# OSCP A -> independent

![image](https://hackmd.io/_uploads/ByxCRdBzex.png)
![image](https://hackmd.io/_uploads/ryqAAurzlx.png)

## Recon

### Rustscan

* 192.168.170.143 (Aero)
  * ![image](https://hackmd.io/_uploads/Bka-ZYBfge.png)
* 192.168.170.144 (Crystal)
  * ![image](https://hackmd.io/_uploads/SkTMZKBzge.png)
* 192.168.170.145 (Hermes)
  * ![image](https://hackmd.io/_uploads/HJNU-YHfeg.png)

### Nmap

* 192.168.170.143 (Aero)
  * ![image](https://hackmd.io/_uploads/SJJK4FSfgg.png)
* 192.168.170.144 (Crystal)
  * ![image](https://hackmd.io/_uploads/B1NEWYrMex.png)
* 192.168.170.145 (Hermes)
  * ![image](https://hackmd.io/_uploads/Hyy_EtHMxg.png)

## 143 --> local.txt

* Googling the `cgms` service on port 3003 turned up an Aerospike database RCE. Checking the version with `nc` gave 5.1.0.1, which matches the exploit.
  * ![image](https://hackmd.io/_uploads/ry_Oh5Hzel.png)
  * ![image](https://hackmd.io/_uploads/r1092qHzxl.png)
* Download the PoC and execute it
  * https://github.com/b4ny4n/CVE-2020-13151
* Got a shell on Aero
  * ![image](https://hackmd.io/_uploads/SJf4wjBGll.png)

## 143 --> proof.txt

* Uploaded `pspy` and saw `/usr/bin/asinfo` being executed many times
  * ![image](https://hackmd.io/_uploads/HkpngprMgx.png)
* Checked its permissions: we can modify it to a reverse shell
  * ![image](https://hackmd.io/_uploads/By-Sbarzle.png)
  * ![image](https://hackmd.io/_uploads/HkPe76HMxe.png)
* Got a root shell
  * ![image](https://hackmd.io/_uploads/SJlCzaSGlx.png)

## 144 --> local.txt

* http://192.168.170.144:80 leaks its git repository
  * ![image](https://hackmd.io/_uploads/Syf0ZYSzgx.png)
* Used `dirsearch` to scan for paths
  * ![image](https://hackmd.io/_uploads/rkW6zFSMxe.png)
* Used `git-dumper` to download the whole `.git` folder
  * https://github.com/arthaud/git-dumper
  * ![image](https://hackmd.io/_uploads/ByiJQYBfgl.png)
* Found DB user credentials in `datavase.php`
  * ![image](https://hackmd.io/_uploads/S14NNFHfgg.png)
  * `stuart@challenge.lab:BreakingBad92`

```bash
git diff-tree -p HEAD
```

* These credentials let us log in to FTP and SSH, and we got local.txt
  * `stuart:BreakingBad92`
  * ![image](https://hackmd.io/_uploads/HJozvYSGeg.png)
  * ![image](https://hackmd.io/_uploads/ryosvKHMle.png)

## 144 --> proof.txt

* Found a `backup` folder in `/opt`; downloaded the backup files with `scp`. Only `sitebackup3` is a zip file, and it needs a password
  * ![image](https://hackmd.io/_uploads/ryIucpHzlg.png)
  * ![image](https://hackmd.io/_uploads/rJ29carzxe.png)
* Used `zip2john` and cracked the password
  * ![image](https://hackmd.io/_uploads/B14xjaSMlg.png)
  * ![image](https://hackmd.io/_uploads/BJ8Wsprfee.png)
* Found credentials for user `chloe`
  * ![image](https://hackmd.io/_uploads/SkTCo6HMlx.png)
  * ![image](https://hackmd.io/_uploads/B1t6s6rGge.png)
* And `chloe` can switch to root
  * ![image](https://hackmd.io/_uploads/BJ-RICHflg.png)

## 145 --> local.txt

* Following the nmap result, I searched TCP port 1978 on Google and got a service name and version
* The service is `WiFi Mouse 1.7.8.5`, which has an RCE vulnerability
  * ![image](https://hackmd.io/_uploads/BJ3NTH9Mxe.png)
  * ![image](https://hackmd.io/_uploads/r1M6aS9fgl.png)
* So first I created a backdoor executable with `msfvenom`, then ran the script and got a shell with `nc`
  * ![image](https://hackmd.io/_uploads/r1Au0H9flg.png)
  * ![image](https://hackmd.io/_uploads/BkhKCBqMxx.png)
  * ![image](https://hackmd.io/_uploads/ByYs0Scfeg.png)

## 145 --> proof.txt

* Found PuTTY installed under `C:\Program Files` on this machine
  * ![image](https://hackmd.io/_uploads/BJMukU9fex.png)
* PuTTY stores user credentials in plain text in the Windows registry, and we got user `zachary`'s password
  * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md
  * ![image](https://hackmd.io/_uploads/H1o5g8cfxx.png)
  * ![image](https://hackmd.io/_uploads/r1TslI5zex.png)
  * `zachary:h3R@tC@tch3r`

```powershell
reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s
```

* Connected with RDP as `zachary`, but still couldn't find proof.txt until I ran PowerShell as administrator
  * ![image](https://hackmd.io/_uploads/Hy8-WU5zlg.png)
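The root-cause of the Aero privilege escalation above was a binary that root kept executing (`/usr/bin/asinfo`) but that a low-privilege user could overwrite. The following audit script is an added example, not part of this write-up or of any tool it uses: it lists group- or world-writable executables under given directories and flags system-crontab jobs whose command binary is writable by non-root users. It assumes POSIX `find`, `awk` and `ls`; the directories and the crontab used in the comments are examples.

```shell
#!/bin/sh
# Hardening check (added example): find executables that an unprivileged user
# could modify while a privileged process still runs them.

# Print every regular executable file under the given directories that is
# writable by group or others (octal permission bits 020 / 002).
writable_executables() {
    find "$@" -xdev -type f -perm -100 \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Return 0 if the given path is writable by group or others, 1 otherwise.
# In the ls -l mode string, character 6 is the group write bit and 9 the other write bit.
is_loosely_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Read a system-format crontab (min hour dom mon dow user command ...) and print
# "<user> <path>" for each job whose command binary is loosely writable.
# Comment lines, blank lines and VAR=value lines are skipped; @reboot-style
# lines are not handled by this example.
writable_cron_commands() {
    awk '!/^[[:space:]]*#/ && NF >= 7 && $0 !~ /^[A-Za-z_]+=/ { print $6, $7 }' "$1" |
    while read -r user cmd; do
        case "$cmd" in
            /*) path=$cmd ;;
            *)  path=$(command -v "$cmd" 2>/dev/null) || continue ;;
        esac
        if is_loosely_writable "$path"; then
            printf '%s %s\n' "$user" "$path"
        fi
    done
}

# Usage: sh audit.sh /usr/bin /usr/sbin /usr/local/bin
# With arguments, audit those directories and the system crontab if readable.
if [ "$#" -gt 0 ]; then
    writable_executables "$@"
    if [ -r /etc/crontab ]; then
        writable_cron_commands /etc/crontab
    fi
fi
```

Any path printed by either function is a candidate for the same escalation the write-up used, and the fix is to make the file root-owned and `0755` (or to stop the privileged job from running it).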