10.10.11.219

scan

./masscan.sh 
which ip? 10.10.11.219
which network, for example eth0tun0
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2023-07-07 13:57:13 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
[-] Passed the wait window but still running, forcing exit...        
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-07 22:00 CST
Nmap scan report for 10.10.11.219
Host is up (0.34s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA)
|   256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA)
|_  256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

echo "10.10.11.219 pilgrimage.htb" >> /etc/hosts

web

http://pilgrimage.htb/
http://pilgrimage.htb/assets 403
http://pilgrimage.htb/vendor 403
http://pilgrimage.htb/tmp/ 403

1. 扫web目录
2. 查看源代码
3. xray scan
   ./xray webscan –plugin phantasm -u http://pilgrimage.htb/ –poc “pocs/*”
   

git info leak

git clone https://github.com/lijiejie/GitHack
python GitHack.py http://pilgrimage.htb/.git

info leak

ssh emily@10.10.11.219
abigchonkyboi123

CVE-2022-44268：ImageMagick 7.1.0-49 存在信息泄露漏洞。当它解析 PNG 图像（例如，用于调整大小）时，生成的图像中可能会嵌入任意本地文件的内容（如果 ImageMagick 二进制文件有读取权限）。
CVE-2022-4510：Binwalk 远程代码执行漏洞
普通用户使用binwalk可以反弹shell

https://www.exploit-db.com/exploits/51249

使用这个exp，因此可以反弹一个root权限的shell

总结

1. RCE漏洞可以用来提权吗？
   可以. 普通用户使用binwalk RCE可以反弹shell, 反弹一个root权限的shell

conference

• https://giraffe711.github.io/2023/06/26/Pilgrimage/