前言
HACK THE BOX是一个在线靶机训练平台,提供许多有趣的靶机进行渗透测试学习。本文分享下其中Bitlab靶机的渗透过程(已下线)。这是HTB系列的第一篇writeup,之后也会持续更新。
准备
Bitlab靶机地址:10.10.10.114,OS:Linux
操作机:Kali
对于HTB平台的注册以及连接等操作不再赘述。
此外,为了方便,将bitlab的ip地址添加到kali的/etc/hosts文件中:
10.10.10.114 bitlab.htb
0x1 nmap扫描
使用nmap扫描:
# Nmap 7.80 scan initiated Sat Jan 11 19:35:50 2020 as: nmap -sVTC -o scan -p1-65535 bitlab.htb
Nmap scan report for bitlab.htb (10.10.10.114)
Host is up (0.30s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a2:3b:b0:dd:28:91:bf:e8:f9:30:82:31:23:2f:92:18 (RSA)
| 256 e6:3b:fb:b3:7f:9a:35:a8:bd:d0:27:7b:25:d4:ed:dc (ECDSA)
|_ 256 c9:54:3d:91:01:78:03:ab:16:14:6b:cc:f0:b7:3a:55 (ED25519)
80/tcp open http nginx
| http-robots.txt: 55 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://bitlab.htb/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 11 19:52:44 2020 -- 1 IP address (1 host up) scanned in 1013.69 seconds
得到22和80端口,分别提供ssh和web服务。
查看80端口web服务
登陆界面,要提供username和passwd。暂时没法登陆。
0x2 获取www-data shell
在登陆界面下看到help按钮,点进后发现有如下界面:
接着点击。发现当点击gitlab Login后页面没有更新,而是弹出一段js代码:
function(){
var _0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64&a