Pilgrimage
nmap
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
| # Nmap 7.94 scan initiated Wed Sep 20 11:21:58 2023 as: nmap -e tun0 -sC -sV -oA nmap/default -v 10.10.11.219 Nmap scan report for 10.10.11.219 Host is up (0.96s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | ssh-hostkey: | 3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA) | 256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA) |_ 256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519) 80/tcp open http nginx 1.18.0 |_http-title: Did not follow redirect to http://pilgrimage.htb/ |_http-server-header: nginx/1.18.0 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Wed Sep 20 11:22:40 2023 -- 1 IP address (1 host up) scanned in 42.74 seconds
|
pilgrimage.htb 添加到 hosts
git 泄露
gobuster 没扫到,discussion 看到的。。。
githack 下载源码
magick
源码中用到了 magick,查看版本
CVE-2022-44268
编写任意文件读取 exp 后读取 git 泄露源码中的 sqlite 数据库 /var/db/pilgrimage
emily:abigchonkyboi123
成功登录 ssh
linpeas
进程
.sh files
binwalk 2.3.2 有 RCE https://www.exploit-db.com/exploits/51249
/etc/console-setup