[Meachines] [Easy] Doctor Python-SSTI+Splunk权限提升

文章预览

信息收集 IP Address Opening Ports 10.10.10.209 TCP :22,80,8089 $ nmap -p- 10.10.10.209 --min-rate 1000 -sC -sV PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 59:4d:4e:c2:d8:cf:da:9d:a8:c8:d0:fd:99:a8:46:17 (RSA) | 256 7f:f3:dc:fb:2d:af:cb:ff:99:34:ac:e0:f8:00:1e:47 (ECDSA) |_ 256 53:0e:96:6b:9c:e9:c1:a1:70:51:6c:2d:ce:7b:43:e8 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-title: Doctor |_http-server-header: Apache/2.4.41 (Ubuntu) 8089/tcp open ssl/http Splunkd httpd | ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser | Not valid before: 2020-09-06T15:57:27 |_Not valid after: 2023-09-06T15:57:27 | http-robots.txt: 1 disallowed entry |_/ |_http-title: splunkd |_http-server-header: Splunkd Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel SSTI # echo '10.10.10.209 doctors.htb'>>/etc/hosts $ whatweb http://doctors.htb/login - ………………………………