SolarLab|HackTheBox

nmap:

Directory scan:

Visit the web page

There is a contact section at the very bottom; it is of no use.

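Designed by & Developed by Jewel Theme: there is a new vulnerability, CVE-2024-33595, but it seems to be of little use.

Checking port 6791 shows a login page; it probably has no injection.

Looking at port 445, SMB allows anonymous access.

Download all the files

Guesswork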

username: blakeb
password: ThisCanB3typedeasily1@

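Searching for ReportLab turns up c53elyas/CVE-2023-33733: CVE-2023-33733 reportlab RCE (github.com)

Replace touch /tmp/exploited in the PoC with a Windows reverse shell command

The flag is at ../../Desktop/user.txt

Use netstat -a to view the other local ports

There is something on port 9090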