CherryBlossom

端口扫描

root@ip-10-10-171-114:~# nmap -sTCV -p- --min-rate 1000 10.10.186.204

Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-19 04:10 GMT
Nmap scan report for ip-10-10-186-204.eu-west-1.compute.internal (10.10.186.204)
Host is up (0.0058s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 21:ee:30:4f:f8:f7:9f:32:6e:42:95:f2:1a:1a:04:d3 (RSA)
|   256 dc:fc:de:d6:ec:43:61:00:54:9b:7c:40:1e:8f:52:c4 (ECDSA)
|_  256 12:81:25:6e:08:64:f6:ef:f5:0c:58:71:18:38:a5:c6 (EdDSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
MAC Address: 02:10:46:A6:BE:E3 (Unknown)
Service Info: Host: UBUNTU; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: cherryblossom
|   NetBIOS computer name: UBUNTU\x00
|   Domain name: \x00
|   FQDN: cherryblossom
|_  System time: 2023-11-19T04:10:35+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-11-19 04:10:35
|_  start_date: 1600-12-31 23:58:45

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds

SMB

从扫描中可以发现只有 SMB服务可以利用

root@ip-10-10-171-114:~# smbmap.py -H 10.10.186.204

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com   
                     https://github.com/ShawnDEvans/smbmap

                                                                                                    
[+] IP: 10.10.186.204:445	Name: ip-10-10-186-204.eu-west-1.compute.internal	Status: Guest session   	
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	Anonymous                                         	READ ONLY	Anonymous File Server Share
	IPC$                                              	NO ACCESS	IPC Service (Samba 4.7.6-Ubuntu)
root@ip-10-10-171-114:~# smbclient \\\\10.10.186.204\\Anonymous
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Feb 10 00:22:51 2020
  ..                                  D        0  Sun Feb  9 17:48:18 2020
  journal.txt                         N  3470998  Mon Feb 10 00:20:53 2020

		10253588 blocks of size 1024. 4680676 blocks available

查看这个文件的内容我发现其是一个 base64 加密的内容. 因此我将其进行解密并重定向到另一个文件中, 发现是一个 PNG 图片那就是文件隐写了

root@ip-10-10-171-114:~# cat journal.txt | base64 -d > journal_base64
root@ip-10-10-171-114:~# file journal_base64 
journal_base64: PNG image data, 1280 x 853, 8-bit/color RGB, non-interlaced
root@ip-10-10-171-114:~# mv journal_base64 journal_base64.png
root@907616ea6d86:/data# zsteg -a  journal.png 
.....
b4,bgr,lsb,xy,prime .. file: PGP\011Secret Key -
....

使用 zsteg 工具后我发现一些内容意识到这是 LSB 加密之后便开始了提取工作, 但是从输出中可以发现这个文件的幻数并不正确, 因此我们需要进行二次修改并进行解密 zip 文件

root@907616ea6d86:/data# stegpy journal.png 
File _journal.zip succesfully extracted from journal.png
root@907616ea6d86:/data# ls
1.txt  _journal.zip   journal.png 
root@907616ea6d86:/data# file _journal.zip 
_journal.zip: JPEG image data
root@907616ea6d86:/data# hexedit _journal.zip 
root@907616ea6d86:/data# file _journal.zip
_journal.zip: Zip archive data, at least v2.0 to extract
root@ip-10-10-48-35:~/cherryblossom# zip2john _journal.zip  > hash.txt
ver 2.0 efh 5455 efh 7875 _journal.zip/Journal.ctz PKZIP Encr: 2b chk, TS_chk, cmplen=70461, decmplen=70434, crc=B987D84 type=8
root@ip-10-10-48-35:~/cherryblossom# john hash.txt --wordlist=`locate rockyou.txt`
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
september        (_journal.zip/Journal.ctz)
1g 0:00:00:00 DONE (2023-11-19 07:37) 33.33g/s 136533p/s 136533c/s 136533C/s 123456..oooooo
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
root@ip-10-10-48-35:~/cherryblossom# ls
1.txt  hash.txt  journal.pgp  journal.png  journal.txt  _journal.zip
root@ip-10-10-48-35:~/cherryblossom# unzip _journal.zip 
Archive:  _journal.zip
[_journal.zip] Journal.ctz password: 
  inflating: Journal.ctz

解压 zip 文件后得到一个新的 7z 文件此时需要重新进行加密, 这里因为自己环境的原因导致没有办法进行解密, 直接看了别人的 WP 获取到解压密码 tigerlily , 解密之后得到一个 Journal.ctd 其实这是一个 xml 文件, 在这其中存在大量使用 base64 加密的密码列表, 并且从其中的内容也可以知道对应的用户 lily 是使用其中的密码作为 SSH 的密码的

后渗透

lily

使用得到的账号进行 SSH 远程登陆即可

root@ip-10-10-10-19:~/cherryblossom# ssh lily@10.10.153.164
The authenticity of host '10.10.153.164 (10.10.153.164)' can't be established.
ECDSA key fingerprint is SHA256:EZ3f3eJR3ecE+aLZiYDNKp3dQHqtk2nrhusPPN5Xruc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.153.164' (ECDSA) to the list of known hosts.
lily@10.10.153.164's password: 

	#####################################
	##########  Welcome, Lily  ##########
        #####################################

lily@cherryblossom:~$ id
uid=1002(lily) gid=1002(lily) groups=1002(lily)

lily —> johan

查看信息发现在 /tmp 目录下存在一个 shadow.bak 文件可以从中解密来获取到 johan 用户以及 root 用户的哈希, 但是估计 root 用户就不用试了直接 johan 用户进行破解处理

backups  cache  crash  lib  local  lock  log  mail  metrics  opt  run  snap  spool  tmp
lily@cherryblossom:/var$ ls -al backups/
total 2000
-r--r--r--  1 root shadow    1481 Feb  9  2020 shadow.bak

root@ip-10-10-10-19:~/cherryblossom# john hash.txt --wordlist=./cherry-blossom.list 
Warning: detected hash type "sha512crypt", but the string is also recognized as "sha512crypt-opencl"
Use the "--format=sha512crypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
##scuffleboo##   (johan)
1g 0:00:00:12 DONE (2023-11-19 09:09) 0.07898g/s 545.9p/s 545.9c/s 545.9C/s #sharry#1992..#music28
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

johan —> root

在查看 johan 用户时我发现其属于一个特殊的组 devs 因此我开始枚举此特殊用户组, 最终发现该用户的一个特殊文件 sudo , 在我尝试利用此进行查看时, 我发现其存在回显对应的这个版本存在缓冲区溢出漏洞 sudo-cve-2019-18634

lily@cherryblossom:/var/backups$ su johan
Password: 
johan@cherryblossom:/var/backups$ id
uid=1001(johan) gid=1001(johan) groups=1001(johan),1003(devs)
johan@cherryblossom:~$ find / -group 1003 2>/dev/null
/usr/bin/sudo
johan@cherryblossom:~$ ls -al /usr/bin/sudo
-rwsr-x--- 1 root devs 149080 Jan 18  2018 /usr/bin/sudo